Vendor import of OpenSSL 0.9.8i.vendor/openssl/0.9.8i

9 files changed, 112 insertions, 15 deletions

diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index e16eadef21ee..694e433ef392 100644
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -105,7 +105,7 @@ The following is a list of all permitted cipher strings and their meanings.
 =item B<DEFAULT>
 
 the default cipher list. This is determined at compile time and is normally
-B<ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH>. This must be the first cipher string
+B<AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH>. This must be the first cipher string
 specified.
 
 =item B<COMPLEMENTOFDEFAULT>
@@ -209,6 +209,10 @@ anonymous DH cipher suites.
 
 cipher suites using AES.
 
+=item B<CAMELLIA>
+
+cipher suites using Camellia.
+
 =item B<3DES>
 
 cipher suites using triple DES.
@@ -229,6 +233,10 @@ cipher suites using RC2.
 
 cipher suites using IDEA.
 
+=item B<SEED>
+
+cipher suites using SEED.
+
 =item B<MD5>
 
 cipher suites using MD5.
@@ -237,10 +245,6 @@ cipher suites using MD5.
 
 cipher suites using SHA1.
 
-=item B<Camellia>
-
-cipher suites using Camellia.
-
 =back
 
 =head1 CIPHER SUITE NAMES
@@ -323,10 +327,10 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
  TLS_RSA_WITH_AES_128_CBC_SHA            AES128-SHA
  TLS_RSA_WITH_AES_256_CBC_SHA            AES256-SHA
 
- TLS_DH_DSS_WITH_AES_128_CBC_SHA         DH-DSS-AES128-SHA
- TLS_DH_DSS_WITH_AES_256_CBC_SHA         DH-DSS-AES256-SHA
- TLS_DH_RSA_WITH_AES_128_CBC_SHA         DH-RSA-AES128-SHA
- TLS_DH_RSA_WITH_AES_256_CBC_SHA         DH-RSA-AES256-SHA
+ TLS_DH_DSS_WITH_AES_128_CBC_SHA         Not implemented.
+ TLS_DH_DSS_WITH_AES_256_CBC_SHA         Not implemented.
+ TLS_DH_RSA_WITH_AES_128_CBC_SHA         Not implemented.
+ TLS_DH_RSA_WITH_AES_256_CBC_SHA         Not implemented.
 
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA        DHE-DSS-AES128-SHA
  TLS_DHE_DSS_WITH_AES_256_CBC_SHA        DHE-DSS-AES256-SHA
@@ -354,6 +358,18 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
  TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA  ADH-CAMELLIA128-SHA
  TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA  ADH-CAMELLIA256-SHA
 
+=head2 SEED ciphersuites from RFC4162, extending TLS v1.0
+
+ TLS_RSA_WITH_SEED_CBC_SHA              SEED-SHA
+
+ TLS_DH_DSS_WITH_SEED_CBC_SHA           Not implemented.
+ TLS_DH_RSA_WITH_SEED_CBC_SHA           Not implemented.
+
+ TLS_DHE_DSS_WITH_SEED_CBC_SHA          DHE-DSS-SEED-SHA
+ TLS_DHE_RSA_WITH_SEED_CBC_SHA          DHE-RSA-SEED-SHA
+
+ TLS_DH_anon_WITH_SEED_CBC_SHA          ADH-SEED-SHA
+
 =head2 Additional Export 1024 and other cipher suites
 
 Note: these ciphers can also be used in SSL v3.
diff --git a/doc/apps/dgst.pod b/doc/apps/dgst.pod
index b0d198724c6b..908cd2a6d657 100644
--- a/doc/apps/dgst.pod
+++ b/doc/apps/dgst.pod
@@ -18,6 +18,7 @@ B<openssl> B<dgst>
 [B<-verify filename>]
 [B<-prverify filename>]
 [B<-signature filename>]
+[B<-hmac key>]
 [B<file...>]
 
 [B<md5|md4|md2|sha1|sha|mdc2|ripemd160>]
@@ -78,6 +79,10 @@ verify the signature using the  the private key in "filename".
 
 the actual signature to verify.
 
+=item B<-hmac key>
+
+create a hashed MAC using "key".
+
 =item B<-rand file(s)>
 
 a file or files containing random data used to seed the random number
diff --git a/doc/apps/enc.pod b/doc/apps/enc.pod
index c43da5b3f1ee..4391c933600f 100644
--- a/doc/apps/enc.pod
+++ b/doc/apps/enc.pod
@@ -227,6 +227,14 @@ Blowfish and RC5 algorithms use a 128 bit key.
  rc5-ecb            RC5 cipher in ECB mode
  rc5-ofb            RC5 cipher in OFB mode
 
+ aes-[128|192|256]-cbc	128/192/256 bit AES in CBC mode
+ aes-[128|192|256]	Alias for aes-[128|192|256]-cbc
+ aes-[128|192|256]-cfb	128/192/256 bit AES in 128 bit CFB mode
+ aes-[128|192|256]-cfb1	128/192/256 bit AES in 1 bit CFB mode
+ aes-[128|192|256]-cfb8	128/192/256 bit AES in 8 bit CFB mode
+ aes-[128|192|256]-ecb	128/192/256 bit AES in ECB mode
+ aes-[128|192|256]-ofb	128/192/256 bit AES in OFB mode
+
 =head1 EXAMPLES
 
 Just base64 encode a binary file:
diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod
index 4f266058e536..b58ddc1788cb 100644
--- a/doc/apps/ocsp.pod
+++ b/doc/apps/ocsp.pod
@@ -73,7 +73,7 @@ specify output filename, default is standard output.
 
 This specifies the current issuer certificate. This option can be used
 multiple times. The certificate specified in B<filename> must be in
-PEM format.
+PEM format. This option B<MUST> come before any B<-cert> options.
 
 =item B<-cert filename>
 
@@ -146,7 +146,7 @@ certificate in such cases.
 
 =item B<-trust_other>
 
-the certificates specified by the B<-verify_certs> option should be explicitly
+the certificates specified by the B<-verify_other> option should be explicitly
 trusted and no additional checks will be performed on them. This is useful
 when the complete responder certificate chain is not available or trusting a
 root CA is not appropriate.
@@ -154,7 +154,7 @@ root CA is not appropriate.
 =item B<-VAfile file>
 
 file containing explicitly trusted responder certificates. Equivalent to the
-B<-verify_certs> and B<-trust_other> options.
+B<-verify_other> and B<-trust_other> options.
 
 =item B<-noverify>
 
@@ -166,7 +166,7 @@ of the responders certificate.
 
 ignore certificates contained in the OCSP response when searching for the
 signers certificate. With this option the signers certificate must be specified
-with either the B<-verify_certs> or B<-VAfile> options.
+with either the B<-verify_other> or B<-VAfile> options.
 
 =item B<-no_signature_verify>
 
diff --git a/doc/apps/openssl.pod b/doc/apps/openssl.pod
index dc0f49ddca63..964cdf0f027d 100644
--- a/doc/apps/openssl.pod
+++ b/doc/apps/openssl.pod
@@ -227,6 +227,22 @@ SHA Digest
 
 SHA-1 Digest
 
+=item B<sha224>
+
+SHA-224 Digest
+
+=item B<sha256>
+
+SHA-256 Digest
+
+=item B<sha384>
+
+SHA-384 Digest
+
+=item B<sha512>
+
+SHA-512 Digest
+
 =back
 
 =head2 ENCODING AND CIPHER COMMANDS
diff --git a/doc/apps/rsautl.pod b/doc/apps/rsautl.pod
index a7c1681d9859..1a498c2f62e0 100644
--- a/doc/apps/rsautl.pod
+++ b/doc/apps/rsautl.pod
@@ -152,7 +152,7 @@ The final BIT STRING contains the actual signature. It can be extracted with:
 
 The certificate public key can be extracted with:
  
- openssl x509 -in test/testx509.pem -pubout -noout >pubkey.pem
+ openssl x509 -in test/testx509.pem -pubkey -noout >pubkey.pem
 
 The signature can be analysed with:
 
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index c17a83a22581..c44d357cf754 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -38,6 +38,10 @@ B<openssl> B<s_client>
 [B<-cipher cipherlist>]
 [B<-starttls protocol>]
 [B<-engine id>]
+[B<-tlsextdebug>]
+[B<-no_ticket>]
+[B<-sess_out filename>]
+[B<-sess_in filename>]
 [B<-rand file(s)>]
 
 =head1 DESCRIPTION
@@ -186,6 +190,26 @@ send the protocol-specific message(s) to switch to TLS for communication.
 B<protocol> is a keyword for the intended protocol.  Currently, the only
 supported keywords are "smtp", "pop3", "imap", and "ftp".
 
+=item B<-tlsextdebug>
+
+print out a hex dump of any TLS extensions received from the server. Note: this
+option is only available if extension support is explicitly enabled at compile
+time
+
+=item B<-no_ticket>
+
+disable RFC4507bis session ticket support. Note: this option is only available
+if extension support is explicitly enabled at compile time
+
+=item B<-sess_out filename>
+
+output SSL session to B<filename>
+
+=item B<-sess_in sess.pem>
+
+load SSL session from B<filename>. The client will attempt to resume a
+connection from this session.
+
 =item B<-engine id>
 
 specifying an engine (by it's unique B<id> string) will cause B<s_client>
@@ -246,6 +270,13 @@ on the command line is no guarantee that the certificate works.
 If there are problems verifying a server certificate then the
 B<-showcerts> option can be used to show the whole chain.
 
+Since the SSLv23 client hello cannot include compression methods or extensions
+these will only be supported if its use is disabled, for example by using the
+B<-no_sslv2> option.
+
+TLS extensions are only supported in OpenSSL 0.9.8 if they are explictly
+enabled at compile time using for example the B<enable-tlsext> switch.
+
 =head1 BUGS
 
 Because this program has a lot of options and also because some of
diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index 7c1a9581d961..fdcc170e2832 100644
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -12,6 +12,8 @@ B<openssl> B<s_server>
 [B<-context id>]
 [B<-verify depth>]
 [B<-Verify depth>]
+[B<-crl_check>]
+[B<-crl_check_all>]
 [B<-cert filename>]
 [B<-certform DER|PEM>]
 [B<-key keyfile>]
@@ -48,6 +50,8 @@ B<openssl> B<s_server>
 [B<-WWW>]
 [B<-HTTP>]
 [B<-engine id>]
+[B<-tlsextdebug>]
+[B<-no_ticket>]
 [B<-id_prefix arg>]
 [B<-rand file(s)>]
 
@@ -140,6 +144,12 @@ the client. With the B<-verify> option a certificate is requested but the
 client does not have to send one, with the B<-Verify> option the client
 must supply a certificate or an error occurs.
 
+=item B<-crl_check>, B<-crl_check_all>
+
+Check the peer certificate has not been revoked by its CA.
+The CRL(s) are appended to the certificate file. With the B<-crl_check_all>
+option all CRLs of all CAs in the chain are checked.
+
 =item B<-CApath directory>
 
 The directory to use for client certificate verification. This directory
@@ -205,6 +215,14 @@ also included in the server list is used. Because the client specifies
 the preference order, the order of the server cipherlist irrelevant. See
 the B<ciphers> command for more information.
 
+=item B<-tlsextdebug>
+
+print out a hex dump of any TLS extensions received from the server.
+
+=item B<-no_ticket>
+
+disable RFC4507bis session ticket support. 
+
 =item B<-www>
 
 sends a status message back to the client when it connects. This includes
@@ -307,6 +325,9 @@ mean any CA is acceptable. This is useful for debugging purposes.
 
 The session parameters can printed out using the B<sess_id> program.
 
+TLS extensions are only supported in OpenSSL 0.9.8 if they are explictly
+enabled at compile time using for example the B<enable-tlsext> switch.
+
 =head1 BUGS
 
 Because this program has a lot of options and also because some of
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index ea5c29c15021..ff2629d2cf85 100644
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -169,7 +169,7 @@ the operation was successful.
 the issuer certificate could not be found: this occurs if the issuer certificate
 of an untrusted certificate cannot be found.
 
-=item B<3 X509_V_ERR_UNABLE_TO_GET_CRL unable to get certificate CRL>
+=item B<3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL>
 
 the CRL of a certificate could not be found. Unused.