| author | nectar <nectar@FreeBSD.org> | 2004-03-17 15:49:33 +0000 |
|---|---|---|
| committer | nectar <nectar@FreeBSD.org> | 2004-03-17 15:49:33 +0000 |
| commit | 0f095e8a2af65fdcbf4af38dc6a00383e2fd6b3f | |
| tree | c6fe9e2dc64448f48fdaf5e0b2778005ccc1baac /crypto/openssl/doc | |
| parent | e8232d78abaf5a170e34e0742d0042a65bcaafe4 | |
Vendor import of OpenSSL 0.9.7d.
Diffstat (limited to 'crypto/openssl/doc')
21 files changed, 583 insertions, 30 deletions
diff --git a/crypto/openssl/doc/apps/config.pod b/crypto/openssl/doc/apps/config.pod index ce874a4..8f823fa 100644 --- a/crypto/openssl/doc/apps/config.pod +++ b/crypto/openssl/doc/apps/config.pod @@ -10,7 +10,8 @@ config - OpenSSL CONF library configuration files The OpenSSL CONF library can be used to read configuration files. It is used for the OpenSSL master configuration file B<openssl.cnf> and in a few other places like B<SPKAC> files and certificate extension -files for the B<x509> utility. +files for the B<x509> utility. OpenSSL applications can also use the +CONF library for their own purposes. A configuration file is divided into a number of sections. Each section starts with a line B<[ section_name ]> and ends when a new section is 
@@ -51,13 +52,146 @@ or the B<\> character. By making the last character of a line a B<\> a B<value> string can be spread across multiple lines. In addition the sequences B<\n>, B<\r>, B<\b> and B<\t> are recognized. +=head1 OPENSSL LIBRARY CONFIGURATION + +In OpenSSL 0.9.7 and later applications can automatically configure certain +aspects of OpenSSL using the master OpenSSL configuration file, or optionally +an alternative configuration file. The B<openssl> utility includes this +functionality: any sub command uses the master OpenSSL configuration file +unless an option is used in the sub command to use an alternative configuration +file. + +To enable library configuration the default section needs to contain an +appropriate line which points to the main configuration section. The default +name is B<openssl_conf> which is used by the B<openssl> utility. Other +applications may use an alternative name such as B<myapplicaton_conf>. + +The configuration section should consist of a set of name value pairs which +contain specific module configuration information. The B<name> represents +the name of the I<configuration module> the meaning of the B<value> is +module specific: it may, for example, represent a further configuration +section containing configuration module specific information. E.g. + + openssl_conf = openssl_init + + [openssl_init] + + oid_section = new_oids + engines = engine_section + + [new_oids] + + ... new oids here ... + + [engine_section] + + ... engine stuff here ... + +Currently there are two configuration modules. One for ASN1 objects another +for ENGINE configuration. + +=head2 ASN1 OBJECT CONFIGURATION MODULE + +This module has the name B<oid_section>. The value of this variable points +to a section containing name value pairs of OIDs: the name is the OID short +and long name, the value is the numerical form of the OID. Although some of +the B<openssl> utility sub commands already have their own ASN1 OBJECT section +functionality not all do. 
By using the ASN1 OBJECT configuration module +B<all> the B<openssl> utility sub commands can see the new objects as well +as any compliant applications. For example: + + [new_oids] + + some_new_oid = 1.2.3.4 + some_other_oid = 1.2.3.5 + +=head2 ENGINE CONFIGURATION MODULE + +This ENGINE configuration module has the name B<engines>. The value of this +variable points to a section containing further ENGINE configuration +information. + +The section pointed to by B<engines> is a table of engine names (though see +B<engine_id> below) and further sections containing configuration informations +specific to each ENGINE. + +Each ENGINE specific section is used to set default algorithms, load +dynamic, perform initialization and send ctrls. The actual operation performed +depends on the I<command> name which is the name of the name value pair. The +currently supported commands are listed below. + +For example: + + [engine_section] + + # Configure ENGINE named "foo" + foo = foo_section + # Configure ENGINE named "bar" + bar = bar_section + + [foo_section] + ... foo ENGINE specific commands ... + + [bar_section] + ... "bar" ENGINE specific commands ... + +The command B<engine_id> is used to give the ENGINE name. If used this +command must be first. For example: + + [engine_section] + # This would normally handle an ENGINE named "foo" + foo = foo_section + + [foo_section] + # Override default name and use "myfoo" instead. + engine_id = myfoo + +The command B<dynamic_path> loads and adds an ENGINE from the given path. It +is equivalent to sending the ctrls B<SO_PATH> with the path argument followed +by B<LIST_ADD> with value 2 and B<LOAD> to the dynamic ENGINE. If this is +not the required behaviour then alternative ctrls can be sent directly +to the dynamic ENGINE using ctrl commands. + +The command B<init> determines whether to initialize the ENGINE. If the value +is B<0> the ENGINE will not be initialized, if B<1> and attempt it made to +initialized the ENGINE immediately. 
If the B<init> command is not present +then an attempt will be made to initialize the ENGINE after all commands in +its section have been processed. + +The command B<default_algorithms> sets the default algorithms an ENGINE will +supply using the functions B<ENGINE_set_default_string()> + +If the name matches none of the above command names it is assumed to be a +ctrl command which is sent to the ENGINE. The value of the command is the +argument to the ctrl command. If the value is the string B<EMPTY> then no +value is sent to the command. + +For example: + + + [engine_section] + + # Configure ENGINE named "foo" + foo = foo_section + + [foo_section] + # Load engine from DSO + dynamic_path = /some/path/fooengine.so + # A foo specific ctrl. + some_ctrl = some_value + # Another ctrl that doesn't take a value. + other_ctrl = EMPTY + # Supply all default algorithms + default_algorithms = ALL + =head1 NOTES If a configuration file attempts to expand a variable that doesn't exist then an error is flagged and the file will not load. This can happen if an attempt is made to expand an environment variable that doesn't -exist. For example the default OpenSSL master configuration file used -the value of B<HOME> which may not be defined on non Unix systems. +exist. For example in a previous version of OpenSSL the default OpenSSL +master configuration file used the value of B<HOME> which may not be +defined on non Unix systems and would cause an error. This can be worked around by including a B<default> section to provide a default value: then if the environment lookup fails the default value diff --git a/crypto/openssl/doc/apps/openssl.pod b/crypto/openssl/doc/apps/openssl.pod index 07dd80e..dc0f49d 100644 --- a/crypto/openssl/doc/apps/openssl.pod +++ b/crypto/openssl/doc/apps/openssl.pod 
@@ -329,7 +329,8 @@ L<passwd(1)|passwd(1)>, L<pkcs12(1)|pkcs12(1)>, L<pkcs7(1)|pkcs7(1)>, L<pkcs8(1)|pkcs8(1)>, L<rand(1)|rand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>, L<rsautl(1)|rsautl(1)>, L<s_client(1)|s_client(1)>, -L<s_server(1)|s_server(1)>, L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>, +L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>, +L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>, L<verify(1)|verify(1)>, L<version(1)|version(1)>, L<x509(1)|x509(1)>, L<crypto(3)|crypto(3)>, L<ssl(3)|ssl(3)> diff --git a/crypto/openssl/doc/apps/s_client.pod b/crypto/openssl/doc/apps/s_client.pod index d061326..8d19079 100644 --- a/crypto/openssl/doc/apps/s_client.pod +++ b/crypto/openssl/doc/apps/s_client.pod @@ -8,7 +8,7 @@ s_client - SSL/TLS client program =head1 SYNOPSIS B<openssl> B<s_client> -[B<-connect> host:port>] +[B<-connect host:port>] [B<-verify depth>] [B<-cert filename>] [B<-key filename>] @@ -208,7 +208,7 @@ then an HTTP command can be given such as "GET /" to retrieve a web page. If the handshake fails then there are several possible causes, if it is nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>, -B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> can be tried +B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried in case it is a buggy server. In particular you should play with these options B<before> submitting a bug report to an OpenSSL mailing list. @@ -219,7 +219,7 @@ the clients certificate authority in its "acceptable CA list" when it requests a certificate. By using B<s_client> the CA list can be viewed and checked. However some servers only request client authentication after a specific URL is requested. To obtain the list in this case it -is necessary to use the B<-prexit> command and send an HTTP request +is necessary to use the B<-prexit> option and send an HTTP request for an appropriate page. If a certificate is specified on the command line using the B<-cert> 
diff --git a/crypto/openssl/doc/apps/s_time.pod b/crypto/openssl/doc/apps/s_time.pod new file mode 100644 index 0000000..5a38aa2 --- /dev/null +++ b/crypto/openssl/doc/apps/s_time.pod 
@@ -0,0 +1,173 @@ + +=pod + +=head1 NAME + +s_time - SSL/TLS performance timing program + +=head1 SYNOPSIS + +B<openssl> B<s_time> +[B<-connect host:port>] +[B<-www page>] +[B<-cert filename>] +[B<-key filename>] +[B<-CApath directory>] +[B<-CAfile filename>] +[B<-reuse>] +[B<-new>] +[B<-verify depth>] +[B<-nbio>] +[B<-time seconds>] +[B<-ssl2>] +[B<-ssl3>] +[B<-bugs>] +[B<-cipher cipherlist>] + +=head1 DESCRIPTION + +The B<s_client> command implements a generic SSL/TLS client which connects to a +remote host using SSL/TLS. It can request a page from the server and includes +the time to transfer the payload data in its timing measurements. It measures +the number of connections within a given timeframe, the amount of data +transferred (if any), and calculates the average time spent for one connection. + +=head1 OPTIONS + +=over 4 + +=item B<-connect host:port> + +This specifies the host and optional port to connect to. + +=item B<-www page> + +This specifies the page to GET from the server. A value of '/' gets the +index.htm[l] page. If this parameter is not specified, then B<s_time> will only +perform the handshake to establish SSL connections but not transfer any +payload data. + +=item B<-cert certname> + +The certificate to use, if one is requested by the server. The default is +not to use a certificate. The file is in PEM format. + +=item B<-key keyfile> + +The private key to use. If not specified then the certificate file will +be used. The file is in PEM format. + +=item B<-verify depth> + +The verify depth to use. This specifies the maximum length of the +server certificate chain and turns on server certificate verification. +Currently the verify operation continues after errors so all the problems +with a certificate chain can be seen. As a side effect the connection +will never fail due to a server certificate verify failure. + +=item B<-CApath directory> + +The directory to use for server certificate verification. 
This directory +must be in "hash format", see B<verify> for more information. These are +also used when building the client certificate chain. + +=item B<-CAfile file> + +A file containing trusted certificates to use during server authentication +and to use when attempting to build the client certificate chain. + +=item B<-new> + +performs the timing test using a new session ID for each connection. +If neither B<-new> nor B<-reuse> are specified, they are both on by default +and executed in sequence. + +=item B<-reuse> + +performs the timing test using the same session ID; this can be used as a test +that session caching is working. If neither B<-new> nor B<-reuse> are +specified, they are both on by default and executed in sequence. + +=item B<-nbio> + +turns on non-blocking I/O. + +=item B<-ssl2>, B<-ssl3> + +these options disable the use of certain SSL or TLS protocols. By default +the initial handshake uses a method which should be compatible with all +servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. +The timing program is not as rich in options to turn protocols on and off as +the L<s_client(1)|s_client(1)> program and may not connect to all servers. + +Unfortunately there are a lot of ancient and broken servers in use which +cannot handle this technique and will fail to connect. Some servers only +work if TLS is turned off with the B<-ssl3> option; others +will only support SSL v2 and may need the B<-ssl2> option. + +=item B<-bugs> + +there are several known bug in SSL and TLS implementations. Adding this +option enables various workarounds. + +=item B<-cipher cipherlist> + +this allows the cipher list sent by the client to be modified. Although +the server determines which cipher suite is used it should take the first +supported cipher in the list sent by the client. +See the L<ciphers(1)|ciphers(1)> command for more information. 
+ +=item B<-time length> + +specifies how long (in seconds) B<s_time> should establish connections and +optionally transfer payload data from a server. Server and client performance +and the link speed determine how many connections B<s_time> can establish. + +=back + +=head1 NOTES + +B<s_client> can be used to measure the performance of an SSL connection. +To connect to an SSL HTTP server and get the default page the command + + openssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3] + +would typically be used (https uses port 443). 'commoncipher' is a cipher to +which both client and server can agree, see the L<ciphers(1)|ciphers(1)> command +for details. + +If the handshake fails then there are several possible causes, if it is +nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>, +B<-ssl3> options can be tried +in case it is a buggy server. In particular you should play with these +options B<before> submitting a bug report to an OpenSSL mailing list. + +A frequent problem when attempting to get client certificates working +is that a web client complains it has no certificates or gives an empty +list to choose from. This is normally because the server is not sending +the clients certificate authority in its "acceptable CA list" when it +requests a certificate. By using L<s_client(1)|s_client(1)> the CA list can be +viewed and checked. However some servers only request client authentication +after a specific URL is requested. To obtain the list in this case it +is necessary to use the B<-prexit> option of L<s_client(1)|s_client(1)> and +send an HTTP request for an appropriate page. + +If a certificate is specified on the command line using the B<-cert> +option it will not be used unless the server specifically requests +a client certificate. Therefor merely including a client certificate +on the command line is no guarantee that the certificate works. 
+ +=head1 BUGS + +Because this program does not have all the options of the +L<s_client(1)|s_client(1)> program to turn protocols on and off, you may not be +able to measure the performance of all protocols with all servers. + +The B<-verify> option should really exit if the server verification +fails. + +=head1 SEE ALSO + +L<s_client(1)|s_client(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)> + +=cut diff --git a/crypto/openssl/doc/apps/smime.pod b/crypto/openssl/doc/apps/smime.pod index 2453dd2..84b673f 100644 --- a/crypto/openssl/doc/apps/smime.pod +++ b/crypto/openssl/doc/apps/smime.pod @@ -17,6 +17,9 @@ B<openssl> B<smime> [B<-rc2-40>] [B<-rc2-64>] [B<-rc2-128>] +[B<-aes128>] +[B<-aes192>] +[B<-aes256>] [B<-in file>] [B<-certfile file>] [B<-signer file>] @@ -126,11 +129,11 @@ B<-verify>. This directory must be a standard certificate directory: that is a hash of each subject name (using B<x509 -hash>) should be linked to each certificate. -=item B<-des -des3 -rc2-40 -rc2-64 -rc2-128> +=item B<-des -des3 -rc2-40 -rc2-64 -rc2-128 -aes128 -aes192 -aes256> -the encryption algorithm to use. DES (56 bits), triple DES (168 bits) -or 40, 64 or 128 bit RC2 respectively if not specified 40 bit RC2 is -used. Only used with B<-encrypt>. +the encryption algorithm to use. DES (56 bits), triple DES (168 bits), +40, 64 or 128 bit RC2 or 128, 192 or 256 bit AES respectively. If not +specified 40 bit RC2 is used. Only used with B<-encrypt>. =item B<-nointern> diff --git a/crypto/openssl/doc/crypto/BIO_f_ssl.pod b/crypto/openssl/doc/crypto/BIO_f_ssl.pod index a56ee2b..f0b7317 100644 --- a/crypto/openssl/doc/crypto/BIO_f_ssl.pod +++ b/crypto/openssl/doc/crypto/BIO_f_ssl.pod 
@@ -287,8 +287,8 @@ a client and also echoes the request to standard output. return 0; } - BIO_puts(sbio, "HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\n"); - BIO_puts(sbio, "<pre>\r\nConnection Established\r\nRequest headers:\r\n"); + BIO_puts(sbio, "HTTP/1.0 200 OK\r\nContent-type: text/plain\r\n\r\n"); + BIO_puts(sbio, "\r\nConnection Established\r\nRequest headers:\r\n"); BIO_puts(sbio, "--------------------------------------------------\r\n"); for(;;) { @@ -301,7 +301,7 @@ a client and also echoes the request to standard output. } BIO_puts(sbio, "--------------------------------------------------\r\n"); - BIO_puts(sbio, "</pre>\r\n"); + BIO_puts(sbio, "\r\n"); /* Since there is a buffering BIO present we had better flush it */ BIO_flush(sbio); diff --git a/crypto/openssl/doc/crypto/CONF_modules_free.pod b/crypto/openssl/doc/crypto/CONF_modules_free.pod new file mode 100644 index 0000000..af8ae6a --- /dev/null +++ b/crypto/openssl/doc/crypto/CONF_modules_free.pod 
@@ -0,0 +1,47 @@ +=pod + +=head1 NAME + + CONF_modules_free, CONF_modules_load, CONF_modules_unload - + OpenSSL configuration cleanup functions + +=head1 SYNOPSIS + + #include <openssl/conf.h> + + void CONF_modules_free(void); + void CONF_modules_unload(int all); + void CONF_modules_finish(void); + +=head1 DESCRIPTION + +CONF_modules_free() closes down and frees up all memory allocated by all +configuration modules. + +CONF_modules_finish() calls each configuration modules B<finish> handler +to free up any configuration that module may have performed. + +CONF_modules_unload() finishes and unloads configuration modules. If +B<all> is set to B<0> only modules loaded from DSOs will be unloads. If +B<all> is B<1> all modules, including builtin modules will be unloaded. + +=head1 NOTES + +Normally applications will only call CONF_modules_free() at application to +tidy up any configuration performed. + +=head1 RETURN VALUE + +None of the functions return a value. + +=head1 SEE ALSO + +L<conf(5)|conf(5)>, L<OPENSSL_config(3)|OPENSSL_config(3)>, +L<CONF_modules_load_file(3), CONF_modules_load_file(3)> + +=head1 HISTORY + +CONF_modules_free(), CONF_modules_unload(), and CONF_modules_finish() +first appeared in OpenSSL 0.9.7. + +=cut diff --git a/crypto/openssl/doc/crypto/CONF_modules_load_file.pod b/crypto/openssl/doc/crypto/CONF_modules_load_file.pod new file mode 100644 index 0000000..9965d69 --- /dev/null +++ b/crypto/openssl/doc/crypto/CONF_modules_load_file.pod 
@@ -0,0 +1,60 @@ +=pod + +=head1 NAME + + CONF_modules_load_file, CONF_modules_load - OpenSSL configuration functions + +=head1 SYNOPSIS + + #include <openssl/conf.h> + + int CONF_modules_load_file(const char *filename, const char *appname, + unsigned long flags); + int CONF_modules_load(const CONF *cnf, const char *appname, + unsigned long flags); + +=head1 DESCRIPTION + +The function CONF_modules_load_file() configures OpenSSL using file +B<filename> and application name B<appname>. If B<filename> is NULL +the standard OpenSSL configuration file is used. If B<appname> is +NULL the standard OpenSSL application name B<openssl_conf> is used. +The behaviour can be cutomized using B<flags>. + +CONF_modules_load() is idential to CONF_modules_load_file() except it +read configuration information from B<cnf>. + +=head1 NOTES + +The following B<flags> are currently recognized: + +B<CONF_MFLAGS_IGNORE_ERRORS> if set errors returned by individual +configuration modules are ignored. If not set the first module error is +considered fatal and no further modules are loads. + +Normally any modules errors will add error information to the error queue. If +B<CONF_MFLAGS_SILENT> is set no error information is added. + +If B<CONF_MFLAGS_NO_DSO> is set configuration module loading from DSOs is +disabled. + +B<CONF_MFLAGS_IGNORE_MISSING_FILE> if set will make CONF_load_modules_file() +ignore missing configuration files. Normally a missing configuration file +return an error. + +=head1 RETURN VALUE + +These functions return 1 for success and a zero or negative value for +failure. If module errors are not ignored the return code will reflect the +return value of the failing module (this will always be zero or negative). + +=head1 SEE ALSO + +L<conf(5)|conf(5)>, L<OPENSSL_config(3)|OPENSSL_config(3)>, +L<CONF_free(3), CONF_free(3)>, L<err(3),err(3)> + +=head1 HISTORY + +CONF_modules_load_file and CONF_modules_load first appeared in OpenSSL 0.9.7. + +=cut 
diff --git a/crypto/openssl/doc/crypto/EVP_BytesToKey.pod b/crypto/openssl/doc/crypto/EVP_BytesToKey.pod index 5ce4add..016381f 100644 --- a/crypto/openssl/doc/crypto/EVP_BytesToKey.pod +++ b/crypto/openssl/doc/crypto/EVP_BytesToKey.pod @@ -2,7 +2,7 @@ =head1 NAME - EVP_BytesToKey - password based encryption routine +EVP_BytesToKey - password based encryption routine =head1 SYNOPSIS diff --git a/crypto/openssl/doc/crypto/EVP_DigestInit.pod b/crypto/openssl/doc/crypto/EVP_DigestInit.pod index 5901c39..1cb315e 100644 --- a/crypto/openssl/doc/crypto/EVP_DigestInit.pod +++ b/crypto/openssl/doc/crypto/EVP_DigestInit.pod @@ -4,7 +4,7 @@ EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_DigestInit_ex, EVP_DigestUpdate, EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE, -EVP_MD_CTX_copy_ex EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, +EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type, EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_dss, EVP_dss1, EVP_mdc2, EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj - diff --git a/crypto/openssl/doc/crypto/OPENSSL_config.pod b/crypto/openssl/doc/crypto/OPENSSL_config.pod new file mode 100644 index 0000000..1660062 --- /dev/null +++ b/crypto/openssl/doc/crypto/OPENSSL_config.pod 
@@ -0,0 +1,82 @@ +=pod + +=head1 NAME + +OPENSSL_config, OPENSSL_no_config - simple OpenSSL configuration functions + +=head1 SYNOPSIS + + #include <openssl/conf.h> + + void OPENSSL_config(const char *config_name); + void OPENSSL_no_config(void); + +=head1 DESCRIPTION + +OPENSSL_config() configures OpenSSL using the standard B<openssl.cnf> +configuration file name using B<config_name>. If B<config_name> is NULL then +the default name B<openssl_conf> will be used. Any errors are ignored. Further +calls to OPENSSL_config() will have no effect. The configuration file format +is documented in the L<conf(5)|conf(5)> manual page. + +OPENSSL_no_config() disables configuration. If called before OPENSSL_config() +no configuration takes place. + +=head1 NOTES + +It is B<strongly> recommended that B<all> new applications call OPENSSL_config() +or the more sophisticated functions such as CONF_modules_load() during +initialization (that is before starting any threads). By doing this +an application does not need to keep track of all configuration options +and some new functionality can be supported automatically. + +It is also possible to automatically call OPENSSL_config() when an application +calls OPENSSL_add_all_algorithms() by compiling an application with the +preprocessor symbol B<OPENSSL_LOAD_CONF> #define'd. In this way configuration +can be added without source changes. + +The environment variable B<OPENSSL_CONFIG> can be set to specify the location +of the configuration file. + +Currently ASN1 OBJECTs and ENGINE configuration can be performed future +versions of OpenSSL will add new configuration options. + +There are several reasons why calling the OpenSSL configuration routines is +advisable. For example new ENGINE functionality was added to OpenSSL 0.9.7. +In OpenSSL 0.9.7 control functions can be supported by ENGINEs, this can be +used (among other things) to load dynamic ENGINEs from shared libraries (DSOs). 
+However very few applications currently support the control interface and so +very few can load and use dynamic ENGINEs. Equally in future more sophisticated +ENGINEs will require certain control operations to customize them. If an +application calls OPENSSL_config() it doesn't need to know or care about +ENGINE control operations because they can be performed by editing a +configuration file. + +Applications should free up configuration at application closedown by calling +CONF_modules_free(). + +=head1 RESTRICTIONS + +The OPENSSL_config() function is designed to be a very simple "call it and +forget it" function. As a result its behaviour is somewhat limited. It ignores +all errors silently and it can only load from the standard configuration file +location for example. + +It is however B<much> better than nothing. Applications which need finer +control over their configuration functionality should use the configuration +functions such as CONF_load_modules() directly. + +=head1 RETURN VALUES + +Neither OPENSSL_config() nor OPENSSL_no_config() return a value. + +=head1 SEE ALSO + +L<conf(5)|conf(5)>, L<CONF_load_modules_file(3)|CONF_load_modules_file(3)>, +L<CONF_modules_free(3),CONF_modules_free(3)> + +=head1 HISTORY + +OPENSSL_config() and OPENSSL_no_config() first appeared in OpenSSL 0.9.7 + +=cut diff --git a/crypto/openssl/doc/crypto/OPENSSL_load_builtin_modules.pod b/crypto/openssl/doc/crypto/OPENSSL_load_builtin_modules.pod new file mode 100644 index 0000000..f14dfaf --- /dev/null +++ b/crypto/openssl/doc/crypto/OPENSSL_load_builtin_modules.pod 
@@ -0,0 +1,51 @@ +=pod + +=head1 NAME + +OPENSSL_load_builtin_modules - add standard configuration modules + +=head1 SYNOPSIS + + #include <openssl/conf.h> + + void OPENSSL_load_builtin_modules(void); + void ASN1_add_oid_module(void); + ENGINE_add_conf_module(); + +=head1 DESCRIPTION + +The function OPENSSL_load_builtin_modules() adds all the standard OpenSSL +configuration modules to the internal list. They can then be used by the +OpenSSL configuration code. + +ASN1_add_oid_module() adds just the ASN1 OBJECT module. + +ENGINE_add_conf_module() adds just the ENGINE configuration module. + +=head1 NOTES + +If the simple configuration function OPENSSL_config() is called then +OPENSSL_load_builtin_modules() is called automatically. + +Applications which use the configuration functions directly will need to +call OPENSSL_load_builtin_modules() themselves I<before> any other +configuration code. + +Applications should call OPENSSL_load_builtin_modules() to load all +configuration modules instead of adding modules selectively: otherwise +functionality may be missing from the application if an when new +modules are added. + +=head1 RETURN VALUE + +None of the functions return a value. + +=head1 SEE ALSO + +L<conf(3)|conf(3)>, L<OPENSSL_config(3)|OPENSSL_config(3)> + +=head1 HISTORY + +These functions first appeared in OpenSSL 0.9.7. + +=cut diff --git a/crypto/openssl/doc/crypto/OpenSSL_add_all_algorithms.pod b/crypto/openssl/doc/crypto/OpenSSL_add_all_algorithms.pod index 486c903..e63411b 100644 --- a/crypto/openssl/doc/crypto/OpenSSL_add_all_algorithms.pod +++ b/crypto/openssl/doc/crypto/OpenSSL_add_all_algorithms.pod @@ -36,7 +36,7 @@ None of the functions return a value. =head1 NOTES -A typical application will will call OpenSSL_add_all_algorithms() initially and +A typical application will call OpenSSL_add_all_algorithms() initially and EVP_cleanup() before exiting. An application does not need to add algorithms to use them explicitly, for example 
diff --git a/crypto/openssl/doc/crypto/RSA_print.pod b/crypto/openssl/doc/crypto/RSA_print.pod index e28d107..c971e91 100644 --- a/crypto/openssl/doc/crypto/RSA_print.pod +++ b/crypto/openssl/doc/crypto/RSA_print.pod @@ -44,6 +44,6 @@ L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<rsa(3)|rsa(3)>, L<BN_bn2bin(3)|BN_bn2bin(3)> RSA_print(), RSA_print_fp(), DSA_print(), DSA_print_fp(), DH_print(), DH_print_fp() are available in all versions of SSLeay and OpenSSL. -DSAparams_print() and DSAparams_print_pf() were added in SSLeay 0.8. +DSAparams_print() and DSAparams_print_fp() were added in SSLeay 0.8. =cut diff --git a/crypto/openssl/doc/crypto/d2i_DSAPublicKey.pod b/crypto/openssl/doc/crypto/d2i_DSAPublicKey.pod index 6ebd304..22c1b50 100644 --- a/crypto/openssl/doc/crypto/d2i_DSAPublicKey.pod +++ b/crypto/openssl/doc/crypto/d2i_DSAPublicKey.pod @@ -9,6 +9,7 @@ and parsing functions. =head1 SYNOPSIS #include <openssl/dsa.h> + #include <openssl/x509.h> DSA * d2i_DSAPublicKey(DSA **a, const unsigned char **pp, long length); @@ -35,8 +36,8 @@ and parsing functions. d2i_DSAPublicKey() and i2d_DSAPublicKey() decode and encode the DSA public key components structure. -d2i_DSA_PUKEY() and i2d_DSA_PUKEY() decode and encode an DSA public key using a -SubjectPublicKeyInfo (certificate public key) structure. +d2i_DSA_PUBKEY() and i2d_DSA_PUBKEY() decode and encode an DSA public key using +a SubjectPublicKeyInfo (certificate public key) structure. d2i_DSAPrivateKey(), i2d_DSAPrivateKey() decode and encode the DSA private key components. diff --git a/crypto/openssl/doc/crypto/d2i_RSAPublicKey.pod b/crypto/openssl/doc/crypto/d2i_RSAPublicKey.pod index 7c71bcb..279b29c 100644 --- a/crypto/openssl/doc/crypto/d2i_RSAPublicKey.pod +++ b/crypto/openssl/doc/crypto/d2i_RSAPublicKey.pod @@ -9,6 +9,7 @@ d2i_Netscape_RSA - RSA public and private key encoding functions. =head1 SYNOPSIS #include <openssl/rsa.h> + #include <openssl/x509.h> RSA * d2i_RSAPublicKey(RSA **a, unsigned char **pp, long length); 
@@ -31,8 +32,8 @@ d2i_Netscape_RSA - RSA public and private key encoding functions. d2i_RSAPublicKey() and i2d_RSAPublicKey() decode and encode a PKCS#1 RSAPublicKey structure. -d2i_RSA_PUKEY() and i2d_RSA_PUKEY() decode and encode an RSA public key using a -SubjectPublicKeyInfo (certificate public key) structure. +d2i_RSA_PUBKEY() and i2d_RSA_PUBKEY() decode and encode an RSA public key using +a SubjectPublicKeyInfo (certificate public key) structure. d2i_RSAPrivateKey(), i2d_RSAPrivateKey() decode and encode a PKCS#1 RSAPrivateKey structure. diff --git a/crypto/openssl/doc/crypto/des.pod b/crypto/openssl/doc/crypto/des.pod index 528c73a..6f0cf1c 100644 --- a/crypto/openssl/doc/crypto/des.pod +++ b/crypto/openssl/doc/crypto/des.pod @@ -283,7 +283,7 @@ DES_cbc_encrypt is used. =head1 NOTES Single-key DES is insecure due to its short key size. ECB mode is -not suitable for most applications; see L<DES_modes(7)|DES_modes(7)>. +not suitable for most applications; see L<des_modes(7)|des_modes(7)>. The L<evp(3)|evp(3)> library provides higher-level encryption functions. diff --git a/crypto/openssl/doc/crypto/pem.pod b/crypto/openssl/doc/crypto/pem.pod index a4f8cc3..8613114 100644 --- a/crypto/openssl/doc/crypto/pem.pod +++ b/crypto/openssl/doc/crypto/pem.pod @@ -330,7 +330,7 @@ most of them are set to 0 or NULL. Read a certificate in PEM format from a BIO: X509 *x; - x = PEM_read_bio(bp, NULL, 0, NULL); + x = PEM_read_bio_X509(bp, NULL, 0, NULL); if (x == NULL) { /* Error */ @@ -459,12 +459,12 @@ returned by EVP_bytestokey(). The PEM read routines in some versions of OpenSSL will not correctly reuse an existing structure. Therefore the following: - PEM_read_bio(bp, &x, 0, NULL); + PEM_read_bio_X509(bp, &x, 0, NULL); where B<x> already contains a valid certificate, may not work, whereas: X509_free(x); - x = PEM_read_bio(bp, NULL, 0, NULL); + x = PEM_read_bio_X509(bp, NULL, 0, NULL); is guaranteed to work. 
diff --git a/crypto/openssl/doc/crypto/ui.pod b/crypto/openssl/doc/crypto/ui.pod index 2b3535a..6df68d6 100644 --- a/crypto/openssl/doc/crypto/ui.pod +++ b/crypto/openssl/doc/crypto/ui.pod @@ -5,7 +5,7 @@ UI_new, UI_new_method, UI_free, UI_add_input_string, UI_dup_input_string, UI_add_verify_string, UI_dup_verify_string, UI_add_input_boolean, UI_dup_input_boolean, UI_add_info_string, UI_dup_info_string, -UI_add_error_string, UI_dup_error_string, UI_construct_prompt +UI_add_error_string, UI_dup_error_string, UI_construct_prompt, UI_add_user_data, UI_get0_user_data, UI_get0_result, UI_process, UI_ctrl, UI_set_default_method, UI_get_default_method, UI_get_method, UI_set_method, UI_OpenSSL, ERR_load_UI_strings - New User Interface diff --git a/crypto/openssl/doc/ssl/SSL_COMP_add_compression_method.pod b/crypto/openssl/doc/ssl/SSL_COMP_add_compression_method.pod index 2a98739..42fa66b 100644 --- a/crypto/openssl/doc/ssl/SSL_COMP_add_compression_method.pod +++ b/crypto/openssl/doc/ssl/SSL_COMP_add_compression_method.pod @@ -53,11 +53,11 @@ SSL_COMP_add_compression_method() may return the following values: =over 4 -=item 1 +=item 0 The operation succeeded. -=item 0 +=item 1 The operation failed. Check the error queue to find out the reason. diff --git a/crypto/openssl/doc/ssleay.txt b/crypto/openssl/doc/ssleay.txt index c6049d5..d44d2f0 100644 --- a/crypto/openssl/doc/ssleay.txt +++ b/crypto/openssl/doc/ssleay.txt @@ -6245,7 +6245,7 @@ SSL_get_app_data void SSL_CTX_set_default_verify /* This callback, if set, totaly overrides the normal SSLeay verification - * functions and should return 1 on sucesss and 0 on failure */ + * functions and should return 1 on success and 0 on failure */ void SSL_CTX_set_cert_verify_callback /* The following are the same as the equivilent SSL_xxx functions. |
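Review bot: in the config.pod hunk at @@ -51,13 +52,146 @@, the B<dynamic_path> paragraph should state the trust consequence of that command: a `dynamic_path = /some/path/fooengine.so` line makes the CONF library load an arbitrary shared object into the process (it sends B<SO_PATH> and B<LOAD> to the dynamic ENGINE), so any configuration file that reaches this code path needs the same write protection as the program itself. The same hunk also has several wording defects worth fixing before import: "B<myapplicaton_conf>" (myapplication), "load dynamic, perform initialization" (load dynamic ENGINEs), "if B<1> and attempt it made to initialized the ENGINE" (an attempt is made to initialize the ENGINE), "configuration informations", and the sentence ending "B<ENGINE_set_default_string()>" lacks its full stop.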
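Review bot: the new s_time.pod (hunk @@ -0,0 +1,173 @@) describes the wrong program in two places: DESCRIPTION opens with "The B<s_client> command implements a generic SSL/TLS client" and NOTES with "B<s_client> can be used to measure the performance of an SSL connection"; both should read B<s_time>. The OPTIONS headings also disagree with the SYNOPSIS ("B<-cert certname>" vs "[B<-cert filename>]", "B<-key keyfile>" vs "[B<-key filename>]", "B<-CAfile file>" vs "[B<-CAfile filename>]", "B<-time length>" vs "[B<-time seconds>]"); pick one spelling. The B<-verify> item should say plainly that a chain verification failure is only reported and never aborts the connection (BUGS admits this), otherwise readers may assume a timed run against a server with an invalid chain would have failed. Minor: "several known bug" (bugs) and "Therefor" (Therefore).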
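Review bot: in the new CONF_modules_free.pod the NAME line "CONF_modules_free, CONF_modules_load, CONF_modules_unload" lists CONF_modules_load, which this page does not document, instead of CONF_modules_finish, which it does. The SEE ALSO entry "L<CONF_modules_load_file(3), CONF_modules_load_file(3)>" uses a comma where POD needs "|" to separate link text from the target, so the link will not render correctly. Also "only modules loaded from DSOs will be unloads" (unloaded) and "call CONF_modules_free() at application to tidy up" is missing the word "exit" or "closedown".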
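Review bot: in the new CONF_modules_load_file.pod, the NOTES paragraph on B<CONF_MFLAGS_IGNORE_MISSING_FILE> refers to "CONF_load_modules_file()", which is not the function this page documents (CONF_modules_load_file()). The RETURN VALUE section deserves one explicit sentence that callers must test for `<= 0`, not `== 0`, since a failing module's code "will always be zero or negative" and a plain zero test would treat a negative module error as success. The SEE ALSO links "L<CONF_free(3), CONF_free(3)>, L<err(3),err(3)>" use commas instead of "|". Typos: "cutomized", "idential", "except it read", "no further modules are loads", "a missing configuration file return an error".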
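Review bot: in the new OPENSSL_config.pod, the environment variable named as "B<OPENSSL_CONFIG>" should be checked against the code before import; the variable the B<openssl> utility honours is OPENSSL_CONF, and later revisions of this page use that name. Given that this page says the variable selects the configuration file, that errors are ignored silently, and that the configuration can "load dynamic ENGINEs from shared libraries (DSOs)", the RESTRICTIONS section should advise that a program running with elevated privilege not rely on an environment-supplied file location, since whoever sets the environment then chooses which DSOs get loaded. The page also calls the finer-grained functions "CONF_load_modules()" and links "L<CONF_load_modules_file(3)|CONF_load_modules_file(3)>", but the functions added in this same import are CONF_modules_load() and CONF_modules_load_file(); "L<CONF_modules_free(3),CONF_modules_free(3)>" needs "|" rather than a comma; "Currently ASN1 OBJECTs and ENGINE configuration can be performed future versions of OpenSSL" is missing a stop or semicolon before "future"; the HISTORY sentence lacks a full stop.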
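Review bot: in the new OPENSSL_load_builtin_modules.pod the SYNOPSIS line "ENGINE_add_conf_module();" has no return type or parameter list, unlike the two declarations above it; it should be written as a prototype in the same form (presumably `void ENGINE_add_conf_module(void);`, to be confirmed against the header). The SEE ALSO link "L<conf(3)|conf(3)>" should be conf(5) to match the sibling pages added in this import. Typo: "if an when new modules are added" (if and when).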
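Review bot: in the smime.pod hunk at @@ -126,11 +129,11 @@, the option description now lists the AES choices but still documents "If not specified 40 bit RC2 is used." with no qualification. Since the sentence immediately preceding it already spells out the key sizes, add a clause recommending that callers pass B<-aes128>, B<-aes192> or B<-aes256> explicitly and treat the 40-bit RC2 default as a compatibility setting, so that readers do not take the default as an endorsement.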
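Review bot: in the SSL_COMP_add_compression_method.pod hunk at @@ -53,11 +53,11 @@, swapping the items so that "=item 0 / The operation succeeded." and "=item 1 / The operation failed." is a correctness fix, but the page should then say explicitly that this function's convention is the reverse of the "1 for success" convention documented for the other functions in this import (for example CONF_modules_load_file()), because code that tests the result the way it tests other OpenSSL calls will silently take the wrong branch.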
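Review bot: in the ssleay.txt hunk at @@ -6245,7 +6245,7 @@, the edit corrects "sucesss" but leaves "totaly" on the unchanged context line directly above and "equivilent" two lines below; both are in the same comment and can be fixed in the same change.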