summaryrefslogtreecommitdiffstats
path: root/crypto/openssl/doc
diff options
context:
space:
mode:
authorjkim <jkim@FreeBSD.org>2014-06-09 05:50:57 +0000
committerjkim <jkim@FreeBSD.org>2014-06-09 05:50:57 +0000
commit68fed3306b1f39bfb6d5cd97485248dc0c3884f8 (patch)
tree3b5358dd257bf44bb4ea15442ad4bdb078b6795f /crypto/openssl/doc
parente15884d6df140228c1e2db4ca751565a6933e1f5 (diff)
parentd4a5f67323e640990da5aa727b2e6da35d2157f3 (diff)
downloadFreeBSD-src-68fed3306b1f39bfb6d5cd97485248dc0c3884f8.zip
FreeBSD-src-68fed3306b1f39bfb6d5cd97485248dc0c3884f8.tar.gz
Merge OpenSSL 1.0.1h.
Approved by: so (delphij)
Diffstat (limited to 'crypto/openssl/doc')
-rw-r--r--crypto/openssl/doc/apps/cms.pod15
-rw-r--r--crypto/openssl/doc/apps/enc.pod4
-rw-r--r--crypto/openssl/doc/apps/s_server.pod6
-rw-r--r--crypto/openssl/doc/apps/smime.pod2
-rw-r--r--crypto/openssl/doc/apps/verify.pod9
-rw-r--r--crypto/openssl/doc/apps/version.pod3
-rw-r--r--crypto/openssl/doc/apps/x509v3_config.pod4
-rw-r--r--crypto/openssl/doc/crypto/CMS_decrypt.pod16
-rw-r--r--crypto/openssl/doc/crypto/CONF_modules_free.pod2
-rw-r--r--crypto/openssl/doc/crypto/CONF_modules_load_file.pod2
-rw-r--r--crypto/openssl/doc/crypto/OPENSSL_config.pod2
-rw-r--r--crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod2
-rw-r--r--crypto/openssl/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod2
-rw-r--r--crypto/openssl/doc/fingerprints.txt7
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_set_msg_callback.pod4
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_set_options.pod6
-rw-r--r--crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod8
17 files changed, 77 insertions, 17 deletions
diff --git a/crypto/openssl/doc/apps/cms.pod b/crypto/openssl/doc/apps/cms.pod
index ce1f056..a76b3e0 100644
--- a/crypto/openssl/doc/apps/cms.pod
+++ b/crypto/openssl/doc/apps/cms.pod
@@ -90,6 +90,11 @@ decrypt mail using the supplied certificate and private key. Expects an
encrypted mail message in MIME format for the input file. The decrypted mail
is written to the output file.
+=item B<-debug_decrypt>
+
+this option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used
+with caution: see the notes section below.
+
=item B<-sign>
sign mail using the supplied certificate and private key. Input file is
@@ -446,6 +451,16 @@ Streaming is always used for the B<-sign> operation with detached data but
since the content is no longer part of the CMS structure the encoding
remains DER.
+If the B<-decrypt> option is used without a recipient certificate then an
+attempt is made to locate the recipient by trying each potential recipient
+in turn using the supplied private key. To thwart the MMA attack
+(Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) all recipients are
+tried whether they succeed or not and if no recipients match the message
+is "decrypted" using a random key which will typically output garbage.
+The B<-debug_decrypt> option can be used to disable the MMA attack protection
+and return an error if no recipient can be found: this option should be used
+with caution. For a fuller description see L<CMS_decrypt(3)|CMS_decrypt(3)>).
+
=head1 EXIT CODES
=over 4
diff --git a/crypto/openssl/doc/apps/enc.pod b/crypto/openssl/doc/apps/enc.pod
index 3dee4ed..41791ad 100644
--- a/crypto/openssl/doc/apps/enc.pod
+++ b/crypto/openssl/doc/apps/enc.pod
@@ -215,6 +215,10 @@ unsupported options (for example B<openssl enc -help>) includes a
list of ciphers, supported by your versesion of OpenSSL, including
ones provided by configured engines.
+The B<enc> program does not support authenticated encryption modes
+like CCM and GCM. The utility does not store or retrieve the
+authentication tag.
+
base64 Base 64
diff --git a/crypto/openssl/doc/apps/s_server.pod b/crypto/openssl/doc/apps/s_server.pod
index 6758ba3..f9b9ca5 100644
--- a/crypto/openssl/doc/apps/s_server.pod
+++ b/crypto/openssl/doc/apps/s_server.pod
@@ -44,6 +44,7 @@ B<openssl> B<s_server>
[B<-no_ssl3>]
[B<-no_tls1>]
[B<-no_dhe>]
+[B<-no_ecdhe>]
[B<-bugs>]
[B<-hack>]
[B<-www>]
@@ -131,6 +132,11 @@ a static set of parameters hard coded into the s_server program will be used.
if this option is set then no DH parameters will be loaded effectively
disabling the ephemeral DH cipher suites.
+=item B<-no_ecdhe>
+
+if this option is set then no ECDH parameters will be loaded effectively
+disabling the ephemeral ECDH cipher suites.
+
=item B<-no_tmp_rsa>
certain export cipher suites sometimes use a temporary RSA key, this option
diff --git a/crypto/openssl/doc/apps/smime.pod b/crypto/openssl/doc/apps/smime.pod
index 3aa6e84..d39a59a 100644
--- a/crypto/openssl/doc/apps/smime.pod
+++ b/crypto/openssl/doc/apps/smime.pod
@@ -159,7 +159,7 @@ EVP_get_cipherbyname() function) can also be used preceded by a dash, for
example B<-aes_128_cbc>. See L<B<enc>|enc(1)> for list of ciphers
supported by your version of OpenSSL.
-If not specified 40 bit RC2 is used. Only used with B<-encrypt>.
+If not specified triple DES is used. Only used with B<-encrypt>.
=item B<-nointern>
diff --git a/crypto/openssl/doc/apps/verify.pod b/crypto/openssl/doc/apps/verify.pod
index da68300..f35d402 100644
--- a/crypto/openssl/doc/apps/verify.pod
+++ b/crypto/openssl/doc/apps/verify.pod
@@ -25,6 +25,7 @@ B<openssl> B<verify>
[B<-untrusted file>]
[B<-help>]
[B<-issuer_checks>]
+[B<-attime timestamp>]
[B<-verbose>]
[B<->]
[certificates]
@@ -80,6 +81,12 @@ rejected. The presence of rejection messages does not itself imply that
anything is wrong; during the normal verification process, several
rejections may take place.
+=item B<-attime timestamp>
+
+Perform validation checks using time specified by B<timestamp> and not
+current system time. B<timestamp> is the number of seconds since
+01.01.1970 (UNIX time).
+
=item B<-policy arg>
Enable policy processing and add B<arg> to the user-initial-policy-set (see
@@ -386,7 +393,7 @@ an application specific error. Unused.
=head1 BUGS
-Although the issuer checks are a considerably improvement over the old technique they still
+Although the issuer checks are a considerable improvement over the old technique they still
suffer from limitations in the underlying X509_LOOKUP API. One consequence of this is that
trusted certificates with matching subject name must either appear in a file (as specified by the
B<-CAfile> option) or a directory (as specified by B<-CApath>. If they occur in both then only
diff --git a/crypto/openssl/doc/apps/version.pod b/crypto/openssl/doc/apps/version.pod
index e00324c..58f543b 100644
--- a/crypto/openssl/doc/apps/version.pod
+++ b/crypto/openssl/doc/apps/version.pod
@@ -13,6 +13,7 @@ B<openssl version>
[B<-o>]
[B<-f>]
[B<-p>]
+[B<-d>]
=head1 DESCRIPTION
@@ -38,7 +39,7 @@ the date the current version of OpenSSL was built.
option information: various options set when the library was built.
-=item B<-c>
+=item B<-f>
compilation flags.
diff --git a/crypto/openssl/doc/apps/x509v3_config.pod b/crypto/openssl/doc/apps/x509v3_config.pod
index 0450067..13ff85b 100644
--- a/crypto/openssl/doc/apps/x509v3_config.pod
+++ b/crypto/openssl/doc/apps/x509v3_config.pod
@@ -301,7 +301,7 @@ Example:
O=Organisation
CN=Some Name
-
+
=head2 Certificate Policies.
This is a I<raw> extension. All the fields of this extension can be set by
@@ -390,7 +390,7 @@ Examples:
nameConstraints=permitted;email:.somedomain.com
nameConstraints=excluded;email:.com
-issuingDistributionPoint = idp_section
+
=head2 OCSP No Check
diff --git a/crypto/openssl/doc/crypto/CMS_decrypt.pod b/crypto/openssl/doc/crypto/CMS_decrypt.pod
index d857e4f..3fa9212 100644
--- a/crypto/openssl/doc/crypto/CMS_decrypt.pod
+++ b/crypto/openssl/doc/crypto/CMS_decrypt.pod
@@ -27,7 +27,21 @@ function or errors about unknown algorithms will occur.
Although the recipients certificate is not needed to decrypt the data it is
needed to locate the appropriate (of possible several) recipients in the CMS
-structure. If B<cert> is set to NULL all possible recipients are tried.
+structure.
+
+If B<cert> is set to NULL all possible recipients are tried. This case however
+is problematic. To thwart the MMA attack (Bleichenbacher's attack on
+PKCS #1 v1.5 RSA padding) all recipients are tried whether they succeed or
+not. If no recipient succeeds then a random symmetric key is used to decrypt
+the content: this will typically output garbage and may (but is not guaranteed
+to) ultimately return a padding error only. If CMS_decrypt() just returned an
+error when all recipient encrypted keys failed to decrypt an attacker could
+use this in a timing attack. If the special flag B<CMS_DEBUG_DECRYPT> is set
+then the above behaviour is modified and an error B<is> returned if no
+recipient encrypted key can be decrypted B<without> generating a random
+content encryption key. Applications should use this flag with
+B<extreme caution> especially in automated gateways as it can leave them
+open to attack.
It is possible to determine the correct recipient key by other means (for
example looking them up in a database) and setting them in the CMS structure
diff --git a/crypto/openssl/doc/crypto/CONF_modules_free.pod b/crypto/openssl/doc/crypto/CONF_modules_free.pod
index 87bc7b7..347020c 100644
--- a/crypto/openssl/doc/crypto/CONF_modules_free.pod
+++ b/crypto/openssl/doc/crypto/CONF_modules_free.pod
@@ -37,7 +37,7 @@ None of the functions return a value.
=head1 SEE ALSO
L<conf(5)|conf(5)>, L<OPENSSL_config(3)|OPENSSL_config(3)>,
-L<CONF_modules_load_file(3), CONF_modules_load_file(3)>
+L<CONF_modules_load_file(3)|CONF_modules_load_file(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/CONF_modules_load_file.pod b/crypto/openssl/doc/crypto/CONF_modules_load_file.pod
index 9965d69..0c4d926 100644
--- a/crypto/openssl/doc/crypto/CONF_modules_load_file.pod
+++ b/crypto/openssl/doc/crypto/CONF_modules_load_file.pod
@@ -51,7 +51,7 @@ return value of the failing module (this will always be zero or negative).
=head1 SEE ALSO
L<conf(5)|conf(5)>, L<OPENSSL_config(3)|OPENSSL_config(3)>,
-L<CONF_free(3), CONF_free(3)>, L<err(3),err(3)>
+L<CONF_free(3)|CONF_free(3)>, L<err(3)|err(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/OPENSSL_config.pod b/crypto/openssl/doc/crypto/OPENSSL_config.pod
index e7bba2a..888de88 100644
--- a/crypto/openssl/doc/crypto/OPENSSL_config.pod
+++ b/crypto/openssl/doc/crypto/OPENSSL_config.pod
@@ -73,7 +73,7 @@ Neither OPENSSL_config() nor OPENSSL_no_config() return a value.
=head1 SEE ALSO
L<conf(5)|conf(5)>, L<CONF_load_modules_file(3)|CONF_load_modules_file(3)>,
-L<CONF_modules_free(3),CONF_modules_free(3)>
+L<CONF_modules_free(3)|CONF_modules_free(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod b/crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod
index 41902c0..4716e7e 100644
--- a/crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod
+++ b/crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod
@@ -65,7 +65,7 @@ set first so the relevant field information can be looked up internally.
=head1 SEE ALSO
L<ERR_get_error(3)|ERR_get_error(3)>, L<d2i_X509_NAME(3)|d2i_X509_NAME(3)>,
-L<OBJ_nid2obj(3),OBJ_nid2obj(3)>
+L<OBJ_nid2obj(3)|OBJ_nid2obj(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod b/crypto/openssl/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod
index 8d6b9dd..8a9243d 100644
--- a/crypto/openssl/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod
+++ b/crypto/openssl/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod
@@ -15,7 +15,7 @@ X509_STORE_CTX_get_ex_new_index, X509_STORE_CTX_set_ex_data, X509_STORE_CTX_get_
int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *d, int idx, void *arg);
- char *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *d, int idx);
+ void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *d, int idx);
=head1 DESCRIPTION
diff --git a/crypto/openssl/doc/fingerprints.txt b/crypto/openssl/doc/fingerprints.txt
index 7d05a85..4030c81 100644
--- a/crypto/openssl/doc/fingerprints.txt
+++ b/crypto/openssl/doc/fingerprints.txt
@@ -21,6 +21,13 @@ pub 2048R/F295C759 1998-12-13
Key fingerprint = D0 5D 8C 61 6E 27 E6 60 41 EC B1 B8 D5 7E E5 97
uid Dr S N Henson <shenson@drh-consultancy.demon.co.uk>
+pub 4096R/FA40E9E2 2005-03-19
+ Key fingerprint = 6260 5AA4 334A F9F0 DDE5 D349 D357 7507 FA40 E9E2
+uid Dr Stephen Henson <shenson@opensslfoundation.com>
+uid Dr Stephen Henson <shenson@drh-consultancy.co.uk>
+uid Dr Stephen N Henson <steve@openssl.org>
+sub 4096R/8811F530 2005-03-19
+
pub 1024R/49A563D9 1997-02-24
Key fingerprint = 7B 79 19 FA 71 6B 87 25 0E 77 21 E5 52 D9 83 BF
uid Mark Cox <mjc@redhat.com>
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_msg_callback.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_msg_callback.pod
index 0015e6e..8b82d94 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_msg_callback.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_msg_callback.pod
@@ -11,8 +11,8 @@ SSL_CTX_set_msg_callback, SSL_CTX_set_msg_callback_arg, SSL_set_msg_callback, SS
void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg);
- void SSL_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
- void SSL_set_msg_callback_arg(SSL_CTX *ctx, void *arg);
+ void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
+ void SSL_set_msg_callback_arg(SSL *ssl, void *arg);
=head1 DESCRIPTION
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
index fded060..d886692 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
@@ -112,6 +112,12 @@ vulnerability affecting CBC ciphers, which cannot be handled by some
broken SSL implementations. This option has no effect for connections
using other ciphers.
+=item SSL_OP_TLSEXT_PADDING
+
+Adds a padding extension to ensure the ClientHello size is never between
+256 and 511 bytes in length. This is needed as a workaround for some
+implementations.
+
=item SSL_OP_ALL
All of the above bug workarounds.
diff --git a/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod b/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod
index 49fb88f..059376c 100644
--- a/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod
@@ -8,11 +8,11 @@ SSL_get_peer_cert_chain - get the X509 certificate chain of the peer
#include <openssl/ssl.h>
- STACKOF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
+ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
=head1 DESCRIPTION
-SSL_get_peer_cert_chain() returns a pointer to STACKOF(X509) certificates
+SSL_get_peer_cert_chain() returns a pointer to STACK_OF(X509) certificates
forming the certificate chain of the peer. If called on the client side,
the stack also contains the peer's certificate; if called on the server
side, the peer's certificate must be obtained separately using
@@ -24,7 +24,7 @@ If the peer did not present a certificate, NULL is returned.
The peer certificate chain is not necessarily available after reusing
a session, in which case a NULL pointer is returned.
-The reference count of the STACKOF(X509) object is not incremented.
+The reference count of the STACK_OF(X509) object is not incremented.
If the corresponding session is freed, the pointer must not be used
any longer.
@@ -39,7 +39,7 @@ The following return values can occur:
No certificate was presented by the peer or no connection was established
or the certificate chain is no longer available when a session is reused.
-=item Pointer to a STACKOF(X509)
+=item Pointer to a STACK_OF(X509)
The return value points to the certificate chain presented by the peer.
OpenPOWER on IntegriCloud