author: Jung-uk Kim <jkim@FreeBSD.org> 2017-05-25 19:38:38 +0000
committer: Jung-uk Kim <jkim@FreeBSD.org> 2017-05-25 19:38:38 +0000
commit: 12df5ad9af4981f5d3c31a9819d31618c0f1af51
tree: 97e3336a3054b8d8a0150b9d414934f73c99cb30 /doc
parent: 5315173646e65b5025be33013edc33eb9658e683

Import OpenSSL 1.0.2l.

Notes:
svn path=/vendor-crypto/openssl/dist/; revision=318897
svn path=/vendor-crypto/openssl/1.0.2l/; revision=318898; tag=vendor/openssl/1.0.2l
Diffstat (limited to 'doc')
12 files changed, 135 insertions, 22 deletions
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index 9224557255ed..35d40bbf27ae 100644
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -179,7 +179,8 @@ When in doubt, include B<!aNULL> in your cipherlist.
=item B<kRSA>, B<RSA>
-cipher suites using RSA key exchange.
+cipher suites using RSA key exchange or authentication. B<RSA> is an alias for
=item B<kDHr>, B<kDHd>, B<kDH>
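Review bot: under the shared B<kRSA>, B<RSA> item, the added text "cipher suites using RSA key exchange or authentication" reads as applying to both names, and then a separate sentence about B<RSA> begins. State explicitly which of the two strings selects suites by key exchange and which by authentication, one sentence per name, so that someone writing a cipherlist to exclude RSA key exchange can tell exactly what each string matches.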
diff --git a/doc/apps/config.pod b/doc/apps/config.pod
index e12591528c0c..3f607d3b5fc8 100644
--- a/doc/apps/config.pod
+++ b/doc/apps/config.pod
@@ -47,7 +47,8 @@ or B<${section::name}>. By using the form B<$ENV::name> environment
variables can be substituted. It is also possible to assign values to
environment variables by using the name B<ENV::name>, this will work
if the program looks up environment variables using the B<CONF> library
-instead of calling B<getenv()> directly.
+instead of calling B<getenv()> directly. The value string must not exceed 64k in
+length after variable expansion. Otherwise an error will occur.
It is possible to escape certain characters by using any kind of quote
or the B<\> character. By making the last character of a line a B<\>
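Review bot: "64k" in the added sentence gives neither an exact bound nor a unit. State the limit as a number of bytes and whether it is inclusive, and name the error the caller sees in place of "an error will occur", so that anyone generating config files from templates or environment values can check the expanded length before handing the file to the B<CONF> library.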
diff --git a/doc/apps/genrsa.pod b/doc/apps/genrsa.pod
index 3dc9870f34b9..f4ed9593ae26 100644
--- a/doc/apps/genrsa.pod
+++ b/doc/apps/genrsa.pod
@@ -7,11 +7,15 @@ genrsa - generate an RSA private key
B<openssl> B<genrsa>
[B<-out filename>]
[B<-passout arg>]
@@ -32,17 +36,21 @@ The B<genrsa> command generates an RSA private key.
=over 4
+=item B<-help>
+Print out a usage message.
=item B<-out filename>
-the output filename. If this argument is not specified then standard output is
+Output the key to the specified file. If this argument is not specified then
+standard output is used.
=item B<-passout arg>
the output file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
-=item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
+=item B<-aes128|-aes192|-aes256|-aria128|-aria192|-aria256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
These options encrypt the private key with specified
cipher before outputting it. If none of these options is
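Review bot: check that genrsa in this release actually accepts B<-help> and B<-aria128|-aria192|-aria256> before documenting them in the B<=item> lines here; this doc-only diff does not show the option parser. If the tool does not implement them, drop them from the manual page, since a documented cipher flag that the command rejects breaks key-encryption scripts written from the documentation.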
@@ -56,8 +64,8 @@ the public exponent to use, either 65537 or 3. The default is 65537.
=item B<-rand file(s)>
a file or files containing random data used to seed the random number
-generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
-Multiple files can be specified separated by a OS-dependent character.
+generator, or an EGD socket (see L<RAND_egd(3)>).
+Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
@@ -71,7 +79,7 @@ for all available algorithms.
=item B<numbits>
the size of the private key to generate in bits. This must be the last option
-specified. The default is 512.
+specified. The default is 2048.
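Review bot: the documented default for B<numbits> moves from 512 to 2048 in this line, but a doc-only diff cannot show that the compiled default matches. Verify the value in the genrsa source for this release, and consider adding a sentence advising scripts to pass B<numbits> explicitly so the key size does not depend on which version's default is in effect.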
@@ -96,7 +104,15 @@ be much larger (typically 1024 bits).
=head1 SEE ALSO
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
+Licensed under the OpenSSL license (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
diff --git a/doc/apps/req.pod b/doc/apps/req.pod
index 30653e509357..1682ba5143dd 100644
--- a/doc/apps/req.pod
+++ b/doc/apps/req.pod
@@ -237,6 +237,9 @@ a self signed root CA. The extensions added to the certificate
using the B<set_serial> option, a large random number will be used for
the serial number.
+If existing request is specified with the B<-in> option, it is converted
+to the self signed certificate otherwise new request is created.
=item B<-days n>
when the B<-x509> option is being used this specifies the number of
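Review bot: the added B<-in> paragraph is missing articles and a clause break, which makes the two cases hard to tell apart. Suggested wording: "If an existing request is specified with the B<-in> option, it is converted to a self-signed certificate; otherwise a new request is created."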
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index 29675dd213f4..b45acbc5e3e4 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -42,6 +42,8 @@ B<openssl> B<s_client>
+[B<-sigalgs sigalglist>]
+[B<-curves curvelist>]
[B<-cipher cipherlist>]
[B<-starttls protocol>]
@@ -217,6 +219,19 @@ Send TLS_FALLBACK_SCSV in the ClientHello.
there are several known bug in SSL and TLS implementations. Adding this
option enables various workarounds.
+=item B<-sigalgs sigalglist>
+Specifies the list of signature algorithms that are sent by the client.
+The server selects one entry in the list based on its preferences.
+For example strings, see L<SSL_CTX_set1_sigalgs(3)>
+=item B<-curves curvelist>
+Specifies the list of supported curves to be sent by the client. The curve is
+is ultimately selected by the server. For a list of all curves, use:
+ $ openssl ecparam -list_curves
=item B<-cipher cipherlist>
this allows the cipher list sent by the client to be modified. Although
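Review bot: the B<-curves> text has a doubled word across the line break ("The curve is" followed by "is ultimately selected"), and the B<-sigalgs> sentence ending in L<SSL_CTX_set1_sigalgs(3)> has no final period. Remove the second "is" and terminate the sentence.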
diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index fa17488d9173..1fe93ddfbebb 100644
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -35,6 +35,8 @@ B<openssl> B<s_server>
[B<-CAfile filename>]
+[B<-client_sigalgs sigalglist>]
+[B<-named_curve curve>]
[B<-cipher cipherlist>]
@@ -234,6 +236,18 @@ option enables various workarounds.
this option enables a further workaround for some some early Netscape
SSL code (?).
+=item B<-client_sigalgs sigalglist>
+Signature algorithms to support for client certificate authentication
+(colon-separated list)
+=item B<-named_curve curve>
+Specifies the elliptic curve to use. NOTE: this is single curve, not a list.
+For a list of all possible curves, use:
+ $ openssl ecparam -list_curves
=item B<-cipher cipherlist>
this allows the cipher list used by the server to be modified. When
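Review bot: the B<-named_curve> entry does not say which curve the server uses when the option is omitted, which is what an operator auditing the server's curve configuration needs to know; add the default. In the same entry "this is single curve" is missing an article ("a single curve"), and the B<-client_sigalgs> description should end with a period and point to the same format reference that s_client gives for B<-sigalgs>, L<SSL_CTX_set1_sigalgs(3)>.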
diff --git a/doc/crypto/EVP_EncryptInit.pod b/doc/crypto/EVP_EncryptInit.pod
index d9513338d8aa..0c0a30c1ffa0 100644
--- a/doc/crypto/EVP_EncryptInit.pod
+++ b/doc/crypto/EVP_EncryptInit.pod
@@ -19,14 +19,17 @@ EVP_CIPHER_CTX_mode, EVP_CIPHER_param_to_asn1, EVP_CIPHER_asn1_to_param,
EVP_CIPHER_CTX_set_padding, EVP_enc_null, EVP_des_cbc, EVP_des_ecb,
EVP_des_cfb, EVP_des_ofb, EVP_des_ede_cbc, EVP_des_ede, EVP_des_ede_ofb,
EVP_des_ede_cfb, EVP_des_ede3_cbc, EVP_des_ede3, EVP_des_ede3_ofb,
-EVP_des_ede3_cfb, EVP_desx_cbc, EVP_rc4, EVP_rc4_40, EVP_idea_cbc,
-EVP_idea_ecb, EVP_idea_cfb, EVP_idea_ofb, EVP_idea_cbc, EVP_rc2_cbc,
+EVP_des_ede3_cfb, EVP_desx_cbc, EVP_rc4, EVP_rc4_40, EVP_rc4_hmac_md5,
+EVP_idea_cbc, EVP_idea_ecb, EVP_idea_cfb, EVP_idea_ofb, EVP_rc2_cbc,
EVP_rc2_ecb, EVP_rc2_cfb, EVP_rc2_ofb, EVP_rc2_40_cbc, EVP_rc2_64_cbc,
EVP_bf_cbc, EVP_bf_ecb, EVP_bf_cfb, EVP_bf_ofb, EVP_cast5_cbc,
EVP_cast5_ecb, EVP_cast5_cfb, EVP_cast5_ofb, EVP_rc5_32_12_16_cbc,
EVP_rc5_32_12_16_ecb, EVP_rc5_32_12_16_cfb, EVP_rc5_32_12_16_ofb,
EVP_aes_128_gcm, EVP_aes_192_gcm, EVP_aes_256_gcm, EVP_aes_128_ccm,
-EVP_aes_192_ccm, EVP_aes_256_ccm - EVP cipher routines
+EVP_aes_192_ccm, EVP_aes_256_ccm,
+EVP_aes_128_cbc_hmac_sha1, EVP_aes_256_cbc_hmac_sha1,
+EVP_aes_128_cbc_hmac_sha256, EVP_aes_256_cbc_hmac_sha256
+- EVP cipher routines
@@ -395,8 +398,6 @@ Sets the expected tag to B<taglen> bytes from B<tag>. This call is only legal
when decrypting data and must be made B<before> any data is processed (e.g.
before any EVP_DecryptUpdate() call).
-See L<EXAMPLES> below for an example of the use of GCM mode.
=head1 CCM Mode
The behaviour of CCM mode ciphers is similar to CCM mode but with a few
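Review bot: the context line under B<=head1 CCM Mode> reads "The behaviour of CCM mode ciphers is similar to CCM mode", which compares CCM with itself; since this hunk already edits the boundary between the two sections, correct that line to name the intended mode. With "See L<EXAMPLES> below for an example of the use of GCM mode." removed, also check that the GCM section keeps some pointer to a worked example of setting the expected tag before the first EVP_DecryptUpdate() call.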
diff --git a/doc/crypto/RSA_private_encrypt.pod b/doc/crypto/RSA_private_encrypt.pod
index 746a80c79ea0..3e1f895c5ad8 100644
--- a/doc/crypto/RSA_private_encrypt.pod
+++ b/doc/crypto/RSA_private_encrypt.pod
@@ -8,10 +8,10 @@ RSA_private_encrypt, RSA_public_decrypt - low level signature operations
#include <openssl/rsa.h>
- int RSA_private_encrypt(int flen, unsigned char *from,
+ int RSA_private_encrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
- int RSA_public_decrypt(int flen, unsigned char *from,
+ int RSA_public_decrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
diff --git a/doc/crypto/RSA_public_encrypt.pod b/doc/crypto/RSA_public_encrypt.pod
index ab0fe3b2cd1c..0541f348b3e2 100644
--- a/doc/crypto/RSA_public_encrypt.pod
+++ b/doc/crypto/RSA_public_encrypt.pod
@@ -8,10 +8,10 @@ RSA_public_encrypt, RSA_private_decrypt - RSA public key cryptography
#include <openssl/rsa.h>
- int RSA_public_encrypt(int flen, unsigned char *from,
+ int RSA_public_encrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
- int RSA_private_decrypt(int flen, unsigned char *from,
+ int RSA_private_decrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
diff --git a/doc/crypto/X509_STORE_CTX_new.pod b/doc/crypto/X509_STORE_CTX_new.pod
index eb38b0a10905..1aee11726863 100644
--- a/doc/crypto/X509_STORE_CTX_new.pod
+++ b/doc/crypto/X509_STORE_CTX_new.pod
@@ -41,7 +41,7 @@ is no longer valid.
X509_STORE_CTX_init() sets up B<ctx> for a subsequent verification operation.
It must be called before each call to X509_verify_cert(), i.e. a B<ctx> is only
good for one call to X509_verify_cert(); if you want to verify a second
-certificate with the same B<ctx> then you must call X509_XTORE_CTX_cleanup()
+certificate with the same B<ctx> then you must call X509_STORE_CTX_cleanup()
and then X509_STORE_CTX_init() again before the second call to
X509_verify_cert(). The trusted certificate store is set to B<store>, the end
entity certificate to be verified is set to B<x509> and a set of additional
diff --git a/doc/crypto/des.pod b/doc/crypto/des.pod
index e1add56b5e81..339617aab024 100644
--- a/doc/crypto/des.pod
+++ b/doc/crypto/des.pod
@@ -123,7 +123,7 @@ architecture dependent I<DES_key_schedule> via the
DES_set_key_checked() or DES_set_key_unchecked() function.
DES_set_key_checked() will check that the key passed is of odd parity
-and is not a week or semi-weak key. If the parity is wrong, then -1
+and is not a weak or semi-weak key. If the parity is wrong, then -1
is returned. If the key is a weak key, then -2 is returned. If an
error is returned, the key schedule is not generated.
diff --git a/doc/man3/SSL_CTX_set_tlsext_servername_callback.pod b/doc/man3/SSL_CTX_set_tlsext_servername_callback.pod
new file mode 100644
index 000000000000..3b0a50956d9b
--- /dev/null
+++ b/doc/man3/SSL_CTX_set_tlsext_servername_callback.pod
@@ -0,0 +1,62 @@
+=head1 NAME
+SSL_CTX_set_tlsext_servername_callback, SSL_CTX_set_tlsext_servername_arg,
+SSL_get_servername_type, SSL_get_servername - handle server name indication
+=head1 SYNOPSIS
+ #include <openssl/ssl.h>
+ long SSL_CTX_set_tlsext_servername_callback(SSL_CTX *ctx,
+ int (*cb)(SSL *, int *, void *));
+ long SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg);
+ const char *SSL_get_servername(const SSL *s, const int type);
+ int SSL_get_servername_type(const SSL *s);
+SSL_CTX_set_tlsext_servername_callback() sets the application callback B<cb>
+used by a server to perform any actions or configuration required based on
+the servername extension received in the incoming connection. When B<cb>
+is NULL, SNI is not used. The B<arg> value is a pointer which is passed to
+the application callback.
+SSL_CTX_set_tlsext_servername_arg() sets a context-specific argument to be
+passed into the callback for this B<SSL_CTX>.
+SSL_get_servername() returns a servername extension value of the specified
+type if provided in the Client Hello or NULL.
+SSL_get_servername_type() returns the servername type or -1 if no servername
+is present. Currently the only supported type (defined in RFC3546) is
+=head1 NOTES
+The ALPN and SNI callbacks are both executed during Client Hello processing.
+The servername callback is executed first, followed by the ALPN callback.
+SSL_CTX_set_tlsext_servername_callback() and
+SSL_CTX_set_tlsext_servername_arg() both always return 1 indicating success.
+=head1 SEE ALSO
+L<ssl(7)>, L<SSL_CTX_set_alpn_select_cb(3)>,
+Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+Licensed under the OpenSSL license (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
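Review bot: the SYNOPSIS gives the callback type as int (*cb)(SSL *, int *, void *), but nothing in the visible text says what the callback must return or what the int * parameter is for, so a server author cannot tell from this page how to accept, ignore or reject a requested server name. Add a description of the callback's parameters and return values. The file is also created under doc/man3/ while every other file in this diff lives under doc/apps/ or doc/crypto/; confirm that this directory is picked up by the branch's manual page build.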