Fix nits in pod files. Add doc-nit-check to help find future issues. Make podchecker be almost clean. Remove trailing whitespace. Tab expansion Reviewed-by: Richard Levitte <levitte@openssl.org>
diff --git a/doc/apps/CA.pl.pod b/doc/apps/CA.pl.pod index be56e0a..a84083a 100644 --- a/doc/apps/CA.pl.pod +++ b/doc/apps/CA.pl.pod
@@ -1,4 +1,3 @@ - =pod =head1 NAME @@ -103,7 +102,7 @@ =item B<-verify> verifies certificates against the CA certificate for "demoCA". If no certificates -are specified on the command line it tries to verify the file "newcert.pem". +are specified on the command line it tries to verify the file "newcert.pem". =item B<files> @@ -148,7 +147,7 @@ Create a DSA certificate request and private key (a different set of parameters can optionally be created first): - openssl req -out newreq.pem -newkey dsa:dsap.pem + openssl req -out newreq.pem -newkey dsa:dsap.pem Sign the request: @@ -169,7 +168,7 @@ perl -S CA.pl -can be used and the B<OPENSSL_CONF> environment variable changed to point to +can be used and the B<OPENSSL_CONF> environment variable changed to point to the correct path of the configuration file "openssl.cnf". The script is intended as a simple front end for the B<openssl> program for use
diff --git a/doc/apps/asn1parse.pod b/doc/apps/asn1parse.pod index cd30797..e231a93 100644 --- a/doc/apps/asn1parse.pod +++ b/doc/apps/asn1parse.pod
@@ -92,7 +92,7 @@ present then the string is obtained from the default section using the name B<asn1>. The encoded data is passed through the ASN1 parser and printed out as though it came from a file, the contents can thus be examined and written to a -file using the B<out> option. +file using the B<out> option. =item B<-strictpem> @@ -108,20 +108,20 @@ The output will typically contain lines like this: - 0:d=0 hl=4 l= 681 cons: SEQUENCE + 0:d=0 hl=4 l= 681 cons: SEQUENCE ..... 229:d=3 hl=3 l= 141 prim: BIT STRING - 373:d=2 hl=3 l= 162 cons: cont [ 3 ] - 376:d=3 hl=3 l= 159 cons: SEQUENCE - 379:d=4 hl=2 l= 29 cons: SEQUENCE + 373:d=2 hl=3 l= 162 cons: cont [ 3 ] + 376:d=3 hl=3 l= 159 cons: SEQUENCE + 379:d=4 hl=2 l= 29 cons: SEQUENCE 381:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier - 386:d=5 hl=2 l= 22 prim: OCTET STRING - 410:d=4 hl=2 l= 112 cons: SEQUENCE + 386:d=5 hl=2 l= 22 prim: OCTET STRING + 410:d=4 hl=2 l= 112 cons: SEQUENCE 412:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier - 417:d=5 hl=2 l= 105 prim: OCTET STRING - 524:d=4 hl=2 l= 12 cons: SEQUENCE + 417:d=5 hl=2 l= 105 prim: OCTET STRING + 524:d=4 hl=2 l= 12 cons: SEQUENCE ..... @@ -133,27 +133,27 @@ The B<-i> option can be used to make the output more readable. -Some knowledge of the ASN.1 structure is needed to interpret the output. +Some knowledge of the ASN.1 structure is needed to interpret the output. In this example the BIT STRING at offset 229 is the certificate public key. The contents octets of this will contain the public key information. This can be examined using the option B<-strparse 229> to yield: - 0:d=0 hl=3 l= 137 cons: SEQUENCE + 0:d=0 hl=3 l= 137 cons: SEQUENCE 3:d=1 hl=3 l= 129 prim: INTEGER :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897 135:d=1 hl=2 l= 3 prim: INTEGER :010001 =head1 NOTES If an OID is not part of OpenSSL's internal table it will be represented in -numerical form (for example 1.2.3.4). The file passed to the B<-oid> option +numerical form (for example 1.2.3.4). The file passed to the B<-oid> option allows additional OIDs to be included. Each line consists of three columns, the first column is the OID in numerical format and should be followed by white space. The second column is the "short name" which is a single word followed by white space. The final column is the rest of the line and is the "long name". B<asn1parse> displays the long name. Example: -C<1.2.3.4 shortName A long name> +C<1.2.3.4 shortName A long name> =head1 EXAMPLES
diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod index 6c29485..de3744e 100644 --- a/doc/apps/ca.pod +++ b/doc/apps/ca.pod
@@ -1,4 +1,3 @@ - =pod =head1 NAME @@ -101,7 +100,7 @@ =item B<-infiles> if present this should be the last option, all subsequent arguments -are taken as the names of files containing certificate requests. +are taken as the names of files containing certificate requests. =item B<-out filename> @@ -195,7 +194,7 @@ =item B<-preserveDN> Normally the DN order of a certificate is the same as the order of the -fields in the relevant policy section. When this option is set the order +fields in the relevant policy section. When this option is set the order is the same as the request. This is largely for compatibility with the older IE enrollment control which would only accept certificates if their DNs match the order of the request. This is not needed for Xenroll. @@ -245,7 +244,7 @@ =item B<-utf8> -this option causes field values to be interpreted as UTF8 strings, by +this option causes field values to be interpreted as UTF8 strings, by default they are interpreted as ASCII. This means that the field values, whether prompted from a terminal or obtained from a configuration file, must be valid UTF8 strings. @@ -366,7 +365,7 @@ This specifies a file containing additional B<OBJECT IDENTIFIERS>. Each line of the file should consist of the numerical form of the object identifier followed by white space then the short name followed -by white space and finally the long name. +by white space and finally the long name. =item B<oid_section> @@ -398,7 +397,7 @@ =item B<default_days> the same as the B<-days> option. The number of days to certify -a certificate for. +a certificate for. =item B<default_startdate> @@ -521,7 +520,7 @@ The input to the B<-spkac> command line option is a Netscape signed public key and challenge. This will usually come from -the B<KEYGEN> tag in an HTML form to create a new private key. +the B<KEYGEN> tag in an HTML form to create a new private key. It is however possible to create SPKACs using the B<spkac> utility. The file should contain the variable SPKAC set to the value of @@ -581,18 +580,18 @@ [ ca ] default_ca = CA_default # The default ca section - + [ CA_default ] dir = ./demoCA # top dir database = $dir/index.txt # index file. - new_certs_dir = $dir/newcerts # new certs dir - + new_certs_dir = $dir/newcerts # new certs dir + certificate = $dir/cacert.pem # The CA cert serial = $dir/serial # serial no file private_key = $dir/private/cakey.pem# CA private key RANDFILE = $dir/private/.rand # random number file - + default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = md5 # md to use @@ -600,9 +599,9 @@ policy = policy_any # default policy email_in_dn = no # Don't add the email into cert DN - name_opt = ca_default # Subject name display option - cert_opt = ca_default # Certificate display option - copy_extensions = none # Don't copy extensions from request + name_opt = ca_default # Subject name display option + cert_opt = ca_default # Certificate display option + copy_extensions = none # Don't copy extensions from request [ policy_any ] countryName = supplied @@ -636,7 +635,7 @@ =head1 RESTRICTIONS -The text database index file is a critical part of the process and +The text database index file is a critical part of the process and if corrupted it can be difficult to fix. It is theoretically possible to rebuild the index file from all the issued certificates and a current CRL: however there is no option to do this. @@ -704,7 +703,7 @@ =head1 SEE ALSO L<req(1)>, L<spkac(1)>, L<x509(1)>, L<CA.pl(1)>, -L<config(5)>, L<x509v3_config(5)> +L<config(5)>, L<x509v3_config(5)> =cut
diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod index 4876ef1..2552f22 100644 --- a/doc/apps/cms.pod +++ b/doc/apps/cms.pod
@@ -186,13 +186,13 @@ =item B<-sign_receipt> -Generate and output a signed receipt for the supplied message. The input +Generate and output a signed receipt for the supplied message. The input message B<must> contain a signed receipt request. Functionality is otherwise similar to the B<-sign> operation. =item B<-verify_receipt receipt> -Verify a signed receipt in filename B<receipt>. The input message B<must> +Verify a signed receipt in filename B<receipt>. The input message B<must> contain the original receipt request. Functionality is otherwise similar to the B<-verify> operation. @@ -256,7 +256,7 @@ this option adds plain text (text/plain) MIME headers to the supplied message if encrypting or signing. If decrypting or verifying it strips -off text headers: if the decrypted or verified message is not of MIME +off text headers: if the decrypted or verified message is not of MIME type text/plain then an error occurs. =item B<-noout> @@ -298,11 +298,11 @@ the encryption algorithm to use. For example triple DES (168 bits) - B<-des3> or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the -EVP_get_cipherbyname() function) can also be used preceded by a dash, for +EVP_get_cipherbyname() function) can also be used preceded by a dash, for example B<-aes-128-cbc>. See L<B<enc>|enc(1)> for a list of ciphers supported by your version of OpenSSL. -If not specified triple DES is used. Only used with B<-encrypt> and +If not specified triple DES is used. Only used with B<-encrypt> and B<-EncryptedData_create> commands. =item B<-nointern> @@ -408,7 +408,7 @@ =item B<-receipt_request_to emailaddress> -Add an explicit email address where signed receipts should be sent to. This +Add an explicit email address where signed receipts should be sent to. This option B<must> but supplied if a signed receipt it requested. =item B<-receipt_request_print> @@ -436,7 +436,7 @@ set the encapsulated content type to B<type> if not supplied the B<Data> type is used. The B<type> argument can be any valid OID name in either text or -numerical format. +numerical format. =item B<-inkey file> @@ -469,7 +469,7 @@ =item B<cert.pem...> one or more certificates of message recipients: used when encrypting -a message. +a message. =item B<-to, -from, -subject> @@ -534,7 +534,7 @@ in turn using the supplied private key. To thwart the MMA attack (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) all recipients are tried whether they succeed or not and if no recipients match the message -is "decrypted" using a random key which will typically output garbage. +is "decrypted" using a random key which will typically output garbage. The B<-debug_decrypt> option can be used to disable the MMA attack protection and return an error if no recipient can be found: this option should be used with caution. For a fuller description see L<CMS_decrypt(3)>). @@ -598,29 +598,29 @@ Create a cleartext signed message: openssl cms -sign -in message.txt -text -out mail.msg \ - -signer mycert.pem + -signer mycert.pem Create an opaque signed message openssl cms -sign -in message.txt -text -out mail.msg -nodetach \ - -signer mycert.pem + -signer mycert.pem Create a signed message, include some additional certificates and read the private key from another file: openssl cms -sign -in in.txt -text -out mail.msg \ - -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem + -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem Create a signed message with two signers, use key identifier: openssl cms -sign -in message.txt -text -out mail.msg \ - -signer mycert.pem -signer othercert.pem -keyid + -signer mycert.pem -signer othercert.pem -keyid Send a signed message under Unix directly to sendmail, including headers: openssl cms -sign -in in.txt -text -signer mycert.pem \ - -from steve@openssl.org -to someone@somewhere \ - -subject "Signed message" | sendmail someone@somewhere + -from steve@openssl.org -to someone@somewhere \ + -subject "Signed message" | sendmail someone@somewhere Verify a message and extract the signer's certificate if successful: @@ -629,15 +629,15 @@ Send encrypted mail using triple DES: openssl cms -encrypt -in in.txt -from steve@openssl.org \ - -to someone@somewhere -subject "Encrypted message" \ - -des3 user.pem -out mail.msg + -to someone@somewhere -subject "Encrypted message" \ + -des3 user.pem -out mail.msg Sign and encrypt mail: openssl cms -sign -in ml.txt -signer my.pem -text \ - | openssl cms -encrypt -out mail.msg \ - -from steve@openssl.org -to someone@somewhere \ - -subject "Signed and Encrypted message" -des3 user.pem + | openssl cms -encrypt -out mail.msg \ + -from steve@openssl.org -to someone@somewhere \ + -subject "Signed and Encrypted message" -des3 user.pem Note: the encryption command does not include the B<-text> option because the message being encrypted already has MIME headers. @@ -654,7 +654,7 @@ -----BEGIN PKCS7----- -----END PKCS7----- -and using the command, +and using the command, openssl cms -verify -inform PEM -in signature.pem -content content.txt @@ -673,17 +673,17 @@ Sign mail using RSA-PSS: openssl cms -sign -in message.txt -text -out mail.msg \ - -signer mycert.pem -keyopt rsa_padding_mode:pss + -signer mycert.pem -keyopt rsa_padding_mode:pss Create encrypted mail using RSA-OAEP: openssl cms -encrypt -in plain.txt -out mail.msg \ - -recip cert.pem -keyopt rsa_padding_mode:oaep + -recip cert.pem -keyopt rsa_padding_mode:oaep Use SHA256 KDF with an ECDH certificate: openssl cms -encrypt -in plain.txt -out mail.msg \ - -recip ecdhcert.pem -keyopt ecdh_kdf_md:sha256 + -recip ecdhcert.pem -keyopt ecdh_kdf_md:sha256 =head1 BUGS @@ -715,7 +715,7 @@ The use of B<-recip> to specify the recipient when encrypting mail was first added to OpenSSL 1.1.0 -Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0. +Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0. The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added to OpenSSL 1.1.0.
diff --git a/doc/apps/config.pod b/doc/apps/config.pod index baa886b..499bc9e 100644 --- a/doc/apps/config.pod +++ b/doc/apps/config.pod
@@ -1,4 +1,3 @@ - =pod =for comment openssl_manual_section:5 @@ -63,14 +62,14 @@ unless an option is used in the sub command to use an alternative configuration file. -To enable library configuration the default section needs to contain an +To enable library configuration the default section needs to contain an appropriate line which points to the main configuration section. The default name is B<openssl_conf> which is used by the B<openssl> utility. Other applications may use an alternative name such as B<myapplicaton_conf>. The configuration section should consist of a set of name value pairs which contain specific module configuration information. The B<name> represents -the name of the I<configuration module> the meaning of the B<value> is +the name of the I<configuration module> the meaning of the B<value> is module specific: it may, for example, represent a further configuration section containing configuration module specific information. E.g. @@ -102,7 +101,7 @@ as any compliant applications. For example: [new_oids] - + some_new_oid = 1.2.3.4 some_other_oid = 1.2.3.5 @@ -141,7 +140,7 @@ [bar_section] ... "bar" ENGINE specific commands ... -The command B<engine_id> is used to give the ENGINE name. If used this +The command B<engine_id> is used to give the ENGINE name. If used this command must be first. For example: [engine_section] @@ -168,7 +167,7 @@ supply using the functions ENGINE_set_default_string(). If the name matches none of the above command names it is assumed to be a -ctrl command which is sent to the ENGINE. The value of the command is the +ctrl command which is sent to the ENGINE. The value of the command is the argument to the ctrl command. If the value is the string B<EMPTY> then no value is sent to the command. @@ -266,7 +265,7 @@ mentioned above. # This is the default section. - + HOME=/temp RANDFILE= ${ENV::HOME}/.rnd configdir=$ENV::HOME/config @@ -296,7 +295,7 @@ set to any value at all. If you just include the environment variable names and the variable doesn't exist then this will cause an error when an attempt is made to load the configuration file. By making use of the -default section both values can be looked up with B<TEMP> taking +default section both values can be looked up with B<TEMP> taking priority and B</tmp> used if neither is defined: TMP=/tmp
diff --git a/doc/apps/crl.pod b/doc/apps/crl.pod index bb1092c..cb5969a 100644 --- a/doc/apps/crl.pod +++ b/doc/apps/crl.pod
@@ -42,7 +42,7 @@ =item B<-outform DER|PEM> -This specifies the output format, the options have the same meaning as the +This specifies the output format, the options have the same meaning as the B<-inform> option. =item B<-in filename>
diff --git a/doc/apps/crl2pkcs7.pod b/doc/apps/crl2pkcs7.pod index f329402..26ec889 100644 --- a/doc/apps/crl2pkcs7.pod +++ b/doc/apps/crl2pkcs7.pod
@@ -74,8 +74,8 @@ Creates a PKCS#7 structure in DER format with no CRL from several different certificates: - openssl crl2pkcs7 -nocrl -certfile newcert.pem - -certfile demoCA/cacert.pem -outform DER -out p7.der + openssl crl2pkcs7 -nocrl -certfile newcert.pem + -certfile demoCA/cacert.pem -outform DER -out p7.der =head1 NOTES
diff --git a/doc/apps/dgst.pod b/doc/apps/dgst.pod index ce26a56..75b8ad9 100644 --- a/doc/apps/dgst.pod +++ b/doc/apps/dgst.pod
@@ -156,7 +156,7 @@ generator, or an EGD socket (see L<RAND_egd(3)>). Multiple files can be specified separated by an OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for -all others. +all others. =item B<-fips-fingerprint>
diff --git a/doc/apps/dhparam.pod b/doc/apps/dhparam.pod index b72ca7e..771ef1b 100644 --- a/doc/apps/dhparam.pod +++ b/doc/apps/dhparam.pod
@@ -44,7 +44,7 @@ =item B<-outform DER|PEM> -This specifies the output format, the options have the same meaning as the +This specifies the output format, the options have the same meaning as the B<-inform> option. =item B<-in> I<filename> @@ -123,7 +123,7 @@ The program B<dhparam> combines the functionality of the programs B<dh> and B<gendh> in previous versions of OpenSSL. The B<dh> and B<gendh> -programs are retained for now but may have different purposes in future +programs are retained for now but may have different purposes in future versions of OpenSSL. =head1 NOTES
diff --git a/doc/apps/dsa.pod b/doc/apps/dsa.pod index 1f0e5dd..3a244cf 100644 --- a/doc/apps/dsa.pod +++ b/doc/apps/dsa.pod
@@ -59,7 +59,7 @@ =item B<-outform DER|PEM> -This specifies the output format, the options have the same meaning as the +This specifies the output format, the options have the same meaning as the B<-inform> option. =item B<-in filename> @@ -149,7 +149,7 @@ openssl dsa -in key.pem -des3 -out keyout.pem -To convert a private key from PEM to DER format: +To convert a private key from PEM to DER format: openssl dsa -in key.pem -outform DER -out keyout.der
diff --git a/doc/apps/dsaparam.pod b/doc/apps/dsaparam.pod index 0a3727a..753f3b1 100644 --- a/doc/apps/dsaparam.pod +++ b/doc/apps/dsaparam.pod
@@ -41,7 +41,7 @@ =item B<-outform DER|PEM> -This specifies the output format, the options have the same meaning as the +This specifies the output format, the options have the same meaning as the B<-inform> option. =item B<-in filename>
diff --git a/doc/apps/ec.pod b/doc/apps/ec.pod index 738b718..c1b6bb0 100644 --- a/doc/apps/ec.pod +++ b/doc/apps/ec.pod
@@ -31,7 +31,7 @@ =head1 DESCRIPTION The B<ec> command processes EC keys. They can be converted between various -forms and their components printed out. B<Note> OpenSSL uses the +forms and their components printed out. B<Note> OpenSSL uses the private key format specified in 'SEC 1: Elliptic Curve Cryptography' (http://www.secg.org/). To convert an OpenSSL EC private key into the PKCS#8 private key format use the B<pkcs8> command. @@ -55,7 +55,7 @@ =item B<-outform DER|PEM> -This specifies the output format, the options have the same meaning as the +This specifies the output format, the options have the same meaning as the B<-inform> option. =item B<-in filename> @@ -83,7 +83,7 @@ =item B<-des|-des3|-idea> -These options encrypt the private key with the DES, triple DES, IDEA or +These options encrypt the private key with the DES, triple DES, IDEA or any other cipher supported by OpenSSL before outputting it. A pass phrase is prompted for. If none of these options is specified the key is written in plain text. This @@ -130,7 +130,7 @@ This specifies how the elliptic curve parameters are encoded. Possible value are: B<named_curve>, i.e. the ec parameters are specified by an OID, or B<explicit> where the ec parameters are -explicitly given (see RFC 3279 for the definition of the +explicitly given (see RFC 3279 for the definition of the EC parameters structures). The default value is B<named_curve>. B<Note> the B<implicitlyCA> alternative ,as specified in RFC 3279, is currently not implemented in OpenSSL. @@ -170,7 +170,7 @@ openssl ec -in key.pem -des3 -out keyout.pem -To convert a private key from PEM to DER format: +To convert a private key from PEM to DER format: openssl ec -in key.pem -outform DER -out keyout.der
diff --git a/doc/apps/ecparam.pod b/doc/apps/ecparam.pod index fb0181f..a41e005 100644 --- a/doc/apps/ecparam.pod +++ b/doc/apps/ecparam.pod
@@ -41,12 +41,12 @@ This specifies the input format. The B<DER> option uses an ASN.1 DER encoded form compatible with RFC 3279 EcpkParameters. The PEM form is the default -format: it consists of the B<DER> format base64 encoded with additional +format: it consists of the B<DER> format base64 encoded with additional header and footer lines. =item B<-outform DER|PEM> -This specifies the output format, the options have the same meaning as the +This specifies the output format, the options have the same meaning as the B<-inform> option. =item B<-in filename> @@ -102,7 +102,7 @@ This specifies how the elliptic curve parameters are encoded. Possible value are: B<named_curve>, i.e. the ec parameters are specified by an OID, or B<explicit> where the ec parameters are -explicitly given (see RFC 3279 for the definition of the +explicitly given (see RFC 3279 for the definition of the EC parameters structures). The default value is B<named_curve>. B<Note> the B<implicitlyCA> alternative ,as specified in RFC 3279, is currently not implemented in OpenSSL. @@ -141,7 +141,7 @@ -----END EC PARAMETERS----- OpenSSL is currently not able to generate new groups and therefore -B<ecparam> can only create EC parameters from known (named) curves. +B<ecparam> can only create EC parameters from known (named) curves. =head1 EXAMPLES
diff --git a/doc/apps/enc.pod b/doc/apps/enc.pod index 3b58aeb..7abd980 100644 --- a/doc/apps/enc.pod +++ b/doc/apps/enc.pod
@@ -257,7 +257,7 @@ desx DESX algorithm. gost89 GOST 28147-89 in CFB mode (provided by ccgost engine) - gost89-cnt `GOST 28147-89 in CNT mode (provided by ccgost engine) + gost89-cnt `GOST 28147-89 in CNT mode (provided by ccgost engine) idea-cbc IDEA algorithm in CBC mode idea same as idea-cbc @@ -283,13 +283,13 @@ rc5-ecb RC5 cipher in ECB mode rc5-ofb RC5 cipher in OFB mode - aes-[128|192|256]-cbc 128/192/256 bit AES in CBC mode - aes[128|192|256] Alias for aes-[128|192|256]-cbc - aes-[128|192|256]-cfb 128/192/256 bit AES in 128 bit CFB mode - aes-[128|192|256]-cfb1 128/192/256 bit AES in 1 bit CFB mode - aes-[128|192|256]-cfb8 128/192/256 bit AES in 8 bit CFB mode - aes-[128|192|256]-ecb 128/192/256 bit AES in ECB mode - aes-[128|192|256]-ofb 128/192/256 bit AES in OFB mode + aes-[128|192|256]-cbc 128/192/256 bit AES in CBC mode + aes[128|192|256] Alias for aes-[128|192|256]-cbc + aes-[128|192|256]-cfb 128/192/256 bit AES in 128 bit CFB mode + aes-[128|192|256]-cfb1 128/192/256 bit AES in 1 bit CFB mode + aes-[128|192|256]-cfb8 128/192/256 bit AES in 8 bit CFB mode + aes-[128|192|256]-ecb 128/192/256 bit AES in ECB mode + aes-[128|192|256]-ofb 128/192/256 bit AES in OFB mode =head1 EXAMPLES @@ -299,11 +299,11 @@ Decode the same file - openssl base64 -d -in file.b64 -out file.bin + openssl base64 -d -in file.b64 -out file.bin Encrypt a file using triple DES in CBC mode using a prompted password: - openssl des3 -salt -in file.txt -out file.des3 + openssl des3 -salt -in file.txt -out file.des3 Decrypt a file using a supplied password:
diff --git a/doc/apps/engine.pod b/doc/apps/engine.pod index 59c4234..32274df 100644 --- a/doc/apps/engine.pod +++ b/doc/apps/engine.pod
@@ -1,4 +1,3 @@ - =pod =head1 NAME @@ -52,6 +51,7 @@ Displays an error trace for any unavailable engine. =item B<-pre> I<command> + =item B<-post> I<command> Command-line configuration of engines.
diff --git a/doc/apps/errstr.pod b/doc/apps/errstr.pod index 4349de1..fea95f8 100644 --- a/doc/apps/errstr.pod +++ b/doc/apps/errstr.pod
@@ -11,7 +11,7 @@ =head1 DESCRIPTION Sometimes an application will not load error message and only -numerical forms will be available. The B<errstr> utility can be used to +numerical forms will be available. The B<errstr> utility can be used to display the meaning of the hex code. The hex code is the hex digits after the second colon. @@ -22,7 +22,7 @@ 27594:error:2006D080:lib(32):func(109):reason(128):bss_file.c:107: can be displayed with: - + openssl errstr 2006D080 to produce the error message:
diff --git a/doc/apps/genpkey.pod b/doc/apps/genpkey.pod index 204ab2a..5d61b73 100644 --- a/doc/apps/genpkey.pod +++ b/doc/apps/genpkey.pod
@@ -213,12 +213,12 @@ Generate a 2048 bit RSA key using 3 as the public exponent: openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \ - -pkeyopt rsa_keygen_pubexp:3 + -pkeyopt rsa_keygen_pubexp:3 Generate 1024 bit DSA parameters: openssl genpkey -genparam -algorithm DSA -out dsap.pem \ - -pkeyopt dsa_paramgen_bits:1024 + -pkeyopt dsa_paramgen_bits:1024 Generate DSA key from parameters: @@ -227,7 +227,7 @@ Generate 1024 bit DH parameters: openssl genpkey -genparam -algorithm DH -out dhp.pem \ - -pkeyopt dh_paramgen_prime_len:1024 + -pkeyopt dh_paramgen_prime_len:1024 Output RFC5114 2048 bit DH parameters with 224 bit subgroup: @@ -240,8 +240,8 @@ Generate EC parameters: openssl genpkey -genparam -algorithm EC -out ecp.pem \ - -pkeyopt ec_paramgen_curve:secp384r1 \ - -pkeyopt ec_param_enc:named_curve + -pkeyopt ec_paramgen_curve:secp384r1 \ + -pkeyopt ec_param_enc:named_curve Generate EC key from parameters: @@ -250,8 +250,8 @@ Generate EC key directly: openssl genpkey -algorithm EC -out eckey.pem \ - -pkeyopt ec_paramgen_curve:P-384 \ - -pkeyopt ec_param_enc:named_curve + -pkeyopt ec_paramgen_curve:P-384 \ + -pkeyopt ec_param_enc:named_curve =head1 HISTORY
diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index 1d50d4b..6004794 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod
@@ -337,13 +337,13 @@ =item B<-nrequest number> -The OCSP server will exit after receiving B<number> requests, default unlimited. +The OCSP server will exit after receiving B<number> requests, default unlimited. =item B<-nmin minutes>, B<-ndays days> Number of minutes or days when fresh revocation information is available: used in the -B<nextUpdate> field. If neither option is present then the B<nextUpdate> field is -omitted meaning fresh revocation information is immediately available. +B<nextUpdate> field. If neither option is present then the B<nextUpdate> field +is omitted meaning fresh revocation information is immediately available. =back @@ -413,7 +413,7 @@ openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der -Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the +Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the response to a file, print it out in text form, and verify the response: openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \ @@ -427,7 +427,7 @@ responder certificate. All requests and responses are printed to a file. openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem - -text -out log.txt + -text -out log.txt As above but exit after processing one request:
diff --git a/doc/apps/openssl.pod b/doc/apps/openssl.pod index a3bb8f0..46d0bb1 100644 --- a/doc/apps/openssl.pod +++ b/doc/apps/openssl.pod
@@ -1,4 +1,3 @@ - =pod =head1 NAME
diff --git a/doc/apps/pkcs12.pod b/doc/apps/pkcs12.pod index f64669c..012d09c 100644 --- a/doc/apps/pkcs12.pod +++ b/doc/apps/pkcs12.pod
@@ -1,4 +1,3 @@ - =pod =head1 NAME @@ -337,7 +336,7 @@ openssl pkcs12 -in file.p12 -clcerts -out file.pem Don't encrypt the private key: - + openssl pkcs12 -in file.p12 -out file.pem -nodes Print some info about a PKCS#12 file:
diff --git a/doc/apps/pkcs7.pod b/doc/apps/pkcs7.pod index 81354e2..abbcab2 100644 --- a/doc/apps/pkcs7.pod +++ b/doc/apps/pkcs7.pod
@@ -37,7 +37,7 @@ =item B<-outform DER|PEM> -This specifies the output format, the options have the same meaning as the +This specifies the output format, the options have the same meaning as the B<-inform> option. =item B<-in filename> @@ -100,7 +100,7 @@ There is no option to print out all the fields of a PKCS#7 file. -This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC2315 they +This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC2315 they cannot currently parse, for example, the new CMS as described in RFC2630. =head1 SEE ALSO
diff --git a/doc/apps/pkey.pod b/doc/apps/pkey.pod index ddc2b58..fd564c4 100644 --- a/doc/apps/pkey.pod +++ b/doc/apps/pkey.pod
@@ -1,4 +1,3 @@ - =pod =head1 NAME @@ -42,7 +41,7 @@ =item B<-outform DER|PEM> -This specifies the output format, the options have the same meaning as the +This specifies the output format, the options have the same meaning as the B<-inform> option. =item B<-in filename> @@ -76,7 +75,7 @@ =item B<-text> prints out the various public or private key components in -plain text in addition to the encoded version. +plain text in addition to the encoded version. =item B<-text_pub> @@ -116,7 +115,7 @@ openssl pkey -in key.pem -des3 -out keyout.pem -To convert a private key from PEM to DER format: +To convert a private key from PEM to DER format: openssl pkey -in key.pem -outform DER -out keyout.der @@ -135,7 +134,7 @@ =head1 SEE ALSO L<genpkey(1)>, L<rsa(1)>, L<pkcs8(1)>, -L<dsa(1)>, L<genrsa(1)>, L<gendsa(1)> +L<dsa(1)>, L<genrsa(1)>, L<gendsa(1)> =cut
diff --git a/doc/apps/pkeyparam.pod b/doc/apps/pkeyparam.pod index 153871d..7472de0 100644 --- a/doc/apps/pkeyparam.pod +++ b/doc/apps/pkeyparam.pod
@@ -1,4 +1,3 @@ - =pod =head1 NAME @@ -40,7 +39,7 @@ =item B<-text> -prints out the parameters in plain text in addition to the encoded version. +prints out the parameters in plain text in addition to the encoded version. =item B<-noout> @@ -69,7 +68,7 @@ =head1 SEE ALSO L<genpkey(1)>, L<rsa(1)>, L<pkcs8(1)>, -L<dsa(1)>, L<genrsa(1)>, L<gendsa(1)> +L<dsa(1)>, L<genrsa(1)>, L<gendsa(1)> =cut
diff --git a/doc/apps/pkeyutl.pod b/doc/apps/pkeyutl.pod index e937a87..73818db 100644 --- a/doc/apps/pkeyutl.pod +++ b/doc/apps/pkeyutl.pod
@@ -84,11 +84,11 @@ =item B<-pubin> -the input file is a public key. +the input file is a public key. =item B<-certin> -the input is a certificate containing a public key. +the input is a certificate containing a public key. =item B<-rev> @@ -198,7 +198,7 @@ PKCS#1 padding, B<sslv23> for SSLv23 padding, B<none> for no padding, B<oaep> for B<OAEP> mode, B<x931> for X9.31 mode and B<pss> for PSS. -In PKCS#1 padding if the message digest is not set then the supplied data is +In PKCS#1 padding if the message digest is not set then the supplied data is signed or verified directly instead of using a B<DigestInfo> structure. If a digest is set then the a B<DigestInfo> structure is used and its the length must correspond to the digest type.
diff --git a/doc/apps/req.pod b/doc/apps/req.pod index acfbb25..e98d3a4 100644 --- a/doc/apps/req.pod +++ b/doc/apps/req.pod
@@ -1,4 +1,3 @@ - =pod =head1 NAME @@ -70,7 +69,7 @@ =item B<-outform DER|PEM> -This specifies the output format, the options have the same meaning as the +This specifies the output format, the options have the same meaning as the B<-inform> option. =item B<-in filename> @@ -257,7 +256,7 @@ =item B<-utf8> -this option causes field values to be interpreted as UTF8 strings, by +this option causes field values to be interpreted as UTF8 strings, by default they are interpreted as ASCII. This means that the field values, whether prompted from a terminal or obtained from a configuration file, must be valid UTF8 strings. @@ -272,7 +271,7 @@ =item B<-reqopt> customise the output format used with B<-text>. The B<option> argument can be -a single option or multiple options separated by commas. +a single option or multiple options separated by commas. See discussion of the B<-certopt> parameter in the L<x509(1)> command. @@ -342,7 +341,7 @@ This specifies a file containing additional B<OBJECT IDENTIFIERS>. Each line of the file should consist of the numerical form of the object identifier followed by white space then the short name followed -by white space and finally the long name. +by white space and finally the long name. =item B<oid_section> @@ -376,7 +375,7 @@ fields. Most users will not need to change this option. It can be set to several values B<default> which is also the default -option uses PrintableStrings, T61Strings and BMPStrings if the +option uses PrintableStrings, T61Strings and BMPStrings if the B<pkix> value is used then only PrintableStrings and BMPStrings will be used. This follows the PKIX recommendation in RFC2459. If the B<utf8only> option is used then only UTF8Strings will be used: this @@ -388,7 +387,7 @@ this specifies the configuration file section containing a list of extensions to add to the certificate request. It can be overridden -by the B<-reqexts> command line switch. See the +by the B<-reqexts> command line switch. See the L<x509v3_config(5)> manual page for details of the extension section format. @@ -499,8 +498,8 @@ Example of a file pointed to by the B<oid_file> option: - 1.2.3.4 shortName A longer Name - 1.2.3.6 otherName Other longer Name + 1.2.3.4 shortName A longer Name + 1.2.3.6 otherName Other longer Name Example of a section pointed to by B<oid_section> making use of variable expansion: @@ -511,34 +510,34 @@ Sample configuration file prompting for field values: [ req ] - default_bits = 2048 - default_keyfile = privkey.pem - distinguished_name = req_distinguished_name - attributes = req_attributes - req_extensions = v3_ca + default_bits = 2048 + default_keyfile = privkey.pem + distinguished_name = req_distinguished_name + attributes = req_attributes + req_extensions = v3_ca dirstring_type = nobmp [ req_distinguished_name ] - countryName = Country Name (2 letter code) - countryName_default = AU - countryName_min = 2 - countryName_max = 2 + countryName = Country Name (2 letter code) + countryName_default = AU + countryName_min = 2 + countryName_max = 2 - localityName = Locality Name (eg, city) + localityName = Locality Name (eg, city) - organizationalUnitName = Organizational Unit Name (eg, section) + organizationalUnitName = Organizational Unit Name (eg, section) - commonName = Common Name (eg, YOUR name) - commonName_max = 64 + commonName = Common Name (eg, YOUR name) + commonName_max = 64 - emailAddress = Email Address - emailAddress_max = 40 + emailAddress = Email Address + emailAddress_max = 40 [ req_attributes ] - challengePassword = A challenge password - challengePassword_min = 4 - challengePassword_max = 20 + challengePassword = A challenge password + challengePassword_min = 4 + challengePassword_max = 20 [ v3_ca ] @@ -549,27 +548,27 @@ Sample configuration containing all field values: - RANDFILE = $ENV::HOME/.rnd + RANDFILE = $ENV::HOME/.rnd [ req ] - default_bits = 2048 - default_keyfile = keyfile.pem - distinguished_name = req_distinguished_name - attributes = req_attributes - prompt = no - output_password = mypass + default_bits = 2048 + default_keyfile = keyfile.pem + distinguished_name = req_distinguished_name + attributes = req_attributes + prompt = no + output_password = mypass [ req_distinguished_name ] - C = GB - ST = Test State or Province - L = Test Locality - O = Organization Name - OU = Organizational Unit Name - CN = Common Name - emailAddress = test@email.address + C = GB + ST = Test State or Province + L = Test Locality + O = Organization Name + OU = Organizational Unit Name + CN = Common Name + emailAddress = test@email.address [ req_attributes ] - challengePassword = A challenge password + challengePassword = A challenge password =head1 NOTES @@ -596,13 +595,13 @@ The following messages are frequently asked about: - Using configuration from /some/path/openssl.cnf - Unable to load config info + Using configuration from /some/path/openssl.cnf + Unable to load config info This is followed some time later by... - unable to find 'distinguished_name' in config - problems making Certificate Request + unable to find 'distinguished_name' in config + problems making Certificate Request The first error message is the clue: it can't find the configuration file! Certain operations (like examining a certificate request) don't @@ -652,7 +651,7 @@ L<x509(1)>, L<ca(1)>, L<genrsa(1)>, L<gendsa(1)>, L<config(5)>, -L<x509v3_config(5)> +L<x509v3_config(5)> =cut
diff --git a/doc/apps/rsa.pod b/doc/apps/rsa.pod index e216bac..9be51f9 100644 --- a/doc/apps/rsa.pod +++ b/doc/apps/rsa.pod
@@ -1,4 +1,3 @@ - =pod =head1 NAME @@ -61,7 +60,7 @@ =item B<-outform DER|NET|PEM> -This specifies the output format, the options have the same meaning as the +This specifies the output format, the options have the same meaning as the B<-inform> option. =item B<-in filename> @@ -100,7 +99,7 @@ =item B<-text> prints out the various public or private key components in -plain text in addition to the encoded version. +plain text in addition to the encoded version. =item B<-noout> @@ -176,7 +175,7 @@ openssl rsa -in key.pem -des3 -out keyout.pem -To convert a private key from PEM to DER format: +To convert a private key from PEM to DER format: openssl rsa -in key.pem -outform DER -out keyout.der @@ -203,7 +202,7 @@ =head1 SEE ALSO L<pkcs8(1)>, L<dsa(1)>, L<genrsa(1)>, -L<gendsa(1)> +L<gendsa(1)> =cut
diff --git a/doc/apps/rsautl.pod b/doc/apps/rsautl.pod index 94c5dce..3fb2e40 100644 --- a/doc/apps/rsautl.pod +++ b/doc/apps/rsautl.pod
@@ -61,7 +61,7 @@ =item B<-certin> -the input is a certificate containing an RSA public key. +the input is a certificate containing an RSA public key. =item B<-sign> @@ -136,24 +136,24 @@ openssl asn1parse -in pca-cert.pem - 0:d=0 hl=4 l= 742 cons: SEQUENCE - 4:d=1 hl=4 l= 591 cons: SEQUENCE - 8:d=2 hl=2 l= 3 cons: cont [ 0 ] + 0:d=0 hl=4 l= 742 cons: SEQUENCE + 4:d=1 hl=4 l= 591 cons: SEQUENCE + 8:d=2 hl=2 l= 3 cons: cont [ 0 ] 10:d=3 hl=2 l= 1 prim: INTEGER :02 13:d=2 hl=2 l= 1 prim: INTEGER :00 - 16:d=2 hl=2 l= 13 cons: SEQUENCE + 16:d=2 hl=2 l= 13 cons: SEQUENCE 18:d=3 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption - 29:d=3 hl=2 l= 0 prim: NULL - 31:d=2 hl=2 l= 92 cons: SEQUENCE - 33:d=3 hl=2 l= 11 cons: SET - 35:d=4 hl=2 l= 9 cons: SEQUENCE + 29:d=3 hl=2 l= 0 prim: NULL + 31:d=2 hl=2 l= 92 cons: SEQUENCE + 33:d=3 hl=2 l= 11 cons: SET + 35:d=4 hl=2 l= 9 cons: SEQUENCE 37:d=5 hl=2 l= 3 prim: OBJECT :countryName 42:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AU .... - 599:d=1 hl=2 l= 13 cons: SEQUENCE + 599:d=1 hl=2 l= 13 cons: SEQUENCE 601:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption - 612:d=2 hl=2 l= 0 prim: NULL - 614:d=1 hl=3 l= 129 prim: BIT STRING + 612:d=2 hl=2 l= 0 prim: NULL + 614:d=1 hl=3 l= 129 prim: BIT STRING The final BIT STRING contains the actual signature. It can be extracted with: @@ -161,18 +161,18 @@ openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614 The certificate public key can be extracted with: - + openssl x509 -in test/testx509.pem -pubkey -noout >pubkey.pem The signature can be analysed with: openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin - 0:d=0 hl=2 l= 32 cons: SEQUENCE - 2:d=1 hl=2 l= 12 cons: SEQUENCE + 0:d=0 hl=2 l= 32 cons: SEQUENCE + 2:d=1 hl=2 l= 12 cons: SEQUENCE 4:d=2 hl=2 l= 8 prim: OBJECT :md5 - 14:d=2 hl=2 l= 0 prim: NULL - 16:d=1 hl=2 l= 16 prim: OCTET STRING + 14:d=2 hl=2 l= 0 prim: NULL + 16:d=1 hl=2 l= 16 prim: OCTET STRING 0000 - f3 46 9e aa 1a 4a 73 c9-37 ea 93 00 48 25 08 b5 .F...Js.7...H%.. This is the parsed version of an ASN1 DigestInfo structure. It can be seen that
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index 029da4f..0021983 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod
@@ -1,4 +1,3 @@ - =pod =head1 NAME @@ -416,7 +415,7 @@ =item B<-no_ticket> -disable RFC4507bis session ticket support. +disable RFC4507bis session ticket support. =item B<-sess_out filename> @@ -444,7 +443,7 @@ =item B<-serverinfo types> -a list of comma-separated TLS Extension Types (numbers between 0 and +a list of comma-separated TLS Extension Types (numbers between 0 and 65535). Each type will be sent as an empty ClientHello TLS Extension. The server's response (if any) will be encoded and displayed as a PEM file.
diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index 6417451..d7ddb74 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod
@@ -1,4 +1,3 @@ - =pod =head1 NAME
diff --git a/doc/apps/s_time.pod b/doc/apps/s_time.pod index d8ef3c4..5a4381e 100644 --- a/doc/apps/s_time.pod +++ b/doc/apps/s_time.pod
@@ -1,4 +1,3 @@ - =pod =head1 NAME
diff --git a/doc/apps/sess_id.pod b/doc/apps/sess_id.pod index dbfc19d..3eed13f 100644 --- a/doc/apps/sess_id.pod +++ b/doc/apps/sess_id.pod
@@ -1,4 +1,3 @@ - =pod =head1 NAME @@ -57,7 +56,7 @@ =item B<-text> prints out the various public or private key components in -plain text in addition to the encoded version. +plain text in addition to the encoded version. =item B<-cert>
diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod index 4dc7378..1d25a41 100644 --- a/doc/apps/smime.pod +++ b/doc/apps/smime.pod
@@ -170,7 +170,7 @@ this option adds plain text (text/plain) MIME headers to the supplied message if encrypting or signing. If decrypting or verifying it strips -off text headers: if the decrypted or verified message is not of MIME +off text headers: if the decrypted or verified message is not of MIME type text/plain then an error occurs. =item B<-CAfile file> @@ -201,7 +201,7 @@ the encryption algorithm to use. For example DES (56 bits) - B<-des>, triple DES (168 bits) - B<-des3>, -EVP_get_cipherbyname() function) can also be used preceded by a dash, for +EVP_get_cipherbyname() function) can also be used preceded by a dash, for example B<-aes-128-cbc>. See L<B<enc>|enc(1)> for list of ciphers supported by your version of OpenSSL. @@ -301,7 +301,7 @@ =item B<cert.pem...> one or more certificates of message recipients: used when encrypting -a message. +a message. =item B<-to, -from, -subject> @@ -398,29 +398,29 @@ Create a cleartext signed message: openssl smime -sign -in message.txt -text -out mail.msg \ - -signer mycert.pem + -signer mycert.pem Create an opaque signed message: openssl smime -sign -in message.txt -text -out mail.msg -nodetach \ - -signer mycert.pem + -signer mycert.pem Create a signed message, include some additional certificates and read the private key from another file: openssl smime -sign -in in.txt -text -out mail.msg \ - -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem + -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem Create a signed message with two signers: openssl smime -sign -in message.txt -text -out mail.msg \ - -signer mycert.pem -signer othercert.pem + -signer mycert.pem -signer othercert.pem Send a signed message under Unix directly to sendmail, including headers: openssl smime -sign -in in.txt -text -signer mycert.pem \ - -from steve@openssl.org -to someone@somewhere \ - -subject "Signed message" | sendmail someone@somewhere + -from steve@openssl.org -to someone@somewhere \ + -subject "Signed message" | sendmail someone@somewhere Verify a message and extract the signer's certificate if successful: @@ -429,15 +429,15 @@ Send encrypted mail using triple DES: openssl smime -encrypt -in in.txt -from steve@openssl.org \ - -to someone@somewhere -subject "Encrypted message" \ - -des3 user.pem -out mail.msg + -to someone@somewhere -subject "Encrypted message" \ + -des3 user.pem -out mail.msg Sign and encrypt mail: openssl smime -sign -in ml.txt -signer my.pem -text \ - | openssl smime -encrypt -out mail.msg \ - -from steve@openssl.org -to someone@somewhere \ - -subject "Signed and Encrypted message" -des3 user.pem + | openssl smime -encrypt -out mail.msg \ + -from steve@openssl.org -to someone@somewhere \ + -subject "Signed and Encrypted message" -des3 user.pem Note: the encryption command does not include the B<-text> option because the message being encrypted already has MIME headers. @@ -454,7 +454,7 @@ -----BEGIN PKCS7----- -----END PKCS7----- -and using the command: +and using the command: openssl smime -verify -inform PEM -in signature.pem -content content.txt
diff --git a/doc/apps/ts.pod b/doc/apps/ts.pod index dc41003..0f41a15 100644 --- a/doc/apps/ts.pod +++ b/doc/apps/ts.pod
@@ -522,13 +522,13 @@ without nonce and policy and no certificate is required in the response: openssl ts -query -data design1.txt -no_nonce \ - -out design1.tsq + -out design1.tsq To create a similar time stamp request with specifying the message imprint explicitly: openssl ts -query -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \ - -no_nonce -out design1.tsq + -no_nonce -out design1.tsq To print the content of the previous request in human readable format: @@ -540,7 +540,7 @@ OID section of the config file): openssl ts -query -data design2.txt -md5 \ - -tspolicy tsa_policy1 -cert -out design2.tsq + -tspolicy tsa_policy1 -cert -out design2.tsq =head2 Time Stamp Response @@ -557,7 +557,7 @@ To create a time stamp response for a request: openssl ts -reply -queryfile design1.tsq -inkey tsakey.pem \ - -signer tsacert.pem -out design1.tsr + -signer tsacert.pem -out design1.tsr If you want to use the settings in the config file you could just write: @@ -589,20 +589,20 @@ To verify a time stamp reply against a request: openssl ts -verify -queryfile design1.tsq -in design1.tsr \ - -CAfile cacert.pem -untrusted tsacert.pem + -CAfile cacert.pem -untrusted tsacert.pem To verify a time stamp reply that includes the certificate chain: openssl ts -verify -queryfile design2.tsq -in design2.tsr \ - -CAfile cacert.pem + -CAfile cacert.pem To verify a time stamp token against the original data file: openssl ts -verify -data design2.txt -in design2.tsr \ - -CAfile cacert.pem + -CAfile cacert.pem To verify a time stamp token against a message imprint: openssl ts -verify -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \ - -in design2.tsr -CAfile cacert.pem + -in design2.tsr -CAfile cacert.pem You could also look at the 'test' directory for more examples.
diff --git a/doc/apps/tsget.pod b/doc/apps/tsget.pod index 7f30b71..e325697 100644 --- a/doc/apps/tsget.pod +++ b/doc/apps/tsget.pod
@@ -33,15 +33,15 @@ The tool sends the following HTTP request for each time stamp request: - POST url HTTP/1.1 - User-Agent: OpenTSA tsget.pl/<version> - Host: <host>:<port> - Pragma: no-cache - Content-Type: application/timestamp-query - Accept: application/timestamp-reply - Content-Length: length of body + POST url HTTP/1.1 + User-Agent: OpenTSA tsget.pl/<version> + Host: <host>:<port> + Pragma: no-cache + Content-Type: application/timestamp-query + Accept: application/timestamp-reply + Content-Length: length of body - ...binary request specified by the user... + ...binary request specified by the user... B<tsget> expects a response of type application/timestamp-reply, which is written to a file without any interpretation. @@ -142,7 +142,7 @@ and at port 8443 for HTTPS requests, the TSA service is available at the /tsa absolute path. -Get a time stamp response for file1.tsq over HTTP, output is written to +Get a time stamp response for file1.tsq over HTTP, output is written to file1.tsr: tsget -h http://tsa.opentsa.org:8080/tsa file1.tsq @@ -151,40 +151,40 @@ progress, output is written to file1.reply and file2.reply respectively: tsget -h http://tsa.opentsa.org:8080/tsa -v -e .reply \ - file1.tsq file2.tsq + file1.tsq file2.tsq Create a time stamp request, write it to file3.tsq, send it to the server and write the response to file3.tsr: openssl ts -query -data file3.txt -cert | tee file3.tsq \ - | tsget -h http://tsa.opentsa.org:8080/tsa \ - -o file3.tsr + | tsget -h http://tsa.opentsa.org:8080/tsa \ + -o file3.tsr Get a time stamp response for file1.tsq over HTTPS without client authentication: tsget -h https://tsa.opentsa.org:8443/tsa \ - -C cacerts.pem file1.tsq + -C cacerts.pem file1.tsq Get a time stamp response for file1.tsq over HTTPS with certificate-based client authentication (it will ask for the passphrase if client_key.pem is protected): tsget -h https://tsa.opentsa.org:8443/tsa -C cacerts.pem \ - -k client_key.pem -c client_cert.pem file1.tsq + -k client_key.pem -c client_cert.pem file1.tsq You can shorten the previous command line if you make use of the B<TSGET> environment variable. The following commands do the same as the previous example: TSGET='-h https://tsa.opentsa.org:8443/tsa -C cacerts.pem \ - -k client_key.pem -c client_cert.pem' + -k client_key.pem -c client_cert.pem' export TSGET tsget file1.tsq =head1 SEE ALSO -L<openssl(1)>, L<ts(1)>, L<curl(1)>, +L<openssl(1)>, L<ts(1)>, L<curl(1)>, B<RFC 3161> =cut
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index 17dce23..f42b806 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod
@@ -148,8 +148,8 @@ =item B<-no_check_time> -This option suppresses checking the validity period of certificates and CRLs -against the current time. If option B<-attime timestamp> is used to specify +This option suppresses checking the validity period of certificates and CRLs +against the current time. If option B<-attime timestamp> is used to specify a verification time, the check is not suppressed. =item B<-partial_chain>
diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod index ce6f5f7..eb6d06d 100644 --- a/doc/apps/x509.pod +++ b/doc/apps/x509.pod
@@ -1,4 +1,3 @@ - =pod =head1 NAME @@ -93,7 +92,7 @@ =item B<-outform DER|PEM|NET> -This specifies the output format, the options have the same meaning as the +This specifies the output format, the options have the same meaning as the B<-inform> option. =item B<-in filename> @@ -322,7 +321,7 @@ =item B<-signkey filename> this option causes the input file to be self signed using the supplied -private key. +private key. If the input file is a certificate it sets the issuer name to the subject name (i.e. makes it self signed) changes the public key to the @@ -403,7 +402,7 @@ use the serial number is incremented and written out to the file again. The default filename consists of the CA certificate file base name with -".srl" appended. For example if the CA certificate file is called +".srl" appended. For example if the CA certificate file is called "mycacert.pem" it expects to find a serial number file called "mycacert.srl". =item B<-CAcreateserial> @@ -707,20 +706,20 @@ extensions for a CA: openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \ - -signkey key.pem -out cacert.pem + -signkey key.pem -out cacert.pem Sign a certificate request using the CA certificate above and add user certificate extensions: openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \ - -CA cacert.pem -CAkey key.pem -CAcreateserial + -CA cacert.pem -CAkey key.pem -CAcreateserial Set a certificate to be trusted for SSL client use and change set its alias to "Steve's Class 1 CA" openssl x509 -in cert.pem -addtrust clientAuth \ - -setalias "Steve's Class 1 CA" -out trust.pem + -setalias "Steve's Class 1 CA" -out trust.pem =head1 NOTES @@ -854,7 +853,7 @@ The extended key usage extension must be absent or include the "email protection" OID. Netscape certificate type must be absent or must have the S/MIME CA bit set: this is used as a work around if the basicConstraints -extension is absent. +extension is absent. =item B<CRL Signing> @@ -884,7 +883,7 @@ L<req(1)>, L<ca(1)>, L<genrsa(1)>, L<gendsa(1)>, L<verify(1)>, -L<x509v3_config(5)> +L<x509v3_config(5)> =head1 HISTORY @@ -892,7 +891,7 @@ before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding of the distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical version of the DN using SHA1. This means that any directories using -the old form must have their links rebuilt using B<c_rehash> or similar. +the old form must have their links rebuilt using B<c_rehash> or similar. =cut
diff --git a/doc/apps/x509v3_config.pod b/doc/apps/x509v3_config.pod index ec96e2f..10967b9 100644 --- a/doc/apps/x509v3_config.pod +++ b/doc/apps/x509v3_config.pod
@@ -108,19 +108,19 @@ While any OID can be used only certain values make sense. In particular the following PKIX, NS and MS values are meaningful: - Value Meaning - ----- ------- - serverAuth SSL/TLS Web Server Authentication. - clientAuth SSL/TLS Web Client Authentication. - codeSigning Code signing. - emailProtection E-mail Protection (S/MIME). - timeStamping Trusted Timestamping - OCSPSigning OCSP Signing - ipsecIKE ipsec Internet Key Exchnage - msCodeInd Microsoft Individual Code Signing (authenticode) - msCodeCom Microsoft Commercial Code Signing (authenticode) - msCTLSign Microsoft Trust List Signing - msEFS Microsoft Encrypted File System + Value Meaning + ----- ------- + serverAuth SSL/TLS Web Server Authentication. + clientAuth SSL/TLS Web Client Authentication. + codeSigning Code signing. + emailProtection E-mail Protection (S/MIME). + timeStamping Trusted Timestamping + OCSPSigning OCSP Signing + ipsecIKE ipsec Internet Key Exchnage + msCodeInd Microsoft Individual Code Signing (authenticode) + msCodeCom Microsoft Commercial Code Signing (authenticode) + msCTLSign Microsoft Trust List Signing + msEFS Microsoft Encrypted File System Examples:
diff --git a/doc/crypto/ASN1_STRING_length.pod b/doc/crypto/ASN1_STRING_length.pod index 9fcf6bd..96d7c69 100644 --- a/doc/crypto/ASN1_STRING_length.pod +++ b/doc/crypto/ASN1_STRING_length.pod
@@ -72,8 +72,6 @@ Similar care should be take to ensure the data is in the correct format when calling ASN1_STRING_set(). -=head1 RETURN VALUES - =head1 SEE ALSO L<ERR_get_error(3)>
diff --git a/doc/crypto/ASN1_STRING_print_ex.pod b/doc/crypto/ASN1_STRING_print_ex.pod index 77ddb5e..4f85dbf 100644 --- a/doc/crypto/ASN1_STRING_print_ex.pod +++ b/doc/crypto/ASN1_STRING_print_ex.pod
@@ -30,7 +30,7 @@ ASN1_STRING_print() is a legacy function which should be avoided in new applications. -Although there are a large number of options frequently B<ASN1_STRFLGS_RFC2253> is +Although there are a large number of options frequently B<ASN1_STRFLGS_RFC2253> is suitable, or on UTF8 terminals B<ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB>. The complete set of supported options for B<flags> is listed below. @@ -75,7 +75,7 @@ one byte per character, if B<ASN1_STRFLGS_DUMP_UNKNOWN> is set then they will be dumped instead. -When a type is dumped normally just the content octets are printed, if +When a type is dumped normally just the content octets are printed, if B<ASN1_STRFLGS_DUMP_DER> is set then the complete encoding is dumped instead (including tag and length octets).
diff --git a/doc/crypto/ASN1_TIME_set.pod b/doc/crypto/ASN1_TIME_set.pod index ae73c9b..f314a27 100644 --- a/doc/crypto/ASN1_TIME_set.pod +++ b/doc/crypto/ASN1_TIME_set.pod
@@ -100,7 +100,7 @@ int day, sec; if (!ASN1_TIME_diff(&day, &sec, NULL, to)) - /* Invalid time format */ + /* Invalid time format */ if (day > 0 || sec > 0) printf("Later\n");
diff --git a/doc/crypto/ASN1_generate_nconf.pod b/doc/crypto/ASN1_generate_nconf.pod index fcdc768..32fc918 100644 --- a/doc/crypto/ASN1_generate_nconf.pod +++ b/doc/crypto/ASN1_generate_nconf.pod
@@ -52,7 +52,7 @@ This encodes a boolean type. The B<value> string is mandatory and should be B<TRUE> or B<FALSE>. Additionally B<TRUE>, B<true>, B<Y>, B<y>, B<YES>, B<yes>, B<FALSE>, B<false>, B<N>, B<n>, B<NO> and B<no> -are acceptable. +are acceptable. =item B<NULL> @@ -78,12 +78,12 @@ =item B<UTCTIME>, B<UTC> Encodes an ASN1 B<UTCTime> structure, the value should be in -the format B<YYMMDDHHMMSSZ>. +the format B<YYMMDDHHMMSSZ>. =item B<GENERALIZEDTIME>, B<GENTIME> Encodes an ASN1 B<GeneralizedTime> structure, the value should be in -the format B<YYYYMMDDHHMMSSZ>. +the format B<YYYYMMDDHHMMSSZ>. =item B<OCTETSTRING>, B<OCT>
diff --git a/doc/crypto/ASYNC_start_job.pod b/doc/crypto/ASYNC_start_job.pod index 4551bc0..621dafb 100644 --- a/doc/crypto/ASYNC_start_job.pod +++ b/doc/crypto/ASYNC_start_job.pod
@@ -267,7 +267,7 @@ /* Wait for the job to be woken */ printf("Waiting for the job to be woken up\n"); - + if (!ASYNC_WAIT_CTX_get_all_fds(ctx, NULL, &numfds) || numfds > 1) { printf("Unexpected number of fds\n");
diff --git a/doc/crypto/BIO_ctrl.pod b/doc/crypto/BIO_ctrl.pod index 27ca3c9..e3e2feb 100644 --- a/doc/crypto/BIO_ctrl.pod +++ b/doc/crypto/BIO_ctrl.pod
@@ -13,7 +13,7 @@ long BIO_ctrl(BIO *bp,int cmd,long larg,void *parg); long BIO_callback_ctrl(BIO *b, int cmd, void (*fp)(struct bio_st *, int, const char *, int, long, long)); - char * BIO_ptr_ctrl(BIO *bp,int cmd,long larg); + char * BIO_ptr_ctrl(BIO *bp,int cmd,long larg); long BIO_int_ctrl(BIO *bp,int cmd,long larg,int iarg); int BIO_reset(BIO *b); @@ -94,7 +94,7 @@ =head1 NOTES BIO_flush(), because it can write data may return 0 or -1 indicating -that the call should be retried later in a similar manner to BIO_write(). +that the call should be retried later in a similar manner to BIO_write(). The BIO_should_retry() call should be used and appropriate action taken is the call fails. @@ -121,7 +121,7 @@ Some of the return values are ambiguous and care should be taken. In particular a return value of 0 can be returned if an operation is not supported, if an error occurred, if EOF has not been reached and in -the case of BIO_seek() on a file BIO for a successful operation. +the case of BIO_seek() on a file BIO for a successful operation. =head1 SEE ALSO
diff --git a/doc/crypto/BIO_f_base64.pod b/doc/crypto/BIO_f_base64.pod index 8e2cb8d..9172a91 100644 --- a/doc/crypto/BIO_f_base64.pod +++ b/doc/crypto/BIO_f_base64.pod
@@ -9,7 +9,7 @@ #include <openssl/bio.h> #include <openssl/evp.h> - const BIO_METHOD * BIO_f_base64(void); + const BIO_METHOD * BIO_f_base64(void); =head1 DESCRIPTION @@ -17,7 +17,7 @@ BIO that base64 encodes any data written through it and decodes any data read through it. -Base64 BIOs do not support BIO_gets() or BIO_puts(). +Base64 BIOs do not support BIO_gets() or BIO_puts(). BIO_flush() on a base64 BIO that is being written through is used to signal that no more data is to be encoded: this is used @@ -63,8 +63,8 @@ bio = BIO_new_fp(stdin, BIO_NOCLOSE); bio_out = BIO_new_fp(stdout, BIO_NOCLOSE); BIO_push(b64, bio); - while((inlen = BIO_read(b64, inbuf, 512)) > 0) - BIO_write(bio_out, inbuf, inlen); + while((inlen = BIO_read(b64, inbuf, 512)) > 0) + BIO_write(bio_out, inbuf, inlen); BIO_flush(bio_out); BIO_free_all(b64);
diff --git a/doc/crypto/BIO_f_cipher.pod b/doc/crypto/BIO_f_cipher.pod index 866438f..6cc4efa 100644 --- a/doc/crypto/BIO_f_cipher.pod +++ b/doc/crypto/BIO_f_cipher.pod
@@ -9,9 +9,9 @@ #include <openssl/bio.h> #include <openssl/evp.h> - const BIO_METHOD * BIO_f_cipher(void); + const BIO_METHOD *BIO_f_cipher(void); void BIO_set_cipher(BIO *b,const EVP_CIPHER *cipher, - unsigned char *key, unsigned char *iv, int enc); + unsigned char *key, unsigned char *iv, int enc); int BIO_get_cipher_status(BIO *b) int BIO_get_cipher_ctx(BIO *b, EVP_CIPHER_CTX **pctx) @@ -22,7 +22,7 @@ read from it. It is a BIO wrapper for the cipher routines EVP_CipherInit(), EVP_CipherUpdate() and EVP_CipherFinal(). -Cipher BIOs do not support BIO_gets() or BIO_puts(). +Cipher BIOs do not support BIO_gets() or BIO_puts(). BIO_flush() on an encryption BIO that is being written through is used to signal that no more data is to be encrypted: this is used
diff --git a/doc/crypto/BIO_f_md.pod b/doc/crypto/BIO_f_md.pod index 6a90e70..2ad8a94 100644 --- a/doc/crypto/BIO_f_md.pod +++ b/doc/crypto/BIO_f_md.pod
@@ -9,7 +9,7 @@ #include <openssl/bio.h> #include <openssl/evp.h> - const BIO_METHOD * BIO_f_md(void); + const BIO_METHOD * BIO_f_md(void); int BIO_set_md(BIO *b,EVP_MD *md); int BIO_get_md(BIO *b,EVP_MD **mdp); int BIO_get_md_ctx(BIO *b,EVP_MD_CTX **mdcp); @@ -103,7 +103,7 @@ BIO_set_md(mdtmp, EVP_md5()); bio = BIO_push(mdtmp, bio); do { - rdlen = BIO_read(bio, buf, sizeof(buf)); + rdlen = BIO_read(bio, buf, sizeof(buf)); /* Might want to do something with the data here */ } while(rdlen > 0); @@ -114,17 +114,17 @@ unsigned char mdbuf[EVP_MAX_MD_SIZE]; int mdlen; int i; - mdtmp = bio; /* Assume bio has previously been set up */ + mdtmp = bio; /* Assume bio has previously been set up */ do { - EVP_MD *md; - mdtmp = BIO_find_type(mdtmp, BIO_TYPE_MD); + EVP_MD *md; + mdtmp = BIO_find_type(mdtmp, BIO_TYPE_MD); if(!mdtmp) break; - BIO_get_md(mdtmp, &md); + BIO_get_md(mdtmp, &md); printf("%s digest", OBJ_nid2sn(EVP_MD_type(md))); - mdlen = BIO_gets(mdtmp, mdbuf, EVP_MAX_MD_SIZE); - for(i = 0; i < mdlen; i++) printf(":%02X", mdbuf[i]); - printf("\n"); - mdtmp = BIO_next(mdtmp); + mdlen = BIO_gets(mdtmp, mdbuf, EVP_MAX_MD_SIZE); + for(i = 0; i < mdlen; i++) printf(":%02X", mdbuf[i]); + printf("\n"); + mdtmp = BIO_next(mdtmp); } while(mdtmp); BIO_free_all(bio);
diff --git a/doc/crypto/BIO_f_null.pod b/doc/crypto/BIO_f_null.pod index e34eb52..afbb2a3 100644 --- a/doc/crypto/BIO_f_null.pod +++ b/doc/crypto/BIO_f_null.pod
@@ -8,7 +8,7 @@ #include <openssl/bio.h> - const BIO_METHOD * BIO_f_null(void); + const BIO_METHOD * BIO_f_null(void); =head1 DESCRIPTION
diff --git a/doc/crypto/BIO_f_ssl.pod b/doc/crypto/BIO_f_ssl.pod index d452610..e96b887 100644 --- a/doc/crypto/BIO_f_ssl.pod +++ b/doc/crypto/BIO_f_ssl.pod
@@ -14,15 +14,15 @@ const BIO_METHOD *BIO_f_ssl(void); - #define BIO_set_ssl(b,ssl,c) BIO_ctrl(b,BIO_C_SET_SSL,c,(char *)ssl) - #define BIO_get_ssl(b,sslp) BIO_ctrl(b,BIO_C_GET_SSL,0,(char *)sslp) - #define BIO_set_ssl_mode(b,client) BIO_ctrl(b,BIO_C_SSL_MODE,client,NULL) + #define BIO_set_ssl(b,ssl,c) BIO_ctrl(b,BIO_C_SET_SSL,c,(char *)ssl) + #define BIO_get_ssl(b,sslp) BIO_ctrl(b,BIO_C_GET_SSL,0,(char *)sslp) + #define BIO_set_ssl_mode(b,client) BIO_ctrl(b,BIO_C_SSL_MODE,client,NULL) #define BIO_set_ssl_renegotiate_bytes(b,num) \ - BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_BYTES,num,NULL); + BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_BYTES,num,NULL); #define BIO_set_ssl_renegotiate_timeout(b,seconds) \ - BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT,seconds,NULL); + BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT,seconds,NULL); #define BIO_get_num_renegotiates(b) \ - BIO_ctrl(b,BIO_C_SET_SSL_NUM_RENEGOTIATES,0,NULL); + BIO_ctrl(b,BIO_C_SET_SSL_NUM_RENEGOTIATES,0,NULL); BIO *BIO_new_ssl(SSL_CTX *ctx,int client); BIO *BIO_new_ssl_connect(SSL_CTX *ctx); @@ -30,13 +30,13 @@ int BIO_ssl_copy_session_id(BIO *to,BIO *from); void BIO_ssl_shutdown(BIO *bio); - #define BIO_do_handshake(b) BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL) + #define BIO_do_handshake(b) BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL) =head1 DESCRIPTION BIO_f_ssl() returns the SSL BIO method. This is a filter BIO which is a wrapper round the OpenSSL SSL routines adding a BIO "flavour" to -SSL I/O. +SSL I/O. I/O performed on an SSL BIO communicates using the SSL protocol with the SSLs read and write BIOs. If an SSL connection is not established @@ -63,7 +63,7 @@ is 1 client mode is set. If B<client> is 0 server mode is set. BIO_set_ssl_renegotiate_bytes() sets the renegotiate byte count -to B<num>. When set after every B<num> bytes of I/O (read and write) +to B<num>. When set after every B<num> bytes of I/O (read and write) the SSL session is automatically renegotiated. B<num> must be at least 512 bytes. @@ -84,7 +84,7 @@ of a buffering BIO, an SSL BIO (using B<ctx>) and a connect BIO. -BIO_ssl_copy_session_id() copies an SSL session id between +BIO_ssl_copy_session_id() copies an SSL session id between BIO chains B<from> and B<to>. It does this by locating the SSL BIOs in each chain and calling SSL_copy_session_id() on the internal SSL pointer. @@ -170,24 +170,24 @@ out = BIO_new_fp(stdout, BIO_NOCLOSE); if(BIO_do_connect(sbio) <= 0) { - fprintf(stderr, "Error connecting to server\n"); - ERR_print_errors_fp(stderr); - /* whatever ... */ + fprintf(stderr, "Error connecting to server\n"); + ERR_print_errors_fp(stderr); + /* whatever ... */ } if(BIO_do_handshake(sbio) <= 0) { - fprintf(stderr, "Error establishing SSL connection\n"); - ERR_print_errors_fp(stderr); - /* whatever ... */ + fprintf(stderr, "Error establishing SSL connection\n"); + ERR_print_errors_fp(stderr); + /* whatever ... */ } /* Could examine ssl here to get connection info */ BIO_puts(sbio, "GET / HTTP/1.0\n\n"); - for(;;) { - len = BIO_read(sbio, tmpbuf, 1024); - if(len <= 0) break; - BIO_write(out, tmpbuf, len); + for(;;) { + len = BIO_read(sbio, tmpbuf, 1024); + if(len <= 0) break; + BIO_write(out, tmpbuf, len); } BIO_free_all(sbio); BIO_free(out); @@ -208,12 +208,12 @@ ctx = SSL_CTX_new(TLS_server_method()); if (!SSL_CTX_use_certificate_file(ctx,"server.pem",SSL_FILETYPE_PEM) - || !SSL_CTX_use_PrivateKey_file(ctx,"server.pem",SSL_FILETYPE_PEM) - || !SSL_CTX_check_private_key(ctx)) { + || !SSL_CTX_use_PrivateKey_file(ctx,"server.pem",SSL_FILETYPE_PEM) + || !SSL_CTX_check_private_key(ctx)) { - fprintf(stderr, "Error setting up SSL_CTX\n"); - ERR_print_errors_fp(stderr); - return 0; + fprintf(stderr, "Error setting up SSL_CTX\n"); + ERR_print_errors_fp(stderr); + return 0; } /* Might do other things here like setting verify locations and @@ -245,25 +245,25 @@ /* By doing this when a new connection is established * we automatically have sbio inserted into it. The * BIO chain is now 'swallowed' by the accept BIO and - * will be freed when the accept BIO is freed. + * will be freed when the accept BIO is freed. */ - + BIO_set_accept_bios(acpt,sbio); out = BIO_new_fp(stdout, BIO_NOCLOSE); /* Setup accept BIO */ if(BIO_do_accept(acpt) <= 0) { - fprintf(stderr, "Error setting up accept BIO\n"); - ERR_print_errors_fp(stderr); - return 0; + fprintf(stderr, "Error setting up accept BIO\n"); + ERR_print_errors_fp(stderr); + return 0; } /* Now wait for incoming connection */ if(BIO_do_accept(acpt) <= 0) { - fprintf(stderr, "Error in connection\n"); - ERR_print_errors_fp(stderr); - return 0; + fprintf(stderr, "Error in connection\n"); + ERR_print_errors_fp(stderr); + return 0; } /* We only want one connection so remove and free @@ -275,9 +275,9 @@ BIO_free_all(acpt); if(BIO_do_handshake(sbio) <= 0) { - fprintf(stderr, "Error in SSL handshake\n"); - ERR_print_errors_fp(stderr); - return 0; + fprintf(stderr, "Error in SSL handshake\n"); + ERR_print_errors_fp(stderr); + return 0; } BIO_puts(sbio, "HTTP/1.0 200 OK\r\nContent-type: text/plain\r\n\r\n"); @@ -285,12 +285,12 @@ BIO_puts(sbio, "--------------------------------------------------\r\n"); for(;;) { - len = BIO_gets(sbio, tmpbuf, 1024); + len = BIO_gets(sbio, tmpbuf, 1024); if(len <= 0) break; - BIO_write(sbio, tmpbuf, len); - BIO_write(out, tmpbuf, len); - /* Look for blank line signifying end of headers*/ - if((tmpbuf[0] == '\r') || (tmpbuf[0] == '\n')) break; + BIO_write(sbio, tmpbuf, len); + BIO_write(out, tmpbuf, len); + /* Look for blank line signifying end of headers*/ + if((tmpbuf[0] == '\r') || (tmpbuf[0] == '\n')) break; } BIO_puts(sbio, "--------------------------------------------------\r\n");
diff --git a/doc/crypto/BIO_find_type.pod b/doc/crypto/BIO_find_type.pod index 7905809..dbc0b92 100644 --- a/doc/crypto/BIO_find_type.pod +++ b/doc/crypto/BIO_find_type.pod
@@ -8,35 +8,35 @@ #include <openssl/bio.h> - BIO * BIO_find_type(BIO *b,int bio_type); - BIO * BIO_next(BIO *b); + BIO * BIO_find_type(BIO *b,int bio_type); + BIO * BIO_next(BIO *b); - #define BIO_method_type(b) ((b)->method->type) + #define BIO_method_type(b) ((b)->method->type) - #define BIO_TYPE_NONE 0 - #define BIO_TYPE_MEM (1|0x0400) - #define BIO_TYPE_FILE (2|0x0400) + #define BIO_TYPE_NONE 0 + #define BIO_TYPE_MEM (1|0x0400) + #define BIO_TYPE_FILE (2|0x0400) - #define BIO_TYPE_FD (4|0x0400|0x0100) - #define BIO_TYPE_SOCKET (5|0x0400|0x0100) - #define BIO_TYPE_NULL (6|0x0400) - #define BIO_TYPE_SSL (7|0x0200) - #define BIO_TYPE_MD (8|0x0200) - #define BIO_TYPE_BUFFER (9|0x0200) - #define BIO_TYPE_CIPHER (10|0x0200) - #define BIO_TYPE_BASE64 (11|0x0200) - #define BIO_TYPE_CONNECT (12|0x0400|0x0100) - #define BIO_TYPE_ACCEPT (13|0x0400|0x0100) - #define BIO_TYPE_PROXY_CLIENT (14|0x0200) - #define BIO_TYPE_PROXY_SERVER (15|0x0200) - #define BIO_TYPE_NBIO_TEST (16|0x0200) - #define BIO_TYPE_NULL_FILTER (17|0x0200) - #define BIO_TYPE_BER (18|0x0200) - #define BIO_TYPE_BIO (19|0x0400) + #define BIO_TYPE_FD (4|0x0400|0x0100) + #define BIO_TYPE_SOCKET (5|0x0400|0x0100) + #define BIO_TYPE_NULL (6|0x0400) + #define BIO_TYPE_SSL (7|0x0200) + #define BIO_TYPE_MD (8|0x0200) + #define BIO_TYPE_BUFFER (9|0x0200) + #define BIO_TYPE_CIPHER (10|0x0200) + #define BIO_TYPE_BASE64 (11|0x0200) + #define BIO_TYPE_CONNECT (12|0x0400|0x0100) + #define BIO_TYPE_ACCEPT (13|0x0400|0x0100) + #define BIO_TYPE_PROXY_CLIENT (14|0x0200) + #define BIO_TYPE_PROXY_SERVER (15|0x0200) + #define BIO_TYPE_NBIO_TEST (16|0x0200) + #define BIO_TYPE_NULL_FILTER (17|0x0200) + #define BIO_TYPE_BER (18|0x0200) + #define BIO_TYPE_BIO (19|0x0400) - #define BIO_TYPE_DESCRIPTOR 0x0100 - #define BIO_TYPE_FILTER 0x0200 - #define BIO_TYPE_SOURCE_SINK 0x0400 + #define BIO_TYPE_DESCRIPTOR 0x0100 + #define BIO_TYPE_FILTER 0x0200 + #define BIO_TYPE_SOURCE_SINK 0x0400 =head1 DESCRIPTION @@ -68,15 +68,15 @@ Traverse a chain looking for digest BIOs: BIO *btmp; - btmp = in_bio; /* in_bio is chain to search through */ + btmp = in_bio; /* in_bio is chain to search through */ do { - btmp = BIO_find_type(btmp, BIO_TYPE_MD); - if(btmp == NULL) break; /* Not found */ - /* btmp is a digest BIO, do something with it ...*/ - ... + btmp = BIO_find_type(btmp, BIO_TYPE_MD); + if(btmp == NULL) break; /* Not found */ + /* btmp is a digest BIO, do something with it ...*/ + ... - btmp = BIO_next(btmp); + btmp = BIO_next(btmp); } while(btmp);
diff --git a/doc/crypto/BIO_get_ex_new_index.pod b/doc/crypto/BIO_get_ex_new_index.pod index 55bc10b..153b86a 100644 --- a/doc/crypto/BIO_get_ex_new_index.pod +++ b/doc/crypto/BIO_get_ex_new_index.pod
@@ -23,9 +23,9 @@ #include <openssl/x509.h> int X509_get_ex_new_index(long argl, void *argp, - CRYPTO_EX_new *new_func, - CRYPTO_EX_dup *dup_func, - CRYPTO_EX_free *free_func); + CRYPTO_EX_new *new_func, + CRYPTO_EX_dup *dup_func, + CRYPTO_EX_free *free_func); int X509_set_ex_data(X509 *d, int idx, void *arg);
diff --git a/doc/crypto/BIO_new.pod b/doc/crypto/BIO_new.pod index 0d84cdd..b4a5615 100644 --- a/doc/crypto/BIO_new.pod +++ b/doc/crypto/BIO_new.pod
@@ -8,12 +8,12 @@ #include <openssl/bio.h> - BIO * BIO_new(const BIO_METHOD *type); - int BIO_set(BIO *a,const BIO_METHOD *type); - int BIO_up_ref(BIO *a); - int BIO_free(BIO *a); - void BIO_vfree(BIO *a); - void BIO_free_all(BIO *a); + BIO * BIO_new(const BIO_METHOD *type); + int BIO_set(BIO *a,const BIO_METHOD *type); + int BIO_up_ref(BIO *a); + int BIO_free(BIO *a); + void BIO_vfree(BIO *a); + void BIO_free_all(BIO *a); =head1 DESCRIPTION
diff --git a/doc/crypto/BIO_new_CMS.pod b/doc/crypto/BIO_new_CMS.pod index a1c66b9..057b066 100644 --- a/doc/crypto/BIO_new_CMS.pod +++ b/doc/crypto/BIO_new_CMS.pod
@@ -2,7 +2,7 @@ =head1 NAME - BIO_new_CMS - CMS streaming filter BIO +BIO_new_CMS - CMS streaming filter BIO =head1 SYNOPSIS
diff --git a/doc/crypto/BIO_parse_hostserv.pod b/doc/crypto/BIO_parse_hostserv.pod index 55b7572..4cbae08 100644 --- a/doc/crypto/BIO_parse_hostserv.pod +++ b/doc/crypto/BIO_parse_hostserv.pod
@@ -42,23 +42,18 @@ The returned values will depend on the given B<hostserv> string and B<hostserv_prio>, as follows: -=for comment -The following is ONE verbatim block. To make sure it's rendered as -one block and not several, the blank lines in between have one space. -They should be left as is. - host + ':' + service => *host = "host", *service = "service" host + ':' + '*' => *host = "host", *service = NULL host + ':' => *host = "host", *service = NULL ':' + service => *host = NULL, *service = "service" '*' + ':' + service => *host = NULL, *service = "service" - + in case no ':' is present in the string, the result depends on hostserv_prio, as follows: - + when hostserv_prio == BIO_PARSE_PRIO_HOST host => *host = "host", *service untouched - + when hostserv_prio == BIO_PARSE_PRIO_SERV service => *host untouched, *service = "service"
diff --git a/doc/crypto/BIO_read.pod b/doc/crypto/BIO_read.pod index c2d7cee..57a5c8d 100644 --- a/doc/crypto/BIO_read.pod +++ b/doc/crypto/BIO_read.pod
@@ -8,10 +8,10 @@ #include <openssl/bio.h> - int BIO_read(BIO *b, void *buf, int len); - int BIO_gets(BIO *b, char *buf, int size); - int BIO_write(BIO *b, const void *buf, int len); - int BIO_puts(BIO *b, const char *buf); + int BIO_read(BIO *b, void *buf, int len); + int BIO_gets(BIO *b, char *buf, int size); + int BIO_write(BIO *b, const void *buf, int len); + int BIO_puts(BIO *b, const char *buf); =head1 DESCRIPTION
diff --git a/doc/crypto/BIO_s_accept.pod b/doc/crypto/BIO_s_accept.pod index 9d17fa1..7919620 100644 --- a/doc/crypto/BIO_s_accept.pod +++ b/doc/crypto/BIO_s_accept.pod
@@ -23,9 +23,9 @@ long BIO_set_bind_mode(BIO *b, long mode); long BIO_get_bind_mode(BIO *b); - #define BIO_BIND_NORMAL 0 - #define BIO_BIND_REUSEADDR_IF_UNUSED 1 - #define BIO_BIND_REUSEADDR 2 + #define BIO_BIND_NORMAL 0 + #define BIO_BIND_REUSEADDR_IF_UNUSED 1 + #define BIO_BIND_REUSEADDR 2 int BIO_do_accept(BIO *b); @@ -75,7 +75,7 @@ BIO_set_accept_bios() can be used to set a chain of BIOs which will be duplicated and prepended to the chain when an incoming -connection is received. This is useful if, for example, a +connection is received. This is useful if, for example, a buffering or SSL BIO is required for each connection. The chain of BIOs must not be freed after this call, they will be automatically freed when the accept BIO is freed. @@ -165,16 +165,16 @@ /* First call to BIO_accept() sets up accept BIO */ if(BIO_do_accept(abio) <= 0) { - fprintf(stderr, "Error setting up accept\n"); - ERR_print_errors_fp(stderr); - exit(0); + fprintf(stderr, "Error setting up accept\n"); + ERR_print_errors_fp(stderr); + exit(0); } /* Wait for incoming connection */ if(BIO_do_accept(abio) <= 0) { - fprintf(stderr, "Error accepting connection\n"); - ERR_print_errors_fp(stderr); - exit(0); + fprintf(stderr, "Error accepting connection\n"); + ERR_print_errors_fp(stderr); + exit(0); } fprintf(stderr, "Connection 1 established\n"); /* Retrieve BIO for connection */ @@ -183,9 +183,9 @@ fprintf(stderr, "Sent out data on connection 1\n"); /* Wait for another connection */ if(BIO_do_accept(abio) <= 0) { - fprintf(stderr, "Error accepting connection\n"); - ERR_print_errors_fp(stderr); - exit(0); + fprintf(stderr, "Error accepting connection\n"); + ERR_print_errors_fp(stderr); + exit(0); } fprintf(stderr, "Connection 2 established\n"); /* Close accept BIO to refuse further connections */
diff --git a/doc/crypto/BIO_s_bio.pod b/doc/crypto/BIO_s_bio.pod index 655e03e..c5c8ea2 100644 --- a/doc/crypto/BIO_s_bio.pod +++ b/doc/crypto/BIO_s_bio.pod
@@ -2,7 +2,7 @@ =head1 NAME -BIO_s_bio, BIO_make_bio_pair, BIO_destroy_bio_pair, BIO_shutdown_wr, +BIO_s_bio, BIO_make_bio_pair, BIO_destroy_bio_pair, BIO_shutdown_wr, BIO_set_write_buf_size, BIO_get_write_buf_size, BIO_new_bio_pair, BIO_get_write_guarantee, BIO_ctrl_get_write_guarantee, BIO_get_read_request, BIO_ctrl_get_read_request, BIO_ctrl_reset_read_request - BIO pair BIO @@ -65,7 +65,7 @@ BIO_shutdown_wr() is used to close down a BIO B<b>. After this call no further writes on BIO B<b> are allowed (they will return an error). Reads on the other half of the pair will return any pending data or EOF when all pending data has -been read. +been read. BIO_set_write_buf_size() sets the write buffer size of BIO B<b> to B<size>. If the size is not initialized a default value is used. This is currently @@ -159,7 +159,7 @@ socket ... - SSL_free(ssl); /* implicitly frees internal_bio */ + SSL_free(ssl); /* implicitly frees internal_bio */ BIO_free(network_bio); ...
diff --git a/doc/crypto/BIO_s_connect.pod b/doc/crypto/BIO_s_connect.pod index 1748067..436ce33 100644 --- a/doc/crypto/BIO_s_connect.pod +++ b/doc/crypto/BIO_s_connect.pod
@@ -81,7 +81,7 @@ BIO_set_nbio() sets the non blocking I/O flag to B<n>. If B<n> is zero then blocking I/O is set. If B<n> is 1 then non blocking I/O is set. Blocking I/O is the default. The call to BIO_set_nbio() -should be made before the connection is established because +should be made before the connection is established because non blocking I/O is set during the connect process. BIO_new_connect() combines BIO_new() and BIO_set_conn_hostname() into @@ -168,15 +168,15 @@ cbio = BIO_new_connect("localhost:http"); out = BIO_new_fp(stdout, BIO_NOCLOSE); if(BIO_do_connect(cbio) <= 0) { - fprintf(stderr, "Error connecting to server\n"); - ERR_print_errors_fp(stderr); - /* whatever ... */ - } + fprintf(stderr, "Error connecting to server\n"); + ERR_print_errors_fp(stderr); + /* whatever ... */ + } BIO_puts(cbio, "GET / HTTP/1.0\n\n"); - for(;;) { - len = BIO_read(cbio, tmpbuf, 1024); - if(len <= 0) break; - BIO_write(out, tmpbuf, len); + for(;;) { + len = BIO_read(cbio, tmpbuf, 1024); + if(len <= 0) break; + BIO_write(out, tmpbuf, len); } BIO_free(cbio); BIO_free(out);
diff --git a/doc/crypto/BIO_s_fd.pod b/doc/crypto/BIO_s_fd.pod index 7fc3895..289e691 100644 --- a/doc/crypto/BIO_s_fd.pod +++ b/doc/crypto/BIO_s_fd.pod
@@ -8,10 +8,10 @@ #include <openssl/bio.h> - const BIO_METHOD * BIO_s_fd(void); + const BIO_METHOD * BIO_s_fd(void); - #define BIO_set_fd(b,fd,c) BIO_int_ctrl(b,BIO_C_SET_FD,c,fd) - #define BIO_get_fd(b,c) BIO_ctrl(b,BIO_C_GET_FD,0,(char *)c) + #define BIO_set_fd(b,fd,c) BIO_int_ctrl(b,BIO_C_SET_FD,c,fd) + #define BIO_get_fd(b,c) BIO_ctrl(b,BIO_C_GET_FD,0,(char *)c) BIO *BIO_new_fd(int fd, int close_flag); @@ -46,7 +46,7 @@ =head1 NOTES The behaviour of BIO_read() and BIO_write() depends on the behavior of the -platforms read() and write() calls on the descriptor. If the underlying +platforms read() and write() calls on the descriptor. If the underlying file descriptor is in a non blocking mode then the BIO will behave in the manner described in the L<BIO_read(3)> and L<BIO_should_retry(3)> manual pages.
diff --git a/doc/crypto/BIO_s_file.pod b/doc/crypto/BIO_s_file.pod index eedd818..2007370 100644 --- a/doc/crypto/BIO_s_file.pod +++ b/doc/crypto/BIO_s_file.pod
@@ -10,7 +10,7 @@ #include <openssl/bio.h> - const BIO_METHOD * BIO_s_file(void); + const BIO_METHOD * BIO_s_file(void); BIO *BIO_new_file(const char *filename, const char *mode); BIO *BIO_new_fp(FILE *stream, int flags);
diff --git a/doc/crypto/BIO_s_mem.pod b/doc/crypto/BIO_s_mem.pod index 08c2f92..9348747 100644 --- a/doc/crypto/BIO_s_mem.pod +++ b/doc/crypto/BIO_s_mem.pod
@@ -9,8 +9,8 @@ #include <openssl/bio.h> - const BIO_METHOD * BIO_s_mem(void); - const BIO_METHOD * BIO_s_secmem(void); + const BIO_METHOD * BIO_s_mem(void); + const BIO_METHOD * BIO_s_secmem(void); BIO_set_mem_eof_return(BIO *b,int v) long BIO_get_mem_data(BIO *b, char **pp) @@ -21,7 +21,7 @@ =head1 DESCRIPTION -BIO_s_mem() return the memory BIO method function. +BIO_s_mem() return the memory BIO method function. A memory BIO is a source/sink BIO which uses memory for its I/O. Data written to a memory BIO is stored in a BUF_MEM structure which is extended @@ -41,7 +41,7 @@ Calling BIO_reset() on a read write memory BIO clears any data in it if the flag BIO_FLAGS_NONCLEAR_RST is not set. On a read only BIO or if the flag -BIO_FLAGS_NONCLEAR_RST is set it restores the BIO to its original state and +BIO_FLAGS_NONCLEAR_RST is set it restores the BIO to its original state and the data can be read again. BIO_eof() is true if no data is in the BIO. @@ -96,7 +96,7 @@ Create a memory BIO and write some data to it: BIO *mem = BIO_new(BIO_s_mem()); - BIO_puts(mem, "Hello World\n"); + BIO_puts(mem, "Hello World\n"); Create a read only memory BIO: @@ -110,7 +110,7 @@ BIO_get_mem_ptr(mem, &bptr); BIO_set_close(mem, BIO_NOCLOSE); /* So BIO_free() leaves BUF_MEM alone */ BIO_free(mem); - + =head1 SEE ALSO
diff --git a/doc/crypto/BIO_s_null.pod b/doc/crypto/BIO_s_null.pod index 82b60f7..7d78562 100644 --- a/doc/crypto/BIO_s_null.pod +++ b/doc/crypto/BIO_s_null.pod
@@ -8,7 +8,7 @@ #include <openssl/bio.h> - const BIO_METHOD * BIO_s_null(void); + const BIO_METHOD * BIO_s_null(void); =head1 DESCRIPTION
diff --git a/doc/crypto/BIO_set_callback.pod b/doc/crypto/BIO_set_callback.pod index 843e3fe..a7c52b8 100644 --- a/doc/crypto/BIO_set_callback.pod +++ b/doc/crypto/BIO_set_callback.pod
@@ -9,16 +9,16 @@ #include <openssl/bio.h> - #define BIO_set_callback(b,cb) ((b)->callback=(cb)) - #define BIO_get_callback(b) ((b)->callback) - #define BIO_set_callback_arg(b,arg) ((b)->cb_arg=(char *)(arg)) - #define BIO_get_callback_arg(b) ((b)->cb_arg) + #define BIO_set_callback(b,cb) ((b)->callback=(cb)) + #define BIO_get_callback(b) ((b)->callback) + #define BIO_set_callback_arg(b,arg) ((b)->cb_arg=(char *)(arg)) + #define BIO_get_callback_arg(b) ((b)->cb_arg) long BIO_debug_callback(BIO *bio,int cmd,const char *argp,int argi, - long argl,long ret); + long argl,long ret); typedef long (*callback)(BIO *b, int oper, const char *argp, - int argi, long argl, long retvalue); + int argi, long argl, long retvalue); =head1 DESCRIPTION
diff --git a/doc/crypto/BIO_should_retry.pod b/doc/crypto/BIO_should_retry.pod index 1e63ba5..dfc9757 100644 --- a/doc/crypto/BIO_should_retry.pod +++ b/doc/crypto/BIO_should_retry.pod
@@ -11,17 +11,17 @@ #include <openssl/bio.h> - #define BIO_should_read(a) ((a)->flags & BIO_FLAGS_READ) - #define BIO_should_write(a) ((a)->flags & BIO_FLAGS_WRITE) - #define BIO_should_io_special(a) ((a)->flags & BIO_FLAGS_IO_SPECIAL) - #define BIO_retry_type(a) ((a)->flags & BIO_FLAGS_RWS) - #define BIO_should_retry(a) ((a)->flags & BIO_FLAGS_SHOULD_RETRY) + #define BIO_should_read(a) ((a)->flags & BIO_FLAGS_READ) + #define BIO_should_write(a) ((a)->flags & BIO_FLAGS_WRITE) + #define BIO_should_io_special(a) ((a)->flags & BIO_FLAGS_IO_SPECIAL) + #define BIO_retry_type(a) ((a)->flags & BIO_FLAGS_RWS) + #define BIO_should_retry(a) ((a)->flags & BIO_FLAGS_SHOULD_RETRY) - #define BIO_FLAGS_READ 0x01 - #define BIO_FLAGS_WRITE 0x02 - #define BIO_FLAGS_IO_SPECIAL 0x04 + #define BIO_FLAGS_READ 0x01 + #define BIO_FLAGS_WRITE 0x02 + #define BIO_FLAGS_IO_SPECIAL 0x04 #define BIO_FLAGS_RWS (BIO_FLAGS_READ|BIO_FLAGS_WRITE|BIO_FLAGS_IO_SPECIAL) - #define BIO_FLAGS_SHOULD_RETRY 0x08 + #define BIO_FLAGS_SHOULD_RETRY 0x08 BIO *BIO_get_retry_BIO(BIO *bio, int *reason); int BIO_get_retry_reason(BIO *bio); @@ -53,7 +53,7 @@ these. BIO_get_retry_BIO() determines the precise reason for the special -condition, it returns the BIO that caused this condition and if +condition, it returns the BIO that caused this condition and if B<reason> is not NULL it contains the reason code. The meaning of the reason code and the action that should be taken depends on the type of BIO that resulted in this condition. @@ -99,7 +99,7 @@ conditions of several non blocking BIOs in a single select() call it is possible to service several BIOs in a single thread, though the performance may be poor if SSL BIOs are present because long delays -can occur during the initial handshake process. +can occur during the initial handshake process. It is possible for a BIO to block indefinitely if the underlying I/O structure cannot process or return any data. This depends on the behaviour of
diff --git a/doc/crypto/BN_BLINDING_new.pod b/doc/crypto/BN_BLINDING_new.pod index 405303f..e1e714f 100644 --- a/doc/crypto/BN_BLINDING_new.pod +++ b/doc/crypto/BN_BLINDING_new.pod
@@ -2,8 +2,8 @@ =head1 NAME -BN_BLINDING_new, BN_BLINDING_free, BN_BLINDING_update, BN_BLINDING_convert, -BN_BLINDING_invert, BN_BLINDING_convert_ex, BN_BLINDING_invert_ex, +BN_BLINDING_new, BN_BLINDING_free, BN_BLINDING_update, BN_BLINDING_convert, +BN_BLINDING_invert, BN_BLINDING_convert_ex, BN_BLINDING_invert_ex, BN_BLINDING_is_current_thread, BN_BLINDING_set_current_thread, BN_BLINDING_lock, BN_BLINDING_unlock, BN_BLINDING_get_flags, BN_BLINDING_set_flags, BN_BLINDING_create_param - blinding related BIGNUM functions. @@ -13,15 +13,15 @@ #include <openssl/bn.h> BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, - BIGNUM *mod); + BIGNUM *mod); void BN_BLINDING_free(BN_BLINDING *b); int BN_BLINDING_update(BN_BLINDING *b,BN_CTX *ctx); int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, - BN_CTX *ctx); + BN_CTX *ctx); int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, - BN_CTX *ctx); + BN_CTX *ctx); int BN_BLINDING_is_current_thread(BN_BLINDING *b); void BN_BLINDING_set_current_thread(BN_BLINDING *b); int BN_BLINDING_lock(BN_BLINDING *b); @@ -29,10 +29,10 @@ unsigned long BN_BLINDING_get_flags(const BN_BLINDING *); void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long); BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b, - const BIGNUM *e, BIGNUM *m, BN_CTX *ctx, - int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), - BN_MONT_CTX *m_ctx); + const BIGNUM *e, BIGNUM *m, BN_CTX *ctx, + int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), + BN_MONT_CTX *m_ctx); =head1 DESCRIPTION @@ -102,7 +102,7 @@ BN_BLINDING_get_flags() returns the currently set B<BN_BLINDING> flags (a B<unsigned long> value). -BN_BLINDING_create_param() returns the newly created B<BN_BLINDING> +BN_BLINDING_create_param() returns the newly created B<BN_BLINDING> parameters or NULL on error. =head1 SEE ALSO
diff --git a/doc/crypto/BN_generate_prime.pod b/doc/crypto/BN_generate_prime.pod index f33f006..346bfe8 100644 --- a/doc/crypto/BN_generate_prime.pod +++ b/doc/crypto/BN_generate_prime.pod
@@ -39,7 +39,7 @@ BIGNUM *BN_generate_prime(BIGNUM *ret, int num, int safe, BIGNUM *add, BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg); - int BN_is_prime(const BIGNUM *a, int checks, void (*callback)(int, int, + int BN_is_prime(const BIGNUM *a, int checks, void (*callback)(int, int, void *), BN_CTX *ctx, void *cb_arg); int BN_is_prime_fasttest(const BIGNUM *a, int checks,
diff --git a/doc/crypto/CMS_add0_cert.pod b/doc/crypto/CMS_add0_cert.pod index 0099c5e..af4de60 100644 --- a/doc/crypto/CMS_add0_cert.pod +++ b/doc/crypto/CMS_add0_cert.pod
@@ -20,7 +20,7 @@ =head1 DESCRIPTION CMS_add0_cert() and CMS_add1_cert() add certificate B<cert> to B<cms>. -must be of type signed data or enveloped data. +must be of type signed data or enveloped data. CMS_get1_certs() returns all certificates in B<cms>. @@ -46,7 +46,7 @@ =head1 RETURN VALUES CMS_add0_cert(), CMS_add1_cert() and CMS_add0_crl() and CMS_add1_crl() return -1 for success and 0 for failure. +1 for success and 0 for failure. CMS_get1_certs() and CMS_get1_crls() return the STACK of certificates or CRLs or NULL if there are none or an error occurs. The only error which will occur
diff --git a/doc/crypto/CMS_add1_recipient_cert.pod b/doc/crypto/CMS_add1_recipient_cert.pod index b72ccd4..2a87ef2 100644 --- a/doc/crypto/CMS_add1_recipient_cert.pod +++ b/doc/crypto/CMS_add1_recipient_cert.pod
@@ -2,7 +2,7 @@ =head1 NAME - CMS_add1_recipient_cert, CMS_add0_recipient_key - add recipients to a CMS enveloped data structure +CMS_add1_recipient_cert, CMS_add0_recipient_key - add recipients to a CMS enveloped data structure =head1 SYNOPSIS
diff --git a/doc/crypto/CMS_add1_signer.pod b/doc/crypto/CMS_add1_signer.pod index eda7ddd..f825c61 100644 --- a/doc/crypto/CMS_add1_signer.pod +++ b/doc/crypto/CMS_add1_signer.pod
@@ -2,7 +2,7 @@ =head1 NAME - CMS_add1_signer, CMS_SignerInfo_sign - add a signer to a CMS_ContentInfo signed data structure. +CMS_add1_signer, CMS_SignerInfo_sign - add a signer to a CMS_ContentInfo signed data structure. =head1 SYNOPSIS @@ -52,7 +52,7 @@ The returned CMS_ContentInfo structure will be valid and finalized when this flag is set. -If B<CMS_PARTIAL> is set in addition to B<CMS_REUSE_DIGEST> then the +If B<CMS_PARTIAL> is set in addition to B<CMS_REUSE_DIGEST> then the CMS_SignerInfo structure will not be finalized so additional attributes can be added. In this case an explicit call to CMS_SignerInfo_sign() is needed to finalize it. @@ -81,7 +81,7 @@ not loaded. CMS_add1_signer() returns an internal pointer to the CMS_SignerInfo -structure just added, this can be used to set additional attributes +structure just added, this can be used to set additional attributes before it is finalized. =head1 RETURN VALUES
diff --git a/doc/crypto/CMS_decrypt.pod b/doc/crypto/CMS_decrypt.pod index 62b7ad9..2437548 100644 --- a/doc/crypto/CMS_decrypt.pod +++ b/doc/crypto/CMS_decrypt.pod
@@ -2,7 +2,7 @@ =head1 NAME - CMS_decrypt - decrypt content from a CMS envelopedData structure +CMS_decrypt - decrypt content from a CMS envelopedData structure =head1 SYNOPSIS
diff --git a/doc/crypto/CMS_encrypt.pod b/doc/crypto/CMS_encrypt.pod index 4fc7fd8..df95d52 100644 --- a/doc/crypto/CMS_encrypt.pod +++ b/doc/crypto/CMS_encrypt.pod
@@ -2,7 +2,7 @@ =head1 NAME - CMS_encrypt - create a CMS envelopedData structure +CMS_encrypt - create a CMS envelopedData structure =head1 SYNOPSIS @@ -26,7 +26,7 @@ because most clients will support it. The algorithm passed in the B<cipher> parameter must support ASN1 encoding of -its parameters. +its parameters. Many browsers implement a "sign and encrypt" option which is simply an S/MIME envelopedData containing an S/MIME signed message. This can be readily produced
diff --git a/doc/crypto/CMS_final.pod b/doc/crypto/CMS_final.pod index f1038a7..2549421 100644 --- a/doc/crypto/CMS_final.pod +++ b/doc/crypto/CMS_final.pod
@@ -2,7 +2,7 @@ =head1 NAME - CMS_final - finalise a CMS_ContentInfo structure +CMS_final - finalise a CMS_ContentInfo structure =head1 SYNOPSIS @@ -14,7 +14,7 @@ CMS_final() finalises the structure B<cms>. It's purpose is to perform any operations necessary on B<cms> (digest computation for example) and set the -appropriate fields. The parameter B<data> contains the content to be +appropriate fields. The parameter B<data> contains the content to be processed. The B<dcont> parameter contains a BIO to write content to after processing: this is only used with detached data and will usually be set to NULL.
diff --git a/doc/crypto/CMS_get0_RecipientInfos.pod b/doc/crypto/CMS_get0_RecipientInfos.pod index f1a0a5e..41e8c0d 100644 --- a/doc/crypto/CMS_get0_RecipientInfos.pod +++ b/doc/crypto/CMS_get0_RecipientInfos.pod
@@ -34,7 +34,7 @@ CMS_RecipientInfo_ktri_get0_signer_id() retrieves the certificate recipient identifier associated with a specific CMS_RecipientInfo structure B<ri>, which must be of type CMS_RECIPINFO_TRANS. Either the keyidentifier will be set in -B<keyid> or B<both> issuer name and serial number in B<issuer> and B<sno>. +B<keyid> or B<both> issuer name and serial number in B<issuer> and B<sno>. CMS_RecipientInfo_ktri_cert_cmp() compares the certificate B<cert> against the CMS_RecipientInfo structure B<ri>, which must be of type CMS_RECIPINFO_TRANS.
diff --git a/doc/crypto/CMS_get0_SignerInfos.pod b/doc/crypto/CMS_get0_SignerInfos.pod index d48c262..e1c0559 100644 --- a/doc/crypto/CMS_get0_SignerInfos.pod +++ b/doc/crypto/CMS_get0_SignerInfos.pod
@@ -25,7 +25,7 @@ keyidentifier will be set in B<keyid> or B<both> issuer name and serial number in B<issuer> and B<sno>. -CMS_SignerInfo_get0_signature() retrieves the signature associated with +CMS_SignerInfo_get0_signature() retrieves the signature associated with B<si> in a pointer to an ASN1_OCTET_STRING structure. This pointer returned corresponds to the internal signature value if B<si> so it may be read or modified.
diff --git a/doc/crypto/CMS_get0_type.pod b/doc/crypto/CMS_get0_type.pod index 2cabd4a..df71e31 100644 --- a/doc/crypto/CMS_get0_type.pod +++ b/doc/crypto/CMS_get0_type.pod
@@ -2,7 +2,7 @@ =head1 NAME - CMS_get0_type, CMS_set1_eContentType, CMS_get0_eContentType, CMS_get0_content - get and set CMS content types and content +CMS_get0_type, CMS_set1_eContentType, CMS_get0_eContentType, CMS_get0_content - get and set CMS content types and content =head1 SYNOPSIS
diff --git a/doc/crypto/CMS_get1_ReceiptRequest.pod b/doc/crypto/CMS_get1_ReceiptRequest.pod index 2133cc9..1a5280e 100644 --- a/doc/crypto/CMS_get1_ReceiptRequest.pod +++ b/doc/crypto/CMS_get1_ReceiptRequest.pod
@@ -2,7 +2,7 @@ =head1 NAME - CMS_ReceiptRequest_create0, CMS_add1_ReceiptRequest, CMS_get1_ReceiptRequest, CMS_ReceiptRequest_get0_values - CMS signed receipt request functions. +CMS_ReceiptRequest_create0, CMS_add1_ReceiptRequest, CMS_get1_ReceiptRequest, CMS_ReceiptRequest_get0_values - CMS signed receipt request functions. =head1 SYNOPSIS @@ -45,7 +45,7 @@ =head1 RETURN VALUES -CMS_ReceiptRequest_create0() returns a signed receipt request structure or +CMS_ReceiptRequest_create0() returns a signed receipt request structure or NULL if an error occurred. CMS_add1_ReceiptRequest() returns 1 for success or 0 is an error occurred.
diff --git a/doc/crypto/CMS_sign.pod b/doc/crypto/CMS_sign.pod index 8615bbd..c34c2db 100644 --- a/doc/crypto/CMS_sign.pod +++ b/doc/crypto/CMS_sign.pod
@@ -2,7 +2,7 @@ =head1 NAME - CMS_sign - create a CMS SignedData structure +CMS_sign - create a CMS SignedData structure =head1 SYNOPSIS @@ -96,7 +96,7 @@ B<CMS_PARTIAL> flag set. Then one or more signers can be added using the function CMS_sign_add1_signer(), non default digests can be used and custom attributes added. CMS_final() must then be called to finalize the -structure if streaming is not enabled. +structure if streaming is not enabled. =head1 BUGS
diff --git a/doc/crypto/CMS_sign_receipt.pod b/doc/crypto/CMS_sign_receipt.pod index ff36cf0..b5d56a4 100644 --- a/doc/crypto/CMS_sign_receipt.pod +++ b/doc/crypto/CMS_sign_receipt.pod
@@ -2,7 +2,7 @@ =head1 NAME - CMS_sign_receipt - create a CMS signed receipt +CMS_sign_receipt - create a CMS signed receipt =head1 SYNOPSIS
diff --git a/doc/crypto/CMS_uncompress.pod b/doc/crypto/CMS_uncompress.pod index be15c10..3aa0ffb 100644 --- a/doc/crypto/CMS_uncompress.pod +++ b/doc/crypto/CMS_uncompress.pod
@@ -2,7 +2,7 @@ =head1 NAME - CMS_uncompress - uncompress a CMS CompressedData structure +CMS_uncompress - uncompress a CMS CompressedData structure =head1 SYNOPSIS
diff --git a/doc/crypto/CMS_verify.pod b/doc/crypto/CMS_verify.pod index 9772676..af48164 100644 --- a/doc/crypto/CMS_verify.pod +++ b/doc/crypto/CMS_verify.pod
@@ -67,7 +67,7 @@ If B<CMS_NO_SIGNER_CERT_VERIFY> is set the signing certificates are not verified. -If B<CMS_NO_ATTR_VERIFY> is set the signed attributes signature is not +If B<CMS_NO_ATTR_VERIFY> is set the signed attributes signature is not verified. If B<CMS_NO_CONTENT_VERIFY> is set then the content digest is not checked. @@ -81,13 +81,13 @@ signer cannot be found. In some cases the standard techniques for looking up and validating -certificates are not appropriate: for example an application may wish to +certificates are not appropriate: for example an application may wish to lookup certificates in a database or perform customised verification. This -can be achieved by setting and verifying the signers certificates manually +can be achieved by setting and verifying the signers certificates manually using the signed data utility functions. Care should be taken when modifying the default verify behaviour, for example -setting B<CMS_NO_CONTENT_VERIFY> will totally disable all content verification +setting B<CMS_NO_CONTENT_VERIFY> will totally disable all content verification and any modified content will be considered valid. This combination is however useful if one merely wishes to write the content to B<out> and its validity is not considered important.
diff --git a/doc/crypto/CMS_verify_receipt.pod b/doc/crypto/CMS_verify_receipt.pod index 56d45d1..bf82f1f 100644 --- a/doc/crypto/CMS_verify_receipt.pod +++ b/doc/crypto/CMS_verify_receipt.pod
@@ -2,7 +2,7 @@ =head1 NAME - CMS_verify_receipt - verify a CMS signed receipt +CMS_verify_receipt - verify a CMS signed receipt =head1 SYNOPSIS @@ -16,7 +16,7 @@ receipt to verify. B<ocms> is the original SignedData structure containing the receipt request. B<certs> is a set of certificates in which to search for the signing certificate. B<store> is a trusted certificate store (used for chain -verification). +verification). B<flags> is an optional set of flags, which can be used to modify the verify operation.
diff --git a/doc/crypto/CONF_modules_free.pod b/doc/crypto/CONF_modules_free.pod index 42f823d..3936c6a 100644 --- a/doc/crypto/CONF_modules_free.pod +++ b/doc/crypto/CONF_modules_free.pod
@@ -2,8 +2,8 @@ =head1 NAME - CONF_modules_free, CONF_modules_finish, CONF_modules_unload - - OpenSSL configuration cleanup functions +CONF_modules_free, CONF_modules_finish, CONF_modules_unload - +OpenSSL configuration cleanup functions =head1 SYNOPSIS
diff --git a/doc/crypto/CONF_modules_load_file.pod b/doc/crypto/CONF_modules_load_file.pod index b4bfd65..56272f4 100644 --- a/doc/crypto/CONF_modules_load_file.pod +++ b/doc/crypto/CONF_modules_load_file.pod
@@ -2,16 +2,16 @@ =head1 NAME - CONF_modules_load_file, CONF_modules_load - OpenSSL configuration functions +CONF_modules_load_file, CONF_modules_load - OpenSSL configuration functions =head1 SYNOPSIS #include <openssl/conf.h> int CONF_modules_load_file(const char *filename, const char *appname, - unsigned long flags); + unsigned long flags); int CONF_modules_load(const CONF *cnf, const char *appname, - unsigned long flags); + unsigned long flags); =head1 DESCRIPTION
diff --git a/doc/crypto/CRYPTO_get_ex_new_index.pod b/doc/crypto/CRYPTO_get_ex_new_index.pod index 310cb43..465cbb7 100644 --- a/doc/crypto/CRYPTO_get_ex_new_index.pod +++ b/doc/crypto/CRYPTO_get_ex_new_index.pod
@@ -12,9 +12,9 @@ int CRYPTO_get_ex_new_index(int class_index, long argl, void *argp, - CRYPTO_EX_new *new_func, - CRYPTO_EX_dup *dup_func, - CRYPTO_EX_free *free_func); + CRYPTO_EX_new *new_func, + CRYPTO_EX_dup *dup_func, + CRYPTO_EX_free *free_func); typedef int CRYPTO_EX_new(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp);
diff --git a/doc/crypto/DH_generate_parameters.pod b/doc/crypto/DH_generate_parameters.pod index 0b45ceb..2b6ba73 100644 --- a/doc/crypto/DH_generate_parameters.pod +++ b/doc/crypto/DH_generate_parameters.pod
@@ -2,7 +2,6 @@ =head1 NAME - DH_generate_parameters_ex, DH_generate_parameters, DH_check - generate and check Diffie-Hellman parameters @@ -29,7 +28,7 @@ seeded prior to calling DH_generate_parameters(). B<prime_len> is the length in bits of the safe prime to be generated. -B<generator> is a small number E<gt> 1, typically 2 or 5. +B<generator> is a small number E<gt> 1, typically 2 or 5. A callback function may be used to provide feedback about the progress of the key generation. If B<cb> is not B<NULL>, it will be
diff --git a/doc/crypto/DSA_do_sign.pod b/doc/crypto/DSA_do_sign.pod index 2add9c4..9156b76 100644 --- a/doc/crypto/DSA_do_sign.pod +++ b/doc/crypto/DSA_do_sign.pod
@@ -11,7 +11,7 @@ DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); int DSA_do_verify(const unsigned char *dgst, int dgst_len, - DSA_SIG *sig, DSA *dsa); + DSA_SIG *sig, DSA *dsa); =head1 DESCRIPTION
diff --git a/doc/crypto/DSA_generate_parameters.pod b/doc/crypto/DSA_generate_parameters.pod index 75e7712..f7db526 100644 --- a/doc/crypto/DSA_generate_parameters.pod +++ b/doc/crypto/DSA_generate_parameters.pod
@@ -9,15 +9,15 @@ #include <openssl/dsa.h> int DSA_generate_parameters_ex(DSA *dsa, int bits, - const unsigned char *seed,int seed_len, - int *counter_ret, unsigned long *h_ret, BN_GENCB *cb); + const unsigned char *seed,int seed_len, + int *counter_ret, unsigned long *h_ret, BN_GENCB *cb); Deprecated: #if OPENSSL_API_COMPAT < 0x00908000L DSA *DSA_generate_parameters(int bits, unsigned char *seed, int seed_len, int *counter_ret, unsigned long *h_ret, - void (*callback)(int, int, void *), void *cb_arg); + void (*callback)(int, int, void *), void *cb_arg); #endif =head1 DESCRIPTION
diff --git a/doc/crypto/DSA_set_method.pod b/doc/crypto/DSA_set_method.pod index ef8bc12..faece37 100644 --- a/doc/crypto/DSA_set_method.pod +++ b/doc/crypto/DSA_set_method.pod
@@ -37,7 +37,7 @@ DSA_get_default_method() returns a pointer to the current default DSA_METHOD. However, the meaningfulness of this result is dependent on -whether the ENGINE API is being used, so this function is no longer +whether the ENGINE API is being used, so this function is no longer recommended. DSA_set_method() selects B<meth> to perform all operations using the key
diff --git a/doc/crypto/DSA_sign.pod b/doc/crypto/DSA_sign.pod index bebded0..75f70f3 100644 --- a/doc/crypto/DSA_sign.pod +++ b/doc/crypto/DSA_sign.pod
@@ -8,14 +8,14 @@ #include <openssl/dsa.h> - int DSA_sign(int type, const unsigned char *dgst, int len, - unsigned char *sigret, unsigned int *siglen, DSA *dsa); + int DSA_sign(int type, const unsigned char *dgst, int len, + unsigned char *sigret, unsigned int *siglen, DSA *dsa); - int DSA_sign_setup(DSA *dsa, BN_CTX *ctx, BIGNUM **kinvp, + int DSA_sign_setup(DSA *dsa, BN_CTX *ctx, BIGNUM **kinvp, BIGNUM **rp); - int DSA_verify(int type, const unsigned char *dgst, int len, - unsigned char *sigbuf, int siglen, DSA *dsa); + int DSA_verify(int type, const unsigned char *dgst, int len, + unsigned char *sigbuf, int siglen, DSA *dsa); =head1 DESCRIPTION
diff --git a/doc/crypto/EC_GROUP_copy.pod b/doc/crypto/EC_GROUP_copy.pod index fc50304..18a9fd9 100644 --- a/doc/crypto/EC_GROUP_copy.pod +++ b/doc/crypto/EC_GROUP_copy.pod
@@ -46,8 +46,8 @@ int EC_GROUP_get_basis_type(const EC_GROUP *); int EC_GROUP_get_trinomial_basis(const EC_GROUP *, unsigned int *k); - int EC_GROUP_get_pentanomial_basis(const EC_GROUP *, unsigned int *k1, - unsigned int *k2, unsigned int *k3); + int EC_GROUP_get_pentanomial_basis(const EC_GROUP *, unsigned int *k1, + unsigned int *k2, unsigned int *k3); =head1 DESCRIPTION @@ -86,26 +86,25 @@ 1.1.0 and later the named curve form is the default. The point_conversion_form for a curve controls how EC_POINT data is encoded as ASN1 as defined in X9.62 (ECDSA). -point_conversion_form_t is an enum defined as follows: +point_conversion_form_t is an enum defined as follows: typedef enum { - /** the point is encoded as z||x, where the octet z specifies - * which solution of the quadratic equation y is */ - POINT_CONVERSION_COMPRESSED = 2, - /** the point is encoded as z||x||y, where z is the octet 0x02 */ - POINT_CONVERSION_UNCOMPRESSED = 4, - /** the point is encoded as z||x||y, where the octet z specifies + /** the point is encoded as z||x, where the octet z specifies + * which solution of the quadratic equation y is */ + POINT_CONVERSION_COMPRESSED = 2, + /** the point is encoded as z||x||y, where z is the octet 0x02 */ + POINT_CONVERSION_UNCOMPRESSED = 4, + /** the point is encoded as z||x||y, where the octet z specifies * which solution of the quadratic equation y is */ - POINT_CONVERSION_HYBRID = 6 + POINT_CONVERSION_HYBRID = 6 } point_conversion_form_t; - For POINT_CONVERSION_UNCOMPRESSED the point is encoded as an octet signifying the UNCOMPRESSED form has been used followed by the octets for x, followed by the octets for y. For any given x co-ordinate for a point on a curve it is possible to derive two possible y values. For POINT_CONVERSION_COMPRESSED the point is encoded as an octet signifying that the COMPRESSED form has been used AND which of -the two possible solutions for y has been used, followed by the octets for x. +the two possible solutions for y has been used, followed by the octets for x. For POINT_CONVERSION_HYBRID the point is encoded as an octet signifying the HYBRID form has been used AND which of the two possible solutions for y has been used, followed by the octets for x, followed by the octets for y.
diff --git a/doc/crypto/EC_GROUP_new.pod b/doc/crypto/EC_GROUP_new.pod index 6c9a40c..3b305a2 100644 --- a/doc/crypto/EC_GROUP_new.pod +++ b/doc/crypto/EC_GROUP_new.pod
@@ -78,10 +78,10 @@ not). Passing a NULL B<r>, or setting B<nitems> to 0 will do nothing other than return the total number of curves available. The EC_builtin_curve structure is defined as follows: - typedef struct { - int nid; - const char *comment; - } EC_builtin_curve; + typedef struct { + int nid; + const char *comment; + } EC_builtin_curve; Each EC_builtin_curve item has a unique integer id (B<nid>), and a human readable comment string describing the curve.
diff --git a/doc/crypto/ERR_load_crypto_strings.pod b/doc/crypto/ERR_load_crypto_strings.pod index 56276a7..7e4f765 100644 --- a/doc/crypto/ERR_load_crypto_strings.pod +++ b/doc/crypto/ERR_load_crypto_strings.pod
@@ -21,7 +21,7 @@ #if OPENSSL_API_COMPAT < 0x10100000L void SSL_load_error_strings(void); #endif - + =head1 DESCRIPTION All of the following functions are deprecated from OpenSSL 1.1.0. No explicit
diff --git a/doc/crypto/EVP_BytesToKey.pod b/doc/crypto/EVP_BytesToKey.pod index 3d97854..ee5f678 100644 --- a/doc/crypto/EVP_BytesToKey.pod +++ b/doc/crypto/EVP_BytesToKey.pod
@@ -44,7 +44,7 @@ The key and IV is derived by concatenating D_1, D_2, etc until enough data is available for the key and IV. D_i is defined as: - D_i = HASH^count(D_(i-1) || data || salt) + D_i = HASH^count(D_(i-1) || data || salt) where || denotes concatenation, D_0 is empty, HASH is the digest algorithm in use, HASH^1(data) is simply HASH(data), HASH^2(data)
diff --git a/doc/crypto/EVP_CIPHER_meth_new.pod b/doc/crypto/EVP_CIPHER_meth_new.pod index 60ffe42..3410aa3 100644 --- a/doc/crypto/EVP_CIPHER_meth_new.pod +++ b/doc/crypto/EVP_CIPHER_meth_new.pod
@@ -19,7 +19,7 @@ EVP_CIPHER *EVP_CIPHER_meth_new(int cipher_type, int block_size, int key_len); EVP_CIPHER *EVP_CIPHER_meth_dup(const EVP_CIPHER *cipher); void EVP_CIPHER_meth_free(EVP_CIPHER *cipher); - + int EVP_CIPHER_meth_set_iv_length(EVP_CIPHER *cipher, int iv_len); int EVP_CIPHER_meth_set_flags(EVP_CIPHER *cipher, unsigned long flags); int EVP_CIPHER_meth_set_impl_ctx_size(EVP_CIPHER *cipher, int ctx_size); @@ -44,7 +44,7 @@ int EVP_CIPHER_meth_set_ctrl(EVP_CIPHER *cipher, int (*ctrl) (EVP_CIPHER_CTX *, int type, int arg, void *ptr)); - + int (*EVP_CIPHER_meth_get_init(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, @@ -82,37 +82,14 @@ several flags can be or'd together. The available flags are: -=over 4 +=over -=over 4 +=item EVP_CIPH_STREAM_CIPHER, EVP_CIPH_ECB_MODE EVP_CIPH_CBC_MODE, +EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE, EVP_CIPH_CTR_MODE, EVP_CIPH_GCM_MODE, +EVP_CIPH_CCM_MODE, EVP_CIPH_XTS_MODE, EVP_CIPH_WRAP_MODE, +EVP_CIPH_OCB_MODE -=item The cipher modes: - -=over 4 - -=item EVP_CIPH_STREAM_CIPHER - -=item EVP_CIPH_ECB_MODE - -=item EVP_CIPH_CBC_MODE - -=item EVP_CIPH_CFB_MODE - -=item EVP_CIPH_OFB_MODE - -=item EVP_CIPH_CTR_MODE - -=item EVP_CIPH_GCM_MODE - -=item EVP_CIPH_CCM_MODE - -=item EVP_CIPH_XTS_MODE - -=item EVP_CIPH_WRAP_MODE - -=item EVP_CIPH_OCB_MODE - -=back +The cipher mode. =item EVP_CIPH_VARIABLE_LENGTH @@ -197,13 +174,8 @@ =item EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK -=begin comment - -I could use some help explaining this one! - -=end comment - -=back +Allow interleaving of crypto blocks, a particular optimization only applicable +to certain TLS ciphers. =back @@ -234,6 +206,7 @@ EVP_CIPHER_meth_set_ctrl() sets the control function for B<cipher>. +=head1 RETURN VALUES EVP_CIPHER_meth_get_input_blocksize(), EVP_CIPHER_meth_get_result_size(), EVP_CIPHER_meth_get_app_datasize(), EVP_CIPHER_meth_get_flags(),
diff --git a/doc/crypto/EVP_DigestInit.pod b/doc/crypto/EVP_DigestInit.pod index 511aca2..a099160 100644 --- a/doc/crypto/EVP_DigestInit.pod +++ b/doc/crypto/EVP_DigestInit.pod
@@ -32,10 +32,10 @@ int EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in); - #define EVP_MAX_MD_SIZE 64 /* SHA512 */ + #define EVP_MAX_MD_SIZE 64 /* SHA512 */ int EVP_MD_type(const EVP_MD *md); - int EVP_MD_pkey_type(const EVP_MD *md); + int EVP_MD_pkey_type(const EVP_MD *md); int EVP_MD_size(const EVP_MD *md); int EVP_MD_block_size(const EVP_MD *md); @@ -213,15 +213,15 @@ int md_len, i; if(!argv[1]) { - printf("Usage: mdtest digestname\n"); - exit(1); + printf("Usage: mdtest digestname\n"); + exit(1); } md = EVP_get_digestbyname(argv[1]); if(!md) { - printf("Unknown message digest %s\n", argv[1]); - exit(1); + printf("Unknown message digest %s\n", argv[1]); + exit(1); } mdctx = EVP_MD_CTX_new(); @@ -233,7 +233,7 @@ printf("Digest is: "); for(i = 0; i < md_len; i++) - printf("%02x", md_value[i]); + printf("%02x", md_value[i]); printf("\n"); exit(0);
diff --git a/doc/crypto/EVP_DigestSignInit.pod b/doc/crypto/EVP_DigestSignInit.pod index ab08ecd..b85372e 100644 --- a/doc/crypto/EVP_DigestSignInit.pod +++ b/doc/crypto/EVP_DigestSignInit.pod
@@ -9,7 +9,7 @@ #include <openssl/evp.h> int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, - const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey); + const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey); int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt); int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen); @@ -56,7 +56,7 @@ the use of clone digest is now discouraged. For some key types and parameters the random number generator must be seeded -or the operation will fail. +or the operation will fail. The call to EVP_DigestSignFinal() internally finalizes a copy of the digest context. This means that calls to EVP_DigestSignUpdate() and @@ -81,7 +81,7 @@ =head1 HISTORY -EVP_DigestSignInit(), EVP_DigestSignUpdate() and EVP_DigestSignFinal() +EVP_DigestSignInit(), EVP_DigestSignUpdate() and EVP_DigestSignFinal() were first added to OpenSSL 1.0.0. =cut
diff --git a/doc/crypto/EVP_DigestVerifyInit.pod b/doc/crypto/EVP_DigestVerifyInit.pod index 8982e70..4c5809f 100644 --- a/doc/crypto/EVP_DigestVerifyInit.pod +++ b/doc/crypto/EVP_DigestVerifyInit.pod
@@ -9,7 +9,7 @@ #include <openssl/evp.h> int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, - const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey); + const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey); int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt); int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen); @@ -56,7 +56,7 @@ the use of clone digest is now discouraged. For some key types and parameters the random number generator must be seeded -or the operation will fail. +or the operation will fail. The call to EVP_DigestVerifyFinal() internally finalizes a copy of the digest context. This means that EVP_VerifyUpdate() and EVP_VerifyFinal() can @@ -76,7 +76,7 @@ =head1 HISTORY -EVP_DigestVerifyInit(), EVP_DigestVerifyUpdate() and EVP_DigestVerifyFinal() +EVP_DigestVerifyInit(), EVP_DigestVerifyUpdate() and EVP_DigestVerifyFinal() were first added to OpenSSL 1.0.0. =cut
diff --git a/doc/crypto/EVP_EncryptInit.pod b/doc/crypto/EVP_EncryptInit.pod index 4fcd8a3..280f5fe 100644 --- a/doc/crypto/EVP_EncryptInit.pod +++ b/doc/crypto/EVP_EncryptInit.pod
@@ -40,14 +40,14 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx); int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, - ENGINE *impl, unsigned char *key, unsigned char *iv); + ENGINE *impl, unsigned char *key, unsigned char *iv); int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, unsigned char *in, int inl); int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, - ENGINE *impl, unsigned char *key, unsigned char *iv); + ENGINE *impl, unsigned char *key, unsigned char *iv); int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, unsigned char *in, int inl); int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, @@ -83,12 +83,12 @@ #define EVP_get_cipherbynid(a) EVP_get_cipherbyname(OBJ_nid2sn(a)) #define EVP_get_cipherbyobj(a) EVP_get_cipherbynid(OBJ_obj2nid(a)) - #define EVP_CIPHER_nid(e) ((e)->nid) - #define EVP_CIPHER_block_size(e) ((e)->block_size) - #define EVP_CIPHER_key_length(e) ((e)->key_len) - #define EVP_CIPHER_iv_length(e) ((e)->iv_len) - #define EVP_CIPHER_flags(e) ((e)->flags) - #define EVP_CIPHER_mode(e) ((e)->flags) & EVP_CIPH_MODE) + #define EVP_CIPHER_nid(e) ((e)->nid) + #define EVP_CIPHER_block_size(e) ((e)->block_size) + #define EVP_CIPHER_key_length(e) ((e)->key_len) + #define EVP_CIPHER_iv_length(e) ((e)->iv_len) + #define EVP_CIPHER_flags(e) ((e)->flags) + #define EVP_CIPHER_mode(e) ((e)->flags) & EVP_CIPH_MODE) int EVP_CIPHER_type(const EVP_CIPHER *ctx); const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx); @@ -384,13 +384,13 @@ AES Galois Counter Mode (GCM) for 128, 192 and 256 bit keys respectively. These ciphers require additional control operations to function correctly: see -the L</GCM and OCB modes> section below for details. +the L</GCM and OCB Modes> section below for details. =item EVP_aes_128_ocb(void), EVP_aes_192_ocb(void), EVP_aes_256_ocb(void) Offset Codebook Mode (OCB) for 128, 192 and 256 bit keys respectively. These ciphers require additional control operations to function correctly: see -the L</GCM and OCB modes> section below for details. +the L</GCM and OCB Modes> section below for details. =item EVP_aes_128_ccm(), EVP_aes_192_ccm(), EVP_aes_256_ccm() @@ -526,46 +526,46 @@ Encrypt a string using IDEA: int do_crypt(char *outfile) - { - unsigned char outbuf[1024]; - int outlen, tmplen; - /* Bogus key and IV: we'd normally set these from - * another source. - */ - unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}; - unsigned char iv[] = {1,2,3,4,5,6,7,8}; - char intext[] = "Some Crypto Text"; - EVP_CIPHER_CTX ctx; - FILE *out; + { + unsigned char outbuf[1024]; + int outlen, tmplen; + /* Bogus key and IV: we'd normally set these from + * another source. + */ + unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}; + unsigned char iv[] = {1,2,3,4,5,6,7,8}; + char intext[] = "Some Crypto Text"; + EVP_CIPHER_CTX ctx; + FILE *out; - ctx = EVP_CIPHER_CTX_new(); - EVP_EncryptInit_ex(ctx, EVP_idea_cbc(), NULL, key, iv); + ctx = EVP_CIPHER_CTX_new(); + EVP_EncryptInit_ex(ctx, EVP_idea_cbc(), NULL, key, iv); - if(!EVP_EncryptUpdate(ctx, outbuf, &outlen, intext, strlen(intext))) - { - /* Error */ - return 0; - } - /* Buffer passed to EVP_EncryptFinal() must be after data just - * encrypted to avoid overwriting it. - */ - if(!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen)) - { - /* Error */ - return 0; - } - outlen += tmplen; - EVP_CIPHER_CTX_free(ctx); - /* Need binary mode for fopen because encrypted data is - * binary data. Also cannot use strlen() on it because + if(!EVP_EncryptUpdate(ctx, outbuf, &outlen, intext, strlen(intext))) + { + /* Error */ + return 0; + } + /* Buffer passed to EVP_EncryptFinal() must be after data just + * encrypted to avoid overwriting it. + */ + if(!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen)) + { + /* Error */ + return 0; + } + outlen += tmplen; + EVP_CIPHER_CTX_free(ctx); + /* Need binary mode for fopen because encrypted data is + * binary data. Also cannot use strlen() on it because * it wont be null terminated and may contain embedded - * nulls. - */ - out = fopen(outfile, "wb"); - fwrite(outbuf, 1, outlen, out); - fclose(out); - return 1; - } + * nulls. + */ + out = fopen(outfile, "wb"); + fwrite(outbuf, 1, outlen, out); + fclose(out); + return 1; + } The ciphertext from the above example can be decrypted using the B<openssl> utility with the command line (shown on two lines for clarity): @@ -577,50 +577,50 @@ with a 128-bit key: int do_crypt(FILE *in, FILE *out, int do_encrypt) - { - /* Allow enough space in output buffer for additional block */ - unsigned char inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH]; - int inlen, outlen; - EVP_CIPHER_CTX *ctx; - /* Bogus key and IV: we'd normally set these from - * another source. - */ - unsigned char key[] = "0123456789abcdeF"; - unsigned char iv[] = "1234567887654321"; + { + /* Allow enough space in output buffer for additional block */ + unsigned char inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH]; + int inlen, outlen; + EVP_CIPHER_CTX *ctx; + /* Bogus key and IV: we'd normally set these from + * another source. + */ + unsigned char key[] = "0123456789abcdeF"; + unsigned char iv[] = "1234567887654321"; - /* Don't set key or IV right away; we want to check lengths */ - ctx = EVP_CIPHER_CTX_new(); - EVP_CipherInit_ex(&ctx, EVP_aes_128_cbc(), NULL, NULL, NULL, - do_encrypt); - OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16); - OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16); + /* Don't set key or IV right away; we want to check lengths */ + ctx = EVP_CIPHER_CTX_new(); + EVP_CipherInit_ex(&ctx, EVP_aes_128_cbc(), NULL, NULL, NULL, + do_encrypt); + OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16); + OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16); - /* Now we can set key and IV */ - EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, do_encrypt); + /* Now we can set key and IV */ + EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, do_encrypt); - for(;;) - { - inlen = fread(inbuf, 1, 1024, in); - if(inlen <= 0) break; - if(!EVP_CipherUpdate(ctx, outbuf, &outlen, inbuf, inlen)) - { - /* Error */ - EVP_CIPHER_CTX_free(ctx); - return 0; - } - fwrite(outbuf, 1, outlen, out); - } - if(!EVP_CipherFinal_ex(ctx, outbuf, &outlen)) - { - /* Error */ - EVP_CIPHER_CTX_free(ctx); - return 0; - } - fwrite(outbuf, 1, outlen, out); + for(;;) + { + inlen = fread(inbuf, 1, 1024, in); + if(inlen <= 0) break; + if(!EVP_CipherUpdate(ctx, outbuf, &outlen, inbuf, inlen)) + { + /* Error */ + EVP_CIPHER_CTX_free(ctx); + return 0; + } + fwrite(outbuf, 1, outlen, out); + } + if(!EVP_CipherFinal_ex(ctx, outbuf, &outlen)) + { + /* Error */ + EVP_CIPHER_CTX_free(ctx); + return 0; + } + fwrite(outbuf, 1, outlen, out); - EVP_CIPHER_CTX_free(ctx); - return 1; - } + EVP_CIPHER_CTX_free(ctx); + return 1; + } =head1 SEE ALSO
diff --git a/doc/crypto/EVP_OpenInit.pod b/doc/crypto/EVP_OpenInit.pod index fb70076..e220813 100644 --- a/doc/crypto/EVP_OpenInit.pod +++ b/doc/crypto/EVP_OpenInit.pod
@@ -9,7 +9,7 @@ #include <openssl/evp.h> int EVP_OpenInit(EVP_CIPHER_CTX *ctx,EVP_CIPHER *type,unsigned char *ek, - int ekl,unsigned char *iv,EVP_PKEY *priv); + int ekl,unsigned char *iv,EVP_PKEY *priv); int EVP_OpenUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, unsigned char *in, int inl); int EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, @@ -27,7 +27,7 @@ The IV is supplied in the B<iv> parameter. EVP_OpenUpdate() and EVP_OpenFinal() have exactly the same properties -as the EVP_DecryptUpdate() and EVP_DecryptFinal() routines, as +as the EVP_DecryptUpdate() and EVP_DecryptFinal() routines, as documented on the L<EVP_EncryptInit(3)> manual page.
diff --git a/doc/crypto/EVP_PKEY_CTX_ctrl.pod b/doc/crypto/EVP_PKEY_CTX_ctrl.pod index c673ebe..f29ac04 100644 --- a/doc/crypto/EVP_PKEY_CTX_ctrl.pod +++ b/doc/crypto/EVP_PKEY_CTX_ctrl.pod
@@ -16,9 +16,9 @@ #include <openssl/evp.h> int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype, - int cmd, int p1, void *p2); + int cmd, int p1, void *p2); int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, - const char *value); + const char *value); #include <openssl/rsa.h>
diff --git a/doc/crypto/EVP_PKEY_cmp.pod b/doc/crypto/EVP_PKEY_cmp.pod index d580a5f..ce86913 100644 --- a/doc/crypto/EVP_PKEY_cmp.pod +++ b/doc/crypto/EVP_PKEY_cmp.pod
@@ -56,7 +56,7 @@ =head1 SEE ALSO L<EVP_PKEY_CTX_new(3)>, -L<EVP_PKEY_keygen(3)> +L<EVP_PKEY_keygen(3)> =cut
diff --git a/doc/crypto/EVP_PKEY_decrypt.pod b/doc/crypto/EVP_PKEY_decrypt.pod index 77ef5aa..9a6a218 100644 --- a/doc/crypto/EVP_PKEY_decrypt.pod +++ b/doc/crypto/EVP_PKEY_decrypt.pod
@@ -10,8 +10,8 @@ int EVP_PKEY_decrypt_init(EVP_PKEY_CTX *ctx); int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx, - unsigned char *out, size_t *outlen, - const unsigned char *in, size_t inlen); + unsigned char *out, size_t *outlen, + const unsigned char *in, size_t inlen); =head1 DESCRIPTION @@ -50,30 +50,30 @@ EVP_PKEY_CTX *ctx; unsigned char *out, *in; - size_t outlen, inlen; + size_t outlen, inlen; EVP_PKEY *key; /* NB: assumes key in, inlen are already set up * and that key is an RSA private key */ ctx = EVP_PKEY_CTX_new(key); if (!ctx) - /* Error occurred */ + /* Error occurred */ if (EVP_PKEY_decrypt_init(ctx) <= 0) - /* Error */ + /* Error */ if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_OAEP_PADDING) <= 0) - /* Error */ + /* Error */ /* Determine buffer length */ if (EVP_PKEY_decrypt(ctx, NULL, &outlen, in, inlen) <= 0) - /* Error */ + /* Error */ out = OPENSSL_malloc(outlen); if (!out) - /* malloc failure */ - + /* malloc failure */ + if (EVP_PKEY_decrypt(ctx, out, &outlen, in, inlen) <= 0) - /* Error */ + /* Error */ /* Decrypted data is outlen bytes written to buffer out */ @@ -84,7 +84,7 @@ L<EVP_PKEY_sign(3)>, L<EVP_PKEY_verify(3)>, L<EVP_PKEY_verify_recover(3)>, -L<EVP_PKEY_derive(3)> +L<EVP_PKEY_derive(3)> =head1 HISTORY
diff --git a/doc/crypto/EVP_PKEY_derive.pod b/doc/crypto/EVP_PKEY_derive.pod index f1ddcfb..3105afd 100644 --- a/doc/crypto/EVP_PKEY_derive.pod +++ b/doc/crypto/EVP_PKEY_derive.pod
@@ -57,23 +57,23 @@ ctx = EVP_PKEY_CTX_new(pkey); if (!ctx) - /* Error occurred */ + /* Error occurred */ if (EVP_PKEY_derive_init(ctx) <= 0) - /* Error */ + /* Error */ if (EVP_PKEY_derive_set_peer(ctx, peerkey) <= 0) - /* Error */ + /* Error */ /* Determine buffer length */ if (EVP_PKEY_derive(ctx, NULL, &skeylen) <= 0) - /* Error */ + /* Error */ skey = OPENSSL_malloc(skeylen); if (!skey) - /* malloc failure */ - + /* malloc failure */ + if (EVP_PKEY_derive(ctx, skey, &skeylen) <= 0) - /* Error */ + /* Error */ /* Shared secret is skey bytes written to buffer skey */
diff --git a/doc/crypto/EVP_PKEY_encrypt.pod b/doc/crypto/EVP_PKEY_encrypt.pod index ddeb4dc..721ca2d 100644 --- a/doc/crypto/EVP_PKEY_encrypt.pod +++ b/doc/crypto/EVP_PKEY_encrypt.pod
@@ -10,8 +10,8 @@ int EVP_PKEY_encrypt_init(EVP_PKEY_CTX *ctx); int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx, - unsigned char *out, size_t *outlen, - const unsigned char *in, size_t inlen); + unsigned char *out, size_t *outlen, + const unsigned char *in, size_t inlen); =head1 DESCRIPTION @@ -54,30 +54,30 @@ EVP_PKEY_CTX *ctx; ENGINE *eng; unsigned char *out, *in; - size_t outlen, inlen; + size_t outlen, inlen; EVP_PKEY *key; /* NB: assumes eng, key, in, inlen are already set up, * and that key is an RSA public key */ ctx = EVP_PKEY_CTX_new(key,eng); if (!ctx) - /* Error occurred */ + /* Error occurred */ if (EVP_PKEY_encrypt_init(ctx) <= 0) - /* Error */ + /* Error */ if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_OAEP_PADDING) <= 0) - /* Error */ + /* Error */ /* Determine buffer length */ if (EVP_PKEY_encrypt(ctx, NULL, &outlen, in, inlen) <= 0) - /* Error */ + /* Error */ out = OPENSSL_malloc(outlen); if (!out) - /* malloc failure */ - + /* malloc failure */ + if (EVP_PKEY_encrypt(ctx, out, &outlen, in, inlen) <= 0) - /* Error */ + /* Error */ /* Encrypted data is outlen bytes written to buffer out */ @@ -90,7 +90,7 @@ L<EVP_PKEY_sign(3)>, L<EVP_PKEY_verify(3)>, L<EVP_PKEY_verify_recover(3)>, -L<EVP_PKEY_derive(3)> +L<EVP_PKEY_derive(3)> =head1 HISTORY
diff --git a/doc/crypto/EVP_PKEY_keygen.pod b/doc/crypto/EVP_PKEY_keygen.pod index 3d74183..564bd9b 100644 --- a/doc/crypto/EVP_PKEY_keygen.pod +++ b/doc/crypto/EVP_PKEY_keygen.pod
@@ -28,7 +28,7 @@ The EVP_PKEY_keygen_init() function initializes a public key algorithm context using key B<pkey> for a key generation operation. -The EVP_PKEY_keygen() function performs a key generation operation, the +The EVP_PKEY_keygen() function performs a key generation operation, the generated key is written to B<ppkey>. The functions EVP_PKEY_paramgen_init() and EVP_PKEY_paramgen() are similar @@ -95,15 +95,15 @@ EVP_PKEY *pkey = NULL; ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL); if (!ctx) - /* Error occurred */ + /* Error occurred */ if (EVP_PKEY_keygen_init(ctx) <= 0) - /* Error */ + /* Error */ if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048) <= 0) - /* Error */ + /* Error */ /* Generate key */ if (EVP_PKEY_keygen(ctx, &pkey) <= 0) - /* Error */ + /* Error */ Generate a key from a set of parameters: @@ -115,13 +115,13 @@ /* Assumed param is set up already */ ctx = EVP_PKEY_CTX_new(param); if (!ctx) - /* Error occurred */ + /* Error occurred */ if (EVP_PKEY_keygen_init(ctx) <= 0) - /* Error */ + /* Error */ /* Generate key */ if (EVP_PKEY_keygen(ctx, &pkey) <= 0) - /* Error */ + /* Error */ Example of generation callback for OpenSSL public key implementations: @@ -130,19 +130,19 @@ EVP_PKEY_CTX_set_app_data(ctx, status_bio); static int genpkey_cb(EVP_PKEY_CTX *ctx) - { - char c='*'; - BIO *b = EVP_PKEY_CTX_get_app_data(ctx); - int p; - p = EVP_PKEY_CTX_get_keygen_info(ctx, 0); - if (p == 0) c='.'; - if (p == 1) c='+'; - if (p == 2) c='*'; - if (p == 3) c='\n'; - BIO_write(b,&c,1); - (void)BIO_flush(b); - return 1; - } + { + char c='*'; + BIO *b = EVP_PKEY_CTX_get_app_data(ctx); + int p; + p = EVP_PKEY_CTX_get_keygen_info(ctx, 0); + if (p == 0) c='.'; + if (p == 1) c='+'; + if (p == 2) c='*'; + if (p == 3) c='\n'; + BIO_write(b,&c,1); + (void)BIO_flush(b); + return 1; + } =head1 SEE ALSO @@ -152,7 +152,7 @@ L<EVP_PKEY_sign(3)>, L<EVP_PKEY_verify(3)>, L<EVP_PKEY_verify_recover(3)>, -L<EVP_PKEY_derive(3)> +L<EVP_PKEY_derive(3)> =head1 HISTORY
diff --git a/doc/crypto/EVP_PKEY_print_private.pod b/doc/crypto/EVP_PKEY_print_private.pod index 5f92e6b..06fefe6 100644 --- a/doc/crypto/EVP_PKEY_print_private.pod +++ b/doc/crypto/EVP_PKEY_print_private.pod
@@ -9,11 +9,11 @@ #include <openssl/evp.h> int EVP_PKEY_print_public(BIO *out, const EVP_PKEY *pkey, - int indent, ASN1_PCTX *pctx); + int indent, ASN1_PCTX *pctx); int EVP_PKEY_print_private(BIO *out, const EVP_PKEY *pkey, - int indent, ASN1_PCTX *pctx); + int indent, ASN1_PCTX *pctx); int EVP_PKEY_print_params(BIO *out, const EVP_PKEY *pkey, - int indent, ASN1_PCTX *pctx); + int indent, ASN1_PCTX *pctx); =head1 DESCRIPTION @@ -28,7 +28,7 @@ =head1 NOTES -Currently no public key algorithms include any options in the B<pctx> parameter +Currently no public key algorithms include any options in the B<pctx> parameter parameter. If the key does not include all the components indicated by the function then @@ -44,7 +44,7 @@ =head1 SEE ALSO L<EVP_PKEY_CTX_new(3)>, -L<EVP_PKEY_keygen(3)> +L<EVP_PKEY_keygen(3)> =head1 HISTORY
diff --git a/doc/crypto/EVP_PKEY_sign.pod b/doc/crypto/EVP_PKEY_sign.pod index 9b587e7..d65ce17 100644 --- a/doc/crypto/EVP_PKEY_sign.pod +++ b/doc/crypto/EVP_PKEY_sign.pod
@@ -10,8 +10,8 @@ int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx); int EVP_PKEY_sign(EVP_PKEY_CTX *ctx, - unsigned char *sig, size_t *siglen, - const unsigned char *tbs, size_t tbslen); + unsigned char *sig, size_t *siglen, + const unsigned char *tbs, size_t tbslen); =head1 DESCRIPTION @@ -66,25 +66,25 @@ */ ctx = EVP_PKEY_CTX_new(signing_key, NULL /* no engine */); if (!ctx) - /* Error occurred */ + /* Error occurred */ if (EVP_PKEY_sign_init(ctx) <= 0) - /* Error */ + /* Error */ if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0) - /* Error */ + /* Error */ if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) - /* Error */ + /* Error */ /* Determine buffer length */ if (EVP_PKEY_sign(ctx, NULL, &siglen, md, mdlen) <= 0) - /* Error */ + /* Error */ sig = OPENSSL_malloc(siglen); if (!sig) - /* malloc failure */ - + /* malloc failure */ + if (EVP_PKEY_sign(ctx, sig, &siglen, md, mdlen) <= 0) - /* Error */ + /* Error */ /* Signature is siglen bytes written to buffer sig */ @@ -97,7 +97,7 @@ L<EVP_PKEY_decrypt(3)>, L<EVP_PKEY_verify(3)>, L<EVP_PKEY_verify_recover(3)>, -L<EVP_PKEY_derive(3)> +L<EVP_PKEY_derive(3)> =head1 HISTORY
diff --git a/doc/crypto/EVP_PKEY_verify.pod b/doc/crypto/EVP_PKEY_verify.pod index 99bace5..329158b 100644 --- a/doc/crypto/EVP_PKEY_verify.pod +++ b/doc/crypto/EVP_PKEY_verify.pod
@@ -10,8 +10,8 @@ int EVP_PKEY_verify_init(EVP_PKEY_CTX *ctx); int EVP_PKEY_verify(EVP_PKEY_CTX *ctx, - const unsigned char *sig, size_t siglen, - const unsigned char *tbs, size_t tbslen); + const unsigned char *sig, size_t siglen, + const unsigned char *tbs, size_t tbslen); =head1 DESCRIPTION @@ -53,20 +53,20 @@ EVP_PKEY_CTX *ctx; unsigned char *md, *sig; - size_t mdlen, siglen; + size_t mdlen, siglen; EVP_PKEY *verify_key; /* NB: assumes verify_key, sig, siglen md and mdlen are already set up * and that verify_key is an RSA public key */ ctx = EVP_PKEY_CTX_new(verify_key); if (!ctx) - /* Error occurred */ + /* Error occurred */ if (EVP_PKEY_verify_init(ctx) <= 0) - /* Error */ + /* Error */ if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0) - /* Error */ + /* Error */ if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) - /* Error */ + /* Error */ /* Perform operation */ ret = EVP_PKEY_verify(ctx, sig, siglen, md, mdlen); @@ -82,7 +82,7 @@ L<EVP_PKEY_decrypt(3)>, L<EVP_PKEY_sign(3)>, L<EVP_PKEY_verify_recover(3)>, -L<EVP_PKEY_derive(3)> +L<EVP_PKEY_derive(3)> =head1 HISTORY
diff --git a/doc/crypto/EVP_PKEY_verify_recover.pod b/doc/crypto/EVP_PKEY_verify_recover.pod index ba7ddfd..b5d196c 100644 --- a/doc/crypto/EVP_PKEY_verify_recover.pod +++ b/doc/crypto/EVP_PKEY_verify_recover.pod
@@ -10,8 +10,8 @@ int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx); int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx, - unsigned char *rout, size_t *routlen, - const unsigned char *sig, size_t siglen); + unsigned char *rout, size_t *routlen, + const unsigned char *sig, size_t siglen); =head1 DESCRIPTION @@ -29,7 +29,7 @@ =head1 NOTES Normally an application is only interested in whether a signature verification -operation is successful in those cases the EVP_verify() function should be +operation is successful in those cases the EVP_verify() function should be used. Sometimes however it is useful to obtain the data originally signed using a @@ -58,32 +58,32 @@ EVP_PKEY_CTX *ctx; unsigned char *rout, *sig; - size_t routlen, siglen; + size_t routlen, siglen; EVP_PKEY *verify_key; /* NB: assumes verify_key, sig and siglen are already set up * and that verify_key is an RSA public key */ ctx = EVP_PKEY_CTX_new(verify_key); if (!ctx) - /* Error occurred */ + /* Error occurred */ if (EVP_PKEY_verify_recover_init(ctx) <= 0) - /* Error */ + /* Error */ if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0) - /* Error */ + /* Error */ if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) - /* Error */ + /* Error */ /* Determine buffer length */ if (EVP_PKEY_verify_recover(ctx, NULL, &routlen, sig, siglen) <= 0) - /* Error */ + /* Error */ rout = OPENSSL_malloc(routlen); if (!rout) - /* malloc failure */ - + /* malloc failure */ + if (EVP_PKEY_verify_recover(ctx, rout, &routlen, sig, siglen) <= 0) - /* Error */ + /* Error */ /* Recovered data is routlen bytes written to buffer rout */ @@ -94,7 +94,7 @@ L<EVP_PKEY_decrypt(3)>, L<EVP_PKEY_sign(3)>, L<EVP_PKEY_verify(3)>, -L<EVP_PKEY_derive(3)> +L<EVP_PKEY_derive(3)> =head1 HISTORY
diff --git a/doc/crypto/EVP_SealInit.pod b/doc/crypto/EVP_SealInit.pod index cecd86d..32bf7b0 100644 --- a/doc/crypto/EVP_SealInit.pod +++ b/doc/crypto/EVP_SealInit.pod
@@ -42,9 +42,9 @@ and can be B<NULL>. EVP_SealUpdate() and EVP_SealFinal() have exactly the same properties -as the EVP_EncryptUpdate() and EVP_EncryptFinal() routines, as +as the EVP_EncryptUpdate() and EVP_EncryptFinal() routines, as documented on the L<EVP_EncryptInit(3)> manual -page. +page. =head1 RETURN VALUES
diff --git a/doc/crypto/EVP_SignInit.pod b/doc/crypto/EVP_SignInit.pod index fe0284b..e2d69c5 100644 --- a/doc/crypto/EVP_SignInit.pod +++ b/doc/crypto/EVP_SignInit.pod
@@ -60,7 +60,7 @@ Due to the link between message digests and public key algorithms the correct digest algorithm must be used with the correct public key type. A list of -algorithms and associated public key algorithms appears in +algorithms and associated public key algorithms appears in L<EVP_DigestInit(3)>. When signing with DSA private keys the random number generator must be seeded @@ -77,7 +77,7 @@ =head1 BUGS -Older versions of this documentation wrongly stated that calls to +Older versions of this documentation wrongly stated that calls to EVP_SignUpdate() could not be made after calling EVP_SignFinal(). Since the private key is passed in the call to EVP_SignFinal() any error
diff --git a/doc/crypto/EVP_VerifyInit.pod b/doc/crypto/EVP_VerifyInit.pod index 0513518..e212296 100644 --- a/doc/crypto/EVP_VerifyInit.pod +++ b/doc/crypto/EVP_VerifyInit.pod
@@ -51,7 +51,7 @@ Due to the link between message digests and public key algorithms the correct digest algorithm must be used with the correct public key type. A list of -algorithms and associated public key algorithms appears in +algorithms and associated public key algorithms appears in L<EVP_DigestInit(3)>. The call to EVP_VerifyFinal() internally finalizes a copy of the digest context. @@ -64,7 +64,7 @@ =head1 BUGS -Older versions of this documentation wrongly stated that calls to +Older versions of this documentation wrongly stated that calls to EVP_VerifyUpdate() could not be made after calling EVP_VerifyFinal(). Since the public key is passed in the call to EVP_SignFinal() any error
diff --git a/doc/crypto/OBJ_nid2obj.pod b/doc/crypto/OBJ_nid2obj.pod index a17ba7b..211c355 100644 --- a/doc/crypto/OBJ_nid2obj.pod +++ b/doc/crypto/OBJ_nid2obj.pod
@@ -42,7 +42,7 @@ The ASN1 object utility functions process ASN1_OBJECT structures which are a representation of the ASN1 OBJECT IDENTIFIER (OID) type. -OBJ_nid2obj(), OBJ_nid2ln() and OBJ_nid2sn() convert the NID B<n> to +OBJ_nid2obj(), OBJ_nid2ln() and OBJ_nid2sn() convert the NID B<n> to an ASN1_OBJECT structure, its long name and its short name respectively, or B<NULL> is an error occurred. @@ -70,7 +70,7 @@ OBJ_dup() returns a copy of B<o>. -OBJ_create() adds a new object to the internal table. B<oid> is the +OBJ_create() adds a new object to the internal table. B<oid> is the numerical form of the object, B<sn> the short name and B<ln> the long name. A new NID is returned for the created object. @@ -127,7 +127,7 @@ Check if an object is B<commonName> if (OBJ_obj2nid(obj) == NID_commonName) - /* Do something */ + /* Do something */ Create a new NID and initialize an object from it: @@ -136,14 +136,14 @@ new_nid = OBJ_create("1.2.3.4", "NewOID", "New Object Identifier"); obj = OBJ_nid2obj(new_nid); - + Create a new object directly: obj = OBJ_txt2obj("1.2.3.4", 1); =head1 BUGS -OBJ_obj2txt() is awkward and messy to use: it doesn't follow the +OBJ_obj2txt() is awkward and messy to use: it doesn't follow the convention of other OpenSSL functions where the buffer can be set to B<NULL> to determine the amount of data that should be written. Instead B<buf> must point to a valid buffer and B<buf_len> should
diff --git a/doc/crypto/OCSP_response_status.pod b/doc/crypto/OCSP_response_status.pod index 4e79708..a23d3c8 100644 --- a/doc/crypto/OCSP_response_status.pod +++ b/doc/crypto/OCSP_response_status.pod
@@ -21,7 +21,7 @@ B<OCSP_RESPONSE_STATUS_SIGREQUIRED>, or B<OCSP_RESPONSE_STATUS_UNAUTHORIZED>. OCSP_response_get1_basic() decodes and returns the B<OCSP_BASICRESP> structure -contained in B<resp>. +contained in B<resp>. OCSP_response_create() creates and returns an B<OCSP_RESPONSE> structure for B<status> and optionally including basic response B<bs>.
diff --git a/doc/crypto/OPENSSL_load_builtin_modules.pod b/doc/crypto/OPENSSL_load_builtin_modules.pod index d104824..f656f45 100644 --- a/doc/crypto/OPENSSL_load_builtin_modules.pod +++ b/doc/crypto/OPENSSL_load_builtin_modules.pod
@@ -24,15 +24,15 @@ =head1 NOTES -If the simple configuration function OPENSSL_config() is called then +If the simple configuration function OPENSSL_config() is called then OPENSSL_load_builtin_modules() is called automatically. Applications which use the configuration functions directly will need to -call OPENSSL_load_builtin_modules() themselves I<before> any other +call OPENSSL_load_builtin_modules() themselves I<before> any other configuration code. Applications should call OPENSSL_load_builtin_modules() to load all -configuration modules instead of adding modules selectively: otherwise +configuration modules instead of adding modules selectively: otherwise functionality may be missing from the application if an when new modules are added.
diff --git a/doc/crypto/OPENSSL_malloc.pod b/doc/crypto/OPENSSL_malloc.pod index 89990de..65c50c7 100644 --- a/doc/crypto/OPENSSL_malloc.pod +++ b/doc/crypto/OPENSSL_malloc.pod
@@ -94,10 +94,10 @@ OPENSSL_cleanse() fills B<ptr> of size B<len> with a string of 0's. Use OPENSSL_cleanse() with care if the memory is a mapping of a file. -If the storage controller uses write compression, then its possible -that sensitive tail bytes will survive zeroization because the block of -zeros will be compressed. If the storage controller uses wear leveling, -then the old sensitive data will not be overwritten; rather, a block of +If the storage controller uses write compression, then its possible +that sensitive tail bytes will survive zeroization because the block of +zeros will be compressed. If the storage controller uses wear leveling, +then the old sensitive data will not be overwritten; rather, a block of 0's will be written at a new physical location. OPENSSL_strdup(), OPENSSL_strndup() and OPENSSL_memdup() are like the
diff --git a/doc/crypto/OPENSSL_secure_malloc.pod b/doc/crypto/OPENSSL_secure_malloc.pod index ff82c6f..191c0e4 100644 --- a/doc/crypto/OPENSSL_secure_malloc.pod +++ b/doc/crypto/OPENSSL_secure_malloc.pod
@@ -56,7 +56,7 @@ CRYPTO_secure_malloc_done() releases the heap and makes the memory unavailable to the process if all secure memory has been freed. -It can take noticeably long to complete. +It can take noticeably long to complete. OPENSSL_secure_malloc() allocates C<num> bytes from the heap. If CRYPTO_secure_malloc_init() is not called, this is equivalent to
diff --git a/doc/crypto/PEM_write_bio_CMS_stream.pod b/doc/crypto/PEM_write_bio_CMS_stream.pod index aace1cb..e82ead8 100644 --- a/doc/crypto/PEM_write_bio_CMS_stream.pod +++ b/doc/crypto/PEM_write_bio_CMS_stream.pod
@@ -2,7 +2,7 @@ =head1 NAME - PEM_write_bio_CMS_stream - output CMS_ContentInfo structure in PEM format. +PEM_write_bio_CMS_stream - output CMS_ContentInfo structure in PEM format. =head1 SYNOPSIS
diff --git a/doc/crypto/PKCS12_create.pod b/doc/crypto/PKCS12_create.pod index ada61e5..68c626d 100644 --- a/doc/crypto/PKCS12_create.pod +++ b/doc/crypto/PKCS12_create.pod
@@ -9,7 +9,7 @@ #include <openssl/pkcs12.h> PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, STACK_OF(X509) *ca, - int nid_key, int nid_cert, int iter, int mac_iter, int keytype); + int nid_key, int nid_cert, int iter, int mac_iter, int keytype); =head1 DESCRIPTION @@ -55,7 +55,7 @@ a fatal error is returned. B<nid_key> or B<nid_cert> can be set to -1 indicating that no encryption -should be used. +should be used. B<mac_iter> can be set to -1 and the MAC will then be omitted entirely.
diff --git a/doc/crypto/PKCS5_PBKDF2_HMAC.pod b/doc/crypto/PKCS5_PBKDF2_HMAC.pod index ec8e8ff..a78bc26 100644 --- a/doc/crypto/PKCS5_PBKDF2_HMAC.pod +++ b/doc/crypto/PKCS5_PBKDF2_HMAC.pod
@@ -14,8 +14,8 @@ int keylen, unsigned char *out); int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, - const unsigned char *salt, int saltlen, int iter, - int keylen, unsigned char *out); + const unsigned char *salt, int saltlen, int iter, + int keylen, unsigned char *out); =head1 DESCRIPTION @@ -31,7 +31,7 @@ attempt to calculate the length of the B<salt> because it is not assumed to be NULL terminated. -B<iter> is the iteration count and its value should be greater than or +B<iter> is the iteration count and its value should be greater than or equal to 1. RFC 2898 suggests an iteration count of at least 1000. Any B<iter> less than 1 is treated as a single iteration.
diff --git a/doc/crypto/PKCS7_encrypt.pod b/doc/crypto/PKCS7_encrypt.pod index 125dead..8c885c1 100644 --- a/doc/crypto/PKCS7_encrypt.pod +++ b/doc/crypto/PKCS7_encrypt.pod
@@ -30,7 +30,7 @@ respectively. The algorithm passed in the B<cipher> parameter must support ASN1 encoding of -its parameters. +its parameters. Many browsers implement a "sign and encrypt" option which is simply an S/MIME envelopedData containing an S/MIME signed message. This can be readily produced @@ -55,7 +55,7 @@ If the flag B<PKCS7_STREAM> is set the returned B<PKCS7> structure is B<not> complete and outputting its contents via a function that does not -properly finalize the B<PKCS7> structure will give unpredictable +properly finalize the B<PKCS7> structure will give unpredictable results. Several functions including SMIME_write_PKCS7(), i2d_PKCS7_bio_stream(),
diff --git a/doc/crypto/PKCS7_sign.pod b/doc/crypto/PKCS7_sign.pod index b5ea477..837f4bf 100644 --- a/doc/crypto/PKCS7_sign.pod +++ b/doc/crypto/PKCS7_sign.pod
@@ -15,7 +15,7 @@ PKCS7_sign() creates and returns a PKCS#7 signedData structure. B<signcert> is the certificate to sign with, B<pkey> is the corresponding private key. B<certs> is an optional additional set of certificates to include in the PKCS#7 -structure (for example any intermediate CAs in the chain). +structure (for example any intermediate CAs in the chain). The data to be signed is read from BIO B<data>.
diff --git a/doc/crypto/PKCS7_sign_add_signer.pod b/doc/crypto/PKCS7_sign_add_signer.pod index 9f30e6e..be51b3d 100644 --- a/doc/crypto/PKCS7_sign_add_signer.pod +++ b/doc/crypto/PKCS7_sign_add_signer.pod
@@ -44,7 +44,7 @@ An error occurs if a matching digest value cannot be found to copy. The returned PKCS7 structure will be valid and finalized when this flag is set. -If B<PKCS7_PARTIAL> is set in addition to B<PKCS7_REUSE_DIGEST> then the +If B<PKCS7_PARTIAL> is set in addition to B<PKCS7_REUSE_DIGEST> then the B<PKCS7_SIGNER_INO> structure will not be finalized so additional attributes can be added. In this case an explicit call to PKCS7_SIGNER_INFO_sign() is needed to finalize it. @@ -67,7 +67,7 @@ PKCS7_sign_add_signers() returns an internal pointer to the PKCS7_SIGNER_INFO -structure just added, this can be used to set additional attributes +structure just added, this can be used to set additional attributes before it is finalized. =head1 RETURN VALUES
diff --git a/doc/crypto/PKCS7_verify.pod b/doc/crypto/PKCS7_verify.pod index 74f550e..5ae01f4 100644 --- a/doc/crypto/PKCS7_verify.pod +++ b/doc/crypto/PKCS7_verify.pod
@@ -61,7 +61,7 @@ to change the default verify behaviour. Only the flag B<PKCS7_NOINTERN> is meaningful to PKCS7_get0_signers(). -If B<PKCS7_NOINTERN> is set the certificates in the message itself are not +If B<PKCS7_NOINTERN> is set the certificates in the message itself are not searched when locating the signer's certificate. This means that all the signers certificates must be in the B<certs> parameter. @@ -86,7 +86,7 @@ signer cannot be found. Care should be taken when modifying the default verify behaviour, for example -setting B<PKCS7_NOVERIFY|PKCS7_NOSIGS> will totally disable all verification +setting B<PKCS7_NOVERIFY|PKCS7_NOSIGS> will totally disable all verification and any signed message will be considered valid. This combination is however useful if one merely wishes to write the content to B<out> and its validity is not considered important.
diff --git a/doc/crypto/RAND_set_rand_method.pod b/doc/crypto/RAND_set_rand_method.pod index 86060c9..4c18f92 100644 --- a/doc/crypto/RAND_set_rand_method.pod +++ b/doc/crypto/RAND_set_rand_method.pod
@@ -42,7 +42,7 @@ void (*cleanup)(void); void (*add)(const void *buf, int num, int entropy); int (*pseudorand)(unsigned char *buf, int num); - int (*status)(void); + int (*status)(void); } RAND_METHOD; The components point to method implementations used by (or called by), in order,
diff --git a/doc/crypto/RSA_private_encrypt.pod b/doc/crypto/RSA_private_encrypt.pod index 99cc2a8..bcf514b 100644 --- a/doc/crypto/RSA_private_encrypt.pod +++ b/doc/crypto/RSA_private_encrypt.pod
@@ -11,7 +11,7 @@ int RSA_private_encrypt(int flen, unsigned char *from, unsigned char *to, RSA *rsa, int padding); - int RSA_public_decrypt(int flen, unsigned char *from, + int RSA_public_decrypt(int flen, unsigned char *from, unsigned char *to, RSA *rsa, int padding); =head1 DESCRIPTION
diff --git a/doc/crypto/RSA_set_method.pod b/doc/crypto/RSA_set_method.pod index 9d57fa7..d7019ce 100644 --- a/doc/crypto/RSA_set_method.pod +++ b/doc/crypto/RSA_set_method.pod
@@ -43,7 +43,7 @@ RSA_get_default_method() returns a pointer to the current default RSA_METHOD. However, the meaningfulness of this result is dependent on -whether the ENGINE API is being used, so this function is no longer +whether the ENGINE API is being used, so this function is no longer recommended. RSA_set_method() selects B<meth> to perform all operations using the key @@ -80,56 +80,56 @@ typedef struct rsa_meth_st { /* name of the implementation */ - const char *name; + const char *name; /* encrypt */ - int (*rsa_pub_enc)(int flen, unsigned char *from, + int (*rsa_pub_enc)(int flen, unsigned char *from, unsigned char *to, RSA *rsa, int padding); /* verify arbitrary data */ - int (*rsa_pub_dec)(int flen, unsigned char *from, + int (*rsa_pub_dec)(int flen, unsigned char *from, unsigned char *to, RSA *rsa, int padding); /* sign arbitrary data */ - int (*rsa_priv_enc)(int flen, unsigned char *from, + int (*rsa_priv_enc)(int flen, unsigned char *from, unsigned char *to, RSA *rsa, int padding); /* decrypt */ - int (*rsa_priv_dec)(int flen, unsigned char *from, + int (*rsa_priv_dec)(int flen, unsigned char *from, unsigned char *to, RSA *rsa, int padding); /* compute r0 = r0 ^ I mod rsa->n (May be NULL for some implementations) */ - int (*rsa_mod_exp)(BIGNUM *r0, BIGNUM *I, RSA *rsa); + int (*rsa_mod_exp)(BIGNUM *r0, BIGNUM *I, RSA *rsa); /* compute r = a ^ p mod m (May be NULL for some implementations) */ - int (*bn_mod_exp)(BIGNUM *r, BIGNUM *a, const BIGNUM *p, + int (*bn_mod_exp)(BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); /* called at RSA_new */ - int (*init)(RSA *rsa); + int (*init)(RSA *rsa); /* called at RSA_free */ - int (*finish)(RSA *rsa); + int (*finish)(RSA *rsa); /* RSA_FLAG_EXT_PKEY - rsa_mod_exp is called for private key * operations, even if p,q,dmp1,dmq1,iqmp * are NULL * RSA_METHOD_FLAG_NO_CHECK - don't check pub/private match */ - int flags; + int flags; - char *app_data; /* ?? */ + char *app_data; /* ?? */ - int (*rsa_sign)(int type, - const unsigned char *m, unsigned int m_length, - unsigned char *sigret, unsigned int *siglen, const RSA *rsa); - int (*rsa_verify)(int dtype, - const unsigned char *m, unsigned int m_length, - const unsigned char *sigbuf, unsigned int siglen, - const RSA *rsa); + int (*rsa_sign)(int type, + const unsigned char *m, unsigned int m_length, + unsigned char *sigret, unsigned int *siglen, const RSA *rsa); + int (*rsa_verify)(int dtype, + const unsigned char *m, unsigned int m_length, + const unsigned char *sigbuf, unsigned int siglen, + const RSA *rsa); /* keygen. If NULL builtin RSA key generation will be used */ - int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb); + int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb); } RSA_METHOD;
diff --git a/doc/crypto/RSA_sign.pod b/doc/crypto/RSA_sign.pod index 3383209..11a5a60 100644 --- a/doc/crypto/RSA_sign.pod +++ b/doc/crypto/RSA_sign.pod
@@ -51,7 +51,7 @@ L<ERR_get_error(3)>, L<rsa(3)>, L<RSA_private_encrypt(3)>, -L<RSA_public_decrypt(3)> +L<RSA_public_decrypt(3)> =cut
diff --git a/doc/crypto/SMIME_read_CMS.pod b/doc/crypto/SMIME_read_CMS.pod index a171dc9..fc0b299 100644 --- a/doc/crypto/SMIME_read_CMS.pod +++ b/doc/crypto/SMIME_read_CMS.pod
@@ -2,7 +2,7 @@ =head1 NAME - SMIME_read_CMS - parse S/MIME message. +SMIME_read_CMS - parse S/MIME message. =head1 SYNOPSIS
diff --git a/doc/crypto/SMIME_write_CMS.pod b/doc/crypto/SMIME_write_CMS.pod index 0ba3868..475b666 100644 --- a/doc/crypto/SMIME_write_CMS.pod +++ b/doc/crypto/SMIME_write_CMS.pod
@@ -2,7 +2,7 @@ =head1 NAME - SMIME_write_CMS - convert CMS structure to S/MIME format. +SMIME_write_CMS - convert CMS structure to S/MIME format. =head1 SYNOPSIS
diff --git a/doc/crypto/X509_EXTENSION_set_object.pod b/doc/crypto/X509_EXTENSION_set_object.pod index 1b0a66a..dd792b6 100644 --- a/doc/crypto/X509_EXTENSION_set_object.pod +++ b/doc/crypto/X509_EXTENSION_set_object.pod
@@ -1,3 +1,5 @@ +=pod + =head1 NAME X509_EXTENSION_set_object, X509_EXTENSION_set_critical,
diff --git a/doc/crypto/X509_LOOKUP_hash_dir.pod b/doc/crypto/X509_LOOKUP_hash_dir.pod index 13a6014..5b633bd 100644 --- a/doc/crypto/X509_LOOKUP_hash_dir.pod +++ b/doc/crypto/X509_LOOKUP_hash_dir.pod
@@ -51,7 +51,7 @@ Functions return number of objects loaded from file or 0 in case of -error. +error. Both methods support adding several certificate locations into one B<X509_STORE>.
diff --git a/doc/crypto/X509_NAME_ENTRY_get_object.pod b/doc/crypto/X509_NAME_ENTRY_get_object.pod index 2b1de40..631afb9 100644 --- a/doc/crypto/X509_NAME_ENTRY_get_object.pod +++ b/doc/crypto/X509_NAME_ENTRY_get_object.pod
@@ -35,17 +35,17 @@ B<type> and value determined by B<bytes> and B<len>. X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_NID() -and X509_NAME_ENTRY_create_by_OBJ() create and return an +and X509_NAME_ENTRY_create_by_OBJ() create and return an B<X509_NAME_ENTRY> structure. =head1 NOTES X509_NAME_ENTRY_get_object() and X509_NAME_ENTRY_get_data() can be -used to examine an B<X509_NAME_ENTRY> function as returned by +used to examine an B<X509_NAME_ENTRY> function as returned by X509_NAME_get_entry() for example. X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_NID(), -and X509_NAME_ENTRY_create_by_OBJ() create and return an +and X509_NAME_ENTRY_create_by_OBJ() create and return an X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_OBJ(), X509_NAME_ENTRY_create_by_NID() and X509_NAME_ENTRY_set_data() @@ -60,17 +60,11 @@ B<MBSTRING_ASC> but in the case of X509_set_data() the field name must be set first so the relevant field information can be looked up internally. -=head1 RETURN VALUES - =head1 SEE ALSO L<ERR_get_error(3)>, L<d2i_X509_NAME(3)>, L<OBJ_nid2obj(3)> -=head1 HISTORY - -TBA - =cut =head1 COPYRIGHT
diff --git a/doc/crypto/X509_NAME_add_entry_by_txt.pod b/doc/crypto/X509_NAME_add_entry_by_txt.pod index 739fa28..fc3b453 100644 --- a/doc/crypto/X509_NAME_add_entry_by_txt.pod +++ b/doc/crypto/X509_NAME_add_entry_by_txt.pod
@@ -61,7 +61,7 @@ RelativeDistinguishedName (RDN). B<loc> actually determines the index where the new entry is inserted: -if it is -1 it is appended. +if it is -1 it is appended. B<set> determines how the new type is added. If it is zero a new RDN is created. @@ -80,16 +80,16 @@ X509_NAME *nm; nm = X509_NAME_new(); if (nm == NULL) - /* Some error */ - if (!X509_NAME_add_entry_by_txt(nm, "C", MBSTRING_ASC, - "UK", -1, -1, 0)) - /* Error */ + /* Some error */ + if (!X509_NAME_add_entry_by_txt(nm, "C", MBSTRING_ASC, + "UK", -1, -1, 0)) + /* Error */ if (!X509_NAME_add_entry_by_txt(nm, "O", MBSTRING_ASC, - "Disorganized Organization", -1, -1, 0)) - /* Error */ + "Disorganized Organization", -1, -1, 0)) + /* Error */ if (!X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, - "Joe Bloggs", -1, -1, 0)) - /* Error */ + "Joe Bloggs", -1, -1, 0)) + /* Error */ =head1 RETURN VALUES
diff --git a/doc/crypto/X509_NAME_get_index_by_NID.pod b/doc/crypto/X509_NAME_get_index_by_NID.pod index c8a8715..7b3051e 100644 --- a/doc/crypto/X509_NAME_get_index_by_NID.pod +++ b/doc/crypto/X509_NAME_get_index_by_NID.pod
@@ -44,7 +44,7 @@ will be written and the text written to B<buf> will be null terminated. The length of the output string written is returned excluding the terminating null. If B<buf> is <NULL> then the amount -of space needed in B<buf> (excluding the final null) is returned. +of space needed in B<buf> (excluding the final null) is returned. =head1 NOTES @@ -76,10 +76,10 @@ X509_NAME_ENTRY *e; for (i = 0; i < X509_NAME_entry_count(nm); i++) - { - e = X509_NAME_get_entry(nm, i); - /* Do something with e */ - } + { + e = X509_NAME_get_entry(nm, i); + /* Do something with e */ + } Process all commonName entries: @@ -88,13 +88,13 @@ loc = -1; for (;;) - { - lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos); - if (lastpos == -1) - break; - e = X509_NAME_get_entry(nm, lastpos); - /* Do something with e */ - } + { + lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos); + if (lastpos == -1) + break; + e = X509_NAME_get_entry(nm, lastpos); + /* Do something with e */ + } =head1 RETURN VALUES
diff --git a/doc/crypto/X509_NAME_print_ex.pod b/doc/crypto/X509_NAME_print_ex.pod index 2631213..9ddaa77 100644 --- a/doc/crypto/X509_NAME_print_ex.pod +++ b/doc/crypto/X509_NAME_print_ex.pod
@@ -11,7 +11,7 @@ int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags); int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags); - char * X509_NAME_oneline(X509_NAME *a,char *buf,int size); + char * X509_NAME_oneline(X509_NAME *a,char *buf,int size); int X509_NAME_print(BIO *bp, X509_NAME *name, int obase); =head1 DESCRIPTION @@ -27,7 +27,7 @@ bytes will be written. If B<buf> is B<NULL> then a buffer is dynamically allocated and returned, otherwise B<buf> is returned. -X509_NAME_print() prints out B<name> to B<bp> indenting each line by B<obase> +X509_NAME_print() prints out B<name> to B<bp> indenting each line by B<obase> characters. Multiple lines are used if the output (including indent) exceeds 80 characters. @@ -76,7 +76,7 @@ If B<XN_FLAG_FN_ALIGN> is set then field names are padded to 20 characters: this is only of use for multiline format. -Additionally all the options supported by ASN1_STRING_print_ex() can be used to +Additionally all the options supported by ASN1_STRING_print_ex() can be used to control how each field value is displayed. In addition a number options can be set for commonly used formats.
diff --git a/doc/crypto/X509_STORE_CTX_new.pod b/doc/crypto/X509_STORE_CTX_new.pod index 11c8b41..f174bc3 100644 --- a/doc/crypto/X509_STORE_CTX_new.pod +++ b/doc/crypto/X509_STORE_CTX_new.pod
@@ -24,7 +24,7 @@ void X509_STORE_CTX_free(X509_STORE_CTX *ctx); int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, - X509 *x509, STACK_OF(X509) *chain); + X509 *x509, STACK_OF(X509) *chain); void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); @@ -128,7 +128,7 @@ A verify function is defined as an X509_STORE_CTX_verify type which has the following signature: - int (*verify)(X509_STORE_CTX *); + int (*verify)(X509_STORE_CTX *); This function should receive the current X509_STORE_CTX as a parameter and return 1 on success or 0 on failure.
diff --git a/doc/crypto/X509_STORE_CTX_set_verify_cb.pod b/doc/crypto/X509_STORE_CTX_set_verify_cb.pod index 230dca3..5314536 100644 --- a/doc/crypto/X509_STORE_CTX_set_verify_cb.pod +++ b/doc/crypto/X509_STORE_CTX_set_verify_cb.pod
@@ -14,7 +14,7 @@ X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx); void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, - X509_STORE_CTX_verify_cb verify_cb); + X509_STORE_CTX_verify_cb verify_cb); =head1 DESCRIPTION @@ -68,92 +68,92 @@ Default callback operation: int verify_callback(int ok, X509_STORE_CTX *ctx) - { - return ok; - } + { + return ok; + } Simple example, suppose a certificate in the chain is expired and we wish to continue after this error: int verify_callback(int ok, X509_STORE_CTX *ctx) - { - /* Tolerate certificate expiration */ - if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED) - return 1; - /* Otherwise don't override */ - return ok; - } + { + /* Tolerate certificate expiration */ + if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED) + return 1; + /* Otherwise don't override */ + return ok; + } More complex example, we don't wish to continue after B<any> certificate has expired just one specific case: int verify_callback(int ok, X509_STORE_CTX *ctx) - { - int err = X509_STORE_CTX_get_error(ctx); - X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx); - if (err == X509_V_ERR_CERT_HAS_EXPIRED) - { - if (check_is_acceptable_expired_cert(err_cert) - return 1; - } - return ok; - } + { + int err = X509_STORE_CTX_get_error(ctx); + X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx); + if (err == X509_V_ERR_CERT_HAS_EXPIRED) + { + if (check_is_acceptable_expired_cert(err_cert) + return 1; + } + return ok; + } Full featured logging callback. In this case the B<bio_err> is assumed to be a global logging B<BIO>, an alternative would to store a BIO in B<ctx> using B<ex_data>. - + int verify_callback(int ok, X509_STORE_CTX *ctx) - { - X509 *err_cert; - int err,depth; + { + X509 *err_cert; + int err,depth; - err_cert = X509_STORE_CTX_get_current_cert(ctx); - err = X509_STORE_CTX_get_error(ctx); - depth = X509_STORE_CTX_get_error_depth(ctx); + err_cert = X509_STORE_CTX_get_current_cert(ctx); + err = X509_STORE_CTX_get_error(ctx); + depth = X509_STORE_CTX_get_error_depth(ctx); - BIO_printf(bio_err,"depth=%d ",depth); - if (err_cert) - { - X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert), - 0, XN_FLAG_ONELINE); - BIO_puts(bio_err, "\n"); - } - else - BIO_puts(bio_err, "<no cert>\n"); - if (!ok) - BIO_printf(bio_err,"verify error:num=%d:%s\n",err, - X509_verify_cert_error_string(err)); - switch (err) - { - case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - BIO_puts(bio_err,"issuer= "); - X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), - 0, XN_FLAG_ONELINE); - BIO_puts(bio_err, "\n"); - break; - case X509_V_ERR_CERT_NOT_YET_VALID: - case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: - BIO_printf(bio_err,"notBefore="); - ASN1_TIME_print(bio_err,X509_get_notBefore(err_cert)); - BIO_printf(bio_err,"\n"); - break; - case X509_V_ERR_CERT_HAS_EXPIRED: - case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: - BIO_printf(bio_err,"notAfter="); - ASN1_TIME_print(bio_err,X509_get_notAfter(err_cert)); - BIO_printf(bio_err,"\n"); - break; - case X509_V_ERR_NO_EXPLICIT_POLICY: - policies_print(bio_err, ctx); - break; - } - if (err == X509_V_OK && ok == 2) - /* print out policies */ + BIO_printf(bio_err,"depth=%d ",depth); + if (err_cert) + { + X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert), + 0, XN_FLAG_ONELINE); + BIO_puts(bio_err, "\n"); + } + else + BIO_puts(bio_err, "<no cert>\n"); + if (!ok) + BIO_printf(bio_err,"verify error:num=%d:%s\n",err, + X509_verify_cert_error_string(err)); + switch (err) + { + case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: + BIO_puts(bio_err,"issuer= "); + X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), + 0, XN_FLAG_ONELINE); + BIO_puts(bio_err, "\n"); + break; + case X509_V_ERR_CERT_NOT_YET_VALID: + case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: + BIO_printf(bio_err,"notBefore="); + ASN1_TIME_print(bio_err,X509_get_notBefore(err_cert)); + BIO_printf(bio_err,"\n"); + break; + case X509_V_ERR_CERT_HAS_EXPIRED: + case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: + BIO_printf(bio_err,"notAfter="); + ASN1_TIME_print(bio_err,X509_get_notAfter(err_cert)); + BIO_printf(bio_err,"\n"); + break; + case X509_V_ERR_NO_EXPLICIT_POLICY: + policies_print(bio_err, ctx); + break; + } + if (err == X509_V_OK && ok == 2) + /* print out policies */ - BIO_printf(bio_err,"verify return:%d\n",ok); - return(ok); - } + BIO_printf(bio_err,"verify return:%d\n",ok); + return(ok); + } =head1 SEE ALSO
diff --git a/doc/crypto/X509_STORE_set_verify_cb_func.pod b/doc/crypto/X509_STORE_set_verify_cb_func.pod index f0b4c83..2cc3bcb 100644 --- a/doc/crypto/X509_STORE_set_verify_cb_func.pod +++ b/doc/crypto/X509_STORE_set_verify_cb_func.pod
@@ -9,10 +9,10 @@ #include <openssl/x509_vfy.h> void X509_STORE_set_verify_cb(X509_STORE *st, - int (*verify_cb)(int ok, X509_STORE_CTX *ctx)); + int (*verify_cb)(int ok, X509_STORE_CTX *ctx)); void X509_STORE_set_verify_cb_func(X509_STORE *st, - int (*verify_cb)(int ok, X509_STORE_CTX *ctx)); + int (*verify_cb)(int ok, X509_STORE_CTX *ctx)); =head1 DESCRIPTION @@ -24,14 +24,14 @@ =head1 NOTES -The verification callback from an B<X509_STORE> is inherited by +The verification callback from an B<X509_STORE> is inherited by the corresponding B<X509_STORE_CTX> structure when it is initialized. This can -be used to set the verification callback when the B<X509_STORE_CTX> is +be used to set the verification callback when the B<X509_STORE_CTX> is otherwise inaccessible (for example during S/MIME verification). =head1 BUGS -The macro version of this function was the only one available before +The macro version of this function was the only one available before OpenSSL 1.0.0. =head1 RETURN VALUES
diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod index 0e2ea8b..382e181 100644 --- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
@@ -11,7 +11,7 @@ int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags); int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, - unsigned long flags); + unsigned long flags); unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param); int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose); @@ -20,9 +20,9 @@ void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t); int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, - ASN1_OBJECT *policy); - int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, - STACK_OF(ASN1_OBJECT) *policies); + ASN1_OBJECT *policy); + int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, + STACK_OF(ASN1_OBJECT) *policies); void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth); int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param); @@ -32,22 +32,22 @@ int X509_VERIFY_PARAM_get_auth_level(const X509_VERIFY_PARAM *param); int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, - const char *name, size_t namelen); + const char *name, size_t namelen); int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, const char *name, size_t namelen); void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, - unsigned int flags); + unsigned int flags); char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param); int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, - const char *email, size_t emaillen); + const char *email, size_t emaillen); int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, - const unsigned char *ip, size_t iplen); + const unsigned char *ip, size_t iplen); int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc); =head1 DESCRIPTION These functions manipulate the B<X509_VERIFY_PARAM> structure associated with -a certificate verification operation. +a certificate verification operation. The X509_VERIFY_PARAM_set_flags() function sets the flags in B<param> by oring it with B<flags>. See the B<VERIFICATION FLAGS> section for a complete @@ -61,7 +61,7 @@ to B<purpose>. This determines the acceptable purpose of the certificate chain, for example SSL client or SSL server. -X509_VERIFY_PARAM_set_trust() sets the trust setting in B<param> to +X509_VERIFY_PARAM_set_trust() sets the trust setting in B<param> to B<trust>. X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to @@ -177,7 +177,7 @@ ored together. B<X509_V_FLAG_CRL_CHECK> enables CRL checking for the certificate chain leaf -certificate. An error occurs if a suitable CRL cannot be found. +certificate. An error occurs if a suitable CRL cannot be found. B<X509_V_FLAG_CRL_CHECK_ALL> enables CRL checking for the entire certificate chain. @@ -251,7 +251,7 @@ =head1 BUGS Delta CRL checking is currently primitive. Only a single delta can be used and -(partly due to limitations of B<X509_STORE>) constructed CRLs are not +(partly due to limitations of B<X509_STORE>) constructed CRLs are not maintained. If CRLs checking is enable CRLs are expected to be available in the @@ -260,7 +260,7 @@ =head1 EXAMPLE -Enable CRL checking when performing certificate verification during SSL +Enable CRL checking when performing certificate verification during SSL connections associated with an B<SSL_CTX> structure B<ctx>: X509_VERIFY_PARAM *param;
diff --git a/doc/crypto/X509_check_host.pod b/doc/crypto/X509_check_host.pod index b21a650..826fca3 100644 --- a/doc/crypto/X509_check_host.pod +++ b/doc/crypto/X509_check_host.pod
@@ -9,11 +9,11 @@ #include <openssl/x509.h> int X509_check_host(X509 *, const char *name, size_t namelen, - unsigned int flags, char **peername); + unsigned int flags, char **peername); int X509_check_email(X509 *, const char *address, size_t addresslen, - unsigned int flags); + unsigned int flags); int X509_check_ip(X509 *, const unsigned char *address, size_t addresslen, - unsigned int flags); + unsigned int flags); int X509_check_ip_asc(X509 *, const char *address, unsigned int flags); =head1 DESCRIPTION
diff --git a/doc/crypto/X509_check_issued.pod b/doc/crypto/X509_check_issued.pod index 108ff83..c177fdc 100644 --- a/doc/crypto/X509_check_issued.pod +++ b/doc/crypto/X509_check_issued.pod
@@ -15,7 +15,7 @@ =head1 DESCRIPTION This function checks if certificate I<subject> was issued using CA -certificate I<issuer>. This function takes into account not only +certificate I<issuer>. This function takes into account not only matching of issuer field of I<subject> with subject field of I<issuer>, but also compares B<authorityKeyIdentifier> extension of I<subject> with B<subjectKeyIdentifier> of I<issuer> if B<authorityKeyIdentifier>
diff --git a/doc/crypto/X509_get_pubkey.pod b/doc/crypto/X509_get_pubkey.pod index a997109..86ea574 100644 --- a/doc/crypto/X509_get_pubkey.pod +++ b/doc/crypto/X509_get_pubkey.pod
@@ -3,8 +3,8 @@ =head1 NAME X509_get_pubkey, X509_get0_pubkey, X509_set_pubkey, X509_get_X509_PUBKEY, -X509_REQ_get_pubkey, X509_REQ_get0_pubkey, X509_REQ_set_pubkey, -X509_REQ_get_X509_PUBKEY - get or set certificate or certificate request +X509_REQ_get_pubkey, X509_REQ_get0_pubkey, X509_REQ_set_pubkey, +X509_REQ_get_X509_PUBKEY - get or set certificate or certificate request public key. =head1 SYNOPSIS @@ -37,7 +37,7 @@ X509_set_pubkey() attempts to set the public key for certificate B<x> to B<pkey>. The key B<pkey> should be freed up after use. -X509_REQ_get_pubkey(), X509_REQ_get0_pubkey(), X509_REQ_set_pubkey() and +X509_REQ_get_pubkey(), X509_REQ_get0_pubkey(), X509_REQ_set_pubkey() and X509_REQ_get_X509_PUBKEY() are similar but operate on certificate request B<req>. =head1 NOTES
diff --git a/doc/crypto/X509v3_get_ext_by_NID.pod b/doc/crypto/X509v3_get_ext_by_NID.pod index f037bf6..a612cdb 100644 --- a/doc/crypto/X509v3_get_ext_by_NID.pod +++ b/doc/crypto/X509v3_get_ext_by_NID.pod
@@ -75,7 +75,7 @@ the extension is found its index is returned otherwise B<-1> is returned. X509v3_get_ext_by_critical() is similar to X509v3_get_ext_by_NID() except it -looks for an extension of criticality B<crit>. A zero value for B<crit> +looks for an extension of criticality B<crit>. A zero value for B<crit> looks for a non-critical extension a non-zero value looks for a critical extension.
diff --git a/doc/crypto/blowfish.pod b/doc/crypto/blowfish.pod index 2de4675..d477b32 100644 --- a/doc/crypto/blowfish.pod +++ b/doc/crypto/blowfish.pod
@@ -14,12 +14,12 @@ void BF_ecb_encrypt(const unsigned char *in, unsigned char *out, BF_KEY *key, int enc); void BF_cbc_encrypt(const unsigned char *in, unsigned char *out, - long length, BF_KEY *schedule, unsigned char *ivec, int enc); + long length, BF_KEY *schedule, unsigned char *ivec, int enc); void BF_cfb64_encrypt(const unsigned char *in, unsigned char *out, - long length, BF_KEY *schedule, unsigned char *ivec, int *num, + long length, BF_KEY *schedule, unsigned char *ivec, int *num, int enc); void BF_ofb64_encrypt(const unsigned char *in, unsigned char *out, - long length, BF_KEY *schedule, unsigned char *ivec, int *num); + long length, BF_KEY *schedule, unsigned char *ivec, int *num); const char *BF_options(void); void BF_encrypt(BF_LONG *data,const BF_KEY *key); @@ -52,7 +52,7 @@ The mode functions BF_cbc_encrypt(), BF_cfb64_encrypt() and BF_ofb64_encrypt() all operate on variable length data. They all take an initialization vector -B<ivec> which needs to be passed along into the next call of the same function +B<ivec> which needs to be passed along into the next call of the same function for the same message. B<ivec> may be initialized with anything, but the recipient needs to know what it was initialized with, or it won't be able to decrypt. Some programs and protocols simplify this, like SSH, where
diff --git a/doc/crypto/bn.pod b/doc/crypto/bn.pod index cc3b3d3..62f196b 100644 --- a/doc/crypto/bn.pod +++ b/doc/crypto/bn.pod
@@ -129,24 +129,24 @@ BN_CTX *ctx); BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, - BIGNUM *mod); + BIGNUM *mod); void BN_BLINDING_free(BN_BLINDING *b); int BN_BLINDING_update(BN_BLINDING *b,BN_CTX *ctx); int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, - BN_CTX *ctx); + BN_CTX *ctx); int BN_BLINDING_invert_ex(BIGNUM *n,const BIGNUM *r,BN_BLINDING *b, - BN_CTX *ctx); + BN_CTX *ctx); unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *); void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long); unsigned long BN_BLINDING_get_flags(const BN_BLINDING *); void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long); BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b, - const BIGNUM *e, BIGNUM *m, BN_CTX *ctx, - int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), - BN_MONT_CTX *m_ctx); + const BIGNUM *e, BIGNUM *m, BN_CTX *ctx, + int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), + BN_MONT_CTX *m_ctx); =head1 DESCRIPTION
diff --git a/doc/crypto/bn_internal.pod b/doc/crypto/bn_internal.pod index fe8f7c7..b849db7 100644 --- a/doc/crypto/bn_internal.pod +++ b/doc/crypto/bn_internal.pod
@@ -95,8 +95,8 @@ bn.top=1. B<neg> is 1 if the number is negative. When a B<BIGNUM> is B<0>, the B<d> field can be B<NULL> and B<top> == B<0>. -B<flags> is a bit field of flags which are defined in C<openssl/bn.h>. The -flags begin with B<BN_FLG_>. The macros BN_set_flags(b,n) and +B<flags> is a bit field of flags which are defined in C<openssl/bn.h>. The +flags begin with B<BN_FLG_>. The macros BN_set_flags(b,n) and BN_get_flags(b,n) exist to enable or fetch flag(s) B<n> from B<BIGNUM> structure B<b>.
diff --git a/doc/crypto/buffer.pod b/doc/crypto/buffer.pod index d61d975..62a429b 100644 --- a/doc/crypto/buffer.pod +++ b/doc/crypto/buffer.pod
@@ -17,9 +17,9 @@ BUF_MEM *BUF_MEM_new_ex(unsigned long flags); - void BUF_MEM_free(BUF_MEM *a); + void BUF_MEM_free(BUF_MEM *a); - int BUF_MEM_grow(BUF_MEM *str, int len); + int BUF_MEM_grow(BUF_MEM *str, int len); =head1 DESCRIPTION
diff --git a/doc/crypto/crypto.pod b/doc/crypto/crypto.pod index 8e68cb8..e75ddb6 100644 --- a/doc/crypto/crypto.pod +++ b/doc/crypto/crypto.pod
@@ -4,8 +4,6 @@ crypto - OpenSSL cryptographic library -=head1 SYNOPSIS - =head1 DESCRIPTION The OpenSSL B<crypto> library implements a wide range of cryptographic
diff --git a/doc/crypto/d2i_DSAPublicKey.pod b/doc/crypto/d2i_DSAPublicKey.pod index 6ef906e..89de585 100644 --- a/doc/crypto/d2i_DSAPublicKey.pod +++ b/doc/crypto/d2i_DSAPublicKey.pod
@@ -66,7 +66,7 @@ The B<DSA> structure passed to the private key encoding functions should have all the private key components present. -The data encoded by the private key functions is unencrypted and therefore +The data encoded by the private key functions is unencrypted and therefore offers no private key security. The B<DSA_PUBKEY> functions should be used in preference to the B<DSAPublicKey>
diff --git a/doc/crypto/d2i_ECPKParameters.pod b/doc/crypto/d2i_ECPKParameters.pod index 7ede1bf..2721640 100644 --- a/doc/crypto/d2i_ECPKParameters.pod +++ b/doc/crypto/d2i_ECPKParameters.pod
@@ -15,7 +15,7 @@ #define d2i_ECPKParameters_fp(fp,x) (EC_GROUP *)ASN1_d2i_fp(NULL, \ (char *(*)())d2i_ECPKParameters,(fp),(unsigned char **)(x)) #define i2d_ECPKParameters_fp(fp,x) ASN1_i2d_fp(i2d_ECPKParameters,(fp), \ - (unsigned char *)(x)) + (unsigned char *)(x)) int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off); int ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off); @@ -25,7 +25,7 @@ The ECPKParameters encode and decode routines encode and parse the public parameters for an B<EC_GROUP> structure, which represents a curve. -d2i_ECPKParameters() attempts to decode B<len> bytes at B<*in>. If +d2i_ECPKParameters() attempts to decode B<len> bytes at B<*in>. If successful a pointer to the B<EC_GROUP> structure is returned. If an error occurred then B<NULL> is returned. If B<px> is not B<NULL> then the returned structure is written to B<*px>. If B<*px> is not B<NULL> @@ -38,7 +38,7 @@ If B<out> is not B<NULL> is writes the DER encoded data to the buffer at B<*out>, and increments it to point after the data just written. If the return value is negative an error occurred, otherwise it -returns the length of the encoded data. +returns the length of the encoded data. If B<*out> is B<NULL> memory will be allocated for a buffer and the encoded data written to it. In this case B<*out> is not incremented and it points to @@ -73,7 +73,7 @@ value if an error occurs. i2d_ECPKParameters_bio(), i2d_ECPKParameters_fp(), ECPKParameters_print and ECPKParameters_print_fp -return 1 for success and 0 if an error occurs. +return 1 for success and 0 if an error occurs. =head1 SEE ALSO
diff --git a/doc/crypto/d2i_PKCS8PrivateKey.pod b/doc/crypto/d2i_PKCS8PrivateKey.pod index 720d416..c78a147 100644 --- a/doc/crypto/d2i_PKCS8PrivateKey.pod +++ b/doc/crypto/d2i_PKCS8PrivateKey.pod
@@ -14,20 +14,20 @@ EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u); int i2d_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc, - char *kstr, int klen, - pem_password_cb *cb, void *u); + char *kstr, int klen, + pem_password_cb *cb, void *u); int i2d_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc, - char *kstr, int klen, - pem_password_cb *cb, void *u); + char *kstr, int klen, + pem_password_cb *cb, void *u); int i2d_PKCS8PrivateKey_nid_bio(BIO *bp, EVP_PKEY *x, int nid, - char *kstr, int klen, - pem_password_cb *cb, void *u); + char *kstr, int klen, + pem_password_cb *cb, void *u); int i2d_PKCS8PrivateKey_nid_fp(FILE *fp, EVP_PKEY *x, int nid, - char *kstr, int klen, - pem_password_cb *cb, void *u); + char *kstr, int klen, + pem_password_cb *cb, void *u); =head1 DESCRIPTION
diff --git a/doc/crypto/d2i_RSAPublicKey.pod b/doc/crypto/d2i_RSAPublicKey.pod index 47d74e9..b20c8a2 100644 --- a/doc/crypto/d2i_RSAPublicKey.pod +++ b/doc/crypto/d2i_RSAPublicKey.pod
@@ -60,8 +60,8 @@ The B<RSA> structure passed to the private key encoding functions should have all the PKCS#1 private key components present. -The data encoded by the private key functions is unencrypted and therefore -offers no private key security. +The data encoded by the private key functions is unencrypted and therefore +offers no private key security. The NET format functions are present to provide compatibility with certain very old software. This format has some severe security weaknesses and should be
diff --git a/doc/crypto/d2i_X509.pod b/doc/crypto/d2i_X509.pod index 42ea738..c05f6e5 100644 --- a/doc/crypto/d2i_X509.pod +++ b/doc/crypto/d2i_X509.pod
@@ -27,7 +27,7 @@ The X509 encode and decode routines encode and parse an B<X509> structure, which represents an X509 certificate. -d2i_X509() attempts to decode B<len> bytes at B<*in>. If +d2i_X509() attempts to decode B<len> bytes at B<*in>. If successful a pointer to the B<X509> structure is returned. If an error occurred then B<NULL> is returned. If B<px> is not B<NULL> then the returned structure is written to B<*px>. If B<*px> is not B<NULL> @@ -48,7 +48,7 @@ If B<out> is not B<NULL> is writes the DER encoded data to the buffer at B<*out>, and increments it to point after the data just written. If the return value is negative an error occurred, otherwise it -returns the length of the encoded data. +returns the length of the encoded data. If B<*out> is B<NULL> memory will be allocated for a buffer and the encoded data written to it. In this @@ -115,7 +115,7 @@ buf = NULL; len = i2d_X509(x, &buf); if (len < 0) - /* error */ + /* error */ Attempt to decode a buffer: @@ -155,7 +155,7 @@ len = i2d_X509(x, NULL); buf = OPENSSL_malloc(len); if (buf == NULL) - /* error */ + /* error */ i2d_X509(x, &buf); /* Other stuff ... */ @@ -171,7 +171,7 @@ X509 *x; if (!d2i_X509(&x, &p, len)) - /* Some error */ + /* Some error */ This will probably crash somewhere in d2i_X509(). The reason for this is that the variable B<x> is uninitialized and an attempt will be made to @@ -181,7 +181,7 @@ =head1 BUGS -In some versions of OpenSSL the "reuse" behaviour of d2i_X509() when +In some versions of OpenSSL the "reuse" behaviour of d2i_X509() when B<*px> is valid is broken and some parts of the reused structure may persist if they are not present in the new one. As a result the use of this "reuse" behaviour is strongly discouraged. @@ -219,10 +219,10 @@ i2d_X509() returns the number of bytes successfully encoded or a negative value if an error occurs. The error code can be obtained by -L<ERR_get_error(3)>. +L<ERR_get_error(3)>. -i2d_X509_bio() and i2d_X509_fp() return 1 for success and 0 if an error -occurs The error code can be obtained by L<ERR_get_error(3)>. +i2d_X509_bio() and i2d_X509_fp() return 1 for success and 0 if an error +occurs The error code can be obtained by L<ERR_get_error(3)>. =head1 SEE ALSO
diff --git a/doc/crypto/d2i_X509_NAME.pod b/doc/crypto/d2i_X509_NAME.pod index bf45f8e..d957e90 100644 --- a/doc/crypto/d2i_X509_NAME.pod +++ b/doc/crypto/d2i_X509_NAME.pod
@@ -32,14 +32,14 @@ =head1 RETURN VALUES -=head1 SEE ALSO - The meanings of the return values of d2i_X509_NAME() and i2d_X509_NAME() are similar to those for d2i_X509() and i2d_X509(). The function X509_NAME_get0_der() returns 1 for success and 0 if an error occurred. +=head1 SEE ALSO + L<d2i_X509(3)> =cut
diff --git a/doc/crypto/des.pod b/doc/crypto/des.pod index 3540f73..8f53210 100644 --- a/doc/crypto/des.pod +++ b/doc/crypto/des.pod
@@ -28,16 +28,16 @@ void DES_set_odd_parity(DES_cblock *key); int DES_is_weak_key(const_DES_cblock *key); - void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output, + void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output, DES_key_schedule *ks, int enc); - void DES_ecb2_encrypt(const_DES_cblock *input, DES_cblock *output, + void DES_ecb2_encrypt(const_DES_cblock *input, DES_cblock *output, DES_key_schedule *ks1, DES_key_schedule *ks2, int enc); - void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output, - DES_key_schedule *ks1, DES_key_schedule *ks2, + void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output, + DES_key_schedule *ks1, DES_key_schedule *ks2, DES_key_schedule *ks3, int enc); - void DES_ncbc_encrypt(const unsigned char *input, unsigned char *output, - long length, DES_key_schedule *schedule, DES_cblock *ivec, + void DES_ncbc_encrypt(const unsigned char *input, unsigned char *output, + long length, DES_key_schedule *schedule, DES_cblock *ivec, int enc); void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, long length, DES_key_schedule *schedule, @@ -45,8 +45,8 @@ void DES_ofb_encrypt(const unsigned char *in, unsigned char *out, int numbits, long length, DES_key_schedule *schedule, DES_cblock *ivec); - void DES_pcbc_encrypt(const unsigned char *input, unsigned char *output, - long length, DES_key_schedule *schedule, DES_cblock *ivec, + void DES_pcbc_encrypt(const unsigned char *input, unsigned char *output, + long length, DES_key_schedule *schedule, DES_cblock *ivec, int enc); void DES_cfb64_encrypt(const unsigned char *in, unsigned char *out, long length, DES_key_schedule *schedule, DES_cblock *ivec, @@ -55,8 +55,8 @@ long length, DES_key_schedule *schedule, DES_cblock *ivec, int *num); - void DES_xcbc_encrypt(const unsigned char *input, unsigned char *output, - long length, DES_key_schedule *schedule, DES_cblock *ivec, + void DES_xcbc_encrypt(const unsigned char *input, unsigned char *output, + long length, DES_key_schedule *schedule, DES_cblock *ivec, const_DES_cblock *inw, const_DES_cblock *outw, int enc); void DES_ede2_cbc_encrypt(const unsigned char *input, @@ -73,18 +73,18 @@ unsigned char *output, long length, DES_key_schedule *ks1, DES_key_schedule *ks2, DES_key_schedule *ks3, DES_cblock *ivec, int enc); - void DES_ede3_cfb64_encrypt(const unsigned char *in, unsigned char *out, + void DES_ede3_cfb64_encrypt(const unsigned char *in, unsigned char *out, long length, DES_key_schedule *ks1, DES_key_schedule *ks2, DES_key_schedule *ks3, DES_cblock *ivec, int *num, int enc); - void DES_ede3_ofb64_encrypt(const unsigned char *in, unsigned char *out, - long length, DES_key_schedule *ks1, - DES_key_schedule *ks2, DES_key_schedule *ks3, + void DES_ede3_ofb64_encrypt(const unsigned char *in, unsigned char *out, + long length, DES_key_schedule *ks1, + DES_key_schedule *ks2, DES_key_schedule *ks3, DES_cblock *ivec, int *num); - DES_LONG DES_cbc_cksum(const unsigned char *input, DES_cblock *output, - long length, DES_key_schedule *schedule, + DES_LONG DES_cbc_cksum(const unsigned char *input, DES_cblock *output, + long length, DES_key_schedule *schedule, const_DES_cblock *ivec); - DES_LONG DES_quad_cksum(const unsigned char *input, DES_cblock output[], + DES_LONG DES_quad_cksum(const unsigned char *input, DES_cblock output[], long length, int out_count, DES_cblock *seed); void DES_string_to_key(const char *str, DES_cblock *key); void DES_string_to_2keys(const char *str, DES_cblock *key1, @@ -127,7 +127,7 @@ DES_set_odd_parity() sets the parity of the passed I<key> to odd. DES_is_weak_key() returns 1 if the passed key is a weak key, 0 if it -is ok. +is ok. The following routines mostly operate on an input and output stream of I<DES_cblock>s.
diff --git a/doc/crypto/des_modes.pod b/doc/crypto/des_modes.pod index 027c741..9d17875 100644 --- a/doc/crypto/des_modes.pod +++ b/doc/crypto/des_modes.pod
@@ -240,11 +240,11 @@ documentation for SSLeay, the predecessor of OpenSSL. In turn, he attributed it to: - AS 2805.5.2 - Australian Standard - Electronic funds transfer - Requirements for interfaces, - Part 5.2: Modes of operation for an n-bit block cipher algorithm - Appendix A + AS 2805.5.2 + Australian Standard + Electronic funds transfer - Requirements for interfaces, + Part 5.2: Modes of operation for an n-bit block cipher algorithm + Appendix A =head1 SEE ALSO
diff --git a/doc/crypto/dh.pod b/doc/crypto/dh.pod index 13448e9..5f3872c 100644 --- a/doc/crypto/dh.pod +++ b/doc/crypto/dh.pod
@@ -9,15 +9,15 @@ #include <openssl/dh.h> #include <openssl/engine.h> - DH * DH_new(void); - void DH_free(DH *dh); + DH * DH_new(void); + void DH_free(DH *dh); - DH * DH_generate_parameters(int prime_len, int generator, - void (*callback)(int, int, void *), void *cb_arg); - int DH_check(const DH *dh, int *codes); + DH * DH_generate_parameters(int prime_len, int generator, + void (*callback)(int, int, void *), void *cb_arg); + int DH_check(const DH *dh, int *codes); - int DH_generate_key(DH *dh); - int DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh); + int DH_generate_key(DH *dh); + int DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh); void DH_set_default_method(const DH_METHOD *meth); const DH_METHOD *DH_get_default_method(void); @@ -25,11 +25,11 @@ DH *DH_new_method(ENGINE *engine); const DH_METHOD *DH_OpenSSL(void); - DH * d2i_DHparams(DH **a, unsigned char **pp, long length); - int i2d_DHparams(const DH *a, unsigned char **pp); + DH * d2i_DHparams(DH **a, unsigned char **pp, long length); + int i2d_DHparams(const DH *a, unsigned char **pp); - int DHparams_print_fp(FILE *fp, const DH *x); - int DHparams_print(BIO *bp, const DH *x); + int DHparams_print_fp(FILE *fp, const DH *x); + int DHparams_print(BIO *bp, const DH *x); =head1 DESCRIPTION @@ -56,7 +56,7 @@ L<DH_get_ex_new_index(3)>, L<DH_generate_parameters(3)>, L<DH_compute_key(3)>, L<DH_get0_pqg(3)>, L<DH_meth_new(3)>, L<d2i_DHparams(3)>, -L<RSA_print(3)> +L<RSA_print(3)> =cut
diff --git a/doc/crypto/dsa.pod b/doc/crypto/dsa.pod index bc4ace9..9a2d541 100644 --- a/doc/crypto/dsa.pod +++ b/doc/crypto/dsa.pod
@@ -9,25 +9,25 @@ #include <openssl/dsa.h> #include <openssl/engine.h> - DSA * DSA_new(void); - void DSA_free(DSA *dsa); + DSA * DSA_new(void); + void DSA_free(DSA *dsa); - int DSA_size(const DSA *dsa); + int DSA_size(const DSA *dsa); - DSA * DSA_generate_parameters(int bits, unsigned char *seed, + DSA * DSA_generate_parameters(int bits, unsigned char *seed, int seed_len, int *counter_ret, unsigned long *h_ret, - void (*callback)(int, int, void *), void *cb_arg); + void (*callback)(int, int, void *), void *cb_arg); - DH * DSA_dup_DH(const DSA *r); + DH * DSA_dup_DH(const DSA *r); - int DSA_generate_key(DSA *dsa); + int DSA_generate_key(DSA *dsa); - int DSA_sign(int dummy, const unsigned char *dgst, int len, - unsigned char *sigret, unsigned int *siglen, DSA *dsa); - int DSA_sign_setup(DSA *dsa, BN_CTX *ctx, BIGNUM **kinvp, + int DSA_sign(int dummy, const unsigned char *dgst, int len, + unsigned char *sigret, unsigned int *siglen, DSA *dsa); + int DSA_sign_setup(DSA *dsa, BN_CTX *ctx, BIGNUM **kinvp, BIGNUM **rp); - int DSA_verify(int dummy, const unsigned char *dgst, int len, - const unsigned char *sigbuf, int siglen, DSA *dsa); + int DSA_verify(int dummy, const unsigned char *dgst, int len, + const unsigned char *sigbuf, int siglen, DSA *dsa); void DSA_set_default_method(const DSA_METHOD *meth); const DSA_METHOD *DSA_get_default_method(void); @@ -36,25 +36,25 @@ const DSA_METHOD *DSA_OpenSSL(void); DSA_SIG *DSA_SIG_new(void); - void DSA_SIG_free(DSA_SIG *a); - int i2d_DSA_SIG(const DSA_SIG *a, unsigned char **pp); + void DSA_SIG_free(DSA_SIG *a); + int i2d_DSA_SIG(const DSA_SIG *a, unsigned char **pp); DSA_SIG *d2i_DSA_SIG(DSA_SIG **v, unsigned char **pp, long length); DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); - int DSA_do_verify(const unsigned char *dgst, int dgst_len, - DSA_SIG *sig, DSA *dsa); + int DSA_do_verify(const unsigned char *dgst, int dgst_len, + DSA_SIG *sig, DSA *dsa); - DSA * d2i_DSAPublicKey(DSA **a, unsigned char **pp, long length); - DSA * d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length); - DSA * d2i_DSAparams(DSA **a, unsigned char **pp, long length); - int i2d_DSAPublicKey(const DSA *a, unsigned char **pp); - int i2d_DSAPrivateKey(const DSA *a, unsigned char **pp); - int i2d_DSAparams(const DSA *a,unsigned char **pp); + DSA * d2i_DSAPublicKey(DSA **a, unsigned char **pp, long length); + DSA * d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length); + DSA * d2i_DSAparams(DSA **a, unsigned char **pp, long length); + int i2d_DSAPublicKey(const DSA *a, unsigned char **pp); + int i2d_DSAPrivateKey(const DSA *a, unsigned char **pp); + int i2d_DSAparams(const DSA *a,unsigned char **pp); - int DSAparams_print(BIO *bp, const DSA *x); - int DSAparams_print_fp(FILE *fp, const DSA *x); - int DSA_print(BIO *bp, const DSA *x, int off); - int DSA_print_fp(FILE *bp, const DSA *x, int off); + int DSAparams_print(BIO *bp, const DSA *x); + int DSAparams_print_fp(FILE *fp, const DSA *x); + int DSA_print(BIO *bp, const DSA *x, int off); + int DSA_print_fp(FILE *bp, const DSA *x, int off); =head1 DESCRIPTION @@ -69,11 +69,11 @@ struct { - BIGNUM *p; // prime number (public) - BIGNUM *q; // 160-bit subprime, q | p-1 (public) - BIGNUM *g; // generator of subgroup (public) - BIGNUM *priv_key; // private key x - BIGNUM *pub_key; // public key y = g^x + BIGNUM *p; // prime number (public) + BIGNUM *q; // 160-bit subprime, q | p-1 (public) + BIGNUM *g; // generator of subgroup (public) + BIGNUM *priv_key; // private key x + BIGNUM *pub_key; // public key y = g^x // ... } DSA;
diff --git a/doc/crypto/ec.pod b/doc/crypto/ec.pod index b43ff08..8f1b94c 100644 --- a/doc/crypto/ec.pod +++ b/doc/crypto/ec.pod
@@ -60,34 +60,34 @@ const EC_METHOD *EC_POINT_method_of(const EC_POINT *point); int EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point); int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *p, - const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx); + const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx); int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group, - const EC_POINT *p, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx); + const EC_POINT *p, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx); int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *p, - const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx); + const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx); int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, - const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx); + const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx); int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *p, - const BIGNUM *x, int y_bit, BN_CTX *ctx); + const BIGNUM *x, int y_bit, BN_CTX *ctx); int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p, - const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx); + const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx); int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group, - const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx); + const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx); int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p, - const BIGNUM *x, int y_bit, BN_CTX *ctx); + const BIGNUM *x, int y_bit, BN_CTX *ctx); size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *p, - point_conversion_form_t form, + point_conversion_form_t form, unsigned char *buf, size_t len, BN_CTX *ctx); int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *p, const unsigned char *buf, size_t len, BN_CTX *ctx); BIGNUM *EC_POINT_point2bn(const EC_GROUP *, const EC_POINT *, - point_conversion_form_t form, BIGNUM *, BN_CTX *); + point_conversion_form_t form, BIGNUM *, BN_CTX *); EC_POINT *EC_POINT_bn2point(const EC_GROUP *, const BIGNUM *, - EC_POINT *, BN_CTX *); + EC_POINT *, BN_CTX *); char *EC_POINT_point2hex(const EC_GROUP *, const EC_POINT *, - point_conversion_form_t form, BN_CTX *); + point_conversion_form_t form, BN_CTX *); EC_POINT *EC_POINT_hex2point(const EC_GROUP *, const char *, - EC_POINT *, BN_CTX *); + EC_POINT *, BN_CTX *); int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx); int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx); @@ -104,8 +104,8 @@ int EC_GROUP_get_basis_type(const EC_GROUP *); int EC_GROUP_get_trinomial_basis(const EC_GROUP *, unsigned int *k); - int EC_GROUP_get_pentanomial_basis(const EC_GROUP *, unsigned int *k1, - unsigned int *k2, unsigned int *k3); + int EC_GROUP_get_pentanomial_basis(const EC_GROUP *, unsigned int *k1, + unsigned int *k2, unsigned int *k3); EC_GROUP *d2i_ECPKParameters(EC_GROUP **, const unsigned char **in, long len); int i2d_ECPKParameters(const EC_GROUP *, unsigned char **out); #define d2i_ECPKParameters_bio(bp,x) ASN1_d2i_bio_of(EC_GROUP,NULL,d2i_ECPKParameters,bp,x) @@ -113,7 +113,7 @@ #define d2i_ECPKParameters_fp(fp,x) (EC_GROUP *)ASN1_d2i_fp(NULL, \ (char *(*)())d2i_ECPKParameters,(fp),(unsigned char **)(x)) #define i2d_ECPKParameters_fp(fp,x) ASN1_i2d_fp(i2d_ECPKParameters,(fp), \ - (unsigned char *)(x)) + (unsigned char *)(x)) int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off); int ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off); @@ -150,14 +150,14 @@ EC_KEY *o2i_ECPublicKey(EC_KEY **key, const unsigned char **in, long len); int i2o_ECPublicKey(EC_KEY *key, unsigned char **out); - int ECParameters_print(BIO *bp, const EC_KEY *key); - int EC_KEY_print(BIO *bp, const EC_KEY *key, int off); - int ECParameters_print_fp(FILE *fp, const EC_KEY *key); - int EC_KEY_print_fp(FILE *fp, const EC_KEY *key, int off); + int ECParameters_print(BIO *bp, const EC_KEY *key); + int EC_KEY_print(BIO *bp, const EC_KEY *key, int off); + int ECParameters_print_fp(FILE *fp, const EC_KEY *key); + int EC_KEY_print_fp(FILE *fp, const EC_KEY *key, int off); #define ECParameters_dup(x) ASN1_dup_of(EC_KEY,i2d_ECParameters,d2i_ECParameters,x) #define EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, EVP_PKEY_OP_PARAMGEN, \ - EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID, nid, NULL) + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, EVP_PKEY_OP_PARAMGEN, \ + EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID, nid, NULL) const EC_KEY_METHOD *EC_KEY_get_method(const EC_KEY *key); int EC_KEY_set_method(EC_KEY *key, const EC_KEY_METHOD *meth);
diff --git a/doc/crypto/engine.pod b/doc/crypto/engine.pod index 7bb9bbb..a52870a 100644 --- a/doc/crypto/engine.pod +++ b/doc/crypto/engine.pod
@@ -491,15 +491,15 @@ It is using these "core" control commands that one can discover the control commands implemented by a given ENGINE, specifically the commands; - #define ENGINE_HAS_CTRL_FUNCTION 10 - #define ENGINE_CTRL_GET_FIRST_CMD_TYPE 11 - #define ENGINE_CTRL_GET_NEXT_CMD_TYPE 12 - #define ENGINE_CTRL_GET_CMD_FROM_NAME 13 - #define ENGINE_CTRL_GET_NAME_LEN_FROM_CMD 14 - #define ENGINE_CTRL_GET_NAME_FROM_CMD 15 - #define ENGINE_CTRL_GET_DESC_LEN_FROM_CMD 16 - #define ENGINE_CTRL_GET_DESC_FROM_CMD 17 - #define ENGINE_CTRL_GET_CMD_FLAGS 18 + #define ENGINE_HAS_CTRL_FUNCTION 10 + #define ENGINE_CTRL_GET_FIRST_CMD_TYPE 11 + #define ENGINE_CTRL_GET_NEXT_CMD_TYPE 12 + #define ENGINE_CTRL_GET_CMD_FROM_NAME 13 + #define ENGINE_CTRL_GET_NAME_LEN_FROM_CMD 14 + #define ENGINE_CTRL_GET_NAME_FROM_CMD 15 + #define ENGINE_CTRL_GET_DESC_LEN_FROM_CMD 16 + #define ENGINE_CTRL_GET_DESC_FROM_CMD 17 + #define ENGINE_CTRL_GET_CMD_FLAGS 18 Whilst these commands are automatically processed by the OpenSSL framework code, they use various properties exposed by each ENGINE to process these @@ -535,10 +535,10 @@ description. ENGINE_CTRL_GET_FLAGS returns a bitwise-OR'd mask of the following possible values; - #define ENGINE_CMD_FLAG_NUMERIC (unsigned int)0x0001 - #define ENGINE_CMD_FLAG_STRING (unsigned int)0x0002 - #define ENGINE_CMD_FLAG_NO_INPUT (unsigned int)0x0004 - #define ENGINE_CMD_FLAG_INTERNAL (unsigned int)0x0008 + #define ENGINE_CMD_FLAG_NUMERIC (unsigned int)0x0001 + #define ENGINE_CMD_FLAG_STRING (unsigned int)0x0002 + #define ENGINE_CMD_FLAG_NO_INPUT (unsigned int)0x0004 + #define ENGINE_CMD_FLAG_INTERNAL (unsigned int)0x0008 If the ENGINE_CMD_FLAG_INTERNAL flag is set, then any other flags are purely informational to the caller - this flag will prevent the command being usable
diff --git a/doc/crypto/err.pod b/doc/crypto/err.pod index 4b25736..cd258f4 100644 --- a/doc/crypto/err.pod +++ b/doc/crypto/err.pod
@@ -119,7 +119,7 @@ C<ERR_load_XXX_strings()> to the ERR_load_crypto_strings() function (in B<crypto/err/err_all.c>). Finally, add an entry - L XXX xxx.h xxx_err.c + L XXX xxx.h xxx_err.c to B<crypto/err/openssl.ec>, and add B<xxx_err.c> to the Makefile. Running B<make errors> will then generate a file B<xxx_err.c>, and
diff --git a/doc/crypto/evp.pod b/doc/crypto/evp.pod index d8695b1..7109f9f 100644 --- a/doc/crypto/evp.pod +++ b/doc/crypto/evp.pod
@@ -75,7 +75,7 @@ Although low level algorithm specific functions exist for many algorithms their use is discouraged. They cannot be used with an ENGINE and ENGINE versions of new algorithms cannot be accessed using the low level functions. -Also makes code harder to adapt to new algorithms and some options are not +Also makes code harder to adapt to new algorithms and some options are not cleanly supported at the low level and some operations are more efficient using the high level interface.
diff --git a/doc/crypto/hmac.pod b/doc/crypto/hmac.pod index 7e5148e..bb35070 100644 --- a/doc/crypto/hmac.pod +++ b/doc/crypto/hmac.pod
@@ -16,7 +16,7 @@ int HMAC_CTX_reset(HMAC_CTX *ctx); int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int key_len, - const EVP_MD *md, ENGINE *impl); + const EVP_MD *md, ENGINE *impl); int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len); int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
diff --git a/doc/crypto/i2d_CMS_bio_stream.pod b/doc/crypto/i2d_CMS_bio_stream.pod index 6d73295..be4b44f 100644 --- a/doc/crypto/i2d_CMS_bio_stream.pod +++ b/doc/crypto/i2d_CMS_bio_stream.pod
@@ -2,7 +2,7 @@ =head1 NAME - i2d_CMS_bio_stream - output CMS_ContentInfo structure in BER format. +i2d_CMS_bio_stream - output CMS_ContentInfo structure in BER format. =head1 SYNOPSIS
diff --git a/doc/crypto/lhash.pod b/doc/crypto/lhash.pod index f5db636..acc0821 100644 --- a/doc/crypto/lhash.pod +++ b/doc/crypto/lhash.pod
@@ -53,37 +53,37 @@ as; #define DECLARE_LHASH_HASH_FN(name, o_type) \ - unsigned long name##_LHASH_HASH(const void *); + unsigned long name##_LHASH_HASH(const void *); #define IMPLEMENT_LHASH_HASH_FN(name, o_type) \ - unsigned long name##_LHASH_HASH(const void *arg) { \ - const o_type *a = arg; \ - return name##_hash(a); } + unsigned long name##_LHASH_HASH(const void *arg) { \ + const o_type *a = arg; \ + return name##_hash(a); } #define LHASH_HASH_FN(name) name##_LHASH_HASH #define DECLARE_LHASH_COMP_FN(name, o_type) \ - int name##_LHASH_COMP(const void *, const void *); + int name##_LHASH_COMP(const void *, const void *); #define IMPLEMENT_LHASH_COMP_FN(name, o_type) \ - int name##_LHASH_COMP(const void *arg1, const void *arg2) { \ - const o_type *a = arg1; \ - const o_type *b = arg2; \ - return name##_cmp(a,b); } + int name##_LHASH_COMP(const void *arg1, const void *arg2) { \ + const o_type *a = arg1; \ + const o_type *b = arg2; \ + return name##_cmp(a,b); } #define LHASH_COMP_FN(name) name##_LHASH_COMP #define DECLARE_LHASH_DOALL_FN(name, o_type) \ - void name##_LHASH_DOALL(void *); + void name##_LHASH_DOALL(void *); #define IMPLEMENT_LHASH_DOALL_FN(name, o_type) \ - void name##_LHASH_DOALL(void *arg) { \ - o_type *a = arg; \ - name##_doall(a); } + void name##_LHASH_DOALL(void *arg) { \ + o_type *a = arg; \ + name##_doall(a); } #define LHASH_DOALL_FN(name) name##_LHASH_DOALL #define DECLARE_LHASH_DOALL_ARG_FN(name, o_type, a_type) \ - void name##_LHASH_DOALL_ARG(void *, void *); + void name##_LHASH_DOALL_ARG(void *, void *); #define IMPLEMENT_LHASH_DOALL_ARG_FN(name, o_type, a_type) \ - void name##_LHASH_DOALL_ARG(void *arg1, void *arg2) { \ - o_type *a = arg1; \ - a_type *b = arg2; \ - name##_doall_arg(a, b); } + void name##_LHASH_DOALL_ARG(void *arg1, void *arg2) { \ + o_type *a = arg1; \ + a_type *b = arg2; \ + name##_doall_arg(a, b); } #define LHASH_DOALL_ARG_FN(name) name##_LHASH_DOALL_ARG An example of a hash table storing (pointers to) structures of type 'STUFF' @@ -101,7 +101,7 @@ /* Create the new hash table using the hash/compare wrappers */ LHASH_OF(STUFF) *hashtable = lh_STUFF_new(LHASH_HASH_FN(STUFF_hash), LHASH_COMP_FN(STUFF_cmp)); - /* ... */ + /* ... */ } lh_<type>_free() frees the B<LHASH_OF(<type>> structure @@ -168,7 +168,7 @@ /* Print out the entire hashtable to a particular BIO */ lh_STUFF_doall_arg(hashtable, LHASH_DOALL_ARG_FN(STUFF_print), BIO, logging_bio); - + lh_<type>_error() can be used to determine if an error occurred in the last operation. lh_<type>_error() is a macro.
diff --git a/doc/crypto/md5.pod b/doc/crypto/md5.pod index 837641b..6de7cd0 100644 --- a/doc/crypto/md5.pod +++ b/doc/crypto/md5.pod
@@ -75,7 +75,7 @@ =head1 RETURN VALUES -MD2(), MD4(), and MD5() return pointers to the hash value. +MD2(), MD4(), and MD5() return pointers to the hash value. MD2_Init(), MD2_Update(), MD2_Final(), MD4_Init(), MD4_Update(), MD4_Final(), MD5_Init(), MD5_Update(), and MD5_Final() return 1 for
diff --git a/doc/crypto/mdc2.pod b/doc/crypto/mdc2.pod index 1022e7b..0865b7d 100644 --- a/doc/crypto/mdc2.pod +++ b/doc/crypto/mdc2.pod
@@ -44,7 +44,7 @@ =head1 RETURN VALUES -MDC2() returns a pointer to the hash value. +MDC2() returns a pointer to the hash value. MDC2_Init(), MDC2_Update() and MDC2_Final() return 1 for success, 0 otherwise.
diff --git a/doc/crypto/pem.pod b/doc/crypto/pem.pod index ec4d0bd..35354b0 100644 --- a/doc/crypto/pem.pod +++ b/doc/crypto/pem.pod
@@ -216,7 +216,7 @@ any trust settings are discarded. The B<X509_AUX> functions process a trusted X509 certificate using -an X509 structure. +an X509 structure. The B<X509_REQ> and B<X509_REQ_NEW> functions process a PKCS#10 certificate request using an X509_REQ structure. The B<X509_REQ> @@ -340,7 +340,7 @@ char *tmp; /* We'd probably do something else if 'rwflag' is 1 */ - printf("Enter pass phrase for \"%s\"\n", (char *)u); + printf("Enter pass phrase for \"%s\"\n", (char *)u); /* get pass phrase, length 'len' into 'tmp' */ tmp = "hello"; @@ -379,7 +379,7 @@ These old B<PrivateKey> routines use a non standard technique for encryption. -The private key (or other data) takes the following form: +The private key (or other data) takes the following form: -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED @@ -433,7 +433,7 @@ PEM_read_bio_X509(bp, &x, 0, NULL); -where B<x> already contains a valid certificate, may not work, whereas: +where B<x> already contains a valid certificate, may not work, whereas: X509_free(x); x = PEM_read_bio_X509(bp, NULL, 0, NULL);
diff --git a/doc/crypto/rand.pod b/doc/crypto/rand.pod index eca3bf5..dad566b 100644 --- a/doc/crypto/rand.pod +++ b/doc/crypto/rand.pod
@@ -64,7 +64,7 @@ seeding process whenever the application is started. L<RAND_bytes(3)> describes how to obtain random data from the -PRNG. +PRNG. =head1 SEE ALSO @@ -72,7 +72,7 @@ L<RAND_load_file(3)>, L<RAND_egd(3)>, L<RAND_bytes(3)>, L<RAND_set_rand_method(3)>, -L<RAND_cleanup(3)> +L<RAND_cleanup(3)> =cut
diff --git a/doc/crypto/ripemd.pod b/doc/crypto/ripemd.pod index c76af8f..61eee8a 100644 --- a/doc/crypto/ripemd.pod +++ b/doc/crypto/ripemd.pod
@@ -41,7 +41,7 @@ =head1 RETURN VALUES -RIPEMD160() returns a pointer to the hash value. +RIPEMD160() returns a pointer to the hash value. RIPEMD160_Init(), RIPEMD160_Update() and RIPEMD160_Final() return 1 for success, 0 otherwise.
diff --git a/doc/crypto/rsa.pod b/doc/crypto/rsa.pod index 2fc6594..864de6c 100644 --- a/doc/crypto/rsa.pod +++ b/doc/crypto/rsa.pod
@@ -18,7 +18,7 @@ unsigned char *to, RSA *rsa, int padding); int RSA_private_encrypt(int flen, unsigned char *from, unsigned char *to, RSA *rsa,int padding); - int RSA_public_decrypt(int flen, unsigned char *from, + int RSA_public_decrypt(int flen, unsigned char *from, unsigned char *to, RSA *rsa,int padding); int RSA_sign(int type, unsigned char *m, unsigned int m_len, @@ -98,7 +98,7 @@ L<RSA_get_ex_new_index(3)>, L<RSA_private_encrypt(3)>, L<RSA_sign_ASN1_OCTET_STRING(3)>, -L<RSA_padding_add_PKCS1_type_1(3)> +L<RSA_padding_add_PKCS1_type_1(3)> =cut
diff --git a/doc/crypto/sha.pod b/doc/crypto/sha.pod index 3dee43f..0c8b6ad 100644 --- a/doc/crypto/sha.pod +++ b/doc/crypto/sha.pod
@@ -81,7 +81,7 @@ =head1 RETURN VALUES SHA1(), SHA224(), SHA256(), SHA384() and SHA512() return a pointer to the hash -value. +value. SHA1_Init(), SHA1_Update() and SHA1_Final() and equivalent SHA224, SHA256, SHA384 and SHA512 functions return 1 for success, 0 otherwise.
diff --git a/doc/crypto/threads.pod b/doc/crypto/threads.pod index 3795c47..d9f91d2 100644 --- a/doc/crypto/threads.pod +++ b/doc/crypto/threads.pod
@@ -84,31 +84,31 @@ This example safely initializes and uses a lock. #include <openssl/crypto.h> - + static CRYPTO_ONCE once = CRYPTO_ONCE_STATIC_INIT; static CRYPTO_RWLOCK *lock; - + static void myinit(void) { lock = CRYPTO_THREAD_lock_new(); } - + static int mylock(void) { if (!CRYPTO_THREAD_run_once(&once, void init) || lock == NULL) return 0; return CRYPTO_THREAD_write_lock(lock); } - + static int myunlock(void) { return CRYPTO_THREAD_unlock(lock); } - + int serialized(void) { int ret = 0; - + if (mylock()) { /* Your code here, do not return without releasing the lock! */ ret = ... ;
diff --git a/doc/crypto/ui.pod b/doc/crypto/ui.pod index 89aa3b5..d703c16 100644 --- a/doc/crypto/ui.pod +++ b/doc/crypto/ui.pod
@@ -22,30 +22,30 @@ void UI_free(UI *ui); int UI_add_input_string(UI *ui, const char *prompt, int flags, - char *result_buf, int minsize, int maxsize); + char *result_buf, int minsize, int maxsize); int UI_dup_input_string(UI *ui, const char *prompt, int flags, - char *result_buf, int minsize, int maxsize); + char *result_buf, int minsize, int maxsize); int UI_add_verify_string(UI *ui, const char *prompt, int flags, - char *result_buf, int minsize, int maxsize, const char *test_buf); + char *result_buf, int minsize, int maxsize, const char *test_buf); int UI_dup_verify_string(UI *ui, const char *prompt, int flags, - char *result_buf, int minsize, int maxsize, const char *test_buf); + char *result_buf, int minsize, int maxsize, const char *test_buf); int UI_add_input_boolean(UI *ui, const char *prompt, const char *action_desc, - const char *ok_chars, const char *cancel_chars, - int flags, char *result_buf); + const char *ok_chars, const char *cancel_chars, + int flags, char *result_buf); int UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc, - const char *ok_chars, const char *cancel_chars, - int flags, char *result_buf); + const char *ok_chars, const char *cancel_chars, + int flags, char *result_buf); int UI_add_info_string(UI *ui, const char *text); int UI_dup_info_string(UI *ui, const char *text); int UI_add_error_string(UI *ui, const char *text); int UI_dup_error_string(UI *ui, const char *text); /* These are the possible flags. They can be or'ed together. */ - #define UI_INPUT_FLAG_ECHO 0x01 - #define UI_INPUT_FLAG_DEFAULT_PWD 0x02 + #define UI_INPUT_FLAG_ECHO 0x01 + #define UI_INPUT_FLAG_DEFAULT_PWD 0x02 char *UI_construct_prompt(UI *ui_method, - const char *object_desc, const char *object_name); + const char *object_desc, const char *object_name); void *UI_add_user_data(UI *ui, void *user_data); void *UI_get0_user_data(UI *ui); @@ -55,8 +55,8 @@ int UI_process(UI *ui); int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f)()); - #define UI_CTRL_PRINT_ERRORS 1 - #define UI_CTRL_IS_REDOABLE 2 + #define UI_CTRL_PRINT_ERRORS 1 + #define UI_CTRL_IS_REDOABLE 2 void UI_set_default_method(const UI_METHOD *meth); const UI_METHOD *UI_get_default_method(void);
diff --git a/doc/ssl/SSL_CONF_CTX_set1_prefix.pod b/doc/ssl/SSL_CONF_CTX_set1_prefix.pod index 00b7118..2e82f05 100644 --- a/doc/ssl/SSL_CONF_CTX_set1_prefix.pod +++ b/doc/ssl/SSL_CONF_CTX_set1_prefix.pod
@@ -20,7 +20,7 @@ Command prefixes alter the commands recognised by subsequent SSL_CTX_cmd() calls. For example for files, if the prefix "SSL" is set then command names such as "SSLProtocol", "SSLOptions" etc. are recognised instead of "Protocol" -and "Options". Similarly for command lines if the prefix is "--ssl-" then +and "Options". Similarly for command lines if the prefix is "--ssl-" then "--ssl-no_tls1_2" is recognised instead of "-no_tls1_2". If the B<SSL_CONF_FLAG_CMDLINE> flag is set then prefix checks are case
diff --git a/doc/ssl/SSL_CTX_add_session.pod b/doc/ssl/SSL_CTX_add_session.pod index 4d4c327..fd782b3 100644 --- a/doc/ssl/SSL_CTX_add_session.pod +++ b/doc/ssl/SSL_CTX_add_session.pod
@@ -59,7 +59,7 @@ session was not found in the cache. =item Z<>1 - + The operation succeeded. =back
diff --git a/doc/ssl/SSL_CTX_flush_sessions.pod b/doc/ssl/SSL_CTX_flush_sessions.pod index 4c90016..e16775b 100644 --- a/doc/ssl/SSL_CTX_flush_sessions.pod +++ b/doc/ssl/SSL_CTX_flush_sessions.pod
@@ -26,7 +26,7 @@ removed from the cache to save resources. This can either be done automatically whenever 255 new sessions were established (see L<SSL_CTX_set_session_cache_mode(3)>) -or manually by calling SSL_CTX_flush_sessions(). +or manually by calling SSL_CTX_flush_sessions(). The parameter B<tm> specifies the time which should be used for the expiration test, in most cases the actual time given by time(0) @@ -37,8 +37,6 @@ called to synchronize with the external cache (see L<SSL_CTX_sess_set_get_cb(3)>). -=head1 RETURN VALUES - =head1 SEE ALSO L<ssl(3)>,
diff --git a/doc/ssl/SSL_CTX_sess_set_get_cb.pod b/doc/ssl/SSL_CTX_sess_set_get_cb.pod index 19924da..e8aa8ee 100644 --- a/doc/ssl/SSL_CTX_sess_set_get_cb.pod +++ b/doc/ssl/SSL_CTX_sess_set_get_cb.pod
@@ -9,11 +9,11 @@ #include <openssl/ssl.h> void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, - int (*new_session_cb)(SSL *, SSL_SESSION *)); + int (*new_session_cb)(SSL *, SSL_SESSION *)); void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, - void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *)); + void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *)); void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, - SSL_SESSION (*get_session_cb)(SSL *, const unsigned char *, int, int *)); + SSL_SESSION (*get_session_cb)(SSL *, const unsigned char *, int, int *)); int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess); void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx, SSL_SESSION *sess); @@ -22,7 +22,7 @@ int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess); void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess); SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data, - int len, int *copy); + int len, int *copy); =head1 DESCRIPTION
diff --git a/doc/ssl/SSL_CTX_set1_curves.pod b/doc/ssl/SSL_CTX_set1_curves.pod index 5e99d65..2429dfb 100644 --- a/doc/ssl/SSL_CTX_set1_curves.pod +++ b/doc/ssl/SSL_CTX_set1_curves.pod
@@ -23,7 +23,7 @@ SSL_CTX_set1_curves() sets the supported curves for B<ctx> to B<clistlen> curves in the array B<clist>. The array consist of all NIDs of curves in preference order. For a TLS client the curves are used directly in the -supported curves extension. For a TLS server the curves are used to +supported curves extension. For a TLS server the curves are used to determine the set of shared curves. SSL_CTX_set1_curves_list() sets the supported curves for B<ctx> to @@ -34,7 +34,7 @@ supported curves for the SSL structure B<ssl>. SSL_get1_curves() returns the set of supported curves sent by a client -in the supported curves extension. It returns the total number of +in the supported curves extension. It returns the total number of supported curves. The B<curves> parameter can be B<NULL> to simply return the number of curves for memory allocation purposes. The B<curves> array is in the form of a set of curve NIDs in preference
diff --git a/doc/ssl/SSL_CTX_set1_verify_cert_store.pod b/doc/ssl/SSL_CTX_set1_verify_cert_store.pod index 5343aa0..fa6ce56 100644 --- a/doc/ssl/SSL_CTX_set1_verify_cert_store.pod +++ b/doc/ssl/SSL_CTX_set1_verify_cert_store.pod
@@ -54,7 +54,7 @@ The chain store is used to build the certificate chain. If the mode B<SSL_MODE_NO_AUTO_CHAIN> is set or a certificate chain is -configured already (for example using the functions such as +configured already (for example using the functions such as L<SSL_CTX_add1_chain_cert(3)> or L<SSL_CTX_add_extra_chain_cert(3)>) then automatic chain building is disabled.
diff --git a/doc/ssl/SSL_CTX_set_cert_store.pod b/doc/ssl/SSL_CTX_set_cert_store.pod index d53bf4f..27243f3 100644 --- a/doc/ssl/SSL_CTX_set_cert_store.pod +++ b/doc/ssl/SSL_CTX_set_cert_store.pod
@@ -46,7 +46,7 @@ The X509_STORE structure used by an SSL_CTX is used for verifying peer certificates and building certificate chains, it is also shared by -every child SSL structure. Applications wanting finer control can use +every child SSL structure. Applications wanting finer control can use functions such as SSL_CTX_set1_verify_cert_store() instead. =head1 RETURN VALUES
diff --git a/doc/ssl/SSL_CTX_set_cert_verify_callback.pod b/doc/ssl/SSL_CTX_set_cert_verify_callback.pod index 018335f..2eda800 100644 --- a/doc/ssl/SSL_CTX_set_cert_verify_callback.pod +++ b/doc/ssl/SSL_CTX_set_cert_verify_callback.pod
@@ -26,7 +26,7 @@ instead. By setting I<callback> to NULL, the default behaviour is restored. When the verification must be performed, I<callback> will be called with -the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The +the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The argument I<arg> is specified by the application when setting I<callback>. I<callback> should return 1 to indicate verification success and 0 to @@ -35,7 +35,7 @@ allow to continue the connection in case of failure (by always returning 1) the verification result must be set in any case using the B<error> member of I<x509_store_ctx> so that the calling application will be informed -about the detailed result of the verification procedure! +about the detailed result of the verification procedure! Within I<x509_store_ctx>, I<callback> has access to the I<verify_callback> function set using L<SSL_CTX_set_verify(3)>. @@ -54,8 +54,6 @@ =head1 BUGS -=head1 RETURN VALUES - SSL_CTX_set_cert_verify_callback() does not provide diagnostic information. =head1 SEE ALSO
diff --git a/doc/ssl/SSL_CTX_set_client_CA_list.pod b/doc/ssl/SSL_CTX_set_client_CA_list.pod index 57d3f0a..c0656ab 100644 --- a/doc/ssl/SSL_CTX_set_client_CA_list.pod +++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod
@@ -9,7 +9,7 @@ =head1 SYNOPSIS #include <openssl/ssl.h> - + void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list); void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list); int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert); @@ -42,7 +42,7 @@ B<ctx> and SSL_set_client_CA_list() for the specific B<ssl>. The list specified overrides the previous setting. The CAs listed do not become trusted (B<list> only contains the names, not the complete certificates); use -L<SSL_CTX_load_verify_locations(3)> +L<SSL_CTX_load_verify_locations(3)> to additionally load them for verification. If the list of acceptable CAs is compiled in a file, the
diff --git a/doc/ssl/SSL_CTX_set_custom_cli_ext.pod b/doc/ssl/SSL_CTX_set_custom_cli_ext.pod index 670ed4b..07b5e94 100644 --- a/doc/ssl/SSL_CTX_set_custom_cli_ext.pod +++ b/doc/ssl/SSL_CTX_set_custom_cli_ext.pod
@@ -9,41 +9,41 @@ #include <openssl/ssl.h> int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type, - custom_ext_add_cb add_cb, - custom_ext_free_cb free_cb, void *add_arg, - custom_ext_parse_cb parse_cb, - void *parse_arg); + custom_ext_add_cb add_cb, + custom_ext_free_cb free_cb, void *add_arg, + custom_ext_parse_cb parse_cb, + void *parse_arg); int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx, unsigned int ext_type, - custom_ext_add_cb add_cb, - custom_ext_free_cb free_cb, void *add_arg, - custom_ext_parse_cb parse_cb, - void *parse_arg); + custom_ext_add_cb add_cb, + custom_ext_free_cb free_cb, void *add_arg, + custom_ext_parse_cb parse_cb, + void *parse_arg); int SSL_extension_supported(unsigned int ext_type); typedef int (*custom_ext_add_cb)(SSL *s, unsigned int ext_type, - const unsigned char **out, - size_t *outlen, int *al, - void *add_arg); + const unsigned char **out, + size_t *outlen, int *al, + void *add_arg); typedef void (*custom_ext_free_cb)(SSL *s, unsigned int ext_type, - const unsigned char *out, - void *add_arg); + const unsigned char *out, + void *add_arg); typedef int (*custom_ext_parse_cb)(SSL *s, unsigned int ext_type, - const unsigned char *in, - size_t inlen, int *al, - void *parse_arg); + const unsigned char *in, + size_t inlen, int *al, + void *parse_arg); =head1 DESCRIPTION -SSL_CTX_add_client_custom_ext() adds a custom extension for a TLS client +SSL_CTX_add_client_custom_ext() adds a custom extension for a TLS client with extension type B<ext_type> and callbacks B<add_cb>, B<free_cb> and B<parse_cb>. -SSL_CTX_add_server_custom_ext() adds a custom extension for a TLS server +SSL_CTX_add_server_custom_ext() adds a custom extension for a TLS server with extension type B<ext_type> and callbacks B<add_cb>, B<free_cb> and B<parse_cb>. @@ -55,7 +55,7 @@ =head1 EXTENSION CALLBACKS -The callback B<add_cb> is called to send custom extension data to be +The callback B<add_cb> is called to send custom extension data to be included in ClientHello for TLS clients or ServerHello for servers. The B<ext_type> parameter is set to the extension type which will be added and B<add_arg> to the value set when the extension handler was added.
diff --git a/doc/ssl/SSL_CTX_set_generate_session_id.pod b/doc/ssl/SSL_CTX_set_generate_session_id.pod index 968be76..170f743 100644 --- a/doc/ssl/SSL_CTX_set_generate_session_id.pod +++ b/doc/ssl/SSL_CTX_set_generate_session_id.pod
@@ -14,7 +14,7 @@ int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb); int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB, cb); int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, - unsigned int id_len); + unsigned int id_len); =head1 DESCRIPTION
diff --git a/doc/ssl/SSL_CTX_set_info_callback.pod b/doc/ssl/SSL_CTX_set_info_callback.pod index fd1dee9..f20284f 100644 --- a/doc/ssl/SSL_CTX_set_info_callback.pod +++ b/doc/ssl/SSL_CTX_set_info_callback.pod
@@ -110,40 +110,40 @@ about alerts being handled and error messages to the B<bio_err> BIO. void apps_ssl_info_callback(SSL *s, int where, int ret) - { - const char *str; - int w; + { + const char *str; + int w; - w=where& ~SSL_ST_MASK; + w=where& ~SSL_ST_MASK; - if (w & SSL_ST_CONNECT) str="SSL_connect"; - else if (w & SSL_ST_ACCEPT) str="SSL_accept"; - else str="undefined"; + if (w & SSL_ST_CONNECT) str="SSL_connect"; + else if (w & SSL_ST_ACCEPT) str="SSL_accept"; + else str="undefined"; - if (where & SSL_CB_LOOP) - { - BIO_printf(bio_err,"%s:%s\n",str,SSL_state_string_long(s)); - } - else if (where & SSL_CB_ALERT) - { - str=(where & SSL_CB_READ)?"read":"write"; - BIO_printf(bio_err,"SSL3 alert %s:%s:%s\n", - str, - SSL_alert_type_string_long(ret), - SSL_alert_desc_string_long(ret)); - } - else if (where & SSL_CB_EXIT) - { - if (ret == 0) - BIO_printf(bio_err,"%s:failed in %s\n", - str,SSL_state_string_long(s)); - else if (ret < 0) - { - BIO_printf(bio_err,"%s:error in %s\n", - str,SSL_state_string_long(s)); - } - } - } + if (where & SSL_CB_LOOP) + { + BIO_printf(bio_err,"%s:%s\n",str,SSL_state_string_long(s)); + } + else if (where & SSL_CB_ALERT) + { + str=(where & SSL_CB_READ)?"read":"write"; + BIO_printf(bio_err,"SSL3 alert %s:%s:%s\n", + str, + SSL_alert_type_string_long(ret), + SSL_alert_desc_string_long(ret)); + } + else if (where & SSL_CB_EXIT) + { + if (ret == 0) + BIO_printf(bio_err,"%s:failed in %s\n", + str,SSL_state_string_long(s)); + else if (ret < 0) + { + BIO_printf(bio_err,"%s:error in %s\n", + str,SSL_state_string_long(s)); + } + } + } =head1 SEE ALSO
diff --git a/doc/ssl/SSL_CTX_set_psk_client_callback.pod b/doc/ssl/SSL_CTX_set_psk_client_callback.pod index 6895152..c780bec 100644 --- a/doc/ssl/SSL_CTX_set_psk_client_callback.pod +++ b/doc/ssl/SSL_CTX_set_psk_client_callback.pod
@@ -9,13 +9,13 @@ #include <openssl/ssl.h> void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, - unsigned int (*callback)(SSL *ssl, const char *hint, - char *identity, unsigned int max_identity_len, - unsigned char *psk, unsigned int max_psk_len)); + unsigned int (*callback)(SSL *ssl, const char *hint, + char *identity, unsigned int max_identity_len, + unsigned char *psk, unsigned int max_psk_len)); void SSL_set_psk_client_callback(SSL *ssl, - unsigned int (*callback)(SSL *ssl, const char *hint, - char *identity, unsigned int max_identity_len, - unsigned char *psk, unsigned int max_psk_len)); + unsigned int (*callback)(SSL *ssl, const char *hint, + char *identity, unsigned int max_identity_len, + unsigned char *psk, unsigned int max_psk_len)); =head1 DESCRIPTION
diff --git a/doc/ssl/SSL_CTX_set_security_level.pod b/doc/ssl/SSL_CTX_set_security_level.pod index 446ab1a..60c3e44 100644 --- a/doc/ssl/SSL_CTX_set_security_level.pod +++ b/doc/ssl/SSL_CTX_set_security_level.pod
@@ -15,12 +15,12 @@ int SSL_get_security_level(const SSL *s); void SSL_CTX_set_security_callback(SSL_CTX *ctx, - int (*cb)(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, - void *other, void *ex)); + int (*cb)(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, + void *other, void *ex)); void SSL_set_security_callback(SSL *s, - int (*cb)(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, - void *other, void *ex)); + int (*cb)(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, + void *other, void *ex)); int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx))(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex); int (*SSL_get_security_callback(const SSL *s))(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex);
diff --git a/doc/ssl/SSL_CTX_set_session_cache_mode.pod b/doc/ssl/SSL_CTX_set_session_cache_mode.pod index d891372..d7a4c1c 100644 --- a/doc/ssl/SSL_CTX_set_session_cache_mode.pod +++ b/doc/ssl/SSL_CTX_set_session_cache_mode.pod
@@ -26,7 +26,7 @@ object. In order to reuse a session, a client must send the session's id to the -server. It can only send exactly one id. The server then either +server. It can only send exactly one id. The server then either agrees to reuse the session or it starts a full handshake (to create a new session).
diff --git a/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod b/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod index 4ae3818..4d9cd5e 100644 --- a/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod +++ b/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod
@@ -10,13 +10,13 @@ long SSL_CTX_set_tlsext_ticket_key_cb(SSL_CTX sslctx, int (*cb)(SSL *s, unsigned char key_name[16], - unsigned char iv[EVP_MAX_IV_LENGTH], - EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)); + unsigned char iv[EVP_MAX_IV_LENGTH], + EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)); =head1 DESCRIPTION SSL_CTX_set_tlsext_ticket_key_cb() sets a callback function I<cb> for handling -session tickets for the ssl context I<sslctx>. Session tickets, defined in +session tickets for the ssl context I<sslctx>. Session tickets, defined in RFC5077 provide an enhanced session resumption capability where the server implementation is not required to maintain per session state. It only applies to TLS and there is no SSLv3 implementation. @@ -26,9 +26,9 @@ message. It is the responsibility of this function to create or retrieve the cryptographic parameters and to maintain their state. -The OpenSSL library uses your callback function to help implement a common TLS +The OpenSSL library uses your callback function to help implement a common TLS ticket construction state according to RFC5077 Section 4 such that per session -state is unnecessary and a small set of cryptographic variables needs to be +state is unnecessary and a small set of cryptographic variables needs to be maintained by the callback function implementation. In order to reuse a session, a TLS client must send the a session ticket @@ -56,7 +56,7 @@ set using L<EVP_EncryptInit_ex(3)>. The hmac context can be set using L<HMAC_Init_ex(3)>. -When the client presents a session ticket, the callback function with be called +When the client presents a session ticket, the callback function with be called with I<enc> set to 0 indicating that the I<cb> function should retrieve a set of parameters. In this case I<name> and I<iv> have already been parsed out of the session ticket. The OpenSSL library expects that the I<name> will be used @@ -76,7 +76,7 @@ =item Z<>2 -This indicates that the I<ctx> and I<hctx> have been set and the session can +This indicates that the I<ctx> and I<hctx> have been set and the session can continue on those parameters. Additionally it indicates that the session ticket is in a renewal period and should be replaced. The OpenSSL library will call I<cb> again with an enc argument of 1 to set the new ticket (see RFC5077 @@ -84,12 +84,12 @@ =item Z<>1 -This indicates that the I<ctx> and I<hctx> have been set and the session can +This indicates that the I<ctx> and I<hctx> have been set and the session can continue on those parameters. =item Z<>0 -This indicates that it was not possible to set/retrieve a session ticket and +This indicates that it was not possible to set/retrieve a session ticket and the SSL/TLS session will continue by negotiating a set of cryptographic parameters or using the alternate SSL/TLS resumption mechanism, session ids. @@ -133,7 +133,7 @@ if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) ) { return -1; /* insufficient random */ } - + key = currentkey(); /* something that you need to implement */ if ( !key ) { /* current key doesn't exist or isn't valid */ @@ -146,19 +146,19 @@ } } memcpy(key_name, key->name, 16); - + EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->aes_key, iv); HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL); - + return 1; - + } else { /* retrieve session */ key = findkey(name); - + if (!key || key->expire < now() ) { return 0; } - + HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL); EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->aes_key, iv ); @@ -167,7 +167,7 @@ return 2; } return 1; - + } }
diff --git a/doc/ssl/SSL_CTX_set_verify.pod b/doc/ssl/SSL_CTX_set_verify.pod index e1cd4d2..60b0d17 100644 --- a/doc/ssl/SSL_CTX_set_verify.pod +++ b/doc/ssl/SSL_CTX_set_verify.pod
@@ -208,7 +208,7 @@ preverify_ok = 0; err = X509_V_ERR_CERT_CHAIN_TOO_LONG; X509_STORE_CTX_set_error(ctx, err); - } + } if (!preverify_ok) { printf("verify error:num=%d:%s:depth=%d:%s\n", err, X509_verify_cert_error_string(err), depth, buf); @@ -258,7 +258,7 @@ SSL_set_ex_data(ssl, mydata_index, &mydata); ... - SSL_accept(ssl); /* check of success left out for clarity */ + SSL_accept(ssl); /* check of success left out for clarity */ if (peer = SSL_get_peer_certificate(ssl)) { if (SSL_get_verify_result(ssl) == X509_V_OK)
diff --git a/doc/ssl/SSL_CTX_use_certificate.pod b/doc/ssl/SSL_CTX_use_certificate.pod index 79b1387..4f39abb 100644 --- a/doc/ssl/SSL_CTX_use_certificate.pod +++ b/doc/ssl/SSL_CTX_use_certificate.pod
@@ -20,7 +20,7 @@ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey); int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, unsigned char *d, - long len); + long len); int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type); int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa); int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len); @@ -67,7 +67,7 @@ See the NOTES section on why SSL_CTX_use_certificate_chain_file() should be preferred. -SSL_CTX_use_certificate_chain_file() loads a certificate chain from +SSL_CTX_use_certificate_chain_file() loads a certificate chain from B<file> into B<ctx>. The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and @@ -82,7 +82,7 @@ to the certificate an error is returned. To change a certificate, private key pair the new certificate needs to be set with SSL_use_certificate() or SSL_CTX_use_certificate() before setting the private key with -SSL_CTX_use_PrivateKey() or SSL_use_PrivateKey(). +SSL_CTX_use_PrivateKey() or SSL_use_PrivateKey(). SSL_CTX_use_PrivateKey_ASN1() adds the private key of type B<pk> @@ -109,14 +109,14 @@ this B<ssl>, the last item added into B<ctx> will be checked. =head1 NOTES - + The internal certificate store of OpenSSL can hold several private key/certificate pairs at a time. The certificate used depends on the cipher selected, see also L<SSL_CTX_set_cipher_list(3)>. When reading certificates and private keys from file, files of type SSL_FILETYPE_ASN1 (also known as B<DER>, binary encoding) can only contain -one certificate or private key, consequently +one certificate or private key, consequently SSL_CTX_use_certificate_chain_file() is only applicable to PEM formatting. Files of type SSL_FILETYPE_PEM can contain more than one item. @@ -124,7 +124,7 @@ in the file to the certificate store. The other certificates are added to the store of chain certificates using L<SSL_CTX_add1_chain_cert(3)>. Note: versions of OpenSSL before 1.0.2 only had a single certificate chain store for all certificate types, OpenSSL 1.0.2 and later -have a separate chain store for each type. SSL_CTX_use_certificate_chain_file() +have a separate chain store for each type. SSL_CTX_use_certificate_chain_file() should be used instead of the SSL_CTX_use_certificate_file() function in order to allow the use of complete certificate chains even when no trusted CA storage is used or when the CA issuing the certificate shall not be added to
diff --git a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod index 27a46c3..b45b2d3 100644 --- a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod +++ b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
@@ -6,7 +6,6 @@ SSL_CTX_set_psk_server_callback, SSL_set_psk_server_callback - set PSK identity hint to use - =head1 SYNOPSIS #include <openssl/ssl.h> @@ -15,11 +14,11 @@ int SSL_use_psk_identity_hint(SSL *ssl, const char *hint); void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, - unsigned int (*callback)(SSL *ssl, const char *identity, - unsigned char *psk, int max_psk_len)); + unsigned int (*callback)(SSL *ssl, const char *identity, + unsigned char *psk, int max_psk_len)); void SSL_set_psk_server_callback(SSL *ssl, - unsigned int (*callback)(SSL *ssl, const char *identity, - unsigned char *psk, int max_psk_len)); + unsigned int (*callback)(SSL *ssl, const char *identity, + unsigned char *psk, int max_psk_len)); =head1 DESCRIPTION
diff --git a/doc/ssl/SSL_CTX_use_serverinfo.pod b/doc/ssl/SSL_CTX_use_serverinfo.pod index bafb1a8..6b1cdf1 100644 --- a/doc/ssl/SSL_CTX_use_serverinfo.pod +++ b/doc/ssl/SSL_CTX_use_serverinfo.pod
@@ -20,8 +20,8 @@ Extension. SSL_CTX_use_serverinfo() loads one or more serverinfo extensions from -a byte array into B<ctx>. The extensions must be concatenated into a -sequence of bytes. Each extension must consist of a 2-byte Extension Type, +a byte array into B<ctx>. The extensions must be concatenated into a +sequence of bytes. Each extension must consist of a 2-byte Extension Type, a 2-byte length, and then length bytes of extension_data. SSL_CTX_use_serverinfo_file() loads one or more serverinfo extensions from @@ -38,19 +38,12 @@ SSL_CTX_use_serverinfo() needs to be called multiple times, once B<after> each time a certificate is loaded. -=head1 NOTES - =head1 RETURN VALUES On success, the functions return 1. On failure, the functions return 0. Check out the error stack to find out the reason. -=head1 SEE ALSO - -=head1 HISTORY - - =cut =head1 COPYRIGHT
diff --git a/doc/ssl/SSL_SESSION_get_time.pod b/doc/ssl/SSL_SESSION_get_time.pod index 911b7e6..c032856 100644 --- a/doc/ssl/SSL_SESSION_get_time.pod +++ b/doc/ssl/SSL_SESSION_get_time.pod
@@ -52,7 +52,7 @@ SSL_SESSION_set_time() and SSL_SESSION_set_timeout() return 1 on success. -If any of the function is passed the NULL pointer for the session B<s>, +If any of the function is passed the NULL pointer for the session B<s>, 0 is returned. =head1 SEE ALSO
diff --git a/doc/ssl/SSL_accept.pod b/doc/ssl/SSL_accept.pod index b3563e4..88d6e8f 100644 --- a/doc/ssl/SSL_accept.pod +++ b/doc/ssl/SSL_accept.pod
@@ -18,7 +18,7 @@ =head1 NOTES -The behaviour of SSL_accept() depends on the underlying BIO. +The behaviour of SSL_accept() depends on the underlying BIO. If the underlying BIO is B<blocking>, SSL_accept() will only return once the handshake has been finished or an error occurred.
diff --git a/doc/ssl/SSL_alert_type_string.pod b/doc/ssl/SSL_alert_type_string.pod index d889dda..2711c9c 100644 --- a/doc/ssl/SSL_alert_type_string.pod +++ b/doc/ssl/SSL_alert_type_string.pod
@@ -217,7 +217,7 @@ =item "UP"/"unknown PSK identity" Sent by the server to indicate that it does not recognize a PSK -identity or an SRP identity. +identity or an SRP identity. =item "UK"/"unknown"
diff --git a/doc/ssl/SSL_connect.pod b/doc/ssl/SSL_connect.pod index 34ee086..7c69e5d 100644 --- a/doc/ssl/SSL_connect.pod +++ b/doc/ssl/SSL_connect.pod
@@ -18,7 +18,7 @@ =head1 NOTES -The behaviour of SSL_connect() depends on the underlying BIO. +The behaviour of SSL_connect() depends on the underlying BIO. If the underlying BIO is B<blocking>, SSL_connect() will only return once the handshake has been finished or an error occurred.
diff --git a/doc/ssl/SSL_get_client_CA_list.pod b/doc/ssl/SSL_get_client_CA_list.pod index be79112..2cf5b7d 100644 --- a/doc/ssl/SSL_get_client_CA_list.pod +++ b/doc/ssl/SSL_get_client_CA_list.pod
@@ -9,7 +9,7 @@ #include <openssl/ssl.h> STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s); - STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx); + STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx); =head1 DESCRIPTION
diff --git a/doc/ssl/SSL_get_current_cipher.pod b/doc/ssl/SSL_get_current_cipher.pod index 46d38d0..66918b4 100644 --- a/doc/ssl/SSL_get_current_cipher.pod +++ b/doc/ssl/SSL_get_current_cipher.pod
@@ -27,7 +27,7 @@ SSL_get_cipher() and SSL_get_cipher_name() are identical macros to obtain the name of the currently used cipher. SSL_get_cipher_bits() is a -macro to obtain the number of secret/algorithm bits used and +macro to obtain the number of secret/algorithm bits used and SSL_get_cipher_version() returns the protocol name. See L<SSL_CIPHER_get_name(3)> for more details.
diff --git a/doc/ssl/SSL_get_psk_identity.pod b/doc/ssl/SSL_get_psk_identity.pod index e75e38c..c54f429 100644 --- a/doc/ssl/SSL_get_psk_identity.pod +++ b/doc/ssl/SSL_get_psk_identity.pod
@@ -4,7 +4,6 @@ SSL_get_psk_identity, SSL_get_psk_identity_hint - get PSK client identity and hint - =head1 SYNOPSIS #include <openssl/ssl.h>
diff --git a/doc/ssl/SSL_library_init.pod b/doc/ssl/SSL_library_init.pod index 0235e72..f838b7a 100644 --- a/doc/ssl/SSL_library_init.pod +++ b/doc/ssl/SSL_library_init.pod
@@ -21,7 +21,7 @@ =head1 NOTES SSL_library_init() must be called before any other action takes place. -SSL_library_init() is not reentrant. +SSL_library_init() is not reentrant. =head1 WARNING
diff --git a/doc/ssl/SSL_load_client_CA_file.pod b/doc/ssl/SSL_load_client_CA_file.pod index 86b14b4..0db6cf1 100644 --- a/doc/ssl/SSL_load_client_CA_file.pod +++ b/doc/ssl/SSL_load_client_CA_file.pod
@@ -30,7 +30,7 @@ SSL_CTX *ctx; STACK_OF(X509_NAME) *cert_names; - ... + ... cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem"); if (cert_names != NULL) SSL_CTX_set_client_CA_list(ctx, cert_names);
diff --git a/doc/ssl/SSL_read.pod b/doc/ssl/SSL_read.pod index 95b8c22..18efc76 100644 --- a/doc/ssl/SSL_read.pod +++ b/doc/ssl/SSL_read.pod
@@ -22,7 +22,7 @@ L<SSL_accept(3)>. If the peer requests a re-negotiation, it will be performed transparently during the SSL_read() operation. The behaviour of SSL_read() depends on the -underlying BIO. +underlying BIO. For the transparent negotiation to succeed, the B<ssl> must have been initialized to client or server mode. This is being done by calling @@ -47,7 +47,7 @@ If the underlying BIO is B<blocking>, SSL_read() will only return, once the read operation has been finished or an error occurred, except when a -renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur. +renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur. This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the L<SSL_CTX_set_mode(3)> call.
diff --git a/doc/ssl/SSL_set1_host.pod b/doc/ssl/SSL_set1_host.pod index 47e2e66..1483c4a 100644 --- a/doc/ssl/SSL_set1_host.pod +++ b/doc/ssl/SSL_set1_host.pod
@@ -2,8 +2,8 @@ =head1 NAME - SSL_set1_host, SSL_add1_host, SSL_set_hostflags, SSL_get0_peername - - SSL server verification parameters +SSL_set1_host, SSL_add1_host, SSL_set_hostflags, SSL_get0_peername - +SSL server verification parameters =head1 SYNOPSIS @@ -72,8 +72,6 @@ matched. Otherwise, it returns the matched peername. To determine whether verification succeeded call L<SSL_get_verify_result(3)>. -=head1 NOTES - =head1 EXAMPLE Suppose "smtp.example.com" is the MX host of the domain "example.com".
diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod index 990a181..b698d94 100644 --- a/doc/ssl/SSL_shutdown.pod +++ b/doc/ssl/SSL_shutdown.pod
@@ -12,7 +12,7 @@ =head1 DESCRIPTION -SSL_shutdown() shuts down an active TLS/SSL connection. It sends the +SSL_shutdown() shuts down an active TLS/SSL connection. It sends the "close notify" shutdown alert to the peer. =head1 NOTES @@ -62,7 +62,7 @@ and call SSL_shutdown() again, if the bidirectional shutdown is not yet complete (return value of the first call is 0). -The behaviour of SSL_shutdown() additionally depends on the underlying BIO. +The behaviour of SSL_shutdown() additionally depends on the underlying BIO. If the underlying BIO is B<blocking>, SSL_shutdown() will only return once the handshake step has been finished or an error occurred.
diff --git a/doc/ssl/SSL_write.pod b/doc/ssl/SSL_write.pod index 42afbd5..838ae3f 100644 --- a/doc/ssl/SSL_write.pod +++ b/doc/ssl/SSL_write.pod
@@ -22,7 +22,7 @@ L<SSL_accept(3)>. If the peer requests a re-negotiation, it will be performed transparently during the SSL_write() operation. The behaviour of SSL_write() depends on the -underlying BIO. +underlying BIO. For the transparent negotiation to succeed, the B<ssl> must have been initialized to client or server mode. This is being done by calling @@ -31,7 +31,7 @@ If the underlying BIO is B<blocking>, SSL_write() will only return, once the write operation has been finished or an error occurred, except when a -renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur. +renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur. This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the L<SSL_CTX_set_mode(3)> call.
diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod index 863c360..fbda108 100644 --- a/doc/ssl/ssl.pod +++ b/doc/ssl/ssl.pod
@@ -1,12 +1,9 @@ - =pod =head1 NAME SSL - OpenSSL SSL/TLS library -=head1 SYNOPSIS - =head1 DESCRIPTION The OpenSSL B<ssl> library implements the Secure Sockets Layer (SSL v2/v3) and
diff --git a/util/doc-nit-check.pl b/util/doc-nit-check.pl new file mode 100644 index 0000000..f1a7af8 --- /dev/null +++ b/util/doc-nit-check.pl
@@ -0,0 +1,42 @@ +#! /usr/bin/env perl + +require 5.10.0; +use warnings; +use strict; +use Pod::Checker; +use File::Find; + +sub check() +{ + my $errs = 0; + + my $contents = ''; + { + local $/ = undef; + open POD, $_ or die "Couldn't open $_, $!"; + $contents = <POD>; + close POD; + } + if ( $contents !~ /^=pod/ ) { + print "$_ doesn't start with =pod\n"; + return 1; + } + if ( $contents !~ /=cut\n$/ ) { + print "$_ doesn't end with =cut\n"; + return 1; + } + if ( $contents !~ /Copyright .* The OpenSSL Project Authors/ ) { + print "$_ missing copyright\n"; + return 1; + } + + $errs = podchecker($_, \*STDOUT); + $errs = 1 if $errs < 0; + return $errs; +} + +my $errs = 0; +foreach (glob('*/*.pod')) { + $errs += &check($_); +} +exit $errs;