| author | Enji Cooper <ngie@FreeBSD.org> | 2026-01-31 22:06:28 +0000 |
|---|---|---|
| committer | Enji Cooper <ngie@FreeBSD.org> | 2026-01-31 22:07:17 +0000 |
| commit | 1731fc70f7344af08db49b06c63c963fa12ee354 (patch) | |
| tree | eddef3d6947f3152ca8efd66adc5854003c63c1e | |
| parent | f25b8c9fb4f58cf61adb47d7570abe7caa6d385d (diff) | |
OpenSSL: update vendor sources to match 3.5.5 content
MFC with: f25b8c9fb4f58cf61adb47d7570abe7caa6d385d
MFC after: 1 week
952 files changed, 15618 insertions, 11925 deletions
diff --git a/crypto/openssl/apps/progs.c b/crypto/openssl/apps/progs.c index acc204a3e6e7..317acf5bc8b2 100644 --- a/crypto/openssl/apps/progs.c +++ b/crypto/openssl/apps/progs.c @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by apps/progs.pl * - * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2026 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/apps/progs.h b/crypto/openssl/apps/progs.h index 1b62ec37dec1..2214340fa813 100644 --- a/crypto/openssl/apps/progs.h +++ b/crypto/openssl/apps/progs.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by apps/progs.pl * - * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2026 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/crypto/params_idx.c b/crypto/openssl/crypto/params_idx.c index 9d76ffededc2..e5463ca5c8e5 100644 --- a/crypto/openssl/crypto/params_idx.c +++ b/crypto/openssl/crypto/params_idx.c @@ -9,13 +9,16 @@ * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ +/* clang-format off */ +/* clang-format on */ #include "internal/e_os.h" #include "internal/param_names.h" #include <string.h> /* Machine generated TRIE -- generated by util/perl/OpenSSL/paramnames.pm */ +/* clang-format off */ int ossl_param_find_pidx(const char *s) { switch(s[0]) { @@ -3363,4 +3366,5 @@ int ossl_param_find_pidx(const char *s) return -1; } +/* clang-format on */ /* End of TRIE */ diff --git a/crypto/openssl/exporters/libcrypto.pc b/crypto/openssl/exporters/libcrypto.pc index 3ee633d09bee..829121ff73f5 100644 --- a/crypto/openssl/exporters/libcrypto.pc 
+++ b/crypto/openssl/exporters/libcrypto.pc @@ -7,7 +7,7 @@ modulesdir=${libdir}/ossl-modules Name: OpenSSL-libcrypto Description: OpenSSL cryptography library -Version: 3.5.4 +Version: 3.5.5 Libs: -L${libdir} -lcrypto Libs.private: -pthread Cflags: -I${includedir} diff --git a/crypto/openssl/exporters/libssl.pc b/crypto/openssl/exporters/libssl.pc index a14763f553f9..154bf1ca64cc 100644 --- a/crypto/openssl/exporters/libssl.pc +++ b/crypto/openssl/exporters/libssl.pc @@ -5,7 +5,7 @@ includedir=${prefix}/include Name: OpenSSL-libssl Description: Secure Sockets Layer and cryptography libraries -Version: 3.5.4 +Version: 3.5.5 Requires.private: libcrypto Libs: -L${libdir} -lssl Cflags: -I${includedir} diff --git a/crypto/openssl/exporters/openssl.pc b/crypto/openssl/exporters/openssl.pc index e964e5e90a34..110c7835e352 100644 --- a/crypto/openssl/exporters/openssl.pc +++ b/crypto/openssl/exporters/openssl.pc @@ -5,5 +5,5 @@ includedir=${prefix}/include Name: OpenSSL Description: Secure Sockets Layer and cryptography libraries and tools -Version: 3.5.4 +Version: 3.5.5 Requires: libssl libcrypto diff --git a/crypto/openssl/include/crypto/bn_conf.h b/crypto/openssl/include/crypto/bn_conf.h index 408242f0f8d0..4187a52e6da5 100644 --- a/crypto/openssl/include/crypto/bn_conf.h +++ b/crypto/openssl/include/crypto/bn_conf.h @@ -1,5 +1,7 @@ +/* clang-format off */ /* WARNING: do not edit! */ /* Generated by Makefile from include/crypto/bn_conf.h.in */ +/* clang-format on */ /* * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * @@ -10,8 +12,8 @@ */ #ifndef OSSL_CRYPTO_BN_CONF_H -# define OSSL_CRYPTO_BN_CONF_H -# pragma once +#define OSSL_CRYPTO_BN_CONF_H +#pragma once /* * The contents of this file are not used in the UEFI build, as 
@@ -22,9 +24,15 @@ /* Should we define BN_DIV2W here? */ /* Only one for the following should be defined */ +/* clang-format off */ #define SIXTY_FOUR_BIT_LONG + /* clang-format on */ + /* clang-format off */ #undef SIXTY_FOUR_BIT + /* clang-format on */ + /* clang-format off */ #undef THIRTY_TWO_BIT +/* clang-format on */ #endif diff --git a/crypto/openssl/include/crypto/dso_conf.h b/crypto/openssl/include/crypto/dso_conf.h index 795dfa0f1a66..29edacf112c8 100644 --- a/crypto/openssl/include/crypto/dso_conf.h +++ b/crypto/openssl/include/crypto/dso_conf.h @@ -1,5 +1,7 @@ +/* clang-format off */ /* WARNING: do not edit! */ /* Generated by Makefile from include/crypto/dso_conf.h.in */ +/* clang-format on */ /* * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * @@ -10,10 +12,14 @@ */ #ifndef OSSL_CRYPTO_DSO_CONF_H -# define OSSL_CRYPTO_DSO_CONF_H -# pragma once +#define OSSL_CRYPTO_DSO_CONF_H +#pragma once +/* clang-format off */ # define DSO_DLFCN # define HAVE_DLFCN_H +/* clang-format on */ +/* clang-format off */ # define DSO_EXTENSION ".so" +/* clang-format on */ #endif diff --git a/crypto/openssl/include/internal/param_names.h b/crypto/openssl/include/internal/param_names.h index 0a0404a57e82..cefb8dfa75fa 100644 --- a/crypto/openssl/include/internal/param_names.h +++ b/crypto/openssl/include/internal/param_names.h @@ -9,11 +9,14 @@ * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ +/* clang-format off */ +/* clang-format on */ int ossl_param_find_pidx(const char *s); /* Parameter name definitions - generated by util/perl/OpenSSL/paramnames.pm */ +/* clang-format off */ #define NUM_PIDX 346 #define PIDX_ALG_PARAM_ALGORITHM_ID 0 @@ -467,3 +470,4 @@ int ossl_param_find_pidx(const char *s); #define PIDX_STORE_PARAM_PROPERTIES 7 #define PIDX_STORE_PARAM_SERIAL 344 #define PIDX_STORE_PARAM_SUBJECT 345 +/* clang-format on */ 
diff --git a/crypto/openssl/include/openssl/asn1.h b/crypto/openssl/include/openssl/asn1.h index 15e9e44674b0..3fd498b2a3e6 100644 --- a/crypto/openssl/include/openssl/asn1.h +++ b/crypto/openssl/include/openssl/asn1.h 
@@ -10,83 +10,85 @@ * https://www.openssl.org/source/license.html */ +/* clang-format off */ +/* clang-format on */ #ifndef OPENSSL_ASN1_H -# define OPENSSL_ASN1_H -# pragma once - -# include <openssl/macros.h> -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define HEADER_ASN1_H -# endif - -# ifndef OPENSSL_NO_STDIO -# include <stdio.h> -# endif -# include <time.h> -# include <openssl/e_os2.h> -# include <openssl/opensslconf.h> -# include <openssl/bio.h> -# include <openssl/safestack.h> -# include <openssl/asn1err.h> -# include <openssl/symhacks.h> - -# include <openssl/types.h> -# include <openssl/bn.h> - -# ifdef OPENSSL_BUILD_SHLIBCRYPTO -# undef OPENSSL_EXTERN -# define OPENSSL_EXTERN OPENSSL_EXPORT -# endif - -#ifdef __cplusplus +#define OPENSSL_ASN1_H +#pragma once + +#include <openssl/macros.h> +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define HEADER_ASN1_H +#endif + +#ifndef OPENSSL_NO_STDIO +#include <stdio.h> +#endif +#include <time.h> +#include <openssl/e_os2.h> +#include <openssl/opensslconf.h> +#include <openssl/bio.h> +#include <openssl/safestack.h> +#include <openssl/asn1err.h> +#include <openssl/symhacks.h> + +#include <openssl/types.h> +#include <openssl/bn.h> + +#ifdef OPENSSL_BUILD_SHLIBCRYPTO +#undef OPENSSL_EXTERN +#define OPENSSL_EXTERN OPENSSL_EXPORT +#endif + +#ifdef __cplusplus extern "C" { #endif -# define V_ASN1_UNIVERSAL 0x00 -# define V_ASN1_APPLICATION 0x40 -# define V_ASN1_CONTEXT_SPECIFIC 0x80 -# define V_ASN1_PRIVATE 0xc0 +#define V_ASN1_UNIVERSAL 0x00 +#define V_ASN1_APPLICATION 0x40 +#define V_ASN1_CONTEXT_SPECIFIC 0x80 +#define V_ASN1_PRIVATE 0xc0 -# define V_ASN1_CONSTRUCTED 0x20 -# define V_ASN1_PRIMITIVE_TAG 0x1f -# define V_ASN1_PRIMATIVE_TAG /*compat*/ V_ASN1_PRIMITIVE_TAG +#define V_ASN1_CONSTRUCTED 0x20 +#define V_ASN1_PRIMITIVE_TAG 0x1f +#define V_ASN1_PRIMATIVE_TAG /*compat*/ V_ASN1_PRIMITIVE_TAG -# define V_ASN1_APP_CHOOSE -2 /* let the recipient choose */ -# define V_ASN1_OTHER -3 /* used in ASN1_TYPE */ -# define V_ASN1_ANY -4 /* 
used in ASN1 template code */ +#define V_ASN1_APP_CHOOSE -2 /* let the recipient choose */ +#define V_ASN1_OTHER -3 /* used in ASN1_TYPE */ +#define V_ASN1_ANY -4 /* used in ASN1 template code */ -# define V_ASN1_UNDEF -1 +#define V_ASN1_UNDEF -1 /* ASN.1 tag values */ -# define V_ASN1_EOC 0 -# define V_ASN1_BOOLEAN 1 -# define V_ASN1_INTEGER 2 -# define V_ASN1_BIT_STRING 3 -# define V_ASN1_OCTET_STRING 4 -# define V_ASN1_NULL 5 -# define V_ASN1_OBJECT 6 -# define V_ASN1_OBJECT_DESCRIPTOR 7 -# define V_ASN1_EXTERNAL 8 -# define V_ASN1_REAL 9 -# define V_ASN1_ENUMERATED 10 -# define V_ASN1_UTF8STRING 12 -# define V_ASN1_SEQUENCE 16 -# define V_ASN1_SET 17 -# define V_ASN1_NUMERICSTRING 18 -# define V_ASN1_PRINTABLESTRING 19 -# define V_ASN1_T61STRING 20 -# define V_ASN1_TELETEXSTRING 20 /* alias */ -# define V_ASN1_VIDEOTEXSTRING 21 -# define V_ASN1_IA5STRING 22 -# define V_ASN1_UTCTIME 23 -# define V_ASN1_GENERALIZEDTIME 24 -# define V_ASN1_GRAPHICSTRING 25 -# define V_ASN1_ISO64STRING 26 -# define V_ASN1_VISIBLESTRING 26 /* alias */ -# define V_ASN1_GENERALSTRING 27 -# define V_ASN1_UNIVERSALSTRING 28 -# define V_ASN1_BMPSTRING 30 +#define V_ASN1_EOC 0 +#define V_ASN1_BOOLEAN 1 +#define V_ASN1_INTEGER 2 +#define V_ASN1_BIT_STRING 3 +#define V_ASN1_OCTET_STRING 4 +#define V_ASN1_NULL 5 +#define V_ASN1_OBJECT 6 +#define V_ASN1_OBJECT_DESCRIPTOR 7 +#define V_ASN1_EXTERNAL 8 +#define V_ASN1_REAL 9 +#define V_ASN1_ENUMERATED 10 +#define V_ASN1_UTF8STRING 12 +#define V_ASN1_SEQUENCE 16 +#define V_ASN1_SET 17 +#define V_ASN1_NUMERICSTRING 18 +#define V_ASN1_PRINTABLESTRING 19 +#define V_ASN1_T61STRING 20 +#define V_ASN1_TELETEXSTRING 20 /* alias */ +#define V_ASN1_VIDEOTEXSTRING 21 +#define V_ASN1_IA5STRING 22 +#define V_ASN1_UTCTIME 23 +#define V_ASN1_GENERALIZEDTIME 24 +#define V_ASN1_GRAPHICSTRING 25 +#define V_ASN1_ISO64STRING 26 +#define V_ASN1_VISIBLESTRING 26 /* alias */ +#define V_ASN1_GENERALSTRING 27 +#define V_ASN1_UNIVERSALSTRING 28 +#define V_ASN1_BMPSTRING 
30 /* * NB the constants below are used internally by ASN1_INTEGER 
@@ -94,41 +96,42 @@ extern "C" { * the wire tag values. */ -# define V_ASN1_NEG 0x100 -# define V_ASN1_NEG_INTEGER (2 | V_ASN1_NEG) -# define V_ASN1_NEG_ENUMERATED (10 | V_ASN1_NEG) +#define V_ASN1_NEG 0x100 +#define V_ASN1_NEG_INTEGER (2 | V_ASN1_NEG) +#define V_ASN1_NEG_ENUMERATED (10 | V_ASN1_NEG) /* For use with d2i_ASN1_type_bytes() */ -# define B_ASN1_NUMERICSTRING 0x0001 -# define B_ASN1_PRINTABLESTRING 0x0002 -# define B_ASN1_T61STRING 0x0004 -# define B_ASN1_TELETEXSTRING 0x0004 -# define B_ASN1_VIDEOTEXSTRING 0x0008 -# define B_ASN1_IA5STRING 0x0010 -# define B_ASN1_GRAPHICSTRING 0x0020 -# define B_ASN1_ISO64STRING 0x0040 -# define B_ASN1_VISIBLESTRING 0x0040 -# define B_ASN1_GENERALSTRING 0x0080 -# define B_ASN1_UNIVERSALSTRING 0x0100 -# define B_ASN1_OCTET_STRING 0x0200 -# define B_ASN1_BIT_STRING 0x0400 -# define B_ASN1_BMPSTRING 0x0800 -# define B_ASN1_UNKNOWN 0x1000 -# define B_ASN1_UTF8STRING 0x2000 -# define B_ASN1_UTCTIME 0x4000 -# define B_ASN1_GENERALIZEDTIME 0x8000 -# define B_ASN1_SEQUENCE 0x10000 +#define B_ASN1_NUMERICSTRING 0x0001 +#define B_ASN1_PRINTABLESTRING 0x0002 +#define B_ASN1_T61STRING 0x0004 +#define B_ASN1_TELETEXSTRING 0x0004 +#define B_ASN1_VIDEOTEXSTRING 0x0008 +#define B_ASN1_IA5STRING 0x0010 +#define B_ASN1_GRAPHICSTRING 0x0020 +#define B_ASN1_ISO64STRING 0x0040 +#define B_ASN1_VISIBLESTRING 0x0040 +#define B_ASN1_GENERALSTRING 0x0080 +#define B_ASN1_UNIVERSALSTRING 0x0100 +#define B_ASN1_OCTET_STRING 0x0200 +#define B_ASN1_BIT_STRING 0x0400 +#define B_ASN1_BMPSTRING 0x0800 +#define B_ASN1_UNKNOWN 0x1000 +#define B_ASN1_UTF8STRING 0x2000 +#define B_ASN1_UTCTIME 0x4000 +#define B_ASN1_GENERALIZEDTIME 0x8000 +#define B_ASN1_SEQUENCE 0x10000 /* For use with ASN1_mbstring_copy() */ -# define MBSTRING_FLAG 0x1000 -# define MBSTRING_UTF8 (MBSTRING_FLAG) -# define MBSTRING_ASC (MBSTRING_FLAG|1) -# define MBSTRING_BMP (MBSTRING_FLAG|2) -# define MBSTRING_UNIV (MBSTRING_FLAG|4) -# define SMIME_OLDMIME 0x400 -# define SMIME_CRLFEOL 
0x800 -# define SMIME_STREAM 0x1000 +#define MBSTRING_FLAG 0x1000 +#define MBSTRING_UTF8 (MBSTRING_FLAG) +#define MBSTRING_ASC (MBSTRING_FLAG | 1) +#define MBSTRING_BMP (MBSTRING_FLAG | 2) +#define MBSTRING_UNIV (MBSTRING_FLAG | 4) +#define SMIME_OLDMIME 0x400 +#define SMIME_CRLFEOL 0x800 +#define SMIME_STREAM 0x1000 /* Stacks for types not otherwise defined in this header */ +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(X509_ALGOR, X509_ALGOR, X509_ALGOR) #define sk_X509_ALGOR_num(sk) OPENSSL_sk_num(ossl_check_const_X509_ALGOR_sk_type(sk)) #define sk_X509_ALGOR_value(sk, idx) ((X509_ALGOR *)OPENSSL_sk_value(ossl_check_const_X509_ALGOR_sk_type(sk), (idx))) @@ -156,15 +159,15 @@ SKM_DEFINE_STACK_OF_INTERNAL(X509_ALGOR, X509_ALGOR, X509_ALGOR) #define sk_X509_ALGOR_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(X509_ALGOR) *)OPENSSL_sk_deep_copy(ossl_check_const_X509_ALGOR_sk_type(sk), ossl_check_X509_ALGOR_copyfunc_type(copyfunc), ossl_check_X509_ALGOR_freefunc_type(freefunc))) #define sk_X509_ALGOR_set_cmp_func(sk, cmp) ((sk_X509_ALGOR_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_X509_ALGOR_sk_type(sk), ossl_check_X509_ALGOR_compfunc_type(cmp))) +/* clang-format on */ - -# define ASN1_STRING_FLAG_BITS_LEFT 0x08 /* Set if 0x07 has bits left value */ +#define ASN1_STRING_FLAG_BITS_LEFT 0x08 /* Set if 0x07 has bits left value */ /* * This indicates that the ASN1_STRING is not a real value but just a place * holder for the location where indefinite length constructed data should be * inserted in the memory buffer */ -# define ASN1_STRING_FLAG_NDEF 0x010 +#define ASN1_STRING_FLAG_NDEF 0x010 /* * This flag is used by the CMS code to indicate that a string is not 
@@ -172,16 +175,16 @@ SKM_DEFINE_STACK_OF_INTERNAL(X509_ALGOR, X509_ALGOR, X509_ALGOR) * The flag will be reset when content has been written to it. */ -# define ASN1_STRING_FLAG_CONT 0x020 +#define ASN1_STRING_FLAG_CONT 0x020 /* * This flag is used by ASN1 code to indicate an ASN1_STRING is an MSTRING * type. */ -# define ASN1_STRING_FLAG_MSTRING 0x040 +#define ASN1_STRING_FLAG_MSTRING 0x040 /* String is embedded and only content should be freed */ -# define ASN1_STRING_FLAG_EMBED 0x080 +#define ASN1_STRING_FLAG_EMBED 0x080 /* String should be parsed in RFC 5280's time format */ -# define ASN1_STRING_FLAG_X509_TIME 0x100 +#define ASN1_STRING_FLAG_X509_TIME 0x100 /* This is the base type that holds just about everything :-) */ struct asn1_string_st { int length; 
@@ -202,26 +205,26 @@ struct asn1_string_st { */ typedef struct ASN1_ENCODING_st { - unsigned char *enc; /* DER encoding */ - long len; /* Length of encoding */ - int modified; /* set to 1 if 'enc' is invalid */ + unsigned char *enc; /* DER encoding */ + long len; /* Length of encoding */ + int modified; /* set to 1 if 'enc' is invalid */ } ASN1_ENCODING; /* Used with ASN1 LONG type: if a long is set to this it is omitted */ -# define ASN1_LONG_UNDEF 0x7fffffffL +#define ASN1_LONG_UNDEF 0x7fffffffL -# define STABLE_FLAGS_MALLOC 0x01 +#define STABLE_FLAGS_MALLOC 0x01 /* * A zero passed to ASN1_STRING_TABLE_new_add for the flags is interpreted * as "don't change" and STABLE_FLAGS_MALLOC is always set. By setting * STABLE_FLAGS_MALLOC only we can clear the existing value. Use the alias * STABLE_FLAGS_CLEAR to reflect this. */ -# define STABLE_FLAGS_CLEAR STABLE_FLAGS_MALLOC -# define STABLE_NO_MASK 0x02 -# define DIRSTRING_TYPE \ - (B_ASN1_PRINTABLESTRING|B_ASN1_T61STRING|B_ASN1_BMPSTRING|B_ASN1_UTF8STRING) -# define PKCS9STRING_TYPE (DIRSTRING_TYPE|B_ASN1_IA5STRING) +#define STABLE_FLAGS_CLEAR STABLE_FLAGS_MALLOC +#define STABLE_NO_MASK 0x02 +#define DIRSTRING_TYPE \ + (B_ASN1_PRINTABLESTRING | B_ASN1_T61STRING | B_ASN1_BMPSTRING | B_ASN1_UTF8STRING) +#define PKCS9STRING_TYPE (DIRSTRING_TYPE | B_ASN1_IA5STRING) struct asn1_string_table_st { int nid; @@ -231,6 +234,7 @@ struct asn1_string_table_st { unsigned long flags; }; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(ASN1_STRING_TABLE, ASN1_STRING_TABLE, ASN1_STRING_TABLE) #define sk_ASN1_STRING_TABLE_num(sk) OPENSSL_sk_num(ossl_check_const_ASN1_STRING_TABLE_sk_type(sk)) #define sk_ASN1_STRING_TABLE_value(sk, idx) ((ASN1_STRING_TABLE *)OPENSSL_sk_value(ossl_check_const_ASN1_STRING_TABLE_sk_type(sk), (idx))) 
@@ -258,17 +262,18 @@ SKM_DEFINE_STACK_OF_INTERNAL(ASN1_STRING_TABLE, ASN1_STRING_TABLE, ASN1_STRING_T #define sk_ASN1_STRING_TABLE_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(ASN1_STRING_TABLE) *)OPENSSL_sk_deep_copy(ossl_check_const_ASN1_STRING_TABLE_sk_type(sk), ossl_check_ASN1_STRING_TABLE_copyfunc_type(copyfunc), ossl_check_ASN1_STRING_TABLE_freefunc_type(freefunc))) #define sk_ASN1_STRING_TABLE_set_cmp_func(sk, cmp) ((sk_ASN1_STRING_TABLE_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_ASN1_STRING_TABLE_sk_type(sk), ossl_check_ASN1_STRING_TABLE_compfunc_type(cmp))) +/* clang-format on */ /* size limits: this stuff is taken straight from RFC2459 */ -# define ub_name 32768 -# define ub_common_name 64 -# define ub_locality_name 128 -# define ub_state_name 128 -# define ub_organization_name 64 -# define ub_organization_unit_name 64 -# define ub_title 64 -# define ub_email_address 128 +#define ub_name 32768 +#define ub_common_name 64 +#define ub_locality_name 128 +#define ub_state_name 128 +#define ub_organization_name 64 +#define ub_organization_unit_name 64 +#define ub_title 64 +#define ub_email_address 128 /* * Declarations for template structures: for full definitions see asn1t.h 
@@ -286,88 +291,90 @@ typedef struct ASN1_VALUE_st ASN1_VALUE; * arguments in macro calls. */ -# define DECLARE_ASN1_FUNCTIONS_attr(attr, type) \ +#define DECLARE_ASN1_FUNCTIONS_attr(attr, type) \ DECLARE_ASN1_FUNCTIONS_name_attr(attr, type, type) -# define DECLARE_ASN1_FUNCTIONS(type) \ +#define DECLARE_ASN1_FUNCTIONS(type) \ DECLARE_ASN1_FUNCTIONS_attr(extern, type) -# define DECLARE_ASN1_ALLOC_FUNCTIONS_attr(attr, type) \ +#define DECLARE_ASN1_ALLOC_FUNCTIONS_attr(attr, type) \ DECLARE_ASN1_ALLOC_FUNCTIONS_name_attr(attr, type, type) -# define DECLARE_ASN1_ALLOC_FUNCTIONS(type) \ +#define DECLARE_ASN1_ALLOC_FUNCTIONS(type) \ DECLARE_ASN1_ALLOC_FUNCTIONS_attr(extern, type) -# define DECLARE_ASN1_FUNCTIONS_name_attr(attr, type, name) \ - DECLARE_ASN1_ALLOC_FUNCTIONS_name_attr(attr, type, name) \ +#define DECLARE_ASN1_FUNCTIONS_name_attr(attr, type, name) \ + DECLARE_ASN1_ALLOC_FUNCTIONS_name_attr(attr, type, name) \ DECLARE_ASN1_ENCODE_FUNCTIONS_name_attr(attr, type, name) -# define DECLARE_ASN1_FUNCTIONS_name(type, name) \ +#define DECLARE_ASN1_FUNCTIONS_name(type, name) \ DECLARE_ASN1_FUNCTIONS_name_attr(extern, type, name) -# define DECLARE_ASN1_ENCODE_FUNCTIONS_attr(attr, type, itname, name) \ - DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(attr, type, name) \ +#define DECLARE_ASN1_ENCODE_FUNCTIONS_attr(attr, type, itname, name) \ + DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(attr, type, name) \ DECLARE_ASN1_ITEM_attr(attr, itname) -# define DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) \ +#define DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) \ DECLARE_ASN1_ENCODE_FUNCTIONS_attr(extern, type, itname, name) -# define DECLARE_ASN1_ENCODE_FUNCTIONS_name_attr(attr, type, name) \ +#define DECLARE_ASN1_ENCODE_FUNCTIONS_name_attr(attr, type, name) \ DECLARE_ASN1_ENCODE_FUNCTIONS_attr(attr, type, name, name) -# define DECLARE_ASN1_ENCODE_FUNCTIONS_name(type, name) \ +#define DECLARE_ASN1_ENCODE_FUNCTIONS_name(type, name) \ DECLARE_ASN1_ENCODE_FUNCTIONS_name_attr(extern, 
type, name) -# define DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(attr, type, name) \ - attr type *d2i_##name(type **a, const unsigned char **in, long len); \ +#define DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(attr, type, name) \ + attr type *d2i_##name(type **a, const unsigned char **in, long len); \ attr int i2d_##name(const type *a, unsigned char **out); -# define DECLARE_ASN1_ENCODE_FUNCTIONS_only(type, name) \ +#define DECLARE_ASN1_ENCODE_FUNCTIONS_only(type, name) \ DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(extern, type, name) -# define DECLARE_ASN1_NDEF_FUNCTION_attr(attr, name) \ +#define DECLARE_ASN1_NDEF_FUNCTION_attr(attr, name) \ attr int i2d_##name##_NDEF(const name *a, unsigned char **out); -# define DECLARE_ASN1_NDEF_FUNCTION(name) \ +#define DECLARE_ASN1_NDEF_FUNCTION(name) \ DECLARE_ASN1_NDEF_FUNCTION_attr(extern, name) -# define DECLARE_ASN1_ALLOC_FUNCTIONS_name_attr(attr, type, name) \ - attr type *name##_new(void); \ +#define DECLARE_ASN1_ALLOC_FUNCTIONS_name_attr(attr, type, name) \ + attr type *name##_new(void); \ attr void name##_free(type *a); -# define DECLARE_ASN1_ALLOC_FUNCTIONS_name(type, name) \ +#define DECLARE_ASN1_ALLOC_FUNCTIONS_name(type, name) \ DECLARE_ASN1_ALLOC_FUNCTIONS_name_attr(extern, type, name) -# define DECLARE_ASN1_DUP_FUNCTION_attr(attr, type) \ +#define DECLARE_ASN1_DUP_FUNCTION_attr(attr, type) \ DECLARE_ASN1_DUP_FUNCTION_name_attr(attr, type, type) -# define DECLARE_ASN1_DUP_FUNCTION(type) \ +#define DECLARE_ASN1_DUP_FUNCTION(type) \ DECLARE_ASN1_DUP_FUNCTION_attr(extern, type) -# define DECLARE_ASN1_DUP_FUNCTION_name_attr(attr, type, name) \ +#define DECLARE_ASN1_DUP_FUNCTION_name_attr(attr, type, name) \ attr type *name##_dup(const type *a); -# define DECLARE_ASN1_DUP_FUNCTION_name(type, name) \ +#define DECLARE_ASN1_DUP_FUNCTION_name(type, name) \ DECLARE_ASN1_DUP_FUNCTION_name_attr(extern, type, name) -# define DECLARE_ASN1_PRINT_FUNCTION_attr(attr, stname) \ +#define DECLARE_ASN1_PRINT_FUNCTION_attr(attr, stname) \ 
DECLARE_ASN1_PRINT_FUNCTION_fname_attr(attr, stname, stname) -# define DECLARE_ASN1_PRINT_FUNCTION(stname) \ +#define DECLARE_ASN1_PRINT_FUNCTION(stname) \ DECLARE_ASN1_PRINT_FUNCTION_attr(extern, stname) -# define DECLARE_ASN1_PRINT_FUNCTION_fname_attr(attr, stname, fname) \ - attr int fname##_print_ctx(BIO *out, const stname *x, int indent, \ - const ASN1_PCTX *pctx); -# define DECLARE_ASN1_PRINT_FUNCTION_fname(stname, fname) \ +#define DECLARE_ASN1_PRINT_FUNCTION_fname_attr(attr, stname, fname) \ + attr int fname##_print_ctx(BIO *out, const stname *x, int indent, \ + const ASN1_PCTX *pctx); +#define DECLARE_ASN1_PRINT_FUNCTION_fname(stname, fname) \ DECLARE_ASN1_PRINT_FUNCTION_fname_attr(extern, stname, fname) -# define D2I_OF(type) type *(*)(type **,const unsigned char **,long) -# define I2D_OF(type) int (*)(const type *,unsigned char **) - -# define CHECKED_D2I_OF(type, d2i) \ - ((d2i_of_void*) (1 ? d2i : ((D2I_OF(type))0))) -# define CHECKED_I2D_OF(type, i2d) \ - ((i2d_of_void*) (1 ? i2d : ((I2D_OF(type))0))) -# define CHECKED_NEW_OF(type, xnew) \ - ((void *(*)(void)) (1 ? xnew : ((type *(*)(void))0))) -# define CHECKED_PTR_OF(type, p) \ - ((void*) (1 ? p : (type*)0)) -# define CHECKED_PPTR_OF(type, p) \ - ((void**) (1 ? p : (type**)0)) - -# define TYPEDEF_D2I_OF(type) typedef type *d2i_of_##type(type **,const unsigned char **,long) -# define TYPEDEF_I2D_OF(type) typedef int i2d_of_##type(const type *,unsigned char **) -# define TYPEDEF_D2I2D_OF(type) TYPEDEF_D2I_OF(type); TYPEDEF_I2D_OF(type) +#define D2I_OF(type) type *(*)(type **, const unsigned char **, long) +#define I2D_OF(type) int (*)(const type *, unsigned char **) + +#define CHECKED_D2I_OF(type, d2i) \ + ((d2i_of_void *)(1 ? d2i : ((D2I_OF(type))0))) +#define CHECKED_I2D_OF(type, i2d) \ + ((i2d_of_void *)(1 ? i2d : ((I2D_OF(type))0))) +#define CHECKED_NEW_OF(type, xnew) \ + ((void *(*)(void))(1 ? xnew : ((type * (*)(void))0))) +#define CHECKED_PTR_OF(type, p) \ + ((void *)(1 ? 
p : (type *)0)) +#define CHECKED_PPTR_OF(type, p) \ + ((void **)(1 ? p : (type **)0)) + +#define TYPEDEF_D2I_OF(type) typedef type *d2i_of_##type(type **, const unsigned char **, long) +#define TYPEDEF_I2D_OF(type) typedef int i2d_of_##type(const type *, unsigned char **) +#define TYPEDEF_D2I2D_OF(type) \ + TYPEDEF_D2I_OF(type); \ + TYPEDEF_I2D_OF(type) typedef void *d2i_of_void(void **, const unsigned char **, long); typedef int i2d_of_void(const void *, unsigned char **); @@ -409,26 +416,25 @@ typedef int OSSL_i2d_of_void_ctx(const void *, unsigned char **, void *vctx); * */ - /* * Platforms that can't easily handle shared global variables are declared as * functions returning ASN1_ITEM pointers. */ /* ASN1_ITEM pointer exported type */ -typedef const ASN1_ITEM *ASN1_ITEM_EXP (void); +typedef const ASN1_ITEM *ASN1_ITEM_EXP(void); /* Macro to obtain ASN1_ITEM pointer from exported type */ -# define ASN1_ITEM_ptr(iptr) (iptr()) +#define ASN1_ITEM_ptr(iptr) (iptr()) /* Macro to include ASN1_ITEM pointer from base type */ -# define ASN1_ITEM_ref(iptr) (iptr##_it) +#define ASN1_ITEM_ref(iptr) (iptr##_it) -# define ASN1_ITEM_rptr(ref) (ref##_it()) +#define ASN1_ITEM_rptr(ref) (ref##_it()) -# define DECLARE_ASN1_ITEM_attr(attr, name) \ - attr const ASN1_ITEM * name##_it(void); -# define DECLARE_ASN1_ITEM(name) \ +#define DECLARE_ASN1_ITEM_attr(attr, name) \ + attr const ASN1_ITEM *name##_it(void); +#define DECLARE_ASN1_ITEM(name) \ DECLARE_ASN1_ITEM_attr(extern, name) /* Parameters used by ASN1_STRING_print_ex() */ 
@@ -438,30 +444,30 @@ typedef const ASN1_ITEM *ASN1_ITEM_EXP (void); * control characters and MSB set characters */ -# define ASN1_STRFLGS_ESC_2253 1 -# define ASN1_STRFLGS_ESC_CTRL 2 -# define ASN1_STRFLGS_ESC_MSB 4 +#define ASN1_STRFLGS_ESC_2253 1 +#define ASN1_STRFLGS_ESC_CTRL 2 +#define ASN1_STRFLGS_ESC_MSB 4 /* Lower 8 bits are reserved as an output type specifier */ -# define ASN1_DTFLGS_TYPE_MASK 0x0FUL -# define ASN1_DTFLGS_RFC822 0x00UL -# define ASN1_DTFLGS_ISO8601 0x01UL +#define ASN1_DTFLGS_TYPE_MASK 0x0FUL +#define ASN1_DTFLGS_RFC822 0x00UL +#define ASN1_DTFLGS_ISO8601 0x01UL /* * This flag determines how we do escaping: normally RC2253 backslash only, * set this to use backslash and quote. */ -# define ASN1_STRFLGS_ESC_QUOTE 8 +#define ASN1_STRFLGS_ESC_QUOTE 8 /* These three flags are internal use only. */ /* Character is a valid PrintableString character */ -# define CHARTYPE_PRINTABLESTRING 0x10 +#define CHARTYPE_PRINTABLESTRING 0x10 /* Character needs escaping if it is the first character */ -# define CHARTYPE_FIRST_ESC_2253 0x20 +#define CHARTYPE_FIRST_ESC_2253 0x20 /* Character needs escaping if it is the last character */ -# define CHARTYPE_LAST_ESC_2253 0x40 +#define CHARTYPE_LAST_ESC_2253 0x40 /* * NB the internal flags are safely reused below by flags handled at the top @@ -472,7 +478,7 @@ typedef const ASN1_ITEM *ASN1_ITEM_EXP (void); * If this is set we convert all character strings to UTF8 first */ -# define ASN1_STRFLGS_UTF8_CONVERT 0x10 +#define ASN1_STRFLGS_UTF8_CONVERT 0x10 /* * If this is set we don't attempt to interpret content: just assume all @@ -480,10 +486,10 @@ typedef const ASN1_ITEM *ASN1_ITEM_EXP (void); * looking output! */ -# define ASN1_STRFLGS_IGNORE_TYPE 0x20 +#define ASN1_STRFLGS_IGNORE_TYPE 0x20 /* If this is set we include the string type in the output */ -# define ASN1_STRFLGS_SHOW_TYPE 0x40 +#define ASN1_STRFLGS_SHOW_TYPE 0x40 /* * This determines which strings to display and which to 'dump' (hex dump of 
@@ -493,33 +499,27 @@ typedef const ASN1_ITEM *ASN1_ITEM_EXP (void); * options. */ -# define ASN1_STRFLGS_DUMP_ALL 0x80 -# define ASN1_STRFLGS_DUMP_UNKNOWN 0x100 +#define ASN1_STRFLGS_DUMP_ALL 0x80 +#define ASN1_STRFLGS_DUMP_UNKNOWN 0x100 /* * These determine what 'dumping' does, we can dump the content octets or the * DER encoding: both use the RFC2253 #XXXXX notation. */ -# define ASN1_STRFLGS_DUMP_DER 0x200 +#define ASN1_STRFLGS_DUMP_DER 0x200 /* * This flag specifies that RC2254 escaping shall be performed. */ -#define ASN1_STRFLGS_ESC_2254 0x400 +#define ASN1_STRFLGS_ESC_2254 0x400 /* * All the string flags consistent with RFC2253, escaping control characters * isn't essential in RFC2253 but it is advisable anyway. */ -# define ASN1_STRFLGS_RFC2253 (ASN1_STRFLGS_ESC_2253 | \ - ASN1_STRFLGS_ESC_CTRL | \ - ASN1_STRFLGS_ESC_MSB | \ - ASN1_STRFLGS_UTF8_CONVERT | \ - ASN1_STRFLGS_DUMP_UNKNOWN | \ - ASN1_STRFLGS_DUMP_DER) - +#define ASN1_STRFLGS_RFC2253 (ASN1_STRFLGS_ESC_2253 | ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | ASN1_STRFLGS_UTF8_CONVERT | ASN1_STRFLGS_DUMP_UNKNOWN | ASN1_STRFLGS_DUMP_DER) struct asn1_type_st { int type; @@ -552,6 +552,7 @@ struct asn1_type_st { } value; }; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(ASN1_TYPE, ASN1_TYPE, ASN1_TYPE) #define sk_ASN1_TYPE_num(sk) OPENSSL_sk_num(ossl_check_const_ASN1_TYPE_sk_type(sk)) #define sk_ASN1_TYPE_value(sk, idx) ((ASN1_TYPE *)OPENSSL_sk_value(ossl_check_const_ASN1_TYPE_sk_type(sk), (idx))) 
@@ -579,6 +580,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(ASN1_TYPE, ASN1_TYPE, ASN1_TYPE) #define sk_ASN1_TYPE_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(ASN1_TYPE) *)OPENSSL_sk_deep_copy(ossl_check_const_ASN1_TYPE_sk_type(sk), ossl_check_ASN1_TYPE_copyfunc_type(copyfunc), ossl_check_ASN1_TYPE_freefunc_type(freefunc))) #define sk_ASN1_TYPE_set_cmp_func(sk, cmp) ((sk_ASN1_TYPE_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_ASN1_TYPE_sk_type(sk), ossl_check_ASN1_TYPE_compfunc_type(cmp))) +/* clang-format on */ typedef STACK_OF(ASN1_TYPE) ASN1_SEQUENCE_ANY; @@ -592,34 +594,17 @@ typedef struct BIT_STRING_BITNAME_st { const char *sname; } BIT_STRING_BITNAME; -# define B_ASN1_TIME \ - B_ASN1_UTCTIME | \ - B_ASN1_GENERALIZEDTIME - -# define B_ASN1_PRINTABLE \ - B_ASN1_NUMERICSTRING| \ - B_ASN1_PRINTABLESTRING| \ - B_ASN1_T61STRING| \ - B_ASN1_IA5STRING| \ - B_ASN1_BIT_STRING| \ - B_ASN1_UNIVERSALSTRING|\ - B_ASN1_BMPSTRING|\ - B_ASN1_UTF8STRING|\ - B_ASN1_SEQUENCE|\ - B_ASN1_UNKNOWN - -# define B_ASN1_DIRECTORYSTRING \ - B_ASN1_PRINTABLESTRING| \ - B_ASN1_TELETEXSTRING|\ - B_ASN1_BMPSTRING|\ - B_ASN1_UNIVERSALSTRING|\ - B_ASN1_UTF8STRING - -# define B_ASN1_DISPLAYTEXT \ - B_ASN1_IA5STRING| \ - B_ASN1_VISIBLESTRING| \ - B_ASN1_BMPSTRING|\ - B_ASN1_UTF8STRING +#define B_ASN1_TIME \ + B_ASN1_UTCTIME | B_ASN1_GENERALIZEDTIME + +#define B_ASN1_PRINTABLE \ + B_ASN1_NUMERICSTRING | B_ASN1_PRINTABLESTRING | B_ASN1_T61STRING | B_ASN1_IA5STRING | B_ASN1_BIT_STRING | B_ASN1_UNIVERSALSTRING | B_ASN1_BMPSTRING | B_ASN1_UTF8STRING | B_ASN1_SEQUENCE | B_ASN1_UNKNOWN + +#define B_ASN1_DIRECTORYSTRING \ + B_ASN1_PRINTABLESTRING | B_ASN1_TELETEXSTRING | B_ASN1_BMPSTRING | B_ASN1_UNIVERSALSTRING | B_ASN1_UTF8STRING + +#define B_ASN1_DISPLAYTEXT \ + B_ASN1_IA5STRING | B_ASN1_VISIBLESTRING | B_ASN1_BMPSTRING | B_ASN1_UTF8STRING DECLARE_ASN1_ALLOC_FUNCTIONS_name(ASN1_TYPE, ASN1_TYPE) DECLARE_ASN1_ENCODE_FUNCTIONS(ASN1_TYPE, ASN1_ANY, ASN1_TYPE) 
@@ -632,6 +617,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b); ASN1_TYPE *ASN1_TYPE_pack_sequence(const ASN1_ITEM *it, void *s, ASN1_TYPE **t); void *ASN1_TYPE_unpack_sequence(const ASN1_ITEM *it, const ASN1_TYPE *t); +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(ASN1_OBJECT, ASN1_OBJECT, ASN1_OBJECT) #define sk_ASN1_OBJECT_num(sk) OPENSSL_sk_num(ossl_check_const_ASN1_OBJECT_sk_type(sk)) #define sk_ASN1_OBJECT_value(sk, idx) ((ASN1_OBJECT *)OPENSSL_sk_value(ossl_check_const_ASN1_OBJECT_sk_type(sk), (idx))) @@ -659,6 +645,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(ASN1_OBJECT, ASN1_OBJECT, ASN1_OBJECT) #define sk_ASN1_OBJECT_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(ASN1_OBJECT) *)OPENSSL_sk_deep_copy(ossl_check_const_ASN1_OBJECT_sk_type(sk), ossl_check_ASN1_OBJECT_copyfunc_type(copyfunc), ossl_check_ASN1_OBJECT_freefunc_type(freefunc))) #define sk_ASN1_OBJECT_set_cmp_func(sk, cmp) ((sk_ASN1_OBJECT_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_ASN1_OBJECT_sk_type(sk), ossl_check_ASN1_OBJECT_compfunc_type(cmp))) +/* clang-format on */ DECLARE_ASN1_FUNCTIONS(ASN1_OBJECT) 
@@ -669,20 +656,20 @@ int ASN1_STRING_copy(ASN1_STRING *dst, const ASN1_STRING *str); DECLARE_ASN1_DUP_FUNCTION(ASN1_STRING) ASN1_STRING *ASN1_STRING_type_new(int type); int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b); - /* - * Since this is used to store all sorts of things, via macros, for now, - * make its data void * - */ +/* + * Since this is used to store all sorts of things, via macros, for now, + * make its data void * + */ int ASN1_STRING_set(ASN1_STRING *str, const void *data, int len); void ASN1_STRING_set0(ASN1_STRING *str, void *data, int len); int ASN1_STRING_length(const ASN1_STRING *x); -# ifndef OPENSSL_NO_DEPRECATED_3_0 +#ifndef OPENSSL_NO_DEPRECATED_3_0 OSSL_DEPRECATEDIN_3_0 void ASN1_STRING_length_set(ASN1_STRING *x, int n); -# endif +#endif int ASN1_STRING_type(const ASN1_STRING *x); -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 OSSL_DEPRECATEDIN_1_1_0 unsigned char *ASN1_STRING_data(ASN1_STRING *x); -# endif +#endif const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x); DECLARE_ASN1_FUNCTIONS(ASN1_BIT_STRING) 
@@ -690,14 +677,15 @@ int ASN1_BIT_STRING_set(ASN1_BIT_STRING *a, unsigned char *d, int length); int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value); int ASN1_BIT_STRING_get_bit(const ASN1_BIT_STRING *a, int n); int ASN1_BIT_STRING_check(const ASN1_BIT_STRING *a, - const unsigned char *flags, int flags_len); + const unsigned char *flags, int flags_len); int ASN1_BIT_STRING_name_print(BIO *out, ASN1_BIT_STRING *bs, - BIT_STRING_BITNAME *tbl, int indent); + BIT_STRING_BITNAME *tbl, int indent); int ASN1_BIT_STRING_num_asc(const char *name, BIT_STRING_BITNAME *tbl); int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, const char *name, int value, - BIT_STRING_BITNAME *tbl); + BIT_STRING_BITNAME *tbl); +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(ASN1_INTEGER, ASN1_INTEGER, ASN1_INTEGER) #define sk_ASN1_INTEGER_num(sk) OPENSSL_sk_num(ossl_check_const_ASN1_INTEGER_sk_type(sk)) #define sk_ASN1_INTEGER_value(sk, idx) ((ASN1_INTEGER *)OPENSSL_sk_value(ossl_check_const_ASN1_INTEGER_sk_type(sk), (idx))) @@ -725,11 +713,11 @@ SKM_DEFINE_STACK_OF_INTERNAL(ASN1_INTEGER, ASN1_INTEGER, ASN1_INTEGER) #define sk_ASN1_INTEGER_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(ASN1_INTEGER) *)OPENSSL_sk_deep_copy(ossl_check_const_ASN1_INTEGER_sk_type(sk), ossl_check_ASN1_INTEGER_copyfunc_type(copyfunc), ossl_check_ASN1_INTEGER_freefunc_type(freefunc))) #define sk_ASN1_INTEGER_set_cmp_func(sk, cmp) ((sk_ASN1_INTEGER_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_ASN1_INTEGER_sk_type(sk), ossl_check_ASN1_INTEGER_compfunc_type(cmp))) - +/* clang-format on */ DECLARE_ASN1_FUNCTIONS(ASN1_INTEGER) ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp, - long length); + long length); DECLARE_ASN1_DUP_FUNCTION(ASN1_INTEGER) int ASN1_INTEGER_cmp(const ASN1_INTEGER *x, const ASN1_INTEGER *y); 
@@ -738,28 +726,29 @@ DECLARE_ASN1_FUNCTIONS(ASN1_ENUMERATED) int ASN1_UTCTIME_check(const ASN1_UTCTIME *a); ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t); ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t, - int offset_day, long offset_sec); + int offset_day, long offset_sec); int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str); int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t); int ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *a); ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s, - time_t t); + time_t t); ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj(ASN1_GENERALIZEDTIME *s, - time_t t, int offset_day, - long offset_sec); + time_t t, int offset_day, + long offset_sec); int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, const char *str); int ASN1_TIME_diff(int *pday, int *psec, - const ASN1_TIME *from, const ASN1_TIME *to); + const ASN1_TIME *from, const ASN1_TIME *to); DECLARE_ASN1_FUNCTIONS(ASN1_OCTET_STRING) DECLARE_ASN1_DUP_FUNCTION(ASN1_OCTET_STRING) int ASN1_OCTET_STRING_cmp(const ASN1_OCTET_STRING *a, - const ASN1_OCTET_STRING *b); + const ASN1_OCTET_STRING *b); int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *str, const unsigned char *data, - int len); + int len); +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(ASN1_UTF8STRING, ASN1_UTF8STRING, ASN1_UTF8STRING) #define sk_ASN1_UTF8STRING_num(sk) OPENSSL_sk_num(ossl_check_const_ASN1_UTF8STRING_sk_type(sk)) #define sk_ASN1_UTF8STRING_value(sk, idx) ((ASN1_UTF8STRING *)OPENSSL_sk_value(ossl_check_const_ASN1_UTF8STRING_sk_type(sk), (idx))) 
@@ -787,6 +776,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(ASN1_UTF8STRING, ASN1_UTF8STRING, ASN1_UTF8STRING) #define sk_ASN1_UTF8STRING_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(ASN1_UTF8STRING) *)OPENSSL_sk_deep_copy(ossl_check_const_ASN1_UTF8STRING_sk_type(sk), ossl_check_ASN1_UTF8STRING_copyfunc_type(copyfunc), ossl_check_ASN1_UTF8STRING_freefunc_type(freefunc))) #define sk_ASN1_UTF8STRING_set_cmp_func(sk, cmp) ((sk_ASN1_UTF8STRING_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_ASN1_UTF8STRING_sk_type(sk), ossl_check_ASN1_UTF8STRING_compfunc_type(cmp))) +/* clang-format on */ DECLARE_ASN1_FUNCTIONS(ASN1_VISIBLESTRING) DECLARE_ASN1_FUNCTIONS(ASN1_UNIVERSALSTRING) @@ -797,6 +787,7 @@ DECLARE_ASN1_FUNCTIONS(ASN1_BMPSTRING) int UTF8_getc(const unsigned char *str, int len, unsigned long *val); int UTF8_putc(unsigned char *str, int len, unsigned long value); +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(ASN1_GENERALSTRING, ASN1_GENERALSTRING, ASN1_GENERALSTRING) #define sk_ASN1_GENERALSTRING_num(sk) OPENSSL_sk_num(ossl_check_const_ASN1_GENERALSTRING_sk_type(sk)) #define sk_ASN1_GENERALSTRING_value(sk, idx) ((ASN1_GENERALSTRING *)OPENSSL_sk_value(ossl_check_const_ASN1_GENERALSTRING_sk_type(sk), (idx))) @@ -824,6 +815,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(ASN1_GENERALSTRING, ASN1_GENERALSTRING, ASN1_GENERA #define sk_ASN1_GENERALSTRING_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(ASN1_GENERALSTRING) *)OPENSSL_sk_deep_copy(ossl_check_const_ASN1_GENERALSTRING_sk_type(sk), ossl_check_ASN1_GENERALSTRING_copyfunc_type(copyfunc), ossl_check_ASN1_GENERALSTRING_freefunc_type(freefunc))) #define sk_ASN1_GENERALSTRING_set_cmp_func(sk, cmp) ((sk_ASN1_GENERALSTRING_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_ASN1_GENERALSTRING_sk_type(sk), ossl_check_ASN1_GENERALSTRING_compfunc_type(cmp))) +/* clang-format on */ DECLARE_ASN1_FUNCTIONS_name(ASN1_STRING, ASN1_PRINTABLE) 
@@ -845,10 +837,10 @@ DECLARE_ASN1_ITEM(ASN1_OCTET_STRING_NDEF) ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t); ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, time_t t, - int offset_day, long offset_sec); + int offset_day, long offset_sec); int ASN1_TIME_check(const ASN1_TIME *t); ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(const ASN1_TIME *t, - ASN1_GENERALIZEDTIME **out); + ASN1_GENERALIZEDTIME **out); int ASN1_TIME_set_string(ASN1_TIME *s, const char *str); int ASN1_TIME_set_string_X509(ASN1_TIME *s, const char *str); int ASN1_TIME_to_tm(const ASN1_TIME *s, struct tm *tm); @@ -867,7 +859,7 @@ int i2t_ASN1_OBJECT(char *buf, int buf_len, const ASN1_OBJECT *a); int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num); ASN1_OBJECT *ASN1_OBJECT_create(int nid, unsigned char *data, int len, - const char *sn, const char *ln); + const char *sn, const char *ln); int ASN1_INTEGER_get_int64(int64_t *pr, const ASN1_INTEGER *a); int ASN1_INTEGER_set_int64(ASN1_INTEGER *a, int64_t r); @@ -882,7 +874,6 @@ BIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn); int ASN1_ENUMERATED_get_int64(int64_t *pr, const ASN1_ENUMERATED *a); int ASN1_ENUMERATED_set_int64(ASN1_ENUMERATED *a, int64_t r); - int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v); long ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a); ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(const BIGNUM *bn, ASN1_ENUMERATED *ai); 
@@ -896,81 +887,81 @@ unsigned long ASN1_tag2bit(int tag); /* SPECIALS */ int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag, - int *pclass, long omax); + int *pclass, long omax); int ASN1_check_infinite_end(unsigned char **p, long len); int ASN1_const_check_infinite_end(const unsigned char **p, long len); void ASN1_put_object(unsigned char **pp, int constructed, int length, - int tag, int xclass); + int tag, int xclass); int ASN1_put_eoc(unsigned char **pp); int ASN1_object_size(int constructed, int length, int tag); /* Used to implement other functions */ void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, const void *x); -# define ASN1_dup_of(type,i2d,d2i,x) \ - ((type*)ASN1_dup(CHECKED_I2D_OF(type, i2d), \ - CHECKED_D2I_OF(type, d2i), \ - CHECKED_PTR_OF(const type, x))) +#define ASN1_dup_of(type, i2d, d2i, x) \ + ((type *)ASN1_dup(CHECKED_I2D_OF(type, i2d), \ + CHECKED_D2I_OF(type, d2i), \ + CHECKED_PTR_OF(const type, x))) void *ASN1_item_dup(const ASN1_ITEM *it, const void *x); int ASN1_item_sign_ex(const ASN1_ITEM *it, X509_ALGOR *algor1, - X509_ALGOR *algor2, ASN1_BIT_STRING *signature, - const void *data, const ASN1_OCTET_STRING *id, - EVP_PKEY *pkey, const EVP_MD *md, OSSL_LIB_CTX *libctx, - const char *propq); + X509_ALGOR *algor2, ASN1_BIT_STRING *signature, + const void *data, const ASN1_OCTET_STRING *id, + EVP_PKEY *pkey, const EVP_MD *md, OSSL_LIB_CTX *libctx, + const char *propq); int ASN1_item_verify_ex(const ASN1_ITEM *it, const X509_ALGOR *alg, - const ASN1_BIT_STRING *signature, const void *data, - const ASN1_OCTET_STRING *id, EVP_PKEY *pkey, - OSSL_LIB_CTX *libctx, const char *propq); + const ASN1_BIT_STRING *signature, const void *data, + const ASN1_OCTET_STRING *id, EVP_PKEY *pkey, + OSSL_LIB_CTX *libctx, const char *propq); /* ASN1 alloc/free macros for when a type is only used internally */ -# define M_ASN1_new_of(type) (type *)ASN1_item_new(ASN1_ITEM_rptr(type)) -# define M_ASN1_free_of(x, type) \ - 
ASN1_item_free(CHECKED_PTR_OF(type, x), ASN1_ITEM_rptr(type)) +#define M_ASN1_new_of(type) (type *)ASN1_item_new(ASN1_ITEM_rptr(type)) +#define M_ASN1_free_of(x, type) \ + ASN1_item_free(CHECKED_PTR_OF(type, x), ASN1_ITEM_rptr(type)) -# ifndef OPENSSL_NO_STDIO -void *ASN1_d2i_fp(void *(*xnew) (void), d2i_of_void *d2i, FILE *in, void **x); +#ifndef OPENSSL_NO_STDIO +void *ASN1_d2i_fp(void *(*xnew)(void), d2i_of_void *d2i, FILE *in, void **x); -# define ASN1_d2i_fp_of(type,xnew,d2i,in,x) \ - ((type*)ASN1_d2i_fp(CHECKED_NEW_OF(type, xnew), \ - CHECKED_D2I_OF(type, d2i), \ - in, \ - CHECKED_PPTR_OF(type, x))) +#define ASN1_d2i_fp_of(type, xnew, d2i, in, x) \ + ((type *)ASN1_d2i_fp(CHECKED_NEW_OF(type, xnew), \ + CHECKED_D2I_OF(type, d2i), \ + in, \ + CHECKED_PPTR_OF(type, x))) void *ASN1_item_d2i_fp_ex(const ASN1_ITEM *it, FILE *in, void *x, - OSSL_LIB_CTX *libctx, const char *propq); + OSSL_LIB_CTX *libctx, const char *propq); void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x); int ASN1_i2d_fp(i2d_of_void *i2d, FILE *out, const void *x); -# define ASN1_i2d_fp_of(type,i2d,out,x) \ +#define ASN1_i2d_fp_of(type, i2d, out, x) \ (ASN1_i2d_fp(CHECKED_I2D_OF(type, i2d), \ - out, \ - CHECKED_PTR_OF(const type, x))) + out, \ + CHECKED_PTR_OF(const type, x))) int ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, const void *x); int ASN1_STRING_print_ex_fp(FILE *fp, const ASN1_STRING *str, unsigned long flags); -# endif +#endif int ASN1_STRING_to_UTF8(unsigned char **out, const ASN1_STRING *in); -void *ASN1_d2i_bio(void *(*xnew) (void), d2i_of_void *d2i, BIO *in, void **x); +void *ASN1_d2i_bio(void *(*xnew)(void), d2i_of_void *d2i, BIO *in, void **x); -# define ASN1_d2i_bio_of(type,xnew,d2i,in,x) \ - ((type*)ASN1_d2i_bio( CHECKED_NEW_OF(type, xnew), \ - CHECKED_D2I_OF(type, d2i), \ - in, \ - CHECKED_PPTR_OF(type, x))) +#define ASN1_d2i_bio_of(type, xnew, d2i, in, x) \ + ((type *)ASN1_d2i_bio(CHECKED_NEW_OF(type, xnew), \ + CHECKED_D2I_OF(type, d2i), \ + in, \ + 
CHECKED_PPTR_OF(type, x))) void *ASN1_item_d2i_bio_ex(const ASN1_ITEM *it, BIO *in, void *pval, - OSSL_LIB_CTX *libctx, const char *propq); + OSSL_LIB_CTX *libctx, const char *propq); void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *pval); int ASN1_i2d_bio(i2d_of_void *i2d, BIO *out, const void *x); -# define ASN1_i2d_bio_of(type,i2d,out,x) \ +#define ASN1_i2d_bio_of(type, i2d, out, x) \ (ASN1_i2d_bio(CHECKED_I2D_OF(type, i2d), \ - out, \ - CHECKED_PTR_OF(const type, x))) + out, \ + CHECKED_PTR_OF(const type, x))) int ASN1_item_i2d_bio(const ASN1_ITEM *it, BIO *out, const void *x); BIO *ASN1_item_i2d_mem_bio(const ASN1_ITEM *it, const ASN1_VALUE *val); @@ -982,10 +973,10 @@ int ASN1_STRING_print(BIO *bp, const ASN1_STRING *v); int ASN1_STRING_print_ex(BIO *out, const ASN1_STRING *str, unsigned long flags); int ASN1_buf_print(BIO *bp, const unsigned char *buf, size_t buflen, int off); int ASN1_bn_print(BIO *bp, const char *number, const BIGNUM *num, - unsigned char *buf, int off); + unsigned char *buf, int off); int ASN1_parse(BIO *bp, const unsigned char *pp, long len, int indent); int ASN1_parse_dump(BIO *bp, const unsigned char *pp, long len, int indent, - int dump); + int dump); const char *ASN1_tag2str(int tag); /* Used to load and write Netscape format cert */ 
@@ -995,29 +986,29 @@ int ASN1_UNIVERSALSTRING_to_string(ASN1_UNIVERSALSTRING *s); int ASN1_TYPE_set_octetstring(ASN1_TYPE *a, unsigned char *data, int len); int ASN1_TYPE_get_octetstring(const ASN1_TYPE *a, unsigned char *data, int max_len); int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, - unsigned char *data, int len); + unsigned char *data, int len); int ASN1_TYPE_get_int_octetstring(const ASN1_TYPE *a, long *num, - unsigned char *data, int max_len); + unsigned char *data, int max_len); void *ASN1_item_unpack(const ASN1_STRING *oct, const ASN1_ITEM *it); void *ASN1_item_unpack_ex(const ASN1_STRING *oct, const ASN1_ITEM *it, - OSSL_LIB_CTX *libctx, const char *propq); + OSSL_LIB_CTX *libctx, const char *propq); ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, - ASN1_OCTET_STRING **oct); + ASN1_OCTET_STRING **oct); void ASN1_STRING_set_default_mask(unsigned long mask); int ASN1_STRING_set_default_mask_asc(const char *p); unsigned long ASN1_STRING_get_default_mask(void); int ASN1_mbstring_copy(ASN1_STRING **out, const unsigned char *in, int len, - int inform, unsigned long mask); + int inform, unsigned long mask); int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, - int inform, unsigned long mask, - long minsize, long maxsize); + int inform, unsigned long mask, + long minsize, long maxsize); ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, - const unsigned char *in, int inlen, - int inform, int nid); + const unsigned char *in, int inlen, + int inform, int nid); ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid); int ASN1_STRING_TABLE_add(int, long, long, unsigned long, unsigned long); void ASN1_STRING_TABLE_cleanup(void); 
@@ -1027,16 +1018,16 @@ void ASN1_STRING_TABLE_cleanup(void); /* Old API compatible functions */ ASN1_VALUE *ASN1_item_new(const ASN1_ITEM *it); ASN1_VALUE *ASN1_item_new_ex(const ASN1_ITEM *it, OSSL_LIB_CTX *libctx, - const char *propq); + const char *propq); void ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it); ASN1_VALUE *ASN1_item_d2i_ex(ASN1_VALUE **val, const unsigned char **in, - long len, const ASN1_ITEM *it, - OSSL_LIB_CTX *libctx, const char *propq); + long len, const ASN1_ITEM *it, + OSSL_LIB_CTX *libctx, const char *propq); ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **val, const unsigned char **in, - long len, const ASN1_ITEM *it); + long len, const ASN1_ITEM *it); int ASN1_item_i2d(const ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it); int ASN1_item_ndef_i2d(const ASN1_VALUE *val, unsigned char **out, - const ASN1_ITEM *it); + const ASN1_ITEM *it); void ASN1_add_oid_module(void); void ASN1_add_stable_module(void); 
@@ -1048,26 +1039,26 @@ int ASN1_str2mask(const char *str, unsigned long *pmask); /* ASN1 Print flags */ /* Indicate missing OPTIONAL fields */ -# define ASN1_PCTX_FLAGS_SHOW_ABSENT 0x001 +#define ASN1_PCTX_FLAGS_SHOW_ABSENT 0x001 /* Mark start and end of SEQUENCE */ -# define ASN1_PCTX_FLAGS_SHOW_SEQUENCE 0x002 +#define ASN1_PCTX_FLAGS_SHOW_SEQUENCE 0x002 /* Mark start and end of SEQUENCE/SET OF */ -# define ASN1_PCTX_FLAGS_SHOW_SSOF 0x004 +#define ASN1_PCTX_FLAGS_SHOW_SSOF 0x004 /* Show the ASN1 type of primitives */ -# define ASN1_PCTX_FLAGS_SHOW_TYPE 0x008 +#define ASN1_PCTX_FLAGS_SHOW_TYPE 0x008 /* Don't show ASN1 type of ANY */ -# define ASN1_PCTX_FLAGS_NO_ANY_TYPE 0x010 +#define ASN1_PCTX_FLAGS_NO_ANY_TYPE 0x010 /* Don't show ASN1 type of MSTRINGs */ -# define ASN1_PCTX_FLAGS_NO_MSTRING_TYPE 0x020 +#define ASN1_PCTX_FLAGS_NO_MSTRING_TYPE 0x020 /* Don't show field names in SEQUENCE */ -# define ASN1_PCTX_FLAGS_NO_FIELD_NAME 0x040 +#define ASN1_PCTX_FLAGS_NO_FIELD_NAME 0x040 /* Show structure names of each SEQUENCE field */ -# define ASN1_PCTX_FLAGS_SHOW_FIELD_STRUCT_NAME 0x080 +#define ASN1_PCTX_FLAGS_SHOW_FIELD_STRUCT_NAME 0x080 /* Don't show structure name even at top level */ -# define ASN1_PCTX_FLAGS_NO_STRUCT_NAME 0x100 +#define ASN1_PCTX_FLAGS_NO_STRUCT_NAME 0x100 int ASN1_item_print(BIO *out, const ASN1_VALUE *ifld, int indent, - const ASN1_ITEM *it, const ASN1_PCTX *pctx); + const ASN1_ITEM *it, const ASN1_PCTX *pctx); ASN1_PCTX *ASN1_PCTX_new(void); void ASN1_PCTX_free(ASN1_PCTX *p); unsigned long ASN1_PCTX_get_flags(const ASN1_PCTX *p); 
@@ -1081,7 +1072,7 @@ void ASN1_PCTX_set_oid_flags(ASN1_PCTX *p, unsigned long flags); unsigned long ASN1_PCTX_get_str_flags(const ASN1_PCTX *p); void ASN1_PCTX_set_str_flags(ASN1_PCTX *p, unsigned long flags); -ASN1_SCTX *ASN1_SCTX_new(int (*scan_cb) (ASN1_SCTX *ctx)); +ASN1_SCTX *ASN1_SCTX_new(int (*scan_cb)(ASN1_SCTX *ctx)); void ASN1_SCTX_free(ASN1_SCTX *p); const ASN1_ITEM *ASN1_SCTX_get_item(ASN1_SCTX *p); const ASN1_TEMPLATE *ASN1_SCTX_get_template(ASN1_SCTX *p); @@ -1095,21 +1086,21 @@ const BIO_METHOD *BIO_f_asn1(void); BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it); int i2d_ASN1_bio_stream(BIO *out, ASN1_VALUE *val, BIO *in, int flags, - const ASN1_ITEM *it); + const ASN1_ITEM *it); int PEM_write_bio_ASN1_stream(BIO *out, ASN1_VALUE *val, BIO *in, int flags, - const char *hdr, const ASN1_ITEM *it); + const char *hdr, const ASN1_ITEM *it); /* cannot constify val because of CMS_dataFinal() */ int SMIME_write_ASN1(BIO *bio, ASN1_VALUE *val, BIO *data, int flags, - int ctype_nid, int econt_nid, - STACK_OF(X509_ALGOR) *mdalgs, const ASN1_ITEM *it); + int ctype_nid, int econt_nid, + STACK_OF(X509_ALGOR) *mdalgs, const ASN1_ITEM *it); int SMIME_write_ASN1_ex(BIO *bio, ASN1_VALUE *val, BIO *data, int flags, - int ctype_nid, int econt_nid, - STACK_OF(X509_ALGOR) *mdalgs, const ASN1_ITEM *it, - OSSL_LIB_CTX *libctx, const char *propq); + int ctype_nid, int econt_nid, + STACK_OF(X509_ALGOR) *mdalgs, const ASN1_ITEM *it, + OSSL_LIB_CTX *libctx, const char *propq); ASN1_VALUE *SMIME_read_ASN1(BIO *bio, BIO **bcont, const ASN1_ITEM *it); ASN1_VALUE *SMIME_read_ASN1_ex(BIO *bio, int flags, BIO **bcont, - const ASN1_ITEM *it, ASN1_VALUE **x, - OSSL_LIB_CTX *libctx, const char *propq); + const ASN1_ITEM *it, ASN1_VALUE **x, + OSSL_LIB_CTX *libctx, const char *propq); int SMIME_crlf_copy(BIO *in, BIO *out, int flags); int SMIME_text(BIO *in, BIO *out); 
@@ -1117,18 +1108,18 @@ const ASN1_ITEM *ASN1_ITEM_lookup(const char *name); const ASN1_ITEM *ASN1_ITEM_get(size_t i); /* Legacy compatibility */ -# define DECLARE_ASN1_FUNCTIONS_fname(type, itname, name) \ - DECLARE_ASN1_ALLOC_FUNCTIONS_name(type, name) \ - DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) -# define DECLARE_ASN1_FUNCTIONS_const(type) DECLARE_ASN1_FUNCTIONS(type) -# define DECLARE_ASN1_ENCODE_FUNCTIONS_const(type, name) \ - DECLARE_ASN1_ENCODE_FUNCTIONS(type, name) -# define I2D_OF_const(type) I2D_OF(type) -# define ASN1_dup_of_const(type,i2d,d2i,x) ASN1_dup_of(type,i2d,d2i,x) -# define ASN1_i2d_fp_of_const(type,i2d,out,x) ASN1_i2d_fp_of(type,i2d,out,x) -# define ASN1_i2d_bio_of_const(type,i2d,out,x) ASN1_i2d_bio_of(type,i2d,out,x) - -# ifdef __cplusplus +#define DECLARE_ASN1_FUNCTIONS_fname(type, itname, name) \ + DECLARE_ASN1_ALLOC_FUNCTIONS_name(type, name) \ + DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) +#define DECLARE_ASN1_FUNCTIONS_const(type) DECLARE_ASN1_FUNCTIONS(type) +#define DECLARE_ASN1_ENCODE_FUNCTIONS_const(type, name) \ + DECLARE_ASN1_ENCODE_FUNCTIONS(type, name) +#define I2D_OF_const(type) I2D_OF(type) +#define ASN1_dup_of_const(type, i2d, d2i, x) ASN1_dup_of(type, i2d, d2i, x) +#define ASN1_i2d_fp_of_const(type, i2d, out, x) ASN1_i2d_fp_of(type, i2d, out, x) +#define ASN1_i2d_bio_of_const(type, i2d, out, x) ASN1_i2d_bio_of(type, i2d, out, x) + +#ifdef __cplusplus } -# endif +#endif #endif diff --git a/crypto/openssl/include/openssl/asn1t.h b/crypto/openssl/include/openssl/asn1t.h index 74ba47d0cf26..dc9042c812c9 100644 --- a/crypto/openssl/include/openssl/asn1t.h +++ b/crypto/openssl/include/openssl/asn1t.h 
@@ -10,29 +10,31 @@ * https://www.openssl.org/source/license.html */ +/* clang-format off */ +/* clang-format on */ #ifndef OPENSSL_ASN1T_H -# define OPENSSL_ASN1T_H -# pragma once +#define OPENSSL_ASN1T_H +#pragma once -# include <openssl/macros.h> -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define HEADER_ASN1T_H -# endif +#include <openssl/macros.h> +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define HEADER_ASN1T_H +#endif -# include <stddef.h> -# include <openssl/e_os2.h> -# include <openssl/asn1.h> +#include <stddef.h> +#include <openssl/e_os2.h> +#include <openssl/asn1.h> -# ifdef OPENSSL_BUILD_SHLIBCRYPTO -# undef OPENSSL_EXTERN -# define OPENSSL_EXTERN OPENSSL_EXPORT -# endif +#ifdef OPENSSL_BUILD_SHLIBCRYPTO +#undef OPENSSL_EXTERN +#define OPENSSL_EXTERN OPENSSL_EXPORT +#endif /* ASN1 template defines, structures and functions */ -#ifdef __cplusplus +#ifdef __cplusplus extern "C" { #endif 
@@ -77,59 +79,58 @@ extern "C" { * */ -# define ASN1_ITYPE_PRIMITIVE 0x0 -# define ASN1_ITYPE_SEQUENCE 0x1 -# define ASN1_ITYPE_CHOICE 0x2 +#define ASN1_ITYPE_PRIMITIVE 0x0 +#define ASN1_ITYPE_SEQUENCE 0x1 +#define ASN1_ITYPE_CHOICE 0x2 /* unused value 0x3 */ -# define ASN1_ITYPE_EXTERN 0x4 -# define ASN1_ITYPE_MSTRING 0x5 -# define ASN1_ITYPE_NDEF_SEQUENCE 0x6 +#define ASN1_ITYPE_EXTERN 0x4 +#define ASN1_ITYPE_MSTRING 0x5 +#define ASN1_ITYPE_NDEF_SEQUENCE 0x6 /* Macro to obtain ASN1_ADB pointer from a type (only used internally) */ -# define ASN1_ADB_ptr(iptr) ((const ASN1_ADB *)((iptr)())) +#define ASN1_ADB_ptr(iptr) ((const ASN1_ADB *)((iptr)())) /* Macros for start and end of ASN1_ITEM definition */ -# define ASN1_ITEM_start(itname) \ - const ASN1_ITEM * itname##_it(void) \ - { \ - static const ASN1_ITEM local_it = { +#define ASN1_ITEM_start(itname) \ + const ASN1_ITEM *itname##_it(void) \ + { \ + static const ASN1_ITEM local_it = { -# define static_ASN1_ITEM_start(itname) \ - static ASN1_ITEM_start(itname) +#define static_ASN1_ITEM_start(itname) \ + static ASN1_ITEM_start(itname) -# define ASN1_ITEM_end(itname) \ - }; \ - return &local_it; \ - } +#define ASN1_ITEM_end(itname) \ + } \ + ; \ + return &local_it; \ + } /* Macros to aid ASN1 template writing */ -# define ASN1_ITEM_TEMPLATE(tname) \ - static const ASN1_TEMPLATE tname##_item_tt - -# define ASN1_ITEM_TEMPLATE_END(tname) \ - ;\ - ASN1_ITEM_start(tname) \ - ASN1_ITYPE_PRIMITIVE,\ - -1,\ - &tname##_item_tt,\ - 0,\ - NULL,\ - 0,\ - #tname \ - ASN1_ITEM_end(tname) -# define static_ASN1_ITEM_TEMPLATE_END(tname) \ - ;\ - static_ASN1_ITEM_start(tname) \ - ASN1_ITYPE_PRIMITIVE,\ - -1,\ - &tname##_item_tt,\ - 0,\ - NULL,\ - 0,\ - #tname \ - ASN1_ITEM_end(tname) +#define ASN1_ITEM_TEMPLATE(tname) \ + static const ASN1_TEMPLATE tname##_item_tt + +#define ASN1_ITEM_TEMPLATE_END(tname) \ + ; \ + ASN1_ITEM_start(tname) \ + ASN1_ITYPE_PRIMITIVE, \ + -1, \ + &tname##_item_tt, \ + 0, \ + NULL, \ + 0, \ + #tname 
ASN1_ITEM_end(tname) +#define static_ASN1_ITEM_TEMPLATE_END(tname) \ + ; \ + static_ASN1_ITEM_start(tname) \ + ASN1_ITYPE_PRIMITIVE, \ + -1, \ + &tname##_item_tt, \ + 0, \ + NULL, \ + 0, \ + #tname ASN1_ITEM_end(tname) /* This is a ASN1 type which just embeds a template */ 
@@ -154,128 +155,118 @@ extern "C" { * a structure called stname. */ -# define ASN1_SEQUENCE(tname) \ - static const ASN1_TEMPLATE tname##_seq_tt[] - -# define ASN1_SEQUENCE_END(stname) ASN1_SEQUENCE_END_name(stname, stname) - -# define static_ASN1_SEQUENCE_END(stname) static_ASN1_SEQUENCE_END_name(stname, stname) - -# define ASN1_SEQUENCE_END_name(stname, tname) \ - ;\ - ASN1_ITEM_start(tname) \ - ASN1_ITYPE_SEQUENCE,\ - V_ASN1_SEQUENCE,\ - tname##_seq_tt,\ - sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\ - NULL,\ - sizeof(stname),\ - #tname \ - ASN1_ITEM_end(tname) - -# define static_ASN1_SEQUENCE_END_name(stname, tname) \ - ;\ - static_ASN1_ITEM_start(tname) \ - ASN1_ITYPE_SEQUENCE,\ - V_ASN1_SEQUENCE,\ - tname##_seq_tt,\ - sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\ - NULL,\ - sizeof(stname),\ - #stname \ - ASN1_ITEM_end(tname) - -# define ASN1_NDEF_SEQUENCE(tname) \ - ASN1_SEQUENCE(tname) - -# define ASN1_NDEF_SEQUENCE_cb(tname, cb) \ - ASN1_SEQUENCE_cb(tname, cb) - -# define ASN1_SEQUENCE_cb(tname, cb) \ - static const ASN1_AUX tname##_aux = {NULL, 0, 0, 0, cb, 0, NULL}; \ - ASN1_SEQUENCE(tname) - -# define ASN1_SEQUENCE_const_cb(tname, const_cb) \ - static const ASN1_AUX tname##_aux = \ - {NULL, ASN1_AFLG_CONST_CB, 0, 0, NULL, 0, const_cb}; \ - ASN1_SEQUENCE(tname) - -# define ASN1_SEQUENCE_cb_const_cb(tname, cb, const_cb) \ - static const ASN1_AUX tname##_aux = \ - {NULL, ASN1_AFLG_CONST_CB, 0, 0, cb, 0, const_cb}; \ - ASN1_SEQUENCE(tname) - -# define ASN1_SEQUENCE_ref(tname, cb) \ - static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_REFCOUNT, offsetof(tname, references), offsetof(tname, lock), cb, 0, NULL}; \ - ASN1_SEQUENCE(tname) - -# define ASN1_SEQUENCE_enc(tname, enc, cb) \ - static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_ENCODING, 0, 0, cb, offsetof(tname, enc), NULL}; \ - ASN1_SEQUENCE(tname) - -# define ASN1_NDEF_SEQUENCE_END(tname) \ - ;\ - ASN1_ITEM_start(tname) \ - ASN1_ITYPE_NDEF_SEQUENCE,\ - V_ASN1_SEQUENCE,\ - tname##_seq_tt,\ 
- sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\ - NULL,\ - sizeof(tname),\ - #tname \ - ASN1_ITEM_end(tname) -# define static_ASN1_NDEF_SEQUENCE_END(tname) \ - ;\ - static_ASN1_ITEM_start(tname) \ - ASN1_ITYPE_NDEF_SEQUENCE,\ - V_ASN1_SEQUENCE,\ - tname##_seq_tt,\ - sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\ - NULL,\ - sizeof(tname),\ - #tname \ - ASN1_ITEM_end(tname) - - -# define ASN1_SEQUENCE_END_enc(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname) - -# define ASN1_SEQUENCE_END_cb(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname) -# define static_ASN1_SEQUENCE_END_cb(stname, tname) static_ASN1_SEQUENCE_END_ref(stname, tname) - -# define ASN1_SEQUENCE_END_ref(stname, tname) \ - ;\ - ASN1_ITEM_start(tname) \ - ASN1_ITYPE_SEQUENCE,\ - V_ASN1_SEQUENCE,\ - tname##_seq_tt,\ - sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\ - &tname##_aux,\ - sizeof(stname),\ - #tname \ - ASN1_ITEM_end(tname) -# define static_ASN1_SEQUENCE_END_ref(stname, tname) \ - ;\ - static_ASN1_ITEM_start(tname) \ - ASN1_ITYPE_SEQUENCE,\ - V_ASN1_SEQUENCE,\ - tname##_seq_tt,\ - sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\ - &tname##_aux,\ - sizeof(stname),\ - #stname \ - ASN1_ITEM_end(tname) - -# define ASN1_NDEF_SEQUENCE_END_cb(stname, tname) \ - ;\ - ASN1_ITEM_start(tname) \ - ASN1_ITYPE_NDEF_SEQUENCE,\ - V_ASN1_SEQUENCE,\ - tname##_seq_tt,\ - sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\ - &tname##_aux,\ - sizeof(stname),\ - #stname \ - ASN1_ITEM_end(tname) +#define ASN1_SEQUENCE(tname) \ + static const ASN1_TEMPLATE tname##_seq_tt[] + +#define ASN1_SEQUENCE_END(stname) ASN1_SEQUENCE_END_name(stname, stname) + +#define static_ASN1_SEQUENCE_END(stname) static_ASN1_SEQUENCE_END_name(stname, stname) + +#define ASN1_SEQUENCE_END_name(stname, tname) \ + ; \ + ASN1_ITEM_start(tname) \ + ASN1_ITYPE_SEQUENCE, \ + V_ASN1_SEQUENCE, \ + tname##_seq_tt, \ + sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE), \ + NULL, \ + sizeof(stname), \ + #tname ASN1_ITEM_end(tname) + +#define 
static_ASN1_SEQUENCE_END_name(stname, tname) \ + ; \ + static_ASN1_ITEM_start(tname) \ + ASN1_ITYPE_SEQUENCE, \ + V_ASN1_SEQUENCE, \ + tname##_seq_tt, \ + sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE), \ + NULL, \ + sizeof(stname), \ + #stname ASN1_ITEM_end(tname) + +#define ASN1_NDEF_SEQUENCE(tname) \ + ASN1_SEQUENCE(tname) + +#define ASN1_NDEF_SEQUENCE_cb(tname, cb) \ + ASN1_SEQUENCE_cb(tname, cb) + +#define ASN1_SEQUENCE_cb(tname, cb) \ + static const ASN1_AUX tname##_aux = { NULL, 0, 0, 0, cb, 0, NULL }; \ + ASN1_SEQUENCE(tname) + +#define ASN1_SEQUENCE_const_cb(tname, const_cb) \ + static const ASN1_AUX tname##_aux = { NULL, ASN1_AFLG_CONST_CB, 0, 0, NULL, 0, const_cb }; \ + ASN1_SEQUENCE(tname) + +#define ASN1_SEQUENCE_cb_const_cb(tname, cb, const_cb) \ + static const ASN1_AUX tname##_aux = { NULL, ASN1_AFLG_CONST_CB, 0, 0, cb, 0, const_cb }; \ + ASN1_SEQUENCE(tname) + +#define ASN1_SEQUENCE_ref(tname, cb) \ + static const ASN1_AUX tname##_aux = { NULL, ASN1_AFLG_REFCOUNT, offsetof(tname, references), offsetof(tname, lock), cb, 0, NULL }; \ + ASN1_SEQUENCE(tname) + +#define ASN1_SEQUENCE_enc(tname, enc, cb) \ + static const ASN1_AUX tname##_aux = { NULL, ASN1_AFLG_ENCODING, 0, 0, cb, offsetof(tname, enc), NULL }; \ + ASN1_SEQUENCE(tname) + +#define ASN1_NDEF_SEQUENCE_END(tname) \ + ; \ + ASN1_ITEM_start(tname) \ + ASN1_ITYPE_NDEF_SEQUENCE, \ + V_ASN1_SEQUENCE, \ + tname##_seq_tt, \ + sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE), \ + NULL, \ + sizeof(tname), \ + #tname ASN1_ITEM_end(tname) +#define static_ASN1_NDEF_SEQUENCE_END(tname) \ + ; \ + static_ASN1_ITEM_start(tname) \ + ASN1_ITYPE_NDEF_SEQUENCE, \ + V_ASN1_SEQUENCE, \ + tname##_seq_tt, \ + sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE), \ + NULL, \ + sizeof(tname), \ + #tname ASN1_ITEM_end(tname) + +#define ASN1_SEQUENCE_END_enc(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname) + +#define ASN1_SEQUENCE_END_cb(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname) +#define 
static_ASN1_SEQUENCE_END_cb(stname, tname) static_ASN1_SEQUENCE_END_ref(stname, tname) + +#define ASN1_SEQUENCE_END_ref(stname, tname) \ + ; \ + ASN1_ITEM_start(tname) \ + ASN1_ITYPE_SEQUENCE, \ + V_ASN1_SEQUENCE, \ + tname##_seq_tt, \ + sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE), \ + &tname##_aux, \ + sizeof(stname), \ + #tname ASN1_ITEM_end(tname) +#define static_ASN1_SEQUENCE_END_ref(stname, tname) \ + ; \ + static_ASN1_ITEM_start(tname) \ + ASN1_ITYPE_SEQUENCE, \ + V_ASN1_SEQUENCE, \ + tname##_seq_tt, \ + sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE), \ + &tname##_aux, \ + sizeof(stname), \ + #stname ASN1_ITEM_end(tname) + +#define ASN1_NDEF_SEQUENCE_END_cb(stname, tname) \ + ; \ + ASN1_ITEM_start(tname) \ + ASN1_ITYPE_NDEF_SEQUENCE, \ + V_ASN1_SEQUENCE, \ + tname##_seq_tt, \ + sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE), \ + &tname##_aux, \ + sizeof(stname), \ + #stname ASN1_ITEM_end(tname) /*- * This pair helps declare a CHOICE type. We can do: 
@@ -300,185 +291,183 @@ extern "C" { * ASN1_CHOICE_END_selector() version. */ -# define ASN1_CHOICE(tname) \ - static const ASN1_TEMPLATE tname##_ch_tt[] - -# define ASN1_CHOICE_cb(tname, cb) \ - static const ASN1_AUX tname##_aux = {NULL, 0, 0, 0, cb, 0, NULL}; \ - ASN1_CHOICE(tname) - -# define ASN1_CHOICE_END(stname) ASN1_CHOICE_END_name(stname, stname) - -# define static_ASN1_CHOICE_END(stname) static_ASN1_CHOICE_END_name(stname, stname) - -# define ASN1_CHOICE_END_name(stname, tname) ASN1_CHOICE_END_selector(stname, tname, type) - -# define static_ASN1_CHOICE_END_name(stname, tname) static_ASN1_CHOICE_END_selector(stname, tname, type) - -# define ASN1_CHOICE_END_selector(stname, tname, selname) \ - ;\ - ASN1_ITEM_start(tname) \ - ASN1_ITYPE_CHOICE,\ - offsetof(stname,selname) ,\ - tname##_ch_tt,\ - sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\ - NULL,\ - sizeof(stname),\ - #stname \ - ASN1_ITEM_end(tname) - -# define static_ASN1_CHOICE_END_selector(stname, tname, selname) \ - ;\ - static_ASN1_ITEM_start(tname) \ - ASN1_ITYPE_CHOICE,\ - offsetof(stname,selname) ,\ - tname##_ch_tt,\ - sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\ - NULL,\ - sizeof(stname),\ - #stname \ - ASN1_ITEM_end(tname) - -# define ASN1_CHOICE_END_cb(stname, tname, selname) \ - ;\ - ASN1_ITEM_start(tname) \ - ASN1_ITYPE_CHOICE,\ - offsetof(stname,selname) ,\ - tname##_ch_tt,\ - sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\ - &tname##_aux,\ - sizeof(stname),\ - #stname \ - ASN1_ITEM_end(tname) +#define ASN1_CHOICE(tname) \ + static const ASN1_TEMPLATE tname##_ch_tt[] + +#define ASN1_CHOICE_cb(tname, cb) \ + static const ASN1_AUX tname##_aux = { NULL, 0, 0, 0, cb, 0, NULL }; \ + ASN1_CHOICE(tname) + +#define ASN1_CHOICE_END(stname) ASN1_CHOICE_END_name(stname, stname) + +#define static_ASN1_CHOICE_END(stname) static_ASN1_CHOICE_END_name(stname, stname) + +#define ASN1_CHOICE_END_name(stname, tname) ASN1_CHOICE_END_selector(stname, tname, type) + +#define 
static_ASN1_CHOICE_END_name(stname, tname) static_ASN1_CHOICE_END_selector(stname, tname, type) + +#define ASN1_CHOICE_END_selector(stname, tname, selname) \ + ; \ + ASN1_ITEM_start(tname) \ + ASN1_ITYPE_CHOICE, \ + offsetof(stname, selname), \ + tname##_ch_tt, \ + sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE), \ + NULL, \ + sizeof(stname), \ + #stname ASN1_ITEM_end(tname) + +#define static_ASN1_CHOICE_END_selector(stname, tname, selname) \ + ; \ + static_ASN1_ITEM_start(tname) \ + ASN1_ITYPE_CHOICE, \ + offsetof(stname, selname), \ + tname##_ch_tt, \ + sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE), \ + NULL, \ + sizeof(stname), \ + #stname ASN1_ITEM_end(tname) + +#define ASN1_CHOICE_END_cb(stname, tname, selname) \ + ; \ + ASN1_ITEM_start(tname) \ + ASN1_ITYPE_CHOICE, \ + offsetof(stname, selname), \ + tname##_ch_tt, \ + sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE), \ + &tname##_aux, \ + sizeof(stname), \ + #stname ASN1_ITEM_end(tname) /* This helps with the template wrapper form of ASN1_ITEM */ -# define ASN1_EX_TEMPLATE_TYPE(flags, tag, name, type) { \ - (flags), (tag), 0,\ - #name, ASN1_ITEM_ref(type) } +#define ASN1_EX_TEMPLATE_TYPE(flags, tag, name, type) { \ + (flags), (tag), 0, \ + #name, ASN1_ITEM_ref(type) \ +} /* These help with SEQUENCE or CHOICE components */ /* used to declare other types */ -# define ASN1_EX_TYPE(flags, tag, stname, field, type) { \ - (flags), (tag), offsetof(stname, field),\ - #field, ASN1_ITEM_ref(type) } +#define ASN1_EX_TYPE(flags, tag, stname, field, type) { \ + (flags), (tag), offsetof(stname, field), \ + #field, ASN1_ITEM_ref(type) \ +} /* implicit and explicit helper macros */ -# define ASN1_IMP_EX(stname, field, type, tag, ex) \ - ASN1_EX_TYPE(ASN1_TFLG_IMPLICIT | (ex), tag, stname, field, type) +#define ASN1_IMP_EX(stname, field, type, tag, ex) \ + ASN1_EX_TYPE(ASN1_TFLG_IMPLICIT | (ex), tag, stname, field, type) -# define ASN1_EXP_EX(stname, field, type, tag, ex) \ - ASN1_EX_TYPE(ASN1_TFLG_EXPLICIT | (ex), tag, stname, 
field, type) +#define ASN1_EXP_EX(stname, field, type, tag, ex) \ + ASN1_EX_TYPE(ASN1_TFLG_EXPLICIT | (ex), tag, stname, field, type) /* Any defined by macros: the field used is in the table itself */ -# define ASN1_ADB_OBJECT(tblname) { ASN1_TFLG_ADB_OID, -1, 0, #tblname, tblname##_adb } -# define ASN1_ADB_INTEGER(tblname) { ASN1_TFLG_ADB_INT, -1, 0, #tblname, tblname##_adb } +#define ASN1_ADB_OBJECT(tblname) { ASN1_TFLG_ADB_OID, -1, 0, #tblname, tblname##_adb } +#define ASN1_ADB_INTEGER(tblname) { ASN1_TFLG_ADB_INT, -1, 0, #tblname, tblname##_adb } /* Plain simple type */ -# define ASN1_SIMPLE(stname, field, type) ASN1_EX_TYPE(0,0, stname, field, type) +#define ASN1_SIMPLE(stname, field, type) ASN1_EX_TYPE(0, 0, stname, field, type) /* Embedded simple type */ -# define ASN1_EMBED(stname, field, type) ASN1_EX_TYPE(ASN1_TFLG_EMBED,0, stname, field, type) +#define ASN1_EMBED(stname, field, type) ASN1_EX_TYPE(ASN1_TFLG_EMBED, 0, stname, field, type) /* OPTIONAL simple type */ -# define ASN1_OPT(stname, field, type) ASN1_EX_TYPE(ASN1_TFLG_OPTIONAL, 0, stname, field, type) -# define ASN1_OPT_EMBED(stname, field, type) ASN1_EX_TYPE(ASN1_TFLG_OPTIONAL|ASN1_TFLG_EMBED, 0, stname, field, type) +#define ASN1_OPT(stname, field, type) ASN1_EX_TYPE(ASN1_TFLG_OPTIONAL, 0, stname, field, type) +#define ASN1_OPT_EMBED(stname, field, type) ASN1_EX_TYPE(ASN1_TFLG_OPTIONAL | ASN1_TFLG_EMBED, 0, stname, field, type) /* IMPLICIT tagged simple type */ -# define ASN1_IMP(stname, field, type, tag) ASN1_IMP_EX(stname, field, type, tag, 0) -# define ASN1_IMP_EMBED(stname, field, type, tag) ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_EMBED) +#define ASN1_IMP(stname, field, type, tag) ASN1_IMP_EX(stname, field, type, tag, 0) +#define ASN1_IMP_EMBED(stname, field, type, tag) ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_EMBED) /* IMPLICIT tagged OPTIONAL simple type */ -# define ASN1_IMP_OPT(stname, field, type, tag) ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL) -# define 
ASN1_IMP_OPT_EMBED(stname, field, type, tag) ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL|ASN1_TFLG_EMBED) +#define ASN1_IMP_OPT(stname, field, type, tag) ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL) +#define ASN1_IMP_OPT_EMBED(stname, field, type, tag) ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL | ASN1_TFLG_EMBED) /* Same as above but EXPLICIT */ -# define ASN1_EXP(stname, field, type, tag) ASN1_EXP_EX(stname, field, type, tag, 0) -# define ASN1_EXP_EMBED(stname, field, type, tag) ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_EMBED) -# define ASN1_EXP_OPT(stname, field, type, tag) ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL) -# define ASN1_EXP_OPT_EMBED(stname, field, type, tag) ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL|ASN1_TFLG_EMBED) +#define ASN1_EXP(stname, field, type, tag) ASN1_EXP_EX(stname, field, type, tag, 0) +#define ASN1_EXP_EMBED(stname, field, type, tag) ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_EMBED) +#define ASN1_EXP_OPT(stname, field, type, tag) ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL) +#define ASN1_EXP_OPT_EMBED(stname, field, type, tag) ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL | ASN1_TFLG_EMBED) /* SEQUENCE OF type */ -# define ASN1_SEQUENCE_OF(stname, field, type) \ - ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, stname, field, type) +#define ASN1_SEQUENCE_OF(stname, field, type) \ + ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, stname, field, type) /* OPTIONAL SEQUENCE OF */ -# define ASN1_SEQUENCE_OF_OPT(stname, field, type) \ - ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL, 0, stname, field, type) +#define ASN1_SEQUENCE_OF_OPT(stname, field, type) \ + ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL, 0, stname, field, type) /* Same as above but for SET OF */ -# define ASN1_SET_OF(stname, field, type) \ - ASN1_EX_TYPE(ASN1_TFLG_SET_OF, 0, stname, field, type) +#define ASN1_SET_OF(stname, field, type) \ + ASN1_EX_TYPE(ASN1_TFLG_SET_OF, 
0, stname, field, type) -# define ASN1_SET_OF_OPT(stname, field, type) \ - ASN1_EX_TYPE(ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL, 0, stname, field, type) +#define ASN1_SET_OF_OPT(stname, field, type) \ + ASN1_EX_TYPE(ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, 0, stname, field, type) /* Finally compound types of SEQUENCE, SET, IMPLICIT, EXPLICIT and OPTIONAL */ -# define ASN1_IMP_SET_OF(stname, field, type, tag) \ - ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF) +#define ASN1_IMP_SET_OF(stname, field, type, tag) \ + ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF) -# define ASN1_EXP_SET_OF(stname, field, type, tag) \ - ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF) +#define ASN1_EXP_SET_OF(stname, field, type, tag) \ + ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF) -# define ASN1_IMP_SET_OF_OPT(stname, field, type, tag) \ - ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL) +#define ASN1_IMP_SET_OF_OPT(stname, field, type, tag) \ + ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL) -# define ASN1_EXP_SET_OF_OPT(stname, field, type, tag) \ - ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL) +#define ASN1_EXP_SET_OF_OPT(stname, field, type, tag) \ + ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL) -# define ASN1_IMP_SEQUENCE_OF(stname, field, type, tag) \ - ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF) +#define ASN1_IMP_SEQUENCE_OF(stname, field, type, tag) \ + ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF) -# define ASN1_IMP_SEQUENCE_OF_OPT(stname, field, type, tag) \ - ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL) +#define ASN1_IMP_SEQUENCE_OF_OPT(stname, field, type, tag) \ + ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL) -# define ASN1_EXP_SEQUENCE_OF(stname, field, type, tag) \ - ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF) 
+#define ASN1_EXP_SEQUENCE_OF(stname, field, type, tag) \ + ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF) -# define ASN1_EXP_SEQUENCE_OF_OPT(stname, field, type, tag) \ - ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL) +#define ASN1_EXP_SEQUENCE_OF_OPT(stname, field, type, tag) \ + ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL) /* EXPLICIT using indefinite length constructed form */ -# define ASN1_NDEF_EXP(stname, field, type, tag) \ - ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_NDEF) +#define ASN1_NDEF_EXP(stname, field, type, tag) \ + ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_NDEF) /* EXPLICIT OPTIONAL using indefinite length constructed form */ -# define ASN1_NDEF_EXP_OPT(stname, field, type, tag) \ - ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL|ASN1_TFLG_NDEF) +#define ASN1_NDEF_EXP_OPT(stname, field, type, tag) \ + ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL | ASN1_TFLG_NDEF) /* Macros for the ASN1_ADB structure */ -# define ASN1_ADB(name) \ - static const ASN1_ADB_TABLE name##_adbtbl[] - -# define ASN1_ADB_END(name, flags, field, adb_cb, def, none) \ - ;\ - static const ASN1_ITEM *name##_adb(void) \ - { \ - static const ASN1_ADB internal_adb = \ - {\ - flags,\ - offsetof(name, field),\ - adb_cb,\ - name##_adbtbl,\ - sizeof(name##_adbtbl) / sizeof(ASN1_ADB_TABLE),\ - def,\ - none\ - }; \ - return (const ASN1_ITEM *) &internal_adb; \ - } \ - void dummy_function(void) - -# define ADB_ENTRY(val, template) {val, template} - -# define ASN1_ADB_TEMPLATE(name) \ - static const ASN1_TEMPLATE name##_tt +#define ASN1_ADB(name) \ + static const ASN1_ADB_TABLE name##_adbtbl[] + +#define ASN1_ADB_END(name, flags, field, adb_cb, def, none) \ + ; \ + static const ASN1_ITEM *name##_adb(void) \ + { \ + static const ASN1_ADB internal_adb = { \ + flags, \ + offsetof(name, field), \ + adb_cb, \ + name##_adbtbl, \ + sizeof(name##_adbtbl) / sizeof(ASN1_ADB_TABLE), \ 
+ def, \ + none \ + }; \ + return (const ASN1_ITEM *)&internal_adb; \ + } \ + void dummy_function(void) + +#define ADB_ENTRY(val, template) { val, template } + +#define ASN1_ADB_TEMPLATE(name) \ + static const ASN1_TEMPLATE name##_tt /* * This is the ASN1 template structure that defines a wrapper round the 
@@ -487,56 +476,56 @@ extern "C" { */ struct ASN1_TEMPLATE_st { - unsigned long flags; /* Various flags */ - long tag; /* tag, not used if no tagging */ - unsigned long offset; /* Offset of this field in structure */ - const char *field_name; /* Field name */ - ASN1_ITEM_EXP *item; /* Relevant ASN1_ITEM or ASN1_ADB */ + unsigned long flags; /* Various flags */ + long tag; /* tag, not used if no tagging */ + unsigned long offset; /* Offset of this field in structure */ + const char *field_name; /* Field name */ + ASN1_ITEM_EXP *item; /* Relevant ASN1_ITEM or ASN1_ADB */ }; /* Macro to extract ASN1_ITEM and ASN1_ADB pointer from ASN1_TEMPLATE */ -# define ASN1_TEMPLATE_item(t) (t->item_ptr) -# define ASN1_TEMPLATE_adb(t) (t->item_ptr) +#define ASN1_TEMPLATE_item(t) (t->item_ptr) +#define ASN1_TEMPLATE_adb(t) (t->item_ptr) typedef struct ASN1_ADB_TABLE_st ASN1_ADB_TABLE; typedef struct ASN1_ADB_st ASN1_ADB; struct ASN1_ADB_st { - unsigned long flags; /* Various flags */ - unsigned long offset; /* Offset of selector field */ - int (*adb_cb)(long *psel); /* Application callback */ - const ASN1_ADB_TABLE *tbl; /* Table of possible types */ - long tblcount; /* Number of entries in tbl */ + unsigned long flags; /* Various flags */ + unsigned long offset; /* Offset of selector field */ + int (*adb_cb)(long *psel); /* Application callback */ + const ASN1_ADB_TABLE *tbl; /* Table of possible types */ + long tblcount; /* Number of entries in tbl */ const ASN1_TEMPLATE *default_tt; /* Type to use if no match */ const ASN1_TEMPLATE *null_tt; /* Type to use if selector is NULL */ }; struct ASN1_ADB_TABLE_st { - long value; /* NID for an object or value for an int */ - const ASN1_TEMPLATE tt; /* item for this value */ + long value; /* NID for an object or value for an int */ + const ASN1_TEMPLATE tt; /* item for this value */ }; /* template flags */ /* Field is optional */ -# define ASN1_TFLG_OPTIONAL (0x1) +#define ASN1_TFLG_OPTIONAL (0x1) /* Field is a SET OF */ -# define 
ASN1_TFLG_SET_OF (0x1 << 1) +#define ASN1_TFLG_SET_OF (0x1 << 1) /* Field is a SEQUENCE OF */ -# define ASN1_TFLG_SEQUENCE_OF (0x2 << 1) +#define ASN1_TFLG_SEQUENCE_OF (0x2 << 1) /* * Special case: this refers to a SET OF that will be sorted into DER order * when encoded *and* the corresponding STACK will be modified to match the * new order. */ -# define ASN1_TFLG_SET_ORDER (0x3 << 1) +#define ASN1_TFLG_SET_ORDER (0x3 << 1) /* Mask for SET OF or SEQUENCE OF */ -# define ASN1_TFLG_SK_MASK (0x3 << 1) +#define ASN1_TFLG_SK_MASK (0x3 << 1) /* * These flags mean the tag should be taken from the tag field. If EXPLICIT @@ -544,18 +533,18 @@ struct ASN1_ADB_TABLE_st { */ /* IMPLICIT tagging */ -# define ASN1_TFLG_IMPTAG (0x1 << 3) +#define ASN1_TFLG_IMPTAG (0x1 << 3) /* EXPLICIT tagging, inner tag from underlying type */ -# define ASN1_TFLG_EXPTAG (0x2 << 3) +#define ASN1_TFLG_EXPTAG (0x2 << 3) -# define ASN1_TFLG_TAG_MASK (0x3 << 3) +#define ASN1_TFLG_TAG_MASK (0x3 << 3) /* context specific IMPLICIT */ -# define ASN1_TFLG_IMPLICIT (ASN1_TFLG_IMPTAG|ASN1_TFLG_CONTEXT) +#define ASN1_TFLG_IMPLICIT (ASN1_TFLG_IMPTAG | ASN1_TFLG_CONTEXT) /* context specific EXPLICIT */ -# define ASN1_TFLG_EXPLICIT (ASN1_TFLG_EXPTAG|ASN1_TFLG_CONTEXT) +#define ASN1_TFLG_EXPLICIT (ASN1_TFLG_EXPTAG | ASN1_TFLG_CONTEXT) /* * If tagging is in force these determine the type of tag to use. Otherwise @@ -564,15 +553,15 @@ struct ASN1_ADB_TABLE_st { */ /* Universal tag */ -# define ASN1_TFLG_UNIVERSAL (0x0<<6) +#define ASN1_TFLG_UNIVERSAL (0x0 << 6) /* Application tag */ -# define ASN1_TFLG_APPLICATION (0x1<<6) +#define ASN1_TFLG_APPLICATION (0x1 << 6) /* Context specific tag */ -# define ASN1_TFLG_CONTEXT (0x2<<6) +#define ASN1_TFLG_CONTEXT (0x2 << 6) /* Private tag */ -# define ASN1_TFLG_PRIVATE (0x3<<6) +#define ASN1_TFLG_PRIVATE (0x3 << 6) -# define ASN1_TFLG_TAG_CLASS (0x3<<6) +#define ASN1_TFLG_TAG_CLASS (0x3 << 6) /* * These are for ANY DEFINED BY type. In this case the 'item' field points to 
@@ -580,35 +569,35 @@ struct ASN1_ADB_TABLE_st { * relevant type */ -# define ASN1_TFLG_ADB_MASK (0x3<<8) +#define ASN1_TFLG_ADB_MASK (0x3 << 8) -# define ASN1_TFLG_ADB_OID (0x1<<8) +#define ASN1_TFLG_ADB_OID (0x1 << 8) -# define ASN1_TFLG_ADB_INT (0x1<<9) +#define ASN1_TFLG_ADB_INT (0x1 << 9) /* * This flag when present in a SEQUENCE OF, SET OF or EXPLICIT causes * indefinite length constructed encoding to be used if required. */ -# define ASN1_TFLG_NDEF (0x1<<11) +#define ASN1_TFLG_NDEF (0x1 << 11) /* Field is embedded and not a pointer */ -# define ASN1_TFLG_EMBED (0x1 << 12) +#define ASN1_TFLG_EMBED (0x1 << 12) /* This is the actual ASN1 item itself */ struct ASN1_ITEM_st { - char itype; /* The item type, primitive, SEQUENCE, CHOICE - * or extern */ - long utype; /* underlying type */ + char itype; /* The item type, primitive, SEQUENCE, CHOICE + * or extern */ + long utype; /* underlying type */ const ASN1_TEMPLATE *templates; /* If SEQUENCE or CHOICE this contains * the contents */ - long tcount; /* Number of templates if SEQUENCE or CHOICE */ - const void *funcs; /* further data and type-specific functions */ + long tcount; /* Number of templates if SEQUENCE or CHOICE */ + const void *funcs; /* further data and type-specific functions */ /* funcs can be ASN1_PRIMITIVE_FUNCS*, ASN1_EXTERN_FUNCS*, or ASN1_AUX* */ - long size; /* Structure size (usually) */ - const char *sname; /* Structure name */ + long size; /* Structure size (usually) */ + const char *sname; /* Structure name */ }; /* 
@@ -617,42 +606,42 @@ struct ASN1_ITEM_st { */ struct ASN1_TLC_st { - char valid; /* Values below are valid */ - int ret; /* return value */ - long plen; /* length */ - int ptag; /* class value */ - int pclass; /* class value */ - int hdrlen; /* header length */ + char valid; /* Values below are valid */ + int ret; /* return value */ + long plen; /* length */ + int ptag; /* class value */ + int pclass; /* class value */ + int hdrlen; /* header length */ }; /* Typedefs for ASN1 function pointers */ typedef int ASN1_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, - const ASN1_ITEM *it, int tag, int aclass, char opt, - ASN1_TLC *ctx); + const ASN1_ITEM *it, int tag, int aclass, char opt, + ASN1_TLC *ctx); typedef int ASN1_ex_d2i_ex(ASN1_VALUE **pval, const unsigned char **in, long len, - const ASN1_ITEM *it, int tag, int aclass, char opt, - ASN1_TLC *ctx, OSSL_LIB_CTX *libctx, - const char *propq); + const ASN1_ITEM *it, int tag, int aclass, char opt, + ASN1_TLC *ctx, OSSL_LIB_CTX *libctx, + const char *propq); typedef int ASN1_ex_i2d(const ASN1_VALUE **pval, unsigned char **out, - const ASN1_ITEM *it, int tag, int aclass); + const ASN1_ITEM *it, int tag, int aclass); typedef int ASN1_ex_new_func(ASN1_VALUE **pval, const ASN1_ITEM *it); typedef int ASN1_ex_new_ex_func(ASN1_VALUE **pval, const ASN1_ITEM *it, - OSSL_LIB_CTX *libctx, const char *propq); + OSSL_LIB_CTX *libctx, const char *propq); typedef void ASN1_ex_free_func(ASN1_VALUE **pval, const ASN1_ITEM *it); typedef int ASN1_ex_print_func(BIO *out, const ASN1_VALUE **pval, - int indent, const char *fname, - const ASN1_PCTX *pctx); + int indent, const char *fname, + const ASN1_PCTX *pctx); typedef int ASN1_primitive_i2c(const ASN1_VALUE **pval, unsigned char *cont, - int *putype, const ASN1_ITEM *it); + int *putype, const ASN1_ITEM *it); typedef int ASN1_primitive_c2i(ASN1_VALUE **pval, const unsigned char *cont, - int len, int utype, char *free_cont, - const ASN1_ITEM *it); + int len, int utype, 
char *free_cont, + const ASN1_ITEM *it); typedef int ASN1_primitive_print(BIO *out, const ASN1_VALUE **pval, - const ASN1_ITEM *it, int indent, - const ASN1_PCTX *pctx); + const ASN1_ITEM *it, int indent, + const ASN1_PCTX *pctx); typedef struct ASN1_EXTERN_FUNCS_st { void *app_data; @@ -695,17 +684,17 @@ typedef struct ASN1_PRIMITIVE_FUNCS_st { */ typedef int ASN1_aux_cb(int operation, ASN1_VALUE **in, const ASN1_ITEM *it, - void *exarg); + void *exarg); typedef int ASN1_aux_const_cb(int operation, const ASN1_VALUE **in, - const ASN1_ITEM *it, void *exarg); + const ASN1_ITEM *it, void *exarg); typedef struct ASN1_AUX_st { void *app_data; int flags; - int ref_offset; /* Offset of reference value */ - int ref_lock; /* Offset of lock value */ + int ref_offset; /* Offset of reference value */ + int ref_lock; /* Offset of lock value */ ASN1_aux_cb *asn1_cb; - int enc_offset; /* Offset of ASN1_ENCODING structure */ + int enc_offset; /* Offset of ASN1_ENCODING structure */ ASN1_aux_const_cb *asn1_const_cb; /* for ASN1_OP_I2D_ and ASN1_OP_PRINT_ */ } ASN1_AUX; 
@@ -729,143 +718,142 @@ typedef struct ASN1_STREAM_ARG_st { /* Flags in ASN1_AUX */ /* Use a reference count */ -# define ASN1_AFLG_REFCOUNT 1 +#define ASN1_AFLG_REFCOUNT 1 /* Save the encoding of structure (useful for signatures) */ -# define ASN1_AFLG_ENCODING 2 +#define ASN1_AFLG_ENCODING 2 /* The Sequence length is invalid */ -# define ASN1_AFLG_BROKEN 4 +#define ASN1_AFLG_BROKEN 4 /* Use the new asn1_const_cb */ -# define ASN1_AFLG_CONST_CB 8 +#define ASN1_AFLG_CONST_CB 8 /* operation values for asn1_cb */ -# define ASN1_OP_NEW_PRE 0 -# define ASN1_OP_NEW_POST 1 -# define ASN1_OP_FREE_PRE 2 -# define ASN1_OP_FREE_POST 3 -# define ASN1_OP_D2I_PRE 4 -# define ASN1_OP_D2I_POST 5 -# define ASN1_OP_I2D_PRE 6 -# define ASN1_OP_I2D_POST 7 -# define ASN1_OP_PRINT_PRE 8 -# define ASN1_OP_PRINT_POST 9 -# define ASN1_OP_STREAM_PRE 10 -# define ASN1_OP_STREAM_POST 11 -# define ASN1_OP_DETACHED_PRE 12 -# define ASN1_OP_DETACHED_POST 13 -# define ASN1_OP_DUP_PRE 14 -# define ASN1_OP_DUP_POST 15 -# define ASN1_OP_GET0_LIBCTX 16 -# define ASN1_OP_GET0_PROPQ 17 +#define ASN1_OP_NEW_PRE 0 +#define ASN1_OP_NEW_POST 1 +#define ASN1_OP_FREE_PRE 2 +#define ASN1_OP_FREE_POST 3 +#define ASN1_OP_D2I_PRE 4 +#define ASN1_OP_D2I_POST 5 +#define ASN1_OP_I2D_PRE 6 +#define ASN1_OP_I2D_POST 7 +#define ASN1_OP_PRINT_PRE 8 +#define ASN1_OP_PRINT_POST 9 +#define ASN1_OP_STREAM_PRE 10 +#define ASN1_OP_STREAM_POST 11 +#define ASN1_OP_DETACHED_PRE 12 +#define ASN1_OP_DETACHED_POST 13 +#define ASN1_OP_DUP_PRE 14 +#define ASN1_OP_DUP_POST 15 +#define ASN1_OP_GET0_LIBCTX 16 +#define ASN1_OP_GET0_PROPQ 17 /* Macro to implement a primitive type */ -# define IMPLEMENT_ASN1_TYPE(stname) IMPLEMENT_ASN1_TYPE_ex(stname, stname, 0) -# define IMPLEMENT_ASN1_TYPE_ex(itname, vname, ex) \ - ASN1_ITEM_start(itname) \ - ASN1_ITYPE_PRIMITIVE, V_##vname, NULL, 0, NULL, ex, #itname \ - ASN1_ITEM_end(itname) +#define IMPLEMENT_ASN1_TYPE(stname) IMPLEMENT_ASN1_TYPE_ex(stname, stname, 0) +#define 
IMPLEMENT_ASN1_TYPE_ex(itname, vname, ex) \ + ASN1_ITEM_start(itname) \ + ASN1_ITYPE_PRIMITIVE, \ + V_##vname, NULL, 0, NULL, ex, #itname ASN1_ITEM_end(itname) /* Macro to implement a multi string type */ -# define IMPLEMENT_ASN1_MSTRING(itname, mask) \ - ASN1_ITEM_start(itname) \ - ASN1_ITYPE_MSTRING, mask, NULL, 0, NULL, sizeof(ASN1_STRING), #itname \ - ASN1_ITEM_end(itname) - -# define IMPLEMENT_EXTERN_ASN1(sname, tag, fptrs) \ - ASN1_ITEM_start(sname) \ - ASN1_ITYPE_EXTERN, \ - tag, \ - NULL, \ - 0, \ - &fptrs, \ - 0, \ - #sname \ - ASN1_ITEM_end(sname) +#define IMPLEMENT_ASN1_MSTRING(itname, mask) \ + ASN1_ITEM_start(itname) \ + ASN1_ITYPE_MSTRING, \ + mask, NULL, 0, NULL, sizeof(ASN1_STRING), #itname ASN1_ITEM_end(itname) + +#define IMPLEMENT_EXTERN_ASN1(sname, tag, fptrs) \ + ASN1_ITEM_start(sname) \ + ASN1_ITYPE_EXTERN, \ + tag, \ + NULL, \ + 0, \ + &fptrs, \ + 0, \ + #sname ASN1_ITEM_end(sname) /* Macro to implement standard functions in terms of ASN1_ITEM structures */ -# define IMPLEMENT_ASN1_FUNCTIONS(stname) IMPLEMENT_ASN1_FUNCTIONS_fname(stname, stname, stname) - -# define IMPLEMENT_ASN1_FUNCTIONS_name(stname, itname) IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, itname) - -# define IMPLEMENT_ASN1_FUNCTIONS_ENCODE_name(stname, itname) \ - IMPLEMENT_ASN1_FUNCTIONS_ENCODE_fname(stname, itname, itname) - -# define IMPLEMENT_STATIC_ASN1_ALLOC_FUNCTIONS(stname) \ - IMPLEMENT_ASN1_ALLOC_FUNCTIONS_pfname(static, stname, stname, stname) - -# define IMPLEMENT_ASN1_ALLOC_FUNCTIONS(stname) \ - IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, stname, stname) - -# define IMPLEMENT_ASN1_ALLOC_FUNCTIONS_pfname(pre, stname, itname, fname) \ - pre stname *fname##_new(void) \ - { \ - return (stname *)ASN1_item_new(ASN1_ITEM_rptr(itname)); \ - } \ - pre void fname##_free(stname *a) \ - { \ - ASN1_item_free((ASN1_VALUE *)a, ASN1_ITEM_rptr(itname)); \ - } - -# define IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname) \ - stname *fname##_new(void) \ - { \ - return 
(stname *)ASN1_item_new(ASN1_ITEM_rptr(itname)); \
- } \
- void fname##_free(stname *a) \
- { \
- ASN1_item_free((ASN1_VALUE *)a, ASN1_ITEM_rptr(itname)); \
- }
-
-# define IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, fname) \
- IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) \
- IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname)
-
-# define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) \
- stname *d2i_##fname(stname **a, const unsigned char **in, long len) \
- { \
- return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, ASN1_ITEM_rptr(itname));\
- } \
- int i2d_##fname(const stname *a, unsigned char **out) \
- { \
- return ASN1_item_i2d((const ASN1_VALUE *)a, out, ASN1_ITEM_rptr(itname));\
- }
-
-# define IMPLEMENT_ASN1_NDEF_FUNCTION(stname) \
- int i2d_##stname##_NDEF(const stname *a, unsigned char **out) \
- { \
- return ASN1_item_ndef_i2d((const ASN1_VALUE *)a, out, ASN1_ITEM_rptr(stname));\
- }
-
-# define IMPLEMENT_STATIC_ASN1_ENCODE_FUNCTIONS(stname) \
- static stname *d2i_##stname(stname **a, \
- const unsigned char **in, long len) \
- { \
- return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, \
- ASN1_ITEM_rptr(stname)); \
- } \
- static int i2d_##stname(const stname *a, unsigned char **out) \
- { \
- return ASN1_item_i2d((const ASN1_VALUE *)a, out, \
- ASN1_ITEM_rptr(stname)); \
- }
-
-# define IMPLEMENT_ASN1_DUP_FUNCTION(stname) \
- stname * stname##_dup(const stname *x) \
- { \
+#define IMPLEMENT_ASN1_FUNCTIONS(stname) IMPLEMENT_ASN1_FUNCTIONS_fname(stname, stname, stname)
+
+#define IMPLEMENT_ASN1_FUNCTIONS_name(stname, itname) IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, itname)
+
+#define IMPLEMENT_ASN1_FUNCTIONS_ENCODE_name(stname, itname) \
+ IMPLEMENT_ASN1_FUNCTIONS_ENCODE_fname(stname, itname, itname)
+
+#define IMPLEMENT_STATIC_ASN1_ALLOC_FUNCTIONS(stname) \
+ IMPLEMENT_ASN1_ALLOC_FUNCTIONS_pfname(static, stname, stname, stname)
+
+#define IMPLEMENT_ASN1_ALLOC_FUNCTIONS(stname) \
+ 
IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, stname, stname) + +#define IMPLEMENT_ASN1_ALLOC_FUNCTIONS_pfname(pre, stname, itname, fname) \ + pre stname *fname##_new(void) \ + { \ + return (stname *)ASN1_item_new(ASN1_ITEM_rptr(itname)); \ + } \ + pre void fname##_free(stname *a) \ + { \ + ASN1_item_free((ASN1_VALUE *)a, ASN1_ITEM_rptr(itname)); \ + } + +#define IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname) \ + stname *fname##_new(void) \ + { \ + return (stname *)ASN1_item_new(ASN1_ITEM_rptr(itname)); \ + } \ + void fname##_free(stname *a) \ + { \ + ASN1_item_free((ASN1_VALUE *)a, ASN1_ITEM_rptr(itname)); \ + } + +#define IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, fname) \ + IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) \ + IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname) + +#define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) \ + stname *d2i_##fname(stname **a, const unsigned char **in, long len) \ + { \ + return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, ASN1_ITEM_rptr(itname)); \ + } \ + int i2d_##fname(const stname *a, unsigned char **out) \ + { \ + return ASN1_item_i2d((const ASN1_VALUE *)a, out, ASN1_ITEM_rptr(itname)); \ + } + +#define IMPLEMENT_ASN1_NDEF_FUNCTION(stname) \ + int i2d_##stname##_NDEF(const stname *a, unsigned char **out) \ + { \ + return ASN1_item_ndef_i2d((const ASN1_VALUE *)a, out, ASN1_ITEM_rptr(stname)); \ + } + +#define IMPLEMENT_STATIC_ASN1_ENCODE_FUNCTIONS(stname) \ + static stname *d2i_##stname(stname **a, \ + const unsigned char **in, long len) \ + { \ + return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, \ + ASN1_ITEM_rptr(stname)); \ + } \ + static int i2d_##stname(const stname *a, unsigned char **out) \ + { \ + return ASN1_item_i2d((const ASN1_VALUE *)a, out, \ + ASN1_ITEM_rptr(stname)); \ + } + +#define IMPLEMENT_ASN1_DUP_FUNCTION(stname) \ + stname *stname##_dup(const stname *x) \ + { \ return ASN1_item_dup(ASN1_ITEM_rptr(stname), x); \ - } + } -# define 
IMPLEMENT_ASN1_PRINT_FUNCTION(stname) \ - IMPLEMENT_ASN1_PRINT_FUNCTION_fname(stname, stname, stname) +#define IMPLEMENT_ASN1_PRINT_FUNCTION(stname) \ + IMPLEMENT_ASN1_PRINT_FUNCTION_fname(stname, stname, stname) -# define IMPLEMENT_ASN1_PRINT_FUNCTION_fname(stname, itname, fname) \ - int fname##_print_ctx(BIO *out, const stname *x, int indent, \ - const ASN1_PCTX *pctx) \ - { \ - return ASN1_item_print(out, (const ASN1_VALUE *)x, indent, \ - ASN1_ITEM_rptr(itname), pctx); \ - } +#define IMPLEMENT_ASN1_PRINT_FUNCTION_fname(stname, itname, fname) \ + int fname##_print_ctx(BIO *out, const stname *x, int indent, \ + const ASN1_PCTX *pctx) \ + { \ + return ASN1_item_print(out, (const ASN1_VALUE *)x, indent, \ + ASN1_ITEM_rptr(itname), pctx); \ + } /* external definitions for primitive types */ @@ -884,7 +872,7 @@ DECLARE_ASN1_ITEM(ZINT64) DECLARE_ASN1_ITEM(UINT64) DECLARE_ASN1_ITEM(ZUINT64) -# ifndef OPENSSL_NO_DEPRECATED_3_0 +#ifndef OPENSSL_NO_DEPRECATED_3_0 /* * LONG and ZLONG are strongly discouraged for use as stored data, as the * underlying C type (long) differs in size depending on the architecture. @@ -892,8 +880,9 @@ DECLARE_ASN1_ITEM(ZUINT64) */ DECLARE_ASN1_ITEM(LONG) DECLARE_ASN1_ITEM(ZLONG) -# endif +#endif +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(ASN1_VALUE, ASN1_VALUE, ASN1_VALUE) #define sk_ASN1_VALUE_num(sk) OPENSSL_sk_num(ossl_check_const_ASN1_VALUE_sk_type(sk)) #define sk_ASN1_VALUE_value(sk, idx) ((ASN1_VALUE *)OPENSSL_sk_value(ossl_check_const_ASN1_VALUE_sk_type(sk), (idx))) 
@@ -921,7 +910,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(ASN1_VALUE, ASN1_VALUE, ASN1_VALUE) #define sk_ASN1_VALUE_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(ASN1_VALUE) *)OPENSSL_sk_deep_copy(ossl_check_const_ASN1_VALUE_sk_type(sk), ossl_check_ASN1_VALUE_copyfunc_type(copyfunc), ossl_check_ASN1_VALUE_freefunc_type(freefunc))) #define sk_ASN1_VALUE_set_cmp_func(sk, cmp) ((sk_ASN1_VALUE_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_ASN1_VALUE_sk_type(sk), ossl_check_ASN1_VALUE_compfunc_type(cmp))) - +/* clang-format on */ /* Functions used internally by the ASN1 code */ @@ -929,18 +918,18 @@ int ASN1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it); void ASN1_item_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it); int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, - const ASN1_ITEM *it, int tag, int aclass, char opt, - ASN1_TLC *ctx); + const ASN1_ITEM *it, int tag, int aclass, char opt, + ASN1_TLC *ctx); int ASN1_item_ex_i2d(const ASN1_VALUE **pval, unsigned char **out, - const ASN1_ITEM *it, int tag, int aclass); + const ASN1_ITEM *it, int tag, int aclass); /* Legacy compatibility */ -# define IMPLEMENT_ASN1_FUNCTIONS_const(name) IMPLEMENT_ASN1_FUNCTIONS(name) -# define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(stname, itname, fname) \ - IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) +#define IMPLEMENT_ASN1_FUNCTIONS_const(name) IMPLEMENT_ASN1_FUNCTIONS(name) +#define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(stname, itname, fname) \ + IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) -#ifdef __cplusplus +#ifdef __cplusplus } #endif #endif diff --git a/crypto/openssl/include/openssl/bio.h b/crypto/openssl/include/openssl/bio.h index e02f867beb0e..f87990019926 100644 --- a/crypto/openssl/include/openssl/bio.h +++ b/crypto/openssl/include/openssl/bio.h 
@@ -9,154 +9,156 @@ * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ +/* clang-format off */ +/* clang-format on */ #ifndef OPENSSL_BIO_H -# define OPENSSL_BIO_H -# pragma once +#define OPENSSL_BIO_H +#pragma once -# include <openssl/macros.h> -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define HEADER_BIO_H -# endif +#include <openssl/macros.h> +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define HEADER_BIO_H +#endif -# include <openssl/e_os2.h> +#include <openssl/e_os2.h> -# ifndef OPENSSL_NO_STDIO -# include <stdio.h> -# endif -# include <stdarg.h> +#ifndef OPENSSL_NO_STDIO +#include <stdio.h> +#endif +#include <stdarg.h> -# include <openssl/crypto.h> -# include <openssl/bioerr.h> -# include <openssl/core.h> +#include <openssl/crypto.h> +#include <openssl/bioerr.h> +#include <openssl/core.h> -#ifdef __cplusplus +#ifdef __cplusplus extern "C" { #endif /* There are the classes of BIOs */ -# define BIO_TYPE_DESCRIPTOR 0x0100 /* socket, fd, connect or accept */ -# define BIO_TYPE_FILTER 0x0200 -# define BIO_TYPE_SOURCE_SINK 0x0400 +#define BIO_TYPE_DESCRIPTOR 0x0100 /* socket, fd, connect or accept */ +#define BIO_TYPE_FILTER 0x0200 +#define BIO_TYPE_SOURCE_SINK 0x0400 /* These are the 'types' of BIOs */ -# define BIO_TYPE_NONE 0 -# define BIO_TYPE_MEM ( 1|BIO_TYPE_SOURCE_SINK) -# define BIO_TYPE_FILE ( 2|BIO_TYPE_SOURCE_SINK) - -# define BIO_TYPE_FD ( 4|BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR) -# define BIO_TYPE_SOCKET ( 5|BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR) -# define BIO_TYPE_NULL ( 6|BIO_TYPE_SOURCE_SINK) -# define BIO_TYPE_SSL ( 7|BIO_TYPE_FILTER) -# define BIO_TYPE_MD ( 8|BIO_TYPE_FILTER) -# define BIO_TYPE_BUFFER ( 9|BIO_TYPE_FILTER) -# define BIO_TYPE_CIPHER (10|BIO_TYPE_FILTER) -# define BIO_TYPE_BASE64 (11|BIO_TYPE_FILTER) -# define BIO_TYPE_CONNECT (12|BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR) -# define BIO_TYPE_ACCEPT (13|BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR) - -# define BIO_TYPE_NBIO_TEST 
(16|BIO_TYPE_FILTER)/* server proxy BIO */ -# define BIO_TYPE_NULL_FILTER (17|BIO_TYPE_FILTER) -# define BIO_TYPE_BIO (19|BIO_TYPE_SOURCE_SINK)/* half a BIO pair */ -# define BIO_TYPE_LINEBUFFER (20|BIO_TYPE_FILTER) -# define BIO_TYPE_DGRAM (21|BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR) -# define BIO_TYPE_ASN1 (22|BIO_TYPE_FILTER) -# define BIO_TYPE_COMP (23|BIO_TYPE_FILTER) -# ifndef OPENSSL_NO_SCTP -# define BIO_TYPE_DGRAM_SCTP (24|BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR) -# endif -# define BIO_TYPE_CORE_TO_PROV (25|BIO_TYPE_SOURCE_SINK) -# define BIO_TYPE_DGRAM_PAIR (26|BIO_TYPE_SOURCE_SINK) -# define BIO_TYPE_DGRAM_MEM (27|BIO_TYPE_SOURCE_SINK) +#define BIO_TYPE_NONE 0 +#define BIO_TYPE_MEM (1 | BIO_TYPE_SOURCE_SINK) +#define BIO_TYPE_FILE (2 | BIO_TYPE_SOURCE_SINK) + +#define BIO_TYPE_FD (4 | BIO_TYPE_SOURCE_SINK | BIO_TYPE_DESCRIPTOR) +#define BIO_TYPE_SOCKET (5 | BIO_TYPE_SOURCE_SINK | BIO_TYPE_DESCRIPTOR) +#define BIO_TYPE_NULL (6 | BIO_TYPE_SOURCE_SINK) +#define BIO_TYPE_SSL (7 | BIO_TYPE_FILTER) +#define BIO_TYPE_MD (8 | BIO_TYPE_FILTER) +#define BIO_TYPE_BUFFER (9 | BIO_TYPE_FILTER) +#define BIO_TYPE_CIPHER (10 | BIO_TYPE_FILTER) +#define BIO_TYPE_BASE64 (11 | BIO_TYPE_FILTER) +#define BIO_TYPE_CONNECT (12 | BIO_TYPE_SOURCE_SINK | BIO_TYPE_DESCRIPTOR) +#define BIO_TYPE_ACCEPT (13 | BIO_TYPE_SOURCE_SINK | BIO_TYPE_DESCRIPTOR) + +#define BIO_TYPE_NBIO_TEST (16 | BIO_TYPE_FILTER) /* server proxy BIO */ +#define BIO_TYPE_NULL_FILTER (17 | BIO_TYPE_FILTER) +#define BIO_TYPE_BIO (19 | BIO_TYPE_SOURCE_SINK) /* half a BIO pair */ +#define BIO_TYPE_LINEBUFFER (20 | BIO_TYPE_FILTER) +#define BIO_TYPE_DGRAM (21 | BIO_TYPE_SOURCE_SINK | BIO_TYPE_DESCRIPTOR) +#define BIO_TYPE_ASN1 (22 | BIO_TYPE_FILTER) +#define BIO_TYPE_COMP (23 | BIO_TYPE_FILTER) +#ifndef OPENSSL_NO_SCTP +#define BIO_TYPE_DGRAM_SCTP (24 | BIO_TYPE_SOURCE_SINK | BIO_TYPE_DESCRIPTOR) +#endif +#define BIO_TYPE_CORE_TO_PROV (25 | BIO_TYPE_SOURCE_SINK) +#define BIO_TYPE_DGRAM_PAIR (26 | 
BIO_TYPE_SOURCE_SINK) +#define BIO_TYPE_DGRAM_MEM (27 | BIO_TYPE_SOURCE_SINK) /* Custom type starting index returned by BIO_get_new_index() */ -#define BIO_TYPE_START 128 +#define BIO_TYPE_START 128 /* Custom type maximum index that can be returned by BIO_get_new_index() */ -#define BIO_TYPE_MASK 0xFF +#define BIO_TYPE_MASK 0xFF /* * BIO_FILENAME_READ|BIO_CLOSE to open or close on free. * BIO_set_fp(in,stdin,BIO_NOCLOSE); */ -# define BIO_NOCLOSE 0x00 -# define BIO_CLOSE 0x01 +#define BIO_NOCLOSE 0x00 +#define BIO_CLOSE 0x01 /* * These are used in the following macros and are passed to BIO_ctrl() */ -# define BIO_CTRL_RESET 1/* opt - rewind/zero etc */ -# define BIO_CTRL_EOF 2/* opt - are we at the eof */ -# define BIO_CTRL_INFO 3/* opt - extra tit-bits */ -# define BIO_CTRL_SET 4/* man - set the 'IO' type */ -# define BIO_CTRL_GET 5/* man - get the 'IO' type */ -# define BIO_CTRL_PUSH 6/* opt - internal, used to signify change */ -# define BIO_CTRL_POP 7/* opt - internal, used to signify change */ -# define BIO_CTRL_GET_CLOSE 8/* man - set the 'close' on free */ -# define BIO_CTRL_SET_CLOSE 9/* man - set the 'close' on free */ -# define BIO_CTRL_PENDING 10/* opt - is their more data buffered */ -# define BIO_CTRL_FLUSH 11/* opt - 'flush' buffered output */ -# define BIO_CTRL_DUP 12/* man - extra stuff for 'duped' BIO */ -# define BIO_CTRL_WPENDING 13/* opt - number of bytes still to write */ -# define BIO_CTRL_SET_CALLBACK 14/* opt - set callback function */ -# define BIO_CTRL_GET_CALLBACK 15/* opt - set callback function */ - -# define BIO_CTRL_PEEK 29/* BIO_f_buffer special */ -# define BIO_CTRL_SET_FILENAME 30/* BIO_s_file special */ +#define BIO_CTRL_RESET 1 /* opt - rewind/zero etc */ +#define BIO_CTRL_EOF 2 /* opt - are we at the eof */ +#define BIO_CTRL_INFO 3 /* opt - extra tit-bits */ +#define BIO_CTRL_SET 4 /* man - set the 'IO' type */ +#define BIO_CTRL_GET 5 /* man - get the 'IO' type */ +#define BIO_CTRL_PUSH 6 /* opt - internal, used to signify 
change */ +#define BIO_CTRL_POP 7 /* opt - internal, used to signify change */ +#define BIO_CTRL_GET_CLOSE 8 /* man - set the 'close' on free */ +#define BIO_CTRL_SET_CLOSE 9 /* man - set the 'close' on free */ +#define BIO_CTRL_PENDING 10 /* opt - is their more data buffered */ +#define BIO_CTRL_FLUSH 11 /* opt - 'flush' buffered output */ +#define BIO_CTRL_DUP 12 /* man - extra stuff for 'duped' BIO */ +#define BIO_CTRL_WPENDING 13 /* opt - number of bytes still to write */ +#define BIO_CTRL_SET_CALLBACK 14 /* opt - set callback function */ +#define BIO_CTRL_GET_CALLBACK 15 /* opt - set callback function */ + +#define BIO_CTRL_PEEK 29 /* BIO_f_buffer special */ +#define BIO_CTRL_SET_FILENAME 30 /* BIO_s_file special */ /* dgram BIO stuff */ -# define BIO_CTRL_DGRAM_CONNECT 31/* BIO dgram special */ -# define BIO_CTRL_DGRAM_SET_CONNECTED 32/* allow for an externally connected +#define BIO_CTRL_DGRAM_CONNECT 31 /* BIO dgram special */ +#define BIO_CTRL_DGRAM_SET_CONNECTED 32 /* allow for an externally connected \ * socket to be passed in */ -# define BIO_CTRL_DGRAM_SET_RECV_TIMEOUT 33/* setsockopt, essentially */ -# define BIO_CTRL_DGRAM_GET_RECV_TIMEOUT 34/* getsockopt, essentially */ -# define BIO_CTRL_DGRAM_SET_SEND_TIMEOUT 35/* setsockopt, essentially */ -# define BIO_CTRL_DGRAM_GET_SEND_TIMEOUT 36/* getsockopt, essentially */ +#define BIO_CTRL_DGRAM_SET_RECV_TIMEOUT 33 /* setsockopt, essentially */ +#define BIO_CTRL_DGRAM_GET_RECV_TIMEOUT 34 /* getsockopt, essentially */ +#define BIO_CTRL_DGRAM_SET_SEND_TIMEOUT 35 /* setsockopt, essentially */ +#define BIO_CTRL_DGRAM_GET_SEND_TIMEOUT 36 /* getsockopt, essentially */ -# define BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP 37/* flag whether the last */ -# define BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP 38/* I/O operation timed out */ +#define BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP 37 /* flag whether the last */ +#define BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP 38 /* I/O operation timed out */ /* #ifdef IP_MTU_DISCOVER */ -# define 
BIO_CTRL_DGRAM_MTU_DISCOVER 39/* set DF bit on egress packets */ +#define BIO_CTRL_DGRAM_MTU_DISCOVER 39 /* set DF bit on egress packets */ /* #endif */ -# define BIO_CTRL_DGRAM_QUERY_MTU 40/* as kernel for current MTU */ -# define BIO_CTRL_DGRAM_GET_FALLBACK_MTU 47 -# define BIO_CTRL_DGRAM_GET_MTU 41/* get cached value for MTU */ -# define BIO_CTRL_DGRAM_SET_MTU 42/* set cached value for MTU. - * want to use this if asking - * the kernel fails */ +#define BIO_CTRL_DGRAM_QUERY_MTU 40 /* as kernel for current MTU */ +#define BIO_CTRL_DGRAM_GET_FALLBACK_MTU 47 +#define BIO_CTRL_DGRAM_GET_MTU 41 /* get cached value for MTU */ +#define BIO_CTRL_DGRAM_SET_MTU 42 /* set cached value for MTU. \ + * want to use this if asking \ + * the kernel fails */ -# define BIO_CTRL_DGRAM_MTU_EXCEEDED 43/* check whether the MTU was - * exceed in the previous write - * operation */ +#define BIO_CTRL_DGRAM_MTU_EXCEEDED 43 /* check whether the MTU was \ + * exceed in the previous write \ + * operation */ -# define BIO_CTRL_DGRAM_GET_PEER 46 -# define BIO_CTRL_DGRAM_SET_PEER 44/* Destination for the data */ +#define BIO_CTRL_DGRAM_GET_PEER 46 +#define BIO_CTRL_DGRAM_SET_PEER 44 /* Destination for the data */ -# define BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT 45/* Next DTLS handshake timeout - * to adjust socket timeouts */ -# define BIO_CTRL_DGRAM_SET_DONT_FRAG 48 +#define BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT 45 /* Next DTLS handshake timeout \ + * to adjust socket timeouts */ +#define BIO_CTRL_DGRAM_SET_DONT_FRAG 48 -# define BIO_CTRL_DGRAM_GET_MTU_OVERHEAD 49 +#define BIO_CTRL_DGRAM_GET_MTU_OVERHEAD 49 /* Deliberately outside of OPENSSL_NO_SCTP - used in bss_dgram.c */ -# define BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE 50 -# ifndef OPENSSL_NO_SCTP +#define BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE 50 +#ifndef OPENSSL_NO_SCTP /* SCTP stuff */ -# define BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY 51 -# define BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY 52 -# define BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD 53 -# define 
BIO_CTRL_DGRAM_SCTP_GET_SNDINFO 60 -# define BIO_CTRL_DGRAM_SCTP_SET_SNDINFO 61 -# define BIO_CTRL_DGRAM_SCTP_GET_RCVINFO 62 -# define BIO_CTRL_DGRAM_SCTP_SET_RCVINFO 63 -# define BIO_CTRL_DGRAM_SCTP_GET_PRINFO 64 -# define BIO_CTRL_DGRAM_SCTP_SET_PRINFO 65 -# define BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN 70 -# endif - -# define BIO_CTRL_DGRAM_SET_PEEK_MODE 71 +#define BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY 51 +#define BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY 52 +#define BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD 53 +#define BIO_CTRL_DGRAM_SCTP_GET_SNDINFO 60 +#define BIO_CTRL_DGRAM_SCTP_SET_SNDINFO 61 +#define BIO_CTRL_DGRAM_SCTP_GET_RCVINFO 62 +#define BIO_CTRL_DGRAM_SCTP_SET_RCVINFO 63 +#define BIO_CTRL_DGRAM_SCTP_GET_PRINFO 64 +#define BIO_CTRL_DGRAM_SCTP_SET_PRINFO 65 +#define BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN 70 +#endif + +#define BIO_CTRL_DGRAM_SET_PEEK_MODE 71 /* * internal BIO: 
@@ -165,78 +167,78 @@ extern "C" { * # define BIO_CTRL_CLEAR_KTLS_CTRL_MSG 75 */ -# define BIO_CTRL_GET_KTLS_SEND 73 -# define BIO_CTRL_GET_KTLS_RECV 76 +#define BIO_CTRL_GET_KTLS_SEND 73 +#define BIO_CTRL_GET_KTLS_RECV 76 -# define BIO_CTRL_DGRAM_SCTP_WAIT_FOR_DRY 77 -# define BIO_CTRL_DGRAM_SCTP_MSG_WAITING 78 +#define BIO_CTRL_DGRAM_SCTP_WAIT_FOR_DRY 77 +#define BIO_CTRL_DGRAM_SCTP_MSG_WAITING 78 /* BIO_f_prefix controls */ -# define BIO_CTRL_SET_PREFIX 79 -# define BIO_CTRL_SET_INDENT 80 -# define BIO_CTRL_GET_INDENT 81 - -# define BIO_CTRL_DGRAM_GET_LOCAL_ADDR_CAP 82 -# define BIO_CTRL_DGRAM_GET_LOCAL_ADDR_ENABLE 83 -# define BIO_CTRL_DGRAM_SET_LOCAL_ADDR_ENABLE 84 -# define BIO_CTRL_DGRAM_GET_EFFECTIVE_CAPS 85 -# define BIO_CTRL_DGRAM_GET_CAPS 86 -# define BIO_CTRL_DGRAM_SET_CAPS 87 -# define BIO_CTRL_DGRAM_GET_NO_TRUNC 88 -# define BIO_CTRL_DGRAM_SET_NO_TRUNC 89 +#define BIO_CTRL_SET_PREFIX 79 +#define BIO_CTRL_SET_INDENT 80 +#define BIO_CTRL_GET_INDENT 81 + +#define BIO_CTRL_DGRAM_GET_LOCAL_ADDR_CAP 82 +#define BIO_CTRL_DGRAM_GET_LOCAL_ADDR_ENABLE 83 +#define BIO_CTRL_DGRAM_SET_LOCAL_ADDR_ENABLE 84 +#define BIO_CTRL_DGRAM_GET_EFFECTIVE_CAPS 85 +#define BIO_CTRL_DGRAM_GET_CAPS 86 +#define BIO_CTRL_DGRAM_SET_CAPS 87 +#define BIO_CTRL_DGRAM_GET_NO_TRUNC 88 +#define BIO_CTRL_DGRAM_SET_NO_TRUNC 89 /* * internal BIO: * # define BIO_CTRL_SET_KTLS_TX_ZEROCOPY_SENDFILE 90 */ -# define BIO_CTRL_GET_RPOLL_DESCRIPTOR 91 -# define BIO_CTRL_GET_WPOLL_DESCRIPTOR 92 -# define BIO_CTRL_DGRAM_DETECT_PEER_ADDR 93 -# define BIO_CTRL_DGRAM_SET0_LOCAL_ADDR 94 - -# define BIO_DGRAM_CAP_NONE 0U -# define BIO_DGRAM_CAP_HANDLES_SRC_ADDR (1U << 0) -# define BIO_DGRAM_CAP_HANDLES_DST_ADDR (1U << 1) -# define BIO_DGRAM_CAP_PROVIDES_SRC_ADDR (1U << 2) -# define BIO_DGRAM_CAP_PROVIDES_DST_ADDR (1U << 3) - -# ifndef OPENSSL_NO_KTLS -# define BIO_get_ktls_send(b) \ - (BIO_ctrl(b, BIO_CTRL_GET_KTLS_SEND, 0, NULL) > 0) -# define BIO_get_ktls_recv(b) \ - (BIO_ctrl(b, BIO_CTRL_GET_KTLS_RECV, 
0, NULL) > 0) -# else -# define BIO_get_ktls_send(b) (0) -# define BIO_get_ktls_recv(b) (0) -# endif +#define BIO_CTRL_GET_RPOLL_DESCRIPTOR 91 +#define BIO_CTRL_GET_WPOLL_DESCRIPTOR 92 +#define BIO_CTRL_DGRAM_DETECT_PEER_ADDR 93 +#define BIO_CTRL_DGRAM_SET0_LOCAL_ADDR 94 + +#define BIO_DGRAM_CAP_NONE 0U +#define BIO_DGRAM_CAP_HANDLES_SRC_ADDR (1U << 0) +#define BIO_DGRAM_CAP_HANDLES_DST_ADDR (1U << 1) +#define BIO_DGRAM_CAP_PROVIDES_SRC_ADDR (1U << 2) +#define BIO_DGRAM_CAP_PROVIDES_DST_ADDR (1U << 3) + +#ifndef OPENSSL_NO_KTLS +#define BIO_get_ktls_send(b) \ + (BIO_ctrl(b, BIO_CTRL_GET_KTLS_SEND, 0, NULL) > 0) +#define BIO_get_ktls_recv(b) \ + (BIO_ctrl(b, BIO_CTRL_GET_KTLS_RECV, 0, NULL) > 0) +#else +#define BIO_get_ktls_send(b) (0) +#define BIO_get_ktls_recv(b) (0) +#endif /* modifiers */ -# define BIO_FP_READ 0x02 -# define BIO_FP_WRITE 0x04 -# define BIO_FP_APPEND 0x08 -# define BIO_FP_TEXT 0x10 - -# define BIO_FLAGS_READ 0x01 -# define BIO_FLAGS_WRITE 0x02 -# define BIO_FLAGS_IO_SPECIAL 0x04 -# define BIO_FLAGS_RWS (BIO_FLAGS_READ|BIO_FLAGS_WRITE|BIO_FLAGS_IO_SPECIAL) -# define BIO_FLAGS_SHOULD_RETRY 0x08 -# ifndef OPENSSL_NO_DEPRECATED_3_0 +#define BIO_FP_READ 0x02 +#define BIO_FP_WRITE 0x04 +#define BIO_FP_APPEND 0x08 +#define BIO_FP_TEXT 0x10 + +#define BIO_FLAGS_READ 0x01 +#define BIO_FLAGS_WRITE 0x02 +#define BIO_FLAGS_IO_SPECIAL 0x04 +#define BIO_FLAGS_RWS (BIO_FLAGS_READ | BIO_FLAGS_WRITE | BIO_FLAGS_IO_SPECIAL) +#define BIO_FLAGS_SHOULD_RETRY 0x08 +#ifndef OPENSSL_NO_DEPRECATED_3_0 /* This #define was replaced by an internal constant and should not be used. */ -# define BIO_FLAGS_UPLINK 0 -# endif +#define BIO_FLAGS_UPLINK 0 +#endif -# define BIO_FLAGS_BASE64_NO_NL 0x100 +#define BIO_FLAGS_BASE64_NO_NL 0x100 /* * This is used with memory BIOs: * BIO_FLAGS_MEM_RDONLY means we shouldn't free up or change the data in any way; * BIO_FLAGS_NONCLEAR_RST means we shouldn't clear data on reset. 
*/ -# define BIO_FLAGS_MEM_RDONLY 0x200 -# define BIO_FLAGS_NONCLEAR_RST 0x400 -# define BIO_FLAGS_IN_EOF 0x800 +#define BIO_FLAGS_MEM_RDONLY 0x200 +#define BIO_FLAGS_NONCLEAR_RST 0x400 +#define BIO_FLAGS_IN_EOF 0x800 /* the BIO FLAGS values 0x1000 to 0x8000 are reserved for internal KTLS flags */ 
@@ -248,26 +250,26 @@ void BIO_set_flags(BIO *b, int flags); int BIO_test_flags(const BIO *b, int flags); void BIO_clear_flags(BIO *b, int flags); -# define BIO_get_flags(b) BIO_test_flags(b, ~(0x0)) -# define BIO_set_retry_special(b) \ - BIO_set_flags(b, (BIO_FLAGS_IO_SPECIAL|BIO_FLAGS_SHOULD_RETRY)) -# define BIO_set_retry_read(b) \ - BIO_set_flags(b, (BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY)) -# define BIO_set_retry_write(b) \ - BIO_set_flags(b, (BIO_FLAGS_WRITE|BIO_FLAGS_SHOULD_RETRY)) +#define BIO_get_flags(b) BIO_test_flags(b, ~(0x0)) +#define BIO_set_retry_special(b) \ + BIO_set_flags(b, (BIO_FLAGS_IO_SPECIAL | BIO_FLAGS_SHOULD_RETRY)) +#define BIO_set_retry_read(b) \ + BIO_set_flags(b, (BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY)) +#define BIO_set_retry_write(b) \ + BIO_set_flags(b, (BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY)) /* These are normally used internally in BIOs */ -# define BIO_clear_retry_flags(b) \ - BIO_clear_flags(b, (BIO_FLAGS_RWS|BIO_FLAGS_SHOULD_RETRY)) -# define BIO_get_retry_flags(b) \ - BIO_test_flags(b, (BIO_FLAGS_RWS|BIO_FLAGS_SHOULD_RETRY)) +#define BIO_clear_retry_flags(b) \ + BIO_clear_flags(b, (BIO_FLAGS_RWS | BIO_FLAGS_SHOULD_RETRY)) +#define BIO_get_retry_flags(b) \ + BIO_test_flags(b, (BIO_FLAGS_RWS | BIO_FLAGS_SHOULD_RETRY)) /* These should be used by the application to tell why we should retry */ -# define BIO_should_read(a) BIO_test_flags(a, BIO_FLAGS_READ) -# define BIO_should_write(a) BIO_test_flags(a, BIO_FLAGS_WRITE) -# define BIO_should_io_special(a) BIO_test_flags(a, BIO_FLAGS_IO_SPECIAL) -# define BIO_retry_type(a) BIO_test_flags(a, BIO_FLAGS_RWS) -# define BIO_should_retry(a) BIO_test_flags(a, BIO_FLAGS_SHOULD_RETRY) +#define BIO_should_read(a) BIO_test_flags(a, BIO_FLAGS_READ) +#define BIO_should_write(a) BIO_test_flags(a, BIO_FLAGS_WRITE) +#define BIO_should_io_special(a) BIO_test_flags(a, BIO_FLAGS_IO_SPECIAL) +#define BIO_retry_type(a) BIO_test_flags(a, BIO_FLAGS_RWS) +#define BIO_should_retry(a) BIO_test_flags(a, 
BIO_FLAGS_SHOULD_RETRY) /* * The next three are used in conjunction with the BIO_should_io_special() 
@@ -279,48 +281,48 @@ void BIO_clear_flags(BIO *b, int flags); /* * Returned from the SSL bio when the certificate retrieval code had an error */ -# define BIO_RR_SSL_X509_LOOKUP 0x01 +#define BIO_RR_SSL_X509_LOOKUP 0x01 /* Returned from the connect BIO when a connect would have blocked */ -# define BIO_RR_CONNECT 0x02 +#define BIO_RR_CONNECT 0x02 /* Returned from the accept BIO when an accept would have blocked */ -# define BIO_RR_ACCEPT 0x03 +#define BIO_RR_ACCEPT 0x03 /* These are passed by the BIO callback */ -# define BIO_CB_FREE 0x01 -# define BIO_CB_READ 0x02 -# define BIO_CB_WRITE 0x03 -# define BIO_CB_PUTS 0x04 -# define BIO_CB_GETS 0x05 -# define BIO_CB_CTRL 0x06 -# define BIO_CB_RECVMMSG 0x07 -# define BIO_CB_SENDMMSG 0x08 +#define BIO_CB_FREE 0x01 +#define BIO_CB_READ 0x02 +#define BIO_CB_WRITE 0x03 +#define BIO_CB_PUTS 0x04 +#define BIO_CB_GETS 0x05 +#define BIO_CB_CTRL 0x06 +#define BIO_CB_RECVMMSG 0x07 +#define BIO_CB_SENDMMSG 0x08 /* * The callback is called before and after the underling operation, The * BIO_CB_RETURN flag indicates if it is after the call */ -# define BIO_CB_RETURN 0x80 -# define BIO_CB_return(a) ((a)|BIO_CB_RETURN) -# define BIO_cb_pre(a) (!((a)&BIO_CB_RETURN)) -# define BIO_cb_post(a) ((a)&BIO_CB_RETURN) +#define BIO_CB_RETURN 0x80 +#define BIO_CB_return(a) ((a) | BIO_CB_RETURN) +#define BIO_cb_pre(a) (!((a) & BIO_CB_RETURN)) +#define BIO_cb_post(a) ((a) & BIO_CB_RETURN) -# ifndef OPENSSL_NO_DEPRECATED_3_0 +#ifndef OPENSSL_NO_DEPRECATED_3_0 typedef long (*BIO_callback_fn)(BIO *b, int oper, const char *argp, int argi, - long argl, long ret); + long argl, long ret); OSSL_DEPRECATEDIN_3_0 BIO_callback_fn BIO_get_callback(const BIO *b); OSSL_DEPRECATEDIN_3_0 void BIO_set_callback(BIO *b, BIO_callback_fn callback); OSSL_DEPRECATEDIN_3_0 long BIO_debug_callback(BIO *bio, int cmd, - const char *argp, int argi, - long argl, long ret); -# endif + const char *argp, int argi, + long argl, long ret); +#endif typedef long 
(*BIO_callback_fn_ex)(BIO *b, int oper, const char *argp, - size_t len, int argi, - long argl, int ret, size_t *processed); + size_t len, int argi, + long argl, int ret, size_t *processed); BIO_callback_fn_ex BIO_get_callback_ex(const BIO *b); void BIO_set_callback_ex(BIO *b, BIO_callback_fn_ex callback); long BIO_debug_callback_ex(BIO *bio, int oper, const char *argp, size_t len, - int argi, long argl, int ret, size_t *processed); + int argi, long argl, int ret, size_t *processed); char *BIO_get_callback_arg(const BIO *b); void BIO_set_callback_arg(BIO *b, char *arg); @@ -331,8 +333,9 @@ const char *BIO_method_name(const BIO *b); int BIO_method_type(const BIO *b); typedef int BIO_info_cb(BIO *, int, int); -typedef BIO_info_cb bio_info_cb; /* backward compatibility */ +typedef BIO_info_cb bio_info_cb; /* backward compatibility */ +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(BIO, BIO, BIO) #define sk_BIO_num(sk) OPENSSL_sk_num(ossl_check_const_BIO_sk_type(sk)) #define sk_BIO_value(sk, idx) ((BIO *)OPENSSL_sk_value(ossl_check_const_BIO_sk_type(sk), (idx))) 
@@ -360,16 +363,16 @@ SKM_DEFINE_STACK_OF_INTERNAL(BIO, BIO, BIO) #define sk_BIO_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(BIO) *)OPENSSL_sk_deep_copy(ossl_check_const_BIO_sk_type(sk), ossl_check_BIO_copyfunc_type(copyfunc), ossl_check_BIO_freefunc_type(freefunc))) #define sk_BIO_set_cmp_func(sk, cmp) ((sk_BIO_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_BIO_sk_type(sk), ossl_check_BIO_compfunc_type(cmp))) - +/* clang-format on */ /* Prefix and suffix callback in ASN1 BIO */ -typedef int asn1_ps_func (BIO *b, unsigned char **pbuf, int *plen, - void *parg); +typedef int asn1_ps_func(BIO *b, unsigned char **pbuf, int *plen, + void *parg); -typedef void (*BIO_dgram_sctp_notification_handler_fn) (BIO *b, - void *context, - void *buf); -# ifndef OPENSSL_NO_SCTP +typedef void (*BIO_dgram_sctp_notification_handler_fn)(BIO *b, + void *context, + void *buf); +#ifndef OPENSSL_NO_SCTP /* SCTP parameter structs */ struct bio_dgram_sctp_sndinfo { uint16_t snd_sid; @@ -392,7 +395,7 @@ struct bio_dgram_sctp_prinfo { uint16_t pr_policy; uint32_t pr_value; }; -# endif +#endif /* BIO_sendmmsg/BIO_recvmmsg-related definitions */ typedef struct bio_msg_st { 
@@ -403,24 +406,24 @@ typedef struct bio_msg_st { } BIO_MSG; typedef struct bio_mmsg_cb_args_st { - BIO_MSG *msg; - size_t stride, num_msg; - uint64_t flags; - size_t *msgs_processed; + BIO_MSG *msg; + size_t stride, num_msg; + uint64_t flags; + size_t *msgs_processed; } BIO_MMSG_CB_ARGS; -#define BIO_POLL_DESCRIPTOR_TYPE_NONE 0 -#define BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD 1 -#define BIO_POLL_DESCRIPTOR_TYPE_SSL 2 -#define BIO_POLL_DESCRIPTOR_CUSTOM_START 8192 +#define BIO_POLL_DESCRIPTOR_TYPE_NONE 0 +#define BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD 1 +#define BIO_POLL_DESCRIPTOR_TYPE_SSL 2 +#define BIO_POLL_DESCRIPTOR_CUSTOM_START 8192 typedef struct bio_poll_descriptor_st { uint32_t type; union { - int fd; - void *custom; - uintptr_t custom_ui; - SSL *ssl; + int fd; + void *custom; + uintptr_t custom_ui; + SSL *ssl; } value; } BIO_POLL_DESCRIPTOR; 
@@ -428,167 +431,167 @@ typedef struct bio_poll_descriptor_st { * #define BIO_CONN_get_param_hostname BIO_ctrl */ -# define BIO_C_SET_CONNECT 100 -# define BIO_C_DO_STATE_MACHINE 101 -# define BIO_C_SET_NBIO 102 +#define BIO_C_SET_CONNECT 100 +#define BIO_C_DO_STATE_MACHINE 101 +#define BIO_C_SET_NBIO 102 /* # define BIO_C_SET_PROXY_PARAM 103 */ -# define BIO_C_SET_FD 104 -# define BIO_C_GET_FD 105 -# define BIO_C_SET_FILE_PTR 106 -# define BIO_C_GET_FILE_PTR 107 -# define BIO_C_SET_FILENAME 108 -# define BIO_C_SET_SSL 109 -# define BIO_C_GET_SSL 110 -# define BIO_C_SET_MD 111 -# define BIO_C_GET_MD 112 -# define BIO_C_GET_CIPHER_STATUS 113 -# define BIO_C_SET_BUF_MEM 114 -# define BIO_C_GET_BUF_MEM_PTR 115 -# define BIO_C_GET_BUFF_NUM_LINES 116 -# define BIO_C_SET_BUFF_SIZE 117 -# define BIO_C_SET_ACCEPT 118 -# define BIO_C_SSL_MODE 119 -# define BIO_C_GET_MD_CTX 120 +#define BIO_C_SET_FD 104 +#define BIO_C_GET_FD 105 +#define BIO_C_SET_FILE_PTR 106 +#define BIO_C_GET_FILE_PTR 107 +#define BIO_C_SET_FILENAME 108 +#define BIO_C_SET_SSL 109 +#define BIO_C_GET_SSL 110 +#define BIO_C_SET_MD 111 +#define BIO_C_GET_MD 112 +#define BIO_C_GET_CIPHER_STATUS 113 +#define BIO_C_SET_BUF_MEM 114 +#define BIO_C_GET_BUF_MEM_PTR 115 +#define BIO_C_GET_BUFF_NUM_LINES 116 +#define BIO_C_SET_BUFF_SIZE 117 +#define BIO_C_SET_ACCEPT 118 +#define BIO_C_SSL_MODE 119 +#define BIO_C_GET_MD_CTX 120 /* # define BIO_C_GET_PROXY_PARAM 121 */ -# define BIO_C_SET_BUFF_READ_DATA 122/* data to read first */ -# define BIO_C_GET_CONNECT 123 -# define BIO_C_GET_ACCEPT 124 -# define BIO_C_SET_SSL_RENEGOTIATE_BYTES 125 -# define BIO_C_GET_SSL_NUM_RENEGOTIATES 126 -# define BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT 127 -# define BIO_C_FILE_SEEK 128 -# define BIO_C_GET_CIPHER_CTX 129 -# define BIO_C_SET_BUF_MEM_EOF_RETURN 130/* return end of input - * value */ -# define BIO_C_SET_BIND_MODE 131 -# define BIO_C_GET_BIND_MODE 132 -# define BIO_C_FILE_TELL 133 -# define BIO_C_GET_SOCKS 134 -# define BIO_C_SET_SOCKS 
135 - -# define BIO_C_SET_WRITE_BUF_SIZE 136/* for BIO_s_bio */ -# define BIO_C_GET_WRITE_BUF_SIZE 137 -# define BIO_C_MAKE_BIO_PAIR 138 -# define BIO_C_DESTROY_BIO_PAIR 139 -# define BIO_C_GET_WRITE_GUARANTEE 140 -# define BIO_C_GET_READ_REQUEST 141 -# define BIO_C_SHUTDOWN_WR 142 -# define BIO_C_NREAD0 143 -# define BIO_C_NREAD 144 -# define BIO_C_NWRITE0 145 -# define BIO_C_NWRITE 146 -# define BIO_C_RESET_READ_REQUEST 147 -# define BIO_C_SET_MD_CTX 148 - -# define BIO_C_SET_PREFIX 149 -# define BIO_C_GET_PREFIX 150 -# define BIO_C_SET_SUFFIX 151 -# define BIO_C_GET_SUFFIX 152 - -# define BIO_C_SET_EX_ARG 153 -# define BIO_C_GET_EX_ARG 154 - -# define BIO_C_SET_CONNECT_MODE 155 - -# define BIO_C_SET_TFO 156 /* like BIO_C_SET_NBIO */ - -# define BIO_C_SET_SOCK_TYPE 157 -# define BIO_C_GET_SOCK_TYPE 158 -# define BIO_C_GET_DGRAM_BIO 159 - -# define BIO_set_app_data(s,arg) BIO_set_ex_data(s,0,arg) -# define BIO_get_app_data(s) BIO_get_ex_data(s,0) - -# define BIO_set_nbio(b,n) BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL) -# define BIO_set_tfo(b,n) BIO_ctrl(b,BIO_C_SET_TFO,(n),NULL) - -# ifndef OPENSSL_NO_SOCK +#define BIO_C_SET_BUFF_READ_DATA 122 /* data to read first */ +#define BIO_C_GET_CONNECT 123 +#define BIO_C_GET_ACCEPT 124 +#define BIO_C_SET_SSL_RENEGOTIATE_BYTES 125 +#define BIO_C_GET_SSL_NUM_RENEGOTIATES 126 +#define BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT 127 +#define BIO_C_FILE_SEEK 128 +#define BIO_C_GET_CIPHER_CTX 129 +#define BIO_C_SET_BUF_MEM_EOF_RETURN 130 /* return end of input \ + * value */ +#define BIO_C_SET_BIND_MODE 131 +#define BIO_C_GET_BIND_MODE 132 +#define BIO_C_FILE_TELL 133 +#define BIO_C_GET_SOCKS 134 +#define BIO_C_SET_SOCKS 135 + +#define BIO_C_SET_WRITE_BUF_SIZE 136 /* for BIO_s_bio */ +#define BIO_C_GET_WRITE_BUF_SIZE 137 +#define BIO_C_MAKE_BIO_PAIR 138 +#define BIO_C_DESTROY_BIO_PAIR 139 +#define BIO_C_GET_WRITE_GUARANTEE 140 +#define BIO_C_GET_READ_REQUEST 141 +#define BIO_C_SHUTDOWN_WR 142 +#define BIO_C_NREAD0 143 +#define BIO_C_NREAD 144 
+#define BIO_C_NWRITE0 145 +#define BIO_C_NWRITE 146 +#define BIO_C_RESET_READ_REQUEST 147 +#define BIO_C_SET_MD_CTX 148 + +#define BIO_C_SET_PREFIX 149 +#define BIO_C_GET_PREFIX 150 +#define BIO_C_SET_SUFFIX 151 +#define BIO_C_GET_SUFFIX 152 + +#define BIO_C_SET_EX_ARG 153 +#define BIO_C_GET_EX_ARG 154 + +#define BIO_C_SET_CONNECT_MODE 155 + +#define BIO_C_SET_TFO 156 /* like BIO_C_SET_NBIO */ + +#define BIO_C_SET_SOCK_TYPE 157 +#define BIO_C_GET_SOCK_TYPE 158 +#define BIO_C_GET_DGRAM_BIO 159 + +#define BIO_set_app_data(s, arg) BIO_set_ex_data(s, 0, arg) +#define BIO_get_app_data(s) BIO_get_ex_data(s, 0) + +#define BIO_set_nbio(b, n) BIO_ctrl(b, BIO_C_SET_NBIO, (n), NULL) +#define BIO_set_tfo(b, n) BIO_ctrl(b, BIO_C_SET_TFO, (n), NULL) + +#ifndef OPENSSL_NO_SOCK /* IP families we support, for BIO_s_connect() and BIO_s_accept() */ /* Note: the underlying operating system may not support some of them */ -# define BIO_FAMILY_IPV4 4 -# define BIO_FAMILY_IPV6 6 -# define BIO_FAMILY_IPANY 256 +#define BIO_FAMILY_IPV4 4 +#define BIO_FAMILY_IPV6 6 +#define BIO_FAMILY_IPANY 256 /* BIO_s_connect() */ -# define BIO_set_conn_hostname(b,name) BIO_ctrl(b,BIO_C_SET_CONNECT,0, \ - (char *)(name)) -# define BIO_set_conn_port(b,port) BIO_ctrl(b,BIO_C_SET_CONNECT,1, \ - (char *)(port)) -# define BIO_set_conn_address(b,addr) BIO_ctrl(b,BIO_C_SET_CONNECT,2, \ - (char *)(addr)) -# define BIO_set_conn_ip_family(b,f) BIO_int_ctrl(b,BIO_C_SET_CONNECT,3,f) -# define BIO_get_conn_hostname(b) ((const char *)BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0)) -# define BIO_get_conn_port(b) ((const char *)BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1)) -# define BIO_get_conn_address(b) ((const BIO_ADDR *)BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2)) -# define BIO_get_conn_ip_family(b) BIO_ctrl(b,BIO_C_GET_CONNECT,3,NULL) -# define BIO_get_conn_mode(b) BIO_ctrl(b,BIO_C_GET_CONNECT,4,NULL) -# define BIO_set_conn_mode(b,n) BIO_ctrl(b,BIO_C_SET_CONNECT_MODE,(n),NULL) -# define BIO_set_sock_type(b,t) 
BIO_ctrl(b,BIO_C_SET_SOCK_TYPE,(t),NULL) -# define BIO_get_sock_type(b) BIO_ctrl(b,BIO_C_GET_SOCK_TYPE,0,NULL) -# define BIO_get0_dgram_bio(b, p) BIO_ctrl(b,BIO_C_GET_DGRAM_BIO,0,(void *)(BIO **)(p)) +#define BIO_set_conn_hostname(b, name) BIO_ctrl(b, BIO_C_SET_CONNECT, 0, \ + (char *)(name)) +#define BIO_set_conn_port(b, port) BIO_ctrl(b, BIO_C_SET_CONNECT, 1, \ + (char *)(port)) +#define BIO_set_conn_address(b, addr) BIO_ctrl(b, BIO_C_SET_CONNECT, 2, \ + (char *)(addr)) +#define BIO_set_conn_ip_family(b, f) BIO_int_ctrl(b, BIO_C_SET_CONNECT, 3, f) +#define BIO_get_conn_hostname(b) ((const char *)BIO_ptr_ctrl(b, BIO_C_GET_CONNECT, 0)) +#define BIO_get_conn_port(b) ((const char *)BIO_ptr_ctrl(b, BIO_C_GET_CONNECT, 1)) +#define BIO_get_conn_address(b) ((const BIO_ADDR *)BIO_ptr_ctrl(b, BIO_C_GET_CONNECT, 2)) +#define BIO_get_conn_ip_family(b) BIO_ctrl(b, BIO_C_GET_CONNECT, 3, NULL) +#define BIO_get_conn_mode(b) BIO_ctrl(b, BIO_C_GET_CONNECT, 4, NULL) +#define BIO_set_conn_mode(b, n) BIO_ctrl(b, BIO_C_SET_CONNECT_MODE, (n), NULL) +#define BIO_set_sock_type(b, t) BIO_ctrl(b, BIO_C_SET_SOCK_TYPE, (t), NULL) +#define BIO_get_sock_type(b) BIO_ctrl(b, BIO_C_GET_SOCK_TYPE, 0, NULL) +#define BIO_get0_dgram_bio(b, p) BIO_ctrl(b, BIO_C_GET_DGRAM_BIO, 0, (void *)(BIO **)(p)) /* BIO_s_accept() */ -# define BIO_set_accept_name(b,name) BIO_ctrl(b,BIO_C_SET_ACCEPT,0, \ - (char *)(name)) -# define BIO_set_accept_port(b,port) BIO_ctrl(b,BIO_C_SET_ACCEPT,1, \ - (char *)(port)) -# define BIO_get_accept_name(b) ((const char *)BIO_ptr_ctrl(b,BIO_C_GET_ACCEPT,0)) -# define BIO_get_accept_port(b) ((const char *)BIO_ptr_ctrl(b,BIO_C_GET_ACCEPT,1)) -# define BIO_get_peer_name(b) ((const char *)BIO_ptr_ctrl(b,BIO_C_GET_ACCEPT,2)) -# define BIO_get_peer_port(b) ((const char *)BIO_ptr_ctrl(b,BIO_C_GET_ACCEPT,3)) +#define BIO_set_accept_name(b, name) BIO_ctrl(b, BIO_C_SET_ACCEPT, 0, \ + (char *)(name)) +#define BIO_set_accept_port(b, port) BIO_ctrl(b, BIO_C_SET_ACCEPT, 1, \ + (char *)(port)) 
+#define BIO_get_accept_name(b) ((const char *)BIO_ptr_ctrl(b, BIO_C_GET_ACCEPT, 0)) +#define BIO_get_accept_port(b) ((const char *)BIO_ptr_ctrl(b, BIO_C_GET_ACCEPT, 1)) +#define BIO_get_peer_name(b) ((const char *)BIO_ptr_ctrl(b, BIO_C_GET_ACCEPT, 2)) +#define BIO_get_peer_port(b) ((const char *)BIO_ptr_ctrl(b, BIO_C_GET_ACCEPT, 3)) /* #define BIO_set_nbio(b,n) BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL) */ -# define BIO_set_nbio_accept(b,n) BIO_ctrl(b,BIO_C_SET_ACCEPT,2,(n)?(void *)"a":NULL) -# define BIO_set_accept_bios(b,bio) BIO_ctrl(b,BIO_C_SET_ACCEPT,3, \ - (char *)(bio)) -# define BIO_set_accept_ip_family(b,f) BIO_int_ctrl(b,BIO_C_SET_ACCEPT,4,f) -# define BIO_get_accept_ip_family(b) BIO_ctrl(b,BIO_C_GET_ACCEPT,4,NULL) -# define BIO_set_tfo_accept(b,n) BIO_ctrl(b,BIO_C_SET_ACCEPT,5,(n)?(void *)"a":NULL) +#define BIO_set_nbio_accept(b, n) BIO_ctrl(b, BIO_C_SET_ACCEPT, 2, (n) ? (void *)"a" : NULL) +#define BIO_set_accept_bios(b, bio) BIO_ctrl(b, BIO_C_SET_ACCEPT, 3, \ + (char *)(bio)) +#define BIO_set_accept_ip_family(b, f) BIO_int_ctrl(b, BIO_C_SET_ACCEPT, 4, f) +#define BIO_get_accept_ip_family(b) BIO_ctrl(b, BIO_C_GET_ACCEPT, 4, NULL) +#define BIO_set_tfo_accept(b, n) BIO_ctrl(b, BIO_C_SET_ACCEPT, 5, (n) ? 
(void *)"a" : NULL) /* Aliases kept for backward compatibility */ -# define BIO_BIND_NORMAL 0 -# define BIO_BIND_REUSEADDR BIO_SOCK_REUSEADDR -# define BIO_BIND_REUSEADDR_IF_UNUSED BIO_SOCK_REUSEADDR -# define BIO_set_bind_mode(b,mode) BIO_ctrl(b,BIO_C_SET_BIND_MODE,mode,NULL) -# define BIO_get_bind_mode(b) BIO_ctrl(b,BIO_C_GET_BIND_MODE,0,NULL) -# endif /* OPENSSL_NO_SOCK */ +#define BIO_BIND_NORMAL 0 +#define BIO_BIND_REUSEADDR BIO_SOCK_REUSEADDR +#define BIO_BIND_REUSEADDR_IF_UNUSED BIO_SOCK_REUSEADDR +#define BIO_set_bind_mode(b, mode) BIO_ctrl(b, BIO_C_SET_BIND_MODE, mode, NULL) +#define BIO_get_bind_mode(b) BIO_ctrl(b, BIO_C_GET_BIND_MODE, 0, NULL) +#endif /* OPENSSL_NO_SOCK */ -# define BIO_do_connect(b) BIO_do_handshake(b) -# define BIO_do_accept(b) BIO_do_handshake(b) +#define BIO_do_connect(b) BIO_do_handshake(b) +#define BIO_do_accept(b) BIO_do_handshake(b) -# define BIO_do_handshake(b) BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL) +#define BIO_do_handshake(b) BIO_ctrl(b, BIO_C_DO_STATE_MACHINE, 0, NULL) /* BIO_s_datagram(), BIO_s_fd(), BIO_s_socket(), BIO_s_accept() and BIO_s_connect() */ -# define BIO_set_fd(b,fd,c) BIO_int_ctrl(b,BIO_C_SET_FD,c,fd) -# define BIO_get_fd(b,c) BIO_ctrl(b,BIO_C_GET_FD,0,(char *)(c)) +#define BIO_set_fd(b, fd, c) BIO_int_ctrl(b, BIO_C_SET_FD, c, fd) +#define BIO_get_fd(b, c) BIO_ctrl(b, BIO_C_GET_FD, 0, (char *)(c)) /* BIO_s_file() */ -# define BIO_set_fp(b,fp,c) BIO_ctrl(b,BIO_C_SET_FILE_PTR,c,(char *)(fp)) -# define BIO_get_fp(b,fpp) BIO_ctrl(b,BIO_C_GET_FILE_PTR,0,(char *)(fpp)) +#define BIO_set_fp(b, fp, c) BIO_ctrl(b, BIO_C_SET_FILE_PTR, c, (char *)(fp)) +#define BIO_get_fp(b, fpp) BIO_ctrl(b, BIO_C_GET_FILE_PTR, 0, (char *)(fpp)) /* BIO_s_fd() and BIO_s_file() */ -# define BIO_seek(b,ofs) (int)BIO_ctrl(b,BIO_C_FILE_SEEK,ofs,NULL) -# define BIO_tell(b) (int)BIO_ctrl(b,BIO_C_FILE_TELL,0,NULL) +#define BIO_seek(b, ofs) (int)BIO_ctrl(b, BIO_C_FILE_SEEK, ofs, NULL) +#define BIO_tell(b) (int)BIO_ctrl(b, BIO_C_FILE_TELL, 0, 
NULL) /* * name is cast to lose const, but might be better to route through a * function so we can do it safely */ -# ifdef CONST_STRICT +#ifdef CONST_STRICT /* * If you are wondering why this isn't defined, its because CONST_STRICT is * purely a compile-time kludge to allow const to be checked. */ int BIO_read_filename(BIO *b, const char *name); -# else -# define BIO_read_filename(b,name) (int)BIO_ctrl(b,BIO_C_SET_FILENAME, \ - BIO_CLOSE|BIO_FP_READ,(char *)(name)) -# endif -# define BIO_write_filename(b,name) (int)BIO_ctrl(b,BIO_C_SET_FILENAME, \ - BIO_CLOSE|BIO_FP_WRITE,name) -# define BIO_append_filename(b,name) (int)BIO_ctrl(b,BIO_C_SET_FILENAME, \ - BIO_CLOSE|BIO_FP_APPEND,name) -# define BIO_rw_filename(b,name) (int)BIO_ctrl(b,BIO_C_SET_FILENAME, \ - BIO_CLOSE|BIO_FP_READ|BIO_FP_WRITE,name) +#else +#define BIO_read_filename(b, name) (int)BIO_ctrl(b, BIO_C_SET_FILENAME, \ + BIO_CLOSE | BIO_FP_READ, (char *)(name)) +#endif +#define BIO_write_filename(b, name) (int)BIO_ctrl(b, BIO_C_SET_FILENAME, \ + BIO_CLOSE | BIO_FP_WRITE, name) +#define BIO_append_filename(b, name) (int)BIO_ctrl(b, BIO_C_SET_FILENAME, \ + BIO_CLOSE | BIO_FP_APPEND, name) +#define BIO_rw_filename(b, name) (int)BIO_ctrl(b, BIO_C_SET_FILENAME, \ + BIO_CLOSE | BIO_FP_READ | BIO_FP_WRITE, name) /* * WARNING WARNING, this ups the reference count on the read bio of the SSL 
@@ -596,111 +599,111 @@ int BIO_read_filename(BIO *b, const char *name); * next_bio field in the bio. So when you free the BIO, make sure you are * doing a BIO_free_all() to catch the underlying BIO. */ -# define BIO_set_ssl(b,ssl,c) BIO_ctrl(b,BIO_C_SET_SSL,c,(char *)(ssl)) -# define BIO_get_ssl(b,sslp) BIO_ctrl(b,BIO_C_GET_SSL,0,(char *)(sslp)) -# define BIO_set_ssl_mode(b,client) BIO_ctrl(b,BIO_C_SSL_MODE,client,NULL) -# define BIO_set_ssl_renegotiate_bytes(b,num) \ - BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_BYTES,num,NULL) -# define BIO_get_num_renegotiates(b) \ - BIO_ctrl(b,BIO_C_GET_SSL_NUM_RENEGOTIATES,0,NULL) -# define BIO_set_ssl_renegotiate_timeout(b,seconds) \ - BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT,seconds,NULL) +#define BIO_set_ssl(b, ssl, c) BIO_ctrl(b, BIO_C_SET_SSL, c, (char *)(ssl)) +#define BIO_get_ssl(b, sslp) BIO_ctrl(b, BIO_C_GET_SSL, 0, (char *)(sslp)) +#define BIO_set_ssl_mode(b, client) BIO_ctrl(b, BIO_C_SSL_MODE, client, NULL) +#define BIO_set_ssl_renegotiate_bytes(b, num) \ + BIO_ctrl(b, BIO_C_SET_SSL_RENEGOTIATE_BYTES, num, NULL) +#define BIO_get_num_renegotiates(b) \ + BIO_ctrl(b, BIO_C_GET_SSL_NUM_RENEGOTIATES, 0, NULL) +#define BIO_set_ssl_renegotiate_timeout(b, seconds) \ + BIO_ctrl(b, BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT, seconds, NULL) /* defined in evp.h */ /* #define BIO_set_md(b,md) BIO_ctrl(b,BIO_C_SET_MD,1,(char *)(md)) */ -# define BIO_get_mem_data(b,pp) BIO_ctrl(b,BIO_CTRL_INFO,0,(char *)(pp)) -# define BIO_set_mem_buf(b,bm,c) BIO_ctrl(b,BIO_C_SET_BUF_MEM,c,(char *)(bm)) -# define BIO_get_mem_ptr(b,pp) BIO_ctrl(b,BIO_C_GET_BUF_MEM_PTR,0, \ - (char *)(pp)) -# define BIO_set_mem_eof_return(b,v) \ - BIO_ctrl(b,BIO_C_SET_BUF_MEM_EOF_RETURN,v,NULL) +#define BIO_get_mem_data(b, pp) BIO_ctrl(b, BIO_CTRL_INFO, 0, (char *)(pp)) +#define BIO_set_mem_buf(b, bm, c) BIO_ctrl(b, BIO_C_SET_BUF_MEM, c, (char *)(bm)) +#define BIO_get_mem_ptr(b, pp) BIO_ctrl(b, BIO_C_GET_BUF_MEM_PTR, 0, \ + (char *)(pp)) +#define BIO_set_mem_eof_return(b, v) \ 
+ BIO_ctrl(b, BIO_C_SET_BUF_MEM_EOF_RETURN, v, NULL) /* For the BIO_f_buffer() type */ -# define BIO_get_buffer_num_lines(b) BIO_ctrl(b,BIO_C_GET_BUFF_NUM_LINES,0,NULL) -# define BIO_set_buffer_size(b,size) BIO_ctrl(b,BIO_C_SET_BUFF_SIZE,size,NULL) -# define BIO_set_read_buffer_size(b,size) BIO_int_ctrl(b,BIO_C_SET_BUFF_SIZE,size,0) -# define BIO_set_write_buffer_size(b,size) BIO_int_ctrl(b,BIO_C_SET_BUFF_SIZE,size,1) -# define BIO_set_buffer_read_data(b,buf,num) BIO_ctrl(b,BIO_C_SET_BUFF_READ_DATA,num,buf) +#define BIO_get_buffer_num_lines(b) BIO_ctrl(b, BIO_C_GET_BUFF_NUM_LINES, 0, NULL) +#define BIO_set_buffer_size(b, size) BIO_ctrl(b, BIO_C_SET_BUFF_SIZE, size, NULL) +#define BIO_set_read_buffer_size(b, size) BIO_int_ctrl(b, BIO_C_SET_BUFF_SIZE, size, 0) +#define BIO_set_write_buffer_size(b, size) BIO_int_ctrl(b, BIO_C_SET_BUFF_SIZE, size, 1) +#define BIO_set_buffer_read_data(b, buf, num) BIO_ctrl(b, BIO_C_SET_BUFF_READ_DATA, num, buf) /* Don't use the next one unless you know what you are doing :-) */ -# define BIO_dup_state(b,ret) BIO_ctrl(b,BIO_CTRL_DUP,0,(char *)(ret)) - -# define BIO_reset(b) (int)BIO_ctrl(b,BIO_CTRL_RESET,0,NULL) -# define BIO_eof(b) (int)BIO_ctrl(b,BIO_CTRL_EOF,0,NULL) -# define BIO_set_close(b,c) (int)BIO_ctrl(b,BIO_CTRL_SET_CLOSE,(c),NULL) -# define BIO_get_close(b) (int)BIO_ctrl(b,BIO_CTRL_GET_CLOSE,0,NULL) -# define BIO_pending(b) (int)BIO_ctrl(b,BIO_CTRL_PENDING,0,NULL) -# define BIO_wpending(b) (int)BIO_ctrl(b,BIO_CTRL_WPENDING,0,NULL) +#define BIO_dup_state(b, ret) BIO_ctrl(b, BIO_CTRL_DUP, 0, (char *)(ret)) + +#define BIO_reset(b) (int)BIO_ctrl(b, BIO_CTRL_RESET, 0, NULL) +#define BIO_eof(b) (int)BIO_ctrl(b, BIO_CTRL_EOF, 0, NULL) +#define BIO_set_close(b, c) (int)BIO_ctrl(b, BIO_CTRL_SET_CLOSE, (c), NULL) +#define BIO_get_close(b) (int)BIO_ctrl(b, BIO_CTRL_GET_CLOSE, 0, NULL) +#define BIO_pending(b) (int)BIO_ctrl(b, BIO_CTRL_PENDING, 0, NULL) +#define BIO_wpending(b) (int)BIO_ctrl(b, BIO_CTRL_WPENDING, 0, NULL) /* ...pending 
macros have inappropriate return type */ size_t BIO_ctrl_pending(BIO *b); size_t BIO_ctrl_wpending(BIO *b); -# define BIO_flush(b) (int)BIO_ctrl(b,BIO_CTRL_FLUSH,0,NULL) -# define BIO_get_info_callback(b,cbp) (int)BIO_ctrl(b,BIO_CTRL_GET_CALLBACK,0, \ - cbp) -# define BIO_set_info_callback(b,cb) (int)BIO_callback_ctrl(b,BIO_CTRL_SET_CALLBACK,cb) +#define BIO_flush(b) (int)BIO_ctrl(b, BIO_CTRL_FLUSH, 0, NULL) +#define BIO_get_info_callback(b, cbp) (int)BIO_ctrl(b, BIO_CTRL_GET_CALLBACK, 0, \ + cbp) +#define BIO_set_info_callback(b, cb) (int)BIO_callback_ctrl(b, BIO_CTRL_SET_CALLBACK, cb) /* For the BIO_f_buffer() type */ -# define BIO_buffer_get_num_lines(b) BIO_ctrl(b,BIO_CTRL_GET,0,NULL) -# define BIO_buffer_peek(b,s,l) BIO_ctrl(b,BIO_CTRL_PEEK,(l),(s)) +#define BIO_buffer_get_num_lines(b) BIO_ctrl(b, BIO_CTRL_GET, 0, NULL) +#define BIO_buffer_peek(b, s, l) BIO_ctrl(b, BIO_CTRL_PEEK, (l), (s)) /* For BIO_s_bio() */ -# define BIO_set_write_buf_size(b,size) (int)BIO_ctrl(b,BIO_C_SET_WRITE_BUF_SIZE,size,NULL) -# define BIO_get_write_buf_size(b,size) (size_t)BIO_ctrl(b,BIO_C_GET_WRITE_BUF_SIZE,size,NULL) -# define BIO_make_bio_pair(b1,b2) (int)BIO_ctrl(b1,BIO_C_MAKE_BIO_PAIR,0,b2) -# define BIO_destroy_bio_pair(b) (int)BIO_ctrl(b,BIO_C_DESTROY_BIO_PAIR,0,NULL) -# define BIO_shutdown_wr(b) (int)BIO_ctrl(b, BIO_C_SHUTDOWN_WR, 0, NULL) +#define BIO_set_write_buf_size(b, size) (int)BIO_ctrl(b, BIO_C_SET_WRITE_BUF_SIZE, size, NULL) +#define BIO_get_write_buf_size(b, size) (size_t)BIO_ctrl(b, BIO_C_GET_WRITE_BUF_SIZE, size, NULL) +#define BIO_make_bio_pair(b1, b2) (int)BIO_ctrl(b1, BIO_C_MAKE_BIO_PAIR, 0, b2) +#define BIO_destroy_bio_pair(b) (int)BIO_ctrl(b, BIO_C_DESTROY_BIO_PAIR, 0, NULL) +#define BIO_shutdown_wr(b) (int)BIO_ctrl(b, BIO_C_SHUTDOWN_WR, 0, NULL) /* macros with inappropriate type -- but ...pending macros use int too: */ -# define BIO_get_write_guarantee(b) (int)BIO_ctrl(b,BIO_C_GET_WRITE_GUARANTEE,0,NULL) -# define BIO_get_read_request(b) 
(int)BIO_ctrl(b,BIO_C_GET_READ_REQUEST,0,NULL) +#define BIO_get_write_guarantee(b) (int)BIO_ctrl(b, BIO_C_GET_WRITE_GUARANTEE, 0, NULL) +#define BIO_get_read_request(b) (int)BIO_ctrl(b, BIO_C_GET_READ_REQUEST, 0, NULL) size_t BIO_ctrl_get_write_guarantee(BIO *b); size_t BIO_ctrl_get_read_request(BIO *b); int BIO_ctrl_reset_read_request(BIO *b); /* ctrl macros for dgram */ -# define BIO_ctrl_dgram_connect(b,peer) \ - (int)BIO_ctrl(b,BIO_CTRL_DGRAM_CONNECT,0, (char *)(peer)) -# define BIO_ctrl_set_connected(b,peer) \ - (int)BIO_ctrl(b, BIO_CTRL_DGRAM_SET_CONNECTED, 0, (char *)(peer)) -# define BIO_dgram_recv_timedout(b) \ - (int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP, 0, NULL) -# define BIO_dgram_send_timedout(b) \ - (int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP, 0, NULL) -# define BIO_dgram_get_peer(b,peer) \ - (int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_PEER, 0, (char *)(peer)) -# define BIO_dgram_set_peer(b,peer) \ - (int)BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, (char *)(peer)) -# define BIO_dgram_detect_peer_addr(b,peer) \ - (int)BIO_ctrl(b, BIO_CTRL_DGRAM_DETECT_PEER_ADDR, 0, (char *)(peer)) -# define BIO_dgram_get_mtu_overhead(b) \ - (unsigned int)BIO_ctrl((b), BIO_CTRL_DGRAM_GET_MTU_OVERHEAD, 0, NULL) -# define BIO_dgram_get_local_addr_cap(b) \ - (int)BIO_ctrl((b), BIO_CTRL_DGRAM_GET_LOCAL_ADDR_CAP, 0, NULL) -# define BIO_dgram_get_local_addr_enable(b, penable) \ - (int)BIO_ctrl((b), BIO_CTRL_DGRAM_GET_LOCAL_ADDR_ENABLE, 0, (char *)(penable)) -# define BIO_dgram_set_local_addr_enable(b, enable) \ - (int)BIO_ctrl((b), BIO_CTRL_DGRAM_SET_LOCAL_ADDR_ENABLE, (enable), NULL) -# define BIO_dgram_get_effective_caps(b) \ - (uint32_t)BIO_ctrl((b), BIO_CTRL_DGRAM_GET_EFFECTIVE_CAPS, 0, NULL) -# define BIO_dgram_get_caps(b) \ - (uint32_t)BIO_ctrl((b), BIO_CTRL_DGRAM_GET_CAPS, 0, NULL) -# define BIO_dgram_set_caps(b, caps) \ - (int)BIO_ctrl((b), BIO_CTRL_DGRAM_SET_CAPS, (long)(caps), NULL) -# define BIO_dgram_get_no_trunc(b) \ - (unsigned int)BIO_ctrl((b), 
BIO_CTRL_DGRAM_GET_NO_TRUNC, 0, NULL) -# define BIO_dgram_set_no_trunc(b, enable) \ - (int)BIO_ctrl((b), BIO_CTRL_DGRAM_SET_NO_TRUNC, (enable), NULL) -# define BIO_dgram_get_mtu(b) \ - (unsigned int)BIO_ctrl((b), BIO_CTRL_DGRAM_GET_MTU, 0, NULL) -# define BIO_dgram_set_mtu(b, mtu) \ - (int)BIO_ctrl((b), BIO_CTRL_DGRAM_SET_MTU, (mtu), NULL) -# define BIO_dgram_set0_local_addr(b, addr) \ - (int)BIO_ctrl((b), BIO_CTRL_DGRAM_SET0_LOCAL_ADDR, 0, (addr)) +#define BIO_ctrl_dgram_connect(b, peer) \ + (int)BIO_ctrl(b, BIO_CTRL_DGRAM_CONNECT, 0, (char *)(peer)) +#define BIO_ctrl_set_connected(b, peer) \ + (int)BIO_ctrl(b, BIO_CTRL_DGRAM_SET_CONNECTED, 0, (char *)(peer)) +#define BIO_dgram_recv_timedout(b) \ + (int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP, 0, NULL) +#define BIO_dgram_send_timedout(b) \ + (int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP, 0, NULL) +#define BIO_dgram_get_peer(b, peer) \ + (int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_PEER, 0, (char *)(peer)) +#define BIO_dgram_set_peer(b, peer) \ + (int)BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, (char *)(peer)) +#define BIO_dgram_detect_peer_addr(b, peer) \ + (int)BIO_ctrl(b, BIO_CTRL_DGRAM_DETECT_PEER_ADDR, 0, (char *)(peer)) +#define BIO_dgram_get_mtu_overhead(b) \ + (unsigned int)BIO_ctrl((b), BIO_CTRL_DGRAM_GET_MTU_OVERHEAD, 0, NULL) +#define BIO_dgram_get_local_addr_cap(b) \ + (int)BIO_ctrl((b), BIO_CTRL_DGRAM_GET_LOCAL_ADDR_CAP, 0, NULL) +#define BIO_dgram_get_local_addr_enable(b, penable) \ + (int)BIO_ctrl((b), BIO_CTRL_DGRAM_GET_LOCAL_ADDR_ENABLE, 0, (char *)(penable)) +#define BIO_dgram_set_local_addr_enable(b, enable) \ + (int)BIO_ctrl((b), BIO_CTRL_DGRAM_SET_LOCAL_ADDR_ENABLE, (enable), NULL) +#define BIO_dgram_get_effective_caps(b) \ + (uint32_t)BIO_ctrl((b), BIO_CTRL_DGRAM_GET_EFFECTIVE_CAPS, 0, NULL) +#define BIO_dgram_get_caps(b) \ + (uint32_t)BIO_ctrl((b), BIO_CTRL_DGRAM_GET_CAPS, 0, NULL) +#define BIO_dgram_set_caps(b, caps) \ + (int)BIO_ctrl((b), BIO_CTRL_DGRAM_SET_CAPS, (long)(caps), NULL) +#define 
BIO_dgram_get_no_trunc(b) \ + (unsigned int)BIO_ctrl((b), BIO_CTRL_DGRAM_GET_NO_TRUNC, 0, NULL) +#define BIO_dgram_set_no_trunc(b, enable) \ + (int)BIO_ctrl((b), BIO_CTRL_DGRAM_SET_NO_TRUNC, (enable), NULL) +#define BIO_dgram_get_mtu(b) \ + (unsigned int)BIO_ctrl((b), BIO_CTRL_DGRAM_GET_MTU, 0, NULL) +#define BIO_dgram_set_mtu(b, mtu) \ + (int)BIO_ctrl((b), BIO_CTRL_DGRAM_SET_MTU, (mtu), NULL) +#define BIO_dgram_set0_local_addr(b, addr) \ + (int)BIO_ctrl((b), BIO_CTRL_DGRAM_SET0_LOCAL_ADDR, 0, (addr)) /* ctrl macros for BIO_f_prefix */ -# define BIO_set_prefix(b,p) BIO_ctrl((b), BIO_CTRL_SET_PREFIX, 0, (void *)(p)) -# define BIO_set_indent(b,i) BIO_ctrl((b), BIO_CTRL_SET_INDENT, (i), NULL) -# define BIO_get_indent(b) BIO_ctrl((b), BIO_CTRL_GET_INDENT, 0, NULL) +#define BIO_set_prefix(b, p) BIO_ctrl((b), BIO_CTRL_SET_PREFIX, 0, (void *)(p)) +#define BIO_set_indent(b, i) BIO_ctrl((b), BIO_CTRL_SET_INDENT, (i), NULL) +#define BIO_get_indent(b) BIO_ctrl((b), BIO_CTRL_GET_INDENT, 0, NULL) #define BIO_get_ex_new_index(l, p, newf, dupf, freef) \ CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_BIO, l, p, newf, dupf, freef) 
@@ -711,20 +714,20 @@ uint64_t BIO_number_written(BIO *bio);
 /* For BIO_f_asn1() */
 int BIO_asn1_set_prefix(BIO *b, asn1_ps_func *prefix,
- asn1_ps_func *prefix_free);
+ asn1_ps_func *prefix_free);
 int BIO_asn1_get_prefix(BIO *b, asn1_ps_func **pprefix,
- asn1_ps_func **pprefix_free);
+ asn1_ps_func **pprefix_free);
 int BIO_asn1_set_suffix(BIO *b, asn1_ps_func *suffix,
- asn1_ps_func *suffix_free);
+ asn1_ps_func *suffix_free);
 int BIO_asn1_get_suffix(BIO *b, asn1_ps_func **psuffix,
- asn1_ps_func **psuffix_free);
+ asn1_ps_func **psuffix_free);
 const BIO_METHOD *BIO_s_file(void);
 BIO *BIO_new_file(const char *filename, const char *mode);
 BIO *BIO_new_from_core_bio(OSSL_LIB_CTX *libctx, OSSL_CORE_BIO *corebio);
-# ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_STDIO
 BIO *BIO_new_fp(FILE *stream, int close_flag);
-# endif
+#endif
 BIO *BIO_new_ex(OSSL_LIB_CTX *libctx, const BIO_METHOD *method);
 BIO *BIO_new(const BIO_METHOD *type);
 int BIO_free(BIO *a);
@@ -739,15 +742,15 @@ int BIO_up_ref(BIO *a);
 int BIO_read(BIO *b, void *data, int dlen);
 int BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes);
 __owur int BIO_recvmmsg(BIO *b, BIO_MSG *msg,
- size_t stride, size_t num_msg, uint64_t flags,
- size_t *msgs_processed);
+ size_t stride, size_t num_msg, uint64_t flags,
+ size_t *msgs_processed);
 int BIO_gets(BIO *bp, char *buf, int size);
 int BIO_get_line(BIO *bio, char *buf, int size);
 int BIO_write(BIO *b, const void *data, int dlen);
 int BIO_write_ex(BIO *b, const void *data, size_t dlen, size_t *written);
 __owur int BIO_sendmmsg(BIO *b, BIO_MSG *msg,
- size_t stride, size_t num_msg, uint64_t flags,
- size_t *msgs_processed);
+ size_t stride, size_t num_msg, uint64_t flags,
+ size_t *msgs_processed);
 __owur int BIO_get_rpoll_descriptor(BIO *b, BIO_POLL_DESCRIPTOR *desc);
 __owur int BIO_get_wpoll_descriptor(BIO *b, BIO_POLL_DESCRIPTOR *desc);
 int BIO_puts(BIO *bp, const char *buf);
@@ -773,16 +776,16 @@ int BIO_nwrite0(BIO *bio, char **buf);
 int BIO_nwrite(BIO *bio, char **buf, int num);
 const BIO_METHOD *BIO_s_mem(void);
-# ifndef OPENSSL_NO_DGRAM
+#ifndef OPENSSL_NO_DGRAM
 const BIO_METHOD *BIO_s_dgram_mem(void);
-# endif
+#endif
 const BIO_METHOD *BIO_s_secmem(void);
 BIO *BIO_new_mem_buf(const void *buf, int len);
-# ifndef OPENSSL_NO_SOCK
+#ifndef OPENSSL_NO_SOCK
 const BIO_METHOD *BIO_s_socket(void);
 const BIO_METHOD *BIO_s_connect(void);
 const BIO_METHOD *BIO_s_accept(void);
-# endif
+#endif
 const BIO_METHOD *BIO_s_fd(void);
 const BIO_METHOD *BIO_s_log(void);
 const BIO_METHOD *BIO_s_bio(void);
@@ -794,53 +797,53 @@ const BIO_METHOD *BIO_f_linebuffer(void); const BIO_METHOD *BIO_f_nbio_test(void); const BIO_METHOD *BIO_f_prefix(void); const BIO_METHOD *BIO_s_core(void); -# ifndef OPENSSL_NO_DGRAM +#ifndef OPENSSL_NO_DGRAM const BIO_METHOD *BIO_s_dgram_pair(void); const BIO_METHOD *BIO_s_datagram(void); int BIO_dgram_non_fatal_error(int error); BIO *BIO_new_dgram(int fd, int close_flag); -# ifndef OPENSSL_NO_SCTP +#ifndef OPENSSL_NO_SCTP const BIO_METHOD *BIO_s_datagram_sctp(void); BIO *BIO_new_dgram_sctp(int fd, int close_flag); int BIO_dgram_is_sctp(BIO *bio); int BIO_dgram_sctp_notification_cb(BIO *b, - BIO_dgram_sctp_notification_handler_fn handle_notifications, - void *context); + BIO_dgram_sctp_notification_handler_fn handle_notifications, + void *context); int BIO_dgram_sctp_wait_for_dry(BIO *b); int BIO_dgram_sctp_msg_waiting(BIO *b); -# endif -# endif +#endif +#endif -# ifndef OPENSSL_NO_SOCK +#ifndef OPENSSL_NO_SOCK int BIO_sock_should_retry(int i); int BIO_sock_non_fatal_error(int error); int BIO_err_is_non_fatal(unsigned int errcode); int BIO_socket_wait(int fd, int for_read, time_t max_time); -# endif +#endif int BIO_wait(BIO *bio, time_t max_time, unsigned int nap_milliseconds); int BIO_do_connect_retry(BIO *bio, int timeout, int nap_milliseconds); int BIO_fd_should_retry(int i); int BIO_fd_non_fatal_error(int error); -int BIO_dump_cb(int (*cb) (const void *data, size_t len, void *u), - void *u, const void *s, int len); -int BIO_dump_indent_cb(int (*cb) (const void *data, size_t len, void *u), - void *u, const void *s, int len, int indent); +int BIO_dump_cb(int (*cb)(const void *data, size_t len, void *u), + void *u, const void *s, int len); +int BIO_dump_indent_cb(int (*cb)(const void *data, size_t len, void *u), + void *u, const void *s, int len, int indent); int BIO_dump(BIO *b, const void *bytes, int len); int BIO_dump_indent(BIO *b, const void *bytes, int len, int indent); -# ifndef OPENSSL_NO_STDIO +#ifndef OPENSSL_NO_STDIO int 
BIO_dump_fp(FILE *fp, const void *s, int len); int BIO_dump_indent_fp(FILE *fp, const void *s, int len, int indent); -# endif +#endif int BIO_hex_string(BIO *out, int indent, int width, const void *data, - int datalen); + int datalen); -# ifndef OPENSSL_NO_SOCK +#ifndef OPENSSL_NO_SOCK BIO_ADDR *BIO_ADDR_new(void); int BIO_ADDR_copy(BIO_ADDR *dst, const BIO_ADDR *src); BIO_ADDR *BIO_ADDR_dup(const BIO_ADDR *ap); int BIO_ADDR_rawmake(BIO_ADDR *ap, int family, - const void *where, size_t wherelen, unsigned short port); + const void *where, size_t wherelen, unsigned short port); void BIO_ADDR_free(BIO_ADDR *); void BIO_ADDR_clear(BIO_ADDR *ap); int BIO_ADDR_family(const BIO_ADDR *ap); 
@@ -858,34 +861,38 @@ const BIO_ADDRINFO *BIO_ADDRINFO_address(const BIO_ADDRINFO *bai);
 void BIO_ADDRINFO_free(BIO_ADDRINFO *bai);
 enum BIO_hostserv_priorities {
- BIO_PARSE_PRIO_HOST, BIO_PARSE_PRIO_SERV
+ BIO_PARSE_PRIO_HOST,
+ BIO_PARSE_PRIO_SERV
 };
 int BIO_parse_hostserv(const char *hostserv, char **host, char **service,
- enum BIO_hostserv_priorities hostserv_prio);
+ enum BIO_hostserv_priorities hostserv_prio);
 enum BIO_lookup_type {
- BIO_LOOKUP_CLIENT, BIO_LOOKUP_SERVER
+ BIO_LOOKUP_CLIENT,
+ BIO_LOOKUP_SERVER
 };
 int BIO_lookup(const char *host, const char *service,
- enum BIO_lookup_type lookup_type,
- int family, int socktype, BIO_ADDRINFO **res);
+ enum BIO_lookup_type lookup_type,
+ int family, int socktype, BIO_ADDRINFO **res);
 int BIO_lookup_ex(const char *host, const char *service,
- int lookup_type, int family, int socktype, int protocol,
- BIO_ADDRINFO **res);
+ int lookup_type, int family, int socktype, int protocol,
+ BIO_ADDRINFO **res);
 int BIO_sock_error(int sock);
 int BIO_socket_ioctl(int fd, long type, void *arg);
 int BIO_socket_nbio(int fd, int mode);
 int BIO_sock_init(void);
-# ifndef OPENSSL_NO_DEPRECATED_1_1_0
-# define BIO_sock_cleanup() while(0) continue
-# endif
+#ifndef OPENSSL_NO_DEPRECATED_1_1_0
+#define BIO_sock_cleanup() \
+ while (0) \
+ continue
+#endif
 int BIO_set_tcp_ndelay(int sock, int turn_on);
-# ifndef OPENSSL_NO_DEPRECATED_1_1_0
+#ifndef OPENSSL_NO_DEPRECATED_1_1_0
 OSSL_DEPRECATEDIN_1_1_0 struct hostent *BIO_gethostbyname(const char *name);
 OSSL_DEPRECATEDIN_1_1_0 int BIO_get_port(const char *str, unsigned short *port_ptr);
 OSSL_DEPRECATEDIN_1_1_0 int BIO_get_host_ip(const char *str, unsigned char *ip);
 OSSL_DEPRECATEDIN_1_1_0 int BIO_get_accept_socket(char *host_port, int mode);
 OSSL_DEPRECATEDIN_1_1_0 int BIO_accept(int sock, char **ip_port);
-# endif
+#endif
 union BIO_sock_info_u {
 BIO_ADDR *addr;
@@ -894,14 +901,14 @@ enum BIO_sock_info_type {
 BIO_SOCK_INFO_ADDRESS
 };
 int BIO_sock_info(int sock,
- enum BIO_sock_info_type type, union BIO_sock_info_u *info);
+ enum BIO_sock_info_type type, union BIO_sock_info_u *info);
-# define BIO_SOCK_REUSEADDR 0x01
-# define BIO_SOCK_V6_ONLY 0x02
-# define BIO_SOCK_KEEPALIVE 0x04
-# define BIO_SOCK_NONBLOCK 0x08
-# define BIO_SOCK_NODELAY 0x10
-# define BIO_SOCK_TFO 0x20
+#define BIO_SOCK_REUSEADDR 0x01
+#define BIO_SOCK_V6_ONLY 0x02
+#define BIO_SOCK_KEEPALIVE 0x04
+#define BIO_SOCK_NONBLOCK 0x08
+#define BIO_SOCK_NODELAY 0x10
+#define BIO_SOCK_TFO 0x20
 int BIO_socket(int domain, int socktype, int protocol, int options);
 int BIO_connect(int sock, const BIO_ADDR *addr, int options);
@@ -913,16 +920,16 @@ int BIO_closesocket(int sock);
 BIO *BIO_new_socket(int sock, int close_flag);
 BIO *BIO_new_connect(const char *host_port);
 BIO *BIO_new_accept(const char *host_port);
-# endif /* OPENSSL_NO_SOCK*/
+#endif /* OPENSSL_NO_SOCK*/
 BIO *BIO_new_fd(int fd, int close_flag);
 int BIO_new_bio_pair(BIO **bio1, size_t writebuf1,
- BIO **bio2, size_t writebuf2);
-# ifndef OPENSSL_NO_DGRAM
+ BIO **bio2, size_t writebuf2);
+#ifndef OPENSSL_NO_DGRAM
 int BIO_new_bio_dgram_pair(BIO **bio1, size_t writebuf1,
- BIO **bio2, size_t writebuf2);
-# endif
+ BIO **bio2, size_t writebuf2);
+#endif
 /*
 * If successful, returns 1 and in *bio1, *bio2 two BIO pair endpoints.
@@ -936,87 +943,86 @@ void BIO_copy_next_retry(BIO *b); * long BIO_ghbn_ctrl(int cmd,int iarg,char *parg); */ -# define ossl_bio__attr__(x) -# if defined(__GNUC__) && defined(__STDC_VERSION__) \ +#define ossl_bio__attr__(x) +#if defined(__GNUC__) && defined(__STDC_VERSION__) \ && !defined(__MINGW32__) && !defined(__MINGW64__) \ && !defined(__APPLE__) - /* - * Because we support the 'z' modifier, which made its appearance in C99, - * we can't use __attribute__ with pre C99 dialects. - */ -# if __STDC_VERSION__ >= 199901L -# undef ossl_bio__attr__ -# define ossl_bio__attr__ __attribute__ -# if __GNUC__*10 + __GNUC_MINOR__ >= 44 -# define ossl_bio__printf__ __gnu_printf__ -# else -# define ossl_bio__printf__ __printf__ -# endif -# endif -# endif +/* + * Because we support the 'z' modifier, which made its appearance in C99, + * we can't use __attribute__ with pre C99 dialects. + */ +#if __STDC_VERSION__ >= 199901L +#undef ossl_bio__attr__ +#define ossl_bio__attr__ __attribute__ +#if __GNUC__ * 10 + __GNUC_MINOR__ >= 44 +#define ossl_bio__printf__ __gnu_printf__ +#else +#define ossl_bio__printf__ __printf__ +#endif +#endif +#endif int BIO_printf(BIO *bio, const char *format, ...) -ossl_bio__attr__((__format__(ossl_bio__printf__, 2, 3))); + ossl_bio__attr__((__format__(ossl_bio__printf__, 2, 3))); int BIO_vprintf(BIO *bio, const char *format, va_list args) -ossl_bio__attr__((__format__(ossl_bio__printf__, 2, 0))); + ossl_bio__attr__((__format__(ossl_bio__printf__, 2, 0))); int BIO_snprintf(char *buf, size_t n, const char *format, ...) 
-ossl_bio__attr__((__format__(ossl_bio__printf__, 3, 4))); + ossl_bio__attr__((__format__(ossl_bio__printf__, 3, 4))); int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args) -ossl_bio__attr__((__format__(ossl_bio__printf__, 3, 0))); -# undef ossl_bio__attr__ -# undef ossl_bio__printf__ - + ossl_bio__attr__((__format__(ossl_bio__printf__, 3, 0))); +#undef ossl_bio__attr__ +#undef ossl_bio__printf__ BIO_METHOD *BIO_meth_new(int type, const char *name); void BIO_meth_free(BIO_METHOD *biom); int BIO_meth_set_write(BIO_METHOD *biom, - int (*write) (BIO *, const char *, int)); + int (*write)(BIO *, const char *, int)); int BIO_meth_set_write_ex(BIO_METHOD *biom, - int (*bwrite) (BIO *, const char *, size_t, size_t *)); + int (*bwrite)(BIO *, const char *, size_t, size_t *)); int BIO_meth_set_sendmmsg(BIO_METHOD *biom, - int (*f) (BIO *, BIO_MSG *, size_t, size_t, - uint64_t, size_t *)); + int (*f)(BIO *, BIO_MSG *, size_t, size_t, + uint64_t, size_t *)); int BIO_meth_set_read(BIO_METHOD *biom, - int (*read) (BIO *, char *, int)); + int (*read)(BIO *, char *, int)); int BIO_meth_set_read_ex(BIO_METHOD *biom, - int (*bread) (BIO *, char *, size_t, size_t *)); + int (*bread)(BIO *, char *, size_t, size_t *)); int BIO_meth_set_recvmmsg(BIO_METHOD *biom, - int (*f) (BIO *, BIO_MSG *, size_t, size_t, - uint64_t, size_t *)); + int (*f)(BIO *, BIO_MSG *, size_t, size_t, + uint64_t, size_t *)); int BIO_meth_set_puts(BIO_METHOD *biom, - int (*puts) (BIO *, const char *)); + int (*puts)(BIO *, const char *)); int BIO_meth_set_gets(BIO_METHOD *biom, - int (*ossl_gets) (BIO *, char *, int)); + int (*ossl_gets)(BIO *, char *, int)); int BIO_meth_set_ctrl(BIO_METHOD *biom, - long (*ctrl) (BIO *, int, long, void *)); -int BIO_meth_set_create(BIO_METHOD *biom, int (*create) (BIO *)); -int BIO_meth_set_destroy(BIO_METHOD *biom, int (*destroy) (BIO *)); + long (*ctrl)(BIO *, int, long, void *)); +int BIO_meth_set_create(BIO_METHOD *biom, int (*create)(BIO *)); +int 
BIO_meth_set_destroy(BIO_METHOD *biom, int (*destroy)(BIO *)); int BIO_meth_set_callback_ctrl(BIO_METHOD *biom, - long (*callback_ctrl) (BIO *, int, - BIO_info_cb *)); -# ifndef OPENSSL_NO_DEPRECATED_3_5 -OSSL_DEPRECATEDIN_3_5 int (*BIO_meth_get_write(const BIO_METHOD *biom)) (BIO *, const char *, - int); -OSSL_DEPRECATEDIN_3_5 int (*BIO_meth_get_write_ex(const BIO_METHOD *biom)) (BIO *, const char *, - size_t, size_t *); + long (*callback_ctrl)(BIO *, int, + BIO_info_cb *)); +#ifndef OPENSSL_NO_DEPRECATED_3_5 +OSSL_DEPRECATEDIN_3_5 int (*BIO_meth_get_write(const BIO_METHOD *biom))(BIO *, const char *, + int); +OSSL_DEPRECATEDIN_3_5 int (*BIO_meth_get_write_ex(const BIO_METHOD *biom))(BIO *, const char *, + size_t, size_t *); OSSL_DEPRECATEDIN_3_5 int (*BIO_meth_get_sendmmsg(const BIO_METHOD *biom))(BIO *, BIO_MSG *, - size_t, size_t, - uint64_t, size_t *); -OSSL_DEPRECATEDIN_3_5 int (*BIO_meth_get_read(const BIO_METHOD *biom)) (BIO *, char *, int); -OSSL_DEPRECATEDIN_3_5 int (*BIO_meth_get_read_ex(const BIO_METHOD *biom)) (BIO *, char *, - size_t, size_t *); + size_t, size_t, + uint64_t, size_t *); +OSSL_DEPRECATEDIN_3_5 int (*BIO_meth_get_read(const BIO_METHOD *biom))(BIO *, char *, int); +OSSL_DEPRECATEDIN_3_5 int (*BIO_meth_get_read_ex(const BIO_METHOD *biom))(BIO *, char *, + size_t, size_t *); OSSL_DEPRECATEDIN_3_5 int (*BIO_meth_get_recvmmsg(const BIO_METHOD *biom))(BIO *, BIO_MSG *, - size_t, size_t, - uint64_t, size_t *); -OSSL_DEPRECATEDIN_3_5 int (*BIO_meth_get_puts(const BIO_METHOD *biom)) (BIO *, const char *); -OSSL_DEPRECATEDIN_3_5 int (*BIO_meth_get_gets(const BIO_METHOD *biom)) (BIO *, char *, int); -OSSL_DEPRECATEDIN_3_5 long (*BIO_meth_get_ctrl(const BIO_METHOD *biom)) (BIO *, int, - long, void *); -OSSL_DEPRECATEDIN_3_5 int (*BIO_meth_get_create(const BIO_METHOD *bion)) (BIO *); -OSSL_DEPRECATEDIN_3_5 int (*BIO_meth_get_destroy(const BIO_METHOD *biom)) (BIO *); -OSSL_DEPRECATEDIN_3_5 long (*BIO_meth_get_callback_ctrl(const BIO_METHOD *biom)) 
(BIO *, int, - BIO_info_cb *); -# endif -# ifdef __cplusplus + size_t, size_t, + uint64_t, size_t *); +OSSL_DEPRECATEDIN_3_5 int (*BIO_meth_get_puts(const BIO_METHOD *biom))(BIO *, const char *); +OSSL_DEPRECATEDIN_3_5 int (*BIO_meth_get_gets(const BIO_METHOD *biom))(BIO *, char *, int); +OSSL_DEPRECATEDIN_3_5 long (*BIO_meth_get_ctrl(const BIO_METHOD *biom))(BIO *, int, + long, void *); +OSSL_DEPRECATEDIN_3_5 int (*BIO_meth_get_create(const BIO_METHOD *bion))(BIO *); +OSSL_DEPRECATEDIN_3_5 int (*BIO_meth_get_destroy(const BIO_METHOD *biom))(BIO *); +OSSL_DEPRECATEDIN_3_5 long (*BIO_meth_get_callback_ctrl(const BIO_METHOD *biom))(BIO *, int, + BIO_info_cb *); +#endif +#ifdef __cplusplus } -# endif +#endif #endif diff --git a/crypto/openssl/include/openssl/cmp.h b/crypto/openssl/include/openssl/cmp.h index 05aed3029d59..d46192c7172c 100644 --- a/crypto/openssl/include/openssl/cmp.h +++ b/crypto/openssl/include/openssl/cmp.h 
@@ -12,32 +12,34 @@
 * https://www.openssl.org/source/license.html
 */
+/* clang-format off */
+/* clang-format on */
 #ifndef OPENSSL_CMP_H
-# define OPENSSL_CMP_H
+#define OPENSSL_CMP_H
-# include <openssl/opensslconf.h>
+#include <openssl/opensslconf.h>
-# ifndef OPENSSL_NO_CMP
+#ifndef OPENSSL_NO_CMP
-# include <openssl/crmf.h>
-# include <openssl/cmperr.h>
-# include <openssl/cmp_util.h>
-# include <openssl/http.h>
+#include <openssl/crmf.h>
+#include <openssl/cmperr.h>
+#include <openssl/cmp_util.h>
+#include <openssl/http.h>
 /* explicit #includes not strictly needed since implied by the above: */
-# include <openssl/types.h>
-# include <openssl/safestack.h>
-# include <openssl/x509.h>
-# include <openssl/x509v3.h>
+#include <openssl/types.h>
+#include <openssl/safestack.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
-# ifdef __cplusplus
+#ifdef __cplusplus
 extern "C" {
-# endif
+#endif
-# define OSSL_CMP_PVNO_2 2
-# define OSSL_CMP_PVNO_3 3
-# define OSSL_CMP_PVNO OSSL_CMP_PVNO_2 /* v2 is the default */
+#define OSSL_CMP_PVNO_2 2
+#define OSSL_CMP_PVNO_3 3
+#define OSSL_CMP_PVNO OSSL_CMP_PVNO_2 /* v2 is the default */
 /*-
 * PKIFailureInfo ::= BIT STRING {
@@ -106,68 +108,68 @@ extern "C" { * -- certificate already exists * } */ -# define OSSL_CMP_PKIFAILUREINFO_badAlg 0 -# define OSSL_CMP_PKIFAILUREINFO_badMessageCheck 1 -# define OSSL_CMP_PKIFAILUREINFO_badRequest 2 -# define OSSL_CMP_PKIFAILUREINFO_badTime 3 -# define OSSL_CMP_PKIFAILUREINFO_badCertId 4 -# define OSSL_CMP_PKIFAILUREINFO_badDataFormat 5 -# define OSSL_CMP_PKIFAILUREINFO_wrongAuthority 6 -# define OSSL_CMP_PKIFAILUREINFO_incorrectData 7 -# define OSSL_CMP_PKIFAILUREINFO_missingTimeStamp 8 -# define OSSL_CMP_PKIFAILUREINFO_badPOP 9 -# define OSSL_CMP_PKIFAILUREINFO_certRevoked 10 -# define OSSL_CMP_PKIFAILUREINFO_certConfirmed 11 -# define OSSL_CMP_PKIFAILUREINFO_wrongIntegrity 12 -# define OSSL_CMP_PKIFAILUREINFO_badRecipientNonce 13 -# define OSSL_CMP_PKIFAILUREINFO_timeNotAvailable 14 -# define OSSL_CMP_PKIFAILUREINFO_unacceptedPolicy 15 -# define OSSL_CMP_PKIFAILUREINFO_unacceptedExtension 16 -# define OSSL_CMP_PKIFAILUREINFO_addInfoNotAvailable 17 -# define OSSL_CMP_PKIFAILUREINFO_badSenderNonce 18 -# define OSSL_CMP_PKIFAILUREINFO_badCertTemplate 19 -# define OSSL_CMP_PKIFAILUREINFO_signerNotTrusted 20 -# define OSSL_CMP_PKIFAILUREINFO_transactionIdInUse 21 -# define OSSL_CMP_PKIFAILUREINFO_unsupportedVersion 22 -# define OSSL_CMP_PKIFAILUREINFO_notAuthorized 23 -# define OSSL_CMP_PKIFAILUREINFO_systemUnavail 24 -# define OSSL_CMP_PKIFAILUREINFO_systemFailure 25 -# define OSSL_CMP_PKIFAILUREINFO_duplicateCertReq 26 -# define OSSL_CMP_PKIFAILUREINFO_MAX 26 -# define OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN \ +#define OSSL_CMP_PKIFAILUREINFO_badAlg 0 +#define OSSL_CMP_PKIFAILUREINFO_badMessageCheck 1 +#define OSSL_CMP_PKIFAILUREINFO_badRequest 2 +#define OSSL_CMP_PKIFAILUREINFO_badTime 3 +#define OSSL_CMP_PKIFAILUREINFO_badCertId 4 +#define OSSL_CMP_PKIFAILUREINFO_badDataFormat 5 +#define OSSL_CMP_PKIFAILUREINFO_wrongAuthority 6 +#define OSSL_CMP_PKIFAILUREINFO_incorrectData 7 +#define OSSL_CMP_PKIFAILUREINFO_missingTimeStamp 8 +#define 
OSSL_CMP_PKIFAILUREINFO_badPOP 9 +#define OSSL_CMP_PKIFAILUREINFO_certRevoked 10 +#define OSSL_CMP_PKIFAILUREINFO_certConfirmed 11 +#define OSSL_CMP_PKIFAILUREINFO_wrongIntegrity 12 +#define OSSL_CMP_PKIFAILUREINFO_badRecipientNonce 13 +#define OSSL_CMP_PKIFAILUREINFO_timeNotAvailable 14 +#define OSSL_CMP_PKIFAILUREINFO_unacceptedPolicy 15 +#define OSSL_CMP_PKIFAILUREINFO_unacceptedExtension 16 +#define OSSL_CMP_PKIFAILUREINFO_addInfoNotAvailable 17 +#define OSSL_CMP_PKIFAILUREINFO_badSenderNonce 18 +#define OSSL_CMP_PKIFAILUREINFO_badCertTemplate 19 +#define OSSL_CMP_PKIFAILUREINFO_signerNotTrusted 20 +#define OSSL_CMP_PKIFAILUREINFO_transactionIdInUse 21 +#define OSSL_CMP_PKIFAILUREINFO_unsupportedVersion 22 +#define OSSL_CMP_PKIFAILUREINFO_notAuthorized 23 +#define OSSL_CMP_PKIFAILUREINFO_systemUnavail 24 +#define OSSL_CMP_PKIFAILUREINFO_systemFailure 25 +#define OSSL_CMP_PKIFAILUREINFO_duplicateCertReq 26 +#define OSSL_CMP_PKIFAILUREINFO_MAX 26 +#define OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN \ ((1 << (OSSL_CMP_PKIFAILUREINFO_MAX + 1)) - 1) -# if OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN > INT_MAX -# error CMP_PKIFAILUREINFO_MAX bit pattern does not fit in type int -# endif +#if OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN > INT_MAX +#error CMP_PKIFAILUREINFO_MAX bit pattern does not fit in type int +#endif typedef ASN1_BIT_STRING OSSL_CMP_PKIFAILUREINFO; -# define OSSL_CMP_CTX_FAILINFO_badAlg (1 << 0) -# define OSSL_CMP_CTX_FAILINFO_badMessageCheck (1 << 1) -# define OSSL_CMP_CTX_FAILINFO_badRequest (1 << 2) -# define OSSL_CMP_CTX_FAILINFO_badTime (1 << 3) -# define OSSL_CMP_CTX_FAILINFO_badCertId (1 << 4) -# define OSSL_CMP_CTX_FAILINFO_badDataFormat (1 << 5) -# define OSSL_CMP_CTX_FAILINFO_wrongAuthority (1 << 6) -# define OSSL_CMP_CTX_FAILINFO_incorrectData (1 << 7) -# define OSSL_CMP_CTX_FAILINFO_missingTimeStamp (1 << 8) -# define OSSL_CMP_CTX_FAILINFO_badPOP (1 << 9) -# define OSSL_CMP_CTX_FAILINFO_certRevoked (1 << 10) -# define 
OSSL_CMP_CTX_FAILINFO_certConfirmed (1 << 11) -# define OSSL_CMP_CTX_FAILINFO_wrongIntegrity (1 << 12) -# define OSSL_CMP_CTX_FAILINFO_badRecipientNonce (1 << 13) -# define OSSL_CMP_CTX_FAILINFO_timeNotAvailable (1 << 14) -# define OSSL_CMP_CTX_FAILINFO_unacceptedPolicy (1 << 15) -# define OSSL_CMP_CTX_FAILINFO_unacceptedExtension (1 << 16) -# define OSSL_CMP_CTX_FAILINFO_addInfoNotAvailable (1 << 17) -# define OSSL_CMP_CTX_FAILINFO_badSenderNonce (1 << 18) -# define OSSL_CMP_CTX_FAILINFO_badCertTemplate (1 << 19) -# define OSSL_CMP_CTX_FAILINFO_signerNotTrusted (1 << 20) -# define OSSL_CMP_CTX_FAILINFO_transactionIdInUse (1 << 21) -# define OSSL_CMP_CTX_FAILINFO_unsupportedVersion (1 << 22) -# define OSSL_CMP_CTX_FAILINFO_notAuthorized (1 << 23) -# define OSSL_CMP_CTX_FAILINFO_systemUnavail (1 << 24) -# define OSSL_CMP_CTX_FAILINFO_systemFailure (1 << 25) -# define OSSL_CMP_CTX_FAILINFO_duplicateCertReq (1 << 26) +#define OSSL_CMP_CTX_FAILINFO_badAlg (1 << 0) +#define OSSL_CMP_CTX_FAILINFO_badMessageCheck (1 << 1) +#define OSSL_CMP_CTX_FAILINFO_badRequest (1 << 2) +#define OSSL_CMP_CTX_FAILINFO_badTime (1 << 3) +#define OSSL_CMP_CTX_FAILINFO_badCertId (1 << 4) +#define OSSL_CMP_CTX_FAILINFO_badDataFormat (1 << 5) +#define OSSL_CMP_CTX_FAILINFO_wrongAuthority (1 << 6) +#define OSSL_CMP_CTX_FAILINFO_incorrectData (1 << 7) +#define OSSL_CMP_CTX_FAILINFO_missingTimeStamp (1 << 8) +#define OSSL_CMP_CTX_FAILINFO_badPOP (1 << 9) +#define OSSL_CMP_CTX_FAILINFO_certRevoked (1 << 10) +#define OSSL_CMP_CTX_FAILINFO_certConfirmed (1 << 11) +#define OSSL_CMP_CTX_FAILINFO_wrongIntegrity (1 << 12) +#define OSSL_CMP_CTX_FAILINFO_badRecipientNonce (1 << 13) +#define OSSL_CMP_CTX_FAILINFO_timeNotAvailable (1 << 14) +#define OSSL_CMP_CTX_FAILINFO_unacceptedPolicy (1 << 15) +#define OSSL_CMP_CTX_FAILINFO_unacceptedExtension (1 << 16) +#define OSSL_CMP_CTX_FAILINFO_addInfoNotAvailable (1 << 17) +#define OSSL_CMP_CTX_FAILINFO_badSenderNonce (1 << 18) +#define 
OSSL_CMP_CTX_FAILINFO_badCertTemplate (1 << 19) +#define OSSL_CMP_CTX_FAILINFO_signerNotTrusted (1 << 20) +#define OSSL_CMP_CTX_FAILINFO_transactionIdInUse (1 << 21) +#define OSSL_CMP_CTX_FAILINFO_unsupportedVersion (1 << 22) +#define OSSL_CMP_CTX_FAILINFO_notAuthorized (1 << 23) +#define OSSL_CMP_CTX_FAILINFO_systemUnavail (1 << 24) +#define OSSL_CMP_CTX_FAILINFO_systemFailure (1 << 25) +#define OSSL_CMP_CTX_FAILINFO_duplicateCertReq (1 << 26) /*- * PKIStatus ::= INTEGER { @@ -194,22 +196,22 @@ typedef ASN1_BIT_STRING OSSL_CMP_PKIFAILUREINFO; * -- CertReqMsg * } */ -# define OSSL_CMP_PKISTATUS_request -3 -# define OSSL_CMP_PKISTATUS_trans -2 -# define OSSL_CMP_PKISTATUS_unspecified -1 -# define OSSL_CMP_PKISTATUS_accepted 0 -# define OSSL_CMP_PKISTATUS_grantedWithMods 1 -# define OSSL_CMP_PKISTATUS_rejection 2 -# define OSSL_CMP_PKISTATUS_waiting 3 -# define OSSL_CMP_PKISTATUS_revocationWarning 4 -# define OSSL_CMP_PKISTATUS_revocationNotification 5 -# define OSSL_CMP_PKISTATUS_keyUpdateWarning 6 +#define OSSL_CMP_PKISTATUS_request -3 +#define OSSL_CMP_PKISTATUS_trans -2 +#define OSSL_CMP_PKISTATUS_unspecified -1 +#define OSSL_CMP_PKISTATUS_accepted 0 +#define OSSL_CMP_PKISTATUS_grantedWithMods 1 +#define OSSL_CMP_PKISTATUS_rejection 2 +#define OSSL_CMP_PKISTATUS_waiting 3 +#define OSSL_CMP_PKISTATUS_revocationWarning 4 +#define OSSL_CMP_PKISTATUS_revocationNotification 5 +#define OSSL_CMP_PKISTATUS_keyUpdateWarning 6 typedef ASN1_INTEGER OSSL_CMP_PKISTATUS; DECLARE_ASN1_ITEM(OSSL_CMP_PKISTATUS) -# define OSSL_CMP_CERTORENCCERT_CERTIFICATE 0 -# define OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT 1 +#define OSSL_CMP_CERTORENCCERT_CERTIFICATE 0 +#define OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT 1 /* data type declarations */ typedef struct ossl_cmp_ctx_st OSSL_CMP_CTX; 
@@ -219,6 +221,7 @@ typedef struct ossl_cmp_msg_st OSSL_CMP_MSG; DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_MSG) DECLARE_ASN1_ENCODE_FUNCTIONS(OSSL_CMP_MSG, OSSL_CMP_MSG, OSSL_CMP_MSG) typedef struct ossl_cmp_certstatus_st OSSL_CMP_CERTSTATUS; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_CMP_CERTSTATUS, OSSL_CMP_CERTSTATUS, OSSL_CMP_CERTSTATUS) #define sk_OSSL_CMP_CERTSTATUS_num(sk) OPENSSL_sk_num(ossl_check_const_OSSL_CMP_CERTSTATUS_sk_type(sk)) #define sk_OSSL_CMP_CERTSTATUS_value(sk, idx) ((OSSL_CMP_CERTSTATUS *)OPENSSL_sk_value(ossl_check_const_OSSL_CMP_CERTSTATUS_sk_type(sk), (idx))) @@ -246,8 +249,10 @@ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_CMP_CERTSTATUS, OSSL_CMP_CERTSTATUS, OSSL_CMP_ #define sk_OSSL_CMP_CERTSTATUS_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OSSL_CMP_CERTSTATUS) *)OPENSSL_sk_deep_copy(ossl_check_const_OSSL_CMP_CERTSTATUS_sk_type(sk), ossl_check_OSSL_CMP_CERTSTATUS_copyfunc_type(copyfunc), ossl_check_OSSL_CMP_CERTSTATUS_freefunc_type(freefunc))) #define sk_OSSL_CMP_CERTSTATUS_set_cmp_func(sk, cmp) ((sk_OSSL_CMP_CERTSTATUS_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OSSL_CMP_CERTSTATUS_sk_type(sk), ossl_check_OSSL_CMP_CERTSTATUS_compfunc_type(cmp))) +/* clang-format on */ typedef struct ossl_cmp_itav_st OSSL_CMP_ITAV; DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV) +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_CMP_ITAV, OSSL_CMP_ITAV, OSSL_CMP_ITAV) #define sk_OSSL_CMP_ITAV_num(sk) OPENSSL_sk_num(ossl_check_const_OSSL_CMP_ITAV_sk_type(sk)) #define sk_OSSL_CMP_ITAV_value(sk, idx) ((OSSL_CMP_ITAV *)OPENSSL_sk_value(ossl_check_const_OSSL_CMP_ITAV_sk_type(sk), (idx))) 
@@ -275,8 +280,10 @@ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_CMP_ITAV, OSSL_CMP_ITAV, OSSL_CMP_ITAV) #define sk_OSSL_CMP_ITAV_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OSSL_CMP_ITAV) *)OPENSSL_sk_deep_copy(ossl_check_const_OSSL_CMP_ITAV_sk_type(sk), ossl_check_OSSL_CMP_ITAV_copyfunc_type(copyfunc), ossl_check_OSSL_CMP_ITAV_freefunc_type(freefunc))) #define sk_OSSL_CMP_ITAV_set_cmp_func(sk, cmp) ((sk_OSSL_CMP_ITAV_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OSSL_CMP_ITAV_sk_type(sk), ossl_check_OSSL_CMP_ITAV_compfunc_type(cmp))) +/* clang-format on */ typedef struct ossl_cmp_crlstatus_st OSSL_CMP_CRLSTATUS; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_CMP_CRLSTATUS, OSSL_CMP_CRLSTATUS, OSSL_CMP_CRLSTATUS) #define sk_OSSL_CMP_CRLSTATUS_num(sk) OPENSSL_sk_num(ossl_check_const_OSSL_CMP_CRLSTATUS_sk_type(sk)) #define sk_OSSL_CMP_CRLSTATUS_value(sk, idx) ((OSSL_CMP_CRLSTATUS *)OPENSSL_sk_value(ossl_check_const_OSSL_CMP_CRLSTATUS_sk_type(sk), (idx))) 
@@ -304,21 +311,23 @@ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_CMP_CRLSTATUS, OSSL_CMP_CRLSTATUS, OSSL_CMP_CR #define sk_OSSL_CMP_CRLSTATUS_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OSSL_CMP_CRLSTATUS) *)OPENSSL_sk_deep_copy(ossl_check_const_OSSL_CMP_CRLSTATUS_sk_type(sk), ossl_check_OSSL_CMP_CRLSTATUS_copyfunc_type(copyfunc), ossl_check_OSSL_CMP_CRLSTATUS_freefunc_type(freefunc))) #define sk_OSSL_CMP_CRLSTATUS_set_cmp_func(sk, cmp) ((sk_OSSL_CMP_CRLSTATUS_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OSSL_CMP_CRLSTATUS_sk_type(sk), ossl_check_OSSL_CMP_CRLSTATUS_compfunc_type(cmp))) +/* clang-format on */ typedef OSSL_CRMF_ATTRIBUTETYPEANDVALUE OSSL_CMP_ATAV; -# define OSSL_CMP_ATAV_free OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free +#define OSSL_CMP_ATAV_free OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free typedef STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) OSSL_CMP_ATAVS; DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ATAVS) -# define stack_st_OSSL_CMP_ATAV stack_st_OSSL_CRMF_ATTRIBUTETYPEANDVALUE -# define sk_OSSL_CMP_ATAV_num sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_num -# define sk_OSSL_CMP_ATAV_value sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_value -# define sk_OSSL_CMP_ATAV_push sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push -# define sk_OSSL_CMP_ATAV_pop_free sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_pop_free +#define stack_st_OSSL_CMP_ATAV stack_st_OSSL_CRMF_ATTRIBUTETYPEANDVALUE +#define sk_OSSL_CMP_ATAV_num sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_num +#define sk_OSSL_CMP_ATAV_value sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_value +#define sk_OSSL_CMP_ATAV_push sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push +#define sk_OSSL_CMP_ATAV_pop_free sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_pop_free typedef struct ossl_cmp_revrepcontent_st OSSL_CMP_REVREPCONTENT; typedef struct ossl_cmp_pkisi_st OSSL_CMP_PKISI; DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKISI) DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI) +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_CMP_PKISI, OSSL_CMP_PKISI, OSSL_CMP_PKISI) #define sk_OSSL_CMP_PKISI_num(sk) 
OPENSSL_sk_num(ossl_check_const_OSSL_CMP_PKISI_sk_type(sk)) #define sk_OSSL_CMP_PKISI_value(sk, idx) ((OSSL_CMP_PKISI *)OPENSSL_sk_value(ossl_check_const_OSSL_CMP_PKISI_sk_type(sk), (idx))) @@ -346,7 +355,9 @@ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_CMP_PKISI, OSSL_CMP_PKISI, OSSL_CMP_PKISI) #define sk_OSSL_CMP_PKISI_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OSSL_CMP_PKISI) *)OPENSSL_sk_deep_copy(ossl_check_const_OSSL_CMP_PKISI_sk_type(sk), ossl_check_OSSL_CMP_PKISI_copyfunc_type(copyfunc), ossl_check_OSSL_CMP_PKISI_freefunc_type(freefunc))) #define sk_OSSL_CMP_PKISI_set_cmp_func(sk, cmp) ((sk_OSSL_CMP_PKISI_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OSSL_CMP_PKISI_sk_type(sk), ossl_check_OSSL_CMP_PKISI_compfunc_type(cmp))) +/* clang-format on */ typedef struct ossl_cmp_certrepmessage_st OSSL_CMP_CERTREPMESSAGE; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_CMP_CERTREPMESSAGE, OSSL_CMP_CERTREPMESSAGE, OSSL_CMP_CERTREPMESSAGE) #define sk_OSSL_CMP_CERTREPMESSAGE_num(sk) OPENSSL_sk_num(ossl_check_const_OSSL_CMP_CERTREPMESSAGE_sk_type(sk)) #define sk_OSSL_CMP_CERTREPMESSAGE_value(sk, idx) ((OSSL_CMP_CERTREPMESSAGE *)OPENSSL_sk_value(ossl_check_const_OSSL_CMP_CERTREPMESSAGE_sk_type(sk), (idx))) 
@@ -374,9 +385,11 @@ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_CMP_CERTREPMESSAGE, OSSL_CMP_CERTREPMESSAGE, O #define sk_OSSL_CMP_CERTREPMESSAGE_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OSSL_CMP_CERTREPMESSAGE) *)OPENSSL_sk_deep_copy(ossl_check_const_OSSL_CMP_CERTREPMESSAGE_sk_type(sk), ossl_check_OSSL_CMP_CERTREPMESSAGE_copyfunc_type(copyfunc), ossl_check_OSSL_CMP_CERTREPMESSAGE_freefunc_type(freefunc))) #define sk_OSSL_CMP_CERTREPMESSAGE_set_cmp_func(sk, cmp) ((sk_OSSL_CMP_CERTREPMESSAGE_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OSSL_CMP_CERTREPMESSAGE_sk_type(sk), ossl_check_OSSL_CMP_CERTREPMESSAGE_compfunc_type(cmp))) +/* clang-format on */ typedef struct ossl_cmp_pollrep_st OSSL_CMP_POLLREP; typedef STACK_OF(OSSL_CMP_POLLREP) OSSL_CMP_POLLREPCONTENT; typedef struct ossl_cmp_certresponse_st OSSL_CMP_CERTRESPONSE; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_CMP_CERTRESPONSE, OSSL_CMP_CERTRESPONSE, OSSL_CMP_CERTRESPONSE) #define sk_OSSL_CMP_CERTRESPONSE_num(sk) OPENSSL_sk_num(ossl_check_const_OSSL_CMP_CERTRESPONSE_sk_type(sk)) #define sk_OSSL_CMP_CERTRESPONSE_value(sk, idx) ((OSSL_CMP_CERTRESPONSE *)OPENSSL_sk_value(ossl_check_const_OSSL_CMP_CERTRESPONSE_sk_type(sk), (idx))) @@ -404,6 +417,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_CMP_CERTRESPONSE, OSSL_CMP_CERTRESPONSE, OSSL_ #define sk_OSSL_CMP_CERTRESPONSE_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OSSL_CMP_CERTRESPONSE) *)OPENSSL_sk_deep_copy(ossl_check_const_OSSL_CMP_CERTRESPONSE_sk_type(sk), ossl_check_OSSL_CMP_CERTRESPONSE_copyfunc_type(copyfunc), ossl_check_OSSL_CMP_CERTRESPONSE_freefunc_type(freefunc))) #define sk_OSSL_CMP_CERTRESPONSE_set_cmp_func(sk, cmp) ((sk_OSSL_CMP_CERTRESPONSE_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OSSL_CMP_CERTRESPONSE_sk_type(sk), ossl_check_OSSL_CMP_CERTRESPONSE_compfunc_type(cmp))) +/* clang-format on */ typedef STACK_OF(ASN1_UTF8STRING) OSSL_CMP_PKIFREETEXT; /* 
@@ -413,55 +427,55 @@ typedef STACK_OF(ASN1_UTF8STRING) OSSL_CMP_PKIFREETEXT; /* from cmp_asn.c */ OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value); void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type, - ASN1_TYPE *value); + ASN1_TYPE *value); ASN1_OBJECT *OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV *itav); ASN1_TYPE *OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV *itav); int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **sk_p, - OSSL_CMP_ITAV *itav); + OSSL_CMP_ITAV *itav); void OSSL_CMP_ITAV_free(OSSL_CMP_ITAV *itav); OSSL_CMP_ITAV *OSSL_CMP_ITAV_new0_certProfile(STACK_OF(ASN1_UTF8STRING) - *certProfile); + *certProfile); int OSSL_CMP_ITAV_get0_certProfile(const OSSL_CMP_ITAV *itav, - STACK_OF(ASN1_UTF8STRING) **out); + STACK_OF(ASN1_UTF8STRING) **out); OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_caCerts(const STACK_OF(X509) *caCerts); int OSSL_CMP_ITAV_get0_caCerts(const OSSL_CMP_ITAV *itav, STACK_OF(X509) **out); OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_rootCaCert(const X509 *rootCaCert); int OSSL_CMP_ITAV_get0_rootCaCert(const OSSL_CMP_ITAV *itav, X509 **out); OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_rootCaKeyUpdate(const X509 *newWithNew, - const X509 *newWithOld, - const X509 *oldWithNew); + const X509 *newWithOld, + const X509 *oldWithNew); int OSSL_CMP_ITAV_get0_rootCaKeyUpdate(const OSSL_CMP_ITAV *itav, - X509 **newWithNew, - X509 **newWithOld, - X509 **oldWithNew); + X509 **newWithNew, + X509 **newWithOld, + X509 **oldWithNew); OSSL_CMP_CRLSTATUS *OSSL_CMP_CRLSTATUS_create(const X509_CRL *crl, - const X509 *cert, int only_DN); + const X509 *cert, int only_DN); OSSL_CMP_CRLSTATUS *OSSL_CMP_CRLSTATUS_new1(const DIST_POINT_NAME *dpn, - const GENERAL_NAMES *issuer, - const ASN1_TIME *thisUpdate); + const GENERAL_NAMES *issuer, + const ASN1_TIME *thisUpdate); int OSSL_CMP_CRLSTATUS_get0(const OSSL_CMP_CRLSTATUS *crlstatus, - DIST_POINT_NAME **dpn, GENERAL_NAMES **issuer, - ASN1_TIME **thisUpdate); + DIST_POINT_NAME **dpn, GENERAL_NAMES 
**issuer, + ASN1_TIME **thisUpdate); void OSSL_CMP_CRLSTATUS_free(OSSL_CMP_CRLSTATUS *crlstatus); OSSL_CMP_ITAV *OSSL_CMP_ITAV_new0_crlStatusList(STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList); int OSSL_CMP_ITAV_get0_crlStatusList(const OSSL_CMP_ITAV *itav, - STACK_OF(OSSL_CMP_CRLSTATUS) **out); + STACK_OF(OSSL_CMP_CRLSTATUS) **out); OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_crls(const X509_CRL *crls); int OSSL_CMP_ITAV_get0_crls(const OSSL_CMP_ITAV *it, STACK_OF(X509_CRL) **out); OSSL_CMP_ITAV *OSSL_CMP_ITAV_new0_certReqTemplate(OSSL_CRMF_CERTTEMPLATE *certTemplate, - OSSL_CMP_ATAVS *keySpec); + OSSL_CMP_ATAVS *keySpec); int OSSL_CMP_ITAV_get1_certReqTemplate(const OSSL_CMP_ITAV *itav, - OSSL_CRMF_CERTTEMPLATE **certTemplate, - OSSL_CMP_ATAVS **keySpec); + OSSL_CRMF_CERTTEMPLATE **certTemplate, + OSSL_CMP_ATAVS **keySpec); OSSL_CMP_ATAV *OSSL_CMP_ATAV_create(ASN1_OBJECT *type, ASN1_TYPE *value); void OSSL_CMP_ATAV_set0(OSSL_CMP_ATAV *itav, ASN1_OBJECT *type, - ASN1_TYPE *value); + ASN1_TYPE *value); ASN1_OBJECT *OSSL_CMP_ATAV_get0_type(const OSSL_CMP_ATAV *itav); ASN1_TYPE *OSSL_CMP_ATAV_get0_value(const OSSL_CMP_ATAV *itav); OSSL_CMP_ATAV *OSSL_CMP_ATAV_new_algId(const X509_ALGOR *alg); 
@@ -479,35 +493,35 @@ int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx); OSSL_LIB_CTX *OSSL_CMP_CTX_get0_libctx(const OSSL_CMP_CTX *ctx); const char *OSSL_CMP_CTX_get0_propq(const OSSL_CMP_CTX *ctx); /* CMP general options: */ -# define OSSL_CMP_OPT_LOG_VERBOSITY 0 +#define OSSL_CMP_OPT_LOG_VERBOSITY 0 /* CMP transfer options: */ -# define OSSL_CMP_OPT_KEEP_ALIVE 10 -# define OSSL_CMP_OPT_MSG_TIMEOUT 11 -# define OSSL_CMP_OPT_TOTAL_TIMEOUT 12 -# define OSSL_CMP_OPT_USE_TLS 13 +#define OSSL_CMP_OPT_KEEP_ALIVE 10 +#define OSSL_CMP_OPT_MSG_TIMEOUT 11 +#define OSSL_CMP_OPT_TOTAL_TIMEOUT 12 +#define OSSL_CMP_OPT_USE_TLS 13 /* CMP request options: */ -# define OSSL_CMP_OPT_VALIDITY_DAYS 20 -# define OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT 21 -# define OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL 22 -# define OSSL_CMP_OPT_POLICIES_CRITICAL 23 -# define OSSL_CMP_OPT_POPO_METHOD 24 -# define OSSL_CMP_OPT_IMPLICIT_CONFIRM 25 -# define OSSL_CMP_OPT_DISABLE_CONFIRM 26 -# define OSSL_CMP_OPT_REVOCATION_REASON 27 +#define OSSL_CMP_OPT_VALIDITY_DAYS 20 +#define OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT 21 +#define OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL 22 +#define OSSL_CMP_OPT_POLICIES_CRITICAL 23 +#define OSSL_CMP_OPT_POPO_METHOD 24 +#define OSSL_CMP_OPT_IMPLICIT_CONFIRM 25 +#define OSSL_CMP_OPT_DISABLE_CONFIRM 26 +#define OSSL_CMP_OPT_REVOCATION_REASON 27 /* CMP protection options: */ -# define OSSL_CMP_OPT_UNPROTECTED_SEND 30 -# define OSSL_CMP_OPT_UNPROTECTED_ERRORS 31 -# define OSSL_CMP_OPT_OWF_ALGNID 32 -# define OSSL_CMP_OPT_MAC_ALGNID 33 -# define OSSL_CMP_OPT_DIGEST_ALGNID 34 -# define OSSL_CMP_OPT_IGNORE_KEYUSAGE 35 -# define OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR 36 -# define OSSL_CMP_OPT_NO_CACHE_EXTRACERTS 37 +#define OSSL_CMP_OPT_UNPROTECTED_SEND 30 +#define OSSL_CMP_OPT_UNPROTECTED_ERRORS 31 +#define OSSL_CMP_OPT_OWF_ALGNID 32 +#define OSSL_CMP_OPT_MAC_ALGNID 33 +#define OSSL_CMP_OPT_DIGEST_ALGNID 34 +#define OSSL_CMP_OPT_IGNORE_KEYUSAGE 35 +#define 
OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR 36 +#define OSSL_CMP_OPT_NO_CACHE_EXTRACERTS 37 int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val); int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt); /* CMP-specific callback for logging and outputting the error queue: */ int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_log_cb_t cb); -# define OSSL_CMP_CTX_set_log_verbosity(ctx, level) \ +#define OSSL_CMP_CTX_set_log_verbosity(ctx, level) \ OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_LOG_VERBOSITY, level) void OSSL_CMP_CTX_print_errors(const OSSL_CMP_CTX *ctx); /* message transfer: */ @@ -516,13 +530,13 @@ int OSSL_CMP_CTX_set1_server(OSSL_CMP_CTX *ctx, const char *address); int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port); int OSSL_CMP_CTX_set1_proxy(OSSL_CMP_CTX *ctx, const char *name); int OSSL_CMP_CTX_set1_no_proxy(OSSL_CMP_CTX *ctx, const char *names); -# ifndef OPENSSL_NO_HTTP +#ifndef OPENSSL_NO_HTTP int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_HTTP_bio_cb_t cb); int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg); void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx); -# endif -typedef OSSL_CMP_MSG *(*OSSL_CMP_transfer_cb_t) (OSSL_CMP_CTX *ctx, - const OSSL_CMP_MSG *req); +#endif +typedef OSSL_CMP_MSG *(*OSSL_CMP_transfer_cb_t)(OSSL_CMP_CTX *ctx, + const OSSL_CMP_MSG *req); int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_transfer_cb_t cb); int OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX *ctx, void *arg); void *OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX *ctx); 
@@ -530,28 +544,28 @@ void *OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX *ctx); int OSSL_CMP_CTX_set1_srvCert(OSSL_CMP_CTX *ctx, X509 *cert); int OSSL_CMP_CTX_set1_expected_sender(OSSL_CMP_CTX *ctx, const X509_NAME *name); int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store); -# define OSSL_CMP_CTX_set0_trusted OSSL_CMP_CTX_set0_trustedStore +#define OSSL_CMP_CTX_set0_trusted OSSL_CMP_CTX_set0_trustedStore X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx); -# define OSSL_CMP_CTX_get0_trusted OSSL_CMP_CTX_get0_trustedStore +#define OSSL_CMP_CTX_get0_trusted OSSL_CMP_CTX_get0_trustedStore int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs); STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted(const OSSL_CMP_CTX *ctx); /* client authentication: */ int OSSL_CMP_CTX_set1_cert(OSSL_CMP_CTX *ctx, X509 *cert); int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted, - STACK_OF(X509) *candidates); + STACK_OF(X509) *candidates); int OSSL_CMP_CTX_set1_pkey(OSSL_CMP_CTX *ctx, EVP_PKEY *pkey); int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx, - const unsigned char *ref, int len); + const unsigned char *ref, int len); int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, - const unsigned char *sec, int len); + const unsigned char *sec, int len); /* CMP message header and extra certificates: */ int OSSL_CMP_CTX_set1_recipient(OSSL_CMP_CTX *ctx, const X509_NAME *name); int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav); int OSSL_CMP_CTX_reset_geninfo_ITAVs(OSSL_CMP_CTX *ctx); STACK_OF(OSSL_CMP_ITAV) - *OSSL_CMP_CTX_get0_geninfo_ITAVs(const OSSL_CMP_CTX *ctx); +*OSSL_CMP_CTX_get0_geninfo_ITAVs(const OSSL_CMP_CTX *ctx); int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx, - STACK_OF(X509) *extraCertsOut); + STACK_OF(X509) *extraCertsOut); /* certificate template: */ int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey); EVP_PKEY 
*OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv); @@ -559,7 +573,7 @@ int OSSL_CMP_CTX_set1_issuer(OSSL_CMP_CTX *ctx, const X509_NAME *name); int OSSL_CMP_CTX_set1_serialNumber(OSSL_CMP_CTX *ctx, const ASN1_INTEGER *sn); int OSSL_CMP_CTX_set1_subjectName(OSSL_CMP_CTX *ctx, const X509_NAME *name); int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx, - const GENERAL_NAME *name); + const GENERAL_NAME *name); int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts); int OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX *ctx); int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo); @@ -568,10 +582,10 @@ int OSSL_CMP_CTX_set1_p10CSR(OSSL_CMP_CTX *ctx, const X509_REQ *csr); /* misc body contents: */ int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav); /* certificate confirmation: */ -typedef int (*OSSL_CMP_certConf_cb_t) (OSSL_CMP_CTX *ctx, X509 *cert, - int fail_info, const char **txt); +typedef int (*OSSL_CMP_certConf_cb_t)(OSSL_CMP_CTX *ctx, X509 *cert, + int fail_info, const char **txt); int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info, - const char **text); + const char **text); int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_certConf_cb_t cb); int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg); void *OSSL_CMP_CTX_get_certConf_cb_arg(const OSSL_CMP_CTX *ctx); 
@@ -579,31 +593,30 @@ void *OSSL_CMP_CTX_get_certConf_cb_arg(const OSSL_CMP_CTX *ctx); int OSSL_CMP_CTX_get_status(const OSSL_CMP_CTX *ctx); OSSL_CMP_PKIFREETEXT *OSSL_CMP_CTX_get0_statusString(const OSSL_CMP_CTX *ctx); int OSSL_CMP_CTX_get_failInfoCode(const OSSL_CMP_CTX *ctx); -# define OSSL_CMP_PKISI_BUFLEN 1024 +#define OSSL_CMP_PKISI_BUFLEN 1024 X509 *OSSL_CMP_CTX_get0_validatedSrvCert(const OSSL_CMP_CTX *ctx); X509 *OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX *ctx); STACK_OF(X509) *OSSL_CMP_CTX_get1_newChain(const OSSL_CMP_CTX *ctx); STACK_OF(X509) *OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX *ctx); STACK_OF(X509) *OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX *ctx); int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx, - const ASN1_OCTET_STRING *id); + const ASN1_OCTET_STRING *id); int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx, - const ASN1_OCTET_STRING *nonce); + const ASN1_OCTET_STRING *nonce); /* from cmp_status.c */ char *OSSL_CMP_CTX_snprint_PKIStatus(const OSSL_CMP_CTX *ctx, char *buf, - size_t bufsize); + size_t bufsize); char *OSSL_CMP_snprint_PKIStatusInfo(const OSSL_CMP_PKISI *statusInfo, - char *buf, size_t bufsize); + char *buf, size_t bufsize); OSSL_CMP_PKISI * OSSL_CMP_STATUSINFO_new(int status, int fail_info, const char *text); /* from cmp_hdr.c */ -ASN1_OCTET_STRING *OSSL_CMP_HDR_get0_transactionID(const - OSSL_CMP_PKIHEADER *hdr); +ASN1_OCTET_STRING *OSSL_CMP_HDR_get0_transactionID(const OSSL_CMP_PKIHEADER *hdr); ASN1_OCTET_STRING *OSSL_CMP_HDR_get0_recipNonce(const OSSL_CMP_PKIHEADER *hdr); STACK_OF(OSSL_CMP_ITAV) - *OSSL_CMP_HDR_get0_geninfo_ITAVs(const OSSL_CMP_PKIHEADER *hdr); +*OSSL_CMP_HDR_get0_geninfo_ITAVs(const OSSL_CMP_PKIHEADER *hdr); /* from cmp_msg.c */ OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg); 
@@ -613,7 +626,7 @@ int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); int OSSL_CMP_MSG_update_recipNonce(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid); OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx, - const char *propq); + const char *propq); int OSSL_CMP_MSG_write(const char *file, const OSSL_CMP_MSG *msg); OSSL_CMP_MSG *d2i_OSSL_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg); int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg); 
@@ -621,107 +634,106 @@ int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg); /* from cmp_vfy.c */ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg); int OSSL_CMP_validate_cert_path(const OSSL_CMP_CTX *ctx, - X509_STORE *trusted_store, X509 *cert); + X509_STORE *trusted_store, X509 *cert); /* from cmp_http.c */ -# ifndef OPENSSL_NO_HTTP +#ifndef OPENSSL_NO_HTTP OSSL_CMP_MSG *OSSL_CMP_MSG_http_perform(OSSL_CMP_CTX *ctx, - const OSSL_CMP_MSG *req); -# endif + const OSSL_CMP_MSG *req); +#endif /* from cmp_server.c */ typedef struct ossl_cmp_srv_ctx_st OSSL_CMP_SRV_CTX; OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx, - const OSSL_CMP_MSG *req); -OSSL_CMP_MSG * OSSL_CMP_CTX_server_perform(OSSL_CMP_CTX *client_ctx, - const OSSL_CMP_MSG *req); + const OSSL_CMP_MSG *req); +OSSL_CMP_MSG *OSSL_CMP_CTX_server_perform(OSSL_CMP_CTX *client_ctx, + const OSSL_CMP_MSG *req); OSSL_CMP_SRV_CTX *OSSL_CMP_SRV_CTX_new(OSSL_LIB_CTX *libctx, const char *propq); void OSSL_CMP_SRV_CTX_free(OSSL_CMP_SRV_CTX *srv_ctx); -typedef OSSL_CMP_PKISI *(*OSSL_CMP_SRV_cert_request_cb_t) - (OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *req, int certReqId, - const OSSL_CRMF_MSG *crm, const X509_REQ *p10cr, - X509 **certOut, STACK_OF(X509) **chainOut, STACK_OF(X509) **caPubs); +typedef OSSL_CMP_PKISI *(*OSSL_CMP_SRV_cert_request_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *req, int certReqId, + const OSSL_CRMF_MSG *crm, const X509_REQ *p10cr, + X509 **certOut, STACK_OF(X509) **chainOut, STACK_OF(X509) **caPubs); typedef OSSL_CMP_PKISI *(*OSSL_CMP_SRV_rr_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx, - const OSSL_CMP_MSG *req, - const X509_NAME *issuer, - const ASN1_INTEGER *serial); + const OSSL_CMP_MSG *req, + const X509_NAME *issuer, + const ASN1_INTEGER *serial); typedef int (*OSSL_CMP_SRV_genm_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx, - const OSSL_CMP_MSG *req, - const STACK_OF(OSSL_CMP_ITAV) *in, - STACK_OF(OSSL_CMP_ITAV) **out); + const OSSL_CMP_MSG *req, + const 
STACK_OF(OSSL_CMP_ITAV) *in, + STACK_OF(OSSL_CMP_ITAV) **out); typedef void (*OSSL_CMP_SRV_error_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx, - const OSSL_CMP_MSG *req, - const OSSL_CMP_PKISI *statusInfo, - const ASN1_INTEGER *errorCode, - const OSSL_CMP_PKIFREETEXT *errDetails); + const OSSL_CMP_MSG *req, + const OSSL_CMP_PKISI *statusInfo, + const ASN1_INTEGER *errorCode, + const OSSL_CMP_PKIFREETEXT *errDetails); typedef int (*OSSL_CMP_SRV_certConf_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx, - const OSSL_CMP_MSG *req, - int certReqId, - const ASN1_OCTET_STRING *certHash, - const OSSL_CMP_PKISI *si); + const OSSL_CMP_MSG *req, + int certReqId, + const ASN1_OCTET_STRING *certHash, + const OSSL_CMP_PKISI *si); typedef int (*OSSL_CMP_SRV_pollReq_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx, - const OSSL_CMP_MSG *req, int certReqId, - OSSL_CMP_MSG **certReq, - int64_t *check_after); + const OSSL_CMP_MSG *req, int certReqId, + OSSL_CMP_MSG **certReq, + int64_t *check_after); int OSSL_CMP_SRV_CTX_init(OSSL_CMP_SRV_CTX *srv_ctx, void *custom_ctx, - OSSL_CMP_SRV_cert_request_cb_t process_cert_request, - OSSL_CMP_SRV_rr_cb_t process_rr, - OSSL_CMP_SRV_genm_cb_t process_genm, - OSSL_CMP_SRV_error_cb_t process_error, - OSSL_CMP_SRV_certConf_cb_t process_certConf, - OSSL_CMP_SRV_pollReq_cb_t process_pollReq); + OSSL_CMP_SRV_cert_request_cb_t process_cert_request, + OSSL_CMP_SRV_rr_cb_t process_rr, + OSSL_CMP_SRV_genm_cb_t process_genm, + OSSL_CMP_SRV_error_cb_t process_error, + OSSL_CMP_SRV_certConf_cb_t process_certConf, + OSSL_CMP_SRV_pollReq_cb_t process_pollReq); typedef int (*OSSL_CMP_SRV_delayed_delivery_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx, - const OSSL_CMP_MSG *req); + const OSSL_CMP_MSG *req); typedef int (*OSSL_CMP_SRV_clean_transaction_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx, - const ASN1_OCTET_STRING *id); + const ASN1_OCTET_STRING *id); int OSSL_CMP_SRV_CTX_init_trans(OSSL_CMP_SRV_CTX *srv_ctx, - OSSL_CMP_SRV_delayed_delivery_cb_t delay, - OSSL_CMP_SRV_clean_transaction_cb_t clean); + 
OSSL_CMP_SRV_delayed_delivery_cb_t delay, + OSSL_CMP_SRV_clean_transaction_cb_t clean); OSSL_CMP_CTX *OSSL_CMP_SRV_CTX_get0_cmp_ctx(const OSSL_CMP_SRV_CTX *srv_ctx); void *OSSL_CMP_SRV_CTX_get0_custom_ctx(const OSSL_CMP_SRV_CTX *srv_ctx); int OSSL_CMP_SRV_CTX_set_send_unprotected_errors(OSSL_CMP_SRV_CTX *srv_ctx, - int val); + int val); int OSSL_CMP_SRV_CTX_set_accept_unprotected(OSSL_CMP_SRV_CTX *srv_ctx, int val); int OSSL_CMP_SRV_CTX_set_accept_raverified(OSSL_CMP_SRV_CTX *srv_ctx, int val); int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx, - int val); + int val); /* from cmp_client.c */ X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type, - const OSSL_CRMF_MSG *crm); -# define OSSL_CMP_IR 0 -# define OSSL_CMP_CR 2 -# define OSSL_CMP_P10CR 4 -# define OSSL_CMP_KUR 7 -# define OSSL_CMP_GENM 21 -# define OSSL_CMP_ERROR 23 -# define OSSL_CMP_exec_IR_ses(ctx) \ + const OSSL_CRMF_MSG *crm); +#define OSSL_CMP_IR 0 +#define OSSL_CMP_CR 2 +#define OSSL_CMP_P10CR 4 +#define OSSL_CMP_KUR 7 +#define OSSL_CMP_GENM 21 +#define OSSL_CMP_ERROR 23 +#define OSSL_CMP_exec_IR_ses(ctx) \ OSSL_CMP_exec_certreq(ctx, OSSL_CMP_IR, NULL) -# define OSSL_CMP_exec_CR_ses(ctx) \ +#define OSSL_CMP_exec_CR_ses(ctx) \ OSSL_CMP_exec_certreq(ctx, OSSL_CMP_CR, NULL) -# define OSSL_CMP_exec_P10CR_ses(ctx) \ +#define OSSL_CMP_exec_P10CR_ses(ctx) \ OSSL_CMP_exec_certreq(ctx, OSSL_CMP_P10CR, NULL) -# define OSSL_CMP_exec_KUR_ses(ctx) \ +#define OSSL_CMP_exec_KUR_ses(ctx) \ OSSL_CMP_exec_certreq(ctx, OSSL_CMP_KUR, NULL) int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, - const OSSL_CRMF_MSG *crm, int *checkAfter); + const OSSL_CRMF_MSG *crm, int *checkAfter); int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx); STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx); /* from cmp_genm.c */ int OSSL_CMP_get1_caCerts(OSSL_CMP_CTX *ctx, STACK_OF(X509) **out); int OSSL_CMP_get1_rootCaKeyUpdate(OSSL_CMP_CTX *ctx, - const X509 *oldWithOld, X509 **newWithNew, - X509 
**newWithOld, X509 **oldWithNew); + const X509 *oldWithOld, X509 **newWithNew, + X509 **newWithOld, X509 **oldWithNew); int OSSL_CMP_get1_crlUpdate(OSSL_CMP_CTX *ctx, const X509 *crlcert, - const X509_CRL *last_crl, - X509_CRL **crl); + const X509_CRL *last_crl, + X509_CRL **crl); int OSSL_CMP_get1_certReqTemplate(OSSL_CMP_CTX *ctx, - OSSL_CRMF_CERTTEMPLATE **certTemplate, - OSSL_CMP_ATAVS **keySpec); + OSSL_CRMF_CERTTEMPLATE **certTemplate, + OSSL_CMP_ATAVS **keySpec); -# ifdef __cplusplus +#ifdef __cplusplus } -# endif -# endif /* !defined(OPENSSL_NO_CMP) */ +#endif +#endif /* !defined(OPENSSL_NO_CMP) */ #endif /* !defined(OPENSSL_CMP_H) */ diff --git a/crypto/openssl/include/openssl/cms.h b/crypto/openssl/include/openssl/cms.h index 63afab563557..e590224acae5 100644 --- a/crypto/openssl/include/openssl/cms.h +++ b/crypto/openssl/include/openssl/cms.h @@ -10,26 +10,28 @@ * https://www.openssl.org/source/license.html */ +/* clang-format off */ +/* clang-format on */ #ifndef OPENSSL_CMS_H -# define OPENSSL_CMS_H -# pragma once +#define OPENSSL_CMS_H +#pragma once -# include <openssl/macros.h> -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define HEADER_CMS_H -# endif +#include <openssl/macros.h> +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define HEADER_CMS_H +#endif -# include <openssl/opensslconf.h> +#include <openssl/opensslconf.h> -# ifndef OPENSSL_NO_CMS -# include <openssl/x509.h> -# include <openssl/x509v3.h> -# include <openssl/cmserr.h> -# ifdef __cplusplus +#ifndef OPENSSL_NO_CMS +#include <openssl/x509.h> +#include <openssl/x509v3.h> +#include <openssl/cmserr.h> +#ifdef __cplusplus extern "C" { -# endif +#endif typedef struct CMS_EnvelopedData_st CMS_EnvelopedData; typedef struct CMS_ContentInfo_st CMS_ContentInfo; 
@@ -43,6 +45,7 @@ typedef struct CMS_Receipt_st CMS_Receipt; typedef struct CMS_RecipientEncryptedKey_st CMS_RecipientEncryptedKey; typedef struct CMS_OtherKeyAttribute_st CMS_OtherKeyAttribute; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(CMS_SignerInfo, CMS_SignerInfo, CMS_SignerInfo) #define sk_CMS_SignerInfo_num(sk) OPENSSL_sk_num(ossl_check_const_CMS_SignerInfo_sk_type(sk)) #define sk_CMS_SignerInfo_value(sk, idx) ((CMS_SignerInfo *)OPENSSL_sk_value(ossl_check_const_CMS_SignerInfo_sk_type(sk), (idx))) @@ -148,6 +151,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(CMS_RevocationInfoChoice, CMS_RevocationInfoChoice, #define sk_CMS_RevocationInfoChoice_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(CMS_RevocationInfoChoice) *)OPENSSL_sk_deep_copy(ossl_check_const_CMS_RevocationInfoChoice_sk_type(sk), ossl_check_CMS_RevocationInfoChoice_copyfunc_type(copyfunc), ossl_check_CMS_RevocationInfoChoice_freefunc_type(freefunc))) #define sk_CMS_RevocationInfoChoice_set_cmp_func(sk, cmp) ((sk_CMS_RevocationInfoChoice_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_CMS_RevocationInfoChoice_sk_type(sk), ossl_check_CMS_RevocationInfoChoice_compfunc_type(cmp))) +/* clang-format on */ DECLARE_ASN1_ITEM(CMS_EnvelopedData) DECLARE_ASN1_ALLOC_FUNCTIONS(CMS_SignedData) 
@@ -159,44 +163,44 @@ DECLARE_ASN1_DUP_FUNCTION(CMS_EnvelopedData) CMS_ContentInfo *CMS_ContentInfo_new_ex(OSSL_LIB_CTX *libctx, const char *propq); -# define CMS_SIGNERINFO_ISSUER_SERIAL 0 -# define CMS_SIGNERINFO_KEYIDENTIFIER 1 +#define CMS_SIGNERINFO_ISSUER_SERIAL 0 +#define CMS_SIGNERINFO_KEYIDENTIFIER 1 -# define CMS_RECIPINFO_NONE -1 -# define CMS_RECIPINFO_TRANS 0 -# define CMS_RECIPINFO_AGREE 1 -# define CMS_RECIPINFO_KEK 2 -# define CMS_RECIPINFO_PASS 3 -# define CMS_RECIPINFO_OTHER 4 +#define CMS_RECIPINFO_NONE -1 +#define CMS_RECIPINFO_TRANS 0 +#define CMS_RECIPINFO_AGREE 1 +#define CMS_RECIPINFO_KEK 2 +#define CMS_RECIPINFO_PASS 3 +#define CMS_RECIPINFO_OTHER 4 /* S/MIME related flags */ -# define CMS_TEXT 0x1 -# define CMS_NOCERTS 0x2 -# define CMS_NO_CONTENT_VERIFY 0x4 -# define CMS_NO_ATTR_VERIFY 0x8 -# define CMS_NOSIGS \ - (CMS_NO_CONTENT_VERIFY|CMS_NO_ATTR_VERIFY) -# define CMS_NOINTERN 0x10 -# define CMS_NO_SIGNER_CERT_VERIFY 0x20 -# define CMS_NOVERIFY 0x20 -# define CMS_DETACHED 0x40 -# define CMS_BINARY 0x80 -# define CMS_NOATTR 0x100 -# define CMS_NOSMIMECAP 0x200 -# define CMS_NOOLDMIMETYPE 0x400 -# define CMS_CRLFEOL 0x800 -# define CMS_STREAM 0x1000 -# define CMS_NOCRL 0x2000 -# define CMS_PARTIAL 0x4000 -# define CMS_REUSE_DIGEST 0x8000 -# define CMS_USE_KEYID 0x10000 -# define CMS_DEBUG_DECRYPT 0x20000 -# define CMS_KEY_PARAM 0x40000 -# define CMS_ASCIICRLF 0x80000 -# define CMS_CADES 0x100000 -# define CMS_USE_ORIGINATOR_KEYID 0x200000 -# define CMS_NO_SIGNING_TIME 0x400000 +#define CMS_TEXT 0x1 +#define CMS_NOCERTS 0x2 +#define CMS_NO_CONTENT_VERIFY 0x4 +#define CMS_NO_ATTR_VERIFY 0x8 +#define CMS_NOSIGS \ + (CMS_NO_CONTENT_VERIFY | CMS_NO_ATTR_VERIFY) +#define CMS_NOINTERN 0x10 +#define CMS_NO_SIGNER_CERT_VERIFY 0x20 +#define CMS_NOVERIFY 0x20 +#define CMS_DETACHED 0x40 +#define CMS_BINARY 0x80 +#define CMS_NOATTR 0x100 +#define CMS_NOSMIMECAP 0x200 +#define CMS_NOOLDMIMETYPE 0x400 +#define CMS_CRLFEOL 0x800 +#define CMS_STREAM 
0x1000 +#define CMS_NOCRL 0x2000 +#define CMS_PARTIAL 0x4000 +#define CMS_REUSE_DIGEST 0x8000 +#define CMS_USE_KEYID 0x10000 +#define CMS_DEBUG_DECRYPT 0x20000 +#define CMS_KEY_PARAM 0x40000 +#define CMS_ASCIICRLF 0x80000 +#define CMS_CADES 0x100000 +#define CMS_USE_ORIGINATOR_KEYID 0x200000 +#define CMS_NO_SIGNING_TIME 0x400000 const ASN1_OBJECT *CMS_get0_type(const CMS_ContentInfo *cms); @@ -207,9 +211,9 @@ ASN1_OCTET_STRING **CMS_get0_content(CMS_ContentInfo *cms); int CMS_is_detached(CMS_ContentInfo *cms); int CMS_set_detached(CMS_ContentInfo *cms, int detached); -# ifdef OPENSSL_PEM_H +#ifdef OPENSSL_PEM_H DECLARE_PEM_rw(CMS, CMS_ContentInfo) -# endif +#endif int CMS_stream(unsigned char ***boundary, CMS_ContentInfo *cms); CMS_ContentInfo *d2i_CMS_bio(BIO *bp, CMS_ContentInfo **cms); int i2d_CMS_bio(BIO *bp, CMS_ContentInfo *cms); 
@@ -217,83 +221,83 @@ int i2d_CMS_bio(BIO *bp, CMS_ContentInfo *cms); BIO *BIO_new_CMS(BIO *out, CMS_ContentInfo *cms); int i2d_CMS_bio_stream(BIO *out, CMS_ContentInfo *cms, BIO *in, int flags); int PEM_write_bio_CMS_stream(BIO *out, CMS_ContentInfo *cms, BIO *in, - int flags); + int flags); CMS_ContentInfo *SMIME_read_CMS(BIO *bio, BIO **bcont); CMS_ContentInfo *SMIME_read_CMS_ex(BIO *bio, int flags, BIO **bcont, CMS_ContentInfo **ci); int SMIME_write_CMS(BIO *bio, CMS_ContentInfo *cms, BIO *data, int flags); int CMS_final(CMS_ContentInfo *cms, BIO *data, BIO *dcont, - unsigned int flags); + unsigned int flags); int CMS_final_digest(CMS_ContentInfo *cms, - const unsigned char *md, unsigned int mdlen, BIO *dcont, - unsigned int flags); + const unsigned char *md, unsigned int mdlen, BIO *dcont, + unsigned int flags); CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey, - STACK_OF(X509) *certs, BIO *data, - unsigned int flags); + STACK_OF(X509) *certs, BIO *data, + unsigned int flags); CMS_ContentInfo *CMS_sign_ex(X509 *signcert, EVP_PKEY *pkey, - STACK_OF(X509) *certs, BIO *data, - unsigned int flags, OSSL_LIB_CTX *libctx, - const char *propq); + STACK_OF(X509) *certs, BIO *data, + unsigned int flags, OSSL_LIB_CTX *libctx, + const char *propq); CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si, - X509 *signcert, EVP_PKEY *pkey, - STACK_OF(X509) *certs, unsigned int flags); + X509 *signcert, EVP_PKEY *pkey, + STACK_OF(X509) *certs, unsigned int flags); int CMS_data(CMS_ContentInfo *cms, BIO *out, unsigned int flags); CMS_ContentInfo *CMS_data_create(BIO *in, unsigned int flags); CMS_ContentInfo *CMS_data_create_ex(BIO *in, unsigned int flags, - OSSL_LIB_CTX *libctx, const char *propq); + OSSL_LIB_CTX *libctx, const char *propq); int CMS_digest_verify(CMS_ContentInfo *cms, BIO *dcont, BIO *out, - unsigned int flags); + unsigned int flags); CMS_ContentInfo *CMS_digest_create(BIO *in, const EVP_MD *md, - unsigned int flags); + unsigned int flags); 
CMS_ContentInfo *CMS_digest_create_ex(BIO *in, const EVP_MD *md, - unsigned int flags, OSSL_LIB_CTX *libctx, - const char *propq); + unsigned int flags, OSSL_LIB_CTX *libctx, + const char *propq); int CMS_EncryptedData_decrypt(CMS_ContentInfo *cms, - const unsigned char *key, size_t keylen, - BIO *dcont, BIO *out, unsigned int flags); + const unsigned char *key, size_t keylen, + BIO *dcont, BIO *out, unsigned int flags); CMS_ContentInfo *CMS_EncryptedData_encrypt(BIO *in, const EVP_CIPHER *cipher, - const unsigned char *key, - size_t keylen, unsigned int flags); + const unsigned char *key, + size_t keylen, unsigned int flags); CMS_ContentInfo *CMS_EncryptedData_encrypt_ex(BIO *in, const EVP_CIPHER *cipher, - const unsigned char *key, - size_t keylen, unsigned int flags, - OSSL_LIB_CTX *libctx, - const char *propq); + const unsigned char *key, + size_t keylen, unsigned int flags, + OSSL_LIB_CTX *libctx, + const char *propq); int CMS_EncryptedData_set1_key(CMS_ContentInfo *cms, const EVP_CIPHER *ciph, - const unsigned char *key, size_t keylen); + const unsigned char *key, size_t keylen); int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, - X509_STORE *store, BIO *dcont, BIO *out, unsigned int flags); + X509_STORE *store, BIO *dcont, BIO *out, unsigned int flags); int CMS_verify_receipt(CMS_ContentInfo *rcms, CMS_ContentInfo *ocms, - STACK_OF(X509) *certs, - X509_STORE *store, unsigned int flags); + STACK_OF(X509) *certs, + X509_STORE *store, unsigned int flags); STACK_OF(X509) *CMS_get0_signers(CMS_ContentInfo *cms); CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *in, - const EVP_CIPHER *cipher, unsigned int flags); + const EVP_CIPHER *cipher, unsigned int flags); CMS_ContentInfo *CMS_encrypt_ex(STACK_OF(X509) *certs, BIO *in, - const EVP_CIPHER *cipher, unsigned int flags, - OSSL_LIB_CTX *libctx, const char *propq); + const EVP_CIPHER *cipher, unsigned int flags, + OSSL_LIB_CTX *libctx, const char *propq); int CMS_decrypt(CMS_ContentInfo *cms, 
EVP_PKEY *pkey, X509 *cert, - BIO *dcont, BIO *out, unsigned int flags); + BIO *dcont, BIO *out, unsigned int flags); int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert); int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, - X509 *cert, X509 *peer); + X509 *cert, X509 *peer); int CMS_decrypt_set1_key(CMS_ContentInfo *cms, - unsigned char *key, size_t keylen, - const unsigned char *id, size_t idlen); + unsigned char *key, size_t keylen, + const unsigned char *id, size_t idlen); int CMS_decrypt_set1_password(CMS_ContentInfo *cms, - unsigned char *pass, ossl_ssize_t passlen); + unsigned char *pass, ossl_ssize_t passlen); STACK_OF(CMS_RecipientInfo) *CMS_get0_RecipientInfos(CMS_ContentInfo *cms); int CMS_RecipientInfo_type(CMS_RecipientInfo *ri); 
@@ -301,66 +305,66 @@ EVP_PKEY_CTX *CMS_RecipientInfo_get0_pkey_ctx(CMS_RecipientInfo *ri); CMS_ContentInfo *CMS_AuthEnvelopedData_create(const EVP_CIPHER *cipher); CMS_ContentInfo * CMS_AuthEnvelopedData_create_ex(const EVP_CIPHER *cipher, OSSL_LIB_CTX *libctx, - const char *propq); + const char *propq); CMS_ContentInfo *CMS_EnvelopedData_create(const EVP_CIPHER *cipher); CMS_ContentInfo *CMS_EnvelopedData_create_ex(const EVP_CIPHER *cipher, - OSSL_LIB_CTX *libctx, - const char *propq); + OSSL_LIB_CTX *libctx, + const char *propq); BIO *CMS_EnvelopedData_decrypt(CMS_EnvelopedData *env, BIO *detached_data, - EVP_PKEY *pkey, X509 *cert, - ASN1_OCTET_STRING *secret, unsigned int flags, - OSSL_LIB_CTX *libctx, const char *propq); + EVP_PKEY *pkey, X509 *cert, + ASN1_OCTET_STRING *secret, unsigned int flags, + OSSL_LIB_CTX *libctx, const char *propq); CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms, - X509 *recip, unsigned int flags); + X509 *recip, unsigned int flags); CMS_RecipientInfo *CMS_add1_recipient(CMS_ContentInfo *cms, X509 *recip, - EVP_PKEY *originatorPrivKey, X509 * originator, unsigned int flags); + EVP_PKEY *originatorPrivKey, X509 *originator, unsigned int flags); int CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pkey); int CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert); int CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo *ri, - EVP_PKEY **pk, X509 **recip, - X509_ALGOR **palg); + EVP_PKEY **pk, X509 **recip, + X509_ALGOR **palg); int CMS_RecipientInfo_ktri_get0_signer_id(CMS_RecipientInfo *ri, - ASN1_OCTET_STRING **keyid, - X509_NAME **issuer, - ASN1_INTEGER **sno); + ASN1_OCTET_STRING **keyid, + X509_NAME **issuer, + ASN1_INTEGER **sno); CMS_RecipientInfo *CMS_add0_recipient_key(CMS_ContentInfo *cms, int nid, - unsigned char *key, size_t keylen, - unsigned char *id, size_t idlen, - ASN1_GENERALIZEDTIME *date, - ASN1_OBJECT *otherTypeId, - ASN1_TYPE *otherType); + unsigned char *key, size_t keylen, 
+ unsigned char *id, size_t idlen, + ASN1_GENERALIZEDTIME *date, + ASN1_OBJECT *otherTypeId, + ASN1_TYPE *otherType); int CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo *ri, - X509_ALGOR **palg, - ASN1_OCTET_STRING **pid, - ASN1_GENERALIZEDTIME **pdate, - ASN1_OBJECT **potherid, - ASN1_TYPE **pothertype); + X509_ALGOR **palg, + ASN1_OCTET_STRING **pid, + ASN1_GENERALIZEDTIME **pdate, + ASN1_OBJECT **potherid, + ASN1_TYPE **pothertype); int CMS_RecipientInfo_set0_key(CMS_RecipientInfo *ri, - unsigned char *key, size_t keylen); + unsigned char *key, size_t keylen); int CMS_RecipientInfo_kekri_id_cmp(CMS_RecipientInfo *ri, - const unsigned char *id, size_t idlen); + const unsigned char *id, size_t idlen); int CMS_RecipientInfo_set0_password(CMS_RecipientInfo *ri, - unsigned char *pass, - ossl_ssize_t passlen); + unsigned char *pass, + ossl_ssize_t passlen); CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms, - int iter, int wrap_nid, - int pbe_nid, - unsigned char *pass, - ossl_ssize_t passlen, - const EVP_CIPHER *kekciph); + int iter, int wrap_nid, + int pbe_nid, + unsigned char *pass, + ossl_ssize_t passlen, + const EVP_CIPHER *kekciph); int CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri); int CMS_RecipientInfo_encrypt(const CMS_ContentInfo *cms, CMS_RecipientInfo *ri); int CMS_uncompress(CMS_ContentInfo *cms, BIO *dcont, BIO *out, - unsigned int flags); + unsigned int flags); CMS_ContentInfo *CMS_compress(BIO *in, int comp_nid, unsigned int flags); int CMS_set1_eContentType(CMS_ContentInfo *cms, const ASN1_OBJECT *oid); 
@@ -378,77 +382,77 @@ STACK_OF(X509_CRL) *CMS_get1_crls(CMS_ContentInfo *cms); int CMS_SignedData_init(CMS_ContentInfo *cms); CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, - X509 *signer, EVP_PKEY *pk, const EVP_MD *md, - unsigned int flags); + X509 *signer, EVP_PKEY *pk, const EVP_MD *md, + unsigned int flags); EVP_PKEY_CTX *CMS_SignerInfo_get0_pkey_ctx(CMS_SignerInfo *si); EVP_MD_CTX *CMS_SignerInfo_get0_md_ctx(CMS_SignerInfo *si); STACK_OF(CMS_SignerInfo) *CMS_get0_SignerInfos(CMS_ContentInfo *cms); void CMS_SignerInfo_set1_signer_cert(CMS_SignerInfo *si, X509 *signer); int CMS_SignerInfo_get0_signer_id(CMS_SignerInfo *si, - ASN1_OCTET_STRING **keyid, - X509_NAME **issuer, ASN1_INTEGER **sno); + ASN1_OCTET_STRING **keyid, + X509_NAME **issuer, ASN1_INTEGER **sno); int CMS_SignerInfo_cert_cmp(CMS_SignerInfo *si, X509 *cert); int CMS_set1_signers_certs(CMS_ContentInfo *cms, STACK_OF(X509) *certs, - unsigned int flags); + unsigned int flags); void CMS_SignerInfo_get0_algs(CMS_SignerInfo *si, EVP_PKEY **pk, - X509 **signer, X509_ALGOR **pdig, - X509_ALGOR **psig); + X509 **signer, X509_ALGOR **pdig, + X509_ALGOR **psig); ASN1_OCTET_STRING *CMS_SignerInfo_get0_signature(CMS_SignerInfo *si); int CMS_SignerInfo_sign(CMS_SignerInfo *si); int CMS_SignerInfo_verify(CMS_SignerInfo *si); int CMS_SignerInfo_verify_content(CMS_SignerInfo *si, BIO *chain); BIO *CMS_SignedData_verify(CMS_SignedData *sd, BIO *detached_data, - STACK_OF(X509) *scerts, X509_STORE *store, - STACK_OF(X509) *extra, STACK_OF(X509_CRL) *crls, - unsigned int flags, - OSSL_LIB_CTX *libctx, const char *propq); + STACK_OF(X509) *scerts, X509_STORE *store, + STACK_OF(X509) *extra, STACK_OF(X509_CRL) *crls, + unsigned int flags, + OSSL_LIB_CTX *libctx, const char *propq); int CMS_add_smimecap(CMS_SignerInfo *si, STACK_OF(X509_ALGOR) *algs); int CMS_add_simple_smimecap(STACK_OF(X509_ALGOR) **algs, - int algnid, int keysize); + int algnid, int keysize); int CMS_add_standard_smimecap(STACK_OF(X509_ALGOR) 
**smcap); int CMS_signed_get_attr_count(const CMS_SignerInfo *si); int CMS_signed_get_attr_by_NID(const CMS_SignerInfo *si, int nid, - int lastpos); + int lastpos); int CMS_signed_get_attr_by_OBJ(const CMS_SignerInfo *si, const ASN1_OBJECT *obj, - int lastpos); + int lastpos); X509_ATTRIBUTE *CMS_signed_get_attr(const CMS_SignerInfo *si, int loc); X509_ATTRIBUTE *CMS_signed_delete_attr(CMS_SignerInfo *si, int loc); int CMS_signed_add1_attr(CMS_SignerInfo *si, X509_ATTRIBUTE *attr); int CMS_signed_add1_attr_by_OBJ(CMS_SignerInfo *si, - const ASN1_OBJECT *obj, int type, - const void *bytes, int len); + const ASN1_OBJECT *obj, int type, + const void *bytes, int len); int CMS_signed_add1_attr_by_NID(CMS_SignerInfo *si, - int nid, int type, - const void *bytes, int len); + int nid, int type, + const void *bytes, int len); int CMS_signed_add1_attr_by_txt(CMS_SignerInfo *si, - const char *attrname, int type, - const void *bytes, int len); + const char *attrname, int type, + const void *bytes, int len); void *CMS_signed_get0_data_by_OBJ(const CMS_SignerInfo *si, - const ASN1_OBJECT *oid, - int lastpos, int type); + const ASN1_OBJECT *oid, + int lastpos, int type); int CMS_unsigned_get_attr_count(const CMS_SignerInfo *si); int CMS_unsigned_get_attr_by_NID(const CMS_SignerInfo *si, int nid, - int lastpos); + int lastpos); int CMS_unsigned_get_attr_by_OBJ(const CMS_SignerInfo *si, - const ASN1_OBJECT *obj, int lastpos); + const ASN1_OBJECT *obj, int lastpos); X509_ATTRIBUTE *CMS_unsigned_get_attr(const CMS_SignerInfo *si, int loc); X509_ATTRIBUTE *CMS_unsigned_delete_attr(CMS_SignerInfo *si, int loc); int CMS_unsigned_add1_attr(CMS_SignerInfo *si, X509_ATTRIBUTE *attr); int CMS_unsigned_add1_attr_by_OBJ(CMS_SignerInfo *si, - const ASN1_OBJECT *obj, int type, - const void *bytes, int len); + const ASN1_OBJECT *obj, int type, + const void *bytes, int len); int CMS_unsigned_add1_attr_by_NID(CMS_SignerInfo *si, - int nid, int type, - const void *bytes, int len); + int nid, int 
type, + const void *bytes, int len); int CMS_unsigned_add1_attr_by_txt(CMS_SignerInfo *si, - const char *attrname, int type, - const void *bytes, int len); + const char *attrname, int type, + const void *bytes, int len); void *CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid, - int lastpos, int type); + int lastpos, int type); int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr); CMS_ReceiptRequest *CMS_ReceiptRequest_create0( 
@@ -463,49 +467,49 @@ CMS_ReceiptRequest *CMS_ReceiptRequest_create0_ex( int CMS_add1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest *rr); void CMS_ReceiptRequest_get0_values(CMS_ReceiptRequest *rr, - ASN1_STRING **pcid, - int *pallorfirst, - STACK_OF(GENERAL_NAMES) **plist, - STACK_OF(GENERAL_NAMES) **prto); + ASN1_STRING **pcid, + int *pallorfirst, + STACK_OF(GENERAL_NAMES) **plist, + STACK_OF(GENERAL_NAMES) **prto); int CMS_RecipientInfo_kari_get0_alg(CMS_RecipientInfo *ri, - X509_ALGOR **palg, - ASN1_OCTET_STRING **pukm); + X509_ALGOR **palg, + ASN1_OCTET_STRING **pukm); STACK_OF(CMS_RecipientEncryptedKey) *CMS_RecipientInfo_kari_get0_reks(CMS_RecipientInfo *ri); int CMS_RecipientInfo_kari_get0_orig_id(CMS_RecipientInfo *ri, - X509_ALGOR **pubalg, - ASN1_BIT_STRING **pubkey, - ASN1_OCTET_STRING **keyid, - X509_NAME **issuer, - ASN1_INTEGER **sno); + X509_ALGOR **pubalg, + ASN1_BIT_STRING **pubkey, + ASN1_OCTET_STRING **keyid, + X509_NAME **issuer, + ASN1_INTEGER **sno); int CMS_RecipientInfo_kari_orig_id_cmp(CMS_RecipientInfo *ri, X509 *cert); int CMS_RecipientEncryptedKey_get0_id(CMS_RecipientEncryptedKey *rek, - ASN1_OCTET_STRING **keyid, - ASN1_GENERALIZEDTIME **tm, - CMS_OtherKeyAttribute **other, - X509_NAME **issuer, ASN1_INTEGER **sno); + ASN1_OCTET_STRING **keyid, + ASN1_GENERALIZEDTIME **tm, + CMS_OtherKeyAttribute **other, + X509_NAME **issuer, ASN1_INTEGER **sno); int CMS_RecipientEncryptedKey_cert_cmp(CMS_RecipientEncryptedKey *rek, - X509 *cert); + X509 *cert); int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk); int CMS_RecipientInfo_kari_set0_pkey_and_peer(CMS_RecipientInfo *ri, EVP_PKEY *pk, X509 *peer); EVP_CIPHER_CTX *CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo *ri); int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms, - CMS_RecipientInfo *ri, - CMS_RecipientEncryptedKey *rek); + CMS_RecipientInfo *ri, + CMS_RecipientEncryptedKey *rek); int CMS_SharedInfo_encode(unsigned char **pder, X509_ALGOR *kekalg, - 
ASN1_OCTET_STRING *ukm, int keylen); + ASN1_OCTET_STRING *ukm, int keylen); /* Backward compatibility for spelling errors. */ -# define CMS_R_UNKNOWN_DIGEST_ALGORITM CMS_R_UNKNOWN_DIGEST_ALGORITHM -# define CMS_R_UNSUPPORTED_RECPIENTINFO_TYPE \ +#define CMS_R_UNKNOWN_DIGEST_ALGORITM CMS_R_UNKNOWN_DIGEST_ALGORITHM +#define CMS_R_UNSUPPORTED_RECPIENTINFO_TYPE \ CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE -# ifdef __cplusplus +#ifdef __cplusplus } -# endif -# endif +#endif +#endif #endif diff --git a/crypto/openssl/include/openssl/comp.h b/crypto/openssl/include/openssl/comp.h index 90e39511fe8d..d47246a1a202 100644 --- a/crypto/openssl/include/openssl/comp.h +++ b/crypto/openssl/include/openssl/comp.h 
@@ -7,40 +7,40 @@ * https://www.openssl.org/source/license.html */ +/* clang-format off */ +/* clang-format on */ #ifndef OPENSSL_COMP_H -# define OPENSSL_COMP_H -# pragma once +#define OPENSSL_COMP_H +#pragma once -# include <openssl/macros.h> -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define HEADER_COMP_H -# endif +#include <openssl/macros.h> +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define HEADER_COMP_H +#endif -# include <openssl/opensslconf.h> +#include <openssl/opensslconf.h> -# include <openssl/crypto.h> -# include <openssl/comperr.h> -# ifdef __cplusplus +#include <openssl/crypto.h> +#include <openssl/comperr.h> +#ifdef __cplusplus extern "C" { -# endif - - +#endif -# ifndef OPENSSL_NO_COMP +#ifndef OPENSSL_NO_COMP COMP_CTX *COMP_CTX_new(COMP_METHOD *meth); const COMP_METHOD *COMP_CTX_get_method(const COMP_CTX *ctx); -int COMP_CTX_get_type(const COMP_CTX* comp); +int COMP_CTX_get_type(const COMP_CTX *comp); int COMP_get_type(const COMP_METHOD *meth); const char *COMP_get_name(const COMP_METHOD *meth); void COMP_CTX_free(COMP_CTX *ctx); int COMP_compress_block(COMP_CTX *ctx, unsigned char *out, int olen, - unsigned char *in, int ilen); + unsigned char *in, int ilen); int COMP_expand_block(COMP_CTX *ctx, unsigned char *out, int olen, - unsigned char *in, int ilen); + unsigned char *in, int ilen); COMP_METHOD *COMP_zlib(void); COMP_METHOD *COMP_zlib_oneshot(void); 
@@ -49,20 +49,23 @@ COMP_METHOD *COMP_brotli_oneshot(void); COMP_METHOD *COMP_zstd(void); COMP_METHOD *COMP_zstd_oneshot(void); -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# define COMP_zlib_cleanup() while(0) continue -# endif +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#define COMP_zlib_cleanup() \ + while (0) \ + continue +#endif -# ifdef OPENSSL_BIO_H +#ifdef OPENSSL_BIO_H const BIO_METHOD *BIO_f_zlib(void); const BIO_METHOD *BIO_f_brotli(void); const BIO_METHOD *BIO_f_zstd(void); -# endif +#endif -# endif +#endif typedef struct ssl_comp_st SSL_COMP; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(SSL_COMP, SSL_COMP, SSL_COMP) #define sk_SSL_COMP_num(sk) OPENSSL_sk_num(ossl_check_const_SSL_COMP_sk_type(sk)) #define sk_SSL_COMP_value(sk, idx) ((SSL_COMP *)OPENSSL_sk_value(ossl_check_const_SSL_COMP_sk_type(sk), (idx))) @@ -90,9 +93,9 @@ SKM_DEFINE_STACK_OF_INTERNAL(SSL_COMP, SSL_COMP, SSL_COMP) #define sk_SSL_COMP_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(SSL_COMP) *)OPENSSL_sk_deep_copy(ossl_check_const_SSL_COMP_sk_type(sk), ossl_check_SSL_COMP_copyfunc_type(copyfunc), ossl_check_SSL_COMP_freefunc_type(freefunc))) #define sk_SSL_COMP_set_cmp_func(sk, cmp) ((sk_SSL_COMP_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_SSL_COMP_sk_type(sk), ossl_check_SSL_COMP_compfunc_type(cmp))) +/* clang-format on */ - -# ifdef __cplusplus +#ifdef __cplusplus } -# endif +#endif #endif diff --git a/crypto/openssl/include/openssl/conf.h b/crypto/openssl/include/openssl/conf.h index 38576290bf64..96b1c6803088 100644 --- a/crypto/openssl/include/openssl/conf.h +++ b/crypto/openssl/include/openssl/conf.h 
@@ -10,28 +10,30 @@ * https://www.openssl.org/source/license.html */ +/* clang-format off */ +/* clang-format on */ -#ifndef OPENSSL_CONF_H -# define OPENSSL_CONF_H -# pragma once +#ifndef OPENSSL_CONF_H +#define OPENSSL_CONF_H +#pragma once -# include <openssl/macros.h> -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define HEADER_CONF_H -# endif +#include <openssl/macros.h> +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define HEADER_CONF_H +#endif -# include <openssl/bio.h> -# include <openssl/lhash.h> -# include <openssl/safestack.h> -# include <openssl/e_os2.h> -# include <openssl/types.h> -# include <openssl/conferr.h> -# ifndef OPENSSL_NO_STDIO -# include <stdio.h> -# endif +#include <openssl/bio.h> +#include <openssl/lhash.h> +#include <openssl/safestack.h> +#include <openssl/e_os2.h> +#include <openssl/types.h> +#include <openssl/conferr.h> +#ifndef OPENSSL_NO_STDIO +#include <stdio.h> +#endif -#ifdef __cplusplus +#ifdef __cplusplus extern "C" { #endif @@ -41,6 +43,7 @@ typedef struct { char *value; } CONF_VALUE; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(CONF_VALUE, CONF_VALUE, CONF_VALUE) #define sk_CONF_VALUE_num(sk) OPENSSL_sk_num(ossl_check_const_CONF_VALUE_sk_type(sk)) #define sk_CONF_VALUE_value(sk, idx) ((CONF_VALUE *)OPENSSL_sk_value(ossl_check_const_CONF_VALUE_sk_type(sk), (idx))) @@ -83,14 +86,15 @@ DEFINE_LHASH_OF_INTERNAL(CONF_VALUE); #define lh_CONF_VALUE_set_down_load(lh, dl) OPENSSL_LH_set_down_load(ossl_check_CONF_VALUE_lh_type(lh), dl) #define lh_CONF_VALUE_doall(lh, dfn) OPENSSL_LH_doall(ossl_check_CONF_VALUE_lh_type(lh), ossl_check_CONF_VALUE_lh_doallfunc_type(dfn)) +/* clang-format on */ struct conf_st; struct conf_method_st; typedef struct conf_method_st CONF_METHOD; -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# include <openssl/conftypes.h> -# endif +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#include <openssl/conftypes.h> +#endif /* Module definitions */ typedef struct conf_imodule_st CONF_IMODULE; 
@@ -100,32 +104,32 @@ STACK_OF(CONF_MODULE); STACK_OF(CONF_IMODULE); /* DSO module function typedefs */ -typedef int conf_init_func (CONF_IMODULE *md, const CONF *cnf); -typedef void conf_finish_func (CONF_IMODULE *md); +typedef int conf_init_func(CONF_IMODULE *md, const CONF *cnf); +typedef void conf_finish_func(CONF_IMODULE *md); -# define CONF_MFLAGS_IGNORE_ERRORS 0x1 -# define CONF_MFLAGS_IGNORE_RETURN_CODES 0x2 -# define CONF_MFLAGS_SILENT 0x4 -# define CONF_MFLAGS_NO_DSO 0x8 -# define CONF_MFLAGS_IGNORE_MISSING_FILE 0x10 -# define CONF_MFLAGS_DEFAULT_SECTION 0x20 +#define CONF_MFLAGS_IGNORE_ERRORS 0x1 +#define CONF_MFLAGS_IGNORE_RETURN_CODES 0x2 +#define CONF_MFLAGS_SILENT 0x4 +#define CONF_MFLAGS_NO_DSO 0x8 +#define CONF_MFLAGS_IGNORE_MISSING_FILE 0x10 +#define CONF_MFLAGS_DEFAULT_SECTION 0x20 int CONF_set_default_method(CONF_METHOD *meth); void CONF_set_nconf(CONF *conf, LHASH_OF(CONF_VALUE) *hash); LHASH_OF(CONF_VALUE) *CONF_load(LHASH_OF(CONF_VALUE) *conf, const char *file, - long *eline); -# ifndef OPENSSL_NO_STDIO + long *eline); +#ifndef OPENSSL_NO_STDIO LHASH_OF(CONF_VALUE) *CONF_load_fp(LHASH_OF(CONF_VALUE) *conf, FILE *fp, - long *eline); -# endif + long *eline); +#endif LHASH_OF(CONF_VALUE) *CONF_load_bio(LHASH_OF(CONF_VALUE) *conf, BIO *bp, - long *eline); + long *eline); STACK_OF(CONF_VALUE) *CONF_get_section(LHASH_OF(CONF_VALUE) *conf, - const char *section); + const char *section); char *CONF_get_string(LHASH_OF(CONF_VALUE) *conf, const char *group, - const char *name); + const char *name); long CONF_get_number(LHASH_OF(CONF_VALUE) *conf, const char *group, - const char *name); + const char *name); void CONF_free(LHASH_OF(CONF_VALUE) *conf); #ifndef OPENSSL_NO_STDIO int CONF_dump_fp(LHASH_OF(CONF_VALUE) *conf, FILE *out); 
@@ -136,7 +140,7 @@ OSSL_DEPRECATEDIN_1_1_0 void OPENSSL_config(const char *config_name); #endif #ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# define OPENSSL_no_config() \ +#define OPENSSL_no_config() \ OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL) #endif 
@@ -156,38 +160,40 @@ void NCONF_free(CONF *conf); void NCONF_free_data(CONF *conf); int NCONF_load(CONF *conf, const char *file, long *eline); -# ifndef OPENSSL_NO_STDIO +#ifndef OPENSSL_NO_STDIO int NCONF_load_fp(CONF *conf, FILE *fp, long *eline); -# endif +#endif int NCONF_load_bio(CONF *conf, BIO *bp, long *eline); STACK_OF(OPENSSL_CSTRING) *NCONF_get_section_names(const CONF *conf); STACK_OF(CONF_VALUE) *NCONF_get_section(const CONF *conf, - const char *section); + const char *section); char *NCONF_get_string(const CONF *conf, const char *group, const char *name); int NCONF_get_number_e(const CONF *conf, const char *group, const char *name, - long *result); + long *result); #ifndef OPENSSL_NO_STDIO int NCONF_dump_fp(const CONF *conf, FILE *out); #endif int NCONF_dump_bio(const CONF *conf, BIO *out); -#define NCONF_get_number(c,g,n,r) NCONF_get_number_e(c,g,n,r) +#define NCONF_get_number(c, g, n, r) NCONF_get_number_e(c, g, n, r) /* Module functions */ int CONF_modules_load(const CONF *cnf, const char *appname, - unsigned long flags); + unsigned long flags); int CONF_modules_load_file_ex(OSSL_LIB_CTX *libctx, const char *filename, - const char *appname, unsigned long flags); + const char *appname, unsigned long flags); int CONF_modules_load_file(const char *filename, const char *appname, - unsigned long flags); + unsigned long flags); void CONF_modules_unload(int all); void CONF_modules_finish(void); #ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# define CONF_modules_free() while(0) continue +#define CONF_modules_free() \ + while (0) \ + continue #endif int CONF_module_add(const char *name, conf_init_func *ifunc, - conf_finish_func *ffunc); + conf_finish_func *ffunc); const char *CONF_imodule_get_name(const CONF_IMODULE *md); const char *CONF_imodule_get_value(const CONF_IMODULE *md); 
@@ -202,13 +208,12 @@ void CONF_module_set_usr_data(CONF_MODULE *pmod, void *usr_data); char *CONF_get1_default_config_file(void); int CONF_parse_list(const char *list, int sep, int nospc, - int (*list_cb) (const char *elem, int len, void *usr), - void *arg); + int (*list_cb)(const char *elem, int len, void *usr), + void *arg); void OPENSSL_load_builtin_modules(void); - -# ifdef __cplusplus +#ifdef __cplusplus } -# endif +#endif #endif diff --git a/crypto/openssl/include/openssl/configuration.h b/crypto/openssl/include/openssl/configuration.h index b4d8283a8b98..487404bf55d0 100644 --- a/crypto/openssl/include/openssl/configuration.h +++ b/crypto/openssl/include/openssl/configuration.h @@ -12,21 +12,22 @@ */ #ifndef OPENSSL_CONFIGURATION_H -# define OPENSSL_CONFIGURATION_H -# pragma once +#define OPENSSL_CONFIGURATION_H +#pragma once -# ifdef __cplusplus +#ifdef __cplusplus extern "C" { -# endif +#endif -# ifdef OPENSSL_ALGORITHM_DEFINES -# error OPENSSL_ALGORITHM_DEFINES no longer supported -# endif +#ifdef OPENSSL_ALGORITHM_DEFINES +#error OPENSSL_ALGORITHM_DEFINES no longer supported +#endif /* * OpenSSL was configured with the following options: */ +/* clang-format off */ # define OPENSSL_CONFIGURED_API 30500 # ifndef OPENSSL_RAND_SEED_OS # define OPENSSL_RAND_SEED_OS 
@@ -164,34 +165,47 @@ extern "C" { # define OPENSSL_NO_STATIC_ENGINE # endif +/* clang-format on */ /* Generate 80386 code? */ +/* clang-format off */ # undef I386_ONLY +/* clang-format on */ /* * The following are cipher-specific, but are part of the public API. */ -# if !defined(OPENSSL_SYS_UEFI) +#if !defined(OPENSSL_SYS_UEFI) + /* clang-format off */ # undef BN_LLONG -/* Only one for the following should be defined */ + /* clang-format on */ + /* Only one for the following should be defined */ + /* clang-format off */ # define SIXTY_FOUR_BIT_LONG + /* clang-format on */ + /* clang-format off */ # undef SIXTY_FOUR_BIT + /* clang-format on */ + /* clang-format off */ # undef THIRTY_TWO_BIT -# endif +/* clang-format on */ +#endif +/* clang-format off */ # define RC4_INT unsigned int +/* clang-format on */ -# if defined(OPENSSL_NO_COMP) || (defined(OPENSSL_NO_BROTLI) && defined(OPENSSL_NO_ZSTD) && defined(OPENSSL_NO_ZLIB)) -# define OPENSSL_NO_COMP_ALG -# else -# undef OPENSSL_NO_COMP_ALG -# endif +#if defined(OPENSSL_NO_COMP) || (defined(OPENSSL_NO_BROTLI) && defined(OPENSSL_NO_ZSTD) && defined(OPENSSL_NO_ZLIB)) +#define OPENSSL_NO_COMP_ALG +#else +#undef OPENSSL_NO_COMP_ALG +#endif -# ifdef __cplusplus +#ifdef __cplusplus } -# endif +#endif -#endif /* OPENSSL_CONFIGURATION_H */ +#endif /* OPENSSL_CONFIGURATION_H */ /** * OpenSSL's Configure script generates these values automatically for the host diff --git a/crypto/openssl/include/openssl/core_names.h b/crypto/openssl/include/openssl/core_names.h index e93e79a52bc9..aa445e8f1de7 100644 --- a/crypto/openssl/include/openssl/core_names.h +++ b/crypto/openssl/include/openssl/core_names.h 
@@ -9,113 +9,116 @@ * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ +/* clang-format off */ +/* clang-format on */ #ifndef OPENSSL_CORE_NAMES_H -# define OPENSSL_CORE_NAMES_H -# pragma once +#define OPENSSL_CORE_NAMES_H +#pragma once -# ifdef __cplusplus +#ifdef __cplusplus extern "C" { -# endif +#endif /* OSSL_CIPHER_PARAM_CTS_MODE Values */ -# define OSSL_CIPHER_CTS_MODE_CS1 "CS1" -# define OSSL_CIPHER_CTS_MODE_CS2 "CS2" -# define OSSL_CIPHER_CTS_MODE_CS3 "CS3" +#define OSSL_CIPHER_CTS_MODE_CS1 "CS1" +#define OSSL_CIPHER_CTS_MODE_CS2 "CS2" +#define OSSL_CIPHER_CTS_MODE_CS3 "CS3" /* Known CIPHER names (not a complete list) */ -# define OSSL_CIPHER_NAME_AES_128_GCM_SIV "AES-128-GCM-SIV" -# define OSSL_CIPHER_NAME_AES_192_GCM_SIV "AES-192-GCM-SIV" -# define OSSL_CIPHER_NAME_AES_256_GCM_SIV "AES-256-GCM-SIV" +#define OSSL_CIPHER_NAME_AES_128_GCM_SIV "AES-128-GCM-SIV" +#define OSSL_CIPHER_NAME_AES_192_GCM_SIV "AES-192-GCM-SIV" +#define OSSL_CIPHER_NAME_AES_256_GCM_SIV "AES-256-GCM-SIV" /* Known DIGEST names (not a complete list) */ -# define OSSL_DIGEST_NAME_MD5 "MD5" -# define OSSL_DIGEST_NAME_MD5_SHA1 "MD5-SHA1" -# define OSSL_DIGEST_NAME_SHA1 "SHA1" -# define OSSL_DIGEST_NAME_SHA2_224 "SHA2-224" -# define OSSL_DIGEST_NAME_SHA2_256 "SHA2-256" -# define OSSL_DIGEST_NAME_SHA2_256_192 "SHA2-256/192" -# define OSSL_DIGEST_NAME_SHA2_384 "SHA2-384" -# define OSSL_DIGEST_NAME_SHA2_512 "SHA2-512" -# define OSSL_DIGEST_NAME_SHA2_512_224 "SHA2-512/224" -# define OSSL_DIGEST_NAME_SHA2_512_256 "SHA2-512/256" -# define OSSL_DIGEST_NAME_MD2 "MD2" -# define OSSL_DIGEST_NAME_MD4 "MD4" -# define OSSL_DIGEST_NAME_MDC2 "MDC2" -# define OSSL_DIGEST_NAME_RIPEMD160 "RIPEMD160" -# define OSSL_DIGEST_NAME_SHA3_224 "SHA3-224" -# define OSSL_DIGEST_NAME_SHA3_256 "SHA3-256" -# define OSSL_DIGEST_NAME_SHA3_384 "SHA3-384" -# define OSSL_DIGEST_NAME_SHA3_512 "SHA3-512" -# define OSSL_DIGEST_NAME_KECCAK_KMAC128 "KECCAK-KMAC-128" -# define 
OSSL_DIGEST_NAME_KECCAK_KMAC256 "KECCAK-KMAC-256" -# define OSSL_DIGEST_NAME_SM3 "SM3" +#define OSSL_DIGEST_NAME_MD5 "MD5" +#define OSSL_DIGEST_NAME_MD5_SHA1 "MD5-SHA1" +#define OSSL_DIGEST_NAME_SHA1 "SHA1" +#define OSSL_DIGEST_NAME_SHA2_224 "SHA2-224" +#define OSSL_DIGEST_NAME_SHA2_256 "SHA2-256" +#define OSSL_DIGEST_NAME_SHA2_256_192 "SHA2-256/192" +#define OSSL_DIGEST_NAME_SHA2_384 "SHA2-384" +#define OSSL_DIGEST_NAME_SHA2_512 "SHA2-512" +#define OSSL_DIGEST_NAME_SHA2_512_224 "SHA2-512/224" +#define OSSL_DIGEST_NAME_SHA2_512_256 "SHA2-512/256" +#define OSSL_DIGEST_NAME_MD2 "MD2" +#define OSSL_DIGEST_NAME_MD4 "MD4" +#define OSSL_DIGEST_NAME_MDC2 "MDC2" +#define OSSL_DIGEST_NAME_RIPEMD160 "RIPEMD160" +#define OSSL_DIGEST_NAME_SHA3_224 "SHA3-224" +#define OSSL_DIGEST_NAME_SHA3_256 "SHA3-256" +#define OSSL_DIGEST_NAME_SHA3_384 "SHA3-384" +#define OSSL_DIGEST_NAME_SHA3_512 "SHA3-512" +#define OSSL_DIGEST_NAME_KECCAK_KMAC128 "KECCAK-KMAC-128" +#define OSSL_DIGEST_NAME_KECCAK_KMAC256 "KECCAK-KMAC-256" +#define OSSL_DIGEST_NAME_SM3 "SM3" /* Known MAC names */ -# define OSSL_MAC_NAME_BLAKE2BMAC "BLAKE2BMAC" -# define OSSL_MAC_NAME_BLAKE2SMAC "BLAKE2SMAC" -# define OSSL_MAC_NAME_CMAC "CMAC" -# define OSSL_MAC_NAME_GMAC "GMAC" -# define OSSL_MAC_NAME_HMAC "HMAC" -# define OSSL_MAC_NAME_KMAC128 "KMAC128" -# define OSSL_MAC_NAME_KMAC256 "KMAC256" -# define OSSL_MAC_NAME_POLY1305 "POLY1305" -# define OSSL_MAC_NAME_SIPHASH "SIPHASH" +#define OSSL_MAC_NAME_BLAKE2BMAC "BLAKE2BMAC" +#define OSSL_MAC_NAME_BLAKE2SMAC "BLAKE2SMAC" +#define OSSL_MAC_NAME_CMAC "CMAC" +#define OSSL_MAC_NAME_GMAC "GMAC" +#define OSSL_MAC_NAME_HMAC "HMAC" +#define OSSL_MAC_NAME_KMAC128 "KMAC128" +#define OSSL_MAC_NAME_KMAC256 "KMAC256" +#define OSSL_MAC_NAME_POLY1305 "POLY1305" +#define OSSL_MAC_NAME_SIPHASH "SIPHASH" /* Known KDF names */ -# define OSSL_KDF_NAME_HKDF "HKDF" -# define OSSL_KDF_NAME_TLS1_3_KDF "TLS13-KDF" -# define OSSL_KDF_NAME_PBKDF1 "PBKDF1" -# define OSSL_KDF_NAME_PBKDF2 "PBKDF2" -# 
define OSSL_KDF_NAME_SCRYPT "SCRYPT" -# define OSSL_KDF_NAME_SSHKDF "SSHKDF" -# define OSSL_KDF_NAME_SSKDF "SSKDF" -# define OSSL_KDF_NAME_TLS1_PRF "TLS1-PRF" -# define OSSL_KDF_NAME_X942KDF_ASN1 "X942KDF-ASN1" -# define OSSL_KDF_NAME_X942KDF_CONCAT "X942KDF-CONCAT" -# define OSSL_KDF_NAME_X963KDF "X963KDF" -# define OSSL_KDF_NAME_KBKDF "KBKDF" -# define OSSL_KDF_NAME_KRB5KDF "KRB5KDF" -# define OSSL_KDF_NAME_HMACDRBGKDF "HMAC-DRBG-KDF" +#define OSSL_KDF_NAME_HKDF "HKDF" +#define OSSL_KDF_NAME_TLS1_3_KDF "TLS13-KDF" +#define OSSL_KDF_NAME_PBKDF1 "PBKDF1" +#define OSSL_KDF_NAME_PBKDF2 "PBKDF2" +#define OSSL_KDF_NAME_SCRYPT "SCRYPT" +#define OSSL_KDF_NAME_SSHKDF "SSHKDF" +#define OSSL_KDF_NAME_SSKDF "SSKDF" +#define OSSL_KDF_NAME_TLS1_PRF "TLS1-PRF" +#define OSSL_KDF_NAME_X942KDF_ASN1 "X942KDF-ASN1" +#define OSSL_KDF_NAME_X942KDF_CONCAT "X942KDF-CONCAT" +#define OSSL_KDF_NAME_X963KDF "X963KDF" +#define OSSL_KDF_NAME_KBKDF "KBKDF" +#define OSSL_KDF_NAME_KRB5KDF "KRB5KDF" +#define OSSL_KDF_NAME_HMACDRBGKDF "HMAC-DRBG-KDF" /* RSA padding modes */ -# define OSSL_PKEY_RSA_PAD_MODE_NONE "none" -# define OSSL_PKEY_RSA_PAD_MODE_PKCSV15 "pkcs1" -# define OSSL_PKEY_RSA_PAD_MODE_OAEP "oaep" -# define OSSL_PKEY_RSA_PAD_MODE_X931 "x931" -# define OSSL_PKEY_RSA_PAD_MODE_PSS "pss" +#define OSSL_PKEY_RSA_PAD_MODE_NONE "none" +#define OSSL_PKEY_RSA_PAD_MODE_PKCSV15 "pkcs1" +#define OSSL_PKEY_RSA_PAD_MODE_OAEP "oaep" +#define OSSL_PKEY_RSA_PAD_MODE_X931 "x931" +#define OSSL_PKEY_RSA_PAD_MODE_PSS "pss" /* RSA pss padding salt length */ -# define OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST "digest" -# define OSSL_PKEY_RSA_PSS_SALT_LEN_MAX "max" -# define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO "auto" -# define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX "auto-digestmax" +#define OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST "digest" +#define OSSL_PKEY_RSA_PSS_SALT_LEN_MAX "max" +#define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO "auto" +#define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX "auto-digestmax" /* 
OSSL_PKEY_PARAM_EC_ENCODING values */ -# define OSSL_PKEY_EC_ENCODING_EXPLICIT "explicit" -# define OSSL_PKEY_EC_ENCODING_GROUP "named_curve" +#define OSSL_PKEY_EC_ENCODING_EXPLICIT "explicit" +#define OSSL_PKEY_EC_ENCODING_GROUP "named_curve" -# define OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_UNCOMPRESSED "uncompressed" -# define OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_COMPRESSED "compressed" -# define OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_HYBRID "hybrid" +#define OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_UNCOMPRESSED "uncompressed" +#define OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_COMPRESSED "compressed" +#define OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_HYBRID "hybrid" -# define OSSL_PKEY_EC_GROUP_CHECK_DEFAULT "default" -# define OSSL_PKEY_EC_GROUP_CHECK_NAMED "named" -# define OSSL_PKEY_EC_GROUP_CHECK_NAMED_NIST "named-nist" +#define OSSL_PKEY_EC_GROUP_CHECK_DEFAULT "default" +#define OSSL_PKEY_EC_GROUP_CHECK_NAMED "named" +#define OSSL_PKEY_EC_GROUP_CHECK_NAMED_NIST "named-nist" /* PROV_SKEY well known key types */ -# define OSSL_SKEY_TYPE_GENERIC "GENERIC-SECRET" -# define OSSL_SKEY_TYPE_AES "AES" +#define OSSL_SKEY_TYPE_GENERIC "GENERIC-SECRET" +#define OSSL_SKEY_TYPE_AES "AES" /* OSSL_KEM_PARAM_OPERATION values */ -#define OSSL_KEM_PARAM_OPERATION_RSASVE "RSASVE" -#define OSSL_KEM_PARAM_OPERATION_DHKEM "DHKEM" +#define OSSL_KEM_PARAM_OPERATION_RSASVE "RSASVE" +#define OSSL_KEM_PARAM_OPERATION_DHKEM "DHKEM" /* Provider configuration variables */ -#define OSSL_PKEY_RETAIN_SEED "pkey_retain_seed" +#define OSSL_PKEY_RETAIN_SEED "pkey_retain_seed" /* Parameter name definitions - generated by util/perl/OpenSSL/paramnames.pm */ +/* clang-format off */ # define OSSL_ALG_PARAM_ALGORITHM_ID "algorithm-id" # define OSSL_ALG_PARAM_ALGORITHM_ID_PARAMS "algorithm-id-params" # define OSSL_ALG_PARAM_CIPHER "cipher" 
@@ -567,9 +570,10 @@ extern "C" {
 # define OSSL_STORE_PARAM_PROPERTIES "properties"
 # define OSSL_STORE_PARAM_SERIAL "serial"
 # define OSSL_STORE_PARAM_SUBJECT "subject"
+/* clang-format on */
-# ifdef __cplusplus
+#ifdef __cplusplus
 }
-# endif
+#endif
 #endif
diff --git a/crypto/openssl/include/openssl/crmf.h b/crypto/openssl/include/openssl/crmf.h
index 4bf550fd47da..8b32ffb136b6 100644
--- a/crypto/openssl/include/openssl/crmf.h
+++ b/crypto/openssl/include/openssl/crmf.h
@@ -14,36 +14,38 @@
 * CRMF (RFC 4211) implementation by M. Peylo, M. Viljanen, and D. von Oheimb.
 */
+/* clang-format off */
+/* clang-format on */
 #ifndef OPENSSL_CRMF_H
-# define OPENSSL_CRMF_H
+#define OPENSSL_CRMF_H
-# include <openssl/opensslconf.h>
+#include <openssl/opensslconf.h>
-# ifndef OPENSSL_NO_CRMF
-# include <openssl/opensslv.h>
-# include <openssl/safestack.h>
-# include <openssl/crmferr.h>
-# include <openssl/x509v3.h> /* for GENERAL_NAME etc. */
-# include <openssl/cms.h>
+#ifndef OPENSSL_NO_CRMF
+#include <openssl/opensslv.h>
+#include <openssl/safestack.h>
+#include <openssl/crmferr.h>
+#include <openssl/x509v3.h> /* for GENERAL_NAME etc. */
+#include <openssl/cms.h>
 /* explicit #includes not strictly needed since implied by the above: */
-# include <openssl/types.h>
-# include <openssl/x509.h>
+#include <openssl/types.h>
+#include <openssl/x509.h>
-# ifdef __cplusplus
+#ifdef __cplusplus
 extern "C" {
-# endif
+#endif
-# define OSSL_CRMF_POPOPRIVKEY_THISMESSAGE 0
-# define OSSL_CRMF_POPOPRIVKEY_SUBSEQUENTMESSAGE 1
-# define OSSL_CRMF_POPOPRIVKEY_DHMAC 2
-# define OSSL_CRMF_POPOPRIVKEY_AGREEMAC 3
-# define OSSL_CRMF_POPOPRIVKEY_ENCRYPTEDKEY 4
+#define OSSL_CRMF_POPOPRIVKEY_THISMESSAGE 0
+#define OSSL_CRMF_POPOPRIVKEY_SUBSEQUENTMESSAGE 1
+#define OSSL_CRMF_POPOPRIVKEY_DHMAC 2
+#define OSSL_CRMF_POPOPRIVKEY_AGREEMAC 3
+#define OSSL_CRMF_POPOPRIVKEY_ENCRYPTEDKEY 4
-# define OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT 0
-# define OSSL_CRMF_SUBSEQUENTMESSAGE_CHALLENGERESP 1
+#define OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT 0
+#define OSSL_CRMF_SUBSEQUENTMESSAGE_CHALLENGERESP 1
 typedef struct ossl_crmf_encryptedvalue_st OSSL_CRMF_ENCRYPTEDVALUE;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCRYPTEDVALUE)
@@ -53,6 +55,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCRYPTEDKEY) typedef struct ossl_crmf_msg_st OSSL_CRMF_MSG; DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_MSG) DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_MSG) +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_CRMF_MSG, OSSL_CRMF_MSG, OSSL_CRMF_MSG) #define sk_OSSL_CRMF_MSG_num(sk) OPENSSL_sk_num(ossl_check_const_OSSL_CRMF_MSG_sk_type(sk)) #define sk_OSSL_CRMF_MSG_value(sk, idx) ((OSSL_CRMF_MSG *)OPENSSL_sk_value(ossl_check_const_OSSL_CRMF_MSG_sk_type(sk), (idx))) @@ -80,9 +83,11 @@ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_CRMF_MSG, OSSL_CRMF_MSG, OSSL_CRMF_MSG) #define sk_OSSL_CRMF_MSG_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OSSL_CRMF_MSG) *)OPENSSL_sk_deep_copy(ossl_check_const_OSSL_CRMF_MSG_sk_type(sk), ossl_check_OSSL_CRMF_MSG_copyfunc_type(copyfunc), ossl_check_OSSL_CRMF_MSG_freefunc_type(freefunc))) #define sk_OSSL_CRMF_MSG_set_cmp_func(sk, cmp) ((sk_OSSL_CRMF_MSG_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OSSL_CRMF_MSG_sk_type(sk), ossl_check_OSSL_CRMF_MSG_compfunc_type(cmp))) +/* clang-format on */ typedef struct ossl_crmf_attributetypeandvalue_st OSSL_CRMF_ATTRIBUTETYPEANDVALUE; void OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(OSSL_CRMF_ATTRIBUTETYPEANDVALUE *v); DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_CRMF_ATTRIBUTETYPEANDVALUE, OSSL_CRMF_ATTRIBUTETYPEANDVALUE, OSSL_CRMF_ATTRIBUTETYPEANDVALUE) #define sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_num(sk) OPENSSL_sk_num(ossl_check_const_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_sk_type(sk)) #define sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_value(sk, idx) ((OSSL_CRMF_ATTRIBUTETYPEANDVALUE *)OPENSSL_sk_value(ossl_check_const_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_sk_type(sk), (idx))) 
@@ -110,6 +115,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_CRMF_ATTRIBUTETYPEANDVALUE, OSSL_CRMF_ATTRIBUT #define sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *)OPENSSL_sk_deep_copy(ossl_check_const_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_sk_type(sk), ossl_check_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_copyfunc_type(copyfunc), ossl_check_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_freefunc_type(freefunc))) #define sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_set_cmp_func(sk, cmp) ((sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_sk_type(sk), ossl_check_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_compfunc_type(cmp))) +/* clang-format on */ typedef struct ossl_crmf_pbmparameter_st OSSL_CRMF_PBMPARAMETER; DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PBMPARAMETER) @@ -118,6 +124,7 @@ typedef struct ossl_crmf_certrequest_st OSSL_CRMF_CERTREQUEST; typedef struct ossl_crmf_certid_st OSSL_CRMF_CERTID; DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTID) DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTID) +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_CRMF_CERTID, OSSL_CRMF_CERTID, OSSL_CRMF_CERTID) #define sk_OSSL_CRMF_CERTID_num(sk) OPENSSL_sk_num(ossl_check_const_OSSL_CRMF_CERTID_sk_type(sk)) #define sk_OSSL_CRMF_CERTID_value(sk, idx) ((OSSL_CRMF_CERTID *)OPENSSL_sk_value(ossl_check_const_OSSL_CRMF_CERTID_sk_type(sk), (idx))) 
@@ -145,6 +152,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_CRMF_CERTID, OSSL_CRMF_CERTID, OSSL_CRMF_CERTI #define sk_OSSL_CRMF_CERTID_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OSSL_CRMF_CERTID) *)OPENSSL_sk_deep_copy(ossl_check_const_OSSL_CRMF_CERTID_sk_type(sk), ossl_check_OSSL_CRMF_CERTID_copyfunc_type(copyfunc), ossl_check_OSSL_CRMF_CERTID_freefunc_type(freefunc))) #define sk_OSSL_CRMF_CERTID_set_cmp_func(sk, cmp) ((sk_OSSL_CRMF_CERTID_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OSSL_CRMF_CERTID_sk_type(sk), ossl_check_OSSL_CRMF_CERTID_compfunc_type(cmp))) +/* clang-format on */ typedef struct ossl_crmf_pkipublicationinfo_st OSSL_CRMF_PKIPUBLICATIONINFO; DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKIPUBLICATIONINFO) 
@@ -160,119 +168,112 @@ typedef struct ossl_crmf_optionalvalidity_st OSSL_CRMF_OPTIONALVALIDITY; /* crmf_pbm.c */ OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(OSSL_LIB_CTX *libctx, size_t slen, - int owfnid, size_t itercnt, - int macnid); + int owfnid, size_t itercnt, + int macnid); int OSSL_CRMF_pbm_new(OSSL_LIB_CTX *libctx, const char *propq, - const OSSL_CRMF_PBMPARAMETER *pbmp, - const unsigned char *msg, size_t msglen, - const unsigned char *sec, size_t seclen, - unsigned char **mac, size_t *maclen); + const OSSL_CRMF_PBMPARAMETER *pbmp, + const unsigned char *msg, size_t msglen, + const unsigned char *sec, size_t seclen, + unsigned char **mac, size_t *maclen); /* crmf_lib.c */ int OSSL_CRMF_MSG_set1_regCtrl_regToken(OSSL_CRMF_MSG *msg, - const ASN1_UTF8STRING *tok); + const ASN1_UTF8STRING *tok); ASN1_UTF8STRING *OSSL_CRMF_MSG_get0_regCtrl_regToken(const OSSL_CRMF_MSG *msg); int OSSL_CRMF_MSG_set1_regCtrl_authenticator(OSSL_CRMF_MSG *msg, - const ASN1_UTF8STRING *auth); + const ASN1_UTF8STRING *auth); ASN1_UTF8STRING *OSSL_CRMF_MSG_get0_regCtrl_authenticator(const OSSL_CRMF_MSG *msg); -int -OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo(OSSL_CRMF_PKIPUBLICATIONINFO *pi, - OSSL_CRMF_SINGLEPUBINFO *spi); -# define OSSL_CRMF_PUB_METHOD_DONTCARE 0 -# define OSSL_CRMF_PUB_METHOD_X500 1 -# define OSSL_CRMF_PUB_METHOD_WEB 2 -# define OSSL_CRMF_PUB_METHOD_LDAP 3 +int OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo(OSSL_CRMF_PKIPUBLICATIONINFO *pi, + OSSL_CRMF_SINGLEPUBINFO *spi); +#define OSSL_CRMF_PUB_METHOD_DONTCARE 0 +#define OSSL_CRMF_PUB_METHOD_X500 1 +#define OSSL_CRMF_PUB_METHOD_WEB 2 +#define OSSL_CRMF_PUB_METHOD_LDAP 3 int OSSL_CRMF_MSG_set0_SinglePubInfo(OSSL_CRMF_SINGLEPUBINFO *spi, - int method, GENERAL_NAME *nm); -# define OSSL_CRMF_PUB_ACTION_DONTPUBLISH 0 -# define OSSL_CRMF_PUB_ACTION_PLEASEPUBLISH 1 + int method, GENERAL_NAME *nm); +#define OSSL_CRMF_PUB_ACTION_DONTPUBLISH 0 +#define OSSL_CRMF_PUB_ACTION_PLEASEPUBLISH 1 int 
OSSL_CRMF_MSG_set_PKIPublicationInfo_action(OSSL_CRMF_PKIPUBLICATIONINFO *pi, - int action); + int action); int OSSL_CRMF_MSG_set1_regCtrl_pkiPublicationInfo(OSSL_CRMF_MSG *msg, - const OSSL_CRMF_PKIPUBLICATIONINFO *pi); + const OSSL_CRMF_PKIPUBLICATIONINFO *pi); OSSL_CRMF_PKIPUBLICATIONINFO *OSSL_CRMF_MSG_get0_regCtrl_pkiPublicationInfo(const OSSL_CRMF_MSG *msg); int OSSL_CRMF_MSG_set1_regCtrl_protocolEncrKey(OSSL_CRMF_MSG *msg, - const X509_PUBKEY *pubkey); + const X509_PUBKEY *pubkey); X509_PUBKEY *OSSL_CRMF_MSG_get0_regCtrl_protocolEncrKey(const OSSL_CRMF_MSG *msg); int OSSL_CRMF_MSG_set1_regCtrl_oldCertID(OSSL_CRMF_MSG *msg, - const OSSL_CRMF_CERTID *cid); + const OSSL_CRMF_CERTID *cid); OSSL_CRMF_CERTID *OSSL_CRMF_MSG_get0_regCtrl_oldCertID(const OSSL_CRMF_MSG *msg); OSSL_CRMF_CERTID *OSSL_CRMF_CERTID_gen(const X509_NAME *issuer, - const ASN1_INTEGER *serial); + const ASN1_INTEGER *serial); int OSSL_CRMF_MSG_set1_regInfo_utf8Pairs(OSSL_CRMF_MSG *msg, - const ASN1_UTF8STRING *utf8pairs); + const ASN1_UTF8STRING *utf8pairs); ASN1_UTF8STRING *OSSL_CRMF_MSG_get0_regInfo_utf8Pairs(const OSSL_CRMF_MSG *msg); int OSSL_CRMF_MSG_set1_regInfo_certReq(OSSL_CRMF_MSG *msg, - const OSSL_CRMF_CERTREQUEST *cr); + const OSSL_CRMF_CERTREQUEST *cr); OSSL_CRMF_CERTREQUEST *OSSL_CRMF_MSG_get0_regInfo_certReq(const OSSL_CRMF_MSG *msg); int OSSL_CRMF_MSG_set0_validity(OSSL_CRMF_MSG *crm, - ASN1_TIME *notBefore, ASN1_TIME *notAfter); + ASN1_TIME *notBefore, ASN1_TIME *notAfter); int OSSL_CRMF_MSG_set_certReqId(OSSL_CRMF_MSG *crm, int rid); int OSSL_CRMF_MSG_get_certReqId(const OSSL_CRMF_MSG *crm); int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm, X509_EXTENSIONS *exts); int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm, X509_EXTENSION *ext); -# define OSSL_CRMF_POPO_NONE -1 -# define OSSL_CRMF_POPO_RAVERIFIED 0 -# define OSSL_CRMF_POPO_SIGNATURE 1 -# define OSSL_CRMF_POPO_KEYENC 2 -# define OSSL_CRMF_POPO_KEYAGREE 3 +#define OSSL_CRMF_POPO_NONE -1 +#define 
OSSL_CRMF_POPO_RAVERIFIED 0 +#define OSSL_CRMF_POPO_SIGNATURE 1 +#define OSSL_CRMF_POPO_KEYENC 2 +#define OSSL_CRMF_POPO_KEYAGREE 3 int OSSL_CRMF_MSG_create_popo(int meth, OSSL_CRMF_MSG *crm, - EVP_PKEY *pkey, const EVP_MD *digest, - OSSL_LIB_CTX *libctx, const char *propq); + EVP_PKEY *pkey, const EVP_MD *digest, + OSSL_LIB_CTX *libctx, const char *propq); int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs, - int rid, int acceptRAVerified, - OSSL_LIB_CTX *libctx, const char *propq); + int rid, int acceptRAVerified, + OSSL_LIB_CTX *libctx, const char *propq); OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_MSG_get0_tmpl(const OSSL_CRMF_MSG *crm); X509_PUBKEY *OSSL_CRMF_CERTTEMPLATE_get0_publicKey(const OSSL_CRMF_CERTTEMPLATE *tmpl); -const X509_NAME -*OSSL_CRMF_CERTTEMPLATE_get0_subject(const OSSL_CRMF_CERTTEMPLATE *tmpl); -const X509_NAME -*OSSL_CRMF_CERTTEMPLATE_get0_issuer(const OSSL_CRMF_CERTTEMPLATE *tmpl); -const ASN1_INTEGER -*OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(const OSSL_CRMF_CERTTEMPLATE *tmpl); +const X509_NAME *OSSL_CRMF_CERTTEMPLATE_get0_subject(const OSSL_CRMF_CERTTEMPLATE *tmpl); +const X509_NAME *OSSL_CRMF_CERTTEMPLATE_get0_issuer(const OSSL_CRMF_CERTTEMPLATE *tmpl); +const ASN1_INTEGER *OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(const OSSL_CRMF_CERTTEMPLATE *tmpl); X509_EXTENSIONS *OSSL_CRMF_CERTTEMPLATE_get0_extensions(const OSSL_CRMF_CERTTEMPLATE *tmpl); -const X509_NAME -*OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid); -const ASN1_INTEGER -*OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid); +const X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid); +const ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid); int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl, - EVP_PKEY *pubkey, - const X509_NAME *subject, - const X509_NAME *issuer, - const ASN1_INTEGER *serial); + EVP_PKEY *pubkey, + const X509_NAME *subject, + const X509_NAME *issuer, + const ASN1_INTEGER *serial); X509 
*OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecert, - OSSL_LIB_CTX *libctx, const char *propq, - EVP_PKEY *pkey); + OSSL_LIB_CTX *libctx, const char *propq, + EVP_PKEY *pkey); X509 *OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(const OSSL_CRMF_ENCRYPTEDKEY *ecert, - OSSL_LIB_CTX *libctx, const char *propq, - EVP_PKEY *pkey, unsigned int flags); -unsigned char -*OSSL_CRMF_ENCRYPTEDVALUE_decrypt(const OSSL_CRMF_ENCRYPTEDVALUE *enc, - OSSL_LIB_CTX *libctx, const char *propq, - EVP_PKEY *pkey, int *outlen); + OSSL_LIB_CTX *libctx, const char *propq, + EVP_PKEY *pkey, unsigned int flags); +unsigned char *OSSL_CRMF_ENCRYPTEDVALUE_decrypt(const OSSL_CRMF_ENCRYPTEDVALUE *enc, + OSSL_LIB_CTX *libctx, const char *propq, + EVP_PKEY *pkey, int *outlen); EVP_PKEY *OSSL_CRMF_ENCRYPTEDKEY_get1_pkey(const OSSL_CRMF_ENCRYPTEDKEY *encryptedKey, - X509_STORE *ts, STACK_OF(X509) *extra, EVP_PKEY *pkey, - X509 *cert, ASN1_OCTET_STRING *secret, - OSSL_LIB_CTX *libctx, const char *propq); + X509_STORE *ts, STACK_OF(X509) *extra, EVP_PKEY *pkey, + X509 *cert, ASN1_OCTET_STRING *secret, + OSSL_LIB_CTX *libctx, const char *propq); int OSSL_CRMF_MSG_centralkeygen_requested(const OSSL_CRMF_MSG *crm, const X509_REQ *p10cr); -# ifndef OPENSSL_NO_CMS +#ifndef OPENSSL_NO_CMS OSSL_CRMF_ENCRYPTEDKEY *OSSL_CRMF_ENCRYPTEDKEY_init_envdata(CMS_EnvelopedData *envdata); -# endif +#endif -# ifdef __cplusplus +#ifdef __cplusplus } -# endif -# endif /* !defined(OPENSSL_NO_CRMF) */ +#endif +#endif /* !defined(OPENSSL_NO_CRMF) */ #endif /* !defined(OPENSSL_CRMF_H) */ diff --git a/crypto/openssl/include/openssl/crypto.h b/crypto/openssl/include/openssl/crypto.h index 87fefd4ab73b..cce93833c2cb 100644 --- a/crypto/openssl/include/openssl/crypto.h +++ b/crypto/openssl/include/openssl/crypto.h 
@@ -11,60 +11,62 @@ * https://www.openssl.org/source/license.html */ +/* clang-format off */ +/* clang-format on */ #ifndef OPENSSL_CRYPTO_H -# define OPENSSL_CRYPTO_H -# pragma once +#define OPENSSL_CRYPTO_H +#pragma once -# include <openssl/macros.h> -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define HEADER_CRYPTO_H -# endif +#include <openssl/macros.h> +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define HEADER_CRYPTO_H +#endif -# include <stdlib.h> -# include <time.h> +#include <stdlib.h> +#include <time.h> -# include <openssl/e_os2.h> +#include <openssl/e_os2.h> -# ifndef OPENSSL_NO_STDIO -# include <stdio.h> -# endif +#ifndef OPENSSL_NO_STDIO +#include <stdio.h> +#endif -# include <openssl/safestack.h> -# include <openssl/opensslv.h> -# include <openssl/types.h> -# include <openssl/opensslconf.h> -# include <openssl/cryptoerr.h> -# include <openssl/core.h> +#include <openssl/safestack.h> +#include <openssl/opensslv.h> +#include <openssl/types.h> +#include <openssl/opensslconf.h> +#include <openssl/cryptoerr.h> +#include <openssl/core.h> -# ifdef CHARSET_EBCDIC -# include <openssl/ebcdic.h> -# endif +#ifdef CHARSET_EBCDIC +#include <openssl/ebcdic.h> +#endif /* * Resolve problems on some operating systems with symbol names that clash * one way or another */ -# include <openssl/symhacks.h> +#include <openssl/symhacks.h> -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# include <openssl/opensslv.h> -# endif +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#include <openssl/opensslv.h> +#endif -#ifdef __cplusplus +#ifdef __cplusplus extern "C" { #endif -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# define SSLeay OpenSSL_version_num -# define SSLeay_version OpenSSL_version -# define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER -# define SSLEAY_VERSION OPENSSL_VERSION -# define SSLEAY_CFLAGS OPENSSL_CFLAGS -# define SSLEAY_BUILT_ON OPENSSL_BUILT_ON -# define SSLEAY_PLATFORM OPENSSL_PLATFORM -# define SSLEAY_DIR OPENSSL_DIR +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#define SSLeay OpenSSL_version_num +#define 
SSLeay_version OpenSSL_version +#define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER +#define SSLEAY_VERSION OPENSSL_VERSION +#define SSLEAY_CFLAGS OPENSSL_CFLAGS +#define SSLEAY_BUILT_ON OPENSSL_BUILT_ON +#define SSLEAY_PLATFORM OPENSSL_PLATFORM +#define SSLEAY_DIR OPENSSL_DIR /* * Old type for allocating dynamic locks. No longer used. Use the new thread @@ -74,7 +76,7 @@ typedef struct { int dummy; } CRYPTO_dynlock; -# endif /* OPENSSL_NO_DEPRECATED_1_1_0 */ +#endif /* OPENSSL_NO_DEPRECATED_1_1_0 */ typedef void CRYPTO_RWLOCK; 
@@ -86,66 +88,68 @@ void CRYPTO_THREAD_lock_free(CRYPTO_RWLOCK *lock); int CRYPTO_atomic_add(int *val, int amount, int *ret, CRYPTO_RWLOCK *lock); int CRYPTO_atomic_add64(uint64_t *val, uint64_t op, uint64_t *ret, - CRYPTO_RWLOCK *lock); + CRYPTO_RWLOCK *lock); int CRYPTO_atomic_and(uint64_t *val, uint64_t op, uint64_t *ret, - CRYPTO_RWLOCK *lock); + CRYPTO_RWLOCK *lock); int CRYPTO_atomic_or(uint64_t *val, uint64_t op, uint64_t *ret, - CRYPTO_RWLOCK *lock); + CRYPTO_RWLOCK *lock); int CRYPTO_atomic_load(uint64_t *val, uint64_t *ret, CRYPTO_RWLOCK *lock); int CRYPTO_atomic_load_int(int *val, int *ret, CRYPTO_RWLOCK *lock); int CRYPTO_atomic_store(uint64_t *dst, uint64_t val, CRYPTO_RWLOCK *lock); /* No longer needed, so this is a no-op */ -#define OPENSSL_malloc_init() while(0) continue - -# define OPENSSL_malloc(num) \ - CRYPTO_malloc(num, OPENSSL_FILE, OPENSSL_LINE) -# define OPENSSL_zalloc(num) \ - CRYPTO_zalloc(num, OPENSSL_FILE, OPENSSL_LINE) -# define OPENSSL_aligned_alloc(num, alignment, freeptr) \ - CRYPTO_aligned_alloc(num, alignment, freeptr, \ - OPENSSL_FILE, OPENSSL_LINE) -# define OPENSSL_realloc(addr, num) \ - CRYPTO_realloc(addr, num, OPENSSL_FILE, OPENSSL_LINE) -# define OPENSSL_clear_realloc(addr, old_num, num) \ - CRYPTO_clear_realloc(addr, old_num, num, OPENSSL_FILE, OPENSSL_LINE) -# define OPENSSL_clear_free(addr, num) \ - CRYPTO_clear_free(addr, num, OPENSSL_FILE, OPENSSL_LINE) -# define OPENSSL_free(addr) \ - CRYPTO_free(addr, OPENSSL_FILE, OPENSSL_LINE) -# define OPENSSL_memdup(str, s) \ - CRYPTO_memdup((str), s, OPENSSL_FILE, OPENSSL_LINE) -# define OPENSSL_strdup(str) \ - CRYPTO_strdup(str, OPENSSL_FILE, OPENSSL_LINE) -# define OPENSSL_strndup(str, n) \ - CRYPTO_strndup(str, n, OPENSSL_FILE, OPENSSL_LINE) -# define OPENSSL_secure_malloc(num) \ - CRYPTO_secure_malloc(num, OPENSSL_FILE, OPENSSL_LINE) -# define OPENSSL_secure_zalloc(num) \ - CRYPTO_secure_zalloc(num, OPENSSL_FILE, OPENSSL_LINE) -# define OPENSSL_secure_free(addr) \ - 
CRYPTO_secure_free(addr, OPENSSL_FILE, OPENSSL_LINE) -# define OPENSSL_secure_clear_free(addr, num) \ - CRYPTO_secure_clear_free(addr, num, OPENSSL_FILE, OPENSSL_LINE) -# define OPENSSL_secure_actual_size(ptr) \ - CRYPTO_secure_actual_size(ptr) +#define OPENSSL_malloc_init() \ + while (0) \ + continue + +#define OPENSSL_malloc(num) \ + CRYPTO_malloc(num, OPENSSL_FILE, OPENSSL_LINE) +#define OPENSSL_zalloc(num) \ + CRYPTO_zalloc(num, OPENSSL_FILE, OPENSSL_LINE) +#define OPENSSL_aligned_alloc(num, alignment, freeptr) \ + CRYPTO_aligned_alloc(num, alignment, freeptr, \ + OPENSSL_FILE, OPENSSL_LINE) +#define OPENSSL_realloc(addr, num) \ + CRYPTO_realloc(addr, num, OPENSSL_FILE, OPENSSL_LINE) +#define OPENSSL_clear_realloc(addr, old_num, num) \ + CRYPTO_clear_realloc(addr, old_num, num, OPENSSL_FILE, OPENSSL_LINE) +#define OPENSSL_clear_free(addr, num) \ + CRYPTO_clear_free(addr, num, OPENSSL_FILE, OPENSSL_LINE) +#define OPENSSL_free(addr) \ + CRYPTO_free(addr, OPENSSL_FILE, OPENSSL_LINE) +#define OPENSSL_memdup(str, s) \ + CRYPTO_memdup((str), s, OPENSSL_FILE, OPENSSL_LINE) +#define OPENSSL_strdup(str) \ + CRYPTO_strdup(str, OPENSSL_FILE, OPENSSL_LINE) +#define OPENSSL_strndup(str, n) \ + CRYPTO_strndup(str, n, OPENSSL_FILE, OPENSSL_LINE) +#define OPENSSL_secure_malloc(num) \ + CRYPTO_secure_malloc(num, OPENSSL_FILE, OPENSSL_LINE) +#define OPENSSL_secure_zalloc(num) \ + CRYPTO_secure_zalloc(num, OPENSSL_FILE, OPENSSL_LINE) +#define OPENSSL_secure_free(addr) \ + CRYPTO_secure_free(addr, OPENSSL_FILE, OPENSSL_LINE) +#define OPENSSL_secure_clear_free(addr, num) \ + CRYPTO_secure_clear_free(addr, num, OPENSSL_FILE, OPENSSL_LINE) +#define OPENSSL_secure_actual_size(ptr) \ + CRYPTO_secure_actual_size(ptr) size_t OPENSSL_strlcpy(char *dst, const char *src, size_t siz); size_t OPENSSL_strlcat(char *dst, const char *src, size_t siz); size_t OPENSSL_strnlen(const char *str, size_t maxlen); int OPENSSL_strtoul(const char *str, char **endptr, int base, unsigned long *num); int 
OPENSSL_buf2hexstr_ex(char *str, size_t str_n, size_t *strlength, - const unsigned char *buf, size_t buflen, - const char sep); + const unsigned char *buf, size_t buflen, + const char sep); char *OPENSSL_buf2hexstr(const unsigned char *buf, long buflen); int OPENSSL_hexstr2buf_ex(unsigned char *buf, size_t buf_n, size_t *buflen, - const char *str, const char sep); + const char *str, const char sep); unsigned char *OPENSSL_hexstr2buf(const char *str, long *buflen); int OPENSSL_hexchar2int(unsigned char c); int OPENSSL_strcasecmp(const char *s1, const char *s2); int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n); -# define OPENSSL_MALLOC_MAX_NELEMS(type) (((1U<<(sizeof(int)*8-1))-1)/sizeof(type)) +#define OPENSSL_MALLOC_MAX_NELEMS(type) (((1U << (sizeof(int) * 8 - 1)) - 1) / sizeof(type)) /* * These functions return the values of OPENSSL_VERSION_MAJOR, 
@@ -160,32 +164,32 @@ const char *OPENSSL_version_build_metadata(void);
 unsigned long OpenSSL_version_num(void);
 const char *OpenSSL_version(int type);
-# define OPENSSL_VERSION 0
-# define OPENSSL_CFLAGS 1
-# define OPENSSL_BUILT_ON 2
-# define OPENSSL_PLATFORM 3
-# define OPENSSL_DIR 4
-# define OPENSSL_ENGINES_DIR 5
-# define OPENSSL_VERSION_STRING 6
-# define OPENSSL_FULL_VERSION_STRING 7
-# define OPENSSL_MODULES_DIR 8
-# define OPENSSL_CPU_INFO 9
-# define OPENSSL_WINCTX 10
+#define OPENSSL_VERSION 0
+#define OPENSSL_CFLAGS 1
+#define OPENSSL_BUILT_ON 2
+#define OPENSSL_PLATFORM 3
+#define OPENSSL_DIR 4
+#define OPENSSL_ENGINES_DIR 5
+#define OPENSSL_VERSION_STRING 6
+#define OPENSSL_FULL_VERSION_STRING 7
+#define OPENSSL_MODULES_DIR 8
+#define OPENSSL_CPU_INFO 9
+#define OPENSSL_WINCTX 10
 const char *OPENSSL_info(int type);
 /*
 * The series starts at 1001 to avoid confusion with the OpenSSL_version
 * types.
 */
-# define OPENSSL_INFO_CONFIG_DIR 1001
-# define OPENSSL_INFO_ENGINES_DIR 1002
-# define OPENSSL_INFO_MODULES_DIR 1003
-# define OPENSSL_INFO_DSO_EXTENSION 1004
-# define OPENSSL_INFO_DIR_FILENAME_SEPARATOR 1005
-# define OPENSSL_INFO_LIST_SEPARATOR 1006
-# define OPENSSL_INFO_SEED_SOURCE 1007
-# define OPENSSL_INFO_CPU_SETTINGS 1008
-# define OPENSSL_INFO_WINDOWS_CONTEXT 1009
+#define OPENSSL_INFO_CONFIG_DIR 1001
+#define OPENSSL_INFO_ENGINES_DIR 1002
+#define OPENSSL_INFO_MODULES_DIR 1003
+#define OPENSSL_INFO_DSO_EXTENSION 1004
+#define OPENSSL_INFO_DIR_FILENAME_SEPARATOR 1005
+#define OPENSSL_INFO_LIST_SEPARATOR 1006
+#define OPENSSL_INFO_SEED_SOURCE 1007
+#define OPENSSL_INFO_CPU_SETTINGS 1008
+#define OPENSSL_INFO_WINDOWS_CONTEXT 1009
 int OPENSSL_issetugid(void);
@@ -194,6 +198,7 @@ struct crypto_ex_data_st { STACK_OF(void) *sk; }; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(void, void, void) #define sk_void_num(sk) OPENSSL_sk_num(ossl_check_const_void_sk_type(sk)) #define sk_void_value(sk, idx) ((void *)OPENSSL_sk_value(ossl_check_const_void_sk_type(sk), (idx))) 
@@ -221,42 +226,42 @@ SKM_DEFINE_STACK_OF_INTERNAL(void, void, void) #define sk_void_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(void) *)OPENSSL_sk_deep_copy(ossl_check_const_void_sk_type(sk), ossl_check_void_copyfunc_type(copyfunc), ossl_check_void_freefunc_type(freefunc))) #define sk_void_set_cmp_func(sk, cmp) ((sk_void_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_void_sk_type(sk), ossl_check_void_compfunc_type(cmp))) - +/* clang-format on */ /* * Per class, we have a STACK of function pointers. */ -# define CRYPTO_EX_INDEX_SSL 0 -# define CRYPTO_EX_INDEX_SSL_CTX 1 -# define CRYPTO_EX_INDEX_SSL_SESSION 2 -# define CRYPTO_EX_INDEX_X509 3 -# define CRYPTO_EX_INDEX_X509_STORE 4 -# define CRYPTO_EX_INDEX_X509_STORE_CTX 5 -# define CRYPTO_EX_INDEX_DH 6 -# define CRYPTO_EX_INDEX_DSA 7 -# define CRYPTO_EX_INDEX_EC_KEY 8 -# define CRYPTO_EX_INDEX_RSA 9 -# define CRYPTO_EX_INDEX_ENGINE 10 -# define CRYPTO_EX_INDEX_UI 11 -# define CRYPTO_EX_INDEX_BIO 12 -# define CRYPTO_EX_INDEX_APP 13 -# define CRYPTO_EX_INDEX_UI_METHOD 14 -# define CRYPTO_EX_INDEX_RAND_DRBG 15 -# define CRYPTO_EX_INDEX_DRBG CRYPTO_EX_INDEX_RAND_DRBG -# define CRYPTO_EX_INDEX_OSSL_LIB_CTX 16 -# define CRYPTO_EX_INDEX_EVP_PKEY 17 -# define CRYPTO_EX_INDEX__COUNT 18 - -typedef void CRYPTO_EX_new (void *parent, void *ptr, CRYPTO_EX_DATA *ad, - int idx, long argl, void *argp); -typedef void CRYPTO_EX_free (void *parent, void *ptr, CRYPTO_EX_DATA *ad, - int idx, long argl, void *argp); -typedef int CRYPTO_EX_dup (CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, - void **from_d, int idx, long argl, void *argp); +#define CRYPTO_EX_INDEX_SSL 0 +#define CRYPTO_EX_INDEX_SSL_CTX 1 +#define CRYPTO_EX_INDEX_SSL_SESSION 2 +#define CRYPTO_EX_INDEX_X509 3 +#define CRYPTO_EX_INDEX_X509_STORE 4 +#define CRYPTO_EX_INDEX_X509_STORE_CTX 5 +#define CRYPTO_EX_INDEX_DH 6 +#define CRYPTO_EX_INDEX_DSA 7 +#define CRYPTO_EX_INDEX_EC_KEY 8 +#define CRYPTO_EX_INDEX_RSA 9 +#define CRYPTO_EX_INDEX_ENGINE 10 +#define CRYPTO_EX_INDEX_UI 11 
+#define CRYPTO_EX_INDEX_BIO 12 +#define CRYPTO_EX_INDEX_APP 13 +#define CRYPTO_EX_INDEX_UI_METHOD 14 +#define CRYPTO_EX_INDEX_RAND_DRBG 15 +#define CRYPTO_EX_INDEX_DRBG CRYPTO_EX_INDEX_RAND_DRBG +#define CRYPTO_EX_INDEX_OSSL_LIB_CTX 16 +#define CRYPTO_EX_INDEX_EVP_PKEY 17 +#define CRYPTO_EX_INDEX__COUNT 18 + +typedef void CRYPTO_EX_new(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + int idx, long argl, void *argp); +typedef void CRYPTO_EX_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + int idx, long argl, void *argp); +typedef int CRYPTO_EX_dup(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, + void **from_d, int idx, long argl, void *argp); __owur int CRYPTO_get_ex_new_index(int class_index, long argl, void *argp, - CRYPTO_EX_new *new_func, - CRYPTO_EX_dup *dup_func, - CRYPTO_EX_free *free_func); + CRYPTO_EX_new *new_func, + CRYPTO_EX_dup *dup_func, + CRYPTO_EX_free *free_func); /* No longer use an index. */ int CRYPTO_free_ex_index(int class_index, int idx); @@ -266,13 +271,13 @@ int CRYPTO_free_ex_index(int class_index, int idx); */ int CRYPTO_new_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad); int CRYPTO_dup_ex_data(int class_index, CRYPTO_EX_DATA *to, - const CRYPTO_EX_DATA *from); + const CRYPTO_EX_DATA *from); void CRYPTO_free_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad); /* Allocate a single item in the CRYPTO_EX_DATA variable */ int CRYPTO_alloc_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad, - int idx); + int idx); /* * Get/set data in a CRYPTO_EX_DATA variable corresponding to a particular 
@@ -281,12 +286,14 @@ int CRYPTO_alloc_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad,
 int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, void *val);
 void *CRYPTO_get_ex_data(const CRYPTO_EX_DATA *ad, int idx);
-# ifndef OPENSSL_NO_DEPRECATED_1_1_0
+#ifndef OPENSSL_NO_DEPRECATED_1_1_0
 /*
 * This function cleans up all "ex_data" state. It mustn't be called under
 * potential race-conditions.
 */
-# define CRYPTO_cleanup_all_ex_data() while(0) continue
+#define CRYPTO_cleanup_all_ex_data() \
+ while (0) \
+ continue
 /*
 * The old locking functions have been removed completely without compatibility
@@ -298,66 +305,66 @@ void *CRYPTO_get_ex_data(const CRYPTO_EX_DATA *ad, int idx); * On the other hand, the locking callbacks are no longer used. Consequently, * the callback management functions can be safely replaced with no-op macros. */ -# define CRYPTO_num_locks() (1) -# define CRYPTO_set_locking_callback(func) -# define CRYPTO_get_locking_callback() (NULL) -# define CRYPTO_set_add_lock_callback(func) -# define CRYPTO_get_add_lock_callback() (NULL) +#define CRYPTO_num_locks() (1) +#define CRYPTO_set_locking_callback(func) +#define CRYPTO_get_locking_callback() (NULL) +#define CRYPTO_set_add_lock_callback(func) +#define CRYPTO_get_add_lock_callback() (NULL) /* * These defines where used in combination with the old locking callbacks, * they are not called anymore, but old code that's not called might still * use them. */ -# define CRYPTO_LOCK 1 -# define CRYPTO_UNLOCK 2 -# define CRYPTO_READ 4 -# define CRYPTO_WRITE 8 +#define CRYPTO_LOCK 1 +#define CRYPTO_UNLOCK 2 +#define CRYPTO_READ 4 +#define CRYPTO_WRITE 8 /* This structure is no longer used */ typedef struct crypto_threadid_st { int dummy; } CRYPTO_THREADID; /* Only use CRYPTO_THREADID_set_[numeric|pointer]() within callbacks */ -# define CRYPTO_THREADID_set_numeric(id, val) -# define CRYPTO_THREADID_set_pointer(id, ptr) -# define CRYPTO_THREADID_set_callback(threadid_func) (0) -# define CRYPTO_THREADID_get_callback() (NULL) -# define CRYPTO_THREADID_current(id) -# define CRYPTO_THREADID_cmp(a, b) (-1) -# define CRYPTO_THREADID_cpy(dest, src) -# define CRYPTO_THREADID_hash(id) (0UL) - -# ifndef OPENSSL_NO_DEPRECATED_1_0_0 -# define CRYPTO_set_id_callback(func) -# define CRYPTO_get_id_callback() (NULL) -# define CRYPTO_thread_id() (0UL) -# endif /* OPENSSL_NO_DEPRECATED_1_0_0 */ - -# define CRYPTO_set_dynlock_create_callback(dyn_create_function) -# define CRYPTO_set_dynlock_lock_callback(dyn_lock_function) -# define CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function) -# define 
CRYPTO_get_dynlock_create_callback() (NULL) -# define CRYPTO_get_dynlock_lock_callback() (NULL) -# define CRYPTO_get_dynlock_destroy_callback() (NULL) -# endif /* OPENSSL_NO_DEPRECATED_1_1_0 */ +#define CRYPTO_THREADID_set_numeric(id, val) +#define CRYPTO_THREADID_set_pointer(id, ptr) +#define CRYPTO_THREADID_set_callback(threadid_func) (0) +#define CRYPTO_THREADID_get_callback() (NULL) +#define CRYPTO_THREADID_current(id) +#define CRYPTO_THREADID_cmp(a, b) (-1) +#define CRYPTO_THREADID_cpy(dest, src) +#define CRYPTO_THREADID_hash(id) (0UL) + +#ifndef OPENSSL_NO_DEPRECATED_1_0_0 +#define CRYPTO_set_id_callback(func) +#define CRYPTO_get_id_callback() (NULL) +#define CRYPTO_thread_id() (0UL) +#endif /* OPENSSL_NO_DEPRECATED_1_0_0 */ + +#define CRYPTO_set_dynlock_create_callback(dyn_create_function) +#define CRYPTO_set_dynlock_lock_callback(dyn_lock_function) +#define CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function) +#define CRYPTO_get_dynlock_create_callback() (NULL) +#define CRYPTO_get_dynlock_lock_callback() (NULL) +#define CRYPTO_get_dynlock_destroy_callback() (NULL) +#endif /* OPENSSL_NO_DEPRECATED_1_1_0 */ typedef void *(*CRYPTO_malloc_fn)(size_t num, const char *file, int line); typedef void *(*CRYPTO_realloc_fn)(void *addr, size_t num, const char *file, - int line); + int line); typedef void (*CRYPTO_free_fn)(void *addr, const char *file, int line); int CRYPTO_set_mem_functions(CRYPTO_malloc_fn malloc_fn, - CRYPTO_realloc_fn realloc_fn, - CRYPTO_free_fn free_fn); + CRYPTO_realloc_fn realloc_fn, + CRYPTO_free_fn free_fn); void CRYPTO_get_mem_functions(CRYPTO_malloc_fn *malloc_fn, - CRYPTO_realloc_fn *realloc_fn, - CRYPTO_free_fn *free_fn); + CRYPTO_realloc_fn *realloc_fn, + CRYPTO_free_fn *free_fn); OSSL_CRYPTO_ALLOC void *CRYPTO_malloc(size_t num, const char *file, int line); OSSL_CRYPTO_ALLOC void *CRYPTO_zalloc(size_t num, const char *file, int line); OSSL_CRYPTO_ALLOC void *CRYPTO_aligned_alloc(size_t num, size_t align, - void **freeptr, const char 
*file, - int line); + void **freeptr, const char *file, + int line); void *CRYPTO_memdup(const void *str, size_t siz, const char *file, int line); char *CRYPTO_strdup(const char *str, const char *file, int line); char *CRYPTO_strndup(const char *str, size_t s, const char *file, int line); @@ -365,7 +372,7 @@ void CRYPTO_free(void *ptr, const char *file, int line); void CRYPTO_clear_free(void *ptr, size_t num, const char *file, int line); void *CRYPTO_realloc(void *addr, size_t num, const char *file, int line); void *CRYPTO_clear_realloc(void *addr, size_t old_num, size_t num, - const char *file, int line); + const char *file, int line); int CRYPTO_secure_malloc_init(size_t sz, size_t minsize); int CRYPTO_secure_malloc_done(void); @@ -373,7 +380,7 @@ OSSL_CRYPTO_ALLOC void *CRYPTO_secure_malloc(size_t num, const char *file, int l OSSL_CRYPTO_ALLOC void *CRYPTO_secure_zalloc(size_t num, const char *file, int line); void CRYPTO_secure_free(void *ptr, const char *file, int line); void CRYPTO_secure_clear_free(void *ptr, size_t num, - const char *file, int line); + const char *file, int line); int CRYPTO_secure_allocated(const void *ptr); int CRYPTO_secure_malloc_initialized(void); size_t CRYPTO_secure_actual_size(void *ptr); 
@@ -381,77 +388,77 @@ size_t CRYPTO_secure_used(void); void OPENSSL_cleanse(void *ptr, size_t len); -# ifndef OPENSSL_NO_CRYPTO_MDEBUG +#ifndef OPENSSL_NO_CRYPTO_MDEBUG /* * The following can be used to detect memory leaks in the library. If * used, it turns on malloc checking */ -# define CRYPTO_MEM_CHECK_OFF 0x0 /* Control only */ -# define CRYPTO_MEM_CHECK_ON 0x1 /* Control and mode bit */ -# define CRYPTO_MEM_CHECK_ENABLE 0x2 /* Control and mode bit */ -# define CRYPTO_MEM_CHECK_DISABLE 0x3 /* Control only */ +#define CRYPTO_MEM_CHECK_OFF 0x0 /* Control only */ +#define CRYPTO_MEM_CHECK_ON 0x1 /* Control and mode bit */ +#define CRYPTO_MEM_CHECK_ENABLE 0x2 /* Control and mode bit */ +#define CRYPTO_MEM_CHECK_DISABLE 0x3 /* Control only */ /* max allowed length for value of OPENSSL_MALLOC_FAILURES env var. */ -# define CRYPTO_MEM_CHECK_MAX_FS 256 +#define CRYPTO_MEM_CHECK_MAX_FS 256 void CRYPTO_get_alloc_counts(int *mcount, int *rcount, int *fcount); -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define OPENSSL_mem_debug_push(info) \ - CRYPTO_mem_debug_push(info, OPENSSL_FILE, OPENSSL_LINE) -# define OPENSSL_mem_debug_pop() \ - CRYPTO_mem_debug_pop() -# endif -# ifndef OPENSSL_NO_DEPRECATED_3_0 +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define OPENSSL_mem_debug_push(info) \ + CRYPTO_mem_debug_push(info, OPENSSL_FILE, OPENSSL_LINE) +#define OPENSSL_mem_debug_pop() \ + CRYPTO_mem_debug_pop() +#endif +#ifndef OPENSSL_NO_DEPRECATED_3_0 OSSL_DEPRECATEDIN_3_0 int CRYPTO_set_mem_debug(int flag); OSSL_DEPRECATEDIN_3_0 int CRYPTO_mem_ctrl(int mode); OSSL_DEPRECATEDIN_3_0 int CRYPTO_mem_debug_push(const char *info, - const char *file, int line); + const char *file, int line); OSSL_DEPRECATEDIN_3_0 int CRYPTO_mem_debug_pop(void); OSSL_DEPRECATEDIN_3_0 void CRYPTO_mem_debug_malloc(void *addr, size_t num, - int flag, - const char *file, int line); + int flag, + const char *file, int line); OSSL_DEPRECATEDIN_3_0 void CRYPTO_mem_debug_realloc(void *addr1, void *addr2, - size_t num, int 
flag, - const char *file, int line); + size_t num, int flag, + const char *file, int line); OSSL_DEPRECATEDIN_3_0 void CRYPTO_mem_debug_free(void *addr, int flag, - const char *file, int line); + const char *file, int line); OSSL_DEPRECATEDIN_3_0 int CRYPTO_mem_leaks_cb(int (*cb)(const char *str, size_t len, void *u), - void *u); -# endif -# ifndef OPENSSL_NO_STDIO -# ifndef OPENSSL_NO_DEPRECATED_3_0 + void *u); +#endif +#ifndef OPENSSL_NO_STDIO +#ifndef OPENSSL_NO_DEPRECATED_3_0 OSSL_DEPRECATEDIN_3_0 int CRYPTO_mem_leaks_fp(FILE *); -# endif -# endif -# ifndef OPENSSL_NO_DEPRECATED_3_0 +#endif +#endif +#ifndef OPENSSL_NO_DEPRECATED_3_0 OSSL_DEPRECATEDIN_3_0 int CRYPTO_mem_leaks(BIO *bio); -# endif -# endif /* OPENSSL_NO_CRYPTO_MDEBUG */ +#endif +#endif /* OPENSSL_NO_CRYPTO_MDEBUG */ /* die if we have to */ ossl_noreturn void OPENSSL_die(const char *assertion, const char *file, int line); -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# define OpenSSLDie(f,l,a) OPENSSL_die((a),(f),(l)) -# endif -# define OPENSSL_assert(e) \ +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#define OpenSSLDie(f, l, a) OPENSSL_die((a), (f), (l)) +#endif +#define OPENSSL_assert(e) \ (void)((e) ? 0 : (OPENSSL_die("assertion failed: " #e, OPENSSL_FILE, OPENSSL_LINE), 1)) int OPENSSL_isservice(void); void OPENSSL_init(void); -# ifdef OPENSSL_SYS_UNIX -# ifndef OPENSSL_NO_DEPRECATED_3_0 +#ifdef OPENSSL_SYS_UNIX +#ifndef OPENSSL_NO_DEPRECATED_3_0 OSSL_DEPRECATEDIN_3_0 void OPENSSL_fork_prepare(void); OSSL_DEPRECATEDIN_3_0 void OPENSSL_fork_parent(void); OSSL_DEPRECATEDIN_3_0 void OPENSSL_fork_child(void); -# endif -# endif +#endif +#endif struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result); int OPENSSL_gmtime_adj(struct tm *tm, int offset_day, long offset_sec); int OPENSSL_gmtime_diff(int *pday, int *psec, - const struct tm *from, const struct tm *to); + const struct tm *from, const struct tm *to); /* * CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. 
@@ -460,29 +467,29 @@ int OPENSSL_gmtime_diff(int *pday, int *psec,
 * into a defined order as the return value when a != b is undefined, other
 * than to be non-zero.
 */
-int CRYPTO_memcmp(const void * in_a, const void * in_b, size_t len);
+int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len);
 /* Standard initialisation options */
-# define OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS 0x00000001L
-# define OPENSSL_INIT_LOAD_CRYPTO_STRINGS 0x00000002L
-# define OPENSSL_INIT_ADD_ALL_CIPHERS 0x00000004L
-# define OPENSSL_INIT_ADD_ALL_DIGESTS 0x00000008L
-# define OPENSSL_INIT_NO_ADD_ALL_CIPHERS 0x00000010L
-# define OPENSSL_INIT_NO_ADD_ALL_DIGESTS 0x00000020L
-# define OPENSSL_INIT_LOAD_CONFIG 0x00000040L
-# define OPENSSL_INIT_NO_LOAD_CONFIG 0x00000080L
-# define OPENSSL_INIT_ASYNC 0x00000100L
-# define OPENSSL_INIT_ENGINE_RDRAND 0x00000200L
-# define OPENSSL_INIT_ENGINE_DYNAMIC 0x00000400L
-# define OPENSSL_INIT_ENGINE_OPENSSL 0x00000800L
-# define OPENSSL_INIT_ENGINE_CRYPTODEV 0x00001000L
-# define OPENSSL_INIT_ENGINE_CAPI 0x00002000L
-# define OPENSSL_INIT_ENGINE_PADLOCK 0x00004000L
-# define OPENSSL_INIT_ENGINE_AFALG 0x00008000L
+#define OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS 0x00000001L
+#define OPENSSL_INIT_LOAD_CRYPTO_STRINGS 0x00000002L
+#define OPENSSL_INIT_ADD_ALL_CIPHERS 0x00000004L
+#define OPENSSL_INIT_ADD_ALL_DIGESTS 0x00000008L
+#define OPENSSL_INIT_NO_ADD_ALL_CIPHERS 0x00000010L
+#define OPENSSL_INIT_NO_ADD_ALL_DIGESTS 0x00000020L
+#define OPENSSL_INIT_LOAD_CONFIG 0x00000040L
+#define OPENSSL_INIT_NO_LOAD_CONFIG 0x00000080L
+#define OPENSSL_INIT_ASYNC 0x00000100L
+#define OPENSSL_INIT_ENGINE_RDRAND 0x00000200L
+#define OPENSSL_INIT_ENGINE_DYNAMIC 0x00000400L
+#define OPENSSL_INIT_ENGINE_OPENSSL 0x00000800L
+#define OPENSSL_INIT_ENGINE_CRYPTODEV 0x00001000L
+#define OPENSSL_INIT_ENGINE_CAPI 0x00002000L
+#define OPENSSL_INIT_ENGINE_PADLOCK 0x00004000L
+#define OPENSSL_INIT_ENGINE_AFALG 0x00008000L
 /* FREE: 0x00010000L */
-# define OPENSSL_INIT_ATFORK 0x00020000L
+#define OPENSSL_INIT_ATFORK 0x00020000L
 /* OPENSSL_INIT_BASE_ONLY 0x00040000L */
-# define OPENSSL_INIT_NO_ATEXIT 0x00080000L
+#define OPENSSL_INIT_NO_ATEXIT 0x00080000L
 /* OPENSSL_INIT flag range 0x03f00000 reserved for OPENSSL_init_ssl() */
 /* FREE: 0x04000000L */
 /* FREE: 0x08000000L */
@@ -493,10 +500,9 @@ int CRYPTO_memcmp(const void * in_a, const void * in_b, size_t len);
 /* Max OPENSSL_INIT flag value is 0x80000000 */
 /* openssl and dasync not counted as builtin */
-# define OPENSSL_INIT_ENGINE_ALL_BUILTIN \
+#define OPENSSL_INIT_ENGINE_ALL_BUILTIN \
 (OPENSSL_INIT_ENGINE_RDRAND | OPENSSL_INIT_ENGINE_DYNAMIC \
- | OPENSSL_INIT_ENGINE_CRYPTODEV | OPENSSL_INIT_ENGINE_CAPI | \
- OPENSSL_INIT_ENGINE_PADLOCK)
+ | OPENSSL_INIT_ENGINE_CRYPTODEV | OPENSSL_INIT_ENGINE_CAPI | OPENSSL_INIT_ENGINE_PADLOCK)
 /* Library initialisation functions */
 void OPENSSL_cleanup(void);
@@ -507,48 +513,48 @@ void OPENSSL_thread_stop_ex(OSSL_LIB_CTX *ctx);
 /* Low-level control of initialization */
 OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(void);
-# ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_STDIO
 int OPENSSL_INIT_set_config_filename(OPENSSL_INIT_SETTINGS *settings,
- const char *config_filename);
+ const char *config_filename);
 void OPENSSL_INIT_set_config_file_flags(OPENSSL_INIT_SETTINGS *settings,
- unsigned long flags);
+ unsigned long flags);
 int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *settings,
- const char *config_appname);
-# endif
+ const char *config_appname);
+#endif
 void OPENSSL_INIT_free(OPENSSL_INIT_SETTINGS *settings);
-# if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG)
-# if defined(_WIN32)
-# if defined(BASETYPES) || defined(_WINDEF_H)
+#if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG)
+#if defined(_WIN32)
+#if defined(BASETYPES) || defined(_WINDEF_H)
 /* application has to include <windows.h> in order to use this */
 typedef DWORD CRYPTO_THREAD_LOCAL;
 typedef DWORD CRYPTO_THREAD_ID;
 typedef LONG CRYPTO_ONCE;
-# define CRYPTO_ONCE_STATIC_INIT 0
-# endif
-# else
-# if defined(__TANDEM) && defined(_SPT_MODEL_)
-# define SPT_THREAD_SIGNAL 1
-# define SPT_THREAD_AWARE 1
-# include <spthread.h>
-# else
-# include <pthread.h>
-# endif
+#define CRYPTO_ONCE_STATIC_INIT 0
+#endif
+#else
+#if defined(__TANDEM) && defined(_SPT_MODEL_)
+#define SPT_THREAD_SIGNAL 1
+#define SPT_THREAD_AWARE 1
+#include <spthread.h>
+#else
+#include <pthread.h>
+#endif
 typedef pthread_once_t CRYPTO_ONCE;
 typedef pthread_key_t CRYPTO_THREAD_LOCAL;
 typedef pthread_t CRYPTO_THREAD_ID;
-# define CRYPTO_ONCE_STATIC_INIT PTHREAD_ONCE_INIT
-# endif
-# endif
+#define CRYPTO_ONCE_STATIC_INIT PTHREAD_ONCE_INIT
+#endif
+#endif
-# if !defined(CRYPTO_ONCE_STATIC_INIT)
+#if !defined(CRYPTO_ONCE_STATIC_INIT)
 typedef unsigned int CRYPTO_ONCE;
 typedef unsigned int CRYPTO_THREAD_LOCAL;
 typedef unsigned int CRYPTO_THREAD_ID;
-# define CRYPTO_ONCE_STATIC_INIT 0
-# endif
+#define CRYPTO_ONCE_STATIC_INIT 0
+#endif
 int CRYPTO_THREAD_run_once(CRYPTO_ONCE *once, void (*init)(void));
@@ -562,9 +568,9 @@ int CRYPTO_THREAD_compare_id(CRYPTO_THREAD_ID a, CRYPTO_THREAD_ID b);
 OSSL_LIB_CTX *OSSL_LIB_CTX_new(void);
 OSSL_LIB_CTX *OSSL_LIB_CTX_new_from_dispatch(const OSSL_CORE_HANDLE *handle,
- const OSSL_DISPATCH *in);
+ const OSSL_DISPATCH *in);
 OSSL_LIB_CTX *OSSL_LIB_CTX_new_child(const OSSL_CORE_HANDLE *handle,
- const OSSL_DISPATCH *in);
+ const OSSL_DISPATCH *in);
 int OSSL_LIB_CTX_load_config(OSSL_LIB_CTX *ctx, const char *config_file);
 void OSSL_LIB_CTX_free(OSSL_LIB_CTX *);
 OSSL_LIB_CTX *OSSL_LIB_CTX_get0_global_default(void);
@@ -574,10 +580,9 @@ void OSSL_LIB_CTX_set_conf_diagnostics(OSSL_LIB_CTX *ctx, int value);
 void OSSL_sleep(uint64_t millis);
-
 void *OSSL_LIB_CTX_get_data(OSSL_LIB_CTX *ctx, int index);
-# ifdef __cplusplus
+#ifdef __cplusplus
 }
-# endif
+#endif
 #endif
diff --git a/crypto/openssl/include/openssl/ct.h b/crypto/openssl/include/openssl/ct.h
index e6dd1192a4e0..0b60803f98ca 100644
--- a/crypto/openssl/include/openssl/ct.h
+++ b/crypto/openssl/include/openssl/ct.h
@@ -10,35 +10,37 @@
 * https://www.openssl.org/source/license.html
 */
+/* clang-format off */
+/* clang-format on */
 #ifndef OPENSSL_CT_H
-# define OPENSSL_CT_H
-# pragma once
-
-# include <openssl/macros.h>
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-# define HEADER_CT_H
-# endif
-
-# include <openssl/opensslconf.h>
-
-# ifndef OPENSSL_NO_CT
-# include <openssl/types.h>
-# include <openssl/safestack.h>
-# include <openssl/x509.h>
-# include <openssl/cterr.h>
-# ifdef __cplusplus
-extern "C" {
-# endif
+#define OPENSSL_CT_H
+#pragma once
+
+#include <openssl/macros.h>
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+#define HEADER_CT_H
+#endif
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_CT
+#include <openssl/types.h>
+#include <openssl/safestack.h>
+#include <openssl/x509.h>
+#include <openssl/cterr.h>
+#ifdef __cplusplus
+extern "C" {
+#endif
 /* Minimum RSA key size, from RFC6962 */
-# define SCT_MIN_RSA_BITS 2048
+#define SCT_MIN_RSA_BITS 2048
 /* All hashes are SHA256 in v1 of Certificate Transparency */
-# define CT_V1_HASHLEN SHA256_DIGEST_LENGTH
+#define CT_V1_HASHLEN SHA256_DIGEST_LENGTH
+/* clang-format off */
 SKM_DEFINE_STACK_OF_INTERNAL(SCT, SCT, SCT)
 #define sk_SCT_num(sk) OPENSSL_sk_num(ossl_check_const_SCT_sk_type(sk))
 #define sk_SCT_value(sk, idx) ((SCT *)OPENSSL_sk_value(ossl_check_const_SCT_sk_type(sk), (idx)))
@@ -92,7 +94,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(CTLOG, CTLOG, CTLOG)
 #define sk_CTLOG_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(CTLOG) *)OPENSSL_sk_deep_copy(ossl_check_const_CTLOG_sk_type(sk), ossl_check_CTLOG_copyfunc_type(copyfunc), ossl_check_CTLOG_freefunc_type(freefunc)))
 #define sk_CTLOG_set_cmp_func(sk, cmp) ((sk_CTLOG_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_CTLOG_sk_type(sk), ossl_check_CTLOG_compfunc_type(cmp)))
-
+/* clang-format on */
 typedef enum {
 CT_LOG_ENTRY_TYPE_NOT_SET = -1,
@@ -132,7 +134,7 @@ typedef enum {
 * with the CT_POLICY_EVAL_CTX.
 */
 CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new_ex(OSSL_LIB_CTX *libctx,
- const char *propq);
+ const char *propq);
 /*
 * The same as CT_POLICY_EVAL_CTX_new_ex() but the default library
@@ -144,7 +146,7 @@ CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new(void);
 void CT_POLICY_EVAL_CTX_free(CT_POLICY_EVAL_CTX *ctx);
 /* Gets the peer certificate that the SCTs are for */
-X509* CT_POLICY_EVAL_CTX_get0_cert(const CT_POLICY_EVAL_CTX *ctx);
+X509 *CT_POLICY_EVAL_CTX_get0_cert(const CT_POLICY_EVAL_CTX *ctx);
 /*
 * Sets the certificate associated with the received SCTs.
@@ -154,7 +156,7 @@ X509* CT_POLICY_EVAL_CTX_get0_cert(const CT_POLICY_EVAL_CTX *ctx);
 int CT_POLICY_EVAL_CTX_set1_cert(CT_POLICY_EVAL_CTX *ctx, X509 *cert);
 /* Gets the issuer of the aforementioned certificate */
-X509* CT_POLICY_EVAL_CTX_get0_issuer(const CT_POLICY_EVAL_CTX *ctx);
+X509 *CT_POLICY_EVAL_CTX_get0_issuer(const CT_POLICY_EVAL_CTX *ctx);
 /*
 * Sets the issuer of the certificate associated with the received SCTs.
@@ -168,7 +170,7 @@ const CTLOG_STORE *CT_POLICY_EVAL_CTX_get0_log_store(const CT_POLICY_EVAL_CTX *c
 /* Sets the log store that is in use. It must outlive the CT_POLICY_EVAL_CTX. */
 void CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(CT_POLICY_EVAL_CTX *ctx,
- CTLOG_STORE *log_store);
+ CTLOG_STORE *log_store);
 /*
 * Gets the time, in milliseconds since the Unix epoch, that will be used as the
@@ -200,11 +202,11 @@ SCT *SCT_new(void);
 * The caller is responsible for calling SCT_free when finished with the SCT.
 */
 SCT *SCT_new_from_base64(unsigned char version,
- const char *logid_base64,
- ct_log_entry_type_t entry_type,
- uint64_t timestamp,
- const char *extensions_base64,
- const char *signature_base64);
+ const char *logid_base64,
+ ct_log_entry_type_t entry_type,
+ uint64_t timestamp,
+ const char *extensions_base64,
+ const char *signature_base64);
 /*
 * Frees the SCT and the underlying data structures.
@@ -259,7 +261,7 @@ __owur int SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len);
 * Returns 1 on success, 0 otherwise.
 */
 __owur int SCT_set1_log_id(SCT *sct, const unsigned char *log_id,
- size_t log_id_len);
+ size_t log_id_len);
 /*
 * Returns the timestamp for the SCT (epoch time in milliseconds).
@@ -305,7 +307,7 @@ void SCT_set0_extensions(SCT *sct, unsigned char *ext, size_t ext_len);
 * Returns 1 on success, 0 otherwise.
 */
 __owur int SCT_set1_extensions(SCT *sct, const unsigned char *ext,
- size_t ext_len);
+ size_t ext_len);
 /*
 * Set *sig to point to the signature for the SCT. sig must not be NULL.
@@ -325,7 +327,7 @@ void SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len);
 * Returns 1 on success, 0 otherwise.
 */
 __owur int SCT_set1_signature(SCT *sct, const unsigned char *sig,
- size_t sig_len);
+ size_t sig_len);
 /*
 * The origin of this SCT, e.g. TLS extension, OCSP response, etc.
@@ -359,7 +361,7 @@ void SCT_print(const SCT *sct, BIO *out, int indent, const CTLOG_STORE *logs);
 * came from, so that the log names can be printed.
 */
 void SCT_LIST_print(const STACK_OF(SCT) *sct_list, BIO *out, int indent,
- const char *separator, const CTLOG_STORE *logs);
+ const char *separator, const CTLOG_STORE *logs);
 /*
 * Gets the last result of validating this SCT.
@@ -384,8 +386,7 @@ __owur int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx);
 * Returns a negative integer if an error occurs.
 */
 __owur int SCT_LIST_validate(const STACK_OF(SCT) *scts,
- CT_POLICY_EVAL_CTX *ctx);
-
+ CT_POLICY_EVAL_CTX *ctx);
 /*********************************
 * SCT parsing and serialization *
@@ -416,7 +417,7 @@ __owur int i2o_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp);
 * not defined.
 */
 STACK_OF(SCT) *o2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp,
- size_t len);
+ size_t len);
 /*
 * Serialize (to DER format) a stack of SCTs and return the length.
@@ -443,7 +444,7 @@ __owur int i2d_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp);
 * not defined.
 */
 STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp,
- long len);
+ long len);
 /*
 * Serialize (to TLS format) an |sct| and write it to |out|.
@@ -482,7 +483,7 @@ SCT *o2i_SCT(SCT **psct, const unsigned char **in, size_t len);
 * Should be deleted by the caller using CTLOG_free when no longer needed.
 */
 CTLOG *CTLOG_new_ex(EVP_PKEY *public_key, const char *name, OSSL_LIB_CTX *libctx,
- const char *propq);
+ const char *propq);
 /*
 * The same as CTLOG_new_ex except that the default library context and
@@ -499,16 +500,16 @@ CTLOG *CTLOG_new(EVP_PKEY *public_key, const char *name);
 * Should be deleted by the caller using CTLOG_free when no longer needed.
 */
 int CTLOG_new_from_base64_ex(CTLOG **ct_log, const char *pkey_base64,
- const char *name, OSSL_LIB_CTX *libctx,
- const char *propq);
+ const char *name, OSSL_LIB_CTX *libctx,
+ const char *propq);
 /*
 * The same as CTLOG_new_from_base64_ex() except that the default
 * library context and property query string are used.
 * Returns 1 on success, 0 on failure.
 */
-int CTLOG_new_from_base64(CTLOG ** ct_log,
- const char *pkey_base64, const char *name);
+int CTLOG_new_from_base64(CTLOG **ct_log,
+ const char *pkey_base64, const char *name);
 /*
 * Deletes a CT log instance and its fields.
@@ -519,7 +520,7 @@ void CTLOG_free(CTLOG *log);
 const char *CTLOG_get0_name(const CTLOG *log);
 /* Gets the ID of the CT log */
 void CTLOG_get0_log_id(const CTLOG *log, const uint8_t **log_id,
- size_t *log_id_len);
+ size_t *log_id_len);
 /* Gets the public key of the CT log */
 EVP_PKEY *CTLOG_get0_public_key(const CTLOG *log);
@@ -551,8 +552,8 @@ void CTLOG_STORE_free(CTLOG_STORE *store);
 * Returns the CT log, or NULL if no match is found.
 */
 const CTLOG *CTLOG_STORE_get0_log_by_id(const CTLOG_STORE *store,
- const uint8_t *log_id,
- size_t log_id_len);
+ const uint8_t *log_id,
+ size_t log_id_len);
 /*
 * Loads a CT log list into a |store| from a |file|.
@@ -566,8 +567,8 @@ __owur int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file);
 */
 __owur int CTLOG_STORE_load_default_file(CTLOG_STORE *store);
-# ifdef __cplusplus
+#ifdef __cplusplus
 }
-# endif
-# endif
+#endif
+#endif
 #endif
diff --git a/crypto/openssl/include/openssl/err.h b/crypto/openssl/include/openssl/err.h
index daca18e7b757..a15ac6ac1f78 100644
--- a/crypto/openssl/include/openssl/err.h
+++ b/crypto/openssl/include/openssl/err.h
@@ -7,52 +7,54 @@
 * https://www.openssl.org/source/license.html
 */
+/* clang-format off */
+/* clang-format on */
 #ifndef OPENSSL_ERR_H
-# define OPENSSL_ERR_H
-# pragma once
+#define OPENSSL_ERR_H
+#pragma once
-# include <openssl/macros.h>
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-# define HEADER_ERR_H
-# endif
+#include <openssl/macros.h>
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+#define HEADER_ERR_H
+#endif
-# include <openssl/e_os2.h>
+#include <openssl/e_os2.h>
-# ifndef OPENSSL_NO_STDIO
-# include <stdio.h>
-# include <stdlib.h>
-# endif
+#ifndef OPENSSL_NO_STDIO
+#include <stdio.h>
+#include <stdlib.h>
+#endif
-# include <openssl/types.h>
-# include <openssl/bio.h>
-# include <openssl/lhash.h>
-# include <openssl/cryptoerr_legacy.h>
+#include <openssl/types.h>
+#include <openssl/bio.h>
+#include <openssl/lhash.h>
+#include <openssl/cryptoerr_legacy.h>
-#ifdef __cplusplus
+#ifdef __cplusplus
 extern "C" {
 #endif
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-# ifndef OPENSSL_NO_FILENAMES
-# define ERR_PUT_error(l,f,r,fn,ln) ERR_put_error(l,f,r,fn,ln)
-# else
-# define ERR_PUT_error(l,f,r,fn,ln) ERR_put_error(l,f,r,NULL,0)
-# endif
-# endif
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+#ifndef OPENSSL_NO_FILENAMES
+#define ERR_PUT_error(l, f, r, fn, ln) ERR_put_error(l, f, r, fn, ln)
+#else
+#define ERR_PUT_error(l, f, r, fn, ln) ERR_put_error(l, f, r, NULL, 0)
+#endif
+#endif
-# include <limits.h>
-# include <errno.h>
+#include <limits.h>
+#include <errno.h>
-# define ERR_TXT_MALLOCED 0x01
-# define ERR_TXT_STRING 0x02
+#define ERR_TXT_MALLOCED 0x01
+#define ERR_TXT_STRING 0x02
-# if !defined(OPENSSL_NO_DEPRECATED_3_0) || defined(OSSL_FORCE_ERR_STATE)
-# define ERR_FLAG_MARK 0x01
-# define ERR_FLAG_CLEAR 0x02
+#if !defined(OPENSSL_NO_DEPRECATED_3_0) || defined(OSSL_FORCE_ERR_STATE)
+#define ERR_FLAG_MARK 0x01
+#define ERR_FLAG_CLEAR 0x02
-# define ERR_NUM_ERRORS 16
+#define ERR_NUM_ERRORS 16
 struct err_state_st {
 int err_flags[ERR_NUM_ERRORS];
 int err_marks[ERR_NUM_ERRORS];
@@ -65,109 +67,109 @@ struct err_state_st {
 char *err_func[ERR_NUM_ERRORS];
 int top, bottom;
 };
-# endif
+#endif
 /* library */
-# define ERR_LIB_NONE 1
-# define ERR_LIB_SYS 2
-# define ERR_LIB_BN 3
-# define ERR_LIB_RSA 4
-# define ERR_LIB_DH 5
-# define ERR_LIB_EVP 6
-# define ERR_LIB_BUF 7
-# define ERR_LIB_OBJ 8
-# define ERR_LIB_PEM 9
-# define ERR_LIB_DSA 10
-# define ERR_LIB_X509 11
+#define ERR_LIB_NONE 1
+#define ERR_LIB_SYS 2
+#define ERR_LIB_BN 3
+#define ERR_LIB_RSA 4
+#define ERR_LIB_DH 5
+#define ERR_LIB_EVP 6
+#define ERR_LIB_BUF 7
+#define ERR_LIB_OBJ 8
+#define ERR_LIB_PEM 9
+#define ERR_LIB_DSA 10
+#define ERR_LIB_X509 11
 /* #define ERR_LIB_METH 12 */
-# define ERR_LIB_ASN1 13
-# define ERR_LIB_CONF 14
-# define ERR_LIB_CRYPTO 15
-# define ERR_LIB_EC 16
-# define ERR_LIB_SSL 20
+#define ERR_LIB_ASN1 13
+#define ERR_LIB_CONF 14
+#define ERR_LIB_CRYPTO 15
+#define ERR_LIB_EC 16
+#define ERR_LIB_SSL 20
 /* #define ERR_LIB_SSL23 21 */
 /* #define ERR_LIB_SSL2 22 */
 /* #define ERR_LIB_SSL3 23 */
 /* #define ERR_LIB_RSAREF 30 */
 /* #define ERR_LIB_PROXY 31 */
-# define ERR_LIB_BIO 32
-# define ERR_LIB_PKCS7 33
-# define ERR_LIB_X509V3 34
-# define ERR_LIB_PKCS12 35
-# define ERR_LIB_RAND 36
-# define ERR_LIB_DSO 37
-# define ERR_LIB_ENGINE 38
-# define ERR_LIB_OCSP 39
-# define ERR_LIB_UI 40
-# define ERR_LIB_COMP 41
-# define ERR_LIB_ECDSA 42
-# define ERR_LIB_ECDH 43
-# define ERR_LIB_OSSL_STORE 44
-# define ERR_LIB_FIPS 45
-# define ERR_LIB_CMS 46
-# define ERR_LIB_TS 47
-# define ERR_LIB_HMAC 48
+#define ERR_LIB_BIO 32
+#define ERR_LIB_PKCS7 33
+#define ERR_LIB_X509V3 34
+#define ERR_LIB_PKCS12 35
+#define ERR_LIB_RAND 36
+#define ERR_LIB_DSO 37
+#define ERR_LIB_ENGINE 38
+#define ERR_LIB_OCSP 39
+#define ERR_LIB_UI 40
+#define ERR_LIB_COMP 41
+#define ERR_LIB_ECDSA 42
+#define ERR_LIB_ECDH 43
+#define ERR_LIB_OSSL_STORE 44
+#define ERR_LIB_FIPS 45
+#define ERR_LIB_CMS 46
+#define ERR_LIB_TS 47
+#define ERR_LIB_HMAC 48
 /* # define ERR_LIB_JPAKE 49 */
-# define ERR_LIB_CT 50
-# define ERR_LIB_ASYNC 51
-# define ERR_LIB_KDF 52
-# define ERR_LIB_SM2 53
-# define ERR_LIB_ESS 54
-# define ERR_LIB_PROP 55
-# define ERR_LIB_CRMF 56
-# define ERR_LIB_PROV 57
-# define ERR_LIB_CMP 58
-# define ERR_LIB_OSSL_ENCODER 59
-# define ERR_LIB_OSSL_DECODER 60
-# define ERR_LIB_HTTP 61
-
-# define ERR_LIB_USER 128
-
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-# define ASN1err(f, r) ERR_raise_data(ERR_LIB_ASN1, (r), NULL)
-# define ASYNCerr(f, r) ERR_raise_data(ERR_LIB_ASYNC, (r), NULL)
-# define BIOerr(f, r) ERR_raise_data(ERR_LIB_BIO, (r), NULL)
-# define BNerr(f, r) ERR_raise_data(ERR_LIB_BN, (r), NULL)
-# define BUFerr(f, r) ERR_raise_data(ERR_LIB_BUF, (r), NULL)
-# define CMPerr(f, r) ERR_raise_data(ERR_LIB_CMP, (r), NULL)
-# define CMSerr(f, r) ERR_raise_data(ERR_LIB_CMS, (r), NULL)
-# define COMPerr(f, r) ERR_raise_data(ERR_LIB_COMP, (r), NULL)
-# define CONFerr(f, r) ERR_raise_data(ERR_LIB_CONF, (r), NULL)
-# define CRMFerr(f, r) ERR_raise_data(ERR_LIB_CRMF, (r), NULL)
-# define CRYPTOerr(f, r) ERR_raise_data(ERR_LIB_CRYPTO, (r), NULL)
-# define CTerr(f, r) ERR_raise_data(ERR_LIB_CT, (r), NULL)
-# define DHerr(f, r) ERR_raise_data(ERR_LIB_DH, (r), NULL)
-# define DSAerr(f, r) ERR_raise_data(ERR_LIB_DSA, (r), NULL)
-# define DSOerr(f, r) ERR_raise_data(ERR_LIB_DSO, (r), NULL)
-# define ECDHerr(f, r) ERR_raise_data(ERR_LIB_ECDH, (r), NULL)
-# define ECDSAerr(f, r) ERR_raise_data(ERR_LIB_ECDSA, (r), NULL)
-# define ECerr(f, r) ERR_raise_data(ERR_LIB_EC, (r), NULL)
-# define ENGINEerr(f, r) ERR_raise_data(ERR_LIB_ENGINE, (r), NULL)
-# define ESSerr(f, r) ERR_raise_data(ERR_LIB_ESS, (r), NULL)
-# define EVPerr(f, r) ERR_raise_data(ERR_LIB_EVP, (r), NULL)
-# define FIPSerr(f, r) ERR_raise_data(ERR_LIB_FIPS, (r), NULL)
-# define HMACerr(f, r) ERR_raise_data(ERR_LIB_HMAC, (r), NULL)
-# define HTTPerr(f, r) ERR_raise_data(ERR_LIB_HTTP, (r), NULL)
-# define KDFerr(f, r) ERR_raise_data(ERR_LIB_KDF, (r), NULL)
-# define OBJerr(f, r) ERR_raise_data(ERR_LIB_OBJ, (r), NULL)
-# define OCSPerr(f, r) ERR_raise_data(ERR_LIB_OCSP, (r), NULL)
-# define OSSL_STOREerr(f, r) ERR_raise_data(ERR_LIB_OSSL_STORE, (r), NULL)
-# define PEMerr(f, r) ERR_raise_data(ERR_LIB_PEM, (r), NULL)
-# define PKCS12err(f, r) ERR_raise_data(ERR_LIB_PKCS12, (r), NULL)
-# define PKCS7err(f, r) ERR_raise_data(ERR_LIB_PKCS7, (r), NULL)
-# define PROPerr(f, r) ERR_raise_data(ERR_LIB_PROP, (r), NULL)
-# define PROVerr(f, r) ERR_raise_data(ERR_LIB_PROV, (r), NULL)
-# define RANDerr(f, r) ERR_raise_data(ERR_LIB_RAND, (r), NULL)
-# define RSAerr(f, r) ERR_raise_data(ERR_LIB_RSA, (r), NULL)
-# define KDFerr(f, r) ERR_raise_data(ERR_LIB_KDF, (r), NULL)
-# define SM2err(f, r) ERR_raise_data(ERR_LIB_SM2, (r), NULL)
-# define SSLerr(f, r) ERR_raise_data(ERR_LIB_SSL, (r), NULL)
-# define SYSerr(f, r) ERR_raise_data(ERR_LIB_SYS, (r), NULL)
-# define TSerr(f, r) ERR_raise_data(ERR_LIB_TS, (r), NULL)
-# define UIerr(f, r) ERR_raise_data(ERR_LIB_UI, (r), NULL)
-# define X509V3err(f, r) ERR_raise_data(ERR_LIB_X509V3, (r), NULL)
-# define X509err(f, r) ERR_raise_data(ERR_LIB_X509, (r), NULL)
-# endif
+#define ERR_LIB_CT 50
+#define ERR_LIB_ASYNC 51
+#define ERR_LIB_KDF 52
+#define ERR_LIB_SM2 53
+#define ERR_LIB_ESS 54
+#define ERR_LIB_PROP 55
+#define ERR_LIB_CRMF 56
+#define ERR_LIB_PROV 57
+#define ERR_LIB_CMP 58
+#define ERR_LIB_OSSL_ENCODER 59
+#define ERR_LIB_OSSL_DECODER 60
+#define ERR_LIB_HTTP 61
+
+#define ERR_LIB_USER 128
+
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+#define ASN1err(f, r) ERR_raise_data(ERR_LIB_ASN1, (r), NULL)
+#define ASYNCerr(f, r) ERR_raise_data(ERR_LIB_ASYNC, (r), NULL)
+#define BIOerr(f, r) ERR_raise_data(ERR_LIB_BIO, (r), NULL)
+#define BNerr(f, r) ERR_raise_data(ERR_LIB_BN, (r), NULL)
+#define BUFerr(f, r) ERR_raise_data(ERR_LIB_BUF, (r), NULL)
+#define CMPerr(f, r) ERR_raise_data(ERR_LIB_CMP, (r), NULL)
+#define CMSerr(f, r) ERR_raise_data(ERR_LIB_CMS, (r), NULL)
+#define COMPerr(f, r) ERR_raise_data(ERR_LIB_COMP, (r), NULL)
+#define CONFerr(f, r) ERR_raise_data(ERR_LIB_CONF, (r), NULL)
+#define CRMFerr(f, r) ERR_raise_data(ERR_LIB_CRMF, (r), NULL)
+#define CRYPTOerr(f, r) ERR_raise_data(ERR_LIB_CRYPTO, (r), NULL)
+#define CTerr(f, r) ERR_raise_data(ERR_LIB_CT, (r), NULL)
+#define DHerr(f, r) ERR_raise_data(ERR_LIB_DH, (r), NULL)
+#define DSAerr(f, r) ERR_raise_data(ERR_LIB_DSA, (r), NULL)
+#define DSOerr(f, r) ERR_raise_data(ERR_LIB_DSO, (r), NULL)
+#define ECDHerr(f, r) ERR_raise_data(ERR_LIB_ECDH, (r), NULL)
+#define ECDSAerr(f, r) ERR_raise_data(ERR_LIB_ECDSA, (r), NULL)
+#define ECerr(f, r) ERR_raise_data(ERR_LIB_EC, (r), NULL)
+#define ENGINEerr(f, r) ERR_raise_data(ERR_LIB_ENGINE, (r), NULL)
+#define ESSerr(f, r) ERR_raise_data(ERR_LIB_ESS, (r), NULL)
+#define EVPerr(f, r) ERR_raise_data(ERR_LIB_EVP, (r), NULL)
+#define FIPSerr(f, r) ERR_raise_data(ERR_LIB_FIPS, (r), NULL)
+#define HMACerr(f, r) ERR_raise_data(ERR_LIB_HMAC, (r), NULL)
+#define HTTPerr(f, r) ERR_raise_data(ERR_LIB_HTTP, (r), NULL)
+#define KDFerr(f, r) ERR_raise_data(ERR_LIB_KDF, (r), NULL)
+#define OBJerr(f, r) ERR_raise_data(ERR_LIB_OBJ, (r), NULL)
+#define OCSPerr(f, r) ERR_raise_data(ERR_LIB_OCSP, (r), NULL)
+#define OSSL_STOREerr(f, r) ERR_raise_data(ERR_LIB_OSSL_STORE, (r), NULL)
+#define PEMerr(f, r) ERR_raise_data(ERR_LIB_PEM, (r), NULL)
+#define PKCS12err(f, r) ERR_raise_data(ERR_LIB_PKCS12, (r), NULL)
+#define PKCS7err(f, r) ERR_raise_data(ERR_LIB_PKCS7, (r), NULL)
+#define PROPerr(f, r) ERR_raise_data(ERR_LIB_PROP, (r), NULL)
+#define PROVerr(f, r) ERR_raise_data(ERR_LIB_PROV, (r), NULL)
+#define RANDerr(f, r) ERR_raise_data(ERR_LIB_RAND, (r), NULL)
+#define RSAerr(f, r) ERR_raise_data(ERR_LIB_RSA, (r), NULL)
+#define KDFerr(f, r) ERR_raise_data(ERR_LIB_KDF, (r), NULL)
+#define SM2err(f, r) ERR_raise_data(ERR_LIB_SM2, (r), NULL)
+#define SSLerr(f, r) ERR_raise_data(ERR_LIB_SSL, (r), NULL)
+#define SYSerr(f, r) ERR_raise_data(ERR_LIB_SYS, (r), NULL)
+#define TSerr(f, r) ERR_raise_data(ERR_LIB_TS, (r), NULL)
+#define UIerr(f, r) ERR_raise_data(ERR_LIB_UI, (r), NULL)
+#define X509V3err(f, r) ERR_raise_data(ERR_LIB_X509V3, (r), NULL)
+#define X509err(f, r) ERR_raise_data(ERR_LIB_X509, (r), NULL)
+#endif
 /*-
 * The error code packs differently depending on if it records a system
@@ -215,28 +217,28 @@ struct err_state_st {
 */
 /* Macros to help decode recorded system errors */
-# define ERR_SYSTEM_FLAG ((unsigned int)INT_MAX + 1)
-# define ERR_SYSTEM_MASK ((unsigned int)INT_MAX)
+#define ERR_SYSTEM_FLAG ((unsigned int)INT_MAX + 1)
+#define ERR_SYSTEM_MASK ((unsigned int)INT_MAX)
 /*
 * Macros to help decode recorded OpenSSL errors
 * As expressed above, RFLAGS and REASON overlap by one bit to allow
 * ERR_R_FATAL to use ERR_RFLAG_FATAL as its reason code.
 */
-# define ERR_LIB_OFFSET 23L
-# define ERR_LIB_MASK 0xFF
-# define ERR_RFLAGS_OFFSET 18L
-# define ERR_RFLAGS_MASK 0x1F
-# define ERR_REASON_MASK 0X7FFFFF
+#define ERR_LIB_OFFSET 23L
+#define ERR_LIB_MASK 0xFF
+#define ERR_RFLAGS_OFFSET 18L
+#define ERR_RFLAGS_MASK 0x1F
+#define ERR_REASON_MASK 0X7FFFFF
 /*
 * Reason flags are defined pre-shifted to easily combine with the reason
 * number.
 */
-# define ERR_RFLAG_FATAL (0x1 << ERR_RFLAGS_OFFSET)
-# define ERR_RFLAG_COMMON (0x2 << ERR_RFLAGS_OFFSET)
+#define ERR_RFLAG_FATAL (0x1 << ERR_RFLAGS_OFFSET)
+#define ERR_RFLAG_COMMON (0x2 << ERR_RFLAGS_OFFSET)
-# define ERR_SYSTEM_ERROR(errcode) (((errcode) & ERR_SYSTEM_FLAG) != 0)
+#define ERR_SYSTEM_ERROR(errcode) (((errcode) & ERR_SYSTEM_FLAG) != 0)
 static ossl_unused ossl_inline int ERR_GET_LIB(unsigned long errcode)
 {
@@ -275,102 +277,102 @@ static ossl_unused ossl_inline int ERR_COMMON_ERROR(unsigned long errcode) * ERR_PACK takes reason flags and reason code combined in |reason|. * ERR_PACK ignores |func|, that parameter is just legacy from pre-3.0 OpenSSL. */ -# define ERR_PACK(lib,func,reason) \ - ( (((unsigned long)(lib) & ERR_LIB_MASK ) << ERR_LIB_OFFSET) | \ - (((unsigned long)(reason) & ERR_REASON_MASK)) ) - -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define SYS_F_FOPEN 0 -# define SYS_F_CONNECT 0 -# define SYS_F_GETSERVBYNAME 0 -# define SYS_F_SOCKET 0 -# define SYS_F_IOCTLSOCKET 0 -# define SYS_F_BIND 0 -# define SYS_F_LISTEN 0 -# define SYS_F_ACCEPT 0 -# define SYS_F_WSASTARTUP 0 -# define SYS_F_OPENDIR 0 -# define SYS_F_FREAD 0 -# define SYS_F_GETADDRINFO 0 -# define SYS_F_GETNAMEINFO 0 -# define SYS_F_SETSOCKOPT 0 -# define SYS_F_GETSOCKOPT 0 -# define SYS_F_GETSOCKNAME 0 -# define SYS_F_GETHOSTBYNAME 0 -# define SYS_F_FFLUSH 0 -# define SYS_F_OPEN 0 -# define SYS_F_CLOSE 0 -# define SYS_F_IOCTL 0 -# define SYS_F_STAT 0 -# define SYS_F_FCNTL 0 -# define SYS_F_FSTAT 0 -# define SYS_F_SENDFILE 0 -# endif +#define ERR_PACK(lib, func, reason) \ + ((((unsigned long)(lib) & ERR_LIB_MASK) << ERR_LIB_OFFSET) | (((unsigned long)(reason) & ERR_REASON_MASK))) + +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define SYS_F_FOPEN 0 +#define SYS_F_CONNECT 0 +#define SYS_F_GETSERVBYNAME 0 +#define SYS_F_SOCKET 0 +#define SYS_F_IOCTLSOCKET 0 +#define SYS_F_BIND 0 +#define SYS_F_LISTEN 0 +#define SYS_F_ACCEPT 0 +#define SYS_F_WSASTARTUP 0 +#define SYS_F_OPENDIR 0 +#define SYS_F_FREAD 0 +#define SYS_F_GETADDRINFO 0 +#define SYS_F_GETNAMEINFO 0 +#define SYS_F_SETSOCKOPT 0 +#define SYS_F_GETSOCKOPT 0 +#define SYS_F_GETSOCKNAME 0 +#define SYS_F_GETHOSTBYNAME 0 +#define SYS_F_FFLUSH 0 +#define SYS_F_OPEN 0 +#define SYS_F_CLOSE 0 +#define SYS_F_IOCTL 0 +#define SYS_F_STAT 0 +#define SYS_F_FCNTL 0 +#define SYS_F_FSTAT 0 +#define SYS_F_SENDFILE 0 +#endif /* * All ERR_R_ codes must be combined with 
ERR_RFLAG_COMMON. */ /* "we came from here" global reason codes, range 1..255 */ -# define ERR_R_SYS_LIB (ERR_LIB_SYS/* 2 */ | ERR_RFLAG_COMMON) -# define ERR_R_BN_LIB (ERR_LIB_BN/* 3 */ | ERR_RFLAG_COMMON) -# define ERR_R_RSA_LIB (ERR_LIB_RSA/* 4 */ | ERR_RFLAG_COMMON) -# define ERR_R_DH_LIB (ERR_LIB_DH/* 5 */ | ERR_RFLAG_COMMON) -# define ERR_R_EVP_LIB (ERR_LIB_EVP/* 6 */ | ERR_RFLAG_COMMON) -# define ERR_R_BUF_LIB (ERR_LIB_BUF/* 7 */ | ERR_RFLAG_COMMON) -# define ERR_R_OBJ_LIB (ERR_LIB_OBJ/* 8 */ | ERR_RFLAG_COMMON) -# define ERR_R_PEM_LIB (ERR_LIB_PEM/* 9 */ | ERR_RFLAG_COMMON) -# define ERR_R_DSA_LIB (ERR_LIB_DSA/* 10 */ | ERR_RFLAG_COMMON) -# define ERR_R_X509_LIB (ERR_LIB_X509/* 11 */ | ERR_RFLAG_COMMON) -# define ERR_R_ASN1_LIB (ERR_LIB_ASN1/* 13 */ | ERR_RFLAG_COMMON) -# define ERR_R_CONF_LIB (ERR_LIB_CONF/* 14 */ | ERR_RFLAG_COMMON) -# define ERR_R_CRYPTO_LIB (ERR_LIB_CRYPTO/* 15 */ | ERR_RFLAG_COMMON) -# define ERR_R_EC_LIB (ERR_LIB_EC/* 16 */ | ERR_RFLAG_COMMON) -# define ERR_R_SSL_LIB (ERR_LIB_SSL/* 20 */ | ERR_RFLAG_COMMON) -# define ERR_R_BIO_LIB (ERR_LIB_BIO/* 32 */ | ERR_RFLAG_COMMON) -# define ERR_R_PKCS7_LIB (ERR_LIB_PKCS7/* 33 */ | ERR_RFLAG_COMMON) -# define ERR_R_X509V3_LIB (ERR_LIB_X509V3/* 34 */ | ERR_RFLAG_COMMON) -# define ERR_R_PKCS12_LIB (ERR_LIB_PKCS12/* 35 */ | ERR_RFLAG_COMMON) -# define ERR_R_RAND_LIB (ERR_LIB_RAND/* 36 */ | ERR_RFLAG_COMMON) -# define ERR_R_DSO_LIB (ERR_LIB_DSO/* 37 */ | ERR_RFLAG_COMMON) -# define ERR_R_ENGINE_LIB (ERR_LIB_ENGINE/* 38 */ | ERR_RFLAG_COMMON) -# define ERR_R_UI_LIB (ERR_LIB_UI/* 40 */ | ERR_RFLAG_COMMON) -# define ERR_R_ECDSA_LIB (ERR_LIB_ECDSA/* 42 */ | ERR_RFLAG_COMMON) -# define ERR_R_OSSL_STORE_LIB (ERR_LIB_OSSL_STORE/* 44 */ | ERR_RFLAG_COMMON) -# define ERR_R_CMS_LIB (ERR_LIB_CMS/* 46 */ | ERR_RFLAG_COMMON) -# define ERR_R_TS_LIB (ERR_LIB_TS/* 47 */ | ERR_RFLAG_COMMON) -# define ERR_R_CT_LIB (ERR_LIB_CT/* 50 */ | ERR_RFLAG_COMMON) -# define ERR_R_PROV_LIB (ERR_LIB_PROV/* 57 */ | 
ERR_RFLAG_COMMON) -# define ERR_R_ESS_LIB (ERR_LIB_ESS/* 54 */ | ERR_RFLAG_COMMON) -# define ERR_R_CMP_LIB (ERR_LIB_CMP/* 58 */ | ERR_RFLAG_COMMON) -# define ERR_R_OSSL_ENCODER_LIB (ERR_LIB_OSSL_ENCODER/* 59 */ | ERR_RFLAG_COMMON) -# define ERR_R_OSSL_DECODER_LIB (ERR_LIB_OSSL_DECODER/* 60 */ | ERR_RFLAG_COMMON) +#define ERR_R_SYS_LIB (ERR_LIB_SYS /* 2 */ | ERR_RFLAG_COMMON) +#define ERR_R_BN_LIB (ERR_LIB_BN /* 3 */ | ERR_RFLAG_COMMON) +#define ERR_R_RSA_LIB (ERR_LIB_RSA /* 4 */ | ERR_RFLAG_COMMON) +#define ERR_R_DH_LIB (ERR_LIB_DH /* 5 */ | ERR_RFLAG_COMMON) +#define ERR_R_EVP_LIB (ERR_LIB_EVP /* 6 */ | ERR_RFLAG_COMMON) +#define ERR_R_BUF_LIB (ERR_LIB_BUF /* 7 */ | ERR_RFLAG_COMMON) +#define ERR_R_OBJ_LIB (ERR_LIB_OBJ /* 8 */ | ERR_RFLAG_COMMON) +#define ERR_R_PEM_LIB (ERR_LIB_PEM /* 9 */ | ERR_RFLAG_COMMON) +#define ERR_R_DSA_LIB (ERR_LIB_DSA /* 10 */ | ERR_RFLAG_COMMON) +#define ERR_R_X509_LIB (ERR_LIB_X509 /* 11 */ | ERR_RFLAG_COMMON) +#define ERR_R_ASN1_LIB (ERR_LIB_ASN1 /* 13 */ | ERR_RFLAG_COMMON) +#define ERR_R_CONF_LIB (ERR_LIB_CONF /* 14 */ | ERR_RFLAG_COMMON) +#define ERR_R_CRYPTO_LIB (ERR_LIB_CRYPTO /* 15 */ | ERR_RFLAG_COMMON) +#define ERR_R_EC_LIB (ERR_LIB_EC /* 16 */ | ERR_RFLAG_COMMON) +#define ERR_R_SSL_LIB (ERR_LIB_SSL /* 20 */ | ERR_RFLAG_COMMON) +#define ERR_R_BIO_LIB (ERR_LIB_BIO /* 32 */ | ERR_RFLAG_COMMON) +#define ERR_R_PKCS7_LIB (ERR_LIB_PKCS7 /* 33 */ | ERR_RFLAG_COMMON) +#define ERR_R_X509V3_LIB (ERR_LIB_X509V3 /* 34 */ | ERR_RFLAG_COMMON) +#define ERR_R_PKCS12_LIB (ERR_LIB_PKCS12 /* 35 */ | ERR_RFLAG_COMMON) +#define ERR_R_RAND_LIB (ERR_LIB_RAND /* 36 */ | ERR_RFLAG_COMMON) +#define ERR_R_DSO_LIB (ERR_LIB_DSO /* 37 */ | ERR_RFLAG_COMMON) +#define ERR_R_ENGINE_LIB (ERR_LIB_ENGINE /* 38 */ | ERR_RFLAG_COMMON) +#define ERR_R_UI_LIB (ERR_LIB_UI /* 40 */ | ERR_RFLAG_COMMON) +#define ERR_R_ECDSA_LIB (ERR_LIB_ECDSA /* 42 */ | ERR_RFLAG_COMMON) +#define ERR_R_OSSL_STORE_LIB (ERR_LIB_OSSL_STORE /* 44 */ | ERR_RFLAG_COMMON) +#define ERR_R_CMS_LIB 
(ERR_LIB_CMS /* 46 */ | ERR_RFLAG_COMMON) +#define ERR_R_TS_LIB (ERR_LIB_TS /* 47 */ | ERR_RFLAG_COMMON) +#define ERR_R_CT_LIB (ERR_LIB_CT /* 50 */ | ERR_RFLAG_COMMON) +#define ERR_R_PROV_LIB (ERR_LIB_PROV /* 57 */ | ERR_RFLAG_COMMON) +#define ERR_R_ESS_LIB (ERR_LIB_ESS /* 54 */ | ERR_RFLAG_COMMON) +#define ERR_R_CMP_LIB (ERR_LIB_CMP /* 58 */ | ERR_RFLAG_COMMON) +#define ERR_R_OSSL_ENCODER_LIB (ERR_LIB_OSSL_ENCODER /* 59 */ | ERR_RFLAG_COMMON) +#define ERR_R_OSSL_DECODER_LIB (ERR_LIB_OSSL_DECODER /* 60 */ | ERR_RFLAG_COMMON) /* Other common error codes, range 256..2^ERR_RFLAGS_OFFSET-1 */ -# define ERR_R_FATAL (ERR_RFLAG_FATAL|ERR_RFLAG_COMMON) -# define ERR_R_MALLOC_FAILURE (256|ERR_R_FATAL) -# define ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED (257|ERR_R_FATAL) -# define ERR_R_PASSED_NULL_PARAMETER (258|ERR_R_FATAL) -# define ERR_R_INTERNAL_ERROR (259|ERR_R_FATAL) -# define ERR_R_DISABLED (260|ERR_R_FATAL) -# define ERR_R_INIT_FAIL (261|ERR_R_FATAL) -# define ERR_R_PASSED_INVALID_ARGUMENT (262|ERR_RFLAG_COMMON) -# define ERR_R_OPERATION_FAIL (263|ERR_R_FATAL) -# define ERR_R_INVALID_PROVIDER_FUNCTIONS (264|ERR_R_FATAL) -# define ERR_R_INTERRUPTED_OR_CANCELLED (265|ERR_RFLAG_COMMON) -# define ERR_R_NESTED_ASN1_ERROR (266|ERR_RFLAG_COMMON) -# define ERR_R_MISSING_ASN1_EOS (267|ERR_RFLAG_COMMON) -# define ERR_R_UNSUPPORTED (268|ERR_RFLAG_COMMON) -# define ERR_R_FETCH_FAILED (269|ERR_RFLAG_COMMON) -# define ERR_R_INVALID_PROPERTY_DEFINITION (270|ERR_RFLAG_COMMON) -# define ERR_R_UNABLE_TO_GET_READ_LOCK (271|ERR_R_FATAL) -# define ERR_R_UNABLE_TO_GET_WRITE_LOCK (272|ERR_R_FATAL) +#define ERR_R_FATAL (ERR_RFLAG_FATAL | ERR_RFLAG_COMMON) +#define ERR_R_MALLOC_FAILURE (256 | ERR_R_FATAL) +#define ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED (257 | ERR_R_FATAL) +#define ERR_R_PASSED_NULL_PARAMETER (258 | ERR_R_FATAL) +#define ERR_R_INTERNAL_ERROR (259 | ERR_R_FATAL) +#define ERR_R_DISABLED (260 | ERR_R_FATAL) +#define ERR_R_INIT_FAIL (261 | ERR_R_FATAL) +#define ERR_R_PASSED_INVALID_ARGUMENT 
(262 | ERR_RFLAG_COMMON) +#define ERR_R_OPERATION_FAIL (263 | ERR_R_FATAL) +#define ERR_R_INVALID_PROVIDER_FUNCTIONS (264 | ERR_R_FATAL) +#define ERR_R_INTERRUPTED_OR_CANCELLED (265 | ERR_RFLAG_COMMON) +#define ERR_R_NESTED_ASN1_ERROR (266 | ERR_RFLAG_COMMON) +#define ERR_R_MISSING_ASN1_EOS (267 | ERR_RFLAG_COMMON) +#define ERR_R_UNSUPPORTED (268 | ERR_RFLAG_COMMON) +#define ERR_R_FETCH_FAILED (269 | ERR_RFLAG_COMMON) +#define ERR_R_INVALID_PROPERTY_DEFINITION (270 | ERR_RFLAG_COMMON) +#define ERR_R_UNABLE_TO_GET_READ_LOCK (271 | ERR_R_FATAL) +#define ERR_R_UNABLE_TO_GET_WRITE_LOCK (272 | ERR_R_FATAL) typedef struct ERR_string_data_st { unsigned long error; const char *string; } ERR_STRING_DATA; +/* clang-format off */ DEFINE_LHASH_OF_INTERNAL(ERR_STRING_DATA); #define lh_ERR_STRING_DATA_new(hfn, cmp) ((LHASH_OF(ERR_STRING_DATA) *)OPENSSL_LH_set_thunks(OPENSSL_LH_new(ossl_check_ERR_STRING_DATA_lh_hashfunc_type(hfn), ossl_check_ERR_STRING_DATA_lh_compfunc_type(cmp)), lh_ERR_STRING_DATA_hash_thunk, lh_ERR_STRING_DATA_comp_thunk, lh_ERR_STRING_DATA_doall_thunk, lh_ERR_STRING_DATA_doall_arg_thunk)) #define lh_ERR_STRING_DATA_free(lh) OPENSSL_LH_free(ossl_check_ERR_STRING_DATA_lh_type(lh)) @@ -387,9 +389,10 @@ DEFINE_LHASH_OF_INTERNAL(ERR_STRING_DATA); #define lh_ERR_STRING_DATA_set_down_load(lh, dl) OPENSSL_LH_set_down_load(ossl_check_ERR_STRING_DATA_lh_type(lh), dl) #define lh_ERR_STRING_DATA_doall(lh, dfn) OPENSSL_LH_doall(ossl_check_ERR_STRING_DATA_lh_type(lh), ossl_check_ERR_STRING_DATA_lh_doallfunc_type(dfn)) +/* clang-format on */ /* 12 lines and some on an 80 column terminal */ -#define ERR_MAX_DATA_SIZE 1024 +#define ERR_MAX_DATA_SIZE 1024 /* Building blocks */ void ERR_new(void); 
@@ -398,73 +401,73 @@ void ERR_set_error(int lib, int reason, const char *fmt, ...); void ERR_vset_error(int lib, int reason, const char *fmt, va_list args); /* Main error raising functions */ -# define ERR_raise(lib, reason) ERR_raise_data((lib),(reason),NULL) -# define ERR_raise_data \ - (ERR_new(), \ - ERR_set_debug(OPENSSL_FILE,OPENSSL_LINE,OPENSSL_FUNC), \ - ERR_set_error) +#define ERR_raise(lib, reason) ERR_raise_data((lib), (reason), NULL) +#define ERR_raise_data \ + (ERR_new(), \ + ERR_set_debug(OPENSSL_FILE, OPENSSL_LINE, OPENSSL_FUNC), \ + ERR_set_error) -# ifndef OPENSSL_NO_DEPRECATED_3_0 +#ifndef OPENSSL_NO_DEPRECATED_3_0 /* Backward compatibility */ -# define ERR_put_error(lib, func, reason, file, line) \ - (ERR_new(), \ - ERR_set_debug((file), (line), OPENSSL_FUNC), \ - ERR_set_error((lib), (reason), NULL)) -# endif +#define ERR_put_error(lib, func, reason, file, line) \ + (ERR_new(), \ + ERR_set_debug((file), (line), OPENSSL_FUNC), \ + ERR_set_error((lib), (reason), NULL)) +#endif void ERR_set_error_data(char *data, int flags); unsigned long ERR_get_error(void); unsigned long ERR_get_error_all(const char **file, int *line, - const char **func, - const char **data, int *flags); -# ifndef OPENSSL_NO_DEPRECATED_3_0 + const char **func, + const char **data, int *flags); +#ifndef OPENSSL_NO_DEPRECATED_3_0 OSSL_DEPRECATEDIN_3_0 unsigned long ERR_get_error_line(const char **file, int *line); OSSL_DEPRECATEDIN_3_0 unsigned long ERR_get_error_line_data(const char **file, int *line, - const char **data, int *flags); + const char **data, int *flags); #endif unsigned long ERR_peek_error(void); unsigned long ERR_peek_error_line(const char **file, int *line); unsigned long ERR_peek_error_func(const char **func); unsigned long ERR_peek_error_data(const char **data, int *flags); unsigned long ERR_peek_error_all(const char **file, int *line, - const char **func, - const char **data, int *flags); -# ifndef OPENSSL_NO_DEPRECATED_3_0 + const char **func, + const char 
**data, int *flags); +#ifndef OPENSSL_NO_DEPRECATED_3_0 OSSL_DEPRECATEDIN_3_0 unsigned long ERR_peek_error_line_data(const char **file, int *line, - const char **data, int *flags); -# endif + const char **data, int *flags); +#endif unsigned long ERR_peek_last_error(void); unsigned long ERR_peek_last_error_line(const char **file, int *line); unsigned long ERR_peek_last_error_func(const char **func); unsigned long ERR_peek_last_error_data(const char **data, int *flags); unsigned long ERR_peek_last_error_all(const char **file, int *line, - const char **func, - const char **data, int *flags); -# ifndef OPENSSL_NO_DEPRECATED_3_0 + const char **func, + const char **data, int *flags); +#ifndef OPENSSL_NO_DEPRECATED_3_0 OSSL_DEPRECATEDIN_3_0 unsigned long ERR_peek_last_error_line_data(const char **file, int *line, - const char **data, int *flags); -# endif + const char **data, int *flags); +#endif void ERR_clear_error(void); char *ERR_error_string(unsigned long e, char *buf); void ERR_error_string_n(unsigned long e, char *buf, size_t len); const char *ERR_lib_error_string(unsigned long e); -# ifndef OPENSSL_NO_DEPRECATED_3_0 +#ifndef OPENSSL_NO_DEPRECATED_3_0 OSSL_DEPRECATEDIN_3_0 const char *ERR_func_error_string(unsigned long e); -# endif +#endif const char *ERR_reason_error_string(unsigned long e); -void ERR_print_errors_cb(int (*cb) (const char *str, size_t len, void *u), - void *u); -# ifndef OPENSSL_NO_STDIO +void ERR_print_errors_cb(int (*cb)(const char *str, size_t len, void *u), + void *u); +#ifndef OPENSSL_NO_STDIO void ERR_print_errors_fp(FILE *fp); -# endif +#endif void ERR_print_errors(BIO *bp); void ERR_add_error_data(int num, ...); 
@@ -477,9 +480,11 @@ int ERR_load_strings_const(const ERR_STRING_DATA *str); int ERR_unload_strings(int lib, ERR_STRING_DATA *str); #ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# define ERR_load_crypto_strings() \ +#define ERR_load_crypto_strings() \ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL) -# define ERR_free_strings() while(0) continue +#define ERR_free_strings() \ + while (0) \ + continue #endif #ifndef OPENSSL_NO_DEPRECATED_1_1_0 OSSL_DEPRECATEDIN_1_1_0 void ERR_remove_thread_state(void *); @@ -505,7 +510,7 @@ void OSSL_ERR_STATE_save_to_mark(ERR_STATE *es); void OSSL_ERR_STATE_restore(const ERR_STATE *es); void OSSL_ERR_STATE_free(ERR_STATE *es); -#ifdef __cplusplus +#ifdef __cplusplus } #endif diff --git a/crypto/openssl/include/openssl/ess.h b/crypto/openssl/include/openssl/ess.h index 4055bebbea2f..82f38894763d 100644 --- a/crypto/openssl/include/openssl/ess.h +++ b/crypto/openssl/include/openssl/ess.h @@ -10,27 +10,29 @@ * https://www.openssl.org/source/license.html */ +/* clang-format off */ +/* clang-format on */ #ifndef OPENSSL_ESS_H -# define OPENSSL_ESS_H -# pragma once +#define OPENSSL_ESS_H +#pragma once -# include <openssl/opensslconf.h> +#include <openssl/opensslconf.h> -# include <openssl/safestack.h> -# include <openssl/x509.h> -# include <openssl/esserr.h> +#include <openssl/safestack.h> +#include <openssl/x509.h> +#include <openssl/esserr.h> -# ifdef __cplusplus +#ifdef __cplusplus extern "C" { -# endif - +#endif typedef struct ESS_issuer_serial ESS_ISSUER_SERIAL; typedef struct ESS_cert_id ESS_CERT_ID; typedef struct ESS_signing_cert ESS_SIGNING_CERT; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(ESS_CERT_ID, ESS_CERT_ID, ESS_CERT_ID) #define sk_ESS_CERT_ID_num(sk) OPENSSL_sk_num(ossl_check_const_ESS_CERT_ID_sk_type(sk)) #define sk_ESS_CERT_ID_value(sk, idx) ((ESS_CERT_ID *)OPENSSL_sk_value(ossl_check_const_ESS_CERT_ID_sk_type(sk), (idx))) 
@@ -58,11 +60,12 @@ SKM_DEFINE_STACK_OF_INTERNAL(ESS_CERT_ID, ESS_CERT_ID, ESS_CERT_ID) #define sk_ESS_CERT_ID_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(ESS_CERT_ID) *)OPENSSL_sk_deep_copy(ossl_check_const_ESS_CERT_ID_sk_type(sk), ossl_check_ESS_CERT_ID_copyfunc_type(copyfunc), ossl_check_ESS_CERT_ID_freefunc_type(freefunc))) #define sk_ESS_CERT_ID_set_cmp_func(sk, cmp) ((sk_ESS_CERT_ID_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_ESS_CERT_ID_sk_type(sk), ossl_check_ESS_CERT_ID_compfunc_type(cmp))) - +/* clang-format on */ typedef struct ESS_signing_cert_v2_st ESS_SIGNING_CERT_V2; typedef struct ESS_cert_id_v2_st ESS_CERT_ID_V2; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(ESS_CERT_ID_V2, ESS_CERT_ID_V2, ESS_CERT_ID_V2) #define sk_ESS_CERT_ID_V2_num(sk) OPENSSL_sk_num(ossl_check_const_ESS_CERT_ID_V2_sk_type(sk)) #define sk_ESS_CERT_ID_V2_value(sk, idx) ((ESS_CERT_ID_V2 *)OPENSSL_sk_value(ossl_check_const_ESS_CERT_ID_V2_sk_type(sk), (idx))) @@ -90,6 +93,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(ESS_CERT_ID_V2, ESS_CERT_ID_V2, ESS_CERT_ID_V2) #define sk_ESS_CERT_ID_V2_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(ESS_CERT_ID_V2) *)OPENSSL_sk_deep_copy(ossl_check_const_ESS_CERT_ID_V2_sk_type(sk), ossl_check_ESS_CERT_ID_V2_copyfunc_type(copyfunc), ossl_check_ESS_CERT_ID_V2_freefunc_type(freefunc))) #define sk_ESS_CERT_ID_V2_set_cmp_func(sk, cmp) ((sk_ESS_CERT_ID_V2_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_ESS_CERT_ID_V2_sk_type(sk), ossl_check_ESS_CERT_ID_V2_compfunc_type(cmp))) +/* clang-format on */ DECLARE_ASN1_ALLOC_FUNCTIONS(ESS_ISSUER_SERIAL) DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_ISSUER_SERIAL, ESS_ISSUER_SERIAL) 
@@ -110,19 +114,18 @@ DECLARE_ASN1_FUNCTIONS(ESS_SIGNING_CERT_V2) DECLARE_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2) ESS_SIGNING_CERT *OSSL_ESS_signing_cert_new_init(const X509 *signcert, - const STACK_OF(X509) *certs, - int set_issuer_serial); + const STACK_OF(X509) *certs, + int set_issuer_serial); ESS_SIGNING_CERT_V2 *OSSL_ESS_signing_cert_v2_new_init(const EVP_MD *hash_alg, - const X509 *signcert, - const - STACK_OF(X509) *certs, - int set_issuer_serial); + const X509 *signcert, + const STACK_OF(X509) *certs, + int set_issuer_serial); int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss, - const ESS_SIGNING_CERT_V2 *ssv2, - const STACK_OF(X509) *chain, - int require_signing_cert); + const ESS_SIGNING_CERT_V2 *ssv2, + const STACK_OF(X509) *chain, + int require_signing_cert); -# ifdef __cplusplus +#ifdef __cplusplus } -# endif +#endif #endif diff --git a/crypto/openssl/include/openssl/fipskey.h b/crypto/openssl/include/openssl/fipskey.h index 620812bf0a5f..5a5b8449386d 100644 --- a/crypto/openssl/include/openssl/fipskey.h +++ b/crypto/openssl/include/openssl/fipskey.h 
@@ -11,31 +11,37 @@ */ #ifndef OPENSSL_FIPSKEY_H -# define OPENSSL_FIPSKEY_H -# pragma once +#define OPENSSL_FIPSKEY_H +#pragma once -# ifdef __cplusplus +#ifdef __cplusplus extern "C" { -# endif +#endif /* * The FIPS validation HMAC key, usable as an array initializer. */ +/* clang-format off */ #define FIPS_KEY_ELEMENTS \ 0xf4, 0x55, 0x66, 0x50, 0xac, 0x31, 0xd3, 0x54, 0x61, 0x61, 0x0b, 0xac, 0x4e, 0xd8, 0x1b, 0x1a, 0x18, 0x1b, 0x2d, 0x8a, 0x43, 0xea, 0x28, 0x54, 0xcb, 0xae, 0x22, 0xca, 0x74, 0x56, 0x08, 0x13 +/* clang-format on */ /* * The FIPS validation key, as a string. */ +/* clang-format off */ #define FIPS_KEY_STRING "f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813" +/* clang-format on */ /* * The FIPS provider vendor name, as a string. */ +/* clang-format off */ #define FIPS_VENDOR "OpenSSL non-compliant FIPS Provider" +/* clang-format on */ -# ifdef __cplusplus +#ifdef __cplusplus } -# endif +#endif #endif diff --git a/crypto/openssl/include/openssl/lhash.h b/crypto/openssl/include/openssl/lhash.h index 62c55b20fd97..dab9372b0b67 100644 --- a/crypto/openssl/include/openssl/lhash.h +++ b/crypto/openssl/include/openssl/lhash.h 
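Review bot: The comments above `FIPS_KEY_ELEMENTS` and `FIPS_KEY_STRING` describe the value only as the FIPS validation HMAC key and do not say that it is fixed in a public header, so it cannot act as a secret. The same hunk sets `FIPS_VENDOR` to "OpenSSL non-compliant FIPS Provider", which suggests this is the stock build-time default rather than a site-specific key; that is inferred from the visible lines, not confirmed. A MAC keyed with a published value detects accidental corruption of the module, but not a deliberate replacement by someone who can recompute it. Since this is imported vendor source, the import notes are the natural place to record this, or a local comment such as `/* Public default key: detects corruption only, not an authenticity control. */`.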
@@ -7,40 +7,42 @@ * https://www.openssl.org/source/license.html */ +/* clang-format off */ +/* clang-format on */ /* * Header for dynamic hash table routines Author - Eric Young */ #ifndef OPENSSL_LHASH_H -# define OPENSSL_LHASH_H -# pragma once +#define OPENSSL_LHASH_H +#pragma once -# include <openssl/macros.h> -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define HEADER_LHASH_H -# endif +#include <openssl/macros.h> +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define HEADER_LHASH_H +#endif -# include <openssl/e_os2.h> -# include <openssl/bio.h> -# ifndef OPENSSL_NO_STDIO -# include <stdio.h> -# endif +#include <openssl/e_os2.h> +#include <openssl/bio.h> +#ifndef OPENSSL_NO_STDIO +#include <stdio.h> +#endif -#ifdef __cplusplus +#ifdef __cplusplus extern "C" { #endif typedef struct lhash_node_st OPENSSL_LH_NODE; -typedef int (*OPENSSL_LH_COMPFUNC) (const void *, const void *); -typedef int (*OPENSSL_LH_COMPFUNCTHUNK) (const void *, const void *, OPENSSL_LH_COMPFUNC cfn); -typedef unsigned long (*OPENSSL_LH_HASHFUNC) (const void *); -typedef unsigned long (*OPENSSL_LH_HASHFUNCTHUNK) (const void *, OPENSSL_LH_HASHFUNC hfn); -typedef void (*OPENSSL_LH_DOALL_FUNC) (void *); -typedef void (*OPENSSL_LH_DOALL_FUNC_THUNK) (void *, OPENSSL_LH_DOALL_FUNC doall); -typedef void (*OPENSSL_LH_DOALL_FUNCARG) (void *, void *); -typedef void (*OPENSSL_LH_DOALL_FUNCARG_THUNK) (void *, void *, OPENSSL_LH_DOALL_FUNCARG doall); +typedef int (*OPENSSL_LH_COMPFUNC)(const void *, const void *); +typedef int (*OPENSSL_LH_COMPFUNCTHUNK)(const void *, const void *, OPENSSL_LH_COMPFUNC cfn); +typedef unsigned long (*OPENSSL_LH_HASHFUNC)(const void *); +typedef unsigned long (*OPENSSL_LH_HASHFUNCTHUNK)(const void *, OPENSSL_LH_HASHFUNC hfn); +typedef void (*OPENSSL_LH_DOALL_FUNC)(void *); +typedef void (*OPENSSL_LH_DOALL_FUNC_THUNK)(void *, OPENSSL_LH_DOALL_FUNC doall); +typedef void (*OPENSSL_LH_DOALL_FUNCARG)(void *, void *); +typedef void (*OPENSSL_LH_DOALL_FUNCARG_THUNK)(void *, void *, 
OPENSSL_LH_DOALL_FUNCARG doall); typedef struct lhash_st OPENSSL_LHASH; /* 
@@ -53,44 +55,49 @@ typedef struct lhash_st OPENSSL_LHASH; */ /* First: "hash" functions */ -# define DECLARE_LHASH_HASH_FN(name, o_type) \ - unsigned long name##_LHASH_HASH(const void *); -# define IMPLEMENT_LHASH_HASH_FN(name, o_type) \ - unsigned long name##_LHASH_HASH(const void *arg) { \ - const o_type *a = arg; \ - return name##_hash(a); } -# define LHASH_HASH_FN(name) name##_LHASH_HASH +#define DECLARE_LHASH_HASH_FN(name, o_type) \ + unsigned long name##_LHASH_HASH(const void *); +#define IMPLEMENT_LHASH_HASH_FN(name, o_type) \ + unsigned long name##_LHASH_HASH(const void *arg) \ + { \ + const o_type *a = arg; \ + return name##_hash(a); \ + } +#define LHASH_HASH_FN(name) name##_LHASH_HASH /* Second: "compare" functions */ -# define DECLARE_LHASH_COMP_FN(name, o_type) \ - int name##_LHASH_COMP(const void *, const void *); -# define IMPLEMENT_LHASH_COMP_FN(name, o_type) \ - int name##_LHASH_COMP(const void *arg1, const void *arg2) { \ - const o_type *a = arg1; \ - const o_type *b = arg2; \ - return name##_cmp(a,b); } -# define LHASH_COMP_FN(name) name##_LHASH_COMP +#define DECLARE_LHASH_COMP_FN(name, o_type) \ + int name##_LHASH_COMP(const void *, const void *); +#define IMPLEMENT_LHASH_COMP_FN(name, o_type) \ + int name##_LHASH_COMP(const void *arg1, const void *arg2) \ + { \ + const o_type *a = arg1; \ + const o_type *b = arg2; \ + return name##_cmp(a, b); \ + } +#define LHASH_COMP_FN(name) name##_LHASH_COMP /* Fourth: "doall_arg" functions */ -# define DECLARE_LHASH_DOALL_ARG_FN(name, o_type, a_type) \ - void name##_LHASH_DOALL_ARG(void *, void *); -# define IMPLEMENT_LHASH_DOALL_ARG_FN(name, o_type, a_type) \ - void name##_LHASH_DOALL_ARG(void *arg1, void *arg2) { \ - o_type *a = arg1; \ - a_type *b = arg2; \ - name##_doall_arg(a, b); } -# define LHASH_DOALL_ARG_FN(name) name##_LHASH_DOALL_ARG - +#define DECLARE_LHASH_DOALL_ARG_FN(name, o_type, a_type) \ + void name##_LHASH_DOALL_ARG(void *, void *); +#define IMPLEMENT_LHASH_DOALL_ARG_FN(name, o_type, 
a_type) \ + void name##_LHASH_DOALL_ARG(void *arg1, void *arg2) \ + { \ + o_type *a = arg1; \ + a_type *b = arg2; \ + name##_doall_arg(a, b); \ + } +#define LHASH_DOALL_ARG_FN(name) name##_LHASH_DOALL_ARG -# define LH_LOAD_MULT 256 +#define LH_LOAD_MULT 256 int OPENSSL_LH_error(OPENSSL_LHASH *lh); OPENSSL_LHASH *OPENSSL_LH_new(OPENSSL_LH_HASHFUNC h, OPENSSL_LH_COMPFUNC c); OPENSSL_LHASH *OPENSSL_LH_set_thunks(OPENSSL_LHASH *lh, - OPENSSL_LH_HASHFUNCTHUNK hw, - OPENSSL_LH_COMPFUNCTHUNK cw, - OPENSSL_LH_DOALL_FUNC_THUNK daw, - OPENSSL_LH_DOALL_FUNCARG_THUNK daaw); + OPENSSL_LH_HASHFUNCTHUNK hw, + OPENSSL_LH_COMPFUNCTHUNK cw, + OPENSSL_LH_DOALL_FUNC_THUNK daw, + OPENSSL_LH_DOALL_FUNCARG_THUNK daaw); void OPENSSL_LH_free(OPENSSL_LHASH *lh); void OPENSSL_LH_flush(OPENSSL_LHASH *lh); void *OPENSSL_LH_insert(OPENSSL_LHASH *lh, void *data); 
@@ -98,239 +105,249 @@ void *OPENSSL_LH_delete(OPENSSL_LHASH *lh, const void *data); void *OPENSSL_LH_retrieve(OPENSSL_LHASH *lh, const void *data); void OPENSSL_LH_doall(OPENSSL_LHASH *lh, OPENSSL_LH_DOALL_FUNC func); void OPENSSL_LH_doall_arg(OPENSSL_LHASH *lh, - OPENSSL_LH_DOALL_FUNCARG func, void *arg); + OPENSSL_LH_DOALL_FUNCARG func, void *arg); void OPENSSL_LH_doall_arg_thunk(OPENSSL_LHASH *lh, - OPENSSL_LH_DOALL_FUNCARG_THUNK daaw, - OPENSSL_LH_DOALL_FUNCARG fn, void *arg); + OPENSSL_LH_DOALL_FUNCARG_THUNK daaw, + OPENSSL_LH_DOALL_FUNCARG fn, void *arg); unsigned long OPENSSL_LH_strhash(const char *c); unsigned long OPENSSL_LH_num_items(const OPENSSL_LHASH *lh); unsigned long OPENSSL_LH_get_down_load(const OPENSSL_LHASH *lh); void OPENSSL_LH_set_down_load(OPENSSL_LHASH *lh, unsigned long down_load); -# ifndef OPENSSL_NO_STDIO -# ifndef OPENSSL_NO_DEPRECATED_3_1 +#ifndef OPENSSL_NO_STDIO +#ifndef OPENSSL_NO_DEPRECATED_3_1 OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_stats(const OPENSSL_LHASH *lh, FILE *fp); OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_node_stats(const OPENSSL_LHASH *lh, FILE *fp); OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_node_usage_stats(const OPENSSL_LHASH *lh, FILE *fp); -# endif -# endif -# ifndef OPENSSL_NO_DEPRECATED_3_1 +#endif +#endif +#ifndef OPENSSL_NO_DEPRECATED_3_1 OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_stats_bio(const OPENSSL_LHASH *lh, BIO *out); OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_node_stats_bio(const OPENSSL_LHASH *lh, BIO *out); OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_node_usage_stats_bio(const OPENSSL_LHASH *lh, BIO *out); -# endif +#endif -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# define _LHASH OPENSSL_LHASH -# define LHASH_NODE OPENSSL_LH_NODE -# define lh_error OPENSSL_LH_error -# define lh_new OPENSSL_LH_new -# define lh_free OPENSSL_LH_free -# define lh_insert OPENSSL_LH_insert -# define lh_delete OPENSSL_LH_delete -# define lh_retrieve OPENSSL_LH_retrieve -# define lh_doall OPENSSL_LH_doall -# define lh_doall_arg OPENSSL_LH_doall_arg -# 
define lh_strhash OPENSSL_LH_strhash -# define lh_num_items OPENSSL_LH_num_items -# ifndef OPENSSL_NO_STDIO -# define lh_stats OPENSSL_LH_stats -# define lh_node_stats OPENSSL_LH_node_stats -# define lh_node_usage_stats OPENSSL_LH_node_usage_stats -# endif -# define lh_stats_bio OPENSSL_LH_stats_bio -# define lh_node_stats_bio OPENSSL_LH_node_stats_bio -# define lh_node_usage_stats_bio OPENSSL_LH_node_usage_stats_bio -# endif +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#define _LHASH OPENSSL_LHASH +#define LHASH_NODE OPENSSL_LH_NODE +#define lh_error OPENSSL_LH_error +#define lh_new OPENSSL_LH_new +#define lh_free OPENSSL_LH_free +#define lh_insert OPENSSL_LH_insert +#define lh_delete OPENSSL_LH_delete +#define lh_retrieve OPENSSL_LH_retrieve +#define lh_doall OPENSSL_LH_doall +#define lh_doall_arg OPENSSL_LH_doall_arg +#define lh_strhash OPENSSL_LH_strhash +#define lh_num_items OPENSSL_LH_num_items +#ifndef OPENSSL_NO_STDIO +#define lh_stats OPENSSL_LH_stats +#define lh_node_stats OPENSSL_LH_node_stats +#define lh_node_usage_stats OPENSSL_LH_node_usage_stats +#endif +#define lh_stats_bio OPENSSL_LH_stats_bio +#define lh_node_stats_bio OPENSSL_LH_node_stats_bio +#define lh_node_usage_stats_bio OPENSSL_LH_node_usage_stats_bio +#endif /* Type checking... 
*/ -# define LHASH_OF(type) struct lhash_st_##type +#define LHASH_OF(type) struct lhash_st_##type /* Helper macro for internal use */ -# define DEFINE_LHASH_OF_INTERNAL(type) \ - LHASH_OF(type) { \ - union lh_##type##_dummy { void* d1; unsigned long d2; int d3; } dummy; \ - }; \ - typedef int (*lh_##type##_compfunc)(const type *a, const type *b); \ - typedef unsigned long (*lh_##type##_hashfunc)(const type *a); \ - typedef void (*lh_##type##_doallfunc)(type *a); \ - static ossl_inline unsigned long lh_##type##_hash_thunk(const void *data, OPENSSL_LH_HASHFUNC hfn) \ - { \ - unsigned long (*hfn_conv)(const type *) = (unsigned long (*)(const type *))hfn; \ - return hfn_conv((const type *)data); \ - } \ - static ossl_inline int lh_##type##_comp_thunk(const void *da, const void *db, OPENSSL_LH_COMPFUNC cfn) \ - { \ - int (*cfn_conv)(const type *, const type *) = (int (*)(const type *, const type *))cfn; \ - return cfn_conv((const type *)da, (const type *)db); \ - } \ - static ossl_inline void lh_##type##_doall_thunk(void *node, OPENSSL_LH_DOALL_FUNC doall) \ - { \ - void (*doall_conv)(type *) = (void (*)(type *))doall; \ - doall_conv((type *)node); \ - } \ +#define DEFINE_LHASH_OF_INTERNAL(type) \ + LHASH_OF(type) \ + { \ + union lh_##type##_dummy { \ + void *d1; \ + unsigned long d2; \ + int d3; \ + } dummy; \ + }; \ + typedef int (*lh_##type##_compfunc)(const type *a, const type *b); \ + typedef unsigned long (*lh_##type##_hashfunc)(const type *a); \ + typedef void (*lh_##type##_doallfunc)(type * a); \ + static ossl_inline unsigned long lh_##type##_hash_thunk(const void *data, OPENSSL_LH_HASHFUNC hfn) \ + { \ + unsigned long (*hfn_conv)(const type *) = (unsigned long (*)(const type *))hfn; \ + return hfn_conv((const type *)data); \ + } \ + static ossl_inline int lh_##type##_comp_thunk(const void *da, const void *db, OPENSSL_LH_COMPFUNC cfn) \ + { \ + int (*cfn_conv)(const type *, const type *) = (int (*)(const type *, const type *))cfn; \ + return cfn_conv((const type 
*)da, (const type *)db); \ + } \ + static ossl_inline void lh_##type##_doall_thunk(void *node, OPENSSL_LH_DOALL_FUNC doall) \ + { \ + void (*doall_conv)(type *) = (void (*)(type *))doall; \ + doall_conv((type *)node); \ + } \ static ossl_inline void lh_##type##_doall_arg_thunk(void *node, void *arg, OPENSSL_LH_DOALL_FUNCARG doall) \ - { \ - void (*doall_conv)(type *, void *) = (void (*)(type *, void *))doall; \ - doall_conv((type *)node, arg); \ - } \ - static ossl_unused ossl_inline type *\ - ossl_check_##type##_lh_plain_type(type *ptr) \ - { \ - return ptr; \ - } \ - static ossl_unused ossl_inline const type * \ - ossl_check_const_##type##_lh_plain_type(const type *ptr) \ - { \ - return ptr; \ - } \ - static ossl_unused ossl_inline const OPENSSL_LHASH * \ - ossl_check_const_##type##_lh_type(const LHASH_OF(type) *lh) \ - { \ - return (const OPENSSL_LHASH *)lh; \ - } \ - static ossl_unused ossl_inline OPENSSL_LHASH * \ - ossl_check_##type##_lh_type(LHASH_OF(type) *lh) \ - { \ - return (OPENSSL_LHASH *)lh; \ - } \ - static ossl_unused ossl_inline OPENSSL_LH_COMPFUNC \ - ossl_check_##type##_lh_compfunc_type(lh_##type##_compfunc cmp) \ - { \ - return (OPENSSL_LH_COMPFUNC)cmp; \ - } \ - static ossl_unused ossl_inline OPENSSL_LH_HASHFUNC \ - ossl_check_##type##_lh_hashfunc_type(lh_##type##_hashfunc hfn) \ - { \ - return (OPENSSL_LH_HASHFUNC)hfn; \ - } \ - static ossl_unused ossl_inline OPENSSL_LH_DOALL_FUNC \ - ossl_check_##type##_lh_doallfunc_type(lh_##type##_doallfunc dfn) \ - { \ - return (OPENSSL_LH_DOALL_FUNC)dfn; \ - } \ + { \ + void (*doall_conv)(type *, void *) = (void (*)(type *, void *))doall; \ + doall_conv((type *)node, arg); \ + } \ + static ossl_unused ossl_inline type * \ + ossl_check_##type##_lh_plain_type(type *ptr) \ + { \ + return ptr; \ + } \ + static ossl_unused ossl_inline const type * \ + ossl_check_const_##type##_lh_plain_type(const type *ptr) \ + { \ + return ptr; \ + } \ + static ossl_unused ossl_inline const OPENSSL_LHASH * \ + 
ossl_check_const_##type##_lh_type(const LHASH_OF(type) *lh) \ + { \ + return (const OPENSSL_LHASH *)lh; \ + } \ + static ossl_unused ossl_inline OPENSSL_LHASH * \ + ossl_check_##type##_lh_type(LHASH_OF(type) *lh) \ + { \ + return (OPENSSL_LHASH *)lh; \ + } \ + static ossl_unused ossl_inline OPENSSL_LH_COMPFUNC \ + ossl_check_##type##_lh_compfunc_type(lh_##type##_compfunc cmp) \ + { \ + return (OPENSSL_LH_COMPFUNC)cmp; \ + } \ + static ossl_unused ossl_inline OPENSSL_LH_HASHFUNC \ + ossl_check_##type##_lh_hashfunc_type(lh_##type##_hashfunc hfn) \ + { \ + return (OPENSSL_LH_HASHFUNC)hfn; \ + } \ + static ossl_unused ossl_inline OPENSSL_LH_DOALL_FUNC \ + ossl_check_##type##_lh_doallfunc_type(lh_##type##_doallfunc dfn) \ + { \ + return (OPENSSL_LH_DOALL_FUNC)dfn; \ + } \ LHASH_OF(type) -# ifndef OPENSSL_NO_DEPRECATED_3_1 -# define DEFINE_LHASH_OF_DEPRECATED(type) \ - static ossl_unused ossl_inline void \ - lh_##type##_node_stats_bio(const LHASH_OF(type) *lh, BIO *out) \ - { \ - OPENSSL_LH_node_stats_bio((const OPENSSL_LHASH *)lh, out); \ - } \ - static ossl_unused ossl_inline void \ +#ifndef OPENSSL_NO_DEPRECATED_3_1 +#define DEFINE_LHASH_OF_DEPRECATED(type) \ + static ossl_unused ossl_inline void \ + lh_##type##_node_stats_bio(const LHASH_OF(type) *lh, BIO *out) \ + { \ + OPENSSL_LH_node_stats_bio((const OPENSSL_LHASH *)lh, out); \ + } \ + static ossl_unused ossl_inline void \ lh_##type##_node_usage_stats_bio(const LHASH_OF(type) *lh, BIO *out) \ - { \ + { \ OPENSSL_LH_node_usage_stats_bio((const OPENSSL_LHASH *)lh, out); \ - } \ - static ossl_unused ossl_inline void \ - lh_##type##_stats_bio(const LHASH_OF(type) *lh, BIO *out) \ - { \ - OPENSSL_LH_stats_bio((const OPENSSL_LHASH *)lh, out); \ + } \ + static ossl_unused ossl_inline void \ + lh_##type##_stats_bio(const LHASH_OF(type) *lh, BIO *out) \ + { \ + OPENSSL_LH_stats_bio((const OPENSSL_LHASH *)lh, out); \ } -# else -# define DEFINE_LHASH_OF_DEPRECATED(type) -# endif +#else +#define 
DEFINE_LHASH_OF_DEPRECATED(type) +#endif -# define DEFINE_LHASH_OF_EX(type) \ - LHASH_OF(type) { \ - union lh_##type##_dummy { void* d1; unsigned long d2; int d3; } dummy; \ - }; \ - static unsigned long \ - lh_##type##_hfn_thunk(const void *data, OPENSSL_LH_HASHFUNC hfn) \ - { \ - unsigned long (*hfn_conv)(const type *) = (unsigned long (*)(const type *))hfn; \ - return hfn_conv((const type *)data); \ - } \ - static int lh_##type##_cfn_thunk(const void *da, const void *db, OPENSSL_LH_COMPFUNC cfn) \ - { \ - int (*cfn_conv)(const type *, const type *) = (int (*)(const type *, const type *))cfn; \ - return cfn_conv((const type *)da, (const type *)db); \ - } \ - static ossl_unused ossl_inline void \ - lh_##type##_free(LHASH_OF(type) *lh) \ - { \ - OPENSSL_LH_free((OPENSSL_LHASH *)lh); \ - } \ - static ossl_unused ossl_inline void \ - lh_##type##_flush(LHASH_OF(type) *lh) \ - { \ - OPENSSL_LH_flush((OPENSSL_LHASH *)lh); \ - } \ - static ossl_unused ossl_inline type * \ - lh_##type##_insert(LHASH_OF(type) *lh, type *d) \ - { \ - return (type *)OPENSSL_LH_insert((OPENSSL_LHASH *)lh, d); \ - } \ - static ossl_unused ossl_inline type * \ - lh_##type##_delete(LHASH_OF(type) *lh, const type *d) \ - { \ - return (type *)OPENSSL_LH_delete((OPENSSL_LHASH *)lh, d); \ - } \ - static ossl_unused ossl_inline type * \ - lh_##type##_retrieve(LHASH_OF(type) *lh, const type *d) \ - { \ - return (type *)OPENSSL_LH_retrieve((OPENSSL_LHASH *)lh, d); \ - } \ - static ossl_unused ossl_inline int \ - lh_##type##_error(LHASH_OF(type) *lh) \ - { \ - return OPENSSL_LH_error((OPENSSL_LHASH *)lh); \ - } \ - static ossl_unused ossl_inline unsigned long \ - lh_##type##_num_items(LHASH_OF(type) *lh) \ - { \ - return OPENSSL_LH_num_items((OPENSSL_LHASH *)lh); \ - } \ - static ossl_unused ossl_inline unsigned long \ - lh_##type##_get_down_load(LHASH_OF(type) *lh) \ - { \ - return OPENSSL_LH_get_down_load((OPENSSL_LHASH *)lh); \ - } \ - static ossl_unused ossl_inline void \ - 
lh_##type##_set_down_load(LHASH_OF(type) *lh, unsigned long dl) \ - { \ - OPENSSL_LH_set_down_load((OPENSSL_LHASH *)lh, dl); \ - } \ - static ossl_unused ossl_inline void \ - lh_##type##_doall_thunk(void *node, OPENSSL_LH_DOALL_FUNC doall) \ - { \ - void (*doall_conv)(type *) = (void (*)(type *))doall; \ - doall_conv((type *)node); \ - } \ - static ossl_unused ossl_inline void \ - lh_##type##_doall_arg_thunk(void *node, void *arg, OPENSSL_LH_DOALL_FUNCARG doall) \ - { \ - void (*doall_conv)(type *, void *) = (void (*)(type *, void *))doall; \ - doall_conv((type *)node, arg); \ - } \ - static ossl_unused ossl_inline void \ - lh_##type##_doall(LHASH_OF(type) *lh, void (*doall)(type *)) \ - { \ - OPENSSL_LH_doall((OPENSSL_LHASH *)lh, (OPENSSL_LH_DOALL_FUNC)doall); \ - } \ - static ossl_unused ossl_inline LHASH_OF(type) * \ - lh_##type##_new(unsigned long (*hfn)(const type *), \ - int (*cfn)(const type *, const type *)) \ - { \ +#define DEFINE_LHASH_OF_EX(type) \ + LHASH_OF(type) \ + { \ + union lh_##type##_dummy { \ + void *d1; \ + unsigned long d2; \ + int d3; \ + } dummy; \ + }; \ + static unsigned long \ + lh_##type##_hfn_thunk(const void *data, OPENSSL_LH_HASHFUNC hfn) \ + { \ + unsigned long (*hfn_conv)(const type *) = (unsigned long (*)(const type *))hfn; \ + return hfn_conv((const type *)data); \ + } \ + static int lh_##type##_cfn_thunk(const void *da, const void *db, OPENSSL_LH_COMPFUNC cfn) \ + { \ + int (*cfn_conv)(const type *, const type *) = (int (*)(const type *, const type *))cfn; \ + return cfn_conv((const type *)da, (const type *)db); \ + } \ + static ossl_unused ossl_inline void \ + lh_##type##_free(LHASH_OF(type) *lh) \ + { \ + OPENSSL_LH_free((OPENSSL_LHASH *)lh); \ + } \ + static ossl_unused ossl_inline void \ + lh_##type##_flush(LHASH_OF(type) *lh) \ + { \ + OPENSSL_LH_flush((OPENSSL_LHASH *)lh); \ + } \ + static ossl_unused ossl_inline type * \ + lh_##type##_insert(LHASH_OF(type) *lh, type *d) \ + { \ + return (type 
*)OPENSSL_LH_insert((OPENSSL_LHASH *)lh, d); \ + } \ + static ossl_unused ossl_inline type * \ + lh_##type##_delete(LHASH_OF(type) *lh, const type *d) \ + { \ + return (type *)OPENSSL_LH_delete((OPENSSL_LHASH *)lh, d); \ + } \ + static ossl_unused ossl_inline type * \ + lh_##type##_retrieve(LHASH_OF(type) *lh, const type *d) \ + { \ + return (type *)OPENSSL_LH_retrieve((OPENSSL_LHASH *)lh, d); \ + } \ + static ossl_unused ossl_inline int \ + lh_##type##_error(LHASH_OF(type) *lh) \ + { \ + return OPENSSL_LH_error((OPENSSL_LHASH *)lh); \ + } \ + static ossl_unused ossl_inline unsigned long \ + lh_##type##_num_items(LHASH_OF(type) *lh) \ + { \ + return OPENSSL_LH_num_items((OPENSSL_LHASH *)lh); \ + } \ + static ossl_unused ossl_inline unsigned long \ + lh_##type##_get_down_load(LHASH_OF(type) *lh) \ + { \ + return OPENSSL_LH_get_down_load((OPENSSL_LHASH *)lh); \ + } \ + static ossl_unused ossl_inline void \ + lh_##type##_set_down_load(LHASH_OF(type) *lh, unsigned long dl) \ + { \ + OPENSSL_LH_set_down_load((OPENSSL_LHASH *)lh, dl); \ + } \ + static ossl_unused ossl_inline void \ + lh_##type##_doall_thunk(void *node, OPENSSL_LH_DOALL_FUNC doall) \ + { \ + void (*doall_conv)(type *) = (void (*)(type *))doall; \ + doall_conv((type *)node); \ + } \ + static ossl_unused ossl_inline void \ + lh_##type##_doall_arg_thunk(void *node, void *arg, OPENSSL_LH_DOALL_FUNCARG doall) \ + { \ + void (*doall_conv)(type *, void *) = (void (*)(type *, void *))doall; \ + doall_conv((type *)node, arg); \ + } \ + static ossl_unused ossl_inline void \ + lh_##type##_doall(LHASH_OF(type) *lh, void (*doall)(type *)) \ + { \ + OPENSSL_LH_doall((OPENSSL_LHASH *)lh, (OPENSSL_LH_DOALL_FUNC)doall); \ + } \ + static ossl_unused ossl_inline LHASH_OF(type) * \ + lh_##type##_new(unsigned long (*hfn)(const type *), \ + int (*cfn)(const type *, const type *)) \ + { \ return (LHASH_OF(type) *)OPENSSL_LH_set_thunks(OPENSSL_LH_new((OPENSSL_LH_HASHFUNC)hfn, (OPENSSL_LH_COMPFUNC)cfn), \ - lh_##type##_hfn_thunk, 
lh_##type##_cfn_thunk, \ - lh_##type##_doall_thunk, \ - lh_##type##_doall_arg_thunk); \ - } \ - static ossl_unused ossl_inline void \ - lh_##type##_doall_arg(LHASH_OF(type) *lh, \ - void (*doallarg)(type *, void *), void *arg) \ - { \ - OPENSSL_LH_doall_arg((OPENSSL_LHASH *)lh, \ - (OPENSSL_LH_DOALL_FUNCARG)doallarg, arg); \ - } \ + lh_##type##_hfn_thunk, lh_##type##_cfn_thunk, \ + lh_##type##_doall_thunk, \ + lh_##type##_doall_arg_thunk); \ + } \ + static ossl_unused ossl_inline void \ + lh_##type##_doall_arg(LHASH_OF(type) *lh, \ + void (*doallarg)(type *, void *), void *arg) \ + { \ + OPENSSL_LH_doall_arg((OPENSSL_LHASH *)lh, \ + (OPENSSL_LH_DOALL_FUNCARG)doallarg, arg); \ + } \ LHASH_OF(type) -# define DEFINE_LHASH_OF(type) \ - DEFINE_LHASH_OF_EX(type); \ +#define DEFINE_LHASH_OF(type) \ + DEFINE_LHASH_OF_EX(type); \ DEFINE_LHASH_OF_DEPRECATED(type) \ LHASH_OF(type) 
@@ -340,25 +357,26 @@ OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_node_usage_stats_bio(const OPENSSL_LHASH * #define IMPLEMENT_LHASH_DOALL_ARG(type, argtype) \ int_implement_lhash_doall(type, argtype, type) -#define int_implement_lhash_doall(type, argtype, cbargtype) \ - static ossl_unused ossl_inline void \ +#define int_implement_lhash_doall(type, argtype, cbargtype) \ + static ossl_unused ossl_inline void \ lh_##type##_doall_##argtype##_thunk(void *node, void *arg, OPENSSL_LH_DOALL_FUNCARG fn) \ - { \ - void (*fn_conv)(cbargtype *, argtype *) = (void (*)(cbargtype *, argtype *))fn; \ - fn_conv((cbargtype *)node, (argtype *)arg); \ - } \ - static ossl_unused ossl_inline void \ - lh_##type##_doall_##argtype(LHASH_OF(type) *lh, \ - void (*fn)(cbargtype *, argtype *), \ - argtype *arg) \ - { \ - OPENSSL_LH_doall_arg_thunk((OPENSSL_LHASH *)lh, \ - lh_##type##_doall_##argtype##_thunk, \ - (OPENSSL_LH_DOALL_FUNCARG)fn, \ - (void *)arg); \ - } \ + { \ + void (*fn_conv)(cbargtype *, argtype *) = (void (*)(cbargtype *, argtype *))fn; \ + fn_conv((cbargtype *)node, (argtype *)arg); \ + } \ + static ossl_unused ossl_inline void \ + lh_##type##_doall_##argtype(LHASH_OF(type) *lh, \ + void (*fn)(cbargtype *, argtype *), \ + argtype *arg) \ + { \ + OPENSSL_LH_doall_arg_thunk((OPENSSL_LHASH *)lh, \ + lh_##type##_doall_##argtype##_thunk, \ + (OPENSSL_LH_DOALL_FUNCARG)fn, \ + (void *)arg); \ + } \ LHASH_OF(type) +/* clang-format off */ DEFINE_LHASH_OF_INTERNAL(OPENSSL_STRING); #define lh_OPENSSL_STRING_new(hfn, cmp) ((LHASH_OF(OPENSSL_STRING) *)OPENSSL_LH_set_thunks(OPENSSL_LH_new(ossl_check_OPENSSL_STRING_lh_hashfunc_type(hfn), ossl_check_OPENSSL_STRING_lh_compfunc_type(cmp)), lh_OPENSSL_STRING_hash_thunk, lh_OPENSSL_STRING_comp_thunk, lh_OPENSSL_STRING_doall_thunk, lh_OPENSSL_STRING_doall_arg_thunk)) #define lh_OPENSSL_STRING_free(lh) OPENSSL_LH_free(ossl_check_OPENSSL_STRING_lh_type(lh)) 
@@ -390,8 +408,9 @@ DEFINE_LHASH_OF_INTERNAL(OPENSSL_CSTRING); #define lh_OPENSSL_CSTRING_set_down_load(lh, dl) OPENSSL_LH_set_down_load(ossl_check_OPENSSL_CSTRING_lh_type(lh), dl) #define lh_OPENSSL_CSTRING_doall(lh, dfn) OPENSSL_LH_doall(ossl_check_OPENSSL_CSTRING_lh_type(lh), ossl_check_OPENSSL_CSTRING_lh_doallfunc_type(dfn)) +/* clang-format on */ -#ifdef __cplusplus +#ifdef __cplusplus } #endif diff --git a/crypto/openssl/include/openssl/ocsp.h b/crypto/openssl/include/openssl/ocsp.h index 142b183140ba..70a4f484d7e7 100644 --- a/crypto/openssl/include/openssl/ocsp.h +++ b/crypto/openssl/include/openssl/ocsp.h @@ -10,20 +10,22 @@ * https://www.openssl.org/source/license.html */ +/* clang-format off */ +/* clang-format on */ #ifndef OPENSSL_OCSP_H -# define OPENSSL_OCSP_H -# pragma once +#define OPENSSL_OCSP_H +#pragma once -# include <openssl/macros.h> -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define HEADER_OCSP_H -# endif +#include <openssl/macros.h> +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define HEADER_OCSP_H +#endif -# include <openssl/opensslconf.h> -# include <openssl/http.h> -# include <openssl/asn1.h> +#include <openssl/opensslconf.h> +#include <openssl/http.h> +#include <openssl/asn1.h> /* * These definitions are outside the OPENSSL_NO_OCSP guard because although for 
@@ -44,47 +46,46 @@ * privilegeWithdrawn (9), * aACompromise (10) } */ -# define OCSP_REVOKED_STATUS_NOSTATUS -1 -# define OCSP_REVOKED_STATUS_UNSPECIFIED 0 -# define OCSP_REVOKED_STATUS_KEYCOMPROMISE 1 -# define OCSP_REVOKED_STATUS_CACOMPROMISE 2 -# define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED 3 -# define OCSP_REVOKED_STATUS_SUPERSEDED 4 -# define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION 5 -# define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6 -# define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8 -# define OCSP_REVOKED_STATUS_PRIVILEGEWITHDRAWN 9 -# define OCSP_REVOKED_STATUS_AACOMPROMISE 10 - - -# ifndef OPENSSL_NO_OCSP - -# include <openssl/x509.h> -# include <openssl/x509v3.h> -# include <openssl/safestack.h> -# include <openssl/ocsperr.h> - -# ifdef __cplusplus +#define OCSP_REVOKED_STATUS_NOSTATUS -1 +#define OCSP_REVOKED_STATUS_UNSPECIFIED 0 +#define OCSP_REVOKED_STATUS_KEYCOMPROMISE 1 +#define OCSP_REVOKED_STATUS_CACOMPROMISE 2 +#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED 3 +#define OCSP_REVOKED_STATUS_SUPERSEDED 4 +#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION 5 +#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6 +#define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8 +#define OCSP_REVOKED_STATUS_PRIVILEGEWITHDRAWN 9 +#define OCSP_REVOKED_STATUS_AACOMPROMISE 10 + +#ifndef OPENSSL_NO_OCSP + +#include <openssl/x509.h> +#include <openssl/x509v3.h> +#include <openssl/safestack.h> +#include <openssl/ocsperr.h> + +#ifdef __cplusplus extern "C" { -# endif +#endif /* Various flags and values */ -# define OCSP_DEFAULT_NONCE_LENGTH 16 - -# define OCSP_NOCERTS 0x1 -# define OCSP_NOINTERN 0x2 -# define OCSP_NOSIGS 0x4 -# define OCSP_NOCHAIN 0x8 -# define OCSP_NOVERIFY 0x10 -# define OCSP_NOEXPLICIT 0x20 -# define OCSP_NOCASIGN 0x40 -# define OCSP_NODELEGATED 0x80 -# define OCSP_NOCHECKS 0x100 -# define OCSP_TRUSTOTHER 0x200 -# define OCSP_RESPID_KEY 0x400 -# define OCSP_NOTIME 0x800 -# define OCSP_PARTIAL_CHAIN 0x1000 +#define OCSP_DEFAULT_NONCE_LENGTH 16 + +#define OCSP_NOCERTS 0x1 +#define 
OCSP_NOINTERN 0x2 +#define OCSP_NOSIGS 0x4 +#define OCSP_NOCHAIN 0x8 +#define OCSP_NOVERIFY 0x10 +#define OCSP_NOEXPLICIT 0x20 +#define OCSP_NOCASIGN 0x40 +#define OCSP_NODELEGATED 0x80 +#define OCSP_NOCHECKS 0x100 +#define OCSP_TRUSTOTHER 0x200 +#define OCSP_RESPID_KEY 0x400 +#define OCSP_NOTIME 0x800 +#define OCSP_PARTIAL_CHAIN 0x1000 typedef struct ocsp_cert_id_st OCSP_CERTID; typedef struct ocsp_one_request_st OCSP_ONEREQ; @@ -92,6 +93,7 @@ typedef struct ocsp_req_info_st OCSP_REQINFO; typedef struct ocsp_signature_st OCSP_SIGNATURE; typedef struct ocsp_request_st OCSP_REQUEST; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OCSP_CERTID, OCSP_CERTID, OCSP_CERTID) #define sk_OCSP_CERTID_num(sk) OPENSSL_sk_num(ossl_check_const_OCSP_CERTID_sk_type(sk)) #define sk_OCSP_CERTID_value(sk, idx) ((OCSP_CERTID *)OPENSSL_sk_value(ossl_check_const_OCSP_CERTID_sk_type(sk), (idx))) 
@@ -145,19 +147,21 @@ SKM_DEFINE_STACK_OF_INTERNAL(OCSP_ONEREQ, OCSP_ONEREQ, OCSP_ONEREQ) #define sk_OCSP_ONEREQ_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OCSP_ONEREQ) *)OPENSSL_sk_deep_copy(ossl_check_const_OCSP_ONEREQ_sk_type(sk), ossl_check_OCSP_ONEREQ_copyfunc_type(copyfunc), ossl_check_OCSP_ONEREQ_freefunc_type(freefunc))) #define sk_OCSP_ONEREQ_set_cmp_func(sk, cmp) ((sk_OCSP_ONEREQ_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OCSP_ONEREQ_sk_type(sk), ossl_check_OCSP_ONEREQ_compfunc_type(cmp))) +/* clang-format on */ -# define OCSP_RESPONSE_STATUS_SUCCESSFUL 0 -# define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST 1 -# define OCSP_RESPONSE_STATUS_INTERNALERROR 2 -# define OCSP_RESPONSE_STATUS_TRYLATER 3 -# define OCSP_RESPONSE_STATUS_SIGREQUIRED 5 -# define OCSP_RESPONSE_STATUS_UNAUTHORIZED 6 +#define OCSP_RESPONSE_STATUS_SUCCESSFUL 0 +#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST 1 +#define OCSP_RESPONSE_STATUS_INTERNALERROR 2 +#define OCSP_RESPONSE_STATUS_TRYLATER 3 +#define OCSP_RESPONSE_STATUS_SIGREQUIRED 5 +#define OCSP_RESPONSE_STATUS_UNAUTHORIZED 6 typedef struct ocsp_resp_bytes_st OCSP_RESPBYTES; -# define V_OCSP_RESPID_NAME 0 -# define V_OCSP_RESPID_KEY 1 +#define V_OCSP_RESPID_NAME 0 +#define V_OCSP_RESPID_KEY 1 +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OCSP_RESPID, OCSP_RESPID, OCSP_RESPID) #define sk_OCSP_RESPID_num(sk) OPENSSL_sk_num(ossl_check_const_OCSP_RESPID_sk_type(sk)) #define sk_OCSP_RESPID_value(sk, idx) ((OCSP_RESPID *)OPENSSL_sk_value(ossl_check_const_OCSP_RESPID_sk_type(sk), (idx))) 
@@ -185,16 +189,18 @@ SKM_DEFINE_STACK_OF_INTERNAL(OCSP_RESPID, OCSP_RESPID, OCSP_RESPID) #define sk_OCSP_RESPID_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OCSP_RESPID) *)OPENSSL_sk_deep_copy(ossl_check_const_OCSP_RESPID_sk_type(sk), ossl_check_OCSP_RESPID_copyfunc_type(copyfunc), ossl_check_OCSP_RESPID_freefunc_type(freefunc))) #define sk_OCSP_RESPID_set_cmp_func(sk, cmp) ((sk_OCSP_RESPID_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OCSP_RESPID_sk_type(sk), ossl_check_OCSP_RESPID_compfunc_type(cmp))) +/* clang-format on */ typedef struct ocsp_revoked_info_st OCSP_REVOKEDINFO; -# define V_OCSP_CERTSTATUS_GOOD 0 -# define V_OCSP_CERTSTATUS_REVOKED 1 -# define V_OCSP_CERTSTATUS_UNKNOWN 2 +#define V_OCSP_CERTSTATUS_GOOD 0 +#define V_OCSP_CERTSTATUS_REVOKED 1 +#define V_OCSP_CERTSTATUS_UNKNOWN 2 typedef struct ocsp_cert_status_st OCSP_CERTSTATUS; typedef struct ocsp_single_response_st OCSP_SINGLERESP; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OCSP_SINGLERESP, OCSP_SINGLERESP, OCSP_SINGLERESP) #define sk_OCSP_SINGLERESP_num(sk) OPENSSL_sk_num(ossl_check_const_OCSP_SINGLERESP_sk_type(sk)) #define sk_OCSP_SINGLERESP_value(sk, idx) ((OCSP_SINGLERESP *)OPENSSL_sk_value(ossl_check_const_OCSP_SINGLERESP_sk_type(sk), (idx))) @@ -222,6 +228,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(OCSP_SINGLERESP, OCSP_SINGLERESP, OCSP_SINGLERESP) #define sk_OCSP_SINGLERESP_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OCSP_SINGLERESP) *)OPENSSL_sk_deep_copy(ossl_check_const_OCSP_SINGLERESP_sk_type(sk), ossl_check_OCSP_SINGLERESP_copyfunc_type(copyfunc), ossl_check_OCSP_SINGLERESP_freefunc_type(freefunc))) #define sk_OCSP_SINGLERESP_set_cmp_func(sk, cmp) ((sk_OCSP_SINGLERESP_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OCSP_SINGLERESP_sk_type(sk), ossl_check_OCSP_SINGLERESP_compfunc_type(cmp))) +/* clang-format on */ typedef struct ocsp_response_data_st OCSP_RESPDATA; 
@@ -230,76 +237,74 @@ typedef struct ocsp_basic_response_st OCSP_BASICRESP; typedef struct ocsp_crl_id_st OCSP_CRLID; typedef struct ocsp_service_locator_st OCSP_SERVICELOC; -# define PEM_STRING_OCSP_REQUEST "OCSP REQUEST" -# define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE" +#define PEM_STRING_OCSP_REQUEST "OCSP REQUEST" +#define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE" -# define d2i_OCSP_REQUEST_bio(bp,p) ASN1_d2i_bio_of(OCSP_REQUEST,OCSP_REQUEST_new,d2i_OCSP_REQUEST,bp,p) +#define d2i_OCSP_REQUEST_bio(bp, p) ASN1_d2i_bio_of(OCSP_REQUEST, OCSP_REQUEST_new, d2i_OCSP_REQUEST, bp, p) -# define d2i_OCSP_RESPONSE_bio(bp,p) ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p) +#define d2i_OCSP_RESPONSE_bio(bp, p) ASN1_d2i_bio_of(OCSP_RESPONSE, OCSP_RESPONSE_new, d2i_OCSP_RESPONSE, bp, p) -# define PEM_read_bio_OCSP_REQUEST(bp,x,cb) (OCSP_REQUEST *)PEM_ASN1_read_bio( \ - (char *(*)())d2i_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST, \ - bp,(char **)(x),cb,NULL) +#define PEM_read_bio_OCSP_REQUEST(bp, x, cb) (OCSP_REQUEST *)PEM_ASN1_read_bio( \ + (d2i_of_void *)d2i_OCSP_REQUEST, PEM_STRING_OCSP_REQUEST, \ + bp, (char **)(x), cb, NULL) -# define PEM_read_bio_OCSP_RESPONSE(bp,x,cb) (OCSP_RESPONSE *)PEM_ASN1_read_bio(\ - (char *(*)())d2i_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE, \ - bp,(char **)(x),cb,NULL) +#define PEM_read_bio_OCSP_RESPONSE(bp, x, cb) (OCSP_RESPONSE *)PEM_ASN1_read_bio( \ + (d2i_of_void *)d2i_OCSP_RESPONSE, PEM_STRING_OCSP_RESPONSE, \ + bp, (char **)(x), cb, NULL) -# define PEM_write_bio_OCSP_REQUEST(bp,o) \ - PEM_ASN1_write_bio((int (*)())i2d_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,\ - bp,(char *)(o), NULL,NULL,0,NULL,NULL) +#define PEM_write_bio_OCSP_REQUEST(bp, o) \ + PEM_ASN1_write_bio((i2d_of_void *)i2d_OCSP_REQUEST, PEM_STRING_OCSP_REQUEST, \ + bp, (char *)(o), NULL, NULL, 0, NULL, NULL) -# define PEM_write_bio_OCSP_RESPONSE(bp,o) \ - PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\ - bp,(char *)(o), 
NULL,NULL,0,NULL,NULL) +#define PEM_write_bio_OCSP_RESPONSE(bp, o) \ + PEM_ASN1_write_bio((i2d_of_void *)i2d_OCSP_RESPONSE, PEM_STRING_OCSP_RESPONSE, \ + bp, (char *)(o), NULL, NULL, 0, NULL, NULL) -# define i2d_OCSP_RESPONSE_bio(bp,o) ASN1_i2d_bio_of(OCSP_RESPONSE,i2d_OCSP_RESPONSE,bp,o) +#define i2d_OCSP_RESPONSE_bio(bp, o) ASN1_i2d_bio_of(OCSP_RESPONSE, i2d_OCSP_RESPONSE, bp, o) -# define i2d_OCSP_REQUEST_bio(bp,o) ASN1_i2d_bio_of(OCSP_REQUEST,i2d_OCSP_REQUEST,bp,o) +#define i2d_OCSP_REQUEST_bio(bp, o) ASN1_i2d_bio_of(OCSP_REQUEST, i2d_OCSP_REQUEST, bp, o) -# define ASN1_BIT_STRING_digest(data,type,md,len) \ - ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len) +#define ASN1_BIT_STRING_digest(data, type, md, len) \ + ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING), type, data, md, len) -# define OCSP_CERTSTATUS_dup(cs)\ - (OCSP_CERTSTATUS*)ASN1_dup((i2d_of_void *)i2d_OCSP_CERTSTATUS,\ - (d2i_of_void *)d2i_OCSP_CERTSTATUS,(char *)(cs)) +#define OCSP_CERTSTATUS_dup(cs) \ + (OCSP_CERTSTATUS *)ASN1_dup((i2d_of_void *)i2d_OCSP_CERTSTATUS, \ + (d2i_of_void *)d2i_OCSP_CERTSTATUS, (char *)(cs)) DECLARE_ASN1_DUP_FUNCTION(OCSP_CERTID) OSSL_HTTP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, - const OCSP_REQUEST *req, int buf_size); + const OCSP_REQUEST *req, int buf_size); OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req); -# ifndef OPENSSL_NO_DEPRECATED_3_0 +#ifndef OPENSSL_NO_DEPRECATED_3_0 typedef OSSL_HTTP_REQ_CTX OCSP_REQ_CTX; -# define OCSP_REQ_CTX_new(io, buf_size) \ - OSSL_HTTP_REQ_CTX_new(io, io, buf_size) -# define OCSP_REQ_CTX_free OSSL_HTTP_REQ_CTX_free -# define OCSP_REQ_CTX_http(rctx, op, path) \ - (OSSL_HTTP_REQ_CTX_set_expected(rctx, NULL, 1 /* asn1 */, 0, 0) && \ - OSSL_HTTP_REQ_CTX_set_request_line(rctx, strcmp(op, "POST") == 0, \ - NULL, NULL, path)) -# define OCSP_REQ_CTX_add1_header OSSL_HTTP_REQ_CTX_add1_header -# define OCSP_REQ_CTX_i2d(r, it, req) \ - OSSL_HTTP_REQ_CTX_set1_req(r, 
"application/ocsp-request", it, req) -# define OCSP_REQ_CTX_set1_req(r, req) \ - OCSP_REQ_CTX_i2d(r, ASN1_ITEM_rptr(OCSP_REQUEST), (ASN1_VALUE *)(req)) -# define OCSP_REQ_CTX_nbio OSSL_HTTP_REQ_CTX_nbio -# define OCSP_REQ_CTX_nbio_d2i OSSL_HTTP_REQ_CTX_nbio_d2i -# define OCSP_sendreq_nbio(p, r) \ - OSSL_HTTP_REQ_CTX_nbio_d2i(r, (ASN1_VALUE **)(p), \ - ASN1_ITEM_rptr(OCSP_RESPONSE)) -# define OCSP_REQ_CTX_get0_mem_bio OSSL_HTTP_REQ_CTX_get0_mem_bio -# define OCSP_set_max_response_length OSSL_HTTP_REQ_CTX_set_max_response_length -# endif +#define OCSP_REQ_CTX_new(io, buf_size) \ + OSSL_HTTP_REQ_CTX_new(io, io, buf_size) +#define OCSP_REQ_CTX_free OSSL_HTTP_REQ_CTX_free +#define OCSP_REQ_CTX_http(rctx, op, path) \ + (OSSL_HTTP_REQ_CTX_set_expected(rctx, NULL, 1 /* asn1 */, 0, 0) && OSSL_HTTP_REQ_CTX_set_request_line(rctx, strcmp(op, "POST") == 0, NULL, NULL, path)) +#define OCSP_REQ_CTX_add1_header OSSL_HTTP_REQ_CTX_add1_header +#define OCSP_REQ_CTX_i2d(r, it, req) \ + OSSL_HTTP_REQ_CTX_set1_req(r, "application/ocsp-request", it, req) +#define OCSP_REQ_CTX_set1_req(r, req) \ + OCSP_REQ_CTX_i2d(r, ASN1_ITEM_rptr(OCSP_REQUEST), (ASN1_VALUE *)(req)) +#define OCSP_REQ_CTX_nbio OSSL_HTTP_REQ_CTX_nbio +#define OCSP_REQ_CTX_nbio_d2i OSSL_HTTP_REQ_CTX_nbio_d2i +#define OCSP_sendreq_nbio(p, r) \ + OSSL_HTTP_REQ_CTX_nbio_d2i(r, (ASN1_VALUE **)(p), \ + ASN1_ITEM_rptr(OCSP_RESPONSE)) +#define OCSP_REQ_CTX_get0_mem_bio OSSL_HTTP_REQ_CTX_get0_mem_bio +#define OCSP_set_max_response_length OSSL_HTTP_REQ_CTX_set_max_response_length +#endif OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject, - const X509 *issuer); + const X509 *issuer); OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, - const X509_NAME *issuerName, - const ASN1_BIT_STRING *issuerKey, - const ASN1_INTEGER *serialNumber); + const X509_NAME *issuerName, + const ASN1_BIT_STRING *issuerKey, + const ASN1_INTEGER *serialNumber); OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid); 
@@ -312,10 +317,10 @@ int OCSP_request_set1_name(OCSP_REQUEST *req, const X509_NAME *nm); int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert); int OCSP_request_sign(OCSP_REQUEST *req, - X509 *signer, - EVP_PKEY *key, - const EVP_MD *dgst, - STACK_OF(X509) *certs, unsigned long flags); + X509 *signer, + EVP_PKEY *key, + const EVP_MD *dgst, + STACK_OF(X509) *certs, unsigned long flags); int OCSP_response_status(OCSP_RESPONSE *resp); OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp); 
@@ -324,36 +329,36 @@ const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs); const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs); const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs); int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer, - STACK_OF(X509) *extra_certs); + STACK_OF(X509) *extra_certs); int OCSP_resp_count(OCSP_BASICRESP *bs); OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx); -const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(const OCSP_BASICRESP* bs); +const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(const OCSP_BASICRESP *bs); const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs); int OCSP_resp_get0_id(const OCSP_BASICRESP *bs, - const ASN1_OCTET_STRING **pid, - const X509_NAME **pname); + const ASN1_OCTET_STRING **pid, + const X509_NAME **pname); int OCSP_resp_get1_id(const OCSP_BASICRESP *bs, - ASN1_OCTET_STRING **pid, - X509_NAME **pname); + ASN1_OCTET_STRING **pid, + X509_NAME **pname); int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last); int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason, - ASN1_GENERALIZEDTIME **revtime, - ASN1_GENERALIZEDTIME **thisupd, - ASN1_GENERALIZEDTIME **nextupd); + ASN1_GENERALIZEDTIME **revtime, + ASN1_GENERALIZEDTIME **thisupd, + ASN1_GENERALIZEDTIME **nextupd); int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status, - int *reason, - ASN1_GENERALIZEDTIME **revtime, - ASN1_GENERALIZEDTIME **thisupd, - ASN1_GENERALIZEDTIME **nextupd); + int *reason, + ASN1_GENERALIZEDTIME **revtime, + ASN1_GENERALIZEDTIME **thisupd, + ASN1_GENERALIZEDTIME **nextupd); int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, - ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec); + ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec); int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, - X509_STORE *store, unsigned long flags); + X509_STORE *store, unsigned long flags); -# 
define OCSP_parse_url(url, host, port, path, ssl) \ +#define OCSP_parse_url(url, host, port, path, ssl) \ OSSL_HTTP_parse_url(url, ssl, NULL, host, port, NULL, path, NULL, NULL) int OCSP_id_issuer_cmp(const OCSP_CERTID *a, const OCSP_CERTID *b); 
@@ -363,29 +368,29 @@ int OCSP_request_onereq_count(OCSP_REQUEST *req); OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i); OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one); int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd, - ASN1_OCTET_STRING **pikeyHash, - ASN1_INTEGER **pserial, OCSP_CERTID *cid); + ASN1_OCTET_STRING **pikeyHash, + ASN1_INTEGER **pserial, OCSP_CERTID *cid); int OCSP_request_is_signed(OCSP_REQUEST *req); OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs); OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, - OCSP_CERTID *cid, - int status, int reason, - ASN1_TIME *revtime, - ASN1_TIME *thisupd, - ASN1_TIME *nextupd); + OCSP_CERTID *cid, + int status, int reason, + ASN1_TIME *revtime, + ASN1_TIME *thisupd, + ASN1_TIME *nextupd); int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert); int OCSP_basic_sign(OCSP_BASICRESP *brsp, - X509 *signer, EVP_PKEY *key, const EVP_MD *dgst, - STACK_OF(X509) *certs, unsigned long flags); + X509 *signer, EVP_PKEY *key, const EVP_MD *dgst, + STACK_OF(X509) *certs, unsigned long flags); int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp, - X509 *signer, EVP_MD_CTX *ctx, - STACK_OF(X509) *certs, unsigned long flags); + X509 *signer, EVP_MD_CTX *ctx, + STACK_OF(X509) *certs, unsigned long flags); int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert); int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert, - OSSL_LIB_CTX *libctx, const char *propq); + OSSL_LIB_CTX *libctx, const char *propq); int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert); int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OSSL_LIB_CTX *libctx, - const char *propq); + const char *propq); int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert); X509_EXTENSION *OCSP_crlID_new(const char *url, long *n, char *tim); 
@@ -399,14 +404,14 @@ X509_EXTENSION *OCSP_url_svcloc_new(const X509_NAME *issuer, const char **urls); int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x); int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos); int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, const ASN1_OBJECT *obj, - int lastpos); + int lastpos); int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos); X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc); X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc); void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, - int *idx); + int *idx); int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit, - unsigned long flags); + unsigned long flags); int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc); int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x); 
@@ -417,35 +422,35 @@ X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc); X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc); void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx); int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit, - unsigned long flags); + unsigned long flags); int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc); int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x); int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos); int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, const ASN1_OBJECT *obj, - int lastpos); + int lastpos); int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, - int lastpos); + int lastpos); X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc); X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc); void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, - int *idx); + int *idx); int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, - int crit, unsigned long flags); + int crit, unsigned long flags); int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc); int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x); int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos); int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, const ASN1_OBJECT *obj, - int lastpos); + int lastpos); int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, - int lastpos); + int lastpos); X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc); X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc); void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, - int *idx); + int *idx); int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, - int crit, unsigned long flags); + int crit, unsigned long flags); int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, 
X509_EXTENSION *ex, int loc); const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *x); @@ -473,11 +478,10 @@ int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *a, unsigned long flags); int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *o, unsigned long flags); int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, - X509_STORE *st, unsigned long flags); + X509_STORE *st, unsigned long flags); - -# ifdef __cplusplus +#ifdef __cplusplus } -# endif -# endif /* !defined(OPENSSL_NO_OCSP) */ +#endif +#endif /* !defined(OPENSSL_NO_OCSP) */ #endif diff --git a/crypto/openssl/include/openssl/opensslv.h b/crypto/openssl/include/openssl/opensslv.h index 05af9abc456b..371ddef5c2bf 100644 --- a/crypto/openssl/include/openssl/opensslv.h +++ b/crypto/openssl/include/openssl/opensslv.h @@ -11,12 +11,12 @@ */ #ifndef OPENSSL_OPENSSLV_H -# define OPENSSL_OPENSSLV_H -# pragma once +#define OPENSSL_OPENSSLV_H +#pragma once -# ifdef __cplusplus +#ifdef __cplusplus extern "C" { -# endif +#endif /* * SECTION 1: VERSION DATA. These will change for each release @@ -27,9 +27,15 @@ extern "C" { * * These macros express version number MAJOR.MINOR.PATCH exactly */ +/* clang-format off */ # define OPENSSL_VERSION_MAJOR 3 +/* clang-format on */ +/* clang-format off */ # define OPENSSL_VERSION_MINOR 5 -# define OPENSSL_VERSION_PATCH 4 +/* clang-format on */ +/* clang-format off */ +# define OPENSSL_VERSION_PATCH 5 +/* clang-format on */ /* * Additional version information @@ -39,10 +45,14 @@ extern "C" { */ /* Could be: #define OPENSSL_VERSION_PRE_RELEASE "-alpha.1" */ +/* clang-format off */ # define OPENSSL_VERSION_PRE_RELEASE "" +/* clang-format on */ /* Could be: #define OPENSSL_VERSION_BUILD_METADATA "+fips" */ /* Could be: #define OPENSSL_VERSION_BUILD_METADATA "+vendor.1" */ +/* clang-format off */ # define OPENSSL_VERSION_BUILD_METADATA "" +/* clang-format on */ /* * Note: The OpenSSL Project will never define OPENSSL_VERSION_BUILD_METADATA 
@@ -57,14 +67,16 @@ extern "C" { * be related to the API version expressed with the macros above. * This is defined in free form. */ +/* clang-format off */ # define OPENSSL_SHLIB_VERSION 3 +/* clang-format on */ /* * SECTION 2: USEFUL MACROS */ /* For checking general API compatibility when preprocessing */ -# define OPENSSL_VERSION_PREREQ(maj,min) \ +#define OPENSSL_VERSION_PREREQ(maj, min) \ ((OPENSSL_VERSION_MAJOR << 16) + OPENSSL_VERSION_MINOR >= ((maj) << 16) + (min)) /* @@ -74,36 +86,46 @@ extern "C" { * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and * OPENSSL_VERSION_BUILD_METADATA_STR appended. */ -# define OPENSSL_VERSION_STR "3.5.4" -# define OPENSSL_FULL_VERSION_STR "3.5.4" +/* clang-format off */ +# define OPENSSL_VERSION_STR "3.5.5" +/* clang-format on */ +/* clang-format off */ +# define OPENSSL_FULL_VERSION_STR "3.5.5" +/* clang-format on */ /* * SECTION 3: ADDITIONAL METADATA * * These strings are defined separately to allow them to be parsable. */ -# define OPENSSL_RELEASE_DATE "30 Sep 2025" +/* clang-format off */ +# define OPENSSL_RELEASE_DATE "27 Jan 2026" +/* clang-format on */ /* * SECTION 4: BACKWARD COMPATIBILITY */ -# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.4 30 Sep 2025" +/* clang-format off */ +# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.5 27 Jan 2026" +/* clang-format on */ +/* clang-format off */ /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PP0L */ # define OPENSSL_VERSION_NUMBER \ ( (OPENSSL_VERSION_MAJOR<<28) \ |(OPENSSL_VERSION_MINOR<<20) \ |(OPENSSL_VERSION_PATCH<<4) \ |0x0L ) +/* clang-format on */ -# ifdef __cplusplus +#ifdef __cplusplus } -# endif +#endif -# include <openssl/macros.h> -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define HEADER_OPENSSLV_H -# endif +#include <openssl/macros.h> +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define HEADER_OPENSSLV_H +#endif -#endif /* OPENSSL_OPENSSLV_H */ +#endif /* OPENSSL_OPENSSLV_H */ 
diff --git a/crypto/openssl/include/openssl/pkcs12.h b/crypto/openssl/include/openssl/pkcs12.h
index 0809645dad0b..f7e38ace03bc 100644
--- a/crypto/openssl/include/openssl/pkcs12.h
+++ b/crypto/openssl/include/openssl/pkcs12.h
@@ -10,51 +10,53 @@ * https://www.openssl.org/source/license.html */ +/* clang-format off */ +/* clang-format on */ #ifndef OPENSSL_PKCS12_H -# define OPENSSL_PKCS12_H -# pragma once - -# include <openssl/macros.h> -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define HEADER_PKCS12_H -# endif - -# include <openssl/bio.h> -# include <openssl/core.h> -# include <openssl/x509.h> -# include <openssl/pkcs12err.h> -# ifndef OPENSSL_NO_STDIO -# include <stdio.h> -# endif +#define OPENSSL_PKCS12_H +#pragma once + +#include <openssl/macros.h> +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define HEADER_PKCS12_H +#endif + +#include <openssl/bio.h> +#include <openssl/core.h> +#include <openssl/x509.h> +#include <openssl/pkcs12err.h> +#ifndef OPENSSL_NO_STDIO +#include <stdio.h> +#endif #ifdef __cplusplus extern "C" { #endif -# define PKCS12_KEY_ID 1 -# define PKCS12_IV_ID 2 -# define PKCS12_MAC_ID 3 +#define PKCS12_KEY_ID 1 +#define PKCS12_IV_ID 2 +#define PKCS12_MAC_ID 3 /* Default iteration count */ -# ifndef PKCS12_DEFAULT_ITER -# define PKCS12_DEFAULT_ITER PKCS5_DEFAULT_ITER -# endif +#ifndef PKCS12_DEFAULT_ITER +#define PKCS12_DEFAULT_ITER PKCS5_DEFAULT_ITER +#endif -# define PKCS12_MAC_KEY_LENGTH 20 +#define PKCS12_MAC_KEY_LENGTH 20 /* The macro is expected to be used only internally. Kept for backwards compatibility. */ -# define PKCS12_SALT_LEN 8 +#define PKCS12_SALT_LEN 8 /* It's not clear if these are actually needed... */ -# define PKCS12_key_gen PKCS12_key_gen_utf8 -# define PKCS12_add_friendlyname PKCS12_add_friendlyname_utf8 +#define PKCS12_key_gen PKCS12_key_gen_utf8 +#define PKCS12_add_friendlyname PKCS12_add_friendlyname_utf8 /* MS key usage constants */ -# define KEY_EX 0x10 -# define KEY_SIG 0x80 +#define KEY_EX 0x10 +#define KEY_SIG 0x80 typedef struct PKCS12_MAC_DATA_st PKCS12_MAC_DATA; 
@@ -62,6 +64,7 @@ typedef struct PKCS12_st PKCS12; typedef struct PKCS12_SAFEBAG_st PKCS12_SAFEBAG; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(PKCS12_SAFEBAG, PKCS12_SAFEBAG, PKCS12_SAFEBAG) #define sk_PKCS12_SAFEBAG_num(sk) OPENSSL_sk_num(ossl_check_const_PKCS12_SAFEBAG_sk_type(sk)) #define sk_PKCS12_SAFEBAG_value(sk, idx) ((PKCS12_SAFEBAG *)OPENSSL_sk_value(ossl_check_const_PKCS12_SAFEBAG_sk_type(sk), (idx))) 
@@ -89,45 +92,46 @@ SKM_DEFINE_STACK_OF_INTERNAL(PKCS12_SAFEBAG, PKCS12_SAFEBAG, PKCS12_SAFEBAG) #define sk_PKCS12_SAFEBAG_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(PKCS12_SAFEBAG) *)OPENSSL_sk_deep_copy(ossl_check_const_PKCS12_SAFEBAG_sk_type(sk), ossl_check_PKCS12_SAFEBAG_copyfunc_type(copyfunc), ossl_check_PKCS12_SAFEBAG_freefunc_type(freefunc))) #define sk_PKCS12_SAFEBAG_set_cmp_func(sk, cmp) ((sk_PKCS12_SAFEBAG_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_PKCS12_SAFEBAG_sk_type(sk), ossl_check_PKCS12_SAFEBAG_compfunc_type(cmp))) +/* clang-format on */ typedef struct pkcs12_bag_st PKCS12_BAGS; -# define PKCS12_ERROR 0 -# define PKCS12_OK 1 +#define PKCS12_ERROR 0 +#define PKCS12_OK 1 /* Compatibility macros */ #ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# define M_PKCS12_bag_type PKCS12_bag_type -# define M_PKCS12_cert_bag_type PKCS12_cert_bag_type -# define M_PKCS12_crl_bag_type PKCS12_cert_bag_type +#define M_PKCS12_bag_type PKCS12_bag_type +#define M_PKCS12_cert_bag_type PKCS12_cert_bag_type +#define M_PKCS12_crl_bag_type PKCS12_cert_bag_type -# define PKCS12_certbag2x509 PKCS12_SAFEBAG_get1_cert -# define PKCS12_certbag2scrl PKCS12_SAFEBAG_get1_crl -# define PKCS12_bag_type PKCS12_SAFEBAG_get_nid -# define PKCS12_cert_bag_type PKCS12_SAFEBAG_get_bag_nid -# define PKCS12_x5092certbag PKCS12_SAFEBAG_create_cert -# define PKCS12_x509crl2certbag PKCS12_SAFEBAG_create_crl -# define PKCS12_MAKE_KEYBAG PKCS12_SAFEBAG_create0_p8inf -# define PKCS12_MAKE_SHKEYBAG PKCS12_SAFEBAG_create_pkcs8_encrypt +#define PKCS12_certbag2x509 PKCS12_SAFEBAG_get1_cert +#define PKCS12_certbag2scrl PKCS12_SAFEBAG_get1_crl +#define PKCS12_bag_type PKCS12_SAFEBAG_get_nid +#define PKCS12_cert_bag_type PKCS12_SAFEBAG_get_bag_nid +#define PKCS12_x5092certbag PKCS12_SAFEBAG_create_cert +#define PKCS12_x509crl2certbag PKCS12_SAFEBAG_create_crl +#define PKCS12_MAKE_KEYBAG PKCS12_SAFEBAG_create0_p8inf +#define PKCS12_MAKE_SHKEYBAG PKCS12_SAFEBAG_create_pkcs8_encrypt #endif #ifndef 
OPENSSL_NO_DEPRECATED_1_1_0 OSSL_DEPRECATEDIN_1_1_0 ASN1_TYPE *PKCS12_get_attr(const PKCS12_SAFEBAG *bag, - int attr_nid); + int attr_nid); #endif ASN1_TYPE *PKCS8_get_attr(PKCS8_PRIV_KEY_INFO *p8, int attr_nid); int PKCS12_mac_present(const PKCS12 *p12); void PKCS12_get0_mac(const ASN1_OCTET_STRING **pmac, - const X509_ALGOR **pmacalg, - const ASN1_OCTET_STRING **psalt, - const ASN1_INTEGER **piter, - const PKCS12 *p12); + const X509_ALGOR **pmacalg, + const ASN1_OCTET_STRING **psalt, + const ASN1_INTEGER **piter, + const PKCS12 *p12); const ASN1_TYPE *PKCS12_SAFEBAG_get0_attr(const PKCS12_SAFEBAG *bag, - int attr_nid); + int attr_nid); const ASN1_OBJECT *PKCS12_SAFEBAG_get0_type(const PKCS12_SAFEBAG *bag); int PKCS12_SAFEBAG_get_nid(const PKCS12_SAFEBAG *bag); int PKCS12_SAFEBAG_get_bag_nid(const PKCS12_SAFEBAG *bag); 
@@ -149,159 +153,159 @@ PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_secret(int type, int vtype, const unsigned PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_p8inf(PKCS8_PRIV_KEY_INFO *p8); PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_pkcs8(X509_SIG *p8); PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt(int pbe_nid, - const char *pass, - int passlen, - unsigned char *salt, - int saltlen, int iter, - PKCS8_PRIV_KEY_INFO *p8inf); + const char *pass, + int passlen, + unsigned char *salt, + int saltlen, int iter, + PKCS8_PRIV_KEY_INFO *p8inf); PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt_ex(int pbe_nid, - const char *pass, - int passlen, - unsigned char *salt, - int saltlen, int iter, - PKCS8_PRIV_KEY_INFO *p8inf, - OSSL_LIB_CTX *ctx, - const char *propq); + const char *pass, + int passlen, + unsigned char *salt, + int saltlen, int iter, + PKCS8_PRIV_KEY_INFO *p8inf, + OSSL_LIB_CTX *ctx, + const char *propq); PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it, - int nid1, int nid2); + int nid1, int nid2); PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(const X509_SIG *p8, const char *pass, - int passlen); + int passlen); PKCS8_PRIV_KEY_INFO *PKCS8_decrypt_ex(const X509_SIG *p8, const char *pass, - int passlen, OSSL_LIB_CTX *ctx, - const char *propq); + int passlen, OSSL_LIB_CTX *ctx, + const char *propq); PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey(const PKCS12_SAFEBAG *bag, - const char *pass, int passlen); + const char *pass, int passlen); PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey_ex(const PKCS12_SAFEBAG *bag, - const char *pass, int passlen, - OSSL_LIB_CTX *ctx, - const char *propq); + const char *pass, int passlen, + OSSL_LIB_CTX *ctx, + const char *propq); X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, - const char *pass, int passlen, unsigned char *salt, - int saltlen, int iter, PKCS8_PRIV_KEY_INFO *p8); + const char *pass, int passlen, unsigned char *salt, + int saltlen, int iter, PKCS8_PRIV_KEY_INFO *p8); X509_SIG *PKCS8_encrypt_ex(int pbe_nid, const 
EVP_CIPHER *cipher, - const char *pass, int passlen, unsigned char *salt, - int saltlen, int iter, PKCS8_PRIV_KEY_INFO *p8, - OSSL_LIB_CTX *ctx, const char *propq); + const char *pass, int passlen, unsigned char *salt, + int saltlen, int iter, PKCS8_PRIV_KEY_INFO *p8, + OSSL_LIB_CTX *ctx, const char *propq); X509_SIG *PKCS8_set0_pbe(const char *pass, int passlen, - PKCS8_PRIV_KEY_INFO *p8inf, X509_ALGOR *pbe); + PKCS8_PRIV_KEY_INFO *p8inf, X509_ALGOR *pbe); X509_SIG *PKCS8_set0_pbe_ex(const char *pass, int passlen, - PKCS8_PRIV_KEY_INFO *p8inf, X509_ALGOR *pbe, - OSSL_LIB_CTX *ctx, const char *propq); + PKCS8_PRIV_KEY_INFO *p8inf, X509_ALGOR *pbe, + OSSL_LIB_CTX *ctx, const char *propq); PKCS7 *PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk); STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7); PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen, - unsigned char *salt, int saltlen, int iter, - STACK_OF(PKCS12_SAFEBAG) *bags); + unsigned char *salt, int saltlen, int iter, + STACK_OF(PKCS12_SAFEBAG) *bags); PKCS7 *PKCS12_pack_p7encdata_ex(int pbe_nid, const char *pass, int passlen, - unsigned char *salt, int saltlen, int iter, - STACK_OF(PKCS12_SAFEBAG) *bags, - OSSL_LIB_CTX *ctx, const char *propq); + unsigned char *salt, int saltlen, int iter, + STACK_OF(PKCS12_SAFEBAG) *bags, + OSSL_LIB_CTX *ctx, const char *propq); STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, - int passlen); + int passlen); int PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes); STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12); int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name, - int namelen); + int namelen); int PKCS12_add_friendlyname_asc(PKCS12_SAFEBAG *bag, const char *name, - int namelen); + int namelen); int PKCS12_add_friendlyname_utf8(PKCS12_SAFEBAG *bag, const char *name, - int namelen); + int namelen); int PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name, - int namelen); + int 
namelen); int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag, - const unsigned char *name, int namelen); + const unsigned char *name, int namelen); int PKCS12_add1_attr_by_NID(PKCS12_SAFEBAG *bag, int nid, int type, - const unsigned char *bytes, int len); + const unsigned char *bytes, int len); int PKCS12_add1_attr_by_txt(PKCS12_SAFEBAG *bag, const char *attrname, int type, - const unsigned char *bytes, int len); + const unsigned char *bytes, int len); int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage); ASN1_TYPE *PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs, - int attr_nid); + int attr_nid); char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag); const STACK_OF(X509_ATTRIBUTE) * PKCS12_SAFEBAG_get0_attrs(const PKCS12_SAFEBAG *bag); void PKCS12_SAFEBAG_set0_attrs(PKCS12_SAFEBAG *bag, STACK_OF(X509_ATTRIBUTE) *attrs); unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor, - const char *pass, int passlen, - const unsigned char *in, int inlen, - unsigned char **data, int *datalen, - int en_de); + const char *pass, int passlen, + const unsigned char *in, int inlen, + unsigned char **data, int *datalen, + int en_de); unsigned char *PKCS12_pbe_crypt_ex(const X509_ALGOR *algor, - const char *pass, int passlen, - const unsigned char *in, int inlen, - unsigned char **data, int *datalen, - int en_de, OSSL_LIB_CTX *libctx, - const char *propq); + const char *pass, int passlen, + const unsigned char *in, int inlen, + unsigned char **data, int *datalen, + int en_de, OSSL_LIB_CTX *libctx, + const char *propq); void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it, - const char *pass, int passlen, - const ASN1_OCTET_STRING *oct, int zbuf); + const char *pass, int passlen, + const ASN1_OCTET_STRING *oct, int zbuf); void *PKCS12_item_decrypt_d2i_ex(const X509_ALGOR *algor, const ASN1_ITEM *it, - const char *pass, int passlen, - const ASN1_OCTET_STRING *oct, int zbuf, - OSSL_LIB_CTX *libctx, - const char *propq); + const char *pass, int 
passlen, + const ASN1_OCTET_STRING *oct, int zbuf, + OSSL_LIB_CTX *libctx, + const char *propq); ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor, - const ASN1_ITEM *it, - const char *pass, int passlen, - void *obj, int zbuf); + const ASN1_ITEM *it, + const char *pass, int passlen, + void *obj, int zbuf); ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt_ex(X509_ALGOR *algor, - const ASN1_ITEM *it, - const char *pass, int passlen, - void *obj, int zbuf, - OSSL_LIB_CTX *ctx, - const char *propq); + const ASN1_ITEM *it, + const char *pass, int passlen, + void *obj, int zbuf, + OSSL_LIB_CTX *ctx, + const char *propq); PKCS12 *PKCS12_init(int mode); PKCS12 *PKCS12_init_ex(int mode, OSSL_LIB_CTX *ctx, const char *propq); int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt, - int saltlen, int id, int iter, int n, - unsigned char *out, const EVP_MD *md_type); + int saltlen, int id, int iter, int n, + unsigned char *out, const EVP_MD *md_type); int PKCS12_key_gen_asc_ex(const char *pass, int passlen, unsigned char *salt, - int saltlen, int id, int iter, int n, - unsigned char *out, const EVP_MD *md_type, - OSSL_LIB_CTX *ctx, const char *propq); + int saltlen, int id, int iter, int n, + unsigned char *out, const EVP_MD *md_type, + OSSL_LIB_CTX *ctx, const char *propq); int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, - int saltlen, int id, int iter, int n, - unsigned char *out, const EVP_MD *md_type); + int saltlen, int id, int iter, int n, + unsigned char *out, const EVP_MD *md_type); int PKCS12_key_gen_uni_ex(unsigned char *pass, int passlen, unsigned char *salt, - int saltlen, int id, int iter, int n, - unsigned char *out, const EVP_MD *md_type, - OSSL_LIB_CTX *ctx, const char *propq); + int saltlen, int id, int iter, int n, + unsigned char *out, const EVP_MD *md_type, + OSSL_LIB_CTX *ctx, const char *propq); int PKCS12_key_gen_utf8(const char *pass, int passlen, unsigned char *salt, - int saltlen, int id, int iter, 
int n, - unsigned char *out, const EVP_MD *md_type); + int saltlen, int id, int iter, int n, + unsigned char *out, const EVP_MD *md_type); int PKCS12_key_gen_utf8_ex(const char *pass, int passlen, unsigned char *salt, - int saltlen, int id, int iter, int n, - unsigned char *out, const EVP_MD *md_type, - OSSL_LIB_CTX *ctx, const char *propq); + int saltlen, int id, int iter, int n, + unsigned char *out, const EVP_MD *md_type, + OSSL_LIB_CTX *ctx, const char *propq); int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, - ASN1_TYPE *param, const EVP_CIPHER *cipher, - const EVP_MD *md_type, int en_de); + ASN1_TYPE *param, const EVP_CIPHER *cipher, + const EVP_MD *md_type, int en_de); int PKCS12_PBE_keyivgen_ex(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, - ASN1_TYPE *param, const EVP_CIPHER *cipher, - const EVP_MD *md_type, int en_de, - OSSL_LIB_CTX *libctx, const char *propq); + ASN1_TYPE *param, const EVP_CIPHER *cipher, + const EVP_MD *md_type, int en_de, + OSSL_LIB_CTX *libctx, const char *propq); int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen, - unsigned char *mac, unsigned int *maclen); + unsigned char *mac, unsigned int *maclen); int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen); int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, - unsigned char *salt, int saltlen, int iter, - const EVP_MD *md_type); + unsigned char *salt, int saltlen, int iter, + const EVP_MD *md_type); int PKCS12_set_pbmac1_pbkdf2(PKCS12 *p12, const char *pass, int passlen, - unsigned char *salt, int saltlen, int iter, - const EVP_MD *md_type, const char *prf_md_name); + unsigned char *salt, int saltlen, int iter, + const EVP_MD *md_type, const char *prf_md_name); int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, - int saltlen, const EVP_MD *md_type); + int saltlen, const EVP_MD *md_type); unsigned char *OPENSSL_asc2uni(const char *asc, int asclen, - unsigned char **uni, int *unilen); + unsigned char **uni, 
int *unilen); char *OPENSSL_uni2asc(const unsigned char *uni, int unilen); unsigned char *OPENSSL_utf82uni(const char *asc, int asclen, - unsigned char **uni, int *unilen); + unsigned char **uni, int *unilen); char *OPENSSL_uni2utf8(const unsigned char *uni, int unilen); DECLARE_ASN1_FUNCTIONS(PKCS12) 
@@ -314,53 +318,53 @@ DECLARE_ASN1_ITEM(PKCS12_AUTHSAFES) void PKCS12_PBE_add(void); int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, - STACK_OF(X509) **ca); + STACK_OF(X509) **ca); typedef int PKCS12_create_cb(PKCS12_SAFEBAG *bag, void *cbarg); PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, - X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert, - int iter, int mac_iter, int keytype); + X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert, + int iter, int mac_iter, int keytype); PKCS12 *PKCS12_create_ex(const char *pass, const char *name, EVP_PKEY *pkey, - X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert, - int iter, int mac_iter, int keytype, - OSSL_LIB_CTX *ctx, const char *propq); + X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert, + int iter, int mac_iter, int keytype, + OSSL_LIB_CTX *ctx, const char *propq); PKCS12 *PKCS12_create_ex2(const char *pass, const char *name, EVP_PKEY *pkey, - X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert, - int iter, int mac_iter, int keytype, - OSSL_LIB_CTX *ctx, const char *propq, - PKCS12_create_cb *cb, void *cbarg); + X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert, + int iter, int mac_iter, int keytype, + OSSL_LIB_CTX *ctx, const char *propq, + PKCS12_create_cb *cb, void *cbarg); PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert); PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, - EVP_PKEY *key, int key_usage, int iter, - int key_nid, const char *pass); + EVP_PKEY *key, int key_usage, int iter, + int key_nid, const char *pass); PKCS12_SAFEBAG *PKCS12_add_key_ex(STACK_OF(PKCS12_SAFEBAG) **pbags, - EVP_PKEY *key, int key_usage, int iter, - int key_nid, const char *pass, - OSSL_LIB_CTX *ctx, const char *propq); + EVP_PKEY *key, int key_usage, int iter, + int key_nid, const char *pass, + OSSL_LIB_CTX *ctx, const char *propq); PKCS12_SAFEBAG *PKCS12_add_secret(STACK_OF(PKCS12_SAFEBAG) 
**pbags, - int nid_type, const unsigned char *value, int len); + int nid_type, const unsigned char *value, int len); int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags, - int safe_nid, int iter, const char *pass); + int safe_nid, int iter, const char *pass); int PKCS12_add_safe_ex(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags, - int safe_nid, int iter, const char *pass, - OSSL_LIB_CTX *ctx, const char *propq); + int safe_nid, int iter, const char *pass, + OSSL_LIB_CTX *ctx, const char *propq); PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int p7_nid); PKCS12 *PKCS12_add_safes_ex(STACK_OF(PKCS7) *safes, int p7_nid, - OSSL_LIB_CTX *ctx, const char *propq); + OSSL_LIB_CTX *ctx, const char *propq); int i2d_PKCS12_bio(BIO *bp, const PKCS12 *p12); -# ifndef OPENSSL_NO_STDIO +#ifndef OPENSSL_NO_STDIO int i2d_PKCS12_fp(FILE *fp, const PKCS12 *p12); -# endif +#endif PKCS12 *d2i_PKCS12_bio(BIO *bp, PKCS12 **p12); -# ifndef OPENSSL_NO_STDIO +#ifndef OPENSSL_NO_STDIO PKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **p12); -# endif +#endif int PKCS12_newpass(PKCS12 *p12, const char *oldpass, const char *newpass); -# ifdef __cplusplus +#ifdef __cplusplus } -# endif +#endif #endif diff --git a/crypto/openssl/include/openssl/pkcs7.h b/crypto/openssl/include/openssl/pkcs7.h index fa68462aff97..b6ab21e8b423 100644 --- a/crypto/openssl/include/openssl/pkcs7.h +++ b/crypto/openssl/include/openssl/pkcs7.h 
@@ -10,32 +10,33 @@ * https://www.openssl.org/source/license.html */ +/* clang-format off */ +/* clang-format on */ #ifndef OPENSSL_PKCS7_H -# define OPENSSL_PKCS7_H -# pragma once - -# include <openssl/macros.h> -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define HEADER_PKCS7_H -# endif - -# include <openssl/asn1.h> -# include <openssl/bio.h> -# include <openssl/e_os2.h> - -# include <openssl/symhacks.h> -# include <openssl/types.h> -# include <openssl/pkcs7err.h> -# ifndef OPENSSL_NO_STDIO -# include <stdio.h> -# endif - -#ifdef __cplusplus -extern "C" { +#define OPENSSL_PKCS7_H +#pragma once + +#include <openssl/macros.h> +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define HEADER_PKCS7_H #endif +#include <openssl/asn1.h> +#include <openssl/bio.h> +#include <openssl/e_os2.h> + +#include <openssl/symhacks.h> +#include <openssl/types.h> +#include <openssl/pkcs7err.h> +#ifndef OPENSSL_NO_STDIO +#include <stdio.h> +#endif + +#ifdef __cplusplus +extern "C" { +#endif /*- Encryption_ID DES-CBC @@ -55,7 +56,7 @@ typedef struct pkcs7_issuer_and_serial_st { } PKCS7_ISSUER_AND_SERIAL; typedef struct pkcs7_signer_info_st { - ASN1_INTEGER *version; /* version 1 */ + ASN1_INTEGER *version; /* version 1 */ PKCS7_ISSUER_AND_SERIAL *issuer_and_serial; X509_ALGOR *digest_alg; STACK_OF(X509_ATTRIBUTE) *auth_attr; /* [ 0 ] */ @@ -66,6 +67,7 @@ typedef struct pkcs7_signer_info_st { EVP_PKEY *pkey; const PKCS7_CTX *ctx; } PKCS7_SIGNER_INFO; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(PKCS7_SIGNER_INFO, PKCS7_SIGNER_INFO, PKCS7_SIGNER_INFO) #define sk_PKCS7_SIGNER_INFO_num(sk) OPENSSL_sk_num(ossl_check_const_PKCS7_SIGNER_INFO_sk_type(sk)) #define sk_PKCS7_SIGNER_INFO_value(sk, idx) ((PKCS7_SIGNER_INFO *)OPENSSL_sk_value(ossl_check_const_PKCS7_SIGNER_INFO_sk_type(sk), (idx))) 
@@ -93,15 +95,17 @@ SKM_DEFINE_STACK_OF_INTERNAL(PKCS7_SIGNER_INFO, PKCS7_SIGNER_INFO, PKCS7_SIGNER_ #define sk_PKCS7_SIGNER_INFO_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(PKCS7_SIGNER_INFO) *)OPENSSL_sk_deep_copy(ossl_check_const_PKCS7_SIGNER_INFO_sk_type(sk), ossl_check_PKCS7_SIGNER_INFO_copyfunc_type(copyfunc), ossl_check_PKCS7_SIGNER_INFO_freefunc_type(freefunc))) #define sk_PKCS7_SIGNER_INFO_set_cmp_func(sk, cmp) ((sk_PKCS7_SIGNER_INFO_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_PKCS7_SIGNER_INFO_sk_type(sk), ossl_check_PKCS7_SIGNER_INFO_compfunc_type(cmp))) +/* clang-format on */ typedef struct pkcs7_recip_info_st { - ASN1_INTEGER *version; /* version 0 */ + ASN1_INTEGER *version; /* version 0 */ PKCS7_ISSUER_AND_SERIAL *issuer_and_serial; X509_ALGOR *key_enc_algor; ASN1_OCTET_STRING *enc_key; - X509 *cert; /* get the pub-key from this */ + X509 *cert; /* get the pub-key from this */ const PKCS7_CTX *ctx; } PKCS7_RECIP_INFO; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(PKCS7_RECIP_INFO, PKCS7_RECIP_INFO, PKCS7_RECIP_INFO) #define sk_PKCS7_RECIP_INFO_num(sk) OPENSSL_sk_num(ossl_check_const_PKCS7_RECIP_INFO_sk_type(sk)) #define sk_PKCS7_RECIP_INFO_value(sk, idx) ((PKCS7_RECIP_INFO *)OPENSSL_sk_value(ossl_check_const_PKCS7_RECIP_INFO_sk_type(sk), (idx))) 
@@ -129,13 +133,13 @@ SKM_DEFINE_STACK_OF_INTERNAL(PKCS7_RECIP_INFO, PKCS7_RECIP_INFO, PKCS7_RECIP_INF #define sk_PKCS7_RECIP_INFO_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(PKCS7_RECIP_INFO) *)OPENSSL_sk_deep_copy(ossl_check_const_PKCS7_RECIP_INFO_sk_type(sk), ossl_check_PKCS7_RECIP_INFO_copyfunc_type(copyfunc), ossl_check_PKCS7_RECIP_INFO_freefunc_type(freefunc))) #define sk_PKCS7_RECIP_INFO_set_cmp_func(sk, cmp) ((sk_PKCS7_RECIP_INFO_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_PKCS7_RECIP_INFO_sk_type(sk), ossl_check_PKCS7_RECIP_INFO_compfunc_type(cmp))) - +/* clang-format on */ typedef struct pkcs7_signed_st { - ASN1_INTEGER *version; /* version 1 */ + ASN1_INTEGER *version; /* version 1 */ STACK_OF(X509_ALGOR) *md_algs; /* md used */ - STACK_OF(X509) *cert; /* [ 0 ] */ /* name should be 'certificates' */ - STACK_OF(X509_CRL) *crl; /* [ 1 ] */ /* name should be 'crls' */ + STACK_OF(X509) *cert; /* [ 0 ] */ /* name should be 'certificates' */ + STACK_OF(X509_CRL) *crl; /* [ 1 ] */ /* name should be 'crls' */ STACK_OF(PKCS7_SIGNER_INFO) *signer_info; struct pkcs7_st *contents; } PKCS7_SIGNED; 
@@ -153,30 +157,30 @@ typedef struct pkcs7_enc_content_st { } PKCS7_ENC_CONTENT; typedef struct pkcs7_enveloped_st { - ASN1_INTEGER *version; /* version 0 */ + ASN1_INTEGER *version; /* version 0 */ STACK_OF(PKCS7_RECIP_INFO) *recipientinfo; PKCS7_ENC_CONTENT *enc_data; } PKCS7_ENVELOPE; typedef struct pkcs7_signedandenveloped_st { - ASN1_INTEGER *version; /* version 1 */ + ASN1_INTEGER *version; /* version 1 */ STACK_OF(X509_ALGOR) *md_algs; /* md used */ - STACK_OF(X509) *cert; /* [ 0 ] */ /* name should be 'certificates' */ - STACK_OF(X509_CRL) *crl; /* [ 1 ] */ /* name should be 'crls' */ + STACK_OF(X509) *cert; /* [ 0 ] */ /* name should be 'certificates' */ + STACK_OF(X509_CRL) *crl; /* [ 1 ] */ /* name should be 'crls' */ STACK_OF(PKCS7_SIGNER_INFO) *signer_info; PKCS7_ENC_CONTENT *enc_data; STACK_OF(PKCS7_RECIP_INFO) *recipientinfo; } PKCS7_SIGN_ENVELOPE; typedef struct pkcs7_digest_st { - ASN1_INTEGER *version; /* version 0 */ - X509_ALGOR *md; /* md used */ + ASN1_INTEGER *version; /* version 0 */ + X509_ALGOR *md; /* md used */ struct pkcs7_st *contents; ASN1_OCTET_STRING *digest; } PKCS7_DIGEST; typedef struct pkcs7_encrypted_st { - ASN1_INTEGER *version; /* version 0 */ + ASN1_INTEGER *version; /* version 0 */ PKCS7_ENC_CONTENT *enc_data; } PKCS7_ENCRYPT; @@ -187,10 +191,10 @@ typedef struct pkcs7_st { */ unsigned char *asn1; long length; -# define PKCS7_S_HEADER 0 -# define PKCS7_S_BODY 1 -# define PKCS7_S_TAIL 2 - int state; /* used during processing */ +#define PKCS7_S_HEADER 0 +#define PKCS7_S_BODY 1 +#define PKCS7_S_TAIL 2 + int state; /* used during processing */ int detached; ASN1_OBJECT *type; /* content as defined by the type */ 
@@ -217,6 +221,7 @@ typedef struct pkcs7_st { } d; PKCS7_CTX ctx; } PKCS7; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(PKCS7, PKCS7, PKCS7) #define sk_PKCS7_num(sk) OPENSSL_sk_num(ossl_check_const_PKCS7_sk_type(sk)) #define sk_PKCS7_value(sk, idx) ((PKCS7 *)OPENSSL_sk_value(ossl_check_const_PKCS7_sk_type(sk), (idx))) 
@@ -244,73 +249,73 @@ SKM_DEFINE_STACK_OF_INTERNAL(PKCS7, PKCS7, PKCS7) #define sk_PKCS7_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(PKCS7) *)OPENSSL_sk_deep_copy(ossl_check_const_PKCS7_sk_type(sk), ossl_check_PKCS7_copyfunc_type(copyfunc), ossl_check_PKCS7_freefunc_type(freefunc))) #define sk_PKCS7_set_cmp_func(sk, cmp) ((sk_PKCS7_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_PKCS7_sk_type(sk), ossl_check_PKCS7_compfunc_type(cmp))) +/* clang-format on */ +#define PKCS7_OP_SET_DETACHED_SIGNATURE 1 +#define PKCS7_OP_GET_DETACHED_SIGNATURE 2 -# define PKCS7_OP_SET_DETACHED_SIGNATURE 1 -# define PKCS7_OP_GET_DETACHED_SIGNATURE 2 - -# define PKCS7_get_signed_attributes(si) ((si)->auth_attr) -# define PKCS7_get_attributes(si) ((si)->unauth_attr) +#define PKCS7_get_signed_attributes(si) ((si)->auth_attr) +#define PKCS7_get_attributes(si) ((si)->unauth_attr) -# define PKCS7_type_is_signed(a) (OBJ_obj2nid((a)->type) == NID_pkcs7_signed) -# define PKCS7_type_is_encrypted(a) (OBJ_obj2nid((a)->type) == NID_pkcs7_encrypted) -# define PKCS7_type_is_enveloped(a) (OBJ_obj2nid((a)->type) == NID_pkcs7_enveloped) -# define PKCS7_type_is_signedAndEnveloped(a) \ - (OBJ_obj2nid((a)->type) == NID_pkcs7_signedAndEnveloped) -# define PKCS7_type_is_data(a) (OBJ_obj2nid((a)->type) == NID_pkcs7_data) -# define PKCS7_type_is_digest(a) (OBJ_obj2nid((a)->type) == NID_pkcs7_digest) +#define PKCS7_type_is_signed(a) (OBJ_obj2nid((a)->type) == NID_pkcs7_signed) +#define PKCS7_type_is_encrypted(a) (OBJ_obj2nid((a)->type) == NID_pkcs7_encrypted) +#define PKCS7_type_is_enveloped(a) (OBJ_obj2nid((a)->type) == NID_pkcs7_enveloped) +#define PKCS7_type_is_signedAndEnveloped(a) \ + (OBJ_obj2nid((a)->type) == NID_pkcs7_signedAndEnveloped) +#define PKCS7_type_is_data(a) (OBJ_obj2nid((a)->type) == NID_pkcs7_data) +#define PKCS7_type_is_digest(a) (OBJ_obj2nid((a)->type) == NID_pkcs7_digest) -# define PKCS7_set_detached(p,v) \ - PKCS7_ctrl(p,PKCS7_OP_SET_DETACHED_SIGNATURE,v,NULL) -# define PKCS7_get_detached(p) 
\ - PKCS7_ctrl(p,PKCS7_OP_GET_DETACHED_SIGNATURE,0,NULL) +#define PKCS7_set_detached(p, v) \ + PKCS7_ctrl(p, PKCS7_OP_SET_DETACHED_SIGNATURE, v, NULL) +#define PKCS7_get_detached(p) \ + PKCS7_ctrl(p, PKCS7_OP_GET_DETACHED_SIGNATURE, 0, NULL) -# define PKCS7_is_detached(p7) (PKCS7_type_is_signed(p7) && PKCS7_get_detached(p7)) +#define PKCS7_is_detached(p7) (PKCS7_type_is_signed(p7) && PKCS7_get_detached(p7)) /* S/MIME related flags */ -# define PKCS7_TEXT 0x1 -# define PKCS7_NOCERTS 0x2 -# define PKCS7_NOSIGS 0x4 -# define PKCS7_NOCHAIN 0x8 -# define PKCS7_NOINTERN 0x10 -# define PKCS7_NOVERIFY 0x20 -# define PKCS7_DETACHED 0x40 -# define PKCS7_BINARY 0x80 -# define PKCS7_NOATTR 0x100 -# define PKCS7_NOSMIMECAP 0x200 -# define PKCS7_NOOLDMIMETYPE 0x400 -# define PKCS7_CRLFEOL 0x800 -# define PKCS7_STREAM 0x1000 -# define PKCS7_NOCRL 0x2000 -# define PKCS7_PARTIAL 0x4000 -# define PKCS7_REUSE_DIGEST 0x8000 -# define PKCS7_NO_DUAL_CONTENT 0x10000 +#define PKCS7_TEXT 0x1 +#define PKCS7_NOCERTS 0x2 +#define PKCS7_NOSIGS 0x4 +#define PKCS7_NOCHAIN 0x8 +#define PKCS7_NOINTERN 0x10 +#define PKCS7_NOVERIFY 0x20 +#define PKCS7_DETACHED 0x40 +#define PKCS7_BINARY 0x80 +#define PKCS7_NOATTR 0x100 +#define PKCS7_NOSMIMECAP 0x200 +#define PKCS7_NOOLDMIMETYPE 0x400 +#define PKCS7_CRLFEOL 0x800 +#define PKCS7_STREAM 0x1000 +#define PKCS7_NOCRL 0x2000 +#define PKCS7_PARTIAL 0x4000 +#define PKCS7_REUSE_DIGEST 0x8000 +#define PKCS7_NO_DUAL_CONTENT 0x10000 /* Flags: for compatibility with older code */ -# define SMIME_TEXT PKCS7_TEXT -# define SMIME_NOCERTS PKCS7_NOCERTS -# define SMIME_NOSIGS PKCS7_NOSIGS -# define SMIME_NOCHAIN PKCS7_NOCHAIN -# define SMIME_NOINTERN PKCS7_NOINTERN -# define SMIME_NOVERIFY PKCS7_NOVERIFY -# define SMIME_DETACHED PKCS7_DETACHED -# define SMIME_BINARY PKCS7_BINARY -# define SMIME_NOATTR PKCS7_NOATTR +#define SMIME_TEXT PKCS7_TEXT +#define SMIME_NOCERTS PKCS7_NOCERTS +#define SMIME_NOSIGS PKCS7_NOSIGS +#define SMIME_NOCHAIN PKCS7_NOCHAIN +#define 
SMIME_NOINTERN PKCS7_NOINTERN +#define SMIME_NOVERIFY PKCS7_NOVERIFY +#define SMIME_DETACHED PKCS7_DETACHED +#define SMIME_BINARY PKCS7_BINARY +#define SMIME_NOATTR PKCS7_NOATTR /* CRLF ASCII canonicalisation */ -# define SMIME_ASCIICRLF 0x80000 +#define SMIME_ASCIICRLF 0x80000 DECLARE_ASN1_FUNCTIONS(PKCS7_ISSUER_AND_SERIAL) int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, - const EVP_MD *type, unsigned char *md, - unsigned int *len); -# ifndef OPENSSL_NO_STDIO + const EVP_MD *type, unsigned char *md, + unsigned int *len); +#ifndef OPENSSL_NO_STDIO PKCS7 *d2i_PKCS7_fp(FILE *fp, PKCS7 **p7); int i2d_PKCS7_fp(FILE *fp, const PKCS7 *p7); -# endif +#endif DECLARE_ASN1_DUP_FUNCTION(PKCS7) PKCS7 *d2i_PKCS7_bio(BIO *bp, PKCS7 **p7); int i2d_PKCS7_bio(BIO *bp, const PKCS7 *p7); 
@@ -341,30 +346,30 @@ int PKCS7_set_type(PKCS7 *p7, int type); int PKCS7_set0_type_other(PKCS7 *p7, int type, ASN1_TYPE *other); int PKCS7_set_content(PKCS7 *p7, PKCS7 *p7_data); int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey, - const EVP_MD *dgst); + const EVP_MD *dgst); int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si); int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *p7i); int PKCS7_add_certificate(PKCS7 *p7, X509 *cert); int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl); int PKCS7_content_new(PKCS7 *p7, int nid); int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, - BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si); + BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si); int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, - X509 *signer); + X509 *signer); BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio); int PKCS7_dataFinal(PKCS7 *p7, BIO *bio); BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert); PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, - EVP_PKEY *pkey, const EVP_MD *dgst); + EVP_PKEY *pkey, const EVP_MD *dgst); X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si); int PKCS7_set_digest(PKCS7 *p7, const EVP_MD *md); STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7); PKCS7_RECIP_INFO *PKCS7_add_recipient(PKCS7 *p7, X509 *x509); void PKCS7_SIGNER_INFO_get0_algs(PKCS7_SIGNER_INFO *si, EVP_PKEY **pk, - X509_ALGOR **pdig, X509_ALGOR **psig); + X509_ALGOR **pdig, X509_ALGOR **psig); void PKCS7_RECIP_INFO_get0_alg(PKCS7_RECIP_INFO *ri, X509_ALGOR **penc); int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri); int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509); 
@@ -375,48 +380,48 @@ PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx); ASN1_OCTET_STRING *PKCS7_get_octet_string(PKCS7 *p7); ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk); int PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int type, - void *data); + void *data); int PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, - void *value); + void *value); ASN1_TYPE *PKCS7_get_attribute(const PKCS7_SIGNER_INFO *si, int nid); ASN1_TYPE *PKCS7_get_signed_attribute(const PKCS7_SIGNER_INFO *si, int nid); int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si, - STACK_OF(X509_ATTRIBUTE) *sk); + STACK_OF(X509_ATTRIBUTE) *sk); int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, - STACK_OF(X509_ATTRIBUTE) *sk); + STACK_OF(X509_ATTRIBUTE) *sk); PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, - BIO *data, int flags); + BIO *data, int flags); PKCS7 *PKCS7_sign_ex(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, - BIO *data, int flags, OSSL_LIB_CTX *libctx, - const char *propq); + BIO *data, int flags, OSSL_LIB_CTX *libctx, + const char *propq); PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *p7, - X509 *signcert, EVP_PKEY *pkey, - const EVP_MD *md, int flags); + X509 *signcert, EVP_PKEY *pkey, + const EVP_MD *md, int flags); int PKCS7_final(PKCS7 *p7, BIO *data, int flags); int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, - BIO *indata, BIO *out, int flags); + BIO *indata, BIO *out, int flags); STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, - int flags); + int flags); PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, - int flags); + int flags); PKCS7 *PKCS7_encrypt_ex(STACK_OF(X509) *certs, BIO *in, - const EVP_CIPHER *cipher, int flags, - OSSL_LIB_CTX *libctx, const char *propq); + const EVP_CIPHER *cipher, int flags, + OSSL_LIB_CTX *libctx, const char *propq); int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY 
*pkey, X509 *cert, BIO *data, - int flags); + int flags); int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, - STACK_OF(X509_ALGOR) *cap); + STACK_OF(X509_ALGOR) *cap); STACK_OF(X509_ALGOR) *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si); int PKCS7_simple_smimecap(STACK_OF(X509_ALGOR) *sk, int nid, int arg); int PKCS7_add_attrib_content_type(PKCS7_SIGNER_INFO *si, ASN1_OBJECT *coid); int PKCS7_add0_attrib_signing_time(PKCS7_SIGNER_INFO *si, ASN1_TIME *t); int PKCS7_add1_attrib_digest(PKCS7_SIGNER_INFO *si, - const unsigned char *md, int mdlen); + const unsigned char *md, int mdlen); int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags); PKCS7 *SMIME_read_PKCS7_ex(BIO *bio, BIO **bcont, PKCS7 **p7); @@ -424,7 +429,7 @@ PKCS7 *SMIME_read_PKCS7(BIO *bio, BIO **bcont); BIO *BIO_new_PKCS7(BIO *out, PKCS7 *p7); -# ifdef __cplusplus +#ifdef __cplusplus } -# endif +#endif #endif diff --git a/crypto/openssl/include/openssl/safestack.h b/crypto/openssl/include/openssl/safestack.h index 0499700b5625..084f610b5bf7 100644 --- a/crypto/openssl/include/openssl/safestack.h +++ b/crypto/openssl/include/openssl/safestack.h 
@@ -10,173 +10,175 @@ * https://www.openssl.org/source/license.html */ +/* clang-format off */ +/* clang-format on */ #ifndef OPENSSL_SAFESTACK_H -# define OPENSSL_SAFESTACK_H -# pragma once +#define OPENSSL_SAFESTACK_H +#pragma once -# include <openssl/macros.h> -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define HEADER_SAFESTACK_H -# endif +#include <openssl/macros.h> +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define HEADER_SAFESTACK_H +#endif -# include <openssl/stack.h> -# include <openssl/e_os2.h> +#include <openssl/stack.h> +#include <openssl/e_os2.h> #ifdef __cplusplus extern "C" { #endif -# define STACK_OF(type) struct stack_st_##type +#define STACK_OF(type) struct stack_st_##type /* Helper macro for internal use */ -# define SKM_DEFINE_STACK_OF_INTERNAL(t1, t2, t3) \ - STACK_OF(t1); \ - typedef int (*sk_##t1##_compfunc)(const t3 * const *a, const t3 *const *b); \ - typedef void (*sk_##t1##_freefunc)(t3 *a); \ - typedef t3 * (*sk_##t1##_copyfunc)(const t3 *a); \ - static ossl_unused ossl_inline t2 *ossl_check_##t1##_type(t2 *ptr) \ - { \ - return ptr; \ - } \ +#define SKM_DEFINE_STACK_OF_INTERNAL(t1, t2, t3) \ + STACK_OF(t1); \ + typedef int (*sk_##t1##_compfunc)(const t3 *const *a, const t3 *const *b); \ + typedef void (*sk_##t1##_freefunc)(t3 * a); \ + typedef t3 *(*sk_##t1##_copyfunc)(const t3 *a); \ + static ossl_unused ossl_inline t2 *ossl_check_##t1##_type(t2 *ptr) \ + { \ + return ptr; \ + } \ static ossl_unused ossl_inline const OPENSSL_STACK *ossl_check_const_##t1##_sk_type(const STACK_OF(t1) *sk) \ - { \ - return (const OPENSSL_STACK *)sk; \ - } \ - static ossl_unused ossl_inline OPENSSL_STACK *ossl_check_##t1##_sk_type(STACK_OF(t1) *sk) \ - { \ - return (OPENSSL_STACK *)sk; \ - } \ - static ossl_unused ossl_inline OPENSSL_sk_compfunc ossl_check_##t1##_compfunc_type(sk_##t1##_compfunc cmp) \ - { \ - return (OPENSSL_sk_compfunc)cmp; \ - } \ - static ossl_unused ossl_inline OPENSSL_sk_copyfunc ossl_check_##t1##_copyfunc_type(sk_##t1##_copyfunc cpy) \ - { \ - 
return (OPENSSL_sk_copyfunc)cpy; \ - } \ - static ossl_unused ossl_inline OPENSSL_sk_freefunc ossl_check_##t1##_freefunc_type(sk_##t1##_freefunc fr) \ - { \ - return (OPENSSL_sk_freefunc)fr; \ + { \ + return (const OPENSSL_STACK *)sk; \ + } \ + static ossl_unused ossl_inline OPENSSL_STACK *ossl_check_##t1##_sk_type(STACK_OF(t1) *sk) \ + { \ + return (OPENSSL_STACK *)sk; \ + } \ + static ossl_unused ossl_inline OPENSSL_sk_compfunc ossl_check_##t1##_compfunc_type(sk_##t1##_compfunc cmp) \ + { \ + return (OPENSSL_sk_compfunc)cmp; \ + } \ + static ossl_unused ossl_inline OPENSSL_sk_copyfunc ossl_check_##t1##_copyfunc_type(sk_##t1##_copyfunc cpy) \ + { \ + return (OPENSSL_sk_copyfunc)cpy; \ + } \ + static ossl_unused ossl_inline OPENSSL_sk_freefunc ossl_check_##t1##_freefunc_type(sk_##t1##_freefunc fr) \ + { \ + return (OPENSSL_sk_freefunc)fr; \ } -# define SKM_DEFINE_STACK_OF(t1, t2, t3) \ - STACK_OF(t1); \ - typedef int (*sk_##t1##_compfunc)(const t3 * const *a, const t3 *const *b); \ - typedef void (*sk_##t1##_freefunc)(t3 *a); \ - typedef t3 * (*sk_##t1##_copyfunc)(const t3 *a); \ - static ossl_unused ossl_inline int sk_##t1##_num(const STACK_OF(t1) *sk) \ - { \ - return OPENSSL_sk_num((const OPENSSL_STACK *)sk); \ - } \ - static ossl_unused ossl_inline t2 *sk_##t1##_value(const STACK_OF(t1) *sk, int idx) \ - { \ - return (t2 *)OPENSSL_sk_value((const OPENSSL_STACK *)sk, idx); \ - } \ - static ossl_unused ossl_inline STACK_OF(t1) *sk_##t1##_new(sk_##t1##_compfunc compare) \ - { \ - return (STACK_OF(t1) *)OPENSSL_sk_new((OPENSSL_sk_compfunc)compare); \ - } \ - static ossl_unused ossl_inline STACK_OF(t1) *sk_##t1##_new_null(void) \ - { \ - return (STACK_OF(t1) *)OPENSSL_sk_new_null(); \ - } \ - static ossl_unused ossl_inline STACK_OF(t1) *sk_##t1##_new_reserve(sk_##t1##_compfunc compare, int n) \ - { \ - return (STACK_OF(t1) *)OPENSSL_sk_new_reserve((OPENSSL_sk_compfunc)compare, n); \ - } \ - static ossl_unused ossl_inline int sk_##t1##_reserve(STACK_OF(t1) *sk, int 
n) \ - { \ - return OPENSSL_sk_reserve((OPENSSL_STACK *)sk, n); \ - } \ - static ossl_unused ossl_inline void sk_##t1##_free(STACK_OF(t1) *sk) \ - { \ - OPENSSL_sk_free((OPENSSL_STACK *)sk); \ - } \ - static ossl_unused ossl_inline void sk_##t1##_zero(STACK_OF(t1) *sk) \ - { \ - OPENSSL_sk_zero((OPENSSL_STACK *)sk); \ - } \ - static ossl_unused ossl_inline t2 *sk_##t1##_delete(STACK_OF(t1) *sk, int i) \ - { \ - return (t2 *)OPENSSL_sk_delete((OPENSSL_STACK *)sk, i); \ - } \ - static ossl_unused ossl_inline t2 *sk_##t1##_delete_ptr(STACK_OF(t1) *sk, t2 *ptr) \ - { \ - return (t2 *)OPENSSL_sk_delete_ptr((OPENSSL_STACK *)sk, \ - (const void *)ptr); \ - } \ - static ossl_unused ossl_inline int sk_##t1##_push(STACK_OF(t1) *sk, t2 *ptr) \ - { \ - return OPENSSL_sk_push((OPENSSL_STACK *)sk, (const void *)ptr); \ - } \ - static ossl_unused ossl_inline int sk_##t1##_unshift(STACK_OF(t1) *sk, t2 *ptr) \ - { \ - return OPENSSL_sk_unshift((OPENSSL_STACK *)sk, (const void *)ptr); \ - } \ - static ossl_unused ossl_inline t2 *sk_##t1##_pop(STACK_OF(t1) *sk) \ - { \ - return (t2 *)OPENSSL_sk_pop((OPENSSL_STACK *)sk); \ - } \ - static ossl_unused ossl_inline t2 *sk_##t1##_shift(STACK_OF(t1) *sk) \ - { \ - return (t2 *)OPENSSL_sk_shift((OPENSSL_STACK *)sk); \ - } \ - static ossl_unused ossl_inline void sk_##t1##_pop_free(STACK_OF(t1) *sk, sk_##t1##_freefunc freefunc) \ - { \ - OPENSSL_sk_pop_free((OPENSSL_STACK *)sk, (OPENSSL_sk_freefunc)freefunc); \ - } \ - static ossl_unused ossl_inline int sk_##t1##_insert(STACK_OF(t1) *sk, t2 *ptr, int idx) \ - { \ - return OPENSSL_sk_insert((OPENSSL_STACK *)sk, (const void *)ptr, idx); \ - } \ - static ossl_unused ossl_inline t2 *sk_##t1##_set(STACK_OF(t1) *sk, int idx, t2 *ptr) \ - { \ - return (t2 *)OPENSSL_sk_set((OPENSSL_STACK *)sk, idx, (const void *)ptr); \ - } \ - static ossl_unused ossl_inline int sk_##t1##_find(STACK_OF(t1) *sk, t2 *ptr) \ - { \ - return OPENSSL_sk_find((OPENSSL_STACK *)sk, (const void *)ptr); \ - } \ - static 
ossl_unused ossl_inline int sk_##t1##_find_ex(STACK_OF(t1) *sk, t2 *ptr) \ - { \ - return OPENSSL_sk_find_ex((OPENSSL_STACK *)sk, (const void *)ptr); \ - } \ - static ossl_unused ossl_inline int sk_##t1##_find_all(STACK_OF(t1) *sk, t2 *ptr, int *pnum) \ - { \ - return OPENSSL_sk_find_all((OPENSSL_STACK *)sk, (const void *)ptr, pnum); \ - } \ - static ossl_unused ossl_inline void sk_##t1##_sort(STACK_OF(t1) *sk) \ - { \ - OPENSSL_sk_sort((OPENSSL_STACK *)sk); \ - } \ - static ossl_unused ossl_inline int sk_##t1##_is_sorted(const STACK_OF(t1) *sk) \ - { \ - return OPENSSL_sk_is_sorted((const OPENSSL_STACK *)sk); \ - } \ - static ossl_unused ossl_inline STACK_OF(t1) * sk_##t1##_dup(const STACK_OF(t1) *sk) \ - { \ - return (STACK_OF(t1) *)OPENSSL_sk_dup((const OPENSSL_STACK *)sk); \ - } \ - static ossl_unused ossl_inline STACK_OF(t1) *sk_##t1##_deep_copy(const STACK_OF(t1) *sk, \ - sk_##t1##_copyfunc copyfunc, \ - sk_##t1##_freefunc freefunc) \ - { \ - return (STACK_OF(t1) *)OPENSSL_sk_deep_copy((const OPENSSL_STACK *)sk, \ - (OPENSSL_sk_copyfunc)copyfunc, \ - (OPENSSL_sk_freefunc)freefunc); \ - } \ +#define SKM_DEFINE_STACK_OF(t1, t2, t3) \ + STACK_OF(t1); \ + typedef int (*sk_##t1##_compfunc)(const t3 *const *a, const t3 *const *b); \ + typedef void (*sk_##t1##_freefunc)(t3 * a); \ + typedef t3 *(*sk_##t1##_copyfunc)(const t3 *a); \ + static ossl_unused ossl_inline int sk_##t1##_num(const STACK_OF(t1) *sk) \ + { \ + return OPENSSL_sk_num((const OPENSSL_STACK *)sk); \ + } \ + static ossl_unused ossl_inline t2 *sk_##t1##_value(const STACK_OF(t1) *sk, int idx) \ + { \ + return (t2 *)OPENSSL_sk_value((const OPENSSL_STACK *)sk, idx); \ + } \ + static ossl_unused ossl_inline STACK_OF(t1) *sk_##t1##_new(sk_##t1##_compfunc compare) \ + { \ + return (STACK_OF(t1) *)OPENSSL_sk_new((OPENSSL_sk_compfunc)compare); \ + } \ + static ossl_unused ossl_inline STACK_OF(t1) *sk_##t1##_new_null(void) \ + { \ + return (STACK_OF(t1) *)OPENSSL_sk_new_null(); \ + } \ + static ossl_unused 
ossl_inline STACK_OF(t1) *sk_##t1##_new_reserve(sk_##t1##_compfunc compare, int n) \ + { \ + return (STACK_OF(t1) *)OPENSSL_sk_new_reserve((OPENSSL_sk_compfunc)compare, n); \ + } \ + static ossl_unused ossl_inline int sk_##t1##_reserve(STACK_OF(t1) *sk, int n) \ + { \ + return OPENSSL_sk_reserve((OPENSSL_STACK *)sk, n); \ + } \ + static ossl_unused ossl_inline void sk_##t1##_free(STACK_OF(t1) *sk) \ + { \ + OPENSSL_sk_free((OPENSSL_STACK *)sk); \ + } \ + static ossl_unused ossl_inline void sk_##t1##_zero(STACK_OF(t1) *sk) \ + { \ + OPENSSL_sk_zero((OPENSSL_STACK *)sk); \ + } \ + static ossl_unused ossl_inline t2 *sk_##t1##_delete(STACK_OF(t1) *sk, int i) \ + { \ + return (t2 *)OPENSSL_sk_delete((OPENSSL_STACK *)sk, i); \ + } \ + static ossl_unused ossl_inline t2 *sk_##t1##_delete_ptr(STACK_OF(t1) *sk, t2 *ptr) \ + { \ + return (t2 *)OPENSSL_sk_delete_ptr((OPENSSL_STACK *)sk, \ + (const void *)ptr); \ + } \ + static ossl_unused ossl_inline int sk_##t1##_push(STACK_OF(t1) *sk, t2 *ptr) \ + { \ + return OPENSSL_sk_push((OPENSSL_STACK *)sk, (const void *)ptr); \ + } \ + static ossl_unused ossl_inline int sk_##t1##_unshift(STACK_OF(t1) *sk, t2 *ptr) \ + { \ + return OPENSSL_sk_unshift((OPENSSL_STACK *)sk, (const void *)ptr); \ + } \ + static ossl_unused ossl_inline t2 *sk_##t1##_pop(STACK_OF(t1) *sk) \ + { \ + return (t2 *)OPENSSL_sk_pop((OPENSSL_STACK *)sk); \ + } \ + static ossl_unused ossl_inline t2 *sk_##t1##_shift(STACK_OF(t1) *sk) \ + { \ + return (t2 *)OPENSSL_sk_shift((OPENSSL_STACK *)sk); \ + } \ + static ossl_unused ossl_inline void sk_##t1##_pop_free(STACK_OF(t1) *sk, sk_##t1##_freefunc freefunc) \ + { \ + OPENSSL_sk_pop_free((OPENSSL_STACK *)sk, (OPENSSL_sk_freefunc)freefunc); \ + } \ + static ossl_unused ossl_inline int sk_##t1##_insert(STACK_OF(t1) *sk, t2 *ptr, int idx) \ + { \ + return OPENSSL_sk_insert((OPENSSL_STACK *)sk, (const void *)ptr, idx); \ + } \ + static ossl_unused ossl_inline t2 *sk_##t1##_set(STACK_OF(t1) *sk, int idx, t2 *ptr) \ + { \ + 
return (t2 *)OPENSSL_sk_set((OPENSSL_STACK *)sk, idx, (const void *)ptr); \ + } \ + static ossl_unused ossl_inline int sk_##t1##_find(STACK_OF(t1) *sk, t2 *ptr) \ + { \ + return OPENSSL_sk_find((OPENSSL_STACK *)sk, (const void *)ptr); \ + } \ + static ossl_unused ossl_inline int sk_##t1##_find_ex(STACK_OF(t1) *sk, t2 *ptr) \ + { \ + return OPENSSL_sk_find_ex((OPENSSL_STACK *)sk, (const void *)ptr); \ + } \ + static ossl_unused ossl_inline int sk_##t1##_find_all(STACK_OF(t1) *sk, t2 *ptr, int *pnum) \ + { \ + return OPENSSL_sk_find_all((OPENSSL_STACK *)sk, (const void *)ptr, pnum); \ + } \ + static ossl_unused ossl_inline void sk_##t1##_sort(STACK_OF(t1) *sk) \ + { \ + OPENSSL_sk_sort((OPENSSL_STACK *)sk); \ + } \ + static ossl_unused ossl_inline int sk_##t1##_is_sorted(const STACK_OF(t1) *sk) \ + { \ + return OPENSSL_sk_is_sorted((const OPENSSL_STACK *)sk); \ + } \ + static ossl_unused ossl_inline STACK_OF(t1) *sk_##t1##_dup(const STACK_OF(t1) *sk) \ + { \ + return (STACK_OF(t1) *)OPENSSL_sk_dup((const OPENSSL_STACK *)sk); \ + } \ + static ossl_unused ossl_inline STACK_OF(t1) *sk_##t1##_deep_copy(const STACK_OF(t1) *sk, \ + sk_##t1##_copyfunc copyfunc, \ + sk_##t1##_freefunc freefunc) \ + { \ + return (STACK_OF(t1) *)OPENSSL_sk_deep_copy((const OPENSSL_STACK *)sk, \ + (OPENSSL_sk_copyfunc)copyfunc, \ + (OPENSSL_sk_freefunc)freefunc); \ + } \ static ossl_unused ossl_inline sk_##t1##_compfunc sk_##t1##_set_cmp_func(STACK_OF(t1) *sk, sk_##t1##_compfunc compare) \ - { \ - return (sk_##t1##_compfunc)OPENSSL_sk_set_cmp_func((OPENSSL_STACK *)sk, (OPENSSL_sk_compfunc)compare); \ + { \ + return (sk_##t1##_compfunc)OPENSSL_sk_set_cmp_func((OPENSSL_STACK *)sk, (OPENSSL_sk_compfunc)compare); \ } -# define DEFINE_STACK_OF(t) SKM_DEFINE_STACK_OF(t, t, t) -# define DEFINE_STACK_OF_CONST(t) SKM_DEFINE_STACK_OF(t, const t, t) -# define DEFINE_SPECIAL_STACK_OF(t1, t2) SKM_DEFINE_STACK_OF(t1, t2, t2) -# define DEFINE_SPECIAL_STACK_OF_CONST(t1, t2) \ - SKM_DEFINE_STACK_OF(t1, const 
t2, t2) +#define DEFINE_STACK_OF(t) SKM_DEFINE_STACK_OF(t, t, t) +#define DEFINE_STACK_OF_CONST(t) SKM_DEFINE_STACK_OF(t, const t, t) +#define DEFINE_SPECIAL_STACK_OF(t1, t2) SKM_DEFINE_STACK_OF(t1, t2, t2) +#define DEFINE_SPECIAL_STACK_OF_CONST(t1, t2) \ + SKM_DEFINE_STACK_OF(t1, const t2, t2) /*- * Strings are special: normally an lhash entry will point to a single @@ -202,6 +204,7 @@ typedef const char *OPENSSL_CSTRING; * chars. So, we have to implement STRING specially for STACK_OF. This is * dealt with in the autogenerated macros below. */ +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OPENSSL_STRING, char, char) #define sk_OPENSSL_STRING_num(sk) OPENSSL_sk_num(ossl_check_const_OPENSSL_STRING_sk_type(sk)) #define sk_OPENSSL_STRING_value(sk, idx) ((char *)OPENSSL_sk_value(ossl_check_const_OPENSSL_STRING_sk_type(sk), (idx))) @@ -255,6 +258,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(OPENSSL_CSTRING, const char, char) #define sk_OPENSSL_CSTRING_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OPENSSL_CSTRING) *)OPENSSL_sk_deep_copy(ossl_check_const_OPENSSL_CSTRING_sk_type(sk), ossl_check_OPENSSL_CSTRING_copyfunc_type(copyfunc), ossl_check_OPENSSL_CSTRING_freefunc_type(freefunc))) #define sk_OPENSSL_CSTRING_set_cmp_func(sk, cmp) ((sk_OPENSSL_CSTRING_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OPENSSL_CSTRING_sk_type(sk), ossl_check_OPENSSL_CSTRING_compfunc_type(cmp))) +/* clang-format on */ #if !defined(OPENSSL_NO_DEPRECATED_3_0) /* @@ -262,6 +266,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(OPENSSL_CSTRING, const char, char) * These should also be distinguished from "normal" stacks. */ typedef void *OPENSSL_BLOCK; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OPENSSL_BLOCK, void, void) #define sk_OPENSSL_BLOCK_num(sk) OPENSSL_sk_num(ossl_check_const_OPENSSL_BLOCK_sk_type(sk)) #define sk_OPENSSL_BLOCK_value(sk, idx) ((void *)OPENSSL_sk_value(ossl_check_const_OPENSSL_BLOCK_sk_type(sk), (idx))) 
@@ -289,9 +294,10 @@ SKM_DEFINE_STACK_OF_INTERNAL(OPENSSL_BLOCK, void, void) #define sk_OPENSSL_BLOCK_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OPENSSL_BLOCK) *)OPENSSL_sk_deep_copy(ossl_check_const_OPENSSL_BLOCK_sk_type(sk), ossl_check_OPENSSL_BLOCK_copyfunc_type(copyfunc), ossl_check_OPENSSL_BLOCK_freefunc_type(freefunc))) #define sk_OPENSSL_BLOCK_set_cmp_func(sk, cmp) ((sk_OPENSSL_BLOCK_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OPENSSL_BLOCK_sk_type(sk), ossl_check_OPENSSL_BLOCK_compfunc_type(cmp))) +/* clang-format on */ #endif -# ifdef __cplusplus +#ifdef __cplusplus } -# endif +#endif #endif diff --git a/crypto/openssl/include/openssl/srp.h b/crypto/openssl/include/openssl/srp.h index a48766c6ce8b..4ef926d61fc8 100644 --- a/crypto/openssl/include/openssl/srp.h +++ b/crypto/openssl/include/openssl/srp.h 
@@ -14,36 +14,39 @@ * for the EdelKey project. */ +/* clang-format off */ +/* clang-format on */ #ifndef OPENSSL_SRP_H -# define OPENSSL_SRP_H -# pragma once +#define OPENSSL_SRP_H +#pragma once -# include <openssl/macros.h> -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define HEADER_SRP_H -# endif +#include <openssl/macros.h> +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define HEADER_SRP_H +#endif #include <openssl/opensslconf.h> #ifndef OPENSSL_NO_SRP -# include <stdio.h> -# include <string.h> -# include <openssl/safestack.h> -# include <openssl/bn.h> -# include <openssl/crypto.h> +#include <stdio.h> +#include <string.h> +#include <openssl/safestack.h> +#include <openssl/bn.h> +#include <openssl/crypto.h> -# ifdef __cplusplus +#ifdef __cplusplus extern "C" { -# endif +#endif -# ifndef OPENSSL_NO_DEPRECATED_3_0 +#ifndef OPENSSL_NO_DEPRECATED_3_0 typedef struct SRP_gN_cache_st { char *b64_bn; BIGNUM *bn; } SRP_gN_cache; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(SRP_gN_cache, SRP_gN_cache, SRP_gN_cache) #define sk_SRP_gN_cache_num(sk) OPENSSL_sk_num(ossl_check_const_SRP_gN_cache_sk_type(sk)) #define sk_SRP_gN_cache_value(sk, idx) ((SRP_gN_cache *)OPENSSL_sk_value(ossl_check_const_SRP_gN_cache_sk_type(sk), (idx))) @@ -71,7 +74,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(SRP_gN_cache, SRP_gN_cache, SRP_gN_cache) #define sk_SRP_gN_cache_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(SRP_gN_cache) *)OPENSSL_sk_deep_copy(ossl_check_const_SRP_gN_cache_sk_type(sk), ossl_check_SRP_gN_cache_copyfunc_type(copyfunc), ossl_check_SRP_gN_cache_freefunc_type(freefunc))) #define sk_SRP_gN_cache_set_cmp_func(sk, cmp) ((sk_SRP_gN_cache_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_SRP_gN_cache_sk_type(sk), ossl_check_SRP_gN_cache_compfunc_type(cmp))) - +/* clang-format on */ typedef struct SRP_user_pwd_st { /* Owned by us. */ 
@@ -84,6 +87,7 @@ typedef struct SRP_user_pwd_st { /* Owned by us. */ char *info; } SRP_user_pwd; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(SRP_user_pwd, SRP_user_pwd, SRP_user_pwd) #define sk_SRP_user_pwd_num(sk) OPENSSL_sk_num(ossl_check_const_SRP_user_pwd_sk_type(sk)) #define sk_SRP_user_pwd_value(sk, idx) ((SRP_user_pwd *)OPENSSL_sk_value(ossl_check_const_SRP_user_pwd_sk_type(sk), (idx))) @@ -111,6 +115,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(SRP_user_pwd, SRP_user_pwd, SRP_user_pwd) #define sk_SRP_user_pwd_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(SRP_user_pwd) *)OPENSSL_sk_deep_copy(ossl_check_const_SRP_user_pwd_sk_type(sk), ossl_check_SRP_user_pwd_copyfunc_type(copyfunc), ossl_check_SRP_user_pwd_freefunc_type(freefunc))) #define sk_SRP_user_pwd_set_cmp_func(sk, cmp) ((sk_SRP_user_pwd_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_SRP_user_pwd_sk_type(sk), ossl_check_SRP_user_pwd_compfunc_type(cmp))) +/* clang-format on */ OSSL_DEPRECATEDIN_3_0 SRP_user_pwd *SRP_user_pwd_new(void); @@ -119,17 +124,17 @@ void SRP_user_pwd_free(SRP_user_pwd *user_pwd); OSSL_DEPRECATEDIN_3_0 void SRP_user_pwd_set_gN(SRP_user_pwd *user_pwd, const BIGNUM *g, - const BIGNUM *N); + const BIGNUM *N); OSSL_DEPRECATEDIN_3_0 int SRP_user_pwd_set1_ids(SRP_user_pwd *user_pwd, const char *id, - const char *info); + const char *info); OSSL_DEPRECATEDIN_3_0 int SRP_user_pwd_set0_sv(SRP_user_pwd *user_pwd, BIGNUM *s, BIGNUM *v); typedef struct SRP_VBASE_st { STACK_OF(SRP_user_pwd) *users_pwd; STACK_OF(SRP_gN_cache) *gN_cache; -/* to simulate a user */ + /* to simulate a user */ char *seed_key; const BIGNUM *default_g; const BIGNUM *default_N; @@ -143,6 +148,7 @@ typedef struct SRP_gN_st { const BIGNUM *g; const BIGNUM *N; } SRP_gN; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(SRP_gN, SRP_gN, SRP_gN) #define sk_SRP_gN_num(sk) OPENSSL_sk_num(ossl_check_const_SRP_gN_sk_type(sk)) #define sk_SRP_gN_value(sk, idx) ((SRP_gN *)OPENSSL_sk_value(ossl_check_const_SRP_gN_sk_type(sk), (idx))) 
@@ -170,7 +176,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(SRP_gN, SRP_gN, SRP_gN) #define sk_SRP_gN_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(SRP_gN) *)OPENSSL_sk_deep_copy(ossl_check_const_SRP_gN_sk_type(sk), ossl_check_SRP_gN_copyfunc_type(copyfunc), ossl_check_SRP_gN_freefunc_type(freefunc))) #define sk_SRP_gN_set_cmp_func(sk, cmp) ((sk_SRP_gN_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_SRP_gN_sk_type(sk), ossl_check_SRP_gN_compfunc_type(cmp))) - +/* clang-format on */ OSSL_DEPRECATEDIN_3_0 SRP_VBASE *SRP_VBASE_new(char *seed_key); 
@@ -188,40 +194,40 @@ SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username); OSSL_DEPRECATEDIN_3_0 char *SRP_create_verifier_ex(const char *user, const char *pass, char **salt, - char **verifier, const char *N, const char *g, - OSSL_LIB_CTX *libctx, const char *propq); + char **verifier, const char *N, const char *g, + OSSL_LIB_CTX *libctx, const char *propq); OSSL_DEPRECATEDIN_3_0 char *SRP_create_verifier(const char *user, const char *pass, char **salt, - char **verifier, const char *N, const char *g); + char **verifier, const char *N, const char *g); OSSL_DEPRECATEDIN_3_0 int SRP_create_verifier_BN_ex(const char *user, const char *pass, BIGNUM **salt, - BIGNUM **verifier, const BIGNUM *N, - const BIGNUM *g, OSSL_LIB_CTX *libctx, - const char *propq); + BIGNUM **verifier, const BIGNUM *N, + const BIGNUM *g, OSSL_LIB_CTX *libctx, + const char *propq); OSSL_DEPRECATEDIN_3_0 int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, - BIGNUM **verifier, const BIGNUM *N, - const BIGNUM *g); - -# define SRP_NO_ERROR 0 -# define SRP_ERR_VBASE_INCOMPLETE_FILE 1 -# define SRP_ERR_VBASE_BN_LIB 2 -# define SRP_ERR_OPEN_FILE 3 -# define SRP_ERR_MEMORY 4 - -# define DB_srptype 0 -# define DB_srpverifier 1 -# define DB_srpsalt 2 -# define DB_srpid 3 -# define DB_srpgN 4 -# define DB_srpinfo 5 -# undef DB_NUMBER -# define DB_NUMBER 6 - -# define DB_SRP_INDEX 'I' -# define DB_SRP_VALID 'V' -# define DB_SRP_REVOKED 'R' -# define DB_SRP_MODIF 'v' + BIGNUM **verifier, const BIGNUM *N, + const BIGNUM *g); + +#define SRP_NO_ERROR 0 +#define SRP_ERR_VBASE_INCOMPLETE_FILE 1 +#define SRP_ERR_VBASE_BN_LIB 2 +#define SRP_ERR_OPEN_FILE 3 +#define SRP_ERR_MEMORY 4 + +#define DB_srptype 0 +#define DB_srpverifier 1 +#define DB_srpsalt 2 +#define DB_srpid 3 +#define DB_srpgN 4 +#define DB_srpinfo 5 +#undef DB_NUMBER +#define DB_NUMBER 6 + +#define DB_SRP_INDEX 'I' +#define DB_SRP_VALID 'V' +#define DB_SRP_REVOKED 'R' +#define DB_SRP_MODIF 'v' /* see srp.c */ 
OSSL_DEPRECATEDIN_3_0 @@ -232,19 +238,19 @@ SRP_gN *SRP_get_default_gN(const char *id); /* server side .... */ OSSL_DEPRECATEDIN_3_0 BIGNUM *SRP_Calc_server_key(const BIGNUM *A, const BIGNUM *v, const BIGNUM *u, - const BIGNUM *b, const BIGNUM *N); + const BIGNUM *b, const BIGNUM *N); OSSL_DEPRECATEDIN_3_0 BIGNUM *SRP_Calc_B_ex(const BIGNUM *b, const BIGNUM *N, const BIGNUM *g, - const BIGNUM *v, OSSL_LIB_CTX *libctx, const char *propq); + const BIGNUM *v, OSSL_LIB_CTX *libctx, const char *propq); OSSL_DEPRECATEDIN_3_0 BIGNUM *SRP_Calc_B(const BIGNUM *b, const BIGNUM *N, const BIGNUM *g, - const BIGNUM *v); + const BIGNUM *v); OSSL_DEPRECATEDIN_3_0 int SRP_Verify_A_mod_N(const BIGNUM *A, const BIGNUM *N); OSSL_DEPRECATEDIN_3_0 BIGNUM *SRP_Calc_u_ex(const BIGNUM *A, const BIGNUM *B, const BIGNUM *N, - OSSL_LIB_CTX *libctx, const char *propq); + OSSL_LIB_CTX *libctx, const char *propq); OSSL_DEPRECATEDIN_3_0 BIGNUM *SRP_Calc_u(const BIGNUM *A, const BIGNUM *B, const BIGNUM *N); 
@@ -252,34 +258,34 @@ BIGNUM *SRP_Calc_u(const BIGNUM *A, const BIGNUM *B, const BIGNUM *N); OSSL_DEPRECATEDIN_3_0 BIGNUM *SRP_Calc_x_ex(const BIGNUM *s, const char *user, const char *pass, - OSSL_LIB_CTX *libctx, const char *propq); + OSSL_LIB_CTX *libctx, const char *propq); OSSL_DEPRECATEDIN_3_0 BIGNUM *SRP_Calc_x(const BIGNUM *s, const char *user, const char *pass); OSSL_DEPRECATEDIN_3_0 BIGNUM *SRP_Calc_A(const BIGNUM *a, const BIGNUM *N, const BIGNUM *g); OSSL_DEPRECATEDIN_3_0 BIGNUM *SRP_Calc_client_key_ex(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g, - const BIGNUM *x, const BIGNUM *a, const BIGNUM *u, - OSSL_LIB_CTX *libctx, const char *propq); + const BIGNUM *x, const BIGNUM *a, const BIGNUM *u, + OSSL_LIB_CTX *libctx, const char *propq); OSSL_DEPRECATEDIN_3_0 BIGNUM *SRP_Calc_client_key(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g, - const BIGNUM *x, const BIGNUM *a, const BIGNUM *u); + const BIGNUM *x, const BIGNUM *a, const BIGNUM *u); OSSL_DEPRECATEDIN_3_0 int SRP_Verify_B_mod_N(const BIGNUM *B, const BIGNUM *N); -# define SRP_MINIMAL_N 1024 +#define SRP_MINIMAL_N 1024 -# endif /* OPENSSL_NO_DEPRECATED_3_0 */ +#endif /* OPENSSL_NO_DEPRECATED_3_0 */ /* This method ignores the configured seed and fails for an unknown user. */ -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 OSSL_DEPRECATEDIN_1_1_0 SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username); -# endif +#endif -# ifdef __cplusplus +#ifdef __cplusplus } -# endif -# endif +#endif +#endif #endif diff --git a/crypto/openssl/include/openssl/ssl.h b/crypto/openssl/include/openssl/ssl.h index 7e3d89c7ef3d..8d581c772412 100644 --- a/crypto/openssl/include/openssl/ssl.h +++ b/crypto/openssl/include/openssl/ssl.h 
@@ -12,42 +12,44 @@ * https://www.openssl.org/source/license.html */ +/* clang-format off */ +/* clang-format on */ #ifndef OPENSSL_SSL_H -# define OPENSSL_SSL_H -# pragma once - -# include <openssl/macros.h> -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define HEADER_SSL_H -# endif - -# include <openssl/e_os2.h> -# include <openssl/e_ostime.h> -# include <openssl/opensslconf.h> -# include <openssl/comp.h> -# include <openssl/bio.h> -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# include <openssl/x509.h> -# include <openssl/crypto.h> -# include <openssl/buffer.h> -# endif -# include <openssl/lhash.h> -# include <openssl/pem.h> -# include <openssl/hmac.h> -# include <openssl/async.h> - -# include <openssl/safestack.h> -# include <openssl/symhacks.h> -# include <openssl/ct.h> -# include <openssl/sslerr.h> -# include <openssl/prov_ssl.h> -# ifndef OPENSSL_NO_STDIO -# include <stdio.h> -# endif - -#ifdef __cplusplus +#define OPENSSL_SSL_H +#pragma once + +#include <openssl/macros.h> +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define HEADER_SSL_H +#endif + +#include <openssl/e_os2.h> +#include <openssl/e_ostime.h> +#include <openssl/opensslconf.h> +#include <openssl/comp.h> +#include <openssl/bio.h> +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#include <openssl/x509.h> +#include <openssl/crypto.h> +#include <openssl/buffer.h> +#endif +#include <openssl/lhash.h> +#include <openssl/pem.h> +#include <openssl/hmac.h> +#include <openssl/async.h> + +#include <openssl/safestack.h> +#include <openssl/symhacks.h> +#include <openssl/ct.h> +#include <openssl/sslerr.h> +#include <openssl/prov_ssl.h> +#ifndef OPENSSL_NO_STDIO +#include <stdio.h> +#endif + +#ifdef __cplusplus extern "C" { #endif 
@@ -56,116 +58,116 @@ extern "C" { * Version 0 - initial version * Version 1 - added the optional peer certificate */ -# define SSL_SESSION_ASN1_VERSION 0x0001 +#define SSL_SESSION_ASN1_VERSION 0x0001 -# define SSL_MAX_SSL_SESSION_ID_LENGTH 32 -# define SSL_MAX_SID_CTX_LENGTH 32 +#define SSL_MAX_SSL_SESSION_ID_LENGTH 32 +#define SSL_MAX_SID_CTX_LENGTH 32 -# define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES (512/8) -# define SSL_MAX_KEY_ARG_LENGTH 8 +#define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES (512 / 8) +#define SSL_MAX_KEY_ARG_LENGTH 8 /* SSL_MAX_MASTER_KEY_LENGTH is defined in prov_ssl.h */ /* The maximum number of encrypt/decrypt pipelines we can support */ -# define SSL_MAX_PIPELINES 32 +#define SSL_MAX_PIPELINES 32 /* text strings for the ciphers */ /* These are used to specify which ciphers to use and not to use */ -# define SSL_TXT_LOW "LOW" -# define SSL_TXT_MEDIUM "MEDIUM" -# define SSL_TXT_HIGH "HIGH" -# define SSL_TXT_FIPS "FIPS" - -# define SSL_TXT_aNULL "aNULL" -# define SSL_TXT_eNULL "eNULL" -# define SSL_TXT_NULL "NULL" - -# define SSL_TXT_kRSA "kRSA" -# define SSL_TXT_kDHr "kDHr"/* this cipher class has been removed */ -# define SSL_TXT_kDHd "kDHd"/* this cipher class has been removed */ -# define SSL_TXT_kDH "kDH"/* this cipher class has been removed */ -# define SSL_TXT_kEDH "kEDH"/* alias for kDHE */ -# define SSL_TXT_kDHE "kDHE" -# define SSL_TXT_kECDHr "kECDHr"/* this cipher class has been removed */ -# define SSL_TXT_kECDHe "kECDHe"/* this cipher class has been removed */ -# define SSL_TXT_kECDH "kECDH"/* this cipher class has been removed */ -# define SSL_TXT_kEECDH "kEECDH"/* alias for kECDHE */ -# define SSL_TXT_kECDHE "kECDHE" -# define SSL_TXT_kPSK "kPSK" -# define SSL_TXT_kRSAPSK "kRSAPSK" -# define SSL_TXT_kECDHEPSK "kECDHEPSK" -# define SSL_TXT_kDHEPSK "kDHEPSK" -# define SSL_TXT_kGOST "kGOST" -# define SSL_TXT_kGOST18 "kGOST18" -# define SSL_TXT_kSRP "kSRP" - -# define SSL_TXT_aRSA "aRSA" -# define SSL_TXT_aDSS "aDSS" -# define SSL_TXT_aDH 
"aDH"/* this cipher class has been removed */ -# define SSL_TXT_aECDH "aECDH"/* this cipher class has been removed */ -# define SSL_TXT_aECDSA "aECDSA" -# define SSL_TXT_aPSK "aPSK" -# define SSL_TXT_aGOST94 "aGOST94" -# define SSL_TXT_aGOST01 "aGOST01" -# define SSL_TXT_aGOST12 "aGOST12" -# define SSL_TXT_aGOST "aGOST" -# define SSL_TXT_aSRP "aSRP" - -# define SSL_TXT_DSS "DSS" -# define SSL_TXT_DH "DH" -# define SSL_TXT_DHE "DHE"/* same as "kDHE:-ADH" */ -# define SSL_TXT_EDH "EDH"/* alias for DHE */ -# define SSL_TXT_ADH "ADH" -# define SSL_TXT_RSA "RSA" -# define SSL_TXT_ECDH "ECDH" -# define SSL_TXT_EECDH "EECDH"/* alias for ECDHE" */ -# define SSL_TXT_ECDHE "ECDHE"/* same as "kECDHE:-AECDH" */ -# define SSL_TXT_AECDH "AECDH" -# define SSL_TXT_ECDSA "ECDSA" -# define SSL_TXT_PSK "PSK" -# define SSL_TXT_SRP "SRP" - -# define SSL_TXT_DES "DES" -# define SSL_TXT_3DES "3DES" -# define SSL_TXT_RC4 "RC4" -# define SSL_TXT_RC2 "RC2" -# define SSL_TXT_IDEA "IDEA" -# define SSL_TXT_SEED "SEED" -# define SSL_TXT_AES128 "AES128" -# define SSL_TXT_AES256 "AES256" -# define SSL_TXT_AES "AES" -# define SSL_TXT_AES_GCM "AESGCM" -# define SSL_TXT_AES_CCM "AESCCM" -# define SSL_TXT_AES_CCM_8 "AESCCM8" -# define SSL_TXT_CAMELLIA128 "CAMELLIA128" -# define SSL_TXT_CAMELLIA256 "CAMELLIA256" -# define SSL_TXT_CAMELLIA "CAMELLIA" -# define SSL_TXT_CHACHA20 "CHACHA20" -# define SSL_TXT_GOST "GOST89" -# define SSL_TXT_ARIA "ARIA" -# define SSL_TXT_ARIA_GCM "ARIAGCM" -# define SSL_TXT_ARIA128 "ARIA128" -# define SSL_TXT_ARIA256 "ARIA256" -# define SSL_TXT_GOST2012_GOST8912_GOST8912 "GOST2012-GOST8912-GOST8912" -# define SSL_TXT_CBC "CBC" - -# define SSL_TXT_MD5 "MD5" -# define SSL_TXT_SHA1 "SHA1" -# define SSL_TXT_SHA "SHA"/* same as "SHA1" */ -# define SSL_TXT_GOST94 "GOST94" -# define SSL_TXT_GOST89MAC "GOST89MAC" -# define SSL_TXT_GOST12 "GOST12" -# define SSL_TXT_GOST89MAC12 "GOST89MAC12" -# define SSL_TXT_SHA256 "SHA256" -# define SSL_TXT_SHA384 "SHA384" - -# define SSL_TXT_SSLV3 
"SSLv3" -# define SSL_TXT_TLSV1 "TLSv1" -# define SSL_TXT_TLSV1_1 "TLSv1.1" -# define SSL_TXT_TLSV1_2 "TLSv1.2" - -# define SSL_TXT_ALL "ALL" +#define SSL_TXT_LOW "LOW" +#define SSL_TXT_MEDIUM "MEDIUM" +#define SSL_TXT_HIGH "HIGH" +#define SSL_TXT_FIPS "FIPS" + +#define SSL_TXT_aNULL "aNULL" +#define SSL_TXT_eNULL "eNULL" +#define SSL_TXT_NULL "NULL" + +#define SSL_TXT_kRSA "kRSA" +#define SSL_TXT_kDHr "kDHr" /* this cipher class has been removed */ +#define SSL_TXT_kDHd "kDHd" /* this cipher class has been removed */ +#define SSL_TXT_kDH "kDH" /* this cipher class has been removed */ +#define SSL_TXT_kEDH "kEDH" /* alias for kDHE */ +#define SSL_TXT_kDHE "kDHE" +#define SSL_TXT_kECDHr "kECDHr" /* this cipher class has been removed */ +#define SSL_TXT_kECDHe "kECDHe" /* this cipher class has been removed */ +#define SSL_TXT_kECDH "kECDH" /* this cipher class has been removed */ +#define SSL_TXT_kEECDH "kEECDH" /* alias for kECDHE */ +#define SSL_TXT_kECDHE "kECDHE" +#define SSL_TXT_kPSK "kPSK" +#define SSL_TXT_kRSAPSK "kRSAPSK" +#define SSL_TXT_kECDHEPSK "kECDHEPSK" +#define SSL_TXT_kDHEPSK "kDHEPSK" +#define SSL_TXT_kGOST "kGOST" +#define SSL_TXT_kGOST18 "kGOST18" +#define SSL_TXT_kSRP "kSRP" + +#define SSL_TXT_aRSA "aRSA" +#define SSL_TXT_aDSS "aDSS" +#define SSL_TXT_aDH "aDH" /* this cipher class has been removed */ +#define SSL_TXT_aECDH "aECDH" /* this cipher class has been removed */ +#define SSL_TXT_aECDSA "aECDSA" +#define SSL_TXT_aPSK "aPSK" +#define SSL_TXT_aGOST94 "aGOST94" +#define SSL_TXT_aGOST01 "aGOST01" +#define SSL_TXT_aGOST12 "aGOST12" +#define SSL_TXT_aGOST "aGOST" +#define SSL_TXT_aSRP "aSRP" + +#define SSL_TXT_DSS "DSS" +#define SSL_TXT_DH "DH" +#define SSL_TXT_DHE "DHE" /* same as "kDHE:-ADH" */ +#define SSL_TXT_EDH "EDH" /* alias for DHE */ +#define SSL_TXT_ADH "ADH" +#define SSL_TXT_RSA "RSA" +#define SSL_TXT_ECDH "ECDH" +#define SSL_TXT_EECDH "EECDH" /* alias for ECDHE" */ +#define SSL_TXT_ECDHE "ECDHE" /* same as "kECDHE:-AECDH" */ 
+#define SSL_TXT_AECDH "AECDH" +#define SSL_TXT_ECDSA "ECDSA" +#define SSL_TXT_PSK "PSK" +#define SSL_TXT_SRP "SRP" + +#define SSL_TXT_DES "DES" +#define SSL_TXT_3DES "3DES" +#define SSL_TXT_RC4 "RC4" +#define SSL_TXT_RC2 "RC2" +#define SSL_TXT_IDEA "IDEA" +#define SSL_TXT_SEED "SEED" +#define SSL_TXT_AES128 "AES128" +#define SSL_TXT_AES256 "AES256" +#define SSL_TXT_AES "AES" +#define SSL_TXT_AES_GCM "AESGCM" +#define SSL_TXT_AES_CCM "AESCCM" +#define SSL_TXT_AES_CCM_8 "AESCCM8" +#define SSL_TXT_CAMELLIA128 "CAMELLIA128" +#define SSL_TXT_CAMELLIA256 "CAMELLIA256" +#define SSL_TXT_CAMELLIA "CAMELLIA" +#define SSL_TXT_CHACHA20 "CHACHA20" +#define SSL_TXT_GOST "GOST89" +#define SSL_TXT_ARIA "ARIA" +#define SSL_TXT_ARIA_GCM "ARIAGCM" +#define SSL_TXT_ARIA128 "ARIA128" +#define SSL_TXT_ARIA256 "ARIA256" +#define SSL_TXT_GOST2012_GOST8912_GOST8912 "GOST2012-GOST8912-GOST8912" +#define SSL_TXT_CBC "CBC" + +#define SSL_TXT_MD5 "MD5" +#define SSL_TXT_SHA1 "SHA1" +#define SSL_TXT_SHA "SHA" /* same as "SHA1" */ +#define SSL_TXT_GOST94 "GOST94" +#define SSL_TXT_GOST89MAC "GOST89MAC" +#define SSL_TXT_GOST12 "GOST12" +#define SSL_TXT_GOST89MAC12 "GOST89MAC12" +#define SSL_TXT_SHA256 "SHA256" +#define SSL_TXT_SHA384 "SHA384" + +#define SSL_TXT_SSLV3 "SSLv3" +#define SSL_TXT_TLSV1 "TLSv1" +#define SSL_TXT_TLSV1_1 "TLSv1.1" +#define SSL_TXT_TLSV1_2 "TLSv1.2" + +#define SSL_TXT_ALL "ALL" /*- * COMPLEMENTOF* definitions. These identifiers are used to (de-select) @@ -181,8 +183,8 @@ extern "C" { * DEFAULT gets, as only selection is being done and no sorting as needed * for DEFAULT. */ -# define SSL_TXT_CMPALL "COMPLEMENTOFALL" -# define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT" +#define SSL_TXT_CMPALL "COMPLEMENTOFALL" +#define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT" /* * The following cipher list is used by default. It also is substituted when 
@@ -191,17 +193,17 @@ extern "C" { * DEPRECATED IN 3.0.0, in favor of OSSL_default_cipher_list() * Update both macro and function simultaneously */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" /* * This is the default set of TLSv1.3 ciphersuites * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites() * Update both macro and function simultaneously */ -# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ - "TLS_CHACHA20_POLY1305_SHA256:" \ - "TLS_AES_128_GCM_SHA256" -# endif +#define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ + "TLS_CHACHA20_POLY1305_SHA256:" \ + "TLS_AES_128_GCM_SHA256" +#endif /* * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always * starts with a reasonable order, and all we have to do for DEFAULT is @@ -210,19 +212,19 @@ extern "C" { */ /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ -# define SSL_SENT_SHUTDOWN 1 -# define SSL_RECEIVED_SHUTDOWN 2 +#define SSL_SENT_SHUTDOWN 1 +#define SSL_RECEIVED_SHUTDOWN 2 #ifdef __cplusplus } #endif -#ifdef __cplusplus +#ifdef __cplusplus extern "C" { #endif -# define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1 -# define SSL_FILETYPE_PEM X509_FILETYPE_PEM +#define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1 +#define SSL_FILETYPE_PEM X509_FILETYPE_PEM /* * This is needed to stop compilers complaining about the 'struct ssl_st *' 
@@ -243,6 +245,7 @@ typedef struct srtp_protection_profile_st {
 const char *name;
 unsigned long id;
 } SRTP_PROTECTION_PROFILE;
+/* clang-format off */
 SKM_DEFINE_STACK_OF_INTERNAL(SRTP_PROTECTION_PROFILE, SRTP_PROTECTION_PROFILE, SRTP_PROTECTION_PROFILE)
 #define sk_SRTP_PROTECTION_PROFILE_num(sk) OPENSSL_sk_num(ossl_check_const_SRTP_PROTECTION_PROFILE_sk_type(sk))
 #define sk_SRTP_PROTECTION_PROFILE_value(sk, idx) ((SRTP_PROTECTION_PROFILE *)OPENSSL_sk_value(ossl_check_const_SRTP_PROTECTION_PROFILE_sk_type(sk), (idx)))
@@ -270,74 +273,73 @@ SKM_DEFINE_STACK_OF_INTERNAL(SRTP_PROTECTION_PROFILE, SRTP_PROTECTION_PROFILE, S #define sk_SRTP_PROTECTION_PROFILE_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(SRTP_PROTECTION_PROFILE) *)OPENSSL_sk_deep_copy(ossl_check_const_SRTP_PROTECTION_PROFILE_sk_type(sk), ossl_check_SRTP_PROTECTION_PROFILE_copyfunc_type(copyfunc), ossl_check_SRTP_PROTECTION_PROFILE_freefunc_type(freefunc))) #define sk_SRTP_PROTECTION_PROFILE_set_cmp_func(sk, cmp) ((sk_SRTP_PROTECTION_PROFILE_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_SRTP_PROTECTION_PROFILE_sk_type(sk), ossl_check_SRTP_PROTECTION_PROFILE_compfunc_type(cmp))) - +/* clang-format on */ typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, - int len, void *arg); + int len, void *arg); typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, - STACK_OF(SSL_CIPHER) *peer_ciphers, - const SSL_CIPHER **cipher, void *arg); + STACK_OF(SSL_CIPHER) *peer_ciphers, + const SSL_CIPHER **cipher, void *arg); /* Extension context codes */ /* This extension is only allowed in TLS */ -#define SSL_EXT_TLS_ONLY 0x00001 +#define SSL_EXT_TLS_ONLY 0x00001 /* This extension is only allowed in DTLS */ -#define SSL_EXT_DTLS_ONLY 0x00002 +#define SSL_EXT_DTLS_ONLY 0x00002 /* Some extensions may be allowed in DTLS but we don't implement them for it */ -#define SSL_EXT_TLS_IMPLEMENTATION_ONLY 0x00004 +#define SSL_EXT_TLS_IMPLEMENTATION_ONLY 0x00004 /* Most extensions are not defined for SSLv3 but EXT_TYPE_renegotiate is */ -#define SSL_EXT_SSL3_ALLOWED 0x00008 +#define SSL_EXT_SSL3_ALLOWED 0x00008 /* Extension is only defined for TLS1.2 and below */ -#define SSL_EXT_TLS1_2_AND_BELOW_ONLY 0x00010 +#define SSL_EXT_TLS1_2_AND_BELOW_ONLY 0x00010 /* Extension is only defined for TLS1.3 and above */ -#define SSL_EXT_TLS1_3_ONLY 0x00020 +#define SSL_EXT_TLS1_3_ONLY 0x00020 /* Ignore this extension during parsing if we are resuming */ -#define SSL_EXT_IGNORE_ON_RESUMPTION 0x00040 -#define 
SSL_EXT_CLIENT_HELLO 0x00080 +#define SSL_EXT_IGNORE_ON_RESUMPTION 0x00040 +#define SSL_EXT_CLIENT_HELLO 0x00080 /* Really means TLS1.2 or below */ -#define SSL_EXT_TLS1_2_SERVER_HELLO 0x00100 -#define SSL_EXT_TLS1_3_SERVER_HELLO 0x00200 -#define SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS 0x00400 -#define SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST 0x00800 -#define SSL_EXT_TLS1_3_CERTIFICATE 0x01000 -#define SSL_EXT_TLS1_3_NEW_SESSION_TICKET 0x02000 -#define SSL_EXT_TLS1_3_CERTIFICATE_REQUEST 0x04000 -#define SSL_EXT_TLS1_3_CERTIFICATE_COMPRESSION 0x08000 +#define SSL_EXT_TLS1_2_SERVER_HELLO 0x00100 +#define SSL_EXT_TLS1_3_SERVER_HELLO 0x00200 +#define SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS 0x00400 +#define SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST 0x00800 +#define SSL_EXT_TLS1_3_CERTIFICATE 0x01000 +#define SSL_EXT_TLS1_3_NEW_SESSION_TICKET 0x02000 +#define SSL_EXT_TLS1_3_CERTIFICATE_REQUEST 0x04000 +#define SSL_EXT_TLS1_3_CERTIFICATE_COMPRESSION 0x08000 /* When sending a raw public key in a certificate message */ -#define SSL_EXT_TLS1_3_RAW_PUBLIC_KEY 0x10000 +#define SSL_EXT_TLS1_3_RAW_PUBLIC_KEY 0x10000 /* Typedefs for handling custom extensions */ typedef int (*custom_ext_add_cb)(SSL *s, unsigned int ext_type, - const unsigned char **out, size_t *outlen, - int *al, void *add_arg); + const unsigned char **out, size_t *outlen, + int *al, void *add_arg); typedef void (*custom_ext_free_cb)(SSL *s, unsigned int ext_type, - const unsigned char *out, void *add_arg); + const unsigned char *out, void *add_arg); typedef int (*custom_ext_parse_cb)(SSL *s, unsigned int ext_type, - const unsigned char *in, size_t inlen, - int *al, void *parse_arg); - + const unsigned char *in, size_t inlen, + int *al, void *parse_arg); typedef int (*SSL_custom_ext_add_cb_ex)(SSL *s, unsigned int ext_type, - unsigned int context, - const unsigned char **out, - size_t *outlen, X509 *x, - size_t chainidx, - int *al, void *add_arg); + unsigned int context, + const unsigned char **out, + size_t *outlen, X509 *x, + 
size_t chainidx, + int *al, void *add_arg); typedef void (*SSL_custom_ext_free_cb_ex)(SSL *s, unsigned int ext_type, - unsigned int context, - const unsigned char *out, - void *add_arg); + unsigned int context, + const unsigned char *out, + void *add_arg); typedef int (*SSL_custom_ext_parse_cb_ex)(SSL *s, unsigned int ext_type, - unsigned int context, - const unsigned char *in, - size_t inlen, X509 *x, - size_t chainidx, - int *al, void *parse_arg); + unsigned int context, + const unsigned char *in, + size_t inlen, X509 *x, + size_t chainidx, + int *al, void *parse_arg); /* Typedef for verification callback */ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx); 
@@ -345,96 +347,96 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx); /* Typedef for SSL async callback */ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg); -#define SSL_OP_BIT(n) ((uint64_t)1 << (uint64_t)n) +#define SSL_OP_BIT(n) ((uint64_t)1 << (uint64_t)n) /* * SSL/TLS connection options. */ - /* Disable Extended master secret */ -# define SSL_OP_NO_EXTENDED_MASTER_SECRET SSL_OP_BIT(0) - /* Cleanse plaintext copies of data delivered to the application */ -# define SSL_OP_CLEANSE_PLAINTEXT SSL_OP_BIT(1) - /* Allow initial connection to servers that don't support RI */ -# define SSL_OP_LEGACY_SERVER_CONNECT SSL_OP_BIT(2) - /* Enable support for Kernel TLS */ -# define SSL_OP_ENABLE_KTLS SSL_OP_BIT(3) -# define SSL_OP_TLSEXT_PADDING SSL_OP_BIT(4) -# define SSL_OP_SAFARI_ECDHE_ECDSA_BUG SSL_OP_BIT(6) -# define SSL_OP_IGNORE_UNEXPECTED_EOF SSL_OP_BIT(7) -# define SSL_OP_ALLOW_CLIENT_RENEGOTIATION SSL_OP_BIT(8) -# define SSL_OP_DISABLE_TLSEXT_CA_NAMES SSL_OP_BIT(9) - /* In TLSv1.3 allow a non-(ec)dhe based kex_mode */ -# define SSL_OP_ALLOW_NO_DHE_KEX SSL_OP_BIT(10) - /* - * Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added - * in OpenSSL 0.9.6d. Usually (depending on the application protocol) - * the workaround is not needed. Unfortunately some broken SSL/TLS - * implementations cannot handle it at all, which is why we include it - * in SSL_OP_ALL. 
Added in 0.9.6e - */ -# define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_BIT(11) - /* DTLS options */ -# define SSL_OP_NO_QUERY_MTU SSL_OP_BIT(12) - /* Turn on Cookie Exchange (on relevant for servers) */ -# define SSL_OP_COOKIE_EXCHANGE SSL_OP_BIT(13) - /* Don't use RFC4507 ticket extension */ -# define SSL_OP_NO_TICKET SSL_OP_BIT(14) -# ifndef OPENSSL_NO_DTLS1_METHOD - /* - * Use Cisco's version identifier of DTLS_BAD_VER - * (only with deprecated DTLSv1_client_method()) - */ -# define SSL_OP_CISCO_ANYCONNECT SSL_OP_BIT(15) -# endif - /* As server, disallow session resumption on renegotiation */ -# define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_BIT(16) - /* Don't use compression even if supported */ -# define SSL_OP_NO_COMPRESSION SSL_OP_BIT(17) - /* Permit unsafe legacy renegotiation */ -# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_BIT(18) - /* Disable encrypt-then-mac */ -# define SSL_OP_NO_ENCRYPT_THEN_MAC SSL_OP_BIT(19) - /* - * Enable TLSv1.3 Compatibility mode. This is on by default. A future - * version of OpenSSL may have this disabled by default. - */ -# define SSL_OP_ENABLE_MIDDLEBOX_COMPAT SSL_OP_BIT(20) - /* - * Prioritize Chacha20Poly1305 when client does. - * Modifies SSL_OP_CIPHER_SERVER_PREFERENCE - */ -# define SSL_OP_PRIORITIZE_CHACHA SSL_OP_BIT(21) - /* - * Set on servers to choose the cipher according to server's preferences. - */ -# define SSL_OP_CIPHER_SERVER_PREFERENCE SSL_OP_BIT(22) - /* - * If set, a server will allow a client to issue an SSLv3.0 version - * number as latest version supported in the premaster secret, even when - * TLSv1.0 (version 3.1) was announced in the client hello. Normally - * this is forbidden to prevent version rollback attacks. - */ -# define SSL_OP_TLS_ROLLBACK_BUG SSL_OP_BIT(23) - /* - * Switches off automatic TLSv1.3 anti-replay protection for early data. - * This is a server-side option only (no effect on the client). 
- */ -# define SSL_OP_NO_ANTI_REPLAY SSL_OP_BIT(24) -# define SSL_OP_NO_SSLv3 SSL_OP_BIT(25) -# define SSL_OP_NO_TLSv1 SSL_OP_BIT(26) -# define SSL_OP_NO_TLSv1_2 SSL_OP_BIT(27) -# define SSL_OP_NO_TLSv1_1 SSL_OP_BIT(28) -# define SSL_OP_NO_TLSv1_3 SSL_OP_BIT(29) -# define SSL_OP_NO_DTLSv1 SSL_OP_BIT(26) -# define SSL_OP_NO_DTLSv1_2 SSL_OP_BIT(27) - /* Disallow all renegotiation */ -# define SSL_OP_NO_RENEGOTIATION SSL_OP_BIT(30) - /* - * Make server add server-hello extension from early version of - * cryptopro draft, when GOST ciphersuite is negotiated. Required for - * interoperability with CryptoPro CSP 3.x - */ -# define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31) +/* Disable Extended master secret */ +#define SSL_OP_NO_EXTENDED_MASTER_SECRET SSL_OP_BIT(0) +/* Cleanse plaintext copies of data delivered to the application */ +#define SSL_OP_CLEANSE_PLAINTEXT SSL_OP_BIT(1) +/* Allow initial connection to servers that don't support RI */ +#define SSL_OP_LEGACY_SERVER_CONNECT SSL_OP_BIT(2) +/* Enable support for Kernel TLS */ +#define SSL_OP_ENABLE_KTLS SSL_OP_BIT(3) +#define SSL_OP_TLSEXT_PADDING SSL_OP_BIT(4) +#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG SSL_OP_BIT(6) +#define SSL_OP_IGNORE_UNEXPECTED_EOF SSL_OP_BIT(7) +#define SSL_OP_ALLOW_CLIENT_RENEGOTIATION SSL_OP_BIT(8) +#define SSL_OP_DISABLE_TLSEXT_CA_NAMES SSL_OP_BIT(9) +/* In TLSv1.3 allow a non-(ec)dhe based kex_mode */ +#define SSL_OP_ALLOW_NO_DHE_KEX SSL_OP_BIT(10) +/* + * Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added + * in OpenSSL 0.9.6d. Usually (depending on the application protocol) + * the workaround is not needed. Unfortunately some broken SSL/TLS + * implementations cannot handle it at all, which is why we include it + * in SSL_OP_ALL. 
Added in 0.9.6e + */ +#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_BIT(11) +/* DTLS options */ +#define SSL_OP_NO_QUERY_MTU SSL_OP_BIT(12) +/* Turn on Cookie Exchange (on relevant for servers) */ +#define SSL_OP_COOKIE_EXCHANGE SSL_OP_BIT(13) +/* Don't use RFC4507 ticket extension */ +#define SSL_OP_NO_TICKET SSL_OP_BIT(14) +#ifndef OPENSSL_NO_DTLS1_METHOD +/* + * Use Cisco's version identifier of DTLS_BAD_VER + * (only with deprecated DTLSv1_client_method()) + */ +#define SSL_OP_CISCO_ANYCONNECT SSL_OP_BIT(15) +#endif +/* As server, disallow session resumption on renegotiation */ +#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_BIT(16) +/* Don't use compression even if supported */ +#define SSL_OP_NO_COMPRESSION SSL_OP_BIT(17) +/* Permit unsafe legacy renegotiation */ +#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_BIT(18) +/* Disable encrypt-then-mac */ +#define SSL_OP_NO_ENCRYPT_THEN_MAC SSL_OP_BIT(19) +/* + * Enable TLSv1.3 Compatibility mode. This is on by default. A future + * version of OpenSSL may have this disabled by default. + */ +#define SSL_OP_ENABLE_MIDDLEBOX_COMPAT SSL_OP_BIT(20) +/* + * Prioritize Chacha20Poly1305 when client does. + * Modifies SSL_OP_CIPHER_SERVER_PREFERENCE + */ +#define SSL_OP_PRIORITIZE_CHACHA SSL_OP_BIT(21) +/* + * Set on servers to choose the cipher according to server's preferences. + */ +#define SSL_OP_CIPHER_SERVER_PREFERENCE SSL_OP_BIT(22) +/* + * If set, a server will allow a client to issue an SSLv3.0 version + * number as latest version supported in the premaster secret, even when + * TLSv1.0 (version 3.1) was announced in the client hello. Normally + * this is forbidden to prevent version rollback attacks. + */ +#define SSL_OP_TLS_ROLLBACK_BUG SSL_OP_BIT(23) +/* + * Switches off automatic TLSv1.3 anti-replay protection for early data. + * This is a server-side option only (no effect on the client). 
+ */ +#define SSL_OP_NO_ANTI_REPLAY SSL_OP_BIT(24) +#define SSL_OP_NO_SSLv3 SSL_OP_BIT(25) +#define SSL_OP_NO_TLSv1 SSL_OP_BIT(26) +#define SSL_OP_NO_TLSv1_2 SSL_OP_BIT(27) +#define SSL_OP_NO_TLSv1_1 SSL_OP_BIT(28) +#define SSL_OP_NO_TLSv1_3 SSL_OP_BIT(29) +#define SSL_OP_NO_DTLSv1 SSL_OP_BIT(26) +#define SSL_OP_NO_DTLSv1_2 SSL_OP_BIT(27) +/* Disallow all renegotiation */ +#define SSL_OP_NO_RENEGOTIATION SSL_OP_BIT(30) +/* + * Make server add server-hello extension from early version of + * cryptopro draft, when GOST ciphersuite is negotiated. Required for + * interoperability with CryptoPro CSP 3.x + */ +#define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31) /* * Disable RFC8879 certificate compression * SSL_OP_NO_TX_CERTIFICATE_COMPRESSION: don't send compressed certificates, 
@@ -442,79 +444,79 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg); * SSL_OP_NO_RX_CERTIFICATE_COMPRESSION: don't send the extension, and * subsequently indicating that receiving is not supported */ -# define SSL_OP_NO_TX_CERTIFICATE_COMPRESSION SSL_OP_BIT(32) -# define SSL_OP_NO_RX_CERTIFICATE_COMPRESSION SSL_OP_BIT(33) - /* Enable KTLS TX zerocopy on Linux */ -# define SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE SSL_OP_BIT(34) +#define SSL_OP_NO_TX_CERTIFICATE_COMPRESSION SSL_OP_BIT(32) +#define SSL_OP_NO_RX_CERTIFICATE_COMPRESSION SSL_OP_BIT(33) +/* Enable KTLS TX zerocopy on Linux */ +#define SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE SSL_OP_BIT(34) -#define SSL_OP_PREFER_NO_DHE_KEX SSL_OP_BIT(35) +#define SSL_OP_PREFER_NO_DHE_KEX SSL_OP_BIT(35) /* * Option "collections." */ -# define SSL_OP_NO_SSL_MASK \ - ( SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 \ - | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3 ) -# define SSL_OP_NO_DTLS_MASK \ - ( SSL_OP_NO_DTLSv1 | SSL_OP_NO_DTLSv1_2 ) +#define SSL_OP_NO_SSL_MASK \ + (SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 \ + | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3) +#define SSL_OP_NO_DTLS_MASK \ + (SSL_OP_NO_DTLSv1 | SSL_OP_NO_DTLSv1_2) /* Various bug workarounds that should be rather harmless. 
*/ -# define SSL_OP_ALL \ - ( SSL_OP_CRYPTOPRO_TLSEXT_BUG | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS \ - | SSL_OP_TLSEXT_PADDING | SSL_OP_SAFARI_ECDHE_ECDSA_BUG ) +#define SSL_OP_ALL \ + (SSL_OP_CRYPTOPRO_TLSEXT_BUG | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS \ + | SSL_OP_TLSEXT_PADDING | SSL_OP_SAFARI_ECDHE_ECDSA_BUG) /* * OBSOLETE OPTIONS retained for compatibility */ -# define SSL_OP_MICROSOFT_SESS_ID_BUG 0x0 -# define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x0 -# define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x0 -# define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0 -# define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x0 -# define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0 -# define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x0 -# define SSL_OP_TLS_D5_BUG 0x0 -# define SSL_OP_TLS_BLOCK_PADDING_BUG 0x0 -# define SSL_OP_SINGLE_ECDH_USE 0x0 -# define SSL_OP_SINGLE_DH_USE 0x0 -# define SSL_OP_EPHEMERAL_RSA 0x0 -# define SSL_OP_NO_SSLv2 0x0 -# define SSL_OP_PKCS1_CHECK_1 0x0 -# define SSL_OP_PKCS1_CHECK_2 0x0 -# define SSL_OP_NETSCAPE_CA_DN_BUG 0x0 -# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x0 +#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x0 +#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x0 +#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x0 +#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0 +#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x0 +#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0 +#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x0 +#define SSL_OP_TLS_D5_BUG 0x0 +#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x0 +#define SSL_OP_SINGLE_ECDH_USE 0x0 +#define SSL_OP_SINGLE_DH_USE 0x0 +#define SSL_OP_EPHEMERAL_RSA 0x0 +#define SSL_OP_NO_SSLv2 0x0 +#define SSL_OP_PKCS1_CHECK_1 0x0 +#define SSL_OP_PKCS1_CHECK_2 0x0 +#define SSL_OP_NETSCAPE_CA_DN_BUG 0x0 +#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x0 /* * Allow SSL_write(..., n) to return r with 0 < r < n (i.e. 
report success * when just a single record has been written): */ -# define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001U +#define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001U /* * Make it possible to retry SSL_write() with changed buffer location (buffer * contents must stay the same!); this is not the default to avoid the * misconception that non-blocking SSL_write() behaves like non-blocking * write(): */ -# define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002U +#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002U /* * Never bother the application with retries if the transport is blocking: */ -# define SSL_MODE_AUTO_RETRY 0x00000004U +#define SSL_MODE_AUTO_RETRY 0x00000004U /* Don't attempt to automatically build certificate chain */ -# define SSL_MODE_NO_AUTO_CHAIN 0x00000008U +#define SSL_MODE_NO_AUTO_CHAIN 0x00000008U /* * Save RAM by releasing read and write buffers when they're empty. (SSL3 and * TLS only.) Released buffers are freed. */ -# define SSL_MODE_RELEASE_BUFFERS 0x00000010U +#define SSL_MODE_RELEASE_BUFFERS 0x00000010U /* * Send the current time in the Random fields of the ClientHello and * ServerHello records for compatibility with hypothetical implementations * that require it. */ -# define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020U -# define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040U +#define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020U +#define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040U /* * Send TLS_FALLBACK_SCSV in the ClientHello. To be set only by applications * that reconnect with a downgraded protocol version; see 
@@ -523,11 +525,11 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg); * fallback retries, following the guidance in * draft-ietf-tls-downgrade-scsv-00. */ -# define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080U +#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080U /* * Support Asynchronous operation */ -# define SSL_MODE_ASYNC 0x00000100U +#define SSL_MODE_ASYNC 0x00000100U /* * When using DTLS/SCTP, include the terminating zero in the label 
@@ -540,78 +542,78 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg); * - OpenSSL 1.1.0 series * - OpenSSL 1.1.1 and 1.1.1a */ -# define SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG 0x00000400U +#define SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG 0x00000400U /* Cert related flags */ /* * Many implementations ignore some aspects of the TLS standards such as * enforcing certificate chain algorithms. When this is set we enforce them. */ -# define SSL_CERT_FLAG_TLS_STRICT 0x00000001U +#define SSL_CERT_FLAG_TLS_STRICT 0x00000001U /* Suite B modes, takes same values as certificate verify flags */ -# define SSL_CERT_FLAG_SUITEB_128_LOS_ONLY 0x10000 +#define SSL_CERT_FLAG_SUITEB_128_LOS_ONLY 0x10000 /* Suite B 192 bit only mode */ -# define SSL_CERT_FLAG_SUITEB_192_LOS 0x20000 +#define SSL_CERT_FLAG_SUITEB_192_LOS 0x20000 /* Suite B 128 bit mode allowing 192 bit algorithms */ -# define SSL_CERT_FLAG_SUITEB_128_LOS 0x30000 +#define SSL_CERT_FLAG_SUITEB_128_LOS 0x30000 /* Perform all sorts of protocol violations for testing purposes */ -# define SSL_CERT_FLAG_BROKEN_PROTOCOL 0x10000000 +#define SSL_CERT_FLAG_BROKEN_PROTOCOL 0x10000000 /* Flags for building certificate chains */ /* Treat any existing certificates as untrusted CAs */ -# define SSL_BUILD_CHAIN_FLAG_UNTRUSTED 0x1 +#define SSL_BUILD_CHAIN_FLAG_UNTRUSTED 0x1 /* Don't include root CA in chain */ -# define SSL_BUILD_CHAIN_FLAG_NO_ROOT 0x2 +#define SSL_BUILD_CHAIN_FLAG_NO_ROOT 0x2 /* Just check certificates already there */ -# define SSL_BUILD_CHAIN_FLAG_CHECK 0x4 +#define SSL_BUILD_CHAIN_FLAG_CHECK 0x4 /* Ignore verification errors */ -# define SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR 0x8 +#define SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR 0x8 /* Clear verification errors from queue */ -# define SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR 0x10 +#define SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR 0x10 /* Flags returned by SSL_check_chain */ /* Certificate can be used with this session */ -# define CERT_PKEY_VALID 0x1 +#define CERT_PKEY_VALID 0x1 /* Certificate 
can also be used for signing */ -# define CERT_PKEY_SIGN 0x2 +#define CERT_PKEY_SIGN 0x2 /* EE certificate signing algorithm OK */ -# define CERT_PKEY_EE_SIGNATURE 0x10 +#define CERT_PKEY_EE_SIGNATURE 0x10 /* CA signature algorithms OK */ -# define CERT_PKEY_CA_SIGNATURE 0x20 +#define CERT_PKEY_CA_SIGNATURE 0x20 /* EE certificate parameters OK */ -# define CERT_PKEY_EE_PARAM 0x40 +#define CERT_PKEY_EE_PARAM 0x40 /* CA certificate parameters OK */ -# define CERT_PKEY_CA_PARAM 0x80 +#define CERT_PKEY_CA_PARAM 0x80 /* Signing explicitly allowed as opposed to SHA1 fallback */ -# define CERT_PKEY_EXPLICIT_SIGN 0x100 +#define CERT_PKEY_EXPLICIT_SIGN 0x100 /* Client CA issuer names match (always set for server cert) */ -# define CERT_PKEY_ISSUER_NAME 0x200 +#define CERT_PKEY_ISSUER_NAME 0x200 /* Cert type matches client types (always set for server cert) */ -# define CERT_PKEY_CERT_TYPE 0x400 +#define CERT_PKEY_CERT_TYPE 0x400 /* Cert chain suitable to Suite B */ -# define CERT_PKEY_SUITEB 0x800 +#define CERT_PKEY_SUITEB 0x800 /* Cert pkey valid for raw public key use */ -# define CERT_PKEY_RPK 0x1000 - -# define SSL_CONF_FLAG_CMDLINE 0x1 -# define SSL_CONF_FLAG_FILE 0x2 -# define SSL_CONF_FLAG_CLIENT 0x4 -# define SSL_CONF_FLAG_SERVER 0x8 -# define SSL_CONF_FLAG_SHOW_ERRORS 0x10 -# define SSL_CONF_FLAG_CERTIFICATE 0x20 -# define SSL_CONF_FLAG_REQUIRE_PRIVATE 0x40 +#define CERT_PKEY_RPK 0x1000 + +#define SSL_CONF_FLAG_CMDLINE 0x1 +#define SSL_CONF_FLAG_FILE 0x2 +#define SSL_CONF_FLAG_CLIENT 0x4 +#define SSL_CONF_FLAG_SERVER 0x8 +#define SSL_CONF_FLAG_SHOW_ERRORS 0x10 +#define SSL_CONF_FLAG_CERTIFICATE 0x20 +#define SSL_CONF_FLAG_REQUIRE_PRIVATE 0x40 /* Configuration value types */ -# define SSL_CONF_TYPE_UNKNOWN 0x0 -# define SSL_CONF_TYPE_STRING 0x1 -# define SSL_CONF_TYPE_FILE 0x2 -# define SSL_CONF_TYPE_DIR 0x3 -# define SSL_CONF_TYPE_NONE 0x4 -# define SSL_CONF_TYPE_STORE 0x5 +#define SSL_CONF_TYPE_UNKNOWN 0x0 +#define SSL_CONF_TYPE_STRING 0x1 +#define 
SSL_CONF_TYPE_FILE 0x2 +#define SSL_CONF_TYPE_DIR 0x3 +#define SSL_CONF_TYPE_NONE 0x4 +#define SSL_CONF_TYPE_STORE 0x5 /* Maximum length of the application-controlled segment of a a TLSv1.3 cookie */ -# define SSL_COOKIE_LENGTH 4096 +#define SSL_COOKIE_LENGTH 4096 /* * Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, they 
@@ -625,68 +627,68 @@ uint64_t SSL_clear_options(SSL *s, uint64_t op);
 uint64_t SSL_CTX_set_options(SSL_CTX *ctx, uint64_t op);
 uint64_t SSL_set_options(SSL *s, uint64_t op);
 
-# define SSL_CTX_set_mode(ctx,op) \
- SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
-# define SSL_CTX_clear_mode(ctx,op) \
- SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_MODE,(op),NULL)
-# define SSL_CTX_get_mode(ctx) \
- SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL)
-# define SSL_clear_mode(ssl,op) \
- SSL_ctrl((ssl),SSL_CTRL_CLEAR_MODE,(op),NULL)
-# define SSL_set_mode(ssl,op) \
- SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL)
-# define SSL_get_mode(ssl) \
- SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL)
-# define SSL_set_mtu(ssl, mtu) \
- SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL)
-# define DTLS_set_link_mtu(ssl, mtu) \
- SSL_ctrl((ssl),DTLS_CTRL_SET_LINK_MTU,(mtu),NULL)
-# define DTLS_get_link_min_mtu(ssl) \
- SSL_ctrl((ssl),DTLS_CTRL_GET_LINK_MIN_MTU,0,NULL)
-
-# define SSL_get_secure_renegotiation_support(ssl) \
- SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
-
-# define SSL_CTX_set_cert_flags(ctx,op) \
- SSL_CTX_ctrl((ctx),SSL_CTRL_CERT_FLAGS,(op),NULL)
-# define SSL_set_cert_flags(s,op) \
- SSL_ctrl((s),SSL_CTRL_CERT_FLAGS,(op),NULL)
-# define SSL_CTX_clear_cert_flags(ctx,op) \
- SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_CERT_FLAGS,(op),NULL)
-# define SSL_clear_cert_flags(s,op) \
- SSL_ctrl((s),SSL_CTRL_CLEAR_CERT_FLAGS,(op),NULL)
+#define SSL_CTX_set_mode(ctx, op) \
+ SSL_CTX_ctrl((ctx), SSL_CTRL_MODE, (op), NULL)
+#define SSL_CTX_clear_mode(ctx, op) \
+ SSL_CTX_ctrl((ctx), SSL_CTRL_CLEAR_MODE, (op), NULL)
+#define SSL_CTX_get_mode(ctx) \
+ SSL_CTX_ctrl((ctx), SSL_CTRL_MODE, 0, NULL)
+#define SSL_clear_mode(ssl, op) \
+ SSL_ctrl((ssl), SSL_CTRL_CLEAR_MODE, (op), NULL)
+#define SSL_set_mode(ssl, op) \
+ SSL_ctrl((ssl), SSL_CTRL_MODE, (op), NULL)
+#define SSL_get_mode(ssl) \
+ SSL_ctrl((ssl), SSL_CTRL_MODE, 0, NULL)
+#define SSL_set_mtu(ssl, mtu) \
+ SSL_ctrl((ssl), SSL_CTRL_SET_MTU, (mtu), NULL)
+#define DTLS_set_link_mtu(ssl, mtu) \
+ SSL_ctrl((ssl), DTLS_CTRL_SET_LINK_MTU, (mtu), NULL)
+#define DTLS_get_link_min_mtu(ssl) \
+ SSL_ctrl((ssl), DTLS_CTRL_GET_LINK_MIN_MTU, 0, NULL)
+
+#define SSL_get_secure_renegotiation_support(ssl) \
+ SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
+
+#define SSL_CTX_set_cert_flags(ctx, op) \
+ SSL_CTX_ctrl((ctx), SSL_CTRL_CERT_FLAGS, (op), NULL)
+#define SSL_set_cert_flags(s, op) \
+ SSL_ctrl((s), SSL_CTRL_CERT_FLAGS, (op), NULL)
+#define SSL_CTX_clear_cert_flags(ctx, op) \
+ SSL_CTX_ctrl((ctx), SSL_CTRL_CLEAR_CERT_FLAGS, (op), NULL)
+#define SSL_clear_cert_flags(s, op) \
+ SSL_ctrl((s), SSL_CTRL_CLEAR_CERT_FLAGS, (op), NULL)
 
 void SSL_CTX_set_msg_callback(SSL_CTX *ctx,
- void (*cb) (int write_p, int version,
- int content_type, const void *buf,
- size_t len, SSL *ssl, void *arg));
+ void (*cb)(int write_p, int version,
+ int content_type, const void *buf,
+ size_t len, SSL *ssl, void *arg));
 void SSL_set_msg_callback(SSL *ssl,
- void (*cb) (int write_p, int version,
- int content_type, const void *buf,
- size_t len, SSL *ssl, void *arg));
-# define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
-# define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
+ void (*cb)(int write_p, int version,
+ int content_type, const void *buf,
+ size_t len, SSL *ssl, void *arg));
+#define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
+#define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
 
-# define SSL_get_extms_support(s) \
- SSL_ctrl((s),SSL_CTRL_GET_EXTMS_SUPPORT,0,NULL)
+#define SSL_get_extms_support(s) \
+ SSL_ctrl((s), SSL_CTRL_GET_EXTMS_SUPPORT, 0, NULL)
 
-# ifndef OPENSSL_NO_SRP
+#ifndef OPENSSL_NO_SRP
 /* see tls_srp.c */
-# ifndef OPENSSL_NO_DEPRECATED_3_0
+#ifndef OPENSSL_NO_DEPRECATED_3_0
 OSSL_DEPRECATEDIN_3_0 __owur int SSL_SRP_CTX_init(SSL *s);
 OSSL_DEPRECATEDIN_3_0 __owur int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx);
 OSSL_DEPRECATEDIN_3_0 int SSL_SRP_CTX_free(SSL *ctx);
 OSSL_DEPRECATEDIN_3_0 int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx);
 OSSL_DEPRECATEDIN_3_0 __owur int SSL_srp_server_param_with_username(SSL *s,
- int *ad);
+ int *ad);
 OSSL_DEPRECATEDIN_3_0 __owur int SRP_Calc_A_param(SSL *s);
-# endif
-# endif
+#endif
+#endif
 
 /* 100k max cert list */
-# define SSL_MAX_CERT_LIST_DEFAULT (1024*100)
+#define SSL_MAX_CERT_LIST_DEFAULT (1024 * 100)
 
-# define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024*20)
+#define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024 * 20)
 
 /*
  * This callback type is used inside SSL_CTX, SSL, and in the functions that
@@ -700,174 +702,174 @@ OSSL_DEPRECATEDIN_3_0 __owur int SRP_Calc_A_param(SSL *s); * bytes. The callback can alter this length to be less if desired. It is * also an error for the callback to set the size to zero. */ -typedef int (*GEN_SESSION_CB) (SSL *ssl, unsigned char *id, - unsigned int *id_len); - -# define SSL_SESS_CACHE_OFF 0x0000 -# define SSL_SESS_CACHE_CLIENT 0x0001 -# define SSL_SESS_CACHE_SERVER 0x0002 -# define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER) -# define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080 +typedef int (*GEN_SESSION_CB)(SSL *ssl, unsigned char *id, + unsigned int *id_len); + +#define SSL_SESS_CACHE_OFF 0x0000 +#define SSL_SESS_CACHE_CLIENT 0x0001 +#define SSL_SESS_CACHE_SERVER 0x0002 +#define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_SERVER) +#define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080 /* enough comments already ... see SSL_CTX_set_session_cache_mode(3) */ -# define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100 -# define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200 -# define SSL_SESS_CACHE_NO_INTERNAL \ - (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE) -# define SSL_SESS_CACHE_UPDATE_TIME 0x0400 +#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100 +#define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200 +#define SSL_SESS_CACHE_NO_INTERNAL \ + (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP | SSL_SESS_CACHE_NO_INTERNAL_STORE) +#define SSL_SESS_CACHE_UPDATE_TIME 0x0400 LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx); -# define SSL_CTX_sess_number(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL) -# define SSL_CTX_sess_connect(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT,0,NULL) -# define SSL_CTX_sess_connect_good(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_GOOD,0,NULL) -# define SSL_CTX_sess_connect_renegotiate(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_RENEGOTIATE,0,NULL) -# define SSL_CTX_sess_accept(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT,0,NULL) -# define 
SSL_CTX_sess_accept_renegotiate(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_RENEGOTIATE,0,NULL) -# define SSL_CTX_sess_accept_good(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_GOOD,0,NULL) -# define SSL_CTX_sess_hits(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_HIT,0,NULL) -# define SSL_CTX_sess_cb_hits(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CB_HIT,0,NULL) -# define SSL_CTX_sess_misses(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_MISSES,0,NULL) -# define SSL_CTX_sess_timeouts(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL) -# define SSL_CTX_sess_cache_full(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL) +#define SSL_CTX_sess_number(ctx) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_NUMBER, 0, NULL) +#define SSL_CTX_sess_connect(ctx) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_CONNECT, 0, NULL) +#define SSL_CTX_sess_connect_good(ctx) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_CONNECT_GOOD, 0, NULL) +#define SSL_CTX_sess_connect_renegotiate(ctx) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_CONNECT_RENEGOTIATE, 0, NULL) +#define SSL_CTX_sess_accept(ctx) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_ACCEPT, 0, NULL) +#define SSL_CTX_sess_accept_renegotiate(ctx) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_ACCEPT_RENEGOTIATE, 0, NULL) +#define SSL_CTX_sess_accept_good(ctx) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_ACCEPT_GOOD, 0, NULL) +#define SSL_CTX_sess_hits(ctx) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_HIT, 0, NULL) +#define SSL_CTX_sess_cb_hits(ctx) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_CB_HIT, 0, NULL) +#define SSL_CTX_sess_misses(ctx) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_MISSES, 0, NULL) +#define SSL_CTX_sess_timeouts(ctx) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_TIMEOUTS, 0, NULL) +#define SSL_CTX_sess_cache_full(ctx) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_CACHE_FULL, 0, NULL) void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, - int (*new_session_cb) (struct ssl_st *ssl, - SSL_SESSION *sess)); -int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx)) (struct ssl_st *ssl, - SSL_SESSION *sess); + int (*new_session_cb)(struct ssl_st *ssl, + 
SSL_SESSION *sess)); +int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, + SSL_SESSION *sess); void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, - void (*remove_session_cb) (struct ssl_ctx_st - *ctx, - SSL_SESSION *sess)); -void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx)) (struct ssl_ctx_st *ctx, - SSL_SESSION *sess); + void (*remove_session_cb)(struct ssl_ctx_st + *ctx, + SSL_SESSION *sess)); +void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx, + SSL_SESSION *sess); void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, - SSL_SESSION *(*get_session_cb) (struct ssl_st - *ssl, - const unsigned char - *data, int len, - int *copy)); -SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx)) (struct ssl_st *ssl, - const unsigned char *data, - int len, int *copy); + SSL_SESSION *(*get_session_cb)(struct ssl_st + *ssl, + const unsigned char + *data, + int len, + int *copy)); +SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl, + const unsigned char *data, + int len, int *copy); void SSL_CTX_set_info_callback(SSL_CTX *ctx, - void (*cb) (const SSL *ssl, int type, int val)); -void (*SSL_CTX_get_info_callback(SSL_CTX *ctx)) (const SSL *ssl, int type, - int val); + void (*cb)(const SSL *ssl, int type, int val)); +void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, int type, + int val); void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, - int (*client_cert_cb) (SSL *ssl, X509 **x509, - EVP_PKEY **pkey)); -int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx)) (SSL *ssl, X509 **x509, - EVP_PKEY **pkey); -# ifndef OPENSSL_NO_ENGINE + int (*client_cert_cb)(SSL *ssl, X509 **x509, + EVP_PKEY **pkey)); +int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, + EVP_PKEY **pkey); +#ifndef OPENSSL_NO_ENGINE __owur int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e); -# endif +#endif void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, - int (*app_gen_cookie_cb) (SSL *ssl, - unsigned char - *cookie, - unsigned int - *cookie_len)); 
+ int (*app_gen_cookie_cb)(SSL *ssl, + unsigned char + *cookie, + unsigned int + *cookie_len)); void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, - int (*app_verify_cookie_cb) (SSL *ssl, - const unsigned - char *cookie, - unsigned int - cookie_len)); + int (*app_verify_cookie_cb)(SSL *ssl, + const unsigned char *cookie, + unsigned int + cookie_len)); void SSL_CTX_set_stateless_cookie_generate_cb( SSL_CTX *ctx, - int (*gen_stateless_cookie_cb) (SSL *ssl, - unsigned char *cookie, - size_t *cookie_len)); + int (*gen_stateless_cookie_cb)(SSL *ssl, + unsigned char *cookie, + size_t *cookie_len)); void SSL_CTX_set_stateless_cookie_verify_cb( SSL_CTX *ctx, - int (*verify_stateless_cookie_cb) (SSL *ssl, - const unsigned char *cookie, - size_t cookie_len)); -# ifndef OPENSSL_NO_NEXTPROTONEG + int (*verify_stateless_cookie_cb)(SSL *ssl, + const unsigned char *cookie, + size_t cookie_len)); +#ifndef OPENSSL_NO_NEXTPROTONEG typedef int (*SSL_CTX_npn_advertised_cb_func)(SSL *ssl, - const unsigned char **out, - unsigned int *outlen, - void *arg); + const unsigned char **out, + unsigned int *outlen, + void *arg); void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s, - SSL_CTX_npn_advertised_cb_func cb, - void *arg); -# define SSL_CTX_set_npn_advertised_cb SSL_CTX_set_next_protos_advertised_cb + SSL_CTX_npn_advertised_cb_func cb, + void *arg); +#define SSL_CTX_set_npn_advertised_cb SSL_CTX_set_next_protos_advertised_cb typedef int (*SSL_CTX_npn_select_cb_func)(SSL *s, - unsigned char **out, - unsigned char *outlen, - const unsigned char *in, - unsigned int inlen, - void *arg); + unsigned char **out, + unsigned char *outlen, + const unsigned char *in, + unsigned int inlen, + void *arg); void SSL_CTX_set_next_proto_select_cb(SSL_CTX *s, - SSL_CTX_npn_select_cb_func cb, - void *arg); -# define SSL_CTX_set_npn_select_cb SSL_CTX_set_next_proto_select_cb + SSL_CTX_npn_select_cb_func cb, + void *arg); +#define SSL_CTX_set_npn_select_cb SSL_CTX_set_next_proto_select_cb void 
SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, - unsigned *len); -# define SSL_get0_npn_negotiated SSL_get0_next_proto_negotiated -# endif + unsigned *len); +#define SSL_get0_npn_negotiated SSL_get0_next_proto_negotiated +#endif __owur int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, - const unsigned char *in, unsigned int inlen, - const unsigned char *client, - unsigned int client_len); + const unsigned char *in, unsigned int inlen, + const unsigned char *client, + unsigned int client_len); -# define OPENSSL_NPN_UNSUPPORTED 0 -# define OPENSSL_NPN_NEGOTIATED 1 -# define OPENSSL_NPN_NO_OVERLAP 2 +#define OPENSSL_NPN_UNSUPPORTED 0 +#define OPENSSL_NPN_NEGOTIATED 1 +#define OPENSSL_NPN_NO_OVERLAP 2 __owur int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, - unsigned int protos_len); + unsigned int protos_len); __owur int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos, - unsigned int protos_len); + unsigned int protos_len); typedef int (*SSL_CTX_alpn_select_cb_func)(SSL *ssl, - const unsigned char **out, - unsigned char *outlen, - const unsigned char *in, - unsigned int inlen, - void *arg); + const unsigned char **out, + unsigned char *outlen, + const unsigned char *in, + unsigned int inlen, + void *arg); void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, - SSL_CTX_alpn_select_cb_func cb, - void *arg); + SSL_CTX_alpn_select_cb_func cb, + void *arg); void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, - unsigned int *len); + unsigned int *len); -# ifndef OPENSSL_NO_PSK +#ifndef OPENSSL_NO_PSK /* * the maximum length of the buffer given to callbacks containing the * resulting identity/psk */ -# define PSK_MAX_IDENTITY_LEN 256 -# define PSK_MAX_PSK_LEN 512 +#define PSK_MAX_IDENTITY_LEN 256 +#define PSK_MAX_PSK_LEN 512 typedef unsigned int (*SSL_psk_client_cb_func)(SSL *ssl, - const char *hint, - char *identity, - unsigned int max_identity_len, - unsigned char *psk, - unsigned int 
max_psk_len); + const char *hint, + char *identity, + unsigned int max_identity_len, + unsigned char *psk, + unsigned int max_psk_len); void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, SSL_psk_client_cb_func cb); void SSL_set_psk_client_callback(SSL *ssl, SSL_psk_client_cb_func cb); typedef unsigned int (*SSL_psk_server_cb_func)(SSL *ssl, - const char *identity, - unsigned char *psk, - unsigned int max_psk_len); + const char *identity, + unsigned char *psk, + unsigned int max_psk_len); void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb); void SSL_set_psk_server_callback(SSL *ssl, SSL_psk_server_cb_func cb); 
@@ -875,78 +877,78 @@ __owur int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint __owur int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint); const char *SSL_get_psk_identity_hint(const SSL *s); const char *SSL_get_psk_identity(const SSL *s); -# endif +#endif typedef int (*SSL_psk_find_session_cb_func)(SSL *ssl, - const unsigned char *identity, - size_t identity_len, - SSL_SESSION **sess); + const unsigned char *identity, + size_t identity_len, + SSL_SESSION **sess); typedef int (*SSL_psk_use_session_cb_func)(SSL *ssl, const EVP_MD *md, - const unsigned char **id, - size_t *idlen, - SSL_SESSION **sess); + const unsigned char **id, + size_t *idlen, + SSL_SESSION **sess); void SSL_set_psk_find_session_callback(SSL *s, SSL_psk_find_session_cb_func cb); void SSL_CTX_set_psk_find_session_callback(SSL_CTX *ctx, - SSL_psk_find_session_cb_func cb); + SSL_psk_find_session_cb_func cb); void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb); void SSL_CTX_set_psk_use_session_callback(SSL_CTX *ctx, - SSL_psk_use_session_cb_func cb); + SSL_psk_use_session_cb_func cb); /* Register callbacks to handle custom TLS Extensions for client or server. 
*/ __owur int SSL_CTX_has_client_custom_ext(const SSL_CTX *ctx, - unsigned int ext_type); + unsigned int ext_type); __owur int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, - unsigned int ext_type, - custom_ext_add_cb add_cb, - custom_ext_free_cb free_cb, - void *add_arg, - custom_ext_parse_cb parse_cb, - void *parse_arg); + unsigned int ext_type, + custom_ext_add_cb add_cb, + custom_ext_free_cb free_cb, + void *add_arg, + custom_ext_parse_cb parse_cb, + void *parse_arg); __owur int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx, - unsigned int ext_type, - custom_ext_add_cb add_cb, - custom_ext_free_cb free_cb, - void *add_arg, - custom_ext_parse_cb parse_cb, - void *parse_arg); + unsigned int ext_type, + custom_ext_add_cb add_cb, + custom_ext_free_cb free_cb, + void *add_arg, + custom_ext_parse_cb parse_cb, + void *parse_arg); __owur int SSL_CTX_add_custom_ext(SSL_CTX *ctx, unsigned int ext_type, - unsigned int context, - SSL_custom_ext_add_cb_ex add_cb, - SSL_custom_ext_free_cb_ex free_cb, - void *add_arg, - SSL_custom_ext_parse_cb_ex parse_cb, - void *parse_arg); + unsigned int context, + SSL_custom_ext_add_cb_ex add_cb, + SSL_custom_ext_free_cb_ex free_cb, + void *add_arg, + SSL_custom_ext_parse_cb_ex parse_cb, + void *parse_arg); __owur int SSL_extension_supported(unsigned int ext_type); -# define SSL_NOTHING 1 -# define SSL_WRITING 2 -# define SSL_READING 3 -# define SSL_X509_LOOKUP 4 -# define SSL_ASYNC_PAUSED 5 -# define SSL_ASYNC_NO_JOBS 6 -# define SSL_CLIENT_HELLO_CB 7 -# define SSL_RETRY_VERIFY 8 +#define SSL_NOTHING 1 +#define SSL_WRITING 2 +#define SSL_READING 3 +#define SSL_X509_LOOKUP 4 +#define SSL_ASYNC_PAUSED 5 +#define SSL_ASYNC_NO_JOBS 6 +#define SSL_CLIENT_HELLO_CB 7 +#define SSL_RETRY_VERIFY 8 /* These will only be used when doing non-blocking IO */ -# define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING) -# define SSL_want_read(s) (SSL_want(s) == SSL_READING) -# define SSL_want_write(s) (SSL_want(s) == SSL_WRITING) -# define 
SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP) -# define SSL_want_retry_verify(s) (SSL_want(s) == SSL_RETRY_VERIFY) -# define SSL_want_async(s) (SSL_want(s) == SSL_ASYNC_PAUSED) -# define SSL_want_async_job(s) (SSL_want(s) == SSL_ASYNC_NO_JOBS) -# define SSL_want_client_hello_cb(s) (SSL_want(s) == SSL_CLIENT_HELLO_CB) - -# define SSL_MAC_FLAG_READ_MAC_STREAM 1 -# define SSL_MAC_FLAG_WRITE_MAC_STREAM 2 -# define SSL_MAC_FLAG_READ_MAC_TLSTREE 4 -# define SSL_MAC_FLAG_WRITE_MAC_TLSTREE 8 +#define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING) +#define SSL_want_read(s) (SSL_want(s) == SSL_READING) +#define SSL_want_write(s) (SSL_want(s) == SSL_WRITING) +#define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP) +#define SSL_want_retry_verify(s) (SSL_want(s) == SSL_RETRY_VERIFY) +#define SSL_want_async(s) (SSL_want(s) == SSL_ASYNC_PAUSED) +#define SSL_want_async_job(s) (SSL_want(s) == SSL_ASYNC_NO_JOBS) +#define SSL_want_client_hello_cb(s) (SSL_want(s) == SSL_CLIENT_HELLO_CB) + +#define SSL_MAC_FLAG_READ_MAC_STREAM 1 +#define SSL_MAC_FLAG_WRITE_MAC_STREAM 2 +#define SSL_MAC_FLAG_READ_MAC_TLSTREE 4 +#define SSL_MAC_FLAG_WRITE_MAC_TLSTREE 8 /* * A callback for logging out TLS key material. This callback should log out @@ -980,14 +982,14 @@ uint32_t SSL_get_recv_max_early_data(const SSL *s); } #endif -# include <openssl/ssl2.h> -# include <openssl/ssl3.h> -# include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */ -# include <openssl/dtls1.h> /* Datagram TLS */ -# include <openssl/srtp.h> /* Support for the use_srtp extension */ -# include <openssl/quic.h> +#include <openssl/ssl2.h> +#include <openssl/ssl3.h> +#include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */ +#include <openssl/dtls1.h> /* Datagram TLS */ +#include <openssl/srtp.h> /* Support for the use_srtp extension */ +#include <openssl/quic.h> -#ifdef __cplusplus +#ifdef __cplusplus extern "C" { #endif 
@@ -995,6 +997,7 @@ extern "C" {
  * These need to be after the above set of includes due to a compiler bug
  * in VisualStudio 2015
  */
+/* clang-format off */
 SKM_DEFINE_STACK_OF_INTERNAL(SSL_CIPHER, const SSL_CIPHER, SSL_CIPHER)
 #define sk_SSL_CIPHER_num(sk) OPENSSL_sk_num(ossl_check_const_SSL_CIPHER_sk_type(sk))
 #define sk_SSL_CIPHER_value(sk, idx) ((const SSL_CIPHER *)OPENSSL_sk_value(ossl_check_const_SSL_CIPHER_sk_type(sk), (idx)))
@@ -1022,26 +1025,27 @@ SKM_DEFINE_STACK_OF_INTERNAL(SSL_CIPHER, const SSL_CIPHER, SSL_CIPHER) #define sk_SSL_CIPHER_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(SSL_CIPHER) *)OPENSSL_sk_deep_copy(ossl_check_const_SSL_CIPHER_sk_type(sk), ossl_check_SSL_CIPHER_copyfunc_type(copyfunc), ossl_check_SSL_CIPHER_freefunc_type(freefunc))) #define sk_SSL_CIPHER_set_cmp_func(sk, cmp) ((sk_SSL_CIPHER_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_SSL_CIPHER_sk_type(sk), ossl_check_SSL_CIPHER_compfunc_type(cmp))) +/* clang-format on */ /* compatibility */ -# define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)(arg))) -# define SSL_get_app_data(s) (SSL_get_ex_data(s,0)) -# define SSL_SESSION_set_app_data(s,a) (SSL_SESSION_set_ex_data(s,0, \ - (char *)(a))) -# define SSL_SESSION_get_app_data(s) (SSL_SESSION_get_ex_data(s,0)) -# define SSL_CTX_get_app_data(ctx) (SSL_CTX_get_ex_data(ctx,0)) -# define SSL_CTX_set_app_data(ctx,arg) (SSL_CTX_set_ex_data(ctx,0, \ - (char *)(arg))) -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#define SSL_set_app_data(s, arg) (SSL_set_ex_data(s, 0, (char *)(arg))) +#define SSL_get_app_data(s) (SSL_get_ex_data(s, 0)) +#define SSL_SESSION_set_app_data(s, a) (SSL_SESSION_set_ex_data(s, 0, \ + (char *)(a))) +#define SSL_SESSION_get_app_data(s) (SSL_SESSION_get_ex_data(s, 0)) +#define SSL_CTX_get_app_data(ctx) (SSL_CTX_get_ex_data(ctx, 0)) +#define SSL_CTX_set_app_data(ctx, arg) (SSL_CTX_set_ex_data(ctx, 0, \ + (char *)(arg))) +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 OSSL_DEPRECATEDIN_1_1_0 void SSL_set_debug(SSL *s, int debug); -# endif +#endif /* TLSv1.3 KeyUpdate message types */ /* -1 used so that this is an invalid value for the on-the-wire protocol */ -#define SSL_KEY_UPDATE_NONE -1 +#define SSL_KEY_UPDATE_NONE -1 /* Values as defined for the on-the-wire protocol */ -#define SSL_KEY_UPDATE_NOT_REQUESTED 0 -#define SSL_KEY_UPDATE_REQUESTED 1 +#define SSL_KEY_UPDATE_NOT_REQUESTED 0 +#define SSL_KEY_UPDATE_REQUESTED 1 /* * The valid handshake states (one for 
each type message sent and one for each @@ -1120,28 +1124,28 @@ typedef enum { * SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP and SSL_CB_CONNECT_EXIT. */ -# define SSL_ST_CONNECT 0x1000 -# define SSL_ST_ACCEPT 0x2000 - -# define SSL_ST_MASK 0x0FFF - -# define SSL_CB_LOOP 0x01 -# define SSL_CB_EXIT 0x02 -# define SSL_CB_READ 0x04 -# define SSL_CB_WRITE 0x08 -# define SSL_CB_ALERT 0x4000/* used in callback */ -# define SSL_CB_READ_ALERT (SSL_CB_ALERT|SSL_CB_READ) -# define SSL_CB_WRITE_ALERT (SSL_CB_ALERT|SSL_CB_WRITE) -# define SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT|SSL_CB_LOOP) -# define SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT|SSL_CB_EXIT) -# define SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT|SSL_CB_LOOP) -# define SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT|SSL_CB_EXIT) -# define SSL_CB_HANDSHAKE_START 0x10 -# define SSL_CB_HANDSHAKE_DONE 0x20 +#define SSL_ST_CONNECT 0x1000 +#define SSL_ST_ACCEPT 0x2000 + +#define SSL_ST_MASK 0x0FFF + +#define SSL_CB_LOOP 0x01 +#define SSL_CB_EXIT 0x02 +#define SSL_CB_READ 0x04 +#define SSL_CB_WRITE 0x08 +#define SSL_CB_ALERT 0x4000 /* used in callback */ +#define SSL_CB_READ_ALERT (SSL_CB_ALERT | SSL_CB_READ) +#define SSL_CB_WRITE_ALERT (SSL_CB_ALERT | SSL_CB_WRITE) +#define SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT | SSL_CB_LOOP) +#define SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT | SSL_CB_EXIT) +#define SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT | SSL_CB_LOOP) +#define SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT | SSL_CB_EXIT) +#define SSL_CB_HANDSHAKE_START 0x10 +#define SSL_CB_HANDSHAKE_DONE 0x20 /* Is the SSL_connection established? */ -# define SSL_in_connect_init(a) (SSL_in_init(a) && !SSL_is_server(a)) -# define SSL_in_accept_init(a) (SSL_in_init(a) && SSL_is_server(a)) +#define SSL_in_connect_init(a) (SSL_in_init(a) && !SSL_is_server(a)) +#define SSL_in_accept_init(a) (SSL_in_init(a) && SSL_is_server(a)) int SSL_in_init(const SSL *s); int SSL_in_before(const SSL *s); int SSL_is_init_finished(const SSL *s); 
@@ -1150,9 +1154,9 @@ int SSL_is_init_finished(const SSL *s);
  * The following 3 states are kept in ssl->rlayer.rstate when reads fail, you
  * should not need these
  */
-# define SSL_ST_READ_HEADER 0xF0
-# define SSL_ST_READ_BODY 0xF1
-# define SSL_ST_READ_DONE 0xF2
+#define SSL_ST_READ_HEADER 0xF0
+#define SSL_ST_READ_BODY 0xF1
+#define SSL_ST_READ_DONE 0xF2
 
 /*-
  * Obtain latest Finished message
@@ -1167,408 +1171,408 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count); * use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 3 options are * 'ored' with SSL_VERIFY_PEER if they are desired */ -# define SSL_VERIFY_NONE 0x00 -# define SSL_VERIFY_PEER 0x01 -# define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02 -# define SSL_VERIFY_CLIENT_ONCE 0x04 -# define SSL_VERIFY_POST_HANDSHAKE 0x08 - -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# define OpenSSL_add_ssl_algorithms() SSL_library_init() -# define SSLeay_add_ssl_algorithms() SSL_library_init() -# endif +#define SSL_VERIFY_NONE 0x00 +#define SSL_VERIFY_PEER 0x01 +#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02 +#define SSL_VERIFY_CLIENT_ONCE 0x04 +#define SSL_VERIFY_POST_HANDSHAKE 0x08 + +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#define OpenSSL_add_ssl_algorithms() SSL_library_init() +#define SSLeay_add_ssl_algorithms() SSL_library_init() +#endif /* More backward compatibility */ -# define SSL_get_cipher(s) \ - SSL_CIPHER_get_name(SSL_get_current_cipher(s)) -# define SSL_get_cipher_bits(s,np) \ - SSL_CIPHER_get_bits(SSL_get_current_cipher(s),np) -# define SSL_get_cipher_version(s) \ - SSL_CIPHER_get_version(SSL_get_current_cipher(s)) -# define SSL_get_cipher_name(s) \ - SSL_CIPHER_get_name(SSL_get_current_cipher(s)) -# define SSL_get_time(a) SSL_SESSION_get_time(a) -# define SSL_set_time(a,b) SSL_SESSION_set_time((a),(b)) -# define SSL_get_timeout(a) SSL_SESSION_get_timeout(a) -# define SSL_set_timeout(a,b) SSL_SESSION_set_timeout((a),(b)) - -# define d2i_SSL_SESSION_bio(bp,s_id) ASN1_d2i_bio_of(SSL_SESSION,SSL_SESSION_new,d2i_SSL_SESSION,bp,s_id) -# define i2d_SSL_SESSION_bio(bp,s_id) ASN1_i2d_bio_of(SSL_SESSION,i2d_SSL_SESSION,bp,s_id) +#define SSL_get_cipher(s) \ + SSL_CIPHER_get_name(SSL_get_current_cipher(s)) +#define SSL_get_cipher_bits(s, np) \ + SSL_CIPHER_get_bits(SSL_get_current_cipher(s), np) +#define SSL_get_cipher_version(s) \ + SSL_CIPHER_get_version(SSL_get_current_cipher(s)) +#define 
SSL_get_cipher_name(s) \ + SSL_CIPHER_get_name(SSL_get_current_cipher(s)) +#define SSL_get_time(a) SSL_SESSION_get_time(a) +#define SSL_set_time(a, b) SSL_SESSION_set_time((a), (b)) +#define SSL_get_timeout(a) SSL_SESSION_get_timeout(a) +#define SSL_set_timeout(a, b) SSL_SESSION_set_timeout((a), (b)) + +#define d2i_SSL_SESSION_bio(bp, s_id) ASN1_d2i_bio_of(SSL_SESSION, SSL_SESSION_new, d2i_SSL_SESSION, bp, s_id) +#define i2d_SSL_SESSION_bio(bp, s_id) ASN1_i2d_bio_of(SSL_SESSION, i2d_SSL_SESSION, bp, s_id) DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) -# define SSL_AD_REASON_OFFSET 1000/* offset to get SSL_R_... value - * from SSL_AD_... */ +#define SSL_AD_REASON_OFFSET 1000 /* offset to get SSL_R_... value \ + * from SSL_AD_... */ /* These alert types are for SSLv3 and TLSv1 */ -# define SSL_AD_CLOSE_NOTIFY SSL3_AD_CLOSE_NOTIFY +#define SSL_AD_CLOSE_NOTIFY SSL3_AD_CLOSE_NOTIFY /* fatal */ -# define SSL_AD_UNEXPECTED_MESSAGE SSL3_AD_UNEXPECTED_MESSAGE +#define SSL_AD_UNEXPECTED_MESSAGE SSL3_AD_UNEXPECTED_MESSAGE /* fatal */ -# define SSL_AD_BAD_RECORD_MAC SSL3_AD_BAD_RECORD_MAC -# define SSL_AD_DECRYPTION_FAILED TLS1_AD_DECRYPTION_FAILED -# define SSL_AD_RECORD_OVERFLOW TLS1_AD_RECORD_OVERFLOW +#define SSL_AD_BAD_RECORD_MAC SSL3_AD_BAD_RECORD_MAC +#define SSL_AD_DECRYPTION_FAILED TLS1_AD_DECRYPTION_FAILED +#define SSL_AD_RECORD_OVERFLOW TLS1_AD_RECORD_OVERFLOW /* fatal */ -# define SSL_AD_DECOMPRESSION_FAILURE SSL3_AD_DECOMPRESSION_FAILURE +#define SSL_AD_DECOMPRESSION_FAILURE SSL3_AD_DECOMPRESSION_FAILURE /* fatal */ -# define SSL_AD_HANDSHAKE_FAILURE SSL3_AD_HANDSHAKE_FAILURE +#define SSL_AD_HANDSHAKE_FAILURE SSL3_AD_HANDSHAKE_FAILURE /* Not for TLS */ -# define SSL_AD_NO_CERTIFICATE SSL3_AD_NO_CERTIFICATE -# define SSL_AD_BAD_CERTIFICATE SSL3_AD_BAD_CERTIFICATE -# define SSL_AD_UNSUPPORTED_CERTIFICATE SSL3_AD_UNSUPPORTED_CERTIFICATE -# define SSL_AD_CERTIFICATE_REVOKED SSL3_AD_CERTIFICATE_REVOKED -# define SSL_AD_CERTIFICATE_EXPIRED SSL3_AD_CERTIFICATE_EXPIRED -# 
define SSL_AD_CERTIFICATE_UNKNOWN SSL3_AD_CERTIFICATE_UNKNOWN +#define SSL_AD_NO_CERTIFICATE SSL3_AD_NO_CERTIFICATE +#define SSL_AD_BAD_CERTIFICATE SSL3_AD_BAD_CERTIFICATE +#define SSL_AD_UNSUPPORTED_CERTIFICATE SSL3_AD_UNSUPPORTED_CERTIFICATE +#define SSL_AD_CERTIFICATE_REVOKED SSL3_AD_CERTIFICATE_REVOKED +#define SSL_AD_CERTIFICATE_EXPIRED SSL3_AD_CERTIFICATE_EXPIRED +#define SSL_AD_CERTIFICATE_UNKNOWN SSL3_AD_CERTIFICATE_UNKNOWN /* fatal */ -# define SSL_AD_ILLEGAL_PARAMETER SSL3_AD_ILLEGAL_PARAMETER +#define SSL_AD_ILLEGAL_PARAMETER SSL3_AD_ILLEGAL_PARAMETER /* fatal */ -# define SSL_AD_UNKNOWN_CA TLS1_AD_UNKNOWN_CA +#define SSL_AD_UNKNOWN_CA TLS1_AD_UNKNOWN_CA /* fatal */ -# define SSL_AD_ACCESS_DENIED TLS1_AD_ACCESS_DENIED +#define SSL_AD_ACCESS_DENIED TLS1_AD_ACCESS_DENIED /* fatal */ -# define SSL_AD_DECODE_ERROR TLS1_AD_DECODE_ERROR -# define SSL_AD_DECRYPT_ERROR TLS1_AD_DECRYPT_ERROR +#define SSL_AD_DECODE_ERROR TLS1_AD_DECODE_ERROR +#define SSL_AD_DECRYPT_ERROR TLS1_AD_DECRYPT_ERROR /* fatal */ -# define SSL_AD_EXPORT_RESTRICTION TLS1_AD_EXPORT_RESTRICTION +#define SSL_AD_EXPORT_RESTRICTION TLS1_AD_EXPORT_RESTRICTION /* fatal */ -# define SSL_AD_PROTOCOL_VERSION TLS1_AD_PROTOCOL_VERSION +#define SSL_AD_PROTOCOL_VERSION TLS1_AD_PROTOCOL_VERSION /* fatal */ -# define SSL_AD_INSUFFICIENT_SECURITY TLS1_AD_INSUFFICIENT_SECURITY +#define SSL_AD_INSUFFICIENT_SECURITY TLS1_AD_INSUFFICIENT_SECURITY /* fatal */ -# define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR -# define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED -# define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION -# define SSL_AD_MISSING_EXTENSION TLS13_AD_MISSING_EXTENSION -# define SSL_AD_CERTIFICATE_REQUIRED TLS13_AD_CERTIFICATE_REQUIRED -# define SSL_AD_UNSUPPORTED_EXTENSION TLS1_AD_UNSUPPORTED_EXTENSION -# define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE -# define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME -# define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE 
TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE -# define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE +#define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR +#define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED +#define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION +#define SSL_AD_MISSING_EXTENSION TLS13_AD_MISSING_EXTENSION +#define SSL_AD_CERTIFICATE_REQUIRED TLS13_AD_CERTIFICATE_REQUIRED +#define SSL_AD_UNSUPPORTED_EXTENSION TLS1_AD_UNSUPPORTED_EXTENSION +#define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE +#define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME +#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE +#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE /* fatal */ -# define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY +#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */ -# define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK -# define SSL_AD_NO_APPLICATION_PROTOCOL TLS1_AD_NO_APPLICATION_PROTOCOL -# define SSL_ERROR_NONE 0 -# define SSL_ERROR_SSL 1 -# define SSL_ERROR_WANT_READ 2 -# define SSL_ERROR_WANT_WRITE 3 -# define SSL_ERROR_WANT_X509_LOOKUP 4 -# define SSL_ERROR_SYSCALL 5/* look at error stack/return - * value/errno */ -# define SSL_ERROR_ZERO_RETURN 6 -# define SSL_ERROR_WANT_CONNECT 7 -# define SSL_ERROR_WANT_ACCEPT 8 -# define SSL_ERROR_WANT_ASYNC 9 -# define SSL_ERROR_WANT_ASYNC_JOB 10 -# define SSL_ERROR_WANT_CLIENT_HELLO_CB 11 -# define SSL_ERROR_WANT_RETRY_VERIFY 12 - -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define SSL_CTRL_SET_TMP_DH 3 -# define SSL_CTRL_SET_TMP_ECDH 4 -# define SSL_CTRL_SET_TMP_DH_CB 6 -# endif - -# define SSL_CTRL_GET_CLIENT_CERT_REQUEST 9 -# define SSL_CTRL_GET_NUM_RENEGOTIATIONS 10 -# define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 11 -# define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 12 -# define SSL_CTRL_GET_FLAGS 13 -# define SSL_CTRL_EXTRA_CHAIN_CERT 14 -# define 
SSL_CTRL_SET_MSG_CALLBACK 15 -# define SSL_CTRL_SET_MSG_CALLBACK_ARG 16 +#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK +#define SSL_AD_NO_APPLICATION_PROTOCOL TLS1_AD_NO_APPLICATION_PROTOCOL +#define SSL_ERROR_NONE 0 +#define SSL_ERROR_SSL 1 +#define SSL_ERROR_WANT_READ 2 +#define SSL_ERROR_WANT_WRITE 3 +#define SSL_ERROR_WANT_X509_LOOKUP 4 +#define SSL_ERROR_SYSCALL 5 /* look at error stack/return \ + * value/errno */ +#define SSL_ERROR_ZERO_RETURN 6 +#define SSL_ERROR_WANT_CONNECT 7 +#define SSL_ERROR_WANT_ACCEPT 8 +#define SSL_ERROR_WANT_ASYNC 9 +#define SSL_ERROR_WANT_ASYNC_JOB 10 +#define SSL_ERROR_WANT_CLIENT_HELLO_CB 11 +#define SSL_ERROR_WANT_RETRY_VERIFY 12 + +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define SSL_CTRL_SET_TMP_DH 3 +#define SSL_CTRL_SET_TMP_ECDH 4 +#define SSL_CTRL_SET_TMP_DH_CB 6 +#endif + +#define SSL_CTRL_GET_CLIENT_CERT_REQUEST 9 +#define SSL_CTRL_GET_NUM_RENEGOTIATIONS 10 +#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 11 +#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 12 +#define SSL_CTRL_GET_FLAGS 13 +#define SSL_CTRL_EXTRA_CHAIN_CERT 14 +#define SSL_CTRL_SET_MSG_CALLBACK 15 +#define SSL_CTRL_SET_MSG_CALLBACK_ARG 16 /* only applies to datagram connections */ -# define SSL_CTRL_SET_MTU 17 +#define SSL_CTRL_SET_MTU 17 /* Stats */ -# define SSL_CTRL_SESS_NUMBER 20 -# define SSL_CTRL_SESS_CONNECT 21 -# define SSL_CTRL_SESS_CONNECT_GOOD 22 -# define SSL_CTRL_SESS_CONNECT_RENEGOTIATE 23 -# define SSL_CTRL_SESS_ACCEPT 24 -# define SSL_CTRL_SESS_ACCEPT_GOOD 25 -# define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE 26 -# define SSL_CTRL_SESS_HIT 27 -# define SSL_CTRL_SESS_CB_HIT 28 -# define SSL_CTRL_SESS_MISSES 29 -# define SSL_CTRL_SESS_TIMEOUTS 30 -# define SSL_CTRL_SESS_CACHE_FULL 31 -# define SSL_CTRL_MODE 33 -# define SSL_CTRL_GET_READ_AHEAD 40 -# define SSL_CTRL_SET_READ_AHEAD 41 -# define SSL_CTRL_SET_SESS_CACHE_SIZE 42 -# define SSL_CTRL_GET_SESS_CACHE_SIZE 43 -# define SSL_CTRL_SET_SESS_CACHE_MODE 44 -# define SSL_CTRL_GET_SESS_CACHE_MODE 
45 -# define SSL_CTRL_GET_MAX_CERT_LIST 50 -# define SSL_CTRL_SET_MAX_CERT_LIST 51 -# define SSL_CTRL_SET_MAX_SEND_FRAGMENT 52 +#define SSL_CTRL_SESS_NUMBER 20 +#define SSL_CTRL_SESS_CONNECT 21 +#define SSL_CTRL_SESS_CONNECT_GOOD 22 +#define SSL_CTRL_SESS_CONNECT_RENEGOTIATE 23 +#define SSL_CTRL_SESS_ACCEPT 24 +#define SSL_CTRL_SESS_ACCEPT_GOOD 25 +#define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE 26 +#define SSL_CTRL_SESS_HIT 27 +#define SSL_CTRL_SESS_CB_HIT 28 +#define SSL_CTRL_SESS_MISSES 29 +#define SSL_CTRL_SESS_TIMEOUTS 30 +#define SSL_CTRL_SESS_CACHE_FULL 31 +#define SSL_CTRL_MODE 33 +#define SSL_CTRL_GET_READ_AHEAD 40 +#define SSL_CTRL_SET_READ_AHEAD 41 +#define SSL_CTRL_SET_SESS_CACHE_SIZE 42 +#define SSL_CTRL_GET_SESS_CACHE_SIZE 43 +#define SSL_CTRL_SET_SESS_CACHE_MODE 44 +#define SSL_CTRL_GET_SESS_CACHE_MODE 45 +#define SSL_CTRL_GET_MAX_CERT_LIST 50 +#define SSL_CTRL_SET_MAX_CERT_LIST 51 +#define SSL_CTRL_SET_MAX_SEND_FRAGMENT 52 /* see tls1.h for macros based on these */ -# define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53 -# define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54 -# define SSL_CTRL_SET_TLSEXT_HOSTNAME 55 -# define SSL_CTRL_SET_TLSEXT_DEBUG_CB 56 -# define SSL_CTRL_SET_TLSEXT_DEBUG_ARG 57 -# define SSL_CTRL_GET_TLSEXT_TICKET_KEYS 58 -# define SSL_CTRL_SET_TLSEXT_TICKET_KEYS 59 +#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53 +#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54 +#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55 +#define SSL_CTRL_SET_TLSEXT_DEBUG_CB 56 +#define SSL_CTRL_SET_TLSEXT_DEBUG_ARG 57 +#define SSL_CTRL_GET_TLSEXT_TICKET_KEYS 58 +#define SSL_CTRL_SET_TLSEXT_TICKET_KEYS 59 /*# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT 60 */ /*# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB 61 */ /*# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG 62 */ -# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB 63 -# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG 64 -# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE 65 -# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS 66 -# define 
SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS 67 -# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS 68 -# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS 69 -# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP 70 -# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP 71 -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72 -# endif -# define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB 75 -# define SSL_CTRL_SET_SRP_VERIFY_PARAM_CB 76 -# define SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB 77 -# define SSL_CTRL_SET_SRP_ARG 78 -# define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME 79 -# define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH 80 -# define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD 81 -# define DTLS_CTRL_GET_TIMEOUT 73 -# define DTLS_CTRL_HANDLE_TIMEOUT 74 -# define SSL_CTRL_GET_RI_SUPPORT 76 -# define SSL_CTRL_CLEAR_MODE 78 -# define SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB 79 -# define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82 -# define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83 -# define SSL_CTRL_CHAIN 88 -# define SSL_CTRL_CHAIN_CERT 89 -# define SSL_CTRL_GET_GROUPS 90 -# define SSL_CTRL_SET_GROUPS 91 -# define SSL_CTRL_SET_GROUPS_LIST 92 -# define SSL_CTRL_GET_SHARED_GROUP 93 -# define SSL_CTRL_SET_SIGALGS 97 -# define SSL_CTRL_SET_SIGALGS_LIST 98 -# define SSL_CTRL_CERT_FLAGS 99 -# define SSL_CTRL_CLEAR_CERT_FLAGS 100 -# define SSL_CTRL_SET_CLIENT_SIGALGS 101 -# define SSL_CTRL_SET_CLIENT_SIGALGS_LIST 102 -# define SSL_CTRL_GET_CLIENT_CERT_TYPES 103 -# define SSL_CTRL_SET_CLIENT_CERT_TYPES 104 -# define SSL_CTRL_BUILD_CERT_CHAIN 105 -# define SSL_CTRL_SET_VERIFY_CERT_STORE 106 -# define SSL_CTRL_SET_CHAIN_CERT_STORE 107 -# define SSL_CTRL_GET_PEER_SIGNATURE_NID 108 -# define SSL_CTRL_GET_PEER_TMP_KEY 109 -# define SSL_CTRL_GET_RAW_CIPHERLIST 110 -# define SSL_CTRL_GET_EC_POINT_FORMATS 111 -# define SSL_CTRL_GET_CHAIN_CERTS 115 -# define SSL_CTRL_SELECT_CURRENT_CERT 116 -# define SSL_CTRL_SET_CURRENT_CERT 117 -# define SSL_CTRL_SET_DH_AUTO 118 -# define DTLS_CTRL_SET_LINK_MTU 120 -# define DTLS_CTRL_GET_LINK_MIN_MTU 
121 -# define SSL_CTRL_GET_EXTMS_SUPPORT 122 -# define SSL_CTRL_SET_MIN_PROTO_VERSION 123 -# define SSL_CTRL_SET_MAX_PROTO_VERSION 124 -# define SSL_CTRL_SET_SPLIT_SEND_FRAGMENT 125 -# define SSL_CTRL_SET_MAX_PIPELINES 126 -# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE 127 -# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128 -# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129 -# define SSL_CTRL_GET_MIN_PROTO_VERSION 130 -# define SSL_CTRL_GET_MAX_PROTO_VERSION 131 -# define SSL_CTRL_GET_SIGNATURE_NID 132 -# define SSL_CTRL_GET_TMP_KEY 133 -# define SSL_CTRL_GET_NEGOTIATED_GROUP 134 -# define SSL_CTRL_GET_IANA_GROUPS 135 -# define SSL_CTRL_SET_RETRY_VERIFY 136 -# define SSL_CTRL_GET_VERIFY_CERT_STORE 137 -# define SSL_CTRL_GET_CHAIN_CERT_STORE 138 -# define SSL_CTRL_GET0_IMPLEMENTED_GROUPS 139 -# define SSL_CTRL_GET_SIGNATURE_NAME 140 -# define SSL_CTRL_GET_PEER_SIGNATURE_NAME 141 -# define SSL_CERT_SET_FIRST 1 -# define SSL_CERT_SET_NEXT 2 -# define SSL_CERT_SET_SERVER 3 -# define DTLSv1_get_timeout(ssl, arg) \ - SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)(arg)) -# define DTLSv1_handle_timeout(ssl) \ - SSL_ctrl(ssl,DTLS_CTRL_HANDLE_TIMEOUT,0, NULL) -# define SSL_num_renegotiations(ssl) \ - SSL_ctrl((ssl),SSL_CTRL_GET_NUM_RENEGOTIATIONS,0,NULL) -# define SSL_clear_num_renegotiations(ssl) \ - SSL_ctrl((ssl),SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS,0,NULL) -# define SSL_total_renegotiations(ssl) \ - SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL) -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define SSL_CTX_set_tmp_dh(ctx,dh) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)(dh)) -# endif -# define SSL_CTX_set_dh_auto(ctx, onoff) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_DH_AUTO,onoff,NULL) -# define SSL_set_dh_auto(s, onoff) \ - SSL_ctrl(s,SSL_CTRL_SET_DH_AUTO,onoff,NULL) -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define SSL_set_tmp_dh(ssl,dh) \ - SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)(dh)) -# endif -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \ - 
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)(ecdh)) -# define SSL_set_tmp_ecdh(ssl,ecdh) \ - SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)(ecdh)) -# endif -# define SSL_CTX_add_extra_chain_cert(ctx,x509) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)(x509)) -# define SSL_CTX_get_extra_chain_certs(ctx,px509) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,0,px509) -# define SSL_CTX_get_extra_chain_certs_only(ctx,px509) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,1,px509) -# define SSL_CTX_clear_extra_chain_certs(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL) -# define SSL_CTX_set0_chain(ctx,sk) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_CHAIN,0,(char *)(sk)) -# define SSL_CTX_set1_chain(ctx,sk) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_CHAIN,1,(char *)(sk)) -# define SSL_CTX_add0_chain_cert(ctx,x509) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_CHAIN_CERT,0,(char *)(x509)) -# define SSL_CTX_add1_chain_cert(ctx,x509) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_CHAIN_CERT,1,(char *)(x509)) -# define SSL_CTX_get0_chain_certs(ctx,px509) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_GET_CHAIN_CERTS,0,px509) -# define SSL_CTX_clear_chain_certs(ctx) \ - SSL_CTX_set0_chain(ctx,NULL) -# define SSL_CTX_build_cert_chain(ctx, flags) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_BUILD_CERT_CHAIN, flags, NULL) -# define SSL_CTX_select_current_cert(ctx,x509) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SELECT_CURRENT_CERT,0,(char *)(x509)) -# define SSL_CTX_set_current_cert(ctx, op) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CURRENT_CERT, op, NULL) -# define SSL_CTX_set0_verify_cert_store(ctx,st) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)(st)) -# define SSL_CTX_set1_verify_cert_store(ctx,st) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_VERIFY_CERT_STORE,1,(char *)(st)) -# define SSL_CTX_get0_verify_cert_store(ctx,st) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_GET_VERIFY_CERT_STORE,0,(char *)(st)) -# define SSL_CTX_set0_chain_cert_store(ctx,st) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)(st)) -# define 
SSL_CTX_set1_chain_cert_store(ctx,st) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)(st)) -# define SSL_CTX_get0_chain_cert_store(ctx,st) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_GET_CHAIN_CERT_STORE,0,(char *)(st)) -# define SSL_set0_chain(s,sk) \ - SSL_ctrl(s,SSL_CTRL_CHAIN,0,(char *)(sk)) -# define SSL_set1_chain(s,sk) \ - SSL_ctrl(s,SSL_CTRL_CHAIN,1,(char *)(sk)) -# define SSL_add0_chain_cert(s,x509) \ - SSL_ctrl(s,SSL_CTRL_CHAIN_CERT,0,(char *)(x509)) -# define SSL_add1_chain_cert(s,x509) \ - SSL_ctrl(s,SSL_CTRL_CHAIN_CERT,1,(char *)(x509)) -# define SSL_get0_chain_certs(s,px509) \ - SSL_ctrl(s,SSL_CTRL_GET_CHAIN_CERTS,0,px509) -# define SSL_clear_chain_certs(s) \ - SSL_set0_chain(s,NULL) -# define SSL_build_cert_chain(s, flags) \ - SSL_ctrl(s,SSL_CTRL_BUILD_CERT_CHAIN, flags, NULL) -# define SSL_select_current_cert(s,x509) \ - SSL_ctrl(s,SSL_CTRL_SELECT_CURRENT_CERT,0,(char *)(x509)) -# define SSL_set_current_cert(s,op) \ - SSL_ctrl(s,SSL_CTRL_SET_CURRENT_CERT, op, NULL) -# define SSL_set0_verify_cert_store(s,st) \ - SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)(st)) -# define SSL_set1_verify_cert_store(s,st) \ - SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,1,(char *)(st)) -#define SSL_get0_verify_cert_store(s,st) \ - SSL_ctrl(s,SSL_CTRL_GET_VERIFY_CERT_STORE,0,(char *)(st)) -# define SSL_set0_chain_cert_store(s,st) \ - SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)(st)) -# define SSL_set1_chain_cert_store(s,st) \ - SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)(st)) -#define SSL_get0_chain_cert_store(s,st) \ - SSL_ctrl(s,SSL_CTRL_GET_CHAIN_CERT_STORE,0,(char *)(st)) - -# define SSL_get1_groups(s, glist) \ - SSL_ctrl(s,SSL_CTRL_GET_GROUPS,0,(int*)(glist)) -# define SSL_get0_iana_groups(s, plst) \ - SSL_ctrl(s,SSL_CTRL_GET_IANA_GROUPS,0,(uint16_t **)(plst)) -# define SSL_CTX_set1_groups(ctx, glist, glistlen) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS,glistlen,(int *)(glist)) -# define SSL_CTX_set1_groups_list(ctx, s) \ - 
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS_LIST,0,(char *)(s)) -# define SSL_CTX_get0_implemented_groups(ctx, all, out) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_GET0_IMPLEMENTED_GROUPS, all, \ +#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB 63 +#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG 64 +#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE 65 +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS 66 +#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS 67 +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS 68 +#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS 69 +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP 70 +#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP 71 +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72 +#endif +#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB 75 +#define SSL_CTRL_SET_SRP_VERIFY_PARAM_CB 76 +#define SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB 77 +#define SSL_CTRL_SET_SRP_ARG 78 +#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME 79 +#define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH 80 +#define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD 81 +#define DTLS_CTRL_GET_TIMEOUT 73 +#define DTLS_CTRL_HANDLE_TIMEOUT 74 +#define SSL_CTRL_GET_RI_SUPPORT 76 +#define SSL_CTRL_CLEAR_MODE 78 +#define SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB 79 +#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82 +#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83 +#define SSL_CTRL_CHAIN 88 +#define SSL_CTRL_CHAIN_CERT 89 +#define SSL_CTRL_GET_GROUPS 90 +#define SSL_CTRL_SET_GROUPS 91 +#define SSL_CTRL_SET_GROUPS_LIST 92 +#define SSL_CTRL_GET_SHARED_GROUP 93 +#define SSL_CTRL_SET_SIGALGS 97 +#define SSL_CTRL_SET_SIGALGS_LIST 98 +#define SSL_CTRL_CERT_FLAGS 99 +#define SSL_CTRL_CLEAR_CERT_FLAGS 100 +#define SSL_CTRL_SET_CLIENT_SIGALGS 101 +#define SSL_CTRL_SET_CLIENT_SIGALGS_LIST 102 +#define SSL_CTRL_GET_CLIENT_CERT_TYPES 103 +#define SSL_CTRL_SET_CLIENT_CERT_TYPES 104 +#define SSL_CTRL_BUILD_CERT_CHAIN 105 +#define SSL_CTRL_SET_VERIFY_CERT_STORE 106 +#define SSL_CTRL_SET_CHAIN_CERT_STORE 107 +#define SSL_CTRL_GET_PEER_SIGNATURE_NID 108 +#define 
SSL_CTRL_GET_PEER_TMP_KEY 109 +#define SSL_CTRL_GET_RAW_CIPHERLIST 110 +#define SSL_CTRL_GET_EC_POINT_FORMATS 111 +#define SSL_CTRL_GET_CHAIN_CERTS 115 +#define SSL_CTRL_SELECT_CURRENT_CERT 116 +#define SSL_CTRL_SET_CURRENT_CERT 117 +#define SSL_CTRL_SET_DH_AUTO 118 +#define DTLS_CTRL_SET_LINK_MTU 120 +#define DTLS_CTRL_GET_LINK_MIN_MTU 121 +#define SSL_CTRL_GET_EXTMS_SUPPORT 122 +#define SSL_CTRL_SET_MIN_PROTO_VERSION 123 +#define SSL_CTRL_SET_MAX_PROTO_VERSION 124 +#define SSL_CTRL_SET_SPLIT_SEND_FRAGMENT 125 +#define SSL_CTRL_SET_MAX_PIPELINES 126 +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE 127 +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128 +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129 +#define SSL_CTRL_GET_MIN_PROTO_VERSION 130 +#define SSL_CTRL_GET_MAX_PROTO_VERSION 131 +#define SSL_CTRL_GET_SIGNATURE_NID 132 +#define SSL_CTRL_GET_TMP_KEY 133 +#define SSL_CTRL_GET_NEGOTIATED_GROUP 134 +#define SSL_CTRL_GET_IANA_GROUPS 135 +#define SSL_CTRL_SET_RETRY_VERIFY 136 +#define SSL_CTRL_GET_VERIFY_CERT_STORE 137 +#define SSL_CTRL_GET_CHAIN_CERT_STORE 138 +#define SSL_CTRL_GET0_IMPLEMENTED_GROUPS 139 +#define SSL_CTRL_GET_SIGNATURE_NAME 140 +#define SSL_CTRL_GET_PEER_SIGNATURE_NAME 141 +#define SSL_CERT_SET_FIRST 1 +#define SSL_CERT_SET_NEXT 2 +#define SSL_CERT_SET_SERVER 3 +#define DTLSv1_get_timeout(ssl, arg) \ + SSL_ctrl(ssl, DTLS_CTRL_GET_TIMEOUT, 0, (void *)(arg)) +#define DTLSv1_handle_timeout(ssl) \ + SSL_ctrl(ssl, DTLS_CTRL_HANDLE_TIMEOUT, 0, NULL) +#define SSL_num_renegotiations(ssl) \ + SSL_ctrl((ssl), SSL_CTRL_GET_NUM_RENEGOTIATIONS, 0, NULL) +#define SSL_clear_num_renegotiations(ssl) \ + SSL_ctrl((ssl), SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS, 0, NULL) +#define SSL_total_renegotiations(ssl) \ + SSL_ctrl((ssl), SSL_CTRL_GET_TOTAL_RENEGOTIATIONS, 0, NULL) +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define SSL_CTX_set_tmp_dh(ctx, dh) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, 0, (char *)(dh)) +#endif +#define SSL_CTX_set_dh_auto(ctx, onoff) \ + SSL_CTX_ctrl(ctx, 
SSL_CTRL_SET_DH_AUTO, onoff, NULL) +#define SSL_set_dh_auto(s, onoff) \ + SSL_ctrl(s, SSL_CTRL_SET_DH_AUTO, onoff, NULL) +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define SSL_set_tmp_dh(ssl, dh) \ + SSL_ctrl(ssl, SSL_CTRL_SET_TMP_DH, 0, (char *)(dh)) +#endif +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define SSL_CTX_set_tmp_ecdh(ctx, ecdh) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH, 0, (char *)(ecdh)) +#define SSL_set_tmp_ecdh(ssl, ecdh) \ + SSL_ctrl(ssl, SSL_CTRL_SET_TMP_ECDH, 0, (char *)(ecdh)) +#endif +#define SSL_CTX_add_extra_chain_cert(ctx, x509) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, (char *)(x509)) +#define SSL_CTX_get_extra_chain_certs(ctx, px509) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_GET_EXTRA_CHAIN_CERTS, 0, px509) +#define SSL_CTX_get_extra_chain_certs_only(ctx, px509) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_GET_EXTRA_CHAIN_CERTS, 1, px509) +#define SSL_CTX_clear_extra_chain_certs(ctx) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS, 0, NULL) +#define SSL_CTX_set0_chain(ctx, sk) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_CHAIN, 0, (char *)(sk)) +#define SSL_CTX_set1_chain(ctx, sk) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_CHAIN, 1, (char *)(sk)) +#define SSL_CTX_add0_chain_cert(ctx, x509) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_CHAIN_CERT, 0, (char *)(x509)) +#define SSL_CTX_add1_chain_cert(ctx, x509) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_CHAIN_CERT, 1, (char *)(x509)) +#define SSL_CTX_get0_chain_certs(ctx, px509) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_GET_CHAIN_CERTS, 0, px509) +#define SSL_CTX_clear_chain_certs(ctx) \ + SSL_CTX_set0_chain(ctx, NULL) +#define SSL_CTX_build_cert_chain(ctx, flags) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_BUILD_CERT_CHAIN, flags, NULL) +#define SSL_CTX_select_current_cert(ctx, x509) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SELECT_CURRENT_CERT, 0, (char *)(x509)) +#define SSL_CTX_set_current_cert(ctx, op) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_CURRENT_CERT, op, NULL) +#define SSL_CTX_set0_verify_cert_store(ctx, st) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_VERIFY_CERT_STORE, 0, (char *)(st)) +#define 
SSL_CTX_set1_verify_cert_store(ctx, st) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_VERIFY_CERT_STORE, 1, (char *)(st)) +#define SSL_CTX_get0_verify_cert_store(ctx, st) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_GET_VERIFY_CERT_STORE, 0, (char *)(st)) +#define SSL_CTX_set0_chain_cert_store(ctx, st) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_CHAIN_CERT_STORE, 0, (char *)(st)) +#define SSL_CTX_set1_chain_cert_store(ctx, st) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_CHAIN_CERT_STORE, 1, (char *)(st)) +#define SSL_CTX_get0_chain_cert_store(ctx, st) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_GET_CHAIN_CERT_STORE, 0, (char *)(st)) +#define SSL_set0_chain(s, sk) \ + SSL_ctrl(s, SSL_CTRL_CHAIN, 0, (char *)(sk)) +#define SSL_set1_chain(s, sk) \ + SSL_ctrl(s, SSL_CTRL_CHAIN, 1, (char *)(sk)) +#define SSL_add0_chain_cert(s, x509) \ + SSL_ctrl(s, SSL_CTRL_CHAIN_CERT, 0, (char *)(x509)) +#define SSL_add1_chain_cert(s, x509) \ + SSL_ctrl(s, SSL_CTRL_CHAIN_CERT, 1, (char *)(x509)) +#define SSL_get0_chain_certs(s, px509) \ + SSL_ctrl(s, SSL_CTRL_GET_CHAIN_CERTS, 0, px509) +#define SSL_clear_chain_certs(s) \ + SSL_set0_chain(s, NULL) +#define SSL_build_cert_chain(s, flags) \ + SSL_ctrl(s, SSL_CTRL_BUILD_CERT_CHAIN, flags, NULL) +#define SSL_select_current_cert(s, x509) \ + SSL_ctrl(s, SSL_CTRL_SELECT_CURRENT_CERT, 0, (char *)(x509)) +#define SSL_set_current_cert(s, op) \ + SSL_ctrl(s, SSL_CTRL_SET_CURRENT_CERT, op, NULL) +#define SSL_set0_verify_cert_store(s, st) \ + SSL_ctrl(s, SSL_CTRL_SET_VERIFY_CERT_STORE, 0, (char *)(st)) +#define SSL_set1_verify_cert_store(s, st) \ + SSL_ctrl(s, SSL_CTRL_SET_VERIFY_CERT_STORE, 1, (char *)(st)) +#define SSL_get0_verify_cert_store(s, st) \ + SSL_ctrl(s, SSL_CTRL_GET_VERIFY_CERT_STORE, 0, (char *)(st)) +#define SSL_set0_chain_cert_store(s, st) \ + SSL_ctrl(s, SSL_CTRL_SET_CHAIN_CERT_STORE, 0, (char *)(st)) +#define SSL_set1_chain_cert_store(s, st) \ + SSL_ctrl(s, SSL_CTRL_SET_CHAIN_CERT_STORE, 1, (char *)(st)) +#define SSL_get0_chain_cert_store(s, st) \ + SSL_ctrl(s, 
SSL_CTRL_GET_CHAIN_CERT_STORE, 0, (char *)(st)) + +#define SSL_get1_groups(s, glist) \ + SSL_ctrl(s, SSL_CTRL_GET_GROUPS, 0, (int *)(glist)) +#define SSL_get0_iana_groups(s, plst) \ + SSL_ctrl(s, SSL_CTRL_GET_IANA_GROUPS, 0, (uint16_t **)(plst)) +#define SSL_CTX_set1_groups(ctx, glist, glistlen) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_GROUPS, glistlen, (int *)(glist)) +#define SSL_CTX_set1_groups_list(ctx, s) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_GROUPS_LIST, 0, (char *)(s)) +#define SSL_CTX_get0_implemented_groups(ctx, all, out) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_GET0_IMPLEMENTED_GROUPS, all, \ (STACK_OF(OPENSSL_CSTRING) *)(out)) -# define SSL_set1_groups(s, glist, glistlen) \ - SSL_ctrl(s,SSL_CTRL_SET_GROUPS,glistlen,(char *)(glist)) -# define SSL_set1_groups_list(s, str) \ - SSL_ctrl(s,SSL_CTRL_SET_GROUPS_LIST,0,(char *)(str)) -# define SSL_get_shared_group(s, n) \ - SSL_ctrl(s,SSL_CTRL_GET_SHARED_GROUP,n,NULL) -# define SSL_get_negotiated_group(s) \ - SSL_ctrl(s,SSL_CTRL_GET_NEGOTIATED_GROUP,0,NULL) -# define SSL_CTX_set1_sigalgs(ctx, slist, slistlen) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SIGALGS,slistlen,(int *)(slist)) -# define SSL_CTX_set1_sigalgs_list(ctx, s) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)(s)) -# define SSL_set1_sigalgs(s, slist, slistlen) \ - SSL_ctrl(s,SSL_CTRL_SET_SIGALGS,slistlen,(int *)(slist)) -# define SSL_set1_sigalgs_list(s, str) \ - SSL_ctrl(s,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)(str)) -# define SSL_CTX_set1_client_sigalgs(ctx, slist, slistlen) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS,slistlen,(int *)(slist)) -# define SSL_CTX_set1_client_sigalgs_list(ctx, s) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)(s)) -# define SSL_set1_client_sigalgs(s, slist, slistlen) \ - SSL_ctrl(s,SSL_CTRL_SET_CLIENT_SIGALGS,slistlen,(int *)(slist)) -# define SSL_set1_client_sigalgs_list(s, str) \ - SSL_ctrl(s,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)(str)) -# define SSL_get0_certificate_types(s, clist) \ - SSL_ctrl(s, 
SSL_CTRL_GET_CLIENT_CERT_TYPES, 0, (char *)(clist)) -# define SSL_CTX_set1_client_certificate_types(ctx, clist, clistlen) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_CERT_TYPES,clistlen, \ - (char *)(clist)) -# define SSL_set1_client_certificate_types(s, clist, clistlen) \ - SSL_ctrl(s,SSL_CTRL_SET_CLIENT_CERT_TYPES,clistlen,(char *)(clist)) -# define SSL_get0_signature_name(s, str) \ - SSL_ctrl(s,SSL_CTRL_GET_SIGNATURE_NAME,0,(1?(str):(const char **)NULL)) -# define SSL_get_signature_nid(s, pn) \ - SSL_ctrl(s,SSL_CTRL_GET_SIGNATURE_NID,0,pn) -# define SSL_get0_peer_signature_name(s, str) \ - SSL_ctrl(s,SSL_CTRL_GET_PEER_SIGNATURE_NAME,0,(1?(str):(const char **)NULL)) -# define SSL_get_peer_signature_nid(s, pn) \ - SSL_ctrl(s,SSL_CTRL_GET_PEER_SIGNATURE_NID,0,pn) -# define SSL_get_peer_tmp_key(s, pk) \ - SSL_ctrl(s,SSL_CTRL_GET_PEER_TMP_KEY,0,pk) -# define SSL_get_tmp_key(s, pk) \ - SSL_ctrl(s,SSL_CTRL_GET_TMP_KEY,0,pk) -# define SSL_get0_raw_cipherlist(s, plst) \ - SSL_ctrl(s,SSL_CTRL_GET_RAW_CIPHERLIST,0,plst) -# define SSL_get0_ec_point_formats(s, plst) \ - SSL_ctrl(s,SSL_CTRL_GET_EC_POINT_FORMATS,0,plst) -# define SSL_CTX_set_min_proto_version(ctx, version) \ - SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL) -# define SSL_CTX_set_max_proto_version(ctx, version) \ - SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) -# define SSL_CTX_get_min_proto_version(ctx) \ - SSL_CTX_ctrl(ctx, SSL_CTRL_GET_MIN_PROTO_VERSION, 0, NULL) -# define SSL_CTX_get_max_proto_version(ctx) \ - SSL_CTX_ctrl(ctx, SSL_CTRL_GET_MAX_PROTO_VERSION, 0, NULL) -# define SSL_set_min_proto_version(s, version) \ - SSL_ctrl(s, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL) -# define SSL_set_max_proto_version(s, version) \ - SSL_ctrl(s, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) -# define SSL_get_min_proto_version(s) \ - SSL_ctrl(s, SSL_CTRL_GET_MIN_PROTO_VERSION, 0, NULL) -# define SSL_get_max_proto_version(s) \ - SSL_ctrl(s, SSL_CTRL_GET_MAX_PROTO_VERSION, 0, NULL) 
+#define SSL_set1_groups(s, glist, glistlen) \ + SSL_ctrl(s, SSL_CTRL_SET_GROUPS, glistlen, (char *)(glist)) +#define SSL_set1_groups_list(s, str) \ + SSL_ctrl(s, SSL_CTRL_SET_GROUPS_LIST, 0, (char *)(str)) +#define SSL_get_shared_group(s, n) \ + SSL_ctrl(s, SSL_CTRL_GET_SHARED_GROUP, n, NULL) +#define SSL_get_negotiated_group(s) \ + SSL_ctrl(s, SSL_CTRL_GET_NEGOTIATED_GROUP, 0, NULL) +#define SSL_CTX_set1_sigalgs(ctx, slist, slistlen) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_SIGALGS, slistlen, (int *)(slist)) +#define SSL_CTX_set1_sigalgs_list(ctx, s) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_SIGALGS_LIST, 0, (char *)(s)) +#define SSL_set1_sigalgs(s, slist, slistlen) \ + SSL_ctrl(s, SSL_CTRL_SET_SIGALGS, slistlen, (int *)(slist)) +#define SSL_set1_sigalgs_list(s, str) \ + SSL_ctrl(s, SSL_CTRL_SET_SIGALGS_LIST, 0, (char *)(str)) +#define SSL_CTX_set1_client_sigalgs(ctx, slist, slistlen) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_CLIENT_SIGALGS, slistlen, (int *)(slist)) +#define SSL_CTX_set1_client_sigalgs_list(ctx, s) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_CLIENT_SIGALGS_LIST, 0, (char *)(s)) +#define SSL_set1_client_sigalgs(s, slist, slistlen) \ + SSL_ctrl(s, SSL_CTRL_SET_CLIENT_SIGALGS, slistlen, (int *)(slist)) +#define SSL_set1_client_sigalgs_list(s, str) \ + SSL_ctrl(s, SSL_CTRL_SET_CLIENT_SIGALGS_LIST, 0, (char *)(str)) +#define SSL_get0_certificate_types(s, clist) \ + SSL_ctrl(s, SSL_CTRL_GET_CLIENT_CERT_TYPES, 0, (char *)(clist)) +#define SSL_CTX_set1_client_certificate_types(ctx, clist, clistlen) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_CLIENT_CERT_TYPES, clistlen, \ + (char *)(clist)) +#define SSL_set1_client_certificate_types(s, clist, clistlen) \ + SSL_ctrl(s, SSL_CTRL_SET_CLIENT_CERT_TYPES, clistlen, (char *)(clist)) +#define SSL_get0_signature_name(s, str) \ + SSL_ctrl(s, SSL_CTRL_GET_SIGNATURE_NAME, 0, (1 ? 
(str) : (const char **)NULL)) +#define SSL_get_signature_nid(s, pn) \ + SSL_ctrl(s, SSL_CTRL_GET_SIGNATURE_NID, 0, pn) +#define SSL_get0_peer_signature_name(s, str) \ + SSL_ctrl(s, SSL_CTRL_GET_PEER_SIGNATURE_NAME, 0, (1 ? (str) : (const char **)NULL)) +#define SSL_get_peer_signature_nid(s, pn) \ + SSL_ctrl(s, SSL_CTRL_GET_PEER_SIGNATURE_NID, 0, pn) +#define SSL_get_peer_tmp_key(s, pk) \ + SSL_ctrl(s, SSL_CTRL_GET_PEER_TMP_KEY, 0, pk) +#define SSL_get_tmp_key(s, pk) \ + SSL_ctrl(s, SSL_CTRL_GET_TMP_KEY, 0, pk) +#define SSL_get0_raw_cipherlist(s, plst) \ + SSL_ctrl(s, SSL_CTRL_GET_RAW_CIPHERLIST, 0, plst) +#define SSL_get0_ec_point_formats(s, plst) \ + SSL_ctrl(s, SSL_CTRL_GET_EC_POINT_FORMATS, 0, plst) +#define SSL_CTX_set_min_proto_version(ctx, version) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL) +#define SSL_CTX_set_max_proto_version(ctx, version) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) +#define SSL_CTX_get_min_proto_version(ctx) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_GET_MIN_PROTO_VERSION, 0, NULL) +#define SSL_CTX_get_max_proto_version(ctx) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_GET_MAX_PROTO_VERSION, 0, NULL) +#define SSL_set_min_proto_version(s, version) \ + SSL_ctrl(s, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL) +#define SSL_set_max_proto_version(s, version) \ + SSL_ctrl(s, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) +#define SSL_get_min_proto_version(s) \ + SSL_ctrl(s, SSL_CTRL_GET_MIN_PROTO_VERSION, 0, NULL) +#define SSL_get_max_proto_version(s) \ + SSL_ctrl(s, SSL_CTRL_GET_MAX_PROTO_VERSION, 0, NULL) const char *SSL_get0_group_name(SSL *s); const char *SSL_group_to_name(SSL *s, int id); /* Backwards compatibility, original 1.1.0 names */ -# define SSL_CTRL_GET_SERVER_TMP_KEY \ - SSL_CTRL_GET_PEER_TMP_KEY -# define SSL_get_server_tmp_key(s, pk) \ - SSL_get_peer_tmp_key(s, pk) +#define SSL_CTRL_GET_SERVER_TMP_KEY \ + SSL_CTRL_GET_PEER_TMP_KEY +#define SSL_get_server_tmp_key(s, pk) \ + SSL_get_peer_tmp_key(s, pk) 
int SSL_set0_tmp_dh_pkey(SSL *s, EVP_PKEY *dhpkey); int SSL_CTX_set0_tmp_dh_pkey(SSL_CTX *ctx, EVP_PKEY *dhpkey); 
@@ -1577,34 +1581,37 @@ int SSL_CTX_set0_tmp_dh_pkey(SSL_CTX *ctx, EVP_PKEY *dhpkey); * The following symbol names are old and obsolete. They are kept * for compatibility reasons only and should not be used anymore. */ -# define SSL_CTRL_GET_CURVES SSL_CTRL_GET_GROUPS -# define SSL_CTRL_SET_CURVES SSL_CTRL_SET_GROUPS -# define SSL_CTRL_SET_CURVES_LIST SSL_CTRL_SET_GROUPS_LIST -# define SSL_CTRL_GET_SHARED_CURVE SSL_CTRL_GET_SHARED_GROUP - -# define SSL_get1_curves SSL_get1_groups -# define SSL_CTX_set1_curves SSL_CTX_set1_groups -# define SSL_CTX_set1_curves_list SSL_CTX_set1_groups_list -# define SSL_set1_curves SSL_set1_groups -# define SSL_set1_curves_list SSL_set1_groups_list -# define SSL_get_shared_curve SSL_get_shared_group - - -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#define SSL_CTRL_GET_CURVES SSL_CTRL_GET_GROUPS +#define SSL_CTRL_SET_CURVES SSL_CTRL_SET_GROUPS +#define SSL_CTRL_SET_CURVES_LIST SSL_CTRL_SET_GROUPS_LIST +#define SSL_CTRL_GET_SHARED_CURVE SSL_CTRL_GET_SHARED_GROUP + +#define SSL_get1_curves SSL_get1_groups +#define SSL_CTX_set1_curves SSL_CTX_set1_groups +#define SSL_CTX_set1_curves_list SSL_CTX_set1_groups_list +#define SSL_set1_curves SSL_set1_groups +#define SSL_set1_curves_list SSL_set1_groups_list +#define SSL_get_shared_curve SSL_get_shared_group + +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 /* Provide some compatibility macros for removed functionality. 
*/ -# define SSL_CTX_need_tmp_RSA(ctx) 0 -# define SSL_CTX_set_tmp_rsa(ctx,rsa) 1 -# define SSL_need_tmp_RSA(ssl) 0 -# define SSL_set_tmp_rsa(ssl,rsa) 1 -# define SSL_CTX_set_ecdh_auto(dummy, onoff) ((onoff) != 0) -# define SSL_set_ecdh_auto(dummy, onoff) ((onoff) != 0) +#define SSL_CTX_need_tmp_RSA(ctx) 0 +#define SSL_CTX_set_tmp_rsa(ctx, rsa) 1 +#define SSL_need_tmp_RSA(ssl) 0 +#define SSL_set_tmp_rsa(ssl, rsa) 1 +#define SSL_CTX_set_ecdh_auto(dummy, onoff) ((onoff) != 0) +#define SSL_set_ecdh_auto(dummy, onoff) ((onoff) != 0) /* * We "pretend" to call the callback to avoid warnings about unused static * functions. */ -# define SSL_CTX_set_tmp_rsa_callback(ctx, cb) while(0) (cb)(NULL, 0, 0) -# define SSL_set_tmp_rsa_callback(ssl, cb) while(0) (cb)(NULL, 0, 0) -# endif +#define SSL_CTX_set_tmp_rsa_callback(ctx, cb) \ + while (0) \ + (cb)(NULL, 0, 0) +#define SSL_set_tmp_rsa_callback(ssl, cb) \ + while (0) \ + (cb)(NULL, 0, 0) +#endif __owur const BIO_METHOD *BIO_f_ssl(void); __owur BIO *BIO_new_ssl(SSL_CTX *ctx, int client); __owur BIO *BIO_new_ssl_connect(SSL_CTX *ctx); @@ -1615,7 +1622,7 @@ void BIO_ssl_shutdown(BIO *ssl_bio); __owur int SSL_CTX_set_cipher_list(SSL_CTX *, const char *str); __owur SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth); __owur SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, - const SSL_METHOD *meth); + const SSL_METHOD *meth); int SSL_CTX_up_ref(SSL_CTX *ctx); void SSL_CTX_free(SSL_CTX *); __owur long SSL_CTX_set_timeout(SSL_CTX *ctx, long t); 
@@ -1654,11 +1661,11 @@ __owur char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size);
 __owur int SSL_get_read_ahead(const SSL *s);
 __owur int SSL_pending(const SSL *s);
 __owur int SSL_has_pending(const SSL *s);
-# ifndef OPENSSL_NO_SOCK
 __owur int SSL_set_fd(SSL *s, int fd);
 __owur int SSL_set_rfd(SSL *s, int fd);
 __owur int SSL_set_wfd(SSL *s, int fd);
-# endif
+#endif
 void SSL_set0_rbio(SSL *s, BIO *rbio);
 void SSL_set0_wbio(SSL *s, BIO *wbio);
 void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio);
@@ -1673,32 +1680,31 @@ __owur int SSL_get_verify_depth(const SSL *s); __owur SSL_verify_cb SSL_get_verify_callback(const SSL *s); void SSL_set_verify(SSL *s, int mode, SSL_verify_cb callback); void SSL_set_verify_depth(SSL *s, int depth); -void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg); -# ifndef OPENSSL_NO_DEPRECATED_3_0 +void SSL_set_cert_cb(SSL *s, int (*cb)(SSL *ssl, void *arg), void *arg); +#ifndef OPENSSL_NO_DEPRECATED_3_0 OSSL_DEPRECATEDIN_3_0 __owur int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa); OSSL_DEPRECATEDIN_3_0 __owur int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, - const unsigned char *d, long len); -# endif + const unsigned char *d, long len); +#endif __owur int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey); __owur int SSL_use_PrivateKey_ASN1(int pk, SSL *ssl, const unsigned char *d, - long len); + long len); __owur int SSL_use_certificate(SSL *ssl, X509 *x); __owur int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len); __owur int SSL_use_cert_and_key(SSL *ssl, X509 *x509, EVP_PKEY *privatekey, - STACK_OF(X509) *chain, int override); - + STACK_OF(X509) *chain, int override); /* serverinfo file format versions */ -# define SSL_SERVERINFOV1 1 -# define SSL_SERVERINFOV2 2 +#define SSL_SERVERINFOV1 1 +#define SSL_SERVERINFOV2 2 /* Set serverinfo data for the current active cert. */ __owur int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, - size_t serverinfo_length); + size_t serverinfo_length); __owur int SSL_CTX_use_serverinfo_ex(SSL_CTX *ctx, unsigned int version, - const unsigned char *serverinfo, - size_t serverinfo_length); + const unsigned char *serverinfo, + size_t serverinfo_length); __owur int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file); #ifndef OPENSSL_NO_DEPRECATED_3_0 
@@ -1712,31 +1718,31 @@ __owur int SSL_use_certificate_file(SSL *ssl, const char *file, int type); #ifndef OPENSSL_NO_DEPRECATED_3_0 OSSL_DEPRECATEDIN_3_0 __owur int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, - int type); + int type); #endif __owur int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, - int type); + int type); __owur int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, - int type); + int type); /* PEM type */ __owur int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); __owur int SSL_use_certificate_chain_file(SSL *ssl, const char *file); __owur STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file); -__owur STACK_OF(X509_NAME) -*SSL_load_client_CA_file_ex(const char *file, OSSL_LIB_CTX *libctx, - const char *propq); +__owur STACK_OF(X509_NAME) *SSL_load_client_CA_file_ex(const char *file, OSSL_LIB_CTX *libctx, + const char *propq); __owur int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs, - const char *file); + const char *file); int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs, - const char *dir); + const char *dir); int SSL_add_store_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs, - const char *uri); + const char *uri); -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# define SSL_load_error_strings() \ +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#define SSL_load_error_strings() \ OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS \ - | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL) -# endif + | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, \ + NULL) +#endif __owur const char *SSL_state_string(const SSL *s); __owur const char *SSL_rstate_string(const SSL *s); 
@@ -1760,39 +1766,39 @@ __owur time_t SSL_SESSION_set_time_ex(SSL_SESSION *s, time_t t); __owur const char *SSL_SESSION_get0_hostname(const SSL_SESSION *s); __owur int SSL_SESSION_set1_hostname(SSL_SESSION *s, const char *hostname); void SSL_SESSION_get0_alpn_selected(const SSL_SESSION *s, - const unsigned char **alpn, - size_t *len); + const unsigned char **alpn, + size_t *len); __owur int SSL_SESSION_set1_alpn_selected(SSL_SESSION *s, - const unsigned char *alpn, - size_t len); + const unsigned char *alpn, + size_t len); __owur const SSL_CIPHER *SSL_SESSION_get0_cipher(const SSL_SESSION *s); __owur int SSL_SESSION_set_cipher(SSL_SESSION *s, const SSL_CIPHER *cipher); __owur int SSL_SESSION_has_ticket(const SSL_SESSION *s); __owur unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s); void SSL_SESSION_get0_ticket(const SSL_SESSION *s, const unsigned char **tick, - size_t *len); + size_t *len); __owur uint32_t SSL_SESSION_get_max_early_data(const SSL_SESSION *s); __owur int SSL_SESSION_set_max_early_data(SSL_SESSION *s, - uint32_t max_early_data); + uint32_t max_early_data); __owur int SSL_copy_session_id(SSL *to, const SSL *from); __owur X509 *SSL_SESSION_get0_peer(SSL_SESSION *s); __owur int SSL_SESSION_set1_id_context(SSL_SESSION *s, - const unsigned char *sid_ctx, - unsigned int sid_ctx_len); + const unsigned char *sid_ctx, + unsigned int sid_ctx_len); __owur int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid, - unsigned int sid_len); + unsigned int sid_len); __owur int SSL_SESSION_is_resumable(const SSL_SESSION *s); __owur SSL_SESSION *SSL_SESSION_new(void); __owur SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src); const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, - unsigned int *len); + unsigned int *len); const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *s, - unsigned int *len); + unsigned int *len); __owur unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s); -# ifndef 
OPENSSL_NO_STDIO +#ifndef OPENSSL_NO_STDIO int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *ses); -# endif +#endif int SSL_SESSION_print(BIO *fp, const SSL_SESSION *ses); int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x); int SSL_SESSION_up_ref(SSL_SESSION *ses); @@ -1804,22 +1810,22 @@ int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *session); __owur int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb); __owur int SSL_set_generate_session_id(SSL *s, GEN_SESSION_CB cb); __owur int SSL_has_matching_session_id(const SSL *s, - const unsigned char *id, - unsigned int id_len); + const unsigned char *id, + unsigned int id_len); SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, - long length); + long length); SSL_SESSION *d2i_SSL_SESSION_ex(SSL_SESSION **a, const unsigned char **pp, - long length, OSSL_LIB_CTX *libctx, - const char *propq); + long length, OSSL_LIB_CTX *libctx, + const char *propq); -# ifdef OPENSSL_X509_H +#ifdef OPENSSL_X509_H __owur X509 *SSL_get0_peer_certificate(const SSL *s); __owur X509 *SSL_get1_peer_certificate(const SSL *s); /* Deprecated in 3.0.0 */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define SSL_get_peer_certificate SSL_get1_peer_certificate -# endif -# endif +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define SSL_get_peer_certificate SSL_get1_peer_certificate +#endif +#endif __owur STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s); 
@@ -1829,25 +1835,25 @@ __owur SSL_verify_cb SSL_CTX_get_verify_callback(const SSL_CTX *ctx); void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, SSL_verify_cb callback); void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth); void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, - int (*cb) (X509_STORE_CTX *, void *), - void *arg); -void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb) (SSL *ssl, void *arg), - void *arg); -# ifndef OPENSSL_NO_DEPRECATED_3_0 + int (*cb)(X509_STORE_CTX *, void *), + void *arg); +void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb)(SSL *ssl, void *arg), + void *arg); +#ifndef OPENSSL_NO_DEPRECATED_3_0 OSSL_DEPRECATEDIN_3_0 __owur int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa); OSSL_DEPRECATEDIN_3_0 __owur int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, - long len); -# endif + long len); +#endif __owur int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey); __owur int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, - const unsigned char *d, long len); + const unsigned char *d, long len); __owur int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x); __owur int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, - const unsigned char *d); + const unsigned char *d); __owur int SSL_CTX_use_cert_and_key(SSL_CTX *ctx, X509 *x509, EVP_PKEY *privatekey, - STACK_OF(X509) *chain, int override); + STACK_OF(X509) *chain, int override); void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb); void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u); @@ -1862,8 +1868,8 @@ __owur int SSL_CTX_check_private_key(const SSL_CTX *ctx); __owur int SSL_check_private_key(const SSL *ctx); __owur int SSL_CTX_set_session_id_context(SSL_CTX *ctx, - const unsigned char *sid_ctx, - unsigned int sid_ctx_len); + const unsigned char *sid_ctx, + unsigned int sid_ctx_len); SSL *SSL_new(SSL_CTX *ctx); int SSL_up_ref(SSL *s); 
@@ -1871,7 +1877,7 @@ int SSL_is_dtls(const SSL *s); int SSL_is_tls(const SSL *s); int SSL_is_quic(const SSL *s); __owur int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx, - unsigned int sid_ctx_len); + unsigned int sid_ctx_len); __owur int SSL_CTX_set_purpose(SSL_CTX *ctx, int purpose); __owur int SSL_set_purpose(SSL *ssl, int purpose); @@ -1885,14 +1891,14 @@ void SSL_set_hostflags(SSL *s, unsigned int flags); __owur int SSL_CTX_dane_enable(SSL_CTX *ctx); __owur int SSL_CTX_dane_mtype_set(SSL_CTX *ctx, const EVP_MD *md, - uint8_t mtype, uint8_t ord); + uint8_t mtype, uint8_t ord); __owur int SSL_dane_enable(SSL *s, const char *basedomain); __owur int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector, - uint8_t mtype, const unsigned char *data, size_t dlen); + uint8_t mtype, const unsigned char *data, size_t dlen); __owur int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki); __owur int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector, - uint8_t *mtype, const unsigned char **data, - size_t *dlen); + uint8_t *mtype, const unsigned char **data, + size_t *dlen); /* * Bridge opacity barrier between libcrypt and libssl, also needed to support * offline testing in test/danetest.c 
@@ -1912,52 +1918,52 @@ __owur int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm); __owur X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx); __owur X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl); -# ifndef OPENSSL_NO_SRP -# ifndef OPENSSL_NO_DEPRECATED_3_0 +#ifndef OPENSSL_NO_SRP +#ifndef OPENSSL_NO_DEPRECATED_3_0 OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name); OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password); OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength); OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx, - char *(*cb) (SSL *, void *)); + char *(*cb)(SSL *, void *)); OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx, - int (*cb) (SSL *, void *)); + int (*cb)(SSL *, void *)); OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx, - int (*cb) (SSL *, int *, void *)); + int (*cb)(SSL *, int *, void *)); OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg); OSSL_DEPRECATEDIN_3_0 int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g, - BIGNUM *sa, BIGNUM *v, char *info); + BIGNUM *sa, BIGNUM *v, char *info); OSSL_DEPRECATEDIN_3_0 int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass, - const char *grp); + const char *grp); OSSL_DEPRECATEDIN_3_0 __owur BIGNUM *SSL_get_srp_g(SSL *s); OSSL_DEPRECATEDIN_3_0 __owur BIGNUM *SSL_get_srp_N(SSL *s); OSSL_DEPRECATEDIN_3_0 __owur char *SSL_get_srp_username(SSL *s); OSSL_DEPRECATEDIN_3_0 __owur char *SSL_get_srp_userinfo(SSL *s); -# endif -# endif +#endif +#endif /* * ClientHello callback and helpers. 
*/ -# define SSL_CLIENT_HELLO_SUCCESS 1 -# define SSL_CLIENT_HELLO_ERROR 0 -# define SSL_CLIENT_HELLO_RETRY (-1) +#define SSL_CLIENT_HELLO_SUCCESS 1 +#define SSL_CLIENT_HELLO_ERROR 0 +#define SSL_CLIENT_HELLO_RETRY (-1) -typedef int (*SSL_client_hello_cb_fn) (SSL *s, int *al, void *arg); +typedef int (*SSL_client_hello_cb_fn)(SSL *s, int *al, void *arg); void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb, - void *arg); -typedef int (*SSL_new_pending_conn_cb_fn) (SSL_CTX *ctx, SSL *new_ssl, - void *arg); + void *arg); +typedef int (*SSL_new_pending_conn_cb_fn)(SSL_CTX *ctx, SSL *new_ssl, + void *arg); void SSL_CTX_set_new_pending_conn_cb(SSL_CTX *c, SSL_new_pending_conn_cb_fn cb, - void *arg); + void *arg); int SSL_client_hello_isv2(SSL *s); unsigned int SSL_client_hello_get0_legacy_version(SSL *s); 
@@ -1965,65 +1971,65 @@ size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out); size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out); size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out); size_t SSL_client_hello_get0_compression_methods(SSL *s, - const unsigned char **out); + const unsigned char **out); int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen); int SSL_client_hello_get_extension_order(SSL *s, uint16_t *exts, - size_t *num_exts); + size_t *num_exts); int SSL_client_hello_get0_ext(SSL *s, unsigned int type, - const unsigned char **out, size_t *outlen); + const unsigned char **out, size_t *outlen); void SSL_certs_clear(SSL *s); void SSL_free(SSL *ssl); -# ifdef OSSL_ASYNC_FD +#ifdef OSSL_ASYNC_FD /* * Windows application developer has to include windows.h to use these. */ __owur int SSL_waiting_for_async(SSL *s); __owur int SSL_get_all_async_fds(SSL *s, OSSL_ASYNC_FD *fds, size_t *numfds); __owur int SSL_get_changed_async_fds(SSL *s, OSSL_ASYNC_FD *addfd, - size_t *numaddfds, OSSL_ASYNC_FD *delfd, - size_t *numdelfds); + size_t *numaddfds, OSSL_ASYNC_FD *delfd, + size_t *numdelfds); __owur int SSL_CTX_set_async_callback(SSL_CTX *ctx, SSL_async_callback_fn callback); __owur int SSL_CTX_set_async_callback_arg(SSL_CTX *ctx, void *arg); __owur int SSL_set_async_callback(SSL *s, SSL_async_callback_fn callback); __owur int SSL_set_async_callback_arg(SSL *s, void *arg); __owur int SSL_get_async_status(SSL *s, int *status); -# endif +#endif __owur int SSL_accept(SSL *ssl); __owur int SSL_stateless(SSL *s); __owur int SSL_connect(SSL *ssl); __owur int SSL_read(SSL *ssl, void *buf, int num); __owur int SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes); -# define SSL_READ_EARLY_DATA_ERROR 0 -# define SSL_READ_EARLY_DATA_SUCCESS 1 -# define SSL_READ_EARLY_DATA_FINISH 2 +#define SSL_READ_EARLY_DATA_ERROR 0 +#define SSL_READ_EARLY_DATA_SUCCESS 1 +#define 
SSL_READ_EARLY_DATA_FINISH 2 __owur int SSL_read_early_data(SSL *s, void *buf, size_t num, - size_t *readbytes); + size_t *readbytes); __owur int SSL_peek(SSL *ssl, void *buf, int num); __owur int SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes); __owur ossl_ssize_t SSL_sendfile(SSL *s, int fd, off_t offset, size_t size, - int flags); + int flags); __owur int SSL_write(SSL *ssl, const void *buf, int num); __owur int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written); __owur int SSL_write_early_data(SSL *s, const void *buf, size_t num, - size_t *written); + size_t *written); long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg); long SSL_callback_ctrl(SSL *, int, void (*)(void)); long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg); long SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)(void)); -# define SSL_WRITE_FLAG_CONCLUDE (1U << 0) +#define SSL_WRITE_FLAG_CONCLUDE (1U << 0) __owur int SSL_write_ex2(SSL *s, const void *buf, size_t num, - uint64_t flags, - size_t *written); + uint64_t flags, + size_t *written); -# define SSL_EARLY_DATA_NOT_SENT 0 -# define SSL_EARLY_DATA_REJECTED 1 -# define SSL_EARLY_DATA_ACCEPTED 2 +#define SSL_EARLY_DATA_NOT_SENT 0 +#define SSL_EARLY_DATA_REJECTED 1 +#define SSL_EARLY_DATA_ACCEPTED 2 __owur int SSL_get_early_data_status(const SSL *s); 
@@ -2032,68 +2038,68 @@ __owur const char *SSL_get_version(const SSL *s); __owur int SSL_get_handshake_rtt(const SSL *s, uint64_t *rtt); /* This sets the 'default' SSL version that SSL_new() will create */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 +#ifndef OPENSSL_NO_DEPRECATED_3_0 OSSL_DEPRECATEDIN_3_0 __owur int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth); -# endif +#endif -# ifndef OPENSSL_NO_SSL3_METHOD -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#ifndef OPENSSL_NO_SSL3_METHOD +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *SSLv3_method(void); /* SSLv3 */ OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *SSLv3_server_method(void); OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *SSLv3_client_method(void); -# endif -# endif +#endif +#endif -#define SSLv23_method TLS_method -#define SSLv23_server_method TLS_server_method -#define SSLv23_client_method TLS_client_method +#define SSLv23_method TLS_method +#define SSLv23_server_method TLS_server_method +#define SSLv23_client_method TLS_client_method /* Negotiate highest available SSL/TLS version */ __owur const SSL_METHOD *TLS_method(void); __owur const SSL_METHOD *TLS_server_method(void); __owur const SSL_METHOD *TLS_client_method(void); -# ifndef OPENSSL_NO_TLS1_METHOD -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#ifndef OPENSSL_NO_TLS1_METHOD +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */ OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *TLSv1_server_method(void); OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *TLSv1_client_method(void); -# endif -# endif +#endif +#endif -# ifndef OPENSSL_NO_TLS1_1_METHOD -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#ifndef OPENSSL_NO_TLS1_1_METHOD +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *TLSv1_1_method(void); /* TLSv1.1 */ OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *TLSv1_1_server_method(void); OSSL_DEPRECATEDIN_1_1_0 __owur 
const SSL_METHOD *TLSv1_1_client_method(void); -# endif -# endif +#endif +#endif -# ifndef OPENSSL_NO_TLS1_2_METHOD -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#ifndef OPENSSL_NO_TLS1_2_METHOD +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *TLSv1_2_method(void); /* TLSv1.2 */ OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *TLSv1_2_server_method(void); OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *TLSv1_2_client_method(void); -# endif -# endif +#endif +#endif -# ifndef OPENSSL_NO_DTLS1_METHOD -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#ifndef OPENSSL_NO_DTLS1_METHOD +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *DTLSv1_method(void); /* DTLSv1.0 */ OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *DTLSv1_server_method(void); OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *DTLSv1_client_method(void); -# endif -# endif +#endif +#endif -# ifndef OPENSSL_NO_DTLS1_2_METHOD +#ifndef OPENSSL_NO_DTLS1_2_METHOD /* DTLSv1.2 */ -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *DTLSv1_2_method(void); OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *DTLSv1_2_server_method(void); OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *DTLSv1_2_client_method(void); -# endif -# endif +#endif +#endif __owur const SSL_METHOD *DTLS_method(void); /* DTLS 1.0 and 1.2 */ __owur const SSL_METHOD *DTLS_server_method(void); /* DTLS 1.0 and 1.2 */ @@ -2146,9 +2152,9 @@ void SSL_set_accept_state(SSL *s); __owur long SSL_get_default_timeout(const SSL *s); -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# define SSL_library_init() OPENSSL_init_ssl(0, NULL) -# endif +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#define SSL_library_init() OPENSSL_init_ssl(0, NULL) +#endif __owur char *SSL_CIPHER_description(const SSL_CIPHER *, char *buf, int size); __owur STACK_OF(X509_NAME) *SSL_dup_CA_list(const STACK_OF(X509_NAME) *sk); 
@@ -2180,17 +2186,17 @@ __owur int SSL_CTX_load_verify_file(SSL_CTX *ctx, const char *CAfile); __owur int SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath); __owur int SSL_CTX_load_verify_store(SSL_CTX *ctx, const char *CAstore); __owur int SSL_CTX_load_verify_locations(SSL_CTX *ctx, - const char *CAfile, - const char *CApath); -# define SSL_get0_session SSL_get_session/* just peek at pointer */ + const char *CAfile, + const char *CApath); +#define SSL_get0_session SSL_get_session /* just peek at pointer */ __owur SSL_SESSION *SSL_get_session(const SSL *ssl); __owur SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */ __owur SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl); SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx); void SSL_set_info_callback(SSL *ssl, - void (*cb) (const SSL *ssl, int type, int val)); -void (*SSL_get_info_callback(const SSL *ssl)) (const SSL *ssl, int type, - int val); + void (*cb)(const SSL *ssl, int type, int val)); +void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type, + int val); __owur OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl); void SSL_set_verify_result(SSL *ssl, long v); @@ -2198,13 +2204,13 @@ __owur long SSL_get_verify_result(const SSL *ssl); __owur STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s); __owur size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, - size_t outlen); + size_t outlen); __owur size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, - size_t outlen); + size_t outlen); __owur size_t SSL_SESSION_get_master_key(const SSL_SESSION *sess, - unsigned char *out, size_t outlen); + unsigned char *out, size_t outlen); __owur int SSL_SESSION_set1_master_key(SSL_SESSION *sess, - const unsigned char *in, size_t len); + const unsigned char *in, size_t len); uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *sess); #define SSL_get_ex_new_index(l, p, newf, dupf, freef) \ 
@@ -2222,61 +2228,61 @@ void *SSL_CTX_get_ex_data(const SSL_CTX *ssl, int idx); __owur int SSL_get_ex_data_X509_STORE_CTX_idx(void); -# define SSL_CTX_sess_set_cache_size(ctx,t) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_SIZE,t,NULL) -# define SSL_CTX_sess_get_cache_size(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_SIZE,0,NULL) -# define SSL_CTX_set_session_cache_mode(ctx,m) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_MODE,m,NULL) -# define SSL_CTX_get_session_cache_mode(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_MODE,0,NULL) - -# define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx) -# define SSL_CTX_set_default_read_ahead(ctx,m) SSL_CTX_set_read_ahead(ctx,m) -# define SSL_CTX_get_read_ahead(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL) -# define SSL_CTX_set_read_ahead(ctx,m) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL) -# define SSL_CTX_get_max_cert_list(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL) -# define SSL_CTX_set_max_cert_list(ctx,m) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL) -# define SSL_get_max_cert_list(ssl) \ - SSL_ctrl(ssl,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL) -# define SSL_set_max_cert_list(ssl,m) \ - SSL_ctrl(ssl,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL) - -# define SSL_CTX_set_max_send_fragment(ctx,m) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL) -# define SSL_set_max_send_fragment(ssl,m) \ - SSL_ctrl(ssl,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL) -# define SSL_CTX_set_split_send_fragment(ctx,m) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SPLIT_SEND_FRAGMENT,m,NULL) -# define SSL_set_split_send_fragment(ssl,m) \ - SSL_ctrl(ssl,SSL_CTRL_SET_SPLIT_SEND_FRAGMENT,m,NULL) -# define SSL_CTX_set_max_pipelines(ctx,m) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_PIPELINES,m,NULL) -# define SSL_set_max_pipelines(ssl,m) \ - SSL_ctrl(ssl,SSL_CTRL_SET_MAX_PIPELINES,m,NULL) -# define SSL_set_retry_verify(ssl) \ - (SSL_ctrl(ssl,SSL_CTRL_SET_RETRY_VERIFY,0,NULL) > 0) +#define 
SSL_CTX_sess_set_cache_size(ctx, t) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_SESS_CACHE_SIZE, t, NULL) +#define SSL_CTX_sess_get_cache_size(ctx) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_GET_SESS_CACHE_SIZE, 0, NULL) +#define SSL_CTX_set_session_cache_mode(ctx, m) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_SESS_CACHE_MODE, m, NULL) +#define SSL_CTX_get_session_cache_mode(ctx) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_GET_SESS_CACHE_MODE, 0, NULL) + +#define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx) +#define SSL_CTX_set_default_read_ahead(ctx, m) SSL_CTX_set_read_ahead(ctx, m) +#define SSL_CTX_get_read_ahead(ctx) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_GET_READ_AHEAD, 0, NULL) +#define SSL_CTX_set_read_ahead(ctx, m) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_READ_AHEAD, m, NULL) +#define SSL_CTX_get_max_cert_list(ctx) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_GET_MAX_CERT_LIST, 0, NULL) +#define SSL_CTX_set_max_cert_list(ctx, m) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_CERT_LIST, m, NULL) +#define SSL_get_max_cert_list(ssl) \ + SSL_ctrl(ssl, SSL_CTRL_GET_MAX_CERT_LIST, 0, NULL) +#define SSL_set_max_cert_list(ssl, m) \ + SSL_ctrl(ssl, SSL_CTRL_SET_MAX_CERT_LIST, m, NULL) + +#define SSL_CTX_set_max_send_fragment(ctx, m) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_SEND_FRAGMENT, m, NULL) +#define SSL_set_max_send_fragment(ssl, m) \ + SSL_ctrl(ssl, SSL_CTRL_SET_MAX_SEND_FRAGMENT, m, NULL) +#define SSL_CTX_set_split_send_fragment(ctx, m) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_SPLIT_SEND_FRAGMENT, m, NULL) +#define SSL_set_split_send_fragment(ssl, m) \ + SSL_ctrl(ssl, SSL_CTRL_SET_SPLIT_SEND_FRAGMENT, m, NULL) +#define SSL_CTX_set_max_pipelines(ctx, m) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PIPELINES, m, NULL) +#define SSL_set_max_pipelines(ssl, m) \ + SSL_ctrl(ssl, SSL_CTRL_SET_MAX_PIPELINES, m, NULL) +#define SSL_set_retry_verify(ssl) \ + (SSL_ctrl(ssl, SSL_CTRL_SET_RETRY_VERIFY, 0, NULL) > 0) void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len); void SSL_set_default_read_buffer_len(SSL *s, size_t len); -# 
ifndef OPENSSL_NO_DH -# ifndef OPENSSL_NO_DEPRECATED_3_0 +#ifndef OPENSSL_NO_DH +#ifndef OPENSSL_NO_DEPRECATED_3_0 /* NB: the |keylength| is only applicable when is_export is true */ OSSL_DEPRECATEDIN_3_0 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, - DH *(*dh) (SSL *ssl, int is_export, - int keylength)); + DH *(*dh)(SSL *ssl, int is_export, + int keylength)); OSSL_DEPRECATEDIN_3_0 void SSL_set_tmp_dh_callback(SSL *ssl, - DH *(*dh) (SSL *ssl, int is_export, - int keylength)); -# endif -# endif + DH *(*dh)(SSL *ssl, int is_export, + int keylength)); +#endif +#endif __owur const COMP_METHOD *SSL_get_current_compression(const SSL *s); __owur const COMP_METHOD *SSL_get_current_expansion(const SSL *s); 
@@ -2285,57 +2291,59 @@ __owur const char *SSL_COMP_get0_name(const SSL_COMP *comp); __owur int SSL_COMP_get_id(const SSL_COMP *comp); STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void); __owur STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP) - *meths); -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# define SSL_COMP_free_compression_methods() while(0) continue -# endif + *meths); +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#define SSL_COMP_free_compression_methods() \ + while (0) \ + continue +#endif __owur int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm); const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr); int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c); int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c); int SSL_bytes_to_cipher_list(SSL *s, const unsigned char *bytes, size_t len, - int isv2format, STACK_OF(SSL_CIPHER) **sk, - STACK_OF(SSL_CIPHER) **scsvs); + int isv2format, STACK_OF(SSL_CIPHER) **sk, + STACK_OF(SSL_CIPHER) **scsvs); /* TLS extensions functions */ __owur int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len); __owur int SSL_set_session_ticket_ext_cb(SSL *s, - tls_session_ticket_ext_cb_fn cb, - void *arg); + tls_session_ticket_ext_cb_fn cb, + void *arg); /* Pre-shared secret session resumption functions */ __owur int SSL_set_session_secret_cb(SSL *s, - tls_session_secret_cb_fn session_secret_cb, - void *arg); + tls_session_secret_cb_fn session_secret_cb, + void *arg); void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, - int (*cb) (SSL *ssl, - int - is_forward_secure)); + int (*cb)(SSL *ssl, + int + is_forward_secure)); void SSL_set_not_resumable_session_callback(SSL *ssl, - int (*cb) (SSL *ssl, - int is_forward_secure)); + int (*cb)(SSL *ssl, + int is_forward_secure)); void SSL_CTX_set_record_padding_callback(SSL_CTX *ctx, - size_t (*cb) (SSL *ssl, int type, - size_t len, void *arg)); + size_t (*cb)(SSL *ssl, int type, + size_t len, void *arg)); void 
SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg); void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx); int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size); int SSL_CTX_set_block_padding_ex(SSL_CTX *ctx, size_t app_block_size, - size_t hs_block_size); + size_t hs_block_size); int SSL_set_record_padding_callback(SSL *ssl, - size_t (*cb) (SSL *ssl, int type, - size_t len, void *arg)); + size_t (*cb)(SSL *ssl, int type, + size_t len, void *arg)); void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg); void *SSL_get_record_padding_callback_arg(const SSL *ssl); int SSL_set_block_padding(SSL *ssl, size_t block_size); int SSL_set_block_padding_ex(SSL *ssl, size_t app_block_size, - size_t hs_block_size); + size_t hs_block_size); int SSL_set_num_tickets(SSL *s, size_t num_tickets); size_t SSL_get_num_tickets(const SSL *s); int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets); @@ -2356,11 +2364,11 @@ __owur int SSL_is_connection(SSL *s); __owur int SSL_is_listener(SSL *ssl); __owur SSL *SSL_get0_listener(SSL *s); -#define SSL_LISTENER_FLAG_NO_VALIDATE (1UL << 1) +#define SSL_LISTENER_FLAG_NO_VALIDATE (1UL << 1) __owur SSL *SSL_new_listener(SSL_CTX *ctx, uint64_t flags); __owur SSL *SSL_new_listener_from(SSL *ssl, uint64_t flags); __owur SSL *SSL_new_from_listener(SSL *ssl, uint64_t flags); -#define SSL_ACCEPT_CONNECTION_NO_BLOCK (1UL << 0) +#define SSL_ACCEPT_CONNECTION_NO_BLOCK (1UL << 0) __owur SSL *SSL_accept_connection(SSL *ssl, uint64_t flags); __owur size_t SSL_get_accept_connection_queue_len(SSL *ssl); __owur int SSL_listen(SSL *ssl); 
@@ -2369,64 +2377,64 @@ __owur int SSL_is_domain(SSL *s); __owur SSL *SSL_get0_domain(SSL *s); __owur SSL *SSL_new_domain(SSL_CTX *ctx, uint64_t flags); -#define SSL_DOMAIN_FLAG_SINGLE_THREAD (1U << 0) -#define SSL_DOMAIN_FLAG_MULTI_THREAD (1U << 1) -#define SSL_DOMAIN_FLAG_THREAD_ASSISTED (1U << 2) -#define SSL_DOMAIN_FLAG_BLOCKING (1U << 3) -#define SSL_DOMAIN_FLAG_LEGACY_BLOCKING (1U << 4) +#define SSL_DOMAIN_FLAG_SINGLE_THREAD (1U << 0) +#define SSL_DOMAIN_FLAG_MULTI_THREAD (1U << 1) +#define SSL_DOMAIN_FLAG_THREAD_ASSISTED (1U << 2) +#define SSL_DOMAIN_FLAG_BLOCKING (1U << 3) +#define SSL_DOMAIN_FLAG_LEGACY_BLOCKING (1U << 4) __owur int SSL_CTX_set_domain_flags(SSL_CTX *ctx, uint64_t domain_flags); __owur int SSL_CTX_get_domain_flags(const SSL_CTX *ctx, uint64_t *domain_flags); __owur int SSL_get_domain_flags(const SSL *ssl, uint64_t *domain_flags); -#define SSL_STREAM_TYPE_NONE 0 -#define SSL_STREAM_TYPE_READ (1U << 0) -#define SSL_STREAM_TYPE_WRITE (1U << 1) -#define SSL_STREAM_TYPE_BIDI (SSL_STREAM_TYPE_READ | SSL_STREAM_TYPE_WRITE) +#define SSL_STREAM_TYPE_NONE 0 +#define SSL_STREAM_TYPE_READ (1U << 0) +#define SSL_STREAM_TYPE_WRITE (1U << 1) +#define SSL_STREAM_TYPE_BIDI (SSL_STREAM_TYPE_READ | SSL_STREAM_TYPE_WRITE) __owur int SSL_get_stream_type(SSL *s); __owur uint64_t SSL_get_stream_id(SSL *s); __owur int SSL_is_stream_local(SSL *s); -#define SSL_DEFAULT_STREAM_MODE_NONE 0 -#define SSL_DEFAULT_STREAM_MODE_AUTO_BIDI 1 -#define SSL_DEFAULT_STREAM_MODE_AUTO_UNI 2 +#define SSL_DEFAULT_STREAM_MODE_NONE 0 +#define SSL_DEFAULT_STREAM_MODE_AUTO_BIDI 1 +#define SSL_DEFAULT_STREAM_MODE_AUTO_UNI 2 __owur int SSL_set_default_stream_mode(SSL *s, uint32_t mode); -#define SSL_STREAM_FLAG_UNI (1U << 0) -#define SSL_STREAM_FLAG_NO_BLOCK (1U << 1) -#define SSL_STREAM_FLAG_ADVANCE (1U << 2) +#define SSL_STREAM_FLAG_UNI (1U << 0) +#define SSL_STREAM_FLAG_NO_BLOCK (1U << 1) +#define SSL_STREAM_FLAG_ADVANCE (1U << 2) __owur SSL *SSL_new_stream(SSL *s, uint64_t flags); 
-#define SSL_INCOMING_STREAM_POLICY_AUTO 0 -#define SSL_INCOMING_STREAM_POLICY_ACCEPT 1 -#define SSL_INCOMING_STREAM_POLICY_REJECT 2 +#define SSL_INCOMING_STREAM_POLICY_AUTO 0 +#define SSL_INCOMING_STREAM_POLICY_ACCEPT 1 +#define SSL_INCOMING_STREAM_POLICY_REJECT 2 __owur int SSL_set_incoming_stream_policy(SSL *s, int policy, uint64_t aec); -#define SSL_ACCEPT_STREAM_NO_BLOCK (1U << 0) +#define SSL_ACCEPT_STREAM_NO_BLOCK (1U << 0) __owur SSL *SSL_accept_stream(SSL *s, uint64_t flags); __owur size_t SSL_get_accept_stream_queue_len(SSL *s); -# ifndef OPENSSL_NO_QUIC +#ifndef OPENSSL_NO_QUIC __owur int SSL_inject_net_dgram(SSL *s, const unsigned char *buf, - size_t buf_len, - const BIO_ADDR *peer, - const BIO_ADDR *local); -# endif + size_t buf_len, + const BIO_ADDR *peer, + const BIO_ADDR *local); +#endif typedef struct ssl_shutdown_ex_args_st { - uint64_t quic_error_code; - const char *quic_reason; + uint64_t quic_error_code; + const char *quic_reason; } SSL_SHUTDOWN_EX_ARGS; -#define SSL_SHUTDOWN_FLAG_RAPID (1U << 0) -#define SSL_SHUTDOWN_FLAG_NO_STREAM_FLUSH (1U << 1) -#define SSL_SHUTDOWN_FLAG_NO_BLOCK (1U << 2) -#define SSL_SHUTDOWN_FLAG_WAIT_PEER (1U << 3) +#define SSL_SHUTDOWN_FLAG_RAPID (1U << 0) +#define SSL_SHUTDOWN_FLAG_NO_STREAM_FLUSH (1U << 1) +#define SSL_SHUTDOWN_FLAG_NO_BLOCK (1U << 2) +#define SSL_SHUTDOWN_FLAG_WAIT_PEER (1U << 3) __owur int SSL_shutdown_ex(SSL *ssl, uint64_t flags, - const SSL_SHUTDOWN_EX_ARGS *args, - size_t args_len); + const SSL_SHUTDOWN_EX_ARGS *args, + size_t args_len); __owur int SSL_stream_conclude(SSL *ssl, uint64_t flags); 
@@ -2435,157 +2443,157 @@ typedef struct ssl_stream_reset_args_st { } SSL_STREAM_RESET_ARGS; __owur int SSL_stream_reset(SSL *ssl, - const SSL_STREAM_RESET_ARGS *args, - size_t args_len); - -#define SSL_STREAM_STATE_NONE 0 -#define SSL_STREAM_STATE_OK 1 -#define SSL_STREAM_STATE_WRONG_DIR 2 -#define SSL_STREAM_STATE_FINISHED 3 -#define SSL_STREAM_STATE_RESET_LOCAL 4 -#define SSL_STREAM_STATE_RESET_REMOTE 5 -#define SSL_STREAM_STATE_CONN_CLOSED 6 + const SSL_STREAM_RESET_ARGS *args, + size_t args_len); + +#define SSL_STREAM_STATE_NONE 0 +#define SSL_STREAM_STATE_OK 1 +#define SSL_STREAM_STATE_WRONG_DIR 2 +#define SSL_STREAM_STATE_FINISHED 3 +#define SSL_STREAM_STATE_RESET_LOCAL 4 +#define SSL_STREAM_STATE_RESET_REMOTE 5 +#define SSL_STREAM_STATE_CONN_CLOSED 6 __owur int SSL_get_stream_read_state(SSL *ssl); __owur int SSL_get_stream_write_state(SSL *ssl); __owur int SSL_get_stream_read_error_code(SSL *ssl, uint64_t *app_error_code); __owur int SSL_get_stream_write_error_code(SSL *ssl, uint64_t *app_error_code); -#define SSL_CONN_CLOSE_FLAG_LOCAL (1U << 0) -#define SSL_CONN_CLOSE_FLAG_TRANSPORT (1U << 1) +#define SSL_CONN_CLOSE_FLAG_LOCAL (1U << 0) +#define SSL_CONN_CLOSE_FLAG_TRANSPORT (1U << 1) typedef struct ssl_conn_close_info_st { - uint64_t error_code, frame_type; - const char *reason; - size_t reason_len; - uint32_t flags; + uint64_t error_code, frame_type; + const char *reason; + size_t reason_len; + uint32_t flags; } SSL_CONN_CLOSE_INFO; __owur int SSL_get_conn_close_info(SSL *ssl, - SSL_CONN_CLOSE_INFO *info, - size_t info_len); - -# define SSL_VALUE_CLASS_GENERIC 0 -# define SSL_VALUE_CLASS_FEATURE_REQUEST 1 -# define SSL_VALUE_CLASS_FEATURE_PEER_REQUEST 2 -# define SSL_VALUE_CLASS_FEATURE_NEGOTIATED 3 - -# define SSL_VALUE_NONE 0 -# define SSL_VALUE_QUIC_STREAM_BIDI_LOCAL_AVAIL 1 -# define SSL_VALUE_QUIC_STREAM_BIDI_REMOTE_AVAIL 2 -# define SSL_VALUE_QUIC_STREAM_UNI_LOCAL_AVAIL 3 -# define SSL_VALUE_QUIC_STREAM_UNI_REMOTE_AVAIL 4 -# define 
SSL_VALUE_QUIC_IDLE_TIMEOUT 5 -# define SSL_VALUE_EVENT_HANDLING_MODE 6 -# define SSL_VALUE_STREAM_WRITE_BUF_SIZE 7 -# define SSL_VALUE_STREAM_WRITE_BUF_USED 8 -# define SSL_VALUE_STREAM_WRITE_BUF_AVAIL 9 - -# define SSL_VALUE_EVENT_HANDLING_MODE_INHERIT 0 -# define SSL_VALUE_EVENT_HANDLING_MODE_IMPLICIT 1 -# define SSL_VALUE_EVENT_HANDLING_MODE_EXPLICIT 2 + SSL_CONN_CLOSE_INFO *info, + size_t info_len); + +#define SSL_VALUE_CLASS_GENERIC 0 +#define SSL_VALUE_CLASS_FEATURE_REQUEST 1 +#define SSL_VALUE_CLASS_FEATURE_PEER_REQUEST 2 +#define SSL_VALUE_CLASS_FEATURE_NEGOTIATED 3 + +#define SSL_VALUE_NONE 0 +#define SSL_VALUE_QUIC_STREAM_BIDI_LOCAL_AVAIL 1 +#define SSL_VALUE_QUIC_STREAM_BIDI_REMOTE_AVAIL 2 +#define SSL_VALUE_QUIC_STREAM_UNI_LOCAL_AVAIL 3 +#define SSL_VALUE_QUIC_STREAM_UNI_REMOTE_AVAIL 4 +#define SSL_VALUE_QUIC_IDLE_TIMEOUT 5 +#define SSL_VALUE_EVENT_HANDLING_MODE 6 +#define SSL_VALUE_STREAM_WRITE_BUF_SIZE 7 +#define SSL_VALUE_STREAM_WRITE_BUF_USED 8 +#define SSL_VALUE_STREAM_WRITE_BUF_AVAIL 9 + +#define SSL_VALUE_EVENT_HANDLING_MODE_INHERIT 0 +#define SSL_VALUE_EVENT_HANDLING_MODE_IMPLICIT 1 +#define SSL_VALUE_EVENT_HANDLING_MODE_EXPLICIT 2 int SSL_get_value_uint(SSL *s, uint32_t class_, uint32_t id, uint64_t *v); int SSL_set_value_uint(SSL *s, uint32_t class_, uint32_t id, uint64_t v); -# define SSL_get_generic_value_uint(ssl, id, v) \ +#define SSL_get_generic_value_uint(ssl, id, v) \ SSL_get_value_uint((ssl), SSL_VALUE_CLASS_GENERIC, (id), (v)) -# define SSL_set_generic_value_uint(ssl, id, v) \ +#define SSL_set_generic_value_uint(ssl, id, v) \ SSL_set_value_uint((ssl), SSL_VALUE_CLASS_GENERIC, (id), (v)) -# define SSL_get_feature_request_uint(ssl, id, v) \ +#define SSL_get_feature_request_uint(ssl, id, v) \ SSL_get_value_uint((ssl), SSL_VALUE_CLASS_FEATURE_REQUEST, (id), (v)) -# define SSL_set_feature_request_uint(ssl, id, v) \ +#define SSL_set_feature_request_uint(ssl, id, v) \ SSL_set_value_uint((ssl), SSL_VALUE_CLASS_FEATURE_REQUEST, (id), (v)) -# 
define SSL_get_feature_peer_request_uint(ssl, id, v) \ +#define SSL_get_feature_peer_request_uint(ssl, id, v) \ SSL_get_value_uint((ssl), SSL_VALUE_CLASS_FEATURE_PEER_REQUEST, (id), (v)) -# define SSL_get_feature_negotiated_uint(ssl, id, v) \ +#define SSL_get_feature_negotiated_uint(ssl, id, v) \ SSL_get_value_uint((ssl), SSL_VALUE_CLASS_FEATURE_NEGOTIATED, (id), (v)) -# define SSL_get_quic_stream_bidi_local_avail(ssl, value) \ +#define SSL_get_quic_stream_bidi_local_avail(ssl, value) \ SSL_get_generic_value_uint((ssl), SSL_VALUE_QUIC_STREAM_BIDI_LOCAL_AVAIL, \ - (value)) -# define SSL_get_quic_stream_bidi_remote_avail(ssl, value) \ + (value)) +#define SSL_get_quic_stream_bidi_remote_avail(ssl, value) \ SSL_get_generic_value_uint((ssl), SSL_VALUE_QUIC_STREAM_BIDI_REMOTE_AVAIL, \ - (value)) -# define SSL_get_quic_stream_uni_local_avail(ssl, value) \ + (value)) +#define SSL_get_quic_stream_uni_local_avail(ssl, value) \ SSL_get_generic_value_uint((ssl), SSL_VALUE_QUIC_STREAM_UNI_LOCAL_AVAIL, \ - (value)) -# define SSL_get_quic_stream_uni_remote_avail(ssl, value) \ + (value)) +#define SSL_get_quic_stream_uni_remote_avail(ssl, value) \ SSL_get_generic_value_uint((ssl), SSL_VALUE_QUIC_STREAM_UNI_REMOTE_AVAIL, \ - (value)) + (value)) -# define SSL_get_event_handling_mode(ssl, value) \ +#define SSL_get_event_handling_mode(ssl, value) \ SSL_get_generic_value_uint((ssl), SSL_VALUE_EVENT_HANDLING_MODE, \ - (value)) -# define SSL_set_event_handling_mode(ssl, value) \ + (value)) +#define SSL_set_event_handling_mode(ssl, value) \ SSL_set_generic_value_uint((ssl), SSL_VALUE_EVENT_HANDLING_MODE, \ - (value)) + (value)) -# define SSL_get_stream_write_buf_size(ssl, value) \ +#define SSL_get_stream_write_buf_size(ssl, value) \ SSL_get_generic_value_uint((ssl), SSL_VALUE_STREAM_WRITE_BUF_SIZE, \ - (value)) -# define SSL_get_stream_write_buf_used(ssl, value) \ + (value)) +#define SSL_get_stream_write_buf_used(ssl, value) \ SSL_get_generic_value_uint((ssl), 
SSL_VALUE_STREAM_WRITE_BUF_USED, \ - (value)) -# define SSL_get_stream_write_buf_avail(ssl, value) \ + (value)) +#define SSL_get_stream_write_buf_avail(ssl, value) \ SSL_get_generic_value_uint((ssl), SSL_VALUE_STREAM_WRITE_BUF_AVAIL, \ - (value)) - -# define SSL_POLL_EVENT_NONE 0 - -# define SSL_POLL_EVENT_F (1U << 0) /* F (Failure) */ -# define SSL_POLL_EVENT_EL (1U << 1) /* EL (Exception on Listener) */ -# define SSL_POLL_EVENT_EC (1U << 2) /* EC (Exception on Conn) */ -# define SSL_POLL_EVENT_ECD (1U << 3) /* ECD (Exception on Conn Drained) */ -# define SSL_POLL_EVENT_ER (1U << 4) /* ER (Exception on Read) */ -# define SSL_POLL_EVENT_EW (1U << 5) /* EW (Exception on Write) */ -# define SSL_POLL_EVENT_R (1U << 6) /* R (Readable) */ -# define SSL_POLL_EVENT_W (1U << 7) /* W (Writable) */ -# define SSL_POLL_EVENT_IC (1U << 8) /* IC (Incoming Connection) */ -# define SSL_POLL_EVENT_ISB (1U << 9) /* ISB (Incoming Stream: Bidi) */ -# define SSL_POLL_EVENT_ISU (1U << 10) /* ISU (Incoming Stream: Uni) */ -# define SSL_POLL_EVENT_OSB (1U << 11) /* OSB (Outgoing Stream: Bidi) */ -# define SSL_POLL_EVENT_OSU (1U << 12) /* OSU (Outgoing Stream: Uni) */ - -# define SSL_POLL_EVENT_RW (SSL_POLL_EVENT_R | SSL_POLL_EVENT_W) -# define SSL_POLL_EVENT_RE (SSL_POLL_EVENT_R | SSL_POLL_EVENT_ER) -# define SSL_POLL_EVENT_WE (SSL_POLL_EVENT_W | SSL_POLL_EVENT_EW) -# define SSL_POLL_EVENT_RWE (SSL_POLL_EVENT_RE | SSL_POLL_EVENT_WE) -# define SSL_POLL_EVENT_E (SSL_POLL_EVENT_EL | SSL_POLL_EVENT_EC \ - | SSL_POLL_EVENT_ER | SSL_POLL_EVENT_EW) -# define SSL_POLL_EVENT_IS (SSL_POLL_EVENT_ISB | SSL_POLL_EVENT_ISU) -# define SSL_POLL_EVENT_ISE (SSL_POLL_EVENT_IS | SSL_POLL_EVENT_EC) -# define SSL_POLL_EVENT_I (SSL_POLL_EVENT_IS | SSL_POLL_EVENT_IC) -# define SSL_POLL_EVENT_OS (SSL_POLL_EVENT_OSB | SSL_POLL_EVENT_OSU) -# define SSL_POLL_EVENT_OSE (SSL_POLL_EVENT_OS | SSL_POLL_EVENT_EC) + (value)) + +#define SSL_POLL_EVENT_NONE 0 + +#define SSL_POLL_EVENT_F (1U << 0) /* F (Failure) */ +#define 
SSL_POLL_EVENT_EL (1U << 1) /* EL (Exception on Listener) */ +#define SSL_POLL_EVENT_EC (1U << 2) /* EC (Exception on Conn) */ +#define SSL_POLL_EVENT_ECD (1U << 3) /* ECD (Exception on Conn Drained) */ +#define SSL_POLL_EVENT_ER (1U << 4) /* ER (Exception on Read) */ +#define SSL_POLL_EVENT_EW (1U << 5) /* EW (Exception on Write) */ +#define SSL_POLL_EVENT_R (1U << 6) /* R (Readable) */ +#define SSL_POLL_EVENT_W (1U << 7) /* W (Writable) */ +#define SSL_POLL_EVENT_IC (1U << 8) /* IC (Incoming Connection) */ +#define SSL_POLL_EVENT_ISB (1U << 9) /* ISB (Incoming Stream: Bidi) */ +#define SSL_POLL_EVENT_ISU (1U << 10) /* ISU (Incoming Stream: Uni) */ +#define SSL_POLL_EVENT_OSB (1U << 11) /* OSB (Outgoing Stream: Bidi) */ +#define SSL_POLL_EVENT_OSU (1U << 12) /* OSU (Outgoing Stream: Uni) */ + +#define SSL_POLL_EVENT_RW (SSL_POLL_EVENT_R | SSL_POLL_EVENT_W) +#define SSL_POLL_EVENT_RE (SSL_POLL_EVENT_R | SSL_POLL_EVENT_ER) +#define SSL_POLL_EVENT_WE (SSL_POLL_EVENT_W | SSL_POLL_EVENT_EW) +#define SSL_POLL_EVENT_RWE (SSL_POLL_EVENT_RE | SSL_POLL_EVENT_WE) +#define SSL_POLL_EVENT_E (SSL_POLL_EVENT_EL | SSL_POLL_EVENT_EC \ + | SSL_POLL_EVENT_ER | SSL_POLL_EVENT_EW) +#define SSL_POLL_EVENT_IS (SSL_POLL_EVENT_ISB | SSL_POLL_EVENT_ISU) +#define SSL_POLL_EVENT_ISE (SSL_POLL_EVENT_IS | SSL_POLL_EVENT_EC) +#define SSL_POLL_EVENT_I (SSL_POLL_EVENT_IS | SSL_POLL_EVENT_IC) +#define SSL_POLL_EVENT_OS (SSL_POLL_EVENT_OSB | SSL_POLL_EVENT_OSU) +#define SSL_POLL_EVENT_OSE (SSL_POLL_EVENT_OS | SSL_POLL_EVENT_EC) typedef struct ssl_poll_item_st { BIO_POLL_DESCRIPTOR desc; - uint64_t events, revents; + uint64_t events, revents; } SSL_POLL_ITEM; -# define SSL_POLL_FLAG_NO_HANDLE_EVENTS (1U << 0) +#define SSL_POLL_FLAG_NO_HANDLE_EVENTS (1U << 0) __owur int SSL_poll(SSL_POLL_ITEM *items, - size_t num_items, - size_t stride, - const struct timeval *timeout, - uint64_t flags, - size_t *result_count); + size_t num_items, + size_t stride, + const struct timeval *timeout, + uint64_t flags, + 
size_t *result_count); static ossl_inline ossl_unused BIO_POLL_DESCRIPTOR SSL_as_poll_descriptor(SSL *s) { BIO_POLL_DESCRIPTOR d; - d.type = BIO_POLL_DESCRIPTOR_TYPE_SSL; + d.type = BIO_POLL_DESCRIPTOR_TYPE_SSL; d.value.ssl = s; return d; } -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# define SSL_cache_hit(s) SSL_session_reused(s) -# endif +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#define SSL_cache_hit(s) SSL_session_reused(s) +#endif __owur int SSL_session_reused(const SSL *s); __owur int SSL_is_server(const SSL *s); @@ -2595,7 +2603,7 @@ int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx); void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx); unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags); __owur unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx, - unsigned int flags); + unsigned int flags); __owur int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *pre); void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl); @@ -2609,16 +2617,16 @@ void SSL_add_ssl_module(void); int SSL_config(SSL *s, const char *name); int SSL_CTX_config(SSL_CTX *ctx, const char *name); -# ifndef OPENSSL_NO_SSL_TRACE +#ifndef OPENSSL_NO_SSL_TRACE void SSL_trace(int write_p, int version, int content_type, - const void *buf, size_t len, SSL *ssl, void *arg); -# endif + const void *buf, size_t len, SSL *ssl, void *arg); +#endif -# ifndef OPENSSL_NO_SOCK +#ifndef OPENSSL_NO_SOCK int DTLSv1_listen(SSL *s, BIO_ADDR *client); -# endif +#endif -# ifndef OPENSSL_NO_CT +#ifndef OPENSSL_NO_CT /* * A callback for verifying that the received SCTs are sufficient. @@ -2627,7 +2635,7 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client); * A connection should be aborted if the SCTs are deemed insufficient. */ typedef int (*ssl_ct_validation_cb)(const CT_POLICY_EVAL_CTX *ctx, - const STACK_OF(SCT) *scts, void *arg); + const STACK_OF(SCT) *scts, void *arg); /* * Sets a |callback| that is invoked upon receipt of ServerHelloDone to validate 
@@ -2642,14 +2650,14 @@ typedef int (*ssl_ct_validation_cb)(const CT_POLICY_EVAL_CTX *ctx, * will be requested. */ int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback, - void *arg); + void *arg); int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx, - ssl_ct_validation_cb callback, - void *arg); + ssl_ct_validation_cb callback, + void *arg); #define SSL_disable_ct(s) \ - ((void) SSL_set_validation_callback((s), NULL, NULL)) + ((void)SSL_set_validation_callback((s), NULL, NULL)) #define SSL_CTX_disable_ct(ctx) \ - ((void) SSL_CTX_set_validation_callback((ctx), NULL, NULL)) + ((void)SSL_CTX_set_validation_callback((ctx), NULL, NULL)) /* * The validation type enumerates the available behaviours of the built-in SSL 
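Review bot: The two `+` macro bodies at the end of this hunk call `SSL_set_validation_callback` and `SSL_CTX_set_validation_callback`, but the functions declared just above them are `SSL_set_ct_validation_callback` and `SSL_CTX_set_ct_validation_callback`. No declaration without the `ct_` is visible here, so `SSL_disable_ct()` and `SSL_CTX_disable_ct()` would presumably fail to build for any caller that expands them. The reformat only drops the space after the cast and carries the names over unchanged. The bodies should read `((void)SSL_set_ct_validation_callback((s), NULL, NULL))` and `((void)SSL_CTX_set_ct_validation_callback((ctx), NULL, NULL))`. As this is an imported vendor header, the correction is better raised upstream and picked up by a later import than patched locally.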
@@ -2714,106 +2722,106 @@ void SSL_CTX_set0_ctlog_store(SSL_CTX *ctx, CTLOG_STORE *logs); */ const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx); -# endif /* OPENSSL_NO_CT */ +#endif /* OPENSSL_NO_CT */ /* What the "other" parameter contains in security callback */ /* Mask for type */ -# define SSL_SECOP_OTHER_TYPE 0xffff0000 -# define SSL_SECOP_OTHER_NONE 0 -# define SSL_SECOP_OTHER_CIPHER (1 << 16) -# define SSL_SECOP_OTHER_CURVE (2 << 16) -# define SSL_SECOP_OTHER_DH (3 << 16) -# define SSL_SECOP_OTHER_PKEY (4 << 16) -# define SSL_SECOP_OTHER_SIGALG (5 << 16) -# define SSL_SECOP_OTHER_CERT (6 << 16) +#define SSL_SECOP_OTHER_TYPE 0xffff0000 +#define SSL_SECOP_OTHER_NONE 0 +#define SSL_SECOP_OTHER_CIPHER (1 << 16) +#define SSL_SECOP_OTHER_CURVE (2 << 16) +#define SSL_SECOP_OTHER_DH (3 << 16) +#define SSL_SECOP_OTHER_PKEY (4 << 16) +#define SSL_SECOP_OTHER_SIGALG (5 << 16) +#define SSL_SECOP_OTHER_CERT (6 << 16) /* Indicated operation refers to peer key or certificate */ -# define SSL_SECOP_PEER 0x1000 +#define SSL_SECOP_PEER 0x1000 /* Values for "op" parameter in security callback */ /* Called to filter ciphers */ /* Ciphers client supports */ -# define SSL_SECOP_CIPHER_SUPPORTED (1 | SSL_SECOP_OTHER_CIPHER) +#define SSL_SECOP_CIPHER_SUPPORTED (1 | SSL_SECOP_OTHER_CIPHER) /* Cipher shared by client/server */ -# define SSL_SECOP_CIPHER_SHARED (2 | SSL_SECOP_OTHER_CIPHER) +#define SSL_SECOP_CIPHER_SHARED (2 | SSL_SECOP_OTHER_CIPHER) /* Sanity check of cipher server selects */ -# define SSL_SECOP_CIPHER_CHECK (3 | SSL_SECOP_OTHER_CIPHER) +#define SSL_SECOP_CIPHER_CHECK (3 | SSL_SECOP_OTHER_CIPHER) /* Curves supported by client */ -# define SSL_SECOP_CURVE_SUPPORTED (4 | SSL_SECOP_OTHER_CURVE) +#define SSL_SECOP_CURVE_SUPPORTED (4 | SSL_SECOP_OTHER_CURVE) /* Curves shared by client/server */ -# define SSL_SECOP_CURVE_SHARED (5 | SSL_SECOP_OTHER_CURVE) +#define SSL_SECOP_CURVE_SHARED (5 | SSL_SECOP_OTHER_CURVE) /* Sanity check of curve server selects */ -# 
define SSL_SECOP_CURVE_CHECK (6 | SSL_SECOP_OTHER_CURVE) +#define SSL_SECOP_CURVE_CHECK (6 | SSL_SECOP_OTHER_CURVE) /* Temporary DH key */ -# define SSL_SECOP_TMP_DH (7 | SSL_SECOP_OTHER_PKEY) +#define SSL_SECOP_TMP_DH (7 | SSL_SECOP_OTHER_PKEY) /* SSL/TLS version */ -# define SSL_SECOP_VERSION (9 | SSL_SECOP_OTHER_NONE) +#define SSL_SECOP_VERSION (9 | SSL_SECOP_OTHER_NONE) /* Session tickets */ -# define SSL_SECOP_TICKET (10 | SSL_SECOP_OTHER_NONE) +#define SSL_SECOP_TICKET (10 | SSL_SECOP_OTHER_NONE) /* Supported signature algorithms sent to peer */ -# define SSL_SECOP_SIGALG_SUPPORTED (11 | SSL_SECOP_OTHER_SIGALG) +#define SSL_SECOP_SIGALG_SUPPORTED (11 | SSL_SECOP_OTHER_SIGALG) /* Shared signature algorithm */ -# define SSL_SECOP_SIGALG_SHARED (12 | SSL_SECOP_OTHER_SIGALG) +#define SSL_SECOP_SIGALG_SHARED (12 | SSL_SECOP_OTHER_SIGALG) /* Sanity check signature algorithm allowed */ -# define SSL_SECOP_SIGALG_CHECK (13 | SSL_SECOP_OTHER_SIGALG) +#define SSL_SECOP_SIGALG_CHECK (13 | SSL_SECOP_OTHER_SIGALG) /* Used to get mask of supported public key signature algorithms */ -# define SSL_SECOP_SIGALG_MASK (14 | SSL_SECOP_OTHER_SIGALG) +#define SSL_SECOP_SIGALG_MASK (14 | SSL_SECOP_OTHER_SIGALG) /* Use to see if compression is allowed */ -# define SSL_SECOP_COMPRESSION (15 | SSL_SECOP_OTHER_NONE) +#define SSL_SECOP_COMPRESSION (15 | SSL_SECOP_OTHER_NONE) /* EE key in certificate */ -# define SSL_SECOP_EE_KEY (16 | SSL_SECOP_OTHER_CERT) +#define SSL_SECOP_EE_KEY (16 | SSL_SECOP_OTHER_CERT) /* CA key in certificate */ -# define SSL_SECOP_CA_KEY (17 | SSL_SECOP_OTHER_CERT) +#define SSL_SECOP_CA_KEY (17 | SSL_SECOP_OTHER_CERT) /* CA digest algorithm in certificate */ -# define SSL_SECOP_CA_MD (18 | SSL_SECOP_OTHER_CERT) +#define SSL_SECOP_CA_MD (18 | SSL_SECOP_OTHER_CERT) /* Peer EE key in certificate */ -# define SSL_SECOP_PEER_EE_KEY (SSL_SECOP_EE_KEY | SSL_SECOP_PEER) +#define SSL_SECOP_PEER_EE_KEY (SSL_SECOP_EE_KEY | SSL_SECOP_PEER) /* Peer CA key in certificate */ 
-# define SSL_SECOP_PEER_CA_KEY (SSL_SECOP_CA_KEY | SSL_SECOP_PEER) +#define SSL_SECOP_PEER_CA_KEY (SSL_SECOP_CA_KEY | SSL_SECOP_PEER) /* Peer CA digest algorithm in certificate */ -# define SSL_SECOP_PEER_CA_MD (SSL_SECOP_CA_MD | SSL_SECOP_PEER) +#define SSL_SECOP_PEER_CA_MD (SSL_SECOP_CA_MD | SSL_SECOP_PEER) void SSL_set_security_level(SSL *s, int level); __owur int SSL_get_security_level(const SSL *s); void SSL_set_security_callback(SSL *s, - int (*cb) (const SSL *s, const SSL_CTX *ctx, - int op, int bits, int nid, - void *other, void *ex)); -int (*SSL_get_security_callback(const SSL *s)) (const SSL *s, - const SSL_CTX *ctx, int op, - int bits, int nid, void *other, - void *ex); + int (*cb)(const SSL *s, const SSL_CTX *ctx, + int op, int bits, int nid, + void *other, void *ex)); +int (*SSL_get_security_callback(const SSL *s))(const SSL *s, + const SSL_CTX *ctx, int op, + int bits, int nid, void *other, + void *ex); void SSL_set0_security_ex_data(SSL *s, void *ex); __owur void *SSL_get0_security_ex_data(const SSL *s); void SSL_CTX_set_security_level(SSL_CTX *ctx, int level); __owur int SSL_CTX_get_security_level(const SSL_CTX *ctx); void SSL_CTX_set_security_callback(SSL_CTX *ctx, - int (*cb) (const SSL *s, const SSL_CTX *ctx, - int op, int bits, int nid, - void *other, void *ex)); -int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx)) (const SSL *s, - const SSL_CTX *ctx, - int op, int bits, - int nid, - void *other, - void *ex); + int (*cb)(const SSL *s, const SSL_CTX *ctx, + int op, int bits, int nid, + void *other, void *ex)); +int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx))(const SSL *s, + const SSL_CTX *ctx, + int op, int bits, + int nid, + void *other, + void *ex); void SSL_CTX_set0_security_ex_data(SSL_CTX *ctx, void *ex); __owur void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx); /* OPENSSL_INIT flag 0x010000 reserved for internal use */ -# define OPENSSL_INIT_NO_LOAD_SSL_STRINGS 0x00100000L -# define OPENSSL_INIT_LOAD_SSL_STRINGS 
0x00200000L +#define OPENSSL_INIT_NO_LOAD_SSL_STRINGS 0x00100000L +#define OPENSSL_INIT_LOAD_SSL_STRINGS 0x00200000L -# define OPENSSL_INIT_SSL_DEFAULT \ - (OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS) +#define OPENSSL_INIT_SSL_DEFAULT \ + (OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS) int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings); -# ifndef OPENSSL_NO_UNIT_TEST +#ifndef OPENSSL_NO_UNIT_TEST __owur const struct openssl_ssl_test_functions *SSL_test_functions(void); -# endif +#endif __owur int SSL_free_buffers(SSL *ssl); __owur int SSL_alloc_buffers(SSL *ssl); 
@@ -2824,44 +2832,44 @@ typedef int SSL_TICKET_STATUS; /* Support for ticket appdata */ /* fatal error, malloc failure */ -# define SSL_TICKET_FATAL_ERR_MALLOC 0 +#define SSL_TICKET_FATAL_ERR_MALLOC 0 /* fatal error, either from parsing or decrypting the ticket */ -# define SSL_TICKET_FATAL_ERR_OTHER 1 +#define SSL_TICKET_FATAL_ERR_OTHER 1 /* No ticket present */ -# define SSL_TICKET_NONE 2 +#define SSL_TICKET_NONE 2 /* Empty ticket present */ -# define SSL_TICKET_EMPTY 3 +#define SSL_TICKET_EMPTY 3 /* the ticket couldn't be decrypted */ -# define SSL_TICKET_NO_DECRYPT 4 +#define SSL_TICKET_NO_DECRYPT 4 /* a ticket was successfully decrypted */ -# define SSL_TICKET_SUCCESS 5 +#define SSL_TICKET_SUCCESS 5 /* same as above but the ticket needs to be renewed */ -# define SSL_TICKET_SUCCESS_RENEW 6 +#define SSL_TICKET_SUCCESS_RENEW 6 /* Return codes for the decrypt session ticket callback */ typedef int SSL_TICKET_RETURN; /* An error occurred */ -#define SSL_TICKET_RETURN_ABORT 0 +#define SSL_TICKET_RETURN_ABORT 0 /* Do not use the ticket, do not send a renewed ticket to the client */ -#define SSL_TICKET_RETURN_IGNORE 1 +#define SSL_TICKET_RETURN_IGNORE 1 /* Do not use the ticket, send a renewed ticket to the client */ -#define SSL_TICKET_RETURN_IGNORE_RENEW 2 +#define SSL_TICKET_RETURN_IGNORE_RENEW 2 /* Use the ticket, do not send a renewed ticket to the client */ -#define SSL_TICKET_RETURN_USE 3 +#define SSL_TICKET_RETURN_USE 3 /* Use the ticket, send a renewed ticket to the client */ -#define SSL_TICKET_RETURN_USE_RENEW 4 +#define SSL_TICKET_RETURN_USE_RENEW 4 typedef int (*SSL_CTX_generate_session_ticket_fn)(SSL *s, void *arg); typedef SSL_TICKET_RETURN (*SSL_CTX_decrypt_session_ticket_fn)(SSL *s, SSL_SESSION *ss, - const unsigned char *keyname, - size_t keyname_length, - SSL_TICKET_STATUS status, - void *arg); + const unsigned char *keyname, + size_t keyname_length, + SSL_TICKET_STATUS status, + void *arg); int SSL_CTX_set_session_ticket_cb(SSL_CTX *ctx, - 
SSL_CTX_generate_session_ticket_fn gen_cb, - SSL_CTX_decrypt_session_ticket_fn dec_cb, - void *arg); + SSL_CTX_generate_session_ticket_fn gen_cb, + SSL_CTX_decrypt_session_ticket_fn dec_cb, + void *arg); int SSL_SESSION_set1_ticket_appdata(SSL_SESSION *ss, const void *data, size_t len); int SSL_SESSION_get0_ticket_appdata(SSL_SESSION *ss, void **data, size_t *len); @@ -2869,14 +2877,13 @@ typedef unsigned int (*DTLS_timer_cb)(SSL *s, unsigned int timer_us); void DTLS_set_timer_cb(SSL *s, DTLS_timer_cb cb); - typedef int (*SSL_allow_early_data_cb_fn)(SSL *s, void *arg); void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx, - SSL_allow_early_data_cb_fn cb, - void *arg); + SSL_allow_early_data_cb_fn cb, + void *arg); void SSL_set_allow_early_data_cb(SSL *s, - SSL_allow_early_data_cb_fn cb, - void *arg); + SSL_allow_early_data_cb_fn cb, + void *arg); /* store the default cipher strings inside the library */ const char *OSSL_default_cipher_list(void); @@ -2891,9 +2898,9 @@ int SSL_CTX_set1_cert_comp_preference(SSL_CTX *ctx, int *algs, size_t len); int SSL_set1_cert_comp_preference(SSL *ssl, int *algs, size_t len); int SSL_CTX_set1_compressed_cert(SSL_CTX *ctx, int algorithm, unsigned char *comp_data, - size_t comp_length, size_t orig_length); + size_t comp_length, size_t orig_length); int SSL_set1_compressed_cert(SSL *ssl, int algorithm, unsigned char *comp_data, - size_t comp_length, size_t orig_length); + size_t comp_length, size_t orig_length); size_t SSL_CTX_get1_compressed_cert(SSL_CTX *ctx, int alg, unsigned char **data, size_t *orig_len); size_t SSL_get1_compressed_cert(SSL *ssl, int alg, unsigned char **data, size_t *orig_len); 
@@ -2915,19 +2922,19 @@ __owur int SSL_CTX_get0_server_cert_type(const SSL_CTX *s, unsigned char **t, si /* * Protection level. For <= TLSv1.2 only "NONE" and "APPLICATION" are used. */ -# define OSSL_RECORD_PROTECTION_LEVEL_NONE 0 -# define OSSL_RECORD_PROTECTION_LEVEL_EARLY 1 -# define OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE 2 -# define OSSL_RECORD_PROTECTION_LEVEL_APPLICATION 3 +#define OSSL_RECORD_PROTECTION_LEVEL_NONE 0 +#define OSSL_RECORD_PROTECTION_LEVEL_EARLY 1 +#define OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE 2 +#define OSSL_RECORD_PROTECTION_LEVEL_APPLICATION 3 int SSL_set_quic_tls_cbs(SSL *s, const OSSL_DISPATCH *qtdis, void *arg); int SSL_set_quic_tls_transport_params(SSL *s, - const unsigned char *params, - size_t params_len); + const unsigned char *params, + size_t params_len); int SSL_set_quic_tls_early_data_enabled(SSL *s, int enabled); -# ifdef __cplusplus +#ifdef __cplusplus } -# endif +#endif #endif diff --git a/crypto/openssl/include/openssl/ui.h b/crypto/openssl/include/openssl/ui.h index e64ec3b37fba..901af471fd0b 100644 --- a/crypto/openssl/include/openssl/ui.h +++ b/crypto/openssl/include/openssl/ui.h 
@@ -10,37 +10,39 @@ * https://www.openssl.org/source/license.html */ +/* clang-format off */ +/* clang-format on */ #ifndef OPENSSL_UI_H -# define OPENSSL_UI_H -# pragma once +#define OPENSSL_UI_H +#pragma once -# include <openssl/macros.h> -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define HEADER_UI_H -# endif +#include <openssl/macros.h> +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define HEADER_UI_H +#endif -# include <openssl/opensslconf.h> +#include <openssl/opensslconf.h> -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# include <openssl/crypto.h> -# endif -# include <openssl/safestack.h> -# include <openssl/pem.h> -# include <openssl/types.h> -# include <openssl/uierr.h> +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#include <openssl/crypto.h> +#endif +#include <openssl/safestack.h> +#include <openssl/pem.h> +#include <openssl/types.h> +#include <openssl/uierr.h> /* For compatibility reasons, the macro OPENSSL_NO_UI is currently retained */ -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# ifdef OPENSSL_NO_UI_CONSOLE -# define OPENSSL_NO_UI -# endif -# endif +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#ifdef OPENSSL_NO_UI_CONSOLE +#define OPENSSL_NO_UI +#endif +#endif -# ifdef __cplusplus +#ifdef __cplusplus extern "C" { -# endif +#endif /* * All the following functions return -1 or NULL on error and in some cases 
@@ -98,21 +100,21 @@ void UI_free(UI *ui); On success, the all return an index of the added information. That index is useful when retrieving results with UI_get0_result(). */ int UI_add_input_string(UI *ui, const char *prompt, int flags, - char *result_buf, int minsize, int maxsize); + char *result_buf, int minsize, int maxsize); int UI_dup_input_string(UI *ui, const char *prompt, int flags, - char *result_buf, int minsize, int maxsize); + char *result_buf, int minsize, int maxsize); int UI_add_verify_string(UI *ui, const char *prompt, int flags, - char *result_buf, int minsize, int maxsize, - const char *test_buf); + char *result_buf, int minsize, int maxsize, + const char *test_buf); int UI_dup_verify_string(UI *ui, const char *prompt, int flags, - char *result_buf, int minsize, int maxsize, - const char *test_buf); + char *result_buf, int minsize, int maxsize, + const char *test_buf); int UI_add_input_boolean(UI *ui, const char *prompt, const char *action_desc, - const char *ok_chars, const char *cancel_chars, - int flags, char *result_buf); + const char *ok_chars, const char *cancel_chars, + int flags, char *result_buf); int UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc, - const char *ok_chars, const char *cancel_chars, - int flags, char *result_buf); + const char *ok_chars, const char *cancel_chars, + int flags, char *result_buf); int UI_add_info_string(UI *ui, const char *text); int UI_dup_info_string(UI *ui, const char *text); int UI_add_error_string(UI *ui, const char *text); @@ -120,7 +122,7 @@ int UI_dup_error_string(UI *ui, const char *text); /* These are the possible flags. They can be or'ed together. */ /* Use to have echoing of input */ -# define UI_INPUT_FLAG_ECHO 0x01 +#define UI_INPUT_FLAG_ECHO 0x01 /* * Use a default password. Where that password is found is completely up to * the application, it might for example be in the user data set with 
@@ -128,7 +130,7 @@ int UI_dup_error_string(UI *ui, const char *text); * each UI being marked with this flag, or the application might get * confused. */ -# define UI_INPUT_FLAG_DEFAULT_PWD 0x02 +#define UI_INPUT_FLAG_DEFAULT_PWD 0x02 /*- * The user of these routines may want to define flags of their own. The core @@ -139,8 +141,8 @@ int UI_dup_error_string(UI *ui, const char *text); * * #define MY_UI_FLAG1 (0x01 << UI_INPUT_FLAG_USER_BASE) * -*/ -# define UI_INPUT_FLAG_USER_BASE 16 + */ +#define UI_INPUT_FLAG_USER_BASE 16 /*- * The following function helps construct a prompt. @@ -160,9 +162,9 @@ int UI_dup_error_string(UI *ui, const char *text); * the value "foo.key", the resulting string is: * * "Enter pass phrase for foo.key:" -*/ + */ char *UI_construct_prompt(UI *ui_method, - const char *phrase_desc, const char *object_name); + const char *phrase_desc, const char *object_name); /* * The following function is used to store a pointer to user-specific data. @@ -197,7 +199,7 @@ int UI_process(UI *ui); * send down an integer, a data pointer or a function pointer, as well as be * used to get information from a UI. */ -int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f) (void)); +int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f)(void)); /* The commands */ /* 
@@ -205,19 +207,19 @@ int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f) (void)); * OpenSSL error stack before printing any info or added error messages and * before any prompting. */ -# define UI_CTRL_PRINT_ERRORS 1 +#define UI_CTRL_PRINT_ERRORS 1 /* * Check if a UI_process() is possible to do again with the same instance of * a user interface. This makes UI_ctrl() return 1 if it is redoable, and 0 * if not. */ -# define UI_CTRL_IS_REDOABLE 2 +#define UI_CTRL_IS_REDOABLE 2 /* Some methods may use extra data */ -# define UI_set_app_data(s,arg) UI_set_ex_data(s,0,arg) -# define UI_get_app_data(s) UI_get_ex_data(s,0) +#define UI_set_app_data(s, arg) UI_set_ex_data(s, 0, arg) +#define UI_get_app_data(s) UI_get_ex_data(s, 0) -# define UI_get_ex_new_index(l, p, newf, dupf, freef) \ +#define UI_get_ex_new_index(l, p, newf, dupf, freef) \ CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_UI, l, p, newf, dupf, freef) int UI_set_ex_data(UI *r, int idx, void *arg); void *UI_get_ex_data(const UI *r, int idx); @@ -228,12 +230,12 @@ const UI_METHOD *UI_get_default_method(void); const UI_METHOD *UI_get_method(UI *ui); const UI_METHOD *UI_set_method(UI *ui, const UI_METHOD *meth); -# ifndef OPENSSL_NO_UI_CONSOLE +#ifndef OPENSSL_NO_UI_CONSOLE /* The method with all the built-in thingies */ UI_METHOD *UI_OpenSSL(void); -# endif +#endif /* * NULL method. Literally does nothing, but may serve as a placeholder @@ -290,6 +292,7 @@ const UI_METHOD *UI_null(void); */ typedef struct ui_string_st UI_STRING; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(UI_STRING, UI_STRING, UI_STRING) #define sk_UI_STRING_num(sk) OPENSSL_sk_num(ossl_check_const_UI_STRING_sk_type(sk)) #define sk_UI_STRING_value(sk, idx) ((UI_STRING *)OPENSSL_sk_value(ossl_check_const_UI_STRING_sk_type(sk), (idx))) 
@@ -317,6 +320,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(UI_STRING, UI_STRING, UI_STRING) #define sk_UI_STRING_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(UI_STRING) *)OPENSSL_sk_deep_copy(ossl_check_const_UI_STRING_sk_type(sk), ossl_check_UI_STRING_copyfunc_type(copyfunc), ossl_check_UI_STRING_freefunc_type(freefunc))) #define sk_UI_STRING_set_cmp_func(sk, cmp) ((sk_UI_STRING_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_UI_STRING_sk_type(sk), ossl_check_UI_STRING_compfunc_type(cmp))) +/* clang-format on */ /* * The different types of strings that are currently supported. This is only 
@@ -324,42 +328,41 @@ SKM_DEFINE_STACK_OF_INTERNAL(UI_STRING, UI_STRING, UI_STRING) */ enum UI_string_types { UIT_NONE = 0, - UIT_PROMPT, /* Prompt for a string */ - UIT_VERIFY, /* Prompt for a string and verify */ - UIT_BOOLEAN, /* Prompt for a yes/no response */ - UIT_INFO, /* Send info to the user */ - UIT_ERROR /* Send an error message to the user */ + UIT_PROMPT, /* Prompt for a string */ + UIT_VERIFY, /* Prompt for a string and verify */ + UIT_BOOLEAN, /* Prompt for a yes/no response */ + UIT_INFO, /* Send info to the user */ + UIT_ERROR /* Send an error message to the user */ }; /* Create and manipulate methods */ UI_METHOD *UI_create_method(const char *name); void UI_destroy_method(UI_METHOD *ui_method); -int UI_method_set_opener(UI_METHOD *method, int (*opener) (UI *ui)); +int UI_method_set_opener(UI_METHOD *method, int (*opener)(UI *ui)); int UI_method_set_writer(UI_METHOD *method, - int (*writer) (UI *ui, UI_STRING *uis)); -int UI_method_set_flusher(UI_METHOD *method, int (*flusher) (UI *ui)); + int (*writer)(UI *ui, UI_STRING *uis)); +int UI_method_set_flusher(UI_METHOD *method, int (*flusher)(UI *ui)); int UI_method_set_reader(UI_METHOD *method, - int (*reader) (UI *ui, UI_STRING *uis)); -int UI_method_set_closer(UI_METHOD *method, int (*closer) (UI *ui)); + int (*reader)(UI *ui, UI_STRING *uis)); +int UI_method_set_closer(UI_METHOD *method, int (*closer)(UI *ui)); int UI_method_set_data_duplicator(UI_METHOD *method, - void *(*duplicator) (UI *ui, void *ui_data), - void (*destructor)(UI *ui, void *ui_data)); + void *(*duplicator)(UI *ui, void *ui_data), + void (*destructor)(UI *ui, void *ui_data)); int UI_method_set_prompt_constructor(UI_METHOD *method, - char *(*prompt_constructor) (UI *ui, - const char - *phrase_desc, - const char - *object_name)); + char *(*prompt_constructor)(UI *ui, + const char + *phrase_desc, + const char + *object_name)); int UI_method_set_ex_data(UI_METHOD *method, int idx, void *data); -int (*UI_method_get_opener(const 
UI_METHOD *method)) (UI *); -int (*UI_method_get_writer(const UI_METHOD *method)) (UI *, UI_STRING *); -int (*UI_method_get_flusher(const UI_METHOD *method)) (UI *); -int (*UI_method_get_reader(const UI_METHOD *method)) (UI *, UI_STRING *); -int (*UI_method_get_closer(const UI_METHOD *method)) (UI *); -char *(*UI_method_get_prompt_constructor(const UI_METHOD *method)) - (UI *, const char *, const char *); -void *(*UI_method_get_data_duplicator(const UI_METHOD *method)) (UI *, void *); -void (*UI_method_get_data_destructor(const UI_METHOD *method)) (UI *, void *); +int (*UI_method_get_opener(const UI_METHOD *method))(UI *); +int (*UI_method_get_writer(const UI_METHOD *method))(UI *, UI_STRING *); +int (*UI_method_get_flusher(const UI_METHOD *method))(UI *); +int (*UI_method_get_reader(const UI_METHOD *method))(UI *, UI_STRING *); +int (*UI_method_get_closer(const UI_METHOD *method))(UI *); +char *(*UI_method_get_prompt_constructor(const UI_METHOD *method))(UI *, const char *, const char *); +void *(*UI_method_get_data_duplicator(const UI_METHOD *method))(UI *, void *); +void (*UI_method_get_data_destructor(const UI_METHOD *method))(UI *, void *); const void *UI_method_get_ex_data(const UI_METHOD *method, int idx); /* @@ -395,13 +398,12 @@ int UI_set_result_ex(UI *ui, UI_STRING *uis, const char *result, int len); /* A couple of popular utility functions */ int UI_UTIL_read_pw_string(char *buf, int length, const char *prompt, - int verify); + int verify); int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt, - int verify); + int verify); UI_METHOD *UI_UTIL_wrap_read_pem_callback(pem_password_cb *cb, int rwflag); - -# ifdef __cplusplus +#ifdef __cplusplus } -# endif +#endif #endif diff --git a/crypto/openssl/include/openssl/x509.h b/crypto/openssl/include/openssl/x509.h index d013458c2264..30681e4fb698 100644 --- a/crypto/openssl/include/openssl/x509.h +++ b/crypto/openssl/include/openssl/x509.h 
@@ -11,44 +11,47 @@ * https://www.openssl.org/source/license.html */ +/* clang-format off */ +/* clang-format on */ #ifndef OPENSSL_X509_H -# define OPENSSL_X509_H -# pragma once - -# include <openssl/macros.h> -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define HEADER_X509_H -# endif - -# include <openssl/e_os2.h> -# include <openssl/types.h> -# include <openssl/symhacks.h> -# include <openssl/buffer.h> -# include <openssl/evp.h> -# include <openssl/bio.h> -# include <openssl/asn1.h> -# include <openssl/safestack.h> -# include <openssl/ec.h> - -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# include <openssl/rsa.h> -# include <openssl/dsa.h> -# include <openssl/dh.h> -# endif - -# include <openssl/sha.h> -# include <openssl/x509err.h> -# ifndef OPENSSL_NO_STDIO -# include <stdio.h> -# endif - -#ifdef __cplusplus +#define OPENSSL_X509_H +#pragma once + +#include <openssl/macros.h> +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define HEADER_X509_H +#endif + +#include <openssl/e_os2.h> +#include <openssl/types.h> +#include <openssl/symhacks.h> +#include <openssl/buffer.h> +#include <openssl/evp.h> +#include <openssl/bio.h> +#include <openssl/asn1.h> +#include <openssl/safestack.h> +#include <openssl/ec.h> + +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#include <openssl/rsa.h> +#include <openssl/dsa.h> +#include <openssl/dh.h> +#endif + +#include <openssl/sha.h> +#include <openssl/x509err.h> +#ifndef OPENSSL_NO_STDIO +#include <stdio.h> +#endif + +#ifdef __cplusplus extern "C" { #endif /* Needed stacks for types defined in other headers */ +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(X509_NAME, X509_NAME, X509_NAME) #define sk_X509_NAME_num(sk) OPENSSL_sk_num(ossl_check_const_X509_NAME_sk_type(sk)) #define sk_X509_NAME_value(sk, idx) ((X509_NAME *)OPENSSL_sk_value(ossl_check_const_X509_NAME_sk_type(sk), (idx))) 
@@ -154,16 +157,17 @@ SKM_DEFINE_STACK_OF_INTERNAL(X509_CRL, X509_CRL, X509_CRL) #define sk_X509_CRL_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(X509_CRL) *)OPENSSL_sk_deep_copy(ossl_check_const_X509_CRL_sk_type(sk), ossl_check_X509_CRL_copyfunc_type(copyfunc), ossl_check_X509_CRL_freefunc_type(freefunc))) #define sk_X509_CRL_set_cmp_func(sk, cmp) ((sk_X509_CRL_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_X509_CRL_sk_type(sk), ossl_check_X509_CRL_compfunc_type(cmp))) +/* clang-format on */ /* Flags for X509_get_signature_info() */ /* Signature info is valid */ -# define X509_SIG_INFO_VALID 0x1 +#define X509_SIG_INFO_VALID 0x1 /* Signature is suitable for TLS use */ -# define X509_SIG_INFO_TLS 0x2 +#define X509_SIG_INFO_TLS 0x2 -# define X509_FILETYPE_PEM 1 -# define X509_FILETYPE_ASN1 2 -# define X509_FILETYPE_DEFAULT 3 +#define X509_FILETYPE_PEM 1 +#define X509_FILETYPE_ASN1 2 +#define X509_FILETYPE_DEFAULT 3 /*- * <https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3>: 
@@ -171,23 +175,23 @@ SKM_DEFINE_STACK_OF_INTERNAL(X509_CRL, X509_CRL, X509_CRL) * is 0x80, while bit `7` is 0x01 (the LSB of the integer value), bit `8` is * then the MSB of the second octet, or 0x8000. */ -# define X509v3_KU_DIGITAL_SIGNATURE 0x0080 /* (0) */ -# define X509v3_KU_NON_REPUDIATION 0x0040 /* (1) */ -# define X509v3_KU_KEY_ENCIPHERMENT 0x0020 /* (2) */ -# define X509v3_KU_DATA_ENCIPHERMENT 0x0010 /* (3) */ -# define X509v3_KU_KEY_AGREEMENT 0x0008 /* (4) */ -# define X509v3_KU_KEY_CERT_SIGN 0x0004 /* (5) */ -# define X509v3_KU_CRL_SIGN 0x0002 /* (6) */ -# define X509v3_KU_ENCIPHER_ONLY 0x0001 /* (7) */ -# define X509v3_KU_DECIPHER_ONLY 0x8000 /* (8) */ -# ifndef OPENSSL_NO_DEPRECATED_3_4 -# define X509v3_KU_UNDEF 0xffff /* vestigial, not used */ -# endif +#define X509v3_KU_DIGITAL_SIGNATURE 0x0080 /* (0) */ +#define X509v3_KU_NON_REPUDIATION 0x0040 /* (1) */ +#define X509v3_KU_KEY_ENCIPHERMENT 0x0020 /* (2) */ +#define X509v3_KU_DATA_ENCIPHERMENT 0x0010 /* (3) */ +#define X509v3_KU_KEY_AGREEMENT 0x0008 /* (4) */ +#define X509v3_KU_KEY_CERT_SIGN 0x0004 /* (5) */ +#define X509v3_KU_CRL_SIGN 0x0002 /* (6) */ +#define X509v3_KU_ENCIPHER_ONLY 0x0001 /* (7) */ +#define X509v3_KU_DECIPHER_ONLY 0x8000 /* (8) */ +#ifndef OPENSSL_NO_DEPRECATED_3_4 +#define X509v3_KU_UNDEF 0xffff /* vestigial, not used */ +#endif struct X509_algor_st { ASN1_OBJECT *algorithm; ASN1_TYPE *parameter; -} /* X509_ALGOR */ ; +} /* X509_ALGOR */; typedef STACK_OF(X509_ALGOR) X509_ALGORS; @@ -200,6 +204,7 @@ typedef struct X509_sig_st X509_SIG; typedef struct X509_name_entry_st X509_NAME_ENTRY; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(X509_NAME_ENTRY, X509_NAME_ENTRY, X509_NAME_ENTRY) #define sk_X509_NAME_ENTRY_num(sk) OPENSSL_sk_num(ossl_check_const_X509_NAME_ENTRY_sk_type(sk)) #define sk_X509_NAME_ENTRY_value(sk, idx) ((X509_NAME_ENTRY *)OPENSSL_sk_value(ossl_check_const_X509_NAME_ENTRY_sk_type(sk), (idx))) 
@@ -227,10 +232,12 @@ SKM_DEFINE_STACK_OF_INTERNAL(X509_NAME_ENTRY, X509_NAME_ENTRY, X509_NAME_ENTRY) #define sk_X509_NAME_ENTRY_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(X509_NAME_ENTRY) *)OPENSSL_sk_deep_copy(ossl_check_const_X509_NAME_ENTRY_sk_type(sk), ossl_check_X509_NAME_ENTRY_copyfunc_type(copyfunc), ossl_check_X509_NAME_ENTRY_freefunc_type(freefunc))) #define sk_X509_NAME_ENTRY_set_cmp_func(sk, cmp) ((sk_X509_NAME_ENTRY_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_X509_NAME_ENTRY_sk_type(sk), ossl_check_X509_NAME_ENTRY_compfunc_type(cmp))) +/* clang-format on */ -# define X509_EX_V_NETSCAPE_HACK 0x8000 -# define X509_EX_V_INIT 0x0001 +#define X509_EX_V_NETSCAPE_HACK 0x8000 +#define X509_EX_V_INIT 0x0001 typedef struct X509_extension_st X509_EXTENSION; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(X509_EXTENSION, X509_EXTENSION, X509_EXTENSION) #define sk_X509_EXTENSION_num(sk) OPENSSL_sk_num(ossl_check_const_X509_EXTENSION_sk_type(sk)) #define sk_X509_EXTENSION_value(sk, idx) ((X509_EXTENSION *)OPENSSL_sk_value(ossl_check_const_X509_EXTENSION_sk_type(sk), (idx))) 
@@ -258,8 +265,10 @@ SKM_DEFINE_STACK_OF_INTERNAL(X509_EXTENSION, X509_EXTENSION, X509_EXTENSION) #define sk_X509_EXTENSION_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(X509_EXTENSION) *)OPENSSL_sk_deep_copy(ossl_check_const_X509_EXTENSION_sk_type(sk), ossl_check_X509_EXTENSION_copyfunc_type(copyfunc), ossl_check_X509_EXTENSION_freefunc_type(freefunc))) #define sk_X509_EXTENSION_set_cmp_func(sk, cmp) ((sk_X509_EXTENSION_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_X509_EXTENSION_sk_type(sk), ossl_check_X509_EXTENSION_compfunc_type(cmp))) +/* clang-format on */ typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS; typedef struct x509_attributes_st X509_ATTRIBUTE; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(X509_ATTRIBUTE, X509_ATTRIBUTE, X509_ATTRIBUTE) #define sk_X509_ATTRIBUTE_num(sk) OPENSSL_sk_num(ossl_check_const_X509_ATTRIBUTE_sk_type(sk)) #define sk_X509_ATTRIBUTE_value(sk, idx) ((X509_ATTRIBUTE *)OPENSSL_sk_value(ossl_check_const_X509_ATTRIBUTE_sk_type(sk), (idx))) @@ -287,6 +296,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(X509_ATTRIBUTE, X509_ATTRIBUTE, X509_ATTRIBUTE) #define sk_X509_ATTRIBUTE_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(X509_ATTRIBUTE) *)OPENSSL_sk_deep_copy(ossl_check_const_X509_ATTRIBUTE_sk_type(sk), ossl_check_X509_ATTRIBUTE_copyfunc_type(copyfunc), ossl_check_X509_ATTRIBUTE_freefunc_type(freefunc))) #define sk_X509_ATTRIBUTE_set_cmp_func(sk, cmp) ((sk_X509_ATTRIBUTE_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_X509_ATTRIBUTE_sk_type(sk), ossl_check_X509_ATTRIBUTE_compfunc_type(cmp))) +/* clang-format on */ typedef struct X509_req_info_st X509_REQ_INFO; typedef struct X509_req_st X509_REQ; typedef struct x509_cert_aux_st X509_CERT_AUX; 
@@ -294,81 +304,68 @@ typedef struct x509_cinf_st X509_CINF; /* Flags for X509_print_ex() */ -# define X509_FLAG_COMPAT 0 -# define X509_FLAG_NO_HEADER 1L -# define X509_FLAG_NO_VERSION (1L << 1) -# define X509_FLAG_NO_SERIAL (1L << 2) -# define X509_FLAG_NO_SIGNAME (1L << 3) -# define X509_FLAG_NO_ISSUER (1L << 4) -# define X509_FLAG_NO_VALIDITY (1L << 5) -# define X509_FLAG_NO_SUBJECT (1L << 6) -# define X509_FLAG_NO_PUBKEY (1L << 7) -# define X509_FLAG_NO_EXTENSIONS (1L << 8) -# define X509_FLAG_NO_SIGDUMP (1L << 9) -# define X509_FLAG_NO_AUX (1L << 10) -# define X509_FLAG_NO_ATTRIBUTES (1L << 11) -# define X509_FLAG_NO_IDS (1L << 12) -# define X509_FLAG_EXTENSIONS_ONLY_KID (1L << 13) +#define X509_FLAG_COMPAT 0 +#define X509_FLAG_NO_HEADER 1L +#define X509_FLAG_NO_VERSION (1L << 1) +#define X509_FLAG_NO_SERIAL (1L << 2) +#define X509_FLAG_NO_SIGNAME (1L << 3) +#define X509_FLAG_NO_ISSUER (1L << 4) +#define X509_FLAG_NO_VALIDITY (1L << 5) +#define X509_FLAG_NO_SUBJECT (1L << 6) +#define X509_FLAG_NO_PUBKEY (1L << 7) +#define X509_FLAG_NO_EXTENSIONS (1L << 8) +#define X509_FLAG_NO_SIGDUMP (1L << 9) +#define X509_FLAG_NO_AUX (1L << 10) +#define X509_FLAG_NO_ATTRIBUTES (1L << 11) +#define X509_FLAG_NO_IDS (1L << 12) +#define X509_FLAG_EXTENSIONS_ONLY_KID (1L << 13) /* Flags specific to X509_NAME_print_ex() */ /* The field separator information */ -# define XN_FLAG_SEP_MASK (0xf << 16) +#define XN_FLAG_SEP_MASK (0xf << 16) -# define XN_FLAG_COMPAT 0/* Traditional; use old X509_NAME_print */ -# define XN_FLAG_SEP_COMMA_PLUS (1 << 16)/* RFC2253 ,+ */ -# define XN_FLAG_SEP_CPLUS_SPC (2 << 16)/* ,+ spaced: more readable */ -# define XN_FLAG_SEP_SPLUS_SPC (3 << 16)/* ;+ spaced */ -# define XN_FLAG_SEP_MULTILINE (4 << 16)/* One line per field */ +#define XN_FLAG_COMPAT 0 /* Traditional; use old X509_NAME_print */ +#define XN_FLAG_SEP_COMMA_PLUS (1 << 16) /* RFC2253 ,+ */ +#define XN_FLAG_SEP_CPLUS_SPC (2 << 16) /* ,+ spaced: more readable */ +#define XN_FLAG_SEP_SPLUS_SPC 
(3 << 16) /* ;+ spaced */ +#define XN_FLAG_SEP_MULTILINE (4 << 16) /* One line per field */ -# define XN_FLAG_DN_REV (1 << 20)/* Reverse DN order */ +#define XN_FLAG_DN_REV (1 << 20) /* Reverse DN order */ /* How the field name is shown */ -# define XN_FLAG_FN_MASK (0x3 << 21) +#define XN_FLAG_FN_MASK (0x3 << 21) -# define XN_FLAG_FN_SN 0/* Object short name */ -# define XN_FLAG_FN_LN (1 << 21)/* Object long name */ -# define XN_FLAG_FN_OID (2 << 21)/* Always use OIDs */ -# define XN_FLAG_FN_NONE (3 << 21)/* No field names */ +#define XN_FLAG_FN_SN 0 /* Object short name */ +#define XN_FLAG_FN_LN (1 << 21) /* Object long name */ +#define XN_FLAG_FN_OID (2 << 21) /* Always use OIDs */ +#define XN_FLAG_FN_NONE (3 << 21) /* No field names */ -# define XN_FLAG_SPC_EQ (1 << 23)/* Put spaces round '=' */ +#define XN_FLAG_SPC_EQ (1 << 23) /* Put spaces round '=' */ /* * This determines if we dump fields we don't recognise: RFC2253 requires * this. */ -# define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24) +#define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24) -# define XN_FLAG_FN_ALIGN (1 << 25)/* Align field names to 20 - * characters */ +#define XN_FLAG_FN_ALIGN (1 << 25) /* Align field names to 20 \ + * characters */ /* Complete set of RFC2253 flags */ -# define XN_FLAG_RFC2253 (ASN1_STRFLGS_RFC2253 | \ - XN_FLAG_SEP_COMMA_PLUS | \ - XN_FLAG_DN_REV | \ - XN_FLAG_FN_SN | \ - XN_FLAG_DUMP_UNKNOWN_FIELDS) +#define XN_FLAG_RFC2253 (ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV | XN_FLAG_FN_SN | XN_FLAG_DUMP_UNKNOWN_FIELDS) /* readable oneline form */ -# define XN_FLAG_ONELINE (ASN1_STRFLGS_RFC2253 | \ - ASN1_STRFLGS_ESC_QUOTE | \ - XN_FLAG_SEP_CPLUS_SPC | \ - XN_FLAG_SPC_EQ | \ - XN_FLAG_FN_SN) +#define XN_FLAG_ONELINE (ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_SPC_EQ | XN_FLAG_FN_SN) /* readable multiline form */ -# define XN_FLAG_MULTILINE (ASN1_STRFLGS_ESC_CTRL | \ - ASN1_STRFLGS_ESC_MSB | \ - XN_FLAG_SEP_MULTILINE | \ - 
XN_FLAG_SPC_EQ | \ - XN_FLAG_FN_LN | \ - XN_FLAG_FN_ALIGN) +#define XN_FLAG_MULTILINE (ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | XN_FLAG_SEP_MULTILINE | XN_FLAG_SPC_EQ | XN_FLAG_FN_LN | XN_FLAG_FN_ALIGN) typedef struct X509_crl_info_st X509_CRL_INFO; @@ -382,7 +379,7 @@ typedef struct private_key_st { /* used to encrypt and decrypt */ int key_length; char *key_data; - int key_free; /* true if we should auto free key_data */ + int key_free; /* true if we should auto free key_data */ /* expanded version of 'enc_algor' */ EVP_CIPHER_INFO cipher; } X509_PKEY; @@ -395,6 +392,7 @@ typedef struct X509_info_st { int enc_len; char *enc_data; } X509_INFO; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(X509_INFO, X509_INFO, X509_INFO) #define sk_X509_INFO_num(sk) OPENSSL_sk_num(ossl_check_const_X509_INFO_sk_type(sk)) #define sk_X509_INFO_value(sk, idx) ((X509_INFO *)OPENSSL_sk_value(ossl_check_const_X509_INFO_sk_type(sk), (idx))) @@ -422,6 +420,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(X509_INFO, X509_INFO, X509_INFO) #define sk_X509_INFO_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(X509_INFO) *)OPENSSL_sk_deep_copy(ossl_check_const_X509_INFO_sk_type(sk), ossl_check_X509_INFO_copyfunc_type(copyfunc), ossl_check_X509_INFO_freefunc_type(freefunc))) #define sk_X509_INFO_set_cmp_func(sk, cmp) ((sk_X509_INFO_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_X509_INFO_sk_type(sk), ossl_check_X509_INFO_compfunc_type(cmp))) +/* clang-format on */ /* * The next 2 structures and their 8 routines are used to manipulate Netscape's 
@@ -429,11 +428,11 @@ SKM_DEFINE_STACK_OF_INTERNAL(X509_INFO, X509_INFO, X509_INFO) */ typedef struct Netscape_spkac_st { X509_PUBKEY *pubkey; - ASN1_IA5STRING *challenge; /* challenge sent in atlas >= PR2 */ + ASN1_IA5STRING *challenge; /* challenge sent in atlas >= PR2 */ } NETSCAPE_SPKAC; typedef struct Netscape_spki_st { - NETSCAPE_SPKAC *spkac; /* signed public key and challenge */ + NETSCAPE_SPKAC *spkac; /* signed public key and challenge */ X509_ALGOR sig_algor; ASN1_BIT_STRING *signature; } NETSCAPE_SPKI; @@ -466,7 +465,7 @@ typedef struct PBE2PARAM_st { } PBE2PARAM; typedef struct PBKDF2PARAM_st { -/* Usually OCTET STRING but could be anything */ + /* Usually OCTET STRING but could be anything */ ASN1_TYPE *salt; ASN1_INTEGER *iter; ASN1_INTEGER *keylength; @@ -478,7 +477,7 @@ typedef struct { X509_ALGOR *messageAuthScheme; } PBMAC1PARAM; -# ifndef OPENSSL_NO_SCRYPT +#ifndef OPENSSL_NO_SCRYPT typedef struct SCRYPT_PARAMS_st { ASN1_OCTET_STRING *salt; ASN1_INTEGER *costParameter; 
@@ -486,37 +485,35 @@ typedef struct SCRYPT_PARAMS_st { ASN1_INTEGER *parallelizationParameter; ASN1_INTEGER *keyLength; } SCRYPT_PARAMS; -# endif +#endif -#ifdef __cplusplus +#ifdef __cplusplus } #endif -# include <openssl/x509_vfy.h> -# include <openssl/pkcs7.h> +#include <openssl/x509_vfy.h> +#include <openssl/pkcs7.h> -#ifdef __cplusplus +#ifdef __cplusplus extern "C" { #endif -# define X509_EXT_PACK_UNKNOWN 1 -# define X509_EXT_PACK_STRING 2 +#define X509_EXT_PACK_UNKNOWN 1 +#define X509_EXT_PACK_STRING 2 -# define X509_extract_key(x) X509_get_pubkey(x)/*****/ -# define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a) -# define X509_name_cmp(a,b) X509_NAME_cmp((a),(b)) +#define X509_extract_key(x) X509_get_pubkey(x) /*****/ +#define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a) +#define X509_name_cmp(a, b) X509_NAME_cmp((a), (b)) void X509_CRL_set_default_method(const X509_CRL_METHOD *meth); -X509_CRL_METHOD *X509_CRL_METHOD_new(int (*crl_init) (X509_CRL *crl), - int (*crl_free) (X509_CRL *crl), - int (*crl_lookup) (X509_CRL *crl, - X509_REVOKED **ret, - const - ASN1_INTEGER *serial, - const - X509_NAME *issuer), - int (*crl_verify) (X509_CRL *crl, - EVP_PKEY *pk)); +X509_CRL_METHOD *X509_CRL_METHOD_new(int (*crl_init)(X509_CRL *crl), + int (*crl_free)(X509_CRL *crl), + int (*crl_lookup)(X509_CRL *crl, + X509_REVOKED **ret, + const ASN1_INTEGER *serial, + const X509_NAME *issuer), + int (*crl_verify)(X509_CRL *crl, + EVP_PKEY *pk)); void X509_CRL_METHOD_free(X509_CRL_METHOD *m); void X509_CRL_set_meth_data(X509_CRL *crl, void *dat); @@ -528,7 +525,7 @@ int X509_verify(X509 *a, EVP_PKEY *r); int X509_self_signed(X509 *cert, int verify_signature); int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *r, OSSL_LIB_CTX *libctx, - const char *propq); + const char *propq); int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r); int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r); int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r); 
@@ -542,7 +539,7 @@ int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki); int X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent); int X509_signature_print(BIO *bp, const X509_ALGOR *alg, - const ASN1_STRING *sig); + const ASN1_STRING *sig); int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md); int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx); 
@@ -553,76 +550,76 @@ int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx); int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md); int X509_pubkey_digest(const X509 *data, const EVP_MD *type, - unsigned char *md, unsigned int *len); + unsigned char *md, unsigned int *len); int X509_digest(const X509 *data, const EVP_MD *type, - unsigned char *md, unsigned int *len); + unsigned char *md, unsigned int *len); ASN1_OCTET_STRING *X509_digest_sig(const X509 *cert, - EVP_MD **md_used, int *md_is_fallback); + EVP_MD **md_used, int *md_is_fallback); int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, - unsigned char *md, unsigned int *len); + unsigned char *md, unsigned int *len); int X509_REQ_digest(const X509_REQ *data, const EVP_MD *type, - unsigned char *md, unsigned int *len); + unsigned char *md, unsigned int *len); int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type, - unsigned char *md, unsigned int *len); + unsigned char *md, unsigned int *len); X509 *X509_load_http(const char *url, BIO *bio, BIO *rbio, int timeout); X509_CRL *X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout); -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# include <openssl/http.h> /* OSSL_HTTP_REQ_CTX_nbio_d2i */ -# define X509_http_nbio(rctx, pcert) \ - OSSL_HTTP_REQ_CTX_nbio_d2i(rctx, pcert, ASN1_ITEM_rptr(X509)) -# define X509_CRL_http_nbio(rctx, pcrl) \ - OSSL_HTTP_REQ_CTX_nbio_d2i(rctx, pcrl, ASN1_ITEM_rptr(X509_CRL)) -# endif - -# ifndef OPENSSL_NO_STDIO +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#include <openssl/http.h> /* OSSL_HTTP_REQ_CTX_nbio_d2i */ +#define X509_http_nbio(rctx, pcert) \ + OSSL_HTTP_REQ_CTX_nbio_d2i(rctx, pcert, ASN1_ITEM_rptr(X509)) +#define X509_CRL_http_nbio(rctx, pcrl) \ + OSSL_HTTP_REQ_CTX_nbio_d2i(rctx, pcrl, ASN1_ITEM_rptr(X509_CRL)) +#endif + +#ifndef OPENSSL_NO_STDIO X509 *d2i_X509_fp(FILE *fp, X509 **x509); int i2d_X509_fp(FILE *fp, const X509 *x509); X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl); int 
i2d_X509_CRL_fp(FILE *fp, const X509_CRL *crl); X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req); int i2d_X509_REQ_fp(FILE *fp, const X509_REQ *req); -# ifndef OPENSSL_NO_DEPRECATED_3_0 +#ifndef OPENSSL_NO_DEPRECATED_3_0 OSSL_DEPRECATEDIN_3_0 RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa); OSSL_DEPRECATEDIN_3_0 int i2d_RSAPrivateKey_fp(FILE *fp, const RSA *rsa); OSSL_DEPRECATEDIN_3_0 RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa); OSSL_DEPRECATEDIN_3_0 int i2d_RSAPublicKey_fp(FILE *fp, const RSA *rsa); OSSL_DEPRECATEDIN_3_0 RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa); OSSL_DEPRECATEDIN_3_0 int i2d_RSA_PUBKEY_fp(FILE *fp, const RSA *rsa); -# endif -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# ifndef OPENSSL_NO_DSA +#endif +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#ifndef OPENSSL_NO_DSA OSSL_DEPRECATEDIN_3_0 DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa); OSSL_DEPRECATEDIN_3_0 int i2d_DSA_PUBKEY_fp(FILE *fp, const DSA *dsa); OSSL_DEPRECATEDIN_3_0 DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa); OSSL_DEPRECATEDIN_3_0 int i2d_DSAPrivateKey_fp(FILE *fp, const DSA *dsa); -# endif -# endif -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# ifndef OPENSSL_NO_EC +#endif +#endif +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#ifndef OPENSSL_NO_EC OSSL_DEPRECATEDIN_3_0 EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey); OSSL_DEPRECATEDIN_3_0 int i2d_EC_PUBKEY_fp(FILE *fp, const EC_KEY *eckey); OSSL_DEPRECATEDIN_3_0 EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey); OSSL_DEPRECATEDIN_3_0 int i2d_ECPrivateKey_fp(FILE *fp, const EC_KEY *eckey); -# endif /* OPENSSL_NO_EC */ -# endif /* OPENSSL_NO_DEPRECATED_3_0 */ +#endif /* OPENSSL_NO_EC */ +#endif /* OPENSSL_NO_DEPRECATED_3_0 */ X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8); int i2d_PKCS8_fp(FILE *fp, const X509_SIG *p8); X509_PUBKEY *d2i_X509_PUBKEY_fp(FILE *fp, X509_PUBKEY **xpk); int i2d_X509_PUBKEY_fp(FILE *fp, const X509_PUBKEY *xpk); PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, - PKCS8_PRIV_KEY_INFO **p8inf); + PKCS8_PRIV_KEY_INFO **p8inf); 
int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, const PKCS8_PRIV_KEY_INFO *p8inf); int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, const EVP_PKEY *key); int i2d_PrivateKey_fp(FILE *fp, const EVP_PKEY *pkey); EVP_PKEY *d2i_PrivateKey_ex_fp(FILE *fp, EVP_PKEY **a, OSSL_LIB_CTX *libctx, - const char *propq); + const char *propq); EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a); int i2d_PUBKEY_fp(FILE *fp, const EVP_PKEY *pkey); EVP_PKEY *d2i_PUBKEY_ex_fp(FILE *fp, EVP_PKEY **a, OSSL_LIB_CTX *libctx, - const char *propq); + const char *propq); EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a); -# endif +#endif X509 *d2i_X509_bio(BIO *bp, X509 **x509); int i2d_X509_bio(BIO *bp, const X509 *x509); 
@@ -630,47 +627,47 @@ X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl); int i2d_X509_CRL_bio(BIO *bp, const X509_CRL *crl); X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req); int i2d_X509_REQ_bio(BIO *bp, const X509_REQ *req); -# ifndef OPENSSL_NO_DEPRECATED_3_0 +#ifndef OPENSSL_NO_DEPRECATED_3_0 OSSL_DEPRECATEDIN_3_0 RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa); OSSL_DEPRECATEDIN_3_0 int i2d_RSAPrivateKey_bio(BIO *bp, const RSA *rsa); OSSL_DEPRECATEDIN_3_0 RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa); OSSL_DEPRECATEDIN_3_0 int i2d_RSAPublicKey_bio(BIO *bp, const RSA *rsa); OSSL_DEPRECATEDIN_3_0 RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa); OSSL_DEPRECATEDIN_3_0 int i2d_RSA_PUBKEY_bio(BIO *bp, const RSA *rsa); -# endif -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# ifndef OPENSSL_NO_DSA +#endif +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#ifndef OPENSSL_NO_DSA OSSL_DEPRECATEDIN_3_0 DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa); OSSL_DEPRECATEDIN_3_0 int i2d_DSA_PUBKEY_bio(BIO *bp, const DSA *dsa); OSSL_DEPRECATEDIN_3_0 DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa); OSSL_DEPRECATEDIN_3_0 int i2d_DSAPrivateKey_bio(BIO *bp, const DSA *dsa); -# endif -# endif +#endif +#endif -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#ifndef OPENSSL_NO_EC OSSL_DEPRECATEDIN_3_0 EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey); OSSL_DEPRECATEDIN_3_0 int i2d_EC_PUBKEY_bio(BIO *bp, const EC_KEY *eckey); OSSL_DEPRECATEDIN_3_0 EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey); OSSL_DEPRECATEDIN_3_0 int i2d_ECPrivateKey_bio(BIO *bp, const EC_KEY *eckey); -# endif /* OPENSSL_NO_EC */ -# endif /* OPENSSL_NO_DEPRECATED_3_0 */ +#endif /* OPENSSL_NO_EC */ +#endif /* OPENSSL_NO_DEPRECATED_3_0 */ X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8); int i2d_PKCS8_bio(BIO *bp, const X509_SIG *p8); X509_PUBKEY *d2i_X509_PUBKEY_bio(BIO *bp, X509_PUBKEY **xpk); int i2d_X509_PUBKEY_bio(BIO *bp, const X509_PUBKEY *xpk); PKCS8_PRIV_KEY_INFO 
*d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, - PKCS8_PRIV_KEY_INFO **p8inf); + PKCS8_PRIV_KEY_INFO **p8inf); int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, const PKCS8_PRIV_KEY_INFO *p8inf); int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, const EVP_PKEY *key); int i2d_PrivateKey_bio(BIO *bp, const EVP_PKEY *pkey); EVP_PKEY *d2i_PrivateKey_ex_bio(BIO *bp, EVP_PKEY **a, OSSL_LIB_CTX *libctx, - const char *propq); + const char *propq); EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a); int i2d_PUBKEY_bio(BIO *bp, const EVP_PKEY *pkey); EVP_PKEY *d2i_PUBKEY_ex_bio(BIO *bp, EVP_PKEY **a, OSSL_LIB_CTX *libctx, - const char *propq); + const char *propq); EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a); DECLARE_ASN1_DUP_FUNCTION(X509) @@ -682,9 +679,9 @@ DECLARE_ASN1_DUP_FUNCTION(X509_PUBKEY) DECLARE_ASN1_DUP_FUNCTION(X509_REQ) DECLARE_ASN1_DUP_FUNCTION(X509_REVOKED) int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, - void *pval); + void *pval); void X509_ALGOR_get0(const ASN1_OBJECT **paobj, int *pptype, - const void **ppval, const X509_ALGOR *algor); + const void **ppval, const X509_ALGOR *algor); void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md); int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b); int X509_ALGOR_copy(X509_ALGOR *dest, const X509_ALGOR *src); @@ -695,10 +692,10 @@ DECLARE_ASN1_DUP_FUNCTION(X509_NAME_ENTRY) int X509_cmp_time(const ASN1_TIME *s, time_t *t); int X509_cmp_current_time(const ASN1_TIME *s); int X509_cmp_timeframe(const X509_VERIFY_PARAM *vpm, - const ASN1_TIME *start, const ASN1_TIME *end); + const ASN1_TIME *start, const ASN1_TIME *end); ASN1_TIME *X509_time_adj(ASN1_TIME *s, long adj, time_t *t); ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, - int offset_day, long offset_sec, time_t *t); + int offset_day, long offset_sec, time_t *t); ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj); const char *X509_get_default_cert_area(void); 
@@ -725,26 +722,26 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain); long X509_get_pathlen(X509 *x); DECLARE_ASN1_ENCODE_FUNCTIONS_only(EVP_PKEY, PUBKEY) EVP_PKEY *d2i_PUBKEY_ex(EVP_PKEY **a, const unsigned char **pp, long length, - OSSL_LIB_CTX *libctx, const char *propq); -# ifndef OPENSSL_NO_DEPRECATED_3_0 -DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0,RSA, RSA_PUBKEY) -# endif -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# ifndef OPENSSL_NO_DSA -DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0,DSA, DSA_PUBKEY) -# endif -# endif -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# ifndef OPENSSL_NO_EC + OSSL_LIB_CTX *libctx, const char *propq); +#ifndef OPENSSL_NO_DEPRECATED_3_0 +DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0, RSA, RSA_PUBKEY) +#endif +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#ifndef OPENSSL_NO_DSA +DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0, DSA, DSA_PUBKEY) +#endif +#endif +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#ifndef OPENSSL_NO_EC DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0, EC_KEY, EC_PUBKEY) -# endif -# endif +#endif +#endif DECLARE_ASN1_FUNCTIONS(X509_SIG) void X509_SIG_get0(const X509_SIG *sig, const X509_ALGOR **palg, - const ASN1_OCTET_STRING **pdigest); + const ASN1_OCTET_STRING **pdigest); void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **palg, - ASN1_OCTET_STRING **pdigest); + ASN1_OCTET_STRING **pdigest); DECLARE_ASN1_FUNCTIONS(X509_REQ_INFO) DECLARE_ASN1_FUNCTIONS(X509_REQ) 
@@ -771,20 +768,20 @@ DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX) CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509, l, p, newf, dupf, freef) int X509_set_ex_data(X509 *r, int idx, void *arg); void *X509_get_ex_data(const X509 *r, int idx); -DECLARE_ASN1_ENCODE_FUNCTIONS_only(X509,X509_AUX) +DECLARE_ASN1_ENCODE_FUNCTIONS_only(X509, X509_AUX) int i2d_re_X509_tbs(X509 *x, unsigned char **pp); int X509_SIG_INFO_get(const X509_SIG_INFO *siginf, int *mdnid, int *pknid, - int *secbits, uint32_t *flags); + int *secbits, uint32_t *flags); void X509_SIG_INFO_set(X509_SIG_INFO *siginf, int mdnid, int pknid, - int secbits, uint32_t flags); + int secbits, uint32_t flags); int X509_get_signature_info(X509 *x, int *mdnid, int *pknid, int *secbits, - uint32_t *flags); + uint32_t *flags); void X509_get0_signature(const ASN1_BIT_STRING **psig, - const X509_ALGOR **palg, const X509 *x); + const X509_ALGOR **palg, const X509 *x); int X509_get_signature_nid(const X509 *x); void X509_set0_distinguishing_id(X509 *x, ASN1_OCTET_STRING *d_id); @@ -804,7 +801,7 @@ X509_CRL *X509_CRL_new_ex(OSSL_LIB_CTX *libctx, const char *propq); int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev); int X509_CRL_get0_by_serial(X509_CRL *crl, - X509_REVOKED **ret, const ASN1_INTEGER *serial); + X509_REVOKED **ret, const ASN1_INTEGER *serial); int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x); X509_PKEY *X509_PKEY_new(void); 
@@ -821,29 +818,29 @@ char *X509_NAME_oneline(const X509_NAME *a, char *buf, int size); #ifndef OPENSSL_NO_DEPRECATED_3_0 OSSL_DEPRECATEDIN_3_0 int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *algor1, - ASN1_BIT_STRING *signature, char *data, EVP_PKEY *pkey); + ASN1_BIT_STRING *signature, char *data, EVP_PKEY *pkey); OSSL_DEPRECATEDIN_3_0 int ASN1_digest(i2d_of_void *i2d, const EVP_MD *type, char *data, - unsigned char *md, unsigned int *len); + unsigned char *md, unsigned int *len); OSSL_DEPRECATEDIN_3_0 int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1, X509_ALGOR *algor2, - ASN1_BIT_STRING *signature, char *data, EVP_PKEY *pkey, - const EVP_MD *type); + ASN1_BIT_STRING *signature, char *data, EVP_PKEY *pkey, + const EVP_MD *type); #endif int ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *type, void *data, - unsigned char *md, unsigned int *len); + unsigned char *md, unsigned int *len); int ASN1_item_verify(const ASN1_ITEM *it, const X509_ALGOR *alg, - const ASN1_BIT_STRING *signature, const void *data, - EVP_PKEY *pkey); + const ASN1_BIT_STRING *signature, const void *data, + EVP_PKEY *pkey); int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg, - const ASN1_BIT_STRING *signature, const void *data, - EVP_MD_CTX *ctx); + const ASN1_BIT_STRING *signature, const void *data, + EVP_MD_CTX *ctx); int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2, - ASN1_BIT_STRING *signature, const void *data, - EVP_PKEY *pkey, const EVP_MD *md); + ASN1_BIT_STRING *signature, const void *data, + EVP_PKEY *pkey, const EVP_MD *md); int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, - X509_ALGOR *algor2, ASN1_BIT_STRING *signature, - const void *data, EVP_MD_CTX *ctx); + X509_ALGOR *algor2, ASN1_BIT_STRING *signature, + const void *data, EVP_MD_CTX *ctx); #define X509_VERSION_1 0 #define X509_VERSION_2 1 
@@ -858,7 +855,7 @@ int X509_set_issuer_name(X509 *x, const X509_NAME *name); X509_NAME *X509_get_issuer_name(const X509 *a); int X509_set_subject_name(X509 *x, const X509_NAME *name); X509_NAME *X509_get_subject_name(const X509 *a); -const ASN1_TIME * X509_get0_notBefore(const X509 *x); +const ASN1_TIME *X509_get0_notBefore(const X509 *x); ASN1_TIME *X509_getm_notBefore(const X509 *x); int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm); const ASN1_TIME *X509_get0_notAfter(const X509 *x); @@ -868,14 +865,13 @@ int X509_set_pubkey(X509 *x, EVP_PKEY *pkey); int X509_up_ref(X509 *x); int X509_get_signature_type(const X509 *x); -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# define X509_get_notBefore X509_getm_notBefore -# define X509_get_notAfter X509_getm_notAfter -# define X509_set_notBefore X509_set1_notBefore -# define X509_set_notAfter X509_set1_notAfter +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#define X509_get_notBefore X509_getm_notBefore +#define X509_get_notAfter X509_getm_notAfter +#define X509_set_notBefore X509_set1_notBefore +#define X509_set_notAfter X509_set1_notAfter #endif - /* * This one is only used so that a binary form can output, as in * i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &buf) @@ -883,7 +879,7 @@ int X509_get_signature_type(const X509 *x); X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x); const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x); void X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid, - const ASN1_BIT_STRING **psuid); + const ASN1_BIT_STRING **psuid); const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x); EVP_PKEY *X509_get0_pubkey(const X509 *x); 
@@ -897,7 +893,7 @@ int X509_REQ_set_version(X509_REQ *x, long version); X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req); int X509_REQ_set_subject_name(X509_REQ *req, const X509_NAME *name); void X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig, - const X509_ALGOR **palg); + const X509_ALGOR **palg); void X509_REQ_set0_signature(X509_REQ *req, ASN1_BIT_STRING *psig); int X509_REQ_set1_signature_algo(X509_REQ *req, X509_ALGOR *palg); int X509_REQ_get_signature_nid(const X509_REQ *req); @@ -911,24 +907,24 @@ int *X509_REQ_get_extension_nids(void); void X509_REQ_set_extension_nids(int *nids); STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(OSSL_FUTURE_CONST X509_REQ *req); int X509_REQ_add_extensions_nid(X509_REQ *req, - const STACK_OF(X509_EXTENSION) *exts, int nid); + const STACK_OF(X509_EXTENSION) *exts, int nid); int X509_REQ_add_extensions(X509_REQ *req, const STACK_OF(X509_EXTENSION) *ext); int X509_REQ_get_attr_count(const X509_REQ *req); int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos); int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, const ASN1_OBJECT *obj, - int lastpos); + int lastpos); X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc); X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc); int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr); int X509_REQ_add1_attr_by_OBJ(X509_REQ *req, - const ASN1_OBJECT *obj, int type, - const unsigned char *bytes, int len); + const ASN1_OBJECT *obj, int type, + const unsigned char *bytes, int len); int X509_REQ_add1_attr_by_NID(X509_REQ *req, - int nid, int type, - const unsigned char *bytes, int len); + int nid, int type, + const unsigned char *bytes, int len); int X509_REQ_add1_attr_by_txt(X509_REQ *req, - const char *attrname, int type, - const unsigned char *bytes, int len); + const char *attrname, int type, + const unsigned char *bytes, int len); #define X509_CRL_VERSION_1 0 #define X509_CRL_VERSION_2 1 
@@ -940,9 +936,9 @@ int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm); int X509_CRL_sort(X509_CRL *crl); int X509_CRL_up_ref(X509_CRL *crl); -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# define X509_CRL_set_lastUpdate X509_CRL_set1_lastUpdate -# define X509_CRL_set_nextUpdate X509_CRL_set1_nextUpdate +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#define X509_CRL_set_lastUpdate X509_CRL_set1_lastUpdate +#define X509_CRL_set_nextUpdate X509_CRL_set1_nextUpdate #endif long X509_CRL_get_version(const X509_CRL *crl); @@ -956,7 +952,7 @@ X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl); const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl); STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl); void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig, - const X509_ALGOR **palg); + const X509_ALGOR **palg); int X509_CRL_get_signature_nid(const X509_CRL *crl); int i2d_re_X509_CRL_tbs(X509_CRL *req, unsigned char **pp); @@ -968,14 +964,14 @@ const STACK_OF(X509_EXTENSION) * X509_REVOKED_get0_extensions(const X509_REVOKED *r); X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, - EVP_PKEY *skey, const EVP_MD *md, unsigned int flags); + EVP_PKEY *skey, const EVP_MD *md, unsigned int flags); int X509_REQ_check_private_key(const X509_REQ *req, EVP_PKEY *pkey); int X509_check_private_key(const X509 *cert, const EVP_PKEY *pkey); int X509_chain_check_suiteb(int *perror_depth, - X509 *x, STACK_OF(X509) *chain, - unsigned long flags); + X509 *x, STACK_OF(X509) *chain, + unsigned long flags); int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags); void OSSL_STACK_OF_X509_free(STACK_OF(X509) *certs); STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain); 
@@ -989,61 +985,61 @@ unsigned long X509_issuer_name_hash(X509 *a); int X509_subject_name_cmp(const X509 *a, const X509 *b); unsigned long X509_subject_name_hash(X509 *x); -# ifndef OPENSSL_NO_MD5 +#ifndef OPENSSL_NO_MD5 unsigned long X509_issuer_name_hash_old(X509 *a); unsigned long X509_subject_name_hash_old(X509 *x); -# endif +#endif -# define X509_ADD_FLAG_DEFAULT 0 -# define X509_ADD_FLAG_UP_REF 0x1 -# define X509_ADD_FLAG_PREPEND 0x2 -# define X509_ADD_FLAG_NO_DUP 0x4 -# define X509_ADD_FLAG_NO_SS 0x8 +#define X509_ADD_FLAG_DEFAULT 0 +#define X509_ADD_FLAG_UP_REF 0x1 +#define X509_ADD_FLAG_PREPEND 0x2 +#define X509_ADD_FLAG_NO_DUP 0x4 +#define X509_ADD_FLAG_NO_SS 0x8 int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags); int X509_add_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, int flags); int X509_cmp(const X509 *a, const X509 *b); int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b); #ifndef OPENSSL_NO_DEPRECATED_3_0 -# define X509_NAME_hash(x) X509_NAME_hash_ex(x, NULL, NULL, NULL) +#define X509_NAME_hash(x) X509_NAME_hash_ex(x, NULL, NULL, NULL) OSSL_DEPRECATEDIN_3_0 int X509_certificate_type(const X509 *x, - const EVP_PKEY *pubkey); + const EVP_PKEY *pubkey); #endif unsigned long X509_NAME_hash_ex(const X509_NAME *x, OSSL_LIB_CTX *libctx, - const char *propq, int *ok); + const char *propq, int *ok); unsigned long X509_NAME_hash_old(const X509_NAME *x); int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b); int X509_CRL_match(const X509_CRL *a, const X509_CRL *b); int X509_aux_print(BIO *out, X509 *x, int indent); -# ifndef OPENSSL_NO_STDIO +#ifndef OPENSSL_NO_STDIO int X509_print_ex_fp(FILE *bp, X509 *x, unsigned long nmflag, - unsigned long cflag); + unsigned long cflag); int X509_print_fp(FILE *bp, X509 *x); int X509_CRL_print_fp(FILE *bp, X509_CRL *x); int X509_REQ_print_fp(FILE *bp, X509_REQ *req); int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm, int indent, - unsigned long flags); -# endif + unsigned long flags); +#endif int 
X509_NAME_print(BIO *bp, const X509_NAME *name, int obase); int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent, - unsigned long flags); + unsigned long flags); int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflag, - unsigned long cflag); + unsigned long cflag); int X509_print(BIO *bp, X509 *x); int X509_ocspid_print(BIO *bp, X509 *x); int X509_CRL_print_ex(BIO *out, X509_CRL *x, unsigned long nmflag); int X509_CRL_print(BIO *bp, X509_CRL *x); int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag, - unsigned long cflag); + unsigned long cflag); int X509_REQ_print(BIO *bp, X509_REQ *req); int X509_NAME_entry_count(const X509_NAME *name); int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid, - char *buf, int len); + char *buf, int len); int X509_NAME_get_text_by_OBJ(const X509_NAME *name, const ASN1_OBJECT *obj, - char *buf, int len); + char *buf, int len); /* * NOTE: you should be passing -1, not 0 as lastpos. The functions that use 
@@ -1051,55 +1047,55 @@ int X509_NAME_get_text_by_OBJ(const X509_NAME *name, const ASN1_OBJECT *obj, */ int X509_NAME_get_index_by_NID(const X509_NAME *name, int nid, int lastpos); int X509_NAME_get_index_by_OBJ(const X509_NAME *name, const ASN1_OBJECT *obj, - int lastpos); + int lastpos); X509_NAME_ENTRY *X509_NAME_get_entry(const X509_NAME *name, int loc); X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc); int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, - int loc, int set); + int loc, int set); int X509_NAME_add_entry_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int type, - const unsigned char *bytes, int len, int loc, - int set); + const unsigned char *bytes, int len, int loc, + int set); int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, - const unsigned char *bytes, int len, int loc, - int set); + const unsigned char *bytes, int len, int loc, + int set); X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, - const char *field, int type, - const unsigned char *bytes, - int len); + const char *field, int type, + const unsigned char *bytes, + int len); X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, - int type, - const unsigned char *bytes, - int len); + int type, + const unsigned char *bytes, + int len); int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, - const unsigned char *bytes, int len, int loc, - int set); + const unsigned char *bytes, int len, int loc, + int set); X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, - const ASN1_OBJECT *obj, int type, - const unsigned char *bytes, - int len); + const ASN1_OBJECT *obj, int type, + const unsigned char *bytes, + int len); int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, const ASN1_OBJECT *obj); int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, - const unsigned char *bytes, int len); + const unsigned char *bytes, int len); ASN1_OBJECT 
*X509_NAME_ENTRY_get_object(const X509_NAME_ENTRY *ne); -ASN1_STRING * X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne); +ASN1_STRING *X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne); int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne); int X509_NAME_get0_der(const X509_NAME *nm, const unsigned char **pder, - size_t *pderlen); + size_t *pderlen); int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x); int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, - int nid, int lastpos); + int nid, int lastpos); int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *x, - const ASN1_OBJECT *obj, int lastpos); + const ASN1_OBJECT *obj, int lastpos); int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *x, - int crit, int lastpos); + int crit, int lastpos); X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc); X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc); STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, - X509_EXTENSION *ex, int loc); + X509_EXTENSION *ex, int loc); STACK_OF(X509_EXTENSION) *X509v3_add_extensions(STACK_OF(X509_EXTENSION) **target, - const STACK_OF(X509_EXTENSION) *exts); + const STACK_OF(X509_EXTENSION) *exts); int X509_get_ext_count(const X509 *x); int X509_get_ext_by_NID(const X509 *x, int nid, int lastpos); 
@@ -1110,40 +1106,40 @@ X509_EXTENSION *X509_delete_ext(X509 *x, int loc); int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc); void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx); int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit, - unsigned long flags); + unsigned long flags); int X509_CRL_get_ext_count(const X509_CRL *x); int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, int lastpos); int X509_CRL_get_ext_by_OBJ(const X509_CRL *x, const ASN1_OBJECT *obj, - int lastpos); + int lastpos); int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit, int lastpos); X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc); X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc); int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc); void *X509_CRL_get_ext_d2i(const X509_CRL *x, int nid, int *crit, int *idx); int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit, - unsigned long flags); + unsigned long flags); int X509_REVOKED_get_ext_count(const X509_REVOKED *x); int X509_REVOKED_get_ext_by_NID(const X509_REVOKED *x, int nid, int lastpos); int X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x, const ASN1_OBJECT *obj, - int lastpos); + int lastpos); int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x, int crit, - int lastpos); + int lastpos); X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, int loc); X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc); int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc); void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *x, int nid, int *crit, - int *idx); + int *idx); int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit, - unsigned long flags); + unsigned long flags); X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, - int nid, int crit, - ASN1_OCTET_STRING *data); + int nid, int crit, + ASN1_OCTET_STRING *data); X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, 
- const ASN1_OBJECT *obj, int crit, - ASN1_OCTET_STRING *data); + const ASN1_OBJECT *obj, int crit, + ASN1_OCTET_STRING *data); int X509_EXTENSION_set_object(X509_EXTENSION *ex, const ASN1_OBJECT *obj); int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit); int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data); 
@@ -1153,45 +1149,48 @@ int X509_EXTENSION_get_critical(const X509_EXTENSION *ex); int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x); int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid, - int lastpos); + int lastpos); int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, - const ASN1_OBJECT *obj, int lastpos); + const ASN1_OBJECT *obj, int lastpos); X509_ATTRIBUTE *X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc); X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc); STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x, - X509_ATTRIBUTE *attr); + X509_ATTRIBUTE *attr); STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) - **x, const ASN1_OBJECT *obj, - int type, - const unsigned char *bytes, - int len); + **x, + const ASN1_OBJECT *obj, + int type, + const unsigned char *bytes, + int len); STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) - **x, int nid, int type, - const unsigned char *bytes, - int len); + **x, + int nid, int type, + const unsigned char *bytes, + int len); STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) - **x, const char *attrname, - int type, - const unsigned char *bytes, - int len); + **x, + const char *attrname, + int type, + const unsigned char *bytes, + int len); void *X509at_get0_data_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *x, - const ASN1_OBJECT *obj, int lastpos, int type); + const ASN1_OBJECT *obj, int lastpos, int type); X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid, - int atrtype, const void *data, - int len); + int atrtype, const void *data, + int len); X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr, - const ASN1_OBJECT *obj, - int atrtype, const void *data, - int len); + const ASN1_OBJECT *obj, + int atrtype, const void *data, + int len); X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr, - const char 
*atrname, int type, - const unsigned char *bytes, - int len); + const char *atrname, int type, + const unsigned char *bytes, + int len); int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj); int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, - const void *data, int len); + const void *data, int len); void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, int atrtype, - void *data); + void *data); int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr); ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr); ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx); 
@@ -1199,67 +1198,67 @@ ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx); int EVP_PKEY_get_attr_count(const EVP_PKEY *key); int EVP_PKEY_get_attr_by_NID(const EVP_PKEY *key, int nid, int lastpos); int EVP_PKEY_get_attr_by_OBJ(const EVP_PKEY *key, const ASN1_OBJECT *obj, - int lastpos); + int lastpos); X509_ATTRIBUTE *EVP_PKEY_get_attr(const EVP_PKEY *key, int loc); X509_ATTRIBUTE *EVP_PKEY_delete_attr(EVP_PKEY *key, int loc); int EVP_PKEY_add1_attr(EVP_PKEY *key, X509_ATTRIBUTE *attr); int EVP_PKEY_add1_attr_by_OBJ(EVP_PKEY *key, - const ASN1_OBJECT *obj, int type, - const unsigned char *bytes, int len); + const ASN1_OBJECT *obj, int type, + const unsigned char *bytes, int len); int EVP_PKEY_add1_attr_by_NID(EVP_PKEY *key, - int nid, int type, - const unsigned char *bytes, int len); + int nid, int type, + const unsigned char *bytes, int len); int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key, - const char *attrname, int type, - const unsigned char *bytes, int len); + const char *attrname, int type, + const unsigned char *bytes, int len); /* lookup a cert from a X509 STACK */ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, const X509_NAME *name, - const ASN1_INTEGER *serial); + const ASN1_INTEGER *serial); X509 *X509_find_by_subject(STACK_OF(X509) *sk, const X509_NAME *name); DECLARE_ASN1_FUNCTIONS(PBEPARAM) DECLARE_ASN1_FUNCTIONS(PBE2PARAM) DECLARE_ASN1_FUNCTIONS(PBKDF2PARAM) DECLARE_ASN1_FUNCTIONS(PBMAC1PARAM) -# ifndef OPENSSL_NO_SCRYPT +#ifndef OPENSSL_NO_SCRYPT DECLARE_ASN1_FUNCTIONS(SCRYPT_PARAMS) -# endif +#endif int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter, - const unsigned char *salt, int saltlen); + const unsigned char *salt, int saltlen); int PKCS5_pbe_set0_algor_ex(X509_ALGOR *algor, int alg, int iter, - const unsigned char *salt, int saltlen, - OSSL_LIB_CTX *libctx); + const unsigned char *salt, int saltlen, + OSSL_LIB_CTX *libctx); X509_ALGOR *PKCS5_pbe_set(int alg, int iter, - const unsigned char *salt, int 
saltlen); + const unsigned char *salt, int saltlen); X509_ALGOR *PKCS5_pbe_set_ex(int alg, int iter, - const unsigned char *salt, int saltlen, - OSSL_LIB_CTX *libctx); + const unsigned char *salt, int saltlen, + OSSL_LIB_CTX *libctx); X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter, - unsigned char *salt, int saltlen); + unsigned char *salt, int saltlen); X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, - unsigned char *salt, int saltlen, - unsigned char *aiv, int prf_nid); + unsigned char *salt, int saltlen, + unsigned char *aiv, int prf_nid); X509_ALGOR *PKCS5_pbe2_set_iv_ex(const EVP_CIPHER *cipher, int iter, - unsigned char *salt, int saltlen, - unsigned char *aiv, int prf_nid, - OSSL_LIB_CTX *libctx); + unsigned char *salt, int saltlen, + unsigned char *aiv, int prf_nid, + OSSL_LIB_CTX *libctx); #ifndef OPENSSL_NO_SCRYPT X509_ALGOR *PKCS5_pbe2_set_scrypt(const EVP_CIPHER *cipher, - const unsigned char *salt, int saltlen, - unsigned char *aiv, uint64_t N, uint64_t r, - uint64_t p); + const unsigned char *salt, int saltlen, + unsigned char *aiv, uint64_t N, uint64_t r, + uint64_t p); #endif X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, - int prf_nid, int keylen); + int prf_nid, int keylen); X509_ALGOR *PKCS5_pbkdf2_set_ex(int iter, unsigned char *salt, int saltlen, - int prf_nid, int keylen, - OSSL_LIB_CTX *libctx); + int prf_nid, int keylen, + OSSL_LIB_CTX *libctx); PBKDF2PARAM *PBMAC1_get1_pbkdf2_param(const X509_ALGOR *macalg); /* PKCS#8 utilities */ 
@@ -1268,36 +1267,35 @@ DECLARE_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO) EVP_PKEY *EVP_PKCS82PKEY(const PKCS8_PRIV_KEY_INFO *p8); EVP_PKEY *EVP_PKCS82PKEY_ex(const PKCS8_PRIV_KEY_INFO *p8, OSSL_LIB_CTX *libctx, - const char *propq); + const char *propq); PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(const EVP_PKEY *pkey); int PKCS8_pkey_set0(PKCS8_PRIV_KEY_INFO *priv, ASN1_OBJECT *aobj, - int version, int ptype, void *pval, - unsigned char *penc, int penclen); + int version, int ptype, void *pval, + unsigned char *penc, int penclen); int PKCS8_pkey_get0(const ASN1_OBJECT **ppkalg, - const unsigned char **pk, int *ppklen, - const X509_ALGOR **pa, const PKCS8_PRIV_KEY_INFO *p8); + const unsigned char **pk, int *ppklen, + const X509_ALGOR **pa, const PKCS8_PRIV_KEY_INFO *p8); const STACK_OF(X509_ATTRIBUTE) * PKCS8_pkey_get0_attrs(const PKCS8_PRIV_KEY_INFO *p8); int PKCS8_pkey_add1_attr(PKCS8_PRIV_KEY_INFO *p8, X509_ATTRIBUTE *attr); int PKCS8_pkey_add1_attr_by_NID(PKCS8_PRIV_KEY_INFO *p8, int nid, int type, - const unsigned char *bytes, int len); + const unsigned char *bytes, int len); int PKCS8_pkey_add1_attr_by_OBJ(PKCS8_PRIV_KEY_INFO *p8, const ASN1_OBJECT *obj, - int type, const unsigned char *bytes, int len); - + int type, const unsigned char *bytes, int len); void X509_PUBKEY_set0_public_key(X509_PUBKEY *pub, - unsigned char *penc, int penclen); + unsigned char *penc, int penclen); int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *aobj, - int ptype, void *pval, - unsigned char *penc, int penclen); + int ptype, void *pval, + unsigned char *penc, int penclen); int X509_PUBKEY_get0_param(ASN1_OBJECT **ppkalg, - const unsigned char **pk, int *ppklen, - X509_ALGOR **pa, const X509_PUBKEY *pub); + const unsigned char **pk, int *ppklen, + X509_ALGOR **pa, const X509_PUBKEY *pub); int X509_PUBKEY_eq(const X509_PUBKEY *a, const X509_PUBKEY *b); -# ifdef __cplusplus +#ifdef __cplusplus } -# endif +#endif #endif 
diff --git a/crypto/openssl/include/openssl/x509_acert.h b/crypto/openssl/include/openssl/x509_acert.h index 9dde625677f9..f235c08ff369 100644 --- a/crypto/openssl/include/openssl/x509_acert.h +++ b/crypto/openssl/include/openssl/x509_acert.h @@ -10,15 +10,17 @@ * https://www.openssl.org/source/license.html */ +/* clang-format off */ +/* clang-format on */ #ifndef OPENSSL_X509_ACERT_H -# define OPENSSL_X509_ACERT_H -# pragma once +#define OPENSSL_X509_ACERT_H +#pragma once -# include <openssl/x509v3.h> -# include <openssl/x509.h> -# include <openssl/pem.h> +#include <openssl/x509v3.h> +#include <openssl/x509.h> +#include <openssl/pem.h> typedef struct X509_acert_st X509_ACERT; typedef struct X509_acert_info_st X509_ACERT_INFO; @@ -34,10 +36,10 @@ DECLARE_ASN1_ALLOC_FUNCTIONS(OSSL_OBJECT_DIGEST_INFO) DECLARE_ASN1_ALLOC_FUNCTIONS(OSSL_ISSUER_SERIAL) DECLARE_ASN1_ALLOC_FUNCTIONS(X509_ACERT_ISSUER_V2FORM) -# ifndef OPENSSL_NO_STDIO +#ifndef OPENSSL_NO_STDIO X509_ACERT *d2i_X509_ACERT_fp(FILE *fp, X509_ACERT **acert); int i2d_X509_ACERT_fp(FILE *fp, const X509_ACERT *acert); -# endif +#endif DECLARE_PEM_rw(X509_ACERT, X509_ACERT) 
@@ -48,16 +50,16 @@ int X509_ACERT_sign(X509_ACERT *x, EVP_PKEY *pkey, const EVP_MD *md); int X509_ACERT_sign_ctx(X509_ACERT *x, EVP_MD_CTX *ctx); int X509_ACERT_verify(X509_ACERT *a, EVP_PKEY *r); -# define X509_ACERT_VERSION_2 1 +#define X509_ACERT_VERSION_2 1 const GENERAL_NAMES *X509_ACERT_get0_holder_entityName(const X509_ACERT *x); const OSSL_ISSUER_SERIAL *X509_ACERT_get0_holder_baseCertId(const X509_ACERT *x); -const OSSL_OBJECT_DIGEST_INFO * X509_ACERT_get0_holder_digest(const X509_ACERT *x); +const OSSL_OBJECT_DIGEST_INFO *X509_ACERT_get0_holder_digest(const X509_ACERT *x); const X509_NAME *X509_ACERT_get0_issuerName(const X509_ACERT *x); long X509_ACERT_get_version(const X509_ACERT *x); void X509_ACERT_get0_signature(const X509_ACERT *x, - const ASN1_BIT_STRING **psig, - const X509_ALGOR **palg); + const ASN1_BIT_STRING **psig, + const X509_ALGOR **palg); int X509_ACERT_get_signature_nid(const X509_ACERT *x); const X509_ALGOR *X509_ACERT_get0_info_sigalg(const X509_ACERT *x); const ASN1_INTEGER *X509_ACERT_get0_serialNumber(const X509_ACERT *x); 
@@ -67,38 +69,38 @@ const ASN1_BIT_STRING *X509_ACERT_get0_issuerUID(const X509_ACERT *x); int X509_ACERT_print(BIO *bp, X509_ACERT *x); int X509_ACERT_print_ex(BIO *bp, X509_ACERT *x, unsigned long nmflags, - unsigned long cflag); + unsigned long cflag); int X509_ACERT_get_attr_count(const X509_ACERT *x); int X509_ACERT_get_attr_by_NID(const X509_ACERT *x, int nid, int lastpos); int X509_ACERT_get_attr_by_OBJ(const X509_ACERT *x, const ASN1_OBJECT *obj, - int lastpos); + int lastpos); X509_ATTRIBUTE *X509_ACERT_get_attr(const X509_ACERT *x, int loc); X509_ATTRIBUTE *X509_ACERT_delete_attr(X509_ACERT *x, int loc); void *X509_ACERT_get_ext_d2i(const X509_ACERT *x, int nid, int *crit, int *idx); int X509_ACERT_add1_ext_i2d(X509_ACERT *x, int nid, void *value, int crit, - unsigned long flags); + unsigned long flags); const STACK_OF(X509_EXTENSION) *X509_ACERT_get0_extensions(const X509_ACERT *x); -# define OSSL_OBJECT_DIGEST_INFO_PUBLIC_KEY 0 -# define OSSL_OBJECT_DIGEST_INFO_PUBLIC_KEY_CERT 1 -# define OSSL_OBJECT_DIGEST_INFO_OTHER 2 /* must not be used in RFC 5755 profile */ +#define OSSL_OBJECT_DIGEST_INFO_PUBLIC_KEY 0 +#define OSSL_OBJECT_DIGEST_INFO_PUBLIC_KEY_CERT 1 +#define OSSL_OBJECT_DIGEST_INFO_OTHER 2 /* must not be used in RFC 5755 profile */ int X509_ACERT_set_version(X509_ACERT *x, long version); void X509_ACERT_set0_holder_entityName(X509_ACERT *x, GENERAL_NAMES *name); void X509_ACERT_set0_holder_baseCertId(X509_ACERT *x, OSSL_ISSUER_SERIAL *isss); void X509_ACERT_set0_holder_digest(X509_ACERT *x, - OSSL_OBJECT_DIGEST_INFO *dinfo); + OSSL_OBJECT_DIGEST_INFO *dinfo); int X509_ACERT_add1_attr(X509_ACERT *x, X509_ATTRIBUTE *attr); int X509_ACERT_add1_attr_by_OBJ(X509_ACERT *x, const ASN1_OBJECT *obj, - int type, const void *bytes, int len); + int type, const void *bytes, int len); int X509_ACERT_add1_attr_by_NID(X509_ACERT *x, int nid, int type, - const void *bytes, int len); + const void *bytes, int len); int X509_ACERT_add1_attr_by_txt(X509_ACERT *x, 
const char *attrname, int type, - const unsigned char *bytes, int len); + const unsigned char *bytes, int len); int X509_ACERT_add_attr_nconf(CONF *conf, const char *section, - X509_ACERT *acert); + X509_ACERT *acert); int X509_ACERT_set1_issuerName(X509_ACERT *x, const X509_NAME *name); int X509_ACERT_set1_serialNumber(X509_ACERT *x, const ASN1_INTEGER *serial); 
@@ -106,32 +108,33 @@ int X509_ACERT_set1_notBefore(X509_ACERT *x, const ASN1_GENERALIZEDTIME *time); int X509_ACERT_set1_notAfter(X509_ACERT *x, const ASN1_GENERALIZEDTIME *time); void OSSL_OBJECT_DIGEST_INFO_get0_digest(const OSSL_OBJECT_DIGEST_INFO *o, - int *digestedObjectType, - const X509_ALGOR **digestAlgorithm, - const ASN1_BIT_STRING **digest); + int *digestedObjectType, + const X509_ALGOR **digestAlgorithm, + const ASN1_BIT_STRING **digest); int OSSL_OBJECT_DIGEST_INFO_set1_digest(OSSL_OBJECT_DIGEST_INFO *o, - int digestedObjectType, - X509_ALGOR *digestAlgorithm, - ASN1_BIT_STRING *digest); + int digestedObjectType, + X509_ALGOR *digestAlgorithm, + ASN1_BIT_STRING *digest); const X509_NAME *OSSL_ISSUER_SERIAL_get0_issuer(const OSSL_ISSUER_SERIAL *isss); const ASN1_INTEGER *OSSL_ISSUER_SERIAL_get0_serial(const OSSL_ISSUER_SERIAL *isss); const ASN1_BIT_STRING *OSSL_ISSUER_SERIAL_get0_issuerUID(const OSSL_ISSUER_SERIAL *isss); int OSSL_ISSUER_SERIAL_set1_issuer(OSSL_ISSUER_SERIAL *isss, - const X509_NAME *issuer); + const X509_NAME *issuer); int OSSL_ISSUER_SERIAL_set1_serial(OSSL_ISSUER_SERIAL *isss, - const ASN1_INTEGER *serial); + const ASN1_INTEGER *serial); int OSSL_ISSUER_SERIAL_set1_issuerUID(OSSL_ISSUER_SERIAL *isss, - const ASN1_BIT_STRING *uid); + const ASN1_BIT_STRING *uid); -# define OSSL_IETFAS_OCTETS 0 -# define OSSL_IETFAS_OID 1 -# define OSSL_IETFAS_STRING 2 +#define OSSL_IETFAS_OCTETS 0 +#define OSSL_IETFAS_OID 1 +#define OSSL_IETFAS_STRING 2 typedef struct OSSL_IETF_ATTR_SYNTAX_VALUE_st OSSL_IETF_ATTR_SYNTAX_VALUE; typedef struct OSSL_IETF_ATTR_SYNTAX_st OSSL_IETF_ATTR_SYNTAX; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_IETF_ATTR_SYNTAX_VALUE, OSSL_IETF_ATTR_SYNTAX_VALUE, OSSL_IETF_ATTR_SYNTAX_VALUE) #define sk_OSSL_IETF_ATTR_SYNTAX_VALUE_num(sk) OPENSSL_sk_num(ossl_check_const_OSSL_IETF_ATTR_SYNTAX_VALUE_sk_type(sk)) #define sk_OSSL_IETF_ATTR_SYNTAX_VALUE_value(sk, idx) ((OSSL_IETF_ATTR_SYNTAX_VALUE 
*)OPENSSL_sk_value(ossl_check_const_OSSL_IETF_ATTR_SYNTAX_VALUE_sk_type(sk), (idx))) @@ -159,6 +162,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_IETF_ATTR_SYNTAX_VALUE, OSSL_IETF_ATTR_SYNTAX_ #define sk_OSSL_IETF_ATTR_SYNTAX_VALUE_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OSSL_IETF_ATTR_SYNTAX_VALUE) *)OPENSSL_sk_deep_copy(ossl_check_const_OSSL_IETF_ATTR_SYNTAX_VALUE_sk_type(sk), ossl_check_OSSL_IETF_ATTR_SYNTAX_VALUE_copyfunc_type(copyfunc), ossl_check_OSSL_IETF_ATTR_SYNTAX_VALUE_freefunc_type(freefunc))) #define sk_OSSL_IETF_ATTR_SYNTAX_VALUE_set_cmp_func(sk, cmp) ((sk_OSSL_IETF_ATTR_SYNTAX_VALUE_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OSSL_IETF_ATTR_SYNTAX_VALUE_sk_type(sk), ossl_check_OSSL_IETF_ATTR_SYNTAX_VALUE_compfunc_type(cmp))) +/* clang-format on */ DECLARE_ASN1_ITEM(OSSL_IETF_ATTR_SYNTAX_VALUE) DECLARE_ASN1_ALLOC_FUNCTIONS(OSSL_IETF_ATTR_SYNTAX_VALUE) @@ -167,13 +171,13 @@ DECLARE_ASN1_FUNCTIONS(OSSL_IETF_ATTR_SYNTAX) const GENERAL_NAMES * OSSL_IETF_ATTR_SYNTAX_get0_policyAuthority(const OSSL_IETF_ATTR_SYNTAX *a); void OSSL_IETF_ATTR_SYNTAX_set0_policyAuthority(OSSL_IETF_ATTR_SYNTAX *a, - GENERAL_NAMES *names); + GENERAL_NAMES *names); int OSSL_IETF_ATTR_SYNTAX_get_value_num(const OSSL_IETF_ATTR_SYNTAX *a); void *OSSL_IETF_ATTR_SYNTAX_get0_value(const OSSL_IETF_ATTR_SYNTAX *a, - int ind, int *type); + int ind, int *type); int OSSL_IETF_ATTR_SYNTAX_add1_value(OSSL_IETF_ATTR_SYNTAX *a, int type, - void *data); + void *data); int OSSL_IETF_ATTR_SYNTAX_print(BIO *bp, OSSL_IETF_ATTR_SYNTAX *a, int indent); struct TARGET_CERT_st { @@ -184,9 +188,9 @@ struct TARGET_CERT_st { typedef struct TARGET_CERT_st OSSL_TARGET_CERT; -# define OSSL_TGT_TARGET_NAME 0 -# define OSSL_TGT_TARGET_GROUP 1 -# define OSSL_TGT_TARGET_CERT 2 +#define OSSL_TGT_TARGET_NAME 0 +#define OSSL_TGT_TARGET_GROUP 1 +#define OSSL_TGT_TARGET_CERT 2 typedef struct TARGET_st { int type; 
@@ -200,6 +204,7 @@ typedef struct TARGET_st { typedef STACK_OF(OSSL_TARGET) OSSL_TARGETS; typedef STACK_OF(OSSL_TARGETS) OSSL_TARGETING_INFORMATION; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_TARGET, OSSL_TARGET, OSSL_TARGET) #define sk_OSSL_TARGET_num(sk) OPENSSL_sk_num(ossl_check_const_OSSL_TARGET_sk_type(sk)) #define sk_OSSL_TARGET_value(sk, idx) ((OSSL_TARGET *)OPENSSL_sk_value(ossl_check_const_OSSL_TARGET_sk_type(sk), (idx))) @@ -227,7 +232,9 @@ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_TARGET, OSSL_TARGET, OSSL_TARGET) #define sk_OSSL_TARGET_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OSSL_TARGET) *)OPENSSL_sk_deep_copy(ossl_check_const_OSSL_TARGET_sk_type(sk), ossl_check_OSSL_TARGET_copyfunc_type(copyfunc), ossl_check_OSSL_TARGET_freefunc_type(freefunc))) #define sk_OSSL_TARGET_set_cmp_func(sk, cmp) ((sk_OSSL_TARGET_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OSSL_TARGET_sk_type(sk), ossl_check_OSSL_TARGET_compfunc_type(cmp))) +/* clang-format on */ +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_TARGETS, OSSL_TARGETS, OSSL_TARGETS) #define sk_OSSL_TARGETS_num(sk) OPENSSL_sk_num(ossl_check_const_OSSL_TARGETS_sk_type(sk)) #define sk_OSSL_TARGETS_value(sk, idx) ((OSSL_TARGETS *)OPENSSL_sk_value(ossl_check_const_OSSL_TARGETS_sk_type(sk), (idx))) @@ -255,6 +262,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_TARGETS, OSSL_TARGETS, OSSL_TARGETS) #define sk_OSSL_TARGETS_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OSSL_TARGETS) *)OPENSSL_sk_deep_copy(ossl_check_const_OSSL_TARGETS_sk_type(sk), ossl_check_OSSL_TARGETS_copyfunc_type(copyfunc), ossl_check_OSSL_TARGETS_freefunc_type(freefunc))) #define sk_OSSL_TARGETS_set_cmp_func(sk, cmp) ((sk_OSSL_TARGETS_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OSSL_TARGETS_sk_type(sk), ossl_check_OSSL_TARGETS_compfunc_type(cmp))) +/* clang-format on */ DECLARE_ASN1_FUNCTIONS(OSSL_TARGET) DECLARE_ASN1_FUNCTIONS(OSSL_TARGETS) 
@@ -263,6 +271,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_TARGETING_INFORMATION) typedef STACK_OF(OSSL_ISSUER_SERIAL) OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX; DECLARE_ASN1_FUNCTIONS(OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX) +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_ISSUER_SERIAL, OSSL_ISSUER_SERIAL, OSSL_ISSUER_SERIAL) #define sk_OSSL_ISSUER_SERIAL_num(sk) OPENSSL_sk_num(ossl_check_const_OSSL_ISSUER_SERIAL_sk_type(sk)) #define sk_OSSL_ISSUER_SERIAL_value(sk, idx) ((OSSL_ISSUER_SERIAL *)OPENSSL_sk_value(ossl_check_const_OSSL_ISSUER_SERIAL_sk_type(sk), (idx))) @@ -290,5 +299,6 @@ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_ISSUER_SERIAL, OSSL_ISSUER_SERIAL, OSSL_ISSUER #define sk_OSSL_ISSUER_SERIAL_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OSSL_ISSUER_SERIAL) *)OPENSSL_sk_deep_copy(ossl_check_const_OSSL_ISSUER_SERIAL_sk_type(sk), ossl_check_OSSL_ISSUER_SERIAL_copyfunc_type(copyfunc), ossl_check_OSSL_ISSUER_SERIAL_freefunc_type(freefunc))) #define sk_OSSL_ISSUER_SERIAL_set_cmp_func(sk, cmp) ((sk_OSSL_ISSUER_SERIAL_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OSSL_ISSUER_SERIAL_sk_type(sk), ossl_check_OSSL_ISSUER_SERIAL_compfunc_type(cmp))) +/* clang-format on */ #endif diff --git a/crypto/openssl/include/openssl/x509_vfy.h b/crypto/openssl/include/openssl/x509_vfy.h index c9bdc3b39d68..22e713f1ec3d 100644 --- a/crypto/openssl/include/openssl/x509_vfy.h +++ b/crypto/openssl/include/openssl/x509_vfy.h 
@@ -10,31 +10,33 @@ * https://www.openssl.org/source/license.html */ +/* clang-format off */ +/* clang-format on */ #ifndef OPENSSL_X509_VFY_H -# define OPENSSL_X509_VFY_H -# pragma once +#define OPENSSL_X509_VFY_H +#pragma once -# include <openssl/macros.h> -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define HEADER_X509_VFY_H -# endif +#include <openssl/macros.h> +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define HEADER_X509_VFY_H +#endif /* * Protect against recursion, x509.h and x509_vfy.h each include the other. */ -# ifndef OPENSSL_X509_H -# include <openssl/x509.h> -# endif +#ifndef OPENSSL_X509_H +#include <openssl/x509.h> +#endif -# include <openssl/opensslconf.h> -# include <openssl/lhash.h> -# include <openssl/bio.h> -# include <openssl/crypto.h> -# include <openssl/symhacks.h> +#include <openssl/opensslconf.h> +#include <openssl/lhash.h> +#include <openssl/bio.h> +#include <openssl/crypto.h> +#include <openssl/symhacks.h> -#ifdef __cplusplus +#ifdef __cplusplus extern "C" { #endif @@ -57,14 +59,16 @@ certificate chain. typedef enum { X509_LU_NONE = 0, - X509_LU_X509, X509_LU_CRL + X509_LU_X509, + X509_LU_CRL } X509_LOOKUP_TYPE; #ifndef OPENSSL_NO_DEPRECATED_1_1_0 -#define X509_LU_RETRY -1 -#define X509_LU_FAIL 0 +#define X509_LU_RETRY -1 +#define X509_LU_FAIL 0 #endif +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(X509_LOOKUP, X509_LOOKUP, X509_LOOKUP) #define sk_X509_LOOKUP_num(sk) OPENSSL_sk_num(ossl_check_const_X509_LOOKUP_sk_type(sk)) #define sk_X509_LOOKUP_value(sk, idx) ((X509_LOOKUP *)OPENSSL_sk_value(ossl_check_const_X509_LOOKUP_sk_type(sk), (idx))) 
@@ -144,16 +148,18 @@ SKM_DEFINE_STACK_OF_INTERNAL(X509_VERIFY_PARAM, X509_VERIFY_PARAM, X509_VERIFY_P #define sk_X509_VERIFY_PARAM_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(X509_VERIFY_PARAM) *)OPENSSL_sk_deep_copy(ossl_check_const_X509_VERIFY_PARAM_sk_type(sk), ossl_check_X509_VERIFY_PARAM_copyfunc_type(copyfunc), ossl_check_X509_VERIFY_PARAM_freefunc_type(freefunc))) #define sk_X509_VERIFY_PARAM_set_cmp_func(sk, cmp) ((sk_X509_VERIFY_PARAM_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_X509_VERIFY_PARAM_sk_type(sk), ossl_check_X509_VERIFY_PARAM_compfunc_type(cmp))) +/* clang-format on */ /* This is used for a table of trust checking functions */ typedef struct x509_trust_st { int trust; int flags; - int (*check_trust) (struct x509_trust_st *, X509 *, int); + int (*check_trust)(struct x509_trust_st *, X509 *, int); char *name; int arg1; void *arg2; } X509_TRUST; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(X509_TRUST, X509_TRUST, X509_TRUST) #define sk_X509_TRUST_num(sk) OPENSSL_sk_num(ossl_check_const_X509_TRUST_sk_type(sk)) #define sk_X509_TRUST_value(sk, idx) ((X509_TRUST *)OPENSSL_sk_value(ossl_check_const_X509_TRUST_sk_type(sk), (idx))) 
@@ -181,42 +187,43 @@ SKM_DEFINE_STACK_OF_INTERNAL(X509_TRUST, X509_TRUST, X509_TRUST) #define sk_X509_TRUST_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(X509_TRUST) *)OPENSSL_sk_deep_copy(ossl_check_const_X509_TRUST_sk_type(sk), ossl_check_X509_TRUST_copyfunc_type(copyfunc), ossl_check_X509_TRUST_freefunc_type(freefunc))) #define sk_X509_TRUST_set_cmp_func(sk, cmp) ((sk_X509_TRUST_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_X509_TRUST_sk_type(sk), ossl_check_X509_TRUST_compfunc_type(cmp))) +/* clang-format on */ /* standard trust ids */ -# define X509_TRUST_DEFAULT 0 /* Only valid in purpose settings */ -# define X509_TRUST_COMPAT 1 -# define X509_TRUST_SSL_CLIENT 2 -# define X509_TRUST_SSL_SERVER 3 -# define X509_TRUST_EMAIL 4 -# define X509_TRUST_OBJECT_SIGN 5 -# define X509_TRUST_OCSP_SIGN 6 -# define X509_TRUST_OCSP_REQUEST 7 -# define X509_TRUST_TSA 8 +#define X509_TRUST_DEFAULT 0 /* Only valid in purpose settings */ +#define X509_TRUST_COMPAT 1 +#define X509_TRUST_SSL_CLIENT 2 +#define X509_TRUST_SSL_SERVER 3 +#define X509_TRUST_EMAIL 4 +#define X509_TRUST_OBJECT_SIGN 5 +#define X509_TRUST_OCSP_SIGN 6 +#define X509_TRUST_OCSP_REQUEST 7 +#define X509_TRUST_TSA 8 /* Keep these up to date! 
*/ -# define X509_TRUST_MIN 1 -# define X509_TRUST_MAX 8 +#define X509_TRUST_MIN 1 +#define X509_TRUST_MAX 8 /* trust_flags values */ -# define X509_TRUST_DYNAMIC (1U << 0) -# define X509_TRUST_DYNAMIC_NAME (1U << 1) +#define X509_TRUST_DYNAMIC (1U << 0) +#define X509_TRUST_DYNAMIC_NAME (1U << 1) /* No compat trust if self-signed, preempts "DO_SS" */ -# define X509_TRUST_NO_SS_COMPAT (1U << 2) +#define X509_TRUST_NO_SS_COMPAT (1U << 2) /* Compat trust if no explicit accepted trust EKUs */ -# define X509_TRUST_DO_SS_COMPAT (1U << 3) +#define X509_TRUST_DO_SS_COMPAT (1U << 3) /* Accept "anyEKU" as a wildcard rejection OID and as a wildcard trust OID */ -# define X509_TRUST_OK_ANY_EKU (1U << 4) +#define X509_TRUST_OK_ANY_EKU (1U << 4) /* check_trust return codes */ -# define X509_TRUST_TRUSTED 1 -# define X509_TRUST_REJECTED 2 -# define X509_TRUST_UNTRUSTED 3 +#define X509_TRUST_TRUSTED 1 +#define X509_TRUST_REJECTED 2 +#define X509_TRUST_UNTRUSTED 3 int X509_TRUST_set(int *t, int trust); int X509_TRUST_get_count(void); X509_TRUST *X509_TRUST_get0(int idx); int X509_TRUST_get_by_id(int id); -int X509_TRUST_add(int id, int flags, int (*ck) (X509_TRUST *, X509 *, int), - const char *name, int arg1, void *arg2); +int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), + const char *name, int arg1, void *arg2); void X509_TRUST_cleanup(void); int X509_TRUST_get_flags(const X509_TRUST *xp); char *X509_TRUST_get0_name(const X509_TRUST *xp); 
@@ -230,15 +237,15 @@ void X509_reject_clear(X509 *x); STACK_OF(ASN1_OBJECT) *X509_get0_trust_objects(X509 *x); STACK_OF(ASN1_OBJECT) *X509_get0_reject_objects(X509 *x); -int (*X509_TRUST_set_default(int (*trust) (int, X509 *, int))) (int, X509 *, - int); +int (*X509_TRUST_set_default(int (*trust)(int, X509 *, int)))(int, X509 *, + int); int X509_check_trust(X509 *x, int id, int flags); int X509_verify_cert(X509_STORE_CTX *ctx); int X509_STORE_CTX_verify(X509_STORE_CTX *ctx); STACK_OF(X509) *X509_build_chain(X509 *target, STACK_OF(X509) *certs, - X509_STORE *store, int with_self_signed, - OSSL_LIB_CTX *libctx, const char *propq); + X509_STORE *store, int with_self_signed, + OSSL_LIB_CTX *libctx, const char *propq); int X509_STORE_set_depth(X509_STORE *store, int depth); 
@@ -246,243 +253,243 @@ typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *); int X509_STORE_CTX_print_verify_cb(int ok, X509_STORE_CTX *ctx); typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *); typedef int (*X509_STORE_CTX_get_issuer_fn)(X509 **issuer, - X509_STORE_CTX *ctx, X509 *x); + X509_STORE_CTX *ctx, X509 *x); typedef int (*X509_STORE_CTX_check_issued_fn)(X509_STORE_CTX *ctx, - X509 *x, X509 *issuer); + X509 *x, X509 *issuer); typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx); typedef int (*X509_STORE_CTX_get_crl_fn)(X509_STORE_CTX *ctx, - X509_CRL **crl, X509 *x); + X509_CRL **crl, X509 *x); typedef int (*X509_STORE_CTX_check_crl_fn)(X509_STORE_CTX *ctx, X509_CRL *crl); typedef int (*X509_STORE_CTX_cert_crl_fn)(X509_STORE_CTX *ctx, - X509_CRL *crl, X509 *x); + X509_CRL *crl, X509 *x); typedef int (*X509_STORE_CTX_check_policy_fn)(X509_STORE_CTX *ctx); typedef STACK_OF(X509) *(*X509_STORE_CTX_lookup_certs_fn)(X509_STORE_CTX *ctx, - const X509_NAME *nm); + const X509_NAME *nm); typedef STACK_OF(X509_CRL) *(*X509_STORE_CTX_lookup_crls_fn)(const X509_STORE_CTX *ctx, - const X509_NAME *nm); + const X509_NAME *nm); typedef int (*X509_STORE_CTX_cleanup_fn)(X509_STORE_CTX *ctx); void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); -# define X509_STORE_CTX_set_app_data(ctx,data) \ - X509_STORE_CTX_set_ex_data(ctx,0,data) -# define X509_STORE_CTX_get_app_data(ctx) \ - X509_STORE_CTX_get_ex_data(ctx,0) - -# define X509_L_FILE_LOAD 1 -# define X509_L_ADD_DIR 2 -# define X509_L_ADD_STORE 3 -# define X509_L_LOAD_STORE 4 - -# define X509_LOOKUP_load_file(x,name,type) \ - X509_LOOKUP_ctrl((x),X509_L_FILE_LOAD,(name),(long)(type),NULL) - -# define X509_LOOKUP_add_dir(x,name,type) \ - X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL) - -# define X509_LOOKUP_add_store(x,name) \ - X509_LOOKUP_ctrl((x),X509_L_ADD_STORE,(name),0,NULL) - -# define X509_LOOKUP_load_store(x,name) \ - 
X509_LOOKUP_ctrl((x),X509_L_LOAD_STORE,(name),0,NULL) - -# define X509_LOOKUP_load_file_ex(x, name, type, libctx, propq) \ -X509_LOOKUP_ctrl_ex((x), X509_L_FILE_LOAD, (name), (long)(type), NULL,\ - (libctx), (propq)) - -# define X509_LOOKUP_load_store_ex(x, name, libctx, propq) \ -X509_LOOKUP_ctrl_ex((x), X509_L_LOAD_STORE, (name), 0, NULL, \ - (libctx), (propq)) - -# define X509_LOOKUP_add_store_ex(x, name, libctx, propq) \ -X509_LOOKUP_ctrl_ex((x), X509_L_ADD_STORE, (name), 0, NULL, \ - (libctx), (propq)) - -# define X509_V_OK 0 -# define X509_V_ERR_UNSPECIFIED 1 -# define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2 -# define X509_V_ERR_UNABLE_TO_GET_CRL 3 -# define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4 -# define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5 -# define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6 -# define X509_V_ERR_CERT_SIGNATURE_FAILURE 7 -# define X509_V_ERR_CRL_SIGNATURE_FAILURE 8 -# define X509_V_ERR_CERT_NOT_YET_VALID 9 -# define X509_V_ERR_CERT_HAS_EXPIRED 10 -# define X509_V_ERR_CRL_NOT_YET_VALID 11 -# define X509_V_ERR_CRL_HAS_EXPIRED 12 -# define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13 -# define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14 -# define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15 -# define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16 -# define X509_V_ERR_OUT_OF_MEM 17 -# define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18 -# define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19 -# define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20 -# define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21 -# define X509_V_ERR_CERT_CHAIN_TOO_LONG 22 -# define X509_V_ERR_CERT_REVOKED 23 -# define X509_V_ERR_NO_ISSUER_PUBLIC_KEY 24 -# define X509_V_ERR_PATH_LENGTH_EXCEEDED 25 -# define X509_V_ERR_INVALID_PURPOSE 26 -# define X509_V_ERR_CERT_UNTRUSTED 27 -# define X509_V_ERR_CERT_REJECTED 28 +#define X509_STORE_CTX_set_app_data(ctx, data) \ + X509_STORE_CTX_set_ex_data(ctx, 0, data) +#define X509_STORE_CTX_get_app_data(ctx) \ + 
X509_STORE_CTX_get_ex_data(ctx, 0) + +#define X509_L_FILE_LOAD 1 +#define X509_L_ADD_DIR 2 +#define X509_L_ADD_STORE 3 +#define X509_L_LOAD_STORE 4 + +#define X509_LOOKUP_load_file(x, name, type) \ + X509_LOOKUP_ctrl((x), X509_L_FILE_LOAD, (name), (long)(type), NULL) + +#define X509_LOOKUP_add_dir(x, name, type) \ + X509_LOOKUP_ctrl((x), X509_L_ADD_DIR, (name), (long)(type), NULL) + +#define X509_LOOKUP_add_store(x, name) \ + X509_LOOKUP_ctrl((x), X509_L_ADD_STORE, (name), 0, NULL) + +#define X509_LOOKUP_load_store(x, name) \ + X509_LOOKUP_ctrl((x), X509_L_LOAD_STORE, (name), 0, NULL) + +#define X509_LOOKUP_load_file_ex(x, name, type, libctx, propq) \ + X509_LOOKUP_ctrl_ex((x), X509_L_FILE_LOAD, (name), (long)(type), NULL, \ + (libctx), (propq)) + +#define X509_LOOKUP_load_store_ex(x, name, libctx, propq) \ + X509_LOOKUP_ctrl_ex((x), X509_L_LOAD_STORE, (name), 0, NULL, \ + (libctx), (propq)) + +#define X509_LOOKUP_add_store_ex(x, name, libctx, propq) \ + X509_LOOKUP_ctrl_ex((x), X509_L_ADD_STORE, (name), 0, NULL, \ + (libctx), (propq)) + +#define X509_V_OK 0 +#define X509_V_ERR_UNSPECIFIED 1 +#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2 +#define X509_V_ERR_UNABLE_TO_GET_CRL 3 +#define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4 +#define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5 +#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6 +#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7 +#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8 +#define X509_V_ERR_CERT_NOT_YET_VALID 9 +#define X509_V_ERR_CERT_HAS_EXPIRED 10 +#define X509_V_ERR_CRL_NOT_YET_VALID 11 +#define X509_V_ERR_CRL_HAS_EXPIRED 12 +#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13 +#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14 +#define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15 +#define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16 +#define X509_V_ERR_OUT_OF_MEM 17 +#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18 +#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19 +#define 
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20 +#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21 +#define X509_V_ERR_CERT_CHAIN_TOO_LONG 22 +#define X509_V_ERR_CERT_REVOKED 23 +#define X509_V_ERR_NO_ISSUER_PUBLIC_KEY 24 +#define X509_V_ERR_PATH_LENGTH_EXCEEDED 25 +#define X509_V_ERR_INVALID_PURPOSE 26 +#define X509_V_ERR_CERT_UNTRUSTED 27 +#define X509_V_ERR_CERT_REJECTED 28 /* These are 'informational' when looking for issuer cert */ -# define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29 -# define X509_V_ERR_AKID_SKID_MISMATCH 30 -# define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31 -# define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32 -# define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33 -# define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34 -# define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35 -# define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36 -# define X509_V_ERR_INVALID_NON_CA 37 -# define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38 -# define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39 -# define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40 -# define X509_V_ERR_INVALID_EXTENSION 41 -# define X509_V_ERR_INVALID_POLICY_EXTENSION 42 -# define X509_V_ERR_NO_EXPLICIT_POLICY 43 -# define X509_V_ERR_DIFFERENT_CRL_SCOPE 44 -# define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45 -# define X509_V_ERR_UNNESTED_RESOURCE 46 -# define X509_V_ERR_PERMITTED_VIOLATION 47 -# define X509_V_ERR_EXCLUDED_VIOLATION 48 -# define X509_V_ERR_SUBTREE_MINMAX 49 +#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29 +#define X509_V_ERR_AKID_SKID_MISMATCH 30 +#define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31 +#define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32 +#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33 +#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34 +#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35 +#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36 +#define X509_V_ERR_INVALID_NON_CA 37 +#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38 +#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39 +#define 
X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40 +#define X509_V_ERR_INVALID_EXTENSION 41 +#define X509_V_ERR_INVALID_POLICY_EXTENSION 42 +#define X509_V_ERR_NO_EXPLICIT_POLICY 43 +#define X509_V_ERR_DIFFERENT_CRL_SCOPE 44 +#define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45 +#define X509_V_ERR_UNNESTED_RESOURCE 46 +#define X509_V_ERR_PERMITTED_VIOLATION 47 +#define X509_V_ERR_EXCLUDED_VIOLATION 48 +#define X509_V_ERR_SUBTREE_MINMAX 49 /* The application is not happy */ -# define X509_V_ERR_APPLICATION_VERIFICATION 50 -# define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51 -# define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52 -# define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53 -# define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54 +#define X509_V_ERR_APPLICATION_VERIFICATION 50 +#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51 +#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52 +#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53 +#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54 /* Another issuer check debug option */ -# define X509_V_ERR_PATH_LOOP 55 +#define X509_V_ERR_PATH_LOOP 55 /* Suite B mode algorithm violation */ -# define X509_V_ERR_SUITE_B_INVALID_VERSION 56 -# define X509_V_ERR_SUITE_B_INVALID_ALGORITHM 57 -# define X509_V_ERR_SUITE_B_INVALID_CURVE 58 -# define X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM 59 -# define X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED 60 -# define X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 61 +#define X509_V_ERR_SUITE_B_INVALID_VERSION 56 +#define X509_V_ERR_SUITE_B_INVALID_ALGORITHM 57 +#define X509_V_ERR_SUITE_B_INVALID_CURVE 58 +#define X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM 59 +#define X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED 60 +#define X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 61 /* Host, email and IP check errors */ -# define X509_V_ERR_HOSTNAME_MISMATCH 62 -# define X509_V_ERR_EMAIL_MISMATCH 63 -# define X509_V_ERR_IP_ADDRESS_MISMATCH 64 +#define X509_V_ERR_HOSTNAME_MISMATCH 62 +#define X509_V_ERR_EMAIL_MISMATCH 63 +#define 
X509_V_ERR_IP_ADDRESS_MISMATCH 64 /* DANE TLSA errors */ -# define X509_V_ERR_DANE_NO_MATCH 65 +#define X509_V_ERR_DANE_NO_MATCH 65 /* security level errors */ -# define X509_V_ERR_EE_KEY_TOO_SMALL 66 -# define X509_V_ERR_CA_KEY_TOO_SMALL 67 -# define X509_V_ERR_CA_MD_TOO_WEAK 68 +#define X509_V_ERR_EE_KEY_TOO_SMALL 66 +#define X509_V_ERR_CA_KEY_TOO_SMALL 67 +#define X509_V_ERR_CA_MD_TOO_WEAK 68 /* Caller error */ -# define X509_V_ERR_INVALID_CALL 69 +#define X509_V_ERR_INVALID_CALL 69 /* Issuer lookup error */ -# define X509_V_ERR_STORE_LOOKUP 70 +#define X509_V_ERR_STORE_LOOKUP 70 /* Certificate transparency */ -# define X509_V_ERR_NO_VALID_SCTS 71 +#define X509_V_ERR_NO_VALID_SCTS 71 -# define X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION 72 +#define X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION 72 /* OCSP status errors */ -# define X509_V_ERR_OCSP_VERIFY_NEEDED 73 /* Need OCSP verification */ -# define X509_V_ERR_OCSP_VERIFY_FAILED 74 /* Couldn't verify cert through OCSP */ -# define X509_V_ERR_OCSP_CERT_UNKNOWN 75 /* Certificate wasn't recognized by the OCSP responder */ +#define X509_V_ERR_OCSP_VERIFY_NEEDED 73 /* Need OCSP verification */ +#define X509_V_ERR_OCSP_VERIFY_FAILED 74 /* Couldn't verify cert through OCSP */ +#define X509_V_ERR_OCSP_CERT_UNKNOWN 75 /* Certificate wasn't recognized by the OCSP responder */ -# define X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM 76 -# define X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH 77 +#define X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM 76 +#define X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH 77 /* Errors in case a check in X509_V_FLAG_X509_STRICT mode fails */ -# define X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY 78 -# define X509_V_ERR_INVALID_CA 79 -# define X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA 80 -# define X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN 81 -# define X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA 82 -# define X509_V_ERR_ISSUER_NAME_EMPTY 83 -# define X509_V_ERR_SUBJECT_NAME_EMPTY 84 -# define 
X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER 85 -# define X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER 86 -# define X509_V_ERR_EMPTY_SUBJECT_ALT_NAME 87 -# define X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL 88 -# define X509_V_ERR_CA_BCONS_NOT_CRITICAL 89 -# define X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL 90 -# define X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL 91 -# define X509_V_ERR_CA_CERT_MISSING_KEY_USAGE 92 -# define X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3 93 -# define X509_V_ERR_EC_KEY_EXPLICIT_PARAMS 94 -# define X509_V_ERR_RPK_UNTRUSTED 95 +#define X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY 78 +#define X509_V_ERR_INVALID_CA 79 +#define X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA 80 +#define X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN 81 +#define X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA 82 +#define X509_V_ERR_ISSUER_NAME_EMPTY 83 +#define X509_V_ERR_SUBJECT_NAME_EMPTY 84 +#define X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER 85 +#define X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER 86 +#define X509_V_ERR_EMPTY_SUBJECT_ALT_NAME 87 +#define X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL 88 +#define X509_V_ERR_CA_BCONS_NOT_CRITICAL 89 +#define X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL 90 +#define X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL 91 +#define X509_V_ERR_CA_CERT_MISSING_KEY_USAGE 92 +#define X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3 93 +#define X509_V_ERR_EC_KEY_EXPLICIT_PARAMS 94 +#define X509_V_ERR_RPK_UNTRUSTED 95 /* Certificate verify flags */ -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# define X509_V_FLAG_CB_ISSUER_CHECK 0x0 /* Deprecated */ -# endif +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 +#define X509_V_FLAG_CB_ISSUER_CHECK 0x0 /* Deprecated */ +#endif /* Use check time instead of current time */ -# define X509_V_FLAG_USE_CHECK_TIME 0x2 +#define X509_V_FLAG_USE_CHECK_TIME 0x2 /* Lookup CRLs */ -# define X509_V_FLAG_CRL_CHECK 0x4 +#define X509_V_FLAG_CRL_CHECK 0x4 /* Lookup CRLs for whole chain */ -# define X509_V_FLAG_CRL_CHECK_ALL 0x8 +#define 
X509_V_FLAG_CRL_CHECK_ALL 0x8 /* Ignore unhandled critical extensions */ -# define X509_V_FLAG_IGNORE_CRITICAL 0x10 +#define X509_V_FLAG_IGNORE_CRITICAL 0x10 /* Disable workarounds for broken certificates */ -# define X509_V_FLAG_X509_STRICT 0x20 +#define X509_V_FLAG_X509_STRICT 0x20 /* Enable proxy certificate validation */ -# define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40 +#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40 /* Enable policy checking */ -# define X509_V_FLAG_POLICY_CHECK 0x80 +#define X509_V_FLAG_POLICY_CHECK 0x80 /* Policy variable require-explicit-policy */ -# define X509_V_FLAG_EXPLICIT_POLICY 0x100 +#define X509_V_FLAG_EXPLICIT_POLICY 0x100 /* Policy variable inhibit-any-policy */ -# define X509_V_FLAG_INHIBIT_ANY 0x200 +#define X509_V_FLAG_INHIBIT_ANY 0x200 /* Policy variable inhibit-policy-mapping */ -# define X509_V_FLAG_INHIBIT_MAP 0x400 +#define X509_V_FLAG_INHIBIT_MAP 0x400 /* Notify callback that policy is OK */ -# define X509_V_FLAG_NOTIFY_POLICY 0x800 +#define X509_V_FLAG_NOTIFY_POLICY 0x800 /* Extended CRL features such as indirect CRLs, alternate CRL signing keys */ -# define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000 +#define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000 /* Delta CRL support */ -# define X509_V_FLAG_USE_DELTAS 0x2000 +#define X509_V_FLAG_USE_DELTAS 0x2000 /* Check self-signed CA signature */ -# define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000 +#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000 /* Use trusted store first */ -# define X509_V_FLAG_TRUSTED_FIRST 0x8000 +#define X509_V_FLAG_TRUSTED_FIRST 0x8000 /* Suite B 128 bit only mode: not normally used */ -# define X509_V_FLAG_SUITEB_128_LOS_ONLY 0x10000 +#define X509_V_FLAG_SUITEB_128_LOS_ONLY 0x10000 /* Suite B 192 bit only mode */ -# define X509_V_FLAG_SUITEB_192_LOS 0x20000 +#define X509_V_FLAG_SUITEB_192_LOS 0x20000 /* Suite B 128 bit mode allowing 192 bit algorithms */ -# define X509_V_FLAG_SUITEB_128_LOS 0x30000 +#define X509_V_FLAG_SUITEB_128_LOS 0x30000 /* Allow partial chains if at 
least one certificate is in trusted store */ -# define X509_V_FLAG_PARTIAL_CHAIN 0x80000 +#define X509_V_FLAG_PARTIAL_CHAIN 0x80000 /* * If the initial chain is not trusted, do not attempt to build an alternative * chain. Alternate chain checking was introduced in 1.1.0. Setting this flag * will force the behaviour to match that of previous versions. */ -# define X509_V_FLAG_NO_ALT_CHAINS 0x100000 +#define X509_V_FLAG_NO_ALT_CHAINS 0x100000 /* Do not check certificate/CRL validity against current time */ -# define X509_V_FLAG_NO_CHECK_TIME 0x200000 +#define X509_V_FLAG_NO_CHECK_TIME 0x200000 -# define X509_VP_FLAG_DEFAULT 0x1 -# define X509_VP_FLAG_OVERWRITE 0x2 -# define X509_VP_FLAG_RESET_FLAGS 0x4 -# define X509_VP_FLAG_LOCKED 0x8 -# define X509_VP_FLAG_ONCE 0x10 +#define X509_VP_FLAG_DEFAULT 0x1 +#define X509_VP_FLAG_OVERWRITE 0x2 +#define X509_VP_FLAG_RESET_FLAGS 0x4 +#define X509_VP_FLAG_LOCKED 0x8 +#define X509_VP_FLAG_ONCE 0x10 /* Internal use: mask of policy related options */ -# define X509_V_FLAG_POLICY_MASK (X509_V_FLAG_POLICY_CHECK \ - | X509_V_FLAG_EXPLICIT_POLICY \ - | X509_V_FLAG_INHIBIT_ANY \ - | X509_V_FLAG_INHIBIT_MAP) +#define X509_V_FLAG_POLICY_MASK (X509_V_FLAG_POLICY_CHECK \ + | X509_V_FLAG_EXPLICIT_POLICY \ + | X509_V_FLAG_INHIBIT_ANY \ + | X509_V_FLAG_INHIBIT_MAP) int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type, - const X509_NAME *name); + const X509_NAME *name); X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, - X509_LOOKUP_TYPE type, - const X509_NAME *name); + X509_LOOKUP_TYPE type, + const X509_NAME *name); X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, - X509_OBJECT *x); + X509_OBJECT *x); int X509_OBJECT_up_ref_count(X509_OBJECT *a); X509_OBJECT *X509_OBJECT_new(void); void X509_OBJECT_free(X509_OBJECT *a); 
@@ -500,9 +507,9 @@ STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(const X509_STORE *xs); STACK_OF(X509_OBJECT) *X509_STORE_get1_objects(X509_STORE *xs); STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *xs); STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *xs, - const X509_NAME *nm); + const X509_NAME *nm); STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(const X509_STORE_CTX *st, - const X509_NAME *nm); + const X509_NAME *nm); int X509_STORE_set_flags(X509_STORE *xs, unsigned long flags); int X509_STORE_set_purpose(X509_STORE *xs, int purpose); int X509_STORE_set_trust(X509_STORE *xs, int trust); 
@@ -511,47 +518,47 @@ X509_VERIFY_PARAM *X509_STORE_get0_param(const X509_STORE *xs); void X509_STORE_set_verify(X509_STORE *xs, X509_STORE_CTX_verify_fn verify); #define X509_STORE_set_verify_func(ctx, func) \ - X509_STORE_set_verify((ctx),(func)) + X509_STORE_set_verify((ctx), (func)) void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, - X509_STORE_CTX_verify_fn verify); + X509_STORE_CTX_verify_fn verify); X509_STORE_CTX_verify_fn X509_STORE_get_verify(const X509_STORE *xs); void X509_STORE_set_verify_cb(X509_STORE *xs, - X509_STORE_CTX_verify_cb verify_cb); -# define X509_STORE_set_verify_cb_func(ctx,func) \ - X509_STORE_set_verify_cb((ctx),(func)) + X509_STORE_CTX_verify_cb verify_cb); +#define X509_STORE_set_verify_cb_func(ctx, func) \ + X509_STORE_set_verify_cb((ctx), (func)) X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(const X509_STORE *xs); void X509_STORE_set_get_issuer(X509_STORE *xs, - X509_STORE_CTX_get_issuer_fn get_issuer); + X509_STORE_CTX_get_issuer_fn get_issuer); X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(const X509_STORE *xs); void X509_STORE_set_check_issued(X509_STORE *xs, - X509_STORE_CTX_check_issued_fn check_issued); + X509_STORE_CTX_check_issued_fn check_issued); X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(const X509_STORE *s); void X509_STORE_set_check_revocation(X509_STORE *xs, - X509_STORE_CTX_check_revocation_fn check_revocation); + X509_STORE_CTX_check_revocation_fn check_revocation); X509_STORE_CTX_check_revocation_fn - X509_STORE_get_check_revocation(const X509_STORE *xs); +X509_STORE_get_check_revocation(const X509_STORE *xs); void X509_STORE_set_get_crl(X509_STORE *xs, - X509_STORE_CTX_get_crl_fn get_crl); + X509_STORE_CTX_get_crl_fn get_crl); X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(const X509_STORE *xs); void X509_STORE_set_check_crl(X509_STORE *xs, - X509_STORE_CTX_check_crl_fn check_crl); + X509_STORE_CTX_check_crl_fn check_crl); X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(const 
X509_STORE *xs); void X509_STORE_set_cert_crl(X509_STORE *xs, - X509_STORE_CTX_cert_crl_fn cert_crl); + X509_STORE_CTX_cert_crl_fn cert_crl); X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(const X509_STORE *xs); void X509_STORE_set_check_policy(X509_STORE *xs, - X509_STORE_CTX_check_policy_fn check_policy); + X509_STORE_CTX_check_policy_fn check_policy); X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(const X509_STORE *s); void X509_STORE_set_lookup_certs(X509_STORE *xs, - X509_STORE_CTX_lookup_certs_fn lookup_certs); + X509_STORE_CTX_lookup_certs_fn lookup_certs); X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(const X509_STORE *s); void X509_STORE_set_lookup_crls(X509_STORE *xs, - X509_STORE_CTX_lookup_crls_fn lookup_crls); + X509_STORE_CTX_lookup_crls_fn lookup_crls); #define X509_STORE_set_lookup_crls_cb(ctx, func) \ X509_STORE_set_lookup_crls((ctx), (func)) X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(const X509_STORE *xs); void X509_STORE_set_cleanup(X509_STORE *xs, - X509_STORE_CTX_cleanup_fn cleanup); + X509_STORE_CTX_cleanup_fn cleanup); X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(const X509_STORE *xs); #define X509_STORE_get_ex_new_index(l, p, newf, dupf, freef) \ 
@@ -566,26 +573,26 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); void X509_STORE_CTX_free(X509_STORE_CTX *ctx); int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *trust_store, - X509 *target, STACK_OF(X509) *untrusted); + X509 *target, STACK_OF(X509) *untrusted); int X509_STORE_CTX_init_rpk(X509_STORE_CTX *ctx, X509_STORE *trust_store, - EVP_PKEY* rpk); + EVP_PKEY *rpk); void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx); X509_STORE *X509_STORE_CTX_get0_store(const X509_STORE_CTX *ctx); X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx); EVP_PKEY *X509_STORE_CTX_get0_rpk(const X509_STORE_CTX *ctx); -STACK_OF(X509)* X509_STORE_CTX_get0_untrusted(const X509_STORE_CTX *ctx); +STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(const X509_STORE_CTX *ctx); void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, - X509_STORE_CTX_verify_cb verify); + X509_STORE_CTX_verify_cb verify); X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(const X509_STORE_CTX *ctx); X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(const X509_STORE_CTX *ctx); X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(const X509_STORE_CTX *ctx); X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(const X509_STORE_CTX *ctx); X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(const X509_STORE_CTX *ctx); void X509_STORE_CTX_set_get_crl(X509_STORE_CTX *ctx, - X509_STORE_CTX_get_crl_fn get_crl); + X509_STORE_CTX_get_crl_fn get_crl); X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(const X509_STORE_CTX *ctx); X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(const X509_STORE_CTX *ctx); X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(const X509_STORE_CTX *ctx); 
@@ -595,16 +602,16 @@ X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(const X509_STORE_CT X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(const X509_STORE_CTX *ctx); #ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# define X509_STORE_CTX_get_chain X509_STORE_CTX_get0_chain -# define X509_STORE_CTX_set_chain X509_STORE_CTX_set0_untrusted -# define X509_STORE_CTX_trusted_stack X509_STORE_CTX_set0_trusted_stack -# define X509_STORE_get_by_subject X509_STORE_CTX_get_by_subject -# define X509_STORE_get1_certs X509_STORE_CTX_get1_certs -# define X509_STORE_get1_crls X509_STORE_CTX_get1_crls +#define X509_STORE_CTX_get_chain X509_STORE_CTX_get0_chain +#define X509_STORE_CTX_set_chain X509_STORE_CTX_set0_untrusted +#define X509_STORE_CTX_trusted_stack X509_STORE_CTX_set0_trusted_stack +#define X509_STORE_get_by_subject X509_STORE_CTX_get_by_subject +#define X509_STORE_get1_certs X509_STORE_CTX_get1_certs +#define X509_STORE_get1_crls X509_STORE_CTX_get1_crls /* the following macro is misspelled; use X509_STORE_get1_certs instead */ -# define X509_STORE_get1_cert X509_STORE_CTX_get1_certs +#define X509_STORE_get1_cert X509_STORE_CTX_get1_certs /* the following macro is misspelled; use X509_STORE_get1_crls instead */ -# define X509_STORE_get1_crl X509_STORE_CTX_get1_crls +#define X509_STORE_get1_crl X509_STORE_CTX_get1_crls #endif X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *xs, X509_LOOKUP_METHOD *m); 
@@ -613,66 +620,62 @@ X509_LOOKUP_METHOD *X509_LOOKUP_file(void); X509_LOOKUP_METHOD *X509_LOOKUP_store(void); typedef int (*X509_LOOKUP_ctrl_fn)(X509_LOOKUP *ctx, int cmd, const char *argc, - long argl, char **ret); + long argl, char **ret); typedef int (*X509_LOOKUP_ctrl_ex_fn)( X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **ret, OSSL_LIB_CTX *libctx, const char *propq); typedef int (*X509_LOOKUP_get_by_subject_fn)(X509_LOOKUP *ctx, - X509_LOOKUP_TYPE type, - const X509_NAME *name, - X509_OBJECT *ret); + X509_LOOKUP_TYPE type, + const X509_NAME *name, + X509_OBJECT *ret); typedef int (*X509_LOOKUP_get_by_subject_ex_fn)(X509_LOOKUP *ctx, - X509_LOOKUP_TYPE type, - const X509_NAME *name, - X509_OBJECT *ret, - OSSL_LIB_CTX *libctx, - const char *propq); + X509_LOOKUP_TYPE type, + const X509_NAME *name, + X509_OBJECT *ret, + OSSL_LIB_CTX *libctx, + const char *propq); typedef int (*X509_LOOKUP_get_by_issuer_serial_fn)(X509_LOOKUP *ctx, - X509_LOOKUP_TYPE type, - const X509_NAME *name, - const ASN1_INTEGER *serial, - X509_OBJECT *ret); + X509_LOOKUP_TYPE type, + const X509_NAME *name, + const ASN1_INTEGER *serial, + X509_OBJECT *ret); typedef int (*X509_LOOKUP_get_by_fingerprint_fn)(X509_LOOKUP *ctx, - X509_LOOKUP_TYPE type, - const unsigned char* bytes, - int len, - X509_OBJECT *ret); + X509_LOOKUP_TYPE type, + const unsigned char *bytes, + int len, + X509_OBJECT *ret); typedef int (*X509_LOOKUP_get_by_alias_fn)(X509_LOOKUP *ctx, - X509_LOOKUP_TYPE type, - const char *str, - int len, - X509_OBJECT *ret); + X509_LOOKUP_TYPE type, + const char *str, + int len, + X509_OBJECT *ret); X509_LOOKUP_METHOD *X509_LOOKUP_meth_new(const char *name); void X509_LOOKUP_meth_free(X509_LOOKUP_METHOD *method); int X509_LOOKUP_meth_set_new_item(X509_LOOKUP_METHOD *method, - int (*new_item) (X509_LOOKUP *ctx)); -int (*X509_LOOKUP_meth_get_new_item(const X509_LOOKUP_METHOD* method)) - (X509_LOOKUP *ctx); + int (*new_item)(X509_LOOKUP *ctx)); +int 
(*X509_LOOKUP_meth_get_new_item(const X509_LOOKUP_METHOD *method))(X509_LOOKUP *ctx); int X509_LOOKUP_meth_set_free(X509_LOOKUP_METHOD *method, - void (*free_fn) (X509_LOOKUP *ctx)); -void (*X509_LOOKUP_meth_get_free(const X509_LOOKUP_METHOD* method)) - (X509_LOOKUP *ctx); + void (*free_fn)(X509_LOOKUP *ctx)); +void (*X509_LOOKUP_meth_get_free(const X509_LOOKUP_METHOD *method))(X509_LOOKUP *ctx); int X509_LOOKUP_meth_set_init(X509_LOOKUP_METHOD *method, - int (*init) (X509_LOOKUP *ctx)); -int (*X509_LOOKUP_meth_get_init(const X509_LOOKUP_METHOD* method)) - (X509_LOOKUP *ctx); + int (*init)(X509_LOOKUP *ctx)); +int (*X509_LOOKUP_meth_get_init(const X509_LOOKUP_METHOD *method))(X509_LOOKUP *ctx); int X509_LOOKUP_meth_set_shutdown(X509_LOOKUP_METHOD *method, - int (*shutdown) (X509_LOOKUP *ctx)); -int (*X509_LOOKUP_meth_get_shutdown(const X509_LOOKUP_METHOD* method)) - (X509_LOOKUP *ctx); + int (*shutdown)(X509_LOOKUP *ctx)); +int (*X509_LOOKUP_meth_get_shutdown(const X509_LOOKUP_METHOD *method))(X509_LOOKUP *ctx); int X509_LOOKUP_meth_set_ctrl(X509_LOOKUP_METHOD *method, - X509_LOOKUP_ctrl_fn ctrl_fn); + X509_LOOKUP_ctrl_fn ctrl_fn); X509_LOOKUP_ctrl_fn X509_LOOKUP_meth_get_ctrl(const X509_LOOKUP_METHOD *method); int X509_LOOKUP_meth_set_get_by_subject(X509_LOOKUP_METHOD *method, - X509_LOOKUP_get_by_subject_fn fn); + X509_LOOKUP_get_by_subject_fn fn); X509_LOOKUP_get_by_subject_fn X509_LOOKUP_meth_get_get_by_subject( const X509_LOOKUP_METHOD *method); 
@@ -687,51 +690,50 @@ X509_LOOKUP_get_by_fingerprint_fn X509_LOOKUP_meth_get_get_by_fingerprint( const X509_LOOKUP_METHOD *method); int X509_LOOKUP_meth_set_get_by_alias(X509_LOOKUP_METHOD *method, - X509_LOOKUP_get_by_alias_fn fn); + X509_LOOKUP_get_by_alias_fn fn); X509_LOOKUP_get_by_alias_fn X509_LOOKUP_meth_get_get_by_alias( const X509_LOOKUP_METHOD *method); - int X509_STORE_add_cert(X509_STORE *xs, X509 *x); int X509_STORE_add_crl(X509_STORE *xs, X509_CRL *x); int X509_STORE_CTX_get_by_subject(const X509_STORE_CTX *vs, - X509_LOOKUP_TYPE type, - const X509_NAME *name, X509_OBJECT *ret); + X509_LOOKUP_TYPE type, + const X509_NAME *name, X509_OBJECT *ret); X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs, - X509_LOOKUP_TYPE type, - const X509_NAME *name); + X509_LOOKUP_TYPE type, + const X509_NAME *name); int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, - long argl, char **ret); + long argl, char **ret); int X509_LOOKUP_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, - char **ret, OSSL_LIB_CTX *libctx, const char *propq); + char **ret, OSSL_LIB_CTX *libctx, const char *propq); int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type); int X509_load_cert_file_ex(X509_LOOKUP *ctx, const char *file, int type, - OSSL_LIB_CTX *libctx, const char *propq); + OSSL_LIB_CTX *libctx, const char *propq); int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type); int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type); int X509_load_cert_crl_file_ex(X509_LOOKUP *ctx, const char *file, int type, - OSSL_LIB_CTX *libctx, const char *propq); + OSSL_LIB_CTX *libctx, const char *propq); X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method); void X509_LOOKUP_free(X509_LOOKUP *ctx); int X509_LOOKUP_init(X509_LOOKUP *ctx); int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, - const X509_NAME *name, X509_OBJECT *ret); + const X509_NAME *name, X509_OBJECT *ret); int 
X509_LOOKUP_by_subject_ex(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, - const X509_NAME *name, X509_OBJECT *ret, - OSSL_LIB_CTX *libctx, const char *propq); + const X509_NAME *name, X509_OBJECT *ret, + OSSL_LIB_CTX *libctx, const char *propq); int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, - const X509_NAME *name, - const ASN1_INTEGER *serial, - X509_OBJECT *ret); + const X509_NAME *name, + const ASN1_INTEGER *serial, + X509_OBJECT *ret); int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, - const unsigned char *bytes, int len, - X509_OBJECT *ret); + const unsigned char *bytes, int len, + X509_OBJECT *ret); int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, - const char *str, int len, X509_OBJECT *ret); + const char *str, int len, X509_OBJECT *ret); int X509_LOOKUP_set_method_data(X509_LOOKUP *ctx, void *data); void *X509_LOOKUP_get_method_data(const X509_LOOKUP *ctx); X509_STORE *X509_LOOKUP_get_store(const X509_LOOKUP *ctx); @@ -744,14 +746,14 @@ int X509_STORE_load_locations(X509_STORE *s, const char *file, const char *dir); int X509_STORE_set_default_paths(X509_STORE *xs); int X509_STORE_load_file_ex(X509_STORE *xs, const char *file, - OSSL_LIB_CTX *libctx, const char *propq); + OSSL_LIB_CTX *libctx, const char *propq); int X509_STORE_load_store_ex(X509_STORE *xs, const char *store, - OSSL_LIB_CTX *libctx, const char *propq); + OSSL_LIB_CTX *libctx, const char *propq); int X509_STORE_load_locations_ex(X509_STORE *xs, - const char *file, const char *dir, - OSSL_LIB_CTX *libctx, const char *propq); + const char *file, const char *dir, + OSSL_LIB_CTX *libctx, const char *propq); int X509_STORE_set_default_paths_ex(X509_STORE *xs, - OSSL_LIB_CTX *libctx, const char *propq); + OSSL_LIB_CTX *libctx, const char *propq); #define X509_STORE_CTX_get_ex_new_index(l, p, newf, dupf, freef) \ CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, l, p, newf, dupf, freef) 
@@ -775,12 +777,12 @@ void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk); int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose); int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust); int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, - int purpose, int trust); + int purpose, int trust); void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags); void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, - time_t t); + time_t t); void X509_STORE_CTX_set_current_reasons(X509_STORE_CTX *ctx, - unsigned int current_reasons); + unsigned int current_reasons); X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(const X509_STORE_CTX *ctx); int X509_STORE_CTX_get_explicit_policy(const X509_STORE_CTX *ctx); @@ -802,14 +804,14 @@ void X509_STORE_CTX_set0_dane(X509_STORE_CTX *ctx, SSL_DANE *dane); X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void); void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param); int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *to, - const X509_VERIFY_PARAM *from); + const X509_VERIFY_PARAM *from); int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, - const X509_VERIFY_PARAM *from); + const X509_VERIFY_PARAM *from); int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name); int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, - unsigned long flags); + unsigned long flags); int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, - unsigned long flags); + unsigned long flags); unsigned long X509_VERIFY_PARAM_get_flags(const X509_VERIFY_PARAM *param); int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose); int X509_VERIFY_PARAM_get_purpose(const X509_VERIFY_PARAM *param); 
@@ -819,32 +821,32 @@ void X509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM *param, int auth_level); time_t X509_VERIFY_PARAM_get_time(const X509_VERIFY_PARAM *param); void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t); int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, - ASN1_OBJECT *policy); + ASN1_OBJECT *policy); int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, - STACK_OF(ASN1_OBJECT) *policies); + STACK_OF(ASN1_OBJECT) *policies); int X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM *param, - uint32_t flags); + uint32_t flags); uint32_t X509_VERIFY_PARAM_get_inh_flags(const X509_VERIFY_PARAM *param); char *X509_VERIFY_PARAM_get0_host(X509_VERIFY_PARAM *param, int idx); int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, - const char *name, size_t namelen); + const char *name, size_t namelen); int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, - const char *name, size_t namelen); + const char *name, size_t namelen); void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, - unsigned int flags); + unsigned int flags); unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param); char *X509_VERIFY_PARAM_get0_peername(const X509_VERIFY_PARAM *param); void X509_VERIFY_PARAM_move_peername(X509_VERIFY_PARAM *, X509_VERIFY_PARAM *); char *X509_VERIFY_PARAM_get0_email(X509_VERIFY_PARAM *param); int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, - const char *email, size_t emaillen); + const char *email, size_t emaillen); char *X509_VERIFY_PARAM_get1_ip_asc(X509_VERIFY_PARAM *param); int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, - const unsigned char *ip, size_t iplen); + const unsigned char *ip, size_t iplen); int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, - const char *ipasc); + const char *ipasc); int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param); int X509_VERIFY_PARAM_get_auth_level(const X509_VERIFY_PARAM *param); 
@@ -857,47 +859,46 @@ const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name); void X509_VERIFY_PARAM_table_cleanup(void); /* Non positive return values are errors */ -#define X509_PCY_TREE_FAILURE -2 /* Failure to satisfy explicit policy */ -#define X509_PCY_TREE_INVALID -1 /* Inconsistent or invalid extensions */ -#define X509_PCY_TREE_INTERNAL 0 /* Internal error, most likely malloc */ +#define X509_PCY_TREE_FAILURE -2 /* Failure to satisfy explicit policy */ +#define X509_PCY_TREE_INVALID -1 /* Inconsistent or invalid extensions */ +#define X509_PCY_TREE_INTERNAL 0 /* Internal error, most likely malloc */ /* * Positive return values form a bit mask, all but the first are internal to * the library and don't appear in results from X509_policy_check(). */ -#define X509_PCY_TREE_VALID 1 /* The policy tree is valid */ -#define X509_PCY_TREE_EMPTY 2 /* The policy tree is empty */ -#define X509_PCY_TREE_EXPLICIT 4 /* Explicit policy required */ +#define X509_PCY_TREE_VALID 1 /* The policy tree is valid */ +#define X509_PCY_TREE_EMPTY 2 /* The policy tree is empty */ +#define X509_PCY_TREE_EXPLICIT 4 /* Explicit policy required */ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy, - STACK_OF(X509) *certs, - STACK_OF(ASN1_OBJECT) *policy_oids, unsigned int flags); + STACK_OF(X509) *certs, + STACK_OF(ASN1_OBJECT) *policy_oids, unsigned int flags); void X509_policy_tree_free(X509_POLICY_TREE *tree); int X509_policy_tree_level_count(const X509_POLICY_TREE *tree); X509_POLICY_LEVEL *X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, - int i); + int i); STACK_OF(X509_POLICY_NODE) - *X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree); +*X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree); STACK_OF(X509_POLICY_NODE) - *X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree); +*X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree); int X509_policy_level_node_count(X509_POLICY_LEVEL *level); 
X509_POLICY_NODE *X509_policy_level_get0_node(const X509_POLICY_LEVEL *level, - int i); + int i); const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node); STACK_OF(POLICYQUALINFO) - *X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node); -const X509_POLICY_NODE - *X509_policy_node_get0_parent(const X509_POLICY_NODE *node); +*X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node); +const X509_POLICY_NODE *X509_policy_node_get0_parent(const X509_POLICY_NODE *node); -#ifdef __cplusplus +#ifdef __cplusplus } #endif #endif diff --git a/crypto/openssl/include/openssl/x509v3.h b/crypto/openssl/include/openssl/x509v3.h index b8dabac35a49..5dd402d2a913 100644 --- a/crypto/openssl/include/openssl/x509v3.h +++ b/crypto/openssl/include/openssl/x509v3.h @@ -10,24 +10,26 @@ * https://www.openssl.org/source/license.html */ +/* clang-format off */ +/* clang-format on */ #ifndef OPENSSL_X509V3_H -# define OPENSSL_X509V3_H -# pragma once - -# include <openssl/macros.h> -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define HEADER_X509V3_H -# endif - -# include <openssl/bio.h> -# include <openssl/x509.h> -# include <openssl/conf.h> -# include <openssl/x509v3err.h> -# ifndef OPENSSL_NO_STDIO -# include <stdio.h> -# endif +#define OPENSSL_X509V3_H +#pragma once + +#include <openssl/macros.h> +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define HEADER_X509V3_H +#endif + +#include <openssl/bio.h> +#include <openssl/x509.h> +#include <openssl/conf.h> +#include <openssl/x509v3err.h> +#ifndef OPENSSL_NO_STDIO +#include <stdio.h> +#endif #ifdef __cplusplus extern "C" { 
@@ -40,62 +42,61 @@ struct v3_ext_ctx; /* Useful typedefs */ typedef void *(*X509V3_EXT_NEW)(void); -typedef void (*X509V3_EXT_FREE) (void *); +typedef void (*X509V3_EXT_FREE)(void *); typedef void *(*X509V3_EXT_D2I)(void *, const unsigned char **, long); -typedef int (*X509V3_EXT_I2D) (const void *, unsigned char **); -typedef STACK_OF(CONF_VALUE) * - (*X509V3_EXT_I2V) (const struct v3_ext_method *method, void *ext, - STACK_OF(CONF_VALUE) *extlist); +typedef int (*X509V3_EXT_I2D)(const void *, unsigned char **); +typedef STACK_OF(CONF_VALUE) *(*X509V3_EXT_I2V)(const struct v3_ext_method *method, void *ext, + STACK_OF(CONF_VALUE) *extlist); typedef void *(*X509V3_EXT_V2I)(const struct v3_ext_method *method, - struct v3_ext_ctx *ctx, - STACK_OF(CONF_VALUE) *values); + struct v3_ext_ctx *ctx, + STACK_OF(CONF_VALUE) *values); typedef char *(*X509V3_EXT_I2S)(const struct v3_ext_method *method, - void *ext); + void *ext); typedef void *(*X509V3_EXT_S2I)(const struct v3_ext_method *method, - struct v3_ext_ctx *ctx, const char *str); -typedef int (*X509V3_EXT_I2R) (const struct v3_ext_method *method, void *ext, - BIO *out, int indent); + struct v3_ext_ctx *ctx, const char *str); +typedef int (*X509V3_EXT_I2R)(const struct v3_ext_method *method, void *ext, + BIO *out, int indent); typedef void *(*X509V3_EXT_R2I)(const struct v3_ext_method *method, - struct v3_ext_ctx *ctx, const char *str); + struct v3_ext_ctx *ctx, const char *str); /* V3 extension structure */ struct v3_ext_method { int ext_nid; int ext_flags; -/* If this is set the following four fields are ignored */ + /* If this is set the following four fields are ignored */ ASN1_ITEM_EXP *it; -/* Old style ASN1 calls */ + /* Old style ASN1 calls */ X509V3_EXT_NEW ext_new; X509V3_EXT_FREE ext_free; X509V3_EXT_D2I d2i; X509V3_EXT_I2D i2d; -/* The following pair is used for string extensions */ + /* The following pair is used for string extensions */ X509V3_EXT_I2S i2s; X509V3_EXT_S2I s2i; -/* The following pair is 
used for multi-valued extensions */ + /* The following pair is used for multi-valued extensions */ X509V3_EXT_I2V i2v; X509V3_EXT_V2I v2i; -/* The following are used for raw extensions */ + /* The following are used for raw extensions */ X509V3_EXT_I2R i2r; X509V3_EXT_R2I r2i; - void *usr_data; /* Any extension specific data */ + void *usr_data; /* Any extension specific data */ }; typedef struct X509V3_CONF_METHOD_st { - char *(*get_string) (void *db, const char *section, const char *value); - STACK_OF(CONF_VALUE) *(*get_section) (void *db, const char *section); - void (*free_string) (void *db, char *string); - void (*free_section) (void *db, STACK_OF(CONF_VALUE) *section); + char *(*get_string)(void *db, const char *section, const char *value); + STACK_OF(CONF_VALUE) *(*get_section)(void *db, const char *section); + void (*free_string)(void *db, char *string); + void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section); } X509V3_CONF_METHOD; /* Context specific info for producing X509 v3 extensions*/ struct v3_ext_ctx { -# define X509V3_CTX_TEST 0x1 -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define CTX_TEST X509V3_CTX_TEST -# endif -# define X509V3_CTX_REPLACE 0x2 +#define X509V3_CTX_TEST 0x1 +#ifndef OPENSSL_NO_DEPRECATED_3_0 +#define CTX_TEST X509V3_CTX_TEST +#endif +#define X509V3_CTX_REPLACE 0x2 int flags; X509 *issuer_cert; X509 *subject_cert; @@ -104,11 +105,12 @@ struct v3_ext_ctx { X509V3_CONF_METHOD *db_meth; void *db; EVP_PKEY *issuer_pkey; -/* Maybe more here */ + /* Maybe more here */ }; typedef struct v3_ext_method X509V3_EXT_METHOD; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(X509V3_EXT_METHOD, X509V3_EXT_METHOD, X509V3_EXT_METHOD) #define sk_X509V3_EXT_METHOD_num(sk) OPENSSL_sk_num(ossl_check_const_X509V3_EXT_METHOD_sk_type(sk)) #define sk_X509V3_EXT_METHOD_value(sk, idx) ((X509V3_EXT_METHOD *)OPENSSL_sk_value(ossl_check_const_X509V3_EXT_METHOD_sk_type(sk), (idx))) 
@@ -136,11 +138,12 @@ SKM_DEFINE_STACK_OF_INTERNAL(X509V3_EXT_METHOD, X509V3_EXT_METHOD, X509V3_EXT_ME #define sk_X509V3_EXT_METHOD_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(X509V3_EXT_METHOD) *)OPENSSL_sk_deep_copy(ossl_check_const_X509V3_EXT_METHOD_sk_type(sk), ossl_check_X509V3_EXT_METHOD_copyfunc_type(copyfunc), ossl_check_X509V3_EXT_METHOD_freefunc_type(freefunc))) #define sk_X509V3_EXT_METHOD_set_cmp_func(sk, cmp) ((sk_X509V3_EXT_METHOD_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_X509V3_EXT_METHOD_sk_type(sk), ossl_check_X509V3_EXT_METHOD_compfunc_type(cmp))) +/* clang-format on */ /* ext_flags values */ -# define X509V3_EXT_DYNAMIC 0x1 -# define X509V3_EXT_CTX_DEP 0x2 -# define X509V3_EXT_MULTILINE 0x4 +#define X509V3_EXT_DYNAMIC 0x1 +#define X509V3_EXT_CTX_DEP 0x2 +#define X509V3_EXT_MULTILINE 0x4 typedef BIT_STRING_BITNAME ENUMERATED_NAMES; @@ -170,19 +173,19 @@ typedef struct EDIPartyName_st { } EDIPARTYNAME; typedef struct GENERAL_NAME_st { -# define GEN_OTHERNAME 0 -# define GEN_EMAIL 1 -# define GEN_DNS 2 -# define GEN_X400 3 -# define GEN_DIRNAME 4 -# define GEN_EDIPARTY 5 -# define GEN_URI 6 -# define GEN_IPADD 7 -# define GEN_RID 8 +#define GEN_OTHERNAME 0 +#define GEN_EMAIL 1 +#define GEN_DNS 2 +#define GEN_X400 3 +#define GEN_DIRNAME 4 +#define GEN_EDIPARTY 5 +#define GEN_URI 6 +#define GEN_IPADD 7 +#define GEN_RID 8 int type; union { char *ptr; - OTHERNAME *otherName; /* otherName */ + OTHERNAME *otherName; /* otherName */ ASN1_IA5STRING *rfc822Name; ASN1_IA5STRING *dNSName; ASN1_STRING *x400Address; 
@@ -192,12 +195,12 @@ typedef struct GENERAL_NAME_st { ASN1_OCTET_STRING *iPAddress; ASN1_OBJECT *registeredID; /* Old names */ - ASN1_OCTET_STRING *ip; /* iPAddress */ - X509_NAME *dirn; /* dirn */ - ASN1_IA5STRING *ia5; /* rfc822Name, dNSName, - * uniformResourceIdentifier */ - ASN1_OBJECT *rid; /* registeredID */ - ASN1_TYPE *other; /* x400Address */ + ASN1_OCTET_STRING *ip; /* iPAddress */ + X509_NAME *dirn; /* dirn */ + ASN1_IA5STRING *ia5; /* rfc822Name, dNSName, + * uniformResourceIdentifier */ + ASN1_OBJECT *rid; /* registeredID */ + ASN1_TYPE *other; /* x400Address */ } d; } GENERAL_NAME; @@ -208,6 +211,7 @@ typedef struct ACCESS_DESCRIPTION_st { int GENERAL_NAME_set1_X509_NAME(GENERAL_NAME **tgt, const X509_NAME *src); +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(ACCESS_DESCRIPTION, ACCESS_DESCRIPTION, ACCESS_DESCRIPTION) #define sk_ACCESS_DESCRIPTION_num(sk) OPENSSL_sk_num(ossl_check_const_ACCESS_DESCRIPTION_sk_type(sk)) #define sk_ACCESS_DESCRIPTION_value(sk, idx) ((ACCESS_DESCRIPTION *)OPENSSL_sk_value(ossl_check_const_ACCESS_DESCRIPTION_sk_type(sk), (idx))) 
@@ -261,12 +265,14 @@ SKM_DEFINE_STACK_OF_INTERNAL(GENERAL_NAME, GENERAL_NAME, GENERAL_NAME) #define sk_GENERAL_NAME_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(GENERAL_NAME) *)OPENSSL_sk_deep_copy(ossl_check_const_GENERAL_NAME_sk_type(sk), ossl_check_GENERAL_NAME_copyfunc_type(copyfunc), ossl_check_GENERAL_NAME_freefunc_type(freefunc))) #define sk_GENERAL_NAME_set_cmp_func(sk, cmp) ((sk_GENERAL_NAME_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_GENERAL_NAME_sk_type(sk), ossl_check_GENERAL_NAME_compfunc_type(cmp))) +/* clang-format on */ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS; typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE; typedef STACK_OF(ASN1_INTEGER) TLS_FEATURE; typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(GENERAL_NAMES, GENERAL_NAMES, GENERAL_NAMES) #define sk_GENERAL_NAMES_num(sk) OPENSSL_sk_num(ossl_check_const_GENERAL_NAMES_sk_type(sk)) #define sk_GENERAL_NAMES_value(sk, idx) ((GENERAL_NAMES *)OPENSSL_sk_value(ossl_check_const_GENERAL_NAMES_sk_type(sk), (idx))) @@ -294,6 +300,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(GENERAL_NAMES, GENERAL_NAMES, GENERAL_NAMES) #define sk_GENERAL_NAMES_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(GENERAL_NAMES) *)OPENSSL_sk_deep_copy(ossl_check_const_GENERAL_NAMES_sk_type(sk), ossl_check_GENERAL_NAMES_copyfunc_type(copyfunc), ossl_check_GENERAL_NAMES_freefunc_type(freefunc))) #define sk_GENERAL_NAMES_set_cmp_func(sk, cmp) ((sk_GENERAL_NAMES_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_GENERAL_NAMES_sk_type(sk), ossl_check_GENERAL_NAMES_compfunc_type(cmp))) +/* clang-format on */ typedef struct DIST_POINT_NAME_st { int type; 
@@ -301,24 +308,24 @@ typedef struct DIST_POINT_NAME_st { GENERAL_NAMES *fullname; STACK_OF(X509_NAME_ENTRY) *relativename; } name; -/* If relativename then this contains the full distribution point name */ + /* If relativename then this contains the full distribution point name */ X509_NAME *dpname; } DIST_POINT_NAME; DECLARE_ASN1_DUP_FUNCTION(DIST_POINT_NAME) /* All existing reasons */ -# define CRLDP_ALL_REASONS 0x807f - -# define CRL_REASON_NONE -1 -# define CRL_REASON_UNSPECIFIED 0 -# define CRL_REASON_KEY_COMPROMISE 1 -# define CRL_REASON_CA_COMPROMISE 2 -# define CRL_REASON_AFFILIATION_CHANGED 3 -# define CRL_REASON_SUPERSEDED 4 -# define CRL_REASON_CESSATION_OF_OPERATION 5 -# define CRL_REASON_CERTIFICATE_HOLD 6 -# define CRL_REASON_REMOVE_FROM_CRL 8 -# define CRL_REASON_PRIVILEGE_WITHDRAWN 9 -# define CRL_REASON_AA_COMPROMISE 10 +#define CRLDP_ALL_REASONS 0x807f + +#define CRL_REASON_NONE -1 +#define CRL_REASON_UNSPECIFIED 0 +#define CRL_REASON_KEY_COMPROMISE 1 +#define CRL_REASON_CA_COMPROMISE 2 +#define CRL_REASON_AFFILIATION_CHANGED 3 +#define CRL_REASON_SUPERSEDED 4 +#define CRL_REASON_CESSATION_OF_OPERATION 5 +#define CRL_REASON_CERTIFICATE_HOLD 6 +#define CRL_REASON_REMOVE_FROM_CRL 8 +#define CRL_REASON_PRIVILEGE_WITHDRAWN 9 +#define CRL_REASON_AA_COMPROMISE 10 struct DIST_POINT_st { DIST_POINT_NAME *distpoint; @@ -327,6 +334,7 @@ struct DIST_POINT_st { int dp_reasons; }; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(DIST_POINT, DIST_POINT, DIST_POINT) #define sk_DIST_POINT_num(sk) OPENSSL_sk_num(ossl_check_const_DIST_POINT_sk_type(sk)) #define sk_DIST_POINT_value(sk, idx) ((DIST_POINT *)OPENSSL_sk_value(ossl_check_const_DIST_POINT_sk_type(sk), (idx))) 
@@ -354,6 +362,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(DIST_POINT, DIST_POINT, DIST_POINT) #define sk_DIST_POINT_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(DIST_POINT) *)OPENSSL_sk_deep_copy(ossl_check_const_DIST_POINT_sk_type(sk), ossl_check_DIST_POINT_copyfunc_type(copyfunc), ossl_check_DIST_POINT_freefunc_type(freefunc))) #define sk_DIST_POINT_set_cmp_func(sk, cmp) ((sk_DIST_POINT_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_DIST_POINT_sk_type(sk), ossl_check_DIST_POINT_compfunc_type(cmp))) +/* clang-format on */ typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS; @@ -370,6 +379,7 @@ typedef struct SXNET_ID_st { ASN1_OCTET_STRING *user; } SXNETID; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(SXNETID, SXNETID, SXNETID) #define sk_SXNETID_num(sk) OPENSSL_sk_num(ossl_check_const_SXNETID_sk_type(sk)) #define sk_SXNETID_value(sk, idx) ((SXNETID *)OPENSSL_sk_value(ossl_check_const_SXNETID_sk_type(sk), (idx))) @@ -397,7 +407,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(SXNETID, SXNETID, SXNETID) #define sk_SXNETID_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(SXNETID) *)OPENSSL_sk_deep_copy(ossl_check_const_SXNETID_sk_type(sk), ossl_check_SXNETID_copyfunc_type(copyfunc), ossl_check_SXNETID_freefunc_type(freefunc))) #define sk_SXNETID_set_cmp_func(sk, cmp) ((sk_SXNETID_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_SXNETID_sk_type(sk), ossl_check_SXNETID_compfunc_type(cmp))) - +/* clang-format on */ typedef struct SXNET_st { ASN1_INTEGER *version; @@ -430,6 +440,7 @@ typedef struct POLICYQUALINFO_st { } d; } POLICYQUALINFO; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(POLICYQUALINFO, POLICYQUALINFO, POLICYQUALINFO) #define sk_POLICYQUALINFO_num(sk) OPENSSL_sk_num(ossl_check_const_POLICYQUALINFO_sk_type(sk)) #define sk_POLICYQUALINFO_value(sk, idx) ((POLICYQUALINFO *)OPENSSL_sk_value(ossl_check_const_POLICYQUALINFO_sk_type(sk), (idx))) 
@@ -457,13 +468,14 @@ SKM_DEFINE_STACK_OF_INTERNAL(POLICYQUALINFO, POLICYQUALINFO, POLICYQUALINFO) #define sk_POLICYQUALINFO_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(POLICYQUALINFO) *)OPENSSL_sk_deep_copy(ossl_check_const_POLICYQUALINFO_sk_type(sk), ossl_check_POLICYQUALINFO_copyfunc_type(copyfunc), ossl_check_POLICYQUALINFO_freefunc_type(freefunc))) #define sk_POLICYQUALINFO_set_cmp_func(sk, cmp) ((sk_POLICYQUALINFO_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_POLICYQUALINFO_sk_type(sk), ossl_check_POLICYQUALINFO_compfunc_type(cmp))) - +/* clang-format on */ typedef struct POLICYINFO_st { ASN1_OBJECT *policyid; STACK_OF(POLICYQUALINFO) *qualifiers; } POLICYINFO; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(POLICYINFO, POLICYINFO, POLICYINFO) #define sk_POLICYINFO_num(sk) OPENSSL_sk_num(ossl_check_const_POLICYINFO_sk_type(sk)) #define sk_POLICYINFO_value(sk, idx) ((POLICYINFO *)OPENSSL_sk_value(ossl_check_const_POLICYINFO_sk_type(sk), (idx))) @@ -491,6 +503,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(POLICYINFO, POLICYINFO, POLICYINFO) #define sk_POLICYINFO_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(POLICYINFO) *)OPENSSL_sk_deep_copy(ossl_check_const_POLICYINFO_sk_type(sk), ossl_check_POLICYINFO_copyfunc_type(copyfunc), ossl_check_POLICYINFO_freefunc_type(freefunc))) #define sk_POLICYINFO_set_cmp_func(sk, cmp) ((sk_POLICYINFO_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_POLICYINFO_sk_type(sk), ossl_check_POLICYINFO_compfunc_type(cmp))) +/* clang-format on */ typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES; @@ -499,6 +512,7 @@ typedef struct POLICY_MAPPING_st { ASN1_OBJECT *subjectDomainPolicy; } POLICY_MAPPING; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(POLICY_MAPPING, POLICY_MAPPING, POLICY_MAPPING) #define sk_POLICY_MAPPING_num(sk) OPENSSL_sk_num(ossl_check_const_POLICY_MAPPING_sk_type(sk)) #define sk_POLICY_MAPPING_value(sk, idx) ((POLICY_MAPPING *)OPENSSL_sk_value(ossl_check_const_POLICY_MAPPING_sk_type(sk), (idx))) 
@@ -526,6 +540,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(POLICY_MAPPING, POLICY_MAPPING, POLICY_MAPPING) #define sk_POLICY_MAPPING_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(POLICY_MAPPING) *)OPENSSL_sk_deep_copy(ossl_check_const_POLICY_MAPPING_sk_type(sk), ossl_check_POLICY_MAPPING_copyfunc_type(copyfunc), ossl_check_POLICY_MAPPING_freefunc_type(freefunc))) #define sk_POLICY_MAPPING_set_cmp_func(sk, cmp) ((sk_POLICY_MAPPING_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_POLICY_MAPPING_sk_type(sk), ossl_check_POLICY_MAPPING_compfunc_type(cmp))) +/* clang-format on */ typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS; @@ -535,6 +550,7 @@ typedef struct GENERAL_SUBTREE_st { ASN1_INTEGER *maximum; } GENERAL_SUBTREE; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(GENERAL_SUBTREE, GENERAL_SUBTREE, GENERAL_SUBTREE) #define sk_GENERAL_SUBTREE_num(sk) OPENSSL_sk_num(ossl_check_const_GENERAL_SUBTREE_sk_type(sk)) #define sk_GENERAL_SUBTREE_value(sk, idx) ((GENERAL_SUBTREE *)OPENSSL_sk_value(ossl_check_const_GENERAL_SUBTREE_sk_type(sk), (idx))) @@ -562,6 +578,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(GENERAL_SUBTREE, GENERAL_SUBTREE, GENERAL_SUBTREE) #define sk_GENERAL_SUBTREE_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(GENERAL_SUBTREE) *)OPENSSL_sk_deep_copy(ossl_check_const_GENERAL_SUBTREE_sk_type(sk), ossl_check_GENERAL_SUBTREE_copyfunc_type(copyfunc), ossl_check_GENERAL_SUBTREE_freefunc_type(freefunc))) #define sk_GENERAL_SUBTREE_set_cmp_func(sk, cmp) ((sk_GENERAL_SUBTREE_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_GENERAL_SUBTREE_sk_type(sk), ossl_check_GENERAL_SUBTREE_compfunc_type(cmp))) +/* clang-format on */ struct NAME_CONSTRAINTS_st { STACK_OF(GENERAL_SUBTREE) *permittedSubtrees; 
@@ -598,121 +615,124 @@ struct ISSUING_DIST_POINT_st { /* Values in idp_flags field */ /* IDP present */ -# define IDP_PRESENT 0x1 +#define IDP_PRESENT 0x1 /* IDP values inconsistent */ -# define IDP_INVALID 0x2 +#define IDP_INVALID 0x2 /* onlyuser true */ -# define IDP_ONLYUSER 0x4 +#define IDP_ONLYUSER 0x4 /* onlyCA true */ -# define IDP_ONLYCA 0x8 +#define IDP_ONLYCA 0x8 /* onlyattr true */ -# define IDP_ONLYATTR 0x10 +#define IDP_ONLYATTR 0x10 /* indirectCRL true */ -# define IDP_INDIRECT 0x20 +#define IDP_INDIRECT 0x20 /* onlysomereasons present */ -# define IDP_REASONS 0x40 +#define IDP_REASONS 0x40 -# define X509V3_conf_err(val) ERR_add_error_data(6, \ - "section:", (val)->section, \ - ",name:", (val)->name, ",value:", (val)->value) +#define X509V3_conf_err(val) ERR_add_error_data(6, \ + "section:", (val)->section, \ + ",name:", (val)->name, ",value:", (val)->value) -# define X509V3_set_ctx_test(ctx) \ +#define X509V3_set_ctx_test(ctx) \ X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, X509V3_CTX_TEST) -# define X509V3_set_ctx_nodb(ctx) (ctx)->db = NULL; - -# define EXT_BITSTRING(nid, table) { nid, 0, ASN1_ITEM_ref(ASN1_BIT_STRING), \ - 0,0,0,0, \ - 0,0, \ - (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING, \ - (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING, \ - NULL, NULL, \ - table} - -# define EXT_IA5STRING(nid) { nid, 0, ASN1_ITEM_ref(ASN1_IA5STRING), \ - 0,0,0,0, \ - (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \ - (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, \ - 0,0,0,0, \ - NULL} +#define X509V3_set_ctx_nodb(ctx) (ctx)->db = NULL; + +#define EXT_BITSTRING(nid, table) { nid, 0, ASN1_ITEM_ref(ASN1_BIT_STRING), \ + 0, 0, 0, 0, \ + 0, 0, \ + (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING, \ + (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING, \ + NULL, NULL, \ + table } + +#define EXT_IA5STRING(nid) { nid, 0, ASN1_ITEM_ref(ASN1_IA5STRING), \ + 0, 0, 0, 0, \ + (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \ + (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, \ + 0, 0, 0, 0, \ + NULL } #define EXT_UTF8STRING(nid) { nid, 0, 
ASN1_ITEM_ref(ASN1_UTF8STRING), \ - 0,0,0,0, \ - (X509V3_EXT_I2S)i2s_ASN1_UTF8STRING, \ - (X509V3_EXT_S2I)s2i_ASN1_UTF8STRING, \ - 0,0,0,0, \ - NULL} + 0, 0, 0, 0, \ + (X509V3_EXT_I2S)i2s_ASN1_UTF8STRING, \ + (X509V3_EXT_S2I)s2i_ASN1_UTF8STRING, \ + 0, 0, 0, 0, \ + NULL } +/* clang-format off */ # define EXT_END { -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} +/* clang-format on */ /* X509_PURPOSE stuff */ -# define EXFLAG_BCONS 0x1 -# define EXFLAG_KUSAGE 0x2 -# define EXFLAG_XKUSAGE 0x4 -# define EXFLAG_NSCERT 0x8 +#define EXFLAG_BCONS 0x1 +#define EXFLAG_KUSAGE 0x2 +#define EXFLAG_XKUSAGE 0x4 +#define EXFLAG_NSCERT 0x8 -# define EXFLAG_CA 0x10 -# define EXFLAG_SI 0x20 /* self-issued, maybe not self-signed */ -# define EXFLAG_V1 0x40 -# define EXFLAG_INVALID 0x80 +#define EXFLAG_CA 0x10 +#define EXFLAG_SI 0x20 /* self-issued, maybe not self-signed */ +#define EXFLAG_V1 0x40 +#define EXFLAG_INVALID 0x80 /* EXFLAG_SET is set to indicate that some values have been precomputed */ -# define EXFLAG_SET 0x100 -# define EXFLAG_CRITICAL 0x200 -# define EXFLAG_PROXY 0x400 +#define EXFLAG_SET 0x100 +#define EXFLAG_CRITICAL 0x200 +#define EXFLAG_PROXY 0x400 -# define EXFLAG_INVALID_POLICY 0x800 -# define EXFLAG_FRESHEST 0x1000 -# define EXFLAG_SS 0x2000 /* cert is apparently self-signed */ +#define EXFLAG_INVALID_POLICY 0x800 +#define EXFLAG_FRESHEST 0x1000 +#define EXFLAG_SS 0x2000 /* cert is apparently self-signed */ -# define EXFLAG_BCONS_CRITICAL 0x10000 -# define EXFLAG_AKID_CRITICAL 0x20000 -# define EXFLAG_SKID_CRITICAL 0x40000 -# define EXFLAG_SAN_CRITICAL 0x80000 -# define EXFLAG_NO_FINGERPRINT 0x100000 +#define EXFLAG_BCONS_CRITICAL 0x10000 +#define EXFLAG_AKID_CRITICAL 0x20000 +#define EXFLAG_SKID_CRITICAL 0x40000 +#define EXFLAG_SAN_CRITICAL 0x80000 +#define EXFLAG_NO_FINGERPRINT 0x100000 /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3 */ -# define KU_DIGITAL_SIGNATURE X509v3_KU_DIGITAL_SIGNATURE -# define KU_NON_REPUDIATION 
X509v3_KU_NON_REPUDIATION -# define KU_KEY_ENCIPHERMENT X509v3_KU_KEY_ENCIPHERMENT -# define KU_DATA_ENCIPHERMENT X509v3_KU_DATA_ENCIPHERMENT -# define KU_KEY_AGREEMENT X509v3_KU_KEY_AGREEMENT -# define KU_KEY_CERT_SIGN X509v3_KU_KEY_CERT_SIGN -# define KU_CRL_SIGN X509v3_KU_CRL_SIGN -# define KU_ENCIPHER_ONLY X509v3_KU_ENCIPHER_ONLY -# define KU_DECIPHER_ONLY X509v3_KU_DECIPHER_ONLY - -# define NS_SSL_CLIENT 0x80 -# define NS_SSL_SERVER 0x40 -# define NS_SMIME 0x20 -# define NS_OBJSIGN 0x10 -# define NS_SSL_CA 0x04 -# define NS_SMIME_CA 0x02 -# define NS_OBJSIGN_CA 0x01 -# define NS_ANY_CA (NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA) - -# define XKU_SSL_SERVER 0x1 -# define XKU_SSL_CLIENT 0x2 -# define XKU_SMIME 0x4 -# define XKU_CODE_SIGN 0x8 -# define XKU_SGC 0x10 /* Netscape or MS Server-Gated Crypto */ -# define XKU_OCSP_SIGN 0x20 -# define XKU_TIMESTAMP 0x40 -# define XKU_DVCS 0x80 -# define XKU_ANYEKU 0x100 - -# define X509_PURPOSE_DYNAMIC 0x1 -# define X509_PURPOSE_DYNAMIC_NAME 0x2 +#define KU_DIGITAL_SIGNATURE X509v3_KU_DIGITAL_SIGNATURE +#define KU_NON_REPUDIATION X509v3_KU_NON_REPUDIATION +#define KU_KEY_ENCIPHERMENT X509v3_KU_KEY_ENCIPHERMENT +#define KU_DATA_ENCIPHERMENT X509v3_KU_DATA_ENCIPHERMENT +#define KU_KEY_AGREEMENT X509v3_KU_KEY_AGREEMENT +#define KU_KEY_CERT_SIGN X509v3_KU_KEY_CERT_SIGN +#define KU_CRL_SIGN X509v3_KU_CRL_SIGN +#define KU_ENCIPHER_ONLY X509v3_KU_ENCIPHER_ONLY +#define KU_DECIPHER_ONLY X509v3_KU_DECIPHER_ONLY + +#define NS_SSL_CLIENT 0x80 +#define NS_SSL_SERVER 0x40 +#define NS_SMIME 0x20 +#define NS_OBJSIGN 0x10 +#define NS_SSL_CA 0x04 +#define NS_SMIME_CA 0x02 +#define NS_OBJSIGN_CA 0x01 +#define NS_ANY_CA (NS_SSL_CA | NS_SMIME_CA | NS_OBJSIGN_CA) + +#define XKU_SSL_SERVER 0x1 +#define XKU_SSL_CLIENT 0x2 +#define XKU_SMIME 0x4 +#define XKU_CODE_SIGN 0x8 +#define XKU_SGC 0x10 /* Netscape or MS Server-Gated Crypto */ +#define XKU_OCSP_SIGN 0x20 +#define XKU_TIMESTAMP 0x40 +#define XKU_DVCS 0x80 +#define XKU_ANYEKU 0x100 + +#define 
X509_PURPOSE_DYNAMIC 0x1 +#define X509_PURPOSE_DYNAMIC_NAME 0x2 typedef struct x509_purpose_st { int purpose; - int trust; /* Default trust ID */ + int trust; /* Default trust ID */ int flags; - int (*check_purpose) (const struct x509_purpose_st *, const X509 *, int); + int (*check_purpose)(const struct x509_purpose_st *, const X509 *, int); char *name; char *sname; void *usr_data; } X509_PURPOSE; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(X509_PURPOSE, X509_PURPOSE, X509_PURPOSE) #define sk_X509_PURPOSE_num(sk) OPENSSL_sk_num(ossl_check_const_X509_PURPOSE_sk_type(sk)) #define sk_X509_PURPOSE_value(sk, idx) ((X509_PURPOSE *)OPENSSL_sk_value(ossl_check_const_X509_PURPOSE_sk_type(sk), (idx))) 
@@ -740,44 +760,45 @@ SKM_DEFINE_STACK_OF_INTERNAL(X509_PURPOSE, X509_PURPOSE, X509_PURPOSE) #define sk_X509_PURPOSE_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(X509_PURPOSE) *)OPENSSL_sk_deep_copy(ossl_check_const_X509_PURPOSE_sk_type(sk), ossl_check_X509_PURPOSE_copyfunc_type(copyfunc), ossl_check_X509_PURPOSE_freefunc_type(freefunc))) #define sk_X509_PURPOSE_set_cmp_func(sk, cmp) ((sk_X509_PURPOSE_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_X509_PURPOSE_sk_type(sk), ossl_check_X509_PURPOSE_compfunc_type(cmp))) +/* clang-format on */ -# define X509_PURPOSE_DEFAULT_ANY 0 -# define X509_PURPOSE_SSL_CLIENT 1 -# define X509_PURPOSE_SSL_SERVER 2 -# define X509_PURPOSE_NS_SSL_SERVER 3 -# define X509_PURPOSE_SMIME_SIGN 4 -# define X509_PURPOSE_SMIME_ENCRYPT 5 -# define X509_PURPOSE_CRL_SIGN 6 -# define X509_PURPOSE_ANY 7 -# define X509_PURPOSE_OCSP_HELPER 8 -# define X509_PURPOSE_TIMESTAMP_SIGN 9 -# define X509_PURPOSE_CODE_SIGN 10 +#define X509_PURPOSE_DEFAULT_ANY 0 +#define X509_PURPOSE_SSL_CLIENT 1 +#define X509_PURPOSE_SSL_SERVER 2 +#define X509_PURPOSE_NS_SSL_SERVER 3 +#define X509_PURPOSE_SMIME_SIGN 4 +#define X509_PURPOSE_SMIME_ENCRYPT 5 +#define X509_PURPOSE_CRL_SIGN 6 +#define X509_PURPOSE_ANY 7 +#define X509_PURPOSE_OCSP_HELPER 8 +#define X509_PURPOSE_TIMESTAMP_SIGN 9 +#define X509_PURPOSE_CODE_SIGN 10 -# define X509_PURPOSE_MIN 1 -# define X509_PURPOSE_MAX 10 +#define X509_PURPOSE_MIN 1 +#define X509_PURPOSE_MAX 10 /* Flags for X509V3_EXT_print() */ -# define X509V3_EXT_UNKNOWN_MASK (0xfL << 16) +#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16) /* Return error for unknown extensions */ -# define X509V3_EXT_DEFAULT 0 +#define X509V3_EXT_DEFAULT 0 /* Print error for unknown extensions */ -# define X509V3_EXT_ERROR_UNKNOWN (1L << 16) +#define X509V3_EXT_ERROR_UNKNOWN (1L << 16) /* ASN1 parse unknown extensions */ -# define X509V3_EXT_PARSE_UNKNOWN (2L << 16) +#define X509V3_EXT_PARSE_UNKNOWN (2L << 16) /* BIO_dump unknown extensions */ -# define 
X509V3_EXT_DUMP_UNKNOWN (3L << 16) +#define X509V3_EXT_DUMP_UNKNOWN (3L << 16) /* Flags for X509V3_add1_i2d */ -# define X509V3_ADD_OP_MASK 0xfL -# define X509V3_ADD_DEFAULT 0L -# define X509V3_ADD_APPEND 1L -# define X509V3_ADD_REPLACE 2L -# define X509V3_ADD_REPLACE_EXISTING 3L -# define X509V3_ADD_KEEP_EXISTING 4L -# define X509V3_ADD_DELETE 5L -# define X509V3_ADD_SILENT 0x10 +#define X509V3_ADD_OP_MASK 0xfL +#define X509V3_ADD_DEFAULT 0L +#define X509V3_ADD_APPEND 1L +#define X509V3_ADD_REPLACE 2L +#define X509V3_ADD_REPLACE_EXISTING 3L +#define X509V3_ADD_KEEP_EXISTING 4L +#define X509V3_ADD_DELETE 5L +#define X509V3_ADD_SILENT 0x10 DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS) DECLARE_ASN1_FUNCTIONS(OSSL_BASIC_ATTR_CONSTRAINTS) @@ -789,9 +810,9 @@ DECLARE_ASN1_FUNCTIONS(ISSUER_SIGN_TOOL) int SXNET_add_id_asc(SXNET **psx, const char *zone, const char *user, int userlen); int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, const char *user, - int userlen); + int userlen); int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *izone, const char *user, - int userlen); + int userlen); ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, const char *zone); ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone); 
@@ -806,30 +827,30 @@ DECLARE_ASN1_DUP_FUNCTION(GENERAL_NAME) int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b); ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, - STACK_OF(CONF_VALUE) *nval); + X509V3_CTX *ctx, + STACK_OF(CONF_VALUE) *nval); STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, - ASN1_BIT_STRING *bits, - STACK_OF(CONF_VALUE) *extlist); + ASN1_BIT_STRING *bits, + STACK_OF(CONF_VALUE) *extlist); char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5); ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, const char *str); + X509V3_CTX *ctx, const char *str); char *i2s_ASN1_UTF8STRING(X509V3_EXT_METHOD *method, ASN1_UTF8STRING *utf8); ASN1_UTF8STRING *s2i_ASN1_UTF8STRING(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, const char *str); + X509V3_CTX *ctx, const char *str); STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, - GENERAL_NAME *gen, - STACK_OF(CONF_VALUE) *ret); + GENERAL_NAME *gen, + STACK_OF(CONF_VALUE) *ret); int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen); DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES) STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method, - GENERAL_NAMES *gen, - STACK_OF(CONF_VALUE) *extlist); + GENERAL_NAMES *gen, + STACK_OF(CONF_VALUE) *extlist); GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); + X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); DECLARE_ASN1_FUNCTIONS(OTHERNAME) DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME) 
@@ -837,14 +858,14 @@ int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b); void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value); void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype); int GENERAL_NAME_set0_othername(GENERAL_NAME *gen, - ASN1_OBJECT *oid, ASN1_TYPE *value); + ASN1_OBJECT *oid, ASN1_TYPE *value); int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen, - ASN1_OBJECT **poid, ASN1_TYPE **pvalue); + ASN1_OBJECT **poid, ASN1_TYPE **pvalue); char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, - const ASN1_OCTET_STRING *ia5); + const ASN1_OCTET_STRING *ia5); ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, const char *str); + X509V3_CTX *ctx, const char *str); DECLARE_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE) int i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION *a); 
@@ -884,75 +905,75 @@ DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS) DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS) GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out, - const X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, int gen_type, - const char *value, int is_nc); + const X509V3_EXT_METHOD *method, + X509V3_CTX *ctx, int gen_type, + const char *value, int is_nc); -# ifdef OPENSSL_CONF_H +#ifdef OPENSSL_CONF_H GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, CONF_VALUE *cnf); + X509V3_CTX *ctx, CONF_VALUE *cnf); GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out, - const X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, CONF_VALUE *cnf, - int is_nc); + const X509V3_EXT_METHOD *method, + X509V3_CTX *ctx, CONF_VALUE *cnf, + int is_nc); void X509V3_conf_free(CONF_VALUE *val); X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, - const char *value); + const char *value); X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name, - const char *value); + const char *value); int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section, - STACK_OF(X509_EXTENSION) **sk); + STACK_OF(X509_EXTENSION) **sk); int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section, - X509 *cert); + X509 *cert); int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section, - X509_REQ *req); + X509_REQ *req); int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section, - X509_CRL *crl); + X509_CRL *crl); X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, - X509V3_CTX *ctx, int ext_nid, - const char *value); + X509V3_CTX *ctx, int ext_nid, + const char *value); X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, - const char *name, const char *value); + const char *name, const char *value); int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, - const char *section, X509 *cert); + const char *section, X509 
*cert); int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, - const char *section, X509_REQ *req); + const char *section, X509_REQ *req); int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, - const char *section, X509_CRL *crl); + const char *section, X509_CRL *crl); int X509V3_add_value_bool_nf(const char *name, int asn1_bool, - STACK_OF(CONF_VALUE) **extlist); + STACK_OF(CONF_VALUE) **extlist); int X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool); int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint); void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf); void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash); -# endif +#endif char *X509V3_get_string(X509V3_CTX *ctx, const char *name, const char *section); STACK_OF(CONF_VALUE) *X509V3_get_section(X509V3_CTX *ctx, const char *section); void X509V3_string_free(X509V3_CTX *ctx, char *str); void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section); void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject, - X509_REQ *req, X509_CRL *crl, int flags); + X509_REQ *req, X509_CRL *crl, int flags); /* For API backward compatibility, this is separate from X509V3_set_ctx(): */ int X509V3_set_issuer_pkey(X509V3_CTX *ctx, EVP_PKEY *pkey); int X509V3_add_value(const char *name, const char *value, - STACK_OF(CONF_VALUE) **extlist); + STACK_OF(CONF_VALUE) **extlist); int X509V3_add_value_uchar(const char *name, const unsigned char *value, - STACK_OF(CONF_VALUE) **extlist); + STACK_OF(CONF_VALUE) **extlist); int X509V3_add_value_bool(const char *name, int asn1_bool, - STACK_OF(CONF_VALUE) **extlist); + STACK_OF(CONF_VALUE) **extlist); int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint, - STACK_OF(CONF_VALUE) **extlist); + STACK_OF(CONF_VALUE) **extlist); char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, const ASN1_INTEGER *aint); ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, const char *value); 
char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, const ASN1_ENUMERATED *aint); char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *meth, - const ASN1_ENUMERATED *aint); + const ASN1_ENUMERATED *aint); int X509V3_EXT_add(X509V3_EXT_METHOD *ext); int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist); int X509V3_EXT_add_alias(int nid_to, int nid_from); @@ -964,28 +985,28 @@ int X509V3_add_standard_extensions(void); STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line); void *X509V3_EXT_d2i(X509_EXTENSION *ext); void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit, - int *idx); + int *idx); X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc); int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, - int crit, unsigned long flags); + int crit, unsigned long flags); #ifndef OPENSSL_NO_DEPRECATED_1_1_0 /* The new declarations are in crypto.h, but the old ones were here. */ -# define hex_to_string OPENSSL_buf2hexstr -# define string_to_hex OPENSSL_hexstr2buf +#define hex_to_string OPENSSL_buf2hexstr +#define string_to_hex OPENSSL_hexstr2buf #endif void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, - int ml); + int ml); int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, - int indent); + int indent); #ifndef OPENSSL_NO_STDIO int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent); #endif int X509V3_extensions_print(BIO *out, const char *title, - const STACK_OF(X509_EXTENSION) *exts, - unsigned long flag, int indent); + const STACK_OF(X509_EXTENSION) *exts, + unsigned long flag, int indent); int X509_check_ca(X509 *x); int X509_check_purpose(X509 *x, int id, int ca); 
@@ -1009,8 +1030,8 @@ int X509_PURPOSE_get_unused_id(OSSL_LIB_CTX *libctx); int X509_PURPOSE_get_by_sname(const char *sname); int X509_PURPOSE_get_by_id(int id); int X509_PURPOSE_add(int id, int trust, int flags, - int (*ck) (const X509_PURPOSE *, const X509 *, int), - const char *name, const char *sname, void *arg); + int (*ck)(const X509_PURPOSE *, const X509 *, int), + const char *name, const char *sname, void *arg); void X509_PURPOSE_cleanup(void); X509_PURPOSE *X509_PURPOSE_get0(int idx); 
@@ -1030,38 +1051,39 @@ STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x); /* * Always check subject name for host match even if subject alt names present */ -# define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0x1 +#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0x1 /* Disable wildcard matching for dnsName fields and common name. */ -# define X509_CHECK_FLAG_NO_WILDCARDS 0x2 +#define X509_CHECK_FLAG_NO_WILDCARDS 0x2 /* Wildcards must not match a partial label. */ -# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0x4 +#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0x4 /* Allow (non-partial) wildcards to match multiple labels. */ -# define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8 +#define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8 /* Constraint verifier subdomain patterns to match a single labels. */ -# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10 +#define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10 /* Never check the subject CN */ -# define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20 +#define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20 /* * Match reference identifiers starting with "." to any sub-domain. * This is a non-public flag, turned on implicitly when the subject * reference identity is a DNS name. 
*/ -# define _X509_CHECK_FLAG_DOT_SUBDOMAINS 0x8000 +#define _X509_CHECK_FLAG_DOT_SUBDOMAINS 0x8000 int X509_check_host(X509 *x, const char *chk, size_t chklen, - unsigned int flags, char **peername); + unsigned int flags, char **peername); int X509_check_email(X509 *x, const char *chk, size_t chklen, - unsigned int flags); + unsigned int flags); int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen, - unsigned int flags); + unsigned int flags); int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags); ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc); ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc); int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE) *dn_sk, - unsigned long chtype); + unsigned long chtype); void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent); +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(X509_POLICY_NODE, X509_POLICY_NODE, X509_POLICY_NODE) #define sk_X509_POLICY_NODE_num(sk) OPENSSL_sk_num(ossl_check_const_X509_POLICY_NODE_sk_type(sk)) #define sk_X509_POLICY_NODE_value(sk, idx) ((X509_POLICY_NODE *)OPENSSL_sk_value(ossl_check_const_X509_POLICY_NODE_sk_type(sk), (idx))) 
@@ -1089,15 +1111,15 @@ SKM_DEFINE_STACK_OF_INTERNAL(X509_POLICY_NODE, X509_POLICY_NODE, X509_POLICY_NOD #define sk_X509_POLICY_NODE_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(X509_POLICY_NODE) *)OPENSSL_sk_deep_copy(ossl_check_const_X509_POLICY_NODE_sk_type(sk), ossl_check_X509_POLICY_NODE_copyfunc_type(copyfunc), ossl_check_X509_POLICY_NODE_freefunc_type(freefunc))) #define sk_X509_POLICY_NODE_set_cmp_func(sk, cmp) ((sk_X509_POLICY_NODE_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_X509_POLICY_NODE_sk_type(sk), ossl_check_X509_POLICY_NODE_compfunc_type(cmp))) - +/* clang-format on */ #ifndef OPENSSL_NO_RFC3779 typedef struct ASRange_st { ASN1_INTEGER *min, *max; } ASRange; -# define ASIdOrRange_id 0 -# define ASIdOrRange_range 1 +#define ASIdOrRange_id 0 +#define ASIdOrRange_range 1 typedef struct ASIdOrRange_st { int type; @@ -1107,6 +1129,7 @@ typedef struct ASIdOrRange_st { } u; } ASIdOrRange; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(ASIdOrRange, ASIdOrRange, ASIdOrRange) #define sk_ASIdOrRange_num(sk) OPENSSL_sk_num(ossl_check_const_ASIdOrRange_sk_type(sk)) #define sk_ASIdOrRange_value(sk, idx) ((ASIdOrRange *)OPENSSL_sk_value(ossl_check_const_ASIdOrRange_sk_type(sk), (idx))) 
@@ -1134,11 +1157,12 @@ SKM_DEFINE_STACK_OF_INTERNAL(ASIdOrRange, ASIdOrRange, ASIdOrRange) #define sk_ASIdOrRange_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(ASIdOrRange) *)OPENSSL_sk_deep_copy(ossl_check_const_ASIdOrRange_sk_type(sk), ossl_check_ASIdOrRange_copyfunc_type(copyfunc), ossl_check_ASIdOrRange_freefunc_type(freefunc))) #define sk_ASIdOrRange_set_cmp_func(sk, cmp) ((sk_ASIdOrRange_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_ASIdOrRange_sk_type(sk), ossl_check_ASIdOrRange_compfunc_type(cmp))) +/* clang-format on */ typedef STACK_OF(ASIdOrRange) ASIdOrRanges; -# define ASIdentifierChoice_inherit 0 -# define ASIdentifierChoice_asIdsOrRanges 1 +#define ASIdentifierChoice_inherit 0 +#define ASIdentifierChoice_asIdsOrRanges 1 typedef struct ASIdentifierChoice_st { int type; @@ -1161,8 +1185,8 @@ typedef struct IPAddressRange_st { ASN1_BIT_STRING *min, *max; } IPAddressRange; -# define IPAddressOrRange_addressPrefix 0 -# define IPAddressOrRange_addressRange 1 +#define IPAddressOrRange_addressPrefix 0 +#define IPAddressOrRange_addressRange 1 typedef struct IPAddressOrRange_st { int type; @@ -1172,6 +1196,7 @@ typedef struct IPAddressOrRange_st { } u; } IPAddressOrRange; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(IPAddressOrRange, IPAddressOrRange, IPAddressOrRange) #define sk_IPAddressOrRange_num(sk) OPENSSL_sk_num(ossl_check_const_IPAddressOrRange_sk_type(sk)) #define sk_IPAddressOrRange_value(sk, idx) ((IPAddressOrRange *)OPENSSL_sk_value(ossl_check_const_IPAddressOrRange_sk_type(sk), (idx))) 
@@ -1199,11 +1224,12 @@ SKM_DEFINE_STACK_OF_INTERNAL(IPAddressOrRange, IPAddressOrRange, IPAddressOrRang #define sk_IPAddressOrRange_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(IPAddressOrRange) *)OPENSSL_sk_deep_copy(ossl_check_const_IPAddressOrRange_sk_type(sk), ossl_check_IPAddressOrRange_copyfunc_type(copyfunc), ossl_check_IPAddressOrRange_freefunc_type(freefunc))) #define sk_IPAddressOrRange_set_cmp_func(sk, cmp) ((sk_IPAddressOrRange_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_IPAddressOrRange_sk_type(sk), ossl_check_IPAddressOrRange_compfunc_type(cmp))) +/* clang-format on */ typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges; -# define IPAddressChoice_inherit 0 -# define IPAddressChoice_addressesOrRanges 1 +#define IPAddressChoice_inherit 0 +#define IPAddressChoice_addressesOrRanges 1 typedef struct IPAddressChoice_st { int type; @@ -1218,6 +1244,7 @@ typedef struct IPAddressFamily_st { IPAddressChoice *ipAddressChoice; } IPAddressFamily; +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(IPAddressFamily, IPAddressFamily, IPAddressFamily) #define sk_IPAddressFamily_num(sk) OPENSSL_sk_num(ossl_check_const_IPAddressFamily_sk_type(sk)) #define sk_IPAddressFamily_value(sk, idx) ((IPAddressFamily *)OPENSSL_sk_value(ossl_check_const_IPAddressFamily_sk_type(sk), (idx))) @@ -1245,7 +1272,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(IPAddressFamily, IPAddressFamily, IPAddressFamily) #define sk_IPAddressFamily_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(IPAddressFamily) *)OPENSSL_sk_deep_copy(ossl_check_const_IPAddressFamily_sk_type(sk), ossl_check_IPAddressFamily_copyfunc_type(copyfunc), ossl_check_IPAddressFamily_freefunc_type(freefunc))) #define sk_IPAddressFamily_set_cmp_func(sk, cmp) ((sk_IPAddressFamily_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_IPAddressFamily_sk_type(sk), ossl_check_IPAddressFamily_compfunc_type(cmp))) - +/* clang-format on */ typedef STACK_OF(IPAddressFamily) IPAddrBlocks; 
@@ -1257,8 +1284,8 @@ DECLARE_ASN1_FUNCTIONS(IPAddressFamily) /* * API tag for elements of the ASIdentifer SEQUENCE. */ -# define V3_ASID_ASNUM 0 -# define V3_ASID_RDI 1 +#define V3_ASID_ASNUM 0 +#define V3_ASID_RDI 1 /* * AFI values, assigned by IANA. It'd be nice to make the AFI @@ -1266,8 +1293,8 @@ DECLARE_ASN1_FUNCTIONS(IPAddressFamily) * that would need to be defined for other address families for it to * be worth the trouble. */ -# define IANA_AFI_IPV4 1 -# define IANA_AFI_IPV6 2 +#define IANA_AFI_IPV4 1 +#define IANA_AFI_IPV6 2 /* * Utilities to construct and extract values from RFC3779 extensions, @@ -1276,19 +1303,19 @@ DECLARE_ASN1_FUNCTIONS(IPAddressFamily) */ int X509v3_asid_add_inherit(ASIdentifiers *asid, int which); int X509v3_asid_add_id_or_range(ASIdentifiers *asid, int which, - ASN1_INTEGER *min, ASN1_INTEGER *max); + ASN1_INTEGER *min, ASN1_INTEGER *max); int X509v3_addr_add_inherit(IPAddrBlocks *addr, - const unsigned afi, const unsigned *safi); + const unsigned afi, const unsigned *safi); int X509v3_addr_add_prefix(IPAddrBlocks *addr, - const unsigned afi, const unsigned *safi, - unsigned char *a, const int prefixlen); + const unsigned afi, const unsigned *safi, + unsigned char *a, const int prefixlen); int X509v3_addr_add_range(IPAddrBlocks *addr, - const unsigned afi, const unsigned *safi, - unsigned char *min, unsigned char *max); + const unsigned afi, const unsigned *safi, + unsigned char *min, unsigned char *max); unsigned X509v3_addr_get_afi(const IPAddressFamily *f); int X509v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi, - unsigned char *min, unsigned char *max, - const int length); + unsigned char *min, unsigned char *max, + const int length); /* * Canonical forms. 
@@ -1312,13 +1339,14 @@ int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b); int X509v3_asid_validate_path(X509_STORE_CTX *); int X509v3_addr_validate_path(X509_STORE_CTX *); int X509v3_asid_validate_resource_set(STACK_OF(X509) *chain, - ASIdentifiers *ext, - int allow_inheritance); + ASIdentifiers *ext, + int allow_inheritance); int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain, - IPAddrBlocks *ext, int allow_inheritance); + IPAddrBlocks *ext, int allow_inheritance); -#endif /* OPENSSL_NO_RFC3779 */ +#endif /* OPENSSL_NO_RFC3779 */ +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(ASN1_STRING, ASN1_STRING, ASN1_STRING) #define sk_ASN1_STRING_num(sk) OPENSSL_sk_num(ossl_check_const_ASN1_STRING_sk_type(sk)) #define sk_ASN1_STRING_value(sk, idx) ((ASN1_STRING *)OPENSSL_sk_value(ossl_check_const_ASN1_STRING_sk_type(sk), (idx))) @@ -1346,6 +1374,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(ASN1_STRING, ASN1_STRING, ASN1_STRING) #define sk_ASN1_STRING_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(ASN1_STRING) *)OPENSSL_sk_deep_copy(ossl_check_const_ASN1_STRING_sk_type(sk), ossl_check_ASN1_STRING_copyfunc_type(copyfunc), ossl_check_ASN1_STRING_freefunc_type(freefunc))) #define sk_ASN1_STRING_set_cmp_func(sk, cmp) ((sk_ASN1_STRING_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_ASN1_STRING_sk_type(sk), ossl_check_ASN1_STRING_compfunc_type(cmp))) +/* clang-format on */ /* * Admission Syntax @@ -1358,6 +1387,7 @@ DECLARE_ASN1_FUNCTIONS(NAMING_AUTHORITY) DECLARE_ASN1_FUNCTIONS(PROFESSION_INFO) DECLARE_ASN1_FUNCTIONS(ADMISSIONS) DECLARE_ASN1_FUNCTIONS(ADMISSION_SYNTAX) +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(PROFESSION_INFO, PROFESSION_INFO, PROFESSION_INFO) #define sk_PROFESSION_INFO_num(sk) OPENSSL_sk_num(ossl_check_const_PROFESSION_INFO_sk_type(sk)) #define sk_PROFESSION_INFO_value(sk, idx) ((PROFESSION_INFO *)OPENSSL_sk_value(ossl_check_const_PROFESSION_INFO_sk_type(sk), (idx))) 
@@ -1411,6 +1441,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(ADMISSIONS, ADMISSIONS, ADMISSIONS) #define sk_ADMISSIONS_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(ADMISSIONS) *)OPENSSL_sk_deep_copy(ossl_check_const_ADMISSIONS_sk_type(sk), ossl_check_ADMISSIONS_copyfunc_type(copyfunc), ossl_check_ADMISSIONS_freefunc_type(freefunc))) #define sk_ADMISSIONS_set_cmp_func(sk, cmp) ((sk_ADMISSIONS_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_ADMISSIONS_sk_type(sk), ossl_check_ADMISSIONS_compfunc_type(cmp))) +/* clang-format on */ typedef STACK_OF(PROFESSION_INFO) PROFESSION_INFOS; const ASN1_OBJECT *NAMING_AUTHORITY_get0_authorityId( @@ -1420,11 +1451,11 @@ const ASN1_IA5STRING *NAMING_AUTHORITY_get0_authorityURL( const ASN1_STRING *NAMING_AUTHORITY_get0_authorityText( const NAMING_AUTHORITY *n); void NAMING_AUTHORITY_set0_authorityId(NAMING_AUTHORITY *n, - ASN1_OBJECT* namingAuthorityId); + ASN1_OBJECT *namingAuthorityId); void NAMING_AUTHORITY_set0_authorityURL(NAMING_AUTHORITY *n, - ASN1_IA5STRING* namingAuthorityUrl); + ASN1_IA5STRING *namingAuthorityUrl); void NAMING_AUTHORITY_set0_authorityText(NAMING_AUTHORITY *n, - ASN1_STRING* namingAuthorityText); + ASN1_STRING *namingAuthorityText); const GENERAL_NAME *ADMISSION_SYNTAX_get0_admissionAuthority( const ADMISSION_SYNTAX *as); @@ -1469,6 +1500,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_ATTRIBUTES_SYNTAX) typedef STACK_OF(USERNOTICE) OSSL_USER_NOTICE_SYNTAX; DECLARE_ASN1_FUNCTIONS(OSSL_USER_NOTICE_SYNTAX) +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(USERNOTICE, USERNOTICE, USERNOTICE) #define sk_USERNOTICE_num(sk) OPENSSL_sk_num(ossl_check_const_USERNOTICE_sk_type(sk)) #define sk_USERNOTICE_value(sk, idx) ((USERNOTICE *)OPENSSL_sk_value(ossl_check_const_USERNOTICE_sk_type(sk), (idx))) 
@@ -1496,6 +1528,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(USERNOTICE, USERNOTICE, USERNOTICE) #define sk_USERNOTICE_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(USERNOTICE) *)OPENSSL_sk_deep_copy(ossl_check_const_USERNOTICE_sk_type(sk), ossl_check_USERNOTICE_copyfunc_type(copyfunc), ossl_check_USERNOTICE_freefunc_type(freefunc))) #define sk_USERNOTICE_set_cmp_func(sk, cmp) ((sk_USERNOTICE_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_USERNOTICE_sk_type(sk), ossl_check_USERNOTICE_compfunc_type(cmp))) +/* clang-format on */ typedef struct OSSL_ROLE_SPEC_CERT_ID_st { GENERAL_NAME *roleName; @@ -1506,6 +1539,7 @@ typedef struct OSSL_ROLE_SPEC_CERT_ID_st { DECLARE_ASN1_FUNCTIONS(OSSL_ROLE_SPEC_CERT_ID) +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_ROLE_SPEC_CERT_ID, OSSL_ROLE_SPEC_CERT_ID, OSSL_ROLE_SPEC_CERT_ID) #define sk_OSSL_ROLE_SPEC_CERT_ID_num(sk) OPENSSL_sk_num(ossl_check_const_OSSL_ROLE_SPEC_CERT_ID_sk_type(sk)) #define sk_OSSL_ROLE_SPEC_CERT_ID_value(sk, idx) ((OSSL_ROLE_SPEC_CERT_ID *)OPENSSL_sk_value(ossl_check_const_OSSL_ROLE_SPEC_CERT_ID_sk_type(sk), (idx))) @@ -1533,6 +1567,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_ROLE_SPEC_CERT_ID, OSSL_ROLE_SPEC_CERT_ID, OSS #define sk_OSSL_ROLE_SPEC_CERT_ID_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OSSL_ROLE_SPEC_CERT_ID) *)OPENSSL_sk_deep_copy(ossl_check_const_OSSL_ROLE_SPEC_CERT_ID_sk_type(sk), ossl_check_OSSL_ROLE_SPEC_CERT_ID_copyfunc_type(copyfunc), ossl_check_OSSL_ROLE_SPEC_CERT_ID_freefunc_type(freefunc))) #define sk_OSSL_ROLE_SPEC_CERT_ID_set_cmp_func(sk, cmp) ((sk_OSSL_ROLE_SPEC_CERT_ID_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OSSL_ROLE_SPEC_CERT_ID_sk_type(sk), ossl_check_OSSL_ROLE_SPEC_CERT_ID_compfunc_type(cmp))) +/* clang-format on */ typedef STACK_OF(OSSL_ROLE_SPEC_CERT_ID) OSSL_ROLE_SPEC_CERT_ID_SYNTAX; 
@@ -1547,8 +1582,8 @@ typedef struct OSSL_INFO_SYNTAX_POINTER_st { OSSL_HASH *hash; } OSSL_INFO_SYNTAX_POINTER; -# define OSSL_INFO_SYNTAX_TYPE_CONTENT 0 -# define OSSL_INFO_SYNTAX_TYPE_POINTER 1 +#define OSSL_INFO_SYNTAX_TYPE_CONTENT 0 +#define OSSL_INFO_SYNTAX_TYPE_POINTER 1 typedef struct OSSL_INFO_SYNTAX_st { int type; @@ -1593,22 +1628,22 @@ typedef struct OSSL_DAY_TIME_BAND_st { OSSL_DAY_TIME *endDayTime; } OSSL_DAY_TIME_BAND; -# define OSSL_NAMED_DAY_TYPE_INT 0 -# define OSSL_NAMED_DAY_TYPE_BIT 1 -# define OSSL_NAMED_DAY_INT_SUN 1 -# define OSSL_NAMED_DAY_INT_MON 2 -# define OSSL_NAMED_DAY_INT_TUE 3 -# define OSSL_NAMED_DAY_INT_WED 4 -# define OSSL_NAMED_DAY_INT_THU 5 -# define OSSL_NAMED_DAY_INT_FRI 6 -# define OSSL_NAMED_DAY_INT_SAT 7 -# define OSSL_NAMED_DAY_BIT_SUN 0 -# define OSSL_NAMED_DAY_BIT_MON 1 -# define OSSL_NAMED_DAY_BIT_TUE 2 -# define OSSL_NAMED_DAY_BIT_WED 3 -# define OSSL_NAMED_DAY_BIT_THU 4 -# define OSSL_NAMED_DAY_BIT_FRI 5 -# define OSSL_NAMED_DAY_BIT_SAT 6 +#define OSSL_NAMED_DAY_TYPE_INT 0 +#define OSSL_NAMED_DAY_TYPE_BIT 1 +#define OSSL_NAMED_DAY_INT_SUN 1 +#define OSSL_NAMED_DAY_INT_MON 2 +#define OSSL_NAMED_DAY_INT_TUE 3 +#define OSSL_NAMED_DAY_INT_WED 4 +#define OSSL_NAMED_DAY_INT_THU 5 +#define OSSL_NAMED_DAY_INT_FRI 6 +#define OSSL_NAMED_DAY_INT_SAT 7 +#define OSSL_NAMED_DAY_BIT_SUN 0 +#define OSSL_NAMED_DAY_BIT_MON 1 +#define OSSL_NAMED_DAY_BIT_TUE 2 +#define OSSL_NAMED_DAY_BIT_WED 3 +#define OSSL_NAMED_DAY_BIT_THU 4 +#define OSSL_NAMED_DAY_BIT_FRI 5 +#define OSSL_NAMED_DAY_BIT_SAT 6 typedef struct OSSL_NAMED_DAY_st { int type; 
@@ -1618,11 +1653,11 @@ typedef struct OSSL_NAMED_DAY_st { } choice; } OSSL_NAMED_DAY; -# define OSSL_TIME_SPEC_X_DAY_OF_FIRST 0 -# define OSSL_TIME_SPEC_X_DAY_OF_SECOND 1 -# define OSSL_TIME_SPEC_X_DAY_OF_THIRD 2 -# define OSSL_TIME_SPEC_X_DAY_OF_FOURTH 3 -# define OSSL_TIME_SPEC_X_DAY_OF_FIFTH 4 +#define OSSL_TIME_SPEC_X_DAY_OF_FIRST 0 +#define OSSL_TIME_SPEC_X_DAY_OF_SECOND 1 +#define OSSL_TIME_SPEC_X_DAY_OF_THIRD 2 +#define OSSL_TIME_SPEC_X_DAY_OF_FOURTH 3 +#define OSSL_TIME_SPEC_X_DAY_OF_FIFTH 4 typedef struct OSSL_TIME_SPEC_X_DAY_OF_st { int type; 
@@ -1635,23 +1670,23 @@ typedef struct OSSL_TIME_SPEC_X_DAY_OF_st { } choice; } OSSL_TIME_SPEC_X_DAY_OF; -# define OSSL_TIME_SPEC_DAY_TYPE_INT 0 -# define OSSL_TIME_SPEC_DAY_TYPE_BIT 1 -# define OSSL_TIME_SPEC_DAY_TYPE_DAY_OF 2 -# define OSSL_TIME_SPEC_DAY_BIT_SUN 0 -# define OSSL_TIME_SPEC_DAY_BIT_MON 1 -# define OSSL_TIME_SPEC_DAY_BIT_TUE 2 -# define OSSL_TIME_SPEC_DAY_BIT_WED 3 -# define OSSL_TIME_SPEC_DAY_BIT_THU 4 -# define OSSL_TIME_SPEC_DAY_BIT_FRI 5 -# define OSSL_TIME_SPEC_DAY_BIT_SAT 6 -# define OSSL_TIME_SPEC_DAY_INT_SUN 1 -# define OSSL_TIME_SPEC_DAY_INT_MON 2 -# define OSSL_TIME_SPEC_DAY_INT_TUE 3 -# define OSSL_TIME_SPEC_DAY_INT_WED 4 -# define OSSL_TIME_SPEC_DAY_INT_THU 5 -# define OSSL_TIME_SPEC_DAY_INT_FRI 6 -# define OSSL_TIME_SPEC_DAY_INT_SAT 7 +#define OSSL_TIME_SPEC_DAY_TYPE_INT 0 +#define OSSL_TIME_SPEC_DAY_TYPE_BIT 1 +#define OSSL_TIME_SPEC_DAY_TYPE_DAY_OF 2 +#define OSSL_TIME_SPEC_DAY_BIT_SUN 0 +#define OSSL_TIME_SPEC_DAY_BIT_MON 1 +#define OSSL_TIME_SPEC_DAY_BIT_TUE 2 +#define OSSL_TIME_SPEC_DAY_BIT_WED 3 +#define OSSL_TIME_SPEC_DAY_BIT_THU 4 +#define OSSL_TIME_SPEC_DAY_BIT_FRI 5 +#define OSSL_TIME_SPEC_DAY_BIT_SAT 6 +#define OSSL_TIME_SPEC_DAY_INT_SUN 1 +#define OSSL_TIME_SPEC_DAY_INT_MON 2 +#define OSSL_TIME_SPEC_DAY_INT_TUE 3 +#define OSSL_TIME_SPEC_DAY_INT_WED 4 +#define OSSL_TIME_SPEC_DAY_INT_THU 5 +#define OSSL_TIME_SPEC_DAY_INT_FRI 6 +#define OSSL_TIME_SPEC_DAY_INT_SAT 7 typedef struct OSSL_TIME_SPEC_DAY_st { int type; 
@@ -1662,14 +1697,14 @@ typedef struct OSSL_TIME_SPEC_DAY_st { } choice; } OSSL_TIME_SPEC_DAY; -# define OSSL_TIME_SPEC_WEEKS_TYPE_ALL 0 -# define OSSL_TIME_SPEC_WEEKS_TYPE_INT 1 -# define OSSL_TIME_SPEC_WEEKS_TYPE_BIT 2 -# define OSSL_TIME_SPEC_BIT_WEEKS_1 0 -# define OSSL_TIME_SPEC_BIT_WEEKS_2 1 -# define OSSL_TIME_SPEC_BIT_WEEKS_3 2 -# define OSSL_TIME_SPEC_BIT_WEEKS_4 3 -# define OSSL_TIME_SPEC_BIT_WEEKS_5 4 +#define OSSL_TIME_SPEC_WEEKS_TYPE_ALL 0 +#define OSSL_TIME_SPEC_WEEKS_TYPE_INT 1 +#define OSSL_TIME_SPEC_WEEKS_TYPE_BIT 2 +#define OSSL_TIME_SPEC_BIT_WEEKS_1 0 +#define OSSL_TIME_SPEC_BIT_WEEKS_2 1 +#define OSSL_TIME_SPEC_BIT_WEEKS_3 2 +#define OSSL_TIME_SPEC_BIT_WEEKS_4 3 +#define OSSL_TIME_SPEC_BIT_WEEKS_5 4 typedef struct OSSL_TIME_SPEC_WEEKS_st { int type; 
@@ -1680,33 +1715,33 @@ typedef struct OSSL_TIME_SPEC_WEEKS_st { } choice; } OSSL_TIME_SPEC_WEEKS; -# define OSSL_TIME_SPEC_MONTH_TYPE_ALL 0 -# define OSSL_TIME_SPEC_MONTH_TYPE_INT 1 -# define OSSL_TIME_SPEC_MONTH_TYPE_BIT 2 -# define OSSL_TIME_SPEC_INT_MONTH_JAN 1 -# define OSSL_TIME_SPEC_INT_MONTH_FEB 2 -# define OSSL_TIME_SPEC_INT_MONTH_MAR 3 -# define OSSL_TIME_SPEC_INT_MONTH_APR 4 -# define OSSL_TIME_SPEC_INT_MONTH_MAY 5 -# define OSSL_TIME_SPEC_INT_MONTH_JUN 6 -# define OSSL_TIME_SPEC_INT_MONTH_JUL 7 -# define OSSL_TIME_SPEC_INT_MONTH_AUG 8 -# define OSSL_TIME_SPEC_INT_MONTH_SEP 9 -# define OSSL_TIME_SPEC_INT_MONTH_OCT 10 -# define OSSL_TIME_SPEC_INT_MONTH_NOV 11 -# define OSSL_TIME_SPEC_INT_MONTH_DEC 12 -# define OSSL_TIME_SPEC_BIT_MONTH_JAN 0 -# define OSSL_TIME_SPEC_BIT_MONTH_FEB 1 -# define OSSL_TIME_SPEC_BIT_MONTH_MAR 2 -# define OSSL_TIME_SPEC_BIT_MONTH_APR 3 -# define OSSL_TIME_SPEC_BIT_MONTH_MAY 4 -# define OSSL_TIME_SPEC_BIT_MONTH_JUN 5 -# define OSSL_TIME_SPEC_BIT_MONTH_JUL 6 -# define OSSL_TIME_SPEC_BIT_MONTH_AUG 7 -# define OSSL_TIME_SPEC_BIT_MONTH_SEP 8 -# define OSSL_TIME_SPEC_BIT_MONTH_OCT 9 -# define OSSL_TIME_SPEC_BIT_MONTH_NOV 10 -# define OSSL_TIME_SPEC_BIT_MONTH_DEC 11 +#define OSSL_TIME_SPEC_MONTH_TYPE_ALL 0 +#define OSSL_TIME_SPEC_MONTH_TYPE_INT 1 +#define OSSL_TIME_SPEC_MONTH_TYPE_BIT 2 +#define OSSL_TIME_SPEC_INT_MONTH_JAN 1 +#define OSSL_TIME_SPEC_INT_MONTH_FEB 2 +#define OSSL_TIME_SPEC_INT_MONTH_MAR 3 +#define OSSL_TIME_SPEC_INT_MONTH_APR 4 +#define OSSL_TIME_SPEC_INT_MONTH_MAY 5 +#define OSSL_TIME_SPEC_INT_MONTH_JUN 6 +#define OSSL_TIME_SPEC_INT_MONTH_JUL 7 +#define OSSL_TIME_SPEC_INT_MONTH_AUG 8 +#define OSSL_TIME_SPEC_INT_MONTH_SEP 9 +#define OSSL_TIME_SPEC_INT_MONTH_OCT 10 +#define OSSL_TIME_SPEC_INT_MONTH_NOV 11 +#define OSSL_TIME_SPEC_INT_MONTH_DEC 12 +#define OSSL_TIME_SPEC_BIT_MONTH_JAN 0 +#define OSSL_TIME_SPEC_BIT_MONTH_FEB 1 +#define OSSL_TIME_SPEC_BIT_MONTH_MAR 2 +#define OSSL_TIME_SPEC_BIT_MONTH_APR 3 +#define 
OSSL_TIME_SPEC_BIT_MONTH_MAY 4 +#define OSSL_TIME_SPEC_BIT_MONTH_JUN 5 +#define OSSL_TIME_SPEC_BIT_MONTH_JUL 6 +#define OSSL_TIME_SPEC_BIT_MONTH_AUG 7 +#define OSSL_TIME_SPEC_BIT_MONTH_SEP 8 +#define OSSL_TIME_SPEC_BIT_MONTH_OCT 9 +#define OSSL_TIME_SPEC_BIT_MONTH_NOV 10 +#define OSSL_TIME_SPEC_BIT_MONTH_DEC 11 typedef struct OSSL_TIME_SPEC_MONTH_st { int type; @@ -1725,8 +1760,8 @@ typedef struct OSSL_TIME_PERIOD_st { STACK_OF(ASN1_INTEGER) *years; } OSSL_TIME_PERIOD; -# define OSSL_TIME_SPEC_TIME_TYPE_ABSOLUTE 0 -# define OSSL_TIME_SPEC_TIME_TYPE_PERIODIC 1 +#define OSSL_TIME_SPEC_TIME_TYPE_ABSOLUTE 0 +#define OSSL_TIME_SPEC_TIME_TYPE_PERIODIC 1 typedef struct OSSL_TIME_SPEC_TIME_st { int type; @@ -1754,6 +1789,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_TIME_SPEC_TIME) DECLARE_ASN1_FUNCTIONS(OSSL_TIME_SPEC) DECLARE_ASN1_FUNCTIONS(OSSL_TIME_PERIOD) +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_TIME_PERIOD, OSSL_TIME_PERIOD, OSSL_TIME_PERIOD) #define sk_OSSL_TIME_PERIOD_num(sk) OPENSSL_sk_num(ossl_check_const_OSSL_TIME_PERIOD_sk_type(sk)) #define sk_OSSL_TIME_PERIOD_value(sk, idx) ((OSSL_TIME_PERIOD *)OPENSSL_sk_value(ossl_check_const_OSSL_TIME_PERIOD_sk_type(sk), (idx))) 
@@ -1781,7 +1817,9 @@ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_TIME_PERIOD, OSSL_TIME_PERIOD, OSSL_TIME_PERIO #define sk_OSSL_TIME_PERIOD_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OSSL_TIME_PERIOD) *)OPENSSL_sk_deep_copy(ossl_check_const_OSSL_TIME_PERIOD_sk_type(sk), ossl_check_OSSL_TIME_PERIOD_copyfunc_type(copyfunc), ossl_check_OSSL_TIME_PERIOD_freefunc_type(freefunc))) #define sk_OSSL_TIME_PERIOD_set_cmp_func(sk, cmp) ((sk_OSSL_TIME_PERIOD_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OSSL_TIME_PERIOD_sk_type(sk), ossl_check_OSSL_TIME_PERIOD_compfunc_type(cmp))) +/* clang-format on */ +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_DAY_TIME_BAND, OSSL_DAY_TIME_BAND, OSSL_DAY_TIME_BAND) #define sk_OSSL_DAY_TIME_BAND_num(sk) OPENSSL_sk_num(ossl_check_const_OSSL_DAY_TIME_BAND_sk_type(sk)) #define sk_OSSL_DAY_TIME_BAND_value(sk, idx) ((OSSL_DAY_TIME_BAND *)OPENSSL_sk_value(ossl_check_const_OSSL_DAY_TIME_BAND_sk_type(sk), (idx))) @@ -1809,6 +1847,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_DAY_TIME_BAND, OSSL_DAY_TIME_BAND, OSSL_DAY_TI #define sk_OSSL_DAY_TIME_BAND_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OSSL_DAY_TIME_BAND) *)OPENSSL_sk_deep_copy(ossl_check_const_OSSL_DAY_TIME_BAND_sk_type(sk), ossl_check_OSSL_DAY_TIME_BAND_copyfunc_type(copyfunc), ossl_check_OSSL_DAY_TIME_BAND_freefunc_type(freefunc))) #define sk_OSSL_DAY_TIME_BAND_set_cmp_func(sk, cmp) ((sk_OSSL_DAY_TIME_BAND_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OSSL_DAY_TIME_BAND_sk_type(sk), ossl_check_OSSL_DAY_TIME_BAND_compfunc_type(cmp))) +/* clang-format on */ /* Attribute Type and Value */ typedef struct atav_st { @@ -1826,8 +1865,8 @@ typedef struct ATTRIBUTE_VALUE_MAPPING_st { OSSL_ATAV *remote; } OSSL_ATTRIBUTE_VALUE_MAPPING; -# define OSSL_ATTR_MAP_TYPE 0 -# define OSSL_ATTR_MAP_VALUE 1 +#define OSSL_ATTR_MAP_TYPE 0 +#define OSSL_ATTR_MAP_VALUE 1 typedef struct ATTRIBUTE_MAPPING_st { int type; 
@@ -1844,6 +1883,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_ATTRIBUTE_VALUE_MAPPING) DECLARE_ASN1_FUNCTIONS(OSSL_ATTRIBUTE_MAPPING) DECLARE_ASN1_FUNCTIONS(OSSL_ATTRIBUTE_MAPPINGS) +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_ATTRIBUTE_MAPPING, OSSL_ATTRIBUTE_MAPPING, OSSL_ATTRIBUTE_MAPPING) #define sk_OSSL_ATTRIBUTE_MAPPING_num(sk) OPENSSL_sk_num(ossl_check_const_OSSL_ATTRIBUTE_MAPPING_sk_type(sk)) #define sk_OSSL_ATTRIBUTE_MAPPING_value(sk, idx) ((OSSL_ATTRIBUTE_MAPPING *)OPENSSL_sk_value(ossl_check_const_OSSL_ATTRIBUTE_MAPPING_sk_type(sk), (idx))) @@ -1871,9 +1911,10 @@ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_ATTRIBUTE_MAPPING, OSSL_ATTRIBUTE_MAPPING, OSS #define sk_OSSL_ATTRIBUTE_MAPPING_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OSSL_ATTRIBUTE_MAPPING) *)OPENSSL_sk_deep_copy(ossl_check_const_OSSL_ATTRIBUTE_MAPPING_sk_type(sk), ossl_check_OSSL_ATTRIBUTE_MAPPING_copyfunc_type(copyfunc), ossl_check_OSSL_ATTRIBUTE_MAPPING_freefunc_type(freefunc))) #define sk_OSSL_ATTRIBUTE_MAPPING_set_cmp_func(sk, cmp) ((sk_OSSL_ATTRIBUTE_MAPPING_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OSSL_ATTRIBUTE_MAPPING_sk_type(sk), ossl_check_OSSL_ATTRIBUTE_MAPPING_compfunc_type(cmp))) +/* clang-format on */ -# define OSSL_AAA_ATTRIBUTE_TYPE 0 -# define OSSL_AAA_ATTRIBUTE_VALUES 1 +#define OSSL_AAA_ATTRIBUTE_TYPE 0 +#define OSSL_AAA_ATTRIBUTE_VALUES 1 typedef struct ALLOWED_ATTRIBUTES_CHOICE_st { int type; 
@@ -1894,6 +1935,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_ALLOWED_ATTRIBUTES_CHOICE) DECLARE_ASN1_FUNCTIONS(OSSL_ALLOWED_ATTRIBUTES_ITEM) DECLARE_ASN1_FUNCTIONS(OSSL_ALLOWED_ATTRIBUTES_SYNTAX) +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_ALLOWED_ATTRIBUTES_CHOICE, OSSL_ALLOWED_ATTRIBUTES_CHOICE, OSSL_ALLOWED_ATTRIBUTES_CHOICE) #define sk_OSSL_ALLOWED_ATTRIBUTES_CHOICE_num(sk) OPENSSL_sk_num(ossl_check_const_OSSL_ALLOWED_ATTRIBUTES_CHOICE_sk_type(sk)) #define sk_OSSL_ALLOWED_ATTRIBUTES_CHOICE_value(sk, idx) ((OSSL_ALLOWED_ATTRIBUTES_CHOICE *)OPENSSL_sk_value(ossl_check_const_OSSL_ALLOWED_ATTRIBUTES_CHOICE_sk_type(sk), (idx))) @@ -1921,7 +1963,9 @@ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_ALLOWED_ATTRIBUTES_CHOICE, OSSL_ALLOWED_ATTRIB #define sk_OSSL_ALLOWED_ATTRIBUTES_CHOICE_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OSSL_ALLOWED_ATTRIBUTES_CHOICE) *)OPENSSL_sk_deep_copy(ossl_check_const_OSSL_ALLOWED_ATTRIBUTES_CHOICE_sk_type(sk), ossl_check_OSSL_ALLOWED_ATTRIBUTES_CHOICE_copyfunc_type(copyfunc), ossl_check_OSSL_ALLOWED_ATTRIBUTES_CHOICE_freefunc_type(freefunc))) #define sk_OSSL_ALLOWED_ATTRIBUTES_CHOICE_set_cmp_func(sk, cmp) ((sk_OSSL_ALLOWED_ATTRIBUTES_CHOICE_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OSSL_ALLOWED_ATTRIBUTES_CHOICE_sk_type(sk), ossl_check_OSSL_ALLOWED_ATTRIBUTES_CHOICE_compfunc_type(cmp))) +/* clang-format on */ +/* clang-format off */ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_ALLOWED_ATTRIBUTES_ITEM, OSSL_ALLOWED_ATTRIBUTES_ITEM, OSSL_ALLOWED_ATTRIBUTES_ITEM) #define sk_OSSL_ALLOWED_ATTRIBUTES_ITEM_num(sk) OPENSSL_sk_num(ossl_check_const_OSSL_ALLOWED_ATTRIBUTES_ITEM_sk_type(sk)) #define sk_OSSL_ALLOWED_ATTRIBUTES_ITEM_value(sk, idx) ((OSSL_ALLOWED_ATTRIBUTES_ITEM *)OPENSSL_sk_value(ossl_check_const_OSSL_ALLOWED_ATTRIBUTES_ITEM_sk_type(sk), (idx))) 
@@ -1949,6 +1993,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(OSSL_ALLOWED_ATTRIBUTES_ITEM, OSSL_ALLOWED_ATTRIBUT #define sk_OSSL_ALLOWED_ATTRIBUTES_ITEM_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(OSSL_ALLOWED_ATTRIBUTES_ITEM) *)OPENSSL_sk_deep_copy(ossl_check_const_OSSL_ALLOWED_ATTRIBUTES_ITEM_sk_type(sk), ossl_check_OSSL_ALLOWED_ATTRIBUTES_ITEM_copyfunc_type(copyfunc), ossl_check_OSSL_ALLOWED_ATTRIBUTES_ITEM_freefunc_type(freefunc))) #define sk_OSSL_ALLOWED_ATTRIBUTES_ITEM_set_cmp_func(sk, cmp) ((sk_OSSL_ALLOWED_ATTRIBUTES_ITEM_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_OSSL_ALLOWED_ATTRIBUTES_ITEM_sk_type(sk), ossl_check_OSSL_ALLOWED_ATTRIBUTES_ITEM_compfunc_type(cmp))) +/* clang-format on */ typedef struct AA_DIST_POINT_st { DIST_POINT_NAME *distpoint; @@ -1962,7 +2007,7 @@ typedef struct AA_DIST_POINT_st { DECLARE_ASN1_FUNCTIONS(OSSL_AA_DIST_POINT) -# ifdef __cplusplus +#ifdef __cplusplus } -# endif +#endif #endif diff --git a/crypto/openssl/providers/common/der/der_digests_gen.c b/crypto/openssl/providers/common/der/der_digests_gen.c index e4e14e82e564..340f5148298d 100644 --- a/crypto/openssl/providers/common/der/der_digests_gen.c +++ b/crypto/openssl/providers/common/der/der_digests_gen.c @@ -13,6 +13,7 @@ #include "prov/der_digests.h" /* Well known OIDs precompiled */ +/* clang-format off */ /* * sigAlgs OBJECT IDENTIFIER ::= { nistAlgorithms 3 } @@ -158,3 +159,4 @@ const unsigned char ossl_der_oid_id_KMACWithSHAKE256[DER_OID_SZ_id_KMACWithSHAKE DER_OID_V_id_KMACWithSHAKE256 }; +/* clang-format on */ diff --git a/crypto/openssl/providers/common/der/der_dsa_gen.c b/crypto/openssl/providers/common/der/der_dsa_gen.c index e5cfe91e0f25..025981560501 100644 --- a/crypto/openssl/providers/common/der/der_dsa_gen.c +++ b/crypto/openssl/providers/common/der/der_dsa_gen.c @@ -19,6 +19,7 @@ #include "prov/der_dsa.h" /* Well known OIDs precompiled */ +/* clang-format off */ /* * id-dsa OBJECT IDENTIFIER ::= { 
@@ -92,3 +93,4 @@ const unsigned char ossl_der_oid_id_dsa_with_sha3_512[DER_OID_SZ_id_dsa_with_sha DER_OID_V_id_dsa_with_sha3_512 }; +/* clang-format on */ diff --git a/crypto/openssl/providers/common/der/der_ec_gen.c b/crypto/openssl/providers/common/der/der_ec_gen.c index e1ed54ba05b6..49ce209ec40a 100644 --- a/crypto/openssl/providers/common/der/der_ec_gen.c +++ b/crypto/openssl/providers/common/der/der_ec_gen.c @@ -13,6 +13,7 @@ #include "prov/der_ec.h" /* Well known OIDs precompiled */ +/* clang-format off */ /* * ecdsa-with-SHA1 OBJECT IDENTIFIER ::= { id-ecSigType 1 } @@ -277,3 +278,4 @@ const unsigned char ossl_der_oid_id_ecdsa_with_sha3_512[DER_OID_SZ_id_ecdsa_with DER_OID_V_id_ecdsa_with_sha3_512 }; +/* clang-format on */ diff --git a/crypto/openssl/providers/common/der/der_ecx_gen.c b/crypto/openssl/providers/common/der/der_ecx_gen.c index ba7bf14b5e15..64d73e3fc525 100644 --- a/crypto/openssl/providers/common/der/der_ecx_gen.c +++ b/crypto/openssl/providers/common/der/der_ecx_gen.c @@ -13,6 +13,7 @@ #include "prov/der_ecx.h" /* Well known OIDs precompiled */ +/* clang-format off */ /* * id-X25519 OBJECT IDENTIFIER ::= { id-edwards-curve-algs 110 } @@ -42,3 +43,4 @@ const unsigned char ossl_der_oid_id_Ed448[DER_OID_SZ_id_Ed448] = { DER_OID_V_id_Ed448 }; +/* clang-format on */ diff --git a/crypto/openssl/providers/common/der/der_ml_dsa_gen.c b/crypto/openssl/providers/common/der/der_ml_dsa_gen.c index 4a8a113a2685..69f4e8521231 100644 --- a/crypto/openssl/providers/common/der/der_ml_dsa_gen.c +++ b/crypto/openssl/providers/common/der/der_ml_dsa_gen.c @@ -13,6 +13,7 @@ #include "prov/der_ml_dsa.h" /* Well known OIDs precompiled */ +/* clang-format off */ /* * id-ml-dsa-44 OBJECT IDENTIFIER ::= { sigAlgs 17 } @@ -35,3 +36,4 @@ const unsigned char ossl_der_oid_id_ml_dsa_87[DER_OID_SZ_id_ml_dsa_87] = { DER_OID_V_id_ml_dsa_87 }; +/* clang-format on */ 
diff --git a/crypto/openssl/providers/common/der/der_rsa_gen.c b/crypto/openssl/providers/common/der/der_rsa_gen.c index a3431798402f..911b6e58936f 100644 --- a/crypto/openssl/providers/common/der/der_rsa_gen.c +++ b/crypto/openssl/providers/common/der/der_rsa_gen.c @@ -13,6 +13,7 @@ #include "prov/der_rsa.h" /* Well known OIDs precompiled */ +/* clang-format off */ /* * hashAlgs OBJECT IDENTIFIER ::= { nistAlgorithms 2 } @@ -172,3 +173,4 @@ const unsigned char ossl_der_oid_mdc2WithRSASignature[DER_OID_SZ_mdc2WithRSASign DER_OID_V_mdc2WithRSASignature }; +/* clang-format on */ diff --git a/crypto/openssl/providers/common/der/der_slh_dsa_gen.c b/crypto/openssl/providers/common/der/der_slh_dsa_gen.c index 1419a9515097..81adc3b65869 100644 --- a/crypto/openssl/providers/common/der/der_slh_dsa_gen.c +++ b/crypto/openssl/providers/common/der/der_slh_dsa_gen.c @@ -13,6 +13,7 @@ #include "prov/der_slh_dsa.h" /* Well known OIDs precompiled */ +/* clang-format off */ /* * id-slh-dsa-sha2-128s OBJECT IDENTIFIER ::= { sigAlgs 20 } @@ -98,3 +99,4 @@ const unsigned char ossl_der_oid_id_slh_dsa_shake_256f[DER_OID_SZ_id_slh_dsa_sha DER_OID_V_id_slh_dsa_shake_256f }; +/* clang-format on */ diff --git a/crypto/openssl/providers/common/der/der_wrap_gen.c b/crypto/openssl/providers/common/der/der_wrap_gen.c index 6cf93972f48b..def5c3524185 100644 --- a/crypto/openssl/providers/common/der/der_wrap_gen.c +++ b/crypto/openssl/providers/common/der/der_wrap_gen.c @@ -13,6 +13,7 @@ #include "prov/der_wrap.h" /* Well known OIDs precompiled */ +/* clang-format off */ /* * id-alg-CMS3DESwrap OBJECT IDENTIFIER ::= { @@ -44,3 +45,4 @@ const unsigned char ossl_der_oid_id_aes256_wrap[DER_OID_SZ_id_aes256_wrap] = { DER_OID_V_id_aes256_wrap }; +/* clang-format on */ diff --git a/crypto/openssl/providers/common/include/prov/der_digests.h b/crypto/openssl/providers/common/include/prov/der_digests.h index b184807c80ce..c6531033f279 100644 
--- a/crypto/openssl/providers/common/include/prov/der_digests.h +++ b/crypto/openssl/providers/common/include/prov/der_digests.h @@ -13,6 +13,7 @@ #include "internal/der.h" /* Well known OIDs precompiled */ +/* clang-format off */ /* * sigAlgs OBJECT IDENTIFIER ::= { nistAlgorithms 3 } @@ -158,3 +159,4 @@ extern const unsigned char ossl_der_oid_id_KMACWithSHAKE128[DER_OID_SZ_id_KMACWi #define DER_OID_SZ_id_KMACWithSHAKE256 11 extern const unsigned char ossl_der_oid_id_KMACWithSHAKE256[DER_OID_SZ_id_KMACWithSHAKE256]; +/* clang-format on */ diff --git a/crypto/openssl/providers/common/include/prov/der_dsa.h b/crypto/openssl/providers/common/include/prov/der_dsa.h index b12a56282b25..3dcd57ebec43 100644 --- a/crypto/openssl/providers/common/include/prov/der_dsa.h +++ b/crypto/openssl/providers/common/include/prov/der_dsa.h @@ -13,6 +13,7 @@ #include "internal/der.h" /* Well known OIDs precompiled */ +/* clang-format off */ /* * id-dsa OBJECT IDENTIFIER ::= { @@ -86,9 +87,10 @@ extern const unsigned char ossl_der_oid_id_dsa_with_sha3_384[DER_OID_SZ_id_dsa_w #define DER_OID_SZ_id_dsa_with_sha3_512 11 extern const unsigned char ossl_der_oid_id_dsa_with_sha3_512[DER_OID_SZ_id_dsa_with_sha3_512]; +/* clang-format on */ /* Subject Public Key Info */ int ossl_DER_w_algorithmIdentifier_DSA(WPACKET *pkt, int tag, DSA *dsa); /* Signature */ int ossl_DER_w_algorithmIdentifier_DSA_with_MD(WPACKET *pkt, int tag, - DSA *dsa, int mdnid); + DSA *dsa, int mdnid); diff --git a/crypto/openssl/providers/common/include/prov/der_ec.h b/crypto/openssl/providers/common/include/prov/der_ec.h index dd697771f711..059c77d38ea7 100644 --- a/crypto/openssl/providers/common/include/prov/der_ec.h +++ b/crypto/openssl/providers/common/include/prov/der_ec.h @@ -14,6 +14,7 @@ #include "internal/der.h" /* Well known OIDs precompiled */ +/* clang-format off */ /* * ecdsa-with-SHA1 OBJECT IDENTIFIER ::= { id-ecSigType 1 } 
@@ -278,9 +279,10 @@ extern const unsigned char ossl_der_oid_id_ecdsa_with_sha3_384[DER_OID_SZ_id_ecd #define DER_OID_SZ_id_ecdsa_with_sha3_512 11 extern const unsigned char ossl_der_oid_id_ecdsa_with_sha3_512[DER_OID_SZ_id_ecdsa_with_sha3_512]; +/* clang-format on */ /* Subject Public Key Info */ int ossl_DER_w_algorithmIdentifier_EC(WPACKET *pkt, int cont, EC_KEY *ec); /* Signature */ int ossl_DER_w_algorithmIdentifier_ECDSA_with_MD(WPACKET *pkt, int cont, - EC_KEY *ec, int mdnid); + EC_KEY *ec, int mdnid); diff --git a/crypto/openssl/providers/common/include/prov/der_ecx.h b/crypto/openssl/providers/common/include/prov/der_ecx.h index fc85738055b5..80e15fad803d 100644 --- a/crypto/openssl/providers/common/include/prov/der_ecx.h +++ b/crypto/openssl/providers/common/include/prov/der_ecx.h @@ -14,6 +14,7 @@ #include "crypto/ecx.h" /* Well known OIDs precompiled */ +/* clang-format off */ /* * id-X25519 OBJECT IDENTIFIER ::= { id-edwards-curve-algs 110 } @@ -43,6 +44,7 @@ extern const unsigned char ossl_der_oid_id_Ed25519[DER_OID_SZ_id_Ed25519]; #define DER_OID_SZ_id_Ed448 5 extern const unsigned char ossl_der_oid_id_Ed448[DER_OID_SZ_id_Ed448]; +/* clang-format on */ int ossl_DER_w_algorithmIdentifier_ED25519(WPACKET *pkt, int cont, ECX_KEY *ec); int ossl_DER_w_algorithmIdentifier_ED448(WPACKET *pkt, int cont, ECX_KEY *ec); diff --git a/crypto/openssl/providers/common/include/prov/der_ml_dsa.h b/crypto/openssl/providers/common/include/prov/der_ml_dsa.h index c55f780ab452..a6c4c87d7824 100644 --- a/crypto/openssl/providers/common/include/prov/der_ml_dsa.h +++ b/crypto/openssl/providers/common/include/prov/der_ml_dsa.h @@ -14,6 +14,7 @@ #include "crypto/ml_dsa.h" /* Well known OIDs precompiled */ +/* clang-format off */ /* * id-ml-dsa-44 OBJECT IDENTIFIER ::= { sigAlgs 17 } 
@@ -36,5 +37,6 @@ extern const unsigned char ossl_der_oid_id_ml_dsa_65[DER_OID_SZ_id_ml_dsa_65]; #define DER_OID_SZ_id_ml_dsa_87 11 extern const unsigned char ossl_der_oid_id_ml_dsa_87[DER_OID_SZ_id_ml_dsa_87]; +/* clang-format on */ int ossl_DER_w_algorithmIdentifier_ML_DSA(WPACKET *pkt, int tag, ML_DSA_KEY *key); diff --git a/crypto/openssl/providers/common/include/prov/der_rsa.h b/crypto/openssl/providers/common/include/prov/der_rsa.h index 5ec3c515a1bd..9c374ceb2b0e 100644 --- a/crypto/openssl/providers/common/include/prov/der_rsa.h +++ b/crypto/openssl/providers/common/include/prov/der_rsa.h @@ -14,6 +14,7 @@ #include "internal/der.h" /* Well known OIDs precompiled */ +/* clang-format off */ /* * hashAlgs OBJECT IDENTIFIER ::= { nistAlgorithms 2 } @@ -173,15 +174,16 @@ extern const unsigned char ossl_der_oid_ripemd160WithRSAEncryption[DER_OID_SZ_ri #define DER_OID_SZ_mdc2WithRSASignature 7 extern const unsigned char ossl_der_oid_mdc2WithRSASignature[DER_OID_SZ_mdc2WithRSASignature]; +/* clang-format on */ /* PSS parameters */ int ossl_DER_w_RSASSA_PSS_params(WPACKET *pkt, int tag, - const RSA_PSS_PARAMS_30 *pss); + const RSA_PSS_PARAMS_30 *pss); /* Subject Public Key Info */ int ossl_DER_w_algorithmIdentifier_RSA(WPACKET *pkt, int tag, RSA *rsa); int ossl_DER_w_algorithmIdentifier_RSA_PSS(WPACKET *pkt, int tag, - int rsa_type, - const RSA_PSS_PARAMS_30 *pss); + int rsa_type, + const RSA_PSS_PARAMS_30 *pss); /* Signature */ int ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(WPACKET *pkt, int tag, - int mdnid); + int mdnid); diff --git a/crypto/openssl/providers/common/include/prov/der_slh_dsa.h b/crypto/openssl/providers/common/include/prov/der_slh_dsa.h index 760f8e7699be..eaf1ab14fd00 100644 --- a/crypto/openssl/providers/common/include/prov/der_slh_dsa.h +++ b/crypto/openssl/providers/common/include/prov/der_slh_dsa.h 
@@ -14,6 +14,7 @@ #include "crypto/slh_dsa.h" /* Well known OIDs precompiled */ +/* clang-format off */ /* * id-slh-dsa-sha2-128s OBJECT IDENTIFIER ::= { sigAlgs 20 } @@ -99,5 +100,6 @@ extern const unsigned char ossl_der_oid_id_slh_dsa_shake_256s[DER_OID_SZ_id_slh_ #define DER_OID_SZ_id_slh_dsa_shake_256f 11 extern const unsigned char ossl_der_oid_id_slh_dsa_shake_256f[DER_OID_SZ_id_slh_dsa_shake_256f]; +/* clang-format on */ int ossl_DER_w_algorithmIdentifier_SLH_DSA(WPACKET *pkt, int tag, SLH_DSA_KEY *key); diff --git a/crypto/openssl/providers/common/include/prov/der_wrap.h b/crypto/openssl/providers/common/include/prov/der_wrap.h index ff2954037727..56d4777bb3d2 100644 --- a/crypto/openssl/providers/common/include/prov/der_wrap.h +++ b/crypto/openssl/providers/common/include/prov/der_wrap.h @@ -13,6 +13,7 @@ #include "internal/der.h" /* Well known OIDs precompiled */ +/* clang-format off */ /* * id-alg-CMS3DESwrap OBJECT IDENTIFIER ::= { @@ -44,3 +45,4 @@ extern const unsigned char ossl_der_oid_id_aes192_wrap[DER_OID_SZ_id_aes192_wrap #define DER_OID_SZ_id_aes256_wrap 11 extern const unsigned char ossl_der_oid_id_aes256_wrap[DER_OID_SZ_id_aes256_wrap]; +/* clang-format on */ diff --git a/crypto/openssl/tools/c_rehash b/crypto/openssl/tools/c_rehash index f3fbdae831d9..8083217683c4 100755 --- a/crypto/openssl/tools/c_rehash +++ b/crypto/openssl/tools/c_rehash @@ -193,6 +193,7 @@ sub compute_hash { print STDERR "Cannot compute hash on '$fname'\n"; return; } + binmode($fh, ":crlf"); } return (<$fh>, <$fh>); } diff --git a/secure/lib/libcrypto/man/man3/ADMISSIONS.3 b/secure/lib/libcrypto/man/man3/ADMISSIONS.3 index 445637880987..6a75c283ffba 100644 --- a/secure/lib/libcrypto/man/man3/ADMISSIONS.3 +++ b/secure/lib/libcrypto/man/man3/ADMISSIONS.3 
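Review bot: The added `binmode($fh, ":crlf");` in `compute_hash` of tools/c_rehash has no comment explaining why the layer is needed, and it sits inside a nested block, so if the function opens `$fh` on more than one branch only this one gets it; the start of `compute_hash` is outside the hunk, so that cannot be confirmed here. I would add a comment such as `# translate CRLF to LF so the two lines returned below carry no trailing CR`, since those lines are presumably the hash and fingerprint the caller uses for link names and duplicate detection. The return value of `binmode` is also ignored; `binmode($fh, ":crlf") or print STDERR "Cannot set :crlf layer for '$fname'\n";` would keep a failure visible in the same style as the existing error message.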
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ADMISSIONS 3ossl" -.TH ADMISSIONS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ADMISSIONS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ASN1_EXTERN_FUNCS.3 b/secure/lib/libcrypto/man/man3/ASN1_EXTERN_FUNCS.3 index cb458f74017b..9669c657f472 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_EXTERN_FUNCS.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_EXTERN_FUNCS.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_EXTERN_FUNCS 3ossl" -.TH ASN1_EXTERN_FUNCS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_EXTERN_FUNCS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -143,7 +146,7 @@ macro. .IP \fIasn1_ex_d2i\fR 4 .IX Item "asn1_ex_d2i" A "d2i" function responsible for converting DER data with the tag \fItag\fR and -class \fIclass\fR into an \fBASN1_VALUE\fR. If \fI*pval\fR is non-NULL then the +class \fIclass\fR into an \fBASN1_VALUE\fR. If \fI*pval\fR is non\-NULL then the \&\fBASN_VALUE\fR it points to should be reused. Otherwise a new \fBASN1_VALUE\fR should be allocated and stored in \fI*pval\fR. \fI*in\fR points to the DER data to be decoded and \fIlen\fR is the length of that data. After decoding \fI*in\fR should be @@ -177,7 +180,7 @@ The \fIasn1_ex_i2d\fR entry may be NULL if \fIasn1_ex_i2d_ex\fR has been specifi instead. .Sp The return value should be negative if a fatal error occurred, or 0 if a -non-fatal error occurred. Otherwise it should return the length of the encoded +non\-fatal error occurred. Otherwise it should return the length of the encoded data. .IP \fIasn1_ex_print\fR 4 .IX Item "asn1_ex_print" diff --git a/secure/lib/libcrypto/man/man3/ASN1_INTEGER_get_int64.3 b/secure/lib/libcrypto/man/man3/ASN1_INTEGER_get_int64.3 index 0f298ce0727d..46172edfeca9 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_INTEGER_get_int64.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_INTEGER_get_int64.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_INTEGER_GET_INT64 3ossl" -.TH ASN1_INTEGER_GET_INT64 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_INTEGER_GET_INT64 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ASN1_INTEGER_new.3 b/secure/lib/libcrypto/man/man3/ASN1_INTEGER_new.3 index 967d636f7550..afa6c212f329 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_INTEGER_new.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_INTEGER_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_INTEGER_NEW 3ossl" -.TH ASN1_INTEGER_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_INTEGER_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ASN1_ITEM_lookup.3 b/secure/lib/libcrypto/man/man3/ASN1_ITEM_lookup.3 index e7a3e468edcb..3b09ecf48bef 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_ITEM_lookup.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_ITEM_lookup.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_ITEM_LOOKUP 3ossl" -.TH ASN1_ITEM_LOOKUP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_ITEM_LOOKUP 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ASN1_OBJECT_new.3 b/secure/lib/libcrypto/man/man3/ASN1_OBJECT_new.3 index 847469c18a63..c110ace197d4 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_OBJECT_new.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_OBJECT_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_OBJECT_NEW 3ossl" -.TH ASN1_OBJECT_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_OBJECT_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ASN1_STRING_TABLE_add.3 b/secure/lib/libcrypto/man/man3/ASN1_STRING_TABLE_add.3 index 0a020e53cf1e..7a2de3728e3c 100644 
--- a/secure/lib/libcrypto/man/man3/ASN1_STRING_TABLE_add.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_STRING_TABLE_add.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_STRING_TABLE_ADD 3ossl" -.TH ASN1_STRING_TABLE_ADD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_STRING_TABLE_ADD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ASN1_STRING_length.3 b/secure/lib/libcrypto/man/man3/ASN1_STRING_length.3 index 8c20ba8451ef..9c881ae09ede 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_STRING_length.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_STRING_length.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_STRING_LENGTH 3ossl" -.TH ASN1_STRING_LENGTH 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_STRING_LENGTH 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -116,7 +119,7 @@ should be freed using \fBOPENSSL_free()\fR. .SH NOTES .IX Header "NOTES" Almost all ASN1 types in OpenSSL are represented as an \fBASN1_STRING\fR -structure. Other types such as \fBASN1_OCTET_STRING\fR are simply typedef'ed +structure. Other types such as \fBASN1_OCTET_STRING\fR are simply typedef\*(Aqed to \fBASN1_STRING\fR and the functions call the \fBASN1_STRING\fR equivalents. \&\fBASN1_STRING\fR is also used for some \fBCHOICE\fR types which consist entirely of primitive string types such as \fBDirectoryString\fR and diff --git a/secure/lib/libcrypto/man/man3/ASN1_STRING_new.3 b/secure/lib/libcrypto/man/man3/ASN1_STRING_new.3 index 9269ed3d19c6..9c5663bd37ba 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_STRING_new.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_STRING_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_STRING_NEW 3ossl" -.TH ASN1_STRING_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_STRING_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ASN1_STRING_print_ex.3 b/secure/lib/libcrypto/man/man3/ASN1_STRING_print_ex.3 index eb7d5bf0dd8a..60d090017bd6 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_STRING_print_ex.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_STRING_print_ex.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_STRING_PRINT_EX 3ossl" -.TH ASN1_STRING_PRINT_EX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_STRING_PRINT_EX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -85,9 +88,9 @@ to \fIfp\fR instead. .PP \&\fBASN1_STRING_print()\fR prints \fIstr\fR to \fIout\fR but using a different format to \&\fBASN1_STRING_print_ex()\fR. It replaces unprintable characters (other than CR, LF) -with '.'. +with \*(Aq.\*(Aq. .PP -\&\fBASN1_tag2str()\fR returns a human-readable name of the specified ASN.1 \fItag\fR. +\&\fBASN1_tag2str()\fR returns a human\-readable name of the specified ASN.1 \fItag\fR. .SH NOTES .IX Header "NOTES" \&\fBASN1_STRING_print()\fR is a deprecated function which should be avoided; use @@ -111,7 +114,7 @@ using exactly four characters for the hex representation. If it is 32 bits then "\eWXXXXXXXX" is used using eight characters of its hex representation. These forms will only be used if UTF8 conversion is not set (see below). .PP -Printable characters are normally escaped using the backslash '\e' character. If +Printable characters are normally escaped using the backslash \*(Aq\e\*(Aq character. If \&\fBASN1_STRFLGS_ESC_QUOTE\fR is set then the whole string is instead surrounded by double quote characters: this is arguably more readable than the backslash notation. Other characters use the "\eXX" using exactly two characters of the hex 
@@ -153,7 +156,7 @@ characters written or \-1 if an error occurred. .PP \&\fBASN1_STRING_print()\fR returns 1 on success or 0 on error. .PP -\&\fBASN1_tag2str()\fR returns a human-readable name of the specified ASN.1 \fItag\fR. +\&\fBASN1_tag2str()\fR returns a human\-readable name of the specified ASN.1 \fItag\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBX509_NAME_print_ex\fR\|(3), diff --git a/secure/lib/libcrypto/man/man3/ASN1_TIME_set.3 b/secure/lib/libcrypto/man/man3/ASN1_TIME_set.3 index 7047a8bdd2ea..732ac2e6d82f 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_TIME_set.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_TIME_set.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_TIME_SET 3ossl" -.TH ASN1_TIME_SET 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_TIME_SET 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -275,7 +278,7 @@ return 1 if the time is successfully printed out and error occurred (invalid time format). .PP \&\fBASN1_TIME_diff()\fR returns 1 for success and 0 for failure. It can fail if the -passed-in time structure has invalid syntax, for example. +passed\-in time structure has invalid syntax, for example. .PP \&\fBASN1_TIME_cmp_time_t()\fR and \fBASN1_UTCTIME_cmp_time_t()\fR return \-1 if \fIs\fR is before \fIt\fR, 0 if \fIs\fR equals \fIt\fR, or 1 if \fIs\fR is after \fIt\fR. \-2 is returned 
diff --git a/secure/lib/libcrypto/man/man3/ASN1_TYPE_get.3 b/secure/lib/libcrypto/man/man3/ASN1_TYPE_get.3 index daf451be0ac8..c58a626dfb37 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_TYPE_get.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_TYPE_get.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_TYPE_GET 3ossl" -.TH ASN1_TYPE_GET 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_TYPE_GET 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ASN1_aux_cb.3 b/secure/lib/libcrypto/man/man3/ASN1_aux_cb.3 index fbe4eec75b6c..6a1fc5db6c33 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_aux_cb.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_aux_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_AUX_CB 3ossl" -.TH ASN1_AUX_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_AUX_CB 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -125,7 +128,7 @@ The \fBASN1_AFLG_BROKEN\fR flag is a work around for broken encoders where the sequence length value may not be correct. This should generally not be used. .Sp The \fBASN1_AFLG_CONST_CB\fR flag indicates that the "const" form of the -\&\fBASN1_AUX\fR callback should be used in preference to the non-const form. +\&\fBASN1_AUX\fR callback should be used in preference to the non\-const form. .IP \fIref_offset\fR 4 .IX Item "ref_offset" If the \fBASN1_AFLG_REFCOUNT\fR flag is set then this value is assumed to be an @@ -178,7 +181,7 @@ success or 0 on error. .IP \fBASN1_OP_FREE_POST\fR 4 .IX Item "ASN1_OP_FREE_POST" Invoked when processing a \fBCHOICE\fR, \fBSEQUENCE\fR or \fBNDEF_SEQUENCE\fR structure -immediately after \fBASN1_VALUE\fR sub-structures are freed. +immediately after \fBASN1_VALUE\fR sub\-structures are freed. .IP \fBASN1_OP_D2I_PRE\fR 4 .IX Item "ASN1_OP_D2I_PRE" Invoked when processing a \fBCHOICE\fR, \fBSEQUENCE\fR or \fBNDEF_SEQUENCE\fR structure diff --git a/secure/lib/libcrypto/man/man3/ASN1_generate_nconf.3 b/secure/lib/libcrypto/man/man3/ASN1_generate_nconf.3 index 5bf73ccdfb6f..49c146754859 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_generate_nconf.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_generate_nconf.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_GENERATE_NCONF 3ossl" -.TH ASN1_GENERATE_NCONF 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_GENERATE_NCONF 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -234,7 +237,7 @@ SEQUENCE consisting of a BOOL an OID and a UTF8String: .PP This example produces an RSAPrivateKey structure, this is the key contained in the file client.pem in all OpenSSL distributions -(note: the field names such as 'coeff' are ignored and are present just +(note: the field names such as \*(Aqcoeff\*(Aq are ignored and are present just for clarity): .PP .Vb 3 diff --git a/secure/lib/libcrypto/man/man3/ASN1_item_d2i_bio.3 b/secure/lib/libcrypto/man/man3/ASN1_item_d2i_bio.3 index 50d35753a2fd..2705399cbda3 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_item_d2i_bio.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_item_d2i_bio.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_ITEM_D2I_BIO 3ossl" -.TH ASN1_ITEM_D2I_BIO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_ITEM_D2I_BIO 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -96,9 +99,9 @@ ASN1_item_pack, ASN1_item_unpack_ex, ASN1_item_unpack .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBASN1_item_d2i_ex()\fR decodes the contents of the data stored in \fI*in\fR of length -\&\fIlen\fR which must be a DER-encoded ASN.1 structure, using the ASN.1 template +\&\fIlen\fR which must be a DER\-encoded ASN.1 structure, using the ASN.1 template \&\fIit\fR. It places the result in \fI*pval\fR unless \fIpval\fR is NULL. If \fI*pval\fR is -non-NULL on entry then the \fBASN1_VALUE\fR present there will be reused. Otherwise +non\-NULL on entry then the \fBASN1_VALUE\fR present there will be reused. Otherwise a new \fBASN1_VALUE\fR will be allocated. If any algorithm fetches are required during the process then they will use the \fBOSSL_LIB_CTX\fRprovided in the \&\fIlibctx\fR parameter and the property query string in \fIpropq\fR. See @@ -110,7 +113,7 @@ decoded structure. OSSL_LIB_CTX is used (i.e. NULL) and with a NULL property query string. .PP \&\fBASN1_item_d2i_bio_ex()\fR decodes the contents of its input BIO \fIin\fR, -which must be a DER-encoded ASN.1 structure, using the ASN.1 template \fIit\fR +which must be a DER\-encoded ASN.1 structure, using the ASN.1 template \fIit\fR and places the result in \fI*pval\fR unless \fIpval\fR is NULL. If \fIin\fR is NULL it returns NULL, else a pointer to the parsed structure. If any algorithm fetches are required during the process then they will use the 
@@ -140,7 +143,7 @@ then the returned return is also set into \fI*oct\fR. If there is an error the o passed in \fBASN1_STRING\fR will not be freed, but the previous value may be cleared when ASN1_STRING_set0(*oct, NULL, 0) is called internally. .PP -\&\fBASN1_item_unpack()\fR uses \fBASN1_item_d2i()\fR to decode the DER-encoded \fBASN1_STRING\fR +\&\fBASN1_item_unpack()\fR uses \fBASN1_item_d2i()\fR to decode the DER\-encoded \fBASN1_STRING\fR \&\fIoct\fR using the ASN.1 template \fIit\fR. .PP \&\fBASN1_item_unpack_ex()\fR is similar to \fBASN1_item_unpack()\fR, but uses \fBASN1_item_d2i_ex()\fR so diff --git a/secure/lib/libcrypto/man/man3/ASN1_item_new.3 b/secure/lib/libcrypto/man/man3/ASN1_item_new.3 index 5b7b0e038395..c33e1a270ec9 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_item_new.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_item_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_ITEM_NEW 3ossl" -.TH ASN1_ITEM_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_ITEM_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ASN1_item_sign.3 b/secure/lib/libcrypto/man/man3/ASN1_item_sign.3 index a849af987445..158d2a095606 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_item_sign.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_item_sign.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_ITEM_SIGN 3ossl" -.TH ASN1_ITEM_SIGN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_ITEM_SIGN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -145,10 +148,10 @@ zero for failure. .PP All verify functions return 1 if the signature is valid and 0 if the signature check fails. If the signature could not be checked at all because it was -ill-formed or some other error occurred then \-1 is returned. +ill\-formed or some other error occurred then \-1 is returned. .SH EXAMPLES .IX Header "EXAMPLES" -In the following example a 'MyObject' object is signed using the key contained +In the following example a \*(AqMyObject\*(Aq object is signed using the key contained in an EVP_MD_CTX. The signature is written to MyObject.signature. The object is then output in DER format and then loaded back in and verified. .PP diff --git a/secure/lib/libcrypto/man/man3/ASYNC_WAIT_CTX_new.3 b/secure/lib/libcrypto/man/man3/ASYNC_WAIT_CTX_new.3 index ff0c1d01162b..1b60cf6d465c 100644 --- a/secure/lib/libcrypto/man/man3/ASYNC_WAIT_CTX_new.3 +++ b/secure/lib/libcrypto/man/man3/ASYNC_WAIT_CTX_new.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASYNC_WAIT_CTX_NEW 3ossl" -.TH ASYNC_WAIT_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASYNC_WAIT_CTX_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -108,7 +111,7 @@ ASYNC_STATUS_EAGAIN For an overview of how asynchronous operations are implemented in OpenSSL see \&\fBASYNC_start_job\fR\|(3). An \fBASYNC_WAIT_CTX\fR object represents an asynchronous "session", i.e. a related set of crypto operations. For example in SSL terms -this would have a one-to-one correspondence with an SSL connection. +this would have a one\-to\-one correspondence with an SSL connection. .PP Application code must create an \fBASYNC_WAIT_CTX\fR using the \fBASYNC_WAIT_CTX_new()\fR function prior to calling \fBASYNC_start_job()\fR (see \fBASYNC_start_job\fR\|(3)). When 
@@ -122,7 +125,7 @@ is closed), application code cleans up with \fBASYNC_WAIT_CTX_free()\fR. Calling \fBASYNC_WAIT_CTX_get_all_fds()\fR and passing in a pointer to an \&\fBASYNC_WAIT_CTX\fR in the \fIctx\fR parameter will return the wait file descriptors associated with that job in \fI*fd\fR. The number of file descriptors returned will -be stored in \fI*numfds\fR. It is the caller's responsibility to ensure that +be stored in \fI*numfds\fR. It is the caller\*(Aqs responsibility to ensure that sufficient memory has been allocated in \fI*fd\fR to receive all the file descriptors. Calling \fBASYNC_WAIT_CTX_get_all_fds()\fR with a NULL \fIfd\fR value will return no file descriptors but will still populate \fI*numfds\fR. Therefore, @@ -246,7 +249,7 @@ On Windows platforms the \fI<openssl/async.h>\fR header is dependent on some of the types customarily made available by including \fI<windows.h>\fR. The application developer is likely to require control over when the latter is included, commonly as one of the first included headers. Therefore, -it is defined as an application developer's responsibility to include +it is defined as an application developer\*(Aqs responsibility to include \&\fI<windows.h>\fR prior to \fI<openssl/async.h>\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/ASYNC_start_job.3 b/secure/lib/libcrypto/man/man3/ASYNC_start_job.3 index c3c95ed7b585..a9a963743cfe 100644 --- a/secure/lib/libcrypto/man/man3/ASYNC_start_job.3 +++ b/secure/lib/libcrypto/man/man3/ASYNC_start_job.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASYNC_START_JOB 3ossl" -.TH ASYNC_START_JOB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASYNC_START_JOB 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -97,16 +100,16 @@ ASYNC_stack_alloc_fn, ASYNC_stack_free_fn, ASYNC_set_mem_functions, ASYNC_get_me OpenSSL implements asynchronous capabilities through an \fBASYNC_JOB\fR. This represents code that can be started and executes until some event occurs. At that point the code can be paused and control returns to user code until some -subsequent event indicates that the job can be resumed. It's OpenSSL +subsequent event indicates that the job can be resumed. It\*(Aqs OpenSSL specific implementation of cooperative multitasking. .PP The creation of an \fBASYNC_JOB\fR is a relatively expensive operation. Therefore, for efficiency reasons, jobs can be created up front and reused many times. They are held in a pool until they are needed, at which point they are removed from the pool, used, and then returned to the pool when the job completes. If the -user application is multi-threaded, then \fBASYNC_init_thread()\fR may be called for +user application is multi\-threaded, then \fBASYNC_init_thread()\fR may be called for each thread that will initiate asynchronous jobs. Before -user code exits per-thread resources need to be cleaned up. This will normally +user code exits per\-thread resources need to be cleaned up. This will normally occur automatically (see \fBOPENSSL_init_crypto\fR\|(3)) but may be explicitly initiated by using \fBASYNC_cleanup_thread()\fR. No asynchronous jobs must be outstanding for the thread when \fBASYNC_cleanup_thread()\fR is called. Failing to 
@@ -195,7 +198,7 @@ The \fBASYNC_block_pause()\fR function will prevent the currently active job fro pausing. The block will remain in place until a subsequent call to \&\fBASYNC_unblock_pause()\fR. These functions can be nested, e.g. if you call \&\fBASYNC_block_pause()\fR twice then you must call \fBASYNC_unblock_pause()\fR twice in -order to re-enable pausing. If these functions are called while there is no +order to re\-enable pausing. If these functions are called while there is no currently active job then they have no effect. This functionality can be useful to avoid deadlock scenarios. For example during the execution of an \fBASYNC_JOB\fR an application acquires a lock. It then calls some cryptographic function which @@ -215,7 +218,7 @@ stack memory such as mmap, or using stack memory from the current thread. Using an ASYNC_stack_alloc_fn callback also allows manipulation of the stack size, which defaults to 32k. The stack size can be altered by allocating a stack of a size different to -the requested size, and passing back the new stack size in the callback's \fI*num\fR +the requested size, and passing back the new stack size in the callback\*(Aqs \fI*num\fR parameter. .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -244,7 +247,7 @@ On Windows platforms the \fI<openssl/async.h>\fR header is dependent on some of the types customarily made available by including \fI<windows.h>\fR. The application developer is likely to require control over when the latter is included, commonly as one of the first included headers. Therefore, -it is defined as an application developer's responsibility to include +it is defined as an application developer\*(Aqs responsibility to include \&\fI<windows.h>\fR prior to \fI<openssl/async.h>\fR. .SH EXAMPLES .IX Header "EXAMPLES" diff --git a/secure/lib/libcrypto/man/man3/BF_encrypt.3 b/secure/lib/libcrypto/man/man3/BF_encrypt.3 index a6a7b26d517e..2e1a6008d417 100644 --- a/secure/lib/libcrypto/man/man3/BF_encrypt.3 
+++ b/secure/lib/libcrypto/man/man3/BF_encrypt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BF_ENCRYPT 3ossl" -.TH BF_ENCRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BF_ENCRYPT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -125,7 +128,7 @@ The mode functions \fBBF_cbc_encrypt()\fR, \fBBF_cfb64_encrypt()\fR and \fBBF_of all operate on variable length data. They all take an initialization vector \&\fBivec\fR which needs to be passed along into the next call of the same function for the same message. \fBivec\fR may be initialized with anything, but the -recipient needs to know what it was initialized with, or it won't be able +recipient needs to know what it was initialized with, or it won\*(Aqt be able to decrypt. Some programs and protocols simplify this, like SSH, where \&\fBivec\fR is simply initialized to zero. \&\fBBF_cbc_encrypt()\fR operates on data that is a multiple of 8 bytes long, while 
@@ -156,10 +159,10 @@ the same way. \&\fBBF_encrypt()\fR and \fBBF_decrypt()\fR are the lowest level functions for Blowfish encryption. They encrypt/decrypt the first 64 bits of the vector pointed by \&\fBdata\fR, using the key \fBkey\fR. These functions should not be used unless you -implement 'modes' of Blowfish. The alternative is to use \fBBF_ecb_encrypt()\fR. +implement \*(Aqmodes\*(Aq of Blowfish. The alternative is to use \fBBF_ecb_encrypt()\fR. If you still want to use these functions, you should be aware that they take -each 32\-bit chunk in host-byte order, which is little-endian on little-endian -platforms and big-endian on big-endian ones. +each 32\-bit chunk in host\-byte order, which is little\-endian on little\-endian +platforms and big\-endian on big\-endian ones. .SH "RETURN VALUES" .IX Header "RETURN VALUES" None of the functions presented here return any value. diff --git a/secure/lib/libcrypto/man/man3/BIO_ADDR.3 b/secure/lib/libcrypto/man/man3/BIO_ADDR.3 index a3bd60aaeaa1..fb5e2f77b800 100644 --- a/secure/lib/libcrypto/man/man3/BIO_ADDR.3 +++ b/secure/lib/libcrypto/man/man3/BIO_ADDR.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_ADDR 3ossl" -.TH BIO_ADDR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_ADDR 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -92,7 +95,7 @@ BIO_ADDR_path_string \- BIO_ADDR routines .IX Header "DESCRIPTION" The \fBBIO_ADDR\fR type is a wrapper around all types of socket addresses that OpenSSL deals with, currently transparently -supporting AF_INET, AF_INET6 and AF_UNIX according to what's +supporting AF_INET, AF_INET6 and AF_UNIX according to what\*(Aqs available on the platform at hand. .PP \&\fBBIO_ADDR_new()\fR creates a new unfilled \fBBIO_ADDR\fR, to be used @@ -122,14 +125,14 @@ NUL, such as the result of a call to \fBstrlen()\fR). Read on about the addresses in "RAW ADDRESSES" below. .PP \&\fBBIO_ADDR_family()\fR returns the protocol family of the given -\&\fBBIO_ADDR\fR. The possible non-error results are one of the +\&\fBBIO_ADDR\fR. The possible non\-error results are one of the constants AF_INET, AF_INET6 and AF_UNIX. It will also return AF_UNSPEC if the BIO_ADDR has not been initialised. .PP \&\fBBIO_ADDR_rawaddress()\fR will write the raw address of the given -\&\fBBIO_ADDR\fR in the area pointed at by \fBp\fR if \fBp\fR is non-NULL, +\&\fBBIO_ADDR\fR in the area pointed at by \fBp\fR if \fBp\fR is non\-NULL, and will set \fB*l\fR to be the amount of bytes the raw address -takes up if \fBl\fR is non-NULL. +takes up if \fBl\fR is non\-NULL. A technique to only find out the size of the address is a call with \fBp\fR set to \fBNULL\fR. The raw address will be in network byte order, most significant byte first. @@ -176,7 +179,7 @@ OpenSSL error stack. \&\fBBIO_ADDR_copy()\fR returns 1 on success or 0 on error. .PP All other functions described here return 0 or \fBNULL\fR when the -information they should return isn't available. +information they should return isn\*(Aqt available. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBBIO_connect\fR\|(3), \fBBIO_s_connect\fR\|(3) diff --git a/secure/lib/libcrypto/man/man3/BIO_ADDRINFO.3 b/secure/lib/libcrypto/man/man3/BIO_ADDRINFO.3 index 8963474ea4e5..04b45b7f05f0 100644 --- a/secure/lib/libcrypto/man/man3/BIO_ADDRINFO.3 
+++ b/secure/lib/libcrypto/man/man3/BIO_ADDRINFO.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_ADDRINFO 3ossl" -.TH BIO_ADDRINFO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_ADDRINFO 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -145,7 +148,7 @@ occurred, and will leave an error indication on the OpenSSL error stack in that case. .PP All other functions described here return 0 or \fBNULL\fR when the -information they should return isn't available. +information they should return isn\*(Aqt available. .SH NOTES .IX Header "NOTES" The \fBBIO_lookup_ex()\fR implementation uses the platform provided \fBgetaddrinfo()\fR diff --git a/secure/lib/libcrypto/man/man3/BIO_connect.3 b/secure/lib/libcrypto/man/man3/BIO_connect.3 index 85a50ca6a6ec..c74ce3fbc39f 100644 --- a/secure/lib/libcrypto/man/man3/BIO_connect.3 +++ b/secure/lib/libcrypto/man/man3/BIO_connect.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_CONNECT 3ossl" -.TH BIO_CONNECT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_CONNECT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -98,7 +101,7 @@ The flags are described in "FLAGS" below. .PP \&\fBBIO_accept_ex()\fR waits for an incoming connections on the given socket \fBaccept_sock\fR. When it gets a connection, the address and -port of the peer gets stored in \fBpeer\fR if that one is non-NULL. +port of the peer gets stored in \fBpeer\fR if that one is non\-NULL. Accept \fBoptions\fR may be zero or \fBBIO_SOCK_NONBLOCK\fR, and is applied on the accepted socket. The flags are described in "FLAGS" below. .PP @@ -107,7 +110,7 @@ on the accepted socket. The flags are described in "FLAGS" below. .IX Header "FLAGS" .IP BIO_SOCK_KEEPALIVE 4 .IX Item "BIO_SOCK_KEEPALIVE" -Enables regular sending of keep-alive messages. +Enables regular sending of keep\-alive messages. .IP BIO_SOCK_NONBLOCK 4 .IX Item "BIO_SOCK_NONBLOCK" Sets the socket to nonblocking mode. @@ -115,7 +118,7 @@ Sets the socket to nonblocking mode. .IX Item "BIO_SOCK_NODELAY" Corresponds to \fBTCP_NODELAY\fR, and disables the Nagle algorithm. With this set, any data will be sent as soon as possible instead of being -buffered until there's enough for the socket to send out in one go. +buffered until there\*(Aqs enough for the socket to send out in one go. .IP BIO_SOCK_REUSEADDR 4 .IX Item "BIO_SOCK_REUSEADDR" Try to reuse the address and port combination for a recently closed diff --git a/secure/lib/libcrypto/man/man3/BIO_ctrl.3 b/secure/lib/libcrypto/man/man3/BIO_ctrl.3 index 3717891171e6..1500d57e7e99 100644 --- a/secure/lib/libcrypto/man/man3/BIO_ctrl.3 
+++ b/secure/lib/libcrypto/man/man3/BIO_ctrl.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_CTRL 3ossl" -.TH BIO_CTRL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_CTRL 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -116,7 +119,7 @@ calls. of file related BIOs for example it rewinds the file pointer to the start of the file. .PP -\&\fBBIO_seek()\fR resets a file related BIO's (that is file descriptor and +\&\fBBIO_seek()\fR resets a file related BIO\*(Aqs (that is file descriptor and FILE BIOs) file position pointer to \fBofs\fR bytes from start of file. .PP \&\fBBIO_tell()\fR returns the current file position of a file related BIO. @@ -140,9 +143,9 @@ Not all BIOs support these calls. \fBBIO_ctrl_pending()\fR and \fBBIO_ctrl_wpend return a size_t type and are functions, \fBBIO_pending()\fR and \fBBIO_wpending()\fR are macros which call \fBBIO_ctrl()\fR. .PP -\&\fBBIO_get_ktls_send()\fR returns 1 if the BIO is using the Kernel TLS data-path for +\&\fBBIO_get_ktls_send()\fR returns 1 if the BIO is using the Kernel TLS data\-path for sending. Otherwise, it returns zero. -\&\fBBIO_get_ktls_recv()\fR returns 1 if the BIO is using the Kernel TLS data-path for +\&\fBBIO_get_ktls_recv()\fR returns 1 if the BIO is using the Kernel TLS data\-path for receiving. Otherwise, it returns zero. .PP \&\fBBIO_get_conn_mode()\fR returns the BIO connection mode. \fBBIO_set_conn_mode()\fR sets 
@@ -174,13 +177,13 @@ return the amount of pending data. \fBBIO_pending()\fR and \fBBIO_wpending()\fR negative value or 0 on error. \fBBIO_ctrl_pending()\fR and \fBBIO_ctrl_wpending()\fR return 0 on error. .PP -\&\fBBIO_get_ktls_send()\fR returns 1 if the BIO is using the Kernel TLS data-path for +\&\fBBIO_get_ktls_send()\fR returns 1 if the BIO is using the Kernel TLS data\-path for sending. Otherwise, it returns zero. -\&\fBBIO_get_ktls_recv()\fR returns 1 if the BIO is using the Kernel TLS data-path for +\&\fBBIO_get_ktls_recv()\fR returns 1 if the BIO is using the Kernel TLS data\-path for receiving. Otherwise, it returns zero. .PP \&\fBBIO_set_conn_mode()\fR returns 1 for success and 0 for failure. \fBBIO_get_conn_mode()\fR -returns the current connection mode. Which may contain the bitwise-or of the +returns the current connection mode. Which may contain the bitwise\-or of the following flags: .PP .Vb 6 diff --git a/secure/lib/libcrypto/man/man3/BIO_f_base64.3 b/secure/lib/libcrypto/man/man3/BIO_f_base64.3 index 34b51f086dff..7a84697967d7 100644 --- a/secure/lib/libcrypto/man/man3/BIO_f_base64.3 +++ b/secure/lib/libcrypto/man/man3/BIO_f_base64.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_F_BASE64 3ossl" -.TH BIO_F_BASE64 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_F_BASE64 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -93,7 +96,7 @@ skipped, as are lines longer than 1024 bytes. Decoding starts with the first line that is shorter than 1024 bytes (including the newline) and consists of only (at least one) valid base64 characters plus optional whitespace. -Decoding stops when base64 padding is encountered, a soft end-of-input +Decoding stops when base64 padding is encountered, a soft end\-of\-input character (\fB\-\fR, see \fBEVP_DecodeUpdate\fR\|(3)) occurs as the first byte after a complete group of 4 valid base64 characters is decoded, or when an error occurs (e.g. due to input characters other than valid base64 or whitespace). @@ -157,12 +160,12 @@ data to standard output: .Ve .SH BUGS .IX Header "BUGS" -The hyphen character (\fB\-\fR) is treated as an ad hoc soft end-of-input +The hyphen character (\fB\-\fR) is treated as an ad hoc soft end\-of\-input character when it occurs at the start of a base64 group of 4 encoded characters. .PP This heuristic works to detect the ends of base64 blocks in PEM or -multi-part MIME, provided there are no stray hyphens in the middle +multi\-part MIME, provided there are no stray hyphens in the middle input. But it is just a heuristic, and sufficiently unusual input could produce unexpected results. diff --git a/secure/lib/libcrypto/man/man3/BIO_f_buffer.3 b/secure/lib/libcrypto/man/man3/BIO_f_buffer.3 index c7246d65d9d3..876da9defbb4 100644 --- a/secure/lib/libcrypto/man/man3/BIO_f_buffer.3 +++ b/secure/lib/libcrypto/man/man3/BIO_f_buffer.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_F_BUFFER 3ossl" -.TH BIO_F_BUFFER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_F_BUFFER 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -112,7 +115,7 @@ Buffering BIOs implement \fBBIO_read_ex()\fR and \fBBIO_gets()\fR by using result in an internal buffer, from which bytes are given back to the caller as appropriate for the call; a \fBBIO_gets()\fR is guaranteed to give the caller a whole line, and \fBBIO_read_ex()\fR is guaranteed to give the -caller the number of bytes it asks for, unless there's an error or end +caller the number of bytes it asks for, unless there\*(Aqs an error or end of communication is reached in the next BIO. By prepending a buffering BIO to a chain it is therefore possible to provide \&\fBBIO_gets()\fR or exact size \fBBIO_read_ex()\fR functionality if the following diff --git a/secure/lib/libcrypto/man/man3/BIO_f_cipher.3 b/secure/lib/libcrypto/man/man3/BIO_f_cipher.3 index 915dfca393d4..b267a15917f2 100644 --- a/secure/lib/libcrypto/man/man3/BIO_f_cipher.3 +++ b/secure/lib/libcrypto/man/man3/BIO_f_cipher.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_F_CIPHER 3ossl" -.TH BIO_F_CIPHER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_F_CIPHER 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_f_md.3 b/secure/lib/libcrypto/man/man3/BIO_f_md.3 index c54342a68926..35d42c41e2dd 100644 --- a/secure/lib/libcrypto/man/man3/BIO_f_md.3 +++ b/secure/lib/libcrypto/man/man3/BIO_f_md.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_F_MD 3ossl" -.TH BIO_F_MD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_F_MD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_f_null.3 b/secure/lib/libcrypto/man/man3/BIO_f_null.3 index f1b49042a9d7..122fdf9f570c 100644 --- a/secure/lib/libcrypto/man/man3/BIO_f_null.3 +++ b/secure/lib/libcrypto/man/man3/BIO_f_null.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_F_NULL 3ossl" -.TH BIO_F_NULL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_F_NULL 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_f_prefix.3 b/secure/lib/libcrypto/man/man3/BIO_f_prefix.3 index b1b54e6a1397..dc6e534631b6 100644 --- a/secure/lib/libcrypto/man/man3/BIO_f_prefix.3 +++ b/secure/lib/libcrypto/man/man3/BIO_f_prefix.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_F_PREFIX 3ossl" -.TH BIO_F_PREFIX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_F_PREFIX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -88,7 +91,7 @@ By default, there is no prefix, and indentation is set to 0. .PP \&\fBBIO_set_prefix()\fR sets the prefix to be used for future lines of text, using \fIprefix\fR. \fIprefix\fR may be NULL, signifying that there -should be no prefix. If \fIprefix\fR isn't NULL, this function makes a +should be no prefix. If \fIprefix\fR isn\*(Aqt NULL, this function makes a copy of it. .PP \&\fBBIO_set_indent()\fR sets the indentation to be used for future lines of 
diff --git a/secure/lib/libcrypto/man/man3/BIO_f_readbuffer.3 b/secure/lib/libcrypto/man/man3/BIO_f_readbuffer.3 index c967deb494cb..2b4130ac5745 100644 --- a/secure/lib/libcrypto/man/man3/BIO_f_readbuffer.3 +++ b/secure/lib/libcrypto/man/man3/BIO_f_readbuffer.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_F_READBUFFER 3ossl" -.TH BIO_F_READBUFFER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_F_READBUFFER 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -74,7 +77,7 @@ BIO_f_readbuffer .IX Header "DESCRIPTION" \&\fBBIO_f_readbuffer()\fR returns the read buffering BIO method. .PP -This BIO filter can be inserted on top of BIO's that do not support \fBBIO_tell()\fR +This BIO filter can be inserted on top of BIO\*(Aqs that do not support \fBBIO_tell()\fR or \fBBIO_seek()\fR (e.g. A file BIO that uses stdin). .PP Data read from a read buffering BIO comes from an internal buffer which is 
@@ -90,7 +93,7 @@ Read buffering BIOs implement \fBBIO_read_ex()\fR by using \fBBIO_read_ex()\fR o on the next BIO (e.g. a file BIO) in the chain and storing the result in an internal buffer, from which bytes are given back to the caller as appropriate for the call. \fBBIO_read_ex()\fR is guaranteed to give the caller the number of bytes -it asks for, unless there's an error or end of communication is reached in the +it asks for, unless there\*(Aqs an error or end of communication is reached in the next BIO. The internal buffer can grow to cache the entire contents of the next BIO in the chain. \fBBIO_seek()\fR uses the internal buffer, so that it can only seek into data that is already read. diff --git a/secure/lib/libcrypto/man/man3/BIO_f_ssl.3 b/secure/lib/libcrypto/man/man3/BIO_f_ssl.3 index 61a5d59ce8ba..f6a0f35dc7f4 100644 --- a/secure/lib/libcrypto/man/man3/BIO_f_ssl.3 +++ b/secure/lib/libcrypto/man/man3/BIO_f_ssl.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_F_SSL 3ossl" -.TH BIO_F_SSL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_F_SSL 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -153,7 +156,7 @@ pointer. .PP \&\fBBIO_do_handshake()\fR attempts to complete an SSL handshake on the supplied BIO and establish the SSL connection. -For non-SSL BIOs the connection is done typically at TCP level. +For non\-SSL BIOs the connection is done typically at TCP level. If domain name resolution yields multiple IP addresses all of them are tried after \fBconnect()\fR failures. The function returns 1 if the connection was established successfully. diff --git a/secure/lib/libcrypto/man/man3/BIO_find_type.3 b/secure/lib/libcrypto/man/man3/BIO_find_type.3 index fdf4104ff85d..47d46ece4a48 100644 --- a/secure/lib/libcrypto/man/man3/BIO_find_type.3 +++ b/secure/lib/libcrypto/man/man3/BIO_find_type.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_FIND_TYPE 3ossl" -.TH BIO_FIND_TYPE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_FIND_TYPE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_get_data.3 b/secure/lib/libcrypto/man/man3/BIO_get_data.3 index a0a98acad594..add9524083ad 100644 --- a/secure/lib/libcrypto/man/man3/BIO_get_data.3 +++ b/secure/lib/libcrypto/man/man3/BIO_get_data.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_GET_DATA 3ossl" -.TH BIO_GET_DATA 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_GET_DATA 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -83,7 +86,7 @@ The \fBBIO_set_data()\fR function associates the custom data pointed to by \fBpt the BIO. This data can subsequently be retrieved via a call to \fBBIO_get_data()\fR. This can be used by custom BIOs for storing implementation specific information. .PP -The \fBBIO_set_init()\fR function sets the value of the BIO's "init" flag to indicate +The \fBBIO_set_init()\fR function sets the value of the BIO\*(Aqs "init" flag to indicate whether initialisation has been completed for this BIO or not. A nonzero value indicates that initialisation is complete, whilst zero indicates that it is not. Often initialisation will complete during initial construction of the BIO. For 
@@ -92,16 +95,16 @@ have occurred (for example through calling custom ctrls). The \fBBIO_get_init()\ function returns the value of the "init" flag. .PP The \fBBIO_set_shutdown()\fR and \fBBIO_get_shutdown()\fR functions set and get the state of -this BIO's shutdown (i.e. BIO_CLOSE) flag. If set then the underlying resource +this BIO\*(Aqs shutdown (i.e. BIO_CLOSE) flag. If set then the underlying resource is also closed when the BIO is freed. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBBIO_get_data()\fR returns a pointer to the implementation specific custom data associated with this BIO, or NULL if none has been set. .PP -\&\fBBIO_get_init()\fR returns the state of the BIO's init flag. +\&\fBBIO_get_init()\fR returns the state of the BIO\*(Aqs init flag. .PP -\&\fBBIO_get_shutdown()\fR returns the stat of the BIO's shutdown (i.e. BIO_CLOSE) flag. +\&\fBBIO_get_shutdown()\fR returns the stat of the BIO\*(Aqs shutdown (i.e. BIO_CLOSE) flag. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBbio\fR\|(7), \fBBIO_meth_new\fR\|(3) diff --git a/secure/lib/libcrypto/man/man3/BIO_get_ex_new_index.3 b/secure/lib/libcrypto/man/man3/BIO_get_ex_new_index.3 index e6ec1d3ee4a3..bb42f72870f2 100644 --- a/secure/lib/libcrypto/man/man3/BIO_get_ex_new_index.3 +++ b/secure/lib/libcrypto/man/man3/BIO_get_ex_new_index.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_GET_EX_NEW_INDEX 3ossl" -.TH BIO_GET_EX_NEW_INDEX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_GET_EX_NEW_INDEX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,7 +144,7 @@ Applications should instead use \fBEVP_PKEY_set_ex_data()\fR, All functions with a \fITYPE\fR of \fBENGINE\fR are deprecated. Applications using engines should be replaced by providers. .PP -These functions handle application-specific data for OpenSSL data +These functions handle application\-specific data for OpenSSL data structures. .PP \&\fBTYPE_get_ex_new_index()\fR is a macro that calls \fBCRYPTO_get_ex_new_index()\fR diff --git a/secure/lib/libcrypto/man/man3/BIO_get_rpoll_descriptor.3 b/secure/lib/libcrypto/man/man3/BIO_get_rpoll_descriptor.3 index 98299ffb6c0c..45cf366c648a 100644 --- a/secure/lib/libcrypto/man/man3/BIO_get_rpoll_descriptor.3 +++ b/secure/lib/libcrypto/man/man3/BIO_get_rpoll_descriptor.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_GET_RPOLL_DESCRIPTOR 3ossl" -.TH BIO_GET_RPOLL_DESCRIPTOR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_GET_RPOLL_DESCRIPTOR 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -84,7 +87,7 @@ can be used to determine when a BIO object can next be read or written .IX Header "DESCRIPTION" \&\fBBIO_get_rpoll_descriptor()\fR and \fBBIO_get_wpoll_descriptor()\fR, on success, fill \&\fI*desc\fR with a poll descriptor. A poll descriptor is a tagged union structure -which represents some kind of OS or non-OS resource which can be used to +which represents some kind of OS or non\-OS resource which can be used to synchronise on I/O availability events. .PP \&\fBBIO_get_rpoll_descriptor()\fR outputs a descriptor which can be used to determine @@ -115,7 +118,7 @@ in the \fBBIO_POLL_DESCRIPTOR\fR is valid if it is not set to \-1. .Sp The resource is whatever kind of handle is used by a given OS to represent sockets, which may vary by OS. For example, on Windows, the value is a \fBSOCKET\fR -for use with the Winsock API. On POSIX-like platforms, it is a file descriptor. +for use with the Winsock API. On POSIX\-like platforms, it is a file descriptor. .Sp Where a poll descriptor of this type is output by \fBBIO_get_rpoll_descriptor()\fR, it should be polled for readability to determine when the BIO might next be able to diff --git a/secure/lib/libcrypto/man/man3/BIO_meth_new.3 b/secure/lib/libcrypto/man/man3/BIO_meth_new.3 index 10cd19ec2686..ec8fb630b205 100644 --- a/secure/lib/libcrypto/man/man3/BIO_meth_new.3 +++ b/secure/lib/libcrypto/man/man3/BIO_meth_new.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_METH_NEW 3ossl" -.TH BIO_METH_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_METH_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -244,7 +247,7 @@ The \fBBIO_meth_get\fR functions return the corresponding function pointers. .IX Header "BUGS" It is not safe to use \f(CW\*(C`BIO_meth_get_\*(C'\fR functions to reuse the \fBBIO\fR implementation of \fBBIO\fRs implemented by OpenSSL itself with -application-implemented \fBBIO\fRs. Instead either the applications ought to +application\-implemented \fBBIO\fRs. Instead either the applications ought to implement these functions themselves or they should implement a filter BIO. .PP For more details please see <https://github.com/openssl/openssl/issues/26047>. diff --git a/secure/lib/libcrypto/man/man3/BIO_new.3 b/secure/lib/libcrypto/man/man3/BIO_new.3 index 44176f4c34d5..1219e978c3aa 100644 --- a/secure/lib/libcrypto/man/man3/BIO_new.3 +++ b/secure/lib/libcrypto/man/man3/BIO_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_NEW 3ossl" -.TH BIO_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_new_CMS.3 b/secure/lib/libcrypto/man/man3/BIO_new_CMS.3 index f5b95ea32949..2653be493c28 100644 --- a/secure/lib/libcrypto/man/man3/BIO_new_CMS.3 +++ b/secure/lib/libcrypto/man/man3/BIO_new_CMS.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_NEW_CMS 3ossl" -.TH BIO_NEW_CMS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_NEW_CMS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_parse_hostserv.3 b/secure/lib/libcrypto/man/man3/BIO_parse_hostserv.3 index 2062eb8254a5..ee07a046ee13 100644 --- a/secure/lib/libcrypto/man/man3/BIO_parse_hostserv.3 +++ b/secure/lib/libcrypto/man/man3/BIO_parse_hostserv.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_PARSE_HOSTSERV 3ossl" -.TH BIO_PARSE_HOSTSERV 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_PARSE_HOSTSERV 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -96,8 +99,8 @@ The syntax the \fBBIO_parse_hostserv()\fR recognises is: \& service .Ve .PP -The host part can be a name or an IP address. If it's a IPv6 -address, it MUST be enclosed in brackets, such as '[::1]'. +The host part can be a name or an IP address. If it\*(Aqs a IPv6 +address, it MUST be enclosed in brackets, such as \*(Aq[::1]\*(Aq. .PP The service part can be a service name or its port number. A service name will be mapped to a port number using the system function \fBgetservbyname()\fR. diff --git a/secure/lib/libcrypto/man/man3/BIO_printf.3 b/secure/lib/libcrypto/man/man3/BIO_printf.3 index dc64e86dcf74..34c4185db6df 100644 --- a/secure/lib/libcrypto/man/man3/BIO_printf.3 +++ b/secure/lib/libcrypto/man/man3/BIO_printf.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_PRINTF 3ossl" -.TH BIO_PRINTF 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_PRINTF 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_push.3 b/secure/lib/libcrypto/man/man3/BIO_push.3 index 5ea891c8ccfc..f031f95c3bf4 100644 --- a/secure/lib/libcrypto/man/man3/BIO_push.3 +++ b/secure/lib/libcrypto/man/man3/BIO_push.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_PUSH 3ossl" -.TH BIO_PUSH 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_PUSH 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_read.3 b/secure/lib/libcrypto/man/man3/BIO_read.3 index 29926d5ad6e7..ff633eeaaa87 100644 --- a/secure/lib/libcrypto/man/man3/BIO_read.3 +++ b/secure/lib/libcrypto/man/man3/BIO_read.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_READ 3ossl" -.TH BIO_READ 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_READ 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -96,22 +99,22 @@ in \fIbuf\fR. Usually this operation will attempt to read a line of data from the BIO of maximum length \fIsize\-1\fR. There are exceptions to this, however; for example, \fBBIO_gets()\fR on a digest BIO will calculate and return the digest and other BIOs may not support \fBBIO_gets()\fR at all. -The returned string is always NUL-terminated and the '\en' is preserved +The returned string is always NUL\-terminated and the \*(Aq\en\*(Aq is preserved if present in the input data. On binary input there may be NUL characters within the string; in this case the return value (if nonnegative) may give an incorrect length. .PP -\&\fBBIO_get_line()\fR attempts to read from BIO \fIb\fR a line of data up to the next '\en' +\&\fBBIO_get_line()\fR attempts to read from BIO \fIb\fR a line of data up to the next \*(Aq\en\*(Aq or the maximum length \fIsize\-1\fR is reached and places the data in \fIbuf\fR. -The returned string is always NUL-terminated and the '\en' is preserved +The returned string is always NUL\-terminated and the \*(Aq\en\*(Aq is preserved if present in the input data. On binary input there may be NUL characters within the string; in this case the return value (if nonnegative) gives the actual length read. -For implementing this, unfortunately the data needs to be read byte-by-byte. +For implementing this, unfortunately the data needs to be read byte\-by\-byte. .PP \&\fBBIO_write()\fR attempts to write \fIlen\fR bytes from \fIbuf\fR to BIO \fIb\fR. .PP -\&\fBBIO_puts()\fR attempts to write a NUL-terminated string \fIbuf\fR to BIO \fIb\fR. +\&\fBBIO_puts()\fR attempts to write a NUL\-terminated string \fIbuf\fR to BIO \fIb\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBBIO_read_ex()\fR returns 1 if data was successfully read, and 0 otherwise. 
@@ -165,7 +168,7 @@ supported by adding a buffering BIO \fBBIO_f_buffer\fR\|(3) to the chain. .SH HISTORY .IX Header "HISTORY" \&\fBBIO_gets()\fR on 1.1.0 and older when called on \fBBIO_fd()\fR based BIO did not -keep the '\en' at the end of the line in the buffer. +keep the \*(Aq\en\*(Aq at the end of the line in the buffer. .PP \&\fBBIO_get_line()\fR was added in OpenSSL 3.0. .PP diff --git a/secure/lib/libcrypto/man/man3/BIO_s_accept.3 b/secure/lib/libcrypto/man/man3/BIO_s_accept.3 index 4b5af5e98860..151f8cc536ec 100644 --- a/secure/lib/libcrypto/man/man3/BIO_s_accept.3 +++ b/secure/lib/libcrypto/man/man3/BIO_s_accept.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_S_ACCEPT 3ossl" -.TH BIO_S_ACCEPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_S_ACCEPT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -98,7 +101,7 @@ BIO_set_bind_mode, BIO_get_bind_mode, BIO_do_accept \- accept BIO .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBBIO_s_accept()\fR returns the accept BIO method. This is a wrapper -round the platform's TCP/IP socket accept routines. +round the platform\*(Aqs TCP/IP socket accept routines. .PP Using accept BIOs, TCP/IP connections can be accepted and data transferred using only BIO routines. In this way any platform diff --git a/secure/lib/libcrypto/man/man3/BIO_s_bio.3 b/secure/lib/libcrypto/man/man3/BIO_s_bio.3 index 1194bae9daf9..064c90832259 100644 
--- a/secure/lib/libcrypto/man/man3/BIO_s_bio.3 +++ b/secure/lib/libcrypto/man/man3/BIO_s_bio.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_S_BIO 3ossl" -.TH BIO_S_BIO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_S_BIO 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -193,7 +196,7 @@ locations for \fBbio1\fR and \fBbio2\fR. Check the error stack for more informat .IX Header "EXAMPLES" The BIO pair can be used to have full control over the network access of an application. The application can call \fBselect()\fR on the socket as required -without having to go through the SSL-interface. +without having to go through the SSL\-interface. .PP .Vb 1 \& BIO *internal_bio, *network_bio; diff --git a/secure/lib/libcrypto/man/man3/BIO_s_connect.3 b/secure/lib/libcrypto/man/man3/BIO_s_connect.3 index e6665553950b..4666a8c4623a 100644 --- a/secure/lib/libcrypto/man/man3/BIO_s_connect.3 +++ b/secure/lib/libcrypto/man/man3/BIO_s_connect.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_S_CONNECT 3ossl" -.TH BIO_S_CONNECT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_S_CONNECT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -97,7 +100,7 @@ BIO_do_connect \- connect BIO .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBBIO_s_connect()\fR returns the connect BIO method. This is a wrapper -round the platform's TCP/IP socket connection routines. +round the platform\*(Aqs TCP/IP socket connection routines. .PP Using connect BIOs, TCP/IP connections can be made and data transferred using only BIO routines. In this way any platform @@ -156,7 +159,7 @@ non blocking I/O is set during the connect process. .PP \&\fBBIO_do_connect()\fR attempts to connect the supplied BIO. This performs an SSL/TLS handshake as far as supported by the BIO. -For non-SSL BIOs the connection is done typically at TCP level. +For non\-SSL BIOs the connection is done typically at TCP level. If domain name resolution yields multiple IP addresses all of them are tried after \fBconnect()\fR failures. The function returns 1 if the connection was established successfully. @@ -186,7 +189,7 @@ will normally mean that the connection was closed. If the port name is supplied as part of the hostname then this will override any value set with \fBBIO_set_conn_port()\fR. This may be undesirable if the application does not wish to allow connection to arbitrary -ports. This can be avoided by checking for the presence of the ':' +ports. This can be avoided by checking for the presence of the \*(Aq:\*(Aq character in the passed hostname and either indicating an error or truncating the string at that point. .PP 
diff --git a/secure/lib/libcrypto/man/man3/BIO_s_core.3 b/secure/lib/libcrypto/man/man3/BIO_s_core.3 index 3104f3ab3ac6..de92010515f9 100644 --- a/secure/lib/libcrypto/man/man3/BIO_s_core.3 +++ b/secure/lib/libcrypto/man/man3/BIO_s_core.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_S_CORE 3ossl" -.TH BIO_S_CORE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_S_CORE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_s_datagram.3 b/secure/lib/libcrypto/man/man3/BIO_s_datagram.3 index 6f7da894ab39..2ee0b104a41d 100644 --- a/secure/lib/libcrypto/man/man3/BIO_s_datagram.3 +++ b/secure/lib/libcrypto/man/man3/BIO_s_datagram.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_S_DATAGRAM 3ossl" -.TH BIO_S_DATAGRAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_S_DATAGRAM 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -98,7 +101,7 @@ a single datagram and a single \fBBIO_read()\fR call receives a single datagram. the size of the buffer passed to \fBBIO_read()\fR is inadequate, the datagram is silently truncated. .PP -For a memory-based BIO which provides datagram semantics identical to those of +For a memory\-based BIO which provides datagram semantics identical to those of \&\fBBIO_s_datagram()\fR, see \fBBIO_s_dgram_pair\fR\|(3). .PP This BIO supports the \fBBIO_sendmmsg\fR\|(3) and \fBBIO_recvmmsg\fR\|(3) functions. @@ -107,7 +110,7 @@ When using \fBBIO_s_datagram()\fR, it is important to note that: .IP \(bu 4 This BIO can be used with either a connected or unconnected network socket. A connected socket is a network socket which has had \fBBIO_connect\fR\|(3) or a -similar OS-specific function called on it. Such a socket can only receive +similar OS\-specific function called on it. Such a socket can only receive datagrams from the specified peer. Any other socket is an unconnected socket and can receive datagrams from any host. .IP \(bu 4 
@@ -147,7 +150,7 @@ This informs the \fBBIO_s_datagram()\fR whether the underlying socket has been connected, and therefore how the \fBBIO_s_datagram()\fR should attempt to use the socket. .Sp -If the \fIpeer\fR argument is non-NULL, \fBBIO_s_datagram()\fR assumes that the +If the \fIpeer\fR argument is non\-NULL, \fBBIO_s_datagram()\fR assumes that the underlying socket has been connected and will attempt to use the socket using OS APIs which do not specify peer addresses (for example, \fBsend\fR\|(3) and \fBrecv\fR\|(3) or similar). The \fIpeer\fR argument should specify the peer address to which the socket @@ -215,9 +218,9 @@ higher in atypical network configurations, for example where IPv6 extension headers or IPv4 options are used. .IP BIO_CTRL_DGRAM_SET_DONT_FRAG 4 .IX Item "BIO_CTRL_DGRAM_SET_DONT_FRAG" -If \fInum\fR is nonzero, configures the underlying network socket to enable Don't -Fragment mode, in which datagrams will be set with the IP Don't Fragment (DF) -bit set. If \fInum\fR is zero, Don't Fragment mode is disabled. +If \fInum\fR is nonzero, configures the underlying network socket to enable Don\*(Aqt +Fragment mode, in which datagrams will be set with the IP Don\*(Aqt Fragment (DF) +bit set. If \fInum\fR is zero, Don\*(Aqt Fragment mode is disabled. .IP BIO_CTRL_DGRAM_QUERY_MTU 4 .IX Item "BIO_CTRL_DGRAM_QUERY_MTU" Queries the OS for its assessment of the Path MTU for the destination to which diff --git a/secure/lib/libcrypto/man/man3/BIO_s_dgram_pair.3 b/secure/lib/libcrypto/man/man3/BIO_s_dgram_pair.3 index 3c94c37ff121..e355c0605eb7 100644 --- a/secure/lib/libcrypto/man/man3/BIO_s_dgram_pair.3 +++ b/secure/lib/libcrypto/man/man3/BIO_s_dgram_pair.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_S_DGRAM_PAIR 3ossl" -.TH BIO_S_DGRAM_PAIR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_S_DGRAM_PAIR 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -134,8 +137,8 @@ size of the next datagram waiting to be read in bytes. An application can use this function to ensure it provides an adequate buffer to a subsequent read call. If no datagram is waiting to be read, zero is returned. .PP -This BIO does not support sending or receiving zero-length datagrams. Passing a -zero-length buffer to BIO_write is treated as a no-op. +This BIO does not support sending or receiving zero\-length datagrams. Passing a +zero\-length buffer to BIO_write is treated as a no\-op. .PP \&\fBBIO_eof\fR\|(3) returns 1 only if the given BIO datagram pair BIO is not currently connected to a peer BIO. @@ -149,9 +152,9 @@ intending to write it to a BIO datagram pair, but where the received datagram ends up being too large to write to the BIO datagram pair. .PP \&\fBBIO_dgram_set_no_trunc()\fR and \fBBIO_ctrl_get_no_trunc()\fR set and retrieve the -truncation mode for the given half of a BIO datagram pair. When no-truncate mode +truncation mode for the given half of a BIO datagram pair. When no\-truncate mode is enabled, \fBBIO_read()\fR will fail if the buffer provided is inadequate to hold -the next datagram to be read. If no-truncate mode is disabled (the default), the +the next datagram to be read. If no\-truncate mode is disabled (the default), the datagram will be silently truncated. This default behaviour maintains compatibility with the semantics of the Berkeley sockets API. .PP 
@@ -171,7 +174,7 @@ explicitly specified local address takes precedence. The reference to the BIO_ADDR is passed to the BIO by this call and will be freed automatically when the BIO is freed. .PP -\&\fBBIO_flush\fR\|(3) is a no-op. +\&\fBBIO_flush\fR\|(3) is a no\-op. .SH NOTES .IX Header "NOTES" The halves of a BIO datagram pair have independent lifetimes and must be @@ -254,8 +257,8 @@ locations for \fBbio1\fR and \fBbio2\fR. Check the error stack for more informat \&\fBBIO_dgram_set_no_trunc()\fR, \fBBIO_dgram_set_caps()\fR and \fBBIO_dgram_set_mtu()\fR return 1 on success and 0 on failure. .PP -\&\fBBIO_dgram_get_no_trunc()\fR returns 1 if no-truncate mode is enabled on a BIO, or 0 -if no-truncate mode is not enabled or not supported on a given BIO. +\&\fBBIO_dgram_get_no_trunc()\fR returns 1 if no\-truncate mode is enabled on a BIO, or 0 +if no\-truncate mode is not enabled or not supported on a given BIO. .PP \&\fBBIO_dgram_get_effective_caps()\fR and \fBBIO_dgram_get_caps()\fR return zero if no capabilities are supported. diff --git a/secure/lib/libcrypto/man/man3/BIO_s_fd.3 b/secure/lib/libcrypto/man/man3/BIO_s_fd.3 index e90758f383d1..2530a67f4bb7 100644 --- a/secure/lib/libcrypto/man/man3/BIO_s_fd.3 +++ b/secure/lib/libcrypto/man/man3/BIO_s_fd.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_S_FD 3ossl" -.TH BIO_S_FD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_S_FD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_s_file.3 b/secure/lib/libcrypto/man/man3/BIO_s_file.3 index 4e90637aa3c5..4a4453d4de31 100644 --- a/secure/lib/libcrypto/man/man3/BIO_s_file.3 +++ b/secure/lib/libcrypto/man/man3/BIO_s_file.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_S_FILE 3ossl" -.TH BIO_S_FILE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_S_FILE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_s_mem.3 b/secure/lib/libcrypto/man/man3/BIO_s_mem.3 index 58320b109713..84b50ed14bda 100644 --- a/secure/lib/libcrypto/man/man3/BIO_s_mem.3 +++ b/secure/lib/libcrypto/man/man3/BIO_s_mem.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_S_MEM 3ossl" -.TH BIO_S_MEM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_S_MEM 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_s_null.3 b/secure/lib/libcrypto/man/man3/BIO_s_null.3 index b2c14922bcb3..01e1b12a69c5 100644 --- a/secure/lib/libcrypto/man/man3/BIO_s_null.3 +++ b/secure/lib/libcrypto/man/man3/BIO_s_null.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_S_NULL 3ossl" -.TH BIO_S_NULL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_S_NULL 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_s_socket.3 b/secure/lib/libcrypto/man/man3/BIO_s_socket.3 index 949cade498a1..0990a7980335 100644 --- a/secure/lib/libcrypto/man/man3/BIO_s_socket.3 +++ b/secure/lib/libcrypto/man/man3/BIO_s_socket.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_S_SOCKET 3ossl" -.TH BIO_S_SOCKET 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_S_SOCKET 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -74,7 +77,7 @@ BIO_s_socket, BIO_new_socket \- socket BIO .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBBIO_s_socket()\fR returns the socket BIO method. This is a wrapper -round the platform's socket routines. +round the platform\*(Aqs socket routines. .PP \&\fBBIO_read_ex()\fR and \fBBIO_write_ex()\fR read or write the underlying socket. \&\fBBIO_puts()\fR is supported but \fBBIO_gets()\fR is not. diff --git a/secure/lib/libcrypto/man/man3/BIO_sendmmsg.3 b/secure/lib/libcrypto/man/man3/BIO_sendmmsg.3 index f415219e8130..ed94f2d0d394 100644 --- a/secure/lib/libcrypto/man/man3/BIO_sendmmsg.3 +++ b/secure/lib/libcrypto/man/man3/BIO_sendmmsg.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_SENDMMSG 3ossl" -.TH BIO_SENDMMSG 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_SENDMMSG 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -105,14 +108,14 @@ The caller should set the \fIdata\fR member of a \fBBIO_MSG\fR to a buffer conta the data to send, or to be filled with a received message. \fIdata_len\fR should be set to the size of the buffer in bytes. If the given \fBBIO_MSG\fR is processed (in other words, if the integer returned by the function is greater than or equal to -that \fBBIO_MSG\fR's array index), \fIdata_len\fR will be modified to specify the +that \fBBIO_MSG\fR\*(Aqs array index), \fIdata_len\fR will be modified to specify the actual amount of data sent or received. .PP -The \fIflags\fR field of a \fBBIO_MSG\fR provides input per-message flags to the +The \fIflags\fR field of a \fBBIO_MSG\fR provides input per\-message flags to the invocation. If the invocation processes that \fBBIO_MSG\fR, the \fIflags\fR field is -written with output per-message flags, or zero if no such flags are applicable. +written with output per\-message flags, or zero if no such flags are applicable. .PP -Currently, no input or output per-message flags are defined and this field +Currently, no input or output per\-message flags are defined and this field should be set to zero before calling \fBBIO_sendmmsg()\fR or \fBBIO_recvmmsg()\fR. .PP The \fIflags\fR argument to \fBBIO_sendmmsg()\fR and \fBBIO_recvmmsg()\fR provides global 
@@ -121,47 +124,47 @@ defined and this argument should be set to zero. .PP When these functions are used to send and receive datagrams, the \fIpeer\fR field of a \fBBIO_MSG\fR allows the destination address of sent datagrams to be specified -on a per-datagram basis, and the source address of received datagrams to be +on a per\-datagram basis, and the source address of received datagrams to be determined. The \fIpeer\fR field should be set to point to a \fBBIO_ADDR\fR, which will be read by \fBBIO_sendmmsg()\fR and used as the destination address for sent datagrams, and written by \fBBIO_recvmmsg()\fR with the source address of received datagrams. .PP Similarly, the \fIlocal\fR field of a \fBBIO_MSG\fR allows the source address of sent -datagrams to be specified on a per-datagram basis, and the destination address +datagrams to be specified on a per\-datagram basis, and the destination address of received datagrams to be determined. Unlike \fIpeer\fR, support for \fIlocal\fR must be explicitly enabled on a \fBBIO\fR before it can be used; see -\&\fBBIO_dgram_set_local_addr_enable()\fR. If \fIlocal\fR is non-NULL in a \fBBIO_MSG\fR and +\&\fBBIO_dgram_set_local_addr_enable()\fR. If \fIlocal\fR is non\-NULL in a \fBBIO_MSG\fR and support for \fIlocal\fR has not been enabled, processing of that \fBBIO_MSG\fR fails. .PP \&\fIpeer\fR and \fIlocal\fR should be set to NULL if they are not required. Support for \&\fIlocal\fR may not be available on all platforms; on these platforms, these -functions always fail if \fIlocal\fR is non-NULL. +functions always fail if \fIlocal\fR is non\-NULL. .PP If \fIlocal\fR is specified and local address support is enabled, but the operating system does not report a local address for a specific received message, the \&\fBBIO_ADDR\fR it points to will be cleared (address family set to \f(CW\*(C`AF_UNSPEC\*(C'\fR). 
This is known to happen on Windows when a packet is received which was sent by -the local system, regardless of whether the packet's destination address was the -loopback address or the IP address of a local non-loopback interface. This is +the local system, regardless of whether the packet\*(Aqs destination address was the +loopback address or the IP address of a local non\-loopback interface. This is also known to happen on macOS in some circumstances, such as for packets sent before local address support was enabled for a receiving socket. These are -OS-specific limitations. As such, users of this API using local address support +OS\-specific limitations. As such, users of this API using local address support should expect to sometimes receive a cleared local \fBBIO_ADDR\fR instead of the correct value. .PP The \fIstride\fR argument must be set to \f(CWsizeof(BIO_MSG)\fR. This argument facilitates backwards compatibility if fields are added to \fBBIO_MSG\fR. Callers -must zero-initialize \fBBIO_MSG\fR. +must zero\-initialize \fBBIO_MSG\fR. .PP \&\fInum_msg\fR should be sent to the maximum number of messages to send or receive, which is also the length of the array pointed to by \fImsg\fR. .PP -\&\fImsgs_processed\fR must be non-NULL and points to an integer written with the +\&\fImsgs_processed\fR must be non\-NULL and points to an integer written with the number of messages successfully processed; see the RETURN VALUES section for further discussion. .PP -Unlike most BIO functions, these functions explicitly support multi-threaded +Unlike most BIO functions, these functions explicitly support multi\-threaded use. Multiple concurrent writers and multiple concurrent readers of the same BIO are permitted in any combination. As such, these functions do not clear, set, or otherwise modify BIO retry flags. The return value must be used to determine 
@@ -186,7 +189,7 @@ which is transient in nature. .SH NOTES .IX Header "NOTES" Some implementations of the \fBBIO_sendmmsg()\fR and \fBBIO_recvmmsg()\fR BIO methods might -always process at most one message at a time, for example when OS-level +always process at most one message at a time, for example when OS\-level functionality to transmit or receive multiple messages at a time is not available. .SH "RETURN VALUES" @@ -197,7 +200,7 @@ the number of messages successfully processed (which need not be nonzero) to entries in the \fBBIO_MSG\fR array from 0 through n\-1 inclusive have their \&\fIdata_len\fR and \fIflags\fR fields updated with the results of the operation on that message. If the call was to \fBBIO_recvmmsg()\fR and the \fIpeer\fR or \fIlocal\fR -fields of that message are non-NULL, the \fBBIO_ADDR\fR structures they point to +fields of that message are non\-NULL, the \fBBIO_ADDR\fR structures they point to are written with the relevant address. .PP On failure, the functions \fBBIO_sendmmsg()\fR and \fBBIO_recvmmsg()\fR return 0 and write 
@@ -209,35 +212,35 @@ error using \fBERR_raise\fR\|(3). Any error may be raised, but the following in particular may be noted: .IP \fBBIO_R_LOCAL_ADDR_NOT_AVAILABLE\fR 2 .IX Item "BIO_R_LOCAL_ADDR_NOT_AVAILABLE" -The \fIlocal\fR field was set to a non-NULL value, but local address support is not +The \fIlocal\fR field was set to a non\-NULL value, but local address support is not available or not enabled on the BIO. .IP \fBBIO_R_PEER_ADDR_NOT_AVAILABLE\fR 2 .IX Item "BIO_R_PEER_ADDR_NOT_AVAILABLE" -The \fIpeer\fR field was set to a non-NULL value, but peer address support is not +The \fIpeer\fR field was set to a non\-NULL value, but peer address support is not available on the BIO. .IP \fBBIO_R_UNSUPPORTED_METHOD\fR 2 .IX Item "BIO_R_UNSUPPORTED_METHOD" The \fBBIO_sendmmsg()\fR or \fBBIO_recvmmsg()\fR method is not supported on the BIO. .IP \fBBIO_R_NON_FATAL\fR 2 .IX Item "BIO_R_NON_FATAL" -The call failed due to a transient, non-fatal error (for example, because the +The call failed due to a transient, non\-fatal error (for example, because the BIO is in nonblocking mode and the call would otherwise have blocked). .Sp Implementations of this interface which do not make system calls and thereby -pass through system error codes using \fBERR_LIB_SYS\fR (for example, memory-based +pass through system error codes using \fBERR_LIB_SYS\fR (for example, memory\-based implementations) should issue this reason code to indicate a transient failure. However, users of this interface should not test for this reason code directly, as there are multiple possible packed error codes representing a transient failure; use \fBBIO_err_is_non_fatal()\fR instead (discussed below). 
.IP "Socket errors" 2 .IX Item "Socket errors" -OS-level socket errors are reported using an error with library code +OS\-level socket errors are reported using an error with library code \&\fBERR_LIB_SYS\fR; for a packed error code \fBerrcode\fR where -\&\f(CW\*(C`ERR_SYSTEM_ERROR(errcode) == 1\*(C'\fR, the OS-level socket error code can be +\&\f(CW\*(C`ERR_SYSTEM_ERROR(errcode) == 1\*(C'\fR, the OS\-level socket error code can be retrieved using \f(CWERR_GET_REASON(errcode)\fR. The packed error code can be retrieved by calling \fBERR_peek_last_error\fR\|(3) after the call to \fBBIO_sendmmsg()\fR or \fBBIO_recvmmsg()\fR returns 0. -.IP "Non-fatal errors" 2 +.IP "Non\-fatal errors" 2 .IX Item "Non-fatal errors" Whether an error is transient can be determined by passing the packed error code to \fBBIO_err_is_non_fatal()\fR. Callers should do this instead of testing the reason diff --git a/secure/lib/libcrypto/man/man3/BIO_set_callback.3 b/secure/lib/libcrypto/man/man3/BIO_set_callback.3 index dc4c5c455021..a4a1cc7641e9 100644 --- a/secure/lib/libcrypto/man/man3/BIO_set_callback.3 +++ b/secure/lib/libcrypto/man/man3/BIO_set_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_SET_CALLBACK 3ossl" -.TH BIO_SET_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_SET_CALLBACK 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -106,7 +109,7 @@ see \fBopenssl_user_macros\fR\|(7): .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBBIO_set_callback_ex()\fR and \fBBIO_get_callback_ex()\fR set and retrieve the BIO -callback. The callback is called during most high-level BIO operations. It can +callback. The callback is called during most high\-level BIO operations. It can be used for debugging purposes to trace operations on a BIO or to modify its operation. .PP @@ -135,7 +138,7 @@ The BIO the callback is attached to is passed in \fBb\fR. .IX Item "oper" \&\fBoper\fR is set to the operation being performed. For some operations the callback is called twice, once before and once after the actual -operation, the latter case has \fBoper\fR or'ed with BIO_CB_RETURN. +operation, the latter case has \fBoper\fR or\*(Aqed with BIO_CB_RETURN. .IP \fBlen\fR 4 .IX Item "len" The length of the data requested to be read or written. This is only useful if @@ -353,7 +356,7 @@ respectively. \&\fBBIO_get_callback_arg()\fR returns a \fBchar\fR pointer to the value previously set via a call to \fBBIO_set_callback_arg()\fR. .PP -\&\fBBIO_debug_callback()\fR returns 1 or \fBret\fR if it's called after specific BIO +\&\fBBIO_debug_callback()\fR returns 1 or \fBret\fR if it\*(Aqs called after specific BIO operations. .SH EXAMPLES .IX Header "EXAMPLES" @@ -364,7 +367,7 @@ in crypto/bio/bio_cb.c The \fBBIO_debug_callback_ex()\fR function was added in OpenSSL 3.0. .PP \&\fBBIO_set_callback()\fR, \fBBIO_get_callback()\fR, and \fBBIO_debug_callback()\fR were -deprecated in OpenSSL 3.0. Use the non-deprecated _ex functions instead. +deprecated in OpenSSL 3.0. Use the non\-deprecated _ex functions instead. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man3/BIO_set_flags.3 b/secure/lib/libcrypto/man/man3/BIO_set_flags.3 new file mode 100644 index 000000000000..c1d2e90b2b30 --- /dev/null 
+++ b/secure/lib/libcrypto/man/man3/BIO_set_flags.3 
@@ -0,0 +1,236 @@ +.\" -*- mode: troff; coding: utf-8 -*- +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>. +.ie n \{\ +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{\ +. if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +. \} +.\} +.rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l +.\" ======================================================================== +.\" +.IX Title "BIO_SET_FLAGS 3ossl" +.TH BIO_SET_FLAGS 3ossl 2026-01-27 3.5.5 OpenSSL +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. 
+.if n .ad l +.nh +.SH NAME +BIO_set_flags, BIO_clear_flags, BIO_test_flags, BIO_get_flags, +BIO_set_retry_read, BIO_set_retry_write, BIO_set_retry_special, +BIO_clear_retry_flags, BIO_get_retry_flags +\&\- manipulate and interpret BIO flags +.SH SYNOPSIS +.IX Header "SYNOPSIS" +.Vb 1 +\& #include <openssl/bio.h> +\& +\& void BIO_set_flags(BIO *b, int flags); +\& void BIO_clear_flags(BIO *b, int flags); +\& int BIO_test_flags(const BIO *b, int flags); +\& int BIO_get_flags(const BIO *b); +\& +\& void BIO_set_retry_read(BIO *b); +\& void BIO_set_retry_write(BIO *b); +\& void BIO_set_retry_special(BIO *b); +\& void BIO_clear_retry_flags(BIO *b); +\& int BIO_get_retry_flags(BIO *b); +.Ve +.SH DESCRIPTION +.IX Header "DESCRIPTION" +A \fBBIO\fR has an internal set of bit flags that describe its state. These +functions and macros are used primarily by \fBBIO\fR implementations and by code +that builds \fBBIO\fR chains to manipulate those flags. +.PP +\&\fBBIO_set_flags()\fR sets the bits given in \fIflags\fR in the \fBBIO\fR \fIb\fR. Any bits +already set in the \fBBIO\fR\*(Aqs flag word remain set. +.PP +\&\fBBIO_clear_flags()\fR clears the bits given in \fIflags\fR from the \fBBIO\fR \fIb\fR. Any +other bits in the flag word are left unchanged. +.PP +\&\fBBIO_test_flags()\fR tests the bits given in \fIflags\fR in the \fBBIO\fR \fIb\fR and +returns a nonzero value if any of them are currently set and zero +otherwise. +.PP +\&\fBBIO_get_flags()\fR returns the current flag word from the \fBBIO\fR \fIb\fR. This is +equivalent to testing for all bits and returning the result. +.PP +The following convenience macros are built on top of these primitives and are +used to maintain the retry state of a BIO: +.PP +\&\fBBIO_set_retry_read()\fR marks the \fBBIO\fR \fIb\fR as being in a retryable state +by setting the \fBBIO_FLAGS_SHOULD_RETRY\fR flag. In addition, it sets the +\&\fBBIO_FLAGS_READ\fR flag to indicate that the retry condition is +associated with a read operation. 
+.PP +\&\fBBIO_set_retry_write()\fR marks the \fBBIO\fR \fIb\fR as being in a retryable state +by setting the \fBBIO_FLAGS_SHOULD_RETRY\fR flag. In addition, it sets the +\&\fBBIO_FLAGS_WRITE\fR flag to indicate that the retry condition is +associated with a write operation. +.PP +\&\fBBIO_set_retry_special()\fR marks the \fBBIO\fR \fIb\fR as being in a retryable state +by setting the \fBBIO_FLAGS_SHOULD_RETRY\fR flag. In addition, it sets the +\&\fBBIO_FLAGS_IO_SPECIAL\fR flag to indicate that the retry condition is +associated with a read operation some "special" condition. +The precise meaning of this condition depends on the \fBBIO\fR type. +.PP +\&\fBBIO_clear_retry_flags()\fR clears all retry\-related bits from \fIb\fR, i.e. +\&\fBBIO_FLAGS_READ\fR, \fBBIO_FLAGS_WRITE\fR, \fBBIO_FLAGS_IO_SPECIAL\fR, and +\&\fBBIO_FLAGS_SHOULD_RETRY\fR. +.PP +\&\fBBIO_get_retry_flags()\fR returns retry\-related bits that are +currently set in \fIb\fR. The result is a subset of +\&\fBBIO_FLAGS_RWS|BIO_FLAGS_SHOULD_RETRY\fR. +.PP +The retry bits are interpreted by the higher level macros +\&\fBBIO_should_read()\fR, \fBBIO_should_write()\fR, \fBBIO_should_io_special()\fR, +\&\fBBIO_retry_type()\fR and \fBBIO_should_retry()\fR, as documented in +\&\fBBIO_should_retry\fR\|(3). Application code will typically use those macros +rather than manipulate the underlying flags directly. +.PP +The following flag bits are currently defined for use with \fBBIO_set_flags()\fR, +\&\fBBIO_clear_flags()\fR and \fBBIO_test_flags()\fR: +.IP \fBBIO_FLAGS_READ\fR 4 +.IX Item "BIO_FLAGS_READ" +The last I/O operation should be retried when the \fBBIO\fR becomes readable. +This flag is normally set by the \fBBIO\fR implementation via \fBBIO_set_retry_read()\fR +after a failed read operation. +.IP \fBBIO_FLAGS_WRITE\fR 4 +.IX Item "BIO_FLAGS_WRITE" +The last I/O operation should be retried when the \fBBIO\fR becomes writable. 
+This flag is normally set by the \fBBIO\fR implementation via \fBBIO_set_retry_write()\fR +after a failed write operation. +.IP \fBBIO_FLAGS_IO_SPECIAL\fR 4 +.IX Item "BIO_FLAGS_IO_SPECIAL" +The last I/O operation should be retried when some "special" condition +becomes true. The precise meaning of this condition depends on the \fBBIO\fR +type and is usually obtained via \fBBIO_get_retry_BIO()\fR and +\&\fBBIO_get_retry_reason()\fR as described in \fBBIO_should_retry\fR\|(3). +This flag is normally set by the \fBBIO\fR implementation via +\&\fBBIO_set_retry_special()\fR. +.IP \fBBIO_FLAGS_RWS\fR 4 +.IX Item "BIO_FLAGS_RWS" +The bitwise OR of \fBBIO_FLAGS_READ\fR, \fBBIO_FLAGS_WRITE\fR and +\&\fBBIO_FLAGS_IO_SPECIAL\fR. This mask is used when clearing or extracting +the retry\-direction bits. +.IP \fBBIO_FLAGS_SHOULD_RETRY\fR 4 +.IX Item "BIO_FLAGS_SHOULD_RETRY" +Set if the last I/O operation on the \fBBIO\fR should be retried at a later time. +If this bit is not set then the condition is treated as an error. +This flag is normally set by the \fBBIO\fR implementation. +.IP \fBBIO_FLAGS_BASE64_NO_NL\fR 4 +.IX Item "BIO_FLAGS_BASE64_NO_NL" +When set on a base64 filter \fBBIO\fR this flag disables the generation of +newline characters in the encoded output and causes newlines to be ignored +in the input. See also \fBBIO_f_base64\fR\|(3). +The flag has no effect on any other built\-in \fBBIO\fR types. +.IP \fBBIO_FLAGS_MEM_RDONLY\fR 4 +.IX Item "BIO_FLAGS_MEM_RDONLY" +When set on a memory \fBBIO\fR this flag indicates that the underlying buffer is +read only. Attempts to write to such a \fBBIO\fR will fail. +The flag has no effect on any other built\-in \fBBIO\fR types. +.IP \fBBIO_FLAGS_NONCLEAR_RST\fR 4 +.IX Item "BIO_FLAGS_NONCLEAR_RST" +On a memory \fBBIO\fR this flag modifies the behaviour of \fBBIO_reset()\fR. When it +is set, resetting the \fBBIO\fR does not clear the underlying buffer but only +resets the current read position. 
+The flag has no effect on any other built\-in \fBBIO\fR types. +.IP \fBBIO_FLAGS_IN_EOF\fR 4 +.IX Item "BIO_FLAGS_IN_EOF" +This flag may be used by a \fBBIO\fR implementation to indicate that the end +of the input stream has been reached. However, \fBBIO\fR types are not +required to use this flag to signal end\-of\-file conditions; they may rely +on other mechanisms such as system calls or by querying the next \fBBIO\fR in a +chain. Applications must therefore not test this flag directly to +determine whether EOF has been reached, and must use \fBBIO_eof()\fR instead. +.PP +A range of additional flag values is reserved for internal use by OpenSSL +to track kernel TLS (KTLS) state. This range and the corresponding flag +macros are not part of the public API and must not be used by applications. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fBBIO_get_flags()\fR returns a bit mask of the flags currently set on the \fBBIO\fR. +.PP +\&\fBBIO_test_flags()\fR returns a bit mask consisting of those flags from the +argument that are currently set in the \fBBIO\fR. Consequently, it returns a +nonzero value if and only if at least one of the requested flags is set. +.PP +\&\fBBIO_get_retry_flags()\fR returns a bit mask consisting of those flags from +\&\fBBIO_FLAGS_READ\fR, \fBBIO_FLAGS_WRITE\fR, \fBBIO_FLAGS_IO_SPECIAL\fR, and +\&\fBBIO_FLAGS_SHOULD_RETRY\fR that are currently set in the \fIBIO\fR. +.SH NOTES +.IX Header "NOTES" +Ordinary application code will rarely need to call \fBBIO_set_flags()\fR, +\&\fBBIO_clear_flags()\fR or \fBBIO_test_flags()\fR directly. They are intended for \fBBIO\fR +implementations and for code that forwards retry state from one \fBBIO\fR in a +chain to another. +After a failed I/O operation, applications should normally use +\&\fBBIO_should_retry()\fR and related macros as described in +\&\fBBIO_should_retry\fR\|(3) instead of inspecting the flags directly. +.PP +These functions and macros are not thread\-safe. 
If a single \fBBIO\fR +is accessed from multiple threads, the caller must provide appropriate +external synchronisation. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fBBIO_should_retry\fR\|(3), \fBBIO_f_base64\fR\|(3), \fBbio\fR\|(7) +.SH HISTORY +.IX Header "HISTORY" +The functions and macros described here have been available in OpenSSL since +at least 1.1.0 (\fBBIO_FLAGS_IN_EOF\fR since 1.1.1). +.SH COPYRIGHT +.IX Header "COPYRIGHT" +Copyright 2025 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/lib/libcrypto/man/man3/BIO_should_retry.3 b/secure/lib/libcrypto/man/man3/BIO_should_retry.3 index c53a7e8c9834..beefb80c1339 100644 --- a/secure/lib/libcrypto/man/man3/BIO_should_retry.3 +++ b/secure/lib/libcrypto/man/man3/BIO_should_retry.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_SHOULD_RETRY 3ossl" -.TH BIO_SHOULD_RETRY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_SHOULD_RETRY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_socket_wait.3 b/secure/lib/libcrypto/man/man3/BIO_socket_wait.3 index 7dc0e990fb22..076e27354fb6 100644 --- a/secure/lib/libcrypto/man/man3/BIO_socket_wait.3 
+++ b/secure/lib/libcrypto/man/man3/BIO_socket_wait.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_SOCKET_WAIT 3ossl" -.TH BIO_SOCKET_WAIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_SOCKET_WAIT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -82,7 +85,7 @@ BIO_do_connect_retry else for writing, at most until \fBmax_time\fR. It succeeds immediately if \fBmax_time\fR == 0 (which means no timeout given). .PP -\&\fBBIO_wait()\fR waits at most until \fBmax_time\fR on the given (typically socket-based) +\&\fBBIO_wait()\fR waits at most until \fBmax_time\fR on the given (typically socket\-based) \&\fBbio\fR, for reading if \fBbio\fR is supposed to read, else for writing. It is used by \fBBIO_do_connect_retry()\fR and can be used together \fBBIO_read\fR\|(3). It succeeds immediately if \fBmax_time\fR == 0 (which means no timeout given). 
@@ -93,7 +96,7 @@ Via \fBnap_milliseconds\fR the caller determines the polling granularity. \&\fBBIO_do_connect_retry()\fR connects via the given \fBbio\fR. It retries \fBBIO_do_connect()\fR as far as needed to reach a definite outcome, i.e., connection succeeded, timeout has been reached, or an error occurred. -For nonblocking and potentially even non-socket BIOs it polls +For nonblocking and potentially even non\-socket BIOs it polls every \fBnap_milliseconds\fR and sleeps in between using \fBBIO_wait()\fR. If \fBnap_milliseconds\fR is < 0 then a default value of 100 ms is used. If the \fBtimeout\fR parameter is > 0 this indicates the maximum number of seconds diff --git a/secure/lib/libcrypto/man/man3/BN_BLINDING_new.3 b/secure/lib/libcrypto/man/man3/BN_BLINDING_new.3 index 00a96d818bd0..d4e363e9518d 100644 --- a/secure/lib/libcrypto/man/man3/BN_BLINDING_new.3 +++ b/secure/lib/libcrypto/man/man3/BN_BLINDING_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_BLINDING_NEW 3ossl" -.TH BN_BLINDING_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_BLINDING_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -107,7 +110,7 @@ If \fBb\fR is NULL, nothing is done. .PP \&\fBBN_BLINDING_update()\fR updates the \fBBN_BLINDING\fR parameters by squaring the \fBA\fR and \fBAi\fR or, after specific number of uses and if the -necessary parameters are set, by re-creating the blinding parameters. +necessary parameters are set, by re\-creating the blinding parameters. .PP \&\fBBN_BLINDING_convert_ex()\fR multiplies \fBn\fR with the blinding factor \fBA\fR. If \fBr\fR is not NULL a copy the inverse blinding factor \fBAi\fR will be @@ -122,7 +125,7 @@ with \fBr\fR set to NULL. .PP \&\fBBN_BLINDING_is_current_thread()\fR returns whether the \fBBN_BLINDING\fR structure is owned by the current thread. This is to help users -provide proper locking if needed for multi-threaded use. +provide proper locking if needed for multi\-threaded use. .PP \&\fBBN_BLINDING_set_current_thread()\fR sets the current thread as the owner of the \fBBN_BLINDING\fR structure. @@ -135,7 +138,7 @@ owner of the \fBBN_BLINDING\fR structure. there are two supported flags: \fBBN_BLINDING_NO_UPDATE\fR and \&\fBBN_BLINDING_NO_RECREATE\fR. \fBBN_BLINDING_NO_UPDATE\fR inhibits the automatic update of the \fBBN_BLINDING\fR parameters after each use -and \fBBN_BLINDING_NO_RECREATE\fR inhibits the automatic re-creation +and \fBBN_BLINDING_NO_RECREATE\fR inhibits the automatic re\-creation of the \fBBN_BLINDING\fR parameters after a fixed number of uses (currently 32). In newly allocated \fBBN_BLINDING\fR objects no flags are set. \&\fBBN_BLINDING_set_flags()\fR sets the \fBBN_BLINDING\fR parameters flags. 
@@ -156,7 +159,7 @@ success and 0 if an error occurred. \&\fBBN_BLINDING_is_current_thread()\fR returns 1 if the current thread owns the \fBBN_BLINDING\fR object, 0 otherwise. .PP -\&\fBBN_BLINDING_set_current_thread()\fR doesn't return anything. +\&\fBBN_BLINDING_set_current_thread()\fR doesn\*(Aqt return anything. .PP \&\fBBN_BLINDING_lock()\fR, \fBBN_BLINDING_unlock()\fR return 1 if the operation succeeded or 0 on error. diff --git a/secure/lib/libcrypto/man/man3/BN_CTX_new.3 b/secure/lib/libcrypto/man/man3/BN_CTX_new.3 index fe4057eb9b91..0e0e09b1b638 100644 --- a/secure/lib/libcrypto/man/man3/BN_CTX_new.3 +++ b/secure/lib/libcrypto/man/man3/BN_CTX_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_CTX_NEW 3ossl" -.TH BN_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_CTX_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BN_CTX_start.3 b/secure/lib/libcrypto/man/man3/BN_CTX_start.3 index e94824d54266..5f6c674523b1 100644 --- a/secure/lib/libcrypto/man/man3/BN_CTX_start.3 +++ b/secure/lib/libcrypto/man/man3/BN_CTX_start.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_CTX_START 3ossl" -.TH BN_CTX_START 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_CTX_START 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BN_add.3 b/secure/lib/libcrypto/man/man3/BN_add.3 index 64cc8fdf843e..f92ce771c135 100644 --- a/secure/lib/libcrypto/man/man3/BN_add.3 +++ b/secure/lib/libcrypto/man/man3/BN_add.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_ADD 3ossl" -.TH BN_ADD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_ADD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BN_add_word.3 b/secure/lib/libcrypto/man/man3/BN_add_word.3 index 7302f2c88233..78e9a6381e03 100644 --- a/secure/lib/libcrypto/man/man3/BN_add_word.3 +++ b/secure/lib/libcrypto/man/man3/BN_add_word.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_ADD_WORD 3ossl" -.TH BN_ADD_WORD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_ADD_WORD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BN_bn2bin.3 b/secure/lib/libcrypto/man/man3/BN_bn2bin.3 index 6a12bf279781..82997e1fcf6f 100644 --- a/secure/lib/libcrypto/man/man3/BN_bn2bin.3 +++ b/secure/lib/libcrypto/man/man3/BN_bn2bin.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_BN2BIN 3ossl" -.TH BN_BN2BIN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_BN2BIN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -100,46 +103,46 @@ BN_print, BN_print_fp, BN_bn2mpi, BN_mpi2bn \- format conversions .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBBN_bn2bin()\fR converts the absolute value of \fBa\fR into big-endian form +\&\fBBN_bn2bin()\fR converts the absolute value of \fBa\fR into big\-endian form and stores it at \fBto\fR. \fBto\fR must point to BN_num_bytes(\fBa\fR) bytes of memory. \fBa\fR and \fBto\fR \fBMUST NOT\fR be NULL. .PP -\&\fBBN_bn2binpad()\fR also converts the absolute value of \fBa\fR into big-endian form +\&\fBBN_bn2binpad()\fR also converts the absolute value of \fBa\fR into big\-endian form and stores it at \fBto\fR. \fBtolen\fR indicates the length of the output buffer \&\fBto\fR. The result is padded with zeros if necessary. If \fBtolen\fR is less than BN_num_bytes(\fBa\fR) an error is returned. .PP -\&\fBBN_signed_bn2bin()\fR converts the value of \fBa\fR into big-endian signed 2's +\&\fBBN_signed_bn2bin()\fR converts the value of \fBa\fR into big\-endian signed 2\*(Aqs complements form and stores it at \fBto\fR. \fBtolen\fR indicates the length of the output buffer \fBto\fR. The result is signed extended (padded with 0x00 for positive numbers or with 0xff for negative numbers) if necessary. If \fBtolen\fR is smaller than the necessary size (which may be \&\f(CW\*(C`<BN_num_bytes(\fR\f(CBa\fR\f(CW) + 1\*(C'\fR>), an error is returned. .PP -\&\fBBN_bin2bn()\fR converts the positive integer in big-endian form of length +\&\fBBN_bin2bn()\fR converts the positive integer in big\-endian form of length \&\fBlen\fR at \fBs\fR into a \fBBIGNUM\fR and places it in \fBret\fR. If \fBret\fR is NULL, a new \fBBIGNUM\fR is created. \fBs\fR \fBMUST NOT\fR be NULL. .PP -\&\fBBN_signed_bin2bn()\fR converts the integer in big-endian signed 2's complement +\&\fBBN_signed_bin2bn()\fR converts the integer in big\-endian signed 2\*(Aqs complement form of length \fBlen\fR at \fBs\fR into a \fBBIGNUM\fR and places it in \fBret\fR. 
If \&\fBret\fR is NULL, a new \fBBIGNUM\fR is created. .PP \&\fBBN_bn2lebinpad()\fR, \fBBN_signed_bn2lebin()\fR and \fBBN_lebin2bn()\fR are identical to \&\fBBN_bn2binpad()\fR, \fBBN_signed_bn2bin()\fR and \fBBN_bin2bn()\fR except the buffer is in -little-endian format. +little\-endian format. .PP \&\fBBN_bn2nativepad()\fR, \fBBN_signed_bn2native()\fR and \fBBN_native2bn()\fR are identical to \fBBN_bn2binpad()\fR, \fBBN_signed_bn2bin()\fR and \fBBN_bin2bn()\fR except the buffer is -in native format, i.e. most significant byte first on big-endian platforms, -and least significant byte first on little-endian platforms. +in native format, i.e. most significant byte first on big\-endian platforms, +and least significant byte first on little\-endian platforms. .PP \&\fBBN_bn2hex()\fR and \fBBN_bn2dec()\fR return printable strings containing the hexadecimal and decimal encoding of \fBa\fR respectively. For negative -numbers, the string is prefaced with a leading '\-'. The string must be +numbers, the string is prefaced with a leading \*(Aq\-\*(Aq. The string must be freed later using \fBOPENSSL_free()\fR. .PP \&\fBBN_hex2bn()\fR takes as many characters as possible from the string \fBstr\fR, -including the leading character '\-' which means negative, to form a valid +including the leading character \*(Aq\-\*(Aq which means negative, to form a valid hexadecimal number representation and converts them to a \fBBIGNUM\fR and stores it in **\fBa\fR. If *\fBa\fR is NULL, a new \fBBIGNUM\fR is created. If \&\fBa\fR is NULL, it only computes the length of valid representation. 
@@ -147,12 +150,12 @@ A "negative zero" is converted to zero. \&\fBBN_dec2bn()\fR is the same using the decimal system. .PP \&\fBBN_print()\fR and \fBBN_print_fp()\fR write the hexadecimal encoding of \fBa\fR, -with a leading '\-' for negative numbers, to the \fBBIO\fR or \fBFILE\fR +with a leading \*(Aq\-\*(Aq for negative numbers, to the \fBBIO\fR or \fBFILE\fR \&\fBfp\fR. .PP \&\fBBN_bn2mpi()\fR and \fBBN_mpi2bn()\fR convert \fBBIGNUM\fRs from and to a format -that consists of the number's length in bytes represented as a 4\-byte -big-endian number, and the number itself in big-endian format, where +that consists of the number\*(Aqs length in bytes represented as a 4\-byte +big\-endian number, and the number itself in big\-endian format, where the most significant bit signals a negative number (the representation of numbers with the MSB set is prefixed with null byte). .PP @@ -165,14 +168,14 @@ a \fBBIGNUM\fR and stores it at \fBret\fR, or in a newly allocated \fBBIGNUM\fR if \fBret\fR is NULL. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fBBN_bn2bin()\fR returns the length of the big-endian number placed at \fBto\fR. +\&\fBBN_bn2bin()\fR returns the length of the big\-endian number placed at \fBto\fR. \&\fBBN_bin2bn()\fR returns the \fBBIGNUM\fR, NULL on error. .PP \&\fBBN_bn2binpad()\fR, \fBBN_signed_bn2bin()\fR, \fBBN_bn2lebinpad()\fR, \fBBN_signed_bn2lebin()\fR, \&\fBBN_bn2nativepad()\fR, and_signed \fBBN_bn2native()\fR return the number of bytes written or \-1 if the supplied buffer is too small. .PP -\&\fBBN_bn2hex()\fR and \fBBN_bn2dec()\fR return a NUL-terminated string, or NULL +\&\fBBN_bn2hex()\fR and \fBBN_bn2dec()\fR return a NUL\-terminated string, or NULL on error. \fBBN_hex2bn()\fR and \fBBN_dec2bn()\fR return the number of characters used in parsing, or 0 on error, in which case no new \fBBIGNUM\fR will be created. 
diff --git a/secure/lib/libcrypto/man/man3/BN_cmp.3 b/secure/lib/libcrypto/man/man3/BN_cmp.3 index ec3c67a4d46d..2ed58da859ee 100644 --- a/secure/lib/libcrypto/man/man3/BN_cmp.3 +++ b/secure/lib/libcrypto/man/man3/BN_cmp.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_CMP 3ossl" -.TH BN_CMP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_CMP 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -100,7 +103,7 @@ of \fIa\fR and \fIb\fR. \&\fBBN_is_zero()\fR, \fBBN_is_one()\fR \fBBN_is_word()\fR, \fBBN_abs_is_word()\fR and \&\fBBN_is_odd()\fR return 1 if the condition is true, 0 otherwise. .PP -\&\fBBN_are_coprime()\fR returns 1 if the \fBBIGNUM\fR's are coprime, otherwise it +\&\fBBN_are_coprime()\fR returns 1 if the \fBBIGNUM\fR\*(Aqs are coprime, otherwise it returns 0. .SH HISTORY .IX Header "HISTORY" diff --git a/secure/lib/libcrypto/man/man3/BN_copy.3 b/secure/lib/libcrypto/man/man3/BN_copy.3 index 6db6baa3b82b..2ff0d9ff2154 100644 --- a/secure/lib/libcrypto/man/man3/BN_copy.3 +++ b/secure/lib/libcrypto/man/man3/BN_copy.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_COPY 3ossl" -.TH BN_COPY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_COPY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -91,7 +94,7 @@ restrictions apply to the use of \fBdest\fR: \&\fBdest\fR should be a newly allocated BIGNUM obtained via a call to \fBBN_new()\fR. It should not have been used for other purposes or initialised in any way. .IP \(bu 2 -\&\fBdest\fR must only be used in "read-only" operations, i.e. typically those +\&\fBdest\fR must only be used in "read\-only" operations, i.e. typically those functions where the relevant parameter is declared "const". .IP \(bu 2 \&\fBdest\fR must be used and freed before any further subsequent use of \fBb\fR diff --git a/secure/lib/libcrypto/man/man3/BN_generate_prime.3 b/secure/lib/libcrypto/man/man3/BN_generate_prime.3 index 08d428611b8f..921042ce5342 100644 --- a/secure/lib/libcrypto/man/man3/BN_generate_prime.3 +++ b/secure/lib/libcrypto/man/man3/BN_generate_prime.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_GENERATE_PRIME 3ossl" -.TH BN_GENERATE_PRIME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_GENERATE_PRIME 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -123,13 +126,13 @@ see \fBopenssl_user_macros\fR\|(7): .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBBN_generate_prime_ex2()\fR generates a pseudo-random prime number of +\&\fBBN_generate_prime_ex2()\fR generates a pseudo\-random prime number of at least bit length \fBbits\fR using the BN_CTX provided in \fBctx\fR. The value of \&\fBctx\fR must not be NULL. .PP The returned number is probably prime with a negligible error. The maximum error rate is 2^\-128. -It's 2^\-287 for a 512 bit prime, 2^\-435 for a 1024 bit prime, +It\*(Aqs 2^\-287 for a 512 bit prime, 2^\-435 for a 1024 bit prime, 2^\-648 for a 2048 bit prime, and lower than 2^\-882 for primes larger than 2048 bit. .PP @@ -152,7 +155,7 @@ The callers of \fBBN_generate_prime_ex()\fR may call \fBBN_GENCB_call(cb, i, j)\ other values as described in their respective man pages; see "SEE ALSO". .PP The prime may have to fulfill additional requirements for use in -Diffie-Hellman key exchange: +Diffie\-Hellman key exchange: .PP If \fBadd\fR is not \fBNULL\fR, the prime will fulfill the condition p % \fBadd\fR == \fBrem\fR (p % \fBadd\fR == 1 if \fBrem\fR == \fBNULL\fR) in order to suit a given 
@@ -181,15 +184,15 @@ or all the tests passed. If \fBp\fR passes all these tests, it is considered a probable prime. .PP The test performed on \fBp\fR are trial division by a number of small primes -and rounds of the Miller-Rabin probabilistic primality test. +and rounds of the Miller\-Rabin probabilistic primality test. .PP -The functions do at least 64 rounds of the Miller-Rabin test giving a maximum +The functions do at least 64 rounds of the Miller\-Rabin test giving a maximum false positive rate of 2^\-128. If the size of \fBp\fR is more than 2048 bits, they do at least 128 rounds giving a maximum false positive rate of 2^\-256. .PP If \fBnchecks\fR is larger than the minimum above (64 or 128), \fBnchecks\fR -rounds of the Miller-Rabin test will be done. +rounds of the Miller\-Rabin test will be done. .PP If \fBdo_trial_division\fR set to \fB0\fR, the trial division will be skipped. \&\fBBN_is_prime_ex()\fR and \fBBN_is_prime()\fR always skip the trial division. @@ -207,7 +210,7 @@ freeing the structure in a loop), or \fBNULL\fR. If the trial division is done, and no divisors are found and \fBcb\fR is not \fBNULL\fR, \fBBN_GENCB_call(cb, 1, \-1)\fR is called. .PP -After each round of the Miller-Rabin probabilistic primality test, +After each round of the Miller\-Rabin probabilistic primality test, if \fBcb\fR is not \fBNULL\fR, \fBBN_GENCB_call(cb, 1, j)\fR is called with \fBj\fR the iteration (j = 0, 1, ...). .PP 
@@ -236,7 +239,7 @@ It is possible to obtain the argument associated with a BN_GENCB structure (set via a call to BN_GENCB_set or BN_GENCB_set_old) using BN_GENCB_get_arg. .PP \&\fBBN_generate_prime()\fR (deprecated) works in the same way as -\&\fBBN_generate_prime_ex()\fR but expects an old-style callback function +\&\fBBN_generate_prime_ex()\fR but expects an old\-style callback function directly in the \fBcallback\fR parameter, and an argument to pass to it in the \fBcb_arg\fR. \fBBN_is_prime()\fR and \fBBN_is_prime_fasttest()\fR can similarly be compared to \fBBN_is_prime_ex()\fR and diff --git a/secure/lib/libcrypto/man/man3/BN_mod_exp_mont.3 b/secure/lib/libcrypto/man/man3/BN_mod_exp_mont.3 index 6ccfb89ee779..f8329b36d10f 100644 --- a/secure/lib/libcrypto/man/man3/BN_mod_exp_mont.3 +++ b/secure/lib/libcrypto/man/man3/BN_mod_exp_mont.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_MOD_EXP_MONT 3ossl" -.TH BN_MOD_EXP_MONT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_MOD_EXP_MONT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -92,7 +95,7 @@ function, so you can save time on initialization if you provide it in advance. \&\fBBN_mod_exp_mont_consttime()\fR computes \fIa\fR to the \fIp\fR\-th power modulo \fIm\fR (\f(CW\*(C`rr=a^p % m\*(C'\fR) using Montgomery multiplication. It is a variant of \&\fBBN_mod_exp_mont\fR\|(3) that uses fixed windows and the special precomputation -memory layout to limit data-dependency to a minimum to protect secret exponents. +memory layout to limit data\-dependency to a minimum to protect secret exponents. It is called automatically when \fBBN_mod_exp_mont\fR\|(3) is called with parameters \&\fIa\fR, \fIp\fR, \fIm\fR, any of which have \fBBN_FLG_CONSTTIME\fR flag. .PP diff --git a/secure/lib/libcrypto/man/man3/BN_mod_inverse.3 b/secure/lib/libcrypto/man/man3/BN_mod_inverse.3 index 0bb0ea7d79a5..d9d59e03f83b 100644 --- a/secure/lib/libcrypto/man/man3/BN_mod_inverse.3 +++ b/secure/lib/libcrypto/man/man3/BN_mod_inverse.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_MOD_INVERSE 3ossl" -.TH BN_MOD_INVERSE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_MOD_INVERSE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BN_mod_mul_montgomery.3 b/secure/lib/libcrypto/man/man3/BN_mod_mul_montgomery.3 index dc70f6f451a9..55f092f3c071 100644 --- a/secure/lib/libcrypto/man/man3/BN_mod_mul_montgomery.3 +++ b/secure/lib/libcrypto/man/man3/BN_mod_mul_montgomery.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_MOD_MUL_MONTGOMERY 3ossl" -.TH BN_MOD_MUL_MONTGOMERY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_MOD_MUL_MONTGOMERY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BN_mod_mul_reciprocal.3 b/secure/lib/libcrypto/man/man3/BN_mod_mul_reciprocal.3 index 922808c50555..26f079500a89 100644 --- a/secure/lib/libcrypto/man/man3/BN_mod_mul_reciprocal.3 +++ b/secure/lib/libcrypto/man/man3/BN_mod_mul_reciprocal.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_MOD_MUL_RECIPROCAL 3ossl" -.TH BN_MOD_MUL_RECIPROCAL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_MOD_MUL_RECIPROCAL 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BN_new.3 b/secure/lib/libcrypto/man/man3/BN_new.3 index 685c65fbaf19..22da07d73be6 100644 
--- a/secure/lib/libcrypto/man/man3/BN_new.3 +++ b/secure/lib/libcrypto/man/man3/BN_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_NEW 3ossl" -.TH BN_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BN_num_bytes.3 b/secure/lib/libcrypto/man/man3/BN_num_bytes.3 index 0e96d80dcccb..d3d660b87a2f 100644 --- a/secure/lib/libcrypto/man/man3/BN_num_bytes.3 +++ b/secure/lib/libcrypto/man/man3/BN_num_bytes.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_NUM_BYTES 3ossl" -.TH BN_NUM_BYTES 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_NUM_BYTES 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -91,14 +94,14 @@ The size. .SH NOTES .IX Header "NOTES" Some have tried using \fBBN_num_bits()\fR on individual numbers in RSA keys, -DH keys and DSA keys, and found that they don't always come up with +DH keys and DSA keys, and found that they don\*(Aqt always come up with the number of bits they expected (something like 512, 1024, 2048, \&...). This is because generating a number with some specific number -of bits doesn't always set the highest bits, thereby making the number +of bits doesn\*(Aqt always set the highest bits, thereby making the number of \fIsignificant\fR bits a little lower. If you want to know the "key size" of such a key, either use functions like \fBRSA_size()\fR, \fBDH_size()\fR and \fBDSA_size()\fR, or use \fBBN_num_bytes()\fR and multiply with 8 (although -there's no real guarantee that will match the "key size", just a lot +there\*(Aqs no real guarantee that will match the "key size", just a lot more probability). .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/BN_rand.3 b/secure/lib/libcrypto/man/man3/BN_rand.3 index 37868bbe0e30..00191fb5a30b 100644 --- a/secure/lib/libcrypto/man/man3/BN_rand.3 +++ b/secure/lib/libcrypto/man/man3/BN_rand.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_RAND 3ossl" -.TH BN_RAND 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_RAND 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -97,7 +100,7 @@ see \fBopenssl_user_macros\fR\|(7): .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBBN_rand_ex()\fR generates a cryptographically strong pseudo-random +\&\fBBN_rand_ex()\fR generates a cryptographically strong pseudo\-random number of \fIbits\fR in length and security strength at least \fIstrength\fR bits using the random number generator for the library context associated with \&\fIctx\fR. The function stores the generated data in \fIrnd\fR. The parameter \fIctx\fR @@ -119,7 +122,7 @@ If \fIbits\fR is 1 then \fItop\fR cannot also be \fBBN_RAND_TOP_TWO\fR. \&\fBBN_rand()\fR is the same as \fBBN_rand_ex()\fR except that the default library context is always used. .PP -\&\fBBN_rand_range_ex()\fR generates a cryptographically strong pseudo-random +\&\fBBN_rand_range_ex()\fR generates a cryptographically strong pseudo\-random number \fIrnd\fR, of security strength at least \fIstrength\fR bits, in the range 0 <= \fIrnd\fR < \fIrange\fR using the random number generator for the library context associated with \fIctx\fR. The parameter \fIctx\fR diff --git a/secure/lib/libcrypto/man/man3/BN_security_bits.3 b/secure/lib/libcrypto/man/man3/BN_security_bits.3 index 15449df90a33..bfe46a0064ab 100644 --- a/secure/lib/libcrypto/man/man3/BN_security_bits.3 +++ b/secure/lib/libcrypto/man/man3/BN_security_bits.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_SECURITY_BITS 3ossl" -.TH BN_SECURITY_BITS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_SECURITY_BITS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -78,7 +81,7 @@ of asymmetric algorithms: the FFC (Finite Field Cryptography) and IFC (Integer Factorization Cryptography). For FFC, e.g., DSA and DH, both parameters \fBL\fR and \fBN\fR are used to decide the bits of security, where \&\fBL\fR is the size of the public key and \fBN\fR is the size of the private -key. For IFC, e.g., RSA, only \fBL\fR is used and it's commonly considered +key. For IFC, e.g., RSA, only \fBL\fR is used and it\*(Aqs commonly considered to be the key size (modulus). .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/BN_set_bit.3 b/secure/lib/libcrypto/man/man3/BN_set_bit.3 index 955ca4459ddb..4cac4429ee50 100644 --- a/secure/lib/libcrypto/man/man3/BN_set_bit.3 +++ b/secure/lib/libcrypto/man/man3/BN_set_bit.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_SET_BIT 3ossl" -.TH BN_SET_BIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_SET_BIT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -94,7 +97,7 @@ error occurs if \fBa\fR is shorter than \fBn\fR bits. \&\fBBN_mask_bits()\fR truncates \fBa\fR to an \fBn\fR bit number (\f(CW\*(C`a&=~((~0)<<n)\*(C'\fR). An error occurs if \fBn\fR is negative. An error is also returned if the internal representation of \fBa\fR is already shorter than -\&\fBn\fR bits. The internal representation depends on the platform's word size, and +\&\fBn\fR bits. The internal representation depends on the platform\*(Aqs word size, and this error can be safely ignored. Use \fBBN_num_bits\fR\|(3) to determine the exact number of bits if needed. .PP diff --git a/secure/lib/libcrypto/man/man3/BN_swap.3 b/secure/lib/libcrypto/man/man3/BN_swap.3 index bb898c1a4516..dc3ccb9d0cac 100644 --- a/secure/lib/libcrypto/man/man3/BN_swap.3 +++ b/secure/lib/libcrypto/man/man3/BN_swap.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_SWAP 3ossl" -.TH BN_SWAP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_SWAP 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BN_zero.3 b/secure/lib/libcrypto/man/man3/BN_zero.3 index f4a6f25b5eeb..3047705e4488 100644 --- a/secure/lib/libcrypto/man/man3/BN_zero.3 +++ b/secure/lib/libcrypto/man/man3/BN_zero.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_ZERO 3ossl" -.TH BN_ZERO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_ZERO 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -90,7 +93,7 @@ is useful for use in comparisons and assignment. \&\fBBN_get_word()\fR returns \fBa\fR, if it can be represented as a \fBBN_ULONG\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fBBN_get_word()\fR returns the value \fBa\fR, or all-bits-set if \fBa\fR cannot +\&\fBBN_get_word()\fR returns the value \fBa\fR, or all\-bits\-set if \fBa\fR cannot be represented as a single integer. .PP \&\fBBN_one()\fR and \fBBN_set_word()\fR return 1 on success, 0 otherwise. 
@@ -98,7 +101,7 @@ be represented as a single integer. \&\fBBN_zero()\fR never fails and returns no value. .SH BUGS .IX Header "BUGS" -If a \fBBIGNUM\fR is equal to the value of all-bits-set, it will collide +If a \fBBIGNUM\fR is equal to the value of all\-bits\-set, it will collide with the error condition returned by \fBBN_get_word()\fR which uses that as an error value. .PP diff --git a/secure/lib/libcrypto/man/man3/BUF_MEM_new.3 b/secure/lib/libcrypto/man/man3/BUF_MEM_new.3 index ce09ddfef899..cee091fba6e8 100644 --- a/secure/lib/libcrypto/man/man3/BUF_MEM_new.3 +++ b/secure/lib/libcrypto/man/man3/BUF_MEM_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BUF_MEM_NEW 3ossl" -.TH BUF_MEM_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BUF_MEM_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -99,11 +102,11 @@ If the argument is NULL, nothing is done. \&\fBlen\fR. Any data already in the buffer is preserved if it increases in size. .PP -\&\fBBUF_MEM_grow_clean()\fR is similar to \fBBUF_MEM_grow()\fR but it sets any free'd -or additionally-allocated memory to zero. +\&\fBBUF_MEM_grow_clean()\fR is similar to \fBBUF_MEM_grow()\fR but it sets any free\*(Aqd +or additionally\-allocated memory to zero. .PP \&\fBBUF_reverse()\fR reverses \fBsize\fR bytes at \fBin\fR into \fBout\fR. If \fBin\fR -is NULL, the array is reversed in-place. +is NULL, the array is reversed in\-place. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBBUF_MEM_new()\fR returns the buffer or NULL on error. diff --git a/secure/lib/libcrypto/man/man3/CMAC_CTX.3 b/secure/lib/libcrypto/man/man3/CMAC_CTX.3 index c122160ae7ce..25b63745eb85 100644 --- a/secure/lib/libcrypto/man/man3/CMAC_CTX.3 +++ b/secure/lib/libcrypto/man/man3/CMAC_CTX.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMAC_CTX 3ossl" -.TH CMAC_CTX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMAC_CTX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -91,7 +94,7 @@ value, see \fBopenssl_user_macros\fR\|(7). .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The low-level MAC functions documented on this page are deprecated. +The low\-level MAC functions documented on this page are deprecated. Applications should use the new \fBEVP_MAC\fR\|(3) interface. Specifically, utilize the following functions for MAC operations: .IP "\fBEVP_MAC_CTX_new\fR\|(3) to create a new MAC context." 4 @@ -107,11 +110,11 @@ Specifically, utilize the following functions for MAC operations: .IX Item "EVP_MAC_final to finalize the MAC and retrieve the output." .PD .PP -Alternatively, for a single-step MAC computation, use the \fBEVP_Q_mac\fR\|(3) +Alternatively, for a single\-step MAC computation, use the \fBEVP_Q_mac\fR\|(3) function. .PP The \fBCMAC_CTX\fR type is a structure used for the provision of CMAC -(Cipher-based Message Authentication Code) operations. +(Cipher\-based Message Authentication Code) operations. .PP \&\fBCMAC_CTX_new()\fR creates a new \fBCMAC_CTX\fR structure and returns a pointer to it. .PP diff --git a/secure/lib/libcrypto/man/man3/CMS_EncryptedData_decrypt.3 b/secure/lib/libcrypto/man/man3/CMS_EncryptedData_decrypt.3 index a79b613587ba..67a3112d67bd 100644 --- a/secure/lib/libcrypto/man/man3/CMS_EncryptedData_decrypt.3 +++ b/secure/lib/libcrypto/man/man3/CMS_EncryptedData_decrypt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_ENCRYPTEDDATA_DECRYPT 3ossl" -.TH CMS_ENCRYPTEDDATA_DECRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_ENCRYPTEDDATA_DECRYPT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -80,10 +83,10 @@ CMS_EncryptedData_decrypt, CMS_EnvelopedData_decrypt .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBCMS_EncryptedData_decrypt()\fR decrypts a \fIcms\fR EncryptedData object using the -symmetric \fIkey\fR of size \fIkeylen\fR bytes. \fIout\fR is a BIO to write the content -to and \fIflags\fR is an optional set of flags. -\&\fIdcont\fR is used in the rare case where the encrypted content is detached. It -will normally be set to NULL. +symmetric \fIkey\fR of size \fIkeylen\fR bytes. AEAD cipher algorithms are not +supported. \fIout\fR is a BIO to write the content to and \fIflags\fR is an optional +set of flags. \fIdcont\fR is used in the rare case where the encrypted content is +detached. It will normally be set to NULL. .PP The following flags can be passed in the \fIflags\fR parameter. .PP diff --git a/secure/lib/libcrypto/man/man3/CMS_EncryptedData_encrypt.3 b/secure/lib/libcrypto/man/man3/CMS_EncryptedData_encrypt.3 index c1b0e6330951..9b706e20c5e4 100644 --- a/secure/lib/libcrypto/man/man3/CMS_EncryptedData_encrypt.3 +++ b/secure/lib/libcrypto/man/man3/CMS_EncryptedData_encrypt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_ENCRYPTEDDATA_ENCRYPT 3ossl" -.TH CMS_ENCRYPTEDDATA_ENCRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_ENCRYPTEDDATA_ENCRYPT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -93,7 +96,7 @@ The \fIflags\fR field supports the options \fBCMS_DETACHED\fR, \fBCMS_STREAM\fR \&\fBCMS_PARTIAL\fR is specified. .PP The algorithm passed in the \fIcipher\fR parameter must support ASN1 encoding of -its parameters. +its parameters. AEAD cipher algorithms are not supported. .PP The \fBCMS_ContentInfo\fR structure can be freed using \fBCMS_ContentInfo_free\fR\|(3). .PP diff --git a/secure/lib/libcrypto/man/man3/CMS_EncryptedData_set1_key.3 b/secure/lib/libcrypto/man/man3/CMS_EncryptedData_set1_key.3 new file mode 100644 index 000000000000..78059b910dea --- /dev/null +++ b/secure/lib/libcrypto/man/man3/CMS_EncryptedData_set1_key.3 
@@ -0,0 +1,96 @@ +.\" -*- mode: troff; coding: utf-8 -*- +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>. +.ie n \{\ +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{\ +. if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +. \} +.\} +.rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l +.\" ======================================================================== +.\" +.IX Title "CMS_ENCRYPTEDDATA_SET1_KEY 3ossl" +.TH CMS_ENCRYPTEDDATA_SET1_KEY 3ossl 2026-01-27 3.5.5 OpenSSL +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. 
+.if n .ad l +.nh +.SH NAME +CMS_EncryptedData_set1_key \- Sets the cipher and key for +CMS EncryptedData +.SH SYNOPSIS +.IX Header "SYNOPSIS" +.Vb 1 +\& #include <openssl/cms.h> +\& +\& int CMS_EncryptedData_set1_key(CMS_ContentInfo *cms, const EVP_CIPHER *ciph, +\& const unsigned char *key, size_t keylen); +.Ve +.SH DESCRIPTION +.IX Header "DESCRIPTION" +\&\fBCMS_EncryptedData_set1_key()\fR takes in a \fIcms\fR EncryptedData object and sets +the appropriate attributes to \fIciph\fR, it makes a copy of the symmetric \fIkey\fR +of size \fIkeylen\fR. AEAD cipher algorithms are not supported. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fBCMS_EncryptedData_set1_key()\fR returns 0 if an error occurred otherwise +returns 1. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fBCMS_EncryptedData_encrypt\fR\|(3), \fBCMS_EncryptedData_decrypt\fR\|(3) +.SH COPYRIGHT +.IX Header "COPYRIGHT" +Copyright 2025 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/lib/libcrypto/man/man3/CMS_EnvelopedData_create.3 b/secure/lib/libcrypto/man/man3/CMS_EnvelopedData_create.3 index 491621ef8ee9..aff82695d11c 100644 --- a/secure/lib/libcrypto/man/man3/CMS_EnvelopedData_create.3 +++ b/secure/lib/libcrypto/man/man3/CMS_EnvelopedData_create.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_ENVELOPEDDATA_CREATE 3ossl" -.TH CMS_ENVELOPEDDATA_CREATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_ENVELOPEDDATA_CREATE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/CMS_add0_cert.3 b/secure/lib/libcrypto/man/man3/CMS_add0_cert.3 index 9563c6a8f286..1bc2d75a8fce 100644 --- a/secure/lib/libcrypto/man/man3/CMS_add0_cert.3 +++ b/secure/lib/libcrypto/man/man3/CMS_add0_cert.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_ADD0_CERT 3ossl" -.TH CMS_ADD0_CERT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_ADD0_CERT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -116,7 +119,7 @@ For enveloped data they are added to \fBOriginatorInfo\fR. .PP \&\fBCMS_get1_certs()\fR and \fBCMS_get1_crls()\fR return the STACK of certificates or CRLs or NULL if there are none or an error occurs. -Besides out-of-memory, the only error which will occur +Besides out\-of\-memory, the only error which will occur in practice is if the \fIcms\fR type is invalid. .SH "SEE ALSO" .IX Header "SEE ALSO" 
diff --git a/secure/lib/libcrypto/man/man3/CMS_add1_recipient_cert.3 b/secure/lib/libcrypto/man/man3/CMS_add1_recipient_cert.3 index c2f2eef5e2b9..87712f8a1937 100644 --- a/secure/lib/libcrypto/man/man3/CMS_add1_recipient_cert.3 +++ b/secure/lib/libcrypto/man/man3/CMS_add1_recipient_cert.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_ADD1_RECIPIENT_CERT 3ossl" -.TH CMS_ADD1_RECIPIENT_CERT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_ADD1_RECIPIENT_CERT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -85,7 +88,7 @@ CMS_add1_recipient, CMS_add1_recipient_cert, CMS_add0_recipient_key \- add recip .IX Header "DESCRIPTION" \&\fBCMS_add1_recipient()\fR adds recipient \fBrecip\fR and provides the originator pkey \&\fBoriginatorPrivKey\fR and originator certificate \fBoriginator\fR to CMS_ContentInfo. -The originator-related fields are relevant only in case when the keyAgreement +The originator\-related fields are relevant only in case when the keyAgreement method of providing of the shared key is in use. .PP \&\fBCMS_add1_recipient_cert()\fR adds recipient \fBrecip\fR to CMS_ContentInfo enveloped diff --git a/secure/lib/libcrypto/man/man3/CMS_add1_signer.3 b/secure/lib/libcrypto/man/man3/CMS_add1_signer.3 index f9597c29985c..9a516debd878 100644 --- a/secure/lib/libcrypto/man/man3/CMS_add1_signer.3 +++ b/secure/lib/libcrypto/man/man3/CMS_add1_signer.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_ADD1_SIGNER 3ossl" -.TH CMS_ADD1_SIGNER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_ADD1_SIGNER 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -80,7 +83,7 @@ key \fBpkey\fR using message digest \fBmd\fR to CMS_ContentInfo SignedData structure \fBcms\fR. .PP The CMS_ContentInfo structure should be obtained from an initial call to -\&\fBCMS_sign()\fR with the flag \fBCMS_PARTIAL\fR set or in the case or re-signing a +\&\fBCMS_sign()\fR with the flag \fBCMS_PARTIAL\fR set or in the case or re\-signing a valid CMS_ContentInfo SignedData structure. .PP If the \fBmd\fR parameter is \fBNULL\fR then the default digest for the public @@ -116,8 +119,8 @@ CMS_SignerInfo structure will not be finalized so additional attributes can be added. In this case an explicit call to \fBCMS_SignerInfo_sign()\fR is needed to finalize it. .PP -If \fBCMS_NOCERTS\fR is set the signer's certificate will not be included in the -CMS_ContentInfo structure, the signer's certificate must still be supplied in +If \fBCMS_NOCERTS\fR is set the signer\*(Aqs certificate will not be included in the +CMS_ContentInfo structure, the signer\*(Aqs certificate must still be supplied in the \fBsigncert\fR parameter though. This can reduce the size of the signature if the signers certificate can be obtained by other means: for example a previously signed message. 
diff --git a/secure/lib/libcrypto/man/man3/CMS_compress.3 b/secure/lib/libcrypto/man/man3/CMS_compress.3 index f7bc05d07d65..d13e87370cdd 100644 --- a/secure/lib/libcrypto/man/man3/CMS_compress.3 +++ b/secure/lib/libcrypto/man/man3/CMS_compress.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_COMPRESS 3ossl" -.TH CMS_COMPRESS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_COMPRESS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/CMS_data_create.3 b/secure/lib/libcrypto/man/man3/CMS_data_create.3 index 292efbd0f55a..4f7e39ffc997 100644 --- a/secure/lib/libcrypto/man/man3/CMS_data_create.3 +++ b/secure/lib/libcrypto/man/man3/CMS_data_create.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_DATA_CREATE 3ossl" -.TH CMS_DATA_CREATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_DATA_CREATE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/CMS_decrypt.3 b/secure/lib/libcrypto/man/man3/CMS_decrypt.3 index 4bc1b0f9c31a..d1fab46ccbbb 100644 --- a/secure/lib/libcrypto/man/man3/CMS_decrypt.3 +++ b/secure/lib/libcrypto/man/man3/CMS_decrypt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_DECRYPT 3ossl" -.TH CMS_DECRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_DECRYPT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -115,7 +118,7 @@ needed to locate the appropriate (of possible several) recipients in the CMS structure. .PP If \fIcert\fR is set to NULL all possible recipients are tried. This case however -is problematic. To thwart the MMA attack (Bleichenbacher's attack on +is problematic. To thwart the MMA attack (Bleichenbacher\*(Aqs attack on PKCS #1 v1.5 RSA padding) all recipients are tried whether they succeed or not. If no recipient succeeds then a random symmetric key is used to decrypt the content: this will typically output garbage and may (but is not guaranteed diff --git a/secure/lib/libcrypto/man/man3/CMS_digest_create.3 b/secure/lib/libcrypto/man/man3/CMS_digest_create.3 index 3ba012aaf81d..e1296075f9df 100644 --- a/secure/lib/libcrypto/man/man3/CMS_digest_create.3 +++ b/secure/lib/libcrypto/man/man3/CMS_digest_create.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_DIGEST_CREATE 3ossl" -.TH CMS_DIGEST_CREATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_DIGEST_CREATE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/CMS_encrypt.3 b/secure/lib/libcrypto/man/man3/CMS_encrypt.3 index 23f67683d4c2..cfe8c3691a27 100644 --- a/secure/lib/libcrypto/man/man3/CMS_encrypt.3 +++ b/secure/lib/libcrypto/man/man3/CMS_encrypt.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_ENCRYPT 3ossl" -.TH CMS_ENCRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_ENCRYPT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -82,7 +85,7 @@ AuthEnvelopedData structure. \fIcerts\fR is a list of recipient certificates. property query \fIpropq\fR are used internally when retrieving algorithms from providers. .PP -Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this +Only certificates carrying RSA, Diffie\-Hellman or EC keys are supported by this function. .PP \&\fBEVP_des_ede3_cbc()\fR (triple DES) is the algorithm of choice for S/MIME use diff --git a/secure/lib/libcrypto/man/man3/CMS_final.3 b/secure/lib/libcrypto/man/man3/CMS_final.3 index eb4ccf8eda32..d23dda7d56ea 100644 --- a/secure/lib/libcrypto/man/man3/CMS_final.3 +++ b/secure/lib/libcrypto/man/man3/CMS_final.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_FINAL 3ossl" -.TH CMS_FINAL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_FINAL 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -80,7 +83,7 @@ processed. The \fBdcont\fR parameter contains a BIO to write content to after processing: this is only used with detached data and will usually be set to NULL. .PP -\&\fBCMS_final_digest()\fR finalises the structure \fBcms\fR using a pre-computed digest, +\&\fBCMS_final_digest()\fR finalises the structure \fBcms\fR using a pre\-computed digest, rather than computing the digest from the original data. .SH NOTES .IX Header "NOTES" @@ -88,10 +91,10 @@ These functions will normally be called when the \fBCMS_PARTIAL\fR flag is used. should only be used when streaming is not performed because the streaming I/O functions perform finalisation operations internally. .PP -To sign a pre-computed digest, \fBCMS_sign\fR\|(3) or \fBCMS_sign_ex()\fR is called +To sign a pre\-computed digest, \fBCMS_sign\fR\|(3) or \fBCMS_sign_ex()\fR is called with the \fBdata\fR parameter set to NULL before the CMS structure is finalised with the digest provided to \fBCMS_final_digest()\fR in binary form. -When signing a pre-computed digest, the security relies on the digest and its +When signing a pre\-computed digest, the security relies on the digest and its computation from the original message being trusted. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/CMS_get0_RecipientInfos.3 b/secure/lib/libcrypto/man/man3/CMS_get0_RecipientInfos.3 index a15dc438afeb..84234b08e5df 100644 --- a/secure/lib/libcrypto/man/man3/CMS_get0_RecipientInfos.3 
+++ b/secure/lib/libcrypto/man/man3/CMS_get0_RecipientInfos.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_GET0_RECIPIENTINFOS 3ossl" -.TH CMS_GET0_RECIPIENTINFOS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_GET0_RECIPIENTINFOS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/CMS_get0_SignerInfos.3 b/secure/lib/libcrypto/man/man3/CMS_get0_SignerInfos.3 index b7f6e94d81b0..be68ff1b31e2 100644 --- a/secure/lib/libcrypto/man/man3/CMS_get0_SignerInfos.3 +++ b/secure/lib/libcrypto/man/man3/CMS_get0_SignerInfos.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_GET0_SIGNERINFOS 3ossl" -.TH CMS_GET0_SIGNERINFOS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_GET0_SIGNERINFOS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -97,7 +100,7 @@ modified. identifier \fBsi\fR. It returns zero if the comparison is successful and non zero if not. .PP -\&\fBCMS_SignerInfo_set1_signer_cert()\fR sets the signer's certificate of \fBsi\fR to +\&\fBCMS_SignerInfo_set1_signer_cert()\fR sets the signer\*(Aqs certificate of \fBsi\fR to \&\fBsigner\fR. .SH NOTES .IX Header "NOTES" diff --git a/secure/lib/libcrypto/man/man3/CMS_get0_type.3 b/secure/lib/libcrypto/man/man3/CMS_get0_type.3 index 52a169d06c85..70c68a6496ac 100644 --- a/secure/lib/libcrypto/man/man3/CMS_get0_type.3 +++ b/secure/lib/libcrypto/man/man3/CMS_get0_type.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_GET0_TYPE 3ossl" -.TH CMS_GET0_TYPE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_GET0_TYPE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/CMS_get1_ReceiptRequest.3 b/secure/lib/libcrypto/man/man3/CMS_get1_ReceiptRequest.3 index a50549b0d269..eb86b825a386 100644 --- a/secure/lib/libcrypto/man/man3/CMS_get1_ReceiptRequest.3 +++ b/secure/lib/libcrypto/man/man3/CMS_get1_ReceiptRequest.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_GET1_RECEIPTREQUEST 3ossl" -.TH CMS_GET1_RECEIPTREQUEST 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_GET1_RECEIPTREQUEST 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/CMS_sign.3 b/secure/lib/libcrypto/man/man3/CMS_sign.3 index 65ca28081f89..3e9a0d1d6305 100644 --- a/secure/lib/libcrypto/man/man3/CMS_sign.3 +++ b/secure/lib/libcrypto/man/man3/CMS_sign.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_SIGN 3ossl" -.TH CMS_SIGN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_SIGN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -99,8 +102,8 @@ Many S/MIME clients expect the signed content to include valid MIME headers. If the \fBCMS_TEXT\fR flag is set MIME headers for type \fBtext/plain\fR are prepended to the data. .PP -If \fBCMS_NOCERTS\fR is set the signer's certificate will not be included in the -CMS_ContentInfo structure, the signer's certificate must still be supplied in +If \fBCMS_NOCERTS\fR is set the signer\*(Aqs certificate will not be included in the +CMS_ContentInfo structure, the signer\*(Aqs certificate must still be supplied in the \fBsigncert\fR parameter though. This can reduce the size of the signature if the signers certificate can be obtained by other means: for example a previously signed message. diff --git a/secure/lib/libcrypto/man/man3/CMS_sign_receipt.3 b/secure/lib/libcrypto/man/man3/CMS_sign_receipt.3 index a486f9468583..627b51057625 100644 --- a/secure/lib/libcrypto/man/man3/CMS_sign_receipt.3 +++ b/secure/lib/libcrypto/man/man3/CMS_sign_receipt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_SIGN_RECEIPT 3ossl" -.TH CMS_SIGN_RECEIPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_SIGN_RECEIPT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/CMS_signed_get_attr.3 b/secure/lib/libcrypto/man/man3/CMS_signed_get_attr.3 index 22b156943dbd..91340861b3c6 100644 --- a/secure/lib/libcrypto/man/man3/CMS_signed_get_attr.3 
+++ b/secure/lib/libcrypto/man/man3/CMS_signed_get_attr.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_SIGNED_GET_ATTR 3ossl" -.TH CMS_SIGNED_GET_ATTR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_SIGNED_GET_ATTR 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -130,7 +133,7 @@ Since the \fBCMS_unsigned_XXX()\fR functions work in the same way as the described below. .PP \&\fBCMS_signed_get_attr_by_OBJ()\fR finds the location of the first matching object -\&\fIobj\fR in the SignerInfo's \fIsi\fR signed attribute list. The search starts at the +\&\fIobj\fR in the SignerInfo\*(Aqs \fIsi\fR signed attribute list. The search starts at the position after \fIlastpos\fR. If the returned value is positive then it can be used on the next call to \fBCMS_signed_get_attr_by_OBJ()\fR as the value of \fIlastpos\fR in order to iterate through the remaining attributes. \fIlastpos\fR can be set to any 
@@ -156,7 +159,7 @@ required. An error occurs if \fIattr\fR is NULL. \&\fBCMS_signed_add1_attr_by_OBJ()\fR creates a new signed \fBX509_ATTRIBUTE\fR using \&\fBX509_ATTRIBUTE_set1_object()\fR and \fBX509_ATTRIBUTE_set1_data()\fR to assign a new \&\fIobj\fR with type \fItype\fR and data \fIbytes\fR of length \fIlen\fR and then pushes it -to the \fIkey\fR object's attribute list. +to the \fIkey\fR object\*(Aqs attribute list. .PP \&\fBCMS_signed_add1_attr_by_NID()\fR is similar to \fBCMS_signed_add1_attr_by_OBJ()\fR except that it passes the numerical identifier (NID) \fInid\fR associated with the object. @@ -188,7 +191,7 @@ SignerInfo \fIsi\fR, or \-1 if the signed attribute list is NULL. .PP \&\fBCMS_signed_get_attr_by_OBJ()\fR returns \-1 if either the signed attribute list of \&\fIsi\fR is empty OR if \fIobj\fR is not found, otherwise it returns the location of -the \fIobj\fR in the SignerInfo's \fIsi\fR signed attribute list. +the \fIobj\fR in the SignerInfo\*(Aqs \fIsi\fR signed attribute list. .PP \&\fBCMS_signed_get_attr_by_NID()\fR is similar to \fBCMS_signed_get_attr_by_OBJ()\fR except that it returns \-2 if the \fInid\fR is not known by OpenSSL. diff --git a/secure/lib/libcrypto/man/man3/CMS_uncompress.3 b/secure/lib/libcrypto/man/man3/CMS_uncompress.3 index 20002585d252..ffbbf69bde8e 100644 --- a/secure/lib/libcrypto/man/man3/CMS_uncompress.3 +++ b/secure/lib/libcrypto/man/man3/CMS_uncompress.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_UNCOMPRESS 3ossl" -.TH CMS_UNCOMPRESS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_UNCOMPRESS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/CMS_verify.3 b/secure/lib/libcrypto/man/man3/CMS_verify.3 index 76f55dab3dcf..318dc8f25822 100644 --- a/secure/lib/libcrypto/man/man3/CMS_verify.3 +++ b/secure/lib/libcrypto/man/man3/CMS_verify.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_VERIFY 3ossl" -.TH CMS_VERIFY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_VERIFY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/CMS_verify_receipt.3 b/secure/lib/libcrypto/man/man3/CMS_verify_receipt.3 index 455286122272..f48a3eb45ced 100644 --- a/secure/lib/libcrypto/man/man3/CMS_verify_receipt.3 +++ b/secure/lib/libcrypto/man/man3/CMS_verify_receipt.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_VERIFY_RECEIPT 3ossl" -.TH CMS_VERIFY_RECEIPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_VERIFY_RECEIPT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/COMP_CTX_new.3 b/secure/lib/libcrypto/man/man3/COMP_CTX_new.3 index 1fe1bac3e017..55b47da84b25 100644 --- a/secure/lib/libcrypto/man/man3/COMP_CTX_new.3 +++ b/secure/lib/libcrypto/man/man3/COMP_CTX_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "COMP_CTX_NEW 3ossl" -.TH COMP_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH COMP_CTX_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -133,17 +136,17 @@ Methods (\fBCOMP_METHOD\fR) may be specified by one of these functions. These fu will be available even if their corresponding compression algorithm is not configured into the OpenSSL library. In such a case, NULL will be returned. .IP \(bu 4 -\&\fBCOMP_zlib()\fR returns a \fBCOMP_METHOD\fR for stream-based ZLIB compression. +\&\fBCOMP_zlib()\fR returns a \fBCOMP_METHOD\fR for stream\-based ZLIB compression. .IP \(bu 4 -\&\fBCOMP_zlib_oneshot()\fR returns a \fBCOMP_METHOD\fR for one-shot ZLIB compression. +\&\fBCOMP_zlib_oneshot()\fR returns a \fBCOMP_METHOD\fR for one\-shot ZLIB compression. .IP \(bu 4 -\&\fBCOMP_brotli()\fR returns a \fBCOMP_METHOD\fR for stream-based Brotli compression. +\&\fBCOMP_brotli()\fR returns a \fBCOMP_METHOD\fR for stream\-based Brotli compression. .IP \(bu 4 -\&\fBCOMP_brotli_oneshot()\fR returns a \fBCOMP_METHOD\fR for one-shot Brotli compression. +\&\fBCOMP_brotli_oneshot()\fR returns a \fBCOMP_METHOD\fR for one\-shot Brotli compression. .IP \(bu 4 -\&\fBCOMP_zstd()\fR returns a \fBCOMP_METHOD\fR for stream-based Zstandard compression. +\&\fBCOMP_zstd()\fR returns a \fBCOMP_METHOD\fR for stream\-based Zstandard compression. .IP \(bu 4 -\&\fBCOMP_zstd_oneshot()\fR returns a \fBCOMP_METHOD\fR for one-shot Zstandard compression. +\&\fBCOMP_zstd_oneshot()\fR returns a \fBCOMP_METHOD\fR for one\-shot Zstandard compression. .PP \&\fBBIO_f_zlib()\fR, \fBBIO_f_brotli()\fR \fBBIO_f_zstd()\fR each return a \fBBIO_METHOD\fR that may be used to create a \fBBIO\fR via \fBBIO_new\|(3)\fR to read and write compressed files or streams. 
@@ -151,7 +154,7 @@ The functions are only available if the corresponding algorithm is compiled into the OpenSSL library. NULL may be returned if the algorithm fails to load dynamically. .SH NOTES .IX Header "NOTES" -While compressing non-compressible data, the output may be larger than the +While compressing non\-compressible data, the output may be larger than the input. Care should be taken to size output buffers appropriate for both compression and expansion. .PP @@ -177,11 +180,11 @@ It may be disabled via the SSL_OP_NO_TX_CERTIFICATE_COMPRESSION and SSL_OP_NO_RX_CERTIFICATE_COMPRESSION options of the \&\fBSSL_CTX_set_options\fR\|(3) or \fBSSL_set_options\fR\|(3) functions. .PP -\&\fBCOMP_zlib()\fR, \fBCOMP_brotli()\fR and \fBCOMP_zstd()\fR are stream-based compression methods. +\&\fBCOMP_zlib()\fR, \fBCOMP_brotli()\fR and \fBCOMP_zstd()\fR are stream\-based compression methods. Internal state (including compression dictionary) is maintained between calls. If an error is returned, the stream is corrupted, and should be closed. .PP -\&\fBCOMP_zlib_oneshot()\fR, \fBCOMP_brotli_oneshot()\fR and \fBCOMP_zstd_oneshot()\fR are not stream-based. These +\&\fBCOMP_zlib_oneshot()\fR, \fBCOMP_brotli_oneshot()\fR and \fBCOMP_zstd_oneshot()\fR are not stream\-based. These methods do not maintain state between calls. An error in one call does not affect future calls. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/CONF_modules_free.3 b/secure/lib/libcrypto/man/man3/CONF_modules_free.3 index a8df993da09e..d4f48cf2e8c1 100644 --- a/secure/lib/libcrypto/man/man3/CONF_modules_free.3 +++ b/secure/lib/libcrypto/man/man3/CONF_modules_free.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CONF_MODULES_FREE 3ossl" -.TH CONF_MODULES_FREE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CONF_MODULES_FREE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -91,7 +94,7 @@ to free up any configuration that module may have performed. .PP \&\fBCONF_modules_unload()\fR finishes and unloads configuration modules. If \&\fBall\fR is set to \fB0\fR only modules loaded from DSOs will be unloads. If -\&\fBall\fR is \fB1\fR all modules, including built-in modules will be unloaded. +\&\fBall\fR is \fB1\fR all modules, including built\-in modules will be unloaded. .SH "RETURN VALUES" .IX Header "RETURN VALUES" None of the functions return a value. diff --git a/secure/lib/libcrypto/man/man3/CONF_modules_load_file.3 b/secure/lib/libcrypto/man/man3/CONF_modules_load_file.3 index 8131eecadf1d..0a244a1b1356 100644 --- a/secure/lib/libcrypto/man/man3/CONF_modules_load_file.3 +++ b/secure/lib/libcrypto/man/man3/CONF_modules_load_file.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CONF_MODULES_LOAD_FILE 3ossl" -.TH CONF_MODULES_LOAD_FILE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CONF_MODULES_LOAD_FILE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -114,7 +117,7 @@ Normally any modules errors will add error information to the error queue. If If \fBCONF_MFLAGS_IGNORE_RETURN_CODES\fR is set the function unconditionally returns success. This is used by default in \fBOPENSSL_init_crypto\fR\|(3) to ignore any errors in -the default system-wide configuration file, as having all OpenSSL applications +the default system\-wide configuration file, as having all OpenSSL applications fail to start when there are potentially minor issues in the file is too risky. Applications calling \fBCONF_modules_load_file_ex\fR explicitly should not generally set this flag. diff --git a/secure/lib/libcrypto/man/man3/CRYPTO_THREAD_run_once.3 b/secure/lib/libcrypto/man/man3/CRYPTO_THREAD_run_once.3 index a632d28f876c..459af4681814 100644 --- a/secure/lib/libcrypto/man/man3/CRYPTO_THREAD_run_once.3 +++ b/secure/lib/libcrypto/man/man3/CRYPTO_THREAD_run_once.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CRYPTO_THREAD_RUN_ONCE 3ossl" -.TH CRYPTO_THREAD_RUN_ONCE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CRYPTO_THREAD_RUN_ONCE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -103,22 +106,22 @@ OSSL_THREAD_SUPPORT_FLAG_DEFAULT_SPAWN \- OpenSSL thread support .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -OpenSSL can be safely used in multi-threaded applications provided that -support for the underlying OS threading API is built-in. Currently, OpenSSL +OpenSSL can be safely used in multi\-threaded applications provided that +support for the underlying OS threading API is built\-in. Currently, OpenSSL supports the pthread and Windows APIs. OpenSSL can also be built without -any multi-threading support, for example on platforms that don't provide +any multi\-threading support, for example on platforms that don\*(Aqt provide any threading support or that provide a threading API that is not yet supported by OpenSSL. .PP -The following multi-threading function are provided: +The following multi\-threading function are provided: .IP \(bu 2 -\&\fBCRYPTO_THREAD_run_once()\fR can be used to perform one-time initialization. +\&\fBCRYPTO_THREAD_run_once()\fR can be used to perform one\-time initialization. The \fIonce\fR argument must be a pointer to a static object of type \&\fBCRYPTO_ONCE\fR that was statically initialized to the value \&\fBCRYPTO_ONCE_STATIC_INIT\fR. The \fIinit\fR argument is a pointer to a function that performs the desired exactly once initialization. -In particular, this can be used to allocate locks in a thread-safe manner, +In particular, this can be used to allocate locks in a thread\-safe manner, which can then be used with the locking functions below. .IP \(bu 2 \&\fBCRYPTO_THREAD_lock_new()\fR allocates, initializes and returns a new read/write 
@@ -202,7 +205,7 @@ functionality to be used. \&\fBCRYPTO_THREAD_lock_free()\fR returns no value. .PP \&\fBOSSL_set_max_threads()\fR returns 1 on success and 0 on failure. Returns failure -if OpenSSL-managed thread pooling is not supported (for example, if it is not +if OpenSSL\-managed thread pooling is not supported (for example, if it is not supported on the current platform, or because OpenSSL is not built with the necessary support). .PP @@ -221,7 +224,7 @@ On Windows platforms the CRYPTO_THREAD_* types and functions in the customarily made available by including \fI<windows.h>\fR. The application developer is likely to require control over when the latter is included, commonly as one of the first included headers. Therefore, it is defined as an -application developer's responsibility to include \fI<windows.h>\fR prior to +application developer\*(Aqs responsibility to include \fI<windows.h>\fR prior to \&\fI<openssl/crypto.h>\fR where use of CRYPTO_THREAD_* types and functions is required. .SH EXAMPLES diff --git a/secure/lib/libcrypto/man/man3/CRYPTO_get_ex_new_index.3 b/secure/lib/libcrypto/man/man3/CRYPTO_get_ex_new_index.3 index 5c86bd8de67f..e34eed6ba7b6 100644 --- a/secure/lib/libcrypto/man/man3/CRYPTO_get_ex_new_index.3 +++ b/secure/lib/libcrypto/man/man3/CRYPTO_get_ex_new_index.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CRYPTO_GET_EX_NEW_INDEX 3ossl" -.TH CRYPTO_GET_EX_NEW_INDEX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CRYPTO_GET_EX_NEW_INDEX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -99,7 +102,7 @@ CRYPTO_free_ex_data, CRYPTO_new_ex_data .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -Several OpenSSL structures can have application-specific data attached to them, +Several OpenSSL structures can have application\-specific data attached to them, known as "exdata." The specific structures are: .PP 
@@ -150,24 +153,24 @@ are called in increasing order of their \fBindex\fR value. .PP If a dynamic library can be unloaded, it should call \fBCRYPTO_free_ex_index()\fR when this is done. -This will replace the callbacks with no-ops -so that applications don't crash. Any existing exdata will be leaked. +This will replace the callbacks with no\-ops +so that applications don\*(Aqt crash. Any existing exdata will be leaked. .PP -To set or get the exdata on an object, the appropriate type-specific +To set or get the exdata on an object, the appropriate type\-specific routine must be used. This is because the containing structure is opaque -and the \fBCRYPTO_EX_DATA\fR field is not accessible. In both API's, the -\&\fBidx\fR parameter should be an already-created index value. +and the \fBCRYPTO_EX_DATA\fR field is not accessible. In both API\*(Aqs, the +\&\fBidx\fR parameter should be an already\-created index value. .PP When setting exdata, the pointer specified with a particular index is saved, and returned on a subsequent "get" call. If the application is going to release the data, it must make sure to set a \fBNULL\fR value at the index, -to avoid likely double-free crashes. +to avoid likely double\-free crashes. .PP The function \fBCRYPTO_free_ex_data\fR is used to free all exdata attached -to a structure. The appropriate type-specific routine must be used. +to a structure. The appropriate type\-specific routine must be used. The \fBclass_index\fR identifies the structure type, the \fBobj\fR is a pointer to the actual structure, and \fBr\fR is a pointer to the -structure's exdata field. +structure\*(Aqs exdata field. .SS "Callback Functions" .IX Subsection "Callback Functions" This section describes how the callback functions are used. Applications 
@@ -182,7 +185,7 @@ exdata, and perhaps an "initialized" flag within that memory. The exdata value may be allocated later on with \fBCRYPTO_alloc_ex_data()\fR, or may be set by calling \fBCRYPTO_set_ex_data()\fR. .PP -When a structure is free'd (such as \fBSSL_CTX_free()\fR) then the +When a structure is free\*(Aqd (such as \fBSSL_CTX_free()\fR) then the \&\fBfree_func()\fR is called for every defined index. Again, the state of the parent structure is not guaranteed. The \fBfree_func()\fR may be called with a NULL pointer. diff --git a/secure/lib/libcrypto/man/man3/CRYPTO_memcmp.3 b/secure/lib/libcrypto/man/man3/CRYPTO_memcmp.3 index 445313242edd..69687ff2eb61 100644 --- a/secure/lib/libcrypto/man/man3/CRYPTO_memcmp.3 +++ b/secure/lib/libcrypto/man/man3/CRYPTO_memcmp.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CRYPTO_MEMCMP 3ossl" -.TH CRYPTO_MEMCMP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CRYPTO_MEMCMP 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/CTLOG_STORE_get0_log_by_id.3 b/secure/lib/libcrypto/man/man3/CTLOG_STORE_get0_log_by_id.3 index 04697b8f3185..f5a3c92f116d 100644 --- a/secure/lib/libcrypto/man/man3/CTLOG_STORE_get0_log_by_id.3 +++ b/secure/lib/libcrypto/man/man3/CTLOG_STORE_get0_log_by_id.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CTLOG_STORE_GET0_LOG_BY_ID 3ossl" -.TH CTLOG_STORE_GET0_LOG_BY_ID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CTLOG_STORE_GET0_LOG_BY_ID 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -75,7 +78,7 @@ Get a Certificate Transparency log from a CTLOG_STORE .SH DESCRIPTION .IX Header "DESCRIPTION" A Signed Certificate Timestamp (SCT) identifies the Certificate Transparency -(CT) log that issued it using the log's LogID (see RFC 6962, Section 3.2). +(CT) log that issued it using the log\*(Aqs LogID (see RFC 6962, Section 3.2). Therefore, it is useful to be able to look up more information about a log (e.g. its public key) using this LogID. .PP diff --git a/secure/lib/libcrypto/man/man3/CTLOG_STORE_new.3 b/secure/lib/libcrypto/man/man3/CTLOG_STORE_new.3 index 8d8fcef0093f..dd68edbe5236 100644 --- a/secure/lib/libcrypto/man/man3/CTLOG_STORE_new.3 +++ b/secure/lib/libcrypto/man/man3/CTLOG_STORE_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CTLOG_STORE_NEW 3ossl" -.TH CTLOG_STORE_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CTLOG_STORE_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -93,7 +96,7 @@ The CTLOG_STORE is then populated by \fBCTLOG_STORE_load_default_file()\fR or \&\fBCTLOG_STORE_load_file()\fR. \fBCTLOG_STORE_load_default_file()\fR loads from the default file, which is named \fIct_log_list.cnf\fR in OPENSSLDIR (see the output of \&\fBopenssl\-version\fR\|(1)). This can be overridden using an environment variable -named \fBCTLOG_FILE\fR. \fBCTLOG_STORE_load_file()\fR loads from a caller-specified file +named \fBCTLOG_FILE\fR. \fBCTLOG_STORE_load_file()\fR loads from a caller\-specified file path instead. Both of these functions append any loaded CT logs to the CTLOG_STORE. .PP diff --git a/secure/lib/libcrypto/man/man3/CTLOG_new.3 b/secure/lib/libcrypto/man/man3/CTLOG_new.3 index e9e278b72278..c1c7b7d55562 100644 --- a/secure/lib/libcrypto/man/man3/CTLOG_new.3 +++ b/secure/lib/libcrypto/man/man3/CTLOG_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CTLOG_NEW 3ossl" -.TH CTLOG_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CTLOG_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -107,14 +110,14 @@ string \fIpropq\fR. property query string are used. .PP Regardless of whether \fBCTLOG_new()\fR or \fBCTLOG_new_from_base64()\fR is used, it is the -caller's responsibility to pass the CTLOG to \fBCTLOG_free()\fR once it is no longer +caller\*(Aqs responsibility to pass the CTLOG to \fBCTLOG_free()\fR once it is no longer needed. This will delete it and, if created by \fBCTLOG_new()\fR, the EVP_PKEY that was passed to it. If the argument to \fBCTLOG_free()\fR is NULL, nothing is done. .PP \&\fBCTLOG_get0_name()\fR returns the name of the log, as provided when the CTLOG was created. Ownership of the string remains with the CTLOG. .PP -\&\fBCTLOG_get0_log_id()\fR sets *log_id to point to a string containing that log's +\&\fBCTLOG_get0_log_id()\fR sets *log_id to point to a string containing that log\*(Aqs LogID (see RFC 6962). It sets *log_id_len to the length of that LogID. For a v1 CT log, the LogID will be a SHA\-256 hash (i.e. 32 bytes long). Ownership of the string remains with the CTLOG. diff --git a/secure/lib/libcrypto/man/man3/CT_POLICY_EVAL_CTX_new.3 b/secure/lib/libcrypto/man/man3/CT_POLICY_EVAL_CTX_new.3 index 72d0f72614e5..bce535df847e 100644 --- a/secure/lib/libcrypto/man/man3/CT_POLICY_EVAL_CTX_new.3 +++ b/secure/lib/libcrypto/man/man3/CT_POLICY_EVAL_CTX_new.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CT_POLICY_EVAL_CTX_NEW 3ossl" -.TH CT_POLICY_EVAL_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CT_POLICY_EVAL_CTX_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -92,14 +95,14 @@ Encapsulates the data required to evaluate whether SCTs meet a Certificate Trans A \fBCT_POLICY_EVAL_CTX\fR is used by functions that evaluate whether Signed Certificate Timestamps (SCTs) fulfil a Certificate Transparency (CT) policy. This policy may be, for example, that at least one valid SCT is available. To -determine this, an SCT's timestamp and signature must be verified. +determine this, an SCT\*(Aqs timestamp and signature must be verified. This requires: .IP \(bu 2 the public key of the log that issued the SCT .IP \(bu 2 the certificate that the SCT was issued for .IP \(bu 2 -the issuer certificate (if the SCT was issued for a pre-certificate) +the issuer certificate (if the SCT was issued for a pre\-certificate) .IP \(bu 2 the current time .PP 
@@ -145,7 +148,7 @@ When no longer required, the \fBCT_POLICY_EVAL_CTX\fR should be passed to .SH NOTES .IX Header "NOTES" The issuer certificate only needs to be provided if at least one of the SCTs -was issued for a pre-certificate. This will be the case for SCTs embedded in a +was issued for a pre\-certificate. This will be the case for SCTs embedded in a certificate (i.e. those in an X.509 extension), but may not be the case for SCTs found in the TLS SCT extension or OCSP response. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/DEFINE_STACK_OF.3 b/secure/lib/libcrypto/man/man3/DEFINE_STACK_OF.3 index 32022ed0b083..4bc601c2105c 100644 --- a/secure/lib/libcrypto/man/man3/DEFINE_STACK_OF.3 +++ b/secure/lib/libcrypto/man/man3/DEFINE_STACK_OF.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DEFINE_STACK_OF 3ossl" -.TH DEFINE_STACK_OF 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DEFINE_STACK_OF 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -136,7 +139,7 @@ This can be used in every header file that references the stack. There are several \fBDEFINE...\fR macros that create static inline functions for all of the functions described on this page. This should normally be used in one source file, and the stack manipulation -is wrapped with application-specific functions. +is wrapped with application\-specific functions. .PP \&\fBDEFINE_STACK_OF()\fR creates set of functions for a stack of \fR\f(BITYPE\fR\fB\fR elements. The type is referenced by @@ -270,7 +273,7 @@ Copying is performed by the supplied \fBcopyfunc()\fR and freeing by \fBfreefunc The function \fBfreefunc()\fR is only called if an error occurs. .SH NOTES .IX Header "NOTES" -Care should be taken when accessing stacks in multi-threaded environments. +Care should be taken when accessing stacks in multi\-threaded environments. Any operation which increases the size of a stack such as \fBsk_\fR\f(BITYPE\fR\fB_insert\fR() or \fBsk_\fR\f(BITYPE\fR\fB_push\fR() can "grow" the size of an internal array and cause race conditions if the same stack is accessed in a different thread. Operations such @@ -353,7 +356,7 @@ and was not a public API. 1.1.1. .PP From OpenSSL 3.2.0, the \fBsk_\fR\f(BITYPE\fR\fB_find\fR(), \fBsk_\fR\f(BITYPE\fR\fB_find_ex\fR() -and \fBsk_\fR\f(BITYPE\fR\fB_find_all\fR() calls are read-only and do not sort the +and \fBsk_\fR\f(BITYPE\fR\fB_find_all\fR() calls are read\-only and do not sort the stack. To avoid any performance implications this change introduces, \&\fBsk_\fR\f(BITYPE\fR\fB_sort\fR() should be called before these find operations. .PP diff --git a/secure/lib/libcrypto/man/man3/DES_random_key.3 b/secure/lib/libcrypto/man/man3/DES_random_key.3 index 6e24554063f3..65d1b7dd6258 100644 --- a/secure/lib/libcrypto/man/man3/DES_random_key.3 +++ b/secure/lib/libcrypto/man/man3/DES_random_key.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DES_RANDOM_KEY 3ossl" -.TH DES_RANDOM_KEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DES_RANDOM_KEY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -184,7 +187,7 @@ architecture dependent \fIDES_key_schedule\fR via the \&\fBDES_set_key_checked()\fR or \fBDES_set_key_unchecked()\fR function. .PP \&\fBDES_set_key_checked()\fR will check that the key passed is of odd parity -and is not a weak or semi-weak key. If the parity is wrong, then \-1 +and is not a weak or semi\-weak key. If the parity is wrong, then \-1 is returned. If the key is a weak key, then \-2 is returned. If an error is returned, the key schedule is not generated. .PP 
@@ -211,19 +214,19 @@ ciphertext) is decrypted into the \fIoutput\fR (now cleartext). Input and output may overlap. \fBDES_ecb_encrypt()\fR does not return a value. .PP \&\fBDES_ecb3_encrypt()\fR encrypts/decrypts the \fIinput\fR block by using -three-key Triple-DES encryption in ECB mode. This involves encrypting +three\-key Triple\-DES encryption in ECB mode. This involves encrypting the input with \fIks1\fR, decrypting with the key schedule \fIks2\fR, and then encrypting with \fIks3\fR. This routine greatly reduces the chances of brute force breaking of DES and has the advantage of if \fIks1\fR, \&\fIks2\fR and \fIks3\fR are the same, it is equivalent to just encryption using ECB mode and \fIks1\fR as the key. .PP -The macro \fBDES_ecb2_encrypt()\fR is provided to perform two-key Triple-DES +The macro \fBDES_ecb2_encrypt()\fR is provided to perform two\-key Triple\-DES encryption by using \fIks1\fR for the final encryption. .PP -\&\fBDES_ncbc_encrypt()\fR encrypts/decrypts using the \fIcipher-block-chaining\fR +\&\fBDES_ncbc_encrypt()\fR encrypts/decrypts using the \fIcipher\-block\-chaining\fR (CBC) mode of DES. If the \fIencrypt\fR argument is nonzero, the -routine cipher-block-chain encrypts the cleartext data pointed to by +routine cipher\-block\-chain encrypts the cleartext data pointed to by the \fIinput\fR argument into the ciphertext pointed to by the \fIoutput\fR argument, using the key schedule provided by the \fIschedule\fR argument, and initialization vector provided by the \fIivec\fR argument. If the 
@@ -231,8 +234,8 @@ and initialization vector provided by the \fIivec\fR argument. If the last block is copied to a temporary area and zero filled. The output is always an integral multiple of eight bytes. .PP -\&\fBDES_xcbc_encrypt()\fR is RSA's DESX mode of DES. It uses \fIinw\fR and -\&\fIoutw\fR to 'whiten' the encryption. \fIinw\fR and \fIoutw\fR are secret +\&\fBDES_xcbc_encrypt()\fR is RSA\*(Aqs DESX mode of DES. It uses \fIinw\fR and +\&\fIoutw\fR to \*(Aqwhiten\*(Aq the encryption. \fIinw\fR and \fIoutw\fR are secret (unlike the iv) and are as such, part of the key. So the key is sort of 24 bytes. This is much better than CBC DES. .PP @@ -240,9 +243,9 @@ of 24 bytes. This is much better than CBC DES. three keys. This means that each DES operation inside the CBC mode is \&\f(CW\*(C`C=E(ks3,D(ks2,E(ks1,M)))\*(C'\fR. This mode is used by SSL. .PP -The \fBDES_ede2_cbc_encrypt()\fR macro implements two-key Triple-DES by +The \fBDES_ede2_cbc_encrypt()\fR macro implements two\-key Triple\-DES by reusing \fIks1\fR for the final encryption. \f(CW\*(C`C=E(ks1,D(ks2,E(ks1,M)))\*(C'\fR. -This form of Triple-DES is used by the RSAREF library. +This form of Triple\-DES is used by the RSAREF library. .PP \&\fBDES_pcbc_encrypt()\fR encrypts/decrypts using the propagating cipher block chaining mode used by Kerberos v4. Its parameters are the same as 
@@ -261,11 +264,11 @@ implements CFB mode of DES with 64\-bit feedback. Why is this useful you ask? Because this routine will allow you to encrypt an arbitrary number of bytes, without 8 byte padding. Each call to this routine will encrypt the input bytes to output and then update ivec -and num. num contains 'how far' we are though ivec. If this does +and num. num contains \*(Aqhow far\*(Aq we are though ivec. If this does not make much sense, read more about CFB mode of DES. .PP \&\fBDES_ede3_cfb64_encrypt()\fR and \fBDES_ede2_cfb64_encrypt()\fR is the same as -\&\fBDES_cfb64_encrypt()\fR except that Triple-DES is used. +\&\fBDES_cfb64_encrypt()\fR except that Triple\-DES is used. .PP \&\fBDES_ofb_encrypt()\fR encrypts using output feedback mode. This method takes an array of characters as input and outputs an array of @@ -279,7 +282,7 @@ suggested for use when sending a small number of characters. Feed Back mode. .PP \&\fBDES_ede3_ofb64_encrypt()\fR and \fBDES_ede2_ofb64_encrypt()\fR is the same as -\&\fBDES_ofb64_encrypt()\fR, using Triple-DES. +\&\fBDES_ofb64_encrypt()\fR, using Triple\-DES. .PP The following functions are included in the DES library for compatibility with the MIT Kerberos library. @@ -293,10 +296,10 @@ used by Kerberos v4. Other applications should use \&\fBDES_quad_cksum()\fR is a Kerberos v4 function. It returns a 4 byte checksum from the input bytes. The algorithm can be iterated over the input, depending on \fIout_count\fR, 1, 2, 3 or 4 times. If \fIoutput\fR is -non-NULL, the 8 bytes generated by each pass are written into +non\-NULL, the 8 bytes generated by each pass are written into \&\fIoutput\fR. .PP -The following are DES-based transformations: +The following are DES\-based transformations: .PP \&\fBDES_fcrypt()\fR is a fast version of the Unix \fBcrypt\fR\|(3) function. This version takes only a small amount of space relative to other fast 
@@ -307,7 +310,7 @@ is thread safe, unlike the normal \fBcrypt()\fR. .PP \&\fBDES_crypt()\fR is a faster replacement for the normal system \fBcrypt()\fR. This function calls \fBDES_fcrypt()\fR with a static array passed as the -third parameter. This mostly emulates the normal non-thread-safe semantics +third parameter. This mostly emulates the normal non\-thread\-safe semantics of \fBcrypt\fR\|(3). The \fBsalt\fR must be two ASCII characters. .PP @@ -348,7 +351,7 @@ Applications should use the higher level functions \&\fBEVP_EncryptInit\fR\|(3) etc. instead of calling these functions directly. .PP -Single-key DES is insecure due to its short key size. ECB mode is +Single\-key DES is insecure due to its short key size. ECB mode is not suitable for most applications; see \fBdes_modes\fR\|(7). .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -361,7 +364,7 @@ is ok. \&\fBDES_cbc_cksum()\fR and \fBDES_quad_cksum()\fR return 4\-byte integer representing the last 4 bytes of the checksum of the input. .PP -\&\fBDES_fcrypt()\fR returns a pointer to the caller-provided buffer and \fBDES_crypt()\fR \- +\&\fBDES_fcrypt()\fR returns a pointer to the caller\-provided buffer and \fBDES_crypt()\fR \- to a static buffer on success; otherwise they return NULL. .SH "SEE ALSO" .IX Header "SEE ALSO" @@ -374,7 +377,7 @@ All of these functions were deprecated in OpenSSL 3.0. The requirement that the \fBsalt\fR parameter to \fBDES_crypt()\fR and \fBDES_fcrypt()\fR be two ASCII characters was first enforced in OpenSSL 1.1.0. Previous versions tried to use the letter uppercase \fBA\fR -if both character were not present, and could crash when given non-ASCII +if both character were not present, and could crash when given non\-ASCII on some platforms. .SH COPYRIGHT .IX Header "COPYRIGHT" diff --git a/secure/lib/libcrypto/man/man3/DH_generate_key.3 b/secure/lib/libcrypto/man/man3/DH_generate_key.3 index 67f658806672..0d50b9e1da99 100644 --- a/secure/lib/libcrypto/man/man3/DH_generate_key.3 
+++ b/secure/lib/libcrypto/man/man3/DH_generate_key.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DH_GENERATE_KEY 3ossl" -.TH DH_GENERATE_KEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DH_GENERATE_KEY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -86,10 +89,10 @@ All of the functions described on this page are deprecated. Applications should instead use \fBEVP_PKEY_derive_init\fR\|(3) and \fBEVP_PKEY_derive\fR\|(3). .PP -\&\fBDH_generate_key()\fR performs the first step of a Diffie-Hellman key +\&\fBDH_generate_key()\fR performs the first step of a Diffie\-Hellman key exchange by generating private and public DH values. By calling \&\fBDH_compute_key()\fR or \fBDH_compute_key_padded()\fR, these are combined with -the other party's public value to compute the shared key. +the other party\*(Aqs public value to compute the shared key. .PP \&\fBDH_generate_key()\fR expects \fBdh\fR to contain the shared parameters \&\fBdh\->p\fR and \fBdh\->g\fR. It generates a random private DH value 
@@ -98,7 +101,7 @@ corresponding public value \fBdh\->pub_key\fR, which can then be published. .PP \&\fBDH_compute_key()\fR computes the shared secret from the private DH value -in \fBdh\fR and the other party's public value in \fBpub_key\fR and stores +in \fBdh\fR and the other party\*(Aqs public value in \fBpub_key\fR and stores it in \fBkey\fR. \fBkey\fR must point to \fBDH_size(dh)\fR bytes of memory. The padding style is RFC 5246 (8.1.2) that strips leading zero bytes. It is not constant time due to the leading zero bytes being stripped. diff --git a/secure/lib/libcrypto/man/man3/DH_generate_parameters.3 b/secure/lib/libcrypto/man/man3/DH_generate_parameters.3 index 70a6c57ca2c4..beff7b9b37eb 100644 --- a/secure/lib/libcrypto/man/man3/DH_generate_parameters.3 +++ b/secure/lib/libcrypto/man/man3/DH_generate_parameters.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DH_GENERATE_PARAMETERS 3ossl" -.TH DH_GENERATE_PARAMETERS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DH_GENERATE_PARAMETERS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -102,9 +105,9 @@ Applications should instead use \fBEVP_PKEY_check\fR\|(3), \&\fBEVP_PKEY_public_check\fR\|(3), \fBEVP_PKEY_private_check\fR\|(3) and \&\fBEVP_PKEY_param_check\fR\|(3). .PP -\&\fBDH_generate_parameters_ex()\fR generates Diffie-Hellman parameters that can +\&\fBDH_generate_parameters_ex()\fR generates Diffie\-Hellman parameters that can be shared among a group of users, and stores them in the provided \fBDH\fR -structure. The pseudo-random number generator must be +structure. The pseudo\-random number generator must be seeded before calling it. The parameters generated by \fBDH_generate_parameters_ex()\fR should not be used in signature schemes. @@ -120,8 +123,8 @@ is called. See \fBBN_generate_prime_ex\fR\|(3) for information on the \fBBN_GENCB_call()\fR function. .PP \&\fBDH_generate_parameters()\fR is similar to \fBDH_generate_prime_ex()\fR but -expects an old-style callback function; see -\&\fBBN_generate_prime\fR\|(3) for information on the old-style callback. +expects an old\-style callback function; see +\&\fBBN_generate_prime\fR\|(3) for information on the old\-style callback. .PP \&\fBDH_check_params()\fR confirms that the \fBp\fR and \fBg\fR are likely enough to be valid. @@ -133,12 +136,12 @@ following bits may be set: .IP DH_CHECK_P_NOT_PRIME 4 .IX Item "DH_CHECK_P_NOT_PRIME" The parameter \fBp\fR has been determined to not being an odd prime. -Note that the lack of this bit doesn't guarantee that \fBp\fR is a +Note that the lack of this bit doesn\*(Aqt guarantee that \fBp\fR is a prime. .IP DH_NOT_SUITABLE_GENERATOR 4 .IX Item "DH_NOT_SUITABLE_GENERATOR" The generator \fBg\fR is not suitable. -Note that the lack of this bit doesn't guarantee that \fBg\fR is +Note that the lack of this bit doesn\*(Aqt guarantee that \fBg\fR is suitable, unless \fBp\fR is known to be a strong prime. .IP DH_MODULUS_TOO_SMALL 4 .IX Item "DH_MODULUS_TOO_SMALL" 
@@ -147,7 +150,7 @@ The modulus is too small. .IX Item "DH_MODULUS_TOO_LARGE" The modulus is too large. .PP -\&\fBDH_check()\fR confirms that the Diffie-Hellman parameters \fBdh\fR are valid. The +\&\fBDH_check()\fR confirms that the Diffie\-Hellman parameters \fBdh\fR are valid. The value of \fB*codes\fR is updated with any problems found. If \fB*codes\fR is zero then no problems were found, otherwise the following bits may be set: .IP DH_CHECK_P_NOT_PRIME 4 @@ -173,12 +176,12 @@ The parameter \fBq\fR is invalid. The parameter \fBj\fR is invalid. .PP If 0 is returned or \fB*codes\fR is set to a nonzero value the supplied -parameters should not be used for Diffie-Hellman operations otherwise +parameters should not be used for Diffie\-Hellman operations otherwise the security properties of the key exchange are not guaranteed. .PP \&\fBDH_check_ex()\fR, \fBDH_check_params()\fR and \fBDH_check_pub_key_ex()\fR are similar to \&\fBDH_check()\fR and \fBDH_check_params()\fR respectively, but the error reasons are added -to the thread's error queue instead of provided as return values from the +to the thread\*(Aqs error queue instead of provided as return values from the function. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/DH_get0_pqg.3 b/secure/lib/libcrypto/man/man3/DH_get0_pqg.3 index 5450e6078044..fde6594fd407 100644 --- a/secure/lib/libcrypto/man/man3/DH_get0_pqg.3 +++ b/secure/lib/libcrypto/man/man3/DH_get0_pqg.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DH_GET0_PQG 3ossl" -.TH DH_GET0_PQG 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DH_GET0_PQG 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/DH_get_1024_160.3 b/secure/lib/libcrypto/man/man3/DH_get_1024_160.3 index c1b0ec1f8d8e..4393908d3a83 100644 --- a/secure/lib/libcrypto/man/man3/DH_get_1024_160.3 +++ b/secure/lib/libcrypto/man/man3/DH_get_1024_160.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DH_GET_1024_160 3ossl" -.TH DH_GET_1024_160 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DH_GET_1024_160 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/DH_meth_new.3 b/secure/lib/libcrypto/man/man3/DH_meth_new.3 index 4d33a6b49731..e39cb9937631 100644 --- a/secure/lib/libcrypto/man/man3/DH_meth_new.3 +++ b/secure/lib/libcrypto/man/man3/DH_meth_new.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DH_METH_NEW 3ossl" -.TH DH_METH_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DH_METH_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -155,7 +158,7 @@ DH_METHOD. \fBDH_meth_set_flags()\fR provides the ability to set these flags. .PP The functions \fBDH_meth_get0_app_data()\fR and \fBDH_meth_set0_app_data()\fR provide the ability to associate implementation specific data with the DH_METHOD. It is -the application's responsibility to free this data before the DH_METHOD is +the application\*(Aqs responsibility to free this data before the DH_METHOD is freed via a call to \fBDH_meth_free()\fR. .PP \&\fBDH_meth_get_generate_key()\fR and \fBDH_meth_set_generate_key()\fR get and set the diff --git a/secure/lib/libcrypto/man/man3/DH_new.3 b/secure/lib/libcrypto/man/man3/DH_new.3 index ca761c6ee5b3..6df4197fe090 100644 --- a/secure/lib/libcrypto/man/man3/DH_new.3 +++ b/secure/lib/libcrypto/man/man3/DH_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DH_NEW 3ossl" -.TH DH_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DH_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/DH_new_by_nid.3 b/secure/lib/libcrypto/man/man3/DH_new_by_nid.3 index b318f663e42b..c7273df386d1 100644 --- a/secure/lib/libcrypto/man/man3/DH_new_by_nid.3 +++ b/secure/lib/libcrypto/man/man3/DH_new_by_nid.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DH_NEW_BY_NID 3ossl" -.TH DH_NEW_BY_NID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DH_NEW_BY_NID 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/DH_set_method.3 b/secure/lib/libcrypto/man/man3/DH_set_method.3 index 5755d60ea442..467ebac1ef07 100644 --- a/secure/lib/libcrypto/man/man3/DH_set_method.3 +++ b/secure/lib/libcrypto/man/man3/DH_set_method.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DH_SET_METHOD 3ossl" -.TH DH_SET_METHOD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DH_SET_METHOD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -89,7 +92,7 @@ see \fBopenssl_user_macros\fR\|(7): All of the functions described on this page are deprecated. Applications should instead use the provider APIs. .PP -A \fBDH_METHOD\fR specifies the functions that OpenSSL uses for Diffie-Hellman +A \fBDH_METHOD\fR specifies the functions that OpenSSL uses for Diffie\-Hellman operations. By modifying the method, alternative implementations such as hardware accelerators may be used. IMPORTANT: See the NOTES section for important information about how these DH API functions are affected by the use @@ -102,7 +105,7 @@ returned by \fBDH_OpenSSL()\fR. structures created later. \&\fBNB\fR: This is true only whilst no ENGINE has been set as a default for DH, so this function is no longer recommended. -This function is not thread-safe and should not be called at the same time +This function is not thread\-safe and should not be called at the same time as other OpenSSL functions. .PP \&\fBDH_get_default_method()\fR returns a pointer to the current default DH_METHOD. 
@@ -114,7 +117,7 @@ This will replace the DH_METHOD used by the DH key and if the previous method was supplied by an ENGINE, the handle to that ENGINE will be released during the change. It is possible to have DH keys that only work with certain DH_METHOD implementations (e.g. from an ENGINE module that supports embedded -hardware-protected keys), and in such cases attempting to change the DH_METHOD +hardware\-protected keys), and in such cases attempting to change the DH_METHOD for the key can have unexpected results. .PP \&\fBDH_new_method()\fR allocates and initializes a DH structure so that \fBengine\fR will diff --git a/secure/lib/libcrypto/man/man3/DH_size.3 b/secure/lib/libcrypto/man/man3/DH_size.3 index dad280298cf3..8c47e181a5c2 100644 --- a/secure/lib/libcrypto/man/man3/DH_size.3 +++ b/secure/lib/libcrypto/man/man3/DH_size.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DH_SIZE 3ossl" -.TH DH_SIZE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DH_SIZE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -90,7 +93,7 @@ Applications should instead use \fBEVP_PKEY_get_bits\fR\|(3), .PP \&\fBdh\fR and \fBdh\->p\fR must not be \fBNULL\fR. .PP -\&\fBDH_size()\fR returns the Diffie-Hellman prime size in bytes. It can be used +\&\fBDH_size()\fR returns the Diffie\-Hellman prime size in bytes. It can be used to determine how much memory must be allocated for the shared secret computed by \fBDH_compute_key\fR\|(3). .PP @@ -99,13 +102,13 @@ key. See \fBBN_security_bits\fR\|(3). .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBDH_bits()\fR returns the number of bits in the key, or \-1 if -\&\fBdh\fR doesn't hold any key parameters. +\&\fBdh\fR doesn\*(Aqt hold any key parameters. .PP -\&\fBDH_size()\fR returns the prime size of Diffie-Hellman in bytes, or \-1 if -\&\fBdh\fR doesn't hold any key parameters. +\&\fBDH_size()\fR returns the prime size of Diffie\-Hellman in bytes, or \-1 if +\&\fBdh\fR doesn\*(Aqt hold any key parameters. .PP \&\fBDH_security_bits()\fR returns the number of security bits, or \-1 if -\&\fBdh\fR doesn't hold any key parameters. +\&\fBdh\fR doesn\*(Aqt hold any key parameters. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_PKEY_get_bits\fR\|(3), diff --git a/secure/lib/libcrypto/man/man3/DSA_SIG_new.3 b/secure/lib/libcrypto/man/man3/DSA_SIG_new.3 index 669f39363e3a..e54ae12290f4 100644 --- a/secure/lib/libcrypto/man/man3/DSA_SIG_new.3 +++ b/secure/lib/libcrypto/man/man3/DSA_SIG_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DSA_SIG_NEW 3ossl" -.TH DSA_SIG_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DSA_SIG_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/DSA_do_sign.3 b/secure/lib/libcrypto/man/man3/DSA_do_sign.3 index 76f04b7d9230..d6c640ccdc63 100644 --- a/secure/lib/libcrypto/man/man3/DSA_do_sign.3 +++ b/secure/lib/libcrypto/man/man3/DSA_do_sign.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DSA_DO_SIGN 3ossl" -.TH DSA_DO_SIGN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DSA_DO_SIGN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -90,10 +93,10 @@ newly allocated \fBDSA_SIG\fR structure. .PP \&\fBDSA_sign_setup\fR\|(3) may be used to precompute part of the signing operation in case signature generation is -time-critical. +time\-critical. .PP \&\fBDSA_do_verify()\fR verifies that the signature \fBsig\fR matches a given -message digest \fBdgst\fR of size \fBlen\fR. \fBdsa\fR is the signer's public +message digest \fBdgst\fR of size \fBlen\fR. \fBdsa\fR is the signer\*(Aqs public key. .SH "RETURN VALUES" .IX Header "RETURN VALUES" 
diff --git a/secure/lib/libcrypto/man/man3/DSA_dup_DH.3 b/secure/lib/libcrypto/man/man3/DSA_dup_DH.3 index 7dc83c25f08b..2eb4110ce76f 100644 --- a/secure/lib/libcrypto/man/man3/DSA_dup_DH.3 +++ b/secure/lib/libcrypto/man/man3/DSA_dup_DH.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DSA_DUP_DH 3ossl" -.TH DSA_DUP_DH 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DSA_DUP_DH 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -78,7 +81,7 @@ see \fBopenssl_user_macros\fR\|(7): .SH DESCRIPTION .IX Header "DESCRIPTION" The function described on this page is deprecated. There is no direct -replacement, applications should use the EVP_PKEY APIs for Diffie-Hellman +replacement, applications should use the EVP_PKEY APIs for Diffie\-Hellman operations. .PP \&\fBDSA_dup_DH()\fR duplicates DSA parameters/keys as DH parameters/keys. q diff --git a/secure/lib/libcrypto/man/man3/DSA_generate_key.3 b/secure/lib/libcrypto/man/man3/DSA_generate_key.3 index ecb848df0459..ec7c4d2b049d 100644 --- a/secure/lib/libcrypto/man/man3/DSA_generate_key.3 +++ b/secure/lib/libcrypto/man/man3/DSA_generate_key.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DSA_GENERATE_KEY 3ossl" -.TH DSA_GENERATE_KEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DSA_GENERATE_KEY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/DSA_generate_parameters.3 b/secure/lib/libcrypto/man/man3/DSA_generate_parameters.3 index 16f01ddbc65c..91602b0644f1 100644 --- a/secure/lib/libcrypto/man/man3/DSA_generate_parameters.3 +++ b/secure/lib/libcrypto/man/man3/DSA_generate_parameters.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DSA_GENERATE_PARAMETERS 3ossl" -.TH DSA_GENERATE_PARAMETERS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DSA_GENERATE_PARAMETERS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -115,15 +118,15 @@ BN_GENCB_call function discussed below, refer to \&\fBBN_generate_prime\fR\|(3). .PP \&\fBDSA_generate_parameters()\fR is similar to \fBDSA_generate_parameters_ex()\fR but -expects an old-style callback function; see -\&\fBBN_generate_prime\fR\|(3) for information on the old-style callback. +expects an old\-style callback function; see +\&\fBBN_generate_prime\fR\|(3) for information on the old\-style callback. .IP \(bu 2 When a candidate for q is generated, \fBBN_GENCB_call(cb, 0, m++)\fR is called (m is 0 for the first candidate). .IP \(bu 2 When a candidate for q has passed a test by trial division, \&\fBBN_GENCB_call(cb, 1, \-1)\fR is called. -While a candidate for q is tested by Miller-Rabin primality tests, +While a candidate for q is tested by Miller\-Rabin primality tests, \&\fBBN_GENCB_call(cb, 1, i)\fR is called in the outer loop (once for each witness that confirms that the candidate may be prime); i is the loop counter (starting at 0). @@ -136,7 +139,7 @@ Before a candidate for p (other than the first) is generated and tested, .IP \(bu 2 When a candidate for p has passed the test by trial division, \&\fBBN_GENCB_call(cb, 1, \-1)\fR is called. -While it is tested by the Miller-Rabin primality test, +While it is tested by the Miller\-Rabin primality test, \&\fBBN_GENCB_call(cb, 1, i)\fR is called in the outer loop (once for each witness that confirms that the candidate may be prime). i is the loop counter (starting at 0). diff --git a/secure/lib/libcrypto/man/man3/DSA_get0_pqg.3 b/secure/lib/libcrypto/man/man3/DSA_get0_pqg.3 index 1352fee08312..9f1d7cde0e3a 100644 --- a/secure/lib/libcrypto/man/man3/DSA_get0_pqg.3 +++ b/secure/lib/libcrypto/man/man3/DSA_get0_pqg.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DSA_GET0_PQG 3ossl" -.TH DSA_GET0_PQG 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DSA_GET0_PQG 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -122,7 +125,7 @@ be. The values point to the internal representation of the public key and private key values. This memory should not be freed directly. .PP The public and private key values can be set using \fBDSA_set0_key()\fR. The public -key must be non-NULL the first time this function is called on a given DSA +key must be non\-NULL the first time this function is called on a given DSA object. The private key may be NULL. On subsequent calls, either may be NULL, which means the corresponding DSA field is left untouched. As for \fBDSA_set0_pqg()\fR this function transfers the memory management of the key values to the DSA diff --git a/secure/lib/libcrypto/man/man3/DSA_meth_new.3 b/secure/lib/libcrypto/man/man3/DSA_meth_new.3 index 1e4a90a1a7f5..c5aec03716dd 100644 --- a/secure/lib/libcrypto/man/man3/DSA_meth_new.3 +++ b/secure/lib/libcrypto/man/man3/DSA_meth_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DSA_METH_NEW 3ossl" -.TH DSA_METH_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DSA_METH_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -184,7 +187,7 @@ DSA_METHOD. \fBDSA_meth_set_flags()\fR provides the ability to set these flags. .PP The functions \fBDSA_meth_get0_app_data()\fR and \fBDSA_meth_set0_app_data()\fR provide the ability to associate implementation specific data with the DSA_METHOD. It is -the application's responsibility to free this data before the DSA_METHOD is +the application\*(Aqs responsibility to free this data before the DSA_METHOD is freed via a call to \fBDSA_meth_free()\fR. .PP \&\fBDSA_meth_get_sign()\fR and \fBDSA_meth_set_sign()\fR get and set the function used for diff --git a/secure/lib/libcrypto/man/man3/DSA_new.3 b/secure/lib/libcrypto/man/man3/DSA_new.3 index 79ae74063079..828ffbe85a7a 100644 --- a/secure/lib/libcrypto/man/man3/DSA_new.3 +++ b/secure/lib/libcrypto/man/man3/DSA_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DSA_NEW 3ossl" -.TH DSA_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DSA_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/DSA_set_method.3 b/secure/lib/libcrypto/man/man3/DSA_set_method.3 index f063f53a19db..68876e4e2c64 100644 --- a/secure/lib/libcrypto/man/man3/DSA_set_method.3 +++ b/secure/lib/libcrypto/man/man3/DSA_set_method.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DSA_SET_METHOD 3ossl" -.TH DSA_SET_METHOD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DSA_SET_METHOD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -102,7 +105,7 @@ as returned by \fBDSA_OpenSSL()\fR. structures created later. \&\fBNB\fR: This is true only whilst no ENGINE has been set as a default for DSA, so this function is no longer recommended. -This function is not thread-safe and should not be called at the same time +This function is not thread\-safe and should not be called at the same time as other OpenSSL functions. .PP \&\fBDSA_get_default_method()\fR returns a pointer to the current default 
@@ -115,7 +118,7 @@ recommended. previous method was supplied by an ENGINE, the handle to that ENGINE will be released during the change. It is possible to have DSA keys that only work with certain DSA_METHOD implementations (e.g. from an ENGINE module -that supports embedded hardware-protected keys), and in such cases +that supports embedded hardware\-protected keys), and in such cases attempting to change the DSA_METHOD for the key can have unexpected results. See \fBDSA_meth_new\fR\|(3) for information on constructing custom DSA_METHOD objects; diff --git a/secure/lib/libcrypto/man/man3/DSA_sign.3 b/secure/lib/libcrypto/man/man3/DSA_sign.3 index 54d16a1e197f..05a7c06ee955 100644 --- a/secure/lib/libcrypto/man/man3/DSA_sign.3 +++ b/secure/lib/libcrypto/man/man3/DSA_sign.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DSA_SIGN 3ossl" -.TH DSA_SIGN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DSA_SIGN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -101,7 +104,7 @@ cause overhead, and does not affect the actual signature .PP \&\fBDSA_verify()\fR verifies that the signature \fBsigbuf\fR of size \fBsiglen\fR matches a given message digest \fBdgst\fR of size \fBlen\fR. -\&\fBdsa\fR is the signer's public key. +\&\fBdsa\fR is the signer\*(Aqs public key. .PP The \fBtype\fR parameter is ignored. .PP 
diff --git a/secure/lib/libcrypto/man/man3/DSA_size.3 b/secure/lib/libcrypto/man/man3/DSA_size.3 index 517c5ce83301..72cdc51c2f8c 100644 --- a/secure/lib/libcrypto/man/man3/DSA_size.3 +++ b/secure/lib/libcrypto/man/man3/DSA_size.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DSA_SIZE 3ossl" -.TH DSA_SIZE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DSA_SIZE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -97,12 +100,12 @@ key. See \fBBN_security_bits\fR\|(3). .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBDSA_security_bits()\fR returns the number of security bits in the key, or \-1 if -\&\fIdsa\fR doesn't hold any key parameters. +\&\fIdsa\fR doesn\*(Aqt hold any key parameters. .PP -\&\fBDSA_bits()\fR returns the number of bits in the key, or \-1 if \fIdsa\fR doesn't +\&\fBDSA_bits()\fR returns the number of bits in the key, or \-1 if \fIdsa\fR doesn\*(Aqt hold any key parameters. .PP -\&\fBDSA_size()\fR returns the signature size in bytes, or \-1 if \fIdsa\fR doesn't +\&\fBDSA_size()\fR returns the signature size in bytes, or \-1 if \fIdsa\fR doesn\*(Aqt hold any key parameters. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/DTLS_get_data_mtu.3 b/secure/lib/libcrypto/man/man3/DTLS_get_data_mtu.3 index 873f4cb89d21..51e7e3a0fca7 100644 --- a/secure/lib/libcrypto/man/man3/DTLS_get_data_mtu.3 +++ b/secure/lib/libcrypto/man/man3/DTLS_get_data_mtu.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DTLS_GET_DATA_MTU 3ossl" -.TH DTLS_GET_DATA_MTU 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DTLS_GET_DATA_MTU 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/DTLS_set_timer_cb.3 b/secure/lib/libcrypto/man/man3/DTLS_set_timer_cb.3 index 1e262e61ac10..d43825ad54b7 100644 --- a/secure/lib/libcrypto/man/man3/DTLS_set_timer_cb.3 +++ b/secure/lib/libcrypto/man/man3/DTLS_set_timer_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DTLS_SET_TIMER_CB 3ossl" -.TH DTLS_SET_TIMER_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DTLS_SET_TIMER_CB 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/DTLSv1_get_timeout.3 b/secure/lib/libcrypto/man/man3/DTLSv1_get_timeout.3 index 1580ed7918cc..c8c293d0af9e 100644 
--- a/secure/lib/libcrypto/man/man3/DTLSv1_get_timeout.3 +++ b/secure/lib/libcrypto/man/man3/DTLSv1_get_timeout.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DTLSV1_GET_TIMEOUT 3ossl" -.TH DTLSV1_GET_TIMEOUT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DTLSV1_GET_TIMEOUT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/DTLSv1_handle_timeout.3 b/secure/lib/libcrypto/man/man3/DTLSv1_handle_timeout.3 index 5500937efa5c..261ef0256d91 100644 --- a/secure/lib/libcrypto/man/man3/DTLSv1_handle_timeout.3 +++ b/secure/lib/libcrypto/man/man3/DTLSv1_handle_timeout.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DTLSV1_HANDLE_TIMEOUT 3ossl" -.TH DTLSV1_HANDLE_TIMEOUT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DTLSV1_HANDLE_TIMEOUT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/DTLSv1_listen.3 b/secure/lib/libcrypto/man/man3/DTLSv1_listen.3 index bc9e228ed008..be796834b13c 100644 --- a/secure/lib/libcrypto/man/man3/DTLSv1_listen.3 +++ b/secure/lib/libcrypto/man/man3/DTLSv1_listen.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DTLSV1_LISTEN 3ossl" -.TH DTLSV1_LISTEN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DTLSV1_LISTEN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -92,9 +95,9 @@ message then the amplification attack has succeeded. .PP If DTLS is used over UDP (or any datagram based protocol that does not validate the source IP) then it is susceptible to this type of attack. TLSv1.3 is -designed to operate over a stream-based transport protocol (such as TCP). +designed to operate over a stream\-based transport protocol (such as TCP). If TCP is being used then there is no need to use \fBSSL_stateless()\fR. However, some -stream-based transport protocols (e.g. QUIC) may not validate the source +stream\-based transport protocols (e.g. QUIC) may not validate the source address. In this case a TLSv1.3 application would be susceptible to this attack. .PP As a countermeasure to this issue TLSv1.3 and DTLS include a stateless cookie 
@@ -128,11 +131,11 @@ the peer after making use of \fBDTLSv1_listen()\fR. In the typical case where datagram on an unconnected socket. If the socket is not connected, it can receive datagrams from any host on the network, which will cause subsequent outgoing datagrams transmitted by DTLS to be transmitted to that host. In other -words, failing to call \fBBIO_connect()\fR or a similar OS-specific function on a +words, failing to call \fBBIO_connect()\fR or a similar OS\-specific function on a socket means that any host on the network can cause outgoing DTLS traffic to be redirected to it by sending a datagram to the socket in question. This does not break the cryptographic protections of DTLS but may facilitate a -denial-of-service attack or allow unencrypted information in the DTLS handshake +denial\-of\-service attack or allow unencrypted information in the DTLS handshake to be learned by an attacker. This is due to the historical design of \&\fBBIO_s_datagram\fR\|(3); see \fBBIO_s_datagram\fR\|(3) for details on this issue. .PP @@ -152,7 +155,7 @@ require the allocation of state). An implication of this is that \fBDTLSv1_liste .PP For \fBSSL_stateless()\fR if an entire ClientHello message cannot be read without the "read" BIO becoming empty then the \fBSSL_stateless()\fR call will fail. It is the -application's responsibility to ensure that data read from the "read" BIO during +application\*(Aqs responsibility to ensure that data read from the "read" BIO during a single \fBSSL_stateless()\fR call is all from the same peer. .PP \&\fBSSL_stateless()\fR will fail (with a 0 return value) if some TLS version less than 
@@ -174,18 +177,18 @@ For \fBDTLSv1_listen()\fR a return value of >= 1 indicates success. The \fBssl\f will be set up ready to continue the handshake. the \fBpeer\fR value will also be filled in. .PP -A return value of 0 indicates a non-fatal error. This could (for +A return value of 0 indicates a non\-fatal error. This could (for example) be because of nonblocking IO, or some invalid message having been received from a peer. Errors may be placed on the OpenSSL error queue with further information if appropriate. Typically user code is expected to retry the -call to \fBDTLSv1_listen()\fR in the event of a non-fatal error. +call to \fBDTLSv1_listen()\fR in the event of a non\-fatal error. .PP A return value of <0 indicates a fatal error. This could (for example) be because of a failure to allocate sufficient memory for the operation. .PP -For \fBDTLSv1_listen()\fR, prior to OpenSSL 1.1.0, fatal and non-fatal errors both +For \fBDTLSv1_listen()\fR, prior to OpenSSL 1.1.0, fatal and non\-fatal errors both produce return codes <= 0 (in typical implementations user code treats all -errors as non-fatal), whilst return codes >0 indicate success. +errors as non\-fatal), whilst return codes >0 indicate success. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBSSL_CTX_set_cookie_generate_cb\fR\|(3), \fBSSL_CTX_set_cookie_verify_cb\fR\|(3), diff --git a/secure/lib/libcrypto/man/man3/ECDSA_SIG_new.3 b/secure/lib/libcrypto/man/man3/ECDSA_SIG_new.3 index e49d84202ed6..b1f0c6fe4a05 100644 --- a/secure/lib/libcrypto/man/man3/ECDSA_SIG_new.3 +++ b/secure/lib/libcrypto/man/man3/ECDSA_SIG_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ECDSA_SIG_NEW 3ossl" -.TH ECDSA_SIG_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ECDSA_SIG_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -100,7 +103,7 @@ is not returned. The values \fIr\fR, \fIs\fR can also be retrieved separately by the corresponding function \fBECDSA_SIG_get0_r()\fR and \fBECDSA_SIG_get0_s()\fR, respectively. .PP -Non-NULL \fIr\fR and \fIs\fR values can be set on the \fIsig\fR by calling +Non\-NULL \fIr\fR and \fIs\fR values can be set on the \fIsig\fR by calling \&\fBECDSA_SIG_set0()\fR. Calling this function transfers the memory management of the values to the \fBECDSA_SIG\fR object, and therefore the values that have been passed in should not be freed by the caller. diff --git a/secure/lib/libcrypto/man/man3/ECDSA_sign.3 b/secure/lib/libcrypto/man/man3/ECDSA_sign.3 index 021f96320ba7..5d3a86bc99f6 100644 --- a/secure/lib/libcrypto/man/man3/ECDSA_sign.3 +++ b/secure/lib/libcrypto/man/man3/ECDSA_sign.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ECDSA_SIGN 3ossl" -.TH ECDSA_SIGN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ECDSA_SIGN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,7 +144,7 @@ either \fIkinv\fR or \fIr\fR is not NULL. used in a later call to \fBECDSA_sign_ex()\fR or \fBECDSA_do_sign_ex()\fR. .PP \&\fBECDSA_sign_ex()\fR computes a digital signature of the \fIdgstlen\fR bytes hash value -\&\fIdgst\fR using the private EC key \fIeckey\fR and the optional pre-computed values +\&\fIdgst\fR using the private EC key \fIeckey\fR and the optional pre\-computed values \&\fIkinv\fR and \fIrp\fR. The DER encoded signature is stored in \fIsig\fR and its length is returned in \fIsiglen\fR. Note: \fIsig\fR must point to ECDSA_size(eckey) bytes of memory. The parameter \fItype\fR is ignored. diff --git a/secure/lib/libcrypto/man/man3/ECPKParameters_print.3 b/secure/lib/libcrypto/man/man3/ECPKParameters_print.3 index c7dc05db3a83..7a96acb6f6f9 100644 --- a/secure/lib/libcrypto/man/man3/ECPKParameters_print.3 +++ b/secure/lib/libcrypto/man/man3/ECPKParameters_print.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ECPKPARAMETERS_PRINT 3ossl" -.TH ECPKPARAMETERS_PRINT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ECPKPARAMETERS_PRINT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -86,7 +89,7 @@ The ECPKParameters represent the public parameters for an \&\fBEC_GROUP\fR structure, which represents a curve. .PP The \fBECPKParameters_print()\fR and \fBECPKParameters_print_fp()\fR functions print -a human-readable output of the public parameters of the EC_GROUP to \fBbp\fR +a human\-readable output of the public parameters of the EC_GROUP to \fBbp\fR or \fBfp\fR. The output lines are indented by \fBoff\fR spaces. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/EC_GFp_simple_method.3 b/secure/lib/libcrypto/man/man3/EC_GFp_simple_method.3 index 592758e68d8c..741d64a894e8 100644 --- a/secure/lib/libcrypto/man/man3/EC_GFp_simple_method.3 +++ b/secure/lib/libcrypto/man/man3/EC_GFp_simple_method.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EC_GFP_SIMPLE_METHOD 3ossl" -.TH EC_GFP_SIMPLE_METHOD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EC_GFP_SIMPLE_METHOD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EC_GROUP_copy.3 b/secure/lib/libcrypto/man/man3/EC_GROUP_copy.3 index 1b4c9b929c1a..09d4f2391a40 100644 --- a/secure/lib/libcrypto/man/man3/EC_GROUP_copy.3 +++ b/secure/lib/libcrypto/man/man3/EC_GROUP_copy.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EC_GROUP_COPY 3ossl" -.TH EC_GROUP_COPY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EC_GROUP_COPY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -207,7 +210,7 @@ in that a parameter obtained in this way is highly unlikely to be susceptible to If the seed is present for a curve then the b parameter was generated in a verifiable fashion using that seed. The OpenSSL EC library does not use this seed value but does enable you to inspect it using \fBEC_GROUP_get0_seed()\fR. This returns a pointer to a memory block containing the seed that was used. The length of the memory block can be obtained using \fBEC_GROUP_get_seed_len()\fR. A number of the -built-in curves within the library provide seed values that can be obtained. It is also possible to set a custom seed using +built\-in curves within the library provide seed values that can be obtained. It is also possible to set a custom seed using \&\fBEC_GROUP_set_seed()\fR and passing a pointer to a memory block, along with the length of the seed. Again, the EC library will not use this seed value, although it will be preserved in any ASN1 based communications. .PP 
@@ -227,13 +230,13 @@ For the OpenSSL default provider it performs a number of checks on a curve to ve verifying that the discriminant is non zero; that a generator has been defined; that the generator is on the curve and has the correct order. For the OpenSSL FIPS provider it uses \fBEC_GROUP_check_named_curve()\fR to conform to SP800\-56Ar3. .PP -The function \fBEC_GROUP_check_named_curve()\fR determines if the group's domain parameters match one of the built-in curves supported by the library. -The curve name is returned as a \fBNID\fR if it matches. If the group's domain parameters have been modified then no match will be found. +The function \fBEC_GROUP_check_named_curve()\fR determines if the group\*(Aqs domain parameters match one of the built\-in curves supported by the library. +The curve name is returned as a \fBNID\fR if it matches. If the group\*(Aqs domain parameters have been modified then no match will be found. If the curve name of the given group is \fBNID_undef\fR (e.g. it has been created by using explicit parameters with no curve name), -then this method can be used to lookup the name of the curve that matches the group domain parameters. The built-in curves contain -aliases, so that multiple NID's can map to the same domain parameters. For such curves it is unspecified which of the aliases will be +then this method can be used to lookup the name of the curve that matches the group domain parameters. The built\-in curves contain +aliases, so that multiple NID\*(Aqs can map to the same domain parameters. For such curves it is unspecified which of the aliases will be returned if the curve name of the given group is NID_undef. -If \fBnist_only\fR is 1 it will only look for NIST approved curves, otherwise it searches all built-in curves. +If \fBnist_only\fR is 1 it will only look for NIST approved curves, otherwise it searches all built\-in curves. This function may be passed a BN_CTX object in the \fBctx\fR parameter. 
The \fBctx\fR parameter may be NULL. .PP diff --git a/secure/lib/libcrypto/man/man3/EC_GROUP_new.3 b/secure/lib/libcrypto/man/man3/EC_GROUP_new.3 index e9adf2f72149..0e4f6ecd1446 100644 --- a/secure/lib/libcrypto/man/man3/EC_GROUP_new.3 +++ b/secure/lib/libcrypto/man/man3/EC_GROUP_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EC_GROUP_NEW 3ossl" -.TH EC_GROUP_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EC_GROUP_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -213,7 +216,7 @@ above, there are also a number of predefined curves that are available. In order to obtain a list of all of the predefined curves, call the function \&\fBEC_get_builtin_curves()\fR. The parameter \fIr\fR should be an array of EC_builtin_curve structures of size \fInitems\fR. The function will populate the -\&\fIr\fR array with information about the built-in curves. If \fInitems\fR is less than +\&\fIr\fR array with information about the built\-in curves. If \fInitems\fR is less than the total number of curves available, then the first \fInitems\fR curves will be returned. Otherwise the total number of curves will be provided. The return value is the total number of curves available (whether that number has been 
@@ -231,7 +234,7 @@ The EC_builtin_curve structure is defined as follows: Each EC_builtin_curve item has a unique integer id (\fInid\fR), and a human readable comment string describing the curve. .PP -In order to construct a built-in curve use the function +In order to construct a built\-in curve use the function \&\fBEC_GROUP_new_by_curve_name_ex()\fR and provide the \fInid\fR of the curve to be constructed, the associated library context to be used in \fIctx\fR (see \&\fBOSSL_LIB_CTX\fR\|(3)) and any property query string in \fIpropq\fR. The \fIctx\fR value @@ -257,7 +260,7 @@ If \fIgroup\fR is NULL nothing is done. All EC_GROUP_new* functions return a pointer to the newly constructed group, or NULL on error. .PP -\&\fBEC_get_builtin_curves()\fR returns the number of built-in curves that are +\&\fBEC_get_builtin_curves()\fR returns the number of built\-in curves that are available. .PP \&\fBEC_GROUP_set_curve_GFp()\fR, \fBEC_GROUP_get_curve_GFp()\fR, \fBEC_GROUP_set_curve_GF2m()\fR, diff --git a/secure/lib/libcrypto/man/man3/EC_KEY_get_enc_flags.3 b/secure/lib/libcrypto/man/man3/EC_KEY_get_enc_flags.3 index b9f681bc11e1..1ca8722f525d 100644 --- a/secure/lib/libcrypto/man/man3/EC_KEY_get_enc_flags.3 +++ b/secure/lib/libcrypto/man/man3/EC_KEY_get_enc_flags.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EC_KEY_GET_ENC_FLAGS 3ossl" -.TH EC_KEY_GET_ENC_FLAGS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EC_KEY_GET_ENC_FLAGS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EC_KEY_new.3 b/secure/lib/libcrypto/man/man3/EC_KEY_new.3 index af9dc57a8c46..e89949653ce4 100644 --- a/secure/lib/libcrypto/man/man3/EC_KEY_new.3 +++ b/secure/lib/libcrypto/man/man3/EC_KEY_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EC_KEY_NEW 3ossl" -.TH EC_KEY_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EC_KEY_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -257,7 +260,7 @@ integer. .PP \&\fBEC_KEY_copy()\fR returns a pointer to the destination key, or NULL on error. .PP -\&\fBEC_KEY_get0_engine()\fR returns a pointer to an ENGINE, or NULL if it wasn't set. +\&\fBEC_KEY_get0_engine()\fR returns a pointer to an ENGINE, or NULL if it wasn\*(Aqt set. .PP \&\fBEC_KEY_up_ref()\fR, \fBEC_KEY_set_group()\fR, \fBEC_KEY_set_public_key()\fR, \&\fBEC_KEY_precompute_mult()\fR, \fBEC_KEY_generate_key()\fR, \fBEC_KEY_check_key()\fR, 
diff --git a/secure/lib/libcrypto/man/man3/EC_POINT_add.3 b/secure/lib/libcrypto/man/man3/EC_POINT_add.3 index e23957d68d10..1061b251c80c 100644 --- a/secure/lib/libcrypto/man/man3/EC_POINT_add.3 +++ b/secure/lib/libcrypto/man/man3/EC_POINT_add.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EC_POINT_ADD 3ossl" -.TH EC_POINT_ADD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EC_POINT_ADD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -110,12 +113,12 @@ forced. These functions were deprecated in OpenSSL 3.0 and should no longer be u Modern versions automatically perform this conversion when needed. .PP EC_POINT_mul calculates the value generator * \fBn\fR + \fBq\fR * \fBm\fR and stores the result in \fBr\fR. -The value \fBn\fR may be NULL in which case the result is just \fBq\fR * \fBm\fR (variable point multiplication). Alternatively, both \fBq\fR and \fBm\fR may be NULL, and \fBn\fR non-NULL, in which case the result is just generator * \fBn\fR (fixed point multiplication). +The value \fBn\fR may be NULL in which case the result is just \fBq\fR * \fBm\fR (variable point multiplication). Alternatively, both \fBq\fR and \fBm\fR may be NULL, and \fBn\fR non\-NULL, in which case the result is just generator * \fBn\fR (fixed point multiplication). When performing a single fixed or variable point multiplication, the underlying implementation uses a constant time algorithm, when the input scalar (either \fBn\fR or \fBm\fR) is in the range [0, ec_group_order). .PP Although deprecated in OpenSSL 3.0 and should no longer be used, EC_POINTs_mul calculates the value generator * \fBn\fR + \fBq[0]\fR * \fBm[0]\fR + ... + \fBq[num\-1]\fR * \fBm[num\-1]\fR. As for EC_POINT_mul the value \fBn\fR may be NULL or \fBnum\fR may be zero. -When performing a fixed point multiplication (\fBn\fR is non-NULL and \fBnum\fR is 0) or a variable point multiplication (\fBn\fR is NULL and \fBnum\fR is 1), the underlying implementation uses a constant time algorithm, when the input scalar (either \fBn\fR or \fBm[0]\fR) is in the range [0, ec_group_order). +When performing a fixed point multiplication (\fBn\fR is non\-NULL and \fBnum\fR is 0) or a variable point multiplication (\fBn\fR is NULL and \fBnum\fR is 1), the underlying implementation uses a constant time algorithm, when the input scalar (either \fBn\fR or \fBm[0]\fR) is in the range [0, ec_group_order). 
Modern versions should instead use \fBEC_POINT_mul()\fR, combined (if needed) with \fBEC_POINT_add()\fR in such rare circumstances. .PP The function EC_GROUP_precompute_mult stores multiples of the generator for faster point multiplication, whilst diff --git a/secure/lib/libcrypto/man/man3/EC_POINT_new.3 b/secure/lib/libcrypto/man/man3/EC_POINT_new.3 index 04c93e0244d7..7f02c61cff56 100644 --- a/secure/lib/libcrypto/man/man3/EC_POINT_new.3 +++ b/secure/lib/libcrypto/man/man3/EC_POINT_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EC_POINT_NEW 3ossl" -.TH EC_POINT_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EC_POINT_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -274,7 +277,7 @@ buffer with a call to \fBOPENSSL_free()\fR. Since the allocated buffer value is written to \fB*pbuf\fR the \fBpbuf\fR parameter \fBMUST NOT\fR be \fBNULL\fR. .PP The function \fBEC_POINT_point2hex()\fR will allocate sufficient memory to store the -hexadecimal string. It is the caller's responsibility to free this memory with +hexadecimal string. It is the caller\*(Aqs responsibility to free this memory with a subsequent call to \fBOPENSSL_free()\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/ENGINE_add.3 b/secure/lib/libcrypto/man/man3/ENGINE_add.3 index 39fef76e327e..5245c01abf5f 100644 --- a/secure/lib/libcrypto/man/man3/ENGINE_add.3 
+++ b/secure/lib/libcrypto/man/man3/ENGINE_add.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ENGINE_ADD 3ossl" -.TH ENGINE_ADD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ENGINE_ADD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -235,7 +238,7 @@ Applications should instead use the provider APIs. These functions create, manipulate, and use cryptographic modules in the form of \fBENGINE\fR objects. These objects act as containers for implementations of cryptographic algorithms, and support a -reference-counted mechanism to allow them to be dynamically loaded in and +reference\-counted mechanism to allow them to be dynamically loaded in and out of the running application. .PP The cryptographic functionality that can be provided by an \fBENGINE\fR @@ -257,7 +260,7 @@ the underlying ENGINE object. Ie. one should obtain a new reference when making copies of an ENGINE pointer if the copies will be used (and released) independently. .PP -ENGINE objects have two levels of reference-counting to match the way in +ENGINE objects have two levels of reference\-counting to match the way in which the objects are used. At the most basic level, each ENGINE pointer is inherently a \fBstructural\fR reference \- a structural reference is required to use the pointer value at all, as this kind of reference is a guarantee 
@@ -265,13 +268,13 @@ that the structure can not be deallocated until the reference is released. .PP However, a structural reference provides no guarantee that the ENGINE is initialised and able to use any of its cryptographic -implementations. Indeed it's quite possible that most ENGINEs will not +implementations. Indeed it\*(Aqs quite possible that most ENGINEs will not initialise at all in typical environments, as ENGINEs are typically used to -support specialised hardware. To use an ENGINE's functionality, you need a +support specialised hardware. To use an ENGINE\*(Aqs functionality, you need a \&\fBfunctional\fR reference. This kind of reference can be considered a specialised form of structural reference, because each functional reference implicitly contains a structural reference as well \- however to avoid -difficult-to-find programming bugs, it is recommended to treat the two +difficult\-to\-find programming bugs, it is recommended to treat the two kinds of reference independently. If you have a functional reference to an ENGINE, you have a guarantee that the ENGINE has been initialised and is ready to perform cryptographic operations, and will remain initialised @@ -280,7 +283,7 @@ until after you have released your reference. \&\fIStructural references\fR .PP This basic type of reference is used for instantiating new ENGINEs, -iterating across OpenSSL's internal linked-list of loaded +iterating across OpenSSL\*(Aqs internal linked\-list of loaded ENGINEs, reading information about an ENGINE, etc. Essentially a structural reference is sufficient if you only need to query or manipulate the data of an ENGINE implementation rather than use its functionality. 
@@ -298,20 +301,20 @@ It should also be noted that many ENGINE API function calls that accept a structural reference will internally obtain another reference \- typically this happens whenever the supplied ENGINE will be needed by OpenSSL after the function has returned. Eg. the function to add a new ENGINE to -OpenSSL's internal list is \fBENGINE_add()\fR \- if this function returns success, +OpenSSL\*(Aqs internal list is \fBENGINE_add()\fR \- if this function returns success, then OpenSSL will have stored a new structural reference internally so the caller is still responsible for freeing their own reference with \&\fBENGINE_free()\fR when they are finished with it. In a similar way, some functions will automatically release the structural reference passed to it -if part of the function's job is to do so. Eg. the \fBENGINE_get_next()\fR and +if part of the function\*(Aqs job is to do so. Eg. the \fBENGINE_get_next()\fR and \&\fBENGINE_get_prev()\fR functions are used for iterating across the internal ENGINE list \- they will return a new structural reference to the next (or previous) ENGINE in the list or NULL if at the end (or beginning) of the list, but in either case the structural reference passed to the function is released on behalf of the caller. .PP -To clarify a particular function's handling of references, one should -always consult that function's documentation "man" page, or failing that +To clarify a particular function\*(Aqs handling of references, one should +always consult that function\*(Aqs documentation "man" page, or failing that the \fI<openssl/engine.h>\fR header file includes some hints. .PP \&\fIFunctional references\fR 
@@ -324,7 +327,7 @@ operational ENGINE for a given cryptographic purpose. .PP To obtain a functional reference from an existing structural reference, call the \fBENGINE_init()\fR function. This returns zero if the ENGINE was not -already operational and couldn't be successfully initialised (e.g. lack of +already operational and couldn\*(Aqt be successfully initialised (e.g. lack of system drivers, no special hardware attached, etc), otherwise it will return nonzero to indicate that the ENGINE is now operational and will have allocated a new \fBfunctional\fR reference to the ENGINE. All functional @@ -336,17 +339,17 @@ default implementation for a given task, e.g. by \fBENGINE_get_default_RSA()\fR, \&\fBENGINE_get_default_cipher_engine()\fR, etc. These are discussed in the next section, though they are not usually required by application programmers as they are used automatically when creating and using the relevant -algorithm-specific types in OpenSSL, such as RSA, DSA, EVP_CIPHER_CTX, etc. +algorithm\-specific types in OpenSSL, such as RSA, DSA, EVP_CIPHER_CTX, etc. .SS "Default implementations" .IX Subsection "Default implementations" For each supported abstraction, the ENGINE code maintains an internal table of state to control which implementations are available for a given abstraction and which should be used by default. These implementations are -registered in the tables and indexed by an 'nid' value, because +registered in the tables and indexed by an \*(Aqnid\*(Aq value, because abstractions like EVP_CIPHER and EVP_DIGEST support many distinct algorithms and modes, and ENGINEs can support arbitrarily many of them. In the case of other abstractions like RSA, DSA, etc, there is only one -"algorithm" so all implementations implicitly register using the same 'nid' +"algorithm" so all implementations implicitly register using the same \*(Aqnid\*(Aq index. .PP When a default ENGINE is requested for a given abstraction/algorithm/mode, (e.g. 
@@ -365,16 +368,16 @@ table trying to initialise each of them in turn, in case one of them is operational. If it returns a functional reference to an ENGINE, it will also cache another reference to speed up processing future queries (without needing to iterate across the table). Likewise, it will cache a NULL -response if no ENGINE was available so that future queries won't repeat the +response if no ENGINE was available so that future queries won\*(Aqt repeat the same iteration unless the state table changes. This behaviour can also be changed; if the ENGINE_TABLE_FLAG_NOINIT flag is set (using \&\fBENGINE_set_table_flags()\fR), no attempted initialisations will take place, -instead the only way for the state table to return a non-NULL ENGINE to the +instead the only way for the state table to return a non\-NULL ENGINE to the "get_default" query will be if one is expressly set in the table. Eg. \&\fBENGINE_set_default_RSA()\fR does the same job as \fBENGINE_register_RSA()\fR except -that it also sets the state table's cached response for the "get_default" +that it also sets the state table\*(Aqs cached response for the "get_default" query. In the case of abstractions like EVP_CIPHER, where implementations are -indexed by 'nid', these flags and cached-responses are distinct for each 'nid' +indexed by \*(Aqnid\*(Aq, these flags and cached\-responses are distinct for each \*(Aqnid\*(Aq value. .SS "Application requirements" .IX Subsection "Application requirements" 
@@ -383,7 +386,7 @@ support to make the most useful elements of the ENGINE functionality available to the user. The first thing to consider is whether the programmer wishes to make alternative ENGINE modules available to the application and user. OpenSSL maintains an internal linked list of -"visible" ENGINEs from which it has to operate \- at start-up, this list is +"visible" ENGINEs from which it has to operate \- at start\-up, this list is empty and in fact if an application does not call any ENGINE API calls and it uses static linking against openssl, then the resulting application binary will not contain any alternative ENGINE code at all. So the first 
@@ -392,18 +395,18 @@ made visible to OpenSSL \- this is controlled by calling the various "load" functions. .PP The fact that ENGINEs are made visible to OpenSSL (and thus are linked into -the program and loaded into memory at run-time) does not mean they are +the program and loaded into memory at run\-time) does not mean they are "registered" or called into use by OpenSSL automatically \- that behaviour is something for the application to control. Some applications will want to allow the user to specify exactly which ENGINE they want used if any is to be used at all. Others may prefer to load all support and have -OpenSSL automatically use at run-time any ENGINE that is able to +OpenSSL automatically use at run\-time any ENGINE that is able to successfully initialise \- i.e. to assume that this corresponds to acceleration hardware attached to the machine or some such thing. There are probably numerous other ways in which applications may prefer to handle things, so we will simply illustrate the consequences as they apply to a couple of simple cases and leave developers to consider these and the -source code to openssl's built-in utilities as guides. +source code to openssl\*(Aqs built\-in utilities as guides. .PP If no ENGINE API functions are called within an application, then OpenSSL will not allocate any internal resources. Prior to OpenSSL 1.1.0, however, 
@@ -412,11 +415,11 @@ call \fBENGINE_cleanup()\fR before the program exits. .PP \&\fIUsing a specific ENGINE implementation\fR .PP -Here we'll assume an application has been configured by its user or admin +Here we\*(Aqll assume an application has been configured by its user or admin to want to use the "ACME" ENGINE if it is available in the version of OpenSSL the application was compiled with. If it is available, it should be used by default for all RSA, DSA, and symmetric cipher operations, otherwise -OpenSSL should use its built-in software as per usual. The following code +OpenSSL should use its built\-in software as per usual. The following code illustrates how to approach this; .PP .Vb 10 @@ -446,9 +449,9 @@ illustrates how to approach this; \& ENGINE_free(e); .Ve .PP -\&\fIAutomatically using built-in ENGINE implementations\fR +\&\fIAutomatically using built\-in ENGINE implementations\fR .PP -Here we'll assume we want to load and register all ENGINE implementations +Here we\*(Aqll assume we want to load and register all ENGINE implementations bundled with OpenSSL, such that for any cryptographic algorithm required by OpenSSL \- if there is an ENGINE that implements it and can be initialised, it should be used. The following code illustrates how this can work; @@ -460,7 +463,7 @@ it should be used. The following code illustrates how this can work; \& ENGINE_register_all_complete(); .Ve .PP -That's all that's required. Eg. the next time OpenSSL tries to set up an +That\*(Aqs all that\*(Aqs required. Eg. the next time OpenSSL tries to set up an RSA key, any bundled ENGINEs that implement RSA_METHOD will be passed to \&\fBENGINE_init()\fR and if any of those succeed, that ENGINE will be set as the default for RSA use from then on. 
@@ -469,7 +472,7 @@ default for RSA use from then on. There is a mechanism supported by the ENGINE framework that allows each ENGINE implementation to define an arbitrary set of configuration "commands" and expose them to OpenSSL and any applications based on -OpenSSL. This mechanism is entirely based on the use of name-value pairs +OpenSSL. This mechanism is entirely based on the use of name\-value pairs and assumes ASCII input (no unicode or UTF for now!), so it is ideal if applications want to provide a transparent way for users to provide arbitrary configuration "directives" directly to such ENGINEs. It is also 
@@ -488,22 +491,22 @@ control commands; the first is to provide the necessary details to the implementation (which may know nothing at all specific to the host system) so that it can be initialised for use. This could include the path to any driver or config files it needs to load, required network addresses, -smart-card identifiers, passwords to initialise protected devices, +smart\-card identifiers, passwords to initialise protected devices, logging information, etc etc. This class of commands typically needs to be passed to an ENGINE \fBbefore\fR attempting to initialise it, i.e. before calling \fBENGINE_init()\fR. The other class of commands consist of settings or operations that tweak certain behaviour or cause certain operations to take place, and these commands may work either before or after \fBENGINE_init()\fR, or in some cases both. ENGINE implementations should provide indications of -this in the descriptions attached to built-in control commands and/or in +this in the descriptions attached to built\-in control commands and/or in external product documentation. .PP \&\fIIssuing control commands to an ENGINE\fR .PP -Let's illustrate by example; a function for which the caller supplies the -name of the ENGINE it wishes to use, a table of string-pairs for use before +Let\*(Aqs illustrate by example; a function for which the caller supplies the +name of the ENGINE it wishes to use, a table of string\-pairs for use before initialisation, and another table for use after initialisation. Note that -the string-pairs used for control commands consist of a command "name" +the string\-pairs used for control commands consist of a command "name" followed by the command "parameter" \- the parameter could be NULL in some cases but the name can not. This function should initialise the ENGINE (issuing the "pre" commands beforehand and the "post" commands afterwards) 
@@ -554,18 +557,18 @@ boolean success or failure. Note that \fBENGINE_ctrl_cmd_string()\fR accepts a boolean argument that can relax the semantics of the function \- if set nonzero it will only return failure if the ENGINE supported the given command name but failed while -executing it, if the ENGINE doesn't support the command name it will simply +executing it, if the ENGINE doesn\*(Aqt support the command name it will simply return success without doing anything. In this case we assume the user is only supplying commands specific to the given ENGINE so we set this to FALSE. .PP \&\fIDiscovering supported control commands\fR .PP -It is possible to discover at run-time the names, numerical-ids, descriptions +It is possible to discover at run\-time the names, numerical\-ids, descriptions and input parameters of the control commands supported by an ENGINE using a structural reference. Note that some control commands are defined by OpenSSL itself and it will intercept and handle these control commands on behalf of the -ENGINE, i.e. the ENGINE's \fBctrl()\fR handler is not used for the control command. +ENGINE, i.e. the ENGINE\*(Aqs \fBctrl()\fR handler is not used for the control command. \&\fI<openssl/engine.h>\fR defines an index, ENGINE_CMD_BASE, that all control commands implemented by ENGINEs should be numbered from. Any command value lower than this symbol is considered a "generic" command is handled directly 
@@ -590,9 +593,9 @@ Whilst these commands are automatically processed by the OpenSSL framework code, they use various properties exposed by each ENGINE to process these queries. An ENGINE has 3 properties it exposes that can affect how this behaves; it can supply a \fBctrl()\fR handler, it can specify ENGINE_FLAGS_MANUAL_CMD_CTRL in -the ENGINE's flags, and it can expose an array of control command descriptions. +the ENGINE\*(Aqs flags, and it can expose an array of control command descriptions. If an ENGINE specifies the ENGINE_FLAGS_MANUAL_CMD_CTRL flag, then it will -simply pass all these "core" control commands directly to the ENGINE's \fBctrl()\fR +simply pass all these "core" control commands directly to the ENGINE\*(Aqs \fBctrl()\fR handler (and thus, it must have supplied one), so it is up to the ENGINE to reply to these "discovery" commands itself. If that flag is not set, then the OpenSSL framework code will work with the following rules: @@ -609,7 +612,7 @@ OpenSSL framework code will work with the following rules: \& all other commands proceed processing ... .Ve .PP -If the ENGINE's array of control commands is empty then all other commands will +If the ENGINE\*(Aqs array of control commands is empty then all other commands will fail, otherwise; ENGINE_CTRL_GET_FIRST_CMD_TYPE returns the identifier of the first command supported by the ENGINE, ENGINE_GET_NEXT_CMD_TYPE takes the identifier of a command supported by the ENGINE and returns the next command @@ -619,7 +622,7 @@ command name exists, and the remaining commands take a command identifier and return properties of the corresponding commands. All except ENGINE_CTRL_GET_FLAGS return the string length of a command name or description, or populate a supplied character buffer with a copy of the command name or -description. ENGINE_CTRL_GET_FLAGS returns a bitwise-OR'd mask of the following +description. ENGINE_CTRL_GET_FLAGS returns a bitwise\-OR\*(Aqd mask of the following possible values: .PP .Vb 4 
@@ -631,8 +634,8 @@ possible values: .PP If the ENGINE_CMD_FLAG_INTERNAL flag is set, then any other flags are purely informational to the caller \- this flag will prevent the command being usable -for any higher-level ENGINE functions such as \fBENGINE_ctrl_cmd_string()\fR. -"INTERNAL" commands are not intended to be exposed to text-based configuration +for any higher\-level ENGINE functions such as \fBENGINE_ctrl_cmd_string()\fR. +"INTERNAL" commands are not intended to be exposed to text\-based configuration by applications, administrations, users, etc. These can support arbitrary operations via \fBENGINE_ctrl()\fR, including passing to and/or from the control commands data of any arbitrary type. These commands are supported in the @@ -646,7 +649,7 @@ extension). .IP \fBOPENSSL_ENGINES\fR 4 .IX Item "OPENSSL_ENGINES" The path to the engines directory. -Ignored in set-user-ID and set-group-ID programs. +Ignored in set\-user\-ID and set\-group\-ID programs. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBENGINE_get_first()\fR, \fBENGINE_get_last()\fR, \fBENGINE_get_next()\fR and \fBENGINE_get_prev()\fR @@ -712,7 +715,7 @@ error occurred. \&\fBENGINE_get_flags()\fR returns an integer representing the ENGINE flags which are used to control various behaviours of an ENGINE. .PP -\&\fBENGINE_get_cmd_defns()\fR returns an \fBENGINE_CMD_DEFN\fR structure or NULL if it's +\&\fBENGINE_get_cmd_defns()\fR returns an \fBENGINE_CMD_DEFN\fR structure or NULL if it\*(Aqs not set. .PP \&\fBENGINE_load_private_key()\fR and \fBENGINE_load_public_key()\fR return a valid \fBEVP_PKEY\fR diff --git a/secure/lib/libcrypto/man/man3/ERR_GET_LIB.3 b/secure/lib/libcrypto/man/man3/ERR_GET_LIB.3 index 11cb0f7b10c4..6b263f9e2f9d 100644 --- a/secure/lib/libcrypto/man/man3/ERR_GET_LIB.3 +++ b/secure/lib/libcrypto/man/man3/ERR_GET_LIB.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ERR_GET_LIB 3ossl" -.TH ERR_GET_LIB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ERR_GET_LIB 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -85,12 +88,12 @@ and \fBERR_GET_REASON()\fR can be used to extract these. The library number describes where the error occurred, the reason code is the information about what went wrong. .PP -Each sub-library of OpenSSL has a unique library number; the -reason code is unique within each sub-library. Note that different +Each sub\-library of OpenSSL has a unique library number; the +reason code is unique within each sub\-library. Note that different libraries may use the same value to signal different reasons. .PP \&\fBERR_R_...\fR reason codes such as \fBERR_R_MALLOC_FAILURE\fR are globally -unique. However, when checking for sub-library specific reason codes, +unique. However, when checking for sub\-library specific reason codes, be sure to also compare the library number. .PP \&\fBERR_GET_LIB()\fR, \fBERR_GET_REASON()\fR, and \fBERR_FATAL_ERROR()\fR are macros. diff --git a/secure/lib/libcrypto/man/man3/ERR_clear_error.3 b/secure/lib/libcrypto/man/man3/ERR_clear_error.3 index 6fed0f11268f..98a8217fd2de 100644 --- a/secure/lib/libcrypto/man/man3/ERR_clear_error.3 +++ b/secure/lib/libcrypto/man/man3/ERR_clear_error.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ERR_CLEAR_ERROR 3ossl" -.TH ERR_CLEAR_ERROR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ERR_CLEAR_ERROR 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -71,7 +74,7 @@ ERR_clear_error \- clear the error queue .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBERR_clear_error()\fR empties the current thread's error queue. +\&\fBERR_clear_error()\fR empties the current thread\*(Aqs error queue. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBERR_clear_error()\fR has no return value. diff --git a/secure/lib/libcrypto/man/man3/ERR_error_string.3 b/secure/lib/libcrypto/man/man3/ERR_error_string.3 index 2f6366df534c..650d896e72fa 100644 --- a/secure/lib/libcrypto/man/man3/ERR_error_string.3 +++ b/secure/lib/libcrypto/man/man3/ERR_error_string.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ERR_ERROR_STRING 3ossl" -.TH ERR_ERROR_STRING 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ERR_ERROR_STRING 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -83,11 +86,11 @@ Deprecated in OpenSSL 3.0: .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBERR_error_string()\fR generates a human-readable string representing the +\&\fBERR_error_string()\fR generates a human\-readable string representing the error code \fIe\fR, and places it at \fIbuf\fR. \fIbuf\fR must be at least 256 bytes long. If \fIbuf\fR is \fBNULL\fR, the error string is placed in a static buffer. -Note that this function is not thread-safe and does no checks on the size +Note that this function is not thread\-safe and does no checks on the size of the buffer; use \fBERR_error_string_n()\fR instead. .PP \&\fBERR_error_string_n()\fR is a variant of \fBERR_error_string()\fR that writes diff --git a/secure/lib/libcrypto/man/man3/ERR_get_error.3 b/secure/lib/libcrypto/man/man3/ERR_get_error.3 index 92346798a406..90e9aa222276 100644 --- a/secure/lib/libcrypto/man/man3/ERR_get_error.3 +++ b/secure/lib/libcrypto/man/man3/ERR_get_error.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ERR_GET_ERROR 3ossl" -.TH ERR_GET_ERROR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ERR_GET_ERROR 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -112,19 +115,19 @@ see \fBopenssl_user_macros\fR\|(7): .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBERR_get_error()\fR returns the earliest error code from the thread's error +\&\fBERR_get_error()\fR returns the earliest error code from the thread\*(Aqs error queue and removes the entry. This function can be called repeatedly until there are no more error codes to return. .PP -\&\fBERR_peek_error()\fR returns the earliest error code from the thread's +\&\fBERR_peek_error()\fR returns the earliest error code from the thread\*(Aqs error queue without modifying it. .PP -\&\fBERR_peek_last_error()\fR returns the latest error code from the thread's +\&\fBERR_peek_last_error()\fR returns the latest error code from the thread\*(Aqs error queue without modifying it. .PP See \fBERR_GET_LIB\fR\|(3) for obtaining further specific information such as the reason of the error, -and \fBERR_error_string\fR\|(3) for human-readable error messages. +and \fBERR_error_string\fR\|(3) for human\-readable error messages. .PP \&\fBERR_get_error_all()\fR is the same as \fBERR_get_error()\fR, but on success it additionally stores the filename, line number and function where the error diff --git a/secure/lib/libcrypto/man/man3/ERR_load_crypto_strings.3 b/secure/lib/libcrypto/man/man3/ERR_load_crypto_strings.3 index 758a1a359705..3ca0267d985f 100644 --- a/secure/lib/libcrypto/man/man3/ERR_load_crypto_strings.3 +++ b/secure/lib/libcrypto/man/man3/ERR_load_crypto_strings.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ERR_LOAD_CRYPTO_STRINGS 3ossl" -.TH ERR_LOAD_CRYPTO_STRINGS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ERR_LOAD_CRYPTO_STRINGS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ERR_load_strings.3 b/secure/lib/libcrypto/man/man3/ERR_load_strings.3 index a7ecca4af127..770d3ed080d7 100644 --- a/secure/lib/libcrypto/man/man3/ERR_load_strings.3 +++ b/secure/lib/libcrypto/man/man3/ERR_load_strings.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ERR_LOAD_STRINGS 3ossl" -.TH ERR_LOAD_STRINGS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ERR_LOAD_STRINGS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ERR_new.3 b/secure/lib/libcrypto/man/man3/ERR_new.3 index 4c4f1e259ec5..99a8e4329de1 100644 
--- a/secure/lib/libcrypto/man/man3/ERR_new.3 +++ b/secure/lib/libcrypto/man/man3/ERR_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ERR_NEW 3ossl" -.TH ERR_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ERR_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -80,10 +83,10 @@ rather through macros such as \fBERR_raise\fR\|(3). They can still be useful for anyone that wants to make their own macros. .PP -\&\fBERR_new()\fR allocates a new slot in the thread's error queue. +\&\fBERR_new()\fR allocates a new slot in the thread\*(Aqs error queue. .PP \&\fBERR_set_debug()\fR sets the debug information related to the current -error in the thread's error queue. +error in the thread\*(Aqs error queue. The values that can be given are the filename \fIfile\fR, line in the file \fIline\fR and the name of the function \fIfunc\fR where the error occurred. diff --git a/secure/lib/libcrypto/man/man3/ERR_print_errors.3 b/secure/lib/libcrypto/man/man3/ERR_print_errors.3 index 7aeccac9086d..39f532160f44 100644 --- a/secure/lib/libcrypto/man/man3/ERR_print_errors.3 +++ b/secure/lib/libcrypto/man/man3/ERR_print_errors.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ERR_PRINT_ERRORS 3ossl" -.TH ERR_PRINT_ERRORS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ERR_PRINT_ERRORS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ERR_put_error.3 b/secure/lib/libcrypto/man/man3/ERR_put_error.3 index 47ddb8c28e8c..67efd451a390 100644 --- a/secure/lib/libcrypto/man/man3/ERR_put_error.3 +++ b/secure/lib/libcrypto/man/man3/ERR_put_error.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ERR_PUT_ERROR 3ossl" -.TH ERR_PUT_ERROR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ERR_PUT_ERROR 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -88,7 +91,7 @@ see \fBopenssl_user_macros\fR\|(7): .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBERR_raise()\fR adds a new error to the thread's error queue. The +\&\fBERR_raise()\fR adds a new error to the thread\*(Aqs error queue. The error occurred in the library \fBlib\fR for the reason given by the \&\fBreason\fR code. Furthermore, the name of the file, the line, and name of the function where the error occurred is saved with the error 
@@ -98,7 +101,7 @@ record. caller specify additional information as a format string \fBfmt\fR and an arbitrary number of values, which are processed with \fBBIO_snprintf\fR\|(3). .PP -\&\fBERR_put_error()\fR adds an error code to the thread's error queue. It +\&\fBERR_put_error()\fR adds an error code to the thread\*(Aqs error queue. It signals that the error of reason code \fBreason\fR occurred in function \&\fBfunc\fR of library \fBlib\fR, in line number \fBline\fR of \fBfile\fR. This function is usually called by a macro. @@ -120,23 +123,23 @@ it is split over sufficiently many new copies of the last error queue entry. .PP \&\fBERR_add_error_mem_bio()\fR is the same as \fBERR_add_error_txt()\fR except that the text string is taken from the given memory BIO. -It appends '\e0' to the BIO contents if not already NUL-terminated. +It appends \*(Aq\e0\*(Aq to the BIO contents if not already NUL\-terminated. .PP \&\fBERR_load_strings\fR\|(3) can be used to register -error strings so that the application can a generate human-readable +error strings so that the application can a generate human\-readable error messages for the error code. .SS "Reporting errors" .IX Subsection "Reporting errors" \fIOpenSSL library reports\fR .IX Subsection "OpenSSL library reports" .PP -Each OpenSSL sub-library has library code \fBERR_LIB_XXX\fR and has its own set +Each OpenSSL sub\-library has library code \fBERR_LIB_XXX\fR and has its own set of reason codes \fBXXX_R_...\fR. These are both passed in combination to \&\fBERR_raise()\fR and \fBERR_raise_data()\fR, and the combination ultimately produces the correct error text for the reported error. .PP All these macros and the numbers they have as values are specific to -OpenSSL's libraries. OpenSSL reason codes normally consist of textual error +OpenSSL\*(Aqs libraries. OpenSSL reason codes normally consist of textual error descriptions. For example, the function \fBssl3_read_bytes()\fR reports a "handshake failure" as follows: .PP 
@@ -157,7 +160,7 @@ be \fBerrno\fR\|(3). .IP \fBERR_R_XXX\fR 4 .IX Item "ERR_R_XXX" This set of error codes is considered global, and may be used in combination -with any sub-library code. +with any sub\-library code. .Sp .Vb 1 \& ERR_raise(ERR_LIB_RSA, ERR_R_PASSED_INVALID_ARGUMENT); @@ -166,7 +169,7 @@ with any sub-library code. \fIOther pieces of software\fR .IX Subsection "Other pieces of software" .PP -Other pieces of software that may want to use OpenSSL's error reporting +Other pieces of software that may want to use OpenSSL\*(Aqs error reporting system, such as engines or applications, must normally get their own numbers. .IP \(bu 4 diff --git a/secure/lib/libcrypto/man/man3/ERR_remove_state.3 b/secure/lib/libcrypto/man/man3/ERR_remove_state.3 index b29bfd79b080..4092f15a04dd 100644 --- a/secure/lib/libcrypto/man/man3/ERR_remove_state.3 +++ b/secure/lib/libcrypto/man/man3/ERR_remove_state.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ERR_REMOVE_STATE 3ossl" -.TH ERR_REMOVE_STATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ERR_REMOVE_STATE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ERR_set_mark.3 b/secure/lib/libcrypto/man/man3/ERR_set_mark.3 index 68bc094fa9d6..a981b4ad6b2f 100644 --- a/secure/lib/libcrypto/man/man3/ERR_set_mark.3 +++ b/secure/lib/libcrypto/man/man3/ERR_set_mark.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ERR_SET_MARK 3ossl" -.TH ERR_SET_MARK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ERR_SET_MARK 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_ASYM_CIPHER_free.3 b/secure/lib/libcrypto/man/man3/EVP_ASYM_CIPHER_free.3 index 521b47659e49..24c97336b798 100644 --- a/secure/lib/libcrypto/man/man3/EVP_ASYM_CIPHER_free.3 +++ b/secure/lib/libcrypto/man/man3/EVP_ASYM_CIPHER_free.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_ASYM_CIPHER_FREE 3ossl" -.TH EVP_ASYM_CIPHER_FREE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_ASYM_CIPHER_FREE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -110,7 +113,7 @@ structure is freed. If the argument is NULL, nothing is done. \&\fBEVP_ASYM_CIPHER\fR structure. .PP \&\fBEVP_ASYM_CIPHER_is_a()\fR returns 1 if \fIcipher\fR is an implementation of an -algorithm that's identifiable with \fIname\fR, otherwise 0. +algorithm that\*(Aqs identifiable with \fIname\fR, otherwise 0. .PP \&\fBEVP_ASYM_CIPHER_get0_provider()\fR returns the provider that \fIcipher\fR was fetched from. diff --git a/secure/lib/libcrypto/man/man3/EVP_BytesToKey.3 b/secure/lib/libcrypto/man/man3/EVP_BytesToKey.3 index a5bb1af62b0a..26c2843bd0a0 100644 --- a/secure/lib/libcrypto/man/man3/EVP_BytesToKey.3 +++ b/secure/lib/libcrypto/man/man3/EVP_BytesToKey.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_BYTESTOKEY 3ossl" -.TH EVP_BYTESTOKEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_BYTESTOKEY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_app_data.3 b/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_app_data.3 new file mode 100644 index 000000000000..af451059503c --- /dev/null +++ b/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_app_data.3 
@@ -0,0 +1,96 @@ +.\" -*- mode: troff; coding: utf-8 -*- +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>. +.ie n \{\ +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{\ +. if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +. \} +.\} +.rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l +.\" ======================================================================== +.\" +.IX Title "EVP_CIPHER_CTX_GET_APP_DATA 3ossl" +.TH EVP_CIPHER_CTX_GET_APP_DATA 3ossl 2026-01-27 3.5.5 OpenSSL +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. 
+.if n .ad l +.nh +.SH NAME +EVP_CIPHER_CTX_get_app_data, EVP_CIPHER_CTX_set_app_data \- Routines to +inspect and modify application data related to EVP_CIPHER_CTX +.SH SYNOPSIS +.IX Header "SYNOPSIS" +.Vb 1 +\& #include <openssl/evp.h> +\& +\& void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx); +\& void EVP_CIPHER_CTX_set_app_data(EVP_CIPHER_CTX *ctx, void *data); +.Ve +.SH DESCRIPTION +.IX Header "DESCRIPTION" +The functions \fBEVP_CIPHER_CTX_set_app_data()\fR and \fBEVP_CIPHER_CTX_get_app_data()\fR +associate an opaque, application\-defined pointer with an EVP_CIPHER_CTX object. +.PP +This pointer is not interpreted by the library and is reserved entirely for use +by the application. It may be used to store arbitrary context or state that +needs to be accessible wherever the corresponding EVP_CIPHER_CTX is available. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +The \fBEVP_CIPHER_CTX_get_app_data()\fR function returns a opaque pointer to the +current application data for the EVP_CIPHER_CTX. +.SH COPYRIGHT +.IX Header "COPYRIGHT" +Copyright 2026 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_cipher_data.3 b/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_cipher_data.3 index 0b19d485c9c0..3b6733f275e9 100644 --- a/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_cipher_data.3 +++ b/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_cipher_data.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER_CTX_GET_CIPHER_DATA 3ossl" -.TH EVP_CIPHER_CTX_GET_CIPHER_DATA 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER_CTX_GET_CIPHER_DATA 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_original_iv.3 b/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_original_iv.3 index 369cb2dad790..af7793a8aa30 100644 --- a/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_original_iv.3 +++ b/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_original_iv.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER_CTX_GET_ORIGINAL_IV 3ossl" -.TH EVP_CIPHER_CTX_GET_ORIGINAL_IV 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER_CTX_GET_ORIGINAL_IV 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -86,7 +89,7 @@ see \fBopenssl_user_macros\fR\|(7): .IX Header "DESCRIPTION" \&\fBEVP_CIPHER_CTX_get_original_iv()\fR and \fBEVP_CIPHER_CTX_get_updated_iv()\fR copy initialization vector (IV) information from the \fBEVP_CIPHER_CTX\fR into the -caller-supplied buffer. \fBEVP_CIPHER_CTX_get_iv_length\fR\|(3) can be used to +caller\-supplied buffer. \fBEVP_CIPHER_CTX_get_iv_length\fR\|(3) can be used to determine an appropriate buffer size, and if the supplied buffer is too small, an error will be returned (and no data copied). \&\fBEVP_CIPHER_CTX_get_original_iv()\fR accesses the ("original") IV that was diff --git a/secure/lib/libcrypto/man/man3/EVP_CIPHER_meth_new.3 b/secure/lib/libcrypto/man/man3/EVP_CIPHER_meth_new.3 index 52987c8f3ffb..7c5f46a71e14 100644 --- a/secure/lib/libcrypto/man/man3/EVP_CIPHER_meth_new.3 +++ b/secure/lib/libcrypto/man/man3/EVP_CIPHER_meth_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER_METH_NEW 3ossl" -.TH EVP_CIPHER_METH_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER_METH_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -149,7 +152,7 @@ This is only needed when the implemented cipher mode requires it. \&\fBEVP_CIPHER_meth_set_flags()\fR sets the flags to describe optional behaviours in the particular \fBcipher\fR. With the exception of cipher modes, of which only one may be present, -several flags can be or'd together. +several flags can be or\*(Aqd together. The available flags are: .IP "EVP_CIPH_STREAM_CIPHER, EVP_CIPH_ECB_MODE EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE, EVP_CIPH_CTR_MODE, EVP_CIPH_GCM_MODE, EVP_CIPH_CCM_MODE, EVP_CIPH_XTS_MODE, EVP_CIPH_WRAP_MODE, EVP_CIPH_OCB_MODE, EVP_CIPH_SIV_MODE" 4 .IX Item "EVP_CIPH_STREAM_CIPHER, EVP_CIPH_ECB_MODE EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE, EVP_CIPH_CTR_MODE, EVP_CIPH_GCM_MODE, EVP_CIPH_CCM_MODE, EVP_CIPH_XTS_MODE, EVP_CIPH_WRAP_MODE, EVP_CIPH_OCB_MODE, EVP_CIPH_SIV_MODE" 
@@ -163,32 +166,32 @@ Storing and initialising the IV is left entirely to the implementation. .IP EVP_CIPH_ALWAYS_CALL_INIT 4 .IX Item "EVP_CIPH_ALWAYS_CALL_INIT" -Set this if the implementation's \fBinit()\fR function should be called even +Set this if the implementation\*(Aqs \fBinit()\fR function should be called even if \fBkey\fR is \fBNULL\fR. .IP EVP_CIPH_CTRL_INIT 4 .IX Item "EVP_CIPH_CTRL_INIT" -Set this to have the implementation's \fBctrl()\fR function called with +Set this to have the implementation\*(Aqs \fBctrl()\fR function called with command code \fBEVP_CTRL_INIT\fR early in its setup. .IP EVP_CIPH_CUSTOM_KEY_LENGTH 4 .IX Item "EVP_CIPH_CUSTOM_KEY_LENGTH" Checking and setting the key length after creating the \fBEVP_CIPHER\fR is left to the implementation. Whenever someone uses \fBEVP_CIPHER_CTX_set_key_length()\fR on a -\&\fBEVP_CIPHER\fR with this flag set, the implementation's \fBctrl()\fR function +\&\fBEVP_CIPHER\fR with this flag set, the implementation\*(Aqs \fBctrl()\fR function will be called with the control code \fBEVP_CTRL_SET_KEY_LENGTH\fR and the key length in \fBarg\fR. .IP EVP_CIPH_NO_PADDING 4 .IX Item "EVP_CIPH_NO_PADDING" -Don't use standard block padding. +Don\*(Aqt use standard block padding. .IP EVP_CIPH_RAND_KEY 4 .IX Item "EVP_CIPH_RAND_KEY" Making a key with random content is left to the implementation. -This is done by calling the implementation's \fBctrl()\fR function with the +This is done by calling the implementation\*(Aqs \fBctrl()\fR function with the control code \fBEVP_CTRL_RAND_KEY\fR and the pointer to the key memory storage in \fBptr\fR. .IP EVP_CIPH_CUSTOM_COPY 4 .IX Item "EVP_CIPH_CUSTOM_COPY" -Set this to have the implementation's \fBctrl()\fR function called with +Set this to have the implementation\*(Aqs \fBctrl()\fR function called with command code \fBEVP_CTRL_COPY\fR at the end of \fBEVP_CIPHER_CTX_copy()\fR. 
The intended use is for further things to deal with after the implementation specific data block has been copied. @@ -223,7 +226,7 @@ This indicates that this is an AEAD cipher implementation. Allow interleaving of crypto blocks, a particular optimization only applicable to certain TLS ciphers. .PP -\&\fBEVP_CIPHER_meth_set_impl_ctx_size()\fR sets the size of the EVP_CIPHER's +\&\fBEVP_CIPHER_meth_set_impl_ctx_size()\fR sets the size of the EVP_CIPHER\*(Aqs implementation context so that it can be automatically allocated. .PP \&\fBEVP_CIPHER_meth_set_init()\fR sets the cipher init function for @@ -240,7 +243,7 @@ The cipher function is called by \fBEVP_CipherUpdate()\fR, \&\fBEVP_DecryptFinal_ex()\fR. .PP \&\fBEVP_CIPHER_meth_set_cleanup()\fR sets the function for \fBcipher\fR to do -extra cleanup before the method's private data structure is cleaned +extra cleanup before the method\*(Aqs private data structure is cleaned out and freed. Note that the cleanup function is passed a \fBEVP_CIPHER_CTX *\fR, the private data structure is then available with diff --git a/secure/lib/libcrypto/man/man3/EVP_DigestInit.3 b/secure/lib/libcrypto/man/man3/EVP_DigestInit.3 index c768ea135206..92880b74fe68 100644 --- a/secure/lib/libcrypto/man/man3/EVP_DigestInit.3 +++ b/secure/lib/libcrypto/man/man3/EVP_DigestInit.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_DIGESTINIT 3ossl" -.TH EVP_DIGESTINIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_DIGESTINIT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -199,7 +202,7 @@ see \fBopenssl_user_macros\fR\|(7): .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP digest routines are a high-level interface to message digests, and +The EVP digest routines are a high\-level interface to message digests, and Extendable Output Functions (XOF). .PP The \fBEVP_MD\fR type is a structure for digest method implementation. @@ -246,7 +249,7 @@ If the argument is NULL, nothing is done. is the mechanism that should be used to set and get parameters that are used by providers.\fR .Sp -Performs digest-specific control actions on context \fIctx\fR. The control command +Performs digest\-specific control actions on context \fIctx\fR. The control command is indicated in \fIcmd\fR and any additional arguments in \fIp1\fR and \fIp2\fR. \&\fBEVP_MD_CTX_ctrl()\fR must be called after \fBEVP_DigestInit_ex2()\fR. Other restrictions may apply depending on the control type and digest implementation. 
@@ -280,18 +283,18 @@ Get a constant \fBOSSL_PARAM\fR\|(3) array that describes the retrievable parame that can be used with \fBEVP_MD_CTX_get_params()\fR. \fBEVP_MD_gettable_ctx_params()\fR returns the parameters that can be retrieved from the algorithm, whereas \&\fBEVP_MD_CTX_gettable_params()\fR returns the parameters that can be retrieved -in the context's current state. +in the context\*(Aqs current state. .IP "\fBEVP_MD_settable_ctx_params()\fR, \fBEVP_MD_CTX_settable_params()\fR" 4 .IX Item "EVP_MD_settable_ctx_params(), EVP_MD_CTX_settable_params()" Get a constant \fBOSSL_PARAM\fR\|(3) array that describes the settable parameters that can be used with \fBEVP_MD_CTX_set_params()\fR. \fBEVP_MD_settable_ctx_params()\fR returns the parameters that can be set from the algorithm, whereas \&\fBEVP_MD_CTX_settable_params()\fR returns the parameters that can be set in the -context's current state. +context\*(Aqs current state. .IP "\fBEVP_MD_CTX_set_flags()\fR, \fBEVP_MD_CTX_clear_flags()\fR, \fBEVP_MD_CTX_test_flags()\fR" 4 .IX Item "EVP_MD_CTX_set_flags(), EVP_MD_CTX_clear_flags(), EVP_MD_CTX_test_flags()" Sets, clears and tests \fIctx\fR flags. See "FLAGS" below for more information. -.IP "\fBEVP_Q_digest()\fR is a quick one-shot digest function." 4 +.IP "\fBEVP_Q_digest()\fR is a quick one\-shot digest function." 4 .IX Item "EVP_Q_digest() is a quick one-shot digest function." It hashes \fIdatalen\fR bytes of data at \fIdata\fR using the digest algorithm \&\fIname\fR, which is fetched using the optional \fIlibctx\fR and \fIpropq\fR parameters. 
@@ -321,7 +324,7 @@ Sets up digest context \fIctx\fR to use a digest \fItype\fR. \&\fItype\fR is typically supplied by a function such as \fBEVP_sha1()\fR, or a value explicitly fetched with \fBEVP_MD_fetch()\fR. .Sp -If \fIimpl\fR is non-NULL, its implementation of the digest \fItype\fR is used if +If \fIimpl\fR is non\-NULL, its implementation of the digest \fItype\fR is used if there is one, and if not, the default implementation is used. .Sp The \fItype\fR parameter can be NULL if \fIctx\fR has been already initialized @@ -344,7 +347,7 @@ application. After calling \fBEVP_DigestFinal_ex()\fR no additional calls to initialize a new digest operation. \fIctx\fR \fBMUST NOT\fR be NULL. .IP \fBEVP_DigestFinalXOF()\fR 4 .IX Item "EVP_DigestFinalXOF()" -Interfaces to extendable-output functions, XOFs, such as SHAKE128 and SHAKE256. +Interfaces to extendable\-output functions, XOFs, such as SHAKE128 and SHAKE256. It retrieves the digest value from \fIctx\fR and places it in \fIoutlen\fR\-sized \fIout\fR. After calling this function no additional calls to \fBEVP_DigestUpdate()\fR can be made, but \fBEVP_DigestInit_ex2()\fR can be called to initialize a new operation. @@ -366,7 +369,7 @@ useful if large amounts of data are to be hashed which only differ in the last few bytes. .IP \fBEVP_DigestInit()\fR 4 .IX Item "EVP_DigestInit()" -Behaves in the same way as \fBEVP_DigestInit_ex2()\fR except it doesn't set any +Behaves in the same way as \fBEVP_DigestInit_ex2()\fR except it doesn\*(Aqt set any parameters and calls \fBEVP_MD_CTX_reset()\fR so it cannot be used with an \fItype\fR of NULL. .IP \fBEVP_DigestFinal()\fR 4 
@@ -379,22 +382,22 @@ Similar to \fBEVP_MD_CTX_copy_ex()\fR except the destination \fIout\fR does not be initialized. .IP \fBEVP_MD_is_a()\fR 4 .IX Item "EVP_MD_is_a()" -Returns 1 if \fImd\fR is an implementation of an algorithm that's +Returns 1 if \fImd\fR is an implementation of an algorithm that\*(Aqs identifiable with \fIname\fR, otherwise 0. .Sp -If \fImd\fR is a legacy digest (it's the return value from the likes of +If \fImd\fR is a legacy digest (it\*(Aqs the return value from the likes of \&\fBEVP_sha256()\fR rather than the result of an \fBEVP_MD_fetch()\fR), only cipher names registered with the default library context (see \&\fBOSSL_LIB_CTX\fR\|(3)) will be considered. .IP \fBEVP_MD_xof()\fR 4 .IX Item "EVP_MD_xof()" -Returns 1 if \fImd\fR is an Extendable-output Function (XOF) otherwise it returns +Returns 1 if \fImd\fR is an Extendable\-output Function (XOF) otherwise it returns 0. SHAKE128 and SHAKE256 are XOF functions. It returns 0 for BLAKE2B algorithms. .IP "\fBEVP_MD_get0_name()\fR, \fBEVP_MD_CTX_get0_name()\fR" 4 .IX Item "EVP_MD_get0_name(), EVP_MD_CTX_get0_name()" Return the name of the given message digest. For fetched message -digests with multiple names, only one of them is returned; it's +digests with multiple names, only one of them is returned; it\*(Aqs recommended to use \fBEVP_MD_names_do_all()\fR instead. .IP \fBEVP_MD_names_do_all()\fR 4 .IX Item "EVP_MD_names_do_all()" 
@@ -472,7 +475,7 @@ Returns an \fBEVP_MD\fR structure when passed a digest name, a digest \fBNID\fR The \fBEVP_get_digestbyname()\fR function is present for backwards compatibility with OpenSSL prior to version 3 and is different to the \fBEVP_MD_fetch()\fR function since it does not attempt to "fetch" an implementation of the cipher. -Additionally, it only knows about digests that are built-in to OpenSSL and have +Additionally, it only knows about digests that are built\-in to OpenSSL and have an associated NID. Similarly \fBEVP_get_digestbynid()\fR and \fBEVP_get_digestbyobj()\fR also return objects without an associated implementation. .Sp @@ -524,7 +527,7 @@ It may be used by BLAKE2B\-512 to set the output length used by \&\fBEVP_DigestFinal_ex()\fR and \fBEVP_DigestFinal()\fR. .PP \&\fBEVP_MD_CTX_set_params()\fR can be used with the following OSSL_PARAM keys: -.IP """pad-type"" (\fBOSSL_DIGEST_PARAM_PAD_TYPE\fR) <unsigned integer>" 4 +.IP """pad\-type"" (\fBOSSL_DIGEST_PARAM_PAD_TYPE\fR) <unsigned integer>" 4 .IX Item """pad-type"" (OSSL_DIGEST_PARAM_PAD_TYPE) <unsigned integer>" Sets the padding type. It is used by the MDC2 algorithm. @@ -629,7 +632,7 @@ that the callback was not called for any names. .SH NOTES .IX Header "NOTES" The \fBEVP\fR interface to message digests should almost always be used in -preference to the low-level interfaces. This is because the code then becomes +preference to the low\-level interfaces. This is because the code then becomes transparent to the digest used and much more flexible. .PP New applications should use the SHA\-2 (such as \fBEVP_sha256\fR\|(3)) or the SHA\-3 
@@ -775,7 +778,7 @@ The \fBEVP_MD_type()\fR, \fBEVP_MD_nid()\fR, \fBEVP_MD_name()\fR, \fBEVP_MD_pkey \&\fBEVP_MD_size()\fR, \fBEVP_MD_block_size()\fR, \fBEVP_MD_flags()\fR, \fBEVP_MD_CTX_size()\fR, \&\fBEVP_MD_CTX_block_size()\fR, \fBEVP_MD_CTX_type()\fR, and \fBEVP_MD_CTX_md_data()\fR functions were renamed to include \f(CW\*(C`get\*(C'\fR or \f(CW\*(C`get0\*(C'\fR in their names in -OpenSSL 3.0, respectively. The old names are kept as non-deprecated +OpenSSL 3.0, respectively. The old names are kept as non\-deprecated alias macros. .PP The \fBEVP_MD_CTX_md()\fR function was deprecated in OpenSSL 3.0; use diff --git a/secure/lib/libcrypto/man/man3/EVP_DigestSignInit.3 b/secure/lib/libcrypto/man/man3/EVP_DigestSignInit.3 index 284a9acd5781..f087e045ed28 100644 --- a/secure/lib/libcrypto/man/man3/EVP_DigestSignInit.3 +++ b/secure/lib/libcrypto/man/man3/EVP_DigestSignInit.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_DIGESTSIGNINIT 3ossl" -.TH EVP_DIGESTSIGNINIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_DIGESTSIGNINIT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -83,7 +86,7 @@ EVP_DigestSignFinal, EVP_DigestSign \- EVP signing functions .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP signature routines are a high-level interface to digital signatures. +The EVP signature routines are a high\-level interface to digital signatures. Input data is digested first before the signing takes place. .PP \&\fBEVP_DigestSignInit_ex()\fR sets up signing context \fIctx\fR to use a digest @@ -126,7 +129,7 @@ See also \fBSM2\fR\|(7). .PP Only EVP_PKEY types that support signing can be used with these functions. This includes MAC algorithms where the MAC generation is considered as a form of -"signing". Built-in EVP_PKEY types supported by these functions are CMAC, +"signing". Built\-in EVP_PKEY types supported by these functions are CMAC, Poly1305, DSA, ECDSA, HMAC, RSA, SipHash, Ed25519 and Ed448. .PP Not all digests can be used for all key types. The following combinations apply. @@ -156,7 +159,7 @@ Supports any digest .IX Item "CMAC, Poly1305 and SipHash" Will ignore any digest provided. .PP -If RSA-PSS is used and restrictions apply then the digest must match. +If RSA\-PSS is used and restrictions apply then the digest must match. .PP \&\fBEVP_DigestSignInit()\fR works in the same way as \fBEVP_DigestSignInit_ex()\fR except that the \fImdname\fR parameter will be inferred from the supplied @@ -190,7 +193,7 @@ The error codes can be obtained from \fBERR_get_error\fR\|(3). .SH NOTES .IX Header "NOTES" The \fBEVP\fR interface to digital signatures should almost always be used in -preference to the low-level interfaces. This is because the code then becomes +preference to the low\-level interfaces. This is because the code then becomes transparent to the algorithm used and much more flexible. .PP \&\fBEVP_DigestSign()\fR is a one shot operation which signs a single block of data 
diff --git a/secure/lib/libcrypto/man/man3/EVP_DigestVerifyInit.3 b/secure/lib/libcrypto/man/man3/EVP_DigestVerifyInit.3 index fd3d18afcd24..9d3692ff6f6f 100644 --- a/secure/lib/libcrypto/man/man3/EVP_DigestVerifyInit.3 +++ b/secure/lib/libcrypto/man/man3/EVP_DigestVerifyInit.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_DIGESTVERIFYINIT 3ossl" -.TH EVP_DIGESTVERIFYINIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_DIGESTVERIFYINIT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -82,7 +85,7 @@ EVP_DigestVerifyFinal, EVP_DigestVerify \- EVP signature verification functions .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP signature routines are a high-level interface to digital signatures. +The EVP signature routines are a high\-level interface to digital signatures. Input data is digested first before the signature verification takes place. .PP \&\fBEVP_DigestVerifyInit_ex()\fR sets up verification context \fBctx\fR to use a @@ -147,7 +150,7 @@ Supports any digest .IX Item "CMAC, Poly1305 and Siphash" Will ignore any digest provided. .PP -If RSA-PSS is used and restrictions apply then the digest must match. +If RSA\-PSS is used and restrictions apply then the digest must match. .PP \&\fBEVP_DigestVerifyInit()\fR works in the same way as \&\fBEVP_DigestVerifyInit_ex()\fR except that the \fBmdname\fR parameter will be 
@@ -179,7 +182,7 @@ The error codes can be obtained from \fBERR_get_error\fR\|(3). .SH NOTES .IX Header "NOTES" The \fBEVP\fR interface to digital signatures should almost always be used in -preference to the low-level interfaces. This is because the code then becomes +preference to the low\-level interfaces. This is because the code then becomes transparent to the algorithm used and much more flexible. .PP \&\fBEVP_DigestVerify()\fR is a one shot operation which verifies a single block of diff --git a/secure/lib/libcrypto/man/man3/EVP_EncodeInit.3 b/secure/lib/libcrypto/man/man3/EVP_EncodeInit.3 index 9b16686cf317..a8e205d2e63f 100644 --- a/secure/lib/libcrypto/man/man3/EVP_EncodeInit.3 +++ b/secure/lib/libcrypto/man/man3/EVP_EncodeInit.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_ENCODEINIT 3ossl" -.TH EVP_ENCODEINIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_ENCODEINIT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -88,7 +91,7 @@ EVP_DecodeBlock \- EVP base64 encode/decode routines .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP encode routines provide a high-level interface to base64 encoding and +The EVP encode routines provide a high\-level interface to base64 encoding and decoding. Base64 encoding converts binary data into a printable form that uses the characters A\-Z, a\-z, 0\-9, "+" and "/" to represent the data. For every 3 
@@ -116,7 +119,7 @@ will also be output. .PP \&\fBEVP_EncodeUpdate()\fR encode \fBinl\fR bytes of data found in the buffer pointed to by \&\fBin\fR. The output is stored in the buffer \fBout\fR and the number of bytes output -is stored in \fB*outl\fR. It is the caller's responsibility to ensure that the +is stored in \fB*outl\fR. It is the caller\*(Aqs responsibility to ensure that the buffer at \fBout\fR is sufficiently large to accommodate the output data. Only full blocks of data (48 bytes) will be immediately processed and output by this function. Any remainder is held in the \fBctx\fR object and will be processed by a @@ -133,7 +136,7 @@ returned. \&\fBEVP_EncodeFinal()\fR must be called at the end of an encoding operation. It will process any partial block of data remaining in the \fBctx\fR object. The output data will be stored in \fBout\fR and the length of the data written will be stored -in \fB*outl\fR. It is the caller's responsibility to ensure that \fBout\fR is +in \fB*outl\fR. It is the caller\*(Aqs responsibility to ensure that \fBout\fR is sufficiently large to accommodate the output data which will never be more than 65 bytes plus an additional NUL terminator (i.e. 66 bytes in total). .PP @@ -158,7 +161,7 @@ the data generated \fIwithout\fR the NUL terminator is returned from the functio pointed to by \fBin\fR. The output is stored in the buffer \fBout\fR and the number of bytes output is stored in \fB*outl\fR. -It is the caller's responsibility to ensure that the buffer at \fBout\fR is +It is the caller\*(Aqs responsibility to ensure that the buffer at \fBout\fR is sufficiently large to accommodate the output data. This function will attempt to decode as much data as possible in chunks of up to 80 base64 characters at a time. 
@@ -170,11 +173,11 @@ not buffered. .PP Any whitespace, newline or carriage return characters are ignored. For compatibility with \fBPEM\fR, the \fB\-\fR (hyphen) character is treated as a soft -end-of-input, subsequent bytes are not buffered, and the return value will be +end\-of\-input, subsequent bytes are not buffered, and the return value will be 0 to indicate that the end of the base64 input has been detected. -The soft end-of-input, if present, MUST occur after a multiple of 4 valid base64 +The soft end\-of\-input, if present, MUST occur after a multiple of 4 valid base64 input bytes. -The soft end-of-input condition is not remembered in \fBctx\fR, it is up to the +The soft end\-of\-input condition is not remembered in \fBctx\fR, it is up to the caller to avoid further calls to \fBEVP_DecodeUpdate()\fR after a 0 or negative (error) return. .PP @@ -184,7 +187,7 @@ character (\fB=\fR) is encountered in the middle of the data then A return value of 0 or 1 indicates successful processing of the data. A return value of 0 additionally indicates that the last 4 bytes processed ended with base64 padding (\fB=\fR), or that the next 4 byte group starts with the -soft end-of-input (\fB\-\fR) character, and therefore no more input data is +soft end\-of\-input (\fB\-\fR) character, and therefore no more input data is expected to be processed. .PP For every 4 valid base64 bytes processed (ignoring whitespace, carriage returns @@ -224,7 +227,7 @@ object or NULL on error. terminator. .PP \&\fBEVP_DecodeUpdate()\fR returns \-1 on error and 0 or 1 on success. If 0 is returned -then no more non-padding base64 characters are expected. +then no more non\-padding base64 characters are expected. .PP \&\fBEVP_DecodeFinal()\fR returns \-1 on error or 1 on success. .PP diff --git a/secure/lib/libcrypto/man/man3/EVP_EncryptInit.3 b/secure/lib/libcrypto/man/man3/EVP_EncryptInit.3 index 4026ef899f2a..b30b3d783b34 100644 --- a/secure/lib/libcrypto/man/man3/EVP_EncryptInit.3 
+++ b/secure/lib/libcrypto/man/man3/EVP_EncryptInit.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_ENCRYPTINIT 3ossl" -.TH EVP_ENCRYPTINIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_ENCRYPTINIT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -128,8 +131,6 @@ EVP_CIPHER_CTX_get_block_size, EVP_CIPHER_CTX_get_key_length, EVP_CIPHER_CTX_get_iv_length, EVP_CIPHER_CTX_get_tag_length, -EVP_CIPHER_CTX_get_app_data, -EVP_CIPHER_CTX_set_app_data, EVP_CIPHER_CTX_flags, EVP_CIPHER_CTX_set_flags, EVP_CIPHER_CTX_clear_flags, @@ -285,8 +286,6 @@ EVP_CIPHER_CTX_mode \& int EVP_CIPHER_CTX_get_key_length(const EVP_CIPHER_CTX *ctx); \& int EVP_CIPHER_CTX_get_iv_length(const EVP_CIPHER_CTX *ctx); \& int EVP_CIPHER_CTX_get_tag_length(const EVP_CIPHER_CTX *ctx); -\& void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx); -\& void EVP_CIPHER_CTX_set_app_data(const EVP_CIPHER_CTX *ctx, void *data); \& int EVP_CIPHER_CTX_get_type(const EVP_CIPHER_CTX *ctx); \& int EVP_CIPHER_CTX_get_mode(const EVP_CIPHER_CTX *ctx); \& int EVP_CIPHER_CTX_get_num(const EVP_CIPHER_CTX *ctx); @@ -336,7 +335,7 @@ see \fBopenssl_user_macros\fR\|(7): .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP cipher routines are a high-level interface to certain +The EVP cipher routines are a high\-level interface to certain symmetric ciphers. .PP The \fBEVP_CIPHER\fR type is a structure for cipher method implementation. 
@@ -380,7 +379,7 @@ Can be used to copy the cipher state from \fIin\fR to \fIout\fR. \&\fBEVP_CIPHER_CTX_get_params()\fR is the mechanism that should be used to set and get parameters that are used by providers. .Sp -Performs cipher-specific control actions on context \fIctx\fR. The control command +Performs cipher\-specific control actions on context \fIctx\fR. The control command is indicated in \fIcmd\fR and any additional arguments in \fIp1\fR and \fIp2\fR. \&\fBEVP_CIPHER_CTX_ctrl()\fR must be called after \fBEVP_CipherInit_ex2()\fR. Other restrictions may apply depending on the control type and cipher implementation. @@ -414,14 +413,14 @@ Get a constant \fBOSSL_PARAM\fR\|(3) array that describes the retrievable parame that can be used with \fBEVP_CIPHER_CTX_get_params()\fR. \&\fBEVP_CIPHER_gettable_ctx_params()\fR returns the parameters that can be retrieved from the algorithm, whereas \fBEVP_CIPHER_CTX_gettable_params()\fR returns the -parameters that can be retrieved in the context's current state. +parameters that can be retrieved in the context\*(Aqs current state. .IP "\fBEVP_CIPHER_settable_ctx_params()\fR and \fBEVP_CIPHER_CTX_settable_params()\fR" 4 .IX Item "EVP_CIPHER_settable_ctx_params() and EVP_CIPHER_CTX_settable_params()" Get a constant \fBOSSL_PARAM\fR\|(3) array that describes the settable parameters that can be used with \fBEVP_CIPHER_CTX_set_params()\fR. \&\fBEVP_CIPHER_settable_ctx_params()\fR returns the parameters that can be set from the algorithm, whereas \fBEVP_CIPHER_CTX_settable_params()\fR returns the parameters that -can be set in the context's current state. +can be set in the context\*(Aqs current state. .IP \fBEVP_EncryptInit_ex2()\fR 4 .IX Item "EVP_EncryptInit_ex2()" Sets up cipher context \fIctx\fR for encryption with cipher \fItype\fR. \fIctx\fR \fBMUST NOT\fR be NULL. 
@@ -445,10 +444,10 @@ exists. .IX Item "EVP_EncryptUpdate()" Encrypts \fIinl\fR bytes from the buffer \fIin\fR and writes the encrypted version to \&\fIout\fR. The pointers \fIout\fR and \fIin\fR may point to the same location, in which -case the encryption will be done in-place. However, in-place encryption is +case the encryption will be done in\-place. However, in\-place encryption is guaranteed to work only if the encryption context (\fIctx\fR) has processed data in multiples of the block size. If the context contains an incomplete data block -from previous operations, in-place encryption will fail. \fIctx\fR \fBMUST NOT\fR be NULL. +from previous operations, in\-place encryption will fail. \fIctx\fR \fBMUST NOT\fR be NULL. .Sp If \fIout\fR and \fIin\fR point to different locations, the two buffers must be disjoint, otherwise the operation might fail or the outcome might be undefined. @@ -489,7 +488,7 @@ identical to the encryption operations. \fIctx\fR \fBMUST NOT\fR be NULL. These functions can be used for decryption or encryption. The operation performed depends on the value of the \fIenc\fR parameter. It should be set to 1 for encryption, 0 for decryption and \-1 to leave the value unchanged -(the actual value of 'enc' being supplied in a previous call). +(the actual value of \*(Aqenc\*(Aq being supplied in a previous call). .IP \fBEVP_CipherInit_SKEY()\fR 4 .IX Item "EVP_CipherInit_SKEY()" This function is similar to \fBEVP_CipherInit_ex2()\fR but accepts a 
@@ -516,20 +515,20 @@ must be called to free any context resources. Encrypts or decrypts a maximum \fIinl\fR amount of bytes from \fIin\fR and leaves the result in \fIout\fR. .Sp -For legacy ciphers \- If the cipher doesn't have the flag +For legacy ciphers \- If the cipher doesn\*(Aqt have the flag \&\fBEVP_CIPH_FLAG_CUSTOM_CIPHER\fR set, then \fIinl\fR must be a multiple of -\&\fBEVP_CIPHER_get_block_size()\fR. If it isn't, the result is undefined. If the cipher +\&\fBEVP_CIPHER_get_block_size()\fR. If it isn\*(Aqt, the result is undefined. If the cipher has that flag set, then \fIinl\fR can be any size. .Sp -Due to the constraints of the API contract of this function it shouldn't be used +Due to the constraints of the API contract of this function it shouldn\*(Aqt be used in applications, please consider using \fBEVP_CipherUpdate()\fR and \&\fBEVP_CipherFinal_ex()\fR instead. .IP \fBEVP_CIPHER_can_pipeline()\fR 4 .IX Item "EVP_CIPHER_can_pipeline()" This function checks if a \fBEVP_CIPHER\fR fetched using \fBEVP_CIPHER_fetch()\fR supports cipher pipelining. If the cipher supports pipelining, it returns 1, otherwise 0. -This function will return 0 for non-fetched ciphers such as \fBEVP_aes_128_gcm()\fR. -There are currently no built-in ciphers that support pipelining. +This function will return 0 for non\-fetched ciphers such as \fBEVP_aes_128_gcm()\fR. +There are currently no built\-in ciphers that support pipelining. .Sp Cipher pipelining support allows an application to submit multiple chunks of data in one set of \fBEVP_CipherUpdate()\fR/EVP_CipherFinal calls, thereby allowing 
@@ -537,7 +536,7 @@ the provided implementation to take advantage of parallel computing. This is beneficial for hardware accelerators as pipeline amortizes the latency over multiple chunks. .Sp -For non-fetched ciphers, \fBEVP_CipherPipelineEncryptInit()\fR or +For non\-fetched ciphers, \fBEVP_CipherPipelineEncryptInit()\fR or \&\fBEVP_CipherPipelineDecryptInit()\fR may be directly called, which will perform a fetch and return an error if a pipeline supported implementation is not found. .IP "\fBEVP_CipherPipelineEncryptInit()\fR, \fBEVP_CipherPipelineDecryptInit()\fR, \fBEVP_CipherPipelineUpdate()\fR and \fBEVP_CipherPipelineFinal()\fR" 4 @@ -579,7 +578,7 @@ accessible via low level interfaces. The \fBEVP_get_cipherbyname()\fR function is present for backwards compatibility with OpenSSL prior to version 3 and is different to the \fBEVP_CIPHER_fetch()\fR function since it does not attempt to "fetch" an implementation of the cipher. -Additionally, it only knows about ciphers that are built-in to OpenSSL and have +Additionally, it only knows about ciphers that are built\-in to OpenSSL and have an associated NID. Similarly \fBEVP_get_cipherbynid()\fR and \fBEVP_get_cipherbyobj()\fR also return objects without an associated implementation. .Sp @@ -659,8 +658,8 @@ object identifier or does not have ASN1 support this function will return \&\fBNID_undef\fR. .IP \fBEVP_CIPHER_is_a()\fR 4 .IX Item "EVP_CIPHER_is_a()" -Returns 1 if \fIcipher\fR is an implementation of an algorithm that's identifiable -with \fIname\fR, otherwise 0. If \fIcipher\fR is a legacy cipher (it's the return +Returns 1 if \fIcipher\fR is an implementation of an algorithm that\*(Aqs identifiable +with \fIname\fR, otherwise 0. If \fIcipher\fR is a legacy cipher (it\*(Aqs the return value from the likes of \fBEVP_aes128()\fR rather than the result of an \&\fBEVP_CIPHER_fetch()\fR), only cipher names registered with the default library context (see \fBOSSL_LIB_CTX\fR\|(3)) will be considered. 
@@ -700,7 +699,7 @@ for a list of currently defined flags. .IP "\fBEVP_CIPHER_CTX_get_num()\fR and \fBEVP_CIPHER_CTX_set_num()\fR" 4 .IX Item "EVP_CIPHER_CTX_get_num() and EVP_CIPHER_CTX_set_num()" Gets or sets the cipher specific "num" parameter for the associated \fIctx\fR. -Built-in ciphers typically use this to track how much of the current underlying block +Built\-in ciphers typically use this to track how much of the current underlying block has been "used" already. .IP \fBEVP_CIPHER_CTX_is_encrypting()\fR 4 .IX Item "EVP_CIPHER_CTX_is_encrypting()" @@ -776,7 +775,7 @@ Use \fBEVP_CIPHER_get_block_size()\fR to retrieve the cached value. Gets 1 if this is an AEAD cipher algorithm, otherwise it gets 0. Use (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) to retrieve the cached value. -.IP """custom-iv"" (\fBOSSL_CIPHER_PARAM_CUSTOM_IV\fR) <integer>" 4 +.IP """custom\-iv"" (\fBOSSL_CIPHER_PARAM_CUSTOM_IV\fR) <integer>" 4 .IX Item """custom-iv"" (OSSL_CIPHER_PARAM_CUSTOM_IV) <integer>" Gets 1 if the cipher algorithm \fIcipher\fR has a custom IV, otherwise it gets 0. Storing and initializing the IV is left entirely to the implementation, if a 
@@ -791,19 +790,19 @@ This is currently used to indicate that the cipher is a one shot that only allows a single call to \fBEVP_CipherUpdate()\fR. Use (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_CTS) to retrieve the cached value. -.IP """tls-multi"" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK\fR) <integer>" 4 +.IP """tls\-multi"" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK\fR) <integer>" 4 .IX Item """tls-multi"" (OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK) <integer>" Gets 1 if the cipher algorithm \fIcipher\fR supports interleaving of crypto blocks, otherwise it gets 0. The interleaving is an optimization only applicable to certain TLS ciphers. Use (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) to retrieve the cached value. -.IP """has-randkey"" (\fBOSSL_CIPHER_PARAM_HAS_RANDKEY\fR) <integer>" 4 +.IP """has\-randkey"" (\fBOSSL_CIPHER_PARAM_HAS_RANDKEY\fR) <integer>" 4 .IX Item """has-randkey"" (OSSL_CIPHER_PARAM_HAS_RANDKEY) <integer>" Gets 1 if the cipher algorithm \fIcipher\fR supports the gettable EVP_CIPHER_CTX parameter \fBOSSL_CIPHER_PARAM_RANDOM_KEY\fR. Only DES and 3DES set this to 1, all other OpenSSL ciphers return 0. -.IP """decrypt-only"" (\fBOSSL_CIPHER_PARAM_DECRYPT_ONLY) <integer\fR" 4 +.IP """decrypt\-only"" (\fBOSSL_CIPHER_PARAM_DECRYPT_ONLY) <integer\fR" 4 .IX Item """decrypt-only"" (OSSL_CIPHER_PARAM_DECRYPT_ONLY) <integer" Gets 1 if the cipher algorithm \fIcipher\fR implementation supports only the decryption operation such as the 3DES ciphers in the fips provider. 
@@ -820,7 +819,7 @@ See also \fBEVP_CIPHER_CTX_set_padding()\fR. .IP """num"" (\fBOSSL_CIPHER_PARAM_NUM\fR) <unsigned integer>" 4 .IX Item """num"" (OSSL_CIPHER_PARAM_NUM) <unsigned integer>" Gets or sets the cipher specific "num" parameter for the cipher context \fIctx\fR. -Built-in ciphers typically use this to track how much of the current underlying +Built\-in ciphers typically use this to track how much of the current underlying block has been "used" already. See also \fBEVP_CIPHER_CTX_get_num()\fR and \fBEVP_CIPHER_CTX_set_num()\fR. .IP """keylen"" (\fBOSSL_CIPHER_PARAM_KEYLEN\fR) <unsigned integer>" 4 @@ -832,7 +831,7 @@ See also \fBEVP_CIPHER_CTX_get_key_length()\fR and \fBEVP_CIPHER_CTX_set_key_len .IX Item """tag"" (OSSL_CIPHER_PARAM_AEAD_TAG) <octet string>" Gets or sets the AEAD tag for the associated cipher context \fIctx\fR. See "AEAD INTERFACE" in \fBEVP_EncryptInit\fR\|(3). -.IP """pipeline-tag"" (\fBOSSL_CIPHER_PARAM_PIPELINE_AEAD_TAG\fR) <octet ptr>" 4 +.IP """pipeline\-tag"" (\fBOSSL_CIPHER_PARAM_PIPELINE_AEAD_TAG\fR) <octet ptr>" 4 .IX Item """pipeline-tag"" (OSSL_CIPHER_PARAM_PIPELINE_AEAD_TAG) <octet ptr>" Gets or sets the AEAD tag when using cipher pipelining. The pointer must point to an array of buffers, where the aead tag will be read from or written to. 
@@ -846,12 +845,12 @@ The length of the "keybits" parameter should not exceed that of a \fBsize_t\fR. .IX Item """rounds"" (OSSL_CIPHER_PARAM_ROUNDS) <unsigned integer>" Gets or sets the number of rounds to be used for a cipher. This is used by the RC5 cipher. -.IP """algorithm-id"" (\fBOSSL_CIPHER_PARAM_ALGORITHM_ID\fR) <octet string>" 4 +.IP """algorithm\-id"" (\fBOSSL_CIPHER_PARAM_ALGORITHM_ID\fR) <octet string>" 4 .IX Item """algorithm-id"" (OSSL_CIPHER_PARAM_ALGORITHM_ID) <octet string>" Used to get the DER encoded AlgorithmIdentifier from the cipher implementation. Functions like \fBEVP_PKEY_CTX_get_algor\fR\|(3) use this parameter. -.IP """algorithm-id-params"" (\fBOSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS\fR) <octet string>" 4 +.IP """algorithm\-id\-params"" (\fBOSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS\fR) <octet string>" 4 .IX Item """algorithm-id-params"" (OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS) <octet string>" Used to pass the DER encoded AlgorithmIdentifier parameter to or from the cipher implementation. @@ -859,7 +858,7 @@ Functions like \fBEVP_CIPHER_CTX_set_algor_params\fR\|(3) and \&\fBEVP_CIPHER_CTX_get_algor_params\fR\|(3) use this parameter. .IP """alg_id_params"" (\fBOSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD\fR) <octet string>" 4 .IX Item """alg_id_params"" (OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD) <octet string>" -An deprecated alias for "algorithm-id-params", only used by +An deprecated alias for "algorithm\-id\-params", only used by \&\fBEVP_CIPHER_param_to_asn1\fR\|(3) and \fBEVP_CIPHER_asn1_to_param\fR\|(3). .IP """cts_mode"" (\fBOSSL_CIPHER_PARAM_CTS_MODE\fR) <UTF8 string>" 4 .IX Item """cts_mode"" (OSSL_CIPHER_PARAM_CTS_MODE) <UTF8 string>" 
@@ -873,19 +872,19 @@ Valid values for the mode are: .IX Item """CS1""" The NIST variant of cipher text stealing. For input lengths that are multiples of the block size it is equivalent to -using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher otherwise the second last +using a "AES\-XXX\-CBC" or "CAMELLIA\-XXX\-CBC" cipher otherwise the second last cipher text block is a partial block. .IP """CS2""" 4 .IX Item """CS2""" For input lengths that are multiples of the block size it is equivalent to -using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher, otherwise it is the same as +using a "AES\-XXX\-CBC" or "CAMELLIA\-XXX\-CBC" cipher, otherwise it is the same as "CS3" mode. .IP """CS3""" 4 .IX Item """CS3""" The Kerberos5 variant of cipher text stealing which always swaps the last cipher text block with the previous block (which may be a partial or full block depending on the input length). If the input length is exactly one full block -then this is equivalent to using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher. +then this is equivalent to using a "AES\-XXX\-CBC" or "CAMELLIA\-XXX\-CBC" cipher. .RE .RS 4 .Sp 
@@ -909,9 +908,9 @@ See also \fBEVP_CIPHER_CTX_get_iv_length()\fR. .IX Item """iv"" (OSSL_CIPHER_PARAM_IV) <octet string OR octet ptr>" Gets the IV used to initialize the associated cipher context \fIctx\fR. See also \fBEVP_CIPHER_CTX_get_original_iv()\fR. -.IP """updated-iv"" (\fBOSSL_CIPHER_PARAM_UPDATED_IV\fR) <octet string OR octet ptr>" 4 +.IP """updated\-iv"" (\fBOSSL_CIPHER_PARAM_UPDATED_IV\fR) <octet string OR octet ptr>" 4 .IX Item """updated-iv"" (OSSL_CIPHER_PARAM_UPDATED_IV) <octet string OR octet ptr>" -Gets the updated pseudo-IV state for the associated cipher context, e.g., +Gets the updated pseudo\-IV state for the associated cipher context, e.g., the previous ciphertext block for CBC mode or the iteratively encrypted IV value for OFB mode. Note that octet pointer access is deprecated and is provided only for backwards compatibility with historical libcrypto APIs. 
@@ -947,17 +946,17 @@ The length of the "tls1multi_maxbufsz" parameter should not exceed that of a \fB .IP """tls1multi_aadpacklen"" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN\fR) <unsigned integer>" 4 .IX Item """tls1multi_aadpacklen"" (OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN) <unsigned integer>" Gets the result of running the "tls1multi_aad" operation. -.IP """tls-mac"" (\fBOSSL_CIPHER_PARAM_TLS_MAC\fR) <octet ptr>" 4 +.IP """tls\-mac"" (\fBOSSL_CIPHER_PARAM_TLS_MAC\fR) <octet ptr>" 4 .IX Item """tls-mac"" (OSSL_CIPHER_PARAM_TLS_MAC) <octet ptr>" Used to pass the TLS MAC data. -.IP """fips-indicator"" (\fBOSSL_CIPHER_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_CIPHER_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_CIPHER_PARAM_FIPS_APPROVED_INDICATOR) <integer>" This option is used by the OpenSSL FIPS provider. .Sp A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling a cipher final operation such as -\&\fBEVP_EncryptFinal_ex()\fR. It may return 0 if the "encrypt-check" option is set to 0. -.IP """iv-generated"" (\fBOSSL_CIPHER_PARAM_AEAD_IV_GENERATED\fR) <unsigned integer>" 4 +\&\fBEVP_EncryptFinal_ex()\fR. It may return 0 if the "encrypt\-check" option is set to 0. +.IP """iv\-generated"" (\fBOSSL_CIPHER_PARAM_AEAD_IV_GENERATED\fR) <unsigned integer>" 4 .IX Item """iv-generated"" (OSSL_CIPHER_PARAM_AEAD_IV_GENERATED) <unsigned integer>" An indicator that returns 1 if an IV was generated internally during encryption, or O otherwise. 
@@ -978,18 +977,18 @@ Sets the speed option for the associated cipher context. This is only supported by AES SIV ciphers which disallow multiple operations by default. Setting "speed" to 1 allows another encrypt or decrypt operation to be performed. This is used for performance testing. -.IP """use-bits"" (\fBOSSL_CIPHER_PARAM_USE_BITS\fR) <unsigned integer>" 4 +.IP """use\-bits"" (\fBOSSL_CIPHER_PARAM_USE_BITS\fR) <unsigned integer>" 4 .IX Item """use-bits"" (OSSL_CIPHER_PARAM_USE_BITS) <unsigned integer>" Determines if the input length \fIinl\fR passed to \fBEVP_EncryptUpdate()\fR, \&\fBEVP_DecryptUpdate()\fR and \fBEVP_CipherUpdate()\fR is the number of bits or number of bytes. -Setting "use-bits" to 1 uses bits. The default is in bytes. +Setting "use\-bits" to 1 uses bits. The default is in bytes. This is only used for \fBCFB1\fR ciphers. .Sp This can be set using EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS). -.IP """tls-version"" (\fBOSSL_CIPHER_PARAM_TLS_VERSION\fR) <integer>" 4 +.IP """tls\-version"" (\fBOSSL_CIPHER_PARAM_TLS_VERSION\fR) <integer>" 4 .IX Item """tls-version"" (OSSL_CIPHER_PARAM_TLS_VERSION) <integer>" Sets the TLS version. -.IP """tls-mac-size"" (\fBOSSL_CIPHER_PARAM_TLS_MAC_SIZE\fR) <unsigned integer>" 4 +.IP """tls\-mac\-size"" (\fBOSSL_CIPHER_PARAM_TLS_MAC_SIZE\fR) <unsigned integer>" 4 .IX Item """tls-mac-size"" (OSSL_CIPHER_PARAM_TLS_MAC_SIZE) <unsigned integer>" Set the TLS MAC size. .IP """tlsaad"" (\fBOSSL_CIPHER_PARAM_AEAD_TLS1_AAD\fR) <octet string>" 4 
@@ -1092,16 +1091,16 @@ The IEEE Std. 1619\-2007 variant of SM4\-XTS algorithm. .Sp The default value is "GB". .RE -.IP """encrypt-check"" (\fBOSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK\fR) <integer>" 4 +.IP """encrypt\-check"" (\fBOSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK\fR) <integer>" 4 .IX Item """encrypt-check"" (OSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK) <integer>" This option is used by the OpenSSL FIPS provider. .Sp If required this parameter should be set early via an cipher encrypt init function such as \fBEVP_EncryptInit_ex2()\fR. The default value of 1 causes an error when an encryption operation is triggered. -Setting this to 0 will ignore the error and set the approved "fips-indicator" to +Setting this to 0 will ignore the error and set the approved "fips\-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH CONTROLS .IX Header "CONTROLS" @@ -1213,7 +1212,7 @@ Used by \fBEVP_CIPHER_CTX_set_padding()\fR. See also "Gettable and Settable EVP_CIPHER_CTX parameters" "padding" .IP EVP_CIPH_FLAG_LENGTH_BITS 4 .IX Item "EVP_CIPH_FLAG_LENGTH_BITS" -See "Settable EVP_CIPHER_CTX parameters" "use-bits". +See "Settable EVP_CIPHER_CTX parameters" "use\-bits". .IP EVP_CIPHER_CTX_FLAG_WRAP_ALLOW 4 .IX Item "EVP_CIPHER_CTX_FLAG_WRAP_ALLOW" Used for Legacy purposes only. This flag needed to be set to indicate the 
@@ -1226,16 +1225,16 @@ have mappings to "Gettable EVP_CIPHER parameters": See "Gettable EVP_CIPHER parameters" "aead". .IP EVP_CIPH_CUSTOM_IV 4 .IX Item "EVP_CIPH_CUSTOM_IV" -See "Gettable EVP_CIPHER parameters" "custom-iv". +See "Gettable EVP_CIPHER parameters" "custom\-iv". .IP EVP_CIPH_FLAG_CTS 4 .IX Item "EVP_CIPH_FLAG_CTS" See "Gettable EVP_CIPHER parameters" "cts". .IP EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK; 4 .IX Item "EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK;" -See "Gettable EVP_CIPHER parameters" "tls-multi". +See "Gettable EVP_CIPHER parameters" "tls\-multi". .IP EVP_CIPH_RAND_KEY 4 .IX Item "EVP_CIPH_RAND_KEY" -See "Gettable EVP_CIPHER parameters" "has-randkey". +See "Gettable EVP_CIPHER parameters" "has\-randkey". .PP \&\fBEVP_CIPHER_flags()\fR uses the following flags for legacy purposes only: .IP EVP_CIPH_VARIABLE_LENGTH 4 @@ -1319,7 +1318,7 @@ length, zero if the cipher does not use an IV and a negative value on error. does not use a tag. .PP \&\fBEVP_CIPHER_get_type()\fR and \fBEVP_CIPHER_CTX_get_type()\fR return the NID of the -cipher's OBJECT IDENTIFIER or NID_undef if it has no defined +cipher\*(Aqs OBJECT IDENTIFIER or NID_undef if it has no defined OBJECT IDENTIFIER. .PP \&\fBEVP_CIPHER_CTX_cipher()\fR returns an \fBEVP_CIPHER\fR structure. @@ -1440,7 +1439,7 @@ nonce value. The nonce length is given by \fB15 \- L\fR so it is 7 by default fo AES. .SS "SIV Mode" .IX Subsection "SIV Mode" -Both the AES-SIV and AES-GCM-SIV ciphers fall under this mode. +Both the AES\-SIV and AES\-GCM\-SIV ciphers fall under this mode. .PP For SIV mode ciphers the behaviour of the EVP interface is subtly altered and several additional ctrl operations are supported. 
@@ -1484,7 +1483,7 @@ calls). For SIV mode the taglen must be 16. .PP SIV mode makes two passes over the input data, thus, only one call to \&\fBEVP_CipherUpdate()\fR, \fBEVP_EncryptUpdate()\fR or \fBEVP_DecryptUpdate()\fR should be made -with \fIout\fR set to a non-NULL value. A call to \fBEVP_DecryptFinal()\fR or +with \fIout\fR set to a non\-NULL value. A call to \fBEVP_DecryptFinal()\fR or \&\fBEVP_CipherFinal()\fR is not required, but will indicate if the update operation succeeded. .SS ChaCha20\-Poly1305 @@ -1513,10 +1512,10 @@ This call is only valid when decrypting data. .SH NOTES .IX Header "NOTES" Where possible the \fBEVP\fR interface to symmetric ciphers should be used in -preference to the low-level interfaces. This is because the code then becomes +preference to the low\-level interfaces. This is because the code then becomes transparent to the cipher used and much more flexible. Additionally, the \&\fBEVP\fR interface will ensure the use of platform specific cryptographic -acceleration such as AES-NI (the low-level interfaces do not provide the +acceleration such as AES\-NI (the low\-level interfaces do not provide the guarantee). .PP PKCS padding works by adding \fBn\fR padding bytes of value \fBn\fR to make the total @@ -1547,7 +1546,7 @@ it up on each call. There are some differences between functions \fBEVP_CipherInit()\fR and \&\fBEVP_CipherInit_ex()\fR, significant in some circumstances. \fBEVP_CipherInit()\fR fills the passed context object with zeros. As a consequence, \fBEVP_CipherInit()\fR does -not allow step-by-step initialization of the ctx when the \fIkey\fR and \fIiv\fR are +not allow step\-by\-step initialization of the ctx when the \fIkey\fR and \fIiv\fR are passed in separate calls. It also means that the flags set for the CTX are removed, and it is especially important for the \&\fBEVP_CIPHER_CTX_FLAG_WRAP_ALLOW\fR flag treated specially in 
@@ -1695,7 +1694,7 @@ with a 128\-bit key: \& } .Ve .PP -Encryption using AES-CBC with a 256\-bit key with "CS1" ciphertext stealing. +Encryption using AES\-CBC with a 256\-bit key with "CS1" ciphertext stealing. .PP .Vb 10 \& int encrypt(const unsigned char *key, const unsigned char *iv, @@ -1792,12 +1791,12 @@ The \fBEVP_CIPHER_nid()\fR, \fBEVP_CIPHER_name()\fR, \fBEVP_CIPHER_block_size()\ \&\fBEVP_CIPHER_CTX_iv_length()\fR, \fBEVP_CIPHER_CTX_tag_length()\fR, \&\fBEVP_CIPHER_CTX_num()\fR, \fBEVP_CIPHER_CTX_type()\fR, and \fBEVP_CIPHER_CTX_mode()\fR functions were renamed to include \f(CW\*(C`get\*(C'\fR or \f(CW\*(C`get0\*(C'\fR in their names in -OpenSSL 3.0, respectively. The old names are kept as non-deprecated +OpenSSL 3.0, respectively. The old names are kept as non\-deprecated alias macros. .PP The \fBEVP_CIPHER_CTX_encrypting()\fR function was renamed to \&\fBEVP_CIPHER_CTX_is_encrypting()\fR in OpenSSL 3.0. The old name is kept as -non-deprecated alias macro. +non\-deprecated alias macro. .PP The \fBEVP_CIPHER_CTX_flags()\fR macro was deprecated in OpenSSL 1.1.0. .PP @@ -1810,7 +1809,7 @@ Prior to OpenSSL 3.5, passing a NULL \fIctx\fR to rather than a 0 return value indicating an error. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2000\-2025 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man3/EVP_KDF.3 b/secure/lib/libcrypto/man/man3/EVP_KDF.3 index bb8e293a0421..3d7637bbb08b 100644 --- a/secure/lib/libcrypto/man/man3/EVP_KDF.3 +++ b/secure/lib/libcrypto/man/man3/EVP_KDF.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF 3ossl" -.TH EVP_KDF 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -113,8 +116,8 @@ EVP_KDF_CTX_gettable_params, EVP_KDF_CTX_settable_params \- EVP KDF routines .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP KDF routines are a high-level interface to Key Derivation Function -algorithms and should be used instead of algorithm-specific functions. +The EVP KDF routines are a high\-level interface to Key Derivation Function +algorithms and should be used instead of algorithm\-specific functions. .PP After creating a \fBEVP_KDF_CTX\fR for the required algorithm using \&\fBEVP_KDF_CTX_new()\fR, inputs to the algorithm are supplied either by @@ -142,7 +145,7 @@ The returned value must eventually be freed with KDF. .PP \&\fBEVP_KDF_free()\fR frees a fetched algorithm. -NULL is a valid parameter, for which this function is a no-op. +NULL is a valid parameter, for which this function is a no\-op. .SS "Context manipulation functions" .IX Subsection "Context manipulation functions" \&\fBEVP_KDF_CTX_new()\fR creates a new context for the KDF implementation \fIkdf\fR. 
@@ -183,7 +186,7 @@ The set of parameters given with \fIparams\fR determine exactly what parameters are passed down. Note that a parameter that is unknown in the underlying context is simply ignored. -Also, what happens when a needed parameter isn't passed down is +Also, what happens when a needed parameter isn\*(Aqt passed down is defined by the implementation. .PP \&\fBEVP_KDF_gettable_params()\fR returns an \fBOSSL_PARAM\fR\|(3) array that describes @@ -195,14 +198,14 @@ return constant \fBOSSL_PARAM\fR\|(3) arrays that describe the retrievable parameters that can be used with \fBEVP_KDF_CTX_get_params()\fR. \&\fBEVP_KDF_gettable_ctx_params()\fR returns the parameters that can be retrieved from the algorithm, whereas \fBEVP_KDF_CTX_gettable_params()\fR returns -the parameters that can be retrieved in the context's current state. +the parameters that can be retrieved in the context\*(Aqs current state. .PP \&\fBEVP_KDF_settable_ctx_params()\fR and \fBEVP_KDF_CTX_settable_params()\fR return constant \fBOSSL_PARAM\fR\|(3) arrays that describe the settable parameters that can be used with \fBEVP_KDF_CTX_set_params()\fR. \fBEVP_KDF_settable_ctx_params()\fR returns the parameters that can be retrieved from the algorithm, whereas \fBEVP_KDF_CTX_settable_params()\fR returns the parameters that can -be retrieved in the context's current state. +be retrieved in the context\*(Aqs current state. .SS "Information functions" .IX Subsection "Information functions" \&\fBEVP_KDF_CTX_get_kdf_size()\fR returns the output size if the algorithm produces a fixed amount 
@@ -211,7 +214,7 @@ For some algorithms an error may result if input parameters necessary to calculate a fixed output size have not yet been supplied. .PP \&\fBEVP_KDF_is_a()\fR returns 1 if \fIkdf\fR is an implementation of an -algorithm that's identifiable with \fIname\fR, otherwise 0. +algorithm that\*(Aqs identifiable with \fIname\fR, otherwise 0. .PP \&\fBEVP_KDF_get0_provider()\fR returns the provider that holds the implementation of the given \fIkdf\fR. @@ -222,7 +225,7 @@ implementations, calls the given function \fIfn\fR with the implementation metho and the given \fIarg\fR as argument. .PP \&\fBEVP_KDF_get0_name()\fR return the name of the given KDF. For fetched KDFs -with multiple names, only one of them is returned; it's +with multiple names, only one of them is returned; it\*(Aqs recommended to use \fBEVP_KDF_names_do_all()\fR instead. .PP \&\fBEVP_KDF_names_do_all()\fR traverses all names for \fIkdf\fR, and calls @@ -240,7 +243,7 @@ Some KDF implementations require a password. For those KDF implementations that support it, this parameter sets the password. .IP """salt"" (\fBOSSL_KDF_PARAM_SALT\fR) <octet string>" 4 .IX Item """salt"" (OSSL_KDF_PARAM_SALT) <octet string>" -Some KDF implementations can take a non-secret unique cryptographic salt. +Some KDF implementations can take a non\-secret unique cryptographic salt. For those KDF implementations that support it, this parameter sets the salt. .Sp The default value, if any, is implementation dependent. 
@@ -276,9 +279,9 @@ For those KDF implementations that support it, this octet string parameter sets the key. .IP """info"" (\fBOSSL_KDF_PARAM_INFO\fR) <octet string>" 4 .IX Item """info"" (OSSL_KDF_PARAM_INFO) <octet string>" -Some KDF implementations, such as \fBEVP_KDF\-HKDF\fR\|(7), take an 'info' parameter +Some KDF implementations, such as \fBEVP_KDF\-HKDF\fR\|(7), take an \*(Aqinfo\*(Aq parameter for binding the derived key material -to application\- and context-specific information. +to application\- and context\-specific information. This parameter sets the info, fixed info, other info or shared info argument. You can specify this parameter multiple times, and each instance will be concatenated to form the final value. @@ -292,7 +295,7 @@ The default value, if any, is implementation dependent. The length must never exceed what can be given with a \fBsize_t\fR. .IP """maxmem_bytes"" (\fBOSSL_KDF_PARAM_SCRYPT_MAXMEM\fR) <unsigned integer>" 4 .IX Item """maxmem_bytes"" (OSSL_KDF_PARAM_SCRYPT_MAXMEM) <unsigned integer>" -Memory-hard password-based KDF algorithms, such as scrypt, use an amount of +Memory\-hard password\-based KDF algorithms, such as scrypt, use an amount of memory that depends on the load factors provided as input. For those KDF implementations that support it, this \fBuint64_t\fR parameter sets an upper limit on the amount of memory that may be consumed while performing @@ -328,7 +331,7 @@ return value of 0 means that the callback was not called for any names. The remaining functions return 1 for success and 0 for failure. .SH NOTES .IX Header "NOTES" -The KDF life-cycle is described in \fBlife_cycle\-kdf\fR\|(7). In the future, +The KDF life\-cycle is described in \fBlife_cycle\-kdf\fR\|(7). In the future, the transitions described there will be enforced. When this is done, it will not be considered a breaking change to the API. .SH "SEE ALSO" 
diff --git a/secure/lib/libcrypto/man/man3/EVP_KEM_free.3 b/secure/lib/libcrypto/man/man3/EVP_KEM_free.3 index 94f2feeb02e8..481b63148187 100644 --- a/secure/lib/libcrypto/man/man3/EVP_KEM_free.3 +++ b/secure/lib/libcrypto/man/man3/EVP_KEM_free.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KEM_FREE 3ossl" -.TH EVP_KEM_FREE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KEM_FREE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -105,7 +108,7 @@ If the argument is NULL, nothing is done. \&\fBEVP_KEM_up_ref()\fR increments the reference count for an \fBEVP_KEM\fR structure. .PP \&\fBEVP_KEM_is_a()\fR returns 1 if \fIkem\fR is an implementation of an -algorithm that's identifiable with \fIname\fR, otherwise 0. +algorithm that\*(Aqs identifiable with \fIname\fR, otherwise 0. .PP \&\fBEVP_KEM_get0_provider()\fR returns the provider that \fIkem\fR was fetched from. .PP diff --git a/secure/lib/libcrypto/man/man3/EVP_KEYEXCH_free.3 b/secure/lib/libcrypto/man/man3/EVP_KEYEXCH_free.3 index 50cb7406be41..2f24bd39eeaa 100644 --- a/secure/lib/libcrypto/man/man3/EVP_KEYEXCH_free.3 +++ b/secure/lib/libcrypto/man/man3/EVP_KEYEXCH_free.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KEYEXCH_FREE 3ossl" -.TH EVP_KEYEXCH_FREE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KEYEXCH_FREE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -109,7 +112,7 @@ structure. fetched from. .PP \&\fBEVP_KEYEXCH_is_a()\fR checks if \fIexchange\fR is an implementation of an -algorithm that's identifiable with \fIname\fR. +algorithm that\*(Aqs identifiable with \fIname\fR. .PP \&\fBEVP_KEYEXCH_get0_name()\fR returns the algorithm name from the provided implementation for the given \fIexchange\fR. Note that the \fIexchange\fR may have diff --git a/secure/lib/libcrypto/man/man3/EVP_KEYMGMT.3 b/secure/lib/libcrypto/man/man3/EVP_KEYMGMT.3 index fd2695a7018c..46de0a6196f4 100644 --- a/secure/lib/libcrypto/man/man3/EVP_KEYMGMT.3 +++ b/secure/lib/libcrypto/man/man3/EVP_KEYMGMT.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KEYMGMT 3ossl" -.TH EVP_KEYMGMT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KEYMGMT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -129,7 +132,7 @@ If the argument is NULL, nothing is done. implementation. .PP \&\fBEVP_KEYMGMT_is_a()\fR checks if \fIkeymgmt\fR is an implementation of an -algorithm that's identifiable with \fIname\fR. +algorithm that\*(Aqs identifiable with \fIname\fR. .PP \&\fBEVP_KEYMGMT_get0_name()\fR returns the algorithm name from the provided implementation for the given \fIkeymgmt\fR. Note that the \fIkeymgmt\fR may have @@ -174,7 +177,7 @@ error. \&\fBEVP_KEYMGMT_names_do_all()\fR returns 1 if the callback was called for all names. A return value of 0 means that the callback was not called for any names. .PP -\&\fBEVP_KEYMGMT_free()\fR doesn't return any value. +\&\fBEVP_KEYMGMT_free()\fR doesn\*(Aqt return any value. .PP \&\fBEVP_KEYMGMT_get0_provider()\fR returns a pointer to a provider object, or NULL on error. @@ -185,7 +188,7 @@ otherwise 0. \&\fBEVP_KEYMGMT_get0_name()\fR returns the algorithm name, or NULL on error. .PP \&\fBEVP_KEYMGMT_get0_description()\fR returns a pointer to a description, or NULL if -there isn't one. +there isn\*(Aqt one. .PP \&\fBEVP_KEYMGMT_gettable_params()\fR, \fBEVP_KEYMGMT_settable_params()\fR, \&\fBEVP_KEYMGMT_gen_gettable_params()\fR and \fBEVP_KEYMGMT_gen_settable_params()\fR diff --git a/secure/lib/libcrypto/man/man3/EVP_MAC.3 b/secure/lib/libcrypto/man/man3/EVP_MAC.3 index 08b99f1be6f9..9b9da774542d 100644 --- a/secure/lib/libcrypto/man/man3/EVP_MAC.3 +++ b/secure/lib/libcrypto/man/man3/EVP_MAC.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MAC 3ossl" -.TH EVP_MAC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MAC 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -163,7 +166,7 @@ The returned value must eventually be freed with MAC. .PP \&\fBEVP_MAC_free()\fR frees a fetched algorithm. -NULL is a valid parameter, for which this function is a no-op. +NULL is a valid parameter, for which this function is a no\-op. .SS "Context manipulation functions" .IX Subsection "Context manipulation functions" \&\fBEVP_MAC_CTX_new()\fR creates a new context for the MAC type \fImac\fR. @@ -172,7 +175,7 @@ described here. .PP \&\fBEVP_MAC_CTX_free()\fR frees the contents of the context, including an underlying context if there is one, as well as the context itself. -NULL is a valid parameter, for which this function is a no-op. +NULL is a valid parameter, for which this function is a no\-op. .PP \&\fBEVP_MAC_CTX_dup()\fR duplicates the \fIsrc\fR context and returns a newly allocated context. 
@@ -199,10 +202,10 @@ via the \fIkey\fR and \fIparams\fR arguments. The MAC \fIkey\fR has a length of \&\fIkeylen\fR and the parameters in \fIparams\fR are processed before setting the key. If \fIkey\fR is NULL, the key must be set via \fIparams\fR either as part of this call or separately using \fBEVP_MAC_CTX_set_params()\fR. -Providing non-NULL \fIparams\fR to this function is equivalent to calling +Providing non\-NULL \fIparams\fR to this function is equivalent to calling \&\fBEVP_MAC_CTX_set_params()\fR with those \fIparams\fR for the same \fIctx\fR beforehand. Note: There are additional requirements for some MAC algorithms during -re-initalization (i.e. calling \fBEVP_MAC_init()\fR on an EVP_MAC after \fBEVP_MAC_final()\fR +re\-initalization (i.e. calling \fBEVP_MAC_init()\fR on an EVP_MAC after \fBEVP_MAC_final()\fR has been called on the same object). See the NOTES section below. .PP \&\fBEVP_MAC_init()\fR should be called before \fBEVP_MAC_update()\fR and \fBEVP_MAC_final()\fR. @@ -246,7 +249,7 @@ parameters are passed down. If \fIparams\fR are NULL, the underlying context should do nothing and return 1. Note that a parameter that is unknown in the underlying context is simply ignored. -Also, what happens when a needed parameter isn't passed down is +Also, what happens when a needed parameter isn\*(Aqt passed down is defined by the implementation. .PP \&\fBEVP_MAC_gettable_params()\fR returns an \fBOSSL_PARAM\fR\|(3) array that describes 
@@ -258,14 +261,14 @@ return constant \fBOSSL_PARAM\fR\|(3) arrays that describe the retrievable parameters that can be used with \fBEVP_MAC_CTX_get_params()\fR. \&\fBEVP_MAC_gettable_ctx_params()\fR returns the parameters that can be retrieved from the algorithm, whereas \fBEVP_MAC_CTX_gettable_params()\fR returns -the parameters that can be retrieved in the context's current state. +the parameters that can be retrieved in the context\*(Aqs current state. .PP \&\fBEVP_MAC_settable_ctx_params()\fR and \fBEVP_MAC_CTX_settable_params()\fR return constant \fBOSSL_PARAM\fR\|(3) arrays that describe the settable parameters that can be used with \fBEVP_MAC_CTX_set_params()\fR. \fBEVP_MAC_settable_ctx_params()\fR returns the parameters that can be retrieved from the algorithm, whereas \fBEVP_MAC_CTX_settable_params()\fR returns the parameters that can -be retrieved in the context's current state. +be retrieved in the context\*(Aqs current state. .SS "Information functions" .IX Subsection "Information functions" \&\fBEVP_MAC_CTX_get_mac_size()\fR returns the MAC output size for the given context. @@ -274,7 +277,7 @@ be retrieved in the context's current state. Not all MAC algorithms support this. .PP \&\fBEVP_MAC_is_a()\fR checks if the given \fImac\fR is an implementation of an -algorithm that's identifiable with \fIname\fR. +algorithm that\*(Aqs identifiable with \fIname\fR. .PP \&\fBEVP_MAC_get0_provider()\fR returns the provider that holds the implementation of the given \fImac\fR. @@ -285,7 +288,7 @@ implementations, calls the given function \fIfn\fR with the implementation metho and the given \fIarg\fR as argument. .PP \&\fBEVP_MAC_get0_name()\fR return the name of the given MAC. For fetched MACs -with multiple names, only one of them is returned; it's +with multiple names, only one of them is returned; it\*(Aqs recommended to use \fBEVP_MAC_names_do_all()\fR instead. .PP \&\fBEVP_MAC_names_do_all()\fR traverses all names for \fImac\fR, and calls 
@@ -323,17 +326,17 @@ empty string. This option is used by BLAKE2 MAC. .IP """xof"" (\fBOSSL_MAC_PARAM_XOF\fR) <integer>" 4 .IX Item """xof"" (OSSL_MAC_PARAM_XOF) <integer>" -It's a simple flag, the value 0 or 1 are expected. +It\*(Aqs a simple flag, the value 0 or 1 are expected. .Sp This option is used by KMAC. -.IP """digest-noinit"" (\fBOSSL_MAC_PARAM_DIGEST_NOINIT\fR) <integer>" 4 +.IP """digest\-noinit"" (\fBOSSL_MAC_PARAM_DIGEST_NOINIT\fR) <integer>" 4 .IX Item """digest-noinit"" (OSSL_MAC_PARAM_DIGEST_NOINIT) <integer>" A simple flag to set the MAC digest to not initialise the implementation specific data. The value 0 or 1 is expected. .Sp This option is deprecated and will be removed in a future release. The option may be set, but is ignored. -.IP """digest-oneshot"" (\fBOSSL_MAC_PARAM_DIGEST_ONESHOT\fR) <integer>" 4 +.IP """digest\-oneshot"" (\fBOSSL_MAC_PARAM_DIGEST_ONESHOT\fR) <integer>" 4 .IX Item """digest-oneshot"" (OSSL_MAC_PARAM_DIGEST_ONESHOT) <integer>" A simple flag to set the MAC digest to be a oneshot operation. The value 0 or 1 is expected. 
@@ -363,10 +366,10 @@ For MAC implementations that support it, set the output size that \&\fBEVP_MAC_final()\fR should produce. The allowed sizes vary between MAC implementations, but must never exceed what can be given with a \fBsize_t\fR. -.IP """tls-data-size"" (\fBOSSL_MAC_PARAM_TLS_DATA_SIZE\fR) <unsigned integer>" 4 +.IP """tls\-data\-size"" (\fBOSSL_MAC_PARAM_TLS_DATA_SIZE\fR) <unsigned integer>" 4 .IX Item """tls-data-size"" (OSSL_MAC_PARAM_TLS_DATA_SIZE) <unsigned integer>" This parameter is only supported by HMAC. If set then special handling is -activated for calculating the MAC of a received mac-then-encrypt TLS record +activated for calculating the MAC of a received mac\-then\-encrypt TLS record where variable length record padding has been used (as in the case of CBC mode ciphersuites). The value represents the total length of the record that is having the MAC calculated including the received MAC and the record padding. @@ -374,7 +377,7 @@ having the MAC calculated including the received MAC and the record padding. When used EVP_MAC_update must be called precisely twice. The first time with the 13 bytes of TLS "header" data, and the second time with the entire record including the MAC itself and any padding. The entire record length must equal -the value passed in the "tls-data-size" parameter. The length passed in the +the value passed in the "tls\-data\-size" parameter. The length passed in the \&\fBdatalen\fR parameter to \fBEVP_MAC_update()\fR should be equal to the length of the record after the MAC and any padding has been removed. .PP @@ -384,7 +387,7 @@ computation. Anything else may give undefined results. .SH NOTES .IX Header "NOTES" -The MAC life-cycle is described in \fBlife_cycle\-mac\fR\|(7). In the future, +The MAC life\-cycle is described in \fBlife_cycle\-mac\fR\|(7). In the future, the transitions described there will be enforced. When this is done, it will not be considered a breaking change to the API. .PP 
@@ -392,7 +395,7 @@ The usage of the parameter names "custom", "iv" and "salt" correspond to the names used in the standard where the algorithm was defined. .PP Some MAC algorithms store internal state that cannot be extracted during -re-initalization. For example GMAC cannot extract an \fBIV\fR from the +re\-initalization. For example GMAC cannot extract an \fBIV\fR from the underlying CIPHER context, and so calling \fBEVP_MAC_init()\fR on an EVP_MAC object after \fBEVP_MAC_final()\fR has been called cannot reset its cipher state to what it was when the \fBIV\fR was initially generated. For such instances, an @@ -430,11 +433,11 @@ success, 0 on error. \&\fBEVP_MAC_init()\fR, \fBEVP_MAC_init_SKEY()\fR, \fBEVP_MAC_update()\fR, \fBEVP_MAC_final()\fR, and \&\fBEVP_MAC_finalXOF()\fR return 1 on success, 0 on error. .PP -\&\fBEVP_MAC_CTX_get_mac_size()\fR returns the expected output size, or 0 if it isn't -set. If it isn't set, a call to \fBEVP_MAC_init()\fR will set it. +\&\fBEVP_MAC_CTX_get_mac_size()\fR returns the expected output size, or 0 if it isn\*(Aqt +set. If it isn\*(Aqt set, a call to \fBEVP_MAC_init()\fR will set it. .PP -\&\fBEVP_MAC_CTX_get_block_size()\fR returns the block size, or 0 if it isn't set. -If it isn't set, a call to \fBEVP_MAC_init()\fR will set it. +\&\fBEVP_MAC_CTX_get_block_size()\fR returns the block size, or 0 if it isn\*(Aqt set. +If it isn\*(Aqt set, a call to \fBEVP_MAC_init()\fR will set it. .PP \&\fBEVP_MAC_do_all_provided()\fR returns nothing at all. .SH EXAMPLES diff --git a/secure/lib/libcrypto/man/man3/EVP_MD_meth_new.3 b/secure/lib/libcrypto/man/man3/EVP_MD_meth_new.3 index 6dc600cc64f9..50444a1b89f7 100644 --- a/secure/lib/libcrypto/man/man3/EVP_MD_meth_new.3 +++ b/secure/lib/libcrypto/man/man3/EVP_MD_meth_new.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD_METH_NEW 3ossl" -.TH EVP_MD_METH_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD_METH_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -148,14 +151,14 @@ allocate for it. \fBEVP_MD_meth_set_app_datasize()\fR should be used to set the size for it to \fBdatasize\fR. .PP \&\fBEVP_MD_meth_set_flags()\fR sets the flags to describe optional -behaviours in the particular \fBmd\fR. Several flags can be or'd +behaviours in the particular \fBmd\fR. Several flags can be or\*(Aqd together. The available flags are: .IP EVP_MD_FLAG_ONESHOT 4 .IX Item "EVP_MD_FLAG_ONESHOT" This digest method can only handle one block of input. .IP EVP_MD_FLAG_XOF 4 .IX Item "EVP_MD_FLAG_XOF" -This digest method is an extensible-output function (XOF) and supports +This digest method is an extensible\-output function (XOF) and supports the \fBEVP_MD_CTRL_XOF_LEN\fR control. .IP EVP_MD_FLAG_DIGALGID_NULL 4 .IX Item "EVP_MD_FLAG_DIGALGID_NULL" 
@@ -192,8 +195,8 @@ The digest final function is called by \fBEVP_Digest()\fR, \fBEVP_DigestFinal()\ \&\fBEVP_DigestFinal_ex()\fR, \fBEVP_SignFinal()\fR and \fBEVP_VerifyFinal()\fR. .PP \&\fBEVP_MD_meth_set_copy()\fR sets the function for \fBmd\fR to do extra -computations after the method's private data structure has been copied -from one \fBEVP_MD_CTX\fR to another. If all that's needed is to copy +computations after the method\*(Aqs private data structure has been copied +from one \fBEVP_MD_CTX\fR to another. If all that\*(Aqs needed is to copy the data, there is no need for this copy function. Note that the copy function is passed two \fBEVP_MD_CTX *\fR, the private data structure is then available with \fBEVP_MD_CTX_get0_md_data()\fR. @@ -201,7 +204,7 @@ This copy function is called by \fBEVP_MD_CTX_copy()\fR and \&\fBEVP_MD_CTX_copy_ex()\fR. .PP \&\fBEVP_MD_meth_set_cleanup()\fR sets the function for \fBmd\fR to do extra -cleanup before the method's private data structure is cleaned out and +cleanup before the method\*(Aqs private data structure is cleaned out and freed. Note that the cleanup function is passed a \fBEVP_MD_CTX *\fR, the private data structure is then available with \fBEVP_MD_CTX_get0_md_data()\fR. diff --git a/secure/lib/libcrypto/man/man3/EVP_OpenInit.3 b/secure/lib/libcrypto/man/man3/EVP_OpenInit.3 index 96c17f2627f6..13ec3cd73bff 100644 --- a/secure/lib/libcrypto/man/man3/EVP_OpenInit.3 +++ b/secure/lib/libcrypto/man/man3/EVP_OpenInit.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_OPENINIT 3ossl" -.TH EVP_OPENINIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_OPENINIT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -75,7 +78,7 @@ EVP_OpenInit, EVP_OpenUpdate, EVP_OpenFinal \- EVP envelope decryption .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP envelope routines are a high-level interface to envelope +The EVP envelope routines are a high\-level interface to envelope decryption. They decrypt a public key encrypted symmetric key and then decrypt data using it. .PP diff --git a/secure/lib/libcrypto/man/man3/EVP_PBE_CipherInit.3 b/secure/lib/libcrypto/man/man3/EVP_PBE_CipherInit.3 index 836a618439b9..57c6a86df965 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PBE_CipherInit.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PBE_CipherInit.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PBE_CIPHERINIT 3ossl" -.TH EVP_PBE_CIPHERINIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PBE_CIPHERINIT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -105,14 +108,14 @@ implementations. .IP \(bu 4 EVP_PBE_TYPE_OUTER \- A PBE algorithm .IP \(bu 4 -EVP_PBE_TYPE_PRF \- A pseudo-random function +EVP_PBE_TYPE_PRF \- A pseudo\-random function .IP \(bu 4 EVP_PBE_TYPE_KDF \- A key derivation function .PP 2. A \fIpbe_nid\fR which can represent the algorithm identifier with parameters e.g. \&\fBNID_pbeWithSHA1AndRC2_CBC\fR or an algorithm class e.g. \fBNID_pbes2\fR. .PP -They return the algorithm's cipher ID \fIpcnid\fR, digest ID \fIpmnid\fR and a key +They return the algorithm\*(Aqs cipher ID \fIpcnid\fR, digest ID \fIpmnid\fR and a key generation function for the algorithm \fIpkeygen\fR. \fBEVP_PBE_CipherInit_ex()\fR also returns an extended key generation function \fIkeygen_ex\fR which takes a library context and property query. diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY2PKCS8.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY2PKCS8.3 index bb69458a7af5..1441b08eeebf 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY2PKCS8.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY2PKCS8.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY2PKCS8 3ossl" -.TH EVP_PKEY2PKCS8 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY2PKCS8 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_ASN1_METHOD.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_ASN1_METHOD.3 index 6786a4f44a07..9c616b415234 100644 
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_ASN1_METHOD.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_ASN1_METHOD.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_ASN1_METHOD 3ossl" -.TH EVP_PKEY_ASN1_METHOD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_ASN1_METHOD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -205,9 +208,9 @@ conversion, printing and information methods for a specific public key algorithm. .PP There are two places where the \fBEVP_PKEY_ASN1_METHOD\fR objects are -stored: one is a built-in array representing the standard methods for -different algorithms, and the other one is a stack of user-defined -application-specific methods, which can be manipulated by using +stored: one is a built\-in array representing the standard methods for +different algorithms, and the other one is a stack of user\-defined +application\-specific methods, which can be manipulated by using \&\fBEVP_PKEY_asn1_add0\fR\|(3). .SS Methods .IX Subsection "Methods" 
@@ -225,17 +228,17 @@ key algorithm present by the \fBEVP_PKEY\fR object. The \fBpub_decode()\fR and \fBpub_encode()\fR methods are called to decode / encode \fBX509_PUBKEY\fR ASN.1 parameters to / from \fBpk\fR. They MUST return 0 on error, 1 on success. -They're called by \fBX509_PUBKEY_get0\fR\|(3) and \fBX509_PUBKEY_set\fR\|(3). +They\*(Aqre called by \fBX509_PUBKEY_get0\fR\|(3) and \fBX509_PUBKEY_set\fR\|(3). .PP The \fBpub_cmp()\fR method is called when two public keys are to be compared. It MUST return 1 when the keys are equal, 0 otherwise. -It's called by \fBEVP_PKEY_eq\fR\|(3). +It\*(Aqs called by \fBEVP_PKEY_eq\fR\|(3). .PP The \fBpub_print()\fR method is called to print a public key in humanly readable text to \fBout\fR, indented \fBindent\fR spaces. It MUST return 0 on error, 1 on success. -It's called by \fBEVP_PKEY_print_public\fR\|(3). +It\*(Aqs called by \fBEVP_PKEY_print_public\fR\|(3). .PP .Vb 4 \& int (*priv_decode) (EVP_PKEY *pk, const PKCS8_PRIV_KEY_INFO *p8inf); @@ -247,12 +250,12 @@ It's called by \fBEVP_PKEY_print_public\fR\|(3). The \fBpriv_decode()\fR and \fBpriv_encode()\fR methods are called to decode / encode \fBPKCS8_PRIV_KEY_INFO\fR form private key to / from \fBpk\fR. They MUST return 0 on error, 1 on success. -They're called by \fBEVP_PKCS82PKEY\fR\|(3) and \fBEVP_PKEY2PKCS8\fR\|(3). +They\*(Aqre called by \fBEVP_PKCS82PKEY\fR\|(3) and \fBEVP_PKEY2PKCS8\fR\|(3). .PP The \fBpriv_print()\fR method is called to print a private key in humanly readable text to \fBout\fR, indented \fBindent\fR spaces. It MUST return 0 on error, 1 on success. -It's called by \fBEVP_PKEY_print_private\fR\|(3). +It\*(Aqs called by \fBEVP_PKEY_print_private\fR\|(3). .PP .Vb 3 \& int (*pkey_size) (const EVP_PKEY *pk); 
@@ -261,10 +264,10 @@ It's called by \fBEVP_PKEY_print_private\fR\|(3). .Ve .PP The \fBpkey_size()\fR method returns the key size in bytes. -It's called by \fBEVP_PKEY_get_size\fR\|(3). +It\*(Aqs called by \fBEVP_PKEY_get_size\fR\|(3). .PP The \fBpkey_bits()\fR method returns the key size in bits. -It's called by \fBEVP_PKEY_get_bits\fR\|(3). +It\*(Aqs called by \fBEVP_PKEY_get_bits\fR\|(3). .PP .Vb 8 \& int (*param_decode) (EVP_PKEY *pkey, @@ -280,26 +283,26 @@ It's called by \fBEVP_PKEY_get_bits\fR\|(3). The \fBparam_decode()\fR and \fBparam_encode()\fR methods are called to decode / encode DER formatted parameters to / from \fBpk\fR. They MUST return 0 on error, 1 on success. -They're called by \fBPEM_read_bio_Parameters\fR\|(3) and the \fBfile:\fR +They\*(Aqre called by \fBPEM_read_bio_Parameters\fR\|(3) and the \fBfile:\fR \&\fBOSSL_STORE_LOADER\fR\|(3). .PP The \fBparam_missing()\fR method returns 0 if a key parameter is missing, otherwise 1. -It's called by \fBEVP_PKEY_missing_parameters\fR\|(3). +It\*(Aqs called by \fBEVP_PKEY_missing_parameters\fR\|(3). .PP The \fBparam_copy()\fR method copies key parameters from \fBfrom\fR to \fBto\fR. It MUST return 0 on error, 1 on success. -It's called by \fBEVP_PKEY_copy_parameters\fR\|(3). +It\*(Aqs called by \fBEVP_PKEY_copy_parameters\fR\|(3). .PP The \fBparam_cmp()\fR method compares the parameters of keys \fBa\fR and \fBb\fR. It MUST return 1 when the keys are equal, 0 when not equal, or a negative number on error. -It's called by \fBEVP_PKEY_parameters_eq\fR\|(3). +It\*(Aqs called by \fBEVP_PKEY_parameters_eq\fR\|(3). .PP The \fBparam_print()\fR method prints the private key parameters in humanly readable text to \fBout\fR, indented \fBindent\fR spaces. It MUST return 0 on error, 1 on success. -It's called by \fBEVP_PKEY_print_params\fR\|(3). +It\*(Aqs called by \fBEVP_PKEY_print_params\fR\|(3). .PP .Vb 3 \& int (*sig_print) (BIO *out, 
@@ -310,17 +313,17 @@ It's called by \fBEVP_PKEY_print_params\fR\|(3). The \fBsig_print()\fR method prints a signature in humanly readable text to \&\fBout\fR, indented \fBindent\fR spaces. \&\fBsigalg\fR contains the exact signature algorithm. -If the signature in \fBsig\fR doesn't correspond to what this method +If the signature in \fBsig\fR doesn\*(Aqt correspond to what this method expects, \fBX509_signature_dump()\fR must be used as a last resort. It MUST return 0 on error, 1 on success. -It's called by \fBX509_signature_print\fR\|(3). +It\*(Aqs called by \fBX509_signature_print\fR\|(3). .PP .Vb 1 \& void (*pkey_free) (EVP_PKEY *pkey); .Ve .PP The \fBpkey_free()\fR method helps freeing the internals of \fBpkey\fR. -It's called by \fBEVP_PKEY_free\fR\|(3), \fBEVP_PKEY_set_type\fR\|(3), +It\*(Aqs called by \fBEVP_PKEY_free\fR\|(3), \fBEVP_PKEY_set_type\fR\|(3), \&\fBEVP_PKEY_set_type_str\fR\|(3), and \fBEVP_PKEY_assign\fR\|(3). .PP .Vb 1 @@ -328,7 +331,7 @@ It's called by \fBEVP_PKEY_free\fR\|(3), \fBEVP_PKEY_set_type\fR\|(3), .Ve .PP The \fBpkey_ctrl()\fR method adds extra algorithm specific control. -It's called by \fBEVP_PKEY_get_default_digest_nid\fR\|(3), +It\*(Aqs called by \fBEVP_PKEY_get_default_digest_nid\fR\|(3), \&\fBEVP_PKEY_set1_encoded_public_key\fR\|(3), \&\fBEVP_PKEY_get1_encoded_public_key\fR\|(3), \fBPKCS7_SIGNER_INFO_set\fR\|(3), \&\fBPKCS7_RECIP_INFO_set\fR\|(3), ... @@ -346,7 +349,7 @@ PKCS#8) PEM formatted encrypted private keys. \&\fBold_priv_decode()\fR MUST return 0 on error, 1 on success. \&\fBold_priv_encode()\fR MUST the return same kind of values as \&\fBi2d_PrivateKey()\fR. -They're called by \fBd2i_PrivateKey\fR\|(3) and \fBi2d_PrivateKey\fR\|(3). +They\*(Aqre called by \fBd2i_PrivateKey\fR\|(3) and \fBi2d_PrivateKey\fR\|(3). .PP .Vb 5 \& int (*item_verify) (EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, 
@@ -401,7 +404,7 @@ expected to continue with the default signature production. The \fBsiginf_set()\fR method is used to set custom \fBX509_SIG_INFO\fR parameters. It MUST return 0 on error, or 1 on success. -It's called as part of \fBX509_check_purpose\fR\|(3), \fBX509_check_ca\fR\|(3) +It\*(Aqs called as part of \fBX509_check_purpose\fR\|(3), \fBX509_check_ca\fR\|(3) and \fBX509_check_issued\fR\|(3). .PP .Vb 3 @@ -411,7 +414,7 @@ and \fBX509_check_issued\fR\|(3). .Ve .PP The \fBpkey_check()\fR, \fBpkey_public_check()\fR and \fBpkey_param_check()\fR methods are used -to check the validity of \fBpk\fR for key-pair, public component and parameters, +to check the validity of \fBpk\fR for key\-pair, public component and parameters, respectively. They MUST return 0 for an invalid key, or 1 for a valid key. They are called by \fBEVP_PKEY_check\fR\|(3), \fBEVP_PKEY_public_check\fR\|(3) and @@ -432,7 +435,7 @@ They are called by \fBEVP_PKEY_new_raw_private_key\fR\|(3), and \& void *(*export_to) (const EVP_PKEY *pk, EVP_KEYMGMT *keymgmt); .Ve .PP -\&\fBdirty_cnt()\fR returns the internal key's dirty count. +\&\fBdirty_cnt()\fR returns the internal key\*(Aqs dirty count. This can be used to synchronise different copies of the same keys. .PP The \fBexport_to()\fR method exports the key material from the given key to @@ -459,7 +462,7 @@ See \fBX509_ALGOR_set0\fR\|(3) for more information. .PP \&\fBEVP_PKEY_asn1_copy()\fR copies an \fBEVP_PKEY_ASN1_METHOD\fR object from \&\fBsrc\fR to \fBdst\fR. -This function is not thread safe, it's recommended to only use this +This function is not thread safe, it\*(Aqs recommended to only use this when initializing the application. .PP \&\fBEVP_PKEY_asn1_free()\fR frees an existing \fBEVP_PKEY_ASN1_METHOD\fR pointed 
@@ -468,13 +471,13 @@ by \fBameth\fR. If the argument is NULL, nothing is done. \&\fBEVP_PKEY_asn1_add0()\fR adds \fBameth\fR to the user defined stack of methods unless another \fBEVP_PKEY_ASN1_METHOD\fR with the same NID is already there. -This function is not thread safe, it's recommended to only use this +This function is not thread safe, it\*(Aqs recommended to only use this when initializing the application. .PP \&\fBEVP_PKEY_asn1_add_alias()\fR creates an alias with the NID \fBto\fR for the \&\fBEVP_PKEY_ASN1_METHOD\fR with NID \fBfrom\fR unless another \&\fBEVP_PKEY_ASN1_METHOD\fR with the same NID is already added. -This function is not thread safe, it's recommended to only use this +This function is not thread safe, it\*(Aqs recommended to only use this when initializing the application. .PP \&\fBEVP_PKEY_asn1_set_public()\fR, \fBEVP_PKEY_asn1_set_private()\fR, diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_ctrl.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_ctrl.3 index ee376a4116ec..3a6c90a103de 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_ctrl.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_ctrl.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CTX_CTRL 3ossl" -.TH EVP_PKEY_CTX_CTRL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CTX_CTRL 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -301,7 +304,7 @@ the \fBEVP_PKEY_new_raw_private_key\fR\|(3) function. key generation. For example for EC keys this will set the curve name and for DH keys it will set the name of the finite field group. .PP -\&\fBEVP_PKEY_CTX_get_group_name()\fR finds the group name that's currently +\&\fBEVP_PKEY_CTX_get_group_name()\fR finds the group name that\*(Aqs currently set with \fIctx\fR, and writes it to the location that \fIname\fR points at, as long as its size \fInamelen\fR is large enough to store that name, including a terminating NUL byte. @@ -388,7 +391,7 @@ The padding mode must have been set to \fBRSA_PKCS1_OAEP_PADDING\fR or .PP \&\fBEVP_PKEY_CTX_get_rsa_mgf1_md()\fR does the same as \&\fBEVP_PKEY_CTX_get_rsa_mgf1_md_name()\fR except that it returns a pointer to an -EVP_MD object instead. Note that only known, built-in EVP_MD objects will be +EVP_MD object instead. Note that only known, built\-in EVP_MD objects will be returned. The EVP_MD object may be NULL if the digest is not one of these (such as a digest only implemented in a third party provider). .PP @@ -411,7 +414,7 @@ expected digest algorithm names or the function will fail. .PP \&\fBEVP_PKEY_CTX_get_rsa_oaep_md()\fR does the same as \&\fBEVP_PKEY_CTX_get_rsa_oaep_md_name()\fR except that it returns a pointer to an -EVP_MD object instead. Note that only known, built-in EVP_MD objects will be +EVP_MD object instead. Note that only known, built\-in EVP_MD objects will be returned. The EVP_MD object may be NULL if the digest is not one of these (such as a digest only implemented in a third party provider). .PP 
@@ -427,7 +430,7 @@ must have been set to \fBRSA_PKCS1_OAEP_PADDING\fR. The resulting pointer is own by the library and should not be freed by the caller. .PP \&\fBRSA_PKCS1_WITH_TLS_PADDING\fR is used when decrypting an RSA encrypted TLS -pre-master secret in a TLS ClientKeyExchange message. It is the same as +pre\-master secret in a TLS ClientKeyExchange message. It is the same as RSA_PKCS1_PADDING except that it additionally verifies that the result is the correct length and the first two bytes are the protocol version initially requested by the client. If the encrypted content is publicly invalid then the @@ -449,7 +452,7 @@ Similarly to the \fBRSA_PKCS1_WITH_TLS_PADDING\fR above, since OpenSSL version 3.2.0, the use of \fBRSA_PKCS1_PADDING\fR will return a randomly generated message instead of padding errors in case padding checks fail. Applications that want to remain secure while using earlier versions of OpenSSL, or a provider -that doesn't implement the implicit rejection mechanism, still need to +that doesn\*(Aqt implement the implicit rejection mechanism, still need to handle both the error code from the RSA decryption operation and the returned message in a side channel secure manner. This protection against Bleichenbacher attacks can be disabled by setting @@ -473,7 +476,7 @@ parameter generation using \fImd_name\fR and \fImd_properties\fR to retrieve the digest from a provider. If not specified, \fImd_name\fR will be set to one of SHA\-1, SHA\-224, or SHA\-256 depending on the bit length of \fIq\fR above. \fImd_properties\fR is a -property query string that has a default value of '' if not specified. +property query string that has a default value of \*(Aq\*(Aq if not specified. .PP \&\fBEVP_PKEY_CTX_set_dsa_paramgen_gindex()\fR sets the \fIgindex\fR used by the generator G. The default value is \-1 which uses unverifiable g, otherwise a positive value 
@@ -622,7 +625,7 @@ These function can also be called to set the curve explicitly when generating an EC key. .PP \&\fBEVP_PKEY_CTX_get_group_name()\fR (described above) can be used to obtain the curve -name that's currently set with \fIctx\fR. +name that\*(Aqs currently set with \fIctx\fR. .PP \&\fBEVP_PKEY_CTX_set_ec_param_enc()\fR sets the EC parameter encoding to \fIparam_enc\fR when generating EC parameters or an EC key. The encoding can be @@ -689,11 +692,11 @@ allocate adequate memory space for the \fIid\fR before calling \fBEVP_PKEY_CTX_g .PP \&\fBEVP_PKEY_CTX_set_kem_op()\fR sets the KEM operation to run. This can be set after \&\fBEVP_PKEY_encapsulate_init()\fR or \fBEVP_PKEY_decapsulate_init()\fR to select the kem -operation. For the key types that support encapsulation and don't have the +operation. For the key types that support encapsulation and don\*(Aqt have the default operation, e.g. RSA, this function must be called before \&\fBEVP_PKEY_encapsulate()\fR or \fBEVP_PKEY_decapsulate()\fR. .PP -The supported parameters for the built-in algorithms are documented in +The supported parameters for the built\-in algorithms are documented in \&\fBEVP_KEM\-RSA\fR\|(7), \fBEVP_KEM\-EC\fR\|(7), \fBEVP_KEM\-X25519\fR\|(7), \&\fBEVP_KEM\-X448\fR\|(7), and \fBEVP_KEM\-ML\-KEM\fR\|(7). .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_libctx.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_libctx.3 index e4049d33dfb9..b216d0452f77 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_libctx.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_libctx.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CTX_GET0_LIBCTX 3ossl" -.TH EVP_PKEY_CTX_GET0_LIBCTX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CTX_GET0_LIBCTX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_pkey.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_pkey.3 index 90242ee6643e..1dd7d82bcd0a 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_pkey.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_pkey.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CTX_GET0_PKEY 3ossl" -.TH EVP_PKEY_CTX_GET0_PKEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CTX_GET0_PKEY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get_algor.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get_algor.3 index 645f00e12fde..084f3fa23820 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get_algor.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get_algor.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CTX_GET_ALGOR 3ossl" -.TH EVP_PKEY_CTX_GET_ALGOR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CTX_GET_ALGOR 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -105,7 +108,7 @@ function is supported at all by the \fBEVP_\fR\f(BITYPE\fR\fB\fR implementation. .SH "RETURN VALUES" .IX Header "RETURN VALUES" All functions return 1 for success, and 0 or a negative number if an error -occurs. In particular, \-2 is returned when the function isn't supported by +occurs. In particular, \-2 is returned when the function isn\*(Aqt supported by the \fBEVP_\fR\f(BITYPE\fR implementation. .SH HISTORY .IX Header "HISTORY" diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_new.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_new.3 index 56ff4f039fdd..392d74a96932 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_new.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CTX_NEW 3ossl" -.TH EVP_PKEY_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CTX_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -123,7 +126,7 @@ If \fIctx\fR is NULL, nothing is done. .SS "On \fBEVP_PKEY_CTX\fP" .IX Subsection "On EVP_PKEY_CTX" The \fBEVP_PKEY_CTX\fR structure is an opaque public key algorithm context used -by the OpenSSL high-level public key API. Contexts \fBMUST NOT\fR be shared between +by the OpenSSL high\-level public key API. Contexts \fBMUST NOT\fR be shared between threads: that is it is not permissible to use the same context simultaneously in two threads. .SS "On Key Types" @@ -146,7 +149,7 @@ These are \fBEVP_PKEY_RSA\fR, \fBEVP_PKEY_RSA_PSS\fR, \fBEVP_PKEY_DSA\fR, .IX Item "Name strings" This is the \fIname\fR used with \fBEVP_PKEY_CTX_new_from_name()\fR. .Sp -These are names like "RSA", "DSA", and what's available depends on what +These are names like "RSA", "DSA", and what\*(Aqs available depends on what providers are currently accessible. .Sp The OpenSSL providers offer a set of key types available this way, please diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set1_pbe_pass.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set1_pbe_pass.3 index fe5cd9c5c091..72e2ef743c73 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set1_pbe_pass.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set1_pbe_pass.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CTX_SET1_PBE_PASS 3ossl" -.TH EVP_PKEY_CTX_SET1_PBE_PASS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CTX_SET1_PBE_PASS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_hkdf_md.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_hkdf_md.3 index ef4d1cd5d68d..f2a56dad03a6 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_hkdf_md.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_hkdf_md.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CTX_SET_HKDF_MD 3ossl" -.TH EVP_PKEY_CTX_SET_HKDF_MD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CTX_SET_HKDF_MD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -86,9 +89,9 @@ HMAC\-based Extract\-and\-Expand key derivation algorithm .SH DESCRIPTION .IX Header "DESCRIPTION" The EVP_PKEY_HKDF algorithm implements the HKDF key derivation function. -HKDF follows the "extract-then-expand" paradigm, where the KDF logically +HKDF follows the "extract\-then\-expand" paradigm, where the KDF logically consists of two modules. The first stage takes the input keying material -and "extracts" from it a fixed-length pseudorandom key K. The second stage +and "extracts" from it a fixed\-length pseudorandom key K. The second stage "expands" the key K into several additional pseudorandom keys (the output of the KDF). .PP @@ -99,14 +102,14 @@ are three modes that are currently defined: This is the default mode. Calling \fBEVP_PKEY_derive\fR\|(3) on an EVP_PKEY_CTX set up for HKDF will perform an extract followed by an expand operation in one go. The derived key returned will be the result after the expand operation. The -intermediate fixed-length pseudorandom key K is not returned. +intermediate fixed\-length pseudorandom key K is not returned. .Sp In this mode the digest, key, salt and info values must be set before a key is derived or an error occurs. .IP EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY 4 .IX Item "EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY" In this mode calling \fBEVP_PKEY_derive\fR\|(3) will just perform the extract -operation. The value returned will be the intermediate fixed-length pseudorandom +operation. The value returned will be the intermediate fixed\-length pseudorandom key K. .Sp The digest, key and salt values must be set before a key is derived or an 
@@ -114,7 +117,7 @@ error occurs. .IP EVP_PKEY_HKDEF_MODE_EXPAND_ONLY 4 .IX Item "EVP_PKEY_HKDEF_MODE_EXPAND_ONLY" In this mode calling \fBEVP_PKEY_derive\fR\|(3) will just perform the expand -operation. The input key should be set to the intermediate fixed-length +operation. The input key should be set to the intermediate fixed\-length pseudorandom key K returned from a previous extract operation. .Sp The digest, key and info values must be set before a key is derived or an diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_params.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_params.3 index 2016a3178679..626d1ba35233 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_params.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_params.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CTX_SET_PARAMS 3ossl" -.TH EVP_PKEY_CTX_SET_PARAMS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CTX_SET_PARAMS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,7 +144,7 @@ of \-2 indicates the operation is not supported by the public key algorithm. .IX Header "HISTORY" All functions were added in OpenSSL 3.0. .PP -Support for \fBML-DSA\fR> and \fBML-KEM\fR was added in OpenSSL 3.5. +Support for \fBML\-DSA\fR> and \fBML\-KEM\fR was added in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2020\-2025 The OpenSSL Project Authors. All Rights Reserved. 
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3 index 7704b48587a7..4d41271a185e 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CTX_SET_RSA_PSS_KEYGEN_MD 3ossl" -.TH EVP_PKEY_CTX_SET_RSA_PSS_KEYGEN_MD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CTX_SET_RSA_PSS_KEYGEN_MD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -108,7 +111,7 @@ similar to the \fBRSA\fR versions. .SS "Key Generation" .IX Subsection "Key Generation" As with RSA key generation the \fBEVP_PKEY_CTX_set_rsa_keygen_bits()\fR -and \fBEVP_PKEY_CTX_set_rsa_keygen_pubexp()\fR macros are supported for RSA-PSS: +and \fBEVP_PKEY_CTX_set_rsa_keygen_pubexp()\fR macros are supported for RSA\-PSS: they have exactly the same meaning as for the RSA algorithm. .PP Optional parameter restrictions can be specified when generating a PSS key. @@ -132,7 +135,7 @@ passes the algorithm by name rather than by \fBEVP_MD\fR. to \fIsaltlen\fR. .SH NOTES .IX Header "NOTES" -A context for the \fBRSA-PSS\fR algorithm can be obtained by calling: +A context for the \fBRSA\-PSS\fR algorithm can be obtained by calling: .PP .Vb 1 \& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA_PSS, NULL); 
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_scrypt_N.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_scrypt_N.3 index 7df058edaba8..245836ebc73c 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_scrypt_N.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_scrypt_N.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CTX_SET_SCRYPT_N 3ossl" -.TH EVP_PKEY_CTX_SET_SCRYPT_N 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CTX_SET_SCRYPT_N 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3 index 72b97de3ae6e..ac75f6b286ad 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CTX_SET_TLS1_PRF_MD 3ossl" -.TH EVP_PKEY_CTX_SET_TLS1_PRF_MD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CTX_SET_TLS1_PRF_MD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_asn1_get_count.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_asn1_get_count.3 index 027b8324c613..7deb7422f12f 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_asn1_get_count.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_asn1_get_count.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_ASN1_GET_COUNT 3ossl" -.TH EVP_PKEY_ASN1_GET_COUNT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_ASN1_GET_COUNT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -94,13 +97,13 @@ The value of \fBidx\fR must be between zero and \fBEVP_PKEY_asn1_get_count()\fR .PP \&\fBEVP_PKEY_asn1_find()\fR looks up the \fBEVP_PKEY_ASN1_METHOD\fR with NID \&\fBtype\fR. -If \fBpe\fR isn't \fBNULL\fR, then it will look up an engine implementing a +If \fBpe\fR isn\*(Aqt \fBNULL\fR, then it will look up an engine implementing a \&\fBEVP_PKEY_ASN1_METHOD\fR for the NID \fBtype\fR and return that instead, and also set \fB*pe\fR to point at the engine that implements it. .PP \&\fBEVP_PKEY_asn1_find_str()\fR looks up the \fBEVP_PKEY_ASN1_METHOD\fR with PEM type string \fBstr\fR. -Just like \fBEVP_PKEY_asn1_find()\fR, if \fBpe\fR isn't \fBNULL\fR, then it will +Just like \fBEVP_PKEY_asn1_find()\fR, if \fBpe\fR isn\*(Aqt \fBNULL\fR, then it will look up an engine implementing a \fBEVP_PKEY_ASN1_METHOD\fR for the NID \&\fBtype\fR and return that instead, and also set \fB*pe\fR to point at the engine that implements it. diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_check.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_check.3 index 8e69b04543cd..4aa4b9612740 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_check.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_check.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CHECK 3ossl" -.TH EVP_PKEY_CHECK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CHECK 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_copy_parameters.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_copy_parameters.3 index 030fd8e56522..7c33419baa84 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_copy_parameters.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_copy_parameters.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_COPY_PARAMETERS 3ossl" -.TH EVP_PKEY_COPY_PARAMETERS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_COPY_PARAMETERS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -88,7 +91,7 @@ see \fBopenssl_user_macros\fR\|(7): .IX Header "DESCRIPTION" The function \fBEVP_PKEY_missing_parameters()\fR returns 1 if the public key parameters of \fBpkey\fR are missing and 0 if they are present or the algorithm -doesn't use parameters. +doesn\*(Aqt use parameters. .PP The function \fBEVP_PKEY_copy_parameters()\fR copies the parameters from key \&\fBfrom\fR to key \fBto\fR. An error is returned if the parameters are missing in 
@@ -114,7 +117,7 @@ their return values compared to other \fB_cmp()\fR functions. They are aliases f The function \fBEVP_PKEY_cmp()\fR previously only checked the key parameters (if there are any) and the public key, assuming that there always was a public key and that private key equality could be derived from that. -Because it's no longer assumed that the private key in an \fBEVP_PKEY\fR\|(3) is +Because it\*(Aqs no longer assumed that the private key in an \fBEVP_PKEY\fR\|(3) is always accompanied by a public key, the comparison can not rely on public key comparison alone. .PP @@ -128,14 +131,14 @@ what they both contain. .IX Header "RETURN VALUES" The function \fBEVP_PKEY_missing_parameters()\fR returns 1 if the public key parameters of \fBpkey\fR are missing and 0 if they are present or the algorithm -doesn't use parameters. +doesn\*(Aqt use parameters. .PP These functions \fBEVP_PKEY_copy_parameters()\fR returns 1 for success and 0 for failure. .PP The functions \fBEVP_PKEY_cmp_parameters()\fR, \fBEVP_PKEY_parameters_eq()\fR, \&\fBEVP_PKEY_cmp()\fR and \fBEVP_PKEY_eq()\fR return 1 if their -inputs match, 0 if they don't match, \-1 if the key types are different and +inputs match, 0 if they don\*(Aqt match, \-1 if the key types are different and \&\-2 if the operation is not supported. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_decapsulate.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_decapsulate.3 index d8d382c2346c..102caca59631 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_decapsulate.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_decapsulate.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_DECAPSULATE 3ossl" -.TH EVP_PKEY_DECAPSULATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_DECAPSULATE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -89,11 +92,11 @@ key that is used during decapsulation. .PP The \fBEVP_PKEY_decapsulate()\fR function performs a private key decapsulation operation using \fIctx\fR. The data to be decapsulated is specified using the -\&\fIwrapped\fR and \fIwrappedlen\fR parameters (which must both non-NULL). +\&\fIwrapped\fR and \fIwrappedlen\fR parameters (which must both non\-NULL). .PP The \fIwrapped\fR parameter is an output argument, to which the decapsulated shared secret is written. -The shared secret may not match the peer's value even when decapsulation +The shared secret may not match the peer\*(Aqs value even when decapsulation returns success. Instead, the shared secret must be used to derive a key that is used to authenticate data subsequently received from the peer. @@ -114,7 +117,7 @@ The length returned via \fI*unwrappedlen\fR SHOULD be used to determine the actu length of the output. .SH NOTES .IX Header "NOTES" -After the call to \fBEVP_PKEY_decapsulate_init()\fR algorithm-specific parameters +After the call to \fBEVP_PKEY_decapsulate_init()\fR algorithm\-specific parameters for the operation may be set or modified using \fBEVP_PKEY_CTX_set_params\fR\|(3). .SH "RETURN VALUES" .IX Header "RETURN VALUES" 
@@ -177,7 +180,7 @@ in OpenSSL 3.0. .PP The function \fBEVP_PKEY_auth_decapsulate_init()\fR was added in OpenSSL 3.2. .PP -Support for \fBML-KEM\fR was added in OpenSSL 3.5. +Support for \fBML\-KEM\fR was added in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2020\-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_decrypt.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_decrypt.3 index 145f011bc139..5e3b25360057 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_decrypt.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_decrypt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_DECRYPT 3ossl" -.TH EVP_PKEY_DECRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_DECRYPT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -112,19 +115,19 @@ algorithm. In OpenSSL versions before 3.2.0, when used in PKCS#1 v1.5 padding, both the return value from the \fBEVP_PKEY_decrypt()\fR and the \fBoutlen\fR provided information useful in mounting a Bleichenbacher attack against the -used private key. They had to be processed in a side-channel free way. +used private key. They had to be processed in a side\-channel free way. .PP Since version 3.2.0, the \fBEVP_PKEY_decrypt()\fR method when used with PKCS#1 v1.5 padding as implemented in the \fBdefault\fR provider implements the implicit rejection mechanism (see \&\fBOSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION\fR in \fBprovider\-asym_cipher\fR\|(7)). -That means it doesn't return an error when it detects an error in padding, -instead it returns a pseudo-randomly generated message, removing the need -of side-channel secure code from applications using OpenSSL. -If OpenSSL is configured to use a provider that doesn't implement implicit +That means it doesn\*(Aqt return an error when it detects an error in padding, +instead it returns a pseudo\-randomly generated message, removing the need +of side\-channel secure code from applications using OpenSSL. +If OpenSSL is configured to use a provider that doesn\*(Aqt implement implicit rejection, the code still needs to handle the returned values -using side-channel free code. -Side-channel free handling of the error stack can be performed using +using side\-channel free code. +Side\-channel free handling of the error stack can be performed using either a pair of unconditional \fBERR_set_mark\fR\|(3) and \fBERR_pop_to_mark\fR\|(3) calls or by using the \fBERR_clear_error\fR\|(3) call. .SH EXAMPLES diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_derive.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_derive.3 index 7d7382bf8252..3161c43ecfe4 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_derive.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_derive.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_DERIVE 3ossl" -.TH EVP_PKEY_DERIVE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_DERIVE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_digestsign_supports_digest.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_digestsign_supports_digest.3 index f1cab50bdcd0..42e4456a06dc 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_digestsign_supports_digest.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_digestsign_supports_digest.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_DIGESTSIGN_SUPPORTS_DIGEST 3ossl" -.TH EVP_PKEY_DIGESTSIGN_SUPPORTS_DIGEST 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_DIGESTSIGN_SUPPORTS_DIGEST 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_encapsulate.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_encapsulate.3 index 99630a34c7dc..f562281c98a6 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_encapsulate.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_encapsulate.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_ENCAPSULATE 3ossl" -.TH EVP_PKEY_ENCAPSULATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_ENCAPSULATE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -97,7 +100,7 @@ size of the provided buffer. The ciphertext written to \fIwrappedkey\fR is an encapsulated form, which is expected to be only usable by the holder of the private key corresponding to the public key associated with \fIctx\fR. -This ciphertext is then communicated to the private-key holder, who can use +This ciphertext is then communicated to the private\-key holder, who can use \&\fBEVP_PKEY_decapsulate\fR\|(3) to securely recover the same shared secret. .PP If \fIwrappedkey\fR is NULL then the maximum size of the output buffer is written 
@@ -107,9 +110,9 @@ maximum size of the generated key buffer is written to \fI*genkeylen\fR unless .PP If \fIwrappedkey\fR is not NULL and the call is successful then the generated shared secret is written to \fIgenkey\fR and its size is written to -\&\fI*genkeylen\fR (which must be non-NULL). +\&\fI*genkeylen\fR (which must be non\-NULL). The encapsulated ciphertext is written to \fIwrappedkey\fR and -its size is written to \fI*wrappedkeylen\fR (must also be non-NULL), +its size is written to \fI*wrappedkeylen\fR (must also be non\-NULL), The value pointed to by \fIwrappedlen\fR initially hold the size of the \&\fIunwrapped\fR buffer so that its size can be validated by the call, ensuring it is large enough to hold the result written to \fIwrapped\fR. @@ -121,7 +124,7 @@ The lengths returned via \fI*wrappedkeylen\fR and \fI*genkeylen\fR SHOULD be used to determine the actual lengths of the outputs. .SH NOTES .IX Header "NOTES" -After the call to \fBEVP_PKEY_encapsulate_init()\fR, algorithm-specific parameters +After the call to \fBEVP_PKEY_encapsulate_init()\fR, algorithm\-specific parameters for the operation may be set or modified using \fBEVP_PKEY_CTX_set_params\fR\|(3). .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -186,7 +189,7 @@ The functions \fBEVP_PKEY_encapsulate_init()\fR and \fBEVP_PKEY_encapsulate()\fR added in OpenSSL 3.0. The function \fBEVP_PKEY_auth_encapsulate_init()\fR was added in OpenSSL 3.2. .PP -Support for \fBML-KEM\fR was added in OpenSSL 3.5. +Support for \fBML\-KEM\fR was added in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2020\-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_encrypt.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_encrypt.3 index befd74468727..0102eaa2e8d1 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_encrypt.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_encrypt.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_ENCRYPT 3ossl" -.TH EVP_PKEY_ENCRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_ENCRYPT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -109,7 +112,7 @@ algorithm. .IX Header "EXAMPLES" Encrypt data using OAEP (for RSA keys). See also \fBPEM_read_PUBKEY\fR\|(3) or \&\fBd2i_X509\fR\|(3) for means to load a public key. You may also simply -set 'eng = NULL;' to start with the default OpenSSL RSA implementation: +set \*(Aqeng = NULL;\*(Aq to start with the default OpenSSL RSA implementation: .PP .Vb 3 \& #include <openssl/evp.h> diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_fromdata.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_fromdata.3 index 989086f2e882..b823aa18662c 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_fromdata.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_fromdata.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_FROMDATA 3ossl" -.TH EVP_PKEY_FROMDATA 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_FROMDATA 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -90,7 +93,7 @@ These are passed as an \fBOSSL_PARAM\fR\|(3) array. for creating a key or key parameters from user data. .PP \&\fBEVP_PKEY_fromdata()\fR creates the structure to store a key or key parameters, -given data from \fIparams\fR, \fIselection\fR and a context that's been initialized +given data from \fIparams\fR, \fIselection\fR and a context that\*(Aqs been initialized with \fBEVP_PKEY_fromdata_init()\fR. The result is written to \fI*ppkey\fR. \&\fIselection\fR is described in "Selections". The parameters that can be used for various types of key are as described by @@ -142,7 +145,7 @@ operation is not supported by the public key algorithm. These examples are very terse for the sake of staying on topic, which is the \fBEVP_PKEY_fromdata()\fR set of functions. In real applications, BIGNUMs would be handled and converted to byte arrays with -\&\fBBN_bn2nativepad()\fR, but that's off topic here. +\&\fBBN_bn2nativepad()\fR, but that\*(Aqs off topic here. .SS "Creating an RSA keypair using raw key data" .IX Subsection "Creating an RSA keypair using raw key data" .Vb 1 @@ -320,7 +323,7 @@ example with \fBOSSL_PARAM_allocate_from_text\fR\|(3). .IX Header "HISTORY" These functions were added in OpenSSL 3.0. .PP -Support for \fBML-DSA\fR, \fBML-KEM\fR and \fBSLH-DSA\fR was added in OpenSSL 3.5. +Support for \fBML\-DSA\fR, \fBML\-KEM\fR and \fBSLH\-DSA\fR was added in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved. 
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_attr.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_attr.3 index 437beaa7ad79..651589b03550 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_attr.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_attr.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_GET_ATTR 3ossl" -.TH EVP_PKEY_GET_ATTR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_GET_ATTR 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -119,7 +122,7 @@ An error occurs if either \fIattr\fR is NULL, or the attribute already exists. \&\fBEVP_PKEY_add1_attr_by_OBJ()\fR creates a new \fBX509_ATTRIBUTE\fR using \&\fBX509_ATTRIBUTE_set1_object()\fR and \fBX509_ATTRIBUTE_set1_data()\fR to assign a new \&\fIobj\fR with type \fItype\fR and data \fIbytes\fR of length \fIlen\fR and then pushes it -to the \fIkey\fR object's attribute list. If \fIobj\fR already exists in the attribute +to the \fIkey\fR object\*(Aqs attribute list. If \fIobj\fR already exists in the attribute list then an error occurs. .PP \&\fBEVP_PKEY_add1_attr_by_NID()\fR is similar to \fBEVP_PKEY_add1_attr_by_OBJ()\fR except 
@@ -150,7 +153,7 @@ there is a error. and \fBEVP_PKEY_add1_attr_by_txt()\fR return 1 on success or 0 otherwise. .SH NOTES .IX Header "NOTES" -A \fBEVP_PKEY\fR object's attribute list is initially NULL. All the above functions +A \fBEVP_PKEY\fR object\*(Aqs attribute list is initially NULL. All the above functions listed will return an error unless \fBEVP_PKEY_add1_attr()\fR is called. All functions listed assume that the \fIkey\fR is not NULL. .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_default_digest_nid.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_default_digest_nid.3 index 6eb8d2050411..2b69c8eba7a9 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_default_digest_nid.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_default_digest_nid.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_GET_DEFAULT_DIGEST_NID 3ossl" -.TH EVP_PKEY_GET_DEFAULT_DIGEST_NID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_GET_DEFAULT_DIGEST_NID 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_field_type.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_field_type.3 index e0bf93d32c1b..52df2070b412 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_field_type.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_field_type.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_GET_FIELD_TYPE 3ossl" -.TH EVP_PKEY_GET_FIELD_TYPE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_GET_FIELD_TYPE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -74,13 +77,13 @@ or point conversion form of a key .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBEVP_PKEY_get_field_type()\fR returns the field type NID of the \fIpkey\fR, if -\&\fIpkey\fR's key type supports it. The types currently supported -by the built-in OpenSSL providers are either \fBNID_X9_62_prime_field\fR +\&\fIpkey\fR\*(Aqs key type supports it. The types currently supported +by the built\-in OpenSSL providers are either \fBNID_X9_62_prime_field\fR for prime curves or \fBNID_X9_62_characteristic_two_field\fR for binary curves; these values are defined in the \fI<openssl/obj_mac.h>\fR header file. .PP \&\fBEVP_PKEY_get_ec_point_conv_form()\fR returns the point conversion format -of the \fIpkey\fR, if \fIpkey\fR's key type supports it. +of the \fIpkey\fR, if \fIpkey\fR\*(Aqs key type supports it. .SH NOTES .IX Header "NOTES" Among the standard OpenSSL key types, this is only supported for EC and diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_group_name.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_group_name.3 index 97ed946d3009..bb3e357bf283 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_group_name.3 
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_group_name.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_GET_GROUP_NAME 3ossl" -.TH EVP_PKEY_GET_GROUP_NAME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_GET_GROUP_NAME 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -75,8 +78,8 @@ EVP_PKEY_get_group_name \- get group name of a key \&\fBEVP_PKEY_get_group_name()\fR fills in the group name of the \fIpkey\fR into \&\fIgname\fR, up to at most \fIgname_sz\fR bytes including the ending NUL byte and assigns \fI*gname_len\fR the actual length of the name not including -the NUL byte, if \fIpkey\fR's key type supports it. -\&\fIgname\fR as well as \fIgname_len\fR may individually be NULL, and won't be +the NUL byte, if \fIpkey\fR\*(Aqs key type supports it. +\&\fIgname\fR as well as \fIgname_len\fR may individually be NULL, and won\*(Aqt be filled in or assigned in that case. .SH NOTES .IX Header "NOTES" diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_size.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_size.3 index 243f94fa846e..34425108c966 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_size.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_size.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_GET_SIZE 3ossl" -.TH EVP_PKEY_GET_SIZE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_GET_SIZE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -83,12 +86,12 @@ EVP_PKEY_bits, EVP_PKEY_security_bits, EVP_PKEY_size buffers for almost all operations that can be done with \fIpkey\fR. This corresponds to the provider parameter \fBOSSL_PKEY_PARAM_MAX_SIZE\fR. The primary documented use is with \fBEVP_SignFinal\fR\|(3) and -\&\fBEVP_SealInit\fR\|(3), but it isn't limited there. The returned size is +\&\fBEVP_SealInit\fR\|(3), but it isn\*(Aqt limited there. The returned size is also large enough for the output buffer of \fBEVP_PKEY_sign\fR\|(3), \&\fBEVP_PKEY_encrypt\fR\|(3), \fBEVP_PKEY_decrypt\fR\|(3), \fBEVP_PKEY_derive\fR\|(3). .PP It must be stressed that, unless the documentation for the operation -that's being performed says otherwise, the size returned by +that\*(Aqs being performed says otherwise, the size returned by \&\fBEVP_PKEY_get_size()\fR is only preliminary and not exact, so the final contents of the target buffer may be smaller. It is therefore crucial to take note of the size given back by the function that performs the 
@@ -106,21 +109,21 @@ This corresponds to the provider parameter \fBOSSL_PKEY_PARAM_SECURITY_BITS\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBEVP_PKEY_get_size()\fR, \fBEVP_PKEY_get_bits()\fR and \fBEVP_PKEY_get_security_bits()\fR -return a positive number, or 0 if this size isn't available. +return a positive number, or 0 if this size isn\*(Aqt available. .SH NOTES .IX Header "NOTES" Most functions that have an output buffer and are mentioned with \&\fBEVP_PKEY_get_size()\fR have a functionality where you can pass NULL for the buffer and still pass a pointer to an integer and get the exact size -that this function call delivers in the context that it's called in. +that this function call delivers in the context that it\*(Aqs called in. This allows those functions to be called twice, once to find out the exact buffer size, then allocate the buffer in between, and call that function again actually output the data. For those functions, it -isn't strictly necessary to call \fBEVP_PKEY_get_size()\fR to find out the -buffer size, but may be useful in cases where it's desirable to know +isn\*(Aqt strictly necessary to call \fBEVP_PKEY_get_size()\fR to find out the +buffer size, but may be useful in cases where it\*(Aqs desirable to know the upper limit in advance. .PP -It should also be especially noted that \fBEVP_PKEY_get_size()\fR shouldn't be +It should also be especially noted that \fBEVP_PKEY_get_size()\fR shouldn\*(Aqt be used to get the output size for \fBEVP_DigestSignFinal()\fR, according to "NOTES" in \fBEVP_DigestSignFinal\fR\|(3). .SH "SEE ALSO" 
@@ -136,7 +139,7 @@ used to get the output size for \fBEVP_DigestSignFinal()\fR, according to .IX Header "HISTORY" The \fBEVP_PKEY_bits()\fR, \fBEVP_PKEY_security_bits()\fR, and \fBEVP_PKEY_size()\fR functions were renamed to include \f(CW\*(C`get\*(C'\fR in their names in OpenSSL 3.0, respectively. -The old names are kept as non-deprecated alias macros. +The old names are kept as non\-deprecated alias macros. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_gettable_params.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_gettable_params.3 index 97f226e029ad..21b8a4282eea 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_gettable_params.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_gettable_params.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_GETTABLE_PARAMS 3ossl" -.TH EVP_PKEY_GETTABLE_PARAMS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_GETTABLE_PARAMS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -126,7 +129,7 @@ not including the terminating NUL byte. The required buffer size not including the terminating NUL byte can be obtained from \fI*out_len\fR by calling the function with \fIstr\fR set to NULL. .PP -\&\fBEVP_PKEY_get_octet_string_param()\fR get a key \fIpkey\fR's octet string value into a +\&\fBEVP_PKEY_get_octet_string_param()\fR get a key \fIpkey\fR\*(Aqs octet string value into a buffer \fIbuf\fR of maximum size \fImax_buf_sz\fR associated with a name of \fIkey_name\fR. If \fIout_len\fR is not NULL, \fI*out_len\fR is set to the length of the contents. The required buffer size can be obtained from \fI*out_len\fR by calling the @@ -138,7 +141,7 @@ These functions only work for \fBEVP_PKEY\fRs that contain a provider side key. .IX Header "RETURN VALUES" \&\fBEVP_PKEY_gettable_params()\fR returns NULL on error or if it is not supported. .PP -All other methods return 1 if a value associated with the key's \fIkey_name\fR was +All other methods return 1 if a value associated with the key\*(Aqs \fIkey_name\fR was successfully returned, or 0 if there was an error. An error may be returned by methods \fBEVP_PKEY_get_utf8_string_param()\fR and \&\fBEVP_PKEY_get_octet_string_param()\fR if \fImax_buf_sz\fR is not big enough to hold the diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_is_a.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_is_a.3 index ca49be720bee..441909d80738 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_is_a.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_is_a.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_IS_A 3ossl" -.TH EVP_PKEY_IS_A 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_IS_A 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -86,7 +89,7 @@ EVP_PKEY_get0_type_name, EVP_PKEY_get0_description, EVP_PKEY_get0_provider \&\fIpkey\fR supports signing. No other check is done, such as whether \&\fIpkey\fR contains a private key. .PP -\&\fBEVP_PKEY_type_names_do_all()\fR traverses all names for \fIpkey\fR's key type, and +\&\fBEVP_PKEY_type_names_do_all()\fR traverses all names for \fIpkey\fR\*(Aqs key type, and calls \fIfn\fR with each name and \fIdata\fR. For example, an RSA \fBEVP_PKEY\fR may be named both \f(CW\*(C`RSA\*(C'\fR and \f(CW\*(C`rsaEncryption\*(C'\fR. The order of the names depends on the provider implementation that holds @@ -103,7 +106,7 @@ not be freed by the caller. meant for display and human consumption. The description is at the discretion of the key type implementation. .PP -\&\fBEVP_PKEY_get0_provider()\fR returns the provider of the \fBEVP_PKEY\fR's +\&\fBEVP_PKEY_get0_provider()\fR returns the provider of the \fBEVP_PKEY\fR\*(Aqs \&\fBEVP_KEYMGMT\fR\|(3). .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_keygen.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_keygen.3 index efd1719b72fa..bee4f925ae14 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_keygen.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_keygen.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_KEYGEN 3ossl" -.TH EVP_PKEY_KEYGEN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_KEYGEN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -95,14 +98,14 @@ EVP_PKEY_paramgen, EVP_PKEY_keygen .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -Generating keys is sometimes straight forward, just generate the key's +Generating keys is sometimes straight forward, just generate the key\*(Aqs numbers and be done with it. However, there are certain key types that need key parameters, often called domain parameters but not necessarily limited to that, that also need to be generated. In addition to this, the caller may want to set user provided generation parameters that further affect key parameter or key generation, such as the desired key size. .PP -To flexibly allow all that's just been described, key parameter and key +To flexibly allow all that\*(Aqs just been described, key parameter and key generation is divided into an initialization of a key algorithm context, functions to set user provided parameters, and finally the key parameter or key generation function itself. 
@@ -145,13 +148,15 @@ If the callback returns 0 then the key generation operation is aborted and an error occurs. This might occur during a time consuming operation where a user clicks on a "cancel" button. .PP -The functions \fBEVP_PKEY_CTX_set_app_data()\fR and \fBEVP_PKEY_CTX_get_app_data()\fR set -and retrieve an opaque pointer. This can be used to set some application -defined value which can be retrieved in the callback: for example a handle -which is used to update a "progress dialog". +The functions \fBEVP_PKEY_CTX_set_app_data()\fR and \fBEVP_PKEY_CTX_get_app_data()\fR +associate an opaque, application\-defined pointer with an EVP_PKEY_CTX object. +.PP +This pointer is not interpreted by the library and is reserved entirely for use +by the application. It may be used to store arbitrary context or state that +needs to be accessible wherever the corresponding EVP_PKEY_CTX is available. .PP \&\fBEVP_PKEY_Q_keygen()\fR abstracts from the explicit use of \fBEVP_PKEY_CTX\fR while -providing a 'quick' but limited way of generating a new asymmetric key pair. +providing a \*(Aqquick\*(Aq but limited way of generating a new asymmetric key pair. It provides shorthands for simple and common cases of key generation. As usual, the library context \fIlibctx\fR and property query \fIpropq\fR can be given for fetching algorithms from providers. @@ -298,7 +303,7 @@ OpenSSL 1.0.0. \&\fBEVP_PKEY_Q_keygen()\fR and \fBEVP_PKEY_generate()\fR were added in OpenSSL 3.0. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2006\-2025 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_get_count.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_get_count.3 index 76008c2a709f..102052b93123 100644 
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_get_count.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_get_count.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_METH_GET_COUNT 3ossl" -.TH EVP_PKEY_METH_GET_COUNT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_METH_GET_COUNT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_new.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_new.3 index dd1a6b45e7e0..72e5c6f00c05 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_new.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_METH_NEW 3ossl" -.TH EVP_PKEY_METH_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_METH_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -314,8 +317,8 @@ used to perform different jobs, such as generating a key, signing or verifying, encrypting or decrypting, etc. .PP There are two places where the \fBEVP_PKEY_METHOD\fR objects are stored: one -is a built-in static array representing the standard methods for different -algorithms, and the other one is a stack of user-defined application-specific +is a built\-in static array representing the standard methods for different +algorithms, and the other one is a stack of user\-defined application\-specific methods, which can be manipulated by using \fBEVP_PKEY_meth_add0\fR\|(3). .PP The \fBEVP_PKEY_METHOD\fR objects are usually referenced by \fBEVP_PKEY_CTX\fR @@ -331,7 +334,7 @@ algorithm present by the \fBEVP_PKEY_CTX\fR object. \& void (*cleanup) (EVP_PKEY_CTX *ctx); .Ve .PP -The \fBinit()\fR method is called to initialize algorithm-specific data when a new +The \fBinit()\fR method is called to initialize algorithm\-specific data when a new \&\fBEVP_PKEY_CTX\fR is created. As opposed to \fBinit()\fR, the \fBcleanup()\fR method is called when an \fBEVP_PKEY_CTX\fR is freed. The \fBcopy()\fR method is called when an \fBEVP_PKEY_CTX\fR is being duplicated. Refer to \fBEVP_PKEY_CTX_new\fR\|(3), \fBEVP_PKEY_CTX_new_id\fR\|(3), @@ -439,7 +442,7 @@ from a public key algorithm (for instance, the DH algorithm). They are called by \& int (*ctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value); .Ve .PP -The \fBctrl()\fR and \fBctrl_str()\fR methods are used to adjust algorithm-specific +The \fBctrl()\fR and \fBctrl_str()\fR methods are used to adjust algorithm\-specific settings. See \fBEVP_PKEY_CTX_ctrl\fR\|(3) and related functions for details. .PP .Vb 5 
@@ -451,7 +454,7 @@ settings. See \fBEVP_PKEY_CTX_ctrl\fR\|(3) and related functions for details. .Ve .PP The \fBdigestsign()\fR and \fBdigestverify()\fR methods are used to generate or verify -a signature in a one-shot mode. They could be called by \fBEVP_DigestSign\fR\|(3) +a signature in a one\-shot mode. They could be called by \fBEVP_DigestSign\fR\|(3) and \fBEVP_DigestVerify\fR\|(3). .PP .Vb 3 @@ -461,7 +464,7 @@ and \fBEVP_DigestVerify\fR\|(3). .Ve .PP The \fBcheck()\fR, \fBpublic_check()\fR and \fBparam_check()\fR methods are used to validate a -key-pair, the public component and parameters respectively for a given \fBpkey\fR. +key\-pair, the public component and parameters respectively for a given \fBpkey\fR. They could be called by \fBEVP_PKEY_check\fR\|(3), \fBEVP_PKEY_public_check\fR\|(3) and \&\fBEVP_PKEY_param_check\fR\|(3) respectively. .PP @@ -489,7 +492,7 @@ supported: If an \fBEVP_PKEY_METHOD\fR is set with the \fBEVP_PKEY_FLAG_AUTOARGLEN\fR flag, the maximum size of the output buffer will be automatically calculated or checked in corresponding EVP methods by the EVP framework. Thus the implementations of -these methods don't need to care about handling the case of returning output +these methods don\*(Aqt need to care about handling the case of returning output buffer size by themselves. For details on the output buffer size, refer to \&\fBEVP_PKEY_sign\fR\|(3). .PP @@ -504,8 +507,8 @@ digest signing operation by calling \fBEVP_DigestSignFinal\fR\|(3). to \fBdst\fR. .PP \&\fBEVP_PKEY_meth_find()\fR finds an \fBEVP_PKEY_METHOD\fR object with the \fBid\fR. -This function first searches through the user-defined method objects and -then the built-in objects. +This function first searches through the user\-defined method objects and +then the built\-in objects. .PP \&\fBEVP_PKEY_meth_add0()\fR adds \fBpmeth\fR to the user defined stack of methods. .PP 
@@ -534,7 +537,7 @@ if an error occurred. 0 if an error occurred. .PP All EVP_PKEY_meth_set and EVP_PKEY_meth_get functions have no return -values. For the 'get' functions, function pointers are returned by +values. For the \*(Aqget\*(Aq functions, function pointers are returned by arguments. .SH HISTORY .IX Header "HISTORY" diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_new.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_new.3 index 6d478bb51674..6ff766bbc7ed 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_new.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_NEW 3ossl" -.TH EVP_PKEY_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -173,7 +176,7 @@ algorithm type). .PP \&\fBEVP_PKEY_new_raw_private_key()\fR does the same as \&\fBEVP_PKEY_new_raw_private_key_ex()\fR except that the default library context and -default property query are used instead. If \fIe\fR is non-NULL then the new +default property query are used instead. If \fIe\fR is non\-NULL then the new \&\fBEVP_PKEY\fR structure is associated with the engine \fIe\fR. The \fItype\fR argument indicates what kind of key this is. The value should be a NID for a public key algorithm that supports raw private keys, i.e. one of \fBEVP_PKEY_X25519\fR, 
@@ -233,7 +236,7 @@ and \&\fBML\-KEM\-512\fR, \&\fBML\-KEM\-768\fR and \&\fBML\-KEM\-1024\fR -keys, which don't have legacy numeric \fINID\fR assignments, but their raw form is +keys, which don\*(Aqt have legacy numeric \fINID\fR assignments, but their raw form is nevertheless available. .PP \&\fBEVP_PKEY_get_raw_public_key()\fR fills the buffer provided by \fIpub\fR with raw @@ -256,14 +259,14 @@ and \&\fBML\-KEM\-512\fR, \&\fBML\-KEM\-768\fR and \&\fBML\-KEM\-1024\fR -keys, which don't have legacy numeric \fINID\fR assignments, but their raw form is +keys, which don\*(Aqt have legacy numeric \fINID\fR assignments, but their raw form is nevertheless available. .PP \&\fBEVP_PKEY_new_CMAC_key()\fR works in the same way as \fBEVP_PKEY_new_raw_private_key()\fR except it is only for the \fBEVP_PKEY_CMAC\fR algorithm type. In addition to the raw private key data, it also takes a cipher algorithm to be used during creation of a CMAC in the \fBcipher\fR argument. The cipher should be a standard -encryption-only cipher. For example AEAD and XTS ciphers should not be used. +encryption\-only cipher. For example AEAD and XTS ciphers should not be used. .PP Applications should use the \fBEVP_MAC\fR\|(3) API instead and set the \fBOSSL_MAC_PARAM_CIPHER\fR parameter on the \fBEVP_MAC_CTX\fR object @@ -279,7 +282,7 @@ key to this empty structure use the appropriate functions described in \&\fBEVP_PKEY_set1_EC_KEY\fR\|(3) for legacy key types implemented in internal OpenSSL providers. .PP -For fully provider-managed key types (see \fBprovider\-keymgmt\fR\|(7)), +For fully provider\-managed key types (see \fBprovider\-keymgmt\fR\|(7)), possibly implemented in external providers, use functions such as \&\fBEVP_PKEY_set1_encoded_public_key\fR\|(3) or \fBEVP_PKEY_fromdata\fR\|(3) to populate key data. 
@@ -336,7 +339,7 @@ The documentation of \fBEVP_PKEY\fR was amended in OpenSSL 3.0 to allow there to be the private part of the keypair without the public part, where this was previously implied to be disallowed. .PP -Support for \fBML-DSA\fR and \fBML-KEM\fR was added in OpenSSL 3.5. +Support for \fBML\-DSA\fR and \fBML\-KEM\fR was added in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2002\-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_print_private.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_print_private.3 index eb5b3b496e68..a4f297c25955 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_print_private.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_print_private.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_PRINT_PRIVATE 3ossl" -.TH EVP_PKEY_PRINT_PRIVATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_PRINT_PRIVATE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_RSA.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_RSA.3 index 580779e93f99..86d89dd42b87 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_RSA.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_RSA.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_SET1_RSA 3ossl" -.TH EVP_PKEY_SET1_RSA 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_SET1_RSA 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -124,12 +127,12 @@ see \fBopenssl_user_macros\fR\|(7): an RSA key will return \fBEVP_PKEY_RSA\fR. .PP \&\fBEVP_PKEY_get_id()\fR returns the actual NID associated with \fIpkey\fR -only if the \fIpkey\fR type isn't implemented just in a \fBprovider\fR\|(7). +only if the \fIpkey\fR type isn\*(Aqt implemented just in a \fBprovider\fR\|(7). Historically keys using the same algorithm could use different NIDs. For example an RSA key could use the NIDs corresponding to the NIDs \fBNID_rsaEncryption\fR (equivalent to \fBEVP_PKEY_RSA\fR) or \&\fBNID_rsa\fR (equivalent to \fBEVP_PKEY_RSA2\fR). The use of -alternative non-standard NIDs is now rare so \fBEVP_PKEY_RSA2\fR et al are not +alternative non\-standard NIDs is now rare so \fBEVP_PKEY_RSA2\fR et al are not often seen in practice. \&\fBEVP_PKEY_get_id()\fR returns \-1 (\fBEVP_PKEY_KEYMGMT\fR) if the \fIpkey\fR is only implemented in a \fBprovider\fR\|(7). 
@@ -180,10 +183,10 @@ described above then the internal key will be managed by a provider (see \&\fBEVP_PKEY_get1_DSA()\fR, \fBEVP_PKEY_get1_DH()\fR, \fBEVP_PKEY_get1_EC_KEY()\fR, \&\fBEVP_PKEY_get0_hmac()\fR, \fBEVP_PKEY_get0_poly1305()\fR, \fBEVP_PKEY_get0_siphash()\fR, \&\fBEVP_PKEY_get0_RSA()\fR, \fBEVP_PKEY_get0_DSA()\fR, \fBEVP_PKEY_get0_DH()\fR or -\&\fBEVP_PKEY_get0_EC_KEY()\fR will be a cached copy of the provider's key. Subsequent -updates to the provider's key will not be reflected back in the cached copy, and +\&\fBEVP_PKEY_get0_EC_KEY()\fR will be a cached copy of the provider\*(Aqs key. Subsequent +updates to the provider\*(Aqs key will not be reflected back in the cached copy, and updates made by an application to the returned key will not be reflected back in -the provider's key. Subsequent calls to \fBEVP_PKEY_get1_RSA()\fR, +the provider\*(Aqs key. Subsequent calls to \fBEVP_PKEY_get1_RSA()\fR, \&\fBEVP_PKEY_get1_DSA()\fR, \fBEVP_PKEY_get1_DH()\fR and \fBEVP_PKEY_get1_EC_KEY()\fR will always return the cached copy returned by the first call. .PP 
@@ -212,12 +215,12 @@ The keys returned from the functions \fBEVP_PKEY_get0_RSA()\fR, \fBEVP_PKEY_get0 \&\fBEVP_PKEY_get0_DH()\fR and \fBEVP_PKEY_get0_EC_KEY()\fR were changed to have a "const" return type in OpenSSL 3.0. As described above the keys returned may be cached copies of the key held in a provider. Due to this, and unlike in earlier -versions of OpenSSL, they should be considered read-only copies of the key. +versions of OpenSSL, they should be considered read\-only copies of the key. Updates to these keys will not be reflected back in the provider side key. The \&\fBEVP_PKEY_get1_RSA()\fR, \fBEVP_PKEY_get1_DSA()\fR, \fBEVP_PKEY_get1_DH()\fR and \&\fBEVP_PKEY_get1_EC_KEY()\fR functions were not changed to have a "const" return type in order that applications can "free" the return value. However applications -should still consider them as read-only copies. +should still consider them as read\-only copies. .SH NOTES .IX Header "NOTES" In accordance with the OpenSSL naming convention the key obtained @@ -266,7 +269,7 @@ type or \fBNID_undef\fR (equivalently \fBEVP_PKEY_NONE\fR) on error. .IX Header "HISTORY" The \fBEVP_PKEY_id()\fR and \fBEVP_PKEY_base_id()\fR functions were renamed to include \f(CW\*(C`get\*(C'\fR in their names in OpenSSL 3.0, respectively. The old names -are kept as non-deprecated alias macros. +are kept as non\-deprecated alias macros. .PP EVP_PKEY_set1_RSA, EVP_PKEY_set1_DSA, EVP_PKEY_set1_DH, EVP_PKEY_set1_EC_KEY, EVP_PKEY_get1_RSA, EVP_PKEY_get1_DSA, EVP_PKEY_get1_DH, EVP_PKEY_get1_EC_KEY, diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_encoded_public_key.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_encoded_public_key.3 index a1d9270fe8a7..247f60f41246 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_encoded_public_key.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_encoded_public_key.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_SET1_ENCODED_PUBLIC_KEY 3ossl" -.TH EVP_PKEY_SET1_ENCODED_PUBLIC_KEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_SET1_ENCODED_PUBLIC_KEY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -90,7 +93,7 @@ see \fBopenssl_user_macros\fR\|(7): \&\fBEVP_PKEY_set1_encoded_public_key()\fR can be used to set the public key value within an existing EVP_PKEY object, which does not yet have either a public or private key assigned. -For the built-in OpenSSL algorithms this currently only works for those that +For the built\-in OpenSSL algorithms this currently only works for those that support key exchange or key encapsulation. Parameters are not set as part of this operation, so typically an application will create an EVP_PKEY first, set the parameters on it, and then call this 
@@ -99,12 +102,12 @@ For example setting the parameters might be done using \&\fBEVP_PKEY_copy_parameters\fR\|(3). .PP The format for the encoded public key will depend on the algorithm in use. For -DH it should be encoded as a positive integer in big-endian form. For EC is +DH it should be encoded as a positive integer in big\-endian form. For EC is should be a point conforming to Sec. 2.3.4 of the SECG SEC 1 ("Elliptic Curve Cryptography") standard. For \fBX25519\fR and \fBX448\fR it should be encoded in the format defined by RFC7748. For \fBML\-KEM\-512\fR, \fBML\-KEM\-768\fR and \fBML\-KEM\-1024\fR, this is the public key -format defined in \fBFIPS 203\fR (the 12\-bit per-coefficient encoded public \fIt\fR +format defined in \fBFIPS 203\fR (the 12\-bit per\-coefficient encoded public \fIt\fR vector and 32\-byte matrix seed \fIrho\fR). .PP The key to be updated is supplied in \fBpkey\fR. The buffer containing the encoded @@ -134,7 +137,7 @@ value for failure. .IX Header "EXAMPLES" See \fBEVP_PKEY_derive_init\fR\|(3) and \fBEVP_PKEY_derive\fR\|(3) for information about performing a key exchange operation. -.SS "Set up a peer's EVP_PKEY ready for a key exchange operation" +.SS "Set up a peer\*(Aqs EVP_PKEY ready for a key exchange operation" .IX Subsection "Set up a peer's EVP_PKEY ready for a key exchange operation" .Vb 1 \& #include <openssl/evp.h> @@ -201,7 +204,7 @@ added in OpenSSL 3.0. \&\fBEVP_PKEY_set1_tls_encodedpoint()\fR and \fBEVP_PKEY_get1_tls_encodedpoint()\fR were deprecated in OpenSSL 3.0. .PP -Support for \fBML-KEM\fR was added in OpenSSL 3.5. +Support for \fBML\-KEM\fR was added in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2020\-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_set_type.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_set_type.3 index 26b1fbad43b2..5fb2b224ce72 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_set_type.3 
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_set_type.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_SET_TYPE 3ossl" -.TH EVP_PKEY_SET_TYPE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_SET_TYPE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -78,7 +81,7 @@ All the functions described here behave the same in so far that they clear all the previous key data and methods from \fIpkey\fR, and reset it to be of the type of key given by the different arguments. If \&\fIpkey\fR is NULL, these functions will still return the same return -values as if it wasn't. +values as if it wasn\*(Aqt. .PP \&\fBEVP_PKEY_set_type()\fR initialises \fIpkey\fR to contain an internal legacy key. When doing this, it finds a \fBEVP_PKEY_ASN1_METHOD\fR\|(3) diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_settable_params.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_settable_params.3 index 67fa0773f1bc..9c93b41f3b27 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_settable_params.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_settable_params.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_SETTABLE_PARAMS 3ossl" -.TH EVP_PKEY_SETTABLE_PARAMS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_SETTABLE_PARAMS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_sign.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_sign.3 index 3b9d67165356..4a5277e6e6cd 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_sign.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_sign.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_SIGN 3ossl" -.TH EVP_PKEY_SIGN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_SIGN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -95,12 +98,12 @@ for more information about implicit fetches. sets the passed parameters \fIparams\fR on the context before returning. .PP \&\fBEVP_PKEY_sign_init_ex2()\fR initializes a public key algorithm context \fIctx\fR for -signing a pre-computed message digest using the algorithm given by \fIalgo\fR and +signing a pre\-computed message digest using the algorithm given by \fIalgo\fR and the key given through \fBEVP_PKEY_CTX_new\fR\|(3) or \fBEVP_PKEY_CTX_new_from_pkey\fR\|(3). -A context \fIctx\fR without a pre-loaded key cannot be used with this function. +A context \fIctx\fR without a pre\-loaded key cannot be used with this function. This function provides almost the same functionality as \fBEVP_PKEY_sign_init_ex()\fR, -but is uniquely intended to be used with a pre-computed message digest, and -allows pre-determining the exact conditions for that message digest, if a +but is uniquely intended to be used with a pre\-computed message digest, and +allows pre\-determining the exact conditions for that message digest, if a composite signature algorithm (such as RSA\-SHA256) was fetched. Following a call to this function, setting parameters that modifies the digest implementation or padding is not normally supported. @@ -108,7 +111,7 @@ implementation or padding is not normally supported. \&\fBEVP_PKEY_sign_message_init()\fR initializes a public key algorithm context \fIctx\fR for signing an unlimited size message using the algorithm given by \fIalgo\fR and the key given through \fBEVP_PKEY_CTX_new\fR\|(3) or \fBEVP_PKEY_CTX_new_from_pkey\fR\|(3). -Passing the message is supported both in a one-shot fashion using +Passing the message is supported both in a one\-shot fashion using \&\fBEVP_PKEY_sign()\fR, and through the combination of \fBEVP_PKEY_sign_message_update()\fR and \fBEVP_PKEY_sign_message_final()\fR. This function enables using algorithms that can process input of arbitrary 
@@ -116,17 +119,17 @@ length, such as ED25519, RSA\-SHA256 and similar. .PP \&\fBEVP_PKEY_sign_message_update()\fR adds \fIinlen\fR bytes from \fIin\fR to the data to be processed for signature. The signature algorithm specification and -implementation determine how the input bytes are processed and if there's a +implementation determine how the input bytes are processed and if there\*(Aqs a limit on the total size of the input. See "NOTES" below for a deeper explanation. .PP \&\fBEVP_PKEY_sign_message_final()\fR signs the processed data and places the data in \&\fIsig\fR, and the number of signature bytes in \fI*siglen\fR, if the number of -bytes doesn't surpass the size given by \fIsigsize\fR. +bytes doesn\*(Aqt surpass the size given by \fIsigsize\fR. \&\fIsig\fR may be NULL, and in that case, only \fI*siglen\fR is updated with the number of signature bytes. .PP -\&\fBEVP_PKEY_sign()\fR is a one-shot function that can be used with all the init +\&\fBEVP_PKEY_sign()\fR is a one\-shot function that can be used with all the init functions above. When initialization was done with \fBEVP_PKEY_sign_init()\fR, \fBEVP_PKEY_sign_init_ex()\fR or \fBEVP_PKEY_sign_init_ex2()\fR, the data specified by \fItbs\fR and \fItbslen\fR is 
@@ -161,13 +164,13 @@ Similarly, an RSA implementation usually expects additional details to be set, like the message digest algorithm that the input is supposed to be digested with, as well as the padding mode (see \fBEVP_PKEY_CTX_set_signature_md\fR\|(3) and \&\fBEVP_PKEY_CTX_set_rsa_padding\fR\|(3) and similar others), while an RSA\-SHA256 -implementation usually has these details pre-set and immutable. +implementation usually has these details pre\-set and immutable. .PP -The functions described here can't be used to combine separate algorithms. In +The functions described here can\*(Aqt be used to combine separate algorithms. In particular, neither \fBEVP_PKEY_CTX_set_signature_md\fR\|(3) nor the \fBOSSL_PARAM\fR parameter "digest" (\fBOSSL_SIGNATURE_PARAM_DIGEST\fR) can be used to combine a signature algorithm with a hash algorithm to process the input. In other -words, it's not possible to specify a \fIctx\fR pre-loaded with an RSA pkey, or +words, it\*(Aqs not possible to specify a \fIctx\fR pre\-loaded with an RSA pkey, or an \fIalgo\fR that fetched \f(CW\*(C`RSA\*(C'\fR and try to specify SHA256 separately to get the functionality of RSA\-SHA256. If combining algorithms in that manner is desired, please use \fBEVP_DigestSignInit\fR\|(3) and associated functions. @@ -175,9 +178,9 @@ desired, please use \fBEVP_DigestSignInit\fR\|(3) and associated functions. .IX Subsection "Performing multiple signatures" When initialized using \fBEVP_PKEY_sign_init_ex()\fR or \fBEVP_PKEY_sign_init_ex2()\fR, \&\fBEVP_PKEY_sign()\fR can be called more than once on the same context to have -several one-shot operations performed using the same parameters. +several one\-shot operations performed using the same parameters. .PP -When initialized using \fBEVP_PKEY_sign_message_init()\fR, it's not possible to +When initialized using \fBEVP_PKEY_sign_message_init()\fR, it\*(Aqs not possible to call \fBEVP_PKEY_sign()\fR multiple times. .SH "RETURN VALUES" .IX Header "RETURN VALUES" 
@@ -230,11 +233,11 @@ Sign data using RSA with PKCS#1 padding and a SHA256 digest as input: \& \& /* Signature is siglen bytes written to buffer sig */ .Ve -.SS "RSA\-SHA256 with a pre-computed digest" +.SS "RSA\-SHA256 with a pre\-computed digest" .IX Subsection "RSA-SHA256 with a pre-computed digest" -Sign a digest with RSA\-SHA256 using one-shot functions. To be noted is that +Sign a digest with RSA\-SHA256 using one\-shot functions. To be noted is that RSA\-SHA256 is assumed to be an implementation of \f(CW\*(C`sha256WithRSAEncryption\*(C'\fR, -for which the padding is pre-determined to be \fBRSA_PKCS1_PADDING\fR, and the +for which the padding is pre\-determined to be \fBRSA_PKCS1_PADDING\fR, and the input digest is assumed to have been computed using SHA256. .PP .Vb 2 @@ -274,11 +277,11 @@ input digest is assumed to have been computed using SHA256. \& \& /* Signature is siglen bytes written to buffer sig */ .Ve -.SS "RSA\-SHA256, one-shot" +.SS "RSA\-SHA256, one\-shot" .IX Subsection "RSA-SHA256, one-shot" -Sign a document with RSA\-SHA256 using one-shot functions. +Sign a document with RSA\-SHA256 using one\-shot functions. To be noted is that RSA\-SHA256 is assumed to be an implementation of -\&\f(CW\*(C`sha256WithRSAEncryption\*(C'\fR, for which the padding is pre-determined to be +\&\f(CW\*(C`sha256WithRSAEncryption\*(C'\fR, for which the padding is pre\-determined to be \&\fBRSA_PKCS1_PADDING\fR. .PP .Vb 2 @@ -323,7 +326,7 @@ To be noted is that RSA\-SHA256 is assumed to be an implementation of .Ve .SS "RSA\-SHA256, using update and final" .IX Subsection "RSA-SHA256, using update and final" -This is the same as the previous example, but allowing stream-like +This is the same as the previous example, but allowing stream\-like functionality. .PP .Vb 2 diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_todata.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_todata.3 index 8e886927e932..6fba0e592277 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_todata.3 
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_todata.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_TODATA 3ossl" -.TH EVP_PKEY_TODATA 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_TODATA 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -115,7 +118,7 @@ This is the mirror function to \fBEVP_PKEY_fromdata\fR\|(3). .IX Header "HISTORY" These functions were added in OpenSSL 3.0. .PP -Support for \fBML-DSA\fR, \fBML-KEM\fR and \fBSLH-DSA\fR was added in OpenSSL 3.5. +Support for \fBML\-DSA\fR, \fBML\-KEM\fR and \fBSLH\-DSA\fR was added in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2021\-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_verify.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_verify.3 index cc23de159372..cb8981dfc20d 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_verify.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_verify.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_VERIFY 3ossl" -.TH EVP_PKEY_VERIFY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_VERIFY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -98,9 +101,9 @@ sets the passed parameters \fIparams\fR on the context before returning. .PP \&\fBEVP_PKEY_verify_init_ex2()\fR is the same as \fBEVP_PKEY_verify_init_ex()\fR, but works with an explicitly fetched \fBEVP_SIGNATURE\fR \fIalgo\fR. -A context \fIctx\fR without a pre-loaded key cannot be used with this function. +A context \fIctx\fR without a pre\-loaded key cannot be used with this function. Depending on what algorithm was fetched, certain details revolving around the -treatment of the input to \fBEVP_PKEY_verify()\fR may be pre-determined, and in that +treatment of the input to \fBEVP_PKEY_verify()\fR may be pre\-determined, and in that case, those details may normally not be changed. See "NOTES" below for a deeper explanation. .PP @@ -108,7 +111,7 @@ See "NOTES" below for a deeper explanation. \&\fIctx\fR for verifying an unlimited size message using the algorithm given by \&\fIalgo\fR and the key given through \fBEVP_PKEY_CTX_new\fR\|(3) or \&\fBEVP_PKEY_CTX_new_from_pkey\fR\|(3). -Passing the message is supported both in a one-shot fashion using +Passing the message is supported both in a one\-shot fashion using \&\fBEVP_PKEY_verify()\fR, and through the combination of \fBEVP_PKEY_verify_update()\fR and \&\fBEVP_PKEY_verify_final()\fR. This function enables using algorithms that can process input of arbitrary 
@@ -122,7 +125,7 @@ See "NOTES" below for a deeper explanation. .PP \&\fBEVP_PKEY_verify_update()\fR adds \fIinlen\fR bytes from \fIin\fR to the data to be processed for verification. The signature algorithm specification and -implementation determine how the input bytes are processed and if there's a +implementation determine how the input bytes are processed and if there\*(Aqs a limit on the total size of the input. See "NOTES" below for a deeper explanation. .PP @@ -130,7 +133,7 @@ explanation. The signature to verify against must have been given with \&\fBEVP_PKEY_CTX_set_signature()\fR. .PP -\&\fBEVP_PKEY_verify()\fR is a one-shot function that performs the same thing as +\&\fBEVP_PKEY_verify()\fR is a one\-shot function that performs the same thing as \&\fBEVP_PKEY_CTX_set_signature()\fR call with \fIsig\fR and \fIsiglen\fR as parameters, followed by a single \fBEVP_PKEY_verify_update()\fR call with \fItbs\fR and \fItbslen\fR, followed by \fBEVP_PKEY_verify_final()\fR call. 
@@ -156,13 +159,13 @@ Similarly, an RSA implementation usually expects additional details to be set, like the message digest algorithm that the input is supposed to be digested with, as well as the padding mode (see \fBEVP_PKEY_CTX_set_signature_md\fR\|(3) and \&\fBEVP_PKEY_CTX_set_rsa_padding\fR\|(3) and similar others), while an RSA\-SHA256 -implementation usually has these details pre-set and immutable. +implementation usually has these details pre\-set and immutable. .PP -The functions described here can't be used to combine separate algorithms. In +The functions described here can\*(Aqt be used to combine separate algorithms. In particular, neither \fBEVP_PKEY_CTX_set_signature_md\fR\|(3) nor the \fBOSSL_PARAM\fR parameter "digest" (\fBOSSL_SIGNATURE_PARAM_DIGEST\fR) can be used to combine a signature algorithm with a hash algorithm to process the input. In other -words, it's not possible to specify a \fIctx\fR pre-loaded with an RSA pkey, or +words, it\*(Aqs not possible to specify a \fIctx\fR pre\-loaded with an RSA pkey, or an \fIalgo\fR that fetched \f(CW\*(C`RSA\*(C'\fR and try to specify SHA256 separately to get the functionality of RSA\-SHA256. If combining algorithms in that manner is desired, please use \fBEVP_DigestVerifyInit\fR\|(3) and associated functions, or 
@@ -171,16 +174,16 @@ desired, please use \fBEVP_DigestVerifyInit\fR\|(3) and associated functions, or .IX Subsection "Performing multiple verifications" When initialized using \fBEVP_PKEY_verify_init_ex()\fR or \fBEVP_PKEY_verify_init_ex2()\fR, \&\fBEVP_PKEY_verify()\fR can be called more than once on the same context to have -several one-shot operations performed using the same parameters. +several one\-shot operations performed using the same parameters. .PP -When initialized using \fBEVP_PKEY_verify_message_init()\fR, it's not possible to +When initialized using \fBEVP_PKEY_verify_message_init()\fR, it\*(Aqs not possible to call \fBEVP_PKEY_verify()\fR multiple times. .SS "On \fBEVP_PKEY_CTX_set_signature()\fP" .IX Subsection "On EVP_PKEY_CTX_set_signature()" Some signature algorithms (such as LMS) require the signature verification data be specified before verifying the message. Other algorithms allow the signature to be specified late. -To allow either way (which may depend on the application's flow of input), the +To allow either way (which may depend on the application\*(Aqs flow of input), the signature to be verified against \fImust\fR be specified using this function when using \fBEVP_PKEY_verify_message_update()\fR and \fBEVP_PKEY_verify_message_final()\fR to perform the verification. 
@@ -233,11 +236,11 @@ Verify signature using PKCS#1 padding and a SHA256 digest as input: \& * other error. \& */ .Ve -.SS "RSA\-SHA256 with a pre-computed digest" +.SS "RSA\-SHA256 with a pre\-computed digest" .IX Subsection "RSA-SHA256 with a pre-computed digest" -Verify a digest with RSA\-SHA256 using one-shot functions. To be noted is that +Verify a digest with RSA\-SHA256 using one\-shot functions. To be noted is that RSA\-SHA256 is assumed to be an implementation of \f(CW\*(C`sha256WithRSAEncryption\*(C'\fR, -for which the padding is pre-determined to be \fBRSA_PKCS1_PADDING\fR, and the +for which the padding is pre\-determined to be \fBRSA_PKCS1_PADDING\fR, and the input digest is assumed to have been computed using SHA256. .PP .Vb 2 @@ -274,11 +277,11 @@ input digest is assumed to have been computed using SHA256. \& * other error. \& */ .Ve -.SS "RSA\-SHA256, one-shot" +.SS "RSA\-SHA256, one\-shot" .IX Subsection "RSA-SHA256, one-shot" -Verify a document with RSA\-SHA256 using one-shot functions. +Verify a document with RSA\-SHA256 using one\-shot functions. To be noted is that RSA\-SHA256 is assumed to be an implementation of -\&\f(CW\*(C`sha256WithRSAEncryption\*(C'\fR, for which the padding is pre-determined to be +\&\f(CW\*(C`sha256WithRSAEncryption\*(C'\fR, for which the padding is pre\-determined to be \&\fBRSA_PKCS1_PADDING\fR. .PP .Vb 2 @@ -317,7 +320,7 @@ To be noted is that RSA\-SHA256 is assumed to be an implementation of .Ve .SS "RSA\-SHA256, using update and final" .IX Subsection "RSA-SHA256, using update and final" -This is the same as the previous example, but allowing stream-like +This is the same as the previous example, but allowing stream\-like functionality. .PP .Vb 2 diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_verify_recover.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_verify_recover.3 index 1b33d9ed499c..6ebf9f00c365 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_verify_recover.3 
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_verify_recover.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_VERIFY_RECOVER 3ossl" -.TH EVP_PKEY_VERIFY_RECOVER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_VERIFY_RECOVER 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -92,9 +95,9 @@ for more information about implicit fetches. .PP \&\fBEVP_PKEY_verify_recover_init_ex2()\fR is the same as \fBEVP_PKEY_verify_recover_init_ex()\fR, but works with an explicitly fetched \fBEVP_SIGNATURE\fR \fIalgo\fR. -A context \fIctx\fR without a pre-loaded key cannot be used with this function. +A context \fIctx\fR without a pre\-loaded key cannot be used with this function. Depending on what algorithm was fetched, certain details revolving around the -treatment of the input to \fBEVP_PKEY_verify()\fR may be pre-determined, and in that +treatment of the input to \fBEVP_PKEY_verify()\fR may be pre\-determined, and in that case, those details may normally not be changed. See "NOTES" below for a deeper explanation. .PP 
@@ -121,7 +124,7 @@ operation. .PP After the call to \fBEVP_PKEY_verify_recover_init_ex2()\fR, algorithm specific control operations may not be needed if the chosen algorithm implies that those controls -pre-set (and immutable). +pre\-set (and immutable). .PP The function \fBEVP_PKEY_verify_recover()\fR can be called more than once on the same context if several operations are performed using the same parameters. diff --git a/secure/lib/libcrypto/man/man3/EVP_RAND.3 b/secure/lib/libcrypto/man/man3/EVP_RAND.3 index 5b3c03fb6a8b..fcb153b67788 100644 --- a/secure/lib/libcrypto/man/man3/EVP_RAND.3 +++ b/secure/lib/libcrypto/man/man3/EVP_RAND.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RAND 3ossl" -.TH EVP_RAND 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RAND 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -133,9 +136,9 @@ EVP_RAND_STATE_ERROR \- EVP RAND routines .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP RAND routines are a high-level interface to random number generators +The EVP RAND routines are a high\-level interface to random number generators both deterministic and not. -If you just want to generate random bytes then you don't need to use +If you just want to generate random bytes then you don\*(Aqt need to use these functions: just call \fBRAND_bytes()\fR or \fBRAND_priv_bytes()\fR. If you want to do more, these calls should be used instead of the older RAND and RAND_DRBG functions. @@ -164,7 +167,7 @@ The returned value must eventually be freed with RAND. .PP \&\fBEVP_RAND_free()\fR frees a fetched algorithm. -NULL is a valid parameter, for which this function is a no-op. +NULL is a valid parameter, for which this function is a no\-op. .SS "Context manipulation functions" .IX Subsection "Context manipulation functions" \&\fBEVP_RAND_CTX_new()\fR creates a new context for the RAND implementation \fIrand\fR. @@ -202,7 +205,7 @@ will be sought. This call operates as per NIST SP 800\-90A and SP 800\-90C. Entropy \fIent\fR of length \fIent_len\fR bytes can be supplied as can additional input \fIaddin\fR of length \fIaddin_len\fR bytes. In the FIPS provider, both are treated as additional input as per NIST SP\-800\-90Ar1, Sections 9.1 and 9.2. -Additional seed material is also drawn from the RAND's parent or the +Additional seed material is also drawn from the RAND\*(Aqs parent or the operating system. If \fIprediction_resistance\fR is specified, fresh entropy from a live source will be sought. This call operates as per NIST SP 800\-90A and SP 800\-90C. 
@@ -236,7 +239,7 @@ The set of parameters given with \fIparams\fR determine exactly what parameters are passed down. Note that a parameter that is unknown in the underlying context is simply ignored. -Also, what happens when a needed parameter isn't passed down is +Also, what happens when a needed parameter isn\*(Aqt passed down is defined by the implementation. .PP \&\fBEVP_RAND_gettable_params()\fR returns an \fBOSSL_PARAM\fR\|(3) array that describes @@ -248,14 +251,14 @@ constant \fBOSSL_PARAM\fR\|(3) arrays that describe the retrievable parameters t can be used with \fBEVP_RAND_CTX_get_params()\fR. \fBEVP_RAND_gettable_ctx_params()\fR returns the parameters that can be retrieved from the algorithm, whereas \&\fBEVP_RAND_CTX_gettable_params()\fR returns the parameters that can be retrieved -in the context's current state. +in the context\*(Aqs current state. .PP \&\fBEVP_RAND_settable_ctx_params()\fR and \fBEVP_RAND_CTX_settable_params()\fR return constant \fBOSSL_PARAM\fR\|(3) arrays that describe the settable parameters that can be used with \fBEVP_RAND_CTX_set_params()\fR. \fBEVP_RAND_settable_ctx_params()\fR returns the parameters that can be retrieved from the algorithm, whereas \&\fBEVP_RAND_CTX_settable_params()\fR returns the parameters that can be retrieved -in the context's current state. +in the context\*(Aqs current state. .SS "Information functions" .IX Subsection "Information functions" \&\fBEVP_RAND_get_strength()\fR returns the security strength of the RAND \fIctx\fR. @@ -271,7 +274,7 @@ EVP_RAND_STATE_READY: this RNG is currently ready to generate output. EVP_RAND_STATE_ERROR: this RNG is in an error state. .PP \&\fBEVP_RAND_is_a()\fR returns 1 if \fIrand\fR is an implementation of an -algorithm that's identifiable with \fIname\fR, otherwise 0. +algorithm that\*(Aqs identifiable with \fIname\fR, otherwise 0. .PP \&\fBEVP_RAND_get0_provider()\fR returns the provider that holds the implementation of the given \fIrand\fR. 
@@ -302,7 +305,7 @@ Returns the state of the random number generator. .IP """strength"" (\fBOSSL_RAND_PARAM_STRENGTH\fR) <unsigned integer>" 4 .IX Item """strength"" (OSSL_RAND_PARAM_STRENGTH) <unsigned integer>" Returns the bit strength of the random number generator. -.IP """fips-indicator"" (\fBOSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This option is used by the OpenSSL FIPS provider and is not supported 
@@ -372,18 +375,18 @@ The use of a nonzero value for the \fIprediction_resistance\fR argument to be used sparingly. In the default setup, this will cause all public and private DRBGs to be reseeded on next use. Since, by default, public and private DRBGs are allocated on a per thread basis, this can result in -significant overhead for highly multi-threaded applications. For normal -use-cases, the default "reseed_requests" and "reseed_time_interval" +significant overhead for highly multi\-threaded applications. For normal +use\-cases, the default "reseed_requests" and "reseed_time_interval" thresholds ensure sufficient prediction resistance over time and you can reduce those values if you think they are too high. Explicitly -requesting prediction resistance is intended for more special use-cases -like generating long-term secrets. +requesting prediction resistance is intended for more special use\-cases +like generating long\-term secrets. .PP An \fBEVP_RAND_CTX\fR needs to have locking enabled if it acts as the parent of more than one child and the children can be accessed concurrently. This must be done by explicitly calling \fBEVP_RAND_enable_locking()\fR. .PP -The RAND life-cycle is described in \fBlife_cycle\-rand\fR\|(7). In the future, +The RAND life\-cycle is described in \fBlife_cycle\-rand\fR\|(7). In the future, the transitions described there will be enforced. When this is done, it will not be considered a breaking change to the API. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/EVP_SIGNATURE.3 b/secure/lib/libcrypto/man/man3/EVP_SIGNATURE.3 index c176bd86fca6..43f4baeae413 100644 --- a/secure/lib/libcrypto/man/man3/EVP_SIGNATURE.3 +++ b/secure/lib/libcrypto/man/man3/EVP_SIGNATURE.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SIGNATURE 3ossl" -.TH EVP_SIGNATURE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SIGNATURE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -114,7 +117,7 @@ structure is freed. If the argument is NULL, nothing is done. structure. .PP \&\fBEVP_SIGNATURE_is_a()\fR returns 1 if \fIsignature\fR is an implementation of an -algorithm that's identifiable with \fIname\fR, otherwise 0. +algorithm that\*(Aqs identifiable with \fIname\fR, otherwise 0. .PP \&\fBEVP_SIGNATURE_get0_provider()\fR returns the provider that \fIsignature\fR was fetched from. diff --git a/secure/lib/libcrypto/man/man3/EVP_SKEY.3 b/secure/lib/libcrypto/man/man3/EVP_SKEY.3 index 311551ecf454..3fd0f6a1bfc0 100644 --- a/secure/lib/libcrypto/man/man3/EVP_SKEY.3 +++ b/secure/lib/libcrypto/man/man3/EVP_SKEY.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SKEY 3ossl" -.TH EVP_SKEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SKEY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -80,7 +83,7 @@ EVP_SKEY_free, EVP_SKEY_is_a, EVP_SKEY_to_provider \& const char *propquery, \& int selection, const OSSL_PARAM *params); \& EVP_SKEY *EVP_SKEY_import_raw_key(OSSL_LIB_CTX *libctx, const char *skeymgmtname, -\& unsigned char *key, size_t *len, +\& unsigned char *key, size_t len, \& const char *propquery); \& int EVP_SKEY_export(const EVP_SKEY *skey, int selection, \& OSSL_CALLBACK *export_cb, void *export_cbarg); @@ -114,8 +117,10 @@ which is used by OpenSSL to store symmetric keys, assigns the \&\fBEVP_SKEYMGMT\fR object associated with the key, and initializes the object from the \fBparams\fR argument. .PP -The \fBEVP_SKEY_import_raw_key()\fR function is a helper that creates an \fBEVP_SKEY\fR object -containing the raw byte representation of the symmetric keys. +The \fBEVP_SKEY_import_raw_key()\fR function is a helper that creates an \fBEVP_SKEY\fR +object containing the raw byte representation of the symmetric keys from the +buffer \fIkey\fR having length \fIlen\fR. The \fIskeymgmtname\fR defines the name of the +target \fBEVP_SKEYMGMT\fR for the newly created key. .PP The \fBEVP_SKEY_export()\fR function extracts values from a key \fIskey\fR using the \&\fIselection\fR. \fIselection\fR is described below. It uses a callback \fIexport_cb\fR 
@@ -125,11 +130,11 @@ is passed to the callback is not persistent after the callback returns. .PP The \fBEVP_SKEY_get0_raw_key()\fR returns a pointer to a raw key bytes to the passed address and sets the key len. The returned address is managed by the internal -key management and shouldn't be freed explicitly. The operation can fail when -the underlying key management doesn't support export of the secret key. +key management and shouldn\*(Aqt be freed explicitly. The operation can fail when +the underlying key management doesn\*(Aqt support export of the secret key. .PP -The \fBEVP_SKEY_get0_key_id()\fR returns a NUL-terminated string providing some -human-readable identifier of the key if provided by the underlying key +The \fBEVP_SKEY_get0_key_id()\fR returns a NUL\-terminated string providing some +human\-readable identifier of the key if provided by the underlying key management. The pointer becomes invalid after freeing the EVP_SKEY object. .PP The \fBEVP_SKEY_get0_skeymgmt_name()\fR and \fBEVP_SKEY_get0_provider_name()\fR return the @@ -177,7 +182,7 @@ either the newly allocated \fBEVP_SKEY\fR structure or NULL if an error occurred \&\fBEVP_SKEY_export()\fR and \fBEVP_SKEY_get0_raw_key()\fR return 1 for success and 0 on failure. .PP \&\fBEVP_SKEY_get0_skeymgmt_name()\fR and \fBEVP_SKEY_get0_provider_name()\fR return the -names of the associated EVP_SKEYMGMT object and its provider correspondigly. +names of the associated EVP_SKEYMGMT object and its provider correspondingly. .PP \&\fBEVP_SKEY_is_a()\fR returns 1 if \fIskey\fR has the key type \fIname\fR, otherwise 0. 
@@ -197,7 +202,7 @@ The \fBEVP_SKEY\fR API and functions \fBEVP_SKEY_export()\fR, were introduced in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2025 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2025\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man3/EVP_SKEYMGMT.3 b/secure/lib/libcrypto/man/man3/EVP_SKEYMGMT.3 index ea56e4d608dc..0079ba4668e4 100644 --- a/secure/lib/libcrypto/man/man3/EVP_SKEYMGMT.3 +++ b/secure/lib/libcrypto/man/man3/EVP_SKEYMGMT.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SKEYMGMT 3ossl" -.TH EVP_SKEYMGMT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SKEYMGMT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -125,7 +128,7 @@ If the argument is NULL, nothing is done. implementation. .PP \&\fBEVP_SKEYMGMT_is_a()\fR checks if \fIskeymgmt\fR is an implementation of an -algorithm that's identified by \fIname\fR. +algorithm that\*(Aqs identified by \fIname\fR. .PP \&\fBEVP_SKEYMGMT_get0_name()\fR returns the algorithm name from the provided implementation for the given \fIskeymgmt\fR. Note that the \fIskeymgmt\fR may have 
@@ -164,7 +167,7 @@ error. \&\fBEVP_SKEYMGMT_names_do_all()\fR returns 1 if the callback was called for all names. A return value of 0 means that the callback was not called for any names. .PP -\&\fBEVP_SKEYMGMT_free()\fR doesn't return any value. +\&\fBEVP_SKEYMGMT_free()\fR doesn\*(Aqt return any value. .PP \&\fBEVP_SKEYMGMT_get0_provider()\fR returns a pointer to a provider object, or NULL on error. @@ -174,7 +177,7 @@ on error. \&\fBEVP_SKEYMGMT_get0_name()\fR returns the algorithm name, or NULL on error. .PP \&\fBEVP_SKEYMGMT_get0_description()\fR returns a pointer to a description, or NULL if -there isn't one. +there isn\*(Aqt one. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_SKEY\fR\|(3), \fBEVP_MD_fetch\fR\|(3), \fBOSSL_LIB_CTX\fR\|(3) diff --git a/secure/lib/libcrypto/man/man3/EVP_SealInit.3 b/secure/lib/libcrypto/man/man3/EVP_SealInit.3 index a703ae757efc..5abb0fb3f2f2 100644 --- a/secure/lib/libcrypto/man/man3/EVP_SealInit.3 +++ b/secure/lib/libcrypto/man/man3/EVP_SealInit.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SEALINIT 3ossl" -.TH EVP_SEALINIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SEALINIT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -76,7 +79,7 @@ EVP_SealInit, EVP_SealUpdate, EVP_SealFinal \- EVP envelope encryption .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP envelope routines are a high-level interface to envelope +The EVP envelope routines are a high\-level interface to envelope encryption. They generate a random key and IV (if required) then "envelope" it by using public key encryption. Data can then be encrypted using this key. @@ -93,7 +96,7 @@ size of each encrypted secret key is written to the array \fBekl\fR. \fBpubk\fR an array of \fBnpubk\fR public keys. .PP The \fBiv\fR parameter is a buffer where the generated IV is written to. It must -contain enough room for the corresponding cipher's IV, as determined by (for +contain enough room for the corresponding cipher\*(Aqs IV, as determined by (for example) EVP_CIPHER_get_iv_length(type). .PP If the cipher does not require an IV then the \fBiv\fR parameter is ignored diff --git a/secure/lib/libcrypto/man/man3/EVP_SignInit.3 b/secure/lib/libcrypto/man/man3/EVP_SignInit.3 index 87996c93b70b..0b8f1370695d 100644 --- a/secure/lib/libcrypto/man/man3/EVP_SignInit.3 +++ b/secure/lib/libcrypto/man/man3/EVP_SignInit.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SIGNINIT 3ossl" -.TH EVP_SIGNINIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SIGNINIT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -80,7 +83,7 @@ EVP_SignFinal_ex, EVP_SignFinal .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP signature routines are a high-level interface to digital +The EVP signature routines are a high\-level interface to digital signatures. .PP \&\fBEVP_SignInit_ex()\fR sets up signing context \fIctx\fR to use digest @@ -114,7 +117,7 @@ The error codes can be obtained by \fBERR_get_error\fR\|(3). .SH NOTES .IX Header "NOTES" The \fBEVP\fR interface to digital signatures should almost always be used in -preference to the low-level interfaces. This is because the code then becomes +preference to the low\-level interfaces. This is because the code then becomes transparent to the algorithm used and much more flexible. .PP When signing with some private key types the random number generator must diff --git a/secure/lib/libcrypto/man/man3/EVP_VerifyInit.3 b/secure/lib/libcrypto/man/man3/EVP_VerifyInit.3 index a6e5bf699536..96717b29040b 100644 --- a/secure/lib/libcrypto/man/man3/EVP_VerifyInit.3 +++ b/secure/lib/libcrypto/man/man3/EVP_VerifyInit.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_VERIFYINIT 3ossl" -.TH EVP_VERIFYINIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_VERIFYINIT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -81,7 +84,7 @@ EVP_VerifyInit, EVP_VerifyUpdate, EVP_VerifyFinal_ex, EVP_VerifyFinal .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP signature verification routines are a high-level interface to digital +The EVP signature verification routines are a high\-level interface to digital signatures. .PP \&\fBEVP_VerifyInit_ex()\fR sets up verification context \fIctx\fR to use digest @@ -114,7 +117,7 @@ The error codes can be obtained by \fBERR_get_error\fR\|(3). .SH NOTES .IX Header "NOTES" The \fBEVP\fR interface to digital signatures should almost always be used in -preference to the low-level interfaces. This is because the code then becomes +preference to the low\-level interfaces. This is because the code then becomes transparent to the algorithm used and much more flexible. .PP The call to \fBEVP_VerifyFinal()\fR internally finalizes a copy of the digest context. diff --git a/secure/lib/libcrypto/man/man3/EVP_aes_128_gcm.3 b/secure/lib/libcrypto/man/man3/EVP_aes_128_gcm.3 index 50816e73d4fb..b34d3c940986 100644 --- a/secure/lib/libcrypto/man/man3/EVP_aes_128_gcm.3 +++ b/secure/lib/libcrypto/man/man3/EVP_aes_128_gcm.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_AES_128_GCM 3ossl" -.TH EVP_AES_128_GCM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_AES_128_GCM 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -143,7 +146,7 @@ some undocumented ctrl functions. These ciphers do not conform to the EVP AEAD interface. .IP "\fBEVP_aes_128_ccm()\fR, \fBEVP_aes_192_ccm()\fR, \fBEVP_aes_256_ccm()\fR, \fBEVP_aes_128_gcm()\fR, \fBEVP_aes_192_gcm()\fR, \fBEVP_aes_256_gcm()\fR, \fBEVP_aes_128_ocb()\fR, \fBEVP_aes_192_ocb()\fR, \fBEVP_aes_256_ocb()\fR" 4 .IX Item "EVP_aes_128_ccm(), EVP_aes_192_ccm(), EVP_aes_256_ccm(), EVP_aes_128_gcm(), EVP_aes_192_gcm(), EVP_aes_256_gcm(), EVP_aes_128_ocb(), EVP_aes_192_ocb(), EVP_aes_256_ocb()" -AES for 128, 192 and 256 bit keys in CBC-MAC Mode (CCM), Galois Counter Mode +AES for 128, 192 and 256 bit keys in CBC\-MAC Mode (CCM), Galois Counter Mode (GCM) and OCB Mode respectively. These ciphers require additional control operations to function correctly, see the "AEAD INTERFACE" in \fBEVP_EncryptInit\fR\|(3) section for details. 
@@ -153,13 +156,13 @@ AES key wrap with 128, 192 and 256 bit keys, as according to RFC 3394 section 2.2.1 ("wrap") and RFC 5649 section 4.1 ("wrap with padding") respectively. .IP "\fBEVP_aes_128_xts()\fR, \fBEVP_aes_256_xts()\fR" 4 .IX Item "EVP_aes_128_xts(), EVP_aes_256_xts()" -AES XTS mode (XTS-AES) is standardized in IEEE Std. 1619\-2007 and described in NIST -SP 800\-38E. The XTS (XEX-based tweaked-codebook mode with ciphertext stealing) +AES XTS mode (XTS\-AES) is standardized in IEEE Std. 1619\-2007 and described in NIST +SP 800\-38E. The XTS (XEX\-based tweaked\-codebook mode with ciphertext stealing) mode was designed by Prof. Phillip Rogaway of University of California, Davis, intended for encrypting data on a storage device. .Sp -XTS-AES provides confidentiality but not authentication of data. It also -requires a key of double-length for protection of a certain key size. +XTS\-AES provides confidentiality but not authentication of data. It also +requires a key of double\-length for protection of a certain key size. In particular, XTS\-AES\-128 (\fBEVP_aes_128_xts\fR) takes input of a 256\-bit key to achieve AES 128\-bit security, and XTS\-AES\-256 (\fBEVP_aes_256_xts\fR) takes input of a 512\-bit key to achieve AES 256\-bit security. diff --git a/secure/lib/libcrypto/man/man3/EVP_aria_128_gcm.3 b/secure/lib/libcrypto/man/man3/EVP_aria_128_gcm.3 index d46564482077..b99a01610245 100644 --- a/secure/lib/libcrypto/man/man3/EVP_aria_128_gcm.3 +++ b/secure/lib/libcrypto/man/man3/EVP_aria_128_gcm.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_ARIA_128_GCM 3ossl" -.TH EVP_ARIA_128_GCM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_ARIA_128_GCM 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -111,7 +114,7 @@ ARIA for 128, 192 and 256 bit keys in the following modes: CBC, CFB with 128\-bit shift, CFB with 1\-bit shift, CFB with 8\-bit shift, CTR, ECB and OFB. .IP "\fBEVP_aria_128_ccm()\fR, \fBEVP_aria_192_ccm()\fR, \fBEVP_aria_256_ccm()\fR, \fBEVP_aria_128_gcm()\fR, \fBEVP_aria_192_gcm()\fR, \fBEVP_aria_256_gcm()\fR," 4 .IX Item "EVP_aria_128_ccm(), EVP_aria_192_ccm(), EVP_aria_256_ccm(), EVP_aria_128_gcm(), EVP_aria_192_gcm(), EVP_aria_256_gcm()," -ARIA for 128, 192 and 256 bit keys in CBC-MAC Mode (CCM) and Galois Counter +ARIA for 128, 192 and 256 bit keys in CBC\-MAC Mode (CCM) and Galois Counter Mode (GCM). These ciphers require additional control operations to function correctly, see the "AEAD INTERFACE" in \fBEVP_EncryptInit\fR\|(3) section for details. .SH NOTES diff --git a/secure/lib/libcrypto/man/man3/EVP_bf_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_bf_cbc.3 index 46e14e666e3e..44390fdf4e2a 100644 --- a/secure/lib/libcrypto/man/man3/EVP_bf_cbc.3 +++ b/secure/lib/libcrypto/man/man3/EVP_bf_cbc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_BF_CBC 3ossl" -.TH EVP_BF_CBC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_BF_CBC 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_blake2b512.3 b/secure/lib/libcrypto/man/man3/EVP_blake2b512.3 index 4c53ad77a167..b56688c7af6e 100644 --- a/secure/lib/libcrypto/man/man3/EVP_blake2b512.3 +++ b/secure/lib/libcrypto/man/man3/EVP_blake2b512.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_BLAKE2B512 3ossl" -.TH EVP_BLAKE2B512 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_BLAKE2B512 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -90,7 +93,7 @@ calling these functions multiple times and should consider using \&\fBEVP_MD_fetch\fR\|(3) with \fBEVP_MD\-BLAKE2\fR\|(7) instead. See "Performance" in \fBcrypto\fR\|(7) for further information. .PP -Both algorithms support a variable-length digest, +Both algorithms support a variable\-length digest, but this is only available through \fBEVP_MD\-BLAKE2\fR\|(7). .SH "RETURN VALUES" .IX Header "RETURN VALUES" 
diff --git a/secure/lib/libcrypto/man/man3/EVP_camellia_128_ecb.3 b/secure/lib/libcrypto/man/man3/EVP_camellia_128_ecb.3 index 9f540572cdd0..575cdfd28984 100644 --- a/secure/lib/libcrypto/man/man3/EVP_camellia_128_ecb.3 +++ b/secure/lib/libcrypto/man/man3/EVP_camellia_128_ecb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CAMELLIA_128_ECB 3ossl" -.TH EVP_CAMELLIA_128_ECB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CAMELLIA_128_ECB 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_cast5_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_cast5_cbc.3 index 3ef1740a8051..73f60f72f3e8 100644 --- a/secure/lib/libcrypto/man/man3/EVP_cast5_cbc.3 +++ b/secure/lib/libcrypto/man/man3/EVP_cast5_cbc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CAST5_CBC 3ossl" -.TH EVP_CAST5_CBC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CAST5_CBC 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_chacha20.3 b/secure/lib/libcrypto/man/man3/EVP_chacha20.3 index 6d2ea3dcfded..77dc6d6a3f6a 100644 --- a/secure/lib/libcrypto/man/man3/EVP_chacha20.3 +++ b/secure/lib/libcrypto/man/man3/EVP_chacha20.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CHACHA20 3ossl" -.TH EVP_CHACHA20 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CHACHA20 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -78,7 +81,7 @@ The ChaCha20 stream cipher for EVP. .IP \fBEVP_chacha20()\fR 4 .IX Item "EVP_chacha20()" The ChaCha20 stream cipher. The key length is 256 bits, the IV is 128 bits long. -The first 64 bits consists of a counter in little-endian order followed by a 64 +The first 64 bits consists of a counter in little\-endian order followed by a 64 bit nonce. For example a nonce of: .Sp 0000000000000002 
diff --git a/secure/lib/libcrypto/man/man3/EVP_des_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_des_cbc.3 index 499178d17555..cff585bf6492 100644 --- a/secure/lib/libcrypto/man/man3/EVP_des_cbc.3 +++ b/secure/lib/libcrypto/man/man3/EVP_des_cbc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_DES_CBC 3ossl" -.TH EVP_DES_CBC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_DES_CBC 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -110,11 +113,11 @@ implementation. Two key triple DES in ECB, CBC, CFB with 64\-bit shift and OFB modes. .IP "\fBEVP_des_ede3()\fR, \fBEVP_des_ede3_cbc()\fR, \fBEVP_des_ede3_cfb()\fR, \fBEVP_des_ede3_cfb1()\fR, \fBEVP_des_ede3_cfb8()\fR, \fBEVP_des_ede3_cfb64()\fR, \fBEVP_des_ede3_ecb()\fR, \fBEVP_des_ede3_ofb()\fR" 4 .IX Item "EVP_des_ede3(), EVP_des_ede3_cbc(), EVP_des_ede3_cfb(), EVP_des_ede3_cfb1(), EVP_des_ede3_cfb8(), EVP_des_ede3_cfb64(), EVP_des_ede3_ecb(), EVP_des_ede3_ofb()" -Three-key triple DES in ECB, CBC, CFB with 64\-bit shift, CFB with 1\-bit shift, +Three\-key triple DES in ECB, CBC, CFB with 64\-bit shift, CFB with 1\-bit shift, CFB with 8\-bit shift and OFB modes. .IP \fBEVP_des_ede3_wrap()\fR 4 .IX Item "EVP_des_ede3_wrap()" -Triple-DES key wrap according to RFC 3217 Section 3. +Triple\-DES key wrap according to RFC 3217 Section 3. .SH NOTES .IX Header "NOTES" Developers should be aware of the negative performance implications of 
diff --git a/secure/lib/libcrypto/man/man3/EVP_desx_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_desx_cbc.3 index b651b4d5900c..91c8dd76b990 100644 --- a/secure/lib/libcrypto/man/man3/EVP_desx_cbc.3 +++ b/secure/lib/libcrypto/man/man3/EVP_desx_cbc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_DESX_CBC 3ossl" -.TH EVP_DESX_CBC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_DESX_CBC 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -72,12 +75,12 @@ EVP_desx_cbc .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The DES-X encryption algorithm for EVP. +The DES\-X encryption algorithm for EVP. .PP All modes below use a key length of 128 bits and acts on blocks of 128\-bits. .IP \fBEVP_desx_cbc()\fR 4 .IX Item "EVP_desx_cbc()" -The DES-X algorithm in CBC mode. +The DES\-X algorithm in CBC mode. .Sp This algorithm is not provided by the OpenSSL default provider. To use it is necessary to load either the OpenSSL legacy provider or another diff --git a/secure/lib/libcrypto/man/man3/EVP_idea_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_idea_cbc.3 index bc5c16e511a2..3cdc70e3999e 100644 --- a/secure/lib/libcrypto/man/man3/EVP_idea_cbc.3 +++ b/secure/lib/libcrypto/man/man3/EVP_idea_cbc.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_IDEA_CBC 3ossl" -.TH EVP_IDEA_CBC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_IDEA_CBC 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_md2.3 b/secure/lib/libcrypto/man/man3/EVP_md2.3 index 4f267f1053d7..439acede6a54 100644 --- a/secure/lib/libcrypto/man/man3/EVP_md2.3 +++ b/secure/lib/libcrypto/man/man3/EVP_md2.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD2 3ossl" -.TH EVP_MD2 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD2 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_md4.3 b/secure/lib/libcrypto/man/man3/EVP_md4.3 index 56f76f0817c9..6725e29e94f1 100644 --- a/secure/lib/libcrypto/man/man3/EVP_md4.3 +++ b/secure/lib/libcrypto/man/man3/EVP_md4.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD4 3ossl" -.TH EVP_MD4 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD4 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_md5.3 b/secure/lib/libcrypto/man/man3/EVP_md5.3 index be15b9d5492a..6ef4dfb1b375 100644 --- a/secure/lib/libcrypto/man/man3/EVP_md5.3 +++ b/secure/lib/libcrypto/man/man3/EVP_md5.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD5 3ossl" -.TH EVP_MD5 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD5 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -87,7 +90,7 @@ The MD5 algorithm which produces a 128\-bit output from a given input. A hash algorithm of SSL v3 that combines MD5 with SHA\-1 as described in RFC 6101. .Sp -WARNING: this algorithm is not intended for non-SSL usage. +WARNING: this algorithm is not intended for non\-SSL usage. .SH NOTES .IX Header "NOTES" Developers should be aware of the negative performance implications of diff --git a/secure/lib/libcrypto/man/man3/EVP_mdc2.3 b/secure/lib/libcrypto/man/man3/EVP_mdc2.3 index b0667f6b0eb0..48d909f56467 100644 --- a/secure/lib/libcrypto/man/man3/EVP_mdc2.3 +++ b/secure/lib/libcrypto/man/man3/EVP_mdc2.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MDC2 3ossl" -.TH EVP_MDC2 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MDC2 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -72,7 +75,7 @@ EVP_mdc2 .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -MDC\-2 (Modification Detection Code 2 or Meyer-Schilling) is a cryptographic +MDC\-2 (Modification Detection Code 2 or Meyer\-Schilling) is a cryptographic hash function based on a block cipher. This implementation is only available with the legacy provider. .IP \fBEVP_mdc2()\fR 4 
@@ -92,7 +95,7 @@ implementation of the message digest. See \fBEVP_MD_meth_new\fR\|(3) for details of the \fBEVP_MD\fR structure. .SH "CONFORMING TO" .IX Header "CONFORMING TO" -ISO/IEC 10118\-2:2000 Hash-Function 2, with DES as the underlying block cipher. +ISO/IEC 10118\-2:2000 Hash\-Function 2, with DES as the underlying block cipher. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBevp\fR\|(7), diff --git a/secure/lib/libcrypto/man/man3/EVP_rc2_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_rc2_cbc.3 index 30a133c7fac6..31733b0381bb 100644 --- a/secure/lib/libcrypto/man/man3/EVP_rc2_cbc.3 +++ b/secure/lib/libcrypto/man/man3/EVP_rc2_cbc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RC2_CBC 3ossl" -.TH EVP_RC2_CBC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RC2_CBC 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_rc4.3 b/secure/lib/libcrypto/man/man3/EVP_rc4.3 index 86b74e874c6f..dc96932e4774 100644 --- a/secure/lib/libcrypto/man/man3/EVP_rc4.3 +++ b/secure/lib/libcrypto/man/man3/EVP_rc4.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RC4 3ossl" -.TH EVP_RC4 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RC4 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_rc5_32_12_16_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_rc5_32_12_16_cbc.3 index 80bd2c04c306..97003e6331a3 100644 --- a/secure/lib/libcrypto/man/man3/EVP_rc5_32_12_16_cbc.3 +++ b/secure/lib/libcrypto/man/man3/EVP_rc5_32_12_16_cbc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RC5_32_12_16_CBC 3ossl" -.TH EVP_RC5_32_12_16_CBC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RC5_32_12_16_CBC 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_ripemd160.3 b/secure/lib/libcrypto/man/man3/EVP_ripemd160.3 index 6e49aba8527b..c91ce2c4f38a 100644 --- a/secure/lib/libcrypto/man/man3/EVP_ripemd160.3 +++ b/secure/lib/libcrypto/man/man3/EVP_ripemd160.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RIPEMD160 3ossl" -.TH EVP_RIPEMD160 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RIPEMD160 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -91,7 +94,7 @@ implementation of the message digest. See \fBEVP_MD_meth_new\fR\|(3) for details of the \fBEVP_MD\fR structure. .SH "CONFORMING TO" .IX Header "CONFORMING TO" -ISO/IEC 10118\-3:2016 Dedicated Hash-Function 1 (RIPEMD\-160). +ISO/IEC 10118\-3:2016 Dedicated Hash\-Function 1 (RIPEMD\-160). .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBevp\fR\|(7), diff --git a/secure/lib/libcrypto/man/man3/EVP_seed_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_seed_cbc.3 index ffb1af9fee48..fcc0a4f7a661 100644 --- a/secure/lib/libcrypto/man/man3/EVP_seed_cbc.3 +++ b/secure/lib/libcrypto/man/man3/EVP_seed_cbc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SEED_CBC 3ossl" -.TH EVP_SEED_CBC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SEED_CBC 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_set_default_properties.3 b/secure/lib/libcrypto/man/man3/EVP_set_default_properties.3 index 08ce76625b6b..76a2ce05942e 100644 --- a/secure/lib/libcrypto/man/man3/EVP_set_default_properties.3 +++ b/secure/lib/libcrypto/man/man3/EVP_set_default_properties.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SET_DEFAULT_PROPERTIES 3ossl" -.TH EVP_SET_DEFAULT_PROPERTIES 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SET_DEFAULT_PROPERTIES 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -82,7 +85,7 @@ future EVP algorithm fetches, implicit as well as explicit. See fetching. .PP EVP_set_default_properties stores the properties given with the string -\&\fIpropq\fR among the EVP data that's been stored in the library context +\&\fIpropq\fR among the EVP data that\*(Aqs been stored in the library context given with \fIlibctx\fR (NULL signifies the default library context). .PP Any previous default property for the specified library context will @@ -92,12 +95,12 @@ be dropped. algorithm fetches, implicit as well as explicit, for the specific library context. .PP -\&\fBEVP_default_properties_enable_fips()\fR sets the 'fips=yes' to be a default property -if \fIenable\fR is non zero, otherwise it clears 'fips' from the default property +\&\fBEVP_default_properties_enable_fips()\fR sets the \*(Aqfips=yes\*(Aq to be a default property +if \fIenable\fR is non zero, otherwise it clears \*(Aqfips\*(Aq from the default property query for the given \fIlibctx\fR. It merges the fips default property query with any existing query strings that have been set via \fBEVP_set_default_properties()\fR. .PP -\&\fBEVP_default_properties_is_fips_enabled()\fR indicates if 'fips=yes' is a default +\&\fBEVP_default_properties_is_fips_enabled()\fR indicates if \*(Aqfips=yes\*(Aq is a default property for the given \fIlibctx\fR. .SH NOTES .IX Header "NOTES" @@ -114,7 +117,7 @@ being modified by a different thread. on success, or 0 on failure. An error is placed on the error stack if a failure occurs. .PP -\&\fBEVP_default_properties_is_fips_enabled()\fR returns 1 if the 'fips=yes' default +\&\fBEVP_default_properties_is_fips_enabled()\fR returns 1 if the \*(Aqfips=yes\*(Aq default property is set for the given \fIlibctx\fR, otherwise it returns 0. .PP \&\fBEVP_get1_default_properties()\fR returns allocated memory that must be freed by diff --git a/secure/lib/libcrypto/man/man3/EVP_sha1.3 b/secure/lib/libcrypto/man/man3/EVP_sha1.3 index 16ce19c5dd78..4c728cd1206e 100644 
--- a/secure/lib/libcrypto/man/man3/EVP_sha1.3 +++ b/secure/lib/libcrypto/man/man3/EVP_sha1.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SHA1 3ossl" -.TH EVP_SHA1 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SHA1 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_sha224.3 b/secure/lib/libcrypto/man/man3/EVP_sha224.3 index 8d9db1fc7302..3301c2f52575 100644 --- a/secure/lib/libcrypto/man/man3/EVP_sha224.3 +++ b/secure/lib/libcrypto/man/man3/EVP_sha224.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SHA224 3ossl" -.TH EVP_SHA224 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SHA224 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_sha3_224.3 b/secure/lib/libcrypto/man/man3/EVP_sha3_224.3 index e74d14adbf9e..d0c2cef09ec1 100644 
--- a/secure/lib/libcrypto/man/man3/EVP_sha3_224.3 +++ b/secure/lib/libcrypto/man/man3/EVP_sha3_224.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SHA3_224 3ossl" -.TH EVP_SHA3_224 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SHA3_224 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_sm3.3 b/secure/lib/libcrypto/man/man3/EVP_sm3.3 index d89d381da96c..1fc00715b29f 100644 --- a/secure/lib/libcrypto/man/man3/EVP_sm3.3 +++ b/secure/lib/libcrypto/man/man3/EVP_sm3.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SM3 3ossl" -.TH EVP_SM3 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SM3 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_sm4_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_sm4_cbc.3 index 99b659ec27dc..9123dabe7e79 100644 
--- a/secure/lib/libcrypto/man/man3/EVP_sm4_cbc.3 +++ b/secure/lib/libcrypto/man/man3/EVP_sm4_cbc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SM4_CBC 3ossl" -.TH EVP_SM4_CBC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SM4_CBC 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_whirlpool.3 b/secure/lib/libcrypto/man/man3/EVP_whirlpool.3 index 63c8e5f50d2d..85fa8520c07a 100644 --- a/secure/lib/libcrypto/man/man3/EVP_whirlpool.3 +++ b/secure/lib/libcrypto/man/man3/EVP_whirlpool.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_WHIRLPOOL 3ossl" -.TH EVP_WHIRLPOOL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_WHIRLPOOL 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/GENERAL_NAME.3 b/secure/lib/libcrypto/man/man3/GENERAL_NAME.3 index 45f040ff10f8..30f1d6fa90fc 100644 --- a/secure/lib/libcrypto/man/man3/GENERAL_NAME.3 +++ b/secure/lib/libcrypto/man/man3/GENERAL_NAME.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "GENERAL_NAME 3ossl" -.TH GENERAL_NAME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH GENERAL_NAME 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/HMAC.3 b/secure/lib/libcrypto/man/man3/HMAC.3 index 97bd885f7d53..9104a5675261 100644 --- a/secure/lib/libcrypto/man/man3/HMAC.3 +++ b/secure/lib/libcrypto/man/man3/HMAC.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "HMAC 3ossl" -.TH HMAC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH HMAC 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -140,7 +143,7 @@ Use \fBEVP_Q_mac\fR\|(3) instead if a library context is required. All of the functions described below are deprecated. Applications should instead use \fBEVP_MAC_CTX_new\fR\|(3), \fBEVP_MAC_CTX_free\fR\|(3), \&\fBEVP_MAC_init\fR\|(3), \fBEVP_MAC_update\fR\|(3) and \fBEVP_MAC_final\fR\|(3) -or the 'quick' single-shot MAC function \fBEVP_Q_mac\fR\|(3). +or the \*(Aqquick\*(Aq single\-shot MAC function \fBEVP_Q_mac\fR\|(3). .PP \&\fBHMAC_CTX_new()\fR creates a new HMAC_CTX in heap memory. .PP diff --git a/secure/lib/libcrypto/man/man3/MD5.3 b/secure/lib/libcrypto/man/man3/MD5.3 index ba1e24009f7c..0ed74747c5c0 100644 --- a/secure/lib/libcrypto/man/man3/MD5.3 +++ b/secure/lib/libcrypto/man/man3/MD5.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "MD5 3ossl" -.TH MD5 3ossl 2025-09-30 3.5.4 OpenSSL +.TH MD5 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/MDC2_Init.3 b/secure/lib/libcrypto/man/man3/MDC2_Init.3 index 4ae0b4df5c8a..6a7746bb0100 100644 --- a/secure/lib/libcrypto/man/man3/MDC2_Init.3 +++ b/secure/lib/libcrypto/man/man3/MDC2_Init.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "MDC2_INIT 3ossl" -.TH MDC2_INIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH MDC2_INIT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -117,7 +120,7 @@ hash functions directly. \&\fBMDC2_Init()\fR, \fBMDC2_Update()\fR and \fBMDC2_Final()\fR return 1 for success, 0 otherwise. .SH "CONFORMING TO" .IX Header "CONFORMING TO" -ISO/IEC 10118\-2:2000 Hash-Function 2, with DES as the underlying block cipher. +ISO/IEC 10118\-2:2000 Hash\-Function 2, with DES as the underlying block cipher. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_DigestInit\fR\|(3) diff --git a/secure/lib/libcrypto/man/man3/Makefile b/secure/lib/libcrypto/man/man3/Makefile index 0fc9cc100077..01c40aed495e 100644 --- a/secure/lib/libcrypto/man/man3/Makefile +++ b/secure/lib/libcrypto/man/man3/Makefile @@ -54,6 +54,7 @@ MAN+= BIO_s_null.3 MAN+= BIO_s_socket.3 MAN+= BIO_sendmmsg.3 MAN+= BIO_set_callback.3 +MAN+= BIO_set_flags.3 MAN+= BIO_should_retry.3 MAN+= BIO_socket_wait.3 MAN+= BN_BLINDING_new.3 @@ -81,6 +82,7 @@ MAN+= CMAC_CTX.3 MAN+= CMS_EncryptedData_decrypt.3 MAN+= CMS_EncryptedData_encrypt.3 MAN+= CMS_EnvelopedData_create.3 +MAN+= CMS_EncryptedData_set1_key.3 MAN+= CMS_add0_cert.3 MAN+= CMS_add1_recipient_cert.3 MAN+= CMS_add1_signer.3 @@ -161,6 +163,7 @@ MAN+= ERR_remove_state.3 MAN+= ERR_set_mark.3 MAN+= EVP_ASYM_CIPHER_free.3 MAN+= EVP_BytesToKey.3 +MAN+= EVP_CIPHER_CTX_get_app_data.3 MAN+= EVP_CIPHER_CTX_get_cipher_data.3 MAN+= EVP_CIPHER_CTX_get_original_iv.3 MAN+= EVP_CIPHER_meth_new.3 
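Review bot: In the `@@ -81,6 +82,7 @@` hunk of `secure/lib/libcrypto/man/man3/Makefile`, `MAN+= CMS_EncryptedData_set1_key.3` is added after `MAN+= CMS_EnvelopedData_create.3`, which breaks the byte-order sorting that the neighbouring entries follow. The other additions visible for this file (`BIO_set_flags.3`, `EVP_CIPHER_CTX_get_app_data.3`, `OPENSSL_ppccap.3`) are in sorted position. The new line would sit directly after `MAN+= CMS_EncryptedData_encrypt.3`. This does not change what gets installed, but a sorted list makes a missing or duplicated page easier to spot on the next vendor update. If the list is produced by a script rather than edited by hand, which is not visible here, the ordering is better fixed in that script.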
@@ -280,6 +283,7 @@ MAN+= OPENSSL_instrument_bus.3 MAN+= OPENSSL_load_builtin_modules.3 MAN+= OPENSSL_load_u16_le.3 MAN+= OPENSSL_malloc.3 +MAN+= OPENSSL_ppccap.3 MAN+= OPENSSL_riscvcap.3 MAN+= OPENSSL_s390xcap.3 MAN+= OPENSSL_secure_malloc.3 diff --git a/secure/lib/libcrypto/man/man3/NCONF_new_ex.3 b/secure/lib/libcrypto/man/man3/NCONF_new_ex.3 index 1e5cdc7e4cdd..6f9d902d159f 100644 --- a/secure/lib/libcrypto/man/man3/NCONF_new_ex.3 +++ b/secure/lib/libcrypto/man/man3/NCONF_new_ex.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "NCONF_NEW_EX 3ossl" -.TH NCONF_NEW_EX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH NCONF_NEW_EX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OBJ_nid2obj.3 b/secure/lib/libcrypto/man/man3/OBJ_nid2obj.3 index 251a25331321..2b3973f73bff 100644 --- a/secure/lib/libcrypto/man/man3/OBJ_nid2obj.3 +++ b/secure/lib/libcrypto/man/man3/OBJ_nid2obj.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OBJ_NID2OBJ 3ossl" -.TH OBJ_NID2OBJ 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OBJ_NID2OBJ 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -133,10 +136,10 @@ is acceptable. .PP \&\fBOBJ_obj2txt()\fR converts the \fBASN1_OBJECT\fR \fIa\fR into a textual representation. Unless \fIbuf\fR is NULL, -the representation is written as a NUL-terminated string to \fIbuf\fR, where +the representation is written as a NUL\-terminated string to \fIbuf\fR, where at most \fIbuf_len\fR bytes are written, truncating the result if necessary. In any case it returns the total string length, excluding the NUL character, -required for non-truncated representation, or \-1 on error. +required for non\-truncated representation, or \-1 on error. If \fIno_name\fR is 0 then if the object has a long or short name then that will be used, otherwise the numerical form will be used. If \fIno_name\fR is 1 then the numerical form will always be used. @@ -202,7 +205,7 @@ decoded as part of ASN.1 structures. Applications can determine if there is a corresponding OBJECT IDENTIFIER by checking \fBOBJ_length()\fR is not zero. .PP These functions cannot return \fBconst\fR because an \fBASN1_OBJECT\fR can -represent both an internal, constant, OID and a dynamically-created one. +represent both an internal, constant, OID and a dynamically\-created one. The latter cannot be constant because it needs to be freed after use. .PP These functions were not thread safe in OpenSSL 3.0 and before. diff --git a/secure/lib/libcrypto/man/man3/OCSP_REQUEST_new.3 b/secure/lib/libcrypto/man/man3/OCSP_REQUEST_new.3 index c6ae22525d46..9bcf8493d23c 100644 
--- a/secure/lib/libcrypto/man/man3/OCSP_REQUEST_new.3 +++ b/secure/lib/libcrypto/man/man3/OCSP_REQUEST_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OCSP_REQUEST_NEW 3ossl" -.TH OCSP_REQUEST_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OCSP_REQUEST_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OCSP_cert_to_id.3 b/secure/lib/libcrypto/man/man3/OCSP_cert_to_id.3 index e42b388357c9..84d9fd45d275 100644 --- a/secure/lib/libcrypto/man/man3/OCSP_cert_to_id.3 +++ b/secure/lib/libcrypto/man/man3/OCSP_cert_to_id.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OCSP_CERT_TO_ID 3ossl" -.TH OCSP_CERT_TO_ID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OCSP_CERT_TO_ID 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/OCSP_request_add1_nonce.3 b/secure/lib/libcrypto/man/man3/OCSP_request_add1_nonce.3 index 5add784d7e90..55c8f8694a3f 100644 --- a/secure/lib/libcrypto/man/man3/OCSP_request_add1_nonce.3 +++ b/secure/lib/libcrypto/man/man3/OCSP_request_add1_nonce.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OCSP_REQUEST_ADD1_NONCE 3ossl" -.TH OCSP_REQUEST_ADD1_NONCE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OCSP_REQUEST_ADD1_NONCE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -116,7 +119,7 @@ The return values of \fBOCSP_check_nonce()\fR can be checked to cover each case. positive return value effectively indicates success: nonces are both present and match, both absent or present in the response only. A nonzero return additionally covers the case where the nonce is present in the request only: -this will happen if the responder doesn't support nonces. A zero return value +this will happen if the responder doesn\*(Aqt support nonces. A zero return value indicates present and mismatched nonces: this should be treated as an error condition. .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/OCSP_resp_find_status.3 b/secure/lib/libcrypto/man/man3/OCSP_resp_find_status.3 index ed6ba2e347f2..e8310d3e8d69 100644 --- a/secure/lib/libcrypto/man/man3/OCSP_resp_find_status.3 +++ b/secure/lib/libcrypto/man/man3/OCSP_resp_find_status.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OCSP_RESP_FIND_STATUS 3ossl" -.TH OCSP_RESP_FIND_STATUS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OCSP_RESP_FIND_STATUS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -154,7 +157,7 @@ single response \fIbs\fR. signed \fIbs\fR. The OCSP protocol does not require that this certificate is included in the \fBcerts\fR field of the response, so additional certificates can be supplied via the \fIextra_certs\fR if the certificates that may have -signed the response are known via some out-of-band mechanism. +signed the response are known via some out\-of\-band mechanism. .PP \&\fBOCSP_resp_get0_id()\fR gets the responder id of \fIbs\fR. If the responder ID is a name then <*pname> is set to the name and \fI*pid\fR is set to NULL. If the 
@@ -191,7 +194,7 @@ If \fIflags\fR contains \fBOCSP_NOCHAIN\fR it ignores all certificates in \fIcer and in \fIbs\fR, else it takes them as untrusted intermediate CA certificates and uses them for constructing the validation path for the signer certificate. Certificate revocation status checks using CRLs is disabled during path validation -if the signer certificate contains the \fBid-pkix-ocsp-no-check\fR extension. +if the signer certificate contains the \fBid\-pkix\-ocsp\-no\-check\fR extension. After successful path validation the function returns success if the \fBOCSP_NOCHECKS\fR flag is set. Otherwise it verifies that the signer certificate meets the OCSP issuer diff --git a/secure/lib/libcrypto/man/man3/OCSP_response_status.3 b/secure/lib/libcrypto/man/man3/OCSP_response_status.3 index b7d086624a74..cd1722b512f9 100644 --- a/secure/lib/libcrypto/man/man3/OCSP_response_status.3 +++ b/secure/lib/libcrypto/man/man3/OCSP_response_status.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OCSP_RESPONSE_STATUS 3ossl" -.TH OCSP_RESPONSE_STATUS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OCSP_RESPONSE_STATUS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OCSP_sendreq_new.3 b/secure/lib/libcrypto/man/man3/OCSP_sendreq_new.3 index 530f84b35537..bf9be13c8481 100644 --- a/secure/lib/libcrypto/man/man3/OCSP_sendreq_new.3 
+++ b/secure/lib/libcrypto/man/man3/OCSP_sendreq_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OCSP_SENDREQ_NEW 3ossl" -.TH OCSP_SENDREQ_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OCSP_SENDREQ_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_Applink.3 b/secure/lib/libcrypto/man/man3/OPENSSL_Applink.3 index 7c3513c66da5..257a7f843a99 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_Applink.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_Applink.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_APPLINK 3ossl" -.TH OPENSSL_APPLINK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_APPLINK 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -69,9 +72,9 @@ OPENSSL_Applink \- glue between OpenSSL BIO and Win32 compiler run\-time .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -OPENSSL_Applink is application-side interface which provides a glue -between OpenSSL BIO layer and Win32 compiler run-time environment. -Even though it appears at application side, it's essentially OpenSSL +OPENSSL_Applink is application\-side interface which provides a glue +between OpenSSL BIO layer and Win32 compiler run\-time environment. +Even though it appears at application side, it\*(Aqs essentially OpenSSL private interface. For this reason application developers are not expected to implement it, but to compile provided module with compiler of their choice and link it into the target application. diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_FILE.3 b/secure/lib/libcrypto/man/man3/OPENSSL_FILE.3 index eb54aa1bd264..b09db5c5290f 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_FILE.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_FILE.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_FILE 3ossl" -.TH OPENSSL_FILE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_FILE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_LH_COMPFUNC.3 b/secure/lib/libcrypto/man/man3/OPENSSL_LH_COMPFUNC.3 index 212781bdc9d3..869a7719319d 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_LH_COMPFUNC.3 
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_LH_COMPFUNC.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_LH_COMPFUNC 3ossl" -.TH OPENSSL_LH_COMPFUNC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_LH_COMPFUNC 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -142,20 +145,20 @@ The following macro is deprecated: .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -This library implements type-checked dynamic hash tables. The hash +This library implements type\-checked dynamic hash tables. The hash table entries can be arbitrary structures. Usually they consist of key and value fields. In the description here, \fR\f(BITYPE\fR\fB\fR is used a placeholder for any of the OpenSSL datatypes, such as \fISSL_SESSION\fR. .PP -To define a new type-checked dynamic hash table, use \fBDEFINE_LHASH_OF_EX\fR(). +To define a new type\-checked dynamic hash table, use \fBDEFINE_LHASH_OF_EX\fR(). \&\fBDEFINE_LHASH_OF\fR() was previously used for this purpose, but is now deprecated. The \fBDEFINE_LHASH_OF_EX\fR() macro provides all functionality of \&\fBDEFINE_LHASH_OF\fR() except for certain deprecated statistics functions (see \&\fBOPENSSL_LH_stats\fR\|(3)). .PP \&\fBlh_\fR\f(BITYPE\fR\fB_new\fR() creates a new \fBLHASH_OF\fR(\fR\f(BITYPE\fR\fB\fR) structure to store -arbitrary data entries, and specifies the 'hash' and 'compare' -callbacks to be used in organising the table's entries. The \fIhash\fR +arbitrary data entries, and specifies the \*(Aqhash\*(Aq and \*(Aqcompare\*(Aq +callbacks to be used in organising the table\*(Aqs entries. The \fIhash\fR callback takes a pointer to a table entry as its argument and returns an unsigned long hash value for its key field. The hash value is normally truncated to a power of 2, so make sure that your hash 
@@ -252,7 +255,7 @@ that is passed both the table entry and an extra argument). As with \&\fBlh_doall()\fR, you can instead choose to declare your callback with a prototype matching the types you are dealing with and use the declare/implement macros to create compatible wrappers that cast -variables before calling your type-specific callbacks. An example of +variables before calling your type\-specific callbacks. An example of this is demonstrated here (printing all hash table entries to a BIO that is provided by the caller): .PP @@ -328,7 +331,7 @@ NULL is returned if there is no such value in the hash table. if it has been found, NULL otherwise. .PP \&\fBlh_\fR\f(BITYPE\fR\fB_error\fR() and \fBOPENSSL_LH_error()\fR return 1 if an error occurred in -the last operation, 0 otherwise. It's meaningful only after non-retrieve +the last operation, 0 otherwise. It\*(Aqs meaningful only after non\-retrieve operations. .PP \&\fBlh_\fR\f(BITYPE\fR\fB_free\fR(), \fBOPENSSL_LH_free()\fR, \fBlh_\fR\f(BITYPE\fR\fB_flush\fR(), @@ -345,11 +348,11 @@ statistics, using the functions from \fBOPENSSL_LH_stats\fR\|(3), a read lock suffices. .PP The LHASH code regards table entries as constant data. As such, it -internally represents \fBlh_insert()\fR'd items with a "const void *" +internally represents \fBlh_insert()\fR\*(Aqd items with a "const void *" pointer type. This is why callbacks such as those used by \fBlh_doall()\fR and \fBlh_doall_arg()\fR declare their prototypes with "const", even for the -parameters that pass back the table items' data pointers \- for -consistency, user-provided data is "const" at all times as far as the +parameters that pass back the table items\*(Aq data pointers \- for +consistency, user\-provided data is "const" at all times as far as the LHASH code is concerned. However, as callers are themselves providing these pointers, they can choose whether they too should be treating all such parameters as constant. 
@@ -358,15 +361,15 @@ As an example, a hash table may be maintained by code that, for reasons of encapsulation, has only "const" access to the data being indexed in the hash table (i.e. it is returned as "const" from elsewhere in their code) \- in this case the LHASH prototypes are -appropriate as-is. Conversely, if the caller is responsible for the -life-time of the data in question, then they may well wish to make +appropriate as\-is. Conversely, if the caller is responsible for the +life\-time of the data in question, then they may well wish to make modifications to table item passed back in the \fBlh_doall()\fR or \&\fBlh_doall_arg()\fR callbacks (see the "TYPE_cleanup" example above). If -so, the caller can either cast the "const" away (if they're providing +so, the caller can either cast the "const" away (if they\*(Aqre providing the raw callbacks themselves) or use the macros to declare/implement the wrapper functions without "const" types. .PP -Callers that only have "const" access to data they're indexing in a +Callers that only have "const" access to data they\*(Aqre indexing in a table, yet declare callbacks without constant types (or cast the "const" away themselves), are therefore creating their own risks/bugs without being encouraged to do so by the API. On a related note, diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_LH_stats.3 b/secure/lib/libcrypto/man/man3/OPENSSL_LH_stats.3 index 62456d1ed039..458fe137cf55 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_LH_stats.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_LH_stats.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_LH_STATS 3ossl" -.TH OPENSSL_LH_STATS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_LH_STATS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -94,16 +97,16 @@ many entries are in it. For historical reasons, this function also outputs a number of additional statistics, but the tracking of these statistics is no longer supported and these statistics are always reported as zero. .PP -\&\fBOPENSSL_LH_node_stats()\fR prints the number of entries for each 'bucket' in the +\&\fBOPENSSL_LH_node_stats()\fR prints the number of entries for each \*(Aqbucket\*(Aq in the hash table. .PP \&\fBOPENSSL_LH_node_usage_stats()\fR prints out a short summary of the state of the -hash table. It prints the 'load' and the 'actual load'. The load is -the average number of data items per 'bucket' in the hash table. The -\&'actual load' is the average number of items per 'bucket', but only -for buckets which contain entries. So the 'actual load' is the +hash table. It prints the \*(Aqload\*(Aq and the \*(Aqactual load\*(Aq. The load is +the average number of data items per \*(Aqbucket\*(Aq in the hash table. The +\&\*(Aqactual load\*(Aq is the average number of items per \*(Aqbucket\*(Aq, but only +for buckets which contain entries. So the \*(Aqactual load\*(Aq is the average number of searches that will need to find an item in the hash -table, while the 'load' is the average number that will be done to +table, while the \*(Aqload\*(Aq is the average number that will be done to record a miss. .PP \&\fBOPENSSL_LH_stats_bio()\fR, \fBOPENSSL_LH_node_stats_bio()\fR and \fBOPENSSL_LH_node_usage_stats_bio()\fR 
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_config.3 b/secure/lib/libcrypto/man/man3/OPENSSL_config.3 index 5286b72db31e..77d247d2766d 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_config.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_config.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_CONFIG 3ossl" -.TH OPENSSL_CONFIG 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_CONFIG 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -106,7 +109,7 @@ advisable. For example, to load dynamic ENGINEs from shared libraries (DSOs). However, very few applications currently support the control interface and so very few can load and use dynamic ENGINEs. Equally in future more sophisticated ENGINEs will require certain control operations to customize them. If an -application calls \fBOPENSSL_config()\fR it doesn't need to know or care about +application calls \fBOPENSSL_config()\fR it doesn\*(Aqt need to know or care about ENGINE control operations because they can be performed by editing a configuration file. .SH ENVIRONMENT @@ -114,7 +117,7 @@ configuration file. .IP \fBOPENSSL_CONF\fR 4 .IX Item "OPENSSL_CONF" The path to the config file. -Ignored in set-user-ID and set-group-ID programs. +Ignored in set\-user\-ID and set\-group\-ID programs. .SH "RETURN VALUES" .IX Header "RETURN VALUES" Neither \fBOPENSSL_config()\fR nor \fBOPENSSL_no_config()\fR return a value. 
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_fork_prepare.3 b/secure/lib/libcrypto/man/man3/OPENSSL_fork_prepare.3 index 74efb2b859c4..0928f3bab188 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_fork_prepare.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_fork_prepare.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_FORK_PREPARE 3ossl" -.TH OPENSSL_FORK_PREPARE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_FORK_PREPARE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_gmtime.3 b/secure/lib/libcrypto/man/man3/OPENSSL_gmtime.3 index b77224f41eca..90f9e900d282 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_gmtime.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_gmtime.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_GMTIME 3ossl" -.TH OPENSSL_GMTIME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_GMTIME 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_hexchar2int.3 b/secure/lib/libcrypto/man/man3/OPENSSL_hexchar2int.3 index b5b01af3434e..ac8d4ed9842b 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_hexchar2int.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_hexchar2int.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_HEXCHAR2INT 3ossl" -.TH OPENSSL_HEXCHAR2INT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_HEXCHAR2INT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -86,25 +89,25 @@ equivalent. .PP \&\fBOPENSSL_hexstr2buf_ex()\fR decodes the hex string \fBstr\fR and places the resulting string of bytes in the given \fIbuf\fR. -The character \fIsep\fR is the separator between the bytes, setting this to '\e0' +The character \fIsep\fR is the separator between the bytes, setting this to \*(Aq\e0\*(Aq means that there is no separator. \&\fIbuf_n\fR gives the size of the buffer. If \fIbuflen\fR is not NULL, it is filled in with the result length. To find out how large the result will be, call this function with NULL for \fIbuf\fR. -Colons between two-character hex "bytes" are accepted and ignored. +Colons between two\-character hex "bytes" are accepted and ignored. An odd number of hex digits is an error. .PP \&\fBOPENSSL_hexstr2buf()\fR does the same thing as \fBOPENSSL_hexstr2buf_ex()\fR, but allocates the space for the result, and returns the result. It uses a -default separator of ':'. +default separator of \*(Aq:\*(Aq. The memory is allocated by calling \fBOPENSSL_malloc()\fR and should be released by calling \fBOPENSSL_free()\fR. .PP \&\fBOPENSSL_buf2hexstr_ex()\fR encodes the contents of the given \fIbuf\fR with length \fIbuflen\fR and places the resulting hexadecimal character string in the given \fIstr\fR. -The character \fIsep\fR is the separator between the bytes, setting this to '\e0' +The character \fIsep\fR is the separator between the bytes, setting this to \*(Aq\e0\*(Aq means that there is no separator. \&\fIstr_n\fR gives the size of the of the string buffer. If \fIstrlength\fR is not NULL, it is filled in with the result length. 
@@ -113,7 +116,7 @@ for \fIstr\fR. .PP \&\fBOPENSSL_buf2hexstr()\fR does the same thing as \fBOPENSSL_buf2hexstr_ex()\fR, but allocates the space for the result, and returns the result. It uses a -default separator of ':'. +default separator of \*(Aq:\*(Aq. The memory is allocated by calling \fBOPENSSL_malloc()\fR and should be released by calling \fBOPENSSL_free()\fR. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_ia32cap.3 b/secure/lib/libcrypto/man/man3/OPENSSL_ia32cap.3 index c3fa9651d393..fe1e9477830c 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_ia32cap.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_ia32cap.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_IA32CAP 3ossl" -.TH OPENSSL_IA32CAP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_IA32CAP 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -85,13 +88,13 @@ range of x86[_64] based processors. .PP Further CPUID information can be found in the Intel(R) Architecture Instruction Set Extensions Programming Reference, and the AMD64 Architecture -Programmer's Manual (Volume 3). +Programmer\*(Aqs Manual (Volume 3). .SS "Notable Capability Bits for LV0" .IX Subsection "Notable Capability Bits for LV0" The following are notable capability bits from logical vector 0 (LV0) resulting from the following execution of CPUID.(EAX=01H).EDX and CPUID.(EAX=01H).ECX: -.IP "bit #0+4 denoting presence of Time-Stamp Counter;" 4 +.IP "bit #0+4 denoting presence of Time\-Stamp Counter;" 4 .IX Item "bit #0+4 denoting presence of Time-Stamp Counter;" .PD 0 .IP "bit #0+19 denoting availability of CLFLUSH instruction;" 4 @@ -114,11 +117,11 @@ CPUID.(EAX=01H).ECX: .IX Item "bit #0+33 denoting availability of PCLMULQDQ instruction;" .IP "bit #0+41 denoting SSSE3, Supplemental SSE3, support;" 4 .IX Item "bit #0+41 denoting SSSE3, Supplemental SSE3, support;" -.IP "bit #0+43 denoting AMD XOP support (forced to zero on non-AMD CPUs);" 4 +.IP "bit #0+43 denoting AMD XOP support (forced to zero on non\-AMD CPUs);" 4 .IX Item "bit #0+43 denoting AMD XOP support (forced to zero on non-AMD CPUs);" .IP "bit #0+54 denoting availability of MOVBE instruction;" 4 .IX Item "bit #0+54 denoting availability of MOVBE instruction;" -.IP "bit #0+57 denoting AES-NI instruction set extension;" 4 +.IP "bit #0+57 denoting AES\-NI instruction set extension;" 4 .IX Item "bit #0+57 denoting AES-NI instruction set extension;" .IP "bit #0+58, XSAVE bit, lack of which in combination with MOVBE is used to identify Atom Silvermont core;" 4 .IX Item "bit #0+58, XSAVE bit, lack of which in combination with MOVBE is used to identify Atom Silvermont core;" 
@@ -178,7 +181,7 @@ CPUID.(EAX=07H,ECX=1H).EAX: .IX Item "bit #128+33 denoting availability of SM3 extension;" .IP "bit #128+34 denoting availability of SM4 extension;" 4 .IX Item "bit #128+34 denoting availability of SM4 extension;" -.IP "bit #128+55 denoting availability of AVX-IFMA extension;" 4 +.IP "bit #128+55 denoting availability of AVX\-IFMA extension;" 4 .IX Item "bit #128+55 denoting availability of AVX-IFMA extension;" .PD .SS "Notable Capability Bits for LV3" @@ -212,18 +215,18 @@ CPUID.(EAX=24H,ECX=0H).EBX: The \fBOPENSSL_ia32cap\fR environment variable provides a mechanism to override the default capability vector values at library initialization time. The variable consists of a series of 64\-bit numbers representing each -of the logical vectors (LV) described above. Each value is delimited by a '\fB:\fR'. +of the logical vectors (LV) described above. Each value is delimited by a \*(Aq\fB:\fR\*(Aq. Decimal/Octal/Hexadecimal values representations are supported. .PP \&\f(CW\*(C`env OPENSSL_ia32cap=LV0:LV1:LV2:LV3:LV4\*(C'\fR .PP -Used in this form, each non-null logical vector will *overwrite* the entire corresponding +Used in this form, each non\-null logical vector will *overwrite* the entire corresponding capability vector pair with the provided value. To keep compatibility with the behaviour of the original OPENSSL_ia32cap environment variable <env OPENSSL_ia32cap=LV0:LV1>, the next capability vector pairs will be set to zero. .PP To illustrate, the following will zero all capability bits in logical vectors 1 and further -(disable all post-AVX extensions): +(disable all post\-AVX extensions): .PP \&\f(CW\*(C`env OPENSSL_ia32cap=:0\*(C'\fR .PP 
@@ -235,7 +238,7 @@ The following will zero all capability bits only in logical vector 1: \&\f(CW\*(C`env OPENSSL_ia32cap=:0::::\*(C'\fR .PP A more likely usage scenario would be to disable specific instruction set extensions. -The '\fB~\fR' character is used to specify a bit mask of the extensions to be disabled for +The \*(Aq\fB~\fR\*(Aq character is used to specify a bit mask of the extensions to be disabled for a particular logical vector. .PP To illustrate, the following will disable AVX2 code paths and further extensions: @@ -253,7 +256,7 @@ Not all capability bits are copied from CPUID output verbatim. An example of this is the somewhat less intuitive clearing of LV0 bit #28, or ~0x10000000 in the "environment variable" terms. It has been adjusted to reflect whether or not the data cache is actually shared between logical cores. This in turn affects -the decision on whether or not expensive countermeasures against cache-timing attacks +the decision on whether or not expensive countermeasures against cache\-timing attacks are applied, most notably in AES assembler module. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_init_crypto.3 b/secure/lib/libcrypto/man/man3/OPENSSL_init_crypto.3 index ff806e798701..e2f7f622a8b1 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_init_crypto.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_init_crypto.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_INIT_CRYPTO 3ossl" -.TH OPENSSL_INIT_CRYPTO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_INIT_CRYPTO 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -91,7 +94,7 @@ and deinitialisation functions During normal operation OpenSSL (libcrypto) will allocate various resources at start up that must, subsequently, be freed on close down of the library. Additionally some resources are allocated on a per thread basis (if the -application is multi-threaded), and these resources must be freed prior to the +application is multi\-threaded), and these resources must be freed prior to the thread closing. .PP As of version 1.1.0 OpenSSL will automatically allocate all resources that it @@ -165,7 +168,7 @@ option. .IP OPENSSL_INIT_ASYNC 4 .IX Item "OPENSSL_INIT_ASYNC" With this option the library with automatically initialise the libcrypto async -sub-library (see \fBASYNC_start_job\fR\|(3)). This is a default option. +sub\-library (see \fBASYNC_start_job\fR\|(3)). This is a default option. .IP OPENSSL_INIT_ENGINE_RDRAND 4 .IX Item "OPENSSL_INIT_ENGINE_RDRAND" With this option the library will automatically load and initialise the 
@@ -234,7 +237,7 @@ automatically on application exit. This is done via the standard C library that will not call the registered \fBatexit()\fR handlers then the application should call \fBOPENSSL_cleanup()\fR directly. Developers of libraries using OpenSSL are discouraged from calling this function and should instead, typically, rely -on auto-deinitialisation. This is to avoid error conditions where both an +on auto\-deinitialisation. This is to avoid error conditions where both an application and a library it depends on both use OpenSSL, and the library deinitialises it before the application has finished using it. .PP @@ -276,7 +279,7 @@ The \fBOPENSSL_INIT_LOAD_CONFIG\fR flag will load a configuration file, as with \&\fBCONF_MFLAGS_IGNORE_MISSING_FILE\fR, \fBCONF_MFLAGS_IGNORE_RETURN_CODES\fR and \&\fBCONF_MFLAGS_DEFAULT_SECTION\fR flags. The filename, application name, and flags can be customized by providing a -non-null \fBOPENSSL_INIT_SETTINGS\fR object. +non\-null \fBOPENSSL_INIT_SETTINGS\fR object. The object can be allocated via \fBOPENSSL_INIT_new()\fR. The \fBOPENSSL_INIT_set_config_filename()\fR function can be used to specify a nondefault filename, which is copied and need not refer to persistent storage. @@ -304,7 +307,7 @@ threads are not destroyed until after \fBFreeLibrary()\fR is called then each th should call \fBOPENSSL_thread_stop()\fR prior to the \fBFreeLibrary()\fR call. .PP On Linux/Unix where OpenSSL has been loaded via \fBdlopen()\fR and the application is -multi-threaded and if \fBdlclose()\fR is subsequently called prior to the threads +multi\-threaded and if \fBdlclose()\fR is subsequently called prior to the threads being destroyed then OpenSSL will not be able to deallocate resources associated with those threads. The application should either call \fBOPENSSL_thread_stop()\fR on each thread prior to the \fBdlclose()\fR call, or alternatively the original \fBdlopen()\fR 
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_init_ssl.3 b/secure/lib/libcrypto/man/man3/OPENSSL_init_ssl.3 index b806e541e6e1..6318e40448a6 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_init_ssl.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_init_ssl.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_INIT_SSL 3ossl" -.TH OPENSSL_INIT_SSL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_INIT_SSL 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -74,7 +77,7 @@ OPENSSL_init_ssl \- OpenSSL (libssl and libcrypto) initialisation During normal operation OpenSSL (libssl and libcrypto) will allocate various resources at start up that must, subsequently, be freed on close down of the library. Additionally some resources are allocated on a per thread basis (if the -application is multi-threaded), and these resources must be freed prior to the +application is multi\-threaded), and these resources must be freed prior to the thread closing. .PP As of version 1.1.0 OpenSSL will automatically allocate all resources that it diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_instrument_bus.3 b/secure/lib/libcrypto/man/man3/OPENSSL_instrument_bus.3 index eafa7a60c313..47465c57b532 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_instrument_bus.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_instrument_bus.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_INSTRUMENT_BUS 3ossl" -.TH OPENSSL_INSTRUMENT_BUS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_INSTRUMENT_BUS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -73,13 +76,13 @@ OPENSSL_instrument_bus, OPENSSL_instrument_bus2 \- instrument references to memo .SH DESCRIPTION .IX Header "DESCRIPTION" It was empirically found that timings of references to primary memory -are subject to irregular, apparently non-deterministic variations. The +are subject to irregular, apparently non\-deterministic variations. The subroutines in question instrument these references for purposes of gathering randomness for random number generator. In order to make it -bus-bound a 'flush cache line' instruction is used between probes. In +bus\-bound a \*(Aqflush cache line\*(Aq instruction is used between probes. In addition probes are added to \fBvector\fR elements in atomic or interlocked manner, which should contribute additional noise on -multi-processor systems. This also means that \fBvector[num]\fR should be +multi\-processor systems. This also means that \fBvector[num]\fR should be zeroed upon invocation (if you want to retrieve actual probe values). .PP \&\fBOPENSSL_instrument_bus()\fR performs \fBnum\fR probes and records the number of 
@@ -93,9 +96,9 @@ with \fBmax\fR value of 0 meaning "as many as it takes." .SH "RETURN VALUES" .IX Header "RETURN VALUES" Return value of 0 indicates that CPU is not capable of performing the -benchmark, either because oscillator counter or 'flush cache line' is -not available on current platform. For reference, on x86 'flush cache -line' was introduced with the SSE2 extensions. +benchmark, either because oscillator counter or \*(Aqflush cache line\*(Aq is +not available on current platform. For reference, on x86 \*(Aqflush cache +line\*(Aq was introduced with the SSE2 extensions. .PP Otherwise number of recorded values is returned. .SH COPYRIGHT diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_load_builtin_modules.3 b/secure/lib/libcrypto/man/man3/OPENSSL_load_builtin_modules.3 index f295f970cf95..907c18b8ddf9 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_load_builtin_modules.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_load_builtin_modules.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_LOAD_BUILTIN_MODULES 3ossl" -.TH OPENSSL_LOAD_BUILTIN_MODULES 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_LOAD_BUILTIN_MODULES 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_load_u16_le.3 b/secure/lib/libcrypto/man/man3/OPENSSL_load_u16_le.3 index d74866fe731f..e340aacace31 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_load_u16_le.3 
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_load_u16_le.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_LOAD_U16_LE 3ossl" -.TH OPENSSL_LOAD_U16_LE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_LOAD_U16_LE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -101,10 +104,10 @@ Read and write unsigned 16, 32 and 64\-bit integers in a specific byte order .IX Header "DESCRIPTION" These functions read and write 16, 32 and 64 bit unsigned integers in a specified byte order. -The \f(CW\*(C`_be\*(C'\fR functions use big-endian byte order, while the \f(CW\*(C`_le\*(C'\fR functions use -little-endian byte order. -They're implemented directly in the header file, and declared static. When the -compiler supports inline functions, they're also declared inline. +The \f(CW\*(C`_be\*(C'\fR functions use big\-endian byte order, while the \f(CW\*(C`_le\*(C'\fR functions use +little\-endian byte order. +They\*(Aqre implemented directly in the header file, and declared static. When the +compiler supports inline functions, they\*(Aqre also declared inline. An optimising compiler will often convert these to just one or two machine instructions: a load or store with a possible byte swap. .PP diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_malloc.3 b/secure/lib/libcrypto/man/man3/OPENSSL_malloc.3 index c774725b62da..fd53a8a13192 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_malloc.3 
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_malloc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_MALLOC 3ossl" -.TH OPENSSL_MALLOC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_MALLOC 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -150,8 +153,8 @@ see \fBopenssl_user_macros\fR\|(7): .SH DESCRIPTION .IX Header "DESCRIPTION" OpenSSL memory allocation is handled by the \fBOPENSSL_xxx\fR API. These are -generally macro's that add the standard C \fB_\|_FILE_\|_\fR and \fB_\|_LINE_\|_\fR -parameters and call a lower-level \fBCRYPTO_xxx\fR API. +generally macro\*(Aqs that add the standard C \fB_\|_FILE_\|_\fR and \fB_\|_LINE_\|_\fR +parameters and call a lower\-level \fBCRYPTO_xxx\fR API. Some functions do not add those parameters, but exist for consistency. .PP \&\fBOPENSSL_malloc_init()\fR does nothing and does not need to be called. It is 
@@ -177,17 +180,21 @@ the returned pointer. .PP \&\fBOPENSSL_clear_realloc()\fR and \fBOPENSSL_clear_free()\fR should be used when the buffer at \fBaddr\fR holds sensitive information. -The old buffer is filled with zero's by calling \fBOPENSSL_cleanse()\fR +The old buffer is filled with zero\*(Aqs by calling \fBOPENSSL_cleanse()\fR before ultimately calling \fBOPENSSL_free()\fR. If the argument to \fBOPENSSL_free()\fR is NULL, nothing is done. .PP -\&\fBOPENSSL_cleanse()\fR fills \fBptr\fR of size \fBlen\fR with a string of 0's. +\&\fBOPENSSL_cleanse()\fR fills \fBptr\fR of size \fBlen\fR with a string of 0\*(Aqs. +It is useful in cases when it is needed to ensure that memory (that contains +sensitive information) is overwritten (for example, before it is reclaimed, +or when it is stored on stack), and such operation is not optimised out +by compiler optimisations such as dead store elimination (as \fBmemset\fR\|(3) may be). Use \fBOPENSSL_cleanse()\fR with care if the memory is a mapping of a file. -If the storage controller uses write compression, then it's possible +If the storage controller uses write compression, then it\*(Aqs possible that sensitive tail bytes will survive zeroization because the block of zeros will be compressed. If the storage controller uses wear leveling, then the old sensitive data will not be overwritten; rather, a block of -0's will be written at a new physical location. +0\*(Aqs will be written at a new physical location. .PP \&\fBOPENSSL_strdup()\fR, \fBOPENSSL_strndup()\fR and \fBOPENSSL_memdup()\fR are like the equivalent C functions, except that memory is allocated by calling the 
@@ -211,8 +218,8 @@ function pointers for the current implementations. With \fBCRYPTO_set_mem_functions()\fR, you can specify a different set of functions. If any of \fBmalloc_fn\fR, \fBrealloc_fn\fR, or \fBfree_fn\fR are NULL, then the function is not changed. -While it's permitted to swap out only a few and not all the functions -with \fBCRYPTO_set_mem_functions()\fR, it's recommended to swap them all out +While it\*(Aqs permitted to swap out only a few and not all the functions +with \fBCRYPTO_set_mem_functions()\fR, it\*(Aqs recommended to swap them all out at once. .PP If the library is built with the \f(CW\*(C`crypto\-mdebug\*(C'\fR option, then one @@ -267,11 +274,11 @@ return a pointer to allocated memory or NULL on error. always because allocations have already happened). .PP \&\fBCRYPTO_mem_leaks()\fR, \fBCRYPTO_mem_leaks_fp()\fR, \fBCRYPTO_mem_leaks_cb()\fR, -\&\fBCRYPTO_set_mem_debug()\fR, and \fBCRYPTO_mem_ctrl()\fR are deprecated and are no-ops that +\&\fBCRYPTO_set_mem_debug()\fR, and \fBCRYPTO_mem_ctrl()\fR are deprecated and are no\-ops that always return \-1. \&\fBOPENSSL_mem_debug_push()\fR, \fBOPENSSL_mem_debug_pop()\fR, \&\fBCRYPTO_mem_debug_push()\fR, and \fBCRYPTO_mem_debug_pop()\fR -are deprecated and are no-ops that always return 0. +are deprecated and are no\-ops that always return 0. .PP \&\fBOPENSSL_strtoul()\fR returns 1 on success and 0 in the event that an error has occurred. Specifically, 0 is returned in the following events: @@ -291,7 +298,7 @@ translation has been performed. For instance calling .Ve .PP will result in a successful translation with num having the value 0, and -*endptr = 'x'. Be sure to validate how much data was consumed when calling this +*endptr = \*(Aqx\*(Aq. Be sure to validate how much data was consumed when calling this function. .SH HISTORY .IX Header "HISTORY" 
@@ -300,8 +307,8 @@ function. \&\fBCRYPTO_mem_leaks()\fR, \fBCRYPTO_mem_leaks_fp()\fR, \&\fBCRYPTO_mem_leaks_cb()\fR, \fBCRYPTO_set_mem_debug()\fR, \fBCRYPTO_mem_ctrl()\fR were deprecated in OpenSSL 3.0. -The memory-leak checking has been deprecated in OpenSSL 3.0 in favor of -clang's memory and leak sanitizer. +The memory\-leak checking has been deprecated in OpenSSL 3.0 in favor of +clang\*(Aqs memory and leak sanitizer. \&\fBOPENSSL_aligned_alloc()\fR, \fBCRYPTO_aligned_alloc()\fR, \fBOPENSSL_strtoul()\fR were added in OpenSSL 3.4. .SH COPYRIGHT diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_ppccap.3 b/secure/lib/libcrypto/man/man3/OPENSSL_ppccap.3 new file mode 100644 index 000000000000..6b4f7256b62c --- /dev/null +++ b/secure/lib/libcrypto/man/man3/OPENSSL_ppccap.3 
@@ -0,0 +1,206 @@ +.\" -*- mode: troff; coding: utf-8 -*- +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>. +.ie n \{\ +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{\ +. if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +. \} +.\} +.rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l +.\" ======================================================================== +.\" +.IX Title "OPENSSL_PPCCAP 3ossl" +.TH OPENSSL_PPCCAP 3ossl 2026-01-27 3.5.5 OpenSSL +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH NAME +OPENSSL_ppccap \- the PowerPC processor capabilities vector +.SH SYNOPSIS +.IX Header "SYNOPSIS" +.Vb 1 +\& env OPENSSL_ppccap=... <application> +.Ve +.SH DESCRIPTION +.IX Header "DESCRIPTION" +libcrypto supports PowerPC instruction set extensions. These extensions are +represented by bits in the PowerPC capabilities vector. 
When libcrypto +initializes, it stores the results returned by PowerPC CPU capabilities detection +logic in the PowerPC capabilities vector. The CPU capabilities detection methods +are OS\-dependent and use a combination of information gathered by the kernel +during boot and probe functions that attempt to execute instructions and trap +illegal instruction signals with a signal handler. +.PP +To override the set of extensions available to an application, you can set the +\&\fBOPENSSL_ppccap\fR environment variable before you start the application. The +environment variable is assigned a numerical value that denotes the bits in +the PowerPC capabilities vector. The ppc_arch.h header file states that, "Flags\*(Aq +usage can appear ambiguous, because they are set rather to reflect OpenSSL +performance preferences than actual processor capabilities." +.PP +Multiple extensions are enabled by logically OR\-ing the values that represent the +desired extensions. +.PP +\&\fBNotes\fR: Enabling an extension on a CPU that does not support the extension +will result in a SIGILL crash. On AIX, all vector instructions can be disabled +with the schedo \-ro allow_vmx=0 command. DO NOT USE THIS COMMAND to disable +vector instructions in the OS when it is running on a CPU level that supports the +instructions without also disabling them in libcrpto via the OPENSSL_ppccap +environment variable or the application will crash with a SIGILL. +.PP +Currently, the following extensions are defined: +.IP 0x01 4 +.IX Item "0x01" +Name: \fBPPC_FPU64\fR +.Sp +This flag is obsolete. +.IP 0x02 4 +.IX Item "0x02" +Name: \fBPPC_ALTIVEC\fR +.Sp +Meaning: Use AltiVec (aka VMX) instructions. In some but not all cases, this +capability gates the use of later ISA vector instructions. The associated probe +instruction is vor (vector logical or). +.Sp +Effect: Enables use of vector instructions but does not enable extensions added +at specific ISA levels. 
However, disabling this capability disables a subset of +vector extensions added at specific ISA levels even if they are otherwise +enabled. +.IP 0x04 4 +.IX Item "0x04" +Name: \fBPPC_CRYPTO207\fR +.Sp +Meaning: Use instructions added in ISA level 2.07. The associated probe +instruction instruction is vcipher (vector AES cipher round). +.Sp +Effect: Enables AES, SHA\-2 sigma, and other ISA 2.07 instructions for AES, SHA\-2, +GHASH, and Poly1305. +.IP 0x08 4 +.IX Item "0x08" +Name: \fBPPC_FPU\fR +.Sp +Meaning: Use FPU instructions. The associated probe instruction is fmr (floating +move register). +.Sp +Effect: Enables Poly1305 FPU implementation. The PPC_CRYPTO207 capability +overrides this effect. +.IP 0x10 4 +.IX Item "0x10" +Name: \fBPPC_MADD300\fR +.Sp +Meaning: Use instructions added in ISA level 3.00. The associated probe +instruction is maddhdu (multiply\-add high doubleword unsigned). +.Sp +Effect: Enables use of the polynomial multiply and other ISA 3.00 instructions +for AES\-GCM, P\-384, and P\-521. +.IP 0x20 4 +.IX Item "0x20" +Name: \fBPPC_MFTB\fR +.Sp +Meaning: Use the mftb (move from time base) instruction. The associated probe +instruction is mftb. +.Sp +Effect: Enables use of the mftb instruction to sample the lower 32 bits of the +CPU time base register in order to acquire entropy. Considered obsolete. The +PPC_MFSPR268 capability overrides this capability. +.IP 0x40 4 +.IX Item "0x40" +Name: \fBPPC_MFSPR268\fR +.Sp +Meaning: Use the mfspr (move from special purpose register) instruction to +read SPR 268. The associated probe instruction is mfspr 268. +.Sp +Effect: Enables use of the mfspr instruction to sample the lower 32 bits of the +CPU time base register from SPR 268, the TBL (time base lower) register, in order +to acquire entropy. +.IP 0x80 4 +.IX Item "0x80" +Name: \fBPPC_BRD31\fR +.Sp +Meaning: Use instructions added in ISA level 3.1. The associated probe instruction +is brd (byte\-reverse doubleword). 
+.Sp +Effect: Enables use of ISA 3.1 instructions in ChaCha20. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +Not available. +.SH EXAMPLES +.IX Header "EXAMPLES" +Check currently detected capabilities: +.PP +.Vb 2 +\& $ openssl info \-cpusettings +\& OPENSSL_ppccap=0x2E +.Ve +.PP +The detected capabilities in the above example indicate that PPC_MFTB, PPC_FPU, +PPC_CRYPTO207, PPC_MFSPR268, and PPC_ALTIVEC are enabled. +.PP +Disable all instruction set extensions: +.PP +.Vb 1 +\& OPENSSL_ppccap=0x00 +.Ve +.PP +Enable base AltiVec extensions: +.PP +.Vb 1 +\& OPENSSL_ppccap=0x02 +.Ve +.SH COPYRIGHT +.IX Header "COPYRIGHT" +Copyright 2025 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_riscvcap.3 b/secure/lib/libcrypto/man/man3/OPENSSL_riscvcap.3 index e8dec8930974..305aa3faaf82 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_riscvcap.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_riscvcap.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_RISCVCAP 3ossl" -.TH OPENSSL_RISCVCAP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_RISCVCAP 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -69,18 +72,18 @@ OPENSSL_riscvcap \- the RISC\-V processor capabilities vector .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -libcrypto supports RISC-V instruction set extensions. These +libcrypto supports RISC\-V instruction set extensions. These extensions are denoted by individual extension names in the capabilities vector. For Linux platform, when libcrypto is initialized, the results -returned by the RISC-V Hardware Probing syscall (hwprobe) are stored +returned by the RISC\-V Hardware Probing syscall (hwprobe) are stored in the vector. Otherwise all capabilities are disabled. .PP To override the set of instructions available to an application, you can set the \fBOPENSSL_riscvcap\fR environment variable before you start the application. .PP -The environment variable is similar to the RISC-V ISA string defined in the -RISC-V Instruction Set Manual. It is case insensitive. Though due to the limit +The environment variable is similar to the RISC\-V ISA string defined in the +RISC\-V Instruction Set Manual. It is case insensitive. Though due to the limit of the environment variable parser inside libcrypto, an extension must be prefixed with an underscore to make it recognizable. This also applies to the Vector extension. 
@@ -101,27 +104,27 @@ Address Generation Could be detected using hwprobe for Linux kernel >= 6.5 .IP ZBB 4 .IX Item "ZBB" -Basic bit-manipulation +Basic bit\-manipulation .Sp Could be detected using hwprobe for Linux kernel >= 6.5 .IP ZBC 4 .IX Item "ZBC" -Carry-less multiplication +Carry\-less multiplication .Sp Could be detected using hwprobe for Linux kernel >= 6.8 .IP ZBS 4 .IX Item "ZBS" -Single-bit instructions +Single\-bit instructions .Sp Could be detected using hwprobe for Linux kernel >= 6.5 .IP ZBKB 4 .IX Item "ZBKB" -Bit-manipulation for Cryptography +Bit\-manipulation for Cryptography .Sp Could be detected using hwprobe for Linux kernel >= 6.8 .IP ZBKC 4 .IX Item "ZBKC" -Carry-less multiplication for Cryptography +Carry\-less multiplication for Cryptography .Sp Could be detected using hwprobe for Linux kernel >= 6.8 .IP ZBKX 4 @@ -169,7 +172,7 @@ Vector Extension for Application Processors Could be detected using hwprobe for Linux kernel >= 6.5 .IP ZVBB 4 .IX Item "ZVBB" -Vector Basic Bit-manipulation +Vector Basic Bit\-manipulation .Sp Could be detected using hwprobe for Linux kernel >= 6.8 .IP ZVBC 4 @@ -179,7 +182,7 @@ Vector Carryless Multiplication Could be detected using hwprobe for Linux kernel >= 6.8 .IP ZVKB 4 .IX Item "ZVKB" -Vector Cryptography Bit-manipulation +Vector Cryptography Bit\-manipulation .Sp Could be detected using hwprobe for Linux kernel >= 6.8 .IP ZVKG 4 
@@ -221,19 +224,25 @@ Check currently detected capabilities .PP .Vb 2 \& $ openssl info \-cpusettings -\& OPENSSL_riscvcap=ZBA_ZBB_ZBC_ZBS_V +\& OPENSSL_riscvcap=RV64GC_ZBA_ZBB_ZBC_ZBS_V vlen:256 .Ve .PP +Note: The first word in the displayed capabilities is the RISC\-V base +architecture value, which is derived from the compiler configuration. +It is therefore not overridable by the environment variable. +When the V extension is given the riscv_vlen value is always displayed, +there is no way to override the riscv_vlen by the environment variable. +.PP Disables all instruction set extensions: .PP .Vb 1 -\& OPENSSL_riscvcap="rv64gc" +\& export OPENSSL_riscvcap="rv64gc" .Ve .PP Only enable the vector extension: .PP .Vb 1 -\& OPENSSL_riscvcap="rv64gc_v" +\& export OPENSSL_riscvcap="rv64gc_v" .Ve .SH COPYRIGHT .IX Header "COPYRIGHT" diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_s390xcap.3 b/secure/lib/libcrypto/man/man3/OPENSSL_s390xcap.3 index ce151ff66887..fb04282c4643 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_s390xcap.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_s390xcap.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_S390XCAP 3ossl" -.TH OPENSSL_S390XCAP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_S390XCAP 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -79,7 +82,7 @@ set the \fBOPENSSL_s390xcap\fR environment variable before you start the application. After initialization, the capability vector is ANDed bitwise with a mask which is derived from the environment variable. .PP -The environment variable is a semicolon-separated list of tokens which is +The environment variable is a semicolon\-separated list of tokens which is processed from left to right (whitespace is ignored): .PP .Vb 1 @@ -89,7 +92,7 @@ processed from left to right (whitespace is ignored): There are four types of tokens: .IP <string> 4 .IX Item "<string>" -The name of a processor generation. A bit in the environment variable's +The name of a processor generation. A bit in the environment variable\*(Aqs mask is set to one if and only if the specified processor generation implements the corresponding instruction set extension. Possible values are \fBz900\fR, \fBz990\fR, \fBz9\fR, \fBz10\fR, \fBz196\fR, \fBzEC12\fR, \fBz13\fR, \fBz14\fR, 
@@ -97,14 +100,14 @@ are \fBz900\fR, \fBz990\fR, \fBz9\fR, \fBz10\fR, \fBz196\fR, \fBzEC12\fR, \fBz13 .IP <string>:<mask>:<mask> 4 .IX Item "<string>:<mask>:<mask>" The name of an instruction followed by two 64\-bit masks. The part of the -environment variable's mask corresponding to the specified instruction is +environment variable\*(Aqs mask corresponding to the specified instruction is set to the specified 128\-bit mask. Possible values are \fBkimd\fR, \fBklmd\fR, \&\fBkm\fR, \fBkmc\fR, \fBkmac\fR, \fBkmctr\fR, \fBkmo\fR, \fBkmf\fR, \fBprno\fR, \fBkma\fR, \fBpcc\fR and \fBkdsa\fR. .IP stfle:<mask>:<mask>:<mask> 4 .IX Item "stfle:<mask>:<mask>:<mask>" -Store-facility-list-extended (stfle) followed by three 64\-bit masks. The -part of the environment variable's mask corresponding to the stfle +Store\-facility\-list\-extended (stfle) followed by three 64\-bit masks. The +part of the environment variable\*(Aqs mask corresponding to the stfle instruction is set to the specified 192\-bit mask. .IP nocex 4 .IX Item "nocex" @@ -248,7 +251,7 @@ Disables the vector facility: \& OPENSSL_s390xcap="stfle:~0:~0:~0x4000000000000000" .Ve .PP -Disables the KM-XTS-AES and the KIMD-SHAKE function codes: +Disables the KM\-XTS\-AES and the KIMD\-SHAKE function codes: .PP .Vb 1 \& OPENSSL_s390xcap="km:~0x2800:~0;kimd:~0xc000000:~0" diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_secure_malloc.3 b/secure/lib/libcrypto/man/man3/OPENSSL_secure_malloc.3 index b873a8b88d49..24a2fa9cd254 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_secure_malloc.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_secure_malloc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_SECURE_MALLOC 3ossl" -.TH OPENSSL_SECURE_MALLOC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_SECURE_MALLOC 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -98,9 +101,9 @@ CRYPTO_secure_used \- secure heap storage .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -In order to help protect applications (particularly long-running servers) +In order to help protect applications (particularly long\-running servers) from pointer overruns or underruns that could return arbitrary data from -the program's dynamic memory area, where keys and other sensitive +the program\*(Aqs dynamic memory area, where keys and other sensitive information might be stored, OpenSSL supports the concept of a "secure heap." The level and type of security guarantees depend on the operating system. It is a good idea to review the code and see if it addresses your @@ -109,10 +112,10 @@ uses a single read/write lock, and therefore any operations that involve allocation or freeing of secure heap memory are serialised, blocking other threads. With that in mind, highly concurrent applications should enable the secure heap with caution and be aware of the performance -implications for multi-threaded code. +implications for multi\-threaded code. .PP If a secure heap is used, then private key \fBBIGNUM\fR values are stored there. -This protects long-term storage of private keys, but will not necessarily +This protects long\-term storage of private keys, but will not necessarily put all intermediate values and computations there. .PP \&\fBCRYPTO_secure_malloc_init()\fR creates the secure heap, with the specified 
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_strcasecmp.3 b/secure/lib/libcrypto/man/man3/OPENSSL_strcasecmp.3 index 1e48b7b4e77e..0c63b3799b8d 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_strcasecmp.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_strcasecmp.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_STRCASECMP 3ossl" -.TH OPENSSL_STRCASECMP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_STRCASECMP 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -72,13 +75,13 @@ OPENSSL_strcasecmp, OPENSSL_strncasecmp \- compare two strings ignoring case .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The OPENSSL_strcasecmp function performs a byte-by-byte comparison of the strings +The OPENSSL_strcasecmp function performs a byte\-by\-byte comparison of the strings \&\fBs1\fR and \fBs2\fR, ignoring the case of the characters. .PP The OPENSSL_strncasecmp function is similar, except that it compares no more than \&\fBn\fR bytes of \fBs1\fR and \fBs2\fR. .PP -In POSIX-compatible system and on Windows these functions use "C" locale for +In POSIX\-compatible system and on Windows these functions use "C" locale for case insensitive. Otherwise the comparison is done in current locale. .SH "RETURN VALUES" .IX Header "RETURN VALUES" 
@@ -87,9 +90,9 @@ s1 is found, respectively, to be less than, to match, or be greater than s2. .SH NOTES .IX Header "NOTES" OpenSSL extensively uses case insensitive comparison of ASCII strings. Though -OpenSSL itself is locale-agnostic, the applications using OpenSSL libraries may +OpenSSL itself is locale\-agnostic, the applications using OpenSSL libraries may unpredictably suffer when they use localization (e.g. Turkish locale is -well-known with a specific I/i cases). These functions use C locale for string +well\-known with a specific I/i cases). These functions use C locale for string comparison. .SH HISTORY .IX Header "HISTORY" diff --git a/secure/lib/libcrypto/man/man3/OSSL_ALGORITHM.3 b/secure/lib/libcrypto/man/man3/OSSL_ALGORITHM.3 index 5d0a0e5383af..2b35b554bf36 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_ALGORITHM.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_ALGORITHM.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_ALGORITHM 3ossl" -.TH OSSL_ALGORITHM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_ALGORITHM 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -86,7 +89,7 @@ properties. Arrays of this type must be terminated with a tuple where \fIalgorithm_names\fR is NULL. .PP -This type of array is typically returned by the provider's operation querying +This type of array is typically returned by the provider\*(Aqs operation querying function, further described in "Provider Functions" in \fBprovider\-base\fR\|(7). .SS "\fBOSSL_ALGORITHM\fP fields" .IX Subsection "OSSL_ALGORITHM fields" @@ -105,8 +108,8 @@ known identities: .IP \(bu 4 \&\f(CW\*(C`rsaEncryption\*(C'\fR .Sp -This is the name of the algorithm's OBJECT IDENTIFIER (OID), as given by the -PKCS#1 RFC's ASN.1 module <https://www.rfc-editor.org/rfc/rfc8017#appendix-C> +This is the name of the algorithm\*(Aqs OBJECT IDENTIFIER (OID), as given by the +PKCS#1 RFC\*(Aqs ASN.1 module <https://www.rfc-editor.org/rfc/rfc8017#appendix-C> .IP \(bu 4 \&\f(CW1.2.840.113549.1.1.1\fR .Sp @@ -125,7 +128,7 @@ or canonical name, on a per algorithm implementation basis. .Sp See the notes "On the subject of algorithm names" below for a more in depth discussion on \fIalgorithm_names\fR and how that may interact with -applications and libraries, including OpenSSL's. +applications and libraries, including OpenSSL\*(Aqs. .RE .IP \fIproperty_definition\fR 4 .IX Item "property_definition" @@ -143,7 +146,7 @@ Pointer to an \fBOSSL_DISPATCH\fR\|(3) array, containing pointers to the functions of a particular algorithm implementation. .IP \fIalgorithm_description\fR 4 .IX Item "algorithm_description" -A string with a short human-readable description of the algorithm. +A string with a short human\-readable description of the algorithm. .SH NOTES .IX Header "NOTES" .SS "On the subject of algorithm names" 
@@ -153,16 +156,16 @@ Providers may find the need to register ASN.1 OIDs for algorithms using \&\fBprovider\-base\fR\|(7), because some application or library \-\- possibly still the OpenSSL libraries, even \-\- use NIDs to look up algorithms. .PP -In that scenario, you must make sure that the corresponding \fBOSSL_ALGORITHM\fR's +In that scenario, you must make sure that the corresponding \fBOSSL_ALGORITHM\fR\*(Aqs \&\fIalgorithm_names\fR includes both the short and the long name. .PP -Most of the time, registering ASN.1 OIDs like this shouldn't be necessary, +Most of the time, registering ASN.1 OIDs like this shouldn\*(Aqt be necessary, and applications and libraries are encouraged to use \fBOBJ_obj2txt\fR\|(3) to get a text representation of the OID, which may be a long or short name for OIDs that are registered, or the OID itself in canonical decimal text form if not (or if \fBOBJ_obj2txt\fR\|(3) is called with \fIno_name\fR = 1). .PP -It's recommended to make sure that the corresponding \fBOSSL_ALGORITHM\fR's +It\*(Aqs recommended to make sure that the corresponding \fBOSSL_ALGORITHM\fR\*(Aqs \&\fIalgorithm_names\fR include known names as well as the OID itself in canonical decimal text form. That should cover all scenarios. .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/OSSL_CALLBACK.3 b/secure/lib/libcrypto/man/man3/OSSL_CALLBACK.3 index 03dd66bdfc25..0ae5b7140c96 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CALLBACK.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CALLBACK.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CALLBACK 3ossl" -.TH OSSL_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CALLBACK 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -83,7 +86,7 @@ Callback functions themselves are always provided by or through the calling OpenSSL libraries, along with a generic pointer to data \fIarg\fR. As far as the function receiving the pointer to the function pointer and \fIarg\fR is concerned, the data that \fIarg\fR points at is opaque, and the pointer should -simply be passed back to the callback function when it's called. +simply be passed back to the callback function when it\*(Aqs called. .IP \fBOSSL_CALLBACK\fR 4 .IX Item "OSSL_CALLBACK" This is a generic callback function. When calling this callback function, diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_ATAV_set0.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_ATAV_set0.3 index 3f71e60293e1..ca1985a28c0d 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_ATAV_set0.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_ATAV_set0.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_ATAV_SET0 3ossl" -.TH OSSL_CMP_ATAV_SET0 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_ATAV_SET0 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -138,7 +141,7 @@ pointed to by \fI*sk_p\fR. It creates a new stack if \fI*sk_p\fR points to NULL. \&\fBOSSL_CMP_ATAV_free()\fR deallocates \fIatav\fR. It is defined as a macro. .SH NOTES .IX Header "NOTES" -CMP is defined in RFC 4210. CRMF is defined in RFC 4211. +CMP is defined in RFC 9810. CRMF is defined in RFC 4211. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_CMP_ATAV_create()\fR, diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_CTX_new.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_CTX_new.3 index d3fcb15c3088..1020a4584897 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_CTX_new.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_CTX_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_CTX_NEW 3ossl" -.TH OSSL_CMP_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_CTX_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -246,7 +249,7 @@ both of which may be NULL to select the defaults. It initializes the remaining fields to their default values \- for instance, the logging verbosity is set to OSSL_CMP_LOG_INFO, the message timeout is set to 120 seconds, -and the proof-of-possession method is set to OSSL_CRMF_POPO_SIGNATURE. +and the proof\-of\-possession method is set to OSSL_CRMF_POPO_SIGNATURE. .PP \&\fBOSSL_CMP_CTX_free()\fR deallocates an OSSL_CMP_CTX structure. If the argument is NULL, nothing is done. @@ -283,7 +286,7 @@ i.e., in case the server does not grant them an error occurs. The default value is 1: prefer to keep the connection open. .IP \fBOSSL_CMP_OPT_MSG_TIMEOUT\fR 4 .IX Item "OSSL_CMP_OPT_MSG_TIMEOUT" -Number of seconds a CMP request-response message round trip +Number of seconds a CMP request\-response message round trip is allowed to take before a timeout error is returned. A value <= 0 means no limitation (waiting indefinitely). Default is to use the \fBOSSL_CMP_OPT_TOTAL_TIMEOUT\fR setting. @@ -297,12 +300,12 @@ Default is 0. .IX Item "OSSL_CMP_OPT_USE_TLS" Use this option to indicate to the HTTP implementation whether TLS is going to be used for the connection (resulting in HTTPS). -The value 1 indicates that TLS is used for client-side HTTP connections, +The value 1 indicates that TLS is used for client\-side HTTP connections, which needs to be implemented via a callback function set by \&\fBOSSL_CMP_CTX_set_http_cb()\fR. The value 0 indicates that TLS is not used. Default is \-1 for backward compatibility: TLS is used by the client side -if and only if \fBOSSL_CMP_CTX_set_http_cb_arg()\fR sets a non-NULL \fIarg\fR. +if and only if \fBOSSL_CMP_CTX_set_http_cb_arg()\fR sets a non\-NULL \fIarg\fR. .IP \fBOSSL_CMP_OPT_VALIDITY_DAYS\fR 4 .IX Item "OSSL_CMP_OPT_VALIDITY_DAYS" Number of days new certificates are asked to be valid for. 
@@ -331,18 +334,18 @@ Select the proof of possession method to use. Possible values are: \& ("indirect method") .Ve .Sp -Note that a signature-based POPO can only be produced if a private key -is provided as the newPkey or client's pkey component of the CMP context. +Note that a signature\-based POPO can only be produced if a private key +is provided as the newPkey or client\*(Aqs pkey component of the CMP context. .IP \fBOSSL_CMP_OPT_DIGEST_ALGNID\fR 4 .IX Item "OSSL_CMP_OPT_DIGEST_ALGNID" -The NID of the digest algorithm to be used in RFC 4210's MSG_SIG_ALG -for signature-based message protection and Proof-of-Possession (POPO). +The NID of the digest algorithm to be used in RFC 9810\*(Aqs MSG_SIG_ALG +for signature\-based message protection and Proof\-of\-Possession (POPO). Default is SHA256. -.IP "\fBOSSL_CMP_OPT_OWF_ALGNID\fR The NID of the digest algorithm to be used as one-way function (OWF) for MAC-based message protection with password-based MAC (PBM). See RFC 4210 section 5.1.3.1 for details. Default is SHA256." 4 -.IX Item "OSSL_CMP_OPT_OWF_ALGNID The NID of the digest algorithm to be used as one-way function (OWF) for MAC-based message protection with password-based MAC (PBM). See RFC 4210 section 5.1.3.1 for details. Default is SHA256." +.IP "\fBOSSL_CMP_OPT_OWF_ALGNID\fR The NID of the digest algorithm to be used as one\-way function (OWF) for MAC\-based message protection with password\-based MAC (PBM). See RFC 9810 section 5.1.3.1 for details. Default is SHA256." 4 +.IX Item "OSSL_CMP_OPT_OWF_ALGNID The NID of the digest algorithm to be used as one-way function (OWF) for MAC-based message protection with password-based MAC (PBM). See RFC 9810 section 5.1.3.1 for details. Default is SHA256." .PD 0 -.IP "\fBOSSL_CMP_OPT_MAC_ALGNID\fR The NID of the MAC algorithm to be used for message protection with PBM. Default is HMAC\-SHA1 as per RFC 4210." 4 -.IX Item "OSSL_CMP_OPT_MAC_ALGNID The NID of the MAC algorithm to be used for message protection with PBM. 
Default is HMAC-SHA1 as per RFC 4210." +.IP "\fBOSSL_CMP_OPT_MAC_ALGNID\fR The NID of the MAC algorithm to be used for message protection with PBM. Default is HMAC\-SHA1, for backward compatibility with RFC 4210." 4 +.IX Item "OSSL_CMP_OPT_MAC_ALGNID The NID of the MAC algorithm to be used for message protection with PBM. Default is HMAC-SHA1, for backward compatibility with RFC 4210." .IP \fBOSSL_CMP_OPT_REVOCATION_REASON\fR 4 .IX Item "OSSL_CMP_OPT_REVOCATION_REASON" .PD @@ -360,10 +363,10 @@ Do not confirm enrolled certificates, to cope with broken servers not supporting implicit confirmation correctly. \&\fBWARNING:\fR This setting leads to unspecified behavior and it is meant exclusively to allow interoperability with server implementations violating -RFC 4210. +RFC 9810. .IP \fBOSSL_CMP_OPT_UNPROTECTED_SEND\fR 4 .IX Item "OSSL_CMP_OPT_UNPROTECTED_SEND" -Send request or response messages without CMP-level protection. +Send request or response messages without CMP\-level protection. .IP \fBOSSL_CMP_OPT_UNPROTECTED_ERRORS\fR 4 .IX Item "OSSL_CMP_OPT_UNPROTECTED_ERRORS" Accept unprotected error responses which are either explicitly 
@@ -372,12 +375,12 @@ error messages as well as certificate responses (IP/CP/KUP) and revocation responses (RP) with rejection. \&\fBWARNING:\fR This setting leads to unspecified behavior and it is meant exclusively to allow interoperability with server implementations violating -RFC 4210. +RFC 9810. .IP \fBOSSL_CMP_OPT_IGNORE_KEYUSAGE\fR 4 .IX Item "OSSL_CMP_OPT_IGNORE_KEYUSAGE" -Ignore key usage restrictions in the signer's certificate when -validating signature-based protection in received CMP messages. -Else, 'digitalSignature' must be allowed by CMP signer certificates. +Ignore key usage restrictions in the signer\*(Aqs certificate when +validating signature\-based protection in received CMP messages. +Else, \*(AqdigitalSignature\*(Aq must be allowed by CMP signer certificates. .IP \fBOSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR\fR 4 .IX Item "OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR" Allow retrieving a trust anchor from extraCerts and using that @@ -386,7 +389,7 @@ This is a quirk option added to support 3GPP TS 33.310. .Sp Note that using this option is dangerous as the certificate obtained this way has not been authenticated (at least not at CMP level). -Taking it over as a trust anchor implements trust-on-first-use (TOFU). +Taking it over as a trust anchor implements trust\-on\-first\-use (TOFU). .IP \fBOSSL_CMP_OPT_NO_CACHE_EXTRACERTS\fR 4 .IX Item "OSSL_CMP_OPT_NO_CACHE_EXTRACERTS" Do not cache certificates received in the extraCerts CMP message field. 
@@ -415,13 +418,13 @@ The default is \f(CW\*(C`/\*(C'\fR. .PP \&\fBOSSL_CMP_CTX_set1_server()\fR sets the given server \fIaddress\fR (which may be a hostname or IP address or NULL) in the given \fIctx\fR. -If \fBOSSL_CMP_CTX_get_transfer_cb_arg()\fR sets a non-NULL argument, +If \fBOSSL_CMP_CTX_get_transfer_cb_arg()\fR sets a non\-NULL argument, this server address information is used for diagnostic output only. .PP \&\fBOSSL_CMP_CTX_set_serverPort()\fR sets the port of the CMP server to connect to. If not used or the \fIport\fR argument is 0 the default port applies, which is 80 for HTTP and 443 for HTTPS. -If \fBOSSL_CMP_CTX_get_transfer_cb_arg()\fR sets a non-NULL argument, +If \fBOSSL_CMP_CTX_get_transfer_cb_arg()\fR sets a non\-NULL argument, this server port information is used for diagnostic output only. .PP \&\fBOSSL_CMP_CTX_set1_proxy()\fR sets the HTTP proxy to be used for connecting to @@ -459,8 +462,8 @@ a structure containing arguments such as an \fBSSL_CTX\fR structure, optionally to be used by the http connect/disconnect callback function. \&\fIarg\fR is not consumed, and it must therefore explicitly be freed when not needed any more. \fIarg\fR may be NULL to clear the entry. -If a non-NULL argument is set, it is an error to use \fBOSSL_CMP_CTX_set1_proxy()\fR -or \fBOSSL_CMP_CTX_set1_no_proxy()\fR for setting non-NULL strings. +If a non\-NULL argument is set, it is an error to use \fBOSSL_CMP_CTX_set1_proxy()\fR +or \fBOSSL_CMP_CTX_set1_no_proxy()\fR for setting non\-NULL strings. .PP \&\fBOSSL_CMP_CTX_get_http_cb_arg()\fR gets the argument, respectively the pointer to a structure containing arguments, previously set by 
@@ -516,7 +519,7 @@ It sets in the CMP context \fIctx\fR the certificate store of type X509_STORE containing trusted certificates, typically of root CAs. This is ignored when a certificate is pinned using \fBOSSL_CMP_CTX_set1_srvCert()\fR. The store may also hold CRLs and a certificate verification callback function -used for signature-based peer authentication. +used for signature\-based peer authentication. Any store entry already set before is freed. When given a NULL parameter the entry is cleared. .PP @@ -525,7 +528,7 @@ When given a NULL parameter the entry is cleared. It extracts from the CMP context \fIctx\fR the pointer to the currently set certificate store containing trust anchors etc., or an empty store if unset. .PP -\&\fBOSSL_CMP_CTX_set1_untrusted()\fR sets up a list of non-trusted certificates +\&\fBOSSL_CMP_CTX_set1_untrusted()\fR sets up a list of non\-trusted certificates of intermediate CAs that may be useful for path construction for the own CMP signer certificate, for the own TLS certificate (if any), when verifying peer CMP protection certificates, and when verifying newly enrolled certificates. 
@@ -538,10 +541,10 @@ list of untrusted certs in \fIctx\fR, which may be empty if unset. .PP \&\fBOSSL_CMP_CTX_set1_cert()\fR sets the CMP \fIsigner certificate\fR, also called \fIprotection certificate\fR, -related to the private key used for signature-based CMP message protection. +related to the private key used for signature\-based CMP message protection. Therefore the public key of this \fIcert\fR must correspond to the private key set before or thereafter via \fBOSSL_CMP_CTX_set1_pkey()\fR. -When using signature-based protection of CMP request messages +When using signature\-based protection of CMP request messages this CMP signer certificate will be included first in the extraCerts field. It serves as fallback reference certificate, see \fBOSSL_CMP_CTX_set1_oldCert()\fR. The subject of this \fIcert\fR will be used as the sender field of outgoing 
@@ -560,35 +563,35 @@ If \fIown_trusted\fR is NULL it builds the chain as far down as possible and ignores any verification errors. Else the CMP signer certificate must be verifiable where the chain reaches a trust anchor contained in \fIown_trusted\fR. On success the function stores the resulting chain in \fIctx\fR -for inclusion in the extraCerts field of signature-protected messages. +for inclusion in the extraCerts field of signature\-protected messages. Calling this function is optional; by default a chain construction is performed on demand that is equivalent to calling this function with the \fIcandidates\fR and \fIown_trusted\fR arguments being NULL. .PP -\&\fBOSSL_CMP_CTX_set1_pkey()\fR sets the client's private key corresponding to the +\&\fBOSSL_CMP_CTX_set1_pkey()\fR sets the client\*(Aqs private key corresponding to the CMP signer certificate set via \fBOSSL_CMP_CTX_set1_cert()\fR. -This key is used create signature-based protection (protectionAlg = MSG_SIG_ALG) +This key is used create signature\-based protection (protectionAlg = MSG_SIG_ALG) of outgoing messages unless a symmetric secret has been set via \fBOSSL_CMP_CTX_set1_secretValue()\fR. The \fIpkey\fR argument may be NULL to clear the entry. .PP \&\fBOSSL_CMP_CTX_set1_secretValue()\fR sets in \fIctx\fR the byte string \fIsec\fR of length -\&\fIlen\fR to use as pre-shared secret, or clears it if the \fIsec\fR argument is NULL. -If present, this secret is used to create MAC-based authentication and integrity -protection (rather than applying signature-based protection) +\&\fIlen\fR to use as pre\-shared secret, or clears it if the \fIsec\fR argument is NULL. +If present, this secret is used to create MAC\-based authentication and integrity +protection (rather than applying signature\-based protection) of outgoing messages and to verify authenticity and integrity of incoming -messages that have MAC-based protection (protectionAlg = \f(CW\*(C`MSG_MAC_ALG\*(C'\fR). 
+messages that have MAC\-based protection (protectionAlg = \f(CW\*(C`MSG_MAC_ALG\*(C'\fR). .PP \&\fBOSSL_CMP_CTX_set1_referenceValue()\fR sets the given referenceValue \fIref\fR with length \fIlen\fR in the given \fIctx\fR or clears it if the \fIref\fR argument is NULL. -According to RFC 4210 section 5.1.1, if no value for the sender field in +According to RFC 9810 section 5.1.1, if no value for the sender field in CMP message headers can be determined (i.e., no CMP signer certificate and no subject DN is set via \fBOSSL_CMP_CTX_set1_subjectName()\fR -then the sender field will contain the NULL-DN +then the sender field will contain the NULL\-DN and the senderKID field of the CMP message header must be set. -When signature-based protection is used the senderKID will be set to +When signature\-based protection is used the senderKID will be set to the subjectKeyIdentifier of the CMP signer certificate as far as present. -If not present or when MAC-based protection is used +If not present or when MAC\-based protection is used the \fIref\fR value is taken as the fallback value for the senderKID. .PP \&\fBOSSL_CMP_CTX_set1_recipient()\fR sets the recipient name that will be used in the @@ -600,7 +603,7 @@ the subject of the CMP server certificate set using \fBOSSL_CMP_CTX_set1_srvCert the value set using \fBOSSL_CMP_CTX_set1_issuer()\fR, the issuer of the certificate set using \fBOSSL_CMP_CTX_set1_oldCert()\fR, the issuer of the CMP signer certificate, -as far as any of those is present, else the NULL-DN as last resort. +as far as any of those is present, else the NULL\-DN as last resort. .PP \&\fBOSSL_CMP_CTX_push0_geninfo_ITAV()\fR adds \fIitav\fR to the stack in the \fIctx\fR to be added to the generalInfo field of the CMP PKIMessage header of a request 
@@ -623,7 +626,7 @@ The \fIpriv\fR parameter must be 0 if and only if the given key is a public key. \&\fBOSSL_CMP_CTX_get0_newPkey()\fR gives the key to use for certificate enrollment dependent on fields of the CMP context structure: the newPkey (which may be a private or public key) if present, -else the public key in the p10CSR if present, else the client's private key. +else the public key in the p10CSR if present, else the client\*(Aqs private key. If the \fIpriv\fR parameter is not 0 and the selected key does not have a private component then NULL is returned. .PP @@ -708,7 +711,7 @@ a positive or negative certConf message to the server. The callback has type .Ve .PP and should inspect the certificate it obtains via the \fIcert\fR parameter and may -overrule the pre-decision given in the \fIfail_info\fR and \fI*txt\fR parameters. +overrule the pre\-decision given in the \fIfail_info\fR and \fI*txt\fR parameters. If it accepts the certificate it must return 0, indicating success. Else it must return a bit field reflecting PKIFailureInfo with at least one failure bit and may set the \fI*txt\fR output parameter to point to a string constant with more @@ -759,8 +762,8 @@ OSSL_CMP_CTX_FAILINFO_badAlg. Returns \-1 if the failInfoCode field is unset. .PP \&\fBOSSL_CMP_CTX_get0_validatedSrvCert()\fR returns the successfully validated certificate, if any, that the CMP server used -in the current transaction for signature-based response message protection, -or NULL if the server used MAC-based protection. +in the current transaction for signature\-based response message protection, +or NULL if the server used MAC\-based protection. The value is relevant only at the end of a successful transaction. It may be used to check the authorization of the server based on its cert. .PP 
@@ -788,7 +791,7 @@ OSSL_CMP_CTX structure. the \fIctx\fR. This will be used to validate the recipNonce in incoming messages. .SH NOTES .IX Header "NOTES" -CMP is defined in RFC 4210 (and CRMF in RFC 4211). +CMP is defined in RFC 9810 (and CRMF in RFC 4211). .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_CMP_CTX_free()\fR and \fBOSSL_CMP_CTX_print_errors()\fR do not return anything. @@ -837,7 +840,7 @@ Set up a CMP client context for sending requests and verifying responses: \& OSSL_CMP_CTX_set0_trusted(cmp_ctx, ts); .Ve .PP -Set up symmetric credentials for MAC-based message protection such as PBM: +Set up symmetric credentials for MAC\-based message protection such as PBM: .PP .Vb 2 \& OSSL_CMP_CTX_set1_referenceValue(cmp_ctx, ref, ref_len); @@ -886,7 +889,7 @@ Perform a Key Update Request, signed using the cert (and key) to be updated: .Ve .PP Perform a General Message transaction including, as an example, -the id-it-signKeyPairTypes OID and prints info on the General Response contents: +the id\-it\-signKeyPairTypes OID and prints info on the General Response contents: .PP .Vb 1 \& OSSL_CMP_CTX_reinit(cmp_ctx); diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_HDR_get0_transactionID.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_HDR_get0_transactionID.3 index a8675e8f6fce..4f742cff5838 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_HDR_get0_transactionID.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_HDR_get0_transactionID.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_HDR_GET0_TRANSACTIONID 3ossl" -.TH OSSL_CMP_HDR_GET0_TRANSACTIONID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_HDR_GET0_TRANSACTIONID 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -88,7 +91,7 @@ OSSL_CMP_HDR_get0_recipNonce returns the recipient nonce of the given PKIHeader. in the generalInfo field of the given PKIHeader. .SH NOTES .IX Header "NOTES" -CMP is defined in RFC 4210. +CMP is defined in RFC 9810. .SH "RETURN VALUES" .IX Header "RETURN VALUES" The functions return the intended pointer value as described above diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_new_caCerts.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_new_caCerts.3 index 9e4ae02d9505..b80eefcdb59e 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_new_caCerts.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_new_caCerts.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_ITAV_NEW_CACERTS 3ossl" -.TH OSSL_CMP_ITAV_NEW_CACERTS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_ITAV_NEW_CACERTS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -145,20 +148,20 @@ is not NULL. \&\fBrootCaKeyUpdate\fR. If an update of a root CA certificate is included, it assigns to \fI*newWithNew\fR the internal pointer -to the certificate contained in the newWithNew infoValue sub-field of \fIitav\fR. +to the certificate contained in the newWithNew infoValue sub\-field of \fIitav\fR. If \fInewWithOld\fR is not NULL, it assigns to \fI*newWithOld\fR the internal pointer -to the certificate contained in the newWithOld infoValue sub-field of \fIitav\fR. +to the certificate contained in the newWithOld infoValue sub\-field of \fIitav\fR. If \fIoldWithNew\fR is not NULL, it assigns to \fI*oldWithNew\fR the internal pointer -to the certificate contained in the oldWithNew infoValue sub-field of \fIitav\fR. +to the certificate contained in the oldWithNew infoValue sub\-field of \fIitav\fR. Each of these pointers will be set to NULL if no root CA certificate update -is present or the respective sub-field is not included. +is present or the respective sub\-field is not included. .PP \&\fBOSSL_CMP_CRLSTATUS_new1()\fR allocates a new \fBOSSL_CMP_CRLSTATUS\fR structure that contains either a copy of the distribution point name \fIdpn\fR or a copy of the certificate issuer \fIissuer\fR, while giving both is an error. If given, a copy of the CRL issuance time \fIthisUpdate\fR is also included. .PP -\&\fBOSSL_CMP_CRLSTATUS_create()\fR is a high-level variant of \fBOSSL_CMP_CRLSTATUS_new1()\fR. +\&\fBOSSL_CMP_CRLSTATUS_create()\fR is a high\-level variant of \fBOSSL_CMP_CRLSTATUS_new1()\fR. It fills the thisUpdate field with a copy of the thisUpdate field of \fIcrl\fR if present. It fills the CRLSource field with a copy of the first data item found using the \fIcrl\fR and/or \fIcert\fR parameters as follows. 
@@ -228,7 +231,7 @@ Otherwise, the function checks that all elements of keySpec field are of type \&\fBalgId\fR or \fBrsaKeyLen\fR and assigns to \fI*keySpec\fR a copy of the keySpec field. .SH NOTES .IX Header "NOTES" -CMP is defined in RFC 4210. +CMP is defined in RFC 9810. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_CMP_ITAV_new_caCerts()\fR, \fBOSSL_CMP_ITAV_new_rootCaCert()\fR, diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_set0.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_set0.3 index 9d42953da094..7a2a71912be3 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_set0.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_set0.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_ITAV_SET0 3ossl" -.TH OSSL_CMP_ITAV_SET0 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_ITAV_SET0 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -88,9 +91,9 @@ OSSL_CMP_ITAV_get0_certProfile .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -ITAV is short for InfoTypeAndValue. This type is defined in RFC 4210 +ITAV is short for InfoTypeAndValue. This type is defined in RFC 9810 section 5.3.19 and Appendix F. It is used at various places in CMP messages, -e.g., in the generalInfo PKIHeader field, to hold a key-value pair. +e.g., in the generalInfo PKIHeader field, to hold a key\-value pair. .PP \&\fBOSSL_CMP_ITAV_create()\fR creates a new \fBOSSL_CMP_ITAV\fR structure and fills it in. It combines \fBOSSL_CMP_ITAV_new()\fR and \fBOSSL_CMP_ITAV_set0()\fR. @@ -119,7 +122,7 @@ The pointer may be NULL if no profile name is included. It is an error if the infoType of \fIitav\fR is not \fBcertProfile\fR. .SH NOTES .IX Header "NOTES" -CMP is defined in RFC 4210 and RFC 9480 (and CRMF in RFC 4211). +CMP is defined in RFC 9810. .PP OIDs to use as types in \fBOSSL_CMP_ITAV\fR can be found at <https://datatracker.ietf.org/doc/html/rfc9480#section\-4.2.2>. @@ -142,7 +145,7 @@ return 1 on success, 0 on error. The following code creates and sets a structure representing a generic InfoTypeAndValue sequence, using an OID created from text as type, and an integer as value. Afterwards, it is pushed to the \fBOSSL_CMP_CTX\fR to be later -included in the requests' PKIHeader's genInfo field. +included in the requests\*(Aq PKIHeader\*(Aqs genInfo field. .PP .Vb 2 \& ASN1_OBJECT *type = OBJ_txt2obj("1.2.3.4.5", 1); diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_get0_header.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_get0_header.3 index 95a1fd30a017..8e0b5c6be303 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_get0_header.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_get0_header.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_MSG_GET0_HEADER 3ossl" -.TH OSSL_CMP_MSG_GET0_HEADER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_MSG_GET0_HEADER 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -100,11 +103,11 @@ message and returns the public key in its certificate template if present. \&\fBOSSL_CMP_MSG_update_transactionID()\fR updates the transactionID field in the header of the given message according to the CMP_CTX. If \fIctx\fR does not contain a transaction ID, a fresh one is created before. -The message gets re-protected (if protecting requests is required). +The message gets re\-protected (if protecting requests is required). .PP \&\fBOSSL_CMP_MSG_update_recipNonce()\fR updates the recipNonce field in the header of the given message according to the CMP_CTX. -The message gets re-protected (if protecting requests is required). +The message gets re\-protected (if protecting requests is required). .PP \&\fBOSSL_CMP_CTX_setup_CRM()\fR creates a CRMF certificate request message from various information provided in the CMP context argument \fIctx\fR 
@@ -113,7 +116,7 @@ The \fIrid\fR argument defines the request identifier to use, which typically is .PP The subject DN included in the certificate template is the first available value of these: -.IP "any subject name in \fIctx\fR set via \fBOSSL_CMP_CTX_set1_subjectName\fR\|(3) \- if it is the NULL-DN (i.e., any empty sequence of RDNs), no subject is included," 4 +.IP "any subject name in \fIctx\fR set via \fBOSSL_CMP_CTX_set1_subjectName\fR\|(3) \- if it is the NULL\-DN (i.e., any empty sequence of RDNs), no subject is included," 4 .IX Item "any subject name in ctx set via OSSL_CMP_CTX_set1_subjectName - if it is the NULL-DN (i.e., any empty sequence of RDNs), no subject is included," .PD 0 .IP "the subject field of any PKCS#10 CSR set in \fIctx\fR via \fBOSSL_CMP_CTX_set1_p10CSR\fR\|(3)," 4 @@ -130,7 +133,7 @@ The public key included is the first available value of these: .IX Item "the public key of any PKCS#10 CSR given in ctx," .IP "the public key of any reference certificate given in \fIctx\fR (see \fBOSSL_CMP_CTX_set1_oldCert\fR\|(3))," 4 .IX Item "the public key of any reference certificate given in ctx (see OSSL_CMP_CTX_set1_oldCert)," -.IP "the public key derived from any client's private key set via \fBOSSL_CMP_CTX_set1_pkey\fR\|(3)." 4 +.IP "the public key derived from any client\*(Aqs private key set via \fBOSSL_CMP_CTX_set1_pkey\fR\|(3)." 4 .IX Item "the public key derived from any client's private key set via OSSL_CMP_CTX_set1_pkey." .PD .PP @@ -151,7 +154,7 @@ Finally, policies are overridden by any policies included in \fIctx\fR via for KUR messages using the issuer name and serial number of the reference certificate, if present. .PP -\&\fBOSSL_CMP_MSG_read()\fR loads a DER-encoded OSSL_CMP_MSG from \fIfile\fR. +\&\fBOSSL_CMP_MSG_read()\fR loads a DER\-encoded OSSL_CMP_MSG from \fIfile\fR. .PP \&\fBOSSL_CMP_MSG_write()\fR stores the given OSSL_CMP_MSG to \fIfile\fR in DER encoding. .PP 
@@ -162,7 +165,7 @@ It assigns a pointer to the new structure to \fI*msg\fR if \fImsg\fR is not NULL to BIO \fIbio\fR. .SH NOTES .IX Header "NOTES" -CMP is defined in RFC 4210. +CMP is defined in RFC 9810. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_CMP_MSG_get0_header()\fR returns the intended pointer value as described above diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_http_perform.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_http_perform.3 index 8e2ea6a8df92..debcf8cb6597 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_http_perform.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_http_perform.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_MSG_HTTP_PERFORM 3ossl" -.TH OSSL_CMP_MSG_HTTP_PERFORM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_MSG_HTTP_PERFORM 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -78,17 +81,17 @@ CMP server specified in \fIctx\fR and returns the result obtained from it. .PP If \fBOSSL_CMP_CTX_set_transfer_cb_arg\fR\|(3) has been used to set the transfer callback argument then the provided pointer \fIbios\fR is taken as -a two-element \fBBIO\fR array to use for the exchange with the server +a two\-element \fBBIO\fR array to use for the exchange with the server as described for the \fIbio\fR and \fIrbio\fR parameters of \fBOSSL_HTTP_open\fR\|(3). For instance, the two BIO pointers may be equal and refer to a TLS connection, -such as in BRSKI-AE where a pre-established TLS channel is reused for CMP. +such as in BRSKI\-AE where a pre\-established TLS channel is reused for CMP. .PP Otherwise the server specified via \fBOSSL_CMP_CTX_set1_server\fR\|(3) and optionally \fBOSSL_CMP_CTX_set_serverPort\fR\|(3) is contacted, where the default port is 80 for HTTP and 443 for HTTPS. The HTTP path (aka "CMP alias" in this context) to use is by default \f(CW\*(C`/\*(C'\fR, otherwise the string specified via \fBOSSL_CMP_CTX_set1_serverPath\fR\|(3). -On success the function returns the server's response PKIMessage. +On success the function returns the server\*(Aqs response PKIMessage. .PP The function makes use of any HTTP callback function set via \fBOSSL_CMP_CTX_set_http_cb\fR\|(3). @@ -101,8 +104,8 @@ while using a proxy for HTTPS connections requires a suitable callback function such as \fBOSSL_HTTP_proxy_connect\fR\|(3). .SH NOTES .IX Header "NOTES" -CMP is defined in RFC 4210. -HTTP transfer for CMP is defined in RFC 6712. +CMP is defined in RFC 9810. +HTTP transfer for CMP is defined in RFC 9811. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_CMP_MSG_http_perform()\fR diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_SRV_CTX_new.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_SRV_CTX_new.3 index ee8eb34bc6b8..500d28534218 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_SRV_CTX_new.3 
+++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_SRV_CTX_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_SRV_CTX_NEW 3ossl" -.TH OSSL_CMP_SRV_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_SRV_CTX_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -166,6 +169,7 @@ which may be due to normal successful end of the transaction or due to an error. \&\fBOSSL_CMP_CTX_server_perform()\fR is an interface to \&\fBOSSL_CMP_SRV_process_request()\fR that can be used by a CMP client in the same way as \fBOSSL_CMP_MSG_http_perform\fR\|(3). +In particular, the first parameter \fIclient_ctx\fR is the \fBOSSL_CMP_CTX\fR of the client. The \fBOSSL_CMP_SRV_CTX\fR must be set as \fItransfer_cb_arg\fR of \fIclient_ctx\fR. .PP \&\fBOSSL_CMP_SRV_CTX_new()\fR creates and initializes an \fBOSSL_CMP_SRV_CTX\fR structure 
@@ -209,13 +213,13 @@ and other forms of negative responses unprotected. without protection of with invalid protection. .PP \&\fBOSSL_CMP_SRV_CTX_set_accept_raverified()\fR enables acceptance of ir/cr/kur -messages with POPO 'RAVerified'. +messages with POPO \*(AqRAVerified\*(Aq. .PP \&\fBOSSL_CMP_SRV_CTX_set_grant_implicit_confirm()\fR enables granting implicit confirmation of newly enrolled certificates if requested. .SH NOTES .IX Header "NOTES" -CMP is defined in RFC 4210 (and CRMF in RFC 4211). +CMP is defined in RFC 9810 (and CRMF in RFC 4211). .PP So far the CMP server implementation is limited to one request per CMP message (and consequently to at most one response component per CMP message). diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_STATUSINFO_new.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_STATUSINFO_new.3 index 394b7c989e73..41650e73e4a3 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_STATUSINFO_new.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_STATUSINFO_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_STATUSINFO_NEW 3ossl" -.TH OSSL_CMP_STATUSINFO_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_STATUSINFO_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -88,16 +91,16 @@ It sets the status field to \fIstatus\fR, copies \fItext\fR (unless it is NULL) to statusString, and interprets \fIfail_info\fR as bit pattern for the failInfo field. .PP -\&\fBOSSL_CMP_snprint_PKIStatusInfo()\fR places a human-readable string +\&\fBOSSL_CMP_snprint_PKIStatusInfo()\fR places a human\-readable string representing the given statusInfo in the given buffer, with the given maximal length. .PP -\&\fBOSSL_CMP_CTX_snprint_PKIStatus()\fR places a human-readable string +\&\fBOSSL_CMP_CTX_snprint_PKIStatus()\fR places a human\-readable string representing the PKIStatusInfo components of the CMP context \fIctx\fR in the given buffer, with the given maximal length. .SH NOTES .IX Header "NOTES" -CMP is defined in RFC 4210 (and CRMF in RFC 4211). +CMP is defined in RFC 9810. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_CMP_STATUSINFO_new()\fR diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_exec_certreq.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_exec_certreq.3 index 1fe4ebad6971..fa234e4d44b2 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_exec_certreq.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_exec_certreq.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_EXEC_CERTREQ 3ossl" -.TH OSSL_CMP_EXEC_CERTREQ 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_EXEC_CERTREQ 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -112,7 +115,7 @@ OSSL_CMP_get1_certReqTemplate .Ve .PP This is the OpenSSL API for doing CMP (Certificate Management Protocol) -client-server transactions, i.e., sequences of CMP requests and responses. +client\-server transactions, i.e., sequences of CMP requests and responses. .PP All functions take a populated OSSL_CMP_CTX structure as their first argument. Usually the server name, port, and path ("CMP alias") need to be set, as well as @@ -123,7 +126,7 @@ also accessor functions for retrieving various results and status information from the \fIctx\fR. See \fBOSSL_CMP_CTX_new\fR\|(3) etc. for details. .PP The default conveying protocol is HTTP. -Timeout values may be given per request-response pair and per transaction. +Timeout values may be given per request\-response pair and per transaction. See \fBOSSL_CMP_MSG_http_perform\fR\|(3) for details. .PP \&\fBOSSL_CMP_exec_IR_ses()\fR requests an initial certificate from the given PKI. @@ -153,7 +156,7 @@ more flexible regarding what to do after receiving a checkAfter value. When called for the first time (with no certificate request in progress for the given \fIctx\fR) it starts a new transaction by sending a certificate request constructed as stated above using the \fIreq_type\fR and optional \fIcrm\fR parameter. -Otherwise (when according to \fIctx\fR a 'waiting' status has been received before) +Otherwise (when according to \fIctx\fR a \*(Aqwaiting\*(Aq status has been received before) it continues polling for the pending request unless the \fIreq_type\fR argument is < 0, which aborts the request. If the requested certificate is available the function returns 1 and the 
@@ -179,7 +182,7 @@ otherwise the issuer DN and serial number of the certificate set by \fBOSSL_CMP_CTX_set1_oldCert\fR\|(3), otherwise the subject DN and public key of the certificate signing request set by \fBOSSL_CMP_CTX_set1_p10CSR\fR\|(3). -RFC 4210 is vague in which PKIStatus should be returned by the server. +RFC 9810 is vague in which PKIStatus should be returned by the server. We take "accepted" and "grantedWithMods" as clear success and handle "revocationWarning" and "revocationNotification" just as warnings because CAs typically return them as an indication that the certificate was already revoked. @@ -198,7 +201,7 @@ and returns the list of \fBITAV\fRs received in a genp response message. This can be used, for instance, with infoType \f(CW\*(C`signKeyPairTypes\*(C'\fR to obtain the set of signature algorithm identifiers that the CA will certify for subject public keys. -See RFC 4210 section 5.3.19 and appendix E.5 for details. +See RFC 9810 section 5.3.19 and appendix D.5 for details. Functions implementing more specific genm/genp exchanges are described next. .PP \&\fBOSSL_CMP_get1_caCerts()\fR uses a genm/genp message exchange with infoType caCerts @@ -211,7 +214,7 @@ NULL output means that no CA certificates were provided by the server. with infoType rootCaCert to obtain from the CMP server referenced by \fIctx\fR in a genp response message with infoType rootCaKeyUpdate any update of the given root CA certificate \fIoldWithOld\fR and verifies it as far as possible. -See RFC 4210 section 4.4 for details. +See RFC 9810 section 4.4 for details. On success it assigns to \fI*newWithNew\fR the root certificate received. When the \fInewWithOld\fR and \fIoldWithNew\fR output parameters are not NULL, it assigns to them the corresponding transition certificates. 
@@ -242,7 +245,7 @@ if received, otherwise it set to NULL. Both must be freed by the caller. .SH NOTES .IX Header "NOTES" -CMP is defined in RFC 4210 (and CRMF in RFC 4211). +CMP is defined in RFC 9810 (and CRMF in RFC 4211). .PP The CMP client implementation is limited to one request per CMP message (and consequently to at most one response component per CMP message). @@ -253,9 +256,9 @@ functions like \fBOSSL_CMP_get1_caCerts()\fR and \fBOSSL_CMP_get1_rootCaKeyUpdat authentication of the CMP server is particularly critical. So special care must be taken setting up server authentication in \fIctx\fR using functions such as -\&\fBOSSL_CMP_CTX_set0_trusted\fR\|(3) (for certificate-based authentication) or -\&\fBOSSL_CMP_CTX_set1_secretValue\fR\|(3) (for MAC-based protection). -If authentication is certificate-based, \fBOSSL_CMP_CTX_get0_validatedSrvCert\fR\|(3) +\&\fBOSSL_CMP_CTX_set0_trusted\fR\|(3) (for certificate\-based authentication) or +\&\fBOSSL_CMP_CTX_set1_secretValue\fR\|(3) (for MAC\-based protection). +If authentication is certificate\-based, \fBOSSL_CMP_CTX_get0_validatedSrvCert\fR\|(3) should be used to obtain the server validated certificate and perform an authorization check based on it. .SH "RETURN VALUES" @@ -269,7 +272,7 @@ This pointer will be freed implicitly by \fBOSSL_CMP_CTX_free()\fR or \&\fBOSSL_CMP_try_certreq()\fR returns 1 if the requested certificate is available via \fBOSSL_CMP_CTX_get0_newCert\fR\|(3) or on successfully aborting a pending certificate request, 0 on error, and \-1 -in case a 'waiting' status has been received and checkAfter value is available. +in case a \*(Aqwaiting\*(Aq status has been received and checkAfter value is available. In the latter case \fBOSSL_CMP_CTX_get0_newCert\fR\|(3) yields NULL and the output parameter \fIcheckAfter\fR has been used to assign the received value unless \fIcheckAfter\fR is NULL. 
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_log_open.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_log_open.3 index dbce9f1f2ee8..990029b32d8e 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_log_open.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_log_open.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_LOG_OPEN 3ossl" -.TH OSSL_CMP_LOG_OPEN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_LOG_OPEN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -108,7 +111,7 @@ OSSL_CMP_print_errors_cb .SH DESCRIPTION .IX Header "DESCRIPTION" The logging and error reporting facility described here contains -convenience functions for CMP-specific logging, +convenience functions for CMP\-specific logging, including a string prefix mirroring the severity levels of syslog.h, and enhancements of the error queue mechanism needed for large diagnostic messages produced by the CMP library in case of certificate validation failures. 
@@ -129,7 +132,7 @@ some component info (which may be a module name and/or function name) or NULL, a file pathname or NULL, a line number or 0 indicating the source code location, a severity level, and -a message string describing the nature of the event, terminated by '\en'. +a message string describing the nature of the event, terminated by \*(Aq\en\*(Aq. .PP Even when an activity is successful some warnings may be useful and some degree of auditing may be required. Therefore, the logging facility supports a severity @@ -138,18 +141,18 @@ level, such that error, warning, info, debug, etc. can be treated differently. The callback is activated only when the severity level is sufficient according to the current level of verbosity, which by default is \fBOSSL_CMP_LOG_INFO\fR. .PP -The callback function may itself do non-trivial tasks like writing to +The callback function may itself do non\-trivial tasks like writing to a log file or remote stream, which in turn may fail. Therefore, the function should return 1 on success and 0 on failure. .PP -\&\fBOSSL_CMP_log_open()\fR initializes the CMP-specific logging facility to output +\&\fBOSSL_CMP_log_open()\fR initializes the CMP\-specific logging facility to output everything to STDOUT. It fails if the integrated tracing is disabled or STDIO is not available. It may be called during application startup. Alternatively, \fBOSSL_CMP_CTX_set_log_cb\fR\|(3) can be used for more flexibility. As long as neither if the two is used any logging output is ignored. .PP \&\fBOSSL_CMP_log_close()\fR may be called when all activities are finished to flush -any pending CMP-specific log output and deallocate related resources. +any pending CMP\-specific log output and deallocate related resources. It may be called multiple times. It does get called at OpenSSL shutdown. .PP \&\fBOSSL_CMP_print_to_bio()\fR prints the given component info, filename, line number, 
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_validate_msg.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_validate_msg.3 index 59deab832ff7..41b5f11d6cfd 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_validate_msg.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_validate_msg.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_VALIDATE_MSG 3ossl" -.TH OSSL_CMP_VALIDATE_MSG 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_VALIDATE_MSG 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -79,7 +82,7 @@ which includes validating CMP message sender certificates and their paths while optionally checking the revocation status of the certificates(s). .PP \&\fBOSSL_CMP_validate_msg()\fR validates the protection of the given \fImsg\fR, -which must be signature-based or using password-based MAC (PBM). +which must be signature\-based or using password\-based MAC (PBM). In the former case a suitable trust anchor must be given in the CMP context \&\fIctx\fR, and in the latter case the matching secret must have been set there using \fBOSSL_CMP_CTX_set1_secretValue\fR\|(3). 
@@ -101,24 +104,24 @@ using any trust store set via \fBOSSL_CMP_CTX_set0_trusted\fR\|(3). .PP If the option OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR was set by calling \&\fBOSSL_CMP_CTX_set_option\fR\|(3), for an Initialization Response (IP) message -any self-issued certificate from the \fImsg\fR extraCerts field may be used -as a trust anchor for the path verification of an 'acceptable' cert if it can be +any self\-issued certificate from the \fImsg\fR extraCerts field may be used +as a trust anchor for the path verification of an \*(Aqacceptable\*(Aq cert if it can be used also to validate the issued certificate returned in the IP message. This is according to TS 33.310 [Network Domain Security (NDS); Authentication Framework (AF)] document specified by The 3rd Generation Partnership Project (3GPP). Note that using this option is dangerous as the certificate obtained this way has not been authenticated (at least not at CMP level). -Taking it over as a trust anchor implements trust-on-first-use (TOFU). +Taking it over as a trust anchor implements trust\-on\-first\-use (TOFU). .PP Any cert that has been found as described above is cached and tried first when validating the signatures of subsequent messages in the same transaction. .PP \&\fBOSSL_CMP_validate_cert_path()\fR attempts to validate the given certificate and its path using the given store of trusted certs (possibly including CRLs and a cert -verification callback) and non-trusted intermediate certs from the \fIctx\fR. +verification callback) and non\-trusted intermediate certs from the \fIctx\fR. .SH NOTES .IX Header "NOTES" -CMP is defined in RFC 4210 (and CRMF in RFC 4211). +CMP is defined in RFC 9810. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_CMP_validate_msg()\fR and \fBOSSL_CMP_validate_cert_path()\fR diff --git a/secure/lib/libcrypto/man/man3/OSSL_CORE_MAKE_FUNC.3 b/secure/lib/libcrypto/man/man3/OSSL_CORE_MAKE_FUNC.3 index 3bd9d0ea7dae..7d4879ebd087 100644 
--- a/secure/lib/libcrypto/man/man3/OSSL_CORE_MAKE_FUNC.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CORE_MAKE_FUNC.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CORE_MAKE_FUNC 3ossl" -.TH OSSL_CORE_MAKE_FUNC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CORE_MAKE_FUNC 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_get0_tmpl.3 b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_get0_tmpl.3 index 4471be950284..3cd4614ba9ca 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_get0_tmpl.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_get0_tmpl.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CRMF_MSG_GET0_TMPL 3ossl" -.TH OSSL_CRMF_MSG_GET0_TMPL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CRMF_MSG_GET0_TMPL 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -151,7 +154,7 @@ of the given CertId \fIcid\fR, which must be of ASN.1 type GEN_DIRNAME. \&\fBOSSL_CRMF_ENCRYPTEDKEY_get1_encCert()\fR decrypts the certificate in the given encryptedKey \fIecert\fR, using the private key \fIpkey\fR, library context \&\fIlibctx\fR and property query string \fIpropq\fR (see \fBOSSL_LIB_CTX\fR\|(3)). -This is needed for the indirect POPO method as in RFC 4210 section 5.2.8.2. +This is needed for the indirect POPO method as in RFC 9810 section 5.2.8.3.2. The function returns the decrypted certificate as a copy, leaving its ownership with the caller, who is responsible for freeing it. .PP 
@@ -178,16 +181,16 @@ encryptedValue \fIenc\fR, using the private key \fIpkey\fR, library context \&\fBOSSL_CRMF_ENCRYPTEDVALUE_get1_encCert()\fR decrypts the certificate in the given encryptedValue \fIecert\fR, using the private key \fIpkey\fR, library context \&\fIlibctx\fR and property query string \fIpropq\fR (see \fBOSSL_LIB_CTX\fR\|(3)). -This is needed for the indirect POPO method as in RFC 4210 section 5.2.8.2. +This is needed for the indirect POPO method as in RFC 9810 section 5.2.8.3.2. The function returns the decrypted certificate as a copy, leaving its ownership with the caller, who is responsible for freeing it. .PP \&\fBOSSL_CRMF_MSG_get_certReqId()\fR retrieves the certReqId of \fIcrm\fR. .PP \&\fBOSSL_CRMF_MSG_centralkeygen_requested()\fR returns 1 if central key generation -is requested i.e., the public key in the certificate request (\fIcrm\fR is taken if it is non-NULL, +is requested i.e., the public key in the certificate request (\fIcrm\fR is taken if it is non\-NULL, otherwise \fIp10cr\fR) is NULL or has an empty key value (with length zero). -In case \fIcrm\fR is non-NULL, this is checked for consistency with its \fBpopo\fR field +In case \fIcrm\fR is non\-NULL, this is checked for consistency with its \fBpopo\fR field (must be NULL if and only if central key generation is requested). Otherwise it returns 0, and on error a negative value. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set0_validity.3 b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set0_validity.3 index 45fa682f1797..a056ed484e53 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set0_validity.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set0_validity.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CRMF_MSG_SET0_VALIDITY 3ossl" -.TH OSSL_CRMF_MSG_SET0_VALIDITY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CRMF_MSG_SET0_VALIDITY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -108,19 +111,19 @@ On success ownership of \fInotBefore\fR and \fInotAfter\fR is transferred to \fI \&\fBOSSL_CRMF_MSG_set_certReqId()\fR sets \fIrid\fR as the certReqId of \fIcrm\fR. .PP \&\fBOSSL_CRMF_CERTTEMPLATE_fill()\fR sets those fields of the certTemplate \fItmpl\fR -for which non-NULL values are provided: \fIpubkey\fR, \fIsubject\fR, \fIissuer\fR, +for which non\-NULL values are provided: \fIpubkey\fR, \fIsubject\fR, \fIissuer\fR, and/or \fIserial\fR. X.509 extensions may be set using \fBOSSL_CRMF_MSG_set0_extensions()\fR. On success the reference counter of the \fIpubkey\fR (if given) is incremented, while the \fIsubject\fR, \fIissuer\fR, and \fIserial\fR structures (if given) are copied. .PP \&\fBOSSL_CRMF_MSG_set0_extensions()\fR sets \fIexts\fR as the extensions in the -certTemplate of \fIcrm\fR. Frees any pre-existing ones and consumes \fIexts\fR. +certTemplate of \fIcrm\fR. Frees any pre\-existing ones and consumes \fIexts\fR. .PP \&\fBOSSL_CRMF_MSG_push0_extension()\fR pushes the X509 extension \fIext\fR to the extensions in the certTemplate of \fIcrm\fR. Consumes \fIext\fR. .PP -\&\fBOSSL_CRMF_MSG_create_popo()\fR creates and sets the Proof-of-Possession (POPO) +\&\fBOSSL_CRMF_MSG_create_popo()\fR creates and sets the Proof\-of\-Possession (POPO) according to the method \fImeth\fR in \fIcrm\fR. The library context \fIlibctx\fR and property query string \fIpropq\fR, may be NULL to select the defaults. @@ -132,7 +135,7 @@ Ed25519 and Ed448) that is implicitly associated with a digest algorithm. \&\fImeth\fR can be one of the following: .IP \(bu 8 OSSL_CRMF_POPO_NONE \- RFC 4211, section 4, POP field omitted. -CA/RA uses out-of-band method to verify POP. Note that servers may fail in this +CA/RA uses out\-of\-band method to verify POP. Note that servers may fail in this case, resulting for instance in HTTP error code 500 (Internal error). .IP \(bu 8 OSSL_CRMF_POPO_RAVERIFIED \- RFC 4211, section 4, explicit indication 
@@ -143,11 +146,11 @@ so far. .IP \(bu 8 OSSL_CRMF_POPO_KEYENC \- RFC 4211, section 4.2, only indirect method (subsequentMessage/enccert) supported, -challenge-response exchange (challengeResp) not yet supported. +challenge\-response exchange (challengeResp) not yet supported. .IP \(bu 8 OSSL_CRMF_POPO_KEYAGREE \- RFC 4211, section 4.3, not yet supported. .PP -OSSL_CRMF_MSGS_verify_popo verifies the Proof-of-Possession of the request with +OSSL_CRMF_MSGS_verify_popo verifies the Proof\-of\-Possession of the request with the given \fIrid\fR in the list of \fIreqs\fR. Optionally accepts RAVerified. It can make use of the library context \fIlibctx\fR and property query string \fIpropq\fR. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.3 b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.3 index 58e94d645e42..83604e0dbf10 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CRMF_MSG_SET1_REGCTRL_REGTOKEN 3ossl" -.TH OSSL_CRMF_MSG_SET1_REGCTRL_REGTOKEN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CRMF_MSG_SET1_REGCTRL_REGTOKEN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.3 b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.3 index 2d692d030385..547d3fe6b80c 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CRMF_MSG_SET1_REGINFO_CERTREQ 3ossl" -.TH OSSL_CRMF_MSG_SET1_REGINFO_CERTREQ 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CRMF_MSG_SET1_REGINFO_CERTREQ 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OSSL_CRMF_pbmp_new.3 b/secure/lib/libcrypto/man/man3/OSSL_CRMF_pbmp_new.3 index 95ecd22aff83..c4de4d447ac1 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CRMF_pbmp_new.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CRMF_pbmp_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CRMF_PBMP_NEW 3ossl" -.TH OSSL_CRMF_PBMP_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CRMF_PBMP_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -81,7 +84,7 @@ OSSL_CRMF_pbmp_new .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBOSSL_CRMF_pbm_new()\fR generates a PBM (Password-Based MAC) based on given PBM +\&\fBOSSL_CRMF_pbm_new()\fR generates a PBM (Password\-Based MAC) based on given PBM parameters \fIpbmp\fR, message \fImsg\fR, and secret \fIsec\fR, along with the respective lengths \fImsglen\fR and \fIseclen\fR. The optional library context \fIlibctx\fR and \fIpropq\fR parameters may be used 
@@ -93,22 +96,23 @@ allocated MAC via the \fImac\fR reference parameter and writes the length via th .PP \&\fBOSSL_CRMF_pbmp_new()\fR initializes and returns a new \fBPBMParameter\fR structure with a new random salt of given length \fIsaltlen\fR, -OWF (one-way function) NID \fIowfnid\fR, OWF iteration count \fIitercnt\fR, +OWF (one\-way function) NID \fIowfnid\fR, OWF iteration count \fIitercnt\fR, and MAC NID \fImacnid\fR. The library context \fIlibctx\fR parameter may be used to select the provider for the random number generation (DRBG) and may be NULL for the default. .SH NOTES .IX Header "NOTES" -The algorithms for the OWF (one-way function) and for the MAC (message +The algorithms for the OWF (one\-way function) and for the MAC (message authentication code) may be any with a NID defined in \fI<openssl/objects.h>\fR. -As specified by RFC 4210, these should include NID_hmac_sha1. +For backward compatibility with RFC 4210, these should include NID_hmac_sha1. .PP -RFC 4210 recommends that the salt SHOULD be at least 8 bytes (64 bits) long, +RFC 4210 recommended that the salt SHOULD be at least 8 bytes (64 bits) long, where 16 bytes is common. .PP The iteration count must be at least 100, as stipulated by RFC 4211, and is limited to at most 100000 to avoid DoS through manipulated or otherwise malformed input. +See RFC 9045 for currently suggested values. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_CRMF_pbm_new()\fR returns 1 on success, 0 on error. diff --git a/secure/lib/libcrypto/man/man3/OSSL_DECODER.3 b/secure/lib/libcrypto/man/man3/OSSL_DECODER.3 index 15918a5712d4..492347ac8e5a 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_DECODER.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_DECODER.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_DECODER 3ossl" -.TH OSSL_DECODER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_DECODER 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -129,7 +132,7 @@ If the argument is NULL, nothing is done. with the given \fIdecoder\fR. .PP \&\fBOSSL_DECODER_is_a()\fR checks if \fIdecoder\fR is an implementation -of an algorithm that's identifiable with \fIname\fR. +of an algorithm that\*(Aqs identifiable with \fIname\fR. .PP \&\fBOSSL_DECODER_get0_name()\fR returns the name used to fetch the given \fIdecoder\fR. .PP @@ -150,7 +153,7 @@ array of parameter descriptors. .PP \&\fBOSSL_DECODER_get_params()\fR attempts to get parameters specified with an \fBOSSL_PARAM\fR\|(3) array \fIparams\fR. Parameters that the -implementation doesn't recognise should be ignored. +implementation doesn\*(Aqt recognise should be ignored. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_DECODER_fetch()\fR returns a pointer to an OSSL_DECODER object, @@ -158,7 +161,7 @@ or NULL on error. .PP \&\fBOSSL_DECODER_up_ref()\fR returns 1 on success, or 0 on error. .PP -\&\fBOSSL_DECODER_free()\fR doesn't return any value. +\&\fBOSSL_DECODER_free()\fR doesn\*(Aqt return any value. .PP \&\fBOSSL_DECODER_get0_provider()\fR returns a pointer to a provider object, or NULL on error. 
@@ -176,7 +179,7 @@ algorithm definition is returned. Ownership of the returned string is retained by the \fIdecoder\fR object and should not be freed by the caller. .PP \&\fBOSSL_DECODER_get0_description()\fR returns a pointer to a description, or NULL if -there isn't one. +there isn\*(Aqt one. .PP \&\fBOSSL_DECODER_names_do_all()\fR returns 1 if the callback was called for all names. A return value of 0 means that the callback was not called for any names. diff --git a/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX.3 b/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX.3 index 616aca3869d1..d78c3673ad18 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_DECODER_CTX 3ossl" -.TH OSSL_DECODER_CTX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_DECODER_CTX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -157,7 +160,7 @@ added those that take the specified input type, and functions like the decoder implementations that take that input type. For example, if the input type is set to \f(CW\*(C`DER\*(C'\fR, a PEM to DER decoder will be ignored. .PP -The input type can also be NULL, which means that the caller doesn't know +The input type can also be NULL, which means that the caller doesn\*(Aqt know what type of input they have. In this case, \fBOSSL_DECODER_from_bio()\fR will simply try with one decoder implementation after the other, and thereby discover what kind of input the caller gave it. @@ -181,7 +184,7 @@ parameter descriptors. \&\fBOSSL_DECODER_CTX_set_params()\fR attempts to set parameters specified with an \&\fBOSSL_PARAM\fR\|(3) array \fIparams\fR. These parameters are passed to all decoders that have been added to the \fIctx\fR so far. Parameters that an -implementation doesn't recognise should be ignored by it. +implementation doesn\*(Aqt recognise should be ignored by it. .PP \&\fBOSSL_DECODER_CTX_free()\fR frees the given context \fIctx\fR. If the argument is NULL, nothing is done. @@ -199,7 +202,7 @@ above. .PP \&\fBOSSL_DECODER_CTX_set_input_structure()\fR sets the name of the structure that the input is expected to have. This may be used to determines what decoder -implementations may be used. NULL is a valid input structure, when it's not +implementations may be used. NULL is a valid input structure, when it\*(Aqs not relevant, or when the decoder implementations are expected to figure it out. .PP \&\fBOSSL_DECODER_CTX_get_num_decoders()\fR gets the number of decoders currently 
@@ -208,7 +211,7 @@ added to the context \fIctx\fR. \&\fBOSSL_DECODER_CTX_set_construct()\fR sets the constructor \fIconstruct\fR. .PP \&\fBOSSL_DECODER_CTX_set_construct_data()\fR sets the constructor data that is -passed to the constructor every time it's called. +passed to the constructor every time it\*(Aqs called. .PP \&\fBOSSL_DECODER_CTX_set_cleanup()\fR sets the constructor data \fIcleanup\fR function. This is called by \fBOSSL_DECODER_CTX_free\fR\|(3). @@ -224,6 +227,13 @@ decode instance \fIdecoder_inst\fR that the constructor got and an object \&\fIreference\fR, unpacks the object which it refers to, and exports it by creating an \fBOSSL_PARAM\fR\|(3) array that it then passes to \fIexport_cb\fR, along with \fIexport_arg\fR. +.PP +Note that functions \fBOSSL_DECODER_CTX_set_selection()\fR, +\&\fBOSSL_DECODER_CTX_set_output_type()\fR, \fBOSSL_DECODER_CTX_set_output_structure()\fR, +\&\fBOSSL_DECODER_CTX_add_encoder()\fR, \fBOSSL_DECODER_CTX_add_extra()\fR, +\&\fBOSSL_DECODER_CTX_set_construct()\fR, \fBOSSL_DECODER_CTX_set_construct_data()\fR, and +\&\fBOSSL_DECODER_CTX_set_cleanup()\fR shouldn\*(Aqt be used after the context is finalised, +in particular after calling the function \fBOSSL_DECODER_CTX_new_for_pkey()\fR. .SS Constructor .IX Subsection "Constructor" A \fBOSSL_DECODER_CONSTRUCT\fR gets the following arguments: @@ -233,8 +243,8 @@ The \fBOSSL_DECODER_INSTANCE\fR for the decoder from which the constructor gets its data. .IP \fIobject\fR 4 .IX Item "object" -A provider-native object abstraction produced by the decoder. Further -information on the provider-native object abstraction can be found in +A provider\-native object abstraction produced by the decoder. Further +information on the provider\-native object abstraction can be found in \&\fBprovider\-object\fR\|(7). .IP \fIconstruct_data\fR 4 .IX Item "construct_data" 
@@ -249,10 +259,10 @@ These utility functions may be used by a constructor: implementation from a decoder instance \fIdecoder_inst\fR. .PP \&\fBOSSL_DECODER_INSTANCE_get_decoder_ctx()\fR can be used to get the decoder -implementation's provider context from a decoder instance \fIdecoder_inst\fR. +implementation\*(Aqs provider context from a decoder instance \fIdecoder_inst\fR. .PP \&\fBOSSL_DECODER_INSTANCE_get_input_type()\fR can be used to get the decoder -implementation's input type from a decoder instance \fIdecoder_inst\fR. +implementation\*(Aqs input type from a decoder instance \fIdecoder_inst\fR. .PP \&\fBOSSL_DECODER_INSTANCE_get_input_structure()\fR can be used to get the input structure for the decoder implementation from a decoder instance @@ -261,7 +271,7 @@ This may be NULL. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_DECODER_CTX_new()\fR returns a pointer to a \fBOSSL_DECODER_CTX\fR, or NULL -if the context structure couldn't be allocated. +if the context structure couldn\*(Aqt be allocated. .PP \&\fBOSSL_DECODER_settable_ctx_params()\fR returns an \fBOSSL_PARAM\fR\|(3) array, or NULL if none is available. diff --git a/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX_new_for_pkey.3 b/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX_new_for_pkey.3 index 1710ece2160f..5d8f2e505dda 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX_new_for_pkey.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX_new_for_pkey.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_DECODER_CTX_NEW_FOR_PKEY 3ossl" -.TH OSSL_DECODER_CTX_NEW_FOR_PKEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_DECODER_CTX_NEW_FOR_PKEY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -130,6 +133,10 @@ zero). This helps the caller to distinguish between an error when creating the \fBOSSL_ENCODER_CTX\fR and missing encoder implementation, and allows it to act accordingly. .PP +Note that \fBOSSL_DECODER_CTX_new_for_pkey()\fR finalises the OSSL_DECODER_CTX; +after that the OSSL_DECODER_CTX_set_* and OSSL_DECODER_CTX_add_* functions +described in \fBOSSL_DECODER_CTX\fR\|(3) shouldn\*(Aqt be called. +.PP \&\fBOSSL_DECODER_CTX_set_passphrase()\fR gives the implementation a pass phrase to use when decrypting the encoded private key. Alternatively, a pass phrase callback may be specified with the following functions. @@ -173,7 +180,7 @@ auto detect the selection. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_DECODER_CTX_new_for_pkey()\fR returns a pointer to a -\&\fBOSSL_DECODER_CTX\fR, or NULL if it couldn't be created. +\&\fBOSSL_DECODER_CTX\fR, or NULL if it couldn\*(Aqt be created. .PP \&\fBOSSL_DECODER_CTX_set_passphrase()\fR, \fBOSSL_DECODER_CTX_set_pem_password_cb()\fR, \&\fBOSSL_DECODER_CTX_set_passphrase_ui()\fR and diff --git a/secure/lib/libcrypto/man/man3/OSSL_DECODER_from_bio.3 b/secure/lib/libcrypto/man/man3/OSSL_DECODER_from_bio.3 index f75cc305644d..9328e63d5924 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_DECODER_from_bio.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_DECODER_from_bio.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_DECODER_FROM_BIO 3ossl" -.TH OSSL_DECODER_FROM_BIO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_DECODER_FROM_BIO 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -83,13 +86,13 @@ Feature availability macros: .IX Header "DESCRIPTION" \&\fBOSSL_DECODER_from_data()\fR runs the decoding process for the context \fIctx\fR, with input coming from \fI*pdata\fR, \fI*pdata_len\fR bytes long. Both \fI*pdata\fR -and \fI*pdata_len\fR must be non-NULL. When \fBOSSL_DECODER_from_data()\fR returns, +and \fI*pdata_len\fR must be non\-NULL. When \fBOSSL_DECODER_from_data()\fR returns, \&\fI*pdata\fR is updated to point at the location after what has been decoded, and \fI*pdata_len\fR to have the number of remaining bytes. .PP \&\fBOSSL_DECODER_from_bio()\fR runs the decoding process for the context \fIctx\fR, with the input coming from the \fBBIO\fR \fIin\fR. Should it make a difference, -it's recommended to have the BIO set in binary mode rather than text mode. +it\*(Aqs recommended to have the BIO set in binary mode rather than text mode. .PP \&\fBOSSL_DECODER_from_fp()\fR does the same thing as \fBOSSL_DECODER_from_bio()\fR, except that the input is coming from the \fBFILE\fR \fIfp\fR. diff --git a/secure/lib/libcrypto/man/man3/OSSL_DISPATCH.3 b/secure/lib/libcrypto/man/man3/OSSL_DISPATCH.3 index 1df93624f99b..44861bf62089 100644 
--- a/secure/lib/libcrypto/man/man3/OSSL_DISPATCH.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_DISPATCH.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_DISPATCH 3ossl" -.TH OSSL_DISPATCH 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_DISPATCH 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -96,7 +99,7 @@ signature that corresponds to the \fIfunction_id\fR Available function identities and corresponding function signatures are defined in \fBopenssl\-core_dispatch.h\fR\|(7). Furthermore, the chosen function identities and associated function -signature must be chosen specifically for the operation that it's intended +signature must be chosen specifically for the operation that it\*(Aqs intended for, as determined by the intended \fBOSSL_ALGORITHM\fR\|(3) array. .PP Any function identity not recognised by the recipient of this type diff --git a/secure/lib/libcrypto/man/man3/OSSL_ENCODER.3 b/secure/lib/libcrypto/man/man3/OSSL_ENCODER.3 index cca37a8602f0..b9de70303f26 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_ENCODER.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_ENCODER.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_ENCODER 3ossl" -.TH OSSL_ENCODER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_ENCODER 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -129,7 +132,7 @@ If the argument is NULL, nothing is done. with the given \fIencoder\fR. .PP \&\fBOSSL_ENCODER_is_a()\fR checks if \fIencoder\fR is an implementation of an -algorithm that's identifiable with \fIname\fR. +algorithm that\*(Aqs identifiable with \fIname\fR. .PP \&\fBOSSL_ENCODER_get0_name()\fR returns the name used to fetch the given \fIencoder\fR. .PP @@ -150,7 +153,7 @@ array of parameter descriptors. .PP \&\fBOSSL_ENCODER_get_params()\fR attempts to get parameters specified with an \fBOSSL_PARAM\fR\|(3) array \fIparams\fR. Parameters that the -implementation doesn't recognise should be ignored. +implementation doesn\*(Aqt recognise should be ignored. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_ENCODER_fetch()\fR returns a pointer to the key management @@ -159,7 +162,7 @@ error. .PP \&\fBOSSL_ENCODER_up_ref()\fR returns 1 on success, or 0 on error. .PP -\&\fBOSSL_ENCODER_free()\fR doesn't return any value. +\&\fBOSSL_ENCODER_free()\fR doesn\*(Aqt return any value. .PP \&\fBOSSL_ENCODER_get0_provider()\fR returns a pointer to a provider object, or NULL on error. 
@@ -177,7 +180,7 @@ algorithm definition is returned. Ownership of the returned string is retained by the \fIencoder\fR object and should not be freed by the caller. .PP \&\fBOSSL_ENCODER_get0_description()\fR returns a pointer to a description, or NULL if -there isn't one. +there isn\*(Aqt one. .PP \&\fBOSSL_ENCODER_names_do_all()\fR returns 1 if the callback was called for all names. A return value of 0 means that the callback was not called for any names. diff --git a/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX.3 b/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX.3 index 98b727c320f1..6b903481422f 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_ENCODER_CTX 3ossl" -.TH OSSL_ENCODER_CTX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_ENCODER_CTX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -140,7 +143,7 @@ The final output type must be given, and a chain of encoders must end with an implementation that produces that output type. .PP At the beginning of the encoding process, a constructor provided by the -caller is called to ensure that there is an appropriate provider-side object +caller is called to ensure that there is an appropriate provider\-side object to start with. The constructor is set with \fBOSSL_ENCODER_CTX_set_construct()\fR. .PP 
@@ -157,7 +160,7 @@ array of parameter descriptors. .PP \&\fBOSSL_ENCODER_CTX_set_params()\fR attempts to set parameters specified with an \fBOSSL_PARAM\fR\|(3) array \fIparams\fR. Parameters that the -implementation doesn't recognise should be ignored. +implementation doesn\*(Aqt recognise should be ignored. .PP \&\fBOSSL_ENCODER_CTX_free()\fR frees the given context \fIctx\fR. If the argument is NULL, nothing is done. @@ -183,10 +186,17 @@ added to the context \fIctx\fR. \&\fBOSSL_ENCODER_CTX_set_construct()\fR sets the constructor \fIconstruct\fR. .PP \&\fBOSSL_ENCODER_CTX_set_construct_data()\fR sets the constructor data that is -passed to the constructor every time it's called. +passed to the constructor every time it\*(Aqs called. .PP \&\fBOSSL_ENCODER_CTX_set_cleanup()\fR sets the constructor data \fIcleanup\fR function. This is called by \fBOSSL_ENCODER_CTX_free\fR\|(3). +.PP +Note that functions \fBOSSL_ENCODER_CTX_set_selection()\fR, +\&\fBOSSL_ENCODER_CTX_set_output_type()\fR, \fBOSSL_ENCODER_CTX_set_output_structure()\fR, +\&\fBOSSL_ENCODER_CTX_add_encoder()\fR, \fBOSSL_ENCODER_CTX_add_extra()\fR, +\&\fBOSSL_ENCODER_CTX_set_construct()\fR, \fBOSSL_ENCODER_CTX_set_construct_data()\fR, and +\&\fBOSSL_ENCODER_CTX_set_cleanup()\fR shouldn\*(Aqt be used after the context is finalised, +in particular after calling the function \fBOSSL_ENCODER_CTX_new_for_pkey()\fR. .SS Constructor .IX Subsection "Constructor" A \fBOSSL_ENCODER_CONSTRUCT\fR gets the following arguments: 
@@ -198,8 +208,8 @@ its data. .IX Item "construct_data" The pointer that was set with \fBOSSL_ENCODE_CTX_set_construct_data()\fR. .PP -The constructor is expected to return a valid (non-NULL) pointer to a -provider-native object that can be used as first input of an encoding chain, +The constructor is expected to return a valid (non\-NULL) pointer to a +provider\-native object that can be used as first input of an encoding chain, or NULL to indicate that an error has occurred. .PP These utility functions may be used by a constructor: @@ -208,7 +218,7 @@ These utility functions may be used by a constructor: implementation of the encoder instance \fIencoder_inst\fR. .PP \&\fBOSSL_ENCODER_INSTANCE_get_encoder_ctx()\fR can be used to get the encoder -implementation's provider context of the encoder instance \fIencoder_inst\fR. +implementation\*(Aqs provider context of the encoder instance \fIencoder_inst\fR. .PP \&\fBOSSL_ENCODER_INSTANCE_get_output_type()\fR can be used to get the output type for the encoder implementation of the encoder instance \fIencoder_inst\fR. @@ -221,7 +231,7 @@ This may be NULL. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_ENCODER_CTX_new()\fR returns a pointer to a \fBOSSL_ENCODER_CTX\fR, or NULL -if the context structure couldn't be allocated. +if the context structure couldn\*(Aqt be allocated. .PP \&\fBOSSL_ENCODER_settable_ctx_params()\fR returns an \fBOSSL_PARAM\fR\|(3) array, or NULL if none is available. @@ -251,6 +261,11 @@ output type. .PP \&\fBOSSL_ENCODER_INSTANCE_get_output_structure()\fR returns a string with the name of the output structure. +.SH "NOTES AND BUGS" +.IX Header "NOTES AND BUGS" +The chain mechanism in ENCODE is not yet completely implemented. +It affects functions such as OSSL_ENCODER_CTX_add_extra and the +inner processing loop. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBprovider\fR\|(7), \fBOSSL_ENCODER\fR\|(3) 
diff --git a/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX_new_for_pkey.3 b/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX_new_for_pkey.3 index bf732b85f784..1fc02e62b595 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX_new_for_pkey.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX_new_for_pkey.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_ENCODER_CTX_NEW_FOR_PKEY 3ossl" -.TH OSSL_ENCODER_CTX_NEW_FOR_PKEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_ENCODER_CTX_NEW_FOR_PKEY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -109,7 +112,7 @@ Internally, \fBOSSL_ENCODER_CTX_new_for_pkey()\fR uses the names from the \&\fBEVP_KEYMGMT\fR\|(3) implementation associated with \fIpkey\fR to build a list of applicable encoder implementations that are used to process the \fIpkey\fR into the encoding named by \fIoutput_type\fR, with the outermost structure named by -\&\fIoutput_structure\fR if that's relevant. All these implementations are +\&\fIoutput_structure\fR if that\*(Aqs relevant. All these implementations are implicitly fetched, with \fIpropquery\fR for finer selection. .PP If no suitable encoder implementation is found, 
@@ -119,6 +122,10 @@ zero). This helps the caller to distinguish between an error when creating the \fBOSSL_ENCODER_CTX\fR and missing encoder implementation, and allows it to act accordingly. .PP +Note that \fBOSSL_ENCODER_CTX_new_for_pkey()\fR finalises the OSSL_ENCODER_CTX; +after that the OSSL_ENCODER_CTX_set_* and OSSL_ENCODER_CTX_add_* functions +described in \fBOSSL_ENCODER_CTX\fR\|(3) shouldn\*(Aqt be called. +.PP \&\fBOSSL_ENCODER_CTX_set_cipher()\fR tells the implementation what cipher should be used to encrypt encoded keys. The cipher is given by name \fIcipher_name\fR. The interpretation of that \fIcipher_name\fR is @@ -164,14 +171,14 @@ The output is the \fIselection\fR of the \fIpkey\fR in PEM format. \&\fIselection\fR can be any one of the values described in "Selections" in \fBEVP_PKEY_fromdata\fR\|(3). .PP -These are only 'hints' since the encoder implementations are free to +These are only \*(Aqhints\*(Aq since the encoder implementations are free to determine what makes sense to include in the output, and this may depend on -the desired output. For example, an EC key in a PKCS#8 structure doesn't +the desired output. For example, an EC key in a PKCS#8 structure doesn\*(Aqt usually include the public key. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_ENCODER_CTX_new_for_pkey()\fR returns a pointer to an \fBOSSL_ENCODER_CTX\fR, -or NULL if it couldn't be created. +or NULL if it couldn\*(Aqt be created. .PP \&\fBOSSL_ENCODER_CTX_set_cipher()\fR, \fBOSSL_ENCODER_CTX_set_passphrase()\fR, \&\fBOSSL_ENCODER_CTX_set_pem_password_cb()\fR, \fBOSSL_ENCODER_CTX_set_passphrase_ui()\fR diff --git a/secure/lib/libcrypto/man/man3/OSSL_ENCODER_to_bio.3 b/secure/lib/libcrypto/man/man3/OSSL_ENCODER_to_bio.3 index 263ebff6be3a..7474efc6fb0e 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_ENCODER_to_bio.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_ENCODER_to_bio.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_ENCODER_TO_BIO 3ossl" -.TH OSSL_ENCODER_TO_BIO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_ENCODER_TO_BIO 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -87,7 +90,7 @@ If \fI*pdata\fR is NULL when \fBOSSL_ENCODER_to_data()\fR is called, a buffer wi allocated using \fBOPENSSL_zalloc\fR\|(3), and \fI*pdata\fR will be set to point at the start of that buffer, and \fI*pdata_len\fR will be assigned its length when \&\fBOSSL_ENCODER_to_data()\fR returns. -If \fI*pdata\fR is non-NULL when \fBOSSL_ENCODER_to_data()\fR is called, \fI*pdata_len\fR +If \fI*pdata\fR is non\-NULL when \fBOSSL_ENCODER_to_data()\fR is called, \fI*pdata_len\fR is assumed to have its size. In this case, \fI*pdata\fR will be set to point after the encoded bytes, and \fI*pdata_len\fR will be assigned the number of remaining bytes. diff --git a/secure/lib/libcrypto/man/man3/OSSL_ERR_STATE_save.3 b/secure/lib/libcrypto/man/man3/OSSL_ERR_STATE_save.3 index 141f2b4d7591..766867c26d32 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_ERR_STATE_save.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_ERR_STATE_save.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_ERR_STATE_SAVE 3ossl" -.TH OSSL_ERR_STATE_SAVE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_ERR_STATE_SAVE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OSSL_ESS_check_signing_certs.3 b/secure/lib/libcrypto/man/man3/OSSL_ESS_check_signing_certs.3 index dd3b5fcc7395..18a9b6ab6cb1 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_ESS_check_signing_certs.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_ESS_check_signing_certs.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_ESS_CHECK_SIGNING_CERTS 3ossl" -.TH OSSL_ESS_CHECK_SIGNING_CERTS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_ESS_CHECK_SIGNING_CERTS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -114,7 +117,7 @@ it must match the certificate issuer and serial number attributes. .IX Header "NOTES" ESS has been defined in RFC 2634, which has been updated in RFC 5035 (ESS version 2) to support hash algorithms other than SHA\-1. -This is used for TSP (RFC 3161) and CAdES-BES (informational RFC 5126). +This is used for TSP (RFC 3161) and CAdES\-BES (informational RFC 5126). .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_ESS_signing_cert_new_init()\fR and \fBOSSL_ESS_signing_cert_v2_new_init()\fR diff --git a/secure/lib/libcrypto/man/man3/OSSL_GENERAL_NAMES_print.3 b/secure/lib/libcrypto/man/man3/OSSL_GENERAL_NAMES_print.3 index 295124b95aed..bbd8c69df91c 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_GENERAL_NAMES_print.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_GENERAL_NAMES_print.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_GENERAL_NAMES_PRINT 3ossl" -.TH OSSL_GENERAL_NAMES_PRINT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_GENERAL_NAMES_PRINT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OSSL_HPKE_CTX_new.3 b/secure/lib/libcrypto/man/man3/OSSL_HPKE_CTX_new.3 index a40dcee5d5fb..bde56c00a64c 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_HPKE_CTX_new.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_HPKE_CTX_new.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_HPKE_CTX_NEW 3ossl" -.TH OSSL_HPKE_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_HPKE_CTX_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -213,18 +216,18 @@ HPKE supports the following variants of Authentication using a mode Identifier: Authentication is not used. .IP "\fBOSSL_HPKE_MODE_PSK\fR, 0x01" 4 .IX Item "OSSL_HPKE_MODE_PSK, 0x01" -Authenticates possession of a pre-shared key (PSK). +Authenticates possession of a pre\-shared key (PSK). .IP "\fBOSSL_HPKE_MODE_AUTH\fR, 0x02" 4 .IX Item "OSSL_HPKE_MODE_AUTH, 0x02" -Authenticates possession of a KEM-based sender private key. +Authenticates possession of a KEM\-based sender private key. .IP "\fBOSSL_HPKE_MODE_PSKAUTH\fR, 0x03" 4 .IX Item "OSSL_HPKE_MODE_PSKAUTH, 0x03" A combination of \fBOSSL_HPKE_MODE_PSK\fR and \fBOSSL_HPKE_MODE_AUTH\fR. Both the PSK and the senders authentication public/private must be supplied before the encapsulation/decapsulation operation will work. .PP -For further information related to authentication see "Pre-Shared Key HPKE -modes" and "Sender-authenticated HPKE Modes". +For further information related to authentication see "Pre\-Shared Key HPKE +modes" and "Sender\-authenticated HPKE Modes". .SS "HPKE Roles" .IX Subsection "HPKE Roles" HPKE contexts have a role \- either sender or receiver. This is used 
@@ -257,7 +260,7 @@ vectors present in RFC9180, Appendix A.) .PP In accordance with RFC9180, section 9.5, we define a constant \&\fIOSSL_HPKE_MIN_PSKLEN\fR with a value of 32 for the minimum length of a -pre-shared key, passed in \fIpsklen\fR. +pre\-shared key, passed in \fIpsklen\fR. .PP While RFC9180 also RECOMMENDS a 64 octet limit for the \fIinfolen\fR parameter, that is not sufficient for TLS Encrypted ClientHello (ECH) processing, so we @@ -276,9 +279,9 @@ previously by a call to \fBOSSL_HPKE_CTX_new()\fR. If the argument to \&\fBOSSL_HPKE_CTX_free()\fR is NULL, nothing is done. .SS "Sender APIs" .IX Subsection "Sender APIs" -A sender's goal is to use HPKE to encrypt using a public key, via use of a +A sender\*(Aqs goal is to use HPKE to encrypt using a public key, via use of a KEM, then a KDF and finally an AEAD. The first step is to encapsulate (using -\&\fBOSSL_HPKE_encap()\fR) the sender's public value using the recipient's public key, +\&\fBOSSL_HPKE_encap()\fR) the sender\*(Aqs public value using the recipient\*(Aqs public key, (\fIpub\fR) and to internally derive secrets. This produces the encapsulated public value (\fIenc\fR) to be sent to the recipient in whatever protocol is using HPKE. Having done the encapsulation step, the sender can then make one or more calls to @@ -292,7 +295,7 @@ the output size. An error will occur if the input \fIenclen\fR is smaller than the value returned from \fBOSSL_HPKE_get_public_encap_size()\fR. \&\fIinfo\fR may be used to bind other protocol or application artefacts such as identifiers. Generally, the encapsulated public value \fIenc\fR corresponds to a -single-use ephemeral private value created as part of the encapsulation +single\-use ephemeral private value created as part of the encapsulation process. Only a single call to \fBOSSL_HPKE_encap()\fR is allowed for a given \&\fBOSSL_HPKE_CTX\fR. .PP 
@@ -316,7 +319,7 @@ outside the scope of this API. Private keys use normal \fBEVP_PKEY\fR\|(3) point so normal private key management mechanisms can be used for the relevant values. .PP -In order to enable encapsulation, the recipient needs to make it's public value +In order to enable encapsulation, the recipient needs to make it\*(Aqs public value available to the sender. There is no generic HPKE format defined for that \- the relevant formatting is intended to be defined by the application/protocols that makes use of HPKE. ECH for example defines an ECHConfig data structure that @@ -339,9 +342,9 @@ then a randomly generated key for the relevant \fIsuite\fR will be produced. If required \fIikmlen\fR should be greater than or equal to \&\fBOSSL_HPKE_get_recommended_ikmelen()\fR. .PP -\&\fBOSSL_HPKE_decap()\fR takes as input the sender's encapsulated public value -produced by \fBOSSL_HPKE_encap()\fR (\fIenc\fR) and the recipient's \fBEVP_PKEY\fR\|(3) -pointer (\fIprov\fR), and then re-generates the internal secret derived by the +\&\fBOSSL_HPKE_decap()\fR takes as input the sender\*(Aqs encapsulated public value +produced by \fBOSSL_HPKE_encap()\fR (\fIenc\fR) and the recipient\*(Aqs \fBEVP_PKEY\fR\|(3) +pointer (\fIprov\fR), and then re\-generates the internal secret derived by the sender. As before, an optional \fIinfo\fR parameter allows binding that derived secret to other application/protocol artefacts. Only a single call to \&\fBOSSL_HPKE_decap()\fR is allowed for a given \fBOSSL_HPKE_CTX\fR. 
@@ -357,7 +360,7 @@ An error will occur if the input \fIptlen\fR is too small. \&\fBOSSL_HPKE_open()\fR may be called multiple times, but as with \fBOSSL_HPKE_seal()\fR there is an internally incrementing nonce value so ciphertexts need to be presented in the same order as used by the \fBOSSL_HPKE_seal()\fR. -See "Re-sequencing" if you need to process multiple ciphertexts in a +See "Re\-sequencing" if you need to process multiple ciphertexts in a different order. .SS "Exporting Secrets" .IX Subsection "Exporting Secrets" @@ -374,11 +377,11 @@ same secret. \&\fIOSSL_HPKE_AEAD_ID_EXPORTONLY\fR may be used as the \fBOSSL_HPKE_SUITE\fR \fIaead_id\fR that is passed to \fBOSSL_HPKE_CTX_new()\fR if the user needs to produce a shared secret, but does not wish to perform HPKE encryption. -.SS "Sender-authenticated HPKE Modes" +.SS "Sender\-authenticated HPKE Modes" .IX Subsection "Sender-authenticated HPKE Modes" -HPKE defines modes that support KEM-based sender-authentication +HPKE defines modes that support KEM\-based sender\-authentication \&\fBOSSL_HPKE_MODE_AUTH\fR and \fBOSSL_HPKE_MODE_PSKAUTH\fR. This works by binding -the sender's authentication private/public values into the encapsulation and +the sender\*(Aqs authentication private/public values into the encapsulation and decapsulation operations. The key used for such modes must also use the same KEM as used for the overall exchange. \fBOSSL_HPKE_keygen()\fR can be used to generate the private value required. 
@@ -390,16 +393,16 @@ private \fIpriv\fR \fBEVP_PKEY\fR key into the \fBOSSL_HPKE_CTX\fR \fIctx\fR bef \&\fBOSSL_HPKE_CTX_set1_authpub()\fR can be used by the receiver to set the senders encoded pub key \fIpub\fR of size \fIpublen\fR into the \fBOSSL_HPKE_CTX\fR \fIctx\fR before calling \fBOSSL_HPKE_decap()\fR. -.SS "Pre-Shared Key HPKE modes" +.SS "Pre\-Shared Key HPKE modes" .IX Subsection "Pre-Shared Key HPKE modes" HPKE also defines a symmetric equivalent to the authentication described above -using a pre-shared key (PSK) and a PSK identifier. PSKs can be used with the +using a pre\-shared key (PSK) and a PSK identifier. PSKs can be used with the \&\fBOSSL_HPKE_MODE_PSK\fR and \fBOSSL_HPKE_MODE_PSKAUTH\fR modes. .PP \&\fBOSSL_HPKE_CTX_set1_psk()\fR sets the PSK identifier \fIpskid\fR string, and PSK buffer \&\fIpsk\fR of size \fIpsklen\fR into the \fIctx\fR. If required this must be called before \fBOSSL_HPKE_encap()\fR or \fBOSSL_HPKE_decap()\fR. -As per RFC9180, if required, both \fIpsk\fR and \fIpskid\fR must be set to non-NULL values. +As per RFC9180, if required, both \fIpsk\fR and \fIpskid\fR must be set to non\-NULL values. As PSKs are symmetric the same calls must happen on both sender and receiver sides. .SS "Deterministic key generation for senders" @@ -417,7 +420,7 @@ It is generally undesirable to use \fBOSSL_HPKE_CTX_set1_ikme()\fR, since it exposes the relevant secret to the application rather then preserving it within the library, and is more likely to result in use of predictable values or values that leak. -.SS Re-sequencing +.SS Re\-sequencing .IX Subsection "Re-sequencing" Some protocols may have to deal with packet loss while still being able to decrypt arriving packets later. We provide a way to set the increment used for 
@@ -466,7 +469,7 @@ public value needs to be regenerated by a sender before calling \fBOSSL_HPKE_sea .PP \&\fBOSSL_HPKE_get_grease_value()\fR produces values of the appropriate length for a given \fIsuite_in\fR value (or a random value if \fIsuite_in\fR is NULL) so that a -protocol using HPKE can send so-called GREASE (see RFC8701) values that are +protocol using HPKE can send so\-called GREASE (see RFC8701) values that are harder to distinguish from a real use of HPKE. The buffer sizes should be supplied on input. The output \fIenc\fR value will have an appropriate length for \fIsuite_out\fR and a random value, and the \fIct\fR output will be @@ -474,10 +477,10 @@ a random value. The relevant sizes for buffers can be found using \&\fBOSSL_HPKE_get_ciphertext_size()\fR and \fBOSSL_HPKE_get_public_encap_size()\fR. .PP \&\fBOSSL_HPKE_str2suite()\fR maps input \fIstr\fR strings to an \fBOSSL_HPKE_SUITE\fR object. -The input \fIstr\fR should be a comma-separated string with a KEM, +The input \fIstr\fR should be a comma\-separated string with a KEM, KDF and AEAD name in that order, for example "x25519,hkdf\-sha256,aes128gcm". This can be used by command line tools that accept string form names for HPKE -codepoints. Valid (case-insensitive) names are: +codepoints. Valid (case\-insensitive) names are: "p\-256", "p\-384", "p\-521", "x25519" and "x448" for KEM, "hkdf\-sha256", "hkdf\-sha384" and "hkdf\-sha512" for KDF, and "aes\-gcm\-128", "aes\-gcm\-256", "chacha20\-poly1305" and "exporter" for AEAD. @@ -494,7 +497,7 @@ relevant value or zero on error. All other functions return 1 for success or zero for error. .SH EXAMPLES .IX Header "EXAMPLES" -This example demonstrates a minimal round-trip using HPKE. +This example demonstrates a minimal round\-trip using HPKE. .PP .Vb 4 \& #include <stddef.h> 
@@ -571,7 +574,7 @@ This example demonstrates a minimal round-trip using HPKE. .SH WARNINGS .IX Header "WARNINGS" Note that the \fBOSSL_HPKE_CTX_set_seq()\fR API could be dangerous \- if used with GCM -that could lead to nonce-reuse, which is a known danger. So avoid that +that could lead to nonce\-reuse, which is a known danger. So avoid that entirely, or be very very careful when using that API. .PP Use of an IKM value for deterministic key generation (via diff --git a/secure/lib/libcrypto/man/man3/OSSL_HTTP_REQ_CTX.3 b/secure/lib/libcrypto/man/man3/OSSL_HTTP_REQ_CTX.3 index 05fe9b60f3eb..927c72274028 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_HTTP_REQ_CTX.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_HTTP_REQ_CTX.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_HTTP_REQ_CTX 3ossl" -.TH OSSL_HTTP_REQ_CTX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_HTTP_REQ_CTX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -117,7 +120,7 @@ OSSL_HTTP_is_alive \&\fBOSSL_HTTP_REQ_CTX\fR is a context structure for an HTTP request and response, used to collect all the necessary data to perform that request. .PP -This file documents low-level HTTP functions rarely used directly. High-level +This file documents low\-level HTTP functions rarely used directly. High\-level HTTP client functions like \fBOSSL_HTTP_get\fR\|(3) and \fBOSSL_HTTP_transfer\fR\|(3) should be preferred. .PP 
@@ -132,7 +135,7 @@ The allocated context structure includes an internal memory \fBBIO\fR, which collects the HTTP request header lines. .PP \&\fBOSSL_HTTP_REQ_CTX_free()\fR frees up the HTTP request context \fIrctx\fR. -The \fIrbio\fR is not free'd, \fIwbio\fR will be free'd if \fIfree_wbio\fR is set. +The \fIrbio\fR is not free\*(Aqd, \fIwbio\fR will be free\*(Aqd if \fIfree_wbio\fR is set. If the argument is NULL, nothing is done. .PP \&\fBOSSL_HTTP_REQ_CTX_set_request_line()\fR adds the 1st HTTP request line to \fIrctx\fR. @@ -160,7 +163,7 @@ Due to the structure of an HTTP request, if the \fIkeep_alive\fR argument is nonzero the function must be used before calling \fBOSSL_HTTP_REQ_CTX_set1_req()\fR. .PP If the \fIexpected_content_type\fR argument is not NULL, the client will -check in a case-insensitive way that the specified \f(CW\*(C`Content\-Type\*(C'\fR string value +check in a case\-insensitive way that the specified \f(CW\*(C`Content\-Type\*(C'\fR string value is included in the HTTP header of the response and return an error if not. In the \f(CW\*(C`Content\-Type\*(C'\fR header line the specified string should be present either as a whole, or in case the specified string does not include a \f(CW\*(C`;\*(C'\fR character, 
@@ -196,13 +199,13 @@ i.e., an error occurs in case the server does not grant it. It is needed if the \fImethod_POST\fR parameter in the \&\fBOSSL_HTTP_REQ_CTX_set_request_line()\fR call was 1 and an ASN.1\-encoded request should be sent. -It must also be used when requesting "keep-alive", +It must also be used when requesting "keep\-alive", even if a GET request is going to be sent, in which case \fIreq\fR must be NULL. Unless \fIreq\fR is NULL, the function adds the DER encoding of \fIreq\fR using the ASN.1 template \fIit\fR to do the encoding (which does not support streaming). The HTTP header \f(CW\*(C`Content\-Length\*(C'\fR is filled out with the length of the request. \&\fIcontent_type\fR must be NULL if \fIreq\fR is NULL. -If \fIcontent_type\fR isn't NULL, +If \fIcontent_type\fR isn\*(Aqt NULL, the HTTP header \f(CW\*(C`Content\-Type\*(C'\fR is also added with the given string value. The header lines are added to the internal memory \fBBIO\fR for the request header. .PP @@ -213,7 +216,7 @@ The function may need to be called again if its result is \-1, which indicates \&\fBBIO_should_retry\fR\|(3). In such a case it is advisable to sleep a little in between, using \fBBIO_wait\fR\|(3) on the read BIO to prevent a busy loop. See \fBOSSL_HTTP_REQ_CTX_set_expected()\fR how the response content type, -the response body, the HTTP transfer timeout, and "keep-alive" are treated. +the response body, the HTTP transfer timeout, and "keep\-alive" are treated. Any error message body is consumed if a \f(CW\*(C`Content\-Type\*(C'\fR header is not included or its value starts with \f(CW\*(C`text/\*(C'\fR. This is used for tracing the body contents if HTTP tracing is enabled. 
@@ -224,7 +227,7 @@ or the content is an ASN.1\-encoded structure with a length exceeding this value or both length indications are present but disagree then an error occurs. .PP \&\fBOSSL_HTTP_REQ_CTX_nbio_d2i()\fR is like \fBOSSL_HTTP_REQ_CTX_nbio()\fR but on success -in addition parses the response, which must be a DER-encoded ASN.1 structure, +in addition parses the response, which must be a DER\-encoded ASN.1 structure, using the ASN.1 template \fIit\fR and places the result in \fI*pval\fR. .PP \&\fBOSSL_HTTP_REQ_CTX_exchange()\fR calls \fBOSSL_HTTP_REQ_CTX_nbio()\fR as often as needed @@ -274,7 +277,7 @@ for any reason at the server side, it will notice this obtaining an I/O error when trying to send the next request via \fIrctx\fR. .SH WARNINGS .IX Header "WARNINGS" -The server's response may be unexpected if the hostname that was used to +The server\*(Aqs response may be unexpected if the hostname that was used to create the \fIwbio\fR, any \f(CW\*(C`Host\*(C'\fR header, and the host specified in the request URL do not match. .PP @@ -291,7 +294,7 @@ Adding extra header lines with \fBOSSL_HTTP_REQ_CTX_add1_header()\fR. This is optional and may be done multiple times with different names. .IP 3. 4 Finalize the request using \fBOSSL_HTTP_REQ_CTX_set1_req()\fR. -This may be omitted if the GET method is used and "keep-alive" is not requested. +This may be omitted if the GET method is used and "keep\-alive" is not requested. .PP When the request context is fully prepared, the HTTP exchange may be performed with \fBOSSL_HTTP_REQ_CTX_nbio()\fR or \fBOSSL_HTTP_REQ_CTX_exchange()\fR. 
@@ -323,7 +326,7 @@ The returned BIO must not be freed by the caller. \&\fBOSSL_HTTP_REQ_CTX_get_resp_len()\fR returns the size of the response contents or 0 if not available or an error occurred. .PP -\&\fBOSSL_HTTP_is_alive()\fR returns 1 if its argument is non-NULL +\&\fBOSSL_HTTP_is_alive()\fR returns 1 if its argument is non\-NULL and the client requested a persistent connection and the server did not disagree on keeping the connection open, else 0. .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/OSSL_HTTP_parse_url.3 b/secure/lib/libcrypto/man/man3/OSSL_HTTP_parse_url.3 index 75830467ae9b..00507e756645 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_HTTP_parse_url.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_HTTP_parse_url.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_HTTP_PARSE_URL 3ossl" -.TH OSSL_HTTP_PARSE_URL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_HTTP_PARSE_URL 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -119,10 +122,10 @@ The port component is optional and defaults to \f(CW0\fR. If given, it must be in decimal form. If the \fIpport_num\fR argument is not NULL the integer value of the port number is assigned to \fI*pport_num\fR on success. The path component is also optional and defaults to \f(CW\*(C`/\*(C'\fR. -Each non-NULL result pointer argument \fIpscheme\fR, \fIpuser\fR, \fIphost\fR, \fIpport\fR, +Each non\-NULL result pointer argument \fIpscheme\fR, \fIpuser\fR, \fIphost\fR, \fIpport\fR, \&\fIppath\fR, \fIpquery\fR, and \fIpfrag\fR, is assigned the respective url component. Any IPv6 address in \fI*phost\fR is enclosed in \f(CW\*(C`[\*(C'\fR and \f(CW\*(C`]\*(C'\fR. -On success, they are guaranteed to contain non-NULL string pointers, else NULL. +On success, they are guaranteed to contain non\-NULL string pointers, else NULL. It is the responsibility of the caller to free them using \fBOPENSSL_free\fR\|(3). If \fIpquery\fR is NULL, any given query component is handled as part of the path. A string returned via \fI*ppath\fR is guaranteed to begin with a \f(CW\*(C`/\*(C'\fR character. diff --git a/secure/lib/libcrypto/man/man3/OSSL_HTTP_transfer.3 b/secure/lib/libcrypto/man/man3/OSSL_HTTP_transfer.3 index 4863e639a8b6..efdc513f5028 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_HTTP_transfer.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_HTTP_transfer.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_HTTP_TRANSFER 3ossl" -.TH OSSL_HTTP_TRANSFER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_HTTP_TRANSFER 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -115,7 +118,7 @@ OSSL_HTTP_close NULL, else by connecting to a given \fIserver\fR optionally via a \fIproxy\fR. .PP Typically the OpenSSL build supports sockets and the \fIbio\fR parameter is NULL. -In this case \fIrbio\fR must be NULL as well and the \fIserver\fR must be non-NULL. +In this case \fIrbio\fR must be NULL as well and the \fIserver\fR must be non\-NULL. The function creates a network BIO internally using \fBBIO_new_connect\fR\|(3) for connecting to the given server and the optionally given \fIport\fR, defaulting to 80 for HTTP or 443 for HTTPS. @@ -130,7 +133,7 @@ As soon as the client has flushed \fIbio\fR the server must be ready to provide a response or indicate a waiting condition via \fIrbio\fR. .PP If \fIbio\fR is given, -it is an error to provide non-NULL \fIproxy\fR or \fIno_proxy\fR arguments, +it is an error to provide non\-NULL \fIproxy\fR or \fIno_proxy\fR arguments, while \fIserver\fR and \fIport\fR arguments may be given to support diagnostic output. If \fIbio\fR is NULL the optional \fIproxy\fR parameter can be used to set an HTTP(S) proxy to use (unless overridden by "no_proxy" settings). 
@@ -217,7 +220,7 @@ A value <= 0 enables waiting indefinitely, i.e., no timeout. \&\fBOSSL_HTTP_proxy_connect()\fR may be used by an above BIO connect callback function to set up an SSL/TLS connection via an HTTPS proxy. It promotes the given BIO \fIbio\fR representing a connection -pre-established with a TLS proxy using the HTTP CONNECT method, +pre\-established with a TLS proxy using the HTTP CONNECT method, optionally using proxy client credentials \fIproxyuser\fR and \fIproxypass\fR, to connect with TLS protection ultimately to \fIserver\fR and \fIport\fR. If the \fIport\fR argument is NULL or the empty string it defaults to "443". @@ -226,7 +229,7 @@ seconds the connection setup is allowed to take. A value <= 0 enables waiting indefinitely, i.e., no timeout. Since this function is typically called by applications such as \&\fBopenssl\-s_client\fR\|(1) it uses the \fIbio_err\fR and \fIprog\fR parameters (unless -NULL) to print additional diagnostic information in a user-oriented way. +NULL) to print additional diagnostic information in a user\-oriented way. .PP \&\fBOSSL_HTTP_set1_request()\fR sets up in \fIrctx\fR the request header and content data and expectations on the response using the following parameters. @@ -239,7 +242,7 @@ If \fIpath\fR is NULL it defaults to "/". If \fIreq\fR is NULL the HTTP GET method will be used to send the request else HTTP POST with the contents of \fIreq\fR and optional \fIcontent_type\fR, where the length of the data in \fIreq\fR does not need to be determined in advance: the -BIO will be read on-the-fly while sending the request, which supports streaming. +BIO will be read on\-the\-fly while sending the request, which supports streaming. The optional list \fIheaders\fR may contain additional custom HTTP header lines. The \fImax_resp_len\fR parameter specifies the maximum allowed response content length, where the value 0 indicates no limit. 
@@ -265,11 +268,11 @@ Otherwise it returns directly the read BIO that holds the response contents, which allows a response of indefinite length and may support streaming. The caller is responsible for freeing the BIO pointer obtained. .PP -\&\fBOSSL_HTTP_get()\fR uses HTTP GET to obtain data from \fIbio\fR if non-NULL, +\&\fBOSSL_HTTP_get()\fR uses HTTP GET to obtain data from \fIbio\fR if non\-NULL, else from the server contained in the \fIurl\fR, and returns it as a BIO. It supports redirection via HTTP status code 301 or 302. It is meant for transfers with a single round trip, so does not support persistent connections. -If \fIbio\fR is non-NULL, any host and port components in the \fIurl\fR are not used +If \fIbio\fR is non\-NULL, any host and port components in the \fIurl\fR are not used for connecting but the hostname is used, as usual, for the \f(CW\*(C`Host\*(C'\fR header. Any userinfo and fragment components in the \fIurl\fR are ignored. Any query component is handled as part of the path component. @@ -283,7 +286,7 @@ The caller is responsible for freeing the BIO pointer obtained. over a connection managed via \fIprctx\fR without supporting redirection. It combines \fBOSSL_HTTP_open()\fR, \fBOSSL_HTTP_set1_request()\fR, \fBOSSL_HTTP_exchange()\fR, and \fBOSSL_HTTP_close()\fR. -If \fIprctx\fR is not NULL it reuses any open connection represented by a non-NULL +If \fIprctx\fR is not NULL it reuses any open connection represented by a non\-NULL \&\fI*prctx\fR. It keeps the connection open if a persistent connection is requested or required and this was granted by the server, else it closes the connection and assigns NULL to \fI*prctx\fR. diff --git a/secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX.3 b/secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX.3 index 97ddfe91a06a..b71529a656e4 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_IETF_ATTR_SYNTAX 3ossl" -.TH OSSL_IETF_ATTR_SYNTAX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_IETF_ATTR_SYNTAX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX_print.3 b/secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX_print.3 index 9d47575bdd1f..b9b4d1f20cf0 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX_print.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX_print.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_IETF_ATTR_SYNTAX_PRINT 3ossl" -.TH OSSL_IETF_ATTR_SYNTAX_PRINT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_IETF_ATTR_SYNTAX_PRINT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/OSSL_INDICATOR_set_callback.3 b/secure/lib/libcrypto/man/man3/OSSL_INDICATOR_set_callback.3 index e6af4de3ced3..601781d1f05c 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_INDICATOR_set_callback.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_INDICATOR_set_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_INDICATOR_SET_CALLBACK 3ossl" -.TH OSSL_INDICATOR_SET_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_INDICATOR_SET_CALLBACK 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -83,14 +86,14 @@ typedef int (OSSL_INDICATOR_CALLBACK)(const char *type, const char *desc, \&\fBOSSL_INDICATOR_set_callback()\fR sets a user callback \fIcb\fR associated with a \&\fIlibctx\fR that will be called when a non approved FIPS operation is detected. .PP -The user's callback may be triggered multiple times during an algorithm operation +The user\*(Aqs callback may be triggered multiple times during an algorithm operation to indicate different approved mode checks have failed. .PP Non approved operations may only occur if the user has deliberately chosen to do so (either by setting a global FIPS configuration option or via an option in an -algorithm's operation context). +algorithm\*(Aqs operation context). .PP -The user's callback \fBOSSL_INDICATOR_CALLBACK\fR \fItype\fR and \fIdesc\fR +The user\*(Aqs callback \fBOSSL_INDICATOR_CALLBACK\fR \fItype\fR and \fIdesc\fR contain the algorithm type and operation that is not approved. \&\fIparams\fR is not currently used. .PP diff --git a/secure/lib/libcrypto/man/man3/OSSL_ITEM.3 b/secure/lib/libcrypto/man/man3/OSSL_ITEM.3 index 8a84ccca30a5..b2e6c3034b98 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_ITEM.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_ITEM.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_ITEM 3ossl" -.TH OSSL_ITEM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_ITEM 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -76,13 +79,13 @@ OSSL_ITEM \- OpenSSL Core type for generic itemized data .SH DESCRIPTION .IX Header "DESCRIPTION" This type is a tuple of integer and pointer. -It's a generic type used as a generic descriptor, its exact meaning -being defined by how it's used. +It\*(Aqs a generic type used as a generic descriptor, its exact meaning +being defined by how it\*(Aqs used. Arrays of this type are passed between the OpenSSL libraries and the providers, and must be terminated with a tuple where the integer is zero and the pointer NULL. .PP -This is currently mainly used for the return value of the provider's error +This is currently mainly used for the return value of the provider\*(Aqs error reason strings array, see "Provider Functions" in \fBprovider\-base\fR\|(7). .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX.3 b/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX.3 index 849db8e6f42e..4da6fca9cc67 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_LIB_CTX 3ossl" -.TH OSSL_LIB_CTX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_LIB_CTX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -92,7 +95,7 @@ a default context with functions that take an \fBOSSL_LIB_CTX\fR argument. .PP When a non default library context is in use care should be taken with -multi-threaded applications to properly clean up thread local resources before +multi\-threaded applications to properly clean up thread local resources before the OSSL_LIB_CTX is freed. See \fBOPENSSL_thread_stop_ex\fR\|(3) for more information. .PP @@ -101,7 +104,7 @@ See \fBOPENSSL_thread_stop_ex\fR\|(3) for more information. \&\fBOSSL_LIB_CTX_new_from_dispatch()\fR creates a new OpenSSL library context initialised to use callbacks from the OSSL_DISPATCH structure. This is primarily useful for provider authors. The \fIhandle\fR and dispatch structure arguments -passed should be the same ones as passed to a provider's +passed should be the same ones as passed to a provider\*(Aqs OSSL_provider_init function. Some OpenSSL functions, such as \&\fBBIO_new_from_core_bio\fR\|(3), require the library context to be created in this way in order to work. 
@@ -136,12 +139,12 @@ context. If \fBEVP_set_default_properties\fR\|(3) is called directly on a child library context then the new properties will override anything from the parent library context and mirroring of the properties will stop. .PP -When \fBOSSL_LIB_CTX_new_child()\fR is called from within the scope of a provider's +When \fBOSSL_LIB_CTX_new_child()\fR is called from within the scope of a provider\*(Aqs \&\fBOSSL_provider_init\fR function the currently initialising provider is not yet -available in the application's library context and therefore will similarly not +available in the application\*(Aqs library context and therefore will similarly not yet be available in the newly constructed child library context. As soon as the \&\fBOSSL_provider_init\fR function returns then the new provider is available in the -application's library context and will be similarly mirrored in the child +application\*(Aqs library context and will be similarly mirrored in the child library context. .PP \&\fBOSSL_LIB_CTX_load_config()\fR loads a configuration file using the given \fIctx\fR. @@ -185,7 +188,7 @@ depends on the index. \&\fBOSSL_LIB_CTX_set0_default()\fR return a library context pointer on success, or NULL on error. .PP -\&\fBOSSL_LIB_CTX_free()\fR doesn't return any value. +\&\fBOSSL_LIB_CTX_free()\fR doesn\*(Aqt return any value. .PP \&\fBOSSL_LIB_CTX_load_config()\fR returns 1 on success, 0 on error. .PP diff --git a/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX_set_conf_diagnostics.3 b/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX_set_conf_diagnostics.3 index 9a098c65dd77..709288d940ad 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX_set_conf_diagnostics.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX_set_conf_diagnostics.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_LIB_CTX_SET_CONF_DIAGNOSTICS 3ossl" -.TH OSSL_LIB_CTX_SET_CONF_DIAGNOSTICS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_LIB_CTX_SET_CONF_DIAGNOSTICS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OSSL_PARAM.3 b/secure/lib/libcrypto/man/man3/OSSL_PARAM.3 index ea8ea1b62b5f..c09aaa289b03 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_PARAM.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_PARAM.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PARAM 3ossl" -.TH OSSL_PARAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PARAM 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -163,7 +166,7 @@ counting the terminating NUL byte. When requesting parameters, the size should be set to the size of the buffer to be populated, which should accommodate enough space for a terminating NUL byte. .Sp -When \fIrequesting parameters\fR, it's acceptable for \fIdata\fR to be NULL. +When \fIrequesting parameters\fR, it\*(Aqs acceptable for \fIdata\fR to be NULL. This can be used by the \fIrequester\fR to figure out dynamically exactly how much buffer space is needed to store the parameter data. In this case, \fIdata_size\fR is ignored. @@ -208,7 +211,7 @@ The \fIdata_type\fR field can be one of the following types: .PD The parameter data is an integer (signed or unsigned) of arbitrary length, organized in native form, i.e. most significant byte first on -Big-Endian systems, and least significant byte first on Little-Endian +Big\-Endian systems, and least significant byte first on Little\-Endian systems. .IP \fBOSSL_PARAM_REAL\fR 4 .IX Item "OSSL_PARAM_REAL" @@ -224,7 +227,7 @@ The parameter data is an arbitrary string of bytes. The parameter data is a pointer to a printable string. .Sp The difference between this and \fBOSSL_PARAM_UTF8_STRING\fR is that \fIdata\fR -doesn't point directly at the data, but to a pointer that points to the data. +doesn\*(Aqt point directly at the data, but to a pointer that points to the data. .Sp If there is any uncertainty about which to use, \fBOSSL_PARAM_UTF8_STRING\fR is almost certainly the correct choice. 
@@ -241,14 +244,14 @@ If this is used in a parameter request, .Sp Note that the use of this type is \fBfragile\fR and can only be safely used for data that remains constant and in a constant location for a -long enough duration (such as the life-time of the entity that +long enough duration (such as the life\-time of the entity that offers these parameters). .IP \fBOSSL_PARAM_OCTET_PTR\fR 4 .IX Item "OSSL_PARAM_OCTET_PTR" The parameter data is a pointer to an arbitrary string of bytes. .Sp The difference between this and \fBOSSL_PARAM_OCTET_STRING\fR is that -\&\fIdata\fR doesn't point directly at the data, but to a pointer that +\&\fIdata\fR doesn\*(Aqt point directly at the data, but to a pointer that points to the data. .Sp If there is any uncertainty about which to use, \fBOSSL_PARAM_OCTET_STRING\fR is @@ -266,7 +269,7 @@ If this is used in a parameter request, .Sp Note that the use of this type is \fBfragile\fR and can only be safely used for data that remains constant and in a constant location for a -long enough duration (such as the life-time of the entity that +long enough duration (such as the life\-time of the entity that offers these parameters). .SH NOTES .IX Header "NOTES" @@ -274,9 +277,9 @@ Both when setting and requesting parameters, the functions that are called will have to decide what is and what is not an error. The recommended behaviour is: .IP \(bu 4 -Keys that a \fIsetter\fR or \fIresponder\fR doesn't recognise should simply +Keys that a \fIsetter\fR or \fIresponder\fR doesn\*(Aqt recognise should simply be ignored. -That in itself isn't an error. +That in itself isn\*(Aqt an error. .IP \(bu 4 If the keys that a called \fIsetter\fR recognises form a consistent enough set of data, that call should succeed. 
@@ -286,11 +289,11 @@ of an \fBOSSL_PARAM\fR. To return a value, it should change the contents of the memory that \&\fIdata\fR points at. .IP \(bu 4 -If the data type for a key that it's associated with is incorrect, +If the data type for a key that it\*(Aqs associated with is incorrect, the called function may return an error. .Sp The called function may also try to convert the data to a suitable -form (for example, it's plausible to pass a large number as an octet +form (for example, it\*(Aqs plausible to pass a large number as an octet string, so even though a given key is defined as an \&\fBOSSL_PARAM_UNSIGNED_INTEGER\fR, is plausible to pass the value as an \&\fBOSSL_PARAM_OCTET_STRING\fR), but this is in no way mandatory. @@ -308,7 +311,7 @@ an error. .IP \(bu 4 For the integer type parameters (\fBOSSL_PARAM_UNSIGNED_INTEGER\fR and \&\fBOSSL_PARAM_INTEGER\fR), a \fIresponder\fR may choose to return an error -if the \fIdata_size\fR isn't a suitable size (even if \fIdata_size\fR is +if the \fIdata_size\fR isn\*(Aqt a suitable size (even if \fIdata_size\fR is bigger than needed). If the \fIresponder\fR finds the size suitable, it must fill all \fIdata_size\fR bytes and ensure correct padding for the native endianness, and set \fIreturn_size\fR to the same value as diff --git a/secure/lib/libcrypto/man/man3/OSSL_PARAM_BLD.3 b/secure/lib/libcrypto/man/man3/OSSL_PARAM_BLD.3 index 4954923174fb..be6bdf6f7435 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_PARAM_BLD.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_PARAM_BLD.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PARAM_BLD 3ossl" -.TH OSSL_PARAM_BLD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PARAM_BLD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OSSL_PARAM_allocate_from_text.3 b/secure/lib/libcrypto/man/man3/OSSL_PARAM_allocate_from_text.3 index b3f9894fae43..7bbaf53dd346 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_PARAM_allocate_from_text.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_PARAM_allocate_from_text.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PARAM_ALLOCATE_FROM_TEXT 3ossl" -.TH OSSL_PARAM_ALLOCATE_FROM_TEXT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PARAM_ALLOCATE_FROM_TEXT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -87,14 +90,14 @@ size (see \fBOSSL_PARAM\fR\|(3) for more information). .PP \&\fBOSSL_PARAM_allocate_from_text()\fR uses \fIkey\fR to look up an item in \&\fIparamdefs\fR. If an item was found, it converts \fIvalue\fR to something -suitable for that item's \fIdata_type\fR, and stores the result in +suitable for that item\*(Aqs \fIdata_type\fR, and stores the result in \&\fIto\->data\fR as well as its size in \fIto\->data_size\fR. \&\fIto\->key\fR and \fIto\->data_type\fR are assigned the corresponding values from the item that was found, and \fIto\->return_size\fR is set to zero. .PP \&\fIto\->data\fR is always allocated using \fBOPENSSL_zalloc\fR\|(3) and -needs to be freed by the caller when it's not useful any more, using +needs to be freed by the caller when it\*(Aqs not useful any more, using \&\fBOPENSSL_free\fR\|(3). .PP If \fIfound\fR is not NULL, \fI*found\fR is set to 1 if \fIkey\fR could be @@ -107,10 +110,10 @@ located in \fIparamdefs\fR, and to 0 otherwise. will be looked up in \fIparamdefs\fR. .PP When an item in \fIparamdefs\fR has been found, \fIvalue\fR is converted -depending on that item's \fIdata_type\fR, as follows: +depending on that item\*(Aqs \fIdata_type\fR, as follows: .IP "\fBOSSL_PARAM_INTEGER\fR and \fBOSSL_PARAM_UNSIGNED_INTEGER\fR" 4 .IX Item "OSSL_PARAM_INTEGER and OSSL_PARAM_UNSIGNED_INTEGER" -If \fIkey\fR didn't start with "hex", \fIvalue\fR is assumed to contain +If \fIkey\fR didn\*(Aqt start with "hex", \fIvalue\fR is assumed to contain \&\fIvalue_n\fR decimal characters, which are decoded, and the resulting bytes become the number stored in the \fIto\->data\fR storage. .Sp 
@@ -120,7 +123,7 @@ hexadecimal characters. If \fIkey\fR started with "hex", \fIvalue\fR is assumed to contain \&\fIvalue_n\fR hexadecimal characters without the "0x" prefix. .Sp -If \fIvalue\fR contains characters that couldn't be decoded as +If \fIvalue\fR contains characters that couldn\*(Aqt be decoded as hexadecimal or decimal characters, \fBOSSL_PARAM_allocate_from_text()\fR considers that an error. .IP \fBOSSL_PARAM_UTF8_STRING\fR 4 @@ -137,11 +140,11 @@ On systems where the native character encoding is EBCDIC, the bytes in If \fIkey\fR started with "hex", \fIvalue\fR is assumed to contain \&\fIvalue_n\fR hexadecimal characters, which are decoded, and the resulting bytes are stored in the \fIto\->data\fR storage. -If \fIvalue\fR contains characters that couldn't be decoded as +If \fIvalue\fR contains characters that couldn\*(Aqt be decoded as hexadecimal or decimal characters, \fBOSSL_PARAM_allocate_from_text()\fR considers that an error. .Sp -If \fIkey\fR didn't start with "hex", \fIvalue_n\fR bytes from \fIvalue\fR are +If \fIkey\fR didn\*(Aqt start with "hex", \fIvalue_n\fR bytes from \fIvalue\fR are copied to the \fIto\->data\fR storage. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/OSSL_PARAM_dup.3 b/secure/lib/libcrypto/man/man3/OSSL_PARAM_dup.3 index d251e67d02ce..0e19518cf68b 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_PARAM_dup.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_PARAM_dup.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PARAM_DUP 3ossl" -.TH OSSL_PARAM_DUP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PARAM_DUP 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -83,7 +86,7 @@ deep copy of the data. .PP \&\fBOSSL_PARAM_merge()\fR merges the parameter arrays \fIparams\fR and \fIparams1\fR into a new parameter array. If \fIparams\fR and \fIparams1\fR contain values with the same -\&'key' then the value from \fIparams1\fR will replace the \fIparam\fR value. This +\&\*(Aqkey\*(Aq then the value from \fIparams1\fR will replace the \fIparam\fR value. This function does a shallow copy of the parameters. Either \fIparams\fR or \fIparams1\fR may be NULL. The behaviour of the merge is unpredictable if \fIparams\fR and \&\fIparams1\fR contain the same key, and there are multiple entries within either diff --git a/secure/lib/libcrypto/man/man3/OSSL_PARAM_int.3 b/secure/lib/libcrypto/man/man3/OSSL_PARAM_int.3 index ab3fe3452300..ede335bdec30 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_PARAM_int.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_PARAM_int.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PARAM_INT 3ossl" -.TH OSSL_PARAM_INT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PARAM_INT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -257,8 +260,8 @@ Type coercion takes place as discussed in the NOTES section. .PP \&\fBOSSL_PARAM_set_TYPE()\fR stores a value \fIval\fR of type \fR\f(BITYPE\fR\fB\fR into the parameter \fIp\fR. -If the parameter's \fIdata\fR field is NULL, then only its \fIreturn_size\fR field -will be assigned the size the parameter's \fIdata\fR buffer should have. +If the parameter\*(Aqs \fIdata\fR field is NULL, then only its \fIreturn_size\fR field +will be assigned the size the parameter\*(Aqs \fIdata\fR buffer should have. Type coercion takes place as discussed in the NOTES section. .PP \&\fBOSSL_PARAM_get_BN()\fR retrieves a BIGNUM from the parameter pointed to by \fIp\fR. @@ -266,8 +269,8 @@ The BIGNUM referenced by \fIval\fR is updated and is allocated if \fI*val\fR is NULL. .PP \&\fBOSSL_PARAM_set_BN()\fR stores the BIGNUM \fIval\fR into the parameter \fIp\fR. -If the parameter's \fIdata\fR field is NULL, then only its \fIreturn_size\fR field -will be assigned the size the parameter's \fIdata\fR buffer should have. +If the parameter\*(Aqs \fIdata\fR field is NULL, then only its \fIreturn_size\fR field +will be assigned the size the parameter\*(Aqs \fIdata\fR buffer should have. .PP \&\fBOSSL_PARAM_get_utf8_string()\fR retrieves a UTF8 string from the parameter pointed to by \fIp\fR. 
@@ -280,14 +283,14 @@ If memory is allocated by this function, it must be freed by the caller. .PP \&\fBOSSL_PARAM_set_utf8_string()\fR sets a UTF8 string from the parameter pointed to by \fIp\fR to the value referenced by \fIval\fR. -If the parameter's \fIdata\fR field isn't NULL, its \fIdata_size\fR must indicate +If the parameter\*(Aqs \fIdata\fR field isn\*(Aqt NULL, its \fIdata_size\fR must indicate that the buffer is large enough to accommodate the string that \fIval\fR points at, not including the terminating NUL byte, or this function will fail. -A terminating NUL byte is added only if the parameter's \fIdata_size\fR indicates +A terminating NUL byte is added only if the parameter\*(Aqs \fIdata_size\fR indicates the buffer is longer than the string length, otherwise the string will not be NUL terminated. -If the parameter's \fIdata\fR field is NULL, then only its \fIreturn_size\fR field -will be assigned the minimum size the parameter's \fIdata\fR buffer should have +If the parameter\*(Aqs \fIdata\fR field is NULL, then only its \fIreturn_size\fR field +will be assigned the minimum size the parameter\*(Aqs \fIdata\fR buffer should have to accommodate the string, not including a terminating NUL byte. .PP \&\fBOSSL_PARAM_get_octet_string()\fR retrieves an OCTET string from the parameter 
@@ -301,8 +304,8 @@ If memory is allocated by this function, it must be freed by the caller. .PP \&\fBOSSL_PARAM_set_octet_string()\fR sets an OCTET string from the parameter pointed to by \fIp\fR to the value referenced by \fIval\fR. -If the parameter's \fIdata\fR field is NULL, then only its \fIreturn_size\fR field -will be assigned the size the parameter's \fIdata\fR buffer should have. +If the parameter\*(Aqs \fIdata\fR field is NULL, then only its \fIreturn_size\fR field +will be assigned the size the parameter\*(Aqs \fIdata\fR buffer should have. .PP \&\fBOSSL_PARAM_get_utf8_ptr()\fR retrieves the UTF8 string pointer from the parameter referenced by \fIp\fR and stores it in \fI*val\fR. @@ -325,7 +328,7 @@ string. .PP \&\fBOSSL_PARAM_get_octet_string_ptr()\fR retrieves the pointer to a octet string from the parameter pointed to by \fIp\fR, and stores that pointer in \fI*val\fR, -along with the string's length in \fI*used_len\fR. +along with the string\*(Aqs length in \fI*used_len\fR. This is different from \fBOSSL_PARAM_get_octet_string()\fR, which copies the string. .PP @@ -395,7 +398,7 @@ This example is for setting parameters on some object: .SS "Example 2" .IX Subsection "Example 2" This example is for requesting parameters on some object, and also -demonstrates that the requester isn't obligated to request all +demonstrates that the requester isn\*(Aqt obligated to request all available parameters: .PP .Vb 7 diff --git a/secure/lib/libcrypto/man/man3/OSSL_PARAM_print_to_bio.3 b/secure/lib/libcrypto/man/man3/OSSL_PARAM_print_to_bio.3 index 923be153ba0e..11d07cc3b41f 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_PARAM_print_to_bio.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_PARAM_print_to_bio.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PARAM_PRINT_TO_BIO 3ossl" -.TH OSSL_PARAM_PRINT_TO_BIO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PARAM_PRINT_TO_BIO 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -76,7 +79,7 @@ OSSL_PARAM_print_to_bio \&\fBOSSL_PARAM_print_to_bio()\fR formats each parameter contained in the passed in array of \fBOSSL_PARAM\fR values \fIp\fR, and prints both the key, and optionally its value, to a provided \fBBIO\fR. -\&\fIp\fR must be a non-null array of OSSL_PARAM values, terminated +\&\fIp\fR must be a non\-null array of OSSL_PARAM values, terminated with a value containing a null \fIkey\fR member. \&\fIprint_values\fR is a control parameter, indicating that key values should be printed, in addition to key names. diff --git a/secure/lib/libcrypto/man/man3/OSSL_PROVIDER.3 b/secure/lib/libcrypto/man/man3/OSSL_PROVIDER.3 index 5b636739f970..3d8cf2814349 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_PROVIDER.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_PROVIDER.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PROVIDER 3ossl" -.TH OSSL_PROVIDER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PROVIDER 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -210,7 +213,7 @@ before a provider is in use by multiple threads. Parameters that only affect provider initialisation must, for now, be set in the configuration file, only parameters that are also queried later have any affect when set via this interface. -Only text parameters can be given, and it's up to the provider to +Only text parameters can be given, and it\*(Aqs up to the provider to interpret them. .PP \&\fBOSSL_PROVIDER_get_conf_parameters()\fR retrieves global configuration parameters 
@@ -224,32 +227,32 @@ the \fIparam\fR array must have \fBOSSL_PARAM_UTF8_PTR\fR as their \fBdata_type\ \&\fBOSSL_PROVIDER_conf_get_bool()\fR parses the global configuration parameter \fIname\fR associated with provider \fIprov\fR as a boolean value, returning a default value \&\fIdefval\fR when unable to retrieve or parse the parameter. -Parameter values equal (case-insensitively) to \f(CW1\fR, \f(CW\*(C`on\*(C'\fR, \f(CW\*(C`yes\*(C'\fR, or \f(CW\*(C`true\*(C'\fR +Parameter values equal (case\-insensitively) to \f(CW1\fR, \f(CW\*(C`on\*(C'\fR, \f(CW\*(C`yes\*(C'\fR, or \f(CW\*(C`true\*(C'\fR yield a true (nonzero) result. -Parameter values equal (case-insensitively) to \f(CW0\fR, \f(CW\*(C`off\*(C'\fR, \f(CW\*(C`no\*(C'\fR, or \f(CW\*(C`false\*(C'\fR +Parameter values equal (case\-insensitively) to \f(CW0\fR, \f(CW\*(C`off\*(C'\fR, \f(CW\*(C`no\*(C'\fR, or \f(CW\*(C`false\*(C'\fR yield a false (zero) result. .PP -\&\fBOSSL_PROVIDER_self_test()\fR is used to run a provider's self tests on demand. +\&\fBOSSL_PROVIDER_self_test()\fR is used to run a provider\*(Aqs self tests on demand. If the self tests fail then the provider will fail to provide any further services and algorithms. \fBOSSL_SELF_TEST_set_callback\fR\|(3) may be called beforehand in order to display diagnostics for the running self tests. .PP -\&\fBOSSL_PROVIDER_query_operation()\fR calls the provider's \fIquery_operation\fR +\&\fBOSSL_PROVIDER_query_operation()\fR calls the provider\*(Aqs \fIquery_operation\fR function (see \fBprovider\fR\|(7)), if the provider has one. It returns an array of \fIOSSL_ALGORITHM\fR for the given \fIoperation_id\fR terminated by an all -NULL OSSL_ALGORITHM entry. This is considered a low-level function that most +NULL OSSL_ALGORITHM entry. This is considered a low\-level function that most applications should not need to call. 
.PP -\&\fBOSSL_PROVIDER_unquery_operation()\fR calls the provider's \fIunquery_operation\fR +\&\fBOSSL_PROVIDER_unquery_operation()\fR calls the provider\*(Aqs \fIunquery_operation\fR function (see \fBprovider\fR\|(7)), if the provider has one. This is considered a -low-level function that most applications should not need to call. +low\-level function that most applications should not need to call. .PP \&\fBOSSL_PROVIDER_get0_provider_ctx()\fR returns the provider context for the given provider. The provider context is an opaque handle set by the provider itself and is passed back to the provider by libcrypto in various function calls. .PP -\&\fBOSSL_PROVIDER_get0_dispatch()\fR returns the provider's dispatch table as it was -returned in the \fIout\fR parameter from the provider's init function. See +\&\fBOSSL_PROVIDER_get0_dispatch()\fR returns the provider\*(Aqs dispatch table as it was +returned in the \fIout\fR parameter from the provider\*(Aqs init function. See \&\fBprovider\-base\fR\|(7). .PP If it is permissible to cache references to this array then \fI*no_store\fR is set @@ -264,7 +267,7 @@ supported by the provider specified in \fIprov\fR with the capability name will call the callback \fIcb\fR and supply a set of \fBOSSL_PARAM\fR\|(3)s describing the capability. It will also pass back the argument \fIarg\fR. For more details about capabilities and what they can be used for please see -"CAPABILTIIES" in \fBprovider\-base\fR\|(7). +"CAPABILITIES" in \fBprovider\-base\fR\|(7). .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_PROVIDER_set_default_search_path()\fR, \fBOSSL_PROVIDER_add()\fR, diff --git a/secure/lib/libcrypto/man/man3/OSSL_QUIC_client_method.3 b/secure/lib/libcrypto/man/man3/OSSL_QUIC_client_method.3 index 805a564c05a6..ffc3a99ccd8b 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_QUIC_client_method.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_QUIC_client_method.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_QUIC_CLIENT_METHOD 3ossl" -.TH OSSL_QUIC_CLIENT_METHOD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_QUIC_CLIENT_METHOD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -85,7 +88,7 @@ The \fBOSSL_QUIC_client_method()\fR does not use threads and depends on nonblocking mode of operation and the application periodically calling SSL functions. .PP -The \fBOSSL_QUIC_server_method()\fR provides server-side QUIC protocol support and +The \fBOSSL_QUIC_server_method()\fR provides server\-side QUIC protocol support and must be used with the \fBSSL_new_listener\fR\|(3) API. Attempting to use \&\fBOSSL_QUIC_server_method()\fR with \fBSSL_new\fR\|(3) will result in an error. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_new.3 b/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_new.3 index 3bc723cdd824..6097fe147e0e 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_new.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_SELF_TEST_NEW 3ossl" -.TH OSSL_SELF_TEST_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_SELF_TEST_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -97,7 +100,7 @@ If the argument is NULL, nothing is done. code. It can be used for diagnostic purposes. If this method is called the callback \fIcb\fR will receive the following \&\fBOSSL_PARAM\fR\|(3) object. -.IP """st-phase"" (\fBOSSL_PROV_PARAM_SELF_TEST_PHASE\fR) <UTF8 string>" 4 +.IP """st\-phase"" (\fBOSSL_PROV_PARAM_SELF_TEST_PHASE\fR) <UTF8 string>" 4 .IX Item """st-phase"" (OSSL_PROV_PARAM_SELF_TEST_PHASE) <UTF8 string>" The value is the string "Start" .PP @@ -109,7 +112,7 @@ The \fItype\fR and \fIdesc\fR can be used to identify an individual self test to target for failure testing. If this method is called the callback \fIcb\fR will receive the following \&\fBOSSL_PARAM\fR\|(3) object. -.IP """st-phase"" (\fBOSSL_PROV_PARAM_SELF_TEST_PHASE\fR) <UTF8 string>" 4 +.IP """st\-phase"" (\fBOSSL_PROV_PARAM_SELF_TEST_PHASE\fR) <UTF8 string>" 4 .IX Item """st-phase"" (OSSL_PROV_PARAM_SELF_TEST_PHASE) <UTF8 string>" The value is the string "Corrupt" .PP 
@@ -118,7 +121,7 @@ just before cleanup to indicate if the test passed or failed. It can be used for diagnostic purposes. If this method is called the callback \fIcb\fR will receive the following \&\fBOSSL_PARAM\fR\|(3) object. -.IP """st-phase"" (\fBOSSL_PROV_PARAM_SELF_TEST_PHASE\fR) <UTF8 string>" 4 +.IP """st\-phase"" (\fBOSSL_PROV_PARAM_SELF_TEST_PHASE\fR) <UTF8 string>" 4 .IX Item """st-phase"" (OSSL_PROV_PARAM_SELF_TEST_PHASE) <UTF8 string>" The value of the string is "Pass" if \fIret\fR is non zero, otherwise it has the value "Fail". @@ -129,11 +132,11 @@ After the callback \fIcb\fR has been called the values that were set by If \fBOSSL_SELF_TEST_onbegin()\fR, \fBOSSL_SELF_TEST_oncorrupt_byte()\fR or \&\fBOSSL_SELF_TEST_onend()\fR is called the following additional \fBOSSL_PARAM\fR\|(3) are passed to the callback. -.IP """st-type"" (\fBOSSL_PROV_PARAM_SELF_TEST_TYPE\fR) <UTF8 string>" 4 +.IP """st\-type"" (\fBOSSL_PROV_PARAM_SELF_TEST_TYPE\fR) <UTF8 string>" 4 .IX Item """st-type"" (OSSL_PROV_PARAM_SELF_TEST_TYPE) <UTF8 string>" The value is setup by the \fItype\fR passed to \fBOSSL_SELF_TEST_onbegin()\fR. This allows the callback to identify the type of test being run. -.IP """st-desc"" (\fBOSSL_PROV_PARAM_SELF_TEST_DESC\fR) <UTF8 string>" 4 +.IP """st\-desc"" (\fBOSSL_PROV_PARAM_SELF_TEST_DESC\fR) <UTF8 string>" 4 .IX Item """st-desc"" (OSSL_PROV_PARAM_SELF_TEST_DESC) <UTF8 string>" The value is setup by the \fItype\fR passed to \fBOSSL_SELF_TEST_onbegin()\fR. This allows the callback to identify the sub category of the test being run. @@ -188,7 +191,7 @@ A single self test could be set up in the following way: \& EVP_MD_CTX_free(ctx); .Ve .PP -Multiple self test's can be set up in a similar way by repeating the pattern of +Multiple self test\*(Aqs can be set up in a similar way by repeating the pattern of \&\fBOSSL_SELF_TEST_onbegin()\fR, \fBOSSL_SELF_TEST_oncorrupt_byte()\fR, \fBOSSL_SELF_TEST_onend()\fR for each test. .SH "SEE ALSO" 
diff --git a/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_set_callback.3 b/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_set_callback.3 index e943cd23aa37..291ecaa4cd46 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_set_callback.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_set_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_SELF_TEST_SET_CALLBACK 3ossl" -.TH OSSL_SELF_TEST_SET_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_SELF_TEST_SET_CALLBACK 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_INFO.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_INFO.3 index d29f3a46db95..535e60ba9e43 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_STORE_INFO.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_INFO.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_STORE_INFO 3ossl" -.TH OSSL_STORE_INFO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_STORE_INFO 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -120,7 +123,7 @@ supported objects from \fBOSSL_STORE_INFO\fR objects and for scheme specific loaders to create \fBOSSL_STORE_INFO\fR holders. .SS Types .IX Subsection "Types" -\&\fBOSSL_STORE_INFO\fR is an opaque type that's just an intermediary holder for +\&\fBOSSL_STORE_INFO\fR is an opaque type that\*(Aqs just an intermediary holder for the objects that have been retrieved by \fBOSSL_STORE_load()\fR and similar functions. Supported OpenSSL type object can be extracted using one of STORE_INFO_get0_<TYPE>() where <TYPE> can be NAME, PARAMS, PKEY, CERT, or CRL. @@ -173,7 +176,7 @@ This description is meant to be human readable and should be used for information printout. .PP \&\fBOSSL_STORE_INFO_new()\fR creates a \fBOSSL_STORE_INFO\fR with an arbitrary \fItype\fR -number and \fIdata\fR structure. It's the responsibility of the caller to +number and \fIdata\fR structure. It\*(Aqs the responsibility of the caller to define type numbers other than the ones defined by \fI<openssl/store.h>\fR, and to handle freeing the associated data structure on their own. \&\fIUsing type numbers that are defined by <openssl/store.h> may cause 
@@ -190,7 +193,7 @@ Currently supported object types are: .IP OSSL_STORE_INFO_NAME 4 .IX Item "OSSL_STORE_INFO_NAME" A name is exactly that, a name. -It's like a name in a directory, but formatted as a complete URI. +It\*(Aqs like a name in a directory, but formatted as a complete URI. For example, the path in URI \f(CW\*(C`file:/foo/bar/\*(C'\fR could include a file named \f(CW\*(C`cookie.pem\*(C'\fR, and in that case, the returned \fBOSSL_STORE_INFO_NAME\fR object would have the URI \f(CW\*(C`file:/foo/bar/cookie.pem\*(C'\fR, which can be @@ -207,9 +210,9 @@ The returned URI is considered canonical and must be unique and permanent for the storage where the object (or collection of objects) resides. Each loader is responsible for ensuring that it only returns canonical URIs. -However, it's possible that certain schemes allow an object (or collection +However, it\*(Aqs possible that certain schemes allow an object (or collection thereof) to be reached with alternative URIs; just because one URI is -canonical doesn't mean that other variants can't be used. +canonical doesn\*(Aqt mean that other variants can\*(Aqt be used. .Sp At the discretion of the loader that was used to get these names, an extra description may be attached as well. diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_LOADER.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_LOADER.3 index 98c43ae18b58..6dd8ea255462 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_STORE_LOADER.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_LOADER.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_STORE_LOADER 3ossl" -.TH OSSL_STORE_LOADER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_STORE_LOADER 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -195,7 +198,7 @@ If the argument is NULL, nothing is done. with the given \fIloader\fR. .PP \&\fBOSSL_STORE_LOADER_is_a()\fR checks if \fIloader\fR is an implementation -of an algorithm that's identifiable with \fIscheme\fR. +of an algorithm that\*(Aqs identifiable with \fIscheme\fR. .PP \&\fBOSSL_STORE_LOADER_get0_description()\fR returns a description of the \fIloader\fR, meant for display and human consumption. The description is at the discretion of the @@ -276,7 +279,7 @@ function is expected to return 1 on success, 0 on error. .IX Item "OSSL_STORE_load_fn" This function takes a \fBOSSL_STORE_LOADER_CTX\fR pointer and a \fBUI_METHOD\fR with associated data. -It's expected to load the next available data, mold it into a data +It\*(Aqs expected to load the next available data, mold it into a data structure that can be wrapped in a \fBOSSL_STORE_INFO\fR using one of the \&\fBOSSL_STORE_INFO\fR\|(3) functions. If no more data is available or an error occurs, this function is @@ -356,7 +359,7 @@ or NULL on error. \&\fBOSSL_STORE_LOADER_names_do_all()\fR returns 1 if the callback was called for all names. A return value of 0 means that the callback was not called for any names. .PP -\&\fBOSSL_STORE_LOADER_free()\fR doesn't return any value. +\&\fBOSSL_STORE_LOADER_free()\fR doesn\*(Aqt return any value. .PP \&\fBOSSL_STORE_LOADER_get0_provider()\fR returns a pointer to a provider object, or NULL on error. 
@@ -368,7 +371,7 @@ definition string, or NULL on error. otherwise 0. .PP \&\fBOSSL_STORE_LOADER_get0_description()\fR returns a pointer to a description, or NULL if -there isn't one. +there isn\*(Aqt one. .PP The functions with the types \fBOSSL_STORE_open_fn\fR, \&\fBOSSL_STORE_open_ex_fn\fR, \fBOSSL_STORE_ctrl_fn\fR, diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_SEARCH.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_SEARCH.3 index 1cb7d92685bb..5f5661cf2700 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_STORE_SEARCH.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_SEARCH.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_STORE_SEARCH 3ossl" -.TH OSSL_STORE_SEARCH 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_STORE_SEARCH 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -105,7 +108,7 @@ OSSL_STORE_SEARCH_get0_digest .SH DESCRIPTION .IX Header "DESCRIPTION" These functions are used to specify search criteria to help search for specific -objects through other names than just the URI that's given to \fBOSSL_STORE_open()\fR. +objects through other names than just the URI that\*(Aqs given to \fBOSSL_STORE_open()\fR. For example, this can be useful for an application that has received a URI and then wants to add on search criteria in a uniform and supported manner. .SS Types 
diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_attach.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_attach.3 index 5d31191a75c4..d441184ec79a 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_STORE_attach.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_attach.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_STORE_ATTACH 3ossl" -.TH OSSL_STORE_ATTACH 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_STORE_ATTACH 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_expect.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_expect.3 index 40e35fd78115..1327780ba58c 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_STORE_expect.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_expect.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_STORE_EXPECT 3ossl" -.TH OSSL_STORE_EXPECT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_STORE_EXPECT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -101,7 +104,7 @@ supported search criterion types. .SH NOTES .IX Header "NOTES" If a more elaborate filter is required by the application, a better choice -would be to use a post-processing function. +would be to use a post\-processing function. See \fBOSSL_STORE_open\fR\|(3) for more information. .PP However, some loaders may take advantage of the knowledge of an expected type diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_open.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_open.3 index c9c7a3e204f1..3a77c590f91c 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_STORE_open.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_open.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_STORE_OPEN 3ossl" -.TH OSSL_STORE_OPEN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_STORE_OPEN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -110,7 +113,7 @@ These functions help the application to fetch supported objects (see from a given URI. The general method to do so is to "open" the URI using \fBOSSL_STORE_open()\fR, read each available and supported object using \fBOSSL_STORE_load()\fR as long as -\&\fBOSSL_STORE_eof()\fR hasn't been reached, and finish it off with \fBOSSL_STORE_close()\fR. +\&\fBOSSL_STORE_eof()\fR hasn\*(Aqt been reached, and finish it off with \fBOSSL_STORE_close()\fR. .PP The retrieved information is stored in a \fBOSSL_STORE_INFO\fR, which is further described in \fBOSSL_STORE_INFO\fR\|(3). @@ -146,7 +149,7 @@ the \fIparams\fR, the library context \fIlibctx\fR and property query \fIpropq\f \&\fBOSSL_STORE_ctrl()\fR takes a \fBOSSL_STORE_CTX\fR, and command number \fIcmd\fR and more arguments not specified here. The available loader specific command numbers and arguments they each -take depends on the loader that's used and is documented together with +take depends on the loader that\*(Aqs used and is documented together with that loader. .PP There are also global controls available: @@ -163,7 +166,7 @@ available object and return it wrapped with \fBOSSL_STORE_INFO\fR. .PP \&\fBOSSL_STORE_delete()\fR deletes the object identified by \fIuri\fR. .PP -\&\fBOSSL_STORE_eof()\fR takes a \fBOSSL_STORE_CTX\fR and checks if we've reached the end +\&\fBOSSL_STORE_eof()\fR takes a \fBOSSL_STORE_CTX\fR and checks if we\*(Aqve reached the end of data. .PP \&\fBOSSL_STORE_error()\fR takes a \fBOSSL_STORE_CTX\fR and checks if an error occurred in 
@@ -177,12 +180,12 @@ by \fBOSSL_STORE_open()\fR and frees all other information that was stored in th If \fIctx\fR is NULL it does nothing. .SH NOTES .IX Header "NOTES" -A string without a scheme prefix (that is, a non-URI string) is +A string without a scheme prefix (that is, a non\-URI string) is implicitly interpreted as using the \fIfile:\fR scheme. .PP There are some tools that can be used together with \&\fBOSSL_STORE_open()\fR to determine if any failure is caused by an unparsable -URI, or if it's a different error (such as memory allocation +URI, or if it\*(Aqs a different error (such as memory allocation failures); if the URI was parsable but the scheme unregistered, the top error will have the reason \f(CW\*(C`OSSL_STORE_R_UNREGISTERED_SCHEME\*(C'\fR. .PP diff --git a/secure/lib/libcrypto/man/man3/OSSL_sleep.3 b/secure/lib/libcrypto/man/man3/OSSL_sleep.3 index ccb724a474e1..aafbaff57603 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_sleep.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_sleep.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_SLEEP 3ossl" -.TH OSSL_SLEEP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_SLEEP 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OSSL_trace_enabled.3 b/secure/lib/libcrypto/man/man3/OSSL_trace_enabled.3 index 33b65043fcfd..9d089ab7926f 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_trace_enabled.3 
+++ b/secure/lib/libcrypto/man/man3/OSSL_trace_enabled.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_TRACE_ENABLED 3ossl" -.TH OSSL_TRACE_ENABLED 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_TRACE_ENABLED 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -123,7 +126,7 @@ The tracing types are described in detail in The fallback type \fBOSSL_TRACE_CATEGORY_ALL\fR should \fInot\fR be used with the functions described here. .PP -Tracing for a specific category is enabled at run-time if a so-called +Tracing for a specific category is enabled at run\-time if a so\-called \&\fItrace channel\fR is attached to it. A trace channel is simply a BIO object to which the application can write its trace output. .PP @@ -230,12 +233,12 @@ This will normally expand to: .Ve .PP \&\fBOSSL_TRACE()\fR and \fBOSSL_TRACE1()\fR, \fBOSSL_TRACE2()\fR, ... \fBOSSL_TRACE9()\fR are -so-called one-shot macros: +so\-called one\-shot macros: .PP The macro call \f(CW\*(C`OSSL_TRACE(category, text)\*(C'\fR, produces literal text trace output. .PP The macro call \f(CW\*(C`OSSL_TRACEn(category, format, arg1, ..., argn)\*(C'\fR produces -printf-style trace output with n format field arguments (n=1,...,9). +printf\-style trace output with n format field arguments (n=1,...,9). It expands to: .PP .Vb 3 
@@ -244,7 +247,7 @@ It expands to: \& } OSSL_TRACE_END(category) .Ve .PP -Internally, all one-shot macros are implemented using a generic \fBOSSL_TRACEV()\fR +Internally, all one\-shot macros are implemented using a generic \fBOSSL_TRACEV()\fR macro, since C90 does not support variadic macros. This helper macro has a rather weird synopsis and should not be used directly. .PP @@ -314,14 +317,14 @@ contention. .Ve .PP Note however that premature optimization of tracing code is in general futile -and it's better to keep the tracing code as simple as possible. -Because most often the limiting factor for the application's speed is the time +and it\*(Aqs better to keep the tracing code as simple as possible. +Because most often the limiting factor for the application\*(Aqs speed is the time it takes to print the trace output, not to calculate it. .SS "Configure Tracing" .IX Subsection "Configure Tracing" By default, the OpenSSL library is built with tracing disabled. To use the tracing functionality documented here, it is therefore -necessary to configure and build OpenSSL with the 'enable\-trace' option. +necessary to configure and build OpenSSL with the \*(Aqenable\-trace\*(Aq option. .PP When the library is built with tracing disabled: .IP \(bu 4 @@ -346,7 +349,7 @@ For example, take this example from "Macros" section above: \& } OSSL_TRACE_END(TLS); .Ve .Sp -When the tracing API isn't operational, that will expand to: +When the tracing API isn\*(Aqt operational, that will expand to: .Sp .Vb 10 \& do { diff --git a/secure/lib/libcrypto/man/man3/OSSL_trace_get_category_num.3 b/secure/lib/libcrypto/man/man3/OSSL_trace_get_category_num.3 index 850ff85bb10c..6f3d0a9ea3b0 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_trace_get_category_num.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_trace_get_category_num.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_TRACE_GET_CATEGORY_NUM 3ossl" -.TH OSSL_TRACE_GET_CATEGORY_NUM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_TRACE_GET_CATEGORY_NUM 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OSSL_trace_set_channel.3 b/secure/lib/libcrypto/man/man3/OSSL_trace_set_channel.3 index 5f761e19d9af..31557eff3792 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_trace_set_channel.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_trace_set_channel.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_TRACE_SET_CHANNEL 3ossl" -.TH OSSL_TRACE_SET_CHANNEL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_TRACE_SET_CHANNEL 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -84,7 +87,7 @@ This output comes in form of free text for humans to read. .PP The trace output is divided into categories which can be enabled individually. -Every category can be enabled individually by attaching a so-called +Every category can be enabled individually by attaching a so\-called \&\fItrace channel\fR to it, which in the simplest case is just a BIO object to which the application can write the tracing output for this category. Alternatively, the application can provide a tracer callback in order to @@ -98,7 +101,7 @@ respectively. \&\fBOSSL_TRACE_ENABLED\fR\|(3) can be used to check whether tracing is currently enabled for the given category. Functions like \fBOSSL_TRACE1\fR\|(3) and macros like \fBOSSL_TRACE_BEGIN\fR\|(3) -can be used for producing free-text trace output. +can be used for producing free\-text trace output. .SS Functions .IX Subsection "Functions" \&\fBOSSL_trace_set_channel()\fR is used to enable the given trace \f(CW\*(C`category\*(C'\fR @@ -118,11 +121,11 @@ tracing prefixes, consider setting a callback with \&\fBOSSL_trace_set_callback()\fR is used to enable the given trace \&\fIcategory\fR by giving it the tracer callback \fIcb\fR with the associated data \fIdata\fR, which will simply be passed through to \fIcb\fR whenever -it's called. The callback function is internally wrapped by a -dedicated BIO object, the so-called \fIcallback trace channel\fR. -This should be used when it's desirable to do form the trace output to +it\*(Aqs called. The callback function is internally wrapped by a +dedicated BIO object, the so\-called \fIcallback trace channel\fR. +This should be used when it\*(Aqs desirable to do form the trace output to something suitable for application needs where a prefix and suffix -line aren't enough. +line aren\*(Aqt enough. .PP \&\fBOSSL_trace_set_channel()\fR and \fBOSSL_trace_set_callback()\fR are mutually exclusive, calling one of them will clear whatever was set by the 
@@ -175,7 +178,7 @@ This needs special care, as OpenSSL will do automatic cleanup after exit from \f(CWmain()\fR, and any tracing output done during this cleanup will be lost if the tracing channel or callback were cleaned away prematurely. -A suggestion is to make such cleanup part of a function that's +A suggestion is to make such cleanup part of a function that\*(Aqs registered very early with \fBatexit\fR\|(3). .IP \fBOSSL_TRACE_CATEGORY_TLS\fR 4 .IX Item "OSSL_TRACE_CATEGORY_TLS" @@ -241,7 +244,7 @@ There is also \fBOSSL_TRACE_CATEGORY_ALL\fR, which works as a fallback and can be used to get \fIall\fR trace output. .PP Note, however, that in this case all trace output will effectively be -associated with the 'ALL' category, which is undesirable if the +associated with the \*(AqALL\*(Aq category, which is undesirable if the application intends to include the category name in the trace output. In this case it is better to register separate channels for each trace category instead. @@ -347,7 +350,7 @@ The output is almost the same as for the simple example above. .IX Subsection "Configure Tracing" By default, the OpenSSL library is built with tracing disabled. To use the tracing functionality documented here, it is therefore -necessary to configure and build OpenSSL with the 'enable\-trace' option. +necessary to configure and build OpenSSL with the \*(Aqenable\-trace\*(Aq option. .PP When the library is built with tracing disabled, the macro \&\fBOPENSSL_NO_TRACE\fR is defined in \fI<openssl/opensslconf.h>\fR and all diff --git a/secure/lib/libcrypto/man/man3/OpenSSL_add_all_algorithms.3 b/secure/lib/libcrypto/man/man3/OpenSSL_add_all_algorithms.3 index dd3984bba9eb..797f56e5e7b5 100644 --- a/secure/lib/libcrypto/man/man3/OpenSSL_add_all_algorithms.3 +++ b/secure/lib/libcrypto/man/man3/OpenSSL_add_all_algorithms.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_ADD_ALL_ALGORITHMS 3ossl" -.TH OPENSSL_ADD_ALL_ALGORITHMS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_ADD_ALL_ALGORITHMS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OpenSSL_version.3 b/secure/lib/libcrypto/man/man3/OpenSSL_version.3 index ef70574cd3f8..410d256d87f3 100644 --- a/secure/lib/libcrypto/man/man3/OpenSSL_version.3 +++ b/secure/lib/libcrypto/man/man3/OpenSSL_version.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_VERSION 3ossl" -.TH OPENSSL_VERSION 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_VERSION 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -112,7 +115,7 @@ The three macros \fBOPENSSL_VERSION_MAJOR\fR, \fBOPENSSL_VERSION_MINOR\fR and identifier, \fR\f(BIMAJOR\fR\fB.\fR\f(BIMINOR\fR\fB.\fR\f(BIPATCH\fR\fB\fR. .PP The macro \fBOPENSSL_VERSION_PRE_RELEASE\fR is an added bit of text that -indicates that this is a pre-release version, such as \f(CW"\-dev"\fR for an +indicates that this is a pre\-release version, such as \f(CW"\-dev"\fR for an ongoing development snapshot or \f(CW"\-alpha3"\fR for an alpha release. The value must be a string. .PP @@ -133,7 +136,7 @@ version text, which includes \fBOPENSSL_FULL_VERSION_STR\fR and the release date. .PP \&\fBOPENSSL_VERSION_PREREQ\fR is a useful macro for checking whether the OpenSSL -version for the headers in use is at least at the given pre-requisite major +version for the headers in use is at least at the given pre\-requisite major (\fBmaj\fR) and minor (\fBmin\fR) number or not. It will evaluate to true if the header version number (\fBOPENSSL_VERSION_MAJOR\fR.\fBOPENSSL_VERSION_MINOR\fR) is greater than or equal to \fBmaj\fR.\fBmin\fR. @@ -206,7 +209,7 @@ The Windows install context. The Windows install context is used to compute the OpenSSL registry key name on Windows. The full registry key is \&\f(CW\*(C`SOFTWARE\eWOW6432Node\eOpenSSL\-{major}.{minor}\-{context}\*(C'\fR, where \f(CW\*(C`{major}\*(C'\fR, -\&\f(CW\*(C`{minor}\*(C'\fR and \f(CW\*(C`{context}\*(C'\fR are OpenSSL's major version number, minor version +\&\f(CW\*(C`{minor}\*(C'\fR and \f(CW\*(C`{context}\*(C'\fR are OpenSSL\*(Aqs major version number, minor version number and the Windows install context, respectively. .PP For an unknown \fIt\fR, the text \f(CW\*(C`not available\*(C'\fR is returned. 
@@ -252,7 +255,7 @@ The Windows install context. The Windows install context is used to compute the OpenSSL registry key name on Windows. The full registry key is \&\f(CW\*(C`SOFTWARE\eWOW6432Node\eOpenSSL\-{major}.{minor}\-{context}\*(C'\fR, where \f(CW\*(C`{major}\*(C'\fR, -\&\f(CW\*(C`{minor}\*(C'\fR and \f(CW\*(C`{context}\*(C'\fR are OpenSSL's major version number, minor version +\&\f(CW\*(C`{minor}\*(C'\fR and \f(CW\*(C`{context}\*(C'\fR are OpenSSL\*(Aqs major version number, minor version number and the Windows install context, respectively. .PP For an unknown \fIt\fR, NULL is returned. diff --git a/secure/lib/libcrypto/man/man3/PBMAC1_get1_pbkdf2_param.3 b/secure/lib/libcrypto/man/man3/PBMAC1_get1_pbkdf2_param.3 index f02a5337232f..31a246665264 100644 --- a/secure/lib/libcrypto/man/man3/PBMAC1_get1_pbkdf2_param.3 +++ b/secure/lib/libcrypto/man/man3/PBMAC1_get1_pbkdf2_param.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PBMAC1_GET1_PBKDF2_PARAM 3ossl" -.TH PBMAC1_GET1_PBKDF2_PARAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PBMAC1_GET1_PBKDF2_PARAM 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PEM_X509_INFO_read_bio_ex.3 b/secure/lib/libcrypto/man/man3/PEM_X509_INFO_read_bio_ex.3 index 2d05e15fe278..5c999d2b23bb 100644 --- a/secure/lib/libcrypto/man/man3/PEM_X509_INFO_read_bio_ex.3 +++ b/secure/lib/libcrypto/man/man3/PEM_X509_INFO_read_bio_ex.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PEM_X509_INFO_READ_BIO_EX 3ossl" -.TH PEM_X509_INFO_READ_BIO_EX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PEM_X509_INFO_READ_BIO_EX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PEM_bytes_read_bio.3 b/secure/lib/libcrypto/man/man3/PEM_bytes_read_bio.3 index cd6d16ead5d6..1f33992b70f7 100644 --- a/secure/lib/libcrypto/man/man3/PEM_bytes_read_bio.3 +++ b/secure/lib/libcrypto/man/man3/PEM_bytes_read_bio.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PEM_BYTES_READ_BIO 3ossl" -.TH PEM_BYTES_READ_BIO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PEM_BYTES_READ_BIO 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -76,12 +79,12 @@ PEM_bytes_read_bio, PEM_bytes_read_bio_secmem \- read a PEM\-encoded data struct .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBPEM_bytes_read_bio()\fR reads PEM-formatted (IETF RFC 1421 and IETF RFC 7468) +\&\fBPEM_bytes_read_bio()\fR reads PEM\-formatted (IETF RFC 1421 and IETF RFC 7468) data from the BIO \&\fIbp\fR for the data type given in \fIname\fR (RSA PRIVATE KEY, CERTIFICATE, -etc.). If multiple PEM-encoded data structures are present in the same -stream, \fBPEM_bytes_read_bio()\fR will skip non-matching data types and -continue reading. Non-PEM data present in the stream may cause an +etc.). If multiple PEM\-encoded data structures are present in the same +stream, \fBPEM_bytes_read_bio()\fR will skip non\-matching data types and +continue reading. Non\-PEM data present in the stream may cause an error. .PP The PEM header may indicate that the following data is encrypted; if so, @@ -92,9 +95,9 @@ the decryption passphrase, if applicable. Some data types have compatibility aliases, such as a file containing X509 CERTIFICATE matching a request for the deprecated type CERTIFICATE. The actual type indicated by the file is returned in \fI*pnm\fR if \fIpnm\fR is -non-NULL. The caller must free the storage pointed to by \fI*pnm\fR. +non\-NULL. The caller must free the storage pointed to by \fI*pnm\fR. .PP -The returned data is the DER-encoded form of the requested type, in +The returned data is the DER\-encoded form of the requested type, in \&\fI*pdata\fR with length \fI*plen\fR. The caller must free the storage pointed to by \fI*pdata\fR. .PP diff --git a/secure/lib/libcrypto/man/man3/PEM_read.3 b/secure/lib/libcrypto/man/man3/PEM_read.3 index 919374867547..bde281b14b3d 100644 --- a/secure/lib/libcrypto/man/man3/PEM_read.3 +++ b/secure/lib/libcrypto/man/man3/PEM_read.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PEM_READ 3ossl" -.TH PEM_READ 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PEM_READ 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -97,7 +100,7 @@ PEM_write_bio, PEM_ASN1_write, PEM_ASN1_write_bio, PEM_ASN1_write_bio_ctx .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -These functions read and write PEM-encoded objects, using the PEM +These functions read and write PEM\-encoded objects, using the PEM type \fBname\fR, any additional \fBheader\fR information, and the raw \&\fBdata\fR of length \fBlen\fR. .PP @@ -126,7 +129,7 @@ for examples. .PP \&\fBPEM_read()\fR reads from the file \fBfp\fR, while \fBPEM_read_bio()\fR reads from the BIO \fBbp\fR. -Both skip any non-PEM data that precedes the start of the next PEM object. +Both skip any non\-PEM data that precedes the start of the next PEM object. When an object is successfully retrieved, the type name from the "\-\-\-\-BEGIN <type>\-\-\-\-\-" is returned via the \fBname\fR argument, any encapsulation headers are returned in \fBheader\fR and the base64\-decoded content and its length are 
@@ -175,7 +178,7 @@ The \fBdata\fR is likely meaningless if these functions fail. The \fBPEM_get_EVP_CIPHER_INFO()\fR and \fBPEM_do_header()\fR functions are deprecated. This is because the underlying PEM encryption format is obsolete, and should be avoided. -It uses an encryption format with an OpenSSL-specific key-derivation function, +It uses an encryption format with an OpenSSL\-specific key\-derivation function, which employs MD5 with an iteration count of 1! Instead, private keys should be stored in PKCS#8 form, with a strong PKCS#5 v2.0 PBE. @@ -189,7 +192,7 @@ It will simply be treated as a byte sequence. counting the PEM header and end marker) written on success or 0 on failure. .PP \&\fBPEM_ASN1_write_bio()\fR, and \fBPEM_ASN1_write_bio_ctx()\fR return 1 on success and 0 on -failure. The latter function passes an additional application-provided context +failure. The latter function passes an additional application\-provided context value to the \fBi2d\fR function that serialises the input ASN.1 object. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/PEM_read_CMS.3 b/secure/lib/libcrypto/man/man3/PEM_read_CMS.3 index a13ceb8de7ea..f16f624d6e24 100644 --- a/secure/lib/libcrypto/man/man3/PEM_read_CMS.3 +++ b/secure/lib/libcrypto/man/man3/PEM_read_CMS.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PEM_READ_CMS 3ossl" -.TH PEM_READ_CMS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PEM_READ_CMS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -154,10 +157,10 @@ the next four lines of the synopsis. .PP These routines convert between local instances of ASN1 datatypes and the PEM encoding. For more information on the templates, see -\&\fBASN1_ITEM\fR\|(3). For more information on the lower-level routines used +\&\fBASN1_ITEM\fR\|(3). For more information on the lower\-level routines used by the functions here, see \fBPEM_read\fR\|(3). .PP -\&\fBPEM_read_\fR\f(BITYPE\fR() reads a PEM-encoded object of \fB\fR\f(BITYPE\fR\fB\fR from the file +\&\fBPEM_read_\fR\f(BITYPE\fR() reads a PEM\-encoded object of \fB\fR\f(BITYPE\fR\fB\fR from the file \&\fIfp\fR and returns it. The \fIcb\fR and \fIu\fR parameters are as described in \&\fBpem_password_cb\fR\|(3). .PP diff --git a/secure/lib/libcrypto/man/man3/PEM_read_bio_PrivateKey.3 b/secure/lib/libcrypto/man/man3/PEM_read_bio_PrivateKey.3 index 26322737087e..3af869637300 100644 --- a/secure/lib/libcrypto/man/man3/PEM_read_bio_PrivateKey.3 +++ b/secure/lib/libcrypto/man/man3/PEM_read_bio_PrivateKey.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PEM_READ_BIO_PRIVATEKEY 3ossl" -.TH PEM_READ_BIO_PRIVATEKEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PEM_READ_BIO_PRIVATEKEY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -341,12 +344,12 @@ key is not DSA. .PP The \fBParameters\fR functions read or write key parameters in PEM format using an EVP_PKEY structure. The encoding depends on the type of key; for DSA key -parameters, it will be a Dss-Parms structure as defined in RFC2459, and for DH +parameters, it will be a Dss\-Parms structure as defined in RFC2459, and for DH key parameters, it will be a PKCS#3 DHparameter structure. \fIThese functions only exist for the \fR\f(BIBIO\fR\fI type\fR. .PP The \fBDSAparams\fR functions process DSA parameters using a DSA -structure. The parameters are encoded using a Dss-Parms structure +structure. The parameters are encoded using a Dss\-Parms structure as defined in RFC2459. .PP The \fBDHparams\fR functions process DH parameters using a DH 
@@ -485,17 +488,17 @@ The private key (or other data) takes the following form: \& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\- .Ve .PP -The line beginning with \fIProc-Type\fR contains the version and the -protection on the encapsulated data. The line beginning \fIDEK-Info\fR +The line beginning with \fIProc\-Type\fR contains the version and the +protection on the encapsulated data. The line beginning \fIDEK\-Info\fR contains two comma separated values: the encryption algorithm name as used by \fBEVP_get_cipherbyname()\fR and an initialization vector used by the cipher encoded as a set of hexadecimal digits. After those two lines is the base64\-encoded encrypted data. .PP -The encryption key is derived using \fBEVP_BytesToKey()\fR. The cipher's +The encryption key is derived using \fBEVP_BytesToKey()\fR. The cipher\*(Aqs initialization vector is passed to \fBEVP_BytesToKey()\fR as the \fIsalt\fR parameter. Internally, \fBPKCS5_SALT_LEN\fR bytes of the salt are used -(regardless of the size of the initialization vector). The user's +(regardless of the size of the initialization vector). The user\*(Aqs password is passed to \fBEVP_BytesToKey()\fR using the \fIdata\fR and \fIdatal\fR parameters. Finally, the library uses an iteration count of 1 for \&\fBEVP_BytesToKey()\fR. diff --git a/secure/lib/libcrypto/man/man3/PEM_read_bio_ex.3 b/secure/lib/libcrypto/man/man3/PEM_read_bio_ex.3 index 51c13d5b7a7d..b5dcdeed878f 100644 --- a/secure/lib/libcrypto/man/man3/PEM_read_bio_ex.3 +++ b/secure/lib/libcrypto/man/man3/PEM_read_bio_ex.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PEM_READ_BIO_EX 3ossl" -.TH PEM_READ_BIO_EX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PEM_READ_BIO_EX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PEM_write_bio_CMS_stream.3 b/secure/lib/libcrypto/man/man3/PEM_write_bio_CMS_stream.3 index a02b0060c261..739306a3b946 100644 --- a/secure/lib/libcrypto/man/man3/PEM_write_bio_CMS_stream.3 +++ b/secure/lib/libcrypto/man/man3/PEM_write_bio_CMS_stream.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PEM_WRITE_BIO_CMS_STREAM 3ossl" -.TH PEM_WRITE_BIO_CMS_STREAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PEM_WRITE_BIO_CMS_STREAM 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PEM_write_bio_PKCS7_stream.3 b/secure/lib/libcrypto/man/man3/PEM_write_bio_PKCS7_stream.3 index 26d3fe555291..77faff57240f 100644 --- a/secure/lib/libcrypto/man/man3/PEM_write_bio_PKCS7_stream.3 +++ b/secure/lib/libcrypto/man/man3/PEM_write_bio_PKCS7_stream.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PEM_WRITE_BIO_PKCS7_STREAM 3ossl" -.TH PEM_WRITE_BIO_PKCS7_STREAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PEM_WRITE_BIO_PKCS7_STREAM 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_PBE_keyivgen.3 b/secure/lib/libcrypto/man/man3/PKCS12_PBE_keyivgen.3 index 22993bc35667..dfaf319e4268 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_PBE_keyivgen.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_PBE_keyivgen.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_PBE_KEYIVGEN 3ossl" -.TH PKCS12_PBE_KEYIVGEN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_PBE_KEYIVGEN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -101,7 +104,7 @@ implementations. .PP \&\fBPKCS12_pbe_crypt()\fR and \fBPKCS12_pbe_crypt_ex()\fR will encrypt or decrypt a buffer based on the algorithm in \fIalgor\fR and password \fIpass\fR of length \fIpasslen\fR. -The input is from \fIin\fR of length \fIinlen\fR and output is into a malloc'd buffer +The input is from \fIin\fR of length \fIinlen\fR and output is into a malloc\*(Aqd buffer returned in \fI*data\fR of length \fIdatalen\fR. The operation is determined by \fIen_de\fR, encryption (\fIen_de\fR=1) or decryption (\fIen_de\fR=0). .PP diff --git a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_create_cert.3 b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_create_cert.3 index 2d857ac16859..afb0d92e8124 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_create_cert.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_create_cert.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_SAFEBAG_CREATE_CERT 3ossl" -.TH PKCS12_SAFEBAG_CREATE_CERT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_SAFEBAG_CREATE_CERT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get0_attrs.3 b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get0_attrs.3 index efb40039e2bc..12f5b177fd87 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get0_attrs.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get0_attrs.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_SAFEBAG_GET0_ATTRS 3ossl" -.TH PKCS12_SAFEBAG_GET0_ATTRS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_SAFEBAG_GET0_ATTRS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get1_cert.3 b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get1_cert.3 index a1e43b652459..9edabf8ce2ce 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get1_cert.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get1_cert.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_SAFEBAG_GET1_CERT 3ossl" -.TH PKCS12_SAFEBAG_GET1_CERT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_SAFEBAG_GET1_CERT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_set0_attrs.3 b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_set0_attrs.3 index 2b45b73e4ce7..5f6fe0c8b832 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_set0_attrs.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_set0_attrs.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_SAFEBAG_SET0_ATTRS 3ossl" -.TH PKCS12_SAFEBAG_SET0_ATTRS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_SAFEBAG_SET0_ATTRS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_add1_attr_by_NID.3 b/secure/lib/libcrypto/man/man3/PKCS12_add1_attr_by_NID.3 index 78ce077c4eee..24e01086569f 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_add1_attr_by_NID.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_add1_attr_by_NID.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_ADD1_ATTR_BY_NID 3ossl" -.TH PKCS12_ADD1_ATTR_BY_NID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_ADD1_ATTR_BY_NID 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_add_CSPName_asc.3 b/secure/lib/libcrypto/man/man3/PKCS12_add_CSPName_asc.3 index efcd89b61583..44ede1effa2c 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_add_CSPName_asc.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_add_CSPName_asc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_ADD_CSPNAME_ASC 3ossl" -.TH PKCS12_ADD_CSPNAME_ASC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_ADD_CSPNAME_ASC 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_add_cert.3 b/secure/lib/libcrypto/man/man3/PKCS12_add_cert.3 index 5134656d422f..dcbcec0361b6 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_add_cert.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_add_cert.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_ADD_CERT 3ossl" -.TH PKCS12_ADD_CERT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_ADD_CERT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_add_friendlyname_asc.3 b/secure/lib/libcrypto/man/man3/PKCS12_add_friendlyname_asc.3 index a9688fc8cf3c..c2c0a28c296f 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_add_friendlyname_asc.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_add_friendlyname_asc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_ADD_FRIENDLYNAME_ASC 3ossl" -.TH PKCS12_ADD_FRIENDLYNAME_ASC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_ADD_FRIENDLYNAME_ASC 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_add_localkeyid.3 b/secure/lib/libcrypto/man/man3/PKCS12_add_localkeyid.3 index e60cd1c00d2b..8a1180c208c6 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_add_localkeyid.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_add_localkeyid.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_ADD_LOCALKEYID 3ossl" -.TH PKCS12_ADD_LOCALKEYID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_ADD_LOCALKEYID 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_add_safe.3 b/secure/lib/libcrypto/man/man3/PKCS12_add_safe.3 index 09338c9072ab..4b5a6b1006c7 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_add_safe.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_add_safe.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_ADD_SAFE 3ossl" -.TH PKCS12_ADD_SAFE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_ADD_SAFE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_create.3 b/secure/lib/libcrypto/man/man3/PKCS12_create.3 index f39790ca686f..9c848ef57ad1 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_create.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_create.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_CREATE 3ossl" -.TH PKCS12_CREATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_CREATE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_decrypt_skey.3 b/secure/lib/libcrypto/man/man3/PKCS12_decrypt_skey.3 index aa43199c35cc..5d3bf9a533e8 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_decrypt_skey.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_decrypt_skey.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_DECRYPT_SKEY 3ossl" -.TH PKCS12_DECRYPT_SKEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_DECRYPT_SKEY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_gen_mac.3 b/secure/lib/libcrypto/man/man3/PKCS12_gen_mac.3 index 5980ae499e15..d0d037de35ae 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_gen_mac.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_gen_mac.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_GEN_MAC 3ossl" -.TH PKCS12_GEN_MAC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_GEN_MAC 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -94,7 +97,7 @@ Functions to create and manipulate a PKCS#12 MAC structure supplied password along with a set of already configured parameters. The default key generation mechanism used is PKCS12KDF. .PP -\&\fBPKCS12_verify_mac()\fR verifies the PKCS#12 object's HMAC using the supplied +\&\fBPKCS12_verify_mac()\fR verifies the PKCS#12 object\*(Aqs HMAC using the supplied password. .PP \&\fBPKCS12_setup_mac()\fR sets the MAC part of the PKCS#12 structure with the supplied diff --git a/secure/lib/libcrypto/man/man3/PKCS12_get_friendlyname.3 b/secure/lib/libcrypto/man/man3/PKCS12_get_friendlyname.3 index 83ddc5d332cc..e243c7d746a5 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_get_friendlyname.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_get_friendlyname.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_GET_FRIENDLYNAME 3ossl" -.TH PKCS12_GET_FRIENDLYNAME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_GET_FRIENDLYNAME 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_init.3 b/secure/lib/libcrypto/man/man3/PKCS12_init.3 index feb5317862e5..2a10447af537 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_init.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_init.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_INIT 3ossl" -.TH PKCS12_INIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_INIT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_item_decrypt_d2i.3 b/secure/lib/libcrypto/man/man3/PKCS12_item_decrypt_d2i.3 index 54830a9a1dd4..7c60b074c526 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_item_decrypt_d2i.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_item_decrypt_d2i.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_ITEM_DECRYPT_D2I 3ossl" -.TH PKCS12_ITEM_DECRYPT_D2I 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_ITEM_DECRYPT_D2I 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_key_gen_utf8_ex.3 b/secure/lib/libcrypto/man/man3/PKCS12_key_gen_utf8_ex.3 index b736222a6e25..c7d5f20e14a3 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_key_gen_utf8_ex.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_key_gen_utf8_ex.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_KEY_GEN_UTF8_EX 3ossl" -.TH PKCS12_KEY_GEN_UTF8_EX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_KEY_GEN_UTF8_EX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -109,9 +112,9 @@ as an integrity key for MACing. .PP The intended format of the supplied password is determined by the method chosen: .IP \(bu 4 -\&\fBPKCS12_key_gen_asc()\fR and \fBPKCS12_key_gen_asc_ex()\fR expect an ASCII-formatted password. +\&\fBPKCS12_key_gen_asc()\fR and \fBPKCS12_key_gen_asc_ex()\fR expect an ASCII\-formatted password. .IP \(bu 4 -\&\fBPKCS12_key_gen_uni()\fR and \fBPKCS12_key_gen_uni_ex()\fR expect a Unicode-formatted password. +\&\fBPKCS12_key_gen_uni()\fR and \fBPKCS12_key_gen_uni_ex()\fR expect a Unicode\-formatted password. .IP \(bu 4 \&\fBPKCS12_key_gen_utf8()\fR and \fBPKCS12_key_gen_utf8_ex()\fR expect a UTF\-8 encoded password. .PP diff --git a/secure/lib/libcrypto/man/man3/PKCS12_newpass.3 b/secure/lib/libcrypto/man/man3/PKCS12_newpass.3 index 75d53629a744..7776eade4d44 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_newpass.3 
+++ b/secure/lib/libcrypto/man/man3/PKCS12_newpass.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_NEWPASS 3ossl" -.TH PKCS12_NEWPASS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_NEWPASS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_pack_p7encdata.3 b/secure/lib/libcrypto/man/man3/PKCS12_pack_p7encdata.3 index fd59f64b3133..be73c7631592 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_pack_p7encdata.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_pack_p7encdata.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_PACK_P7ENCDATA 3ossl" -.TH PKCS12_PACK_P7ENCDATA 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_PACK_P7ENCDATA 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -78,7 +81,7 @@ into a PKCS#7 encrypted data object .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBPKCS12_pack_p7encdata()\fR generates a PKCS#7 ContentInfo object of encrypted-data +\&\fBPKCS12_pack_p7encdata()\fR generates a PKCS#7 ContentInfo object of encrypted\-data type from the set of safeBags \fIbags\fR. The algorithm ID in \fIpbe_nid\fR can be a PKCS#12 or PKCS#5 password based encryption algorithm, or a cipher algorithm. If a cipher algorithm is passed, the PKCS#5 PBES2 algorithm will be used with diff --git a/secure/lib/libcrypto/man/man3/PKCS12_parse.3 b/secure/lib/libcrypto/man/man3/PKCS12_parse.3 index 3fccb8f1ded8..b1ecf844f4a3 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_parse.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_parse.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_PARSE 3ossl" -.TH PKCS12_PARSE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_PARSE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -82,10 +85,10 @@ certificate to \fB*cert\fR and any additional certificates to \fB*ca\fR. Each of the parameters \fBpkey\fR, \fBcert\fR, and \fBca\fR can be NULL in which case the private key, the corresponding certificate, or the additional certificates, respectively, will be discarded. -If any of \fBpkey\fR and \fBcert\fR is non-NULL the variable it points to is +If any of \fBpkey\fR and \fBcert\fR is non\-NULL the variable it points to is initialized. -If \fBca\fR is non-NULL and \fB*ca\fR is NULL a new STACK will be allocated. -If \fBca\fR is non-NULL and \fB*ca\fR is a valid STACK +If \fBca\fR is non\-NULL and \fB*ca\fR is NULL a new STACK will be allocated. +If \fBca\fR is non\-NULL and \fB*ca\fR is a valid STACK then additional certificates are appended in the given order to \fB*ca\fR. .PP The \fBfriendlyName\fR and \fBlocalKeyID\fR attributes (if present) on each diff --git a/secure/lib/libcrypto/man/man3/PKCS5_PBE_keyivgen.3 b/secure/lib/libcrypto/man/man3/PKCS5_PBE_keyivgen.3 index 367956c8e70e..f98cf0e03b5c 100644 --- a/secure/lib/libcrypto/man/man3/PKCS5_PBE_keyivgen.3 +++ b/secure/lib/libcrypto/man/man3/PKCS5_PBE_keyivgen.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS5_PBE_KEYIVGEN 3ossl" -.TH PKCS5_PBE_KEYIVGEN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS5_PBE_KEYIVGEN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/PKCS5_PBKDF2_HMAC.3 b/secure/lib/libcrypto/man/man3/PKCS5_PBKDF2_HMAC.3 index 1b2748c2f369..c19bed1f5b82 100644 --- a/secure/lib/libcrypto/man/man3/PKCS5_PBKDF2_HMAC.3 +++ b/secure/lib/libcrypto/man/man3/PKCS5_PBKDF2_HMAC.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS5_PBKDF2_HMAC 3ossl" -.TH PKCS5_PBKDF2_HMAC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS5_PBKDF2_HMAC 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS7_decrypt.3 b/secure/lib/libcrypto/man/man3/PKCS7_decrypt.3 index dac9bae2da12..e7903e21488d 100644 --- a/secure/lib/libcrypto/man/man3/PKCS7_decrypt.3 +++ b/secure/lib/libcrypto/man/man3/PKCS7_decrypt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS7_DECRYPT 3ossl" -.TH PKCS7_DECRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS7_DECRYPT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS7_encrypt.3 b/secure/lib/libcrypto/man/man3/PKCS7_encrypt.3 index 5f233187f78b..6c3de80cce75 100644 --- a/secure/lib/libcrypto/man/man3/PKCS7_encrypt.3 +++ b/secure/lib/libcrypto/man/man3/PKCS7_encrypt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS7_ENCRYPT 3ossl" -.TH PKCS7_ENCRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS7_ENCRYPT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS7_get_octet_string.3 b/secure/lib/libcrypto/man/man3/PKCS7_get_octet_string.3 index 90ec58877b88..dd429676cc0b 100644 --- a/secure/lib/libcrypto/man/man3/PKCS7_get_octet_string.3 +++ b/secure/lib/libcrypto/man/man3/PKCS7_get_octet_string.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS7_GET_OCTET_STRING 3ossl" -.TH PKCS7_GET_OCTET_STRING 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS7_GET_OCTET_STRING 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS7_sign.3 b/secure/lib/libcrypto/man/man3/PKCS7_sign.3 index 454876556c70..9f4c887f121b 100644 --- a/secure/lib/libcrypto/man/man3/PKCS7_sign.3 +++ b/secure/lib/libcrypto/man/man3/PKCS7_sign.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS7_SIGN 3ossl" -.TH PKCS7_SIGN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS7_SIGN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -94,10 +97,10 @@ Many S/MIME clients expect the signed content to include valid MIME headers. If the \fBPKCS7_TEXT\fR flag is set MIME headers for type \f(CW\*(C`text/plain\*(C'\fR are prepended to the data. .PP -If \fBPKCS7_NOCERTS\fR is set the signer's certificate and the extra \fIcerts\fR +If \fBPKCS7_NOCERTS\fR is set the signer\*(Aqs certificate and the extra \fIcerts\fR will not be included in the PKCS7 structure. -The signer's certificate must still be supplied in the \fIsigncert\fR parameter -though. This can reduce the size of the signatures if the signer's certificates +The signer\*(Aqs certificate must still be supplied in the \fIsigncert\fR parameter +though. This can reduce the size of the signatures if the signer\*(Aqs certificates can be obtained by other means: for example a previously signed message. .PP The data being signed is included in the PKCS7 structure, unless diff --git a/secure/lib/libcrypto/man/man3/PKCS7_sign_add_signer.3 b/secure/lib/libcrypto/man/man3/PKCS7_sign_add_signer.3 index 9719bca625e3..2f1c4cf8671d 100644 --- a/secure/lib/libcrypto/man/man3/PKCS7_sign_add_signer.3 +++ b/secure/lib/libcrypto/man/man3/PKCS7_sign_add_signer.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS7_SIGN_ADD_SIGNER 3ossl" -.TH PKCS7_SIGN_ADD_SIGNER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS7_SIGN_ADD_SIGNER 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -79,7 +82,7 @@ PKCS7_add_certificate, PKCS7_add_crl \- add information to PKCS7 structure key \fIpkey\fR using message digest \fImd\fR to a PKCS7 signed data structure \fIp7\fR. .PP The \fBPKCS7\fR structure should be obtained from an initial call to \fBPKCS7_sign()\fR -with the flag \fBPKCS7_PARTIAL\fR set or in the case or re-signing a valid PKCS#7 +with the flag \fBPKCS7_PARTIAL\fR set or in the case or re\-signing a valid PKCS#7 signed data structure. .PP If the \fImd\fR parameter is NULL then the default digest for the public @@ -108,8 +111,8 @@ If \fBPKCS7_PARTIAL\fR is set in addition to \fBPKCS7_REUSE_DIGEST\fR then the can be added. In this case an explicit call to \fBPKCS7_SIGNER_INFO_sign()\fR is needed to finalize it. .PP -If \fBPKCS7_NOCERTS\fR is set the signer's certificate will not be included in the -\&\fBPKCS7\fR structure, the signer's certificate must still be supplied in the +If \fBPKCS7_NOCERTS\fR is set the signer\*(Aqs certificate will not be included in the +\&\fBPKCS7\fR structure, the signer\*(Aqs certificate must still be supplied in the \&\fIsigncert\fR parameter though. This can reduce the size of the signature if the signers certificate can be obtained by other means: for example a previously signed message. @@ -129,7 +132,7 @@ structure just added, which can be used to set additional attributes before it is finalized. .PP \&\fBPKCS7_add_certificate()\fR adds to the \fBPKCS7\fR structure \fIp7\fR the certificate -\&\fIcert\fR, which may be an end-entity (signer) certificate +\&\fIcert\fR, which may be an end\-entity (signer) certificate or a CA certificate useful for chain building. This is done internally by \fBPKCS7_sign_ex\fR\|(3) and similar signing functions. It may have to be used before calling \fBPKCS7_verify\fR\|(3) diff --git a/secure/lib/libcrypto/man/man3/PKCS7_type_is_other.3 b/secure/lib/libcrypto/man/man3/PKCS7_type_is_other.3 index fe4aac62564a..70cdb50590c0 100644 
--- a/secure/lib/libcrypto/man/man3/PKCS7_type_is_other.3 +++ b/secure/lib/libcrypto/man/man3/PKCS7_type_is_other.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS7_TYPE_IS_OTHER 3ossl" -.TH PKCS7_TYPE_IS_OTHER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS7_TYPE_IS_OTHER 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS7_verify.3 b/secure/lib/libcrypto/man/man3/PKCS7_verify.3 index 2da0b2ff911e..9884dc266a77 100644 --- a/secure/lib/libcrypto/man/man3/PKCS7_verify.3 +++ b/secure/lib/libcrypto/man/man3/PKCS7_verify.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS7_VERIFY 3ossl" -.TH PKCS7_VERIFY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS7_VERIFY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -77,7 +80,7 @@ PKCS7_verify, PKCS7_get0_signers \- verify a PKCS#7 signedData structure \&\fBPKCS7_verify()\fR is very similar to \fBCMS_verify\fR\|(3). It verifies a PKCS#7 signedData structure given in \fIp7\fR. The optional \fIcerts\fR parameter refers to a set of certificates -in which to search for signer's certificates. +in which to search for signer\*(Aqs certificates. It is also used as a source of untrusted intermediate CA certificates for chain building. \&\fIp7\fR may contain extra untrusted CA certificates that may be used for @@ -89,7 +92,7 @@ Otherwise \fIindata\fR should be NULL, and then the signed data must be in \fIp7 The content is written to the BIO \fIout\fR unless it is NULL. \&\fIflags\fR is an optional set of flags, which can be used to modify the operation. .PP -\&\fBPKCS7_get0_signers()\fR retrieves the signer's certificates from \fIp7\fR, it does +\&\fBPKCS7_get0_signers()\fR retrieves the signer\*(Aqs certificates from \fIp7\fR, it does \&\fBnot\fR check their validity or whether any signatures are valid. The \fIcerts\fR and \fIflags\fR parameters have the same meanings as in \fBPKCS7_verify()\fR. .SH "VERIFY PROCESS" 
@@ -105,12 +108,12 @@ embedded and external content. To treat this as an error, use the flag The default behavior allows this, for compatibility with older versions of OpenSSL. .PP -An attempt is made to locate all the signer's certificates, first looking in +An attempt is made to locate all the signer\*(Aqs certificates, first looking in the \fIcerts\fR parameter (if it is not NULL). Then they are looked up in any certificates contained in the \fIp7\fR structure unless \fBPKCS7_NOINTERN\fR is set. -If any signer's certificates cannot be located the operation fails. +If any signer\*(Aqs certificates cannot be located the operation fails. .PP -Each signer's certificate is chain verified using the \fBsmimesign\fR purpose and +Each signer\*(Aqs certificate is chain verified using the \fBsmimesign\fR purpose and using the trusted certificate store \fIstore\fR if supplied. Any internal certificates in the message, which may have been added using \&\fBPKCS7_add_certificate\fR\|(3), are used as untrusted CAs unless \fBPKCS7_NOCHAIN\fR @@ -130,8 +133,8 @@ parameter to change the default verify behaviour. Only the flag \fBPKCS7_NOINTERN\fR is meaningful to \fBPKCS7_get0_signers()\fR. .PP If \fBPKCS7_NOINTERN\fR is set the certificates in the message itself are not -searched when locating the signer's certificates. -This means that all the signer's certificates must be in the \fIcerts\fR parameter. +searched when locating the signer\*(Aqs certificates. +This means that all the signer\*(Aqs certificates must be in the \fIcerts\fR parameter. .PP If \fBPKCS7_NOCRL\fR is set and CRL checking is enabled in \fIstore\fR then any CRLs in the message itself are ignored. 
@@ -140,18 +143,18 @@ If the \fBPKCS7_TEXT\fR flag is set MIME headers for type \f(CW\*(C`text/plain\* from the content. If the content is not of type \f(CW\*(C`text/plain\*(C'\fR then an error is returned. .PP -If \fBPKCS7_NOVERIFY\fR is set the signer's certificates are not chain verified. +If \fBPKCS7_NOVERIFY\fR is set the signer\*(Aqs certificates are not chain verified. .PP If \fBPKCS7_NOCHAIN\fR is set then the certificates contained in the message are not used as untrusted CAs. This means that the whole verify chain (apart from -the signer's certificates) must be contained in the trusted store. +the signer\*(Aqs certificates) must be contained in the trusted store. .PP If \fBPKCS7_NOSIGS\fR is set then the signatures on the data are not checked. .SH NOTES .IX Header "NOTES" One application of \fBPKCS7_NOINTERN\fR is to only accept messages signed by a small number of certificates. The acceptable certificates would be passed -in the \fIcerts\fR parameter. In this case if the signer's certificate is not one +in the \fIcerts\fR parameter. In this case if the signer\*(Aqs certificate is not one of the certificates supplied in \fIcerts\fR then the verify will fail because the signer cannot be found. .PP @@ -174,7 +177,7 @@ timestamp). The error can be obtained from \fBERR_get_error\fR\|(3). .SH BUGS .IX Header "BUGS" -The trusted certificate store is not searched for the signer's certificates. +The trusted certificate store is not searched for the signer\*(Aqs certificates. This is primarily due to the inadequacies of the current \fBX509_STORE\fR functionality. .PP diff --git a/secure/lib/libcrypto/man/man3/PKCS8_encrypt.3 b/secure/lib/libcrypto/man/man3/PKCS8_encrypt.3 index a1d92f6286f4..00e56f3bfd20 100644 --- a/secure/lib/libcrypto/man/man3/PKCS8_encrypt.3 +++ b/secure/lib/libcrypto/man/man3/PKCS8_encrypt.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS8_ENCRYPT 3ossl" -.TH PKCS8_ENCRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS8_ENCRYPT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS8_pkey_add1_attr.3 b/secure/lib/libcrypto/man/man3/PKCS8_pkey_add1_attr.3 index b48d41bf9d79..1cc439fbdd5c 100644 --- a/secure/lib/libcrypto/man/man3/PKCS8_pkey_add1_attr.3 +++ b/secure/lib/libcrypto/man/man3/PKCS8_pkey_add1_attr.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS8_PKEY_ADD1_ATTR 3ossl" -.TH PKCS8_PKEY_ADD1_ATTR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS8_PKEY_ADD1_ATTR 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/RAND_add.3 b/secure/lib/libcrypto/man/man3/RAND_add.3 index 2dca430c4210..d99b33c0b0af 100644 
--- a/secure/lib/libcrypto/man/man3/RAND_add.3 +++ b/secure/lib/libcrypto/man/man3/RAND_add.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RAND_ADD 3ossl" -.TH RAND_ADD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RAND_ADD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -99,7 +102,7 @@ built with automatic reseeding disabled, see \fBRAND\fR\|(7) for more details. \&\fBRAND_status()\fR indicates whether or not the random generator has been sufficiently seeded. If not, functions such as \fBRAND_bytes\fR\|(3) will fail. .PP -\&\fBRAND_poll()\fR uses the system's capabilities to seed the random generator using +\&\fBRAND_poll()\fR uses the system\*(Aqs capabilities to seed the random generator using random input obtained from polling various trusted entropy sources. The default choice of the entropy source can be modified at build time, see \fBRAND\fR\|(7) for more details. diff --git a/secure/lib/libcrypto/man/man3/RAND_bytes.3 b/secure/lib/libcrypto/man/man3/RAND_bytes.3 index ae8cbf4df547..4ac33c8ebe6e 100644 --- a/secure/lib/libcrypto/man/man3/RAND_bytes.3 +++ b/secure/lib/libcrypto/man/man3/RAND_bytes.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RAND_BYTES 3ossl" -.TH RAND_BYTES 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RAND_BYTES 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -111,16 +114,16 @@ ignored. .PP \&\fBRAND_set1_random_provider()\fR specifies a provider, \fIprov\fR, which will be used by the library context \fIctx\fR for all of the generate calls above instead -of the built-in in DRBGs and entropy source. Pass NULL for the provider -to disable the random provider functionality. In this case, the built-in DRBGs +of the built\-in in DRBGs and entropy source. Pass NULL for the provider +to disable the random provider functionality. In this case, the built\-in DRBGs and entropy source will be used. This call should not be considered thread safe. .SH NOTES .IX Header "NOTES" By default, the OpenSSL CSPRNG supports a security level of 256 bits, provided it was able to seed itself from a trusted entropy source. -On all major platforms supported by OpenSSL (including the Unix-like platforms +On all major platforms supported by OpenSSL (including the Unix\-like platforms and Windows), OpenSSL is configured to automatically seed the CSPRNG on first use -using the operating systems's random generator. +using the operating systems\*(Aqs random generator. .PP If the entropy source fails or is not available, the CSPRNG will enter an error state and refuse to generate random bytes. For that reason, it is important 
@@ -129,8 +132,8 @@ not take randomness for granted. .PP On other platforms, there might not be a trusted entropy source available or OpenSSL might have been explicitly configured to use different entropy sources. -If you are in doubt about the quality of the entropy source, don't hesitate to ask -your operating system vendor or post a question on GitHub or the openssl-users +If you are in doubt about the quality of the entropy source, don\*(Aqt hesitate to ask +your operating system vendor or post a question on GitHub or the openssl\-users mailing list. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/RAND_cleanup.3 b/secure/lib/libcrypto/man/man3/RAND_cleanup.3 index b2e4f11f90df..7958dce2a582 100644 --- a/secure/lib/libcrypto/man/man3/RAND_cleanup.3 +++ b/secure/lib/libcrypto/man/man3/RAND_cleanup.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RAND_CLEANUP 3ossl" -.TH RAND_CLEANUP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RAND_CLEANUP 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -79,7 +82,7 @@ see \fBopenssl_user_macros\fR\|(7): .IX Header "DESCRIPTION" Prior to OpenSSL 1.1.0, \fBRAND_cleanup()\fR released all resources used by the PRNG. As of version 1.1.0, it does nothing and should not be called, -since no explicit initialisation or de-initialisation is necessary. See +since no explicit initialisation or de\-initialisation is necessary. See \&\fBOPENSSL_init_crypto\fR\|(3). .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/RAND_egd.3 b/secure/lib/libcrypto/man/man3/RAND_egd.3 index 682d9717b03a..05f9efc19a59 100644 --- a/secure/lib/libcrypto/man/man3/RAND_egd.3 +++ b/secure/lib/libcrypto/man/man3/RAND_egd.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RAND_EGD 3ossl" -.TH RAND_EGD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RAND_EGD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/RAND_get0_primary.3 b/secure/lib/libcrypto/man/man3/RAND_get0_primary.3 index 6a7ef66bfa94..b7685d6313cf 100644 --- a/secure/lib/libcrypto/man/man3/RAND_get0_primary.3 +++ b/secure/lib/libcrypto/man/man3/RAND_get0_primary.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RAND_GET0_PRIMARY 3ossl" -.TH RAND_GET0_PRIMARY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RAND_GET0_PRIMARY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -83,7 +86,7 @@ RAND_set0_private The default RAND API implementation (\fBRAND_OpenSSL()\fR) utilizes three shared DRBG instances which are accessed via the RAND API: .PP -The \fIpublic\fR and \fIprivate\fR DRBG are thread-local instances, which are used +The \fIpublic\fR and \fIprivate\fR DRBG are thread\-local instances, which are used by \fBRAND_bytes()\fR and \fBRAND_priv_bytes()\fR, respectively. The \fIprimary\fR DRBG is a global instance, which is not intended to be used directly, but is used internally to reseed the other two instances. @@ -107,9 +110,9 @@ for the given OSSL_LIB_CTX \fBctx\fR. on error. .SH NOTES .IX Header "NOTES" -It is not thread-safe to access the \fIprimary\fR DRBG instance. +It is not thread\-safe to access the \fIprimary\fR DRBG instance. The \fIpublic\fR and \fIprivate\fR DRBG instance can be accessed safely, because -they are thread-local. Note however, that changes to these two instances +they are thread\-local. Note however, that changes to these two instances apply only to the current thread. .PP For that reason it is recommended not to change the settings of these diff --git a/secure/lib/libcrypto/man/man3/RAND_load_file.3 b/secure/lib/libcrypto/man/man3/RAND_load_file.3 index 446ff7e2e78a..4e64bf9642ad 100644 --- a/secure/lib/libcrypto/man/man3/RAND_load_file.3 +++ b/secure/lib/libcrypto/man/man3/RAND_load_file.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RAND_LOAD_FILE 3ossl" -.TH RAND_LOAD_FILE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RAND_LOAD_FILE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -82,13 +85,13 @@ if \fBmax_bytes\fR is \-1, the complete file is read (unless the file is not a regular file, in that case a fixed number of bytes, 256 in the current implementation, is attempted to be read). \&\fBRAND_load_file()\fR can read less than the complete file or the requested number -of bytes if it doesn't fit in the return value type. +of bytes if it doesn\*(Aqt fit in the return value type. Do not load the same file multiple times unless its contents have been updated by \fBRAND_write_file()\fR between reads. Also, note that \fBfilename\fR should be adequately protected so that an attacker cannot replace or examine the contents. If \fBfilename\fR is not a regular file, then user is considered to be -responsible for any side effects, e.g. non-anticipated blocking or +responsible for any side effects, e.g. non\-anticipated blocking or capture of controlling terminal. .PP \&\fBRAND_write_file()\fR writes a number of random bytes (currently 128) to 
@@ -118,7 +121,7 @@ Otherwise, the file is called \f(CW\*(C`.rnd\*(C'\fR, found in platform dependen \& $HOME .Ve .PP -If \f(CW$HOME\fR (on non-Windows and non-VMS system) is not set either, or +If \f(CW$HOME\fR (on non\-Windows and non\-VMS system) is not set either, or \&\fBnum\fR is too small for the pathname, an error occurs. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/RAND_set_DRBG_type.3 b/secure/lib/libcrypto/man/man3/RAND_set_DRBG_type.3 index 21bed1aa4f8c..d5d22c71ff20 100644 --- a/secure/lib/libcrypto/man/man3/RAND_set_DRBG_type.3 +++ b/secure/lib/libcrypto/man/man3/RAND_set_DRBG_type.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RAND_SET_DRBG_TYPE 3ossl" -.TH RAND_SET_DRBG_TYPE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RAND_SET_DRBG_TYPE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -96,11 +99,11 @@ These functions must be called before the random bit generators are first created in the library context. They will return an error if the call is made too late. .PP -The default DRBG is "CTR-DRBG" using the "AES\-256\-CTR" cipher. +The default DRBG is "CTR\-DRBG" using the "AES\-256\-CTR" cipher. .PP The default seed source can be configured when OpenSSL is compiled by setting \fB\-DOPENSSL_DEFAULT_SEED_SRC=SEED\-SRC\fR. If not set then -"SEED-SRC" is used. +"SEED\-SRC" is used. .SH EXAMPLES .IX Header "EXAMPLES" .Vb 3 
diff --git a/secure/lib/libcrypto/man/man3/RAND_set_rand_method.3 b/secure/lib/libcrypto/man/man3/RAND_set_rand_method.3 index 24d11fc53d67..3254a8d2681a 100644 --- a/secure/lib/libcrypto/man/man3/RAND_set_rand_method.3 +++ b/secure/lib/libcrypto/man/man3/RAND_set_rand_method.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RAND_SET_RAND_METHOD 3ossl" -.TH RAND_SET_RAND_METHOD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RAND_SET_RAND_METHOD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/RC4_set_key.3 b/secure/lib/libcrypto/man/man3/RC4_set_key.3 index 4331e940b846..520da668465f 100644 --- a/secure/lib/libcrypto/man/man3/RC4_set_key.3 +++ b/secure/lib/libcrypto/man/man3/RC4_set_key.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RC4_SET_KEY 3ossl" -.TH RC4_SET_KEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RC4_SET_KEY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -102,7 +105,7 @@ key at \fBdata\fR. \&\fBkey\fR and places the result at \fBoutdata\fR. Repeated \fBRC4()\fR calls with the same \fBkey\fR yield a continuous key stream. .PP -Since RC4 is a stream cipher (the input is XORed with a pseudo-random +Since RC4 is a stream cipher (the input is XORed with a pseudo\-random key stream to produce the output), decryption uses the same function calls as encryption. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/RIPEMD160_Init.3 b/secure/lib/libcrypto/man/man3/RIPEMD160_Init.3 index f0bae2a8cd33..c60450c38470 100644 --- a/secure/lib/libcrypto/man/man3/RIPEMD160_Init.3 +++ b/secure/lib/libcrypto/man/man3/RIPEMD160_Init.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RIPEMD160_INIT 3ossl" -.TH RIPEMD160_INIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RIPEMD160_INIT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -119,7 +122,7 @@ Applications should use the higher level functions functions directly. .SH "CONFORMING TO" .IX Header "CONFORMING TO" -ISO/IEC 10118\-3:2016 Dedicated Hash-Function 1 (RIPEMD\-160). +ISO/IEC 10118\-3:2016 Dedicated Hash\-Function 1 (RIPEMD\-160). .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_DigestInit\fR\|(3) diff --git a/secure/lib/libcrypto/man/man3/RSA_blinding_on.3 b/secure/lib/libcrypto/man/man3/RSA_blinding_on.3 index b2be8d1a57d4..c2db54ddb1c7 100644 --- a/secure/lib/libcrypto/man/man3/RSA_blinding_on.3 +++ b/secure/lib/libcrypto/man/man3/RSA_blinding_on.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_BLINDING_ON 3ossl" -.TH RSA_BLINDING_ON 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_BLINDING_ON 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/RSA_check_key.3 b/secure/lib/libcrypto/man/man3/RSA_check_key.3 index 2afc27ac9d9d..f5dec22db1eb 100644 --- a/secure/lib/libcrypto/man/man3/RSA_check_key.3 +++ b/secure/lib/libcrypto/man/man3/RSA_check_key.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_CHECK_KEY 3ossl" -.TH RSA_CHECK_KEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_CHECK_KEY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -118,13 +121,13 @@ override the way key data is stored and handled, and can even provide support for HSM keys \- in which case the RSA structure may contain \fBno\fR key data at all! If the ENGINE in question is only being used for acceleration or analysis purposes, then in all likelihood the RSA key data -is complete and untouched, but this can't be assumed in the general case. +is complete and untouched, but this can\*(Aqt be assumed in the general case. .SH BUGS .IX Header "BUGS" A method of verifying the RSA key using opaque RSA API functions might need to be considered. Right now \fBRSA_check_key()\fR simply uses the RSA structure elements directly, bypassing the RSA_METHOD table altogether (and -completely violating encapsulation and object-orientation in the process). +completely violating encapsulation and object\-orientation in the process). The best fix will probably be to introduce a "\fBcheck_key()\fR" handler to the RSA_METHOD function table so that alternative implementations can also provide their own verifiers. diff --git a/secure/lib/libcrypto/man/man3/RSA_generate_key.3 b/secure/lib/libcrypto/man/man3/RSA_generate_key.3 index 033332f05b6d..b849d3aa647a 100644 --- a/secure/lib/libcrypto/man/man3/RSA_generate_key.3 +++ b/secure/lib/libcrypto/man/man3/RSA_generate_key.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_GENERATE_KEY 3ossl" -.TH RSA_GENERATE_KEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_GENERATE_KEY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -100,7 +103,7 @@ Applications should instead use \fBEVP_RSA_gen()\fR, \fBEVP_PKEY_Q_keygen\fR\|(3 \&\fBRSA_generate_key_ex()\fR generates a 2\-prime RSA key pair and stores it in the \&\fBRSA\fR structure provided in \fIrsa\fR. .PP -\&\fBRSA_generate_multi_prime_key()\fR generates a multi-prime RSA key pair and stores +\&\fBRSA_generate_multi_prime_key()\fR generates a multi\-prime RSA key pair and stores it in the \fBRSA\fR structure provided in \fIrsa\fR. The number of primes is given by the \fIprimes\fR parameter. If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to @@ -126,8 +129,8 @@ will be called as follows using the \fBBN_GENCB_call()\fR function described on the \fBBN_generate_prime\fR\|(3) page. .PP \&\fBRSA_generate_key()\fR is similar to \fBRSA_generate_key_ex()\fR but -expects an old-style callback function; see -\&\fBBN_generate_prime\fR\|(3) for information on the old-style callback. +expects an old\-style callback function; see +\&\fBBN_generate_prime\fR\|(3) for information on the old\-style callback. .IP \(bu 2 While a random prime number is generated, it is called as described in \fBBN_generate_prime\fR\|(3). 
diff --git a/secure/lib/libcrypto/man/man3/RSA_get0_key.3 b/secure/lib/libcrypto/man/man3/RSA_get0_key.3 index 1a311fd169aa..92bb168f5982 100644 --- a/secure/lib/libcrypto/man/man3/RSA_get0_key.3 +++ b/secure/lib/libcrypto/man/man3/RSA_get0_key.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_GET0_KEY 3ossl" -.TH RSA_GET0_KEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_GET0_KEY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -126,8 +129,8 @@ private key (see PKCS#1 section 3 Key Types), where \fBp\fR and \fBq\fR are the first and second factor of \fBn\fR and \fBdmp1\fR, \fBdmq1\fR and \fBiqmp\fR are the exponents and coefficient for CRT calculations. .PP -For multi-prime RSA (defined in RFC 8017), there are also one or more -\&'triplet' in an RSA object. A triplet contains three members, \fBr\fR, \fBd\fR +For multi\-prime RSA (defined in RFC 8017), there are also one or more +\&\*(Aqtriplet\*(Aq in an RSA object. A triplet contains three members, \fBr\fR, \fBd\fR and \fBt\fR. \fBr\fR is the additional prime besides \fBp\fR and \fBq\fR. \fBd\fR and \&\fBt\fR are the exponent and coefficient for CRT calculations. .PP 
@@ -140,7 +143,7 @@ by the caller. .PP The \fBn\fR, \fBe\fR and \fBd\fR parameter values can be set by calling \&\fBRSA_set0_key()\fR and passing the new values for \fBn\fR, \fBe\fR and \fBd\fR as -parameters to the function. The values \fBn\fR and \fBe\fR must be non-NULL +parameters to the function. The values \fBn\fR and \fBe\fR must be non\-NULL the first time this function is called on a given RSA object. The value \fBd\fR may be NULL. On subsequent calls any of these values may be NULL which means the corresponding RSA field is left untouched. @@ -155,12 +158,12 @@ set with \fBRSA_get0_factors()\fR and \fBRSA_set0_factors()\fR, and the \fBdmp1\ .PP For \fBRSA_get0_key()\fR, \fBRSA_get0_factors()\fR, and \fBRSA_get0_crt_params()\fR, NULL value BIGNUM ** output parameters are permitted. The functions -ignore NULL parameters but return values for other, non-NULL, parameters. +ignore NULL parameters but return values for other, non\-NULL, parameters. .PP -For multi-prime RSA, \fBRSA_get0_multi_prime_factors()\fR and \fBRSA_get0_multi_prime_params()\fR +For multi\-prime RSA, \fBRSA_get0_multi_prime_factors()\fR and \fBRSA_get0_multi_prime_params()\fR can be used to obtain other primes and related CRT parameters. The return values are stored in an array of \fBBIGNUM *\fR. \fBRSA_set0_multi_prime_params()\fR -sets a collect of multi-prime 'triplet' members (prime, exponent and coefficient) +sets a collect of multi\-prime \*(Aqtriplet\*(Aq members (prime, exponent and coefficient) into an RSA object. .PP Any of the values \fBn\fR, \fBe\fR, \fBd\fR, \fBp\fR, \fBq\fR, \fBdmp1\fR, \fBdmq1\fR, and \fBiqmp\fR can also be 
@@ -168,7 +171,7 @@ retrieved separately by the corresponding function \&\fBRSA_get0_n()\fR, \fBRSA_get0_e()\fR, \fBRSA_get0_d()\fR, \fBRSA_get0_p()\fR, \fBRSA_get0_q()\fR, \&\fBRSA_get0_dmp1()\fR, \fBRSA_get0_dmq1()\fR, and \fBRSA_get0_iqmp()\fR, respectively. .PP -\&\fBRSA_get0_pss_params()\fR is used to retrieve the RSA-PSS parameters. +\&\fBRSA_get0_pss_params()\fR is used to retrieve the RSA\-PSS parameters. .PP \&\fBRSA_set_flags()\fR sets the flags in the \fBflags\fR parameter on the RSA object. Multiple flags can be passed in one go (bitwise ORed together). @@ -195,7 +198,7 @@ The caller should obtain the size by calling \fBRSA_get_multi_prime_extra_count( in advance and allocate sufficient buffer to store the return values before calling \fBRSA_get0_multi_prime_factors()\fR and \fBRSA_get0_multi_prime_params()\fR. .PP -\&\fBRSA_set0_multi_prime_params()\fR always clears the original multi-prime +\&\fBRSA_set0_multi_prime_params()\fR always clears the original multi\-prime triplets in RSA object \fBr\fR and assign the new set of triplets into it. .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -214,10 +217,10 @@ there is none. .PP \&\fBRSA_get_multi_prime_extra_count()\fR returns two less than the number of primes in use, which is 0 for traditional RSA and the number of extra primes for -multi-prime RSA. +multi\-prime RSA. .PP -\&\fBRSA_get_version()\fR returns \fBRSA_ASN1_VERSION_MULTI\fR for multi-prime RSA and -\&\fBRSA_ASN1_VERSION_DEFAULT\fR for normal two-prime RSA, as defined in RFC 8017. +\&\fBRSA_get_version()\fR returns \fBRSA_ASN1_VERSION_MULTI\fR for multi\-prime RSA and +\&\fBRSA_ASN1_VERSION_DEFAULT\fR for normal two\-prime RSA, as defined in RFC 8017. .PP \&\fBRSA_test_flags()\fR returns the current state of the flags in the RSA object. .PP diff --git a/secure/lib/libcrypto/man/man3/RSA_meth_new.3 b/secure/lib/libcrypto/man/man3/RSA_meth_new.3 index 2a7997622e13..755bcee77305 100644 --- a/secure/lib/libcrypto/man/man3/RSA_meth_new.3 
+++ b/secure/lib/libcrypto/man/man3/RSA_meth_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_METH_NEW 3ossl" -.TH RSA_METH_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_METH_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -223,7 +226,7 @@ these flags. .PP The functions \fBRSA_meth_get0_app_data()\fR and \fBRSA_meth_set0_app_data()\fR provide the ability to associate implementation specific data with the -RSA_METHOD. It is the application's responsibility to free this data +RSA_METHOD. It is the application\*(Aqs responsibility to free this data before the RSA_METHOD is freed via a call to \fBRSA_meth_free()\fR. .PP \&\fBRSA_meth_get_sign()\fR and \fBRSA_meth_set_sign()\fR get and set the function @@ -276,7 +279,7 @@ function will be called in response to the application calling meaning as for \fBRSA_generate_key_ex()\fR. .PP \&\fBRSA_meth_get_multi_prime_keygen()\fR and \fBRSA_meth_set_multi_prime_keygen()\fR get -and set the function used for generating a new multi-prime RSA key pair +and set the function used for generating a new multi\-prime RSA key pair respectively. This function will be called in response to the application calling \&\fBRSA_generate_multi_prime_key()\fR. The parameter for the function has the same meaning as for \fBRSA_generate_multi_prime_key()\fR. 
diff --git a/secure/lib/libcrypto/man/man3/RSA_new.3 b/secure/lib/libcrypto/man/man3/RSA_new.3 index d0d2733e9bef..4a2420ef0c6a 100644 --- a/secure/lib/libcrypto/man/man3/RSA_new.3 +++ b/secure/lib/libcrypto/man/man3/RSA_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_NEW 3ossl" -.TH RSA_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/RSA_padding_add_PKCS1_type_1.3 b/secure/lib/libcrypto/man/man3/RSA_padding_add_PKCS1_type_1.3 index 5247e7766468..042dd37afdb4 100644 --- a/secure/lib/libcrypto/man/man3/RSA_padding_add_PKCS1_type_1.3 +++ b/secure/lib/libcrypto/man/man3/RSA_padding_add_PKCS1_type_1.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_PADDING_ADD_PKCS1_TYPE_1 3ossl" -.TH RSA_PADDING_ADD_PKCS1_TYPE_1 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_PADDING_ADD_PKCS1_TYPE_1 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -142,7 +145,7 @@ PKCS #1 v2.0 EMSA\-PKCS1\-v1_5 (PKCS #1 v1.5 block type 1); used for signatures PKCS #1 v2.0 EME\-PKCS1\-v1_5 (PKCS #1 v1.5 block type 2) .IP PKCS1_OAEP 4 .IX Item "PKCS1_OAEP" -PKCS #1 v2.0 EME-OAEP +PKCS #1 v2.0 EME\-OAEP .IP none 4 .IX Item "none" simply copy the data @@ -182,7 +185,7 @@ plaintext and additionally some application specific consistency checks on the plaintext need to be performed in constant time. If the plaintext is rejected it must be kept secret which of the checks caused the application to reject the message. -Do not remove the zero-padding from the decrypted raw RSA data +Do not remove the zero\-padding from the decrypted raw RSA data which was computed by \fBRSA_private_decrypt()\fR with \fBRSA_NO_PADDING\fR, as this would create a small timing side channel which could be used to mount a Bleichenbacher attack against any padding mode diff --git a/secure/lib/libcrypto/man/man3/RSA_print.3 b/secure/lib/libcrypto/man/man3/RSA_print.3 index c3f59341e835..9e9b08c43b1e 100644 --- a/secure/lib/libcrypto/man/man3/RSA_print.3 +++ b/secure/lib/libcrypto/man/man3/RSA_print.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_PRINT 3ossl" -.TH RSA_PRINT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_PRINT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -108,7 +111,7 @@ All of the functions described on this page are deprecated. Applications should instead use \fBEVP_PKEY_print_params\fR\|(3) and \&\fBEVP_PKEY_print_private\fR\|(3). .PP -A human-readable hexadecimal output of the components of the RSA +A human\-readable hexadecimal output of the components of the RSA key, DSA parameters or key or DH parameters is printed to \fBbp\fR or \fBfp\fR. .PP The output lines are indented by \fBoffset\fR spaces. diff --git a/secure/lib/libcrypto/man/man3/RSA_private_encrypt.3 b/secure/lib/libcrypto/man/man3/RSA_private_encrypt.3 index 554f636eb6a7..c2867714e4e4 100644 --- a/secure/lib/libcrypto/man/man3/RSA_private_encrypt.3 +++ b/secure/lib/libcrypto/man/man3/RSA_private_encrypt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_PRIVATE_ENCRYPT 3ossl" -.TH RSA_PRIVATE_ENCRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_PRIVATE_ENCRYPT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -86,7 +89,7 @@ Applications should instead use \fBEVP_PKEY_sign_init_ex\fR\|(3), \&\fBEVP_PKEY_sign\fR\|(3), \fBEVP_PKEY_verify_recover_init\fR\|(3), and \&\fBEVP_PKEY_verify_recover\fR\|(3). .PP -These functions handle RSA signatures at a low-level. +These functions handle RSA signatures at a low\-level. .PP \&\fBRSA_private_encrypt()\fR signs the \fBflen\fR bytes at \fBfrom\fR (usually a message digest with an algorithm identifier) using the private key @@ -107,7 +110,7 @@ cryptographically sound padding modes in the application code. Signing user data directly with RSA is insecure. .PP \&\fBRSA_public_decrypt()\fR recovers the message digest from the \fBflen\fR -bytes long signature at \fBfrom\fR using the signer's public key +bytes long signature at \fBfrom\fR using the signer\*(Aqs public key \&\fBrsa\fR. \fBto\fR must point to a memory section large enough to hold the message digest (which is smaller than \fBRSA_size(rsa) \- 11\fR). \fBpadding\fR is the padding mode that was used to sign the data. diff --git a/secure/lib/libcrypto/man/man3/RSA_public_encrypt.3 b/secure/lib/libcrypto/man/man3/RSA_public_encrypt.3 index c169831a8841..512664dffa13 100644 --- a/secure/lib/libcrypto/man/man3/RSA_public_encrypt.3 +++ b/secure/lib/libcrypto/man/man3/RSA_public_encrypt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_PUBLIC_ENCRYPT 3ossl" -.TH RSA_PUBLIC_ENCRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_PUBLIC_ENCRYPT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -98,7 +101,7 @@ However, it is highly recommended to use RSA_PKCS1_OAEP_PADDING in new applications. SEE WARNING BELOW. .IP RSA_PKCS1_OAEP_PADDING 4 .IX Item "RSA_PKCS1_OAEP_PADDING" -EME-OAEP as defined in PKCS #1 v2.0 with SHA\-1, MGF1 and an empty +EME\-OAEP as defined in PKCS #1 v2.0 with SHA\-1, MGF1 and an empty encoding parameter. This mode is recommended for all new applications. .IP RSA_NO_PADDING 4 .IX Item "RSA_NO_PADDING" 
@@ -149,12 +152,12 @@ returned value could be used to mount the Bleichenbacher attack. Since version 3.2.0, the default provider in OpenSSL does not return an error when padding checks fail. Instead it generates a random message based on used private -key and provided ciphertext so that application code doesn't have to implement -a side-channel secure error handling. -Applications that want to be secure against side-channel attacks with -providers that don't implement implicit rejection, still need to -handle the returned values using side-channel free code. -Side-channel free handling of the error stack can be performed using +key and provided ciphertext so that application code doesn\*(Aqt have to implement +a side\-channel secure error handling. +Applications that want to be secure against side\-channel attacks with +providers that don\*(Aqt implement implicit rejection, still need to +handle the returned values using side\-channel free code. +Side\-channel free handling of the error stack can be performed using either a pair of unconditional \fBERR_set_mark\fR\|(3) and \fBERR_pop_to_mark\fR\|(3) calls or by using the \fBERR_clear_error\fR\|(3) call. .SH "CONFORMING TO" diff --git a/secure/lib/libcrypto/man/man3/RSA_set_method.3 b/secure/lib/libcrypto/man/man3/RSA_set_method.3 index 5e7844cb54bb..9caad79c0b36 100644 --- a/secure/lib/libcrypto/man/man3/RSA_set_method.3 +++ b/secure/lib/libcrypto/man/man3/RSA_set_method.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_SET_METHOD 3ossl" -.TH RSA_SET_METHOD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_SET_METHOD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -107,7 +110,7 @@ as returned by \fBRSA_PKCS1_OpenSSL()\fR. structures created later. \&\fBNB\fR: This is true only whilst no ENGINE has been set as a default for RSA, so this function is no longer recommended. -This function is not thread-safe and should not be called at the same time +This function is not thread\-safe and should not be called at the same time as other OpenSSL functions. .PP \&\fBRSA_get_default_method()\fR returns a pointer to the current default @@ -120,7 +123,7 @@ recommended. previous method was supplied by an ENGINE, the handle to that ENGINE will be released during the change. It is possible to have RSA keys that only work with certain RSA_METHOD implementations (e.g. from an ENGINE module -that supports embedded hardware-protected keys), and in such cases +that supports embedded hardware\-protected keys), and in such cases attempting to change the RSA_METHOD for the key can have unexpected results. .PP @@ -130,7 +133,7 @@ it is, the return value can only be guaranteed to be valid as long as the RSA key itself is valid and does not have its implementation changed by \&\fBRSA_set_method()\fR. .PP -\&\fBRSA_flags()\fR returns the \fBflags\fR that are set for \fBrsa\fR's current +\&\fBRSA_flags()\fR returns the \fBflags\fR that are set for \fBrsa\fR\*(Aqs current RSA_METHOD. See the BUGS section. .PP \&\fBRSA_new_method()\fR allocates and initializes an RSA structure so that 
@@ -138,7 +141,7 @@ RSA_METHOD. See the BUGS section. default ENGINE for RSA operations is used, and if no default ENGINE is set, the RSA_METHOD controlled by \fBRSA_set_default_method()\fR is used. .PP -\&\fBRSA_flags()\fR returns the \fBflags\fR that are set for \fBrsa\fR's current method. +\&\fBRSA_flags()\fR returns the \fBflags\fR that are set for \fBrsa\fR\*(Aqs current method. .PP \&\fBRSA_new_method()\fR allocates and initializes an \fBRSA\fR structure so that \&\fBmethod\fR will be used for the RSA operations. If \fBmethod\fR is \fBNULL\fR, @@ -222,7 +225,7 @@ by \fBERR_get_error\fR\|(3) if the allocation fails. Otherwise it returns a pointer to the newly allocated structure. .SH BUGS .IX Header "BUGS" -The behaviour of \fBRSA_flags()\fR is a mis-feature that is left as-is for now +The behaviour of \fBRSA_flags()\fR is a mis\-feature that is left as\-is for now to avoid creating compatibility problems. RSA functionality, such as the encryption functions, are controlled by the \fBflags\fR value in the RSA key itself, not by the \fBflags\fR value in the RSA_METHOD attached to the RSA key diff --git a/secure/lib/libcrypto/man/man3/RSA_sign.3 b/secure/lib/libcrypto/man/man3/RSA_sign.3 index 28a07533c953..43c36119c8cf 100644 --- a/secure/lib/libcrypto/man/man3/RSA_sign.3 +++ b/secure/lib/libcrypto/man/man3/RSA_sign.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_SIGN 3ossl" -.TH RSA_SIGN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_SIGN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -89,9 +92,9 @@ Applications should instead use \fBEVP_PKEY_sign_init\fR\|(3), \fBEVP_PKEY_sign\ private key \fBrsa\fR using RSASSA\-PKCS1\-v1_5 as specified in RFC 3447. It stores the signature in \fBsigret\fR and the signature size in \fBsiglen\fR. \&\fBsigret\fR must point to RSA_size(\fBrsa\fR) bytes of memory. -Note that PKCS #1 adds meta-data, placing limits on the size of the +Note that PKCS #1 adds meta\-data, placing limits on the size of the key that can be used. -See \fBRSA_private_encrypt\fR\|(3) for lower-level +See \fBRSA_private_encrypt\fR\|(3) for lower\-level operations. .PP \&\fBtype\fR denotes the message digest algorithm that was used to generate @@ -103,7 +106,7 @@ and no algorithm identifier) is created. \&\fBRSA_verify()\fR verifies that the signature \fBsigbuf\fR of size \fBsiglen\fR matches a given message digest \fBm\fR of size \fBm_len\fR. \fBtype\fR denotes the message digest algorithm that was used to generate the signature. -\&\fBrsa\fR is the signer's public key. +\&\fBrsa\fR is the signer\*(Aqs public key. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBRSA_sign()\fR returns 1 on success and 0 for failure. diff --git a/secure/lib/libcrypto/man/man3/RSA_sign_ASN1_OCTET_STRING.3 b/secure/lib/libcrypto/man/man3/RSA_sign_ASN1_OCTET_STRING.3 index c915ccd24991..f4ad4dfb244e 100644 --- a/secure/lib/libcrypto/man/man3/RSA_sign_ASN1_OCTET_STRING.3 +++ b/secure/lib/libcrypto/man/man3/RSA_sign_ASN1_OCTET_STRING.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_SIGN_ASN1_OCTET_STRING 3ossl" -.TH RSA_SIGN_ASN1_OCTET_STRING 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_SIGN_ASN1_OCTET_STRING 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -101,7 +104,7 @@ external circumstances (see \fBRAND\fR\|(7)), the operation will fail. .PP \&\fBRSA_verify_ASN1_OCTET_STRING()\fR verifies that the signature \fBsigbuf\fR of size \fBsiglen\fR is the DER representation of a given octet string -\&\fBm\fR of size \fBm_len\fR. \fBdummy\fR is ignored. \fBrsa\fR is the signer's +\&\fBm\fR of size \fBm_len\fR. \fBdummy\fR is ignored. \fBrsa\fR is the signer\*(Aqs public key. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/RSA_size.3 b/secure/lib/libcrypto/man/man3/RSA_size.3 index f06b46be062d..82352403da06 100644 --- a/secure/lib/libcrypto/man/man3/RSA_size.3 +++ b/secure/lib/libcrypto/man/man3/RSA_size.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_SIZE 3ossl" -.TH RSA_SIZE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_SIZE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SCT_new.3 b/secure/lib/libcrypto/man/man3/SCT_new.3 index 995b0109b903..d8485fb43cc8 100644 --- a/secure/lib/libcrypto/man/man3/SCT_new.3 +++ b/secure/lib/libcrypto/man/man3/SCT_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SCT_NEW 3ossl" -.TH SCT_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SCT_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -150,7 +153,7 @@ Only SCT_VERSION_V1 is currently supported. \&\fBSCT_set_log_entry_type()\fR to set the type of certificate the SCT was issued for: .Sp \&\fBCT_LOG_ENTRY_TYPE_X509\fR for a normal certificate. -\&\fBCT_LOG_ENTRY_TYPE_PRECERT\fR for a pre-certificate. +\&\fBCT_LOG_ENTRY_TYPE_PRECERT\fR for a pre\-certificate. .IP \(bu 2 \&\fBSCT_set0_log_id()\fR or \fBSCT_set1_log_id()\fR to set the LogID of the CT log that the SCT came from. .Sp 
@@ -170,7 +173,7 @@ The former takes ownership, whereas the latter makes a copy. .Sp The former takes ownership, whereas the latter makes a copy. .PP -Alternatively, the SCT can be pre-populated from the following data using +Alternatively, the SCT can be pre\-populated from the following data using \&\fBSCT_new_from_base64()\fR: .IP \(bu 2 The SCT version (only SCT_VERSION_V1 is currently supported). @@ -179,7 +182,7 @@ The LogID (see RFC 6962, Section 3.2), base64 encoded. .IP \(bu 2 The type of certificate the SCT was issued for: \&\fBCT_LOG_ENTRY_TYPE_X509\fR for a normal certificate. -\&\fBCT_LOG_ENTRY_TYPE_PRECERT\fR for a pre-certificate. +\&\fBCT_LOG_ENTRY_TYPE_PRECERT\fR for a pre\-certificate. .IP \(bu 2 The time that the SCT was issued (time in milliseconds since the Unix Epoch). .IP \(bu 2 diff --git a/secure/lib/libcrypto/man/man3/SCT_print.3 b/secure/lib/libcrypto/man/man3/SCT_print.3 index 619ee9bb6308..75a1dabf5a39 100644 --- a/secure/lib/libcrypto/man/man3/SCT_print.3 +++ b/secure/lib/libcrypto/man/man3/SCT_print.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SCT_PRINT 3ossl" -.TH SCT_PRINT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SCT_PRINT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -76,7 +79,7 @@ Prints Signed Certificate Timestamps in a human\-readable way .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBSCT_print()\fR prints a single Signed Certificate Timestamp (SCT) to a \fBBIO\fR in -a human-readable format. \fBSCT_LIST_print()\fR prints an entire list of SCTs in a +a human\-readable format. \fBSCT_LIST_print()\fR prints an entire list of SCTs in a similar way. A separator can be specified to delimit each SCT in the output. .PP The output can be indented by a specified number of spaces. If a \fBCTLOG_STORE\fR @@ -85,11 +88,11 @@ each SCT (if that log is in the CTLOG_STORE). Alternatively, NULL can be passed as the CTLOG_STORE parameter to disable this feature. .PP \&\fBSCT_validation_status_string()\fR will return the validation status of an SCT as -a human-readable string. Call \fBSCT_validate()\fR or \fBSCT_LIST_validate()\fR +a human\-readable string. Call \fBSCT_validate()\fR or \fBSCT_LIST_validate()\fR beforehand in order to set the validation status of an SCT first. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fBSCT_validation_status_string()\fR returns a NUL-terminated string representing +\&\fBSCT_validation_status_string()\fR returns a NUL\-terminated string representing the validation status of an \fBSCT\fR object. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/SCT_validate.3 b/secure/lib/libcrypto/man/man3/SCT_validate.3 index 3c3712f6a557..8948cf535e08 100644 --- a/secure/lib/libcrypto/man/man3/SCT_validate.3 +++ b/secure/lib/libcrypto/man/man3/SCT_validate.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SCT_VALIDATE 3ossl" -.TH SCT_VALIDATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SCT_VALIDATE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -97,7 +100,7 @@ SCT_VALIDATION_STATUS_UNVERIFIED. .IP \(bu 2 The issuer of that certificate. .Sp -This is only required if the SCT was issued for a pre-certificate +This is only required if the SCT was issued for a pre\-certificate (see RFC 6962). If it is required but not provided, the validation status will be SCT_VALIDATION_STATUS_UNVERIFIED. .IP \(bu 2 @@ -109,7 +112,7 @@ status will be SCT_VALIDATION_STATUS_UNKNOWN_LOG. If the SCT is of an unsupported version (only v1 is currently supported), the validation status will be SCT_VALIDATION_STATUS_UNKNOWN_VERSION. .PP -If the SCT's signature is incorrect, its timestamp is in the future (relative to +If the SCT\*(Aqs signature is incorrect, its timestamp is in the future (relative to the time in CT_POLICY_EVAL_CTX), or if it is otherwise invalid, the validation status will be SCT_VALIDATION_STATUS_INVALID. .PP diff --git a/secure/lib/libcrypto/man/man3/SHA256_Init.3 b/secure/lib/libcrypto/man/man3/SHA256_Init.3 index 99dfc9be77d9..c6b6570e87a1 100644 --- a/secure/lib/libcrypto/man/man3/SHA256_Init.3 +++ b/secure/lib/libcrypto/man/man3/SHA256_Init.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SHA256_INIT 3ossl" -.TH SHA256_INIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SHA256_INIT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -107,7 +110,7 @@ see \fBopenssl_user_macros\fR\|(7): All of the functions described on this page except for \fBSHA1()\fR, \fBSHA224()\fR, \fBSHA256()\fR, \fBSHA384()\fR and \fBSHA512()\fR are deprecated. Applications should instead use \fBEVP_DigestInit_ex\fR\|(3), \fBEVP_DigestUpdate\fR\|(3) -and \fBEVP_DigestFinal_ex\fR\|(3), or the quick one-shot function \fBEVP_Q_digest\fR\|(3). +and \fBEVP_DigestFinal_ex\fR\|(3), or the quick one\-shot function \fBEVP_Q_digest\fR\|(3). \&\fBSHA1()\fR, \fBSHA224()\fR, \fBSHA256()\fR, \fBSHA384()\fR, and \fBSHA256()\fR can continue to be used. They can also be replaced by, e.g., .PP diff --git a/secure/lib/libcrypto/man/man3/SMIME_read_ASN1.3 b/secure/lib/libcrypto/man/man3/SMIME_read_ASN1.3 index b0926d90a624..0c45bfc17805 100644 --- a/secure/lib/libcrypto/man/man3/SMIME_read_ASN1.3 +++ b/secure/lib/libcrypto/man/man3/SMIME_read_ASN1.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SMIME_READ_ASN1 3ossl" -.TH SMIME_READ_ASN1 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SMIME_READ_ASN1 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SMIME_read_CMS.3 b/secure/lib/libcrypto/man/man3/SMIME_read_CMS.3 index e2ac2127e7a1..fa72020b03ee 100644 --- a/secure/lib/libcrypto/man/man3/SMIME_read_CMS.3 +++ b/secure/lib/libcrypto/man/man3/SMIME_read_CMS.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SMIME_READ_CMS 3ossl" -.TH SMIME_READ_CMS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SMIME_READ_CMS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SMIME_read_PKCS7.3 b/secure/lib/libcrypto/man/man3/SMIME_read_PKCS7.3 index 87621cb4cc8d..d423deb17e13 100644 --- a/secure/lib/libcrypto/man/man3/SMIME_read_PKCS7.3 +++ b/secure/lib/libcrypto/man/man3/SMIME_read_PKCS7.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SMIME_READ_PKCS7 3ossl" -.TH SMIME_READ_PKCS7 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SMIME_READ_PKCS7 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SMIME_write_ASN1.3 b/secure/lib/libcrypto/man/man3/SMIME_write_ASN1.3 index 482820a60153..d9bdaba432fb 100644 --- a/secure/lib/libcrypto/man/man3/SMIME_write_ASN1.3 +++ b/secure/lib/libcrypto/man/man3/SMIME_write_ASN1.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SMIME_WRITE_ASN1 3ossl" -.TH SMIME_WRITE_ASN1 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SMIME_WRITE_ASN1 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SMIME_write_CMS.3 b/secure/lib/libcrypto/man/man3/SMIME_write_CMS.3 index 91fa572c308e..a512164cf99d 100644 
--- a/secure/lib/libcrypto/man/man3/SMIME_write_CMS.3 +++ b/secure/lib/libcrypto/man/man3/SMIME_write_CMS.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SMIME_WRITE_CMS 3ossl" -.TH SMIME_WRITE_CMS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SMIME_WRITE_CMS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SMIME_write_PKCS7.3 b/secure/lib/libcrypto/man/man3/SMIME_write_PKCS7.3 index 97dc80451034..3036a377226d 100644 --- a/secure/lib/libcrypto/man/man3/SMIME_write_PKCS7.3 +++ b/secure/lib/libcrypto/man/man3/SMIME_write_PKCS7.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SMIME_WRITE_PKCS7 3ossl" -.TH SMIME_WRITE_PKCS7 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SMIME_WRITE_PKCS7 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/SRP_Calc_B.3 b/secure/lib/libcrypto/man/man3/SRP_Calc_B.3 index a35182f7fa7f..278212afbfe5 100644 --- a/secure/lib/libcrypto/man/man3/SRP_Calc_B.3 +++ b/secure/lib/libcrypto/man/man3/SRP_Calc_B.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SRP_CALC_B 3ossl" -.TH SRP_CALC_B 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SRP_CALC_B 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -122,7 +125,7 @@ RFC2945 for a detailed description of their usage and the meaning of the various BIGNUM parameters to these functions. .PP Most of these functions come in two forms. Those that take a \fIlibctx\fR and -\&\fIpropq\fR parameter, and those that don't. Any cryptogrpahic functions that +\&\fIpropq\fR parameter, and those that don\*(Aqt. Any cryptogrpahic functions that are fetched and used during the calculation use the provided \fIlibctx\fR and \&\fIpropq\fR. See "ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for more details. The variants that do not take a \fIlibctx\fR and \fIpropq\fR parameter use the default library diff --git a/secure/lib/libcrypto/man/man3/SRP_VBASE_new.3 b/secure/lib/libcrypto/man/man3/SRP_VBASE_new.3 index 46a768c4cb61..81ce991412e4 100644 --- a/secure/lib/libcrypto/man/man3/SRP_VBASE_new.3 +++ b/secure/lib/libcrypto/man/man3/SRP_VBASE_new.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SRP_VBASE_NEW 3ossl" -.TH SRP_VBASE_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SRP_VBASE_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -97,8 +100,8 @@ The \fBSRP_VBASE_new()\fR function allocates a structure to store server side SR verifier information. If \fBseed_key\fR is not NULL a copy is stored and used to generate dummy parameters for users that are not found by \fBSRP_VBASE_get1_by_user()\fR. This allows the server -to hide the fact that it doesn't have a verifier for a particular username, -as described in section 2.5.1.3 'Unknown SRP' of RFC 5054. +to hide the fact that it doesn\*(Aqt have a verifier for a particular username, +as described in section 2.5.1.3 \*(AqUnknown SRP\*(Aq of RFC 5054. The seed string should contain random NUL terminated binary data (therefore the random data should not contain NUL bytes!). .PP 
@@ -109,8 +112,8 @@ The \fBSRP_VBASE_init()\fR function parses the information in a verifier file an populates the \fBvb\fR structure. The verifier file is a text file containing multiple entries, whose format is: flag base64(verifier) base64(salt) username gNid userinfo(optional) -where the flag can be 'V' (valid) or 'R' (revoked). -Note that the base64 encoding used here is non-standard so it is recommended +where the flag can be \*(AqV\*(Aq (valid) or \*(AqR\*(Aq (revoked). +Note that the base64 encoding used here is non\-standard so it is recommended to use \fBopenssl\-srp\fR\|(1) to generate this file. .PP The \fBSRP_VBASE_add0_user()\fR function adds the \fBuser_pwd\fR verifier information @@ -123,7 +126,7 @@ whose username matches \fBusername\fR. It replaces the deprecated \&\fBSRP_VBASE_get_by_user()\fR. If no matching user is found but a seed_key and default gN parameters have been set, dummy authentication information is generated from the seed_key, allowing -the server to hide the fact that it doesn't have a verifier for a particular +the server to hide the fact that it doesn\*(Aqt have a verifier for a particular username. When using SRP as a TLS authentication mechanism, this will cause the handshake to proceed normally but the first client will be rejected with a "bad_record_mac" alert, as if the password was incorrect. diff --git a/secure/lib/libcrypto/man/man3/SRP_create_verifier.3 b/secure/lib/libcrypto/man/man3/SRP_create_verifier.3 index 930a0b162758..3f636544bdfc 100644 --- a/secure/lib/libcrypto/man/man3/SRP_create_verifier.3 +++ b/secure/lib/libcrypto/man/man3/SRP_create_verifier.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SRP_CREATE_VERIFIER 3ossl" -.TH SRP_CREATE_VERIFIER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SRP_CREATE_VERIFIER 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -116,7 +119,7 @@ The caller is responsible for freeing the allocated \fI*salt\fR and \fI*verifier BIGNUMS (use \fBBN_free\fR\|(3)). .PP The \fBSRP_create_verifier()\fR function is similar to \fBSRP_create_verifier_BN()\fR but -all numeric parameters are in a non-standard base64 encoding originally designed +all numeric parameters are in a non\-standard base64 encoding originally designed for compatibility with libsrp. This is mainly present for historical compatibility and its use is discouraged. It is possible to pass NULL as \fIN\fR and an SRP group id as \fIg\fR instead to @@ -137,7 +140,7 @@ The known ids are "1024", "1536", "2048", "3072", "4096", "6144" and "8192". 0 on failure. .PP \&\fBSRP_create_verifier_ex()\fR and \fBSRP_create_verifier()\fR return NULL on failure and a -non-NULL value on success: +non\-NULL value on success: "*" if \fIN\fR is not NULL, the selected group id otherwise. This value should not be freed. .PP diff --git a/secure/lib/libcrypto/man/man3/SRP_user_pwd_new.3 b/secure/lib/libcrypto/man/man3/SRP_user_pwd_new.3 index 9f917c54c9dd..8e55ea0d98d3 100644 --- a/secure/lib/libcrypto/man/man3/SRP_user_pwd_new.3 +++ b/secure/lib/libcrypto/man/man3/SRP_user_pwd_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SRP_USER_PWD_NEW 3ossl" -.TH SRP_USER_PWD_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SRP_USER_PWD_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CIPHER_get_name.3 b/secure/lib/libcrypto/man/man3/SSL_CIPHER_get_name.3 index 5e9b8b6250ca..9bf241cc186c 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CIPHER_get_name.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CIPHER_get_name.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CIPHER_GET_NAME 3ossl" -.TH SSL_CIPHER_GET_NAME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CIPHER_GET_NAME 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -159,15 +162,15 @@ ChaCha20/Poly1305), and 0 if it is not AEAD. .PP \&\fBSSL_CIPHER_find()\fR returns a \fBSSL_CIPHER\fR structure which has the cipher ID stored in \fBptr\fR. The \fBptr\fR parameter is a two element array of \fBchar\fR, which stores the -two-byte TLS cipher ID (as allocated by IANA) in network byte order. This parameter +two\-byte TLS cipher ID (as allocated by IANA) in network byte order. This parameter is usually retrieved from a TLS packet by using functions like \&\fBSSL_client_hello_get0_ciphers\fR\|(3). \fBSSL_CIPHER_find()\fR returns NULL if an error occurs or the indicated cipher is not found. .PP -\&\fBSSL_CIPHER_get_id()\fR returns the OpenSSL-specific ID of the given cipher \fBc\fR. That ID is -not the same as the IANA-specific ID. +\&\fBSSL_CIPHER_get_id()\fR returns the OpenSSL\-specific ID of the given cipher \fBc\fR. That ID is +not the same as the IANA\-specific ID. .PP -\&\fBSSL_CIPHER_get_protocol_id()\fR returns the two-byte ID used in the TLS protocol of the given +\&\fBSSL_CIPHER_get_protocol_id()\fR returns the two\-byte ID used in the TLS protocol of the given cipher \fBc\fR. .PP \&\fBSSL_CIPHER_description()\fR returns a textual description of the cipher used @@ -211,7 +214,7 @@ Some examples for the output of \fBSSL_CIPHER_description()\fR: .IX Header "RETURN VALUES" \&\fBSSL_CIPHER_get_name()\fR, \fBSSL_CIPHER_standard_name()\fR, \fBOPENSSL_cipher_name()\fR, \&\fBSSL_CIPHER_get_version()\fR and \fBSSL_CIPHER_description()\fR return the corresponding -value in a NUL-terminated string for a specific cipher or "(NONE)" +value in a NUL\-terminated string for a specific cipher or "(NONE)" if the cipher is not found. .PP \&\fBSSL_CIPHER_get_bits()\fR returns a positive integer representing the number of 
@@ -229,10 +232,10 @@ if an error occurred. \&\fBSSL_CIPHER_find()\fR returns a valid \fBSSL_CIPHER\fR structure or NULL if an error occurred. .PP -\&\fBSSL_CIPHER_get_id()\fR returns a 4\-byte integer representing the OpenSSL-specific ID. +\&\fBSSL_CIPHER_get_id()\fR returns a 4\-byte integer representing the OpenSSL\-specific ID. .PP \&\fBSSL_CIPHER_get_protocol_id()\fR returns a 2\-byte integer representing the TLS -protocol-specific ID. +protocol\-specific ID. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBssl\fR\|(7), \fBSSL_get_current_cipher\fR\|(3), @@ -248,7 +251,7 @@ rather than a fixed string, in OpenSSL 1.1.0. The \fBSSL_CIPHER_get_handshake_digest()\fR function was added in OpenSSL 1.1.1. .PP The \fBSSL_CIPHER_standard_name()\fR function was globally available in OpenSSL 1.1.1. - Before OpenSSL 1.1.1, tracing (\fBenable-ssl-trace\fR argument to Configure) was + Before OpenSSL 1.1.1, tracing (\fBenable\-ssl\-trace\fR argument to Configure) was required to enable this function. .PP The \fBOPENSSL_cipher_name()\fR function was added in OpenSSL 1.1.1. diff --git a/secure/lib/libcrypto/man/man3/SSL_COMP_add_compression_method.3 b/secure/lib/libcrypto/man/man3/SSL_COMP_add_compression_method.3 index 953229e2bc10..b4a763f3e905 100644 --- a/secure/lib/libcrypto/man/man3/SSL_COMP_add_compression_method.3 +++ b/secure/lib/libcrypto/man/man3/SSL_COMP_add_compression_method.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_COMP_ADD_COMPRESSION_METHOD 3ossl" -.TH SSL_COMP_ADD_COMPRESSION_METHOD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_COMP_ADD_COMPRESSION_METHOD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -105,7 +108,7 @@ into the communication. The TLS RFC does however not specify compression methods or their corresponding identifiers, so there is currently no compatible way to integrate compression with unknown peers. It is therefore currently not recommended to integrate compression into applications. Applications for -non-public use may agree on certain compression methods. Using different +non\-public use may agree on certain compression methods. Using different compression methods with the same identifier will lead to connection failure. .PP An OpenSSL client speaking a protocol that allows compression (SSLv3, TLSv1) diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_new.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_new.3 index 5ba1bd04def8..09b8eddd65bb 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_new.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CONF_CTX_NEW 3ossl" -.TH SSL_CONF_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CONF_CTX_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set1_prefix.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set1_prefix.3 index c321852c8594..4fdfec2cb7e8 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set1_prefix.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set1_prefix.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CONF_CTX_SET1_PREFIX 3ossl" -.TH SSL_CONF_CTX_SET1_PREFIX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CONF_CTX_SET1_PREFIX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_flags.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_flags.3 index 5163aa1d29ca..c367db77bb29 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_flags.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_flags.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CONF_CTX_SET_FLAGS 3ossl" -.TH SSL_CONF_CTX_SET_FLAGS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CONF_CTX_SET_FLAGS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -101,7 +104,7 @@ file an error occurs. .IP SSL_CONF_FLAG_SHOW_ERRORS 4 .IX Item "SSL_CONF_FLAG_SHOW_ERRORS" indicate errors relating to unrecognised options or missing arguments in -the error queue. If this option isn't set such errors are only reflected +the error queue. If this option isn\*(Aqt set such errors are only reflected in the return values of \fBSSL_CONF_set_cmd()\fR or \fBSSL_CONF_set_argv()\fR .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_ssl_ctx.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_ssl_ctx.3 index 76d542adbb89..5c9744ab3047 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_ssl_ctx.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_ssl_ctx.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CONF_CTX_SET_SSL_CTX 3ossl" -.TH SSL_CONF_CTX_SET_SSL_CTX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CONF_CTX_SET_SSL_CTX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_cmd.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_cmd.3 index 439487dd4608..99eadf209529 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CONF_cmd.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CONF_cmd.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CONF_CMD 3ossl" -.TH SSL_CONF_CMD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CONF_CMD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -113,7 +116,7 @@ signature algorithm or elliptic curve to use for an incoming connection. Equivalent to \fBSSL_OP_CIPHER_SERVER_PREFERENCE\fR. Only used by servers. .IP \fB\-client_renegotiation\fR 4 .IX Item "-client_renegotiation" -Allows servers to accept client-initiated renegotiation. Equivalent to +Allows servers to accept client\-initiated renegotiation. Equivalent to setting \fBSSL_OP_ALLOW_CLIENT_RENEGOTIATION\fR. Only used by servers. .IP \fB\-legacy_renegotiation\fR 4 
@@ -166,9 +169,9 @@ or \fBsignature_scheme\fR. For the default providers shipped with OpenSSL, \&\fBsignature_scheme\fR is one of the signature schemes defined in TLSv1.3, specified using the IETF name, e.g., \fBecdsa_secp256r1_sha256\fR, \&\fBed25519\fR, or \fBrsa_pss_pss_sha256\fR. Additional providers may make available -further algorithms via the TLS-SIGALG capability. +further algorithms via the TLS\-SIGALG capability. Signature scheme names and public key algorithm names (but not the hash names) -in the \fBalgorithm+hash\fR form are case-insensitive. +in the \fBalgorithm+hash\fR form are case\-insensitive. See \fBprovider\-base\fR\|(7). .Sp If this option is not set then all signature algorithms supported by all @@ -203,7 +206,7 @@ registry. For some groups, OpenSSL supports additional aliases. Such an alias could be a \fBNIST\fR name (e.g. \fBP\-256\fR), an OpenSSL OID name (e.g. \fBprime256v1\fR), or some other commonly used name. -Group names are case-insensitive in OpenSSL 3.5 and later. +Group names are case\-insensitive in OpenSSL 3.5 and later. The list should be in order of preference with the most preferred group first. .Sp The first group listed will also be used for the \fBkey_share\fR sent by a client @@ -249,7 +252,7 @@ curve can be either the \fBNIST\fR name (e.g. \fBP\-256\fR) or an OpenSSL OID na (e.g. \fBprime256v1\fR). Even with TLS 1.0 and 1.1, the default value of \f(CW\*(C`auto\*(C'\fR is strongly recommended over choosing a specific curve. -Curve names are case-insensitive in OpenSSL 3.5 and later. +Curve names are case\-insensitive in OpenSSL 3.5 and later. .IP \fB\-tx_cert_comp\fR 4 .IX Item "-tx_cert_comp" Enables support for sending TLSv1.3 compressed certificates. 
@@ -275,7 +278,7 @@ structure is associated with \fBctx\fR. .IP "\fB\-ciphersuites\fR \fI1.3ciphers\fR" 4 .IX Item "-ciphersuites 1.3ciphers" Sets the available ciphersuites for TLSv1.3 to value. This is a -colon-separated list of TLSv1.3 ciphersuite names in order of preference. This +colon\-separated list of TLSv1.3 ciphersuite names in order of preference. This list will be combined any configured TLSv1.2 and below ciphersuites. See \fBopenssl\-ciphers\fR\|(1) for more information. .IP "\fB\-min_protocol\fR \fIminprot\fR, \fB\-max_protocol\fR \fImaxprot\fR" 4 @@ -343,11 +346,11 @@ Switches replay protection, on or off respectively. With replay protection on, OpenSSL will automatically detect if a session ticket has been used more than once, TLSv1.3 has been negotiated, and early data is enabled on the server. A full handshake is forced if a session ticket is used a second or subsequent -time. Anti-Replay is on by default unless overridden by a configuration file and -is only used by servers. Anti-replay measures are required for compliance with +time. Anti\-Replay is on by default unless overridden by a configuration file and +is only used by servers. Anti\-replay measures are required for compliance with the TLSv1.3 specification. Some applications may be able to mitigate the replay -risks in other ways and in such cases the built-in OpenSSL functionality is not -required. Switching off anti-replay is equivalent to \fBSSL_OP_NO_ANTI_REPLAY\fR. +risks in other ways and in such cases the built\-in OpenSSL functionality is not +required. Switching off anti\-replay is equivalent to \fBSSL_OP_NO_ANTI_REPLAY\fR. .SH "SUPPORTED CONFIGURATION FILE COMMANDS" .IX Header "SUPPORTED CONFIGURATION FILE COMMANDS" Currently supported \fBoption\fR names for configuration files (i.e., when the 
@@ -366,7 +369,7 @@ structure is associated with \fBctx\fR. .IP \fBCiphersuites\fR 4 .IX Item "Ciphersuites" Sets the available ciphersuites for TLSv1.3 to \fBvalue\fR. This is a -colon-separated list of TLSv1.3 ciphersuite names in order of preference. This +colon\-separated list of TLSv1.3 ciphersuite names in order of preference. This list will be combined any configured TLSv1.2 and below ciphersuites. See \fBopenssl\-ciphers\fR\|(1) for more information. .IP \fBCertificate\fR 4 @@ -414,6 +417,11 @@ omitted, the same padding will be applied to all messages. Padding attempts to pad TLSv1.3 records so that they are a multiple of the set length on send. A value of 0 or 1 turns off padding as relevant. Otherwise, the values must be >1 or <=16384. +.Sp +Note that, for QUIC objects, padding is always performed at the +packet level, and so cannot be done at the record level. Given that, when the +config file is created, there is no knowledge of what kind of SSL objects are +being created, this option is silently ignored for QUIC objects. .IP \fBSignatureAlgorithms\fR 4 .IX Item "SignatureAlgorithms" This sets the supported signature algorithms for TLSv1.2 and TLSv1.3. @@ -431,7 +439,7 @@ or \fBSHA512\fR. specified using the IANA name, e.g., \fBecdsa_secp256r1_sha256\fR, \fBed25519\fR, or \fBrsa_pss_pss_sha256\fR. Signature scheme names and public key algorithm names (but not the hash names) -in the \fBalgorithm+hash\fR form are case-insensitive. +in the \fBalgorithm+hash\fR form are case\-insensitive. Additional providers may make available further signature schemes via the TLS_SIGALG capability. See "CAPABILITIES" in \fBprovider\-base\fR\|(7). .Sp 
@@ -469,7 +477,7 @@ registry. For some groups, OpenSSL supports additional aliases. Such an alias could be a \fBNIST\fR name (e.g. \fBP\-256\fR), an OpenSSL OID name (e.g. \fBprime256v1\fR), or some other commonly used name. -Group names are case-insensitive in OpenSSL 3.5 and later. +Group names are case\-insensitive in OpenSSL 3.5 and later. The list should be in order of preference with the most preferred group first. .Sp The commands below list the available groups for TLS 1.2 and TLS 1.3, @@ -495,8 +503,8 @@ This sets the minimum supported SSL, TLS or DTLS version. .Sp Currently supported protocol values are \fBSSLv3\fR, \fBTLSv1\fR, \fBTLSv1.1\fR, \&\fBTLSv1.2\fR, \fBTLSv1.3\fR, \fBDTLSv1\fR and \fBDTLSv1.2\fR. -The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds -apply only to DTLS-based contexts. +The SSL and TLS bounds apply only to TLS\-based contexts, while the DTLS bounds +apply only to DTLS\-based contexts. The command can be repeated with one instance setting a TLS bound, and the other setting a DTLS bound. The value \fBNone\fR applies to both types of contexts and disables the limits. @@ -506,8 +514,8 @@ This sets the maximum supported SSL, TLS or DTLS version. .Sp Currently supported protocol values are \fBSSLv3\fR, \fBTLSv1\fR, \fBTLSv1.1\fR, \&\fBTLSv1.2\fR, \fBTLSv1.3\fR, \fBDTLSv1\fR and \fBDTLSv1.2\fR. -The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds -apply only to DTLS-based contexts. +The SSL and TLS bounds apply only to TLS\-based contexts, while the DTLS bounds +apply only to DTLS\-based contexts. The command can be repeated with one instance setting a TLS bound, and the other setting a DTLS bound. The value \fBNone\fR applies to both types of contexts and disables the limits. 
@@ -530,7 +538,7 @@ Currently supported protocol values are \fBSSLv3\fR, \fBTLSv1\fR, \fBTLSv1.1\fR, \&\fBTLSv1.2\fR, \fBTLSv1.3\fR, \fBDTLSv1\fR and \fBDTLSv1.2\fR. The special value \fBALL\fR refers to all supported versions. .Sp -This can't enable protocols that are disabled using \fBMinProtocol\fR +This can\*(Aqt enable protocols that are disabled using \fBMinProtocol\fR or \fBMaxProtocol\fR, but can disable protocols that are still allowed by them. .Sp @@ -590,7 +598,7 @@ Equivalent to \fBSSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\fR. \&\fBUnsafeLegacyServerConnect\fR: permits the use of unsafe legacy renegotiation for OpenSSL clients only. Equivalent to \fBSSL_OP_LEGACY_SERVER_CONNECT\fR. .Sp -\&\fBEncryptThenMac\fR: use encrypt-then-mac extension, enabled by +\&\fBEncryptThenMac\fR: use encrypt\-then\-mac extension, enabled by default. Inverse of \fBSSL_OP_NO_ENCRYPT_THEN_MAC\fR: that is, \&\fB\-EncryptThenMac\fR is the same as setting \fBSSL_OP_NO_ENCRYPT_THEN_MAC\fR. .Sp 
@@ -613,10 +621,10 @@ default. Equivalent to \fBSSL_OP_ENABLE_MIDDLEBOX_COMPAT\fR. has been used more than once, TLSv1.3 has been negotiated, and early data is enabled on the server. A full handshake is forced if a session ticket is used a second or subsequent time. This option is set by default and is only used by -servers. Anti-replay measures are required to comply with the TLSv1.3 +servers. Anti\-replay measures are required to comply with the TLSv1.3 specification. Some applications may be able to mitigate the replay risks in -other ways and in such cases the built-in OpenSSL functionality is not required. -Disabling anti-replay is equivalent to setting \fBSSL_OP_NO_ANTI_REPLAY\fR. +other ways and in such cases the built\-in OpenSSL functionality is not required. +Disabling anti\-replay is equivalent to setting \fBSSL_OP_NO_ANTI_REPLAY\fR. .Sp \&\fBExtendedMasterSecret\fR: use extended master secret extension, enabled by default. Inverse of \fBSSL_OP_NO_EXTENDED_MASTER_SECRET\fR: that is, @@ -646,7 +654,7 @@ a performance boost when used with KTLS hardware offload. Note that invalid TLS records might be transmitted if the file is changed while being sent. This option has no effect if \fBKTLS\fR is not enabled. Equivalent to \&\fBSSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE\fR. This option only applies to Linux. -KTLS sendfile on FreeBSD doesn't offer an option to disable zerocopy and +KTLS sendfile on FreeBSD doesn\*(Aqt offer an option to disable zerocopy and always runs in this mode. .Sp \&\fBIgnoreUnexpectedEOF\fR: Equivalent to \fBSSL_OP_IGNORE_UNEXPECTED_EOF\fR. 
@@ -669,16 +677,16 @@ occurs if the client does not present a certificate. Servers only. not when renegotiating. Servers only. .Sp \&\fBRequestPostHandshake\fR configures the connection to support requests but does -not require a certificate from the client post-handshake. A certificate will +not require a certificate from the client post\-handshake. A certificate will not be requested during the initial handshake. The server application must -provide a mechanism to request a certificate post-handshake. Servers only. +provide a mechanism to request a certificate post\-handshake. Servers only. TLSv1.3 only. .Sp \&\fBRequiresPostHandshake\fR configures the connection to support requests and -requires a certificate from the client post-handshake: an error occurs if the +requires a certificate from the client post\-handshake: an error occurs if the client does not present a certificate. A certificate will not be requested during the initial handshake. The server application must provide a mechanism -to request a certificate post-handshake. Servers only. TLSv1.3 only. +to request a certificate post\-handshake. Servers only. TLSv1.3 only. .IP "\fBClientCAFile\fR, \fBClientCAPath\fR" 4 .IX Item "ClientCAFile, ClientCAPath" A file or directory of certificates in PEM format whose names are used as the @@ -703,7 +711,7 @@ The value is a filename. The value is a directory name. .IP \fBSSL_CONF_TYPE_NONE\fR 4 .IX Item "SSL_CONF_TYPE_NONE" -The value string is not used e.g. a command line option which doesn't take an +The value string is not used e.g. a command line option which doesn\*(Aqt take an argument. .SH NOTES .IX Header "NOTES" 
@@ -794,7 +802,7 @@ The following also disables SSLv3: The following will first enable all protocols, and then disable SSLv3. If no protocol versions were disabled before this has the same effect as -"\-SSLv3", but if some versions were disables this will re-enable them before +"\-SSLv3", but if some versions were disables this will re\-enable them before disabling SSLv3. .PP .Vb 1 @@ -844,11 +852,11 @@ Set supported curves to P\-256, P\-384: .IX Header "HISTORY" The \fBSSL_CONF_cmd()\fR function was added in OpenSSL 1.0.2. .PP -The \fBSSL_OP_NO_SSL2\fR option doesn't have effect since 1.1.0, but the macro +The \fBSSL_OP_NO_SSL2\fR option doesn\*(Aqt have effect since 1.1.0, but the macro is retained for backwards compatibility. .PP The \fBSSL_CONF_TYPE_NONE\fR was added in OpenSSL 1.1.0. In earlier versions of -OpenSSL passing a command which didn't take an argument would return +OpenSSL passing a command which didn\*(Aqt take an argument would return \&\fBSSL_CONF_TYPE_UNKNOWN\fR. .PP \&\fBMinProtocol\fR and \fBMaxProtocol\fR where added in OpenSSL 1.1.0. @@ -863,7 +871,7 @@ added in OpenSSL 3.2. .PP \&\fBPreferNoDHEKEX\fR was added in OpenSSL 3.3. .PP -OpenSSL 3.5 introduces support for post-quantum (PQ) TLS key exchange via the +OpenSSL 3.5 introduces support for post\-quantum (PQ) TLS key exchange via the \&\fBMLKEM512\fR, \fBMLKEM768\fR and \fBMLKEM1024\fR TLS groups. These are based on the underlying \fBML\-KEM\-512\fR, \fBML\-KEM\-768\fR and \&\fBML\-KEM\-1024\fR algorithms from FIPS 203. 
@@ -873,13 +881,13 @@ TLS groups: \fBX25519MLKEM768\fR, \fBSecP256r1MLKEM768\fR and \&\fBSecP384r1MLKEM1024\fR. They offer CPU performance comparable to the associated ECDH group, though at the cost of significantly larger key exchange messages. -The third group, \fBSecP384r1MLKEM1024\fR is substantially more CPU-intensive, +The third group, \fBSecP384r1MLKEM1024\fR is substantially more CPU\-intensive, largely as a result of the high CPU cost of ECDH for the underlying \fBP\-384\fR group. Also its key exchange messages at close to 1700 bytes are larger than the roughly 1200 bytes for the first two groups. .PP -As of OpenSSL 3.5 key exchange group names are case-insensitive. +As of OpenSSL 3.5 key exchange group names are case\-insensitive. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2012\-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_cmd_argv.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_cmd_argv.3 index 5d48aeac0968..42d6474f96e7 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CONF_cmd_argv.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CONF_cmd_argv.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CONF_CMD_ARGV 3ossl" -.TH SSL_CONF_CMD_ARGV 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CONF_CMD_ARGV 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -82,7 +85,7 @@ or a negative error code. .PP If \-2 is returned then an argument for a command is missing. .PP -If \-1 is returned the command is recognised but couldn't be processed due +If \-1 is returned the command is recognised but couldn\*(Aqt be processed due to an error: for example a syntax error in the argument. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_add1_chain_cert.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_add1_chain_cert.3 index 2750635312c6..d3540d6c9666 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_add1_chain_cert.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_add1_chain_cert.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_ADD1_CHAIN_CERT 3ossl" -.TH SSL_CTX_ADD1_CHAIN_CERT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_ADD1_CHAIN_CERT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_add_extra_chain_cert.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_add_extra_chain_cert.3 index d5d7ff0f7344..ab5e5251ce02 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_add_extra_chain_cert.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_add_extra_chain_cert.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_ADD_EXTRA_CHAIN_CERT 3ossl" -.TH SSL_CTX_ADD_EXTRA_CHAIN_CERT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_ADD_EXTRA_CHAIN_CERT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_add_session.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_add_session.3 index 446e2b508b5b..ac778cc40fb4 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_add_session.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_add_session.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_ADD_SESSION 3ossl" -.TH SSL_CTX_ADD_SESSION 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_ADD_SESSION 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -79,7 +82,7 @@ the same session id already exists, the old session is removed by calling \&\fBSSL_SESSION_free\fR\|(3). .PP \&\fBSSL_CTX_remove_session()\fR removes the session \fBc\fR from the context \fBctx\fR and -marks it as non-resumable. \fBSSL_SESSION_free\fR\|(3) is called once for \fBc\fR. +marks it as non\-resumable. \fBSSL_SESSION_free\fR\|(3) is called once for \fBc\fR. .SH NOTES .IX Header "NOTES" When adding a new session to the internal session cache, it is examined @@ -88,12 +91,12 @@ it is assumed that both sessions are identical. If the same session is stored in a different SSL_SESSION object, The old session is removed and replaced by the new session. If the session is actually identical (the SSL_SESSION object is identical), \fBSSL_CTX_add_session()\fR -is a no-op, and the return value is 0. +is a no\-op, and the return value is 0. .PP If a server SSL_CTX is configured with the SSL_SESS_CACHE_NO_INTERNAL_STORE flag then the internal cache will not be populated automatically by new sessions negotiated by the SSL/TLS implementation, even though the internal -cache will be searched automatically for session-resume requests (the +cache will be searched automatically for session\-resume requests (the latter can be suppressed by SSL_SESS_CACHE_NO_INTERNAL_LOOKUP). So the application can use \fBSSL_CTX_add_session()\fR directly to have full control over the sessions that can be resumed if desired. diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_config.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_config.3 index 628bc8d437f7..e3c11c047307 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_config.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_config.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_CONFIG 3ossl" -.TH SSL_CTX_CONFIG 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_CONFIG 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_ctrl.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_ctrl.3 index 3e1f9f8476ac..d4a01a588952 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_ctrl.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_ctrl.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_CTRL 3ossl" -.TH SSL_CTX_CTRL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_CTRL 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_dane_enable.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_dane_enable.3 index c448ac4ef3dd..a4c4fe6e3980 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_dane_enable.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_dane_enable.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_DANE_ENABLE 3ossl" -.TH SSL_CTX_DANE_ENABLE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_DANE_ENABLE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -95,7 +98,7 @@ peer authentication. \&\fBSSL_CTX_dane_enable()\fR must be called first to initialize the shared state required for DANE support. Individual connections associated with the context can then enable -per-connection DANE support as appropriate. +per\-connection DANE support as appropriate. DANE authentication is implemented in the \fBX509_verify_cert\fR\|(3) function, and applications that override \fBX509_verify_cert\fR\|(3) via \&\fBSSL_CTX_set_cert_verify_callback\fR\|(3) are responsible to authenticate the peer @@ -121,7 +124,7 @@ is mapped to \f(CWEVP_sha512()\fR with a strength ordinal of \f(CW2\fR. .PP \&\fBSSL_dane_enable()\fR must be called before the SSL handshake is initiated with \&\fBSSL_connect\fR\|(3) if (and only if) you want to enable DANE for that connection. -(The connection must be associated with a DANE-enabled SSL context). +(The connection must be associated with a DANE\-enabled SSL context). The \fBbasedomain\fR argument specifies the RFC7671 TLSA base domain, which will be the primary peer reference identifier for certificate name checks. 
@@ -146,12 +149,12 @@ call and take appropriate action if none are usable or an internal error is encountered in processing some records. .PP If no TLSA records are added successfully, DANE authentication is not enabled, -and authentication will be based on any configured traditional trust-anchors; +and authentication will be based on any configured traditional trust\-anchors; authentication success in this case does not mean that the peer was -DANE-authenticated. +DANE\-authenticated. .PP \&\fBSSL_get0_dane_authority()\fR can be used to get more detailed information about -the matched DANE trust-anchor after successful connection completion. +the matched DANE trust\-anchor after successful connection completion. The return value is negative if DANE verification failed (or was not enabled), 0 if an EE TLSA record directly matched the leaf certificate, or a positive number indicating the depth at which a TA record matched an issuer certificate. 
@@ -161,21 +164,21 @@ certificates sent by the peer as returned by \fBSSL_get_peer_cert_chain\fR\|(3). .PP If the \fBmcert\fR argument is not \fBNULL\fR and a TLSA record matched a chain certificate, a pointer to the matching certificate is returned via \fBmcert\fR. -The returned address is a short-term internal reference to the certificate and +The returned address is a short\-term internal reference to the certificate and must not be freed by the application. Applications that want to retain access to the certificate can call -\&\fBX509_up_ref\fR\|(3) to obtain a long-term reference which must then be freed via +\&\fBX509_up_ref\fR\|(3) to obtain a long\-term reference which must then be freed via \&\fBX509_free\fR\|(3) once no longer needed. .PP If no TLSA records directly matched any elements of the certificate chain, but a \fBDANE\-TA\fR\|(2) \fBSPKI\fR\|(1) \fBFull\fR\|(0) record provided the public key that signed an element of the chain, then that key is returned via \fBmspki\fR argument (if not NULL). -In this case the return value is the depth of the top-most element of the +In this case the return value is the depth of the top\-most element of the validated certificate chain. -As with \fBmcert\fR this is a short-term internal reference, and +As with \fBmcert\fR this is a short\-term internal reference, and \&\fBEVP_PKEY_up_ref\fR\|(3) and \fBEVP_PKEY_free\fR\|(3) can be used to acquire and -release long-term references respectively. +release long\-term references respectively. .PP \&\fBSSL_get0_dane_tlsa()\fR can be used to retrieve the fields of the TLSA record that matched the peer certificate chain. 
@@ -184,21 +187,21 @@ The return value indicates the match depth or failure to match just as with When the return value is nonnegative, the storage pointed to by the \fBusage\fR, \&\fBselector\fR, \fBmtype\fR and \fBdata\fR parameters is updated to the corresponding TLSA record fields. -The \fBdata\fR field is in binary wire form, and is therefore not NUL-terminated, +The \fBdata\fR field is in binary wire form, and is therefore not NUL\-terminated, its length is returned via the \fBdlen\fR parameter. If any of these parameters is NULL, the corresponding field is not returned. -The \fBdata\fR parameter is set to a short-term internal-copy of the associated +The \fBdata\fR parameter is set to a short\-term internal\-copy of the associated data field and must not be freed by the application. -Applications that need long-term access to this field need to copy the content. +Applications that need long\-term access to this field need to copy the content. .PP \&\fBSSL_CTX_dane_set_flags()\fR and \fBSSL_dane_set_flags()\fR can be used to enable optional DANE verification features. \&\fBSSL_CTX_dane_clear_flags()\fR and \fBSSL_dane_clear_flags()\fR can be used to disable the same features. -The \fBflags\fR argument is a bit-mask of the features to enable or disable. +The \fBflags\fR argument is a bit\-mask of the features to enable or disable. The \fBflags\fR set for an \fBSSL_CTX\fR context are copied to each \fBSSL\fR handle associated with that context at the time the handle is created. -Subsequent changes in the context's \fBflags\fR have no effect on the \fBflags\fR set +Subsequent changes in the context\*(Aqs \fBflags\fR have no effect on the \fBflags\fR set for the handle. .PP At present, the only available option is \fBDANE_FLAG_NO_DANE_EE_NAMECHECKS\fR 
@@ -208,7 +211,7 @@ For some applications, primarily web browsers, it is not safe to disable name checks due to "unknown key share" attacks, in which a malicious server can convince a client that a connection to a victim server is instead a secure connection to the malicious server. -The malicious server may then be able to violate cross-origin scripting +The malicious server may then be able to violate cross\-origin scripting restrictions. Thus, despite the text of RFC7671, name checks are by default enabled for \&\fBDANE\-EE\fR\|(3) TLSA records, and can be disabled in applications where it is safe @@ -232,7 +235,7 @@ certificate or a public key that fails to parse. The functions \fBSSL_get0_dane_authority()\fR and \fBSSL_get0_dane_tlsa()\fR return a negative value when DANE authentication failed or was not enabled, a nonnegative value indicates the chain depth at which the TLSA record matched a -chain certificate, or the depth of the top-most certificate, when the TLSA +chain certificate, or the depth of the top\-most certificate, when the TLSA record is a full public key that is its signer. .PP The functions \fBSSL_CTX_dane_set_flags()\fR, \fBSSL_CTX_dane_clear_flags()\fR, @@ -241,7 +244,7 @@ before they were called. .SH EXAMPLES .IX Header "EXAMPLES" Suppose "smtp.example.com" is the MX host of the domain "example.com", and has -DNSSEC-validated TLSA records. +DNSSEC\-validated TLSA records. The calls below will perform DANE authentication and arrange to match either the MX hostname or the destination domain name in the SMTP server certificate. Wildcards are supported, but must match the entire label. 
@@ -389,7 +392,7 @@ the lifetime of the SSL connection. .IX Header "NOTES" It is expected that the majority of clients employing DANE TLS will be doing "opportunistic DANE TLS" in the sense of RFC7672 and RFC7435. -That is, they will use DANE authentication when DNSSEC-validated TLSA records +That is, they will use DANE authentication when DNSSEC\-validated TLSA records are published for a given peer, and otherwise will use unauthenticated TLS or even cleartext. .PP diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_flush_sessions.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_flush_sessions.3 index 22ce66cda33f..81ab1751b7bc 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_flush_sessions.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_flush_sessions.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_FLUSH_SESSIONS 3ossl" -.TH SSL_CTX_FLUSH_SESSIONS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_FLUSH_SESSIONS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_free.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_free.3 index 729c650c6ac2..51402b4816fe 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_free.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_free.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_FREE 3ossl" -.TH SSL_CTX_FREE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_FREE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -81,8 +84,8 @@ the certificates and keys. If \fBctx\fR is NULL nothing is done. .SH WARNINGS .IX Header "WARNINGS" -If a session-remove callback is set (\fBSSL_CTX_sess_set_remove_cb()\fR), this -callback will be called for each session being freed from \fBctx\fR's +If a session\-remove callback is set (\fBSSL_CTX_sess_set_remove_cb()\fR), this +callback will be called for each session being freed from \fBctx\fR\*(Aqs session cache. This implies, that all corresponding sessions from an external session cache are removed as well. If this is not desired, the user should explicitly unset the callback by calling diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_get0_param.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_get0_param.3 index d00f5702265f..4fd2a7acae4a 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_get0_param.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_get0_param.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_GET0_PARAM 3ossl" -.TH SSL_CTX_GET0_PARAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_GET0_PARAM 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_get_verify_mode.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_get_verify_mode.3 index e446b5d4fa26..8db8c69f484c 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_get_verify_mode.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_get_verify_mode.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_GET_VERIFY_MODE 3ossl" -.TH SSL_CTX_GET_VERIFY_MODE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_GET_VERIFY_MODE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_has_client_custom_ext.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_has_client_custom_ext.3 index 50c0ad567c7e..7afcebebdb8d 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_has_client_custom_ext.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_has_client_custom_ext.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_HAS_CLIENT_CUSTOM_EXT 3ossl" -.TH SSL_CTX_HAS_CLIENT_CUSTOM_EXT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_HAS_CLIENT_CUSTOM_EXT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_load_verify_locations.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_load_verify_locations.3 index 3017574ffc21..230ef4270882 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_load_verify_locations.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_load_verify_locations.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_LOAD_VERIFY_LOCATIONS 3ossl" -.TH SSL_CTX_LOAD_VERIFY_LOCATIONS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_LOAD_VERIFY_LOCATIONS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -154,10 +157,10 @@ will search for suitable certificates first in \fBCAfile\fR, then in \fBCApath\f Details of the chain building process are described in "Certification Path Building" in \fBopenssl\-verification\-options\fR\|(1). .PP -If \fBCAstore\fR is not NULL, it's a URI for to a store, which may +If \fBCAstore\fR is not NULL, it\*(Aqs a URI for to a store, which may represent a single container or a whole catalogue of containers. Apart from the \fBCAstore\fR not necessarily being a local file or -directory, it's generally treated the same way as a \fBCApath\fR. +directory, it\*(Aqs generally treated the same way as a \fBCApath\fR. .PP In server mode, when requesting a client certificate, the server must send the list of CAs of which it will accept client certificates. This list diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_new.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_new.3 index 3e26ab1a7b35..485fab0434bb 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_new.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_NEW 3ossl" -.TH SSL_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -171,17 +174,17 @@ with \fBSSL_CTX_get0_param\fR\|(3), to override the default purpose of the sessi .PP The SSL_CTX object uses \fImethod\fR as the connection method. Three method variants are available: a generic method (for either client or -server use), a server-only method, and a client-only method. +server use), a server\-only method, and a client\-only method. .PP The \fImethod\fR parameter of \fBSSL_CTX_new_ex()\fR and \fBSSL_CTX_new()\fR can be one of the following: .IP "\fBTLS_method()\fR, \fBTLS_server_method()\fR, \fBTLS_client_method()\fR" 4 .IX Item "TLS_method(), TLS_server_method(), TLS_client_method()" -These are the general-purpose \fIversion-flexible\fR SSL/TLS methods. +These are the general\-purpose \fIversion\-flexible\fR SSL/TLS methods. The actual protocol version used will be negotiated to the highest version mutually supported by the client and the server. The supported protocols are SSLv3, TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3. -Applications should use these methods, and avoid the version-specific +Applications should use these methods, and avoid the version\-specific methods described below, which are deprecated. .IP "\fBSSLv23_method()\fR, \fBSSLv23_server_method()\fR, \fBSSLv23_client_method()\fR" 4 .IX Item "SSLv23_method(), SSLv23_server_method(), SSLv23_client_method()" 
@@ -210,25 +213,25 @@ SSLv3 protocol. The SSLv3 protocol is deprecated and should not be used. .IP "\fBDTLS_method()\fR, \fBDTLS_server_method()\fR, \fBDTLS_client_method()\fR" 4 .IX Item "DTLS_method(), DTLS_server_method(), DTLS_client_method()" -These are the version-flexible DTLS methods. +These are the version\-flexible DTLS methods. Currently supported protocols are DTLS 1.0 and DTLS 1.2. .IP "\fBDTLSv1_2_method()\fR, \fBDTLSv1_2_server_method()\fR, \fBDTLSv1_2_client_method()\fR" 4 .IX Item "DTLSv1_2_method(), DTLSv1_2_server_method(), DTLSv1_2_client_method()" -These are the version-specific methods for DTLSv1.2. +These are the version\-specific methods for DTLSv1.2. These methods are deprecated. .IP "\fBDTLSv1_method()\fR, \fBDTLSv1_server_method()\fR, \fBDTLSv1_client_method()\fR" 4 .IX Item "DTLSv1_method(), DTLSv1_server_method(), DTLSv1_client_method()" -These are the version-specific methods for DTLSv1. +These are the version\-specific methods for DTLSv1. These methods are deprecated. .PP \&\fBSSL_CTX_new()\fR initializes the list of ciphers, the session cache setting, the callbacks, the keys and certificates and the options to their default values. .PP \&\fBTLS_method()\fR, \fBTLS_server_method()\fR, \fBTLS_client_method()\fR, \fBDTLS_method()\fR, -\&\fBDTLS_server_method()\fR and \fBDTLS_client_method()\fR are the \fIversion-flexible\fR +\&\fBDTLS_server_method()\fR and \fBDTLS_client_method()\fR are the \fIversion\-flexible\fR methods. All other methods only support one specific protocol version. -Use the \fIversion-flexible\fR methods instead of the version specific methods. +Use the \fIversion\-flexible\fR methods instead of the version specific methods. .PP If you want to limit the supported protocols for the version flexible methods you can use \fBSSL_CTX_set_min_proto_version\fR\|(3), 
@@ -281,7 +284,7 @@ removed in OpenSSL 1.1.0. were deprecated and the preferred \fBTLS_method()\fR, \fBTLS_server_method()\fR and \fBTLS_client_method()\fR functions were added in OpenSSL 1.1.0. .PP -All version-specific methods were deprecated in OpenSSL 1.1.0. +All version\-specific methods were deprecated in OpenSSL 1.1.0. .PP \&\fBSSL_CTX_new_ex()\fR was added in OpenSSL 3.0. .SH COPYRIGHT diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_number.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_number.3 index b50907c2297b..e3cee828ec8e 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_number.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_number.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SESS_NUMBER 3ossl" -.TH SSL_CTX_SESS_NUMBER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SESS_NUMBER 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_cache_size.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_cache_size.3 index 1a93b5fe250c..08d4545f6d82 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_cache_size.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_cache_size.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SESS_SET_CACHE_SIZE 3ossl" -.TH SSL_CTX_SESS_SET_CACHE_SIZE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SESS_SET_CACHE_SIZE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_get_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_get_cb.3 index 87c40f9824fd..1f29f9f37d5e 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_get_cb.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_get_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SESS_SET_GET_CB 3ossl" -.TH SSL_CTX_SESS_SET_GET_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SESS_SET_GET_CB 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -116,12 +119,12 @@ The \fBnew_session_cb()\fR is called whenever a new session has been negotiated session caching is enabled (see \fBSSL_CTX_set_session_cache_mode\fR\|(3)). The \&\fBnew_session_cb()\fR is passed the \fBssl\fR connection and the nascent ssl session \fBsess\fR. -Since sessions are reference-counted objects, the reference count on the +Since sessions are reference\-counted objects, the reference count on the session is incremented before the callback, on behalf of the application. If the callback returns \fB0\fR, the session will be immediately removed from the internal cache and the reference count released. If the callback returns \fB1\fR, the application retains the reference (for an entry in the -application-maintained "external session cache"), and is responsible for +application\-maintained "external session cache"), and is responsible for calling \fBSSL_SESSION_free()\fR when the session reference is no longer in use. .PP Note that in TLSv1.3, sessions are established after the main diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_sessions.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_sessions.3 index bf0508a2e28f..8b956f7f7eb7 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_sessions.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_sessions.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SESSIONS 3ossl" -.TH SSL_CTX_SESSIONS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SESSIONS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set0_CA_list.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set0_CA_list.3 index 107388d3579b..e3235757b07c 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set0_CA_list.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set0_CA_list.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET0_CA_LIST 3ossl" -.TH SSL_CTX_SET0_CA_LIST 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET0_CA_LIST 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -127,7 +130,7 @@ to \fBctx\fR and it should not be freed by the caller. .PP \&\fBSSL_set_client_CA_list()\fR sets the \fBlist\fR of CAs sent to the client when requesting a client certificate for the chosen \fBssl\fR, overriding the -setting valid for \fBssl\fR's SSL_CTX object. Ownership of \fBlist\fR is transferred +setting valid for \fBssl\fR\*(Aqs SSL_CTX object. Ownership of \fBlist\fR is transferred to \fBs\fR and it should not be freed by the caller. .PP \&\fBSSL_CTX_get_client_CA_list()\fR returns the list of client CAs explicitly set for @@ -135,7 +138,7 @@ to \fBs\fR and it should not be freed by the caller. by the caller. .PP \&\fBSSL_get_client_CA_list()\fR returns the list of client CAs explicitly -set for \fBssl\fR using \fBSSL_set_client_CA_list()\fR or \fBssl\fR's SSL_CTX object with +set for \fBssl\fR using \fBSSL_set_client_CA_list()\fR or \fBssl\fR\*(Aqs SSL_CTX object with \&\fBSSL_CTX_set_client_CA_list()\fR, when in server mode. In client mode, SSL_get_client_CA_list returns the list of client CAs sent from the server, if any. The returned list should not be freed by the caller. @@ -146,7 +149,7 @@ list of CAs sent to the client when requesting a client certificate for .PP \&\fBSSL_add_client_CA()\fR adds the CA name extracted from \fBcacert\fR to the list of CAs sent to the client when requesting a client certificate for -the chosen \fBssl\fR, overriding the setting valid for \fBssl\fR's SSL_CTX object. +the chosen \fBssl\fR, overriding the setting valid for \fBssl\fR\*(Aqs SSL_CTX object. .PP \&\fBSSL_get0_peer_CA_list()\fR retrieves the list of CA names (if any) the peer has sent. This can be called on either the server or the client side. The diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_cert_comp_preference.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_cert_comp_preference.3 index f1396c5211e0..adc8faa3c510 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_cert_comp_preference.3 
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_cert_comp_preference.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET1_CERT_COMP_PREFERENCE 3ossl" -.TH SSL_CTX_SET1_CERT_COMP_PREFERENCE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET1_CERT_COMP_PREFERENCE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -113,25 +116,25 @@ TLSEXT_comp_cert_zstd .PP The above is also the default preference order. If a preference order is not specified, then the default preference order is sent to the peer and the -received peer's preference order will be used when compressing a certificate. +received peer\*(Aqs preference order will be used when compressing a certificate. Otherwise, the configured preference order is sent to the peer and is used -to filter the peer's preference order. +to filter the peer\*(Aqs preference order. .PP -\&\fBSSL_CTX_compress_certs()\fR and \fBSSL_compress_certs()\fR are used to pre-compress all +\&\fBSSL_CTX_compress_certs()\fR and \fBSSL_compress_certs()\fR are used to pre\-compress all the configured certificates on an SSL_CTX/SSL object with algorithm \fBalg\fR. If \&\fBalg\fR is 0, then the certificates are compressed with the algorithms specified in the preference list. Calling these functions on a client SSL_CTX/SSL object -will result in an error, as only server certificates may be pre-compressed. +will result in an error, as only server certificates may be pre\-compressed. .PP \&\fBSSL_CTX_get1_compressed_cert()\fR and \fBSSL_get1_compressed_cert()\fR are used to get -the pre-compressed certificate most recently set that may be stored for later +the pre\-compressed certificate most recently set that may be stored for later use. Calling these functions on a client SSL_CTX/SSL object will result in an -error, as only server certificates may be pre-compressed. The \fBdata\fR and +error, as only server certificates may be pre\-compressed. The \fBdata\fR and \&\fBorig_len\fR arguments are required. .PP The compressed certificate data may be passed to \fBSSL_CTX_set1_compressed_cert()\fR -or \fBSSL_set1_compressed_cert()\fR to provide a pre-compressed version of the -most recently set certificate. 
This pre-compressed certificate can only be used +or \fBSSL_set1_compressed_cert()\fR to provide a pre\-compressed version of the +most recently set certificate. This pre\-compressed certificate can only be used by a server. .SH NOTES .IX Header "NOTES" @@ -139,14 +142,14 @@ Each side of the connection sends their compression algorithm preference list to their peer indicating compressed certificate support. The received preference list is filtered by the configured preference list (i.e. the intersection is saved). As the default list includes all the enabled algorithms, not specifying -a preference will allow any enabled algorithm by the peer. The filtered peer's +a preference will allow any enabled algorithm by the peer. The filtered peer\*(Aqs preference order is used to determine what algorithm to use when sending a compressed certificate. .PP -Only server certificates may be pre-compressed. Calling any of these functions +Only server certificates may be pre\-compressed. Calling any of these functions (except \fBSSL_CTX_set1_cert_comp_preference()\fR/\fBSSL_set1_cert_comp_preference()\fR) on a client SSL_CTX/SSL object will return an error. Client certificates are -compressed on-demand as unique context data from the server is compressed along +compressed on\-demand as unique context data from the server is compressed along with the certificate. .PP For \fBSSL_CTX_set1_cert_comp_preference()\fR and \fBSSL_set1_cert_comp_preference()\fR diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_curves.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_curves.3 index e240bded3260..c4ff1a2268b0 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_curves.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_curves.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET1_CURVES 3ossl" -.TH SSL_CTX_SET1_CURVES 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET1_CURVES 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -124,13 +127,13 @@ OpenSSL will use this array in different ways based on the TLS version, and whether the groups are used in a client or server. .PP For a TLS client, the groups are used directly in the supported groups -extension. The extension's preference order, to be evaluated by the server, is +extension. The extension\*(Aqs preference order, to be evaluated by the server, is determined by the order of the elements in the array. .PP For a TLS 1.2 server, the groups determine the selected group. If \&\fBSSL_OP_CIPHER_SERVER_PREFERENCE\fR is set, the order of the elements in the array determines the selected group. Otherwise, the order is ignored and the -client's order determines the selection. +client\*(Aqs order determines the selection. .PP For a TLS 1.3 server, the groups determine the selected group, but selection is more complex. A TLS 1.3 client sends both a group list as well as a 
@@ -139,7 +142,7 @@ an extra roundtrip. However, in some situations, the most preferred group may not be predicted. OpenSSL considers all supported groups in \fIclist\fR to be comparable in security and prioritizes avoiding roundtrips above either client or server preference order. If an application uses an external provider to extend OpenSSL -with, e.g., a post-quantum algorithm, this behavior may allow a network attacker +with, e.g., a post\-quantum algorithm, this behavior may allow a network attacker to downgrade connections to a weaker algorithm. It is therefore recommended to use \fBSSL_CTX_set1_groups_list()\fR with the ability to specify group tuples. .PP @@ -158,7 +161,7 @@ respectively: Each group can be either the \fBNIST\fR name (e.g. \fBP\-256\fR), some other commonly used name where applicable (e.g. \fBX25519\fR, \fBffdhe2048\fR) or an OpenSSL OID name (e.g. \fBprime256v1\fR). -Group names are case-insensitive in OpenSSL 3.5 and later. +Group names are case\-insensitive in OpenSSL 3.5 and later. The preferred group names are those defined by IANA <https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8>. .PP @@ -166,7 +169,7 @@ The \fIlist\fR can be used to define several group tuples of comparable security levels, and can specify which key shares should be sent by a client. The specified list elements can optionally be ignored, if not implemented (listing unknown groups otherwise results in error). -It is also possible to specify the built-in default set of groups, and to explicitly +It is also possible to specify the built\-in default set of groups, and to explicitly remove a group from that list. .PP In its simplest form, the string \fIlist\fR is just a colon separated list 
@@ -179,24 +182,24 @@ Group tuples of comparable security are defined by separating them from each other by a tuple separator \f(CW\*(C`/\*(C'\fR. Keyshares to be sent by a client are specified by prepending a \f(CW\*(C`*\*(C'\fR to the group name, while any \f(CW\*(C`*\*(C'\fR will be ignored by a server. The following string \fIlist\fR for example defines three tuples when -used on the server-side, and triggers the generation of three key shares -when used on the client-side: P\-521:*P\-256/*P\-384/*X25519:P\-384:ffdhe2048. +used on the server\-side, and triggers the generation of three key shares +when used on the client\-side: P\-521:*P\-256/*P\-384/*X25519:P\-384:ffdhe2048. .PP If a group name is preceded with the \f(CW\*(C`?\*(C'\fR character, it will be ignored if an implementation is missing. If a group name is preceded with the \f(CW\*(C`\-\*(C'\fR character, it will be removed from the list of groups if present (including not sending a key share for this group), ignored otherwise. The pseudo group name -\&\f(CW\*(C`DEFAULT\*(C'\fR can be used to select the OpenSSL built-in default list of groups. +\&\f(CW\*(C`DEFAULT\*(C'\fR can be used to select the OpenSSL built\-in default list of groups. .PP For a TLS 1.3 client, all the groups in the string \fIlist\fR are added to the supported groups extension of a \f(CW\*(C`ClientHello\*(C'\fR, in the order in which they are listed, -thereby interpreting tuple separators as group separators. The extension's +thereby interpreting tuple separators as group separators. The extension\*(Aqs preference order, to be evaluated by the server, is determined by the order of the elements in the array, see below. .PP If a group name is preceded by \f(CW\*(C`*\*(C'\fR, a key share will be sent for this group. When preceding \f(CW\*(C`DEFAULT\*(C'\fR with \f(CW\*(C`*\*(C'\fR, a key share will be sent for the first group -of the OpenSSL built-in default list of groups. 
If no \f(CW\*(C`*\*(C'\fR is used anywhere in the list, +of the OpenSSL built\-in default list of groups. If no \f(CW\*(C`*\*(C'\fR is used anywhere in the list, a single key share for the leftmost valid group is sent. A maximum of 4 key shares are supported. Example: "P\-521:*P\-256/*P\-384" will add P\-521, P\-256 and P\-384 to the supported groups extension in a \f(CW\*(C`ClientHello\*(C'\fR and will send key shares for P\-256 and P\-384. @@ -209,7 +212,7 @@ can be enforced by setting \fBSSL_OP_CIPHER_SERVER_PREFERENCE\fR using \&\fBSSL_set_options\fR (default: client preference). .PP The server will select the group to be used for a key agreement using the following -pseudo-code algorithm: +pseudo\-code algorithm: .PP .Vb 12 \& FOR each group tuple @@ -251,13 +254,13 @@ bitwise OR of TLSEXT_nid_unknown (0x1000000) and the id of the group. .PP \&\fBSSL_get0_iana_groups()\fR retrieves the list of groups sent by the client in the supported_groups extension. The \fB*out\fR array of bytes -is populated with the host-byte-order representation of the uint16_t group +is populated with the host\-byte\-order representation of the uint16_t group identifiers, as assigned by IANA. The group list is returned in the same order that was received in the ClientHello. The return value is the number of groups, not the number of bytes written. .PP \&\fBSSL_get_shared_group()\fR returns the NID of the shared group \fBn\fR for a -server-side SSL \fBssl\fR. If \fBn\fR is \-1 then the total number of shared groups is +server\-side SSL \fBssl\fR. If \fBn\fR is \-1 then the total number of shared groups is returned, which may be zero. Other than for diagnostic purposes, most applications will only be interested in the first shared group so \fBn\fR is normally set to zero. If the value \fBn\fR is out of range, 
@@ -267,11 +270,11 @@ group. .PP \&\fBSSL_get_negotiated_group()\fR returns the NID of the negotiated group used for the handshake key exchange process. For TLSv1.3 connections this typically -reflects the state of the current connection, though in the case of PSK-only +reflects the state of the current connection, though in the case of PSK\-only resumption, the returned value will be from a previous connection. For earlier TLS versions, when a session has been resumed, it always reflects the group used for key exchange during the initial handshake (otherwise it is from the -current, non-resumption, connection). This can be called by either client or +current, non\-resumption, connection). This can be called by either client or server. If the NID for the shared group is unknown then the value is set to the bitwise OR of TLSEXT_nid_unknown (0x1000000) and the id of the group. See also \&\fBSSL_get0_group_name\fR\|(3) which returns the name of the negotiated group @@ -282,7 +285,7 @@ groups that are compatible with the TLS version of the \fBctx\fR argument. The returned names are references to internal constants and must not be modified or freed. When \fBall\fR is nonzero, the returned list includes not only the preferred IANA names of the groups, but also any associated aliases. -If the SSL_CTX is version-flexible, the groups will be those compatible +If the SSL_CTX is version\-flexible, the groups will be those compatible with any configured minimum and maximum protocol versions. The \fBnames\fR stack should be allocated by the caller and be empty, the matching group names are appended to the provided stack. 
@@ -329,15 +332,15 @@ client supports \f(CW\*(C`P\-521\*(C'\fR but does not send a key share for this server, and the client supports \f(CW\*(C`P\-384\*(C'\fR including key share for this group. With both server and client preference, an HRR will be triggered for \f(CW\*(C`P\-521\*(C'\fR despite the availability of a key share for P\-384, which overlaps with a lower -priority server-side tuple. +priority server\-side tuple. .PP As a separate example, consider a server \fIlist\fR "A:B/C:D/E:F". Listed in order of highest preference to least, 3 group tuples are created: "A:B", "C:D", and "E:F". Here are some examples of a client \fIlist\fR where setting server/client preference will not change the outcome: .PP -\&\- "A:D:*F": Both prefer "A", but the server didn't receive a keyshare for the -most-preferred tuple in which there's at least one group supported by both. +\&\- "A:D:*F": Both prefer "A", but the server didn\*(Aqt receive a keyshare for the +most\-preferred tuple in which there\*(Aqs at least one group supported by both. Therefore, an HRR is triggered for "A". .PP \&\- "B:*C": Both prefer "B" from the first group tuple "A:B", so an HRR is 
@@ -386,25 +389,25 @@ was added in OpenSSL 3.0.0. Support for ignoring unknown groups in \fBSSL_CTX_set1_groups_list()\fR and \&\fBSSL_set1_groups_list()\fR was added in OpenSSL 3.3. .PP -Support for \fBML-KEM\fR was added in OpenSSL 3.5. +Support for \fBML\-KEM\fR was added in OpenSSL 3.5. .PP OpenSSL 3.5 also introduces support for three \fIhybrid\fR ECDH PQ key exchange TLS groups: \fBX25519MLKEM768\fR, \fBSecP256r1MLKEM768\fR and \&\fBSecP384r1MLKEM1024\fR. They offer CPU performance comparable to the associated ECDH group, though at the cost of significantly larger key exchange messages. -The third group, \fBSecP384r1MLKEM1024\fR is substantially more CPU-intensive, +The third group, \fBSecP384r1MLKEM1024\fR is substantially more CPU\-intensive, largely as a result of the high CPU cost of ECDH for the underlying \fBP\-384\fR group. Also its key exchange messages at close to 1700 bytes are larger than the roughly 1200 bytes for the first two groups. .PP -As of OpenSSL 3.5 key exchange group names are case-insensitive. +As of OpenSSL 3.5 key exchange group names are case\-insensitive. .PP \&\fBSSL_CTX_get0_implemented_groups\fR was first implemented in OpenSSL 3.5. .PP Earlier versions of this document described the list as a preference order. -However, OpenSSL's behavior as a TLS 1.3 server is to consider \fIall\fR +However, OpenSSL\*(Aqs behavior as a TLS 1.3 server is to consider \fIall\fR supported groups as comparable in security. .SH COPYRIGHT .IX Header "COPYRIGHT" diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_sigalgs.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_sigalgs.3 index b0dee600e8b4..a5ab30b75c05 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_sigalgs.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_sigalgs.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET1_SIGALGS 3ossl" -.TH SSL_CTX_SET1_SIGALGS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET1_SIGALGS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -94,7 +97,7 @@ elements, where each element is either a combination of a public key algorithm and a digest separated by \fB+\fR, or a TLS 1.3\-style named SignatureScheme such as rsa_pss_pss_sha256. Signature scheme names and public key algorithm names (but not the digest -names) in the \fBalgorithm+hash\fR form are case-insensitive. +names) in the \fBalgorithm+hash\fR form are case\-insensitive. If a list entry is preceded with the \f(CW\*(C`?\*(C'\fR character, it will be ignored if an implementation is missing. .PP @@ -138,7 +141,7 @@ EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, EVP_PKEY_DSA and EVP_PKEY_EC. .PP The short or long name values for digests can be used in a string (for example "MD5", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512") and -the public key algorithm strings "RSA", "RSA-PSS", "DSA" or "ECDSA". +the public key algorithm strings "RSA", "RSA\-PSS", "DSA" or "ECDSA". .PP The TLS 1.3 signature scheme names (such as "rsa_pss_pss_sha256") can also be used with the \fB_list\fR forms of the API. diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_verify_cert_store.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_verify_cert_store.3 index 12acbecd5f14..8a46b394ceef 100644 
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_verify_cert_store.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_verify_cert_store.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET1_VERIFY_CERT_STORE 3ossl" -.TH SSL_CTX_SET1_VERIFY_CERT_STORE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET1_VERIFY_CERT_STORE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -117,7 +120,7 @@ affected if the parent SSL_CTX store pointer is set to a new value. .PP The verification store is used to verify the certificate chain sent by the peer: that is an SSL/TLS client will use the verification store to verify -the server's certificate chain and an SSL/TLS server will use it to verify +the server\*(Aqs certificate chain and an SSL/TLS server will use it to verify any client certificate chain. .PP The chain store is used to build the certificate chain. diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_alpn_select_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_alpn_select_cb.3 index 54acdba9817b..47b288110ec3 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_alpn_select_cb.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_alpn_select_cb.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_ALPN_SELECT_CB 3ossl" -.TH SSL_CTX_SET_ALPN_SELECT_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_ALPN_SELECT_CB 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -110,7 +113,7 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated .IX Header "DESCRIPTION" \&\fBSSL_CTX_set_alpn_protos()\fR and \fBSSL_set_alpn_protos()\fR are used by the client to set the list of protocols available to be negotiated. The \fBprotos\fR must be in -protocol-list format, described below. The length of \fBprotos\fR is specified in +protocol\-list format, described below. The length of \fBprotos\fR is specified in \&\fBprotos_len\fR. Setting \fBprotos_len\fR to 0 clears any existing list of ALPN protocols and no ALPN extension will be sent to the server. .PP 
@@ -120,7 +123,7 @@ is NULL, ALPN is not used. The \fBarg\fR value is a pointer which is passed to the application callback. .PP \&\fBcb\fR is the application defined callback. The \fBin\fR, \fBinlen\fR parameters are a -vector in protocol-list format. The value of the \fBout\fR, \fBoutlen\fR vector +vector in protocol\-list format. The value of the \fBout\fR, \fBoutlen\fR vector should be set to the value of a single protocol selected from the \fBin\fR, \&\fBinlen\fR vector. The \fBout\fR buffer may point directly into \fBin\fR, or to a buffer that outlives the handshake. The \fBarg\fR parameter is the pointer set via @@ -129,7 +132,7 @@ buffer that outlives the handshake. The \fBarg\fR parameter is the pointer set v \&\fBSSL_select_next_proto()\fR is a helper function used to select protocols. It implements the standard protocol selection. It is expected that this function is called from the application callback \fBcb\fR. The protocol data in \fBserver\fR, -\&\fBserver_len\fR and \fBclient\fR, \fBclient_len\fR must be in the protocol-list format +\&\fBserver_len\fR and \fBclient\fR, \fBclient_len\fR must be in the protocol\-list format described below. The first item in the \fBserver\fR, \fBserver_len\fR list that matches an item in the \fBclient\fR, \fBclient_len\fR list is selected, and returned in \fBout\fR, \fBoutlen\fR. The \fBout\fR value will point into either \fBserver\fR or 
@@ -145,12 +148,12 @@ must be ignored if \fBOPENSSL_NPN_NO_OVERLAP\fR has been returned from \&\fBSSL_select_next_proto()\fR. .PP \&\fBSSL_CTX_set_next_proto_select_cb()\fR sets a callback \fBcb\fR that is called when a -client needs to select a protocol from the server's provided list, and a -user-defined pointer argument \fBarg\fR which will be passed to this callback. +client needs to select a protocol from the server\*(Aqs provided list, and a +user\-defined pointer argument \fBarg\fR which will be passed to this callback. For the callback itself, \fBout\fR must be set to point to the selected protocol (which may be within \fBin\fR). The length of the protocol name must be written into \fBoutlen\fR. The -server's advertised protocols are provided in \fBin\fR and \fBinlen\fR. The +server\*(Aqs advertised protocols are provided in \fBin\fR and \fBinlen\fR. The callback can assume that \fBin\fR is syntactically valid. The client must select a protocol (although it may be an empty, zero length protocol). It is fatal to the connection if this callback returns a value other than @@ -159,7 +162,7 @@ parameter is the pointer set via \fBSSL_CTX_set_next_proto_select_cb()\fR. .PP \&\fBSSL_CTX_set_next_protos_advertised_cb()\fR sets a callback \fBcb\fR that is called when a TLS server needs a list of supported protocols for Next Protocol -Negotiation. The returned list must be in protocol-list format, described +Negotiation. The returned list must be in protocol\-list format, described below. The list is returned by setting \fBout\fR to point to it and \fBoutlen\fR to its length. This memory will not be modified, but the \fBSSL\fR does keep a 
@@ -168,11 +171,11 @@ wishes to advertise. Otherwise, no such extension will be included in the ServerHello. .PP \&\fBSSL_get0_alpn_selected()\fR returns a pointer to the selected protocol in \fBdata\fR -with length \fBlen\fR. It is not NUL-terminated. \fBdata\fR is set to NULL and \fBlen\fR +with length \fBlen\fR. It is not NUL\-terminated. \fBdata\fR is set to NULL and \fBlen\fR is set to 0 if no protocol has been selected. \fBdata\fR must not be freed. .PP \&\fBSSL_get0_next_proto_negotiated()\fR sets \fBdata\fR and \fBlen\fR to point to the -client's requested protocol for this connection. If the client did not +client\*(Aqs requested protocol for this connection. If the client did not request any protocol or NPN is not enabled, then \fBdata\fR is set to NULL and \&\fBlen\fR to 0. Note that the client can request any protocol it chooses. The value returned from @@ -185,10 +188,10 @@ when using QUIC SSL objects. \fBSSL_CTX_set_next_protos_advertised_cb()\fR and context. .SH NOTES .IX Header "NOTES" -The protocol-lists must be in wire-format, which is defined as a vector of -nonempty, 8\-bit length-prefixed, byte strings. The length-prefix byte is not -included in the length. Each string is limited to 255 bytes. A byte-string -length of 0 is invalid. A truncated byte-string is invalid. The length of the +The protocol\-lists must be in wire\-format, which is defined as a vector of +nonempty, 8\-bit length\-prefixed, byte strings. The length\-prefix byte is not +included in the length. Each string is limited to 255 bytes. A byte\-string +length of 0 is invalid. A truncated byte\-string is invalid. The length of the vector is not in the vector itself, but in a separate variable. .PP Example: 
@@ -227,7 +230,7 @@ The ALPN select callback \fBcb\fR, must return one of the following: ALPN protocol selected. .IP SSL_TLSEXT_ERR_ALERT_FATAL 4 .IX Item "SSL_TLSEXT_ERR_ALERT_FATAL" -There was no overlap between the client's supplied list and the server +There was no overlap between the client\*(Aqs supplied list and the server configuration. .IP SSL_TLSEXT_ERR_NOACK 4 .IX Item "SSL_TLSEXT_ERR_NOACK" diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_cb.3 index c10c71cb9076..806aac8467ac 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_cb.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_CERT_CB 3ossl" -.TH SSL_CTX_SET_CERT_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_CERT_CB 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_store.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_store.3 index 20e43c77d26f..001fa322d0f9 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_store.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_store.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_CERT_STORE 3ossl" -.TH SSL_CTX_SET_CERT_STORE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_CERT_STORE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -80,7 +83,7 @@ take ownership of the \fBstore\fR, i.e., the call \f(CWX509_STORE_free(store)\fR longer needed. .PP \&\fBSSL_CTX_set1_cert_store()\fR sets/replaces the certificate verification storage -of \fBctx\fR to/with \fBstore\fR. The \fBstore\fR's reference count is incremented. +of \fBctx\fR to/with \fBstore\fR. The \fBstore\fR\*(Aqs reference count is incremented. If another X509_STORE object is currently set in \fBctx\fR, it will be \fBX509_STORE_free()\fRed. .PP \&\fBSSL_CTX_get_cert_store()\fR returns a pointer to the current certificate @@ -107,7 +110,7 @@ overridden with the \fBverify_callback()\fR set via the This document must therefore be updated when documentation about the X509_STORE object and its handling becomes available. .PP -\&\fBSSL_CTX_set_cert_store()\fR does not increment the \fBstore\fR's reference +\&\fBSSL_CTX_set_cert_store()\fR does not increment the \fBstore\fR\*(Aqs reference count, so it should not be used to assign an X509_STORE that is owned by another SSL_CTX. .PP diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_verify_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_verify_callback.3 index 610e9230a347..ca875d345d83 100644 
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_verify_callback.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_verify_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_CERT_VERIFY_CALLBACK 3ossl" -.TH SSL_CTX_SET_CERT_VERIFY_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_CERT_VERIFY_CALLBACK 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -81,7 +84,7 @@ the time when \fBSSL_new\fR\|(3) is called. When a peer certificate has been received during an SSL/TLS handshake, a verification function is called regardless of the verification mode. If the application does not explicitly specify a verification callback function, -the built-in verification function is used. +the built\-in verification function is used. If a verification callback \fIcallback\fR is specified via \&\fBSSL_CTX_set_cert_verify_callback()\fR, the supplied callback function is called instead with the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). 
@@ -114,13 +117,18 @@ which can be done using \fBX509_STORE_CTX_set_error\fR\|(3). This is particularly important in case the \fIcallback\fR allows the connection to continue (by returning 1). Note that the verification status in the store context is a possibly durable -indication of the chain's validity! +indication of the chain\*(Aqs validity! This gets recorded in the SSL session (and thus also in session tickets) and the validity of the originally presented chain is then visible on resumption, even though no chain is presented int that case. Moreover, the calling application will be informed about the detailed result of the verification procedure and may elect to base further decisions on it. .PP +\&\fIcallback\fR may call \fBX509_verify_cert\fR\|(3) to run the built\-in verification +function. This may be useful if application wishes to dynamically reconfigure +\&\fIx509_store_ctx\fR before verification, or postprocess the result. In this case, +\&\fBX509_verify_cert\fR\|(3) will set the \fBerror\fR member as described above. +.PP Within \fIx509_store_ctx\fR, \fIcallback\fR has access to the \fIverify_callback\fR function set using \fBSSL_CTX_set_verify\fR\|(3). .SH "RETURN VALUES" @@ -134,7 +142,7 @@ latter is set using the \fBSSL_CTX_set_verify\fR\|(3) family of functions. .PP Providing a complete verification procedure including certificate purpose -settings etc is a complex task. The built-in procedure is quite powerful +settings etc is a complex task. The built\-in procedure is quite powerful and in most cases it should be sufficient to modify its behaviour using the \fBverify_callback\fR function. .SH BUGS diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cipher_list.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cipher_list.3 index ea5152a023dd..9422f21f6df2 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cipher_list.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cipher_list.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_CIPHER_LIST 3ossl" -.TH SSL_CTX_SET_CIPHER_LIST 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_CIPHER_LIST 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -107,9 +110,9 @@ ciphersuite names in order of preference. Valid TLSv1.3 ciphersuite names are: .IX Item "TLS_AES_128_CCM_SHA256" .IP TLS_AES_128_CCM_8_SHA256 4 .IX Item "TLS_AES_128_CCM_8_SHA256" -.IP "TLS_SHA384_SHA384 \- integrity-only" 4 +.IP "TLS_SHA384_SHA384 \- integrity\-only" 4 .IX Item "TLS_SHA384_SHA384 - integrity-only" -.IP "TLS_SHA256_SHA256 \- integrity-only" 4 +.IP "TLS_SHA256_SHA256 \- integrity\-only" 4 .IX Item "TLS_SHA256_SHA256 - integrity-only" .PD .PP 
@@ -137,15 +140,15 @@ It should be noted, that inclusion of a cipher to be used into the list is a necessary condition. On the client side, the inclusion into the list is also sufficient unless the security level excludes it. On the server side, additional restrictions apply. All ciphers have additional requirements. -ADH ciphers don't need a certificate, but DH-parameters must have been set. +ADH ciphers don\*(Aqt need a certificate, but DH\-parameters must have been set. All other ciphers need a corresponding certificate and key. .PP An RSA cipher can only be chosen, when an RSA certificate is available. -RSA ciphers using DHE need a certificate and key and additional DH-parameters +RSA ciphers using DHE need a certificate and key and additional DH\-parameters (see \fBSSL_CTX_set_tmp_dh_callback\fR\|(3)). .PP A DSA cipher can only be chosen, when a DSA certificate is available. -DSA ciphers always use DH key exchange and therefore need DH-parameters +DSA ciphers always use DH key exchange and therefore need DH\-parameters (see \fBSSL_CTX_set_tmp_dh_callback\fR\|(3)). .PP When these conditions are not met for any cipher in the list (e.g. a diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_cert_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_cert_cb.3 index 94240f6f3892..f3abc24c4afb 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_cert_cb.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_cert_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_CLIENT_CERT_CB 3ossl" -.TH SSL_CTX_SET_CLIENT_CERT_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_CLIENT_CERT_CB 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_hello_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_hello_cb.3 index 3e0b7ccb7854..b7592998a810 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_hello_cb.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_hello_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_CLIENT_HELLO_CB 3ossl" -.TH SSL_CTX_SET_CLIENT_HELLO_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_CLIENT_HELLO_CB 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -102,7 +105,7 @@ success, normal handshake processing will continue from that point. SSLv2 record and is in the SSLv2 format. The SSLv2 format has substantial differences from the normal SSLv3 format, including using three bytes per cipher suite, and not allowing extensions. Additionally, the SSLv2 format -\&'challenge' field is exposed via \fBSSL_client_hello_get0_random()\fR, padded to +\&\*(Aqchallenge\*(Aq field is exposed via \fBSSL_client_hello_get0_random()\fR, padded to SSL3_RANDOM_SIZE bytes with zeros if needed. For SSLv2 format ClientHellos, \&\fBSSL_client_hello_get0_compression_methods()\fR returns a dummy list that only includes the null compression method, since the SSLv2 format does not include a @@ -115,7 +118,7 @@ ClientHello fields, returning the field length and optionally setting an out pointer to the octets of that field. .PP Similarly, \fBSSL_client_hello_get0_ext()\fR provides access to individual extensions -from the ClientHello on a per-extension basis. For the provided wire +from the ClientHello on a per\-extension basis. For the provided wire protocol extension type value, the extension value and length are returned in the output parameters (if present). .PP @@ -128,6 +131,9 @@ holding the numerical value of the TLS extension types in the order they appear in the ClientHello. \fB*outlen\fR contains the number of elements in the array. In situations when the ClientHello has no extensions, the function will return success with \fB*out\fR set to NULL and \fB*outlen\fR set to 0. +Note that \fBSSL_client_hello_get1_extensions_present()\fR returns only recognised +extensions; therefore, unrecognised (including GREASE) extensions will not +appear in the output. .PP \&\fBSSL_client_hello_get_extension_order()\fR is similar to \&\fBSSL_client_hello_get1_extensions_present()\fR, without internal memory allocation. 
@@ -149,8 +155,8 @@ allow the server to examine the server name indication extension provided by the client in order to select an appropriate certificate to present, and make other configuration adjustments relevant to that server name and its configuration. Such configuration changes can include swapping out -the associated SSL_CTX pointer, modifying the server's list of permitted TLS -versions, changing the server's cipher list in response to the client's +the associated SSL_CTX pointer, modifying the server\*(Aqs list of permitted TLS +versions, changing the server\*(Aqs cipher list in response to the client\*(Aqs cipher list, etc. .PP It is also recommended that applications utilize a ClientHello callback and @@ -158,11 +164,15 @@ not use a servername callback, in order to avoid unexpected behavior that occurs due to the relative order of processing between things like session resumption and the historical servername callback. .PP -The SSL_client_hello_* family of functions may only be called from code executing -within a ClientHello callback. +The SSL_client_hello_* family of functions may only be called from code +executing within a ClientHello callback. +.PP +The SSL_client_hello_get0_*() functions return raw ClientHello data, whereas +\&\fBSSL_client_hello_get1_extensions_present()\fR returns only recognized extensions +(so unknown/GREASE\-extensions are not included). .SH "RETURN VALUES" .IX Header "RETURN VALUES" -The application's supplied ClientHello callback returns +The application\*(Aqs supplied ClientHello callback returns SSL_CLIENT_HELLO_SUCCESS on success, SSL_CLIENT_HELLO_ERROR on failure, and SSL_CLIENT_HELLO_RETRY to suspend processing. .PP 
@@ -174,7 +184,7 @@ SSL_CLIENT_HELLO_RETRY to suspend processing. corresponding ClientHello fields. If zero is returned, the output pointer should not be assumed to be valid. .PP -\&\fBSSL_client_hello_get0_ext()\fR returns 1 if the extension of type 'type' is present, and +\&\fBSSL_client_hello_get0_ext()\fR returns 1 if the extension of type \*(Aqtype\*(Aq is present, and 0 otherwise. .PP \&\fBSSL_client_hello_get1_extensions_present()\fR returns 1 on success and 0 on failure. diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ct_validation_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ct_validation_callback.3 index df28a83e984d..13aa4585acc8 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ct_validation_callback.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ct_validation_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_CT_VALIDATION_CALLBACK 3ossl" -.TH SSL_CTX_SET_CT_VALIDATION_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_CT_VALIDATION_CALLBACK 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -91,7 +94,7 @@ control Certificate Transparency policy \&\fBSSL_enable_ct()\fR and \fBSSL_CTX_enable_ct()\fR enable the processing of signed certificate timestamps (SCTs) either for a given SSL connection or for all connections that share the given SSL context, respectively. -This is accomplished by setting a built-in CT validation callback. +This is accomplished by setting a built\-in CT validation callback. The behaviour of the callback is determined by the \fBvalidation_mode\fR argument, which can be either of \fBSSL_CT_VALIDATION_PERMISSIVE\fR or \&\fBSSL_CT_VALIDATION_STRICT\fR as described below. @@ -101,7 +104,7 @@ TLS handshake with the verification mode set to \fBSSL_VERIFY_PEER\fR, if the pe presents no valid SCTs the handshake will be aborted. If the verification mode is \fBSSL_VERIFY_NONE\fR, the handshake will continue despite lack of valid SCTs. -However, in that case if the verification status before the built-in callback +However, in that case if the verification status before the built\-in callback was \fBX509_V_OK\fR it will be set to \fBX509_V_ERR_NO_VALID_SCTS\fR after the callback. Applications can call \fBSSL_get_verify_result\fR\|(3) to check the status at @@ -123,10 +126,10 @@ session is not resumed. \&\fBSSL_set_ct_validation_callback()\fR and \fBSSL_CTX_set_ct_validation_callback()\fR register a custom callback that may implement a different policy than either of the above. -This callback can examine the peer's SCTs and determine whether they are +This callback can examine the peer\*(Aqs SCTs and determine whether they are sufficient to allow the connection to continue. The TLS handshake is aborted if the verification mode is not \fBSSL_VERIFY_NONE\fR -and the callback returns a non-positive result. +and the callback returns a non\-positive result. .PP An arbitrary callback data argument, \fBarg\fR, can be passed in when setting the callback. 
@@ -148,11 +151,11 @@ nor to have specified server verification via \fBDANE\-TA\fR\|(2) or \fBDANE\-EE records. .PP \&\fBSSL_disable_ct()\fR and \fBSSL_CTX_disable_ct()\fR turn off CT processing, whether -enabled via the built-in or the custom callbacks, by setting a NULL callback. +enabled via the built\-in or the custom callbacks, by setting a NULL callback. These may be implemented as macros. .PP \&\fBSSL_ct_is_enabled()\fR and \fBSSL_CTX_ct_is_enabled()\fR return 1 if CT processing is -enabled via either \fBSSL_enable_ct()\fR or a non-null custom callback, and 0 +enabled via either \fBSSL_enable_ct()\fR or a non\-null custom callback, and 0 otherwise. .SH NOTES .IX Header "NOTES" @@ -176,7 +179,7 @@ been setup to handle SCTs. .PP \&\fBSSL_disable_ct()\fR and \fBSSL_CTX_disable_ct()\fR do not return a result. .PP -\&\fBSSL_CTX_ct_is_enabled()\fR and \fBSSL_ct_is_enabled()\fR return a 1 if a non-null CT +\&\fBSSL_CTX_ct_is_enabled()\fR and \fBSSL_ct_is_enabled()\fR return a 1 if a non\-null CT validation callback is set, or 0 if no callback (or equivalently a NULL callback) is set. .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ctlog_list_file.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ctlog_list_file.3 index bd458d0d476d..018c1ecf3f5d 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ctlog_list_file.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ctlog_list_file.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_CTLOG_LIST_FILE 3ossl" -.TH SSL_CTX_SET_CTLOG_LIST_FILE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_CTLOG_LIST_FILE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_default_passwd_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_default_passwd_cb.3 index d1a0dd406f3e..4df2962139d1 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_default_passwd_cb.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_default_passwd_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_DEFAULT_PASSWD_CB 3ossl" -.TH SSL_CTX_SET_DEFAULT_PASSWD_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_DEFAULT_PASSWD_CB 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -135,7 +138,7 @@ These functions do not provide diagnostic information. .SH EXAMPLES .IX Header "EXAMPLES" The following example returns the password provided as userdata to the -calling function. The password is considered to be a '\e0' terminated +calling function. The password is considered to be a \*(Aq\e0\*(Aq terminated string. If the password does not fit into the buffer, the password is truncated. .PP diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_domain_flags.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_domain_flags.3 index 99ad744b9319..15832407c5e7 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_domain_flags.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_domain_flags.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_DOMAIN_FLAGS 3ossl" -.TH SSL_CTX_SET_DOMAIN_FLAGS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_DOMAIN_FLAGS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -94,17 +97,17 @@ to these concepts can be found in \fBopenssl\-quic\-concurrency\fR\|(7). Applications may use either one the flags here: .IP \fBSSL_DOMAIN_FLAG_SINGLE_THREAD\fR 4 .IX Item "SSL_DOMAIN_FLAG_SINGLE_THREAD" -Specifying this flag configures the Single-Threaded Concurrency Model (SCM). +Specifying this flag configures the Single\-Threaded Concurrency Model (SCM). .IP \fBSSL_DOMAIN_FLAG_MULTI_THREAD\fR 4 .IX Item "SSL_DOMAIN_FLAG_MULTI_THREAD" -Speciyfing this flag configures the Contentive Concurrency Model (CCM) (unless +Specifying this flag configures the Contentive Concurrency Model (CCM) (unless \&\fBSSL_DOMAIN_FLAG_THREAD_ASSISTED\fR is also specified). .Sp If OpenSSL was built without thread support, this is identical to \&\fBSSL_DOMAIN_FLAG_SINGLE_THREAD\fR. .IP \fBSSL_DOMAIN_FLAG_THREAD_ASSISTED\fR 4 .IX Item "SSL_DOMAIN_FLAG_THREAD_ASSISTED" -Specifying this flag configures the Thread-Assisted Concurrency Model (TACM). +Specifying this flag configures the Thread\-Assisted Concurrency Model (TACM). It implies \fBSSL_DOMAIN_FLAG_MULTI_THREAD\fR and \fBSSL_DOMAIN_FLAG_BLOCKING\fR. .Sp This concurrency model is not available if OpenSSL was built without thread @@ -147,7 +150,7 @@ inconsistent or which cannot be supported given the current environment. \&\fBSSL_CTX_set_domain_flags()\fR and \fBSSL_CTX_get_domain_flags()\fR fail if called on a \&\fBSSL_CTX\fR which is not using a QUIC \fBSSL_METHOD\fR. .PP -\&\fBSSL_get_domain_flags()\fR fails if called on a non-QUIC SSL object. +\&\fBSSL_get_domain_flags()\fR fails if called on a non\-QUIC SSL object. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBSSL_new_domain\fR\|(3), \fBopenssl\-quic\-concurrency\fR\|(7) diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_generate_session_id.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_generate_session_id.3 index 1ccfb21d2fdf..4f8373cd8a1e 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_generate_session_id.3 
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_generate_session_id.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_GENERATE_SESSION_ID 3ossl" -.TH SSL_CTX_SET_GENERATE_SESSION_ID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_GENERATE_SESSION_ID 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_info_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_info_callback.3 index 2527ae080499..a5d213e6ec6a 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_info_callback.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_info_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_INFO_CALLBACK 3ossl" -.TH SSL_CTX_SET_INFO_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_INFO_CALLBACK 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -112,7 +115,7 @@ the callback function was called. If \fBret\fR is 0, an error condition occurred If an alert is handled, SSL_CB_ALERT is set and \fBret\fR specifies the alert information. .PP -\&\fBwhere\fR is a bit-mask made up of the following bits: +\&\fBwhere\fR is a bit\-mask made up of the following bits: .IP SSL_CB_LOOP 4 .IX Item "SSL_CB_LOOP" Callback has been called to indicate state change or some other significant diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_keylog_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_keylog_callback.3 index 5d10cc5960ac..35f09c98b315 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_keylog_callback.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_keylog_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_KEYLOG_CALLBACK 3ossl" -.TH SSL_CTX_SET_KEYLOG_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_KEYLOG_CALLBACK 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -88,7 +91,7 @@ The key logging callback is called with two items: the \fBssl\fR object associat with the connection, and \fBline\fR, a string containing the key material in the format used by NSS for its \fBSSLKEYLOGFILE\fR debugging output. To recreate that file, the key logging callback should log \fBline\fR, followed by a newline. -\&\fBline\fR will always be a NUL-terminated string. +\&\fBline\fR will always be a NUL\-terminated string. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBSSL_CTX_get_keylog_callback()\fR returns a pointer to \fBSSL_CTX_keylog_cb_func\fR or diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_max_cert_list.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_max_cert_list.3 index 7431d6529be5..be60c82e5fcc 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_max_cert_list.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_max_cert_list.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,16 +52,19 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_MAX_CERT_LIST 3ossl" -.TH SSL_CTX_SET_MAX_CERT_LIST 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_MAX_CERT_LIST 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH NAME -SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL_get_max_cert_list \- manipulate allowed size for the peer's certificate chain +SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL_get_max_cert_list \- manipulate allowed size for the peer\*(Aqs certificate chain .SH SYNOPSIS .IX Header "SYNOPSIS" .Vb 1 @@ -75,14 +78,14 @@ SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBSSL_CTX_set_max_cert_list()\fR sets the maximum size allowed for the peer's +\&\fBSSL_CTX_set_max_cert_list()\fR sets the maximum size allowed for the peer\*(Aqs certificate chain for all SSL objects created from \fBctx\fR to be <size> bytes. The SSL objects inherit the setting valid for \fBctx\fR at the time \&\fBSSL_new\fR\|(3) is being called. .PP \&\fBSSL_CTX_get_max_cert_list()\fR returns the currently set maximum size for \fBctx\fR. .PP -\&\fBSSL_set_max_cert_list()\fR sets the maximum size allowed for the peer's +\&\fBSSL_set_max_cert_list()\fR sets the maximum size allowed for the peer\*(Aqs certificate chain for \fBssl\fR to be <size> bytes. This setting stays valid until a new value is set. .PP 
@@ -98,7 +101,7 @@ chain is set. .PP The default value for the maximum certificate chain size is 100kB (30kB on the 16\-bit DOS platform). This should be sufficient for usual certificate -chains (OpenSSL's default maximum chain length is 10, see +chains (OpenSSL\*(Aqs default maximum chain length is 10, see \&\fBSSL_CTX_set_verify\fR\|(3), and certificates without special extensions have a typical size of 1\-2kB). .PP diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_min_proto_version.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_min_proto_version.3 index d60633dbc7ce..69b21cad23d4 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_min_proto_version.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_min_proto_version.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_MIN_PROTO_VERSION 3ossl" -.TH SSL_CTX_SET_MIN_PROTO_VERSION 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_MIN_PROTO_VERSION 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -107,7 +110,7 @@ TLSv1.3. Calling these functions on a QUIC object has no effect. .SH "RETURN VALUES" .IX Header "RETURN VALUES" These setter functions return 1 on success and 0 on failure. The getter -functions return the configured version or 0 for auto-configuration of +functions return the configured version or 0 for auto\-configuration of lowest or highest protocol, respectively. .SH NOTES .IX Header "NOTES" 
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_mode.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_mode.3 index 2fa123a9bfb4..8d6c049ea775 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_mode.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_mode.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_MODE 3ossl" -.TH SSL_CTX_SET_MODE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_MODE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -77,13 +80,13 @@ SSL_CTX_set_mode, SSL_CTX_clear_mode, SSL_set_mode, SSL_clear_mode, SSL_CTX_get_ .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBSSL_CTX_set_mode()\fR adds the mode set via bit-mask in \fBmode\fR to \fBctx\fR. +\&\fBSSL_CTX_set_mode()\fR adds the mode set via bit\-mask in \fBmode\fR to \fBctx\fR. Options already set before are not cleared. -\&\fBSSL_CTX_clear_mode()\fR removes the mode set via bit-mask in \fBmode\fR from \fBctx\fR. +\&\fBSSL_CTX_clear_mode()\fR removes the mode set via bit\-mask in \fBmode\fR from \fBctx\fR. .PP -\&\fBSSL_set_mode()\fR adds the mode set via bit-mask in \fBmode\fR to \fBssl\fR. +\&\fBSSL_set_mode()\fR adds the mode set via bit\-mask in \fBmode\fR to \fBssl\fR. Options already set before are not cleared. -\&\fBSSL_clear_mode()\fR removes the mode set via bit-mask in \fBmode\fR from \fBssl\fR. +\&\fBSSL_clear_mode()\fR removes the mode set via bit\-mask in \fBmode\fR from \fBssl\fR. .PP \&\fBSSL_CTX_get_mode()\fR returns the mode set for \fBctx\fR. .PP 
@@ -111,19 +114,19 @@ avoid the misconception that nonblocking \fBSSL_write()\fR behaves like nonblocking \fBwrite()\fR. .IP SSL_MODE_AUTO_RETRY 4 .IX Item "SSL_MODE_AUTO_RETRY" -During normal operations, non-application data records might need to be sent or +During normal operations, non\-application data records might need to be sent or received that the application is not aware of. -If a non-application data record was processed, +If a non\-application data record was processed, \&\fBSSL_read_ex\fR\|(3) and \fBSSL_read\fR\|(3) can return with a failure and indicate the need to retry with \fBSSL_ERROR_WANT_READ\fR. -If such a non-application data record was processed, the flag +If such a non\-application data record was processed, the flag \&\fBSSL_MODE_AUTO_RETRY\fR causes it to try to process the next record instead of returning. .Sp In a nonblocking environment applications must be prepared to handle incomplete read/write operations. Setting \fBSSL_MODE_AUTO_RETRY\fR for a nonblocking \fBBIO\fR will process -non-application data records until either no more data is available or +non\-application data records until either no more data is available or an application data record has been processed. .Sp In a blocking environment, applications are not always prepared to @@ -135,7 +138,7 @@ failure. Turning off \fBSSL_MODE_AUTO_RETRY\fR can be useful with blocking \fBBIO\fRs in case they are used in combination with something like \fBselect()\fR or \fBpoll()\fR. Otherwise the call to \fBSSL_read()\fR or \fBSSL_read_ex()\fR might hang when a -non-application record was sent and no application data was sent. +non\-application record was sent and no application data was sent. .IP SSL_MODE_RELEASE_BUFFERS 4 .IX Item "SSL_MODE_RELEASE_BUFFERS" When we no longer need a read buffer or a write buffer for a given SSL, 
@@ -160,7 +163,7 @@ used to perform cryptographic operations. See \fBSSL_get_error\fR\|(3). .IP SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG 4 .IX Item "SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG" Older versions of OpenSSL had a bug in the computation of the label length -used for computing the endpoint-pair shared secret. The bug was that the +used for computing the endpoint\-pair shared secret. The bug was that the terminating zero was included in the length of the label. Setting this option enables this behaviour to allow interoperability with such broken implementations. Please note that setting this option breaks interoperability @@ -170,10 +173,10 @@ All modes are off by default except for SSL_MODE_AUTO_RETRY which is on by default since 1.1.1. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fBSSL_CTX_set_mode()\fR and \fBSSL_set_mode()\fR return the new mode bit-mask +\&\fBSSL_CTX_set_mode()\fR and \fBSSL_set_mode()\fR return the new mode bit\-mask after adding \fBmode\fR. .PP -\&\fBSSL_CTX_get_mode()\fR and \fBSSL_get_mode()\fR return the current bit-mask. +\&\fBSSL_CTX_get_mode()\fR and \fBSSL_get_mode()\fR return the current bit\-mask. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBssl\fR\|(7), \fBSSL_read_ex\fR\|(3), \fBSSL_read\fR\|(3), \fBSSL_write_ex\fR\|(3) or diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_msg_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_msg_callback.3 index e76e87dcf339..47adcff353b2 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_msg_callback.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_msg_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_MSG_CALLBACK 3ossl" -.TH SSL_CTX_SET_MSG_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_MSG_CALLBACK 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -134,10 +137,10 @@ longer valid after the callback function has returned. The \fBSSL\fR object that received or sent the message. .IP \fIarg\fR 4 .IX Item "arg" -The user-defined argument optionally defined by +The user\-defined argument optionally defined by \&\fBSSL_CTX_set_msg_callback_arg()\fR or \fBSSL_set_msg_callback_arg()\fR. .PP -The \fBSSL_trace()\fR function can be used as a pre-written callback in a call to +The \fBSSL_trace()\fR function can be used as a pre\-written callback in a call to \&\fBSSL_CTX_set_msg_callback()\fR or \fBSSL_set_msg_callback()\fR. It requires a BIO to be set as the callback argument via \fBSSL_CTX_set_msg_callback_arg()\fR or \&\fBSSL_set_msg_callback_arg()\fR. Setting this callback will cause human readable @@ -179,7 +182,7 @@ Used when a QUIC datagram is sent or received. Used when a QUIC packet is sent or received. .IP \fBSSL3_RT_QUIC_FRAME_FULL\fR 4 .IX Item "SSL3_RT_QUIC_FRAME_FULL" -Used when a QUIC frame is sent or received. This is only used for non-crypto +Used when a QUIC frame is sent or received. This is only used for non\-crypto and stream data related frames. The full QUIC frame data is supplied. .IP \fBSSL3_RT_QUIC_FRAME_HEADER\fR 4 .IX Item "SSL3_RT_QUIC_FRAME_HEADER" diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_new_pending_conn_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_new_pending_conn_cb.3 index e93ad7a6d17c..3c82252b9018 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_new_pending_conn_cb.3 
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_new_pending_conn_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_NEW_PENDING_CONN_CB 3ossl" -.TH SSL_CTX_SET_NEW_PENDING_CONN_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_NEW_PENDING_CONN_CB 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -102,7 +105,7 @@ into consideration when writing an application. .RS 4 QUIC connections may begin processing prior to when an application calls \&\fBSSL_accept_connection()\fR on them. As such, it may occur that callbacks are -delivered to applications' registered TLS callbacks prior to those SSL objects +delivered to applications\*(Aq registered TLS callbacks prior to those SSL objects being returned in \fBSSL_accept_connection()\fR. Applications should expect this possibility. .Sp diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_num_tickets.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_num_tickets.3 index 75dfdbce2882..1c38b9e99442 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_num_tickets.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_num_tickets.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_NUM_TICKETS 3ossl" -.TH SSL_CTX_SET_NUM_TICKETS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_NUM_TICKETS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -91,7 +94,7 @@ issued will never be more than 1 regardless of the value set via \&\fBSSL_set_num_tickets()\fR or \fBSSL_CTX_set_num_tickets()\fR. If \fBnum_tickets\fR is set to 0 then no tickets will be issued for either a normal connection or a resumption. .PP -Tickets are also issued on receipt of a post-handshake certificate from the +Tickets are also issued on receipt of a post\-handshake certificate from the client following a request by the server using \&\fBSSL_verify_client_post_handshake\fR\|(3). These new tickets will be associated with the updated client identity (i.e. including their certificate and @@ -101,7 +104,7 @@ handshake then \fBSSL_set_num_tickets()\fR can be called again prior to calling \&\fBSSL_verify_client_post_handshake()\fR to update the number of tickets that will be sent. .PP -To issue tickets after other events (such as application-layer changes), +To issue tickets after other events (such as application\-layer changes), \&\fBSSL_new_session_ticket()\fR is used by a server application to request that a new ticket be sent when it is safe to do so. New tickets are only allowed to be sent in this manner after the initial handshake has completed, and only for 
@@ -117,7 +120,7 @@ together when it is safe to do so and triggered by \fBSSL_write()\fR or \&\fBSSL_do_handshake()\fR. Note that a successful return from \&\fBSSL_new_session_ticket()\fR indicates only that the request to send a ticket was processed, not that the ticket itself was sent. To be notified when the -ticket itself is sent, a new-session callback can be registered with +ticket itself is sent, a new\-session callback can be registered with \&\fBSSL_CTX_sess_set_new_cb\fR\|(3) that will be invoked as the ticket or tickets are generated. .PP diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3 index e19269cf2eff..206d82030a37 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_OPTIONS 3ossl" -.TH SSL_CTX_SET_OPTIONS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_OPTIONS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -82,17 +85,17 @@ SSL_get_secure_renegotiation_support \- manipulate SSL options .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBSSL_CTX_set_options()\fR adds the options set via bit-mask in \fBoptions\fR to \fBctx\fR. +\&\fBSSL_CTX_set_options()\fR adds the options set via bit\-mask in \fBoptions\fR to \fBctx\fR. \&\fBctx\fR \fBMUST NOT\fR be NULL. Options already set before are not cleared! .PP -\&\fBSSL_set_options()\fR adds the options set via bit-mask in \fBoptions\fR to \fBssl\fR. +\&\fBSSL_set_options()\fR adds the options set via bit\-mask in \fBoptions\fR to \fBssl\fR. Options already set before are not cleared! .PP -\&\fBSSL_CTX_clear_options()\fR clears the options set via bit-mask in \fBoptions\fR +\&\fBSSL_CTX_clear_options()\fR clears the options set via bit\-mask in \fBoptions\fR to \fBctx\fR. .PP -\&\fBSSL_clear_options()\fR clears the options set via bit-mask in \fBoptions\fR to \fBssl\fR. +\&\fBSSL_clear_options()\fR clears the options set via bit\-mask in \fBoptions\fR to \fBssl\fR. .PP \&\fBSSL_CTX_get_options()\fR returns the options set for \fBctx\fR. .PP @@ -104,7 +107,7 @@ Note, this is implemented via a macro. .SH NOTES .IX Header "NOTES" The behaviour of the SSL library can be changed by setting several options. -The options are coded as bit-masks and can be combined by a bitwise \fBor\fR +The options are coded as bit\-masks and can be combined by a bitwise \fBor\fR operation (|). .PP \&\fBSSL_CTX_set_options()\fR and \fBSSL_set_options()\fR affect the (external) 
@@ -120,7 +123,7 @@ SSL objects. \fBSSL_clear()\fR does not affect the settings. The following \fBbug workaround\fR options are available: .IP SSL_OP_CRYPTOPRO_TLSEXT_BUG 4 .IX Item "SSL_OP_CRYPTOPRO_TLSEXT_BUG" -Add server-hello extension from the early version of cryptopro draft +Add server\-hello extension from the early version of cryptopro draft when GOST ciphersuite is negotiated. Required for interoperability with CryptoPro CSP 3.x. .IP SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 4 @@ -131,8 +134,8 @@ broken SSL implementations. This option has no effect for connections using other ciphers. .IP SSL_OP_SAFARI_ECDHE_ECDSA_BUG 4 .IX Item "SSL_OP_SAFARI_ECDHE_ECDSA_BUG" -Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X. -OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers. +Don\*(Aqt prefer ECDHE\-ECDSA ciphers when the client appears to be Safari on OS X. +OS X 10.8..10.8.3 has broken support for ECDHE\-ECDSA ciphers. .IP SSL_OP_TLSEXT_PADDING 4 .IX Item "SSL_OP_TLSEXT_PADDING" Adds a padding extension to ensure the ClientHello size is never between @@ -149,7 +152,7 @@ desired. The following \fBmodifying\fR options are available: .IP SSL_OP_ALLOW_CLIENT_RENEGOTIATION 4 .IX Item "SSL_OP_ALLOW_CLIENT_RENEGOTIATION" -Client-initiated renegotiation is disabled by default. Use +Client\-initiated renegotiation is disabled by default. Use this option to enable it. .IP SSL_OP_ALLOW_NO_DHE_KEX 4 .IX Item "SSL_OP_ALLOW_NO_DHE_KEX" 
@@ -166,13 +169,13 @@ Allow legacy insecure renegotiation between OpenSSL and unpatched clients or servers. See the \fBSECURE RENEGOTIATION\fR section for more details. .IP SSL_OP_CIPHER_SERVER_PREFERENCE 4 .IX Item "SSL_OP_CIPHER_SERVER_PREFERENCE" -When choosing a cipher, use the server's preferences instead of the client +When choosing a cipher, use the server\*(Aqs preferences instead of the client preferences. When not set, the SSL server will always follow the clients preferences. When set, the SSL/TLS server will choose following its own preferences. .IP SSL_OP_CISCO_ANYCONNECT 4 .IX Item "SSL_OP_CISCO_ANYCONNECT" -Use Cisco's version identifier of DTLS_BAD_VER when establishing a DTLSv1 +Use Cisco\*(Aqs version identifier of DTLS_BAD_VER when establishing a DTLSv1 connection. Only available when using the deprecated \fBDTLSv1_client_method()\fR API. .IP SSL_OP_CLEANSE_PLAINTEXT 4 .IX Item "SSL_OP_CLEANSE_PLAINTEXT" @@ -211,9 +214,9 @@ have been compiled with support for it, and it must be supported by the negotiated ciphersuites and extensions. The specific ciphersuites and extensions that are supported may vary by platform and kernel version. .Sp -The kernel TLS data-path implements the record layer, and the encryption +The kernel TLS data\-path implements the record layer, and the encryption algorithm. The kernel will utilize the best hardware -available for encryption. Using the kernel data-path should reduce the memory +available for encryption. Using the kernel data\-path should reduce the memory footprint of OpenSSL because no buffering is required. Also, the throughput should improve because data copy is avoided when user data is encrypted into kernel memory instead of the usual encrypt then copy to kernel. 
@@ -233,7 +236,7 @@ performance boost when used with KTLS hardware offload. Note that invalid TLS records might be transmitted if the file is changed while being sent. This option has no effect if \fBSSL_OP_ENABLE_KTLS\fR is not enabled. .Sp -This option only applies to Linux. KTLS sendfile on FreeBSD doesn't offer an +This option only applies to Linux. KTLS sendfile on FreeBSD doesn\*(Aqt offer an option to disable zerocopy and always runs in this mode. .IP SSL_OP_ENABLE_MIDDLEBOX_COMPAT 4 .IX Item "SSL_OP_ENABLE_MIDDLEBOX_COMPAT" @@ -264,11 +267,11 @@ Allow legacy insecure renegotiation between OpenSSL and unpatched servers .IX Item "SSL_OP_NO_ANTI_REPLAY" By default, when a server is configured for early data (i.e., max_early_data > 0), OpenSSL will switch on replay protection. See \fBSSL_read_early_data\fR\|(3) for a -description of the replay protection feature. Anti-replay measures are required +description of the replay protection feature. Anti\-replay measures are required to comply with the TLSv1.3 specification. Some applications may be able to mitigate the replay risks in other ways and in such cases the built in OpenSSL functionality is not required. Those applications can turn this feature off by -setting this option. This is a server-side option only. It is ignored by +setting this option. This is a server\-side option only. It is ignored by clients. .IP SSL_OP_NO_TX_CERTIFICATE_COMPRESSION 4 .IX Item "SSL_OP_NO_TX_CERTIFICATE_COMPRESSION" 
@@ -295,9 +298,9 @@ will have no effect without also changing the default security level. See .IP SSL_OP_NO_ENCRYPT_THEN_MAC 4 .IX Item "SSL_OP_NO_ENCRYPT_THEN_MAC" Normally clients and servers will transparently attempt to negotiate the -RFC7366 Encrypt-then-MAC option on TLS and DTLS connection. +RFC7366 Encrypt\-then\-MAC option on TLS and DTLS connection. .Sp -If this option is set, Encrypt-then-MAC is disabled. Clients will not +If this option is set, Encrypt\-then\-MAC is disabled. Clients will not propose, and servers will not accept the extension. .IP SSL_OP_NO_EXTENDED_MASTER_SECRET 4 .IX Item "SSL_OP_NO_EXTENDED_MASTER_SECRET" @@ -356,7 +359,7 @@ its cache. By default OpenSSL will use stateless tickets. The SSL_OP_NO_TICKET option will cause stateless tickets to not be issued. In TLSv1.2 and below this means no ticket gets sent to the client at all. In TLSv1.3 a stateful ticket will be -sent. This is a server-side option only. +sent. This is a server\-side option only. .Sp In TLSv1.3 it is possible to suppress all tickets (stateful and stateless) from being sent by calling \fBSSL_CTX_set_num_tickets\fR\|(3) or @@ -375,11 +378,11 @@ Disable version rollback attack detection. .Sp During the client key exchange, the client must send the same information about acceptable SSL/TLS protocol levels as during the first hello. Some -clients violate this rule by adapting to the server's answer. (Example: +clients violate this rule by adapting to the server\*(Aqs answer. (Example: the client sends an SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server only understands up to SSLv3. In this case the client must still use the same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect -to the server's answer and violate the version rollback protection.) +to the server\*(Aqs answer and violate the version rollback protection.) .PP The following options no longer have any effect but their identifiers are retained for compatibility purposes: 
@@ -428,7 +431,7 @@ aware of. In the description below an implementation supporting secure renegotiation is referred to as \fIpatched\fR. A server not supporting secure renegotiation is referred to as \fIunpatched\fR. .PP -The following sections describe the operations permitted by OpenSSL's secure +The following sections describe the operations permitted by OpenSSL\*(Aqs secure renegotiation implementation. .SS "Patched client and server" .IX Subsection "Patched client and server" @@ -505,16 +508,16 @@ default options set on any future streams which are created. Other options not mentioned above do not have an effect and will be ignored. .PP Options which relate to QUIC streams may also be set directly on QUIC stream SSL -objects. Setting connection-related options on such an object has no effect. +objects. Setting connection\-related options on such an object has no effect. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fBSSL_CTX_set_options()\fR and \fBSSL_set_options()\fR return the new options bit-mask +\&\fBSSL_CTX_set_options()\fR and \fBSSL_set_options()\fR return the new options bit\-mask after adding \fBoptions\fR. .PP -\&\fBSSL_CTX_clear_options()\fR and \fBSSL_clear_options()\fR return the new options bit-mask +\&\fBSSL_CTX_clear_options()\fR and \fBSSL_clear_options()\fR return the new options bit\-mask after clearing \fBoptions\fR. .PP -\&\fBSSL_CTX_get_options()\fR and \fBSSL_get_options()\fR return the current bit-mask. +\&\fBSSL_CTX_get_options()\fR and \fBSSL_get_options()\fR return the current bit\-mask. .PP \&\fBSSL_get_secure_renegotiation_support()\fR returns 1 is the peer supports secure renegotiation and 0 if it does not. diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_psk_client_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_psk_client_callback.3 index 10fdd624b2f9..131812af89f6 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_psk_client_callback.3 
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_psk_client_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_PSK_CLIENT_CALLBACK 3ossl" -.TH SSL_CTX_SET_PSK_CLIENT_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_PSK_CLIENT_CALLBACK 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -138,7 +141,7 @@ Additionally the maximum early data value should be set via a call to \&\fBSSL_SESSION_set_max_early_data\fR\|(3) if the PSK will be used for sending early data. .PP -Alternatively an SSL_SESSION created from a previous non-PSK handshake may also +Alternatively an SSL_SESSION created from a previous non\-PSK handshake may also be used as the basis for a PSK. .PP Ownership of the SSL_SESSION object is passed to the OpenSSL library and so it @@ -154,7 +157,7 @@ provide a different callback function. This function will be called when the client is sending the ClientKeyExchange message to the server. .PP The purpose of the callback function is to select the PSK identity and -the pre-shared key to use during the connection setup phase. +the pre\-shared key to use during the connection setup phase. .PP The callback is set using functions \fBSSL_CTX_set_psk_client_callback()\fR or \fBSSL_set_psk_client_callback()\fR. The callback function is given the 
@@ -162,7 +165,7 @@ connection in parameter \fBssl\fR, a \fBNUL\fR\-terminated PSK identity hint sent by the server in parameter \fBhint\fR, a buffer \fBidentity\fR of length \fBmax_identity_len\fR bytes (including the \fBNUL\fR\-terminator) where the resulting \fBNUL\fR\-terminated identity is to be stored, and a buffer \fBpsk\fR -of length \fBmax_psk_len\fR bytes where the resulting pre-shared key is to +of length \fBmax_psk_len\fR bytes where the resulting pre\-shared key is to be stored. .PP The callback for use in TLSv1.2 will also work in TLSv1.3 although it is @@ -189,14 +192,14 @@ below) and TLSv1.3. However, the RFC has this note of caution: .PP "While there is no known way in which the same PSK might produce related output in both versions, only limited analysis has been done. Implementations can -ensure safety from cross-protocol related output by not reusing PSKs between +ensure safety from cross\-protocol related output by not reusing PSKs between TLS 1.3 and TLS 1.2." .SH "RETURN VALUES" .IX Header "RETURN VALUES" Return values from the \fBSSL_psk_client_cb_func\fR callback are interpreted as follows: .PP -On success (callback found a PSK identity and a pre-shared key to use) +On success (callback found a PSK identity and a pre\-shared key to use) the length (> 0) of \fBpsk\fR in bytes is returned. .PP Otherwise or on errors the callback should return 0. In this case diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_quiet_shutdown.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_quiet_shutdown.3 index 44cf0fada3e2..c9a93f296409 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_quiet_shutdown.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_quiet_shutdown.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_QUIET_SHUTDOWN 3ossl" -.TH SSL_CTX_SET_QUIET_SHUTDOWN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_QUIET_SHUTDOWN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_read_ahead.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_read_ahead.3 index 923d493c82b7..31287c845e4d 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_read_ahead.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_read_ahead.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_READ_AHEAD 3ossl" -.TH SSL_CTX_SET_READ_AHEAD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_READ_AHEAD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -102,17 +105,17 @@ These functions have no impact when used with DTLS. The return values for \&\fBread_ahead\fR can impact the behaviour of the \fBSSL_pending()\fR function (see \fBSSL_pending\fR\|(3)). .PP -Since \fBSSL_read()\fR can return \fBSSL_ERROR_WANT_READ\fR for non-application data -records, and \fBSSL_has_pending()\fR can't tell the difference between processed and -unprocessed data, it's recommended that if read ahead is turned on that +Since \fBSSL_read()\fR can return \fBSSL_ERROR_WANT_READ\fR for non\-application data +records, and \fBSSL_has_pending()\fR can\*(Aqt tell the difference between processed and +unprocessed data, it\*(Aqs recommended that if read ahead is turned on that \&\fBSSL_MODE_AUTO_RETRY\fR is not turned off using \fBSSL_CTX_clear_mode()\fR. That will prevent getting \fBSSL_ERROR_WANT_READ\fR when there is still a complete -record available that hasn't been processed. +record available that hasn\*(Aqt been processed. .PP If the application wants to continue to use the underlying transport (e.g. TCP connection) after the SSL connection is finished using \fBSSL_shutdown()\fR reading ahead should be turned off. -Otherwise the SSL structure might read data that it shouldn't. +Otherwise the SSL structure might read data that it shouldn\*(Aqt. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBSSL_get_read_ahead()\fR and \fBSSL_CTX_get_read_ahead()\fR return 0 if reading ahead is off, diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_record_padding_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_record_padding_callback.3 index fe072d33ac33..a9f2f4cabef2 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_record_padding_callback.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_record_padding_callback.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_RECORD_PADDING_CALLBACK 3ossl" -.TH SSL_CTX_SET_RECORD_PADDING_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_RECORD_PADDING_CALLBACK 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -142,13 +145,13 @@ the callback function is not set because Kernel TLS is configured for the SSL ob .IX Header "NOTES" The default behavior is to add no padding to the record. .PP -A user-supplied padding callback function will override the behavior set by -\&\fBSSL_set_block_padding()\fR or \fBSSL_CTX_set_block_padding()\fR. Setting the user-supplied +A user\-supplied padding callback function will override the behavior set by +\&\fBSSL_set_block_padding()\fR or \fBSSL_CTX_set_block_padding()\fR. Setting the user\-supplied callback to NULL will restore the configured block padding behavior. .PP These functions only apply to TLS 1.3 records being written. .PP -Padding bytes are not added in constant-time. +Padding bytes are not added in constant\-time. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBssl\fR\|(7), \fBSSL_new\fR\|(3) diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_security_level.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_security_level.3 index 9391d1fff523..dc3219e1aecb 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_security_level.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_security_level.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_SECURITY_LEVEL 3ossl" -.TH SSL_CTX_SET_SECURITY_LEVEL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_SECURITY_LEVEL 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -117,7 +120,7 @@ value is passed to the callback verbatim and can be set to any convenient application specific value. .SH "DEFAULT CALLBACK BEHAVIOUR" .IX Header "DEFAULT CALLBACK BEHAVIOUR" -If an application doesn't set its own security callback the default +If an application doesn\*(Aqt set its own security callback the default callback is used. It is intended to provide sane defaults. The meaning of each level is described below. .IP "\fBLevel 0\fR" 4 @@ -182,7 +185,7 @@ then only cipher suites consistent with the security level are permissible. See SP800\-57 for how the security limits are related to individual algorithms. .PP -Some security levels require large key sizes for non-ECC public key +Some security levels require large key sizes for non\-ECC public key algorithms which can severely degrade performance. For example 256 bits of security requires the use of RSA keys of at least 15360 bits in size. .PP diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_cache_mode.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_cache_mode.3 index eef4db6f2b57..0491faa3ef12 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_cache_mode.3 
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_cache_mode.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_SESSION_CACHE_MODE 3ossl" -.TH SSL_CTX_SET_SESSION_CACHE_MODE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_SESSION_CACHE_MODE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -83,7 +86,7 @@ The sessions can be held in memory for each \fBctx\fR, if more than one SSL_CTX object is being maintained, the sessions are unique for each SSL_CTX object. .PP -In order to reuse a session, a client must send the session's id to the +In order to reuse a session, a client must send the session\*(Aqs id to the server. It can only send exactly one id. The server then either agrees to reuse the session or it starts a full handshake (to create a new session). @@ -130,7 +133,7 @@ flushing may be disabled and explicitly by the application. .IP SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 4 .IX Item "SSL_SESS_CACHE_NO_INTERNAL_LOOKUP" -By setting this flag, session-resume operations in an SSL/TLS server will not +By setting this flag, session\-resume operations in an SSL/TLS server will not automatically look up sessions in the internal cache, even if sessions are automatically stored there. If external session caching callbacks are in use, this flag guarantees that all lookups are directed to the external cache. 
@@ -145,7 +148,7 @@ session caching (callback) that is configured for the SSL_CTX. This flag will prevent sessions being stored in the internal cache (though the application can add them manually using \fBSSL_CTX_add_session\fR\|(3)). Note: in any SSL/TLS servers where external caching is configured, any successful -session lookups in the external cache (i.e. for session-resume requests) would +session lookups in the external cache (i.e. for session\-resume requests) would normally be copied into the local cache before processing continues \- this flag prevents these additions to the internal cache as well. .IP SSL_SESS_CACHE_NO_INTERNAL 4 diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_id_context.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_id_context.3 index b2a027e98a8a..6b6410035387 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_id_context.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_id_context.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_SESSION_ID_CONTEXT 3ossl" -.TH SSL_CTX_SET_SESSION_ID_CONTEXT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_SESSION_ID_CONTEXT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -83,7 +86,7 @@ SSL_CTX_set_session_id_context, SSL_set_session_id_context \- set context within .IX Header "NOTES" Sessions are generated within a certain context. When exporting/importing sessions with \fBi2d_SSL_SESSION\fR/\fBd2i_SSL_SESSION\fR it would be possible, -to re-import a session generated from another context (e.g. another +to re\-import a session generated from another context (e.g. another application), which might lead to malfunctions. Therefore, each application must set its own session id context \fBsid_ctx\fR which is used to distinguish the contexts and is stored in exported sessions. The \fBsid_ctx\fR can be diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_ticket_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_ticket_cb.3 index e5ebb6f745be..ce65b3324a7b 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_ticket_cb.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_ticket_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_SESSION_TICKET_CB 3ossl" -.TH SSL_CTX_SET_SESSION_TICKET_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_SESSION_TICKET_CB 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -139,7 +142,7 @@ sent to the client. This only occurs in TLSv1.2 or below. In TLSv1.3 it is not valid for a client to send an empty ticket. .IP SSL_TICKET_NO_DECRYPT 4 .IX Item "SSL_TICKET_NO_DECRYPT" -The ticket couldn't be decrypted. No ticket data will be used and a new ticket +The ticket couldn\*(Aqt be decrypted. No ticket data will be used and a new ticket should be sent to the client. .IP SSL_TICKET_SUCCESS 4 .IX Item "SSL_TICKET_SUCCESS" diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_split_send_fragment.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_split_send_fragment.3 index 0b6ef970e468..5d4dbdc7f15d 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_split_send_fragment.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_split_send_fragment.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_SPLIT_SEND_FRAGMENT 3ossl" -.TH SSL_CTX_SET_SPLIT_SEND_FRAGMENT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_SPLIT_SEND_FRAGMENT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -112,7 +115,7 @@ functions will only accept a value in the range 512 \- SSL3_RT_MAX_PLAIN_LENGTH. \&\fBSSL_CTX_set_max_pipelines()\fR and \fBSSL_set_max_pipelines()\fR set the maximum number of pipelines that will be used at any one time. This value applies to both "read" pipelining and "write" pipelining. By default only one pipeline will be -used (i.e. normal non-parallel operation). The number of pipelines set must be +used (i.e. normal non\-parallel operation). The number of pipelines set must be in the range 1 \- SSL_MAX_PIPELINES (32). Setting this to a value > 1 will also automatically turn on "read_ahead" (see \fBSSL_CTX_set_read_ahead\fR\|(3)). This is explained further below. OpenSSL will only ever use more than one pipeline if @@ -140,7 +143,7 @@ SSL_write/SSL_write_ex called with 6001+ bytes == 4 pipelines used \&\fBsplit_send_fragment\fR must always be less than or equal to \&\fBmax_send_fragment\fR. By default it is set to be equal to \fBmax_send_fragment\fR. This will mean that the same number of records will always be created as would -have been created in the non-parallel case, although the data will be +have been created in the non\-parallel case, although the data will be apportioned differently. In the parallel case data will be spread equally between the pipelines. .PP 
@@ -170,14 +173,14 @@ SSL3_RT_MAX_PLAIN_LENGTH + SSL3_RT_MAX_ENCRYPTED_OVERHEAD (16704) bytes. \&\fBSSL_CTX_set_tlsext_max_fragment_length()\fR sets the default maximum fragment length negotiation mode via value \fBmode\fR to \fBctx\fR. This setting affects only SSL instances created after this function is called. -It affects the client-side as only its side may initiate this extension use. +It affects the client\-side as only its side may initiate this extension use. .PP \&\fBSSL_set_tlsext_max_fragment_length()\fR sets the maximum fragment length negotiation mode via value \fBmode\fR to \fBssl\fR. This setting will be used during a handshake when extensions are exchanged between client and server. So it only affects SSL sessions created after this function is called. -It affects the client-side as only its side may initiate this extension use. +It affects the client\-side as only its side may initiate this extension use. .PP \&\fBSSL_SESSION_get_max_fragment_length()\fR gets the maximum fragment length negotiated in \fBsession\fR. @@ -188,7 +191,7 @@ These functions cannot be used with QUIC SSL objects. \&\fBSSL_set_tlsext_max_fragment_length()\fR fail if called on a QUIC SSL object. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -All non-void functions return 1 on success and 0 on failure. +All non\-void functions return 1 on success and 0 on failure. .SH NOTES .IX Header "NOTES" The Maximum Fragment Length extension support is optional on the server side. diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_srp_password.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_srp_password.3 index 214d92eefb4a..ede72e078290 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_srp_password.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_srp_password.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_SRP_PASSWORD 3ossl" -.TH SSL_CTX_SET_SRP_PASSWORD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_SRP_PASSWORD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ssl_version.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ssl_version.3 index eb954f836dd5..9037fc74d229 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ssl_version.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ssl_version.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_SSL_VERSION 3ossl" -.TH SSL_CTX_SET_SSL_VERSION 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_SSL_VERSION 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -105,7 +108,7 @@ it would usually be preferable to create a new SSL_CTX object than to try to reuse an existing one in this fashion. Its usage is considered deprecated. .PP -\&\fBSSL_set_ssl_method()\fR cannot be used to change a non-QUIC SSL object to a QUIC +\&\fBSSL_set_ssl_method()\fR cannot be used to change a non\-QUIC SSL object to a QUIC SSL object or vice versa, or change a QUIC SSL object from one QUIC method to another. .SH "RETURN VALUES" @@ -118,7 +121,7 @@ The new choice failed, check the error stack to find out the reason. .IX Item "1" The operation succeeded. .PP -\&\fBSSL_CTX_get_ssl_method()\fR and \fBSSL_get_ssl_method()\fR always return non-NULL +\&\fBSSL_CTX_get_ssl_method()\fR and \fBSSL_get_ssl_method()\fR always return non\-NULL pointers. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_stateless_cookie_generate_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_stateless_cookie_generate_cb.3 index fd2d7316742b..567a507dece5 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_stateless_cookie_generate_cb.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_stateless_cookie_generate_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_STATELESS_COOKIE_GENERATE_CB 3ossl" -.TH SSL_CTX_SET_STATELESS_COOKIE_GENERATE_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_STATELESS_COOKIE_GENERATE_CB 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -98,7 +101,7 @@ SSL_CTX_set_cookie_verify_cb .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBSSL_CTX_set_stateless_cookie_generate_cb()\fR sets the callback used by -\&\fBSSL_stateless\fR\|(3) to generate the application-controlled portion of the cookie +\&\fBSSL_stateless\fR\|(3) to generate the application\-controlled portion of the cookie provided to clients in the HelloRetryRequest transmitted as a response to a ClientHello with a missing or invalid cookie. \fBgen_stateless_cookie_cb()\fR must write at most SSL_COOKIE_LENGTH bytes into \fBcookie\fR, and must write the number 
@@ -106,11 +109,11 @@ of bytes written to \fBcookie_len\fR. If a cookie cannot be generated, a zero return value can be used to abort the handshake. .PP \&\fBSSL_CTX_set_stateless_cookie_verify_cb()\fR sets the callback used by -\&\fBSSL_stateless\fR\|(3) to determine whether the application-controlled portion of a +\&\fBSSL_stateless\fR\|(3) to determine whether the application\-controlled portion of a ClientHello cookie is valid. The cookie data is pointed to by \fBcookie\fR and is of length \fBcookie_len\fR. A nonzero return value from \fBverify_stateless_cookie_cb()\fR communicates that the cookie is valid. The integrity of the entire cookie, -including the application-controlled portion, is automatically verified by HMAC +including the application\-controlled portion, is automatically verified by HMAC before \fBverify_stateless_cookie_cb()\fR is called. .PP \&\fBSSL_CTX_set_cookie_generate_cb()\fR sets the callback used by \fBDTLSv1_listen\fR\|(3) diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_timeout.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_timeout.3 index c22e65bbf29f..d2d9d6fc1c57 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_timeout.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_timeout.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_TIMEOUT 3ossl" -.TH SSL_CTX_SET_TIMEOUT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_TIMEOUT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_servername_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_servername_callback.3 index e03611f32ee9..58d0a66c048c 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_servername_callback.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_servername_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3ossl" -.TH SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -115,7 +118,7 @@ treated the same way as SSL_TLSEXT_ERR_NOACK. This return value indicates that the servername is not accepted by the server. No alerts are sent and the server will not acknowledge the requested servername. .PP -\&\fBSSL_CTX_set_tlsext_servername_arg()\fR sets a context-specific argument to be +\&\fBSSL_CTX_set_tlsext_servername_arg()\fR sets a context\-specific argument to be passed into the callback (via the \fBarg\fR parameter) for this \fBSSL_CTX\fR. .PP The behaviour of \fBSSL_get_servername()\fR depends on a number of different factors. diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_status_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_status_cb.3 index 16f427d69488..a6acfafcdb03 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_status_cb.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_status_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_TLSEXT_STATUS_CB 3ossl" -.TH SSL_CTX_SET_TLSEXT_STATUS_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_TLSEXT_STATUS_CB 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3 index 723ba66e9493..3566ccca685d 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3 
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_TLSEXT_TICKET_KEY_CB 3ossl" -.TH SSL_CTX_SET_TLSEXT_TICKET_KEY_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_TLSEXT_TICKET_KEY_CB 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -113,7 +116,7 @@ Before the callback function is started \fIctx\fR and \fIhctx\fR have been initialised with \fBEVP_CIPHER_CTX_reset\fR\|(3) and \fBEVP_MAC_CTX_new\fR\|(3) respectively. .PP -For new sessions tickets, when the client doesn't present a session ticket, or +For new sessions tickets, when the client doesn\*(Aqt present a session ticket, or an attempted retrieval of the ticket failed, or a renew option was indicated, the callback function will be called with \fIenc\fR equal to 1. The OpenSSL library expects that the function will set an arbitrary \fIname\fR, initialize 
@@ -178,7 +181,7 @@ The \fIhctx\fR key material can be set using \fBHMAC_Init_ex\fR\|(3). .SH NOTES .IX Header "NOTES" Session resumption shortcuts the TLS handshake so that the client certificate -negotiation doesn't occur. It makes up for this by storing the client certificate +negotiation doesn\*(Aqt occur. It makes up for this by storing the client certificate and all other negotiated state information encrypted within the ticket. In a resumed session the applications will have all this state information available exactly as if a full negotiation had occurred. diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_use_srtp.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_use_srtp.3 index 4a4aa31b380a..098ba8d3b227 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_use_srtp.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_use_srtp.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_TLSEXT_USE_SRTP 3ossl" -.TH SSL_CTX_SET_TLSEXT_USE_SRTP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_TLSEXT_USE_SRTP 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -79,7 +82,7 @@ SSL_get_selected_srtp_profile .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -SRTP is the Secure Real-Time Transport Protocol. OpenSSL implements support for +SRTP is the Secure Real\-Time Transport Protocol. OpenSSL implements support for the "use_srtp" DTLS extension defined in RFC5764. This provides a mechanism for establishing SRTP keying material, algorithms and parameters using DTLS. This capability may be used as part of an implementation that conforms to RFC5763. @@ -92,7 +95,7 @@ An OpenSSL client wishing to send the "use_srtp" extension should call \&\fBSSL_CTX_set_tlsext_use_srtp()\fR to set its use for all SSL objects subsequently created from an SSL_CTX. Alternatively a client may call \&\fBSSL_set_tlsext_use_srtp()\fR to set its use for an individual SSL object. The -\&\fBprofiles\fR parameters should point to a NUL-terminated, colon delimited list of +\&\fBprofiles\fR parameters should point to a NUL\-terminated, colon delimited list of SRTP protection profile names. .PP The currently supported protection profile names are: diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_dh_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_dh_callback.3 index 0cb913a0273d..ec9ce166b0e3 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_dh_callback.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_dh_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_TMP_DH_CALLBACK 3ossl" -.TH SSL_CTX_SET_TMP_DH_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_TMP_DH_CALLBACK 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -95,7 +98,7 @@ see \fBopenssl_user_macros\fR\|(7): .IX Header "DESCRIPTION" The functions described on this page are relevant for servers only. .PP -Some ciphersuites may use ephemeral Diffie-Hellman (DH) key exchange. In these +Some ciphersuites may use ephemeral Diffie\-Hellman (DH) key exchange. In these cases, the session data is negotiated using the ephemeral/temporary DH key and the key supplied and certified by the certificate chain is only used for signing. Anonymous ciphers (without a permanent server key) also use ephemeral @@ -116,9 +119,9 @@ As generating DH parameters is extremely time consuming, an application should not generate the parameters on the fly. DH parameters can be reused, as the actual key is newly generated during the negotiation. .PP -Typically applications should use well known DH parameters that have built-in +Typically applications should use well known DH parameters that have built\-in support in OpenSSL. The macros \fBSSL_CTX_set_dh_auto()\fR and \fBSSL_set_dh_auto()\fR -configure OpenSSL to use the default built-in DH parameters for the \fBSSL_CTX\fR +configure OpenSSL to use the default built\-in DH parameters for the \fBSSL_CTX\fR and \fBSSL\fR objects respectively. Passing a value of 2 or 1 in the \fIonoff\fR parameter switches it on. If the \fIonoff\fR parameter is set to 2, it will force the DH key size to 1024 if the \fBSSL_CTX\fR or \fBSSL\fR security level 
@@ -126,13 +129,13 @@ the DH key size to 1024 if the \fBSSL_CTX\fR or \fBSSL\fR security level it off. The default setting is off. .PP If "auto" DH parameters are switched on then the parameters will be selected to -be consistent with the size of the key associated with the server's certificate. +be consistent with the size of the key associated with the server\*(Aqs certificate. If there is no certificate (e.g. for PSK ciphersuites), then it it will be consistent with the size of the negotiated symmetric cipher key. .PP -Applications may supply their own DH parameters instead of using the built-in +Applications may supply their own DH parameters instead of using the built\-in values. This approach is discouraged and applications should in preference use -the built-in parameter support described above. Applications wishing to supply +the built\-in parameter support described above. Applications wishing to supply their own DH parameters should call \fBSSL_CTX_set0_tmp_dh_pkey()\fR or \&\fBSSL_set0_tmp_dh_pkey()\fR to supply the parameters for the \fBSSL_CTX\fR or \fBSSL\fR respectively. The parameters should be supplied in the \fIdhpkey\fR argument as @@ -157,7 +160,7 @@ as appropriate. The callback will be invoked during a connection when DH parameters are required. The \fBSSL\fR object for the current connection is supplied as an argument. Previous versions of OpenSSL used the \fBis_export\fR and \fBkeylength\fR -arguments to control parameter generation for export and non-export +arguments to control parameter generation for export and non\-export cipher suites. Modern OpenSSL does not support export ciphersuites and so these arguments are unused and can be ignored by the callback. The callback should return the parameters to be used in a DH object. Ownership of the DH object is diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_ecdh.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_ecdh.3 index 2bec98784759..586b06d6be93 100644 
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_ecdh.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_ecdh.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_TMP_ECDH 3ossl" -.TH SSL_CTX_SET_TMP_ECDH 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_TMP_ECDH 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3 index 52dea0e935f2..db7a4e4c773e 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_VERIFY 3ossl" -.TH SSL_CTX_SET_VERIFY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_VERIFY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -125,8 +128,8 @@ verification that shall be allowed for \fBctx\fR. verification that shall be allowed for \fBssl\fR. .PP \&\fBSSL_CTX_set_post_handshake_auth()\fR and \fBSSL_set_post_handshake_auth()\fR enable the -Post-Handshake Authentication extension to be added to the ClientHello such that -post-handshake authentication can be requested by the server. If \fBval\fR is 0 +Post\-Handshake Authentication extension to be added to the ClientHello such that +post\-handshake authentication can be requested by the server. If \fBval\fR is 0 then the extension is not sent, otherwise it is. By default the extension is not sent. A certificate callback will need to be set via \&\fBSSL_CTX_set_client_cert_cb()\fR if no certificate is provided at initialization. @@ -137,7 +140,7 @@ be set; the SSL_VERIFY_POST_HANDSHAKE flag is optional. .SH NOTES .IX Header "NOTES" The verification of certificates can be controlled by a set of logically -or'ed \fBmode\fR flags: +or\*(Aqed \fBmode\fR flags: .IP SSL_VERIFY_NONE 4 .IX Item "SSL_VERIFY_NONE" \&\fBServer mode:\fR the server will not send a client certificate request to the @@ -175,7 +178,7 @@ This flag must be used together with SSL_VERIFY_PEER. .IX Item "SSL_VERIFY_CLIENT_ONCE" \&\fBServer mode:\fR only request a client certificate once during the connection. Do not ask for a client certificate again during -renegotiation or post-authentication if a certificate was requested +renegotiation or post\-authentication if a certificate was requested during the initial handshake. This flag must be used together with SSL_VERIFY_PEER. .Sp 
@@ -185,7 +188,7 @@ SSL_VERIFY_PEER. \&\fBServer mode:\fR the server will not send a client certificate request during the initial handshake, but will send the request via \&\fBSSL_verify_client_post_handshake()\fR. This allows the SSL_CTX or SSL -to be configured for post-handshake peer verification before the +to be configured for post\-handshake peer verification before the handshake occurs. This flag must be used together with SSL_VERIFY_PEER. TLSv1.3 only; no effect on pre\-TLSv1.3 connections. .Sp 
@@ -196,25 +199,25 @@ If the \fBmode\fR is SSL_VERIFY_NONE none of the other flags may be set. If verification flags are not modified explicitly by \f(CWSSL_CTX_set_verify()\fR or \f(CWSSL_set_verify()\fR, the default value will be SSL_VERIFY_NONE. .PP -The actual verification procedure is performed either using the built-in +The actual verification procedure is performed either using the built\-in verification procedure or using another application provided verification function set with \&\fBSSL_CTX_set_cert_verify_callback\fR\|(3). -The following descriptions apply in the case of the built-in procedure. An +The following descriptions apply in the case of the built\-in procedure. An application provided procedure also has access to the verify depth information and the \fBverify_callback()\fR function, but the way this information is used may be different. .PP \&\fBSSL_CTX_set_verify_depth()\fR and \fBSSL_set_verify_depth()\fR set a limit on the -number of certificates between the end-entity and trust-anchor certificates. +number of certificates between the end\-entity and trust\-anchor certificates. Neither the -end-entity nor the trust-anchor certificates count against \fBdepth\fR. If the +end\-entity nor the trust\-anchor certificates count against \fBdepth\fR. If the certificate chain needed to reach a trusted issuer is longer than \fBdepth+2\fR, X509_V_ERR_CERT_CHAIN_TOO_LONG will be issued. The depth count is "level 0:peer certificate", "level 1: CA certificate", "level 2: higher level CA certificate", and so on. Setting the maximum -depth to 2 allows the levels 0, 1, 2 and 3 (0 being the end-entity and 3 the -trust-anchor). +depth to 2 allows the levels 0, 1, 2 and 3 (0 being the end\-entity and 3 the +trust\-anchor). The default depth limit is 100, allowing for the peer certificate, at most 100 intermediate CA certificates and a final trust anchor certificate. 
@@ -227,7 +230,7 @@ the certificate in question was passed (preverify_ok=1) or not for the certificate chain verification. .PP The certificate chain is checked starting with the deepest nesting level -(the root CA certificate) and worked upward to the peer's certificate. +(the root CA certificate) and worked upward to the peer\*(Aqs certificate. At each level signatures and issuer attributes are checked. Whenever a verification error is found, the error number is stored in \fBx509_ctx\fR and \fBverify_callback\fR is called with \fBpreverify_ok\fR=0. By applying @@ -258,16 +261,16 @@ certificate or certificate callback to its configuration before it can successfully authenticate. This must be called before \fBSSL_connect()\fR. .PP \&\fBSSL_verify_client_post_handshake()\fR requires that verify flags have been -previously set, and that a client sent the post-handshake authentication +previously set, and that a client sent the post\-handshake authentication extension. When the client returns a certificate the verify callback will be invoked. A write operation must take place for the Certificate Request to be sent to the client, this can be done with \fBSSL_do_handshake()\fR or \fBSSL_write_ex()\fR. Only one certificate request may be outstanding at any time. .PP -When post-handshake authentication occurs, a refreshed NewSessionTicket +When post\-handshake authentication occurs, a refreshed NewSessionTicket message is sent to the client. .PP -Post-handshake authentication cannot be used with QUIC. +Post\-handshake authentication cannot be used with QUIC. \&\fBSSL_set_post_handshake_auth()\fR has no effect if called on a QUIC SSL object. .SH BUGS .IX Header "BUGS" diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_use_certificate.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_use_certificate.3 index ede541adb720..6f5ad5c140c3 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_use_certificate.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_use_certificate.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_USE_CERTIFICATE 3ossl" -.TH SSL_CTX_USE_CERTIFICATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_USE_CERTIFICATE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -142,7 +145,7 @@ should be preferred. .PP \&\fBSSL_CTX_use_certificate_chain_file()\fR loads a certificate chain from \&\fBfile\fR into \fBctx\fR. The certificates must be in PEM format and must -be sorted starting with the subject's certificate (actual client or server +be sorted starting with the subject\*(Aqs certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA. \fBSSL_use_certificate_chain_file()\fR is similar except it loads the certificate chain into \fBssl\fR. diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_use_psk_identity_hint.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_use_psk_identity_hint.3 index 5b5d288bcc09..aed4d56d5249 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_use_psk_identity_hint.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_use_psk_identity_hint.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_USE_PSK_IDENTITY_HINT 3ossl" -.TH SSL_CTX_USE_PSK_IDENTITY_HINT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_USE_PSK_IDENTITY_HINT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -127,12 +130,12 @@ ServerKeyExchange message to the client. A server application wishing to use PSKs for TLSv1.2 and below must provide a callback function which is called when the server receives the ClientKeyExchange message from the client. The purpose of the callback function -is to validate the received PSK identity and to fetch the pre-shared key used +is to validate the received PSK identity and to fetch the pre\-shared key used during the connection setup phase. The callback is set using the functions \&\fBSSL_CTX_set_psk_server_callback()\fR or \fBSSL_set_psk_server_callback()\fR. The callback function is given the connection in parameter \fBssl\fR, \fBNUL\fR\-terminated PSK identity sent by the client in parameter \fBidentity\fR, and a buffer \fBpsk\fR of -length \fBmax_psk_len\fR bytes where the pre-shared key is to be stored. +length \fBmax_psk_len\fR bytes where the pre\-shared key is to be stored. .PP The callback for use in TLSv1.2 will also work in TLSv1.3 although it is recommended to use \fBSSL_CTX_set_psk_find_session_callback()\fR 
@@ -180,7 +183,7 @@ below) and TLSv1.3. However, the RFC has this note of caution: .PP "While there is no known way in which the same PSK might produce related output in both versions, only limited analysis has been done. Implementations can -ensure safety from cross-protocol related output by not reusing PSKs between +ensure safety from cross\-protocol related output by not reusing PSKs between TLS 1.3 and TLS 1.2." .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_use_serverinfo.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_use_serverinfo.3 index 839de1ff0a02..c8b6f51f441e 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_use_serverinfo.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_use_serverinfo.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_USE_SERVERINFO 3ossl" -.TH SSL_CTX_USE_SERVERINFO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_USE_SERVERINFO 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -95,7 +98,7 @@ length bytes of extension_data. The context and type values have the same meaning as for \fBSSL_CTX_add_custom_ext\fR\|(3). If serverinfo is being loaded for extensions to be added to a Certificate message, then the extension will only be added for the first certificate in the message (which is always the -end-entity certificate). +end\-entity certificate). .PP If \fBversion\fR is \fBSSL_SERVERINFOV1\fR then the extensions in the array must consist of a 2\-byte Extension Type, a 2\-byte length, and then length bytes of diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_free.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_free.3 index e13dc37a2114..ebcf37dfa5e8 100644 --- a/secure/lib/libcrypto/man/man3/SSL_SESSION_free.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_free.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_FREE 3ossl" -.TH SSL_SESSION_FREE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_FREE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_cipher.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_cipher.3 index c6e9ce19f9e2..441d0ca387f5 100644 --- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_cipher.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_cipher.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_GET0_CIPHER 3ossl" -.TH SSL_SESSION_GET0_CIPHER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_GET0_CIPHER 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_hostname.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_hostname.3 index 2e4dc1ec2ee0..3598514da8a4 100644 --- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_hostname.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_hostname.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_GET0_HOSTNAME 3ossl" -.TH SSL_SESSION_GET0_HOSTNAME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_GET0_HOSTNAME 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -84,18 +87,18 @@ SSL_SESSION_set1_alpn_selected .IX Header "DESCRIPTION" \&\fBSSL_SESSION_get0_hostname()\fR retrieves the Server Name Indication (SNI) value that was sent by the client when the session was created if the server -acknowledged the client's SNI extension by including an empty SNI extension +acknowledged the client\*(Aqs SNI extension by including an empty SNI extension in response. Otherwise NULL is returned. .PP The value returned is a pointer to memory maintained within \fBs\fR and -should not be free'd. +should not be free\*(Aqd. .PP \&\fBSSL_SESSION_set1_hostname()\fR sets the SNI value for the hostname to a copy of the string provided in hostname. .PP \&\fBSSL_SESSION_get0_alpn_selected()\fR retrieves the selected ALPN protocol for this session and its associated length in bytes. The returned value of \fB*alpn\fR is a -pointer to memory maintained within \fBs\fR and should not be free'd. +pointer to memory maintained within \fBs\fR and should not be free\*(Aqd. .PP \&\fBSSL_SESSION_set1_alpn_selected()\fR sets the ALPN protocol for this session to the value in \fBalpn\fR which should be of length \fBlen\fR bytes. A copy of the input diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_id_context.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_id_context.3 index 22bf238b31a8..3249d0a2a78a 100644 --- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_id_context.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_id_context.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_GET0_ID_CONTEXT 3ossl" -.TH SSL_SESSION_GET0_ID_CONTEXT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_GET0_ID_CONTEXT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_peer.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_peer.3 index 8a8640029ff7..16e14a67f3aa 100644 --- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_peer.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_peer.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,17 +52,20 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_GET0_PEER 3ossl" -.TH SSL_SESSION_GET0_PEER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_GET0_PEER 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH NAME SSL_SESSION_get0_peer -\&\- get details about peer's certificate for a session +\&\- get details about peer\*(Aqs certificate for a session .SH SYNOPSIS .IX Header "SYNOPSIS" .Vb 1 diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_compress_id.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_compress_id.3 index cd6bd4a5372e..4cfa403fa7cc 100644 
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_compress_id.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_compress_id.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_GET_COMPRESS_ID 3ossl" -.TH SSL_SESSION_GET_COMPRESS_ID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_GET_COMPRESS_ID 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -74,7 +77,7 @@ SSL_SESSION_get_compress_id .IX Header "DESCRIPTION" If compression has been negotiated for an ssl session then \&\fBSSL_SESSION_get_compress_id()\fR will return the id for the compression method or -0 otherwise. The only built-in supported compression method is zlib which has an +0 otherwise. The only built\-in supported compression method is zlib which has an id of 1. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_protocol_version.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_protocol_version.3 index e4d85938b5d0..6c4287075b2e 100644 --- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_protocol_version.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_protocol_version.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_GET_PROTOCOL_VERSION 3ossl" -.TH SSL_SESSION_GET_PROTOCOL_VERSION 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_GET_PROTOCOL_VERSION 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_time.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_time.3 index 4ad3c22b4855..a1608ce07169 100644 --- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_time.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_time.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_GET_TIME 3ossl" -.TH SSL_SESSION_GET_TIME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_GET_TIME 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_has_ticket.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_has_ticket.3 index 6237606756a0..f8bb9c2c0faf 100644 --- a/secure/lib/libcrypto/man/man3/SSL_SESSION_has_ticket.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_has_ticket.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_HAS_TICKET 3ossl" -.TH SSL_SESSION_HAS_TICKET 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_HAS_TICKET 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_is_resumable.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_is_resumable.3 index c8714b31baa9..80b50a2c3d17 100644 --- a/secure/lib/libcrypto/man/man3/SSL_SESSION_is_resumable.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_is_resumable.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_IS_RESUMABLE 3ossl" -.TH SSL_SESSION_IS_RESUMABLE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_IS_RESUMABLE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -74,7 +77,7 @@ SSL_SESSION_is_resumable .IX Header "DESCRIPTION" \&\fBSSL_SESSION_is_resumable()\fR determines whether an SSL_SESSION object can be used to resume a session or not. Returns 1 if it can or 0 if not. Note that -attempting to resume with a non-resumable session will result in a full +attempting to resume with a non\-resumable session will result in a full handshake. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_print.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_print.3 index 225f08b98a45..70333d67908b 100644 --- a/secure/lib/libcrypto/man/man3/SSL_SESSION_print.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_print.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_PRINT 3ossl" -.TH SSL_SESSION_PRINT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_PRINT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_set1_id.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_set1_id.3 index a812a723c4ec..3775d30166e6 100644 --- a/secure/lib/libcrypto/man/man3/SSL_SESSION_set1_id.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_set1_id.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_SET1_ID 3ossl" -.TH SSL_SESSION_SET1_ID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_SET1_ID 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_accept.3 b/secure/lib/libcrypto/man/man3/SSL_accept.3 index 3080c7c6d42e..7e391257b99d 100644 --- a/secure/lib/libcrypto/man/man3/SSL_accept.3 +++ b/secure/lib/libcrypto/man/man3/SSL_accept.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_ACCEPT 3ossl" -.TH SSL_ACCEPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_ACCEPT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_accept_stream.3 b/secure/lib/libcrypto/man/man3/SSL_accept_stream.3 index 4576233a4878..0e7895f6dcb2 100644 --- a/secure/lib/libcrypto/man/man3/SSL_accept_stream.3 
+++ b/secure/lib/libcrypto/man/man3/SSL_accept_stream.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_ACCEPT_STREAM 3ossl" -.TH SSL_ACCEPT_STREAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_ACCEPT_STREAM 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_alert_type_string.3 b/secure/lib/libcrypto/man/man3/SSL_alert_type_string.3 index fb18de2df110..9549808d31e6 100644 --- a/secure/lib/libcrypto/man/man3/SSL_alert_type_string.3 +++ b/secure/lib/libcrypto/man/man3/SSL_alert_type_string.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_ALERT_TYPE_STRING 3ossl" -.TH SSL_ALERT_TYPE_STRING 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_ALERT_TYPE_STRING 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -93,9 +96,9 @@ a special situation, it sends an alert. The alert is sent as a special message and does not influence the normal data stream (unless its contents results in the communication being canceled). .PP -A warning alert is sent, when a non-fatal error condition occurs. The +A warning alert is sent, when a non\-fatal error condition occurs. The "close notify" alert is sent as a warning alert. Other examples for -non-fatal errors are certificate errors ("certificate expired", +non\-fatal errors are certificate errors ("certificate expired", "unsupported certificate"), for which a warning alert may be sent. (The sending party may however decide to send a fatal error.) The receiving side may cancel the connection on reception of a warning @@ -169,9 +172,9 @@ A field in the handshake was out of range or inconsistent with other fields. This is always fatal. .IP """DC""/""decryption failed""" 4 .IX Item """DC""/""decryption failed""" -A TLSCiphertext decrypted in an invalid way: either it wasn't an +A TLSCiphertext decrypted in an invalid way: either it wasn\*(Aqt an even multiple of the block length or its padding values, when -checked, weren't correct. This message is always fatal. +checked, weren\*(Aqt correct. This message is always fatal. .IP """RO""/""record overflow""" 4 .IX Item """RO""/""record overflow""" A TLSCiphertext record was received which had a length more than @@ -181,7 +184,7 @@ with more than 2^14+1024 bytes. This message is always fatal. .IX Item """CA""/""unknown CA""" A valid certificate chain or partial chain was received, but the certificate was not accepted because the CA certificate could not -be located or couldn't be matched with a known, trusted CA. This +be located or couldn\*(Aqt be matched with a known, trusted CA. This message is always fatal. .IP """AD""/""access denied""" 4 .IX Item """AD""/""access denied""" 
diff --git a/secure/lib/libcrypto/man/man3/SSL_alloc_buffers.3 b/secure/lib/libcrypto/man/man3/SSL_alloc_buffers.3 index cda8b5c6e24d..d3a42492a137 100644 --- a/secure/lib/libcrypto/man/man3/SSL_alloc_buffers.3 +++ b/secure/lib/libcrypto/man/man3/SSL_alloc_buffers.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_ALLOC_BUFFERS 3ossl" -.TH SSL_ALLOC_BUFFERS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_ALLOC_BUFFERS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -85,7 +88,7 @@ can be used to make sure the buffers are preallocated. This can be used to avoid allocation during data processing or with \fBCRYPTO_set_mem_functions()\fR to control where and how buffers are allocated. .PP -These functions are no-ops when used with QUIC SSL objects. For QUIC, +These functions are no\-ops when used with QUIC SSL objects. For QUIC, \&\fBSSL_free_buffers()\fR always fails, and \fBSSL_alloc_buffers()\fR always succeeds. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/SSL_check_chain.3 b/secure/lib/libcrypto/man/man3/SSL_check_chain.3 index bf6bec255c18..9dc62f5a1fca 100644 --- a/secure/lib/libcrypto/man/man3/SSL_check_chain.3 +++ b/secure/lib/libcrypto/man/man3/SSL_check_chain.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CHECK_CHAIN 3ossl" -.TH SSL_CHECK_CHAIN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CHECK_CHAIN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_clear.3 b/secure/lib/libcrypto/man/man3/SSL_clear.3 index 18241a39e243..100c756b19b4 100644 --- a/secure/lib/libcrypto/man/man3/SSL_clear.3 +++ b/secure/lib/libcrypto/man/man3/SSL_clear.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CLEAR 3ossl" -.TH SSL_CLEAR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CLEAR 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -90,7 +93,7 @@ session was a TLSv1 session, an SSL client object will use a TLSv1 client method for the next handshake and an SSL server object will use a TLSv1 server method, even if TLS_*_methods were chosen on startup. This will might lead to connection failures (see \fBSSL_new\fR\|(3)) -for a description of the method's properties. +for a description of the method\*(Aqs properties. .PP This function is not supported on QUIC SSL objects and returns failure if called on such an object. diff --git a/secure/lib/libcrypto/man/man3/SSL_connect.3 b/secure/lib/libcrypto/man/man3/SSL_connect.3 index bdedab3d755c..41fa689c010b 100644 --- a/secure/lib/libcrypto/man/man3/SSL_connect.3 +++ b/secure/lib/libcrypto/man/man3/SSL_connect.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CONNECT 3ossl" -.TH SSL_CONNECT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CONNECT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -93,7 +96,7 @@ nothing is to be done, but \fBselect()\fR can be used to check for the required condition. When using a buffering BIO, like a BIO pair, data must be written into or retrieved out of the BIO before being able to continue. .PP -Many systems implement Nagle's algorithm by default which means that it will +Many systems implement Nagle\*(Aqs algorithm by default which means that it will buffer outgoing TCP data if a TCP packet has already been sent for which no corresponding ACK has been received yet from the peer. This can have performance impacts after a successful TLSv1.3 handshake or a successful TLSv1.2 (or below) @@ -102,8 +105,8 @@ the client. If the client is also the first to send application data (as is typical for many protocols) then this data could be buffered until an ACK has been received for the final handshake message. .PP -The \fBTCP_NODELAY\fR socket option is often available to disable Nagle's -algorithm. If an application opts to disable Nagle's algorithm consideration +The \fBTCP_NODELAY\fR socket option is often available to disable Nagle\*(Aqs +algorithm. If an application opts to disable Nagle\*(Aqs algorithm consideration should be given to turning it back on again later if appropriate. The helper function \fBBIO_set_tcp_ndelay()\fR can be used to turn on or off the \fBTCP_NODELAY\fR option. diff --git a/secure/lib/libcrypto/man/man3/SSL_do_handshake.3 b/secure/lib/libcrypto/man/man3/SSL_do_handshake.3 index 854e479aeffd..f87a830f7e86 100644 --- a/secure/lib/libcrypto/man/man3/SSL_do_handshake.3 +++ b/secure/lib/libcrypto/man/man3/SSL_do_handshake.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_DO_HANDSHAKE 3ossl" -.TH SSL_DO_HANDSHAKE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_DO_HANDSHAKE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_export_keying_material.3 b/secure/lib/libcrypto/man/man3/SSL_export_keying_material.3 index acef4594e2cd..616873d6561d 100644 --- a/secure/lib/libcrypto/man/man3/SSL_export_keying_material.3 +++ b/secure/lib/libcrypto/man/man3/SSL_export_keying_material.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_EXPORT_KEYING_MATERIAL 3ossl" -.TH SSL_EXPORT_KEYING_MATERIAL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_EXPORT_KEYING_MATERIAL 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_extension_supported.3 b/secure/lib/libcrypto/man/man3/SSL_extension_supported.3 index f7c21fad7745..2e97c04fadd5 100644 --- a/secure/lib/libcrypto/man/man3/SSL_extension_supported.3 +++ b/secure/lib/libcrypto/man/man3/SSL_extension_supported.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_EXTENSION_SUPPORTED 3ossl" -.TH SSL_EXTENSION_SUPPORTED 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_EXTENSION_SUPPORTED 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -230,7 +233,7 @@ the callback returns. .IX Header "EXTENSION CONTEXTS" An extension context defines which messages and under which conditions an extension should be added or expected. The context is built up by performing -a bitwise OR of multiple pre-defined values together. The valid context values +a bitwise OR of multiple pre\-defined values together. The valid context values are: .IP SSL_EXT_TLS_ONLY 4 .IX Item "SSL_EXT_TLS_ONLY" diff --git a/secure/lib/libcrypto/man/man3/SSL_free.3 b/secure/lib/libcrypto/man/man3/SSL_free.3 index a9cdfae29089..c922f1040387 100644 --- a/secure/lib/libcrypto/man/man3/SSL_free.3 +++ b/secure/lib/libcrypto/man/man3/SSL_free.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_FREE 3ossl" -.TH SSL_FREE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_FREE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -97,14 +100,14 @@ parts of the stream are reset unless those parts have already been concluded normally: .IP \(bu 4 If the stream has a sending part (in other words, if it is bidirectional or a -locally-initiated unidirectional stream) and that part has not been concluded +locally\-initiated unidirectional stream) and that part has not been concluded via a call to \fBSSL_stream_conclude\fR\|(3) or \fBSSL_stream_reset\fR\|(3) on the QUIC stream SSL object, a call to \fBSSL_free()\fR automatically resets the sending part of the stream as though \fBSSL_stream_reset\fR\|(3) were called with a QUIC application error code of 0. .IP \(bu 4 If the stream has a receiving part (in other words, if it is bidirectional or a -remotely-initiated unidirectional stream), and the peer has not yet concluded +remotely\-initiated unidirectional stream), and the peer has not yet concluded that part of the stream normally (such as via a call to \&\fBSSL_stream_conclude\fR\|(3) on its own end), a call to \fBSSL_free()\fR automatically requests the reset of the receiving part of the stream using a QUIC STOP_SENDING diff --git a/secure/lib/libcrypto/man/man3/SSL_get0_connection.3 b/secure/lib/libcrypto/man/man3/SSL_get0_connection.3 index 54737056af2d..aebe461095d4 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get0_connection.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get0_connection.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET0_CONNECTION 3ossl" -.TH SSL_GET0_CONNECTION 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET0_CONNECTION 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -79,15 +82,15 @@ to. .PP When called on a QUIC connection SSL object, it returns the same object. .PP -When called on a non-QUIC object, it returns the same object it was passed. +When called on a non\-QUIC object, it returns the same object it was passed. .PP -\&\fBSSL_is_connection()\fR returns 1 for QUIC connection SSL objects and for non-QUIC +\&\fBSSL_is_connection()\fR returns 1 for QUIC connection SSL objects and for non\-QUIC SSL objects, but returns 0 for QUIC stream SSL objects. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBSSL_get0_connection()\fR returns the QUIC connection SSL object (for a QUIC stream SSL object) and otherwise returns the same SSL object passed. It always returns -non-NULL. +non\-NULL. .PP \&\fBSSL_is_connection()\fR returns 1 if the SSL object is not a QUIC stream SSL object and 0 otherwise. diff --git a/secure/lib/libcrypto/man/man3/SSL_get0_group_name.3 b/secure/lib/libcrypto/man/man3/SSL_get0_group_name.3 index 16cdf66dc09a..85bd965f371e 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get0_group_name.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get0_group_name.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET0_GROUP_NAME 3ossl" -.TH SSL_GET0_GROUP_NAME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET0_GROUP_NAME 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -76,7 +79,7 @@ agreement of the current TLS session establishment the key agreement of the current TLS session establishment. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -If non-NULL, \fBSSL_get0_group_name()\fR returns the name of the group that was used for +If non\-NULL, \fBSSL_get0_group_name()\fR returns the name of the group that was used for the key agreement of the current TLS session establishment. If \fBSSL_get0_group_name()\fR returns NULL, an error occurred; possibly no TLS session has been established. See also \fBSSL_get_negotiated_group\fR\|(3). diff --git a/secure/lib/libcrypto/man/man3/SSL_get0_peer_rpk.3 b/secure/lib/libcrypto/man/man3/SSL_get0_peer_rpk.3 index 6654705c9e0d..0757fb4f1cf8 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get0_peer_rpk.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get0_peer_rpk.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET0_PEER_RPK 3ossl" -.TH SSL_GET0_PEER_RPK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET0_PEER_RPK 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -80,17 +83,17 @@ SSL_SESSION_get0_peer_rpk \- raw public key (RFC7250) support .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBSSL_add_expected_rpk()\fR adds a DANE TLSA record matching public key \fBrpk\fR -to SSL \fBs\fR's DANE validation policy. +to SSL \fBs\fR\*(Aqs DANE validation policy. .PP -\&\fBSSL_get_negotiated_client_cert_type()\fR returns the connection's negotiated +\&\fBSSL_get_negotiated_client_cert_type()\fR returns the connection\*(Aqs negotiated client certificate type. .PP -\&\fBSSL_get_negotiated_server_cert_type()\fR returns the connection's negotiated +\&\fBSSL_get_negotiated_server_cert_type()\fR returns the connection\*(Aqs negotiated server certificate type. .PP -\&\fBSSL_get0_peer_rpk()\fR returns the peer's raw public key from SSL \fBs\fR. +\&\fBSSL_get0_peer_rpk()\fR returns the peer\*(Aqs raw public key from SSL \fBs\fR. .PP -\&\fBSSL_SESSION_get0_peer_rpk()\fR returns the peer's raw public key from +\&\fBSSL_SESSION_get0_peer_rpk()\fR returns the peer\*(Aqs raw public key from SSL_SESSION \fBss\fR. .SH NOTES .IX Header "NOTES" 
@@ -115,13 +118,13 @@ private key. The \fBSSL_add_expected_rpk()\fR function is a wrapper around \&\fBSSL_dane_tlsa_add\fR\|(3). When DANE is enabled via \fBSSL_dane_enable\fR\|(3), the configured TLSA records -will be used to validate the peer's public key or certificate. +will be used to validate the peer\*(Aqs public key or certificate. If DANE is not enabled, then no validation will occur. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBSSL_add_expected_rpk()\fR returns 1 on success and 0 on failure. .PP -\&\fBSSL_get0_peer_rpk()\fR and \fBSSL_SESSION_get0_peer_rpk()\fR return the peer's raw +\&\fBSSL_get0_peer_rpk()\fR and \fBSSL_SESSION_get0_peer_rpk()\fR return the peer\*(Aqs raw public key as an EVP_PKEY or NULL when the raw public key is not available. .PP \&\fBSSL_get_negotiated_client_cert_type()\fR and \fBSSL_get_negotiated_server_cert_type()\fR diff --git a/secure/lib/libcrypto/man/man3/SSL_get0_peer_scts.3 b/secure/lib/libcrypto/man/man3/SSL_get0_peer_scts.3 index 8a95e66edd15..cae13b13636e 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get0_peer_scts.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get0_peer_scts.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET0_PEER_SCTS 3ossl" -.TH SSL_GET0_PEER_SCTS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET0_PEER_SCTS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -74,7 +77,7 @@ SSL_get0_peer_scts \- get SCTs received \&\fBSSL_get0_peer_scts()\fR returns the signed certificate timestamps (SCTs) that have been received. If this is the first time that this function has been called for a given \fBSSL\fR instance, it will examine the TLS extensions, OCSP response and -the peer's certificate for SCTs. Future calls will return the same SCTs. +the peer\*(Aqs certificate for SCTs. Future calls will return the same SCTs. .SH RESTRICTIONS .IX Header "RESTRICTIONS" If no Certificate Transparency validation callback has been set (using diff --git a/secure/lib/libcrypto/man/man3/SSL_get1_builtin_sigalgs.3 b/secure/lib/libcrypto/man/man3/SSL_get1_builtin_sigalgs.3 index e45b2dab22ea..7f3d07b06721 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get1_builtin_sigalgs.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get1_builtin_sigalgs.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET1_BUILTIN_SIGALGS 3ossl" -.TH SSL_GET1_BUILTIN_SIGALGS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET1_BUILTIN_SIGALGS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -71,12 +74,12 @@ SSL_get1_builtin_sigalgs \- get list of built\-in signature algorithms .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -Return the colon-separated list of built-in and available TLS signature +Return the colon\-separated list of built\-in and available TLS signature algorithms. The string returned must be freed by the user using \fBOPENSSL_free\fR\|(3). .SH NOTES .IX Header "NOTES" -The string may be empty (strlen==0) if none of the built-in TLS signature +The string may be empty (strlen==0) if none of the built\-in TLS signature algorithms can be activated, e.g., if suitable providers are missing. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/SSL_get_SSL_CTX.3 b/secure/lib/libcrypto/man/man3/SSL_get_SSL_CTX.3 index c492534d2563..8ee1b23df6fc 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_SSL_CTX.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_SSL_CTX.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_SSL_CTX 3ossl" -.TH SSL_GET_SSL_CTX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_SSL_CTX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_get_all_async_fds.3 b/secure/lib/libcrypto/man/man3/SSL_get_all_async_fds.3 index 5e910688f6a8..68bbea0aedb6 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_all_async_fds.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_all_async_fds.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_ALL_ASYNC_FDS 3ossl" -.TH SSL_GET_ALL_ASYNC_FDS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_ALL_ASYNC_FDS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -119,7 +122,7 @@ On Windows platforms the \fI<openssl/async.h>\fR header is dependent on some of the types customarily made available by including \fI<windows.h>\fR. The application developer is likely to require control over when the latter is included, commonly as one of the first included headers. Therefore, -it is defined as an application developer's responsibility to include +it is defined as an application developer\*(Aqs responsibility to include \&\fI<windows.h>\fR prior to \fI<openssl/async.h>\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/SSL_get_certificate.3 b/secure/lib/libcrypto/man/man3/SSL_get_certificate.3 index 5f63cb3fa9bf..6a12ae82ab0e 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_certificate.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_certificate.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_CERTIFICATE 3ossl" -.TH SSL_GET_CERTIFICATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_CERTIFICATE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -74,7 +77,7 @@ private key .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBSSL_get_certificate()\fR returns a pointer to an \fBX509\fR object representing a -certificate used as the local peer's identity. +certificate used as the local peer\*(Aqs identity. .PP Multiple certificates can be configured; for example, a server might have both RSA and ECDSA certificates. The certificate which is returned by @@ -94,8 +97,8 @@ selection occurs. .PP A specific use for \fBSSL_get_certificate()\fR is inside a callback set via a call to \&\fBSSL_CTX_set_tlsext_status_cb\fR\|(3). This callback occurs after certificate -selection, where it can be used to examine a server's chosen certificate, for -example for the purpose of identifying a certificate's OCSP responder URL so +selection, where it can be used to examine a server\*(Aqs chosen certificate, for +example for the purpose of identifying a certificate\*(Aqs OCSP responder URL so that an OCSP response can be obtained. .PP \&\fBSSL_get_privatekey()\fR returns a pointer to the \fBEVP_PKEY\fR object corresponding diff --git a/secure/lib/libcrypto/man/man3/SSL_get_ciphers.3 b/secure/lib/libcrypto/man/man3/SSL_get_ciphers.3 index 117273697827..cdfd62db176c 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_ciphers.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_ciphers.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_CIPHERS 3ossl" -.TH SSL_GET_CIPHERS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_CIPHERS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -110,10 +113,10 @@ list received from the client on \fBssl\fR. If \fBssl\fR is NULL, no ciphers are available, or \fBssl\fR is not operating in server mode, NULL is returned. .PP \&\fBSSL_bytes_to_cipher_list()\fR treats the supplied \fBlen\fR octets in \fBbytes\fR -as a wire-protocol cipher suite specification (in the three-octet-per-cipher -SSLv2 wire format if \fBisv2format\fR is nonzero; otherwise the two-octet +as a wire\-protocol cipher suite specification (in the three\-octet\-per\-cipher +SSLv2 wire format if \fBisv2format\fR is nonzero; otherwise the two\-octet SSLv3/TLS wire format), and parses the cipher suites supported by the library -into the returned stacks of SSL_CIPHER objects sk and Signalling Cipher-Suite +into the returned stacks of SSL_CIPHER objects sk and Signalling Cipher\-Suite Values scsvs. Unsupported cipher suites are ignored. Returns 1 on success and 0 on failure. .PP diff --git a/secure/lib/libcrypto/man/man3/SSL_get_client_random.3 b/secure/lib/libcrypto/man/man3/SSL_get_client_random.3 index 266836d34feb..32e73eae08cb 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_client_random.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_client_random.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_CLIENT_RANDOM 3ossl" -.TH SSL_GET_CLIENT_RANDOM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_CLIENT_RANDOM 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -104,15 +107,15 @@ associated with \fBin\fR. The caller must ensure that the length of the key is suitable for the ciphersuite associated with the SSL_SESSION. .SH NOTES .IX Header "NOTES" -You probably shouldn't use these functions. +You probably shouldn\*(Aqt use these functions. .PP These functions expose internal values from the TLS handshake, for -use in low-level protocols. You probably should not use them, unless +use in low\-level protocols. You probably should not use them, unless you are implementing something that needs access to the internal protocol details. .PP Despite the names of \fBSSL_get_client_random()\fR and \fBSSL_get_server_random()\fR, they -ARE NOT random number generators. Instead, they return the mostly-random values that +ARE NOT random number generators. Instead, they return the mostly\-random values that were already generated and used in the TLS protocol. Using them in place of \fBRAND_bytes()\fR would be grossly foolish. .PP diff --git a/secure/lib/libcrypto/man/man3/SSL_get_conn_close_info.3 b/secure/lib/libcrypto/man/man3/SSL_get_conn_close_info.3 index 1d6693696ba1..83b122387b1a 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_conn_close_info.3 
+++ b/secure/lib/libcrypto/man/man3/SSL_get_conn_close_info.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_CONN_CLOSE_INFO 3ossl" -.TH SSL_GET_CONN_CLOSE_INFO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_CONN_CLOSE_INFO 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -134,7 +137,7 @@ OSSL_QUIC_LOCAL_ERR_IDLE_TIMEOUT The \fBSSL_get_conn_close_info()\fR function provides information about why and how a QUIC connection was closed. .PP -Connection closure information is written to \fI*info\fR, which must be non-NULL. +Connection closure information is written to \fI*info\fR, which must be non\-NULL. \&\fIinfo_len\fR must be set to \f(CWsizeof(*info)\fR. .PP The following fields are set: 
@@ -152,9 +155,9 @@ frame type was specified as causing the connection to be closed. If \&\fBSSL_CONN_CLOSE_FLAG_TRANSPORT\fR is not set, this is set to 0. .IP \fIreason\fR 4 .IX Item "reason" -If non-NULL, this is intended to be a UTF\-8 textual string briefly describing +If non\-NULL, this is intended to be a UTF\-8 textual string briefly describing the reason for connection closure. The length of the reason string in bytes is -given in \fIreason_len\fR. While, if non-NULL, OpenSSL guarantees that this string +given in \fIreason_len\fR. While, if non\-NULL, OpenSSL guarantees that this string will be zero terminated, consider that this buffer may originate from the (untrusted) peer and thus may also contain zero bytes elsewhere. Therefore, use of \fIreason_len\fR is recommended. @@ -183,7 +186,7 @@ a TLS alert code into a QUIC transport error code by mapping it into the range reserved for such codes by RFC 9000. This range begins at \&\fBOSSL_QUIC_ERR_CRYPTO_ERR_BEGIN\fR and ends at \fBOSSL_QUIC_ERR_CRYPTO_ERR_END\fR inclusive. -.SH "NON-STANDARD TRANSPORT ERROR CODES" +.SH "NON\-STANDARD TRANSPORT ERROR CODES" .IX Header "NON-STANDARD TRANSPORT ERROR CODES" Some conditions which can cause QUIC connection termination are not signalled on the wire and therefore do not have standard error codes. OpenSSL indicates these @@ -197,7 +200,7 @@ The connection was terminated immediately due to the idle timeout expiring. .IX Header "RETURN VALUES" \&\fBSSL_get_conn_close_info()\fR returns 1 on success and 0 on failure. This function fails if called on a QUIC connection SSL object which has not yet been -terminated. It also fails if called on a QUIC stream SSL object or a non-QUIC +terminated. It also fails if called on a QUIC stream SSL object or a non\-QUIC SSL object. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/SSL_get_current_cipher.3 b/secure/lib/libcrypto/man/man3/SSL_get_current_cipher.3 index a153710a430c..3e41ff6f585f 100644 
--- a/secure/lib/libcrypto/man/man3/SSL_get_current_cipher.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_current_cipher.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_CURRENT_CIPHER 3ossl" -.TH SSL_GET_CURRENT_CIPHER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_CURRENT_CIPHER 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -98,7 +101,7 @@ This may be the case during handshake processing, when control flow can be returned to the application via any of several callback methods. The internal sequencing of handshake processing and callback invocation is not guaranteed to be stable from release to release, and at present only the callback set -by \fBSSL_CTX_set_alpn_select_cb()\fR is guaranteed to have a non-NULL return value. +by \fBSSL_CTX_set_alpn_select_cb()\fR is guaranteed to have a non\-NULL return value. Other callbacks may be added to this list over time. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/SSL_get_default_timeout.3 b/secure/lib/libcrypto/man/man3/SSL_get_default_timeout.3 index 78fd7e628ca3..97ccfd3066fe 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_default_timeout.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_default_timeout.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_DEFAULT_TIMEOUT 3ossl" -.TH SSL_GET_DEFAULT_TIMEOUT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_DEFAULT_TIMEOUT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_get_error.3 b/secure/lib/libcrypto/man/man3/SSL_get_error.3 index 5d9a1b139cf2..b9659c15ea26 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_error.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_error.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_ERROR 3ossl" -.TH SSL_GET_ERROR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_ERROR 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -78,11 +81,12 @@ statement) for a preceding call to \fBSSL_connect()\fR, \fBSSL_accept()\fR, \fBS function must be passed to \fBSSL_get_error()\fR in parameter \fBret\fR. .PP In addition to \fBssl\fR and \fBret\fR, \fBSSL_get_error()\fR inspects the -current thread's OpenSSL error queue. Thus, \fBSSL_get_error()\fR must be +current thread\*(Aqs OpenSSL error queue. Thus, \fBSSL_get_error()\fR must be used in the same thread that performed the TLS/SSL I/O operation, and no other OpenSSL function calls should appear in between. The current -thread's error queue must be empty before the TLS/SSL I/O operation is -attempted, or \fBSSL_get_error()\fR will not work reliably. +thread\*(Aqs error queue must be empty before the TLS/SSL I/O operation is +attempted, or \fBSSL_get_error()\fR will not work reliably. Emptying the +current thread\*(Aqs error queue is done with \fBERR_clear_error\fR\|(3). .SH NOTES .IX Header "NOTES" Some TLS implementations do not send a close_notify alert on shutdown. @@ -114,7 +118,7 @@ is set. See \fBSSL_CTX_set_options\fR\|(3) for more details. .IX Item "SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE" The operation did not complete and can be retried later. .Sp -For non-QUIC SSL objects, \fBSSL_ERROR_WANT_READ\fR is returned when the last +For non\-QUIC SSL objects, \fBSSL_ERROR_WANT_READ\fR is returned when the last operation was a read operation from a nonblocking \fBBIO\fR. It means that not enough data was available at this time to complete the operation. 
@@ -126,7 +130,7 @@ still unprocessed data available at either the \fBSSL\fR or the \fBBIO\fR layer, for a blocking \fBBIO\fR. See \fBSSL_read\fR\|(3) for more information. .Sp -For non-QUIC SSL objects, \fBSSL_ERROR_WANT_WRITE\fR is returned when the last +For non\-QUIC SSL objects, \fBSSL_ERROR_WANT_WRITE\fR is returned when the last operation was a write to a nonblocking \fBBIO\fR and it was unable to send all data to the \fBBIO\fR. When the \fBBIO\fR is writable again, the same function can be called again. @@ -210,7 +214,7 @@ The TLS/SSL I/O function should be called again later. Details depend on the application. .IP SSL_ERROR_SYSCALL 4 .IX Item "SSL_ERROR_SYSCALL" -Some non-recoverable, fatal I/O error occurred. The OpenSSL error queue may +Some non\-recoverable, fatal I/O error occurred. The OpenSSL error queue may contain more information on the error. For socket I/O on Unix systems, consult \&\fBerrno\fR for details. If this error occurs then no further I/O operations should be performed on the connection and \fBSSL_shutdown()\fR must not be called. 
@@ -219,13 +223,17 @@ This value can also be returned for other errors, check the error queue for details. .IP SSL_ERROR_SSL 4 .IX Item "SSL_ERROR_SSL" -A non-recoverable, fatal error in the SSL library occurred, usually a protocol +A non\-recoverable, fatal error in the SSL library occurred, usually a protocol error. The OpenSSL error queue contains more information on the error. If this error occurs then no further I/O operations should be performed on the connection and \fBSSL_shutdown()\fR must not be called. +.PP +The OpenSSL error queue can be inspected with the \fBERR\fR family of functions, +such as \fBERR_print_errors\fR\|(3) and \fBERR_peek_last_error_all\fR\|(3). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fBssl\fR\|(7) +\&\fBssl\fR\|(7), +\&\fBERR_clear_error\fR\|(3), \fBERR_print_errors\fR\|(3), \fBERR_peek_last_error_all\fR\|(3) .SH HISTORY .IX Header "HISTORY" The SSL_ERROR_WANT_ASYNC error code was added in OpenSSL 1.1.0. diff --git a/secure/lib/libcrypto/man/man3/SSL_get_event_timeout.3 b/secure/lib/libcrypto/man/man3/SSL_get_event_timeout.3 index 6457e8c3dbb2..e51b074c3699 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_event_timeout.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_event_timeout.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_EVENT_TIMEOUT 3ossl" -.TH SSL_GET_EVENT_TIMEOUT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_EVENT_TIMEOUT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -75,7 +78,7 @@ handled \&\fBSSL_get_event_timeout()\fR determines when the SSL object next needs to perform internal processing due to the passage of time. .PP -All arguments are required; \fItv\fR and \fIis_infinite\fR must be non-NULL. +All arguments are required; \fItv\fR and \fIis_infinite\fR must be non\-NULL. .PP Upon the successful return of \fBSSL_get_event_timeout()\fR, one of the following cases applies: diff --git a/secure/lib/libcrypto/man/man3/SSL_get_extms_support.3 b/secure/lib/libcrypto/man/man3/SSL_get_extms_support.3 index 86540ba0228c..534a0e7fd60d 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_extms_support.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_extms_support.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_EXTMS_SUPPORT 3ossl" -.TH SSL_GET_EXTMS_SUPPORT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_EXTMS_SUPPORT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_fd.3 b/secure/lib/libcrypto/man/man3/SSL_get_fd.3 index ca61e5a49abd..aa9688061e80 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_fd.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_fd.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_FD 3ossl" -.TH SSL_GET_FD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_FD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_get_handshake_rtt.3 b/secure/lib/libcrypto/man/man3/SSL_get_handshake_rtt.3 index 53acd3f6a938..8ed197193a46 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_handshake_rtt.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_handshake_rtt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_HANDSHAKE_RTT 3ossl" -.TH SSL_GET_HANDSHAKE_RTT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_HANDSHAKE_RTT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -72,7 +75,7 @@ SSL_get_handshake_rtt .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBSSL_get_handshake_rtt()\fR retrieves the round-trip time (RTT) for \fIssl\fR. +\&\fBSSL_get_handshake_rtt()\fR retrieves the round\-trip time (RTT) for \fIssl\fR. .PP This metric is represented in microseconds (us) as a uint64_t data type. .SH NOTES 
@@ -83,17 +86,17 @@ providing the difference between these two times. When acting as the server, one timestamp is taken when the server is finished writing to the client. This is during the ServerFinished in TLS 1.3 and ServerHelloDone in TLS 1.2. The other timestamp is taken when the server is -done reading the client's response. This is after the client has responded +done reading the client\*(Aqs response. This is after the client has responded with ClientFinished. .PP When acting as the client, one timestamp is taken when the client is finished writing the ClientHello and early data (if any). The other is taken when -client is done reading the server's response. This is after ServerFinished in +client is done reading the server\*(Aqs response. This is after ServerFinished in TLS 1.3 and after ServerHelloDone in TLS 1.2. .PP In addition to network propagation delay and network stack overhead, this metric includes processing time on both endpoints, as this is based on TLS -protocol-level messages and the TLS protocol is not designed to measure +protocol\-level messages and the TLS protocol is not designed to measure network timings. In some cases the processing time can be significant, especially when the processing includes asymmetric cryptographic operations. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/SSL_get_peer_cert_chain.3 b/secure/lib/libcrypto/man/man3/SSL_get_peer_cert_chain.3 index 660a9396f182..d6be30667779 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_peer_cert_chain.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_peer_cert_chain.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_PEER_CERT_CHAIN 3ossl" -.TH SSL_GET_PEER_CERT_CHAIN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_PEER_CERT_CHAIN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -75,8 +78,8 @@ chain of the peer .IX Header "DESCRIPTION" \&\fBSSL_get_peer_cert_chain()\fR returns a pointer to STACK_OF(X509) certificates forming the certificate chain sent by the peer. If called on the client side, -the stack also contains the peer's certificate; if called on the server -side, the peer's certificate must be obtained separately using +the stack also contains the peer\*(Aqs certificate; if called on the server +side, the peer\*(Aqs certificate must be obtained separately using \&\fBSSL_get_peer_certificate\fR\|(3). If the peer did not present a certificate, NULL is returned. .PP @@ -85,7 +88,7 @@ only consists of certificates the peer has sent (in the order the peer has sent them) it is \fBnot\fR a verified chain. .PP \&\fBSSL_get0_verified_chain()\fR returns the \fBverified\fR certificate chain -of the peer including the peer's end entity certificate. It must be called +of the peer including the peer\*(Aqs end entity certificate. It must be called after a session has been successfully established. If peer verification was not successful (as indicated by \fBSSL_get_verify_result()\fR not returning X509_V_OK) the chain may be incomplete or invalid. diff --git a/secure/lib/libcrypto/man/man3/SSL_get_peer_certificate.3 b/secure/lib/libcrypto/man/man3/SSL_get_peer_certificate.3 index 323e5f9d6fe3..dce0032c35e4 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_peer_certificate.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_peer_certificate.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_PEER_CERTIFICATE 3ossl" -.TH SSL_GET_PEER_CERTIFICATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_PEER_CERTIFICATE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_get_peer_signature_nid.3 b/secure/lib/libcrypto/man/man3/SSL_get_peer_signature_nid.3 index b95d2775140e..d9407663ac01 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_peer_signature_nid.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_peer_signature_nid.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_PEER_SIGNATURE_NID 3ossl" -.TH SSL_GET_PEER_SIGNATURE_NID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_PEER_SIGNATURE_NID 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -93,8 +96,8 @@ by the peer to sign TLS messages. It is implemented as a macro. type used by the peer to sign TLS messages. Currently the signature type is the NID of the public key type used for signing except for PSS signing where it is \fBEVP_PKEY_RSA_PSS\fR. To differentiate between -\&\fBrsa_pss_rsae_*\fR and \fBrsa_pss_pss_*\fR signatures, it's necessary to check -the type of public key in the peer's certificate. +\&\fBrsa_pss_rsae_*\fR and \fBrsa_pss_pss_*\fR signatures, it\*(Aqs necessary to check +the type of public key in the peer\*(Aqs certificate. .PP \&\fBSSL_get0_signature_name()\fR, \fBSSL_get_signature_nid()\fR and \&\fBSSL_get_signature_type_nid()\fR return the equivalent information for the local diff --git a/secure/lib/libcrypto/man/man3/SSL_get_peer_tmp_key.3 b/secure/lib/libcrypto/man/man3/SSL_get_peer_tmp_key.3 index 35b5240e70ba..187342da4e69 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_peer_tmp_key.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_peer_tmp_key.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_PEER_TMP_KEY 3ossl" -.TH SSL_GET_PEER_TMP_KEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_PEER_TMP_KEY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -76,14 +79,14 @@ about temporary keys used during a handshake .IX Header "DESCRIPTION" \&\fBSSL_get_peer_tmp_key()\fR returns the temporary key provided by the peer and used during key exchange. For example, if ECDHE is in use, then this represents -the peer's public ECDHE key. On success a pointer to the key is stored in -\&\fB*key\fR. It is the caller's responsibility to free this key after use using +the peer\*(Aqs public ECDHE key. On success a pointer to the key is stored in +\&\fB*key\fR. It is the caller\*(Aqs responsibility to free this key after use using \&\fBEVP_PKEY_free\fR\|(3). .PP \&\fBSSL_get_server_tmp_key()\fR is a backwards compatibility alias for \&\fBSSL_get_peer_tmp_key()\fR. Under that name it worked just on the client side of the connection, its -behaviour on the server end is release-dependent. +behaviour on the server end is release\-dependent. .PP \&\fBSSL_get_tmp_key()\fR returns the equivalent information for the local end of the connection. diff --git a/secure/lib/libcrypto/man/man3/SSL_get_psk_identity.3 b/secure/lib/libcrypto/man/man3/SSL_get_psk_identity.3 index 504ac6e78fb9..340e2caa34af 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_psk_identity.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_psk_identity.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_PSK_IDENTITY 3ossl" -.TH SSL_GET_PSK_IDENTITY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_PSK_IDENTITY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_get_rbio.3 b/secure/lib/libcrypto/man/man3/SSL_get_rbio.3 index ac5cfe180c62..3ab504a9f2fd 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_rbio.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_rbio.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_RBIO 3ossl" -.TH SSL_GET_RBIO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_RBIO 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_get_rpoll_descriptor.3 b/secure/lib/libcrypto/man/man3/SSL_get_rpoll_descriptor.3 index e8de4b7c1c1a..c5732ca7bc44 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_rpoll_descriptor.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_rpoll_descriptor.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_RPOLL_DESCRIPTOR 3ossl" -.TH SSL_GET_RPOLL_DESCRIPTOR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_RPOLL_DESCRIPTOR 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -115,12 +118,12 @@ may change in response to any call to the SSL object other than \&\fBSSL_net_read_desired()\fR, \fBSSL_net_write_desired()\fR, \fBSSL_get_rpoll_descriptor()\fR, \&\fBSSL_get_wpoll_descriptor()\fR and \fBSSL_get_event_timeout()\fR. .PP -On non-QUIC SSL objects, calls to \fBSSL_get_rpoll_descriptor()\fR and +On non\-QUIC SSL objects, calls to \fBSSL_get_rpoll_descriptor()\fR and \&\fBSSL_get_wpoll_descriptor()\fR function the same as calls to \&\fBBIO_get_rpoll_descriptor()\fR and \fBBIO_get_wpoll_descriptor()\fR on the respective read and write BIOs configured on the SSL object. .PP -On non-QUIC SSL objects, calls to \fBSSL_net_read_desired()\fR and +On non\-QUIC SSL objects, calls to \fBSSL_net_read_desired()\fR and \&\fBSSL_net_write_desired()\fR function identically to calls to \fBSSL_want_read()\fR and \&\fBSSL_want_write()\fR respectively. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/SSL_get_session.3 b/secure/lib/libcrypto/man/man3/SSL_get_session.3 index b2d189fbb611..98101c01fc50 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_session.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_session.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_SESSION 3ossl" -.TH SSL_GET_SESSION 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_SESSION 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -83,7 +86,7 @@ that the pointer can become invalid by other operations. count of the \fBSSL_SESSION\fR is incremented by one. .SH NOTES .IX Header "NOTES" -The ssl session contains all information required to re-establish the +The ssl session contains all information required to re\-establish the connection without a full handshake for SSL versions up to and including TLSv1.2. In TLSv1.3 the same is true, but sessions are established after the main handshake has occurred. The server will send the session information to the @@ -110,7 +113,7 @@ enables applications to obtain information about all sessions sent by the server. .PP A session will be automatically removed from the session cache and marked as -non-resumable if the connection is not closed down cleanly, e.g. if a fatal +non\-resumable if the connection is not closed down cleanly, e.g. if a fatal error occurs on the connection or \fBSSL_shutdown\fR\|(3) is not called prior to \&\fBSSL_free\fR\|(3). .PP 
@@ -132,7 +135,7 @@ but stays in memory. In order to remove the session to decrement the reference count again. .PP SSL_SESSION objects keep internal link information about the session cache -list, when being inserted into one SSL_CTX object's session cache. +list, when being inserted into one SSL_CTX object\*(Aqs session cache. One SSL_SESSION object, regardless of its reference count, must therefore only be used with one SSL_CTX object (and the SSL objects created from this SSL_CTX object). diff --git a/secure/lib/libcrypto/man/man3/SSL_get_shared_sigalgs.3 b/secure/lib/libcrypto/man/man3/SSL_get_shared_sigalgs.3 index 32600c67002c..73ce18a83bec 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_shared_sigalgs.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_shared_sigalgs.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_SHARED_SIGALGS 3ossl" -.TH SSL_GET_SHARED_SIGALGS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_SHARED_SIGALGS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -94,7 +97,7 @@ signature algorithms or \fB0\fR if the \fBidx\fR parameter is out of range. .SH NOTES .IX Header "NOTES" These functions are typically called for debugging purposes (to report -the peer's preferences) or where an application wants finer control over +the peer\*(Aqs preferences) or where an application wants finer control over certificate selection. Most applications will rely on internal handling and will not need to call them. .PP diff --git a/secure/lib/libcrypto/man/man3/SSL_get_stream_id.3 b/secure/lib/libcrypto/man/man3/SSL_get_stream_id.3 index 4532db6247d3..8857297b264b 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_stream_id.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_stream_id.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_STREAM_ID 3ossl" -.TH SSL_GET_STREAM_ID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_STREAM_ID 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -93,7 +96,7 @@ The SSL object is a QUIC connection SSL object without a default stream attached. .IP \fBSSL_STREAM_TYPE_BIDI\fR 4 .IX Item "SSL_STREAM_TYPE_BIDI" -The SSL object is a non-QUIC SSL object, or is a QUIC stream object (or QUIC +The SSL object is a non\-QUIC SSL object, or is a QUIC stream object (or QUIC connection SSL object with a default stream attached), and that stream is a bidirectional QUIC stream. .IP \fBSSL_STREAM_TYPE_READ\fR 4 
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_stream_read_state.3 b/secure/lib/libcrypto/man/man3/SSL_get_stream_read_state.3 index 4c9e5f147b02..6232c2af8bfc 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_stream_read_state.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_stream_read_state.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_STREAM_READ_STATE 3ossl" -.TH SSL_GET_STREAM_READ_STATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_STREAM_READ_STATE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -94,7 +97,7 @@ overall state of the receiving and sending parts of a QUIC stream, respectively. They both return one of the following values: .IP \fBSSL_STREAM_STATE_NONE\fR 4 .IX Item "SSL_STREAM_STATE_NONE" -This value is returned if called on a non-QUIC SSL object, or on a QUIC +This value is returned if called on a non\-QUIC SSL object, or on a QUIC connection SSL object without a default stream attached. .IP \fBSSL_STREAM_STATE_OK\fR 4 .IX Item "SSL_STREAM_STATE_OK" 
@@ -103,9 +106,9 @@ healthy. .IP \fBSSL_STREAM_STATE_WRONG_DIR\fR 4 .IX Item "SSL_STREAM_STATE_WRONG_DIR" This value is returned if \fBSSL_get_stream_read_state()\fR is called on a -locally-initiated (and thus send-only) unidirectional stream, or, conversely, if -\&\fBSSL_get_stream_write_state()\fR is called on a remotely-initiated (and thus -receive-only) unidirectional stream. +locally\-initiated (and thus send\-only) unidirectional stream, or, conversely, if +\&\fBSSL_get_stream_write_state()\fR is called on a remotely\-initiated (and thus +receive\-only) unidirectional stream. .IP \fBSSL_STREAM_STATE_FINISHED\fR 4 .IX Item "SSL_STREAM_STATE_FINISHED" For \fBSSL_get_stream_read_state()\fR, this value is returned when the remote peer has @@ -128,7 +131,7 @@ read by calling \fBSSL_read\fR\|(3). .Sp For \fBSSL_get_stream_write_state()\fR, this means that the sending part of the stream was aborted, for example because the application called \fBSSL_stream_reset\fR\|(3), -or because a QUIC stream SSL object with an un-concluded sending part was freed +or because a QUIC stream SSL object with an un\-concluded sending part was freed using \fBSSL_free\fR\|(3). Calls to \fBSSL_write\fR\|(3) will fail. .Sp When this value is returned, the application error code which was signalled can @@ -161,7 +164,7 @@ will fail. \fBSSL_get_stream_read_state()\fR will return this state if and only \&\fBSSL_get_stream_write_state()\fR will also return this state. .PP \&\fBSSL_get_stream_read_error_code()\fR and \fBSSL_get_stream_write_error_code()\fR provide -the application error code which was signalled during non-normal termination of +the application error code which was signalled during non\-normal termination of the receiving or sending parts of a stream, respectively. On success, the application error code is written to \fI*app_error_code\fR. .SH NOTES 
@@ -176,7 +179,7 @@ with the connection closure using \fBSSL_get_conn_close_info\fR\|(3). .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBSSL_get_stream_read_state()\fR and \fBSSL_get_stream_write_state()\fR return one of the -\&\fBSSL_STREAM_STATE\fR values. If called on a non-QUIC SSL object, or a QUIC +\&\fBSSL_STREAM_STATE\fR values. If called on a non\-QUIC SSL object, or a QUIC connection SSL object without a default stream, \fBSSL_STREAM_STATE_NONE\fR is returned. .PP @@ -184,7 +187,7 @@ returned. on success and 0 if the stream was terminated normally. They return \-1 on error, for example if the stream is still healthy, was still healthy at the time of connection closure, if called on a stream for which the respective stream part -does not exist (e.g. on a unidirectional stream), or if called on a non-QUIC +does not exist (e.g. on a unidirectional stream), or if called on a non\-QUIC object or a QUIC connection SSL object without a default stream attached. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/SSL_get_value_uint.3 b/secure/lib/libcrypto/man/man3/SSL_get_value_uint.3 index 22bdf69e55b0..48de728efac3 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_value_uint.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_value_uint.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_VALUE_UINT 3ossl" -.TH SSL_GET_VALUE_UINT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_VALUE_UINT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -154,17 +157,17 @@ within a given value class. The value classes are enumerated by Values in this class do not participate in the feature negotiation process. They may represent connection parameters which do not participate in explicit negotiation or provide connection statistics. Values in this class might be -read-write or read-only. +read\-write or read\-only. .Sp You can access values in this class using the convenience macros \&\fBSSL_get_generic_value_uint()\fR and \fBSSL_set_generic_value_uint()\fR for brevity. .IP \fBSSL_VALUE_CLASS_FEATURE_REQUEST\fR 4 .IX Item "SSL_VALUE_CLASS_FEATURE_REQUEST" -Values in this class are read-write, and represent what the local party is +Values in this class are read\-write, and represent what the local party is requesting during feature negotiation. Such a request will not necessarily be honoured; see \fBSSL_VALUE_CLASS_FEATURE_NEGOTIATED\fR. .Sp -A value in this class may become read-only in certain circumstances; for +A value in this class may become read\-only in certain circumstances; for example, after a connection has been established, for a value which cannot be renegotiated after connection establishment. Setting a value in this class after connection establishment represents a request for online renegotiation of the 
@@ -174,7 +177,7 @@ You can access values in this class using the convenience macros \&\fBSSL_get_feature_request_uint()\fR and \fBSSL_set_feature_request_uint()\fR for brevity. .IP \fBSSL_VALUE_CLASS_FEATURE_PEER_REQUEST\fR 4 .IX Item "SSL_VALUE_CLASS_FEATURE_PEER_REQUEST" -Values in this value class are read-only, and represent what was requested by a +Values in this value class are read\-only, and represent what was requested by a peer during feature negotiation. Such a request has not necessarily been honoured; see \fBSSL_VALUE_CLASS_FEATURE_NEGOTIATED\fR. .Sp @@ -182,7 +185,7 @@ You can access values in this class using the convenience macro \&\fBSSL_get_feature_peer_request_uint()\fR for brevity. .IP \fBSSL_VALUE_CLASS_FEATURE_NEGOTIATED\fR 4 .IX Item "SSL_VALUE_CLASS_FEATURE_NEGOTIATED" -Values in this value class are read-only, and represent the value which was +Values in this value class are read\-only, and represent the value which was actually negotiated based on both local and peer input during feature negotiation. This is the effective value in actual use. .Sp @@ -190,7 +193,7 @@ Attempting to read a value in this class will generally fail if the feature negotiation process has not yet completed and the value is therefore currently unknown, unless the nature of the feature in question causes a provisional value to be used prior to completion of feature negotiation, in which case that value -may be returned. If an online (post-handshake) renegotiation of a feature is +may be returned. If an online (post\-handshake) renegotiation of a feature is in progress, retrieving the negotiated value will continue to retrieve the previous negotiated value until that process is completed. See the documentation of specific values for full details of its behaviour. 
@@ -218,8 +221,8 @@ This release of OpenSSL uses a default value of 30 seconds. This default value may change between releases of OpenSSL. .IP "\fBSSL_VALUE_QUIC_STREAM_BIDI_LOCAL_AVAIL\fR (connection object)" 4 .IX Item "SSL_VALUE_QUIC_STREAM_BIDI_LOCAL_AVAIL (connection object)" -Generic read-only statistical value. The number of bidirectional, -locally-initiated streams available to be created (but not yet created). For +Generic read\-only statistical value. The number of bidirectional, +locally\-initiated streams available to be created (but not yet created). For example, a value of 100 would mean that \fBSSL_new_stream\fR\|(3) could be called 100 times to create 100 bidirectional streams before \fBSSL_new_stream\fR\|(3) would block or fail due to backpressure. @@ -228,14 +231,14 @@ Can be queried using the convenience macro \&\fBSSL_get_quic_stream_bidi_local_avail()\fR. .IP "\fBSSL_VALUE_QUIC_STREAM_UNI_LOCAL_AVAIL\fR (connection object)" 4 .IX Item "SSL_VALUE_QUIC_STREAM_UNI_LOCAL_AVAIL (connection object)" -As above, but provides the number of unidirectional, locally-initiated streams +As above, but provides the number of unidirectional, locally\-initiated streams available to be created (but not yet created). .Sp Can be queried using the convenience macro \&\fBSSL_get_quic_stream_uni_local_avail()\fR. .IP "\fBSSL_VALUE_QUIC_STREAM_BIDI_REMOTE_AVAIL\fR (connection object)" 4 .IX Item "SSL_VALUE_QUIC_STREAM_BIDI_REMOTE_AVAIL (connection object)" -As above, but provides the number of bidirectional, remotely-initiated streams +As above, but provides the number of bidirectional, remotely\-initiated streams available to be created (but not yet created) by the peer. This represents the number of streams the local endpoint has authorised the peer to create in terms of QUIC stream creation flow control. 
@@ -244,7 +247,7 @@ Can be queried using the convenience macro \&\fBSSL_get_quic_stream_bidi_remote_avail()\fR. .IP "\fBSSL_VALUE_QUIC_STREAM_UNI_REMOTE_AVAIL\fR (connection object)" 4 .IX Item "SSL_VALUE_QUIC_STREAM_UNI_REMOTE_AVAIL (connection object)" -As above, but provides the number of unidirectional, remotely-initiated streams +As above, but provides the number of unidirectional, remotely\-initiated streams available to be created (but not yet created). .Sp Can be queried using the convenience macro @@ -278,7 +281,7 @@ model, \fBnonblocking\fR calls to I/O functions such as \fBSSL_read_ex\fR\|(3) o new incoming network traffic is not handled; no new outgoing network traffic is generated, and pending timeout events are not processed. This allows an application to obtain greater control over the circumstances in which QUIC event -processing occurs. If this event handling model is used, it is the application's +processing occurs. If this event handling model is used, it is the application\*(Aqs responsibility to call \fBSSL_handle_events\fR\|(3) as and when called for by the QUIC implementation; see the \fBSSL_get_rpoll_descriptor\fR\|(3) man page for more information. @@ -312,7 +315,7 @@ also affect the state of any other object related to a connection. .RE .IP "\fBSSL_VALUE_STREAM_WRITE_BUF_SIZE\fR (stream object)" 4 .IX Item "SSL_VALUE_STREAM_WRITE_BUF_SIZE (stream object)" -Generic read-only statistical value. The size of the write buffer allocated to +Generic read\-only statistical value. The size of the write buffer allocated to hold data written to a stream with \fBSSL_write_ex\fR\|(3) until it is transmitted and subsequently acknowledged by the peer. This value may change at any time, as buffer sizes are optimised in response to network conditions to optimise 
@@ -321,7 +324,7 @@ throughput. Can be queried using the convenience macro \fBSSL_get_stream_write_buf_size()\fR. .IP "\fBSSL_VALUE_STREAM_WRITE_BUF_USED\fR (stream object)" 4 .IX Item "SSL_VALUE_STREAM_WRITE_BUF_USED (stream object)" -Generic read-only statistical value. The number of bytes currently consumed +Generic read\-only statistical value. The number of bytes currently consumed in the write buffer which have yet to be acknowledged by the peer. Successful calls to \fBSSL_write_ex\fR\|(3) which accept data cause this number to increase. This number will then decrease as data is acknowledged by the peer. @@ -329,7 +332,7 @@ This number will then decrease as data is acknowledged by the peer. Can be queried using the convenience macro \fBSSL_get_stream_write_buf_used()\fR. .IP "\fBSSL_VALUE_STREAM_WRITE_BUF_AVAIL\fR (stream object)" 4 .IX Item "SSL_VALUE_STREAM_WRITE_BUF_AVAIL (stream object)" -Generic read-only statistical value. The number of bytes available in the write +Generic read\-only statistical value. The number of bytes available in the write buffer which have yet to be consumed by calls to \fBSSL_write_ex\fR\|(3). Successful calls to \fBSSL_write_ex\fR\|(3) which accept data cause this number to decrease. This number will increase as data is acknowledged by the peer. It may also @@ -337,7 +340,7 @@ change if the buffer is resized automatically to optimise throughput. .Sp Can be queried using the convenience macro \fBSSL_get_stream_write_buf_avail()\fR. .PP -No configurable values are currently defined for non-QUIC SSL objects. +No configurable values are currently defined for non\-QUIC SSL objects. .SH "RETURN VALUES" .IX Header "RETURN VALUES" Returns 1 on success or 0 on failure. This function can fail for a number of diff --git a/secure/lib/libcrypto/man/man3/SSL_get_verify_result.3 b/secure/lib/libcrypto/man/man3/SSL_get_verify_result.3 index 070ce68bc46e..6fd7423fbc7f 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_verify_result.3 
+++ b/secure/lib/libcrypto/man/man3/SSL_get_verify_result.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_VERIFY_RESULT 3ossl" -.TH SSL_GET_VERIFY_RESULT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_VERIFY_RESULT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_get_version.3 b/secure/lib/libcrypto/man/man3/SSL_get_version.3 index 8c128496340a..93e3b9d26293 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_version.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_version.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_VERSION 3ossl" -.TH SSL_GET_VERSION 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_VERSION 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -116,7 +119,7 @@ The connection uses the TLSv1.2 protocol. The connection uses the TLSv1.3 protocol. .IP DTLSv0.9 4 .IX Item "DTLSv0.9" -The connection uses an obsolete pre-standardisation DTLS protocol +The connection uses an obsolete pre\-standardisation DTLS protocol .IP DTLSv1 4 .IX Item "DTLSv1" The connection uses the DTLSv1 protocol @@ -150,7 +153,7 @@ The connection uses the TLSv1.3 protocol (never returned for \&\fBSSL_client_version()\fR). .IP DTLS1_BAD_VER 4 .IX Item "DTLS1_BAD_VER" -The connection uses an obsolete pre-standardisation DTLS protocol +The connection uses an obsolete pre\-standardisation DTLS protocol .IP DTLS1_VERSION 4 .IX Item "DTLS1_VERSION" The connection uses the DTLSv1 protocol diff --git a/secure/lib/libcrypto/man/man3/SSL_group_to_name.3 b/secure/lib/libcrypto/man/man3/SSL_group_to_name.3 index d4b480dbe520..9995d723982c 100644 --- a/secure/lib/libcrypto/man/man3/SSL_group_to_name.3 +++ b/secure/lib/libcrypto/man/man3/SSL_group_to_name.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GROUP_TO_NAME 3ossl" -.TH SSL_GROUP_TO_NAME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GROUP_TO_NAME 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -72,13 +75,13 @@ SSL_group_to_name \- get name of group .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBSSL_group_to_name()\fR is used to retrieve the TLS group name -associated with a given TLS group ID, as registered via built-in +associated with a given TLS group ID, as registered via built\-in or external providers and as returned by a call to \fBSSL_get1_groups()\fR or \fBSSL_get_shared_group()\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -If non-NULL, \fBSSL_group_to_name()\fR returns the TLS group name -corresponding to the given \fIid\fR as a NUL-terminated string. +If non\-NULL, \fBSSL_group_to_name()\fR returns the TLS group name +corresponding to the given \fIid\fR as a NUL\-terminated string. If \fBSSL_group_to_name()\fR returns NULL, an error occurred; possibly no corresponding tlsname was registered during provider initialisation. .PP diff --git a/secure/lib/libcrypto/man/man3/SSL_handle_events.3 b/secure/lib/libcrypto/man/man3/SSL_handle_events.3 index 558ddb871608..a395e6398512 100644 --- a/secure/lib/libcrypto/man/man3/SSL_handle_events.3 +++ b/secure/lib/libcrypto/man/man3/SSL_handle_events.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_HANDLE_EVENTS 3ossl" -.TH SSL_HANDLE_EVENTS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_HANDLE_EVENTS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -119,11 +122,11 @@ will be made to the object for a substantial period of time. So long as at least one call to the SSL object is blocking, no such call is needed. However, \&\fBSSL_handle_events()\fR may optionally be used on a QUIC connection object if desired. .Sp -With the thread-assisted mode of operation \fBOSSL_QUIC_client_thread_method\fR\|(3) +With the thread\-assisted mode of operation \fBOSSL_QUIC_client_thread_method\fR\|(3) it is unnecessary to call \fBSSL_handle_events()\fR as the assist thread handles the QUIC connection events. .PP -Calling \fBSSL_handle_events()\fR on any other kind of SSL object is a no-op. This is +Calling \fBSSL_handle_events()\fR on any other kind of SSL object is a no\-op. This is considered a success case. .PP Note that \fBSSL_handle_events()\fR supersedes the older \fBDTLSv1_handle_timeout\fR\|(3) function diff --git a/secure/lib/libcrypto/man/man3/SSL_in_init.3 b/secure/lib/libcrypto/man/man3/SSL_in_init.3 index f74ddbce597c..67c3b80265d5 100644 --- a/secure/lib/libcrypto/man/man3/SSL_in_init.3 +++ b/secure/lib/libcrypto/man/man3/SSL_in_init.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_IN_INIT 3ossl" -.TH SSL_IN_INIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_IN_INIT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/SSL_inject_net_dgram.3 b/secure/lib/libcrypto/man/man3/SSL_inject_net_dgram.3 index 778e263dba4e..006e70bcfc6f 100644 --- a/secure/lib/libcrypto/man/man3/SSL_inject_net_dgram.3 +++ b/secure/lib/libcrypto/man/man3/SSL_inject_net_dgram.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_INJECT_NET_DGRAM 3ossl" -.TH SSL_INJECT_NET_DGRAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_INJECT_NET_DGRAM 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_key_update.3 b/secure/lib/libcrypto/man/man3/SSL_key_update.3 index 4019834e96d7..bd3b6675c833 100644 --- a/secure/lib/libcrypto/man/man3/SSL_key_update.3 +++ b/secure/lib/libcrypto/man/man3/SSL_key_update.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_KEY_UPDATE 3ossl" -.TH SSL_KEY_UPDATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_KEY_UPDATE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_library_init.3 b/secure/lib/libcrypto/man/man3/SSL_library_init.3 index 5cfa9e77a146..8d276b47a556 100644 --- a/secure/lib/libcrypto/man/man3/SSL_library_init.3 +++ b/secure/lib/libcrypto/man/man3/SSL_library_init.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_LIBRARY_INIT 3ossl" -.TH SSL_LIBRARY_INIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_LIBRARY_INIT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_load_client_CA_file.3 b/secure/lib/libcrypto/man/man3/SSL_load_client_CA_file.3 index 8ab47c02bf4a..3a0b51ef90e7 100644 --- a/secure/lib/libcrypto/man/man3/SSL_load_client_CA_file.3 +++ b/secure/lib/libcrypto/man/man3/SSL_load_client_CA_file.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_LOAD_CLIENT_CA_FILE 3ossl" -.TH SSL_LOAD_CLIENT_CA_FILE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_LOAD_CLIENT_CA_FILE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_new.3 b/secure/lib/libcrypto/man/man3/SSL_new.3 index 711da31b9e26..ac8d72be7807 100644 --- a/secure/lib/libcrypto/man/man3/SSL_new.3 +++ b/secure/lib/libcrypto/man/man3/SSL_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_NEW 3ossl" -.TH SSL_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_new_domain.3 b/secure/lib/libcrypto/man/man3/SSL_new_domain.3 index 29a46ebc718b..1983f17eaf14 100644 --- a/secure/lib/libcrypto/man/man3/SSL_new_domain.3 
+++ b/secure/lib/libcrypto/man/man3/SSL_new_domain.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_NEW_DOMAIN 3ossl" -.TH SSL_NEW_DOMAIN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_NEW_DOMAIN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_new_listener.3 b/secure/lib/libcrypto/man/man3/SSL_new_listener.3 index 4495a1e7ac76..d43ade3cb856 100644 --- a/secure/lib/libcrypto/man/man3/SSL_new_listener.3 +++ b/secure/lib/libcrypto/man/man3/SSL_new_listener.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_NEW_LISTENER 3ossl" -.TH SSL_NEW_LISTENER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_NEW_LISTENER 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -142,7 +145,7 @@ descended from a listener object (e.g. a connection obtained using \&\fBSSL_accept_connection()\fR) or indirectly from a listener object (e.g. a QUIC stream SSL object obtained using \fBSSL_accept_stream()\fR called on a connection obtained using \fBSSL_accept_connection()\fR) the return value is NULL. See NOTES -below for caveats related to pending SSL connections on a QUIC listener's accept +below for caveats related to pending SSL connections on a QUIC listener\*(Aqs accept queue. .PP The \fBSSL_listen()\fR function begins monitoring the listener \fIssl\fR for incoming @@ -154,7 +157,7 @@ called automatically on the first call to \fBSSL_accept_connection()\fR. However the listening process begins, or to ensure that no errors occur when starting to listen for connections. After a call to \fBSSL_listen()\fR (or \&\fBSSL_accept_connection()\fR) succeeds. The \fBSSL_listen()\fR function is idempotent, -subsequent calls on the same \fIssl\fR object are no-ops. This call is supported +subsequent calls on the same \fIssl\fR object are no\-ops. This call is supported only on listener SSL objects. .PP The \fBSSL_accept_connection()\fR call is supported only on a listener SSL object and 
@@ -176,21 +179,21 @@ The \fBSSL_ACCEPT_CONNECTION_NO_BLOCK\fR flag may be specified to listener SSL object is configured in blocking mode. .PP The \fBSSL_get_accept_connection_queue_len()\fR call returns the number of pending -connections on the \fIssl\fR listener's queue. \fBSSL_accept_connection()\fR returns the +connections on the \fIssl\fR listener\*(Aqs queue. \fBSSL_accept_connection()\fR returns the next pending connection, removing it from the queue. The returned connection -count is a point-in-time value, the actual number of connections that will +count is a point\-in\-time value, the actual number of connections that will ultimately be returned may be different. .PP Currently, listener SSL objects are only supported for QUIC server usage via -\&\fBOSSL_QUIC_server_method\fR\|(3), or QUIC client-only usage via +\&\fBOSSL_QUIC_server_method\fR\|(3), or QUIC client\-only usage via \&\fBOSSL_QUIC_client_method\fR\|(3) or \fBOSSL_QUIC_client_thread_method\fR\|(3) (see -"CLIENT-ONLY USAGE"). It is expected that the listener interface, which +"CLIENT\-ONLY USAGE"). It is expected that the listener interface, which provides an abstracted API for connection acceptance, will be expanded to support other protocols, such as TLS over TCP, plain TCP or DTLS in future. .PP \&\fBSSL_listen()\fR and \fBSSL_accept_connection()\fR are "I/O" functions, meaning that they update the value returned by \fBSSL_get_error\fR\|(3) if they fail. -.SH "CLIENT-ONLY USAGE" +.SH "CLIENT\-ONLY USAGE" .IX Header "CLIENT-ONLY USAGE" It is also possible to use the listener interface without accepting any connections and without listening for connections. This can be useful in diff --git a/secure/lib/libcrypto/man/man3/SSL_new_stream.3 b/secure/lib/libcrypto/man/man3/SSL_new_stream.3 index fa7d3cb80d3b..b847e6f36ac2 100644 --- a/secure/lib/libcrypto/man/man3/SSL_new_stream.3 +++ b/secure/lib/libcrypto/man/man3/SSL_new_stream.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_NEW_STREAM 3ossl" -.TH SSL_NEW_STREAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_NEW_STREAM 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -76,7 +79,7 @@ SSL_STREAM_FLAG_ADVANCE \- create a new locally\-initiated QUIC stream .SH DESCRIPTION .IX Header "DESCRIPTION" The \fBSSL_new_stream()\fR function, when passed a QUIC connection SSL object, creates -a new locally-initiated bidirectional or unidirectional QUIC stream and returns +a new locally\-initiated bidirectional or unidirectional QUIC stream and returns the newly created QUIC stream SSL object. .PP If the \fBSSL_STREAM_FLAG_UNI\fR flag is passed, a unidirectional stream is @@ -85,7 +88,7 @@ created; else a bidirectional stream is created. To retrieve the stream ID of the newly created stream, use \&\fBSSL_get_stream_id\fR\|(3). .PP -It is the caller's responsibility to free the QUIC stream SSL object using +It is the caller\*(Aqs responsibility to free the QUIC stream SSL object using \&\fBSSL_free\fR\|(3). The lifetime of the QUIC connection SSL object must exceed that of the QUIC stream SSL object; in other words, the QUIC stream SSL object must be freed first. 
@@ -93,7 +96,7 @@ be freed first. Once a stream has been created using \fBSSL_new_stream()\fR, it may be used in the normal way using \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3). .PP -This function can only be used to create stream objects for locally-initiated +This function can only be used to create stream objects for locally\-initiated streams. To accept incoming streams initiated by a peer, use \&\fBSSL_accept_stream\fR\|(3). .PP @@ -124,7 +127,7 @@ remainder of the connection lifetime. .IX Header "RETURN VALUES" \&\fBSSL_new_stream()\fR returns a new stream object, or NULL on error. .PP -This function fails if called on a QUIC stream SSL object or on a non-QUIC SSL +This function fails if called on a QUIC stream SSL object or on a non\-QUIC SSL object. .PP \&\fBSSL_new_stream()\fR may also fail if the underlying connection has reached the diff --git a/secure/lib/libcrypto/man/man3/SSL_pending.3 b/secure/lib/libcrypto/man/man3/SSL_pending.3 index 5c571877c231..51d96cdbdc9d 100644 --- a/secure/lib/libcrypto/man/man3/SSL_pending.3 +++ b/secure/lib/libcrypto/man/man3/SSL_pending.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_PENDING 3ossl" -.TH SSL_PENDING 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_PENDING 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -80,7 +83,7 @@ read by the application via a call to \fBSSL_read_ex\fR\|(3) or \fBSSL_read\fR\| \&\fBSSL_pending()\fR returns the number of bytes which have been processed, buffered and are available inside \fBssl\fR for immediate read. .PP -If the \fBSSL\fR object's \fIread_ahead\fR flag is set (see +If the \fBSSL\fR object\*(Aqs \fIread_ahead\fR flag is set (see \&\fBSSL_CTX_set_read_ahead\fR\|(3)), additional protocol bytes (beyond the current record) may have been read containing more TLS/SSL records. This also applies to DTLS and pipelining (see \fBSSL_CTX_set_split_send_fragment\fR\|(3)). These diff --git a/secure/lib/libcrypto/man/man3/SSL_poll.3 b/secure/lib/libcrypto/man/man3/SSL_poll.3 index 95ba9d818ef9..7a7e9c02acb0 100644 --- a/secure/lib/libcrypto/man/man3/SSL_poll.3 +++ b/secure/lib/libcrypto/man/man3/SSL_poll.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_POLL 3ossl" -.TH SSL_POLL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_POLL 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -172,7 +175,7 @@ actually applicable to the resource described by \fIdesc\fR. As for \fIevents\fR it is a collection of zero or more \fBSSL_POLL_EVENT\fR flags. .Sp \&\fIrevents\fR need not be a subset of the events specified in \fIevents\fR, as some -event types are defined as always being enabled (non-maskable). See "EVENT +event types are defined as always being enabled (non\-maskable). See "EVENT TYPES" for more information. .PP To use \fBSSL_poll()\fR, call it with an array of \fBSSL_POLL_ITEM\fR structures. The @@ -186,11 +189,11 @@ to use \fBSSL_poll()\fR in blocking or nonblocking mode: If \fItimeout\fR is NULL, the function blocks indefinitely until at least one resource is ready. .IP \(bu 4 -If \fItimeout\fR is non-NULL, and it points to a \fBstruct timeval\fR which is set to +If \fItimeout\fR is non\-NULL, and it points to a \fBstruct timeval\fR which is set to zero, the function operates in nonblocking mode and returns immediately with readiness information. .IP \(bu 4 -If \fItimeout\fR is non-NULL, and it points to a \fBstruct timeval\fR which is set to +If \fItimeout\fR is non\-NULL, and it points to a \fBstruct timeval\fR which is set to a value other than zero, the function blocks for the specified interval or until at least one of the specified resources is ready, whichever comes first. .PP @@ -210,7 +213,7 @@ state machine processing is performed. If this flag is used in blocking mode (for example, with \fItimeout\fR set to NULL), event processing does not occur unless the function blocks. .PP -The \fIresult_count\fR argument is optional. If it is non-NULL, it is used to +The \fIresult_count\fR argument is optional. If it is non\-NULL, it is used to output the number of entries in the array which have nonzero \fIrevents\fR fields when the call to \fBSSL_poll()\fR returns; see "RETURN VALUES" for details. .SH "EVENT TYPES" 
@@ -228,7 +231,7 @@ repeated notifications and has not caused the underlying readiness condition \&\fBSSL_POLL_EVENT_R\fR is reported) to be deasserted. .PP Some event types do not make sense on a given kind of resource. In this case, -specifying that event type in \fIevents\fR is a no-op and will be ignored, and the +specifying that event type in \fIevents\fR is a no\-op and will be ignored, and the given event will never be reported in \fIrevents\fR. .PP Failure of the polling mechanism itself is considered distinct from an exception @@ -237,10 +240,10 @@ and "RETURN VALUES" for details. .PP In general, an application should always listen for the event types corresponding to exception conditions if it is listening to the corresponding -non-exception event types (e.g. \fBSSL_POLL_EVENT_EC\fR and \fBSSL_POLL_EVENT_ER\fR +non\-exception event types (e.g. \fBSSL_POLL_EVENT_EC\fR and \fBSSL_POLL_EVENT_ER\fR for \fBSSL_POLL_EVENT_R\fR), as not doing so is unlikely to be a sound design. .PP -Some event types are non-maskable and may be reported in \fIrevents\fR regardless +Some event types are non\-maskable and may be reported in \fIrevents\fR regardless of whether they were requested in \fIevents\fR. .PP The following event types are supported: @@ -306,7 +309,7 @@ Writable. This event is raised when a QUIC stream SSL object (or a QUIC connection SSL object with a default stream attached) could accept more application data using \fBSSL_write_ex\fR\|(3). .Sp -This event is never raised by a receive-only stream. +This event is never raised by a receive\-only stream. .Sp This event is never raised by a stream which has had its send part concluded normally (as with \fBSSL_stream_conclude\fR\|(3)) or locally reset (as with 
@@ -356,7 +359,7 @@ Unless the \fIitems\fR pointer itself is invalid, \fBSSL_poll()\fR will always i the \fIrevents\fR fields of all items in the input array upon returning, even if it returns failure. .PP -If \fIresult_count\fR is non-NULL, it is always written with the number of items in +If \fIresult_count\fR is non\-NULL, it is always written with the number of items in the array with nonzero \fIrevents\fR fields, even if the \fBSSL_poll()\fR call returns failure. .PP diff --git a/secure/lib/libcrypto/man/man3/SSL_read.3 b/secure/lib/libcrypto/man/man3/SSL_read.3 index d2e93e2991f7..fd640f95681d 100644 --- a/secure/lib/libcrypto/man/man3/SSL_read.3 +++ b/secure/lib/libcrypto/man/man3/SSL_read.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_READ 3ossl" -.TH SSL_READ 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_READ 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -91,7 +94,7 @@ In the paragraphs below a "read function" is defined as one of \fBSSL_read_ex()\ .PP If necessary, a read function will negotiate a TLS/SSL session, if not already explicitly performed by \fBSSL_connect\fR\|(3) or \fBSSL_accept\fR\|(3). If the -peer requests a re-negotiation, it will be performed transparently during +peer requests a re\-negotiation, it will be performed transparently during the read function operation. The behaviour of the read functions depends on the underlying BIO. .PP 
@@ -115,7 +118,7 @@ of the underlying transport (e.g. TCP), it may be necessary to read several packets from the transport layer before the record is complete and the read call can succeed. .PP -If \fBSSL_MODE_AUTO_RETRY\fR has been switched off and a non-application data +If \fBSSL_MODE_AUTO_RETRY\fR has been switched off and a non\-application data record has been processed, the read function can return and set the error to \&\fBSSL_ERROR_WANT_READ\fR. In this case there might still be unprocessed data available in the \fBBIO\fR. @@ -125,9 +128,9 @@ This behaviour can be controlled using the \fBSSL_CTX_set_mode\fR\|(3) call. .PP If the underlying BIO is \fBblocking\fR, a read function will only return once the read operation has been finished or an error occurred, except when a -non-application data record has been processed and \fBSSL_MODE_AUTO_RETRY\fR is +non\-application data record has been processed and \fBSSL_MODE_AUTO_RETRY\fR is not set. -Note that if \fBSSL_MODE_AUTO_RETRY\fR is set and only non-application data is +Note that if \fBSSL_MODE_AUTO_RETRY\fR is set and only non\-application data is available the call will hang. .PP If the underlying BIO is \fBnonblocking\fR, a read function will also return when @@ -136,7 +139,7 @@ operation. In this case a call to \fBSSL_get_error\fR\|(3) with the return value of the read function will yield \fBSSL_ERROR_WANT_READ\fR or \&\fBSSL_ERROR_WANT_WRITE\fR. -As at any time it's possible that non-application data needs to be sent, +As at any time it\*(Aqs possible that non\-application data needs to be sent, a read function can also cause write operations. The calling process then must repeat the call after taking appropriate action to satisfy the needs of the read function. 
@@ -165,7 +168,7 @@ Success means that 1 or more application data bytes have been read from the SSL connection. Failure means that no bytes could be read from the SSL connection. Failures can be retryable (e.g. we are waiting for more bytes to -be delivered by the network) or non-retryable (e.g. a fatal network error). +be delivered by the network) or non\-retryable (e.g. a fatal network error). In the event of a failure call \fBSSL_get_error\fR\|(3) to find out the reason which indicates whether the call is retryable or not. .PP @@ -183,7 +186,7 @@ Call \fBSSL_get_error\fR\|(3) with the return value \fBret\fR to find out the re .Sp Old documentation indicated a difference between 0 and \-1, and that \-1 was retryable. -You should instead call \fBSSL_get_error()\fR to find out if it's retryable. +You should instead call \fBSSL_get_error()\fR to find out if it\*(Aqs retryable. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBSSL_get_error\fR\|(3), \fBSSL_write_ex\fR\|(3), diff --git a/secure/lib/libcrypto/man/man3/SSL_read_early_data.3 b/secure/lib/libcrypto/man/man3/SSL_read_early_data.3 index 0f769aaff8b6..3eb1984dcd9d 100644 --- a/secure/lib/libcrypto/man/man3/SSL_read_early_data.3 +++ b/secure/lib/libcrypto/man/man3/SSL_read_early_data.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_READ_EARLY_DATA 3ossl" -.TH SSL_READ_EARLY_DATA 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_READ_EARLY_DATA 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -118,7 +121,7 @@ These functions are used to send and receive early data where TLSv1.3 has been negotiated. Early data can be sent by the client immediately after its initial ClientHello without having to wait for the server to complete the handshake. Early data can be sent if a session has previously been established with the -server or when establishing a new session using an out-of-band PSK, and only +server or when establishing a new session using an out\-of\-band PSK, and only when the server is known to support it. Additionally these functions can be used to send data from the server to the client when the client has not yet completed the authentication stage of the handshake. @@ -131,7 +134,7 @@ data. For specific details, consult the TLS 1.3 specification. .PP When a server receives early data it may opt to immediately respond by sending application data back to the client. Data sent by the server at this stage is -done before the full handshake has been completed. Specifically the client's +done before the full handshake has been completed. Specifically the client\*(Aqs authentication messages have not yet been received, i.e. the client is unauthenticated at this point and care should be taken when using this capability. 
@@ -288,7 +291,7 @@ decision is made to accept or reject early data. The callback is provided with a pointer to the user data argument that was provided when the callback was first set. Returning 1 from the callback will allow early data and returning 0 will reject it. Note that the OpenSSL library may reject early data for other reasons -in which case this callback will not get called. Notably, the built-in replay +in which case this callback will not get called. Notably, the built\-in replay protection feature will still be used even if a callback is present unless it has been explicitly disabled using the SSL_OP_NO_ANTI_REPLAY option. See "REPLAY PROTECTION" below. @@ -302,10 +305,10 @@ These functions cannot currently be used with QUIC SSL objects. The whole purpose of early data is to enable a client to start sending data to the server before a full round trip of network traffic has occurred. Application developers should ensure they consider optimisation of the underlying TCP socket -to obtain a performant solution. For example Nagle's algorithm is commonly used +to obtain a performant solution. For example Nagle\*(Aqs algorithm is commonly used by operating systems in an attempt to avoid lots of small TCP packets. In many scenarios this is beneficial for performance, but it does not work well with the -early data solution as implemented in OpenSSL. In Nagle's algorithm the OS will +early data solution as implemented in OpenSSL. In Nagle\*(Aqs algorithm the OS will buffer outgoing TCP data if a TCP packet has already been sent which we have not yet received an ACK for from the peer. The buffered data will only be transmitted if enough data to fill an entire TCP packet is accumulated, or if 
@@ -320,7 +323,7 @@ sent until a complete round trip with the server has occurred which defeats the objective of early data. .PP In many operating systems the TCP_NODELAY socket option is available to disable -Nagle's algorithm. If an application opts to disable Nagle's algorithm +Nagle\*(Aqs algorithm. If an application opts to disable Nagle\*(Aqs algorithm consideration should be given to turning it back on again after the handshake is complete if appropriate. .PP @@ -359,7 +362,7 @@ does not exist then the resumption is not allowed and a full handshake will occur. .PP Note that some applications may maintain an external cache of sessions (see -\&\fBSSL_CTX_sess_set_new_cb\fR\|(3) and similar functions). It is the application's +\&\fBSSL_CTX_sess_set_new_cb\fR\|(3) and similar functions). It is the application\*(Aqs responsibility to ensure that any sessions in the external cache are also populated in the internal cache and that once removed from the internal cache they are similarly removed from the external cache. Failing to do this could @@ -376,7 +379,7 @@ The OpenSSL replay protection does not apply to external Pre Shared Keys (PSKs) should be applied when combining external PSKs with early data. .PP Some applications may mitigate the replay risks in other ways. For those -applications it is possible to turn off the built-in replay protection feature +applications it is possible to turn off the built\-in replay protection feature using the \fBSSL_OP_NO_ANTI_REPLAY\fR option. See \fBSSL_CTX_set_options\fR\|(3) for details. Applications can also set a callback to make decisions about accepting early data or not. See \fBSSL_CTX_set_allow_early_data_cb()\fR above for details. diff --git a/secure/lib/libcrypto/man/man3/SSL_rstate_string.3 b/secure/lib/libcrypto/man/man3/SSL_rstate_string.3 index 115806c881b5..70975a40fea2 100644 --- a/secure/lib/libcrypto/man/man3/SSL_rstate_string.3 +++ b/secure/lib/libcrypto/man/man3/SSL_rstate_string.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_RSTATE_STRING 3ossl" -.TH SSL_RSTATE_STRING 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_RSTATE_STRING 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_session_reused.3 b/secure/lib/libcrypto/man/man3/SSL_session_reused.3 index 58cec1f57e74..0e7144f8ad54 100644 --- a/secure/lib/libcrypto/man/man3/SSL_session_reused.3 +++ b/secure/lib/libcrypto/man/man3/SSL_session_reused.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_REUSED 3ossl" -.TH SSL_SESSION_REUSED 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_REUSED 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_set1_host.3 b/secure/lib/libcrypto/man/man3/SSL_set1_host.3 index 005abe729f73..73979ca592ea 100644 
--- a/secure/lib/libcrypto/man/man3/SSL_set1_host.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set1_host.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET1_HOST 3ossl" -.TH SSL_SET1_HOST 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET1_HOST 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -90,7 +93,7 @@ the primary reference identifier of the peer, and should not call \&\fBSSL_set1_host()\fR. .PP \&\fBSSL_add1_host()\fR adds \fIhost\fR as an additional reference identifier -that can match the peer's certificate. Any previous hostnames +that can match the peer\*(Aqs certificate. Any previous hostnames set via \fBSSL_set1_host()\fR or \fBSSL_add1_host()\fR are retained. Adding an IP address is allowed only if no IP address has been set before. No change is made if \fIhost\fR is NULL or empty. 
@@ -115,7 +118,7 @@ identifiers. When wildcard matching is not disabled, the name matched in the peer certificate may be a wildcard name. When one of the reference identifiers configured via \fBSSL_set1_host()\fR or \&\fBSSL_add1_host()\fR starts with ".", which indicates a parent domain prefix -rather than a fixed name, the matched peer name may be a sub-domain +rather than a fixed name, the matched peer name may be a sub\-domain of the reference identifier. The returned string is allocated by the library and is no longer valid once the associated \fIssl\fR handle is cleared or freed, or a renegotiation takes place. Applications diff --git a/secure/lib/libcrypto/man/man3/SSL_set1_initial_peer_addr.3 b/secure/lib/libcrypto/man/man3/SSL_set1_initial_peer_addr.3 index 01ea3ffd736a..69e1a72f9f6f 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set1_initial_peer_addr.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set1_initial_peer_addr.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET1_INITIAL_PEER_ADDR 3ossl" -.TH SSL_SET1_INITIAL_PEER_ADDR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET1_INITIAL_PEER_ADDR 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_set1_server_cert_type.3 b/secure/lib/libcrypto/man/man3/SSL_set1_server_cert_type.3 index ffc2356523ac..39202f223159 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set1_server_cert_type.3 
+++ b/secure/lib/libcrypto/man/man3/SSL_set1_server_cert_type.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET1_SERVER_CERT_TYPE 3ossl" -.TH SSL_SET1_SERVER_CERT_TYPE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET1_SERVER_CERT_TYPE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -132,7 +135,7 @@ Which corresponds to an X.509 certificate normally used in TLS. .IX Item "TLSEXT_cert_type_rpk" Which corresponds to a raw public key. .PP -If \fBval\fR is set to a non-NULL value, then the extension is sent in the handshake. +If \fBval\fR is set to a non\-NULL value, then the extension is sent in the handshake. If b<val> is set to a NULL value (and \fBlen\fR is 0), then the extension is disabled. The default value is NULL, meaning the extension is not sent, and X.509 certificates are used in the handshake. diff --git a/secure/lib/libcrypto/man/man3/SSL_set_async_callback.3 b/secure/lib/libcrypto/man/man3/SSL_set_async_callback.3 index be474806f295..7cf1da3333a6 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_async_callback.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_async_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_ASYNC_CALLBACK 3ossl" -.TH SSL_SET_ASYNC_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_ASYNC_CALLBACK 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -124,14 +127,14 @@ At a future point in time (probably via a polling mechanism or via an interrupt) the engine will become aware that the asynchronous request has finished processing. .IP 6. 4 -The engine will call the application's callback passing the callback data as +The engine will call the application\*(Aqs callback passing the callback data as a parameter. .IP 7. 4 The callback function should then run. Note: it is a requirement that the callback function is small and nonblocking as it will be run in the context of a polling mechanism or an interrupt. .IP 8. 4 -It is the application's responsibility via the callback function to schedule +It is the application\*(Aqs responsibility via the callback function to schedule recalling the OpenSSL asynchronous function and to continue processing. .IP 9. 4 The callback function has the option to check the status returned via diff --git a/secure/lib/libcrypto/man/man3/SSL_set_bio.3 b/secure/lib/libcrypto/man/man3/SSL_set_bio.3 index c72c90b43a05..fd1ad4d22bd5 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_bio.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_bio.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_BIO 3ossl" -.TH SSL_SET_BIO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_BIO 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -139,7 +142,7 @@ use \fBSSL_set0_rbio()\fR and \fBSSL_set0_wbio()\fR instead. Where a new BIO is set on a QUIC connection SSL object, blocking mode will be disabled on that SSL object if the BIO cannot support blocking mode. If another BIO is subsequently set on the SSL object which can support blocking mode, -blocking mode will not be automatically re-enabled. For more information, see +blocking mode will not be automatically re\-enabled. For more information, see \&\fBSSL_set_blocking_mode\fR\|(3). .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/SSL_set_blocking_mode.3 b/secure/lib/libcrypto/man/man3/SSL_set_blocking_mode.3 index 405a4c97ac77..068c857688f4 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_blocking_mode.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_blocking_mode.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_BLOCKING_MODE 3ossl" -.TH SSL_SET_BLOCKING_MODE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_BLOCKING_MODE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -100,7 +103,7 @@ is responsible for ensuring that the SSL object is ticked regularly; see .PP Blocking mode is disabled automatically if the application provides a QUIC connection SSL object with a network BIO which cannot support blocking mode. To -re-enable blocking mode in this case, an application must set a network BIO +re\-enable blocking mode in this case, an application must set a network BIO which can support blocking mode and explicitly call \fBSSL_set_blocking_mode()\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/SSL_set_connect_state.3 b/secure/lib/libcrypto/man/man3/SSL_set_connect_state.3 index 4507bddf609c..1fbfebddb32e 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_connect_state.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_connect_state.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_CONNECT_STATE 3ossl" -.TH SSL_SET_CONNECT_STATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_CONNECT_STATE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_set_default_stream_mode.3 b/secure/lib/libcrypto/man/man3/SSL_set_default_stream_mode.3 index ce8c95d9297d..530113c56513 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_default_stream_mode.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_default_stream_mode.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_DEFAULT_STREAM_MODE 3ossl" -.TH SSL_SET_DEFAULT_STREAM_MODE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_DEFAULT_STREAM_MODE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -87,15 +90,15 @@ connection. When not disabled, a default stream is automatically created on an outgoing connection once \fBSSL_read\fR\|(3) or \fBSSL_write\fR\|(3) is called. .PP -A QUIC stream must be explicitly designated as client-initiated or -server-initiated up front. This broadly corresponds to whether an application +A QUIC stream must be explicitly designated as client\-initiated or +server\-initiated up front. This broadly corresponds to whether an application protocol involves the client transmitting first, or the server transmitting first. As such, if \fBSSL_read\fR\|(3) is called first (before any call to \&\fBSSL_write\fR\|(3)) after establishing a connection, OpenSSL will wait for the -server to open the first server-initiated stream, and then bind this as the +server to open the first server\-initiated stream, and then bind this as the default stream. Conversely, if \fBSSL_write\fR\|(3) is called before any call to \&\fBSSL_read\fR\|(3), OpenSSL assumes the client wishes to transmit first, creates a -client-initiated stream, and binds this as the default stream. +client\-initiated stream, and binds this as the default stream. .PP By default, the default stream created is bidirectional. If a unidirectional stream is desired, or if the application wishes to disable default stream 
@@ -119,7 +122,7 @@ after calling \fBSSL_new\fR\|(3), prior to initiating a connection. The argument .IP SSL_DEFAULT_STREAM_MODE_AUTO_BIDI 4 .IX Item "SSL_DEFAULT_STREAM_MODE_AUTO_BIDI" This is the default setting. If \fBSSL_write\fR\|(3) is called prior to any call to -\&\fBSSL_read\fR\|(3), a bidirectional client-initiated stream is created and bound as +\&\fBSSL_read\fR\|(3), a bidirectional client\-initiated stream is created and bound as the default stream. If \fBSSL_read\fR\|(3) is called prior to any call to \&\fBSSL_write\fR\|(3), OpenSSL waits for an incoming stream from the peer (causing \&\fBSSL_read\fR\|(3) to block if the connection is in blocking mode), and then binds @@ -131,7 +134,7 @@ determine the type of a stream after a call to \fBSSL_read\fR\|(3), use .IP SSL_DEFAULT_STREAM_MODE_AUTO_UNI 4 .IX Item "SSL_DEFAULT_STREAM_MODE_AUTO_UNI" In this mode, if \fBSSL_write\fR\|(3) is called prior to any call to \fBSSL_read\fR\|(3), -a unidirectional client-initiated stream is created and bound as the default +a unidirectional client\-initiated stream is created and bound as the default stream. The behaviour is otherwise identical to that of \&\fBSSL_DEFAULT_STREAM_MODE_AUTO_BIDI\fR. The behaviour when \fBSSL_read\fR\|(3) is called prior to any call to \fBSSL_write\fR\|(3) is unchanged. @@ -154,7 +157,7 @@ stream functionality. \&\fBSSL_set_default_stream_mode()\fR fails if it is called after a default stream has already been established. .PP -These functions fail if called on a QUIC stream SSL object or on a non-QUIC SSL +These functions fail if called on a QUIC stream SSL object or on a non\-QUIC SSL object. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/SSL_set_fd.3 b/secure/lib/libcrypto/man/man3/SSL_set_fd.3 index cfe006922785..e67e71fbeba3 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_fd.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_fd.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_FD 3ossl" -.TH SSL_SET_FD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_FD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -102,7 +105,7 @@ The operation succeeded. .SH NOTES .IX Header "NOTES" On Windows, a socket handle is a 64\-bit data type (UINT_PTR), which leads to a -compiler warning (conversion from 'SOCKET' to 'int', possible loss of data) when +compiler warning (conversion from \*(AqSOCKET\*(Aq to \*(Aqint\*(Aq, possible loss of data) when passing the socket handle to SSL_set_*\fBfd()\fR. For the time being, this warning can safely be ignored, because although the Microsoft documentation claims that the upper limit is INVALID_SOCKET\-1 (2^64 \- 2), in practice the current \fBsocket()\fR diff --git a/secure/lib/libcrypto/man/man3/SSL_set_incoming_stream_policy.3 b/secure/lib/libcrypto/man/man3/SSL_set_incoming_stream_policy.3 index a8a845c6d2f6..ad90e1d8541d 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_incoming_stream_policy.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_incoming_stream_policy.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_INCOMING_STREAM_POLICY 3ossl" -.TH SSL_SET_INCOMING_STREAM_POLICY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_INCOMING_STREAM_POLICY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -82,8 +85,8 @@ policy \&\fBSSL_set_incoming_stream_policy()\fR policy changes the incoming stream policy for a QUIC connection. Depending on the policy configured, OpenSSL QUIC may automatically reject incoming streams initiated by the peer. This is intended to -ensure that legacy applications using single-stream operation with a default -stream on a QUIC connection SSL object are not passed remotely-initiated streams +ensure that legacy applications using single\-stream operation with a default +stream on a QUIC connection SSL object are not passed remotely\-initiated streams by a peer which those applications are not prepared to handle. .PP \&\fIapp_error_code\fR is an application error code which will be used in any QUIC @@ -123,7 +126,7 @@ appropriate. .IX Header "RETURN VALUES" Returns 1 on success and 0 on failure. .PP -This function fails if called on a QUIC stream SSL object, or on a non-QUIC SSL +This function fails if called on a QUIC stream SSL object, or on a non\-QUIC SSL object. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/SSL_set_quic_tls_cbs.3 b/secure/lib/libcrypto/man/man3/SSL_set_quic_tls_cbs.3 index 509a3d617c09..3edbb232d22b 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_quic_tls_cbs.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_quic_tls_cbs.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_QUIC_TLS_CBS 3ossl" -.TH SSL_SET_QUIC_TLS_CBS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_QUIC_TLS_CBS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -129,6 +132,11 @@ given SSL object \fIs\fR, a set of callbacks are supplied in an \fBOSSL_DISPATCH table via \fIqtdis\fR. The \fIarg\fR parameter will be passed as an argument when the various callbacks are called. .PP +The above callbacks are invoked, as needed, by \fBSSL_do_handshake()\fR and \fBSSL_read()\fR (including +SSL_read_ex, SSL_peek, SSL_peek_ex). Once the SSL handshake is complete, the QUIC +stack must arrange to call one of the \fBSSL_read()\fR variants whenever a post\-handshake CRYPTO +frame is received. The number of bytes requested may be zero. +.PP An \fBOSSL_DISPATCH\fR table should consist of an array of \fBOSSL_DISPATCH\fR entries where each entry is a function id, and a function pointer. The array should be terminated with an empty entry (i.e. a 0 function id, and a NULL function diff --git a/secure/lib/libcrypto/man/man3/SSL_set_retry_verify.3 b/secure/lib/libcrypto/man/man3/SSL_set_retry_verify.3 index 9fb384e418f0..ee34cc250ab9 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_retry_verify.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_retry_verify.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_RETRY_VERIFY 3ossl" -.TH SSL_SET_RETRY_VERIFY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_RETRY_VERIFY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_set_session.3 b/secure/lib/libcrypto/man/man3/SSL_set_session.3 index 8467f0e4d481..422118656a18 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_session.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_session.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_SESSION 3ossl" -.TH SSL_SET_SESSION 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_SESSION 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -89,7 +92,7 @@ set the SSL_SENT_SHUTDOWN state). .SH NOTES .IX Header "NOTES" SSL_SESSION objects keep internal link information about the session cache -list, when being inserted into one SSL_CTX object's session cache. +list, when being inserted into one SSL_CTX object\*(Aqs session cache. One SSL_SESSION object, regardless of its reference count, must therefore only be used with one SSL_CTX object (and the SSL objects created from this SSL_CTX object). diff --git a/secure/lib/libcrypto/man/man3/SSL_set_session_secret_cb.3 b/secure/lib/libcrypto/man/man3/SSL_set_session_secret_cb.3 index c098d051d814..c69b996ba431 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_session_secret_cb.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_session_secret_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_SESSION_SECRET_CB 3ossl" -.TH SSL_SET_SESSION_SECRET_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_SESSION_SECRET_CB 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -81,10 +84,10 @@ SSL_set_session_secret_cb, tls_session_secret_cb_fn \&\fBSSL_set_session_secret_cb()\fR sets the session secret callback to be used (\fIsession_secret_cb\fR), and an optional argument (\fIarg\fR) to be passed to that callback when it is called. This is only useful for an implementation of -EAP-FAST (RFC4851). The presence of the callback also modifies the internal +EAP\-FAST (RFC4851). The presence of the callback also modifies the internal OpenSSL TLS state machine to match the modified TLS behaviour as described in RFC4851. Therefore this callback should not be used except when implementing -EAP-FAST. +EAP\-FAST. .PP The callback is expected to set the master secret to be used by filling in the data pointed to by \fI*secret\fR. The size of the secret buffer is initially diff --git a/secure/lib/libcrypto/man/man3/SSL_set_shutdown.3 b/secure/lib/libcrypto/man/man3/SSL_set_shutdown.3 index d6b9c03375c8..9260ac105568 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_shutdown.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_shutdown.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_SHUTDOWN 3ossl" -.TH SSL_SET_SHUTDOWN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_SHUTDOWN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -78,7 +81,7 @@ SSL_set_shutdown, SSL_get_shutdown \- manipulate shutdown state of an SSL connec \&\fBSSL_get_shutdown()\fR returns the shutdown mode of \fBssl\fR. .SH NOTES .IX Header "NOTES" -The shutdown state of an ssl connection is a bit-mask of: +The shutdown state of an ssl connection is a bit\-mask of: .IP 0 4 No shutdown setting, yet. .IP SSL_SENT_SHUTDOWN 4 @@ -98,7 +101,7 @@ the ssl session. If the session is still open, when it is considered bad and removed according to RFC2246. The actual condition for a correctly closed session is SSL_SENT_SHUTDOWN (according to the TLS RFC, it is acceptable to only send the close_notify -alert but to not wait for the peer's answer, when the underlying connection +alert but to not wait for the peer\*(Aqs answer, when the underlying connection is closed). \&\fBSSL_set_shutdown()\fR can be used to set this state without sending a close alert to the peer (see \fBSSL_shutdown\fR\|(3)). diff --git a/secure/lib/libcrypto/man/man3/SSL_set_verify_result.3 b/secure/lib/libcrypto/man/man3/SSL_set_verify_result.3 index 4982fcc96728..7d9d61508b9f 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_verify_result.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_verify_result.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_VERIFY_RESULT 3ossl" -.TH SSL_SET_VERIFY_RESULT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_VERIFY_RESULT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_shutdown.3 b/secure/lib/libcrypto/man/man3/SSL_shutdown.3 index 0ffd3780368f..065a36b89eb9 100644 --- a/secure/lib/libcrypto/man/man3/SSL_shutdown.3 +++ b/secure/lib/libcrypto/man/man3/SSL_shutdown.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SHUTDOWN 3ossl" -.TH SSL_SHUTDOWN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SHUTDOWN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -82,11 +85,11 @@ SSL_shutdown, SSL_shutdown_ex \- shut down a TLS/SSL or QUIC connection .IX Header "DESCRIPTION" \&\fBSSL_shutdown()\fR shuts down an active connection represented by an SSL object. \fIssl\fR \fBMUST NOT\fR be NULL. .PP -\&\fBSSL_shutdown_ex()\fR is an extended version of \fBSSL_shutdown()\fR. If non-NULL, \fIargs\fR +\&\fBSSL_shutdown_ex()\fR is an extended version of \fBSSL_shutdown()\fR. If non\-NULL, \fIargs\fR must point to a \fBSSL_SHUTDOWN_EX_ARGS\fR structure and \fIargs_len\fR must be set to \&\f(CWsizeof(SSL_SHUTDOWN_EX_ARGS)\fR. The \fBSSL_SHUTDOWN_EX_ARGS\fR structure must be -zero-initialized. If \fIargs\fR is NULL, the behaviour is the same as passing a -zero-initialised \fBSSL_SHUTDOWN_EX_ARGS\fR structure. Currently, all extended +zero\-initialized. If \fIargs\fR is NULL, the behaviour is the same as passing a +zero\-initialised \fBSSL_SHUTDOWN_EX_ARGS\fR structure. Currently, all extended arguments relate to usage with QUIC, therefore this call functions identically to \fBSSL_shutdown()\fR when not being used with QUIC. .PP @@ -104,7 +107,7 @@ information. \&\fBSSL_shutdown()\fR should not be called if a previous fatal error has occurred on a connection; i.e., if \fBSSL_get_error\fR\|(3) has returned \fBSSL_ERROR_SYSCALL\fR or \&\fBSSL_ERROR_SSL\fR. -.SH "TLS AND DTLS-SPECIFIC CONSIDERATIONS" +.SH "TLS AND DTLS\-SPECIFIC CONSIDERATIONS" .IX Header "TLS AND DTLS-SPECIFIC CONSIDERATIONS" Shutdown for SSL/TLS and DTLS is implemented in terms of the SSL/TLS/DTLS close_notify alert message. The shutdown process for SSL/TLS and DTLS 
@@ -116,7 +119,7 @@ A close_notify shutdown alert message is received from the peer. .PP These steps can occur in either order depending on whether the connection shutdown process was first initiated by the local application or by the peer. -.SS "Locally-Initiated Shutdown" +.SS "Locally\-Initiated Shutdown" .IX Subsection "Locally-Initiated Shutdown" Calling \fBSSL_shutdown()\fR on an SSL/TLS or DTLS SSL object initiates the shutdown process and causes OpenSSL to try to send a close_notify shutdown alert to the @@ -128,11 +131,11 @@ read direction is closed by the peer. Once \fBSSL_shutdown()\fR is called, \&\fBSSL_write\fR\|(3) can no longer be used, but \fBSSL_read\fR\|(3) may still be used until the peer decides to close the connection in turn. The peer might continue sending data for some period of time before handling the local -application's shutdown indication. +application\*(Aqs shutdown indication. .PP \&\fBSSL_shutdown()\fR does not affect an underlying network connection such as a TCP connection, which remains open. -.SS "Remotely-Initiated Shutdown" +.SS "Remotely\-Initiated Shutdown" .IX Subsection "Remotely-Initiated Shutdown" If the peer was the first to initiate the shutdown process by sending a close_notify alert message, an application will be notified of this as an EOF 
@@ -169,12 +172,12 @@ received). However, the preferred method of waiting for the shutdown to complete is to use \&\fBSSL_read\fR\|(3) until \fBSSL_get_error\fR\|(3) indicates EOF by returning \&\fBSSL_ERROR_ZERO_RETURN\fR. This ensures any data received immediately before the -peer's close_notify alert is still provided to the application. It also ensures -any final handshake-layer messages received are processed (for example, messages +peer\*(Aqs close_notify alert is still provided to the application. It also ensures +any final handshake\-layer messages received are processed (for example, messages issuing new session tickets). .PP If this approach is not used, the second call to \fBSSL_shutdown()\fR (to complete the -shutdown by confirming receipt of the peer's close_notify message) will fail if +shutdown by confirming receipt of the peer\*(Aqs close_notify message) will fail if it is called when the application has not read all pending application data sent by the peer using \fBSSL_read\fR\|(3). .PP @@ -188,7 +191,7 @@ may be checked using \fBSSL_get_shutdown\fR\|(3). .IX Subsection "Fast Shutdown" Alternatively, it is acceptable for an application to call \fBSSL_shutdown()\fR once (such that it returns 0) and then close the underlying connection without -waiting for the peer's response. This allows for a more rapid shutdown process +waiting for the peer\*(Aqs response. This allows for a more rapid shutdown process if the application does not wish to wait for the peer. .PP This alternative "fast shutdown" approach should only be done if it is known 
@@ -221,11 +224,11 @@ state without actually sending a close_notify alert message; see \&\fBSSL_CTX_set_quiet_shutdown\fR\|(3). When "quiet shutdown" is enabled, \&\fBSSL_shutdown()\fR will always succeed and return 1 immediately. .PP -This is not standards-compliant behaviour. It should only be done when the +This is not standards\-compliant behaviour. It should only be done when the application protocol in use enables the peer to ensure that all data has been -received, such that it doesn't need to wait for a close_notify alert, otherwise +received, such that it doesn\*(Aqt need to wait for a close_notify alert, otherwise application data may be truncated unexpectedly. -.SS "Non-Compliant Peers" +.SS "Non\-Compliant Peers" .IX Subsection "Non-Compliant Peers" There are SSL/TLS implementations that never send the required close_notify alert message but simply close the underlying transport (e.g. a TCP connection) @@ -256,13 +259,13 @@ to benefit from session resumption are advised to perform a complete shutdown procedure by calling \fBSSL_shutdown()\fR until it returns 1, as described above. This will ensure there is an opportunity for SSL/TLS session ticket messages to be received and processed by OpenSSL. -.SH "QUIC-SPECIFIC SHUTDOWN CONSIDERATIONS" +.SH "QUIC\-SPECIFIC SHUTDOWN CONSIDERATIONS" .IX Header "QUIC-SPECIFIC SHUTDOWN CONSIDERATIONS" When used with a QUIC connection SSL object, \fBSSL_shutdown()\fR initiates a QUIC immediate close using QUIC \fBCONNECTION_CLOSE\fR frames. .PP \&\fBSSL_shutdown()\fR cannot be used on QUIC stream SSL objects. To conclude a stream -normally, see \fBSSL_stream_conclude\fR\|(3); to perform a non-normal stream +normally, see \fBSSL_stream_conclude\fR\|(3); to perform a non\-normal stream termination, see \fBSSL_stream_reset\fR\|(3). .PP \&\fBSSL_shutdown_ex()\fR may be used instead of \fBSSL_shutdown()\fR by an application to 
@@ -275,10 +278,10 @@ must be in the range [0, 2**62\-1], else the call to \fBSSL_shutdown_ex()\fR fai not provided, an error code of 0 is used by default. .IP \fIquic_reason\fR 4 .IX Item "quic_reason" -An optional zero-terminated (UTF\-8) reason string to be signalled to the peer. +An optional zero\-terminated (UTF\-8) reason string to be signalled to the peer. The application is responsible for providing a valid UTF\-8 string and OpenSSL will not validate the string. If a reason is not provided, or \fBSSL_shutdown()\fR is -used, a zero-length string is used as the reason. If provided, the reason string +used, a zero\-length string is used as the reason. If provided, the reason string is copied and stored inside the QUIC connection SSL object and need not remain allocated after the call to \fBSSL_shutdown_ex()\fR returns. Reason strings are bounded by the path MTU and may be silently truncated if they are too long to 
@@ -320,15 +323,15 @@ application has been sent to the peer, and until the receipt of all such data is acknowledged by the peer. Only once this process is completed is the shutdown considered complete. .PP -An exception to this is streams which terminated in a non-normal fashion, for -example due to a stream reset; only streams which are non-terminated at the time +An exception to this is streams which terminated in a non\-normal fashion, for +example due to a stream reset; only streams which are non\-terminated at the time \&\fBSSL_shutdown()\fR is called, or which terminated in a normal fashion, have their pending send buffers flushed in this manner. .PP This behaviour of flushing streams during the shutdown process can be skipped by setting the \fBSSL_SHUTDOWN_FLAG_NO_STREAM_FLUSH\fR flag in a call to \&\fBSSL_shutdown_ex()\fR; in this case, data remaining in stream send buffers may not -be transmitted to the peer. This flag may be used when a non-normal application +be transmitted to the peer. This flag may be used when a non\-normal application condition has occurred and the delivery of data written to streams via \&\fBSSL_write\fR\|(3) is no longer relevant. .SS "Shutdown Mode" 
@@ -338,9 +341,9 @@ applications. Ordinarily, QUIC expects a connection to continue to be serviced for a substantial period of time after it is nominally closed. This is necessary to ensure that any connection closure notification sent to the peer was successfully received. However, a consequence of this is that a fully -RFC-compliant QUIC connection closure process could take of the order of -seconds. This may be unsuitable for some applications, such as short-lived -processes which need to exit immediately after completing an application-layer +RFC\-compliant QUIC connection closure process could take of the order of +seconds. This may be unsuitable for some applications, such as short\-lived +processes which need to exit immediately after completing an application\-layer transaction. .PP As such, there are two shutdown modes available to users of QUIC connection SSL @@ -368,12 +371,12 @@ yet been fully shut down (unless it has already done so, in which case it will return 1). .PP If \fBSSL_SHUTDOWN_FLAG_RAPID\fR is specified in \fIflags\fR, a rapid shutdown is -performed, otherwise an RFC-compliant shutdown is performed. +performed, otherwise an RFC\-compliant shutdown is performed. .PP If an application calls \fBSSL_shutdown_ex()\fR with \fBSSL_SHUTDOWN_FLAG_RAPID\fR, an application can subsequently change its mind about performing a rapid shutdown by making a subsequent call to \fBSSL_shutdown_ex()\fR without the flag set. -.SS "Peer-Initiated Shutdown" +.SS "Peer\-Initiated Shutdown" .IX Subsection "Peer-Initiated Shutdown" In some cases, an application may wish to wait for a shutdown initiated by the peer rather than triggered locally. To do this, call \fBSSL_shutdown_ex()\fR with 
@@ -414,7 +417,7 @@ even though no error occurred. .IX Item "1" The shutdown was successfully completed. .Sp -For TLS and DTLS, this means that a close_notify alert was sent and the peer's +For TLS and DTLS, this means that a close_notify alert was sent and the peer\*(Aqs close_notify alert was received. .Sp For QUIC connection SSL objects, this means that the connection closure process diff --git a/secure/lib/libcrypto/man/man3/SSL_state_string.3 b/secure/lib/libcrypto/man/man3/SSL_state_string.3 index be33cc662261..3d287fdec10a 100644 --- a/secure/lib/libcrypto/man/man3/SSL_state_string.3 +++ b/secure/lib/libcrypto/man/man3/SSL_state_string.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_STATE_STRING 3ossl" -.TH SSL_STATE_STRING 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_STATE_STRING 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -73,7 +76,7 @@ SSL_state_string, SSL_state_string_long \- get textual description of state of a .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBSSL_state_string()\fR returns an abbreviated string indicating the current state -of the SSL object \fBssl\fR. The returned NUL-terminated string contains 6 or fewer characters. +of the SSL object \fBssl\fR. The returned NUL\-terminated string contains 6 or fewer characters. .PP \&\fBSSL_state_string_long()\fR returns a descriptive string indicating the current state of the SSL object \fBssl\fR. 
diff --git a/secure/lib/libcrypto/man/man3/SSL_stream_conclude.3 b/secure/lib/libcrypto/man/man3/SSL_stream_conclude.3 index 1c6cee7b37c8..98827ec429b0 100644 --- a/secure/lib/libcrypto/man/man3/SSL_stream_conclude.3 +++ b/secure/lib/libcrypto/man/man3/SSL_stream_conclude.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_STREAM_CONCLUDE 3ossl" -.TH SSL_STREAM_CONCLUDE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_STREAM_CONCLUDE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -71,14 +74,14 @@ SSL_stream_conclude \- conclude the sending part of a QUIC stream .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBSSL_stream_conclude()\fR signals the normal end-of-stream condition for the send +\&\fBSSL_stream_conclude()\fR signals the normal end\-of\-stream condition for the send part of a QUIC stream. If called on a QUIC connection SSL object with an associated default stream, it signals the end of the single stream to the peer. .PP Any data already queued for transmission via a call to \fBSSL_write()\fR will still be -written in a reliable manner before the end-of-stream is signalled, assuming the +written in a reliable manner before the end\-of\-stream is signalled, assuming the connection remains healthy. This function can be thought of as appending a -logical end-of-stream marker after any data which has previously been written to +logical end\-of\-stream marker after any data which has previously been written to the stream via calls to \fBSSL_write()\fR. Further attempts to call \fBSSL_write()\fR after calling this function will fail. .PP @@ -89,7 +92,7 @@ of the stream. Thus, \fBSSL_read()\fR can still be used. \&\fIflags\fR is reserved and should be set to 0. .PP Only the first call to this function has any effect for a given stream; -subsequent calls are no-ops. This is considered a success case. +subsequent calls are no\-ops. This is considered a success case. .PP This function is not supported on an object other than a QUIC stream SSL object. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/SSL_stream_reset.3 b/secure/lib/libcrypto/man/man3/SSL_stream_reset.3 index 6e0b959ee66e..632d4606331b 100644 --- a/secure/lib/libcrypto/man/man3/SSL_stream_reset.3 +++ b/secure/lib/libcrypto/man/man3/SSL_stream_reset.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_STREAM_RESET 3ossl" -.TH SSL_STREAM_RESET 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_STREAM_RESET 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -81,9 +84,9 @@ The \fBSSL_stream_reset()\fR function resets the send part of a QUIC stream when called on a QUIC stream SSL object, or on a QUIC connection SSL object with a default stream attached. .PP -If \fIargs\fR is non-NULL, \fIargs_len\fR must be set to \f(CWsizeof(*args)\fR. +If \fIargs\fR is non\-NULL, \fIargs_len\fR must be set to \f(CWsizeof(*args)\fR. .PP -\&\fIquic_error_code\fR is an application-specified error code, which must be in the +\&\fIquic_error_code\fR is an application\-specified error code, which must be in the range [0, 2**62\-1]. If \fIargs\fR is NULL, a value of 0 is used. .PP Resetting a stream indicates to an application that the sending part of the @@ -110,7 +113,7 @@ This function corresponds to the QUIC \fBRESET_STREAM\fR frame. Returns 1 on success and 0 on failure. .PP This function fails if called on a QUIC connection SSL object without a default -stream attached, or on a non-QUIC SSL object. +stream attached, or on a non\-QUIC SSL object. .PP After the first call to this function succeeds for a given stream, subsequent calls succeed but are ignored. The application error code 
diff --git a/secure/lib/libcrypto/man/man3/SSL_want.3 b/secure/lib/libcrypto/man/man3/SSL_want.3 index 6b2639aaa979..7abade3e298d 100644 --- a/secure/lib/libcrypto/man/man3/SSL_want.3 +++ b/secure/lib/libcrypto/man/man3/SSL_want.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_WANT 3ossl" -.TH SSL_WANT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_WANT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -143,7 +146,7 @@ A call to \fBSSL_get_error\fR\|(3) should return \fBSSL_ERROR_WANT_CLIENT_HELLO_ \&\fBSSL_want_x509_lookup()\fR, \fBSSL_want_retry_verify()\fR, \&\fBSSL_want_async()\fR, \fBSSL_want_async_job()\fR, and \fBSSL_want_client_hello_cb()\fR return 1 when the corresponding condition is true or 0 otherwise. -.SH "QUIC-SPECIFIC CONSIDERATIONS" +.SH "QUIC\-SPECIFIC CONSIDERATIONS" .IX Header "QUIC-SPECIFIC CONSIDERATIONS" For QUIC, these functions relate only to the TLS handshake layer. .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/SSL_write.3 b/secure/lib/libcrypto/man/man3/SSL_write.3 index 66c4ec2c2623..73e7ccdefa98 100644 --- a/secure/lib/libcrypto/man/man3/SSL_write.3 +++ b/secure/lib/libcrypto/man/man3/SSL_write.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_WRITE 3ossl" -.TH SSL_WRITE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_WRITE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -89,7 +92,7 @@ optional flags which modify its behaviour. Calling \fBSSL_write_ex2()\fR with a .PP \&\fBSSL_sendfile()\fR writes \fBsize\fR bytes from offset \fBoffset\fR in the file descriptor \fBfd\fR to the specified SSL connection \fBs\fR. This function provides -efficient zero-copy semantics. \fBSSL_sendfile()\fR is available only when +efficient zero\-copy semantics. \fBSSL_sendfile()\fR is available only when Kernel TLS is enabled, which can be checked by calling \fBBIO_get_ktls_send()\fR. It is provided here to allow users to maintain the same interface. The meaning of \fBflags\fR is platform dependent. @@ -105,7 +108,7 @@ objects with a default stream attached). .Sp If this flag is set, and the call to \fBSSL_write_ex2()\fR succeeds, and all of the data passed to the call is written (meaning that \f(CW\*(C`*written == num\*(C'\fR), the -relevant QUIC stream's send part is concluded automatically as though +relevant QUIC stream\*(Aqs send part is concluded automatically as though \&\fBSSL_stream_conclude\fR\|(3) was called (causing transmission of a FIN for the stream). .Sp 
@@ -115,7 +118,7 @@ flag enables greater efficiency than making these two API calls separately, as it enables the written stream data and the FIN flag indicating the end of the stream to be scheduled as part of the same QUIC STREAM frame and QUIC packet. .Sp -Setting this flag does not cause a stream's send part to be concluded if not all +Setting this flag does not cause a stream\*(Aqs send part to be concluded if not all of the data passed to the call was consumed. .PP A call to \fBSSL_write_ex2()\fR fails if a flag is passed which is not supported or @@ -129,7 +132,7 @@ In the paragraphs below a "write function" is defined as one of either .PP If necessary, a write function will negotiate a TLS/SSL session, if not already explicitly performed by \fBSSL_connect\fR\|(3) or \fBSSL_accept\fR\|(3). If the peer -requests a re-negotiation, it will be performed transparently during +requests a re\-negotiation, it will be performed transparently during the write function operation. The behaviour of the write functions depends on the underlying BIO. .PP @@ -145,7 +148,7 @@ If the underlying BIO is \fBnonblocking\fR the write functions will also return when the underlying BIO could not satisfy the needs of the function to continue the operation. In this case a call to \fBSSL_get_error\fR\|(3) with the return value of the write function will yield \fBSSL_ERROR_WANT_READ\fR -or \fBSSL_ERROR_WANT_WRITE\fR. As at any time a re-negotiation is possible, a +or \fBSSL_ERROR_WANT_WRITE\fR. As at any time a re\-negotiation is possible, a call to a write function can also cause read operations! The calling process then must repeat the call after taking appropriate action to satisfy the needs of the write function. The action depends on the underlying BIO. When using a 
@@ -191,7 +194,7 @@ not all the requested bytes have been written yet (if SSL_MODE_ENABLE_PARTIAL_WRITE is not in use) or no bytes could be written to the SSL connection (if SSL_MODE_ENABLE_PARTIAL_WRITE is in use). Failures can be retryable (e.g. the network write buffer has temporarily filled up) or -non-retryable (e.g. a fatal network error). In the event of a failure call +non\-retryable (e.g. a fatal network error). In the event of a failure call \&\fBSSL_get_error\fR\|(3) to find out the reason which indicates whether the call is retryable or not. .PP @@ -208,7 +211,7 @@ Call \fBSSL_get_error()\fR with the return value \fBret\fR to find out the reaso .Sp Old documentation indicated a difference between 0 and \-1, and that \-1 was retryable. -You should instead call \fBSSL_get_error()\fR to find out if it's retryable. +You should instead call \fBSSL_get_error()\fR to find out if it\*(Aqs retryable. .PP For \fBSSL_sendfile()\fR, the following return values can occur: .IP ">= 0" 4 diff --git a/secure/lib/libcrypto/man/man3/TS_RESP_CTX_new.3 b/secure/lib/libcrypto/man/man3/TS_RESP_CTX_new.3 index b52d6c1e25fa..f4d380633ae9 100644 --- a/secure/lib/libcrypto/man/man3/TS_RESP_CTX_new.3 +++ b/secure/lib/libcrypto/man/man3/TS_RESP_CTX_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "TS_RESP_CTX_NEW 3ossl" -.TH TS_RESP_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH TS_RESP_CTX_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/TS_VERIFY_CTX.3 b/secure/lib/libcrypto/man/man3/TS_VERIFY_CTX.3 index b8860d0d5577..5b6d33feefd0 100644 --- a/secure/lib/libcrypto/man/man3/TS_VERIFY_CTX.3 +++ b/secure/lib/libcrypto/man/man3/TS_VERIFY_CTX.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "TS_VERIFY_CTX 3ossl" -.TH TS_VERIFY_CTX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH TS_VERIFY_CTX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -106,15 +109,15 @@ The following function has been deprecated since OpenSSL 3.0: .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The Time-Stamp Protocol (TSP) is defined by RFC 3161. TSP is a protocol used to -provide long-term proof of the existence of certain data before a particular +The Time\-Stamp Protocol (TSP) is defined by RFC 3161. TSP is a protocol used to +provide long\-term proof of the existence of certain data before a particular time. TSP defines a Time Stamping Authority (TSA) and an entity that makes requests to the TSA. Usually, the TSA is referred to as the server side, and the requesting entity is referred to as the client. .PP In TSP, when a server sends a response to a client, the server normally needs to sign the response data \- the TimeStampToken (TST) \- with its private -key. Then the client verifies the received TST using the server's certificate +key. Then the client verifies the received TST using the server\*(Aqs certificate chain. .PP For all the following methods, unless noted otherwise, \fIctx\fR is the @@ -131,7 +134,7 @@ verification context to be freed. If \fIctx\fR is NULL, the call is ignored. the flags to be set. .PP \&\fBTS_VERIFY_CTX_add_flags()\fR adds flags to the verification context. \fIf\fR are the -flags to be added (OR'd). +flags to be added (OR\*(Aqd). .PP \&\fBTS_VERIFY_CTX_set0_data()\fR sets the data to be verified. \fIb\fR is the \fBBIO\fR with the data. A previously assigned \fBBIO\fR is freed. 
@@ -142,7 +145,7 @@ message imprint to be assigned. A previously assigned imprint is freed. \&\fBTS_VERIFY_CTX_set0_store()\fR sets the store for the verification context. \fIs\fR is the store to be assigned. A previously assigned store is freed. .PP -\&\fBTS_VERIFY_CTX_set0_certs()\fR is used to set the server's certificate chain when +\&\fBTS_VERIFY_CTX_set0_certs()\fR is used to set the server\*(Aqs certificate chain when verifying a TST. \fIcerts\fR is a stack of \fBX509\fR certificates. .PP \&\fBTS_VERIFY_CTX_cleanup()\fR frees all data associated with the given @@ -165,7 +168,7 @@ message imprint to assign. \&\fBTS_VERIFY_CTX_set_store()\fR is used to set the certificate store. A previously assigned store is \fBnot freed\fR by this call. \fIs\fR is the store to assign. .PP -\&\fBTS_VERIFY_CTX_set_certs()\fR is used to set the server's certificate chain. +\&\fBTS_VERIFY_CTX_set_certs()\fR is used to set the server\*(Aqs certificate chain. A previously assigned stack is \fBnot freed\fR by this call. \fIcerts\fR is a stack of \fBX509\fR certificates. .PP diff --git a/secure/lib/libcrypto/man/man3/UI_STRING.3 b/secure/lib/libcrypto/man/man3/UI_STRING.3 index e231a3b23de1..7d24de933196 100644 --- a/secure/lib/libcrypto/man/man3/UI_STRING.3 +++ b/secure/lib/libcrypto/man/man3/UI_STRING.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "UI_STRING 3ossl" -.TH UI_STRING 3ossl 2025-09-30 3.5.4 OpenSSL +.TH UI_STRING 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -103,7 +106,7 @@ one of the functions \fBUI_add_input_string()\fR, \fBUI_dup_input_string()\fR, \&\fBUI_add_input_boolean()\fR, \fBUI_dup_input_boolean()\fR, \fBUI_add_info_string()\fR, \&\fBUI_dup_info_string()\fR, \fBUI_add_error_string()\fR or \fBUI_dup_error_string()\fR is called. -For a \fBUI_METHOD\fR user, there's no need to know more. +For a \fBUI_METHOD\fR user, there\*(Aqs no need to know more. For a \fBUI_METHOD\fR creator, it is of interest to fetch text from these \&\fBUI_STRING\fR objects as well as adding results to some of them. .PP @@ -146,7 +149,7 @@ For \fBUIT_BOOLEAN\fR type UI strings, this sets the first character of the result retrievable with \fBUI_get0_result_string()\fR to the first \&\fBok_char\fR given with \fBUI_add_input_boolean()\fR or \fBUI_dup_input_boolean()\fR if the \fBresult\fR matched any of them, or the first of the -\&\fBcancel_chars\fR if the \fBresult\fR matched any of them, otherwise it's +\&\fBcancel_chars\fR if the \fBresult\fR matched any of them, otherwise it\*(Aqs set to the NUL char \f(CW\*(C`\e0\*(C'\fR. See \fBUI_add_input_boolean\fR\|(3) for more information on \fBok_chars\fR and \&\fBcancel_chars\fR. 
@@ -170,7 +173,7 @@ string for \fBUIT_BOOLEAN\fR type UI strings, NULL for any other type. \&\fBUIT_PROMPT\fR and \fBUIT_VERIFY\fR type UI strings, NULL for any other type. .PP -\&\fBUI_get_result_string_length()\fR returns the UI string result buffer's +\&\fBUI_get_result_string_length()\fR returns the UI string result buffer\*(Aqs content length for \fBUIT_PROMPT\fR and \fBUIT_VERIFY\fR type UI strings, \&\-1 for any other type. .PP diff --git a/secure/lib/libcrypto/man/man3/UI_UTIL_read_pw.3 b/secure/lib/libcrypto/man/man3/UI_UTIL_read_pw.3 index eeae8beddf8e..89719175751a 100644 --- a/secure/lib/libcrypto/man/man3/UI_UTIL_read_pw.3 +++ b/secure/lib/libcrypto/man/man3/UI_UTIL_read_pw.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "UI_UTIL_READ_PW 3ossl" -.TH UI_UTIL_READ_PW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH UI_UTIL_READ_PW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/UI_create_method.3 b/secure/lib/libcrypto/man/man3/UI_create_method.3 index 3a5c496e71a0..020c8732baa4 100644 --- a/secure/lib/libcrypto/man/man3/UI_create_method.3 +++ b/secure/lib/libcrypto/man/man3/UI_create_method.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "UI_CREATE_METHOD 3ossl" -.TH UI_CREATE_METHOD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH UI_CREATE_METHOD 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -110,7 +113,7 @@ interface method creation and destruction .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -A method contains a few functions that implement the low-level of the +A method contains a few functions that implement the low\-level of the User Interface. These functions are: .IP "an opener" 4 
@@ -143,17 +146,17 @@ This function takes a reference to a UI, and closes the session, maybe by closing the channel to the tty, maybe by destroying a dialog box. .PP All of these functions are expected to return 0 on error, 1 on -success, or \-1 on out-off-band events, for example if some prompting -has been cancelled (by pressing Ctrl-C, for example). +success, or \-1 on out\-off\-band events, for example if some prompting +has been cancelled (by pressing Ctrl\-C, for example). Only the flusher or the reader are expected to return \-1. -If returned by another of the functions, it's treated as if 0 was +If returned by another of the functions, it\*(Aqs treated as if 0 was returned. .PP -Regarding the writer and the reader, don't assume the former should -only write and don't assume the latter should only read. +Regarding the writer and the reader, don\*(Aqt assume the former should +only write and don\*(Aqt assume the latter should only read. This depends on the needs of the method. .PP -For example, a typical tty reader wouldn't write the prompts in the +For example, a typical tty reader wouldn\*(Aqt write the prompts in the write, but would rather do so in the reader, because of the sequential nature of prompting on a tty. This is how the \fBUI_OpenSSL()\fR method does it. 
@@ -166,21 +169,21 @@ fetch those results. The central function that uses these method functions is \fBUI_process()\fR, and it does it in five steps: .IP 1. 4 -Open the session using the opener function if that one's defined. +Open the session using the opener function if that one\*(Aqs defined. If an error occurs, jump to 5. .IP 2. 4 For every UI String associated with the UI, call the writer function -if that one's defined. +if that one\*(Aqs defined. If an error occurs, jump to 5. .IP 3. 4 -Flush everything using the flusher function if that one's defined. +Flush everything using the flusher function if that one\*(Aqs defined. If an error occurs, jump to 5. .IP 4. 4 For every UI String associated with the UI, call the reader function -if that one's defined. +if that one\*(Aqs defined. If an error occurs, jump to 5. .IP 5. 4 -Close the session using the closer function if that one's defined. +Close the session using the closer function if that one\*(Aqs defined. .PP \&\fBUI_create_method()\fR creates a new UI method with a given \fBname\fR. .PP @@ -228,7 +231,7 @@ return 0 on success, \-1 if the given \fBmethod\fR is NULL. \&\fBUI_method_get_flusher()\fR, \fBUI_method_get_reader()\fR, \&\fBUI_method_get_closer()\fR, \fBUI_method_get_data_duplicator()\fR, \&\fBUI_method_get_data_destructor()\fR and \fBUI_method_get_prompt_constructor()\fR -return the requested function pointer if it's set in the method, +return the requested function pointer if it\*(Aqs set in the method, otherwise NULL. .PP \&\fBUI_method_get_ex_data()\fR returns a pointer to the application specific diff --git a/secure/lib/libcrypto/man/man3/UI_new.3 b/secure/lib/libcrypto/man/man3/UI_new.3 index fb040251d829..4bfdd67aaf01 100644 --- a/secure/lib/libcrypto/man/man3/UI_new.3 +++ b/secure/lib/libcrypto/man/man3/UI_new.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "UI_NEW 3ossl" -.TH UI_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH UI_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -127,7 +130,7 @@ UI_get_method, UI_set_method, UI_OpenSSL, UI_null \- user interface .SH DESCRIPTION .IX Header "DESCRIPTION" UI stands for User Interface, and is general purpose set of routines to -prompt the user for text-based information. Through user-written methods +prompt the user for text\-based information. Through user\-written methods (see \fBUI_create_method\fR\|(3)), prompting can be done in any way imaginable, be it plain text prompting, through dialog boxes or from a cell phone. 
@@ -139,9 +142,9 @@ carry out the actual prompting. .PP The first thing to do is to create a UI with \fBUI_new()\fR or \fBUI_new_method()\fR, then add information to it with the UI_add or UI_dup functions. Also, -user-defined random data can be passed down to the underlying method +user\-defined random data can be passed down to the underlying method through calls to \fBUI_add_user_data()\fR or \fBUI_dup_user_data()\fR. The default -UI method doesn't care about these data, but other methods might. Finally, +UI method doesn\*(Aqt care about these data, but other methods might. Finally, use \fBUI_process()\fR to actually perform the prompting and \fBUI_get0_result()\fR and \fBUI_get_result_length()\fR to find the result to the prompt and its length. .PP @@ -161,7 +164,7 @@ this UI, it should be freed using \fBUI_free()\fR. \&\fBUI_new_method()\fR creates a new UI using the given UI method. When done with this UI, it should be freed using \fBUI_free()\fR. .PP -\&\fBUI_OpenSSL()\fR returns the built-in UI method (note: not necessarily the +\&\fBUI_OpenSSL()\fR returns the built\-in UI method (note: not necessarily the default one, since the default can be changed. See further on). This method is the most machine/OS dependent part of OpenSSL and normally generates the most problems when porting. @@ -170,7 +173,7 @@ generates the most problems when porting. getting internal defaults for passed UI_METHOD pointers. .PP \&\fBUI_free()\fR removes a UI from memory, along with all other pieces of memory -that's connected to it, like duplicated input strings, results and others. +that\*(Aqs connected to it, like duplicated input strings, results and others. If \fBui\fR is NULL nothing is done. .PP \&\fBUI_add_input_string()\fR and \fBUI_add_verify_string()\fR add a prompt to the UI, 
@@ -180,9 +183,9 @@ information is used to prompt for information, for example a password, and to verify a password (i.e. having the user enter it twice and check that the same string was entered twice). \fBUI_add_verify_string()\fR takes and extra argument that should be a pointer to the result buffer of the -input string that it's supposed to verify, or verification will fail. +input string that it\*(Aqs supposed to verify, or verification will fail. .PP -\&\fBUI_add_input_boolean()\fR adds a prompt to the UI that's supposed to be answered +\&\fBUI_add_input_boolean()\fR adds a prompt to the UI that\*(Aqs supposed to be answered in a boolean way, with a single character for yes and a different character for no. A set of characters that can be used to cancel the prompt is given as well. The prompt itself is divided in two, one part being the @@ -191,8 +194,8 @@ the possible answers (given through the \fIaction_desc\fR argument). .PP \&\fBUI_add_info_string()\fR and \fBUI_add_error_string()\fR add strings that are shown at the same time as the prompt for extra information or to show an error string. -The difference between the two is only conceptual. With the built-in method, -there's no technical difference between them. Other methods may make a +The difference between the two is only conceptual. With the built\-in method, +there\*(Aqs no technical difference between them. Other methods may make a difference between them, however. .PP The flags currently supported are \fBUI_INPUT_FLAG_ECHO\fR, which is relevant for 
@@ -218,17 +221,20 @@ With the description "pass phrase" and the filename "foo.key", that becomes string and may include encodings that will be processed by the other method functions. .PP -\&\fBUI_add_user_data()\fR adds a user data pointer for the method to use at any -time. The built-in UI method doesn't care about this info. Note that several -calls to this function doesn't add data, it replaces the previous blob +\&\fBUI_add_user_data()\fR sets the user data pointer for the method to use at any +time. The built\-in UI method doesn\*(Aqt care about this info. Note that several +calls to this function doesn\*(Aqt add data, it replaces the previous pointer with the one given as argument. +The return value is the previously set user data pointer if it was set +using \fBUI_add_user_data()\fR and thus the caller owns it, otherwise NULL. .PP \&\fBUI_dup_user_data()\fR duplicates the user data and works as an alternative to \fBUI_add_user_data()\fR when the user data needs to be preserved for a longer duration, perhaps even the lifetime of the application. The UI object takes ownership of this duplicate and will free it whenever it gets replaced or the UI is destroyed. \fBUI_dup_user_data()\fR returns 0 on success, or \-1 on memory -allocation failure or if the method doesn't have a duplicator function. +allocation failure or if the method doesn\*(Aqt have a duplicator and a destructor +function. .PP \&\fBUI_get0_user_data()\fR retrieves the data that has last been given to the UI with \fBUI_add_user_data()\fR or UI_dup_user_data. 
@@ -240,7 +246,7 @@ the information indexed by \fIi\fR. the information indexed by \fIi\fR. .PP \&\fBUI_process()\fR goes through the information given so far, does all the printing -and prompting and returns the final status, which is \-2 on out-of-band events +and prompting and returns the final status, which is \-2 on out\-of\-band events (Interrupt, Cancel, ...), \-1 on error and 0 on success. .PP \&\fBUI_ctrl()\fR adds extra control for the application author. For now, it @@ -250,7 +256,7 @@ print the OpenSSL error stack as part of processing the UI, and be used again or not. .PP \&\fBUI_set_default_method()\fR changes the default UI method to the one given. -This function is not thread-safe and should not be called at the same time +This function is not thread\-safe and should not be called at the same time as other OpenSSL functions. .PP \&\fBUI_get_default_method()\fR returns a pointer to the current default UI method. @@ -266,7 +272,7 @@ Windows) code page. For applications having different demands, these strings need to be converted appropriately by the caller. For Windows, if the \fBOPENSSL_WIN32_UTF8\fR environment variable is set, -the built-in method \fBUI_OpenSSL()\fR will produce UTF\-8 encoded strings +the built\-in method \fBUI_OpenSSL()\fR will produce UTF\-8 encoded strings instead. .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -281,6 +287,9 @@ is less than or equal to 0 otherwise. .PP \&\fBUI_construct_prompt()\fR returns a string or NULL if an error occurred. .PP +\&\fBUI_add_user_data()\fR returns +the user data pointer previously set using this function, otherwise NULL. +.PP \&\fBUI_dup_user_data()\fR returns 0 on success or \-1 on error. .PP \&\fBUI_get0_result()\fR returns a string or NULL on error. 
@@ -300,7 +309,7 @@ respectively. The \fBUI_dup_user_data()\fR function was added in OpenSSL 1.1.1. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man3/X509V3_get_d2i.3 b/secure/lib/libcrypto/man/man3/X509V3_get_d2i.3 index bcc553028fed..838625b20612 100644 --- a/secure/lib/libcrypto/man/man3/X509V3_get_d2i.3 +++ b/secure/lib/libcrypto/man/man3/X509V3_get_d2i.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509V3_GET_D2I 3ossl" -.TH X509V3_GET_D2I 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509V3_GET_D2I 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -280,7 +283,7 @@ The following extensions are used by certificate transparency, RFC6962 a pointer to an extension specific structure or NULL if an error occurs. .PP \&\fBX509V3_add1_i2d()\fR and its variants return 1 if the operation is successful -and 0 if it fails due to a non-fatal error (extension not found, already exists, +and 0 if it fails due to a non\-fatal error (extension not found, already exists, cannot be encoded) or \-1 due to a fatal error such as a memory allocation failure. .PP 
diff --git a/secure/lib/libcrypto/man/man3/X509V3_set_ctx.3 b/secure/lib/libcrypto/man/man3/X509V3_set_ctx.3 index 3808a5d63480..d120b1b0b278 100644 --- a/secure/lib/libcrypto/man/man3/X509V3_set_ctx.3 +++ b/secure/lib/libcrypto/man/man3/X509V3_set_ctx.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509V3_SET_CTX 3ossl" -.TH X509V3_SET_CTX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509V3_SET_CTX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -78,7 +81,7 @@ X509V3_set_issuer_pkey \- X.509 v3 extension generation utilities providing details potentially needed by functions producing X509 v3 extensions. These may make use of fields of the certificate \fIsubject\fR, the certification request \fIreq\fR, or the certificate revocation list \fIcrl\fR. -At most one of these three parameters can be non-NULL. +At most one of these three parameters can be non\-NULL. When constructing the subject key identifier of a certificate by computing a hash value of its public key, the public key is taken from \fIsubject\fR or \fIreq\fR. Similarly, when constructing subject alternative names from any email addresses 
@@ -86,7 +89,7 @@ contained in a subject DN, the subject DN is taken from \fIsubject\fR or \fIreq\ If \fIsubject\fR or \fIcrl\fR is provided, \fIissuer\fR should point to its issuer, for instance as a reference for generating the authority key identifier extension. \&\fIissuer\fR may be the same pointer value as \fIsubject\fR (which usually is an -indication that the \fIsubject\fR certificate is self-issued or even self-signed). +indication that the \fIsubject\fR certificate is self\-issued or even self\-signed). In this case the fallback source for generating the authority key identifier extension will be taken from any value provided using \fBX509V3_set_issuer_pkey()\fR. \&\fIflags\fR may be 0 diff --git a/secure/lib/libcrypto/man/man3/X509_ACERT_add1_attr.3 b/secure/lib/libcrypto/man/man3/X509_ACERT_add1_attr.3 index d751cad5553b..52312cb59f09 100644 --- a/secure/lib/libcrypto/man/man3/X509_ACERT_add1_attr.3 +++ b/secure/lib/libcrypto/man/man3/X509_ACERT_add1_attr.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_ACERT_ADD1_ATTR 3ossl" -.TH X509_ACERT_ADD1_ATTR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_ACERT_ADD1_ATTR 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_ACERT_add_attr_nconf.3 b/secure/lib/libcrypto/man/man3/X509_ACERT_add_attr_nconf.3 index 2e3bbd8aa91c..ab338eb99999 100644 
--- a/secure/lib/libcrypto/man/man3/X509_ACERT_add_attr_nconf.3 +++ b/secure/lib/libcrypto/man/man3/X509_ACERT_add_attr_nconf.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_ACERT_ADD_ATTR_NCONF 3ossl" -.TH X509_ACERT_ADD_ATTR_NCONF 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_ACERT_ADD_ATTR_NCONF 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_ACERT_get0_holder_baseCertId.3 b/secure/lib/libcrypto/man/man3/X509_ACERT_get0_holder_baseCertId.3 index 217895c8b927..830a74d69137 100644 --- a/secure/lib/libcrypto/man/man3/X509_ACERT_get0_holder_baseCertId.3 +++ b/secure/lib/libcrypto/man/man3/X509_ACERT_get0_holder_baseCertId.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_ACERT_GET0_HOLDER_BASECERTID 3ossl" -.TH X509_ACERT_GET0_HOLDER_BASECERTID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_ACERT_GET0_HOLDER_BASECERTID 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -124,7 +127,7 @@ attribute certificate \fIx\fR can be retrieved with \&\fBX509_ACERT_get0_holder_digest()\fR. .PP A \fBOSSL_ISSUER_SERIAL\fR object holds the subject name and UID of a certificate -issuer and a certificate's serial number. \fBOSSL_ISSUER_SERIAL_set1_issuer()\fR, +issuer and a certificate\*(Aqs serial number. \fBOSSL_ISSUER_SERIAL_set1_issuer()\fR, \&\fBOSSL_ISSUER_SERIAL_set1_issuerUID()\fR, and \fBOSSL_ISSUER_SERIAL_set1_serial()\fR respectively copy these values into the \fBOSSL_ISSUER_SERIAL\fR structure. The application is responsible for freeing its own copy of these values after @@ -149,7 +152,7 @@ Hash of another object. See NOTES below. .SH "RETURN VALUES" .IX Header "RETURN VALUES" All \fIset0\fR/\fIset1\fR routines return 1 for success and 0 for failure. -All \fIget0\fR functions return a pointer to the object's inner structure. These +All \fIget0\fR functions return a pointer to the object\*(Aqs inner structure. These pointers must not be freed after use. .SH NOTES .IX Header "NOTES" diff --git a/secure/lib/libcrypto/man/man3/X509_ACERT_get_attr.3 b/secure/lib/libcrypto/man/man3/X509_ACERT_get_attr.3 index 967203523bde..b84035297cab 100644 --- a/secure/lib/libcrypto/man/man3/X509_ACERT_get_attr.3 +++ b/secure/lib/libcrypto/man/man3/X509_ACERT_get_attr.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_ACERT_GET_ATTR 3ossl" -.TH X509_ACERT_GET_ATTR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_ACERT_GET_ATTR 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -87,7 +90,7 @@ of attributes in the \fBX509_ACERT\fR. attribute location matching \fInid\fR or \fIobj\fR after \fIlastpos\fR. \fIlastpos\fR should initially be set to \-1. If there are no more entries \-1 is returned. If \fInid\fR is invalid -(doesn't correspond to a valid OID) then \-2 is returned. +(doesn\*(Aqt correspond to a valid OID) then \-2 is returned. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBX509_ACERT_get0_attr()\fR return a \fBX509_ATTRIBUTE\fR from an attribute diff --git a/secure/lib/libcrypto/man/man3/X509_ACERT_print_ex.3 b/secure/lib/libcrypto/man/man3/X509_ACERT_print_ex.3 index a4d110b0ac74..843bbea3850b 100644 --- a/secure/lib/libcrypto/man/man3/X509_ACERT_print_ex.3 +++ b/secure/lib/libcrypto/man/man3/X509_ACERT_print_ex.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_ACERT_PRINT_EX 3ossl" -.TH X509_ACERT_PRINT_EX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_ACERT_PRINT_EX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -101,7 +104,7 @@ holder issuer name is present, the first GENERAL_NAME returned by \fBX509_ACERT_get0_holder_entityName()\fR is printed. If the holder baseCertificateId is present, the issuer name (printed with X509_NAME_print_ex) and serial number of the -holder's certificate are displayed. (X509_FLAG_NO_SUBJECT) +holder\*(Aqs certificate are displayed. (X509_FLAG_NO_SUBJECT) .Sp = item * .Sp diff --git a/secure/lib/libcrypto/man/man3/X509_ALGOR_dup.3 b/secure/lib/libcrypto/man/man3/X509_ALGOR_dup.3 index 5ea460069195..bf875986d021 100644 --- a/secure/lib/libcrypto/man/man3/X509_ALGOR_dup.3 +++ b/secure/lib/libcrypto/man/man3/X509_ALGOR_dup.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_ALGOR_DUP 3ossl" -.TH X509_ALGOR_DUP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_ALGOR_DUP 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/X509_ATTRIBUTE.3 b/secure/lib/libcrypto/man/man3/X509_ATTRIBUTE.3 index 6327db7d44ff..f3fa2e8075cc 100644 --- a/secure/lib/libcrypto/man/man3/X509_ATTRIBUTE.3 +++ b/secure/lib/libcrypto/man/man3/X509_ATTRIBUTE.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_ATTRIBUTE 3ossl" -.TH X509_ATTRIBUTE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_ATTRIBUTE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -143,7 +146,7 @@ in RFC 5280, i.e. \& AttributeValue ::= ANY \-\- DEFINED BY AttributeType .Ve .PP -For example CMS defines the signing-time attribute as: +For example CMS defines the signing\-time attribute as: .PP .Vb 2 \& id\-signingTime OBJECT IDENTIFIER ::= { iso(1) member\-body(2) diff --git a/secure/lib/libcrypto/man/man3/X509_CRL_get0_by_serial.3 b/secure/lib/libcrypto/man/man3/X509_CRL_get0_by_serial.3 index 902d932b81e7..b9155419a646 100644 --- a/secure/lib/libcrypto/man/man3/X509_CRL_get0_by_serial.3 +++ b/secure/lib/libcrypto/man/man3/X509_CRL_get0_by_serial.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_CRL_GET0_BY_SERIAL 3ossl" -.TH X509_CRL_GET0_BY_SERIAL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_CRL_GET0_BY_SERIAL 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_EXTENSION_set_object.3 b/secure/lib/libcrypto/man/man3/X509_EXTENSION_set_object.3 index b4ad2d8fd2ff..2ed6f098c46b 100644 --- a/secure/lib/libcrypto/man/man3/X509_EXTENSION_set_object.3 +++ b/secure/lib/libcrypto/man/man3/X509_EXTENSION_set_object.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_EXTENSION_SET_OBJECT 3ossl" -.TH X509_EXTENSION_SET_OBJECT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_EXTENSION_SET_OBJECT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -90,7 +93,7 @@ functions \&\fBobj\fR pointer is duplicated internally so \fBobj\fR should be freed up after use. .PP \&\fBX509_EXTENSION_set_critical()\fR sets the criticality of \fBex\fR to \fBcrit\fR. If -\&\fBcrit\fR is zero the extension in non-critical otherwise it is critical. +\&\fBcrit\fR is zero the extension in non\-critical otherwise it is critical. .PP \&\fBX509_EXTENSION_set_data()\fR sets the data in extension \fBex\fR to \fBdata\fR. The \&\fBdata\fR pointer is duplicated internally. @@ -109,7 +112,7 @@ except it creates and extension using \fBobj\fR instead of a NID. not be freed up. .PP \&\fBX509_EXTENSION_get_critical()\fR returns the criticality of extension \fBex\fR it -returns \fB1\fR for critical and \fB0\fR for non-critical. +returns \fB1\fR for critical and \fB0\fR for non\-critical. .PP \&\fBX509_EXTENSION_get_data()\fR returns the data of extension \fBex\fR. The returned pointer is an internal value which must not be freed up. @@ -132,7 +135,7 @@ an \fBX509_EXTENSION\fR pointer or \fBNULL\fR if an error occurs. .PP \&\fBX509_EXTENSION_get_object()\fR returns an \fBASN1_OBJECT\fR pointer. .PP -\&\fBX509_EXTENSION_get_critical()\fR returns \fB0\fR for non-critical and \fB1\fR for +\&\fBX509_EXTENSION_get_critical()\fR returns \fB0\fR for non\-critical and \fB1\fR for critical. .PP \&\fBX509_EXTENSION_get_data()\fR returns an \fBASN1_OCTET_STRING\fR pointer. diff --git a/secure/lib/libcrypto/man/man3/X509_LOOKUP.3 b/secure/lib/libcrypto/man/man3/X509_LOOKUP.3 index 7fe9bfac1042..024a5a54d866 100644 --- a/secure/lib/libcrypto/man/man3/X509_LOOKUP.3 +++ b/secure/lib/libcrypto/man/man3/X509_LOOKUP.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_LOOKUP 3ossl" -.TH X509_LOOKUP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_LOOKUP 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -182,7 +185,7 @@ certificates and CRLs are loaded on demand into the associated This can only be used with a lookup using the implementation \&\fBX509_LOOKUP_hash_dir\fR\|(3). .PP -\&\fBX509_LOOKUP_add_store_ex()\fR passes a URI for a directory-like structure +\&\fBX509_LOOKUP_add_store_ex()\fR passes a URI for a directory\-like structure from which containers with certificates and CRLs are loaded on demand into the associated \fBX509_STORE\fR. The library context \fIlibctx\fR and property query \fIpropq\fR are used when fetching algorithms from providers. @@ -247,9 +250,9 @@ or NULL on error. 0 on error. .PP \&\fBX509_LOOKUP_ctrl_ex()\fR and \fBX509_LOOKUP_ctrl()\fR -return \-1 if the \fBX509_LOOKUP\fR doesn't have an +return \-1 if the \fBX509_LOOKUP\fR doesn\*(Aqt have an associated \fBX509_LOOKUP_METHOD\fR, or 1 if the -doesn't have a control function. +doesn\*(Aqt have a control function. Otherwise, it returns what the control function in the \&\fBX509_LOOKUP_METHOD\fR returns, which is usually 1 on success and 0 on error but could also be \-1 on failure. 
@@ -268,7 +271,7 @@ but passes NULL for both the libctx and propq. .PP \&\fBX509_LOOKUP_by_issuer_serial()\fR, \fBX509_LOOKUP_by_fingerprint()\fR, and \&\fBX509_LOOKUP_by_alias()\fR all return 0 if there is no \fBX509_LOOKUP_METHOD\fR or that -method doesn't implement the corresponding function. +method doesn\*(Aqt implement the corresponding function. Otherwise, they return what the corresponding function in the \&\fBX509_LOOKUP_METHOD\fR returns, which is usually 1 on success and 0 in error. diff --git a/secure/lib/libcrypto/man/man3/X509_LOOKUP_hash_dir.3 b/secure/lib/libcrypto/man/man3/X509_LOOKUP_hash_dir.3 index 1a7bc5fa4210..bb85c6235547 100644 --- a/secure/lib/libcrypto/man/man3/X509_LOOKUP_hash_dir.3 +++ b/secure/lib/libcrypto/man/man3/X509_LOOKUP_hash_dir.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_LOOKUP_HASH_DIR 3ossl" -.TH X509_LOOKUP_HASH_DIR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_LOOKUP_HASH_DIR 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -181,9 +184,9 @@ certificates or CRLs, but can also be references to catalogues of such objects (that behave like directories). .PP This method overlaps the "File Method" and "Hashed Directory Method" -because of the 'file:' scheme loader. +because of the \*(Aqfile:\*(Aq scheme loader. It does no caching of its own, but can use a caching \fBossl_store\fR\|(7) -loader, and therefore depends on the loader's capability. +loader, and therefore depends on the loader\*(Aqs capability. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBX509_LOOKUP_hash_dir()\fR, \fBX509_LOOKUP_file()\fR and \fBX509_LOOKUP_store()\fR diff --git a/secure/lib/libcrypto/man/man3/X509_LOOKUP_meth_new.3 b/secure/lib/libcrypto/man/man3/X509_LOOKUP_meth_new.3 index 7a3fa3b64ea1..d4db7fa62174 100644 --- a/secure/lib/libcrypto/man/man3/X509_LOOKUP_meth_new.3 +++ b/secure/lib/libcrypto/man/man3/X509_LOOKUP_meth_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_LOOKUP_METH_NEW 3ossl" -.TH X509_LOOKUP_METH_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_LOOKUP_METH_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -165,7 +168,7 @@ of an X509_LOOKUP_METHOD can be associated to many instantiations of an \&\fBX509_LOOKUP\fR structure. .PP \&\fBX509_LOOKUP_meth_new()\fR creates a new \fBX509_LOOKUP_METHOD\fR structure. It should -be given a human-readable string containing a brief description of the lookup +be given a human\-readable string containing a brief description of the lookup method. .PP \&\fBX509_LOOKUP_meth_free()\fR destroys a \fBX509_LOOKUP_METHOD\fR structure. @@ -200,7 +203,7 @@ points to a location where any return data should be written to. How .PP \&\fBX509_LOOKUP_set_get_by_subject()\fR, \fBX509_LOOKUP_set_get_by_issuer_serial()\fR, \&\fBX509_LOOKUP_set_get_by_fingerprint()\fR, \fBX509_LOOKUP_set_get_by_alias()\fR set -the functions used to retrieve an X509 or X509_CRL object by the object's +the functions used to retrieve an X509 or X509_CRL object by the object\*(Aqs subject, issuer, fingerprint, and alias respectively. These functions are given the X509_LOOKUP context, the type of the X509_OBJECT being requested, parameters related to the lookup, and an X509_OBJECT that will receive the requested @@ -216,7 +219,7 @@ reference count again. .PP Implementations should also use either \fBX509_OBJECT_set1_X509()\fR or \&\fBX509_OBJECT_set1_X509_CRL()\fR to set the result. Note that this also -increments the result's reference count. +increments the result\*(Aqs reference count. .PP Any method data that was created as a result of the new_item function set by \fBX509_LOOKUP_meth_set_new_item()\fR can be accessed with diff --git a/secure/lib/libcrypto/man/man3/X509_NAME_ENTRY_get_object.3 b/secure/lib/libcrypto/man/man3/X509_NAME_ENTRY_get_object.3 index f6e116e01e4b..4de67f336033 100644 --- a/secure/lib/libcrypto/man/man3/X509_NAME_ENTRY_get_object.3 +++ b/secure/lib/libcrypto/man/man3/X509_NAME_ENTRY_get_object.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_NAME_ENTRY_GET_OBJECT 3ossl" -.TH X509_NAME_ENTRY_GET_OBJECT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_NAME_ENTRY_GET_OBJECT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_NAME_add_entry_by_txt.3 b/secure/lib/libcrypto/man/man3/X509_NAME_add_entry_by_txt.3 index d11ad8bd3be4..a857880163ba 100644 --- a/secure/lib/libcrypto/man/man3/X509_NAME_add_entry_by_txt.3 +++ b/secure/lib/libcrypto/man/man3/X509_NAME_add_entry_by_txt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_NAME_ADD_ENTRY_BY_TXT 3ossl" -.TH X509_NAME_ADD_ENTRY_BY_TXT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_NAME_ADD_ENTRY_BY_TXT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -129,8 +132,8 @@ If it is zero a new RDN is created. .PP If \fBset\fR is \-1 or 1 it is added as a new set member to the previous or next RDN structure, respectively. -This will then become part of a multi-valued RDN (containing a set of AVAs). -Since multi-valued RDNs are very rarely used \fBset\fR typically will be zero. +This will then become part of a multi\-valued RDN (containing a set of AVAs). +Since multi\-valued RDNs are very rarely used \fBset\fR typically will be zero. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBX509_NAME_add_entry_by_txt()\fR, \fBX509_NAME_add_entry_by_OBJ()\fR, diff --git a/secure/lib/libcrypto/man/man3/X509_NAME_get0_der.3 b/secure/lib/libcrypto/man/man3/X509_NAME_get0_der.3 index 673b17565d87..32d877960d02 100644 --- a/secure/lib/libcrypto/man/man3/X509_NAME_get0_der.3 +++ b/secure/lib/libcrypto/man/man3/X509_NAME_get0_der.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_NAME_GET0_DER 3ossl" -.TH X509_NAME_GET0_DER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_NAME_GET0_DER 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_NAME_get_index_by_NID.3 b/secure/lib/libcrypto/man/man3/X509_NAME_get_index_by_NID.3 index 0cda14055ff3..6b00b7d2a157 100644 --- a/secure/lib/libcrypto/man/man3/X509_NAME_get_index_by_NID.3 +++ b/secure/lib/libcrypto/man/man3/X509_NAME_get_index_by_NID.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_NAME_GET_INDEX_BY_NID 3ossl" -.TH X509_NAME_GET_INDEX_BY_NID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_NAME_GET_INDEX_BY_NID 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -91,7 +94,7 @@ and issuer names. \&\fBX509_NAME_get_index_by_NID()\fR and \fBX509_NAME_get_index_by_OBJ()\fR retrieve the next index matching \fBnid\fR or \fBobj\fR after \fBlastpos\fR. \fBlastpos\fR should initially be set to \-1. If there are no more entries \-1 is returned. -If \fBnid\fR is invalid (doesn't correspond to a valid OID) then \-2 is returned. +If \fBnid\fR is invalid (doesn\*(Aqt correspond to a valid OID) then \-2 is returned. .PP \&\fBX509_NAME_entry_count()\fR returns the total number of entries in \fBname\fR. .PP diff --git a/secure/lib/libcrypto/man/man3/X509_NAME_print_ex.3 b/secure/lib/libcrypto/man/man3/X509_NAME_print_ex.3 index 3dd987e2cbab..8eb93cb4bd59 100644 --- a/secure/lib/libcrypto/man/man3/X509_NAME_print_ex.3 +++ b/secure/lib/libcrypto/man/man3/X509_NAME_print_ex.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_NAME_PRINT_EX 3ossl" -.TH X509_NAME_PRINT_EX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_NAME_PRINT_EX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -85,10 +88,10 @@ output format can be extensively customised by use of the \fIflags\fR parameter. except the output is written to FILE pointer \fIfp\fR. .PP \&\fBX509_NAME_oneline()\fR prints an ASCII version of \fIa\fR to \fIbuf\fR. -This supports multi-valued RDNs and escapes \fB/\fR and \fB+\fR characters in values. +This supports multi\-valued RDNs and escapes \fB/\fR and \fB+\fR characters in values. If \fIbuf\fR is \fBNULL\fR then a buffer is dynamically allocated and returned, and \&\fIsize\fR is ignored. -Otherwise, at most \fIsize\fR bytes will be written, including the ending '\e0', +Otherwise, at most \fIsize\fR bytes will be written, including the ending \*(Aq\e0\*(Aq, and \fIbuf\fR is returned. .PP \&\fBX509_NAME_print()\fR prints out \fIname\fR to \fIbp\fR indenting each line by \fIobase\fR @@ -97,7 +100,7 @@ characters. Multiple lines are used if the output (including indent) exceeds .SH NOTES .IX Header "NOTES" The functions \fBX509_NAME_oneline()\fR and \fBX509_NAME_print()\fR -produce a non standard output form, they don't handle multi-character fields and +produce a non standard output form, they don\*(Aqt handle multi\-character fields and have various quirks and inconsistencies. Their use is strongly discouraged in new applications and they could be deprecated in a future release. 
@@ -116,8 +119,8 @@ The options \fBXN_FLAG_SEP_COMMA_PLUS\fR, \fBXN_FLAG_SEP_CPLUS_SPC\fR, \&\fBXN_FLAG_SEP_SPLUS_SPC\fR and \fBXN_FLAG_SEP_MULTILINE\fR determine the field separators to use. Two distinct separators are used between distinct RelativeDistinguishedName -components and separate values in the same RDN for a multi-valued RDN. -Multi-valued RDNs are currently very rare +components and separate values in the same RDN for a multi\-valued RDN. +Multi\-valued RDNs are currently very rare so the second separator will hardly ever be used. .PP \&\fBXN_FLAG_SEP_COMMA_PLUS\fR uses comma and plus as separators. @@ -134,7 +137,7 @@ use the short name (e.g. CN) the long name (e.g. commonName) always use OID numerical form (normally OIDs are only used if the field name is not recognised) and no field name respectively. .PP -If \fBXN_FLAG_SPC_EQ\fR is set then spaces will be placed around the '=' character +If \fBXN_FLAG_SPC_EQ\fR is set then spaces will be placed around the \*(Aq=\*(Aq character separating field names and values. .PP If \fBXN_FLAG_DUMP_UNKNOWN_FIELDS\fR is set then the encoding of unknown fields is diff --git a/secure/lib/libcrypto/man/man3/X509_PUBKEY_new.3 b/secure/lib/libcrypto/man/man3/X509_PUBKEY_new.3 index c219dd763e28..1f68f38e82b4 100644 --- a/secure/lib/libcrypto/man/man3/X509_PUBKEY_new.3 +++ b/secure/lib/libcrypto/man/man3/X509_PUBKEY_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_PUBKEY_NEW 3ossl" -.TH X509_PUBKEY_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_PUBKEY_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -155,18 +158,18 @@ similar to \fBd2i_PUBKEY()\fR and \fBi2d_PUBKEY()\fR except they decode or encod \&\fBd2i_PUBKEY_ex_bio()\fR and \fBd2i_PUBKEY_ex_fp()\fR are similar to \fBd2i_PUBKEY_ex()\fR except they decode using a \fBBIO\fR or \fBFILE\fR pointer. .PP -\&\fBX509_PUBKEY_set0_public_key()\fR sets the public-key encoding of \fIpub\fR +\&\fBX509_PUBKEY_set0_public_key()\fR sets the public\-key encoding of \fIpub\fR to the \fIpenclen\fR bytes contained in buffer \fIpenc\fR. -Any earlier public-key encoding in \fIpub\fR is freed. +Any earlier public\-key encoding in \fIpub\fR is freed. \&\fIpenc\fR may be NULL to indicate that there is no actual public key data. Ownership of the \fIpenc\fR argument is passed to \fIpub\fR. .PP -\&\fBX509_PUBKEY_set0_param()\fR sets the public-key parameters of \fIpub\fR. +\&\fBX509_PUBKEY_set0_param()\fR sets the public\-key parameters of \fIpub\fR. The OID associated with the algorithm is set to \fIaobj\fR. The type of the algorithm parameters is set to \fItype\fR using the structure \fIpval\fR. If \fIpenc\fR is not NULL the encoding of the public key itself is set to the \fIpenclen\fR bytes contained in buffer \fIpenc\fR and -any earlier public-key encoding in \fIpub\fR is freed. +any earlier public\-key encoding in \fIpub\fR is freed. On success ownership of all the supplied arguments is passed to \fIpub\fR so they must not be freed after the call. .PP 
diff --git a/secure/lib/libcrypto/man/man3/X509_REQ_get_attr.3 b/secure/lib/libcrypto/man/man3/X509_REQ_get_attr.3 index 38684e536f07..c4dd9c3c1ad0 100644 --- a/secure/lib/libcrypto/man/man3/X509_REQ_get_attr.3 +++ b/secure/lib/libcrypto/man/man3/X509_REQ_get_attr.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_REQ_GET_ATTR 3ossl" -.TH X509_REQ_GET_ATTR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_REQ_GET_ATTR 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -110,13 +113,13 @@ See <openssl/obj_mac.h> for a list of NID_*. the \fIreq\fR objects list of attributes. An error occurs if \fIreq\fR is NULL. .PP \&\fBX509_REQ_add1_attr()\fR pushes a copy of the passed in \fBX509_ATTRIBUTE\fR \fRattr> -to the \fIreq\fR object's attribute list. An error will occur if either the +to the \fIreq\fR object\*(Aqs attribute list. An error will occur if either the attribute list is NULL or the attribute already exists. .PP \&\fBX509_REQ_add1_attr_by_OBJ()\fR creates a new \fBX509_ATTRIBUTE\fR using \&\fBX509_ATTRIBUTE_set1_object()\fR and \fBX509_ATTRIBUTE_set1_data()\fR to assign a new \&\fIobj\fR with type \fItype\fR and data \fIbytes\fR of length \fIlen\fR and then pushes it -to the \fIreq\fR object's attribute list. \fIreq\fR must be non NULL or an error +to the \fIreq\fR object\*(Aqs attribute list. \fIreq\fR must be non NULL or an error will occur. If \fIobj\fR already exists in the attribute list then an error occurs. .PP \&\fBX509_REQ_add1_attr_by_NID()\fR is similar to \fBX509_REQ_add1_attr_by_OBJ()\fR except @@ -133,7 +136,7 @@ Refer to \fBX509_ATTRIBUTE\fR\|(3) for information related to attributes. \&\fBX509_REQ_get_attr_count()\fR returns the number of attributes in the \fIreq\fR object attribute list or \-1 if the attribute list is NULL. .PP -\&\fBX509_REQ_get_attr_by_OBJ()\fR returns \-1 if either the \fIreq\fR object's attribute +\&\fBX509_REQ_get_attr_by_OBJ()\fR returns \-1 if either the \fIreq\fR object\*(Aqs attribute list is empty OR \fIobj\fR is not found, otherwise it returns the location of the \&\fIobj\fR in the attribute list. .PP diff --git a/secure/lib/libcrypto/man/man3/X509_REQ_get_extensions.3 b/secure/lib/libcrypto/man/man3/X509_REQ_get_extensions.3 index acaec721998a..dd74389ac105 100644 --- a/secure/lib/libcrypto/man/man3/X509_REQ_get_extensions.3 +++ b/secure/lib/libcrypto/man/man3/X509_REQ_get_extensions.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_REQ_GET_EXTENSIONS 3ossl" -.TH X509_REQ_GET_EXTENSIONS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_REQ_GET_EXTENSIONS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -86,7 +89,7 @@ using \fInid\fR to identify the extensions attribute. \&\fIreq\fR is unchanged if \fIexts\fR is NULL or an empty list. This function may be called more than once on the same \fIreq\fR and \fInid\fR. In such case any previous extensions are augmented, where an extension to be -added that has the same OID as a pre-existing one replaces this earlier one. +added that has the same OID as a pre\-existing one replaces this earlier one. .PP \&\fBX509_REQ_add_extensions()\fR is like \fBX509_REQ_add_extensions_nid()\fR except that the default \fBNID_ext_req\fR is used. diff --git a/secure/lib/libcrypto/man/man3/X509_SIG_get0.3 b/secure/lib/libcrypto/man/man3/X509_SIG_get0.3 index 5d3b63ab1b04..c3bfa057d0be 100644 --- a/secure/lib/libcrypto/man/man3/X509_SIG_get0.3 +++ b/secure/lib/libcrypto/man/man3/X509_SIG_get0.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_SIG_GET0 3ossl" -.TH X509_SIG_GET0 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_SIG_GET0 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_by_subject.3 b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_by_subject.3 index ff07ebdc5acf..531f14ab87f6 100644 --- a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_by_subject.3 +++ b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_by_subject.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_STORE_CTX_GET_BY_SUBJECT 3ossl" -.TH X509_STORE_CTX_GET_BY_SUBJECT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_STORE_CTX_GET_BY_SUBJECT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_error.3 b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_error.3 index d05578b71283..dca387f436e6 100644 --- a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_error.3 +++ b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_error.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_STORE_CTX_GET_ERROR 3ossl" -.TH X509_STORE_CTX_GET_ERROR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_STORE_CTX_GET_ERROR 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -167,17 +170,17 @@ Unspecified error; should not happen. .IX Item "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate" The issuer certificate of a locally looked up certificate could not be found. This normally means the list of trusted certificates is not complete. -To allow any certificate (not only a self-signed one) in the trust store +To allow any certificate (not only a self\-signed one) in the trust store to terminate the chain the \fBX509_V_FLAG_PARTIAL_CHAIN\fR flag may be set. .IP "\fBX509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL\fR" 4 .IX Item "X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL" The CRL of a certificate could not be found. -.IP "\fBX509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature\fR" 4 +.IP "\fBX509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate\*(Aqs signature\fR" 4 .IX Item "X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature" The certificate signature could not be decrypted. This means that the actual signature value could not be determined rather than it not matching the expected value, this is only meaningful for RSA keys. -.IP "\fBX509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature\fR" 4 +.IP "\fBX509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL\*(Aqs signature\fR" 4 .IX Item "X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature" The CRL signature could not be decrypted: this means that the actual signature value could not be determined rather than it not matching the expected value. 
@@ -206,29 +209,29 @@ The CRL is not yet valid. .IP "\fBX509_V_ERR_CRL_HAS_EXPIRED: CRL has expired\fR" 4 .IX Item "X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired" The CRL has expired. -.IP "\fBX509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field\fR" 4 +.IP "\fBX509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate\*(Aqs notBefore field\fR" 4 .IX Item "X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field" The certificate \f(CW\*(C`notBefore\*(C'\fR field contains an invalid time. -.IP "\fBX509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field\fR" 4 +.IP "\fBX509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate\*(Aqs notAfter field\fR" 4 .IX Item "X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field" The certificate \f(CW\*(C`notAfter\*(C'\fR field contains an invalid time. -.IP "\fBX509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field\fR" 4 +.IP "\fBX509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL\*(Aqs lastUpdate field\fR" 4 .IX Item "X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field" The CRL \fBlastUpdate\fR field contains an invalid time. -.IP "\fBX509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field\fR" 4 +.IP "\fBX509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL\*(Aqs nextUpdate field\fR" 4 .IX Item "X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field" The CRL \f(CW\*(C`nextUpdate\*(C'\fR field contains an invalid time. .IP "\fBX509_V_ERR_OUT_OF_MEM: out of memory\fR" 4 .IX Item "X509_V_ERR_OUT_OF_MEM: out of memory" An error occurred trying to allocate memory. 
-.IP "\fBX509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self-signed certificate\fR" 4 +.IP "\fBX509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self\-signed certificate\fR" 4 .IX Item "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self-signed certificate" -The passed certificate is self-signed and the same certificate cannot be found +The passed certificate is self\-signed and the same certificate cannot be found in the list of trusted certificates. -.IP "\fBX509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self-signed certificate in certificate chain\fR" 4 +.IP "\fBX509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self\-signed certificate in certificate chain\fR" 4 .IX Item "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self-signed certificate in certificate chain" The certificate chain could be built up using the untrusted certificates -but no suitable trust anchor (which typically is a self-signed root certificate) +but no suitable trust anchor (which typically is a self\-signed root certificate) could be found in the trust store. .IP "\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate\fR" 4 .IX Item "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate" 
@@ -237,19 +240,19 @@ of an untrusted certificate cannot be found. .IP "\fBX509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate\fR" 4 .IX Item "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate" No signatures could be verified because the chain contains only one certificate -and it is not self-signed and the \fBX509_V_FLAG_PARTIAL_CHAIN\fR flag is not set. +and it is not self\-signed and the \fBX509_V_FLAG_PARTIAL_CHAIN\fR flag is not set. .IP "\fBX509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long\fR" 4 .IX Item "X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long" The certificate chain length is greater than the supplied maximum depth. .IP "\fBX509_V_ERR_CERT_REVOKED: certificate revoked\fR" 4 .IX Item "X509_V_ERR_CERT_REVOKED: certificate revoked" The certificate has been revoked. -.IP "\fBX509_V_ERR_NO_ISSUER_PUBLIC_KEY: issuer certificate doesn't have a public key\fR" 4 +.IP "\fBX509_V_ERR_NO_ISSUER_PUBLIC_KEY: issuer certificate doesn\*(Aqt have a public key\fR" 4 .IX Item "X509_V_ERR_NO_ISSUER_PUBLIC_KEY: issuer certificate doesn't have a public key" The issuer certificate does not have a public key. .IP "\fBX509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded\fR" 4 .IX Item "X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded" -The basicConstraints path-length parameter has been exceeded. +The basicConstraints path\-length parameter has been exceeded. .IP "\fBX509_V_ERR_INVALID_PURPOSE: unsuitable certificate purpose\fR" 4 .IX Item "X509_V_ERR_INVALID_PURPOSE: unsuitable certificate purpose" The target certificate cannot be used for the specified purpose. 
@@ -289,9 +292,9 @@ Key usage does not include CRL signing. .IP "\fBX509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: unhandled critical CRL extension\fR" 4 .IX Item "X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: unhandled critical CRL extension" Unhandled critical CRL extension. -.IP "\fBX509_V_ERR_INVALID_NON_CA: invalid non-CA certificate (has CA markings)\fR" 4 +.IP "\fBX509_V_ERR_INVALID_NON_CA: invalid non\-CA certificate (has CA markings)\fR" 4 .IX Item "X509_V_ERR_INVALID_NON_CA: invalid non-CA certificate (has CA markings)" -Invalid non-CA certificate has CA markings. +Invalid non\-CA certificate has CA markings. .IP "\fBX509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: proxy path length constraint exceeded\fR" 4 .IX Item "X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: proxy path length constraint exceeded" Proxy path length constraint exceeded. @@ -322,7 +325,7 @@ The only CRLs that could be found did not match the scope of the certificate. .IP "\fBX509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: unsupported extension feature\fR" 4 .IX Item "X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: unsupported extension feature" Some feature of a certificate extension is not supported. Unused. -.IP "\fBX509_V_ERR_UNNESTED_RESOURCE: RFC 3779 resource not subset of parent's resources\fR" 4 +.IP "\fBX509_V_ERR_UNNESTED_RESOURCE: RFC 3779 resource not subset of parent\*(Aqs resources\fR" 4 .IX Item "X509_V_ERR_UNNESTED_RESOURCE: RFC 3779 resource not subset of parent's resources" See RFC 3779 for details. .IP "\fBX509_V_ERR_PERMITTED_VIOLATION: permitted subtree violation\fR" 4 
@@ -408,8 +411,8 @@ recognized by the OCSP responder. Cannot find certificate signature algorithm. .IP "\fBX509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH: subject signature algorithm and issuer public key algorithm mismatch\fR" 4 .IX Item "X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH: subject signature algorithm and issuer public key algorithm mismatch" -The issuer's public key is not of the type required by the signature in -the subject's certificate. +The issuer\*(Aqs public key is not of the type required by the signature in +the subject\*(Aqs certificate. .IP "\fBX509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY: cert info signature and signature algorithm mismatch\fR" 4 .IX Item "X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY: cert info signature and signature algorithm mismatch" The algorithm given in the certificate info is inconsistent diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_new.3 b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_new.3 index 17bedd104014..25567de49455 100644 --- a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_new.3 +++ b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_STORE_CTX_NEW 3ossl" -.TH X509_STORE_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_STORE_CTX_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -186,14 +189,14 @@ The target certificate is not copied (its reference count is not updated), and the caller must not free it before verification is complete. .PP \&\fBX509_STORE_CTX_set0_rpk()\fR sets the target raw public key to be verified in \fIctx\fR -to \fItarget\fR, a non-NULL raw public key preempts any target certificate, which +to \fItarget\fR, a non\-NULL raw public key preempts any target certificate, which is then ignored. The \fItarget\fR public key is not copied (its reference count is not updated), and the caller must not free it before verification is complete. .PP \&\fBX509_STORE_CTX_set0_verified_chain()\fR sets the validated chain to \fIchain\fR. Ownership of the chain is transferred to \fIctx\fR, -and so it should not be free'd by the caller. +and so it should not be free\*(Aqd by the caller. .PP \&\fBX509_STORE_CTX_get0_chain()\fR returns the internal pointer used by the \&\fIctx\fR that contains the constructed (output) chain. @@ -236,14 +239,14 @@ Details of the chain building and checking process are described in \&\fBX509_STORE_CTX_set0_verified_chain()\fR sets the validated chain used by \fIctx\fR to be \fIchain\fR. Ownership of the chain is transferred to \fIctx\fR, -and so it should not be free'd by the caller. +and so it should not be free\*(Aqd by the caller. .PP \&\fBX509_STORE_CTX_set_default()\fR looks up and sets the default verification method. This uses the function \fBX509_VERIFY_PARAM_lookup()\fR to find the set of parameters associated with the given verification method \fIname\fR. Among others, the parameters determine the trust model and verification purpose. More detail, including the list of currently predefined methods, -is described for the \fB\-verify_name\fR command-line option +is described for the \fB\-verify_name\fR command\-line option in "Verification Options" in \fBopenssl\-verification\-options\fR\|(1). .PP \&\fBX509_STORE_CTX_set_verify()\fR provides the capability for overriding the default 
@@ -279,7 +282,7 @@ custom "purpose" (see below) or supply a nondefault verification callback (\fBX509_STORE_set_verify_cb_func\fR\|(3)). .PP \&\fBX509_STORE_CTX_set_purpose()\fR sets the purpose for the target certificate being -verified in the \fIctx\fR. Built-in available values for the \fIpurpose\fR argument +verified in the \fIctx\fR. Built\-in available values for the \fIpurpose\fR argument are \fBX509_PURPOSE_SSL_CLIENT\fR, \fBX509_PURPOSE_SSL_SERVER\fR, \&\fBX509_PURPOSE_NS_SSL_SERVER\fR, \fBX509_PURPOSE_SMIME_SIGN\fR, \&\fBX509_PURPOSE_SMIME_ENCRYPT\fR, \fBX509_PURPOSE_CRL_SIGN\fR, \fBX509_PURPOSE_ANY\fR, @@ -297,7 +300,7 @@ to check whether it is consistent with the trust set by the system administrator for certificates in the chain. .PP \&\fBX509_STORE_CTX_set_trust()\fR sets the trust value for the target certificate -being verified in the \fIctx\fR. Built-in available values for the \fItrust\fR +being verified in the \fIctx\fR. Built\-in available values for the \fItrust\fR argument are \fBX509_TRUST_COMPAT\fR, \fBX509_TRUST_SSL_CLIENT\fR, \&\fBX509_TRUST_SSL_SERVER\fR, \fBX509_TRUST_EMAIL\fR, \fBX509_TRUST_OBJECT_SIGN\fR, \&\fBX509_TRUST_OCSP_SIGN\fR, \fBX509_TRUST_OCSP_REQUEST\fR and \fBX509_TRUST_TSA\fR. It is diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_set_verify_cb.3 b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_set_verify_cb.3 index 940fe076ffb5..b4cbaee399cd 100644 --- a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_set_verify_cb.3 +++ b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_set_verify_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_STORE_CTX_SET_VERIFY_CB 3ossl" -.TH X509_STORE_CTX_SET_VERIFY_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_STORE_CTX_SET_VERIFY_CB 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -201,7 +204,7 @@ to continue after this error: \& } .Ve .PP -More complex example, we don't wish to continue after \fBany\fR certificate has +More complex example, we don\*(Aqt wish to continue after \fBany\fR certificate has expired just one specific case: .PP .Vb 4 diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_add_cert.3 b/secure/lib/libcrypto/man/man3/X509_STORE_add_cert.3 index 89a38feb6694..b3a537e4f9bc 100644 --- a/secure/lib/libcrypto/man/man3/X509_STORE_add_cert.3 +++ b/secure/lib/libcrypto/man/man3/X509_STORE_add_cert.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_STORE_ADD_CERT 3ossl" -.TH X509_STORE_ADD_CERT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_STORE_ADD_CERT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -125,10 +128,10 @@ via mechanisms such as \fBX509_STORE_add_lookup()\fR and \fBX509_LOOKUP_file()\f and many behaviors configured as desired. .PP Once the \fBX509_STORE\fR is suitably configured, \fBX509_STORE_CTX_new()\fR is -used to instantiate a single-use \fBX509_STORE_CTX\fR for each chain-building -and verification operation. That process includes providing the end-entity +used to instantiate a single\-use \fBX509_STORE_CTX\fR for each chain\-building +and verification operation. That process includes providing the end\-entity certificate to be verified and an additional set of untrusted certificates -that may be used in chain-building. As such, it is expected that the +that may be used in chain\-building. As such, it is expected that the certificates included in the \fBX509_STORE\fR are certificates that represent trusted entities such as root certificate authorities (CAs). OpenSSL represents these trusted certificates internally as \fBX509\fR objects @@ -138,8 +141,8 @@ The public interfaces that operate on such trusted certificates still operate on pointers to \fBX509\fR objects, though. .PP \&\fBX509_STORE_add_cert()\fR and \fBX509_STORE_add_crl()\fR add the respective object -to the \fBX509_STORE\fR's local storage. Untrusted objects should not be -added in this way. The added object's reference count is incremented by one, +to the \fBX509_STORE\fR\*(Aqs local storage. Untrusted objects should not be +added in this way. The added object\*(Aqs reference count is incremented by one, hence the caller retains ownership of the object and needs to free it when it is no longer needed. .PP diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_get0_param.3 b/secure/lib/libcrypto/man/man3/X509_STORE_get0_param.3 index 9c8b5c9b1a5e..f55cd492b240 100644 --- a/secure/lib/libcrypto/man/man3/X509_STORE_get0_param.3 +++ b/secure/lib/libcrypto/man/man3/X509_STORE_get0_param.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_STORE_GET0_PARAM 3ossl" -.TH X509_STORE_GET0_PARAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_STORE_GET0_PARAM 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -83,18 +86,20 @@ X509_STORE_get1_objects, X509_STORE_get0_objects, X509_STORE_get1_all_certs parameters for \fIxs\fR. The returned pointer must not be freed by the calling application .PP -\&\fBX509_STORE_get1_objects()\fR returns a snapshot of all objects in the store's X509 -cache. The cache contains \fBX509\fR and \fBX509_CRL\fR objects. The caller is -responsible for freeing the returned list. +\&\fBX509_STORE_get1_objects()\fR returns a snapshot of all objects in the store\*(Aqs X509 +cache. The cache contains \fBX509\fR and \fBX509_CRL\fR objects. The caller +is responsible for freeing the returned list, +using sk_X509_OBJECT_pop_free(sk, X509_OBJECT_free). .PP -\&\fBX509_STORE_get0_objects()\fR retrieves an internal pointer to the store's +\&\fBX509_STORE_get0_objects()\fR retrieves an internal pointer to the store\*(Aqs X509 object cache. The cache contains \fBX509\fR and \fBX509_CRL\fR objects. The returned pointer must not be freed by the calling application. If the store is shared across multiple threads, it is not safe to use the result of this function. Use \fBX509_STORE_get1_objects()\fR instead, which avoids this problem. .PP \&\fBX509_STORE_get1_all_certs()\fR returns a list of all certificates in the store. -The caller is responsible for freeing the returned list. +The caller is responsible for freeing the returned list +with \fBOSSL_STACK_OF_X509_free()\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBX509_STORE_get0_param()\fR returns a pointer to an @@ -111,6 +116,7 @@ objects on success, else NULL. certificates on success, else NULL. .SH "SEE ALSO" .IX Header "SEE ALSO" +\&\fBDEFINE_STACK_OF\fR\|(3), \&\fBX509_STORE_new\fR\|(3) .SH HISTORY .IX Header "HISTORY" diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_new.3 b/secure/lib/libcrypto/man/man3/X509_STORE_new.3 index 622418fd24dc..cf7965c8004b 100644 --- a/secure/lib/libcrypto/man/man3/X509_STORE_new.3 +++ b/secure/lib/libcrypto/man/man3/X509_STORE_new.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_STORE_NEW 3ossl" -.TH X509_STORE_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_STORE_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_set_verify_cb_func.3 b/secure/lib/libcrypto/man/man3/X509_STORE_set_verify_cb_func.3 index 08f6a6503ec7..a2e03b98389d 100644 --- a/secure/lib/libcrypto/man/man3/X509_STORE_set_verify_cb_func.3 +++ b/secure/lib/libcrypto/man/man3/X509_STORE_set_verify_cb_func.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_STORE_SET_VERIFY_CB_FUNC 3ossl" -.TH X509_STORE_SET_VERIFY_CB_FUNC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_STORE_SET_VERIFY_CB_FUNC 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -191,7 +194,7 @@ please see \fBX509_STORE_CTX_set_verify_cb\fR\|(3) for further information. \&\fIxs\fR to \fIverify\fR. Its purpose is to go through the chain of certificates and check that all signatures are valid and that the current time is within the -limits of each certificate's first and last validity time. +limits of each certificate\*(Aqs first and last validity time. The final chain verification functions must return 0 on failure and 1 on success. \&\fIIf no chain verification function is provided, the internal default @@ -207,7 +210,7 @@ Note that this search does not support backtracking. .PP \&\fBX509_STORE_set_get_issuer()\fR sets the function \fIget_issuer\fR that is used to get the "best" candidate issuer certificate of the given certificate \fIx\fR. -When such a certificate is found, \fIget_issuer\fR must up-ref and assign it +When such a certificate is found, \fIget_issuer\fR must up\-ref and assign it to \fI*issuer\fR and then return 1. Otherwise \fIget_issuer\fR must return 0 if not found and \-1 (or 0) on failure. If \fBX509_STORE_set_get_issuer()\fR is not used or \fIget_issuer\fR is NULL @@ -215,7 +218,7 @@ then \fBX509_STORE_CTX_get1_issuer()\fR is used as the default implementation. .PP \&\fBX509_STORE_set_check_issued()\fR sets the function to check that a given certificate \fIx\fR is issued by the issuer certificate \fIissuer\fR. -This function must return 0 on failure (among others if \fIx\fR hasn't +This function must return 0 on failure (among others if \fIx\fR hasn\*(Aqt been issued with \fIissuer\fR) and 1 on success. \&\fIIf no function to get the issuer is provided, the internal default function will be used instead.\fR 
@@ -264,7 +267,7 @@ function will be used instead.\fR .PP \&\fBX509_STORE_set_cleanup()\fR sets the final cleanup function, which is called when the context (\fBX509_STORE_CTX\fR) is being torn down. -This function doesn't return any value. +This function doesn\*(Aqt return any value. \&\fIIf no function to get the issuer is provided, the internal default function will be used instead.\fR .PP diff --git a/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3 b/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3 index 6b0b700431e0..ff7b5b26c1ea 100644 --- a/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3 +++ b/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_VERIFY_PARAM_SET_FLAGS 3ossl" -.TH X509_VERIFY_PARAM_SET_FLAGS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_VERIFY_PARAM_SET_FLAGS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -174,11 +177,11 @@ an existing policy set. That is the maximum number of intermediate CA certificates that can appear in a chain. A maximal depth chain contains 2 more certificates than the limit, since -neither the end-entity certificate nor the trust-anchor count against this +neither the end\-entity certificate nor the trust\-anchor count against this limit. -Thus a \fBdepth\fR limit of 0 only allows the end-entity certificate to be signed +Thus a \fBdepth\fR limit of 0 only allows the end\-entity certificate to be signed directly by the trust anchor, while with a \fBdepth\fR limit of 1 there can be one -intermediate CA certificate between the trust anchor and the end-entity +intermediate CA certificate between the trust anchor and the end\-entity certificate. .PP \&\fBX509_VERIFY_PARAM_set_auth_level()\fR sets the authentication security level to @@ -187,7 +190,7 @@ The authentication security level determines the acceptable signature and public key strength when verifying certificate chains. For a certificate chain to validate, the public keys of all the certificates must meet the specified security level. -The signature algorithm security level is not enforced for the chain's \fItrust +The signature algorithm security level is not enforced for the chain\*(Aqs \fItrust anchor\fR certificate, which is either directly trusted or validated by means other than its signature. See \fBSSL_CTX_set_security_level\fR\|(3) for the definitions of the available @@ -207,7 +210,7 @@ pointer is returned. \&\fBname\fR clearing any previously specified hostname. If \&\fBname\fR is NULL, or empty the list of hostnames is cleared, and name checks are not performed on the peer certificate. If \fBname\fR -is NUL-terminated, \fBnamelen\fR may be zero, otherwise \fBnamelen\fR +is NUL\-terminated, \fBnamelen\fR may be zero, otherwise \fBnamelen\fR must be set to the length of \fBname\fR. .PP When a hostname is specified, 
@@ -236,7 +239,7 @@ flag takes precedence over the \fBX509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT\fR flag. call to \fBX509_VERIFY_PARAM_set_hostflags()\fR. .PP \&\fBX509_VERIFY_PARAM_add1_host()\fR adds \fBname\fR as an additional reference -identifier that can match the peer's certificate. Any previous names +identifier that can match the peer\*(Aqs certificate. Any previous names set via \fBX509_VERIFY_PARAM_set1_host()\fR or \fBX509_VERIFY_PARAM_add1_host()\fR are retained, no change is made if \fBname\fR is NULL or empty. When multiple names are configured, the peer is considered verified when @@ -247,7 +250,7 @@ CommonName from the peer certificate that matched one of the reference identifiers. When wildcard matching is not disabled, or when a reference identifier specifies a parent domain (starts with ".") rather than a hostname, the peer name may be a wildcard name or a -sub-domain of the reference identifier respectively. The return +sub\-domain of the reference identifier respectively. The return string is allocated by the library and is no longer valid once the associated \fBparam\fR argument is freed. Applications must not free the return value. @@ -255,7 +258,7 @@ the return value. \&\fBX509_VERIFY_PARAM_get0_email()\fR returns the expected RFC822 email address. .PP \&\fBX509_VERIFY_PARAM_set1_email()\fR sets the expected RFC822 email address to -\&\fBemail\fR. If \fBemail\fR is NUL-terminated, \fBemaillen\fR may be zero, otherwise +\&\fBemail\fR. If \fBemail\fR is NUL\-terminated, \fBemaillen\fR may be zero, otherwise \&\fBemaillen\fR must be set to the length of \fBemail\fR. When an email address is specified, certificate verification automatically invokes \&\fBX509_check_email\fR\|(3). 
@@ -264,14 +267,14 @@ is specified, certificate verification automatically invokes The caller is responsible for freeing it. .PP \&\fBX509_VERIFY_PARAM_set1_ip()\fR sets the expected IP address to \fBip\fR. -The \fBip\fR argument is in binary format, in network byte-order and +The \fBip\fR argument is in binary format, in network byte\-order and \&\fBiplen\fR must be set to 4 for IPv4 and 16 for IPv6. When an IP address is specified, certificate verification automatically invokes \&\fBX509_check_ip\fR\|(3). .PP \&\fBX509_VERIFY_PARAM_set1_ip_asc()\fR sets the expected IP address to -\&\fBipasc\fR. The \fBipasc\fR argument is a NUL-terminal ASCII string: -dotted decimal quad for IPv4 and colon-separated hexadecimal for +\&\fBipasc\fR. The \fBipasc\fR argument is a NUL\-terminal ASCII string: +dotted decimal quad for IPv4 and colon\-separated hexadecimal for IPv6. The condensed "::" notation is supported for IPv6 addresses. .SH "RETURN VALUES" .IX Header "RETURN VALUES" 
@@ -350,12 +353,12 @@ If \fBX509_V_FLAG_USE_DELTAS\fR is set delta CRLs (if present) are used to determine certificate status. If not set deltas are ignored. .PP \&\fBX509_V_FLAG_CHECK_SS_SIGNATURE\fR requests checking the signature of -the last certificate in a chain if the certificate is supposedly self-signed. -This is prohibited and will result in an error if it is a non-conforming CA +the last certificate in a chain if the certificate is supposedly self\-signed. +This is prohibited and will result in an error if it is a non\-conforming CA certificate with key usage restrictions not including the \fIkeyCertSign\fR bit. -By default this check is disabled because it doesn't +By default this check is disabled because it doesn\*(Aqt add any additional security but in some cases applications might want to -check the signature anyway. A side effect of not checking the self-signature +check the signature anyway. A side effect of not checking the self\-signature of such a certificate is that disabled or unsupported message digests used for the signature are not treated as fatal errors. .PP 
@@ -378,15 +381,15 @@ found that is trusted. As of OpenSSL 1.1.0, with \fBX509_V_FLAG_TRUSTED_FIRST\fR always set, this option has no effect. .PP -The \fBX509_V_FLAG_PARTIAL_CHAIN\fR flag causes non-self-signed certificates in the -trust store to be treated as trust anchors, in the same way as self-signed +The \fBX509_V_FLAG_PARTIAL_CHAIN\fR flag causes non\-self\-signed certificates in the +trust store to be treated as trust anchors, in the same way as self\-signed root CA certificates. -This makes it possible to trust self-issued certificates as well as certificates +This makes it possible to trust self\-issued certificates as well as certificates issued by an intermediate CA without having to trust their ancestor root CA. With OpenSSL 1.1.0 and later and \fBX509_V_FLAG_PARTIAL_CHAIN\fR set, chain construction stops as soon as the first certificate contained in the trust store -is added to the chain, whether that certificate is a self-signed "root" -certificate or a not self-signed "intermediate" or self-issued certificate. +is added to the chain, whether that certificate is a self\-signed "root" +certificate or a not self\-signed "intermediate" or self\-issued certificate. Thus, when an intermediate certificate is found in the trust store, the verified chain passed to callbacks may be shorter than it otherwise would be without the \fBX509_V_FLAG_PARTIAL_CHAIN\fR flag. diff --git a/secure/lib/libcrypto/man/man3/X509_add_cert.3 b/secure/lib/libcrypto/man/man3/X509_add_cert.3 index 67d3fe572ff3..0bb42b5950d6 100644 --- a/secure/lib/libcrypto/man/man3/X509_add_cert.3 +++ b/secure/lib/libcrypto/man/man3/X509_add_cert.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_ADD_CERT 3ossl" -.TH X509_ADD_CERT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_ADD_CERT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -98,7 +101,7 @@ In both cases the original order of the added certificates is preserved. If \fBX509_ADD_FLAG_NO_DUP\fR is set then certificates already contained in \fIsk\fR, which is determined using \fBX509_cmp\fR\|(3), are ignored. .PP -If \fBX509_ADD_FLAG_NO_SS\fR is set then certificates that are marked self-signed, +If \fBX509_ADD_FLAG_NO_SS\fR is set then certificates that are marked self\-signed, which is determined using \fBX509_self_signed\fR\|(3), are ignored. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/X509_check_ca.3 b/secure/lib/libcrypto/man/man3/X509_check_ca.3 index cf40df71f6af..64b44129e591 100644 --- a/secure/lib/libcrypto/man/man3/X509_check_ca.3 +++ b/secure/lib/libcrypto/man/man3/X509_check_ca.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_CHECK_CA 3ossl" -.TH X509_CHECK_CA 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_CHECK_CA 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -78,7 +81,7 @@ otherwise an error is returned. .IX Header "RETURN VALUES" Function return 0, if it is not CA certificate, 1 if it is proper X509v3 CA certificate with \fBbasicConstraints\fR extension CA:TRUE, -3, if it is self-signed X509 v1 certificate, 4, if it is certificate with +3, if it is self\-signed X509 v1 certificate, 4, if it is certificate with \&\fBkeyUsage\fR extension with bit \fBkeyCertSign\fR set, but without \&\fBbasicConstraints\fR, and 5 if it has outdated Netscape Certificate Type extension telling that it is CA certificate. diff --git a/secure/lib/libcrypto/man/man3/X509_check_host.3 b/secure/lib/libcrypto/man/man3/X509_check_host.3 index 15dcedbdf41d..7b71a5d5adea 100644 --- a/secure/lib/libcrypto/man/man3/X509_check_host.3 +++ b/secure/lib/libcrypto/man/man3/X509_check_host.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_CHECK_HOST 3ossl" -.TH X509_CHECK_HOST 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_CHECK_HOST 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -86,7 +89,7 @@ other means. Name (SAN) or Subject CommonName (CN) matches the specified hostname, which must be encoded in the preferred name syntax described in section 3.5 of RFC 1034. By default, wildcards are supported -and they match only in the left-most label; but they may match +and they match only in the left\-most label; but they may match part of that label with an explicit prefix or suffix. For example, by default, the host \fBname\fR "www.example.com" would match a certificate with a SAN or CN value of "*.example.com", "w*.example.com" @@ -97,7 +100,7 @@ domain names must be given in A\-label form. The \fBnamelen\fR argument must be the number of characters in the name string or zero in which case the length is calculated with strlen(\fBname\fR). When \fBname\fR starts with a dot (e.g. ".example.com"), it will be matched by a certificate -valid for any sub-domain of \fBname\fR, (see also +valid for any sub\-domain of \fBname\fR, (see also \&\fBX509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS\fR below). .PP When the certificate is matched, and \fBpeername\fR is not NULL, a 
@@ -124,7 +127,7 @@ explicitly marked addresses in the certificates are considered; IP addresses stored in DNS names and Common Names are ignored. There are currently no \fBflags\fR that would affect the behavior of this call. .PP -\&\fBX509_check_ip_asc()\fR is similar, except that the NUL-terminated +\&\fBX509_check_ip_asc()\fR is similar, except that the NUL\-terminated string \fBaddress\fR is first converted to the internal representation. .PP The \fBflags\fR argument is usually 0. It can be the bitwise OR of the @@ -172,8 +175,8 @@ to match more than one label in \fBname\fR; this flag only applies to \fBX509_check_host\fR. .PP If set, \fBX509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS\fR restricts \fBname\fR -values which start with ".", that would otherwise match any sub-domain -in the peer certificate, to only match direct child sub-domains. +values which start with ".", that would otherwise match any sub\-domain +in the peer certificate, to only match direct child sub\-domains. Thus, for instance, with this flag set a \fBname\fR of ".example.com" would match a peer certificate with a DNS name of "www.example.com", but would not match a peer certificate with a DNS name of diff --git a/secure/lib/libcrypto/man/man3/X509_check_issued.3 b/secure/lib/libcrypto/man/man3/X509_check_issued.3 index 0fb944ec85b8..68ee189c7cd3 100644 --- a/secure/lib/libcrypto/man/man3/X509_check_issued.3 +++ b/secure/lib/libcrypto/man/man3/X509_check_issued.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_CHECK_ISSUED 3ossl" -.TH X509_CHECK_ISSUED 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_CHECK_ISSUED 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -75,7 +78,7 @@ certificate \&\fBX509_check_issued()\fR checks if certificate \fIsubject\fR was apparently issued using (CA) certificate \fIissuer\fR. This function takes into account not only matching of the issuer field of \fIsubject\fR with the subject field of \fIissuer\fR, -but also compares all sub-fields of the \fBauthorityKeyIdentifier\fR extension of +but also compares all sub\-fields of the \fBauthorityKeyIdentifier\fR extension of \&\fIsubject\fR, as far as present, with the respective \fBsubjectKeyIdentifier\fR, serial number, and issuer fields of \fIissuer\fR, as far as present. It also checks if the \fBkeyUsage\fR field (if present) of \fIissuer\fR allows certificate signing. diff --git a/secure/lib/libcrypto/man/man3/X509_check_private_key.3 b/secure/lib/libcrypto/man/man3/X509_check_private_key.3 index 1458f2a66eae..2c9f2e29325d 100644 --- a/secure/lib/libcrypto/man/man3/X509_check_private_key.3 +++ b/secure/lib/libcrypto/man/man3/X509_check_private_key.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_CHECK_PRIVATE_KEY 3ossl" -.TH X509_CHECK_PRIVATE_KEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_CHECK_PRIVATE_KEY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_check_purpose.3 b/secure/lib/libcrypto/man/man3/X509_check_purpose.3 index 193d5201d54e..bfb18a2c6715 100644 --- a/secure/lib/libcrypto/man/man3/X509_check_purpose.3 +++ b/secure/lib/libcrypto/man/man3/X509_check_purpose.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_CHECK_PURPOSE 3ossl" -.TH X509_CHECK_PURPOSE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_CHECK_PURPOSE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -101,11 +104,11 @@ X509_PURPOSE_set \- functions related to checking the purpose of a certificate .IX Header "DESCRIPTION" \&\fBX509_check_purpose()\fR checks if certificate \fIx\fR was created with the purpose represented by \fIid\fR. If \fIca\fR is nonzero, then certificate \fIx\fR is -checked to determine if it's a possible CA with various levels of certainty +checked to determine if it\*(Aqs a possible CA with various levels of certainty possibly returned. The certificate \fIx\fR must be a complete certificate otherwise the function returns an error. .PP -Below are the potential ID's that can be checked: +Below are the potential ID\*(Aqs that can be checked: .PP .Vb 10 \& # define X509_PURPOSE_SSL_CLIENT 1 @@ -144,7 +147,7 @@ the purpose (long) name \fIname\fR, the short name \fIsname\fR, the purpose chec function \fIck\fR of type \fBint (*) (const X509_PURPOSE *, const X509 *, int)\fR, and its user data \fIarg\fR which may be retrieved via the \fBX509_PURPOSE\fR pointer. .PP -\&\fBX509_PURPOSE_cleanup()\fR removes all purposes that are not pre-defined. +\&\fBX509_PURPOSE_cleanup()\fR removes all purposes that are not pre\-defined. .PP \&\fBX509_PURPOSE_get0()\fR returns an \fBX509_PURPOSE\fR pointer or NULL on error. .PP @@ -162,7 +165,7 @@ This resets to the any purpose if \fIpurpose\fR is \fBX509_PURPOSE_DEFAULT_ANY\f .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBX509_check_purpose()\fR returns the following values. -For non-CA checks +For non\-CA checks .IP "\-1 an error condition has occurred" 4 .IX Item "-1 an error condition has occurred" .PD 0 
@@ -217,7 +220,7 @@ int \fBX509_PURPOSE_add()\fR returns 1 on success, 0 on error. \&\fBX509_PURPOSE_set()\fR returns 1 on success, 0 on error. .SH BUGS .IX Header "BUGS" -The X509_PURPOSE implementation so far is not thread-safe. +The X509_PURPOSE implementation so far is not thread\-safe. There may be race conditions retrieving purpose information while \&\fBX509_PURPOSE_add()\fR or X509_PURPOSE_cleanup(void) is being called. .SH HISTORY diff --git a/secure/lib/libcrypto/man/man3/X509_cmp.3 b/secure/lib/libcrypto/man/man3/X509_cmp.3 index 70214dbad22f..785da0e78474 100644 --- a/secure/lib/libcrypto/man/man3/X509_cmp.3 +++ b/secure/lib/libcrypto/man/man3/X509_cmp.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_CMP 3ossl" -.TH X509_CMP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_CMP 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -94,7 +97,7 @@ canonical (DER) encoding values of the two objects using \fBi2d_X509_NAME\fR\|(3 This procedure adheres to the matching rules for Distinguished Names (DN) given in RFC 4517 section 4.2.15 and RFC 5280 section 7.1. In particular, the order of Relative Distinguished Names (RDNs) is relevant. -On the other hand, if an RDN is multi-valued, i.e., it contains a set of +On the other hand, if an RDN is multi\-valued, i.e., it contains a set of AttributeValueAssertions (AVAs), its members are effectively not ordered. .PP The \fBX509_issuer_and_serial_cmp()\fR function compares the serial number and issuer diff --git a/secure/lib/libcrypto/man/man3/X509_cmp_time.3 b/secure/lib/libcrypto/man/man3/X509_cmp_time.3 index e220223d2393..ff6930453618 100644 --- a/secure/lib/libcrypto/man/man3/X509_cmp_time.3 +++ b/secure/lib/libcrypto/man/man3/X509_cmp_time.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_CMP_TIME 3ossl" -.TH X509_CMP_TIME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_CMP_TIME 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_digest.3 b/secure/lib/libcrypto/man/man3/X509_digest.3 index 142f77fe84c7..c1aa12c9156f 100644 --- a/secure/lib/libcrypto/man/man3/X509_digest.3 +++ b/secure/lib/libcrypto/man/man3/X509_digest.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_DIGEST 3ossl" -.TH X509_DIGEST 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_DIGEST 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_dup.3 b/secure/lib/libcrypto/man/man3/X509_dup.3 index 9f1ccb64aa78..384676ee84e5 100644 --- a/secure/lib/libcrypto/man/man3/X509_dup.3 +++ b/secure/lib/libcrypto/man/man3/X509_dup.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_DUP 3ossl" -.TH X509_DUP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_DUP 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -534,7 +537,7 @@ see \fBopenssl_user_macros\fR\|(7): In the description below, \fR\f(BITYPE\fR\fB\fR is used as a placeholder for any of the OpenSSL datatypes, such as \fBX509\fR. .PP -The OpenSSL ASN1 parsing library templates are like a data-driven bytecode +The OpenSSL ASN1 parsing library templates are like a data\-driven bytecode interpreter. Every ASN1 object as a global variable, TYPE_it, that describes the item such as its fields. (On systems which cannot export variables from shared @@ -564,16 +567,16 @@ To avoid such situations, better use \fB\fR\f(BITYPE\fR\fB_up_ref\fR() if availa For the case of \fBX509\fR objects, an alternative to using \fBX509_up_ref\fR\|(3) may be to still call \fB\fR\f(BITYPE\fR\fB_dup\fR(), e.g., \fIcopied_cert = X509_dup(cert)\fR, followed by \fIX509_check_purpose(copied_cert, \-1, 0)\fR, -which re-builds the cached data. +which re\-builds the cached data. .PP -\&\fR\f(BITYPE\fR\fB_free\fR() releases the object and all pointers and sub-objects +\&\fR\f(BITYPE\fR\fB_free\fR() releases the object and all pointers and sub\-objects within it. If the argument is NULL, nothing is done. .PP \&\fR\f(BITYPE\fR\fB_print_ctx\fR() prints the object \fIa\fR on the specified BIO \fIout\fR. Each line will be prefixed with \fIindent\fR spaces. The \fIpctx\fR specifies the printing context and is for internal use; use NULL to get the default behavior. If a print function is -user-defined, then pass in any \fIpctx\fR down to any nested calls. +user\-defined, then pass in any \fIpctx\fR down to any nested calls. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fR\f(BITYPE\fR\fB_new\fR(), \fB\fR\f(BITYPE\fR\fB_new_ex\fR() and \fB\fR\f(BITYPE\fR\fB_dup\fR() return a pointer to diff --git a/secure/lib/libcrypto/man/man3/X509_get0_distinguishing_id.3 b/secure/lib/libcrypto/man/man3/X509_get0_distinguishing_id.3 index aa1c826af237..36c190912e96 100644 --- a/secure/lib/libcrypto/man/man3/X509_get0_distinguishing_id.3 
+++ b/secure/lib/libcrypto/man/man3/X509_get0_distinguishing_id.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_GET0_DISTINGUISHING_ID 3ossl" -.TH X509_GET0_DISTINGUISHING_ID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_GET0_DISTINGUISHING_ID 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_get0_notBefore.3 b/secure/lib/libcrypto/man/man3/X509_get0_notBefore.3 index 9cbe8977fc3a..20ea937a24a9 100644 --- a/secure/lib/libcrypto/man/man3/X509_get0_notBefore.3 +++ b/secure/lib/libcrypto/man/man3/X509_get0_notBefore.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_GET0_NOTBEFORE 3ossl" -.TH X509_GET0_NOTBEFORE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_GET0_NOTBEFORE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -102,7 +105,7 @@ the call. \fIx\fR \fBMUST NOT\fR be NULL. .PP \&\fBX509_getm_notBefore()\fR and \fBX509_getm_notAfter()\fR are similar to \&\fBX509_get0_notBefore()\fR and \fBX509_get0_notAfter()\fR except they return -non-constant mutable references to the associated date field of +non\-constant mutable references to the associated date field of the certificate. .PP \&\fBX509_set1_notBefore()\fR and \fBX509_set1_notAfter()\fR set the \fBnotBefore\fR diff --git a/secure/lib/libcrypto/man/man3/X509_get0_signature.3 b/secure/lib/libcrypto/man/man3/X509_get0_signature.3 index 222733a4dd60..feac1ee0687a 100644 --- a/secure/lib/libcrypto/man/man3/X509_get0_signature.3 +++ b/secure/lib/libcrypto/man/man3/X509_get0_signature.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_GET0_SIGNATURE 3ossl" -.TH X509_GET0_SIGNATURE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_GET0_SIGNATURE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_get0_uids.3 b/secure/lib/libcrypto/man/man3/X509_get0_uids.3 index 55bd709997f9..b5d1becc6029 100644 --- a/secure/lib/libcrypto/man/man3/X509_get0_uids.3 +++ b/secure/lib/libcrypto/man/man3/X509_get0_uids.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_GET0_UIDS 3ossl" -.TH X509_GET0_UIDS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_GET0_UIDS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_get_default_cert_file.3 b/secure/lib/libcrypto/man/man3/X509_get_default_cert_file.3 index 32740736cc47..84d3a7a40e99 100644 --- a/secure/lib/libcrypto/man/man3/X509_get_default_cert_file.3 +++ b/secure/lib/libcrypto/man/man3/X509_get_default_cert_file.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_GET_DEFAULT_CERT_FILE 3ossl" -.TH X509_GET_DEFAULT_CERT_FILE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_GET_DEFAULT_CERT_FILE 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -83,13 +86,13 @@ the default path when it is asked to load trusted CA certificates from a file and no other path is specified. If the file exists, CA certificates are loaded from the file. .PP -The \fBX509_get_default_cert_dir()\fR function returns a default delimeter-separated +The \fBX509_get_default_cert_dir()\fR function returns a default delimeter\-separated list of paths to a directories containing trusted CA certificates named in the hashed format. OpenSSL will use this as the default list of paths when it is asked to load trusted CA certificates from a directory and no other path is specified. If a given directory in the list exists, OpenSSL attempts to lookup CA certificates in this directory by calculating a filename based on a hash of -the certificate's subject name. +the certificate\*(Aqs subject name. .PP \&\fBX509_get_default_cert_file_env()\fR returns an environment variable name which is recommended to specify a nondefault value to be used instead of the value @@ -107,7 +110,7 @@ variable can also be a store URI (but see BUGS below). .IX Header "BUGS" By default (for example, when \fBX509_STORE_set_default_paths\fR\|(3) is used), the environment variable name returned by \fBX509_get_default_cert_dir_env()\fR is -interpreted both as a delimiter-separated list of paths, and as a store URI. +interpreted both as a delimiter\-separated list of paths, and as a store URI. This is ambiguous. For example, specifying a value of \fB"file:///etc/certs"\fR would cause instantiation of the "file" store provided as part of the default provider, but would also cause an \fBX509_LOOKUP_hash_dir\fR\|(3) instance to look diff --git a/secure/lib/libcrypto/man/man3/X509_get_extension_flags.3 b/secure/lib/libcrypto/man/man3/X509_get_extension_flags.3 index 566f23d0b7f7..bd63712c4147 100644 --- a/secure/lib/libcrypto/man/man3/X509_get_extension_flags.3 +++ b/secure/lib/libcrypto/man/man3/X509_get_extension_flags.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_GET_EXTENSION_FLAGS 3ossl" -.TH X509_GET_EXTENSION_FLAGS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_GET_EXTENSION_FLAGS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -128,7 +131,7 @@ The certificate contains an unhandled critical extension. .IX Item "EXFLAG_INVALID" Some certificate extension values are invalid or inconsistent. The certificate should be rejected. -This bit may also be raised after an out-of-memory error while +This bit may also be raised after an out\-of\-memory error while processing the X509 object, so it may not be related to the processed ASN1 object itself. .IP \fBEXFLAG_NO_FINGERPRINT\fR 4 @@ -139,7 +142,7 @@ This may be due to malloc failure or because no SHA1 implementation was found. .IX Item "EXFLAG_INVALID_POLICY" The NID_certificate_policies certificate extension is invalid or inconsistent. The certificate should be rejected. -This bit may also be raised after an out-of-memory error while +This bit may also be raised after an out\-of\-memory error while processing the X509 object, so it may not be related to the processed ASN1 object itself. .IP \fBEXFLAG_KUSAGE\fR 4 
@@ -163,9 +166,9 @@ returned. extension. If extended key usage is present it will return zero or more of the flags: \fBXKU_SSL_SERVER\fR, \fBXKU_SSL_CLIENT\fR, \fBXKU_SMIME\fR, \fBXKU_CODE_SIGN\fR \&\fBXKU_OCSP_SIGN\fR, \fBXKU_TIMESTAMP\fR, \fBXKU_DVCS\fR or \fBXKU_ANYEKU\fR. These -correspond to the OIDs \fBid-kp-serverAuth\fR, \fBid-kp-clientAuth\fR, -\&\fBid-kp-emailProtection\fR, \fBid-kp-codeSigning\fR, \fBid-kp-OCSPSigning\fR, -\&\fBid-kp-timeStamping\fR, \fBid-kp-dvcs\fR and \fBanyExtendedKeyUsage\fR respectively. +correspond to the OIDs \fBid\-kp\-serverAuth\fR, \fBid\-kp\-clientAuth\fR, +\&\fBid\-kp\-emailProtection\fR, \fBid\-kp\-codeSigning\fR, \fBid\-kp\-OCSPSigning\fR, +\&\fBid\-kp\-timeStamping\fR, \fBid\-kp\-dvcs\fR and \fBanyExtendedKeyUsage\fR respectively. Additionally \fBXKU_SGC\fR is set if either Netscape or Microsoft SGC OIDs are present. .PP diff --git a/secure/lib/libcrypto/man/man3/X509_get_pubkey.3 b/secure/lib/libcrypto/man/man3/X509_get_pubkey.3 index c325bcb4f922..f3d04d043f94 100644 --- a/secure/lib/libcrypto/man/man3/X509_get_pubkey.3 +++ b/secure/lib/libcrypto/man/man3/X509_get_pubkey.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_GET_PUBKEY 3ossl" -.TH X509_GET_PUBKEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_GET_PUBKEY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/X509_get_serialNumber.3 b/secure/lib/libcrypto/man/man3/X509_get_serialNumber.3 index 28008de3666a..1178d81d7d42 100644 --- a/secure/lib/libcrypto/man/man3/X509_get_serialNumber.3 +++ b/secure/lib/libcrypto/man/man3/X509_get_serialNumber.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_GET_SERIALNUMBER 3ossl" -.TH X509_GET_SERIALNUMBER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_GET_SERIALNUMBER 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_get_subject_name.3 b/secure/lib/libcrypto/man/man3/X509_get_subject_name.3 index cd3f99cfc118..fa73c7271822 100644 --- a/secure/lib/libcrypto/man/man3/X509_get_subject_name.3 +++ b/secure/lib/libcrypto/man/man3/X509_get_subject_name.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_GET_SUBJECT_NAME 3ossl" -.TH X509_GET_SUBJECT_NAME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_GET_SUBJECT_NAME 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_get_version.3 b/secure/lib/libcrypto/man/man3/X509_get_version.3 index 584fd8275680..ebe39fb2c32c 100644 --- a/secure/lib/libcrypto/man/man3/X509_get_version.3 +++ b/secure/lib/libcrypto/man/man3/X509_get_version.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_GET_VERSION 3ossl" -.TH X509_GET_VERSION 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_GET_VERSION 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_load_http.3 b/secure/lib/libcrypto/man/man3/X509_load_http.3 index 8ab562a084bc..613b9eff8023 100644 --- a/secure/lib/libcrypto/man/man3/X509_load_http.3 +++ b/secure/lib/libcrypto/man/man3/X509_load_http.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_LOAD_HTTP 3ossl" -.TH X509_LOAD_HTTP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_LOAD_HTTP 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_new.3 b/secure/lib/libcrypto/man/man3/X509_new.3 index 11e74bdf231a..06a540b833b8 100644 --- a/secure/lib/libcrypto/man/man3/X509_new.3 +++ b/secure/lib/libcrypto/man/man3/X509_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_NEW 3ossl" -.TH X509_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_NEW 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -112,7 +115,7 @@ The function \fBX509_up_ref()\fR if useful if a certificate structure is being used by several different operations each of which will free it up after use: this avoids the need to duplicate the entire certificate structure. .PP -The function \fBX509_chain_up_ref()\fR doesn't just up the reference count of +The function \fBX509_chain_up_ref()\fR doesn\*(Aqt just up the reference count of each certificate. It also returns a copy of the stack, using \fBsk_X509_dup()\fR, but it serves a similar purpose: the returned chain persists after the original has been freed. diff --git a/secure/lib/libcrypto/man/man3/X509_sign.3 b/secure/lib/libcrypto/man/man3/X509_sign.3 index ee2a2dd48f9e..ea8feeaf6ee4 100644 --- a/secure/lib/libcrypto/man/man3/X509_sign.3 +++ b/secure/lib/libcrypto/man/man3/X509_sign.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_SIGN 3ossl" -.TH X509_SIGN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_SIGN 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -101,7 +104,7 @@ sign certificate requests and CRLs, respectively. .IX Header "NOTES" \&\fBX509_sign_ctx()\fR is used where the default parameters for the corresponding public key and digest are not suitable. It can be used to sign keys using -RSA-PSS for example. +RSA\-PSS for example. .PP For efficiency reasons and to work around ASN.1 encoding issues the encoding of the signed portion of a certificate, certificate request and CRL is cached diff --git a/secure/lib/libcrypto/man/man3/X509_verify.3 b/secure/lib/libcrypto/man/man3/X509_verify.3 index 8997f77a53b0..a93d5b1a1211 100644 --- a/secure/lib/libcrypto/man/man3/X509_verify.3 +++ b/secure/lib/libcrypto/man/man3/X509_verify.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_VERIFY 3ossl" -.TH X509_VERIFY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_VERIFY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -87,7 +90,7 @@ verify certificate, certificate request, or CRL signature \&\fIpkey\fR. Only the signature is checked: no other checks (such as certificate chain validity) are performed. .PP -\&\fBX509_self_signed()\fR checks whether certificate \fIcert\fR is self-signed. +\&\fBX509_self_signed()\fR checks whether certificate \fIcert\fR is self\-signed. For success the issuer and subject names must match, the components of the authority key identifier (if present) must match the subject key identifier etc. The signature itself is actually verified only if \fBverify_signature\fR is 1, as @@ -101,7 +104,7 @@ respectively. \&\fBX509_verify()\fR, \&\fBX509_REQ_verify_ex()\fR, \fBX509_REQ_verify()\fR and \fBX509_CRL_verify()\fR return 1 if the signature is valid and 0 if the signature check fails. -If the signature could not be checked at all because it was ill-formed, +If the signature could not be checked at all because it was ill\-formed, the certificate or the request was not complete or some other error occurred then \-1 is returned. .PP diff --git a/secure/lib/libcrypto/man/man3/X509_verify_cert.3 b/secure/lib/libcrypto/man/man3/X509_verify_cert.3 index 5c34f3c38627..1a48f4e6f65f 100644 --- a/secure/lib/libcrypto/man/man3/X509_verify_cert.3 +++ b/secure/lib/libcrypto/man/man3/X509_verify_cert.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_VERIFY_CERT 3ossl" -.TH X509_VERIFY_CERT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_VERIFY_CERT 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -85,11 +88,11 @@ It internally uses a \fBX509_STORE_CTX\fR structure associated with the library context \fIlibctx\fR and property query string \fIpropq\fR, both of which may be NULL. In case there is more than one possibility for the chain, only one is taken. .PP -On success it returns a pointer to a new stack of (up_ref'ed) certificates +On success it returns a pointer to a new stack of (up_ref\*(Aqed) certificates starting with \fItarget\fR and followed by all available intermediate certificates. -A self-signed trust anchor is included only if \fItarget\fR is the trust anchor +A self\-signed trust anchor is included only if \fItarget\fR is the trust anchor of \fIwith_self_signed\fR is 1. -If a non-NULL stack is returned the caller is responsible for freeing it. +If a non\-NULL stack is returned the caller is responsible for freeing it. .PP The \fBX509_verify_cert()\fR function attempts to discover and validate a certificate chain based on parameters in \fIctx\fR. 
@@ -97,7 +100,7 @@ The verification context, of type \fBX509_STORE_CTX\fR, can be constructed using \fBX509_STORE_CTX_new\fR\|(3) and \fBX509_STORE_CTX_init\fR\|(3). It usually includes a target certificate to be verified, a set of certificates serving as trust anchors, -a list of non-trusted certificates that may be helpful for chain construction, +a list of non\-trusted certificates that may be helpful for chain construction, flags such as X509_V_FLAG_X509_STRICT, and various other optional components such as a callback function that allows customizing the verification outcome. A complete description of the certificate verification process is contained in diff --git a/secure/lib/libcrypto/man/man3/X509v3_get_ext_by_NID.3 b/secure/lib/libcrypto/man/man3/X509v3_get_ext_by_NID.3 index 962b32c7dd0f..815f168a40df 100644 --- a/secure/lib/libcrypto/man/man3/X509v3_get_ext_by_NID.3 +++ b/secure/lib/libcrypto/man/man3/X509v3_get_ext_by_NID.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509V3_GET_EXT_BY_NID 3ossl" -.TH X509V3_GET_EXT_BY_NID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509V3_GET_EXT_BY_NID 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -134,7 +137,7 @@ the extension is found, its index is returned, otherwise \-1 is returned. .PP \&\fBX509v3_get_ext_by_critical()\fR is similar to \fBX509v3_get_ext_by_NID()\fR except it looks for an extension of criticality \fIcrit\fR. A zero value for \fIcrit\fR -looks for a non-critical extension. A nonzero value looks for a critical +looks for a non\-critical extension. A nonzero value looks for a critical extension. .PP \&\fBX509v3_delete_ext()\fR deletes the extension with index \fIloc\fR from \fIx\fR. @@ -150,7 +153,7 @@ The passed extension \fIex\fR is duplicated so it must be freed after use. The STACK \fI*target\fR is returned unchanged if \fIexts\fR is NULL or an empty list. Otherwise a new stack is allocated if \fI*target\fR is NULL. An extension to be added -that has the same OID as a pre-existing one replaces this earlier one. +that has the same OID as a pre\-existing one replaces this earlier one. .PP \&\fBX509_get_ext_count()\fR, \fBX509_get_ext()\fR, \fBX509_get_ext_by_NID()\fR, \&\fBX509_get_ext_by_OBJ()\fR, \fBX509_get_ext_by_critical()\fR, \fBX509_delete_ext()\fR @@ -181,7 +184,7 @@ These search functions start from the extension \fBafter\fR the \fIlastpos\fR pa so it should initially be set to \-1. If it is set to zero, the initial extension will not be checked. .PP -\&\fBX509v3_delete_ext()\fR and its variants are a bit counter-intuitive +\&\fBX509v3_delete_ext()\fR and its variants are a bit counter\-intuitive because these functions do not free the extension they delete. They return an \fBX509_EXTENSION\fR object which must be explicitly freed using \fBX509_EXTENSION_free()\fR. diff --git a/secure/lib/libcrypto/man/man3/b2i_PVK_bio_ex.3 b/secure/lib/libcrypto/man/man3/b2i_PVK_bio_ex.3 index da15b9a4ab9f..83c04055e8b6 100644 --- a/secure/lib/libcrypto/man/man3/b2i_PVK_bio_ex.3 +++ b/secure/lib/libcrypto/man/man3/b2i_PVK_bio_ex.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "B2I_PVK_BIO_EX 3ossl" -.TH B2I_PVK_BIO_EX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH B2I_PVK_BIO_EX 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/d2i_PKCS8PrivateKey_bio.3 b/secure/lib/libcrypto/man/man3/d2i_PKCS8PrivateKey_bio.3 index d90c45f3baba..b0373a0df986 100644 --- a/secure/lib/libcrypto/man/man3/d2i_PKCS8PrivateKey_bio.3 +++ b/secure/lib/libcrypto/man/man3/d2i_PKCS8PrivateKey_bio.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "D2I_PKCS8PRIVATEKEY_BIO 3ossl" -.TH D2I_PKCS8PRIVATEKEY_BIO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH D2I_PKCS8PRIVATEKEY_BIO 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/d2i_PrivateKey.3 b/secure/lib/libcrypto/man/man3/d2i_PrivateKey.3 index 49072770717a..ef8cbf10722a 100644 
--- a/secure/lib/libcrypto/man/man3/d2i_PrivateKey.3 +++ b/secure/lib/libcrypto/man/man3/d2i_PrivateKey.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "D2I_PRIVATEKEY 3ossl" -.TH D2I_PRIVATEKEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH D2I_PRIVATEKEY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -109,7 +112,7 @@ i2d_PrivateKey_fp .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBd2i_PrivateKey_ex()\fR decodes a private key using algorithm \fItype\fR. It attempts -to use any key-specific format or PKCS#8 unencrypted PrivateKeyInfo format. +to use any key\-specific format or PKCS#8 unencrypted PrivateKeyInfo format. The \fItype\fR parameter should be a public key algorithm constant such as \&\fBEVP_PKEY_RSA\fR. An error occurs if the decoded key does not match \fItype\fR. Some private key decoding implementations may use cryptographic algorithms (for @@ -153,7 +156,7 @@ to encrypt or decrypt private keys should use other functions such as \&\fBd2i_PKCS8PrivateKey()\fR instead. .PP To decode a key with type \fBEVP_PKEY_EC\fR, \fBd2i_PublicKey()\fR requires \fI*a\fR to be -a non-NULL EVP_PKEY structure assigned an EC_KEY structure referencing the proper +a non\-NULL EVP_PKEY structure assigned an EC_KEY structure referencing the proper EC_GROUP. .SH "RETURN VALUES" .IX Header "RETURN VALUES" 
diff --git a/secure/lib/libcrypto/man/man3/d2i_RSAPrivateKey.3 b/secure/lib/libcrypto/man/man3/d2i_RSAPrivateKey.3 index e617d564606f..9d1d6ad466da 100644 --- a/secure/lib/libcrypto/man/man3/d2i_RSAPrivateKey.3 +++ b/secure/lib/libcrypto/man/man3/d2i_RSAPrivateKey.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "D2I_RSAPRIVATEKEY 3ossl" -.TH D2I_RSAPRIVATEKEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH D2I_RSAPRIVATEKEY 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -172,11 +175,11 @@ OpenSSL datatypes, such as \fBRSA\fR. The function parameters \fIppin\fR and \fIppout\fR are generally either both named \&\fIpp\fR in the headers, or \fIin\fR and \fIout\fR. .PP -All the functions here behave the way that's described in \fBd2i_X509\fR\|(3). +All the functions here behave the way that\*(Aqs described in \fBd2i_X509\fR\|(3). .PP Please note that not all functions in the synopsis are available for all key types. For example, there are no \fBd2i_RSAparams()\fR or \fBi2d_RSAparams()\fR, -because the PKCS#1 \fBRSA\fR structure doesn't include any key parameters. +because the PKCS#1 \fBRSA\fR structure doesn\*(Aqt include any key parameters. .PP \&\fBd2i_\fR\f(BITYPE\fR\fBPrivateKey\fR() and derivates thereof decode DER encoded \&\fR\f(BITYPE\fR\fB\fR private key data organized in a type specific structure. 
@@ -307,7 +310,7 @@ of the encoded structure. The ways that \fI*ppin\fR and \fI*ppout\fR are incremented after the operation can trap the unwary. See the \fBWARNINGS\fR section in \fBd2i_X509\fR\|(3) for some common errors. -The reason for this-auto increment behaviour is to reflect a typical +The reason for this\-auto increment behaviour is to reflect a typical usage of ASN1 functions: after one structure is encoded or decoded another will be processed after it. .PP @@ -317,7 +320,7 @@ The following points about the data types might be useful: Represents a DSA public key using a \fBSubjectPublicKeyInfo\fR structure. .IP "\fBDSAPublicKey\fR, \fBDSAPrivateKey\fR" 4 .IX Item "DSAPublicKey, DSAPrivateKey" -Use a non-standard OpenSSL format and should be avoided; use \fBDSA_PUBKEY\fR, +Use a non\-standard OpenSSL format and should be avoided; use \fBDSA_PUBKEY\fR, \&\fBPEM_write_PrivateKey\fR\|(3), or similar instead. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/d2i_SSL_SESSION.3 b/secure/lib/libcrypto/man/man3/d2i_SSL_SESSION.3 index ac0f4d3d861e..a66eebf23395 100644 --- a/secure/lib/libcrypto/man/man3/d2i_SSL_SESSION.3 +++ b/secure/lib/libcrypto/man/man3/d2i_SSL_SESSION.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "D2I_SSL_SESSION 3ossl" -.TH D2I_SSL_SESSION 3ossl 2025-09-30 3.5.4 OpenSSL +.TH D2I_SSL_SESSION 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -80,7 +83,7 @@ These functions decode and encode an SSL_SESSION object. For encoding details see \fBd2i_X509\fR\|(3). .PP SSL_SESSION objects keep internal link information about the session cache -list, when being inserted into one SSL_CTX object's session cache. +list, when being inserted into one SSL_CTX object\*(Aqs session cache. One SSL_SESSION object, regardless of its reference count, must therefore only be used with one SSL_CTX object (and the SSL objects created from this SSL_CTX object). @@ -88,7 +91,7 @@ from this SSL_CTX object). .IX Header "RETURN VALUES" \&\fBd2i_SSL_SESSION()\fR and \fBd2i_SSL_SESSION_ex()\fR return a pointer to the newly allocated SSL_SESSION object. -In case of failure the NULL-pointer is returned and the error message +In case of failure the NULL\-pointer is returned and the error message can be retrieved from the error stack. .PP \&\fBi2d_SSL_SESSION()\fR returns the size of the ASN1 representation in bytes. diff --git a/secure/lib/libcrypto/man/man3/d2i_X509.3 b/secure/lib/libcrypto/man/man3/d2i_X509.3 index 37e64608b5e6..eda3508403b8 100644 --- a/secure/lib/libcrypto/man/man3/d2i_X509.3 +++ b/secure/lib/libcrypto/man/man3/d2i_X509.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "D2I_X509 3ossl" -.TH D2I_X509 3ossl 2025-09-30 3.5.4 OpenSSL +.TH D2I_X509 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -517,7 +520,7 @@ The function parameters \fIppin\fR and \fIppout\fR are generally either both named \fIpp\fR in the headers, or \fIin\fR and \fIout\fR. .PP These functions convert OpenSSL objects to and from their ASN.1/DER -encoding. Unlike the C structures which can have pointers to sub-objects +encoding. Unlike the C structures which can have pointers to sub\-objects within, the DER is a serialized encoding, suitable for sending over the network, writing to a file, and so on. .PP @@ -583,7 +586,7 @@ of the encoded structure. The ways that \fI*ppin\fR and \fI*ppout\fR are incremented after the operation can trap the unwary. See the \fBWARNINGS\fR section for some common errors. -The reason for this-auto increment behaviour is to reflect a typical +The reason for this\-auto increment behaviour is to reflect a typical usage of ASN1 functions: after one structure is encoded or decoded another will be processed after it. .PP @@ -627,6 +630,10 @@ value if an error occurs. \&\fBi2d_\fR\f(BITYPE\fR\fB_bio\fR() and \fBi2d_\fR\f(BITYPE\fR\fB_fp\fR(), as well as \fBi2d_ASN1_bio_stream()\fR, return 1 for success and 0 if an error occurs. +.PP +On error, these functions may record the error in the OpenSSL error queue. +That error queue can be inspected with the \fBERR\fR family of functions, such as +\&\fBERR_print_errors\fR\|(3) and \fBERR_peek_last_error_all\fR\|(3). .SH EXAMPLES .IX Header "EXAMPLES" Allocate and encode the DER encoding of an X509 structure: 
@@ -748,6 +755,9 @@ Any function which encodes a structure (\fBi2d_\fR\f(BITYPE\fR(), structure has been modified after deserialization or previous serialization. This is because some objects cache the encoding for efficiency reasons. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fBERR_print_errors\fR\|(3), \fBERR_peek_last_error_all\fR\|(3) .SH HISTORY .IX Header "HISTORY" \&\fBd2i_OSSL_ATTRIBUTES_SYNTAX()\fR, \fBd2i_OSSL_BASIC_ATTR_CONSTRAINTS()\fR, diff --git a/secure/lib/libcrypto/man/man3/i2d_CMS_bio_stream.3 b/secure/lib/libcrypto/man/man3/i2d_CMS_bio_stream.3 index d4d214ccfecb..3e19f100313d 100644 --- a/secure/lib/libcrypto/man/man3/i2d_CMS_bio_stream.3 +++ b/secure/lib/libcrypto/man/man3/i2d_CMS_bio_stream.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "I2D_CMS_BIO_STREAM 3ossl" -.TH I2D_CMS_BIO_STREAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH I2D_CMS_BIO_STREAM 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/i2d_PKCS7_bio_stream.3 b/secure/lib/libcrypto/man/man3/i2d_PKCS7_bio_stream.3 index fe09c04fa3b5..d2322fb3bf3a 100644 --- a/secure/lib/libcrypto/man/man3/i2d_PKCS7_bio_stream.3 +++ b/secure/lib/libcrypto/man/man3/i2d_PKCS7_bio_stream.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "I2D_PKCS7_BIO_STREAM 3ossl" -.TH I2D_PKCS7_BIO_STREAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH I2D_PKCS7_BIO_STREAM 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/i2d_re_X509_tbs.3 b/secure/lib/libcrypto/man/man3/i2d_re_X509_tbs.3 index 2916ffd818f1..d286d8edf066 100644 --- a/secure/lib/libcrypto/man/man3/i2d_re_X509_tbs.3 +++ b/secure/lib/libcrypto/man/man3/i2d_re_X509_tbs.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "I2D_RE_X509_TBS 3ossl" -.TH I2D_RE_X509_TBS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH I2D_RE_X509_TBS 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -88,21 +91,21 @@ This function should not be called on untrusted input. \&\fBi2d_X509_AUX()\fR is similar to \fBi2d_X509\fR\|(3), but the encoded output contains both the certificate and any auxiliary trust information. This is used by the PEM routines to write "TRUSTED CERTIFICATE" objects. -Note that this is a non-standard OpenSSL-specific data format. +Note that this is a non\-standard OpenSSL\-specific data format. .PP \&\fBi2d_re_X509_tbs()\fR is similar to \fBi2d_X509\fR\|(3) except it encodes only the TBSCertificate portion of the certificate. \fBi2d_re_X509_CRL_tbs()\fR and \fBi2d_re_X509_REQ_tbs()\fR are analogous for CRL and certificate request, -respectively. The "re" in \fBi2d_re_X509_tbs\fR stands for "re-encode", +respectively. The "re" in \fBi2d_re_X509_tbs\fR stands for "re\-encode", and ensures that a fresh encoding is generated in case the object has been modified after creation (see the BUGS section). .PP The encoding of the TBSCertificate portion of a certificate is cached in the \fBX509\fR structure internally to improve encoding performance and to ensure certificate signatures are verified correctly in some -certificates with broken (non-DER) encodings. +certificates with broken (non\-DER) encodings. .PP -If, after modification, the \fBX509\fR object is re-signed with \fBX509_sign()\fR, +If, after modification, the \fBX509\fR object is re\-signed with \fBX509_sign()\fR, the encoding is automatically renewed. Otherwise, the encoding of the TBSCertificate portion of the \fBX509\fR can be manually renewed by calling \&\fBi2d_re_X509_tbs()\fR. diff --git a/secure/lib/libcrypto/man/man3/o2i_SCT_LIST.3 b/secure/lib/libcrypto/man/man3/o2i_SCT_LIST.3 index b45deee66b1b..a36ed7aa3f22 100644 --- a/secure/lib/libcrypto/man/man3/o2i_SCT_LIST.3 +++ b/secure/lib/libcrypto/man/man3/o2i_SCT_LIST.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "O2I_SCT_LIST 3ossl" -.TH O2I_SCT_LIST 3ossl 2025-09-30 3.5.4 OpenSSL +.TH O2I_SCT_LIST 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/s2i_ASN1_IA5STRING.3 b/secure/lib/libcrypto/man/man3/s2i_ASN1_IA5STRING.3 index 3d41751532a6..e0828471eb5b 100644 --- a/secure/lib/libcrypto/man/man3/s2i_ASN1_IA5STRING.3 +++ b/secure/lib/libcrypto/man/man3/s2i_ASN1_IA5STRING.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "S2I_ASN1_IA5STRING 3ossl" -.TH S2I_ASN1_IA5STRING 3ossl 2025-09-30 3.5.4 OpenSSL +.TH S2I_ASN1_IA5STRING 3ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -105,7 +108,7 @@ The letters \fBi\fR and \fBs\fR in \fBi2s\fR and \fBs2i\fR stand for "internal" (that is, an internal C structure) and string respectively. So \fBi2s_ASN1_IA5STRING\fR() converts from internal to string. .PP -It is the caller's responsibility to free the returned string. +It is the caller\*(Aqs responsibility to free the returned string. In the \fBi2s_ASN1_IA5STRING\fR() function the string is copied and the ownership of the original string remains with the caller. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man5/config.5 b/secure/lib/libcrypto/man/man5/config.5 index 9815f4de5393..eab705db9833 100644 --- a/secure/lib/libcrypto/man/man5/config.5 +++ b/secure/lib/libcrypto/man/man5/config.5 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CONFIG 5ossl" -.TH CONFIG 5ossl 2025-09-30 3.5.4 OpenSSL +.TH CONFIG 5ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -80,7 +83,7 @@ The syntax for defining ASN.1 values is described in A configuration file is a series of lines. Blank lines, and whitespace between the elements of a line, have no significance. A comment starts with a \fB#\fR character; the rest of the line is ignored. If the \fB#\fR -is the first non-space character in a line, the entire line is ignored. +is the first non\-space character in a line, the entire line is ignored. .SS Directives .IX Subsection "Directives" Two directives can be used to control the parsing of configuration files: @@ -100,7 +103,7 @@ If \fBpathname\fR is a simple filename, that file is included directly at that point. Included files can have \fB.include\fR statements that specify other files. If \fBpathname\fR is a directory, all files within that directory that have a \f(CW\*(C`.cnf\*(C'\fR or \f(CW\*(C`.conf\*(C'\fR extension will be included. (This is only -available on systems with POSIX IO support.) Any sub-directories found +available on systems with POSIX IO support.) Any sub\-directories found inside the \fBpathname\fR are \fBignored\fR. Similarly, if a file is opened while scanning a directory, and that file has an \fB.include\fR directive that specifies a directory, that is also ignored. @@ -135,7 +138,7 @@ done with the following directive: The default behavior, where the \fBvalue\fR is \fBfalse\fR or \fBoff\fR, is to treat the dollarsign as indicating a variable name; \f(CW\*(C`foo$bar\*(C'\fR is interpreted as \&\f(CW\*(C`foo\*(C'\fR followed by the expansion of the variable \f(CW\*(C`bar\*(C'\fR. If \fBvalue\fR is -\&\fBtrue\fR or \fBon\fR, then \f(CW\*(C`foo$bar\*(C'\fR is a single seven-character name and +\&\fBtrue\fR or \fBon\fR, then \f(CW\*(C`foo$bar\*(C'\fR is a single seven\-character name and variable expansions must be specified using braces or parentheses. .PP .Vb 1 
@@ -143,7 +146,7 @@ variable expansions must be specified using braces or parentheses. .Ve .PP If a relative pathname is specified in the \fB.include\fR directive, and -the \fBOPENSSL_CONF_INCLUDE\fR environment variable doesn't exist, then +the \fBOPENSSL_CONF_INCLUDE\fR environment variable doesn\*(Aqt exist, then the value of the \fBincludedir\fR pragma, if it exists, is prepended to the pathname. .SS Settings @@ -211,7 +214,7 @@ to the configuration file, but are not propagated to the environment. .PP It is an error if the value ends up longer than 64k. .PP -It is possible to escape certain characters by using a single \fB'\fR or +It is possible to escape certain characters by using a single \fB\*(Aq\fR or double \fB"\fR quote around the value, or using a backslash \fB\e\fR before the character, By making the last character of a line a \fB\e\fR @@ -281,10 +284,10 @@ is used to specify the individual sections. .SS "ASN.1 Object Identifier Configuration" .IX Subsection "ASN.1 Object Identifier Configuration" The name \fBoid_section\fR in the initialization section names the section -containing name/value pairs of OID's. +containing name/value pairs of OID\*(Aqs. The name is the short name; the value is an optional long name followed by a comma, and the numeric value. -While some OpenSSL commands have their own section for specifying OID's, +While some OpenSSL commands have their own section for specifying OID\*(Aqs, this section makes them available to all commands and applications. .PP .Vb 4 
@@ -313,7 +316,7 @@ showing that the OID "newoid1" has been added as "1.2.3.4.1". The name \fBproviders\fR in the initialization section names the section containing cryptographic provider configuration. The name/value assignments in this section each name a provider, and point to the configuration section -for that provider. The provider-specific section is used to specify how +for that provider. The provider\-specific section is used to specify how to load the module, activate it, and set other parameters. .PP Within a provider section, the following names have meaning: @@ -348,7 +351,7 @@ activate this setting, while a value of 0, no, false, or off (again in lower or uppercase) will disable this setting. Any other value will produce an error. Note this setting defaults to off if not provided .PP -All parameters in the section as well as sub-sections are made +All parameters in the section as well as sub\-sections are made available to the provider. .PP \fIDefault provider and its activation\fR @@ -403,7 +406,7 @@ section with the configuration for that name. For example: .PP The configuration name \fBsystem_default\fR has a special meaning. If it exists, it is applied whenever an \fBSSL_CTX\fR object is created. For example, -to impose system-wide minimum TLS and DTLS protocol versions: +to impose system\-wide minimum TLS and DTLS protocol versions: .PP .Vb 3 \& [tls_system_default] @@ -411,8 +414,8 @@ to impose system-wide minimum TLS and DTLS protocol versions: \& MinProtocol = DTLSv1.2 .Ve .PP -The minimum TLS protocol is applied to \fBSSL_CTX\fR objects that are TLS-based, -and the minimum DTLS protocol to those are DTLS-based. +The minimum TLS protocol is applied to \fBSSL_CTX\fR objects that are TLS\-based, +and the minimum DTLS protocol to those are DTLS\-based. The same applies also to maximum versions set with \fBMaxProtocol\fR. .PP Each configuration section consists of name/value pairs that are parsed 
@@ -433,7 +436,7 @@ The name \fBengines\fR in the initialization section names the section containing the list of ENGINE configurations. As with the providers, each name in this section identifies an engine with the configuration for that engine. -The engine-specific section is used to specify how to load the engine, +The engine\-specific section is used to specify how to load the engine, activate it, and set other parameters. .PP Within an engine section, the following names have meaning: @@ -503,25 +506,25 @@ For example: .Sp The available random bit generators are: .RS 4 -.IP \fBCTR-DRBG\fR 4 +.IP \fBCTR\-DRBG\fR 4 .IX Item "CTR-DRBG" .PD 0 -.IP \fBHASH-DRBG\fR 4 +.IP \fBHASH\-DRBG\fR 4 .IX Item "HASH-DRBG" -.IP \fBHMAC-DRBG\fR 4 +.IP \fBHMAC\-DRBG\fR 4 .IX Item "HMAC-DRBG" +.PD .RE .RS 4 .RE .IP \fBcipher\fR 4 .IX Item "cipher" -.PD -This specifies what cipher a \fBCTR-DRBG\fR random bit generator will use. +This specifies what cipher a \fBCTR\-DRBG\fR random bit generator will use. Other random bit generators ignore this name. The default value is \fBAES\-256\-CTR\fR. .IP \fBdigest\fR 4 .IX Item "digest" -This specifies what digest the \fBHASH-DRBG\fR or \fBHMAC-DRBG\fR random bit +This specifies what digest the \fBHASH\-DRBG\fR or \fBHMAC\-DRBG\fR random bit generators will use. Other random bit generators ignore this name. .IP \fBproperties\fR 4 .IX Item "properties" @@ -529,7 +532,7 @@ This sets the property query used when fetching the random bit generator and any underlying algorithms. .IP \fBseed\fR 4 .IX Item "seed" -This sets the randomness source that should be used. By default \fBSEED-SRC\fR +This sets the randomness source that should be used. By default \fBSEED\-SRC\fR will be used outside of the FIPS provider. The FIPS provider uses call backs to access the same randomness sources from outside the validated boundary. .IP \fBseed_properties\fR 4 
@@ -537,9 +540,9 @@ to access the same randomness sources from outside the validated boundary. This sets the property query used when fetching the randomness source. .IP \fBrandom_provider\fR 4 .IX Item "random_provider" -This sets the provider to use for the \fBRAND_bytes\fR\|(3) calls instead of the built-in +This sets the provider to use for the \fBRAND_bytes\fR\|(3) calls instead of the built\-in entropy sources. It defaults to "fips". If the named provider is not loaded, the -built-in entropy sources will be used. +built\-in entropy sources will be used. .SH EXAMPLES .IX Header "EXAMPLES" This example shows how to use quoting and escaping. @@ -596,15 +599,15 @@ This example shows how to enforce FIPS mode for the application .IP \fBOPENSSL_CONF\fR 4 .IX Item "OPENSSL_CONF" The path to the config file, or the empty string for none. -Ignored in set-user-ID and set-group-ID programs. +Ignored in set\-user\-ID and set\-group\-ID programs. .IP \fBOPENSSL_ENGINES\fR 4 .IX Item "OPENSSL_ENGINES" The path to the engines directory. -Ignored in set-user-ID and set-group-ID programs. +Ignored in set\-user\-ID and set\-group\-ID programs. .IP \fBOPENSSL_MODULES\fR 4 .IX Item "OPENSSL_MODULES" The path to the directory with OpenSSL modules, such as providers. -Ignored in set-user-ID and set-group-ID programs. +Ignored in set\-user\-ID and set\-group\-ID programs. .IP \fBOPENSSL_CONF_INCLUDE\fR 4 .IX Item "OPENSSL_CONF_INCLUDE" The optional path to prepend to all \fB.include\fR paths. 
@@ -613,8 +616,8 @@ The optional path to prepend to all \fB.include\fR paths. There is no way to include characters using the octal \fB\ennn\fR form. Strings are all null terminated so nulls cannot form part of the value. .PP -The escaping isn't quite right: if you want to use sequences like \fB\en\fR -you can't use any quote escaping on the same line. +The escaping isn\*(Aqt quite right: if you want to use sequences like \fB\en\fR +you can\*(Aqt use any quote escaping on the same line. .PP The limit that only one directory can be opened and read at a time can be considered a bug and should be fixed. @@ -624,8 +627,8 @@ An undocumented API, \fBNCONF_WIN32()\fR, used a slightly different set of parsing rules there were intended to be tailored to the Microsoft Windows platform. Specifically, the backslash character was not an escape character and -could be used in pathnames, only the double-quote character was recognized, -and comments began with a semi-colon. +could be used in pathnames, only the double\-quote character was recognized, +and comments began with a semi\-colon. This function was deprecated in OpenSSL 3.0; applications with configuration files using that syntax will have to be modified. .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man5/fips_config.5 b/secure/lib/libcrypto/man/man5/fips_config.5 index 7c05da10f535..fad4096d2881 100644 --- a/secure/lib/libcrypto/man/man5/fips_config.5 +++ b/secure/lib/libcrypto/man/man5/fips_config.5 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "FIPS_CONFIG 5ossl" -.TH FIPS_CONFIG 5ossl 2025-09-30 3.5.4 OpenSSL +.TH FIPS_CONFIG 5ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -66,14 +69,14 @@ fips_config \- OpenSSL FIPS configuration .IX Header "DESCRIPTION" A separate configuration file, using the OpenSSL \fBconfig\fR\|(5) syntax, is used to hold information about the FIPS module. This includes a digest -of the shared library file, and status about the self-testing. +of the shared library file, and status about the self\-testing. This data is used automatically by the module itself for two purposes: -.IP "\- Run the startup FIPS self-test known answer tests (KATS)." 4 +.IP "\- Run the startup FIPS self\-test known answer tests (KATS)." 4 .IX Item "- Run the startup FIPS self-test known answer tests (KATS)." This is normally done once, at installation time, but may also be set up to run each time the module is used. -.IP "\- Verify the module's checksum." 4 +.IP "\- Verify the module\*(Aqs checksum." 4 .IX Item "- Verify the module's checksum." This is done each time the module is used. .PP @@ -87,7 +90,7 @@ section, as described in "Provider Configuration Module" in \fBconfig\fR\|(5). .IX Item "activate" If present, the module is activated. The value assigned to this name is not significant. -.IP \fBconditional-errors\fR 4 +.IP \fBconditional\-errors\fR 4 .IX Item "conditional-errors" The FIPS module normally enters an internal error mode if any self test fails. Once this error mode is active, no services or cryptographic algorithms are 
@@ -99,45 +102,45 @@ continuous test fails. The default value of \f(CW1\fR will trigger the error mod Regardless of the value, the operation (e.g., key generation) that called the continuous test will return an error code if its continuous test fails. The operation may then be retried if the error mode has not been triggered. -.IP \fBmodule-mac\fR 4 +.IP \fBmodule\-mac\fR 4 .IX Item "module-mac" The calculated MAC of the FIPS provider file. -.IP \fBinstall-version\fR 4 +.IP \fBinstall\-version\fR 4 .IX Item "install-version" A version number for the fips install process. Should be 1. -.IP \fBinstall-status\fR 4 +.IP \fBinstall\-status\fR 4 .IX Item "install-status" This field is deprecated and is no longer used. -.IP \fBinstall-mac\fR 4 +.IP \fBinstall\-mac\fR 4 .IX Item "install-mac" This field is deprecated and is no longer used. .SS "FIPS indicator options" .IX Subsection "FIPS indicator options" -The following FIPS configuration options indicate if run-time checks related to +The following FIPS configuration options indicate if run\-time checks related to enforcement of FIPS security parameters such as minimum security strength of keys and approved curve names are used. -A value of '1' will perform the checks, otherwise if the value is '0' the checks +A value of \*(Aq1\*(Aq will perform the checks, otherwise if the value is \*(Aq0\*(Aq the checks are not performed and FIPS compliance must be done by procedures documented in the relevant Security Policy. .PP See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) for further information related to these options. 
-.IP \fBsecurity-checks\fR 4 +.IP \fBsecurity\-checks\fR 4 .IX Item "security-checks" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-no_security_checks\fR .IP \fBtls1\-prf\-ems\-check\fR 4 .IX Item "tls1-prf-ems-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-ems_check\fR -.IP \fBno-short-mac\fR 4 +.IP \fBno\-short\-mac\fR 4 .IX Item "no-short-mac" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-no_short_mac\fR -.IP \fBdrbg-no-trunc-md\fR 4 +.IP \fBdrbg\-no\-trunc\-md\fR 4 .IX Item "drbg-no-trunc-md" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-no_drbg_truncated_digests\fR -.IP \fBsignature-digest-check\fR 4 +.IP \fBsignature\-digest\-check\fR 4 .IX Item "signature-digest-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-signature_digest_check\fR -.IP \fBhkdf-digest-check\fR 4 +.IP \fBhkdf\-digest\-check\fR 4 .IX Item "hkdf-digest-check" This option is deprecated. .IP \fBtls13\-kdf\-digest\-check\fR 4 
@@ -146,34 +149,34 @@ See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-tls13_kdf_digest_check\fR .IP \fBtls1\-prf\-digest\-check\fR 4 .IX Item "tls1-prf-digest-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-tls1_prf_digest_check\fR -.IP \fBsshkdf-digest-check\fR 4 +.IP \fBsshkdf\-digest\-check\fR 4 .IX Item "sshkdf-digest-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-sshkdf_digest_check\fR -.IP \fBsskdf-digest-check\fR 4 +.IP \fBsskdf\-digest\-check\fR 4 .IX Item "sskdf-digest-check" This option is deprecated. .IP \fBx963kdf\-digest\-check\fR 4 .IX Item "x963kdf-digest-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-x963kdf_digest_check\fR -.IP \fBdsa-sign-disabled\fR 4 +.IP \fBdsa\-sign\-disabled\fR 4 .IX Item "dsa-sign-disabled" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-dsa_sign_disabled\fR -.IP \fBtdes-encrypt-disabled\fR 4 +.IP \fBtdes\-encrypt\-disabled\fR 4 .IX Item "tdes-encrypt-disabled" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-tdes_encrypt_disabled\fR .IP \fBrsa\-pkcs15\-pad\-disabled\fR 4 .IX Item "rsa-pkcs15-pad-disabled" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-rsa_pkcs15_pad_disabled\fR -.IP \fBrsa-pss-saltlen-check\fR 4 +.IP \fBrsa\-pss\-saltlen\-check\fR 4 .IX Item "rsa-pss-saltlen-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-rsa_pss_saltlen_check\fR .IP \fBrsa\-sign\-x931\-pad\-disabled\fR 4 .IX Item "rsa-sign-x931-pad-disabled" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-rsa_sign_x931_disabled\fR -.IP \fBhkdf-key-check\fR 4 +.IP \fBhkdf\-key\-check\fR 4 .IX Item "hkdf-key-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-hkdf_key_check\fR -.IP \fBkbkdf-key-check\fR 4 +.IP \fBkbkdf\-key\-check\fR 4 .IX Item "kbkdf-key-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-kbkdf_key_check\fR .IP \fBtls13\-kdf\-key\-check\fR 4 
@@ -182,10 +185,10 @@ See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-tls13_kdf_key_check\fR .IP \fBtls1\-prf\-key\-check\fR 4 .IX Item "tls1-prf-key-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-tls1_prf_key_check\fR -.IP \fBsshkdf-key-check\fR 4 +.IP \fBsshkdf\-key\-check\fR 4 .IX Item "sshkdf-key-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-sshkdf_key_check\fR -.IP \fBsskdf-key-check\fR 4 +.IP \fBsskdf\-key\-check\fR 4 .IX Item "sskdf-key-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-sskdf_key_check\fR .IP \fBx963kdf\-key\-check\fR 4 @@ -197,13 +200,13 @@ See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-x942kdf_key_check\fR .IP \fBpbkdf2\-lower\-bound\-check\fR 4 .IX Item "pbkdf2-lower-bound-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-no_pbkdf2_lower_bound_check\fR -.IP \fBecdh-cofactor-check\fR 4 +.IP \fBecdh\-cofactor\-check\fR 4 .IX Item "ecdh-cofactor-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-ecdh_cofactor_check\fR -.IP \fBhmac-key-check\fR 4 +.IP \fBhmac\-key\-check\fR 4 .IX Item "hmac-key-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-hmac_key_check\fR -.IP \fBkmac-key-check\fR 4 +.IP \fBkmac\-key\-check\fR 4 .IX Item "kmac-key-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-kmac_key_check\fR .PP @@ -223,7 +226,7 @@ For example: .IX Header "NOTES" When using the FIPS provider, it is recommended that the \&\fBconfig_diagnostics\fR option is enabled to prevent accidental use of -non-FIPS validated algorithms via broken or mistaken configuration. +non\-FIPS validated algorithms via broken or mistaken configuration. See \fBconfig\fR\|(5). .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man5/x509v3_config.5 b/secure/lib/libcrypto/man/man5/x509v3_config.5 index afb14b4c5186..c44ef8a4a6b5 100644 --- a/secure/lib/libcrypto/man/man5/x509v3_config.5 +++ b/secure/lib/libcrypto/man/man5/x509v3_config.5 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509V3_CONFIG 5ossl" -.TH X509V3_CONFIG 5ossl 2025-09-30 3.5.4 OpenSSL +.TH X509V3_CONFIG 5ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -87,7 +90,7 @@ If multiple entries are processed for the same extension name, later entries override earlier ones with the same name. .PP The format of \fBvalues\fR depends on the value of \fBname\fR, many have a -type-value pairing where the type and value are separated by a colon. +type\-value pairing where the type and value are separated by a colon. There are four main types of extension: .PP .Vb 4 @@ -102,8 +105,8 @@ Each is described in the following paragraphs. String extensions simply have a string which contains either the value itself or how it is obtained. .PP -Multi-valued extensions have a short form and a long form. The short form -is a comma-separated list of names and values: +Multi\-valued extensions have a short form and a long form. The short form +is a comma\-separated list of names and values: .PP .Vb 1 \& basicConstraints = critical, CA:true, pathlen:1 
@@ -122,7 +125,7 @@ The long form allows the values to be placed in a separate section: .PP Both forms are equivalent. .PP -If an extension is multi-value and a field value must contain a comma the long +If an extension is multi\-value and a field value must contain a comma the long form must be used otherwise the comma would be misinterpreted as a field separator. For example: .PP @@ -178,7 +181,7 @@ The following sections describe the syntax of each supported extension. They do not define the semantics of the extension. .SS "Basic Constraints" .IX Subsection "Basic Constraints" -This is a multi-valued extension which indicates whether a certificate is +This is a multi\-valued extension which indicates whether a certificate is a CA certificate. The first value is \fBCA\fR followed by \fBTRUE\fR or \&\fBFALSE\fR. If \fBCA\fR is \fBTRUE\fR then an optional \fBpathlen\fR name followed by a nonnegative value can be included. 
@@ -194,14 +197,14 @@ For example: .Ve .PP A CA certificate \fImust\fR include the \fBbasicConstraints\fR name with the \fBCA\fR -parameter set to \fBTRUE\fR. An end-user certificate must either have \fBCA:FALSE\fR +parameter set to \fBTRUE\fR. An end\-user certificate must either have \fBCA:FALSE\fR or omit the extension entirely. The \fBpathlen\fR parameter specifies the maximum number of CAs that can appear below this one in a chain. A \fBpathlen\fR of zero means the CA cannot sign -any sub-CA's, and can only sign end-entity certificates. +any sub\-CA\*(Aqs, and can only sign end\-entity certificates. .SS "Key Usage" .IX Subsection "Key Usage" -Key usage is a multi-valued extension consisting of a list of names of +Key usage is a multi\-valued extension consisting of a list of names of the permitted key usages. The defined values are: \f(CW\*(C`digitalSignature\*(C'\fR, \&\f(CW\*(C`nonRepudiation\*(C'\fR, \f(CW\*(C`keyEncipherment\*(C'\fR, \f(CW\*(C`dataEncipherment\*(C'\fR, \f(CW\*(C`keyAgreement\*(C'\fR, \&\f(CW\*(C`keyCertSign\*(C'\fR, \f(CW\*(C`cRLSign\*(C'\fR, \f(CW\*(C`encipherOnly\*(C'\fR, and \f(CW\*(C`decipherOnly\*(C'\fR. @@ -236,7 +239,7 @@ The following text names, and their intended meaning, are known: \& msEFS Microsoft Encrypted File System .Ve .PP -While IETF RFC 5280 says that \fBid-kp-serverAuth\fR and \fBid-kp-clientAuth\fR +While IETF RFC 5280 says that \fBid\-kp\-serverAuth\fR and \fBid\-kp\-clientAuth\fR are only for WWW use, in practice they are used for all kinds of TLS clients and servers, and this is what OpenSSL assumes as well. .PP 
@@ -279,14 +282,14 @@ Otherwise it may have the value \fBkeyid\fR or \fBissuer\fR or both of them, separated by \f(CW\*(C`,\*(C'\fR. Either or both can have the option \fBalways\fR, indicated by putting a colon \f(CW\*(C`:\*(C'\fR between the value and this option. -For self-signed certificates the AKID is suppressed unless \fBalways\fR is present. +For self\-signed certificates the AKID is suppressed unless \fBalways\fR is present. .PP By default the \fBx509\fR, \fBreq\fR, and \fBca\fR apps behave as if \fBnone\fR was given -for self-signed certificates and \fBkeyid\fR\f(CW\*(C`,\*(C'\fR \fBissuer\fR otherwise. +for self\-signed certificates and \fBkeyid\fR\f(CW\*(C`,\*(C'\fR \fBissuer\fR otherwise. .PP If \fBkeyid\fR is present, an attempt is made to copy the subject key identifier (SKID) from the issuer certificate except if -the issuer certificate is the same as the current one and it is not self-signed. +the issuer certificate is the same as the current one and it is not self\-signed. The hash of the public key related to the signing key is taken as fallback if the issuer certificate is the same as the current certificate. If \fBalways\fR is present but no value can be obtained, an error is returned. @@ -305,7 +308,7 @@ Examples: .Ve .SS "Subject Alternative Name" .IX Subsection "Subject Alternative Name" -This is a multi-valued extension that supports several types of name +This is a multi\-valued extension that supports several types of name identifier, including \&\fBemail\fR (an email address), \&\fBURI\fR (a uniform resource indicator), 
@@ -325,8 +328,8 @@ from the certificate subject name to the extension. The IP address used in the \fBIP\fR option can be in either IPv4 or IPv6 format. .PP The value of \fBdirName\fR is specifies the configuration section containing -the distinguished name to use, as a set of name-value pairs. -Multi-valued AVAs can be formed by prefacing the name with a \fB+\fR character. +the distinguished name to use, as a set of name\-value pairs. +Multi\-valued AVAs can be formed by prefacing the name with a \fB+\fR character. .PP The value of \fBotherName\fR can include arbitrary data associated with an OID; the value should be the OID followed by a semicolon and the content in specified @@ -355,7 +358,7 @@ Examples: \& CN = My Name .Ve .PP -Non-ASCII Email Address conforming the syntax defined in Section 3.3 of RFC 6531 +Non\-ASCII Email Address conforming the syntax defined in Section 3.3 of RFC 6531 are provided as otherName.SmtpUTF8Mailbox. According to RFC 8398, the email address should be provided as UTF8String. To enforce the valid representation in the certificate, the SmtpUTF8Mailbox should be provided as follows @@ -382,7 +385,7 @@ Example: This extension gives details about how to retrieve information that related to the certificate that the CA makes available. The syntax is \&\fBaccess_id;location\fR, where \fBaccess_id\fR is an object identifier -(although only a few values are well-known) and \fBlocation\fR has the same +(although only a few values are well\-known) and \fBlocation\fR has the same syntax as subject alternative name (except that \fBemail:copy\fR is not supported). .PP Possible values for access_id include \fBOCSP\fR (OCSP responder), 
@@ -400,11 +403,11 @@ Examples: .Ve .SS "CRL distribution points" .IX Subsection "CRL distribution points" -This is a multi-valued extension whose values can be either a name-value +This is a multi\-valued extension whose values can be either a name\-value pair using the same form as subject alternative name or a single value specifying the section name containing all the distribution point values. .PP -When a name-value pair is used, a DistributionPoint extension will +When a name\-value pair is used, a DistributionPoint extension will be set with the given value as the fullName field as the distributionPoint value, and the reasons and cRLIssuer fields will be omitted. .PP @@ -423,7 +426,7 @@ value of the nameRelativeToCRLIssuer field. The value must in the same format as the subject alternative name. .IP reasons 4 .IX Item "reasons" -A multi-value field that contains the reasons for revocation. The recognized +A multi\-value field that contains the reasons for revocation. The recognized values are: \f(CW\*(C`keyCompromise\*(C'\fR, \f(CW\*(C`CACompromise\*(C'\fR, \f(CW\*(C`affiliationChanged\*(C'\fR, \&\f(CW\*(C`superseded\*(C'\fR, \f(CW\*(C`cessationOfOperation\*(C'\fR, \f(CW\*(C`certificateHold\*(C'\fR, \&\f(CW\*(C`privilegeWithdrawn\*(C'\fR, and \f(CW\*(C`AACompromise\*(C'\fR. @@ -456,7 +459,7 @@ Full distribution point example: .Ve .SS "Issuing Distribution Point" .IX Subsection "Issuing Distribution Point" -This extension should only appear in CRLs. It is a multi-valued extension +This extension should only appear in CRLs. It is a multi\-valued extension whose syntax is similar to the "section" pointed to by the CRL distribution points extension. The following names have meaning: .IP fullname 4 
@@ -469,7 +472,7 @@ The value is taken as a distinguished name fragment that is set as the value of the nameRelativeToCRLIssuer field. .IP onlysomereasons 4 .IX Item "onlysomereasons" -A multi-value field that contains the reasons for revocation. The recognized +A multi\-value field that contains the reasons for revocation. The recognized values are: \f(CW\*(C`keyCompromise\*(C'\fR, \f(CW\*(C`CACompromise\*(C'\fR, \f(CW\*(C`affiliationChanged\*(C'\fR, \&\f(CW\*(C`superseded\*(C'\fR, \f(CW\*(C`cessationOfOperation\*(C'\fR, \f(CW\*(C`certificateHold\*(C'\fR, \&\f(CW\*(C`privilegeWithdrawn\*(C'\fR, and \f(CW\*(C`AACompromise\*(C'\fR. @@ -494,7 +497,7 @@ This is a \fIraw\fR extension that supports all of the defined fields of the certificate extension. .PP Policies without qualifiers are specified by giving the OID. -Multiple policies are comma-separated. For example: +Multiple policies are comma\-separated. For example: .PP .Vb 1 \& certificatePolicies = 1.2.4.5, 1.1.3.4 @@ -553,7 +556,7 @@ value with \fBUTF8\fR, \fBBMP\fR, or \fBVISIBLE\fR followed by colon. For exampl .Ve .SS "Policy Constraints" .IX Subsection "Policy Constraints" -This is a multi-valued extension which consisting of the names +This is a multi\-valued extension which consisting of the names \&\fBrequireExplicitPolicy\fR or \fBinhibitPolicyMapping\fR and a non negative integer value. At least one component must be present. .PP @@ -573,7 +576,7 @@ Example: .Ve .SS "Name Constraints" .IX Subsection "Name Constraints" -This is a multi-valued extension. The name should +This is a multi\-valued extension. The name should begin with the word \fBpermitted\fR or \fBexcluded\fR followed by a \fB;\fR. The rest of the name and the value follows the syntax of subjectAltName except \&\fBemail:copy\fR 
@@ -600,7 +603,7 @@ Example: .Ve .SS "TLS Feature (aka Must Staple)" .IX Subsection "TLS Feature (aka Must Staple)" -This is a multi-valued extension consisting of a list of TLS extension +This is a multi\-valued extension consisting of a list of TLS extension identifiers. Each identifier may be a number (0..65535) or a supported name. When a TLS client sends a listed extension, the TLS server is expected to include that extension in its reply. @@ -625,7 +628,7 @@ Other extensions of this type are: \fBnsBaseUrl\fR, and \fBnsSslServerName\fR. .SS "Netscape Certificate Type" .IX Subsection "Netscape Certificate Type" -This is a multi-valued extensions which consists of a list of flags to be +This is a multi\-valued extensions which consists of a list of flags to be included. It was used to indicate the purposes for which a certificate could be used. The basicConstraints, keyUsage and extended key usage extensions are now used instead. diff --git a/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-RSA.7 b/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-RSA.7 index 585c80700a75..ec9bf115a0f5 100644 --- a/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-RSA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-RSA.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_ASYM_CIPHER-RSA 7ossl" -.TH EVP_ASYM_CIPHER-RSA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_ASYM_CIPHER-RSA 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -68,7 +71,7 @@ EVP_ASYM_CIPHER\-RSA Asymmetric Cipher support for the \fBRSA\fR key type. .SS "RSA Asymmetric Cipher parameters" .IX Subsection "RSA Asymmetric Cipher parameters" -.IP """pad-mode"" (\fBOSSL_ASYM_CIPHER_PARAM_PAD_MODE\fR) <UTF8 string>" 4 +.IP """pad\-mode"" (\fBOSSL_ASYM_CIPHER_PARAM_PAD_MODE\fR) <UTF8 string>" 4 .IX Item """pad-mode"" (OSSL_ASYM_CIPHER_PARAM_PAD_MODE) <UTF8 string>" The default provider understands these RSA padding modes in string form: .RS 4 @@ -89,10 +92,8 @@ See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-rsa_pkcs15_pad_disabled\fR .RE .RS 4 .RE -.PD 0 -.IP """pad-mode"" (\fBOSSL_ASYM_CIPHER_PARAM_PAD_MODE\fR) <integer>" 4 +.IP """pad\-mode"" (\fBOSSL_ASYM_CIPHER_PARAM_PAD_MODE\fR) <integer>" 4 .IX Item """pad-mode"" (OSSL_ASYM_CIPHER_PARAM_PAD_MODE) <integer>" -.PD The default provider understands these RSA padding modes in integer form: .RS 4 .IP "1 (\fBRSA_PKCS1_PADDING\fR)" 4 
@@ -107,38 +108,38 @@ agreement and key transport. .IX Item "4 (RSA_PKCS1_OAEP_PADDING)" .IP "5 (\fBRSA_X931_PADDING\fR)" 4 .IX Item "5 (RSA_X931_PADDING)" +.PD .RE .RS 4 -.PD .Sp See \fBEVP_PKEY_CTX_set_rsa_padding\fR\|(3) for further details. .RE .IP """digest"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST\fR) <UTF8 string>" 4 .IX Item """digest"" (OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST) <UTF8 string>" .PD 0 -.IP """digest-props"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS\fR) <UTF8 string>" 4 +.IP """digest\-props"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS\fR) <UTF8 string>" 4 .IX Item """digest-props"" (OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS) <UTF8 string>" .IP """mgf1\-digest"" (\fBOSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST\fR) <UTF8 string>" 4 .IX Item """mgf1-digest"" (OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST) <UTF8 string>" .IP """mgf1\-digest\-props"" (\fBOSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS\fR) <UTF8 string>" 4 .IX Item """mgf1-digest-props"" (OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS) <UTF8 string>" -.IP """oaep-label"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_LABEL\fR) <octet string>" 4 +.IP """oaep\-label"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_LABEL\fR) <octet string>" 4 .IX Item """oaep-label"" (OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL) <octet string>" -.IP """tls-client-version"" (\fBOSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\fR) <unsigned integer>" 4 +.IP """tls\-client\-version"" (\fBOSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\fR) <unsigned integer>" 4 .IX Item """tls-client-version"" (OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION) <unsigned integer>" .PD See \fBRSA_PKCS1_WITH_TLS_PADDING\fR on the page \fBEVP_PKEY_CTX_set_rsa_padding\fR\|(3). 
-.IP """tls-negotiated-version"" (\fBOSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\fR) <unsigned integer>" 4 +.IP """tls\-negotiated\-version"" (\fBOSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\fR) <unsigned integer>" 4 .IX Item """tls-negotiated-version"" (OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION) <unsigned integer>" See \fBRSA_PKCS1_WITH_TLS_PADDING\fR on the page \fBEVP_PKEY_CTX_set_rsa_padding\fR\|(3). .Sp See "Asymmetric Cipher Parameters" in \fBprovider\-asym_cipher\fR\|(7) for more information. .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR) <integer>" .PD 0 -.IP """key-check"" (\fBOSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK) <integer>" .PD See "Asymmetric Cipher Parameters" in \fBprovider\-asym_cipher\fR\|(7) for more information. @@ -147,8 +148,8 @@ See "Asymmetric Cipher Parameters" in \fBprovider\-asym_cipher\fR\|(7) for more The default value of 1 causes an error during encryption if the RSA padding mode is set to "pkcs1". Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-SM2.7 b/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-SM2.7 index 729701d9b34e..981de3c012f9 100644 --- a/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-SM2.7 +++ b/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-SM2.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_ASYM_CIPHER-SM2 7ossl" -.TH EVP_ASYM_CIPHER-SM2 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_ASYM_CIPHER-SM2 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -71,7 +74,7 @@ Asymmetric Cipher support for the \fBSM2\fR key type. .IP """digest"" (\fBOSSL_ASYM_CIPHER_PARAM_DIGEST\fR) <UTF8 string>" 4 .IX Item """digest"" (OSSL_ASYM_CIPHER_PARAM_DIGEST) <UTF8 string>" .PD 0 -.IP """digest-props"" (\fBOSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS\fR) <UTF8 string>" 4 +.IP """digest\-props"" (\fBOSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS\fR) <UTF8 string>" 4 .IX Item """digest-props"" (OSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS) <UTF8 string>" .PD See "Asymmetric Cipher Parameters" in \fBprovider\-asym_cipher\fR\|(7). diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-AES.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-AES.7 index 8b18e070a770..bbb5e5cb5aaa 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-AES.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-AES.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-AES 7ossl" -.TH EVP_CIPHER-AES 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-AES 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -110,11 +113,11 @@ This implementation supports the parameters described in "PARAMETERS" in \fBEVP_EncryptInit\fR\|(3). .SH NOTES .IX Header "NOTES" -The AES-SIV and AES-WRAP mode implementations do not support streaming. That +The AES\-SIV and AES\-WRAP mode implementations do not support streaming. That means to obtain correct results there can be only one \fBEVP_EncryptUpdate\fR\|(3) or \fBEVP_DecryptUpdate\fR\|(3) call after the initialization of the context. .PP -The AES-XTS implementations allow streaming to be performed, but each +The AES\-XTS implementations allow streaming to be performed, but each \&\fBEVP_EncryptUpdate\fR\|(3) or \fBEVP_DecryptUpdate\fR\|(3) call requires each input to be a multiple of the blocksize. Only the final \fBEVP_EncryptUpdate()\fR or \&\fBEVP_DecryptUpdate()\fR call can optionally have an input that is not a multiple @@ -125,7 +128,7 @@ stealing (CTS) is used to fill the block. \&\fBprovider\-cipher\fR\|(7), \fBOSSL_PROVIDER\-FIPS\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7) .SH HISTORY .IX Header "HISTORY" -The GCM-SIV mode ciphers were added in OpenSSL version 3.2. +The GCM\-SIV mode ciphers were added in OpenSSL version 3.2. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2021\-2023 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-ARIA.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-ARIA.7 index 0d0dcf472c6d..50ce9cb43e33 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-ARIA.7 
+++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-ARIA.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-ARIA 7ossl" -.TH EVP_CIPHER-ARIA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-ARIA 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-BLOWFISH.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-BLOWFISH.7 index 959c2e5c36f7..68c4816729ed 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-BLOWFISH.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-BLOWFISH.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-BLOWFISH 7ossl" -.TH EVP_CIPHER-BLOWFISH 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-BLOWFISH 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -68,14 +71,14 @@ Support for BLOWFISH symmetric encryption using the \fBEVP_CIPHER\fR API. .SS "Algorithm Names" .IX Subsection "Algorithm Names" The following algorithms are available in the legacy provider: -.IP """BF-ECB""" 4 +.IP """BF\-ECB""" 4 .IX Item """BF-ECB""" .PD 0 -.IP """BF-CBC""" 4 +.IP """BF\-CBC""" 4 .IX Item """BF-CBC""" -.IP """BF-OFB""" 4 +.IP """BF\-OFB""" 4 .IX Item """BF-OFB""" -.IP """BF-CFB""" 4 +.IP """BF\-CFB""" 4 .IX Item """BF-CFB""" .PD .SS Parameters diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAMELLIA.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAMELLIA.7 index e89cc8717be1..3a5df269aa74 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAMELLIA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAMELLIA.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-CAMELLIA 7ossl" -.TH EVP_CIPHER-CAMELLIA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-CAMELLIA 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAST.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAST.7 index 829abd1e2f7a..63afcef5fd36 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAST.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAST.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-CAST 7ossl" -.TH EVP_CIPHER-CAST 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-CAST 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-CHACHA.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-CHACHA.7 index 699f4cfa8cfd..f697fdc952a6 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-CHACHA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-CHACHA.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-CHACHA 7ossl" -.TH EVP_CIPHER-CHACHA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-CHACHA 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-DES.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-DES.7 index f19084a11e70..43cba38c8f28 100644 
--- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-DES.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-DES.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-DES 7ossl" -.TH EVP_CIPHER-DES 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-DES 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -81,35 +84,35 @@ FIPS provider: .IP """DES\-EDE3\-CFB8"" and ""DES\-EDE3\-CFB1""" 4 .IX Item """DES-EDE3-CFB8"" and ""DES-EDE3-CFB1""" .PD 0 -.IP """DES-EDE-ECB"" or ""DES-EDE""" 4 +.IP """DES\-EDE\-ECB"" or ""DES\-EDE""" 4 .IX Item """DES-EDE-ECB"" or ""DES-EDE""" -.IP """DES-EDE-CBC""" 4 +.IP """DES\-EDE\-CBC""" 4 .IX Item """DES-EDE-CBC""" -.IP """DES-EDE-OFB""" 4 +.IP """DES\-EDE\-OFB""" 4 .IX Item """DES-EDE-OFB""" -.IP """DES-EDE-CFB""" 4 +.IP """DES\-EDE\-CFB""" 4 .IX Item """DES-EDE-CFB""" .IP """DES3\-WRAP""" 4 .IX Item """DES3-WRAP""" .PD .PP The following algorithms are available in the legacy provider: -.IP """DES-ECB""" 4 +.IP """DES\-ECB""" 4 .IX Item """DES-ECB""" .PD 0 -.IP """DES-CBC""" 4 +.IP """DES\-CBC""" 4 .IX Item """DES-CBC""" -.IP """DES-OFB""" 4 +.IP """DES\-OFB""" 4 .IX Item """DES-OFB""" -.IP """DES-CFB"", ""DES\-CFB1"" and ""DES\-CFB8""" 4 +.IP """DES\-CFB"", ""DES\-CFB1"" and ""DES\-CFB8""" 4 .IX Item """DES-CFB"", ""DES-CFB1"" and ""DES-CFB8""" -.IP """DESX-CBC""" 4 +.IP """DESX\-CBC""" 4 .IX Item """DESX-CBC""" .PD .SS Parameters .IX Subsection "Parameters" This implementation supports the parameters described in -"PARAMETERS" in \fBEVP_EncryptInit\fR\|(3) including "encrypt-check" and "fips-indicator". +"PARAMETERS" in \fBEVP_EncryptInit\fR\|(3) including "encrypt\-check" and "fips\-indicator". .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBprovider\-cipher\fR\|(7), \fBOSSL_PROVIDER\-FIPS\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7), diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-IDEA.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-IDEA.7 index 2e4dd1ab6d58..2e198e8c64eb 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-IDEA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-IDEA.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-IDEA 7ossl" -.TH EVP_CIPHER-IDEA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-IDEA 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -68,14 +71,14 @@ Support for IDEA symmetric encryption using the \fBEVP_CIPHER\fR API. .SS "Algorithm Names" .IX Subsection "Algorithm Names" The following algorithms are available in the legacy provider: -.IP """IDEA-ECB""" 4 +.IP """IDEA\-ECB""" 4 .IX Item """IDEA-ECB""" .PD 0 -.IP """IDEA-CBC""" 4 +.IP """IDEA\-CBC""" 4 .IX Item """IDEA-CBC""" -.IP """IDEA-OFB"" or ""IDEA\-OFB64""" 4 +.IP """IDEA\-OFB"" or ""IDEA\-OFB64""" 4 .IX Item """IDEA-OFB"" or ""IDEA-OFB64""" -.IP """IDEA-CFB"" or ""IDEA\-CFB64""" 4 +.IP """IDEA\-CFB"" or ""IDEA\-CFB64""" 4 .IX Item """IDEA-CFB"" or ""IDEA-CFB64""" .PD .SS Parameters diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-NULL.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-NULL.7 index dcfc26968524..58468f8247cd 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-NULL.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-NULL.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-NULL 7ossl" -.TH EVP_CIPHER-NULL 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-NULL 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -88,7 +91,7 @@ See "Gettable EVP_CIPHER parameters" in \fBEVP_EncryptInit\fR\|(3) .PD 0 .IP """ivlen"" (\fBOSSL_CIPHER_PARAM_IVLEN\fR and <\fBOSSL_CIPHER_PARAM_AEAD_IVLEN\fR) <unsigned integer>" 4 .IX Item """ivlen"" (OSSL_CIPHER_PARAM_IVLEN and <OSSL_CIPHER_PARAM_AEAD_IVLEN) <unsigned integer>" -.IP """tls-mac"" (\fBOSSL_CIPHER_PARAM_TLS_MAC\fR) <octet ptr>" 4 +.IP """tls\-mac"" (\fBOSSL_CIPHER_PARAM_TLS_MAC\fR) <octet ptr>" 4 .IX Item """tls-mac"" (OSSL_CIPHER_PARAM_TLS_MAC) <octet ptr>" .PD .PP @@ -96,7 +99,7 @@ See "PARAMETERS" in \fBEVP_EncryptInit\fR\|(3) for further information. .PP \fISettable EVP_CIPHER_CTX parameters\fR .IX Subsection "Settable EVP_CIPHER_CTX parameters" -.IP """tls-mac-size"" (\fBOSSL_CIPHER_PARAM_TLS_MAC_SIZE\fR) <unsigned integer>" 4 +.IP """tls\-mac\-size"" (\fBOSSL_CIPHER_PARAM_TLS_MAC_SIZE\fR) <unsigned integer>" 4 .IX Item """tls-mac-size"" (OSSL_CIPHER_PARAM_TLS_MAC_SIZE) <unsigned integer>" .PP See "PARAMETERS" in \fBEVP_EncryptInit\fR\|(3) for further information. diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC2.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC2.7 index 9b8cc42d1dfd..0ff47a9e1ae0 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC2.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC2.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-RC2 7ossl" -.TH EVP_CIPHER-RC2 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-RC2 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC4.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC4.7 index 1f5fb7f1ffcc..0e7028a88324 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC4.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC4.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-RC4 7ossl" -.TH EVP_CIPHER-RC4 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-RC4 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC5.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC5.7 index 6586d997099b..0b299932e7da 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC5.7 
+++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC5.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-RC5 7ossl" -.TH EVP_CIPHER-RC5 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-RC5 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-SEED.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-SEED.7 index 6aaf4802764e..53c91edb5356 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-SEED.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-SEED.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-SEED 7ossl" -.TH EVP_CIPHER-SEED 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-SEED 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -68,14 +71,14 @@ Support for SEED symmetric encryption using the \fBEVP_CIPHER\fR API. .SS "Algorithm Names" .IX Subsection "Algorithm Names" The following algorithms are available in the legacy provider: -.IP """SEED-CBC"" or ""SEED""" 4 +.IP """SEED\-CBC"" or ""SEED""" 4 .IX Item """SEED-CBC"" or ""SEED""" .PD 0 -.IP """SEED-ECB""" 4 +.IP """SEED\-ECB""" 4 .IX Item """SEED-ECB""" -.IP """SEED-OFB"" or ""SEED\-OFB128""" 4 +.IP """SEED\-OFB"" or ""SEED\-OFB128""" 4 .IX Item """SEED-OFB"" or ""SEED-OFB128""" -.IP """SEED-CFB"" or ""SEED\-CFB128""" 4 +.IP """SEED\-CFB"" or ""SEED\-CFB128""" 4 .IX Item """SEED-CFB"" or ""SEED-CFB128""" .PD .SS Parameters diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-SM4.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-SM4.7 index 903f1624aa38..090a7cd15f09 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-SM4.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-SM4.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-SM4 7ossl" -.TH EVP_CIPHER-SM4 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-SM4 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-ARGON2.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-ARGON2.7 index 78a02825abce..3f34ffa98bc4 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-ARGON2.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-ARGON2.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-ARGON2 7ossl" -.TH EVP_KDF-ARGON2 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-ARGON2 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -64,25 +67,25 @@ EVP_KDF\-ARGON2 \- The Argon2 EVP KDF implementation .SH DESCRIPTION .IX Header "DESCRIPTION" -Support for computing the \fBargon2\fR password-based KDF through the \fBEVP_KDF\fR +Support for computing the \fBargon2\fR password\-based KDF through the \fBEVP_KDF\fR API. .PP -The EVP_KDF\-ARGON2 algorithm implements the Argon2 password-based key -derivation function, as described in IETF RFC 9106. It is memory-hard in +The EVP_KDF\-ARGON2 algorithm implements the Argon2 password\-based key +derivation function, as described in IETF RFC 9106. It is memory\-hard in the sense that it deliberately requires a significant amount of RAM for efficient computation. The intention of this is to render brute forcing of passwords on systems that lack large amounts of main memory (such as GPUs or ASICs) computationally infeasible. .PP -Argon2d (Argon2i) uses data-dependent (data-independent) memory access and -primary seek to address trade-off (side-channel) attacks. +Argon2d (Argon2i) uses data\-dependent (data\-independent) memory access and +primary seek to address trade\-off (side\-channel) attacks. .PP Argon2id is a hybrid construction which, in the first two slices of the first -pass, generates reference addresses data-independently as in Argon2i, whereas -in later slices and next passes it generates them data-dependently as in +pass, generates reference addresses data\-independently as in Argon2i, whereas +in later slices and next passes it generates them data\-dependently as in Argon2d. .PP -Sbox-hardened version Argon2ds is not supported. +Sbox\-hardened version Argon2ds is not supported. .PP For more information, please refer to RFC 9106. .SS "Supported parameters" 
@@ -114,7 +117,7 @@ password. .IX Item """threads"" (OSSL_KDF_PARAM_THREADS) <unsigned integer>" The number of threads, bounded above by the number of lanes. .Sp -This can only be used with built-in thread support. Threading must be +This can only be used with built\-in thread support. Threading must be explicitly enabled. See EXAMPLES section for more information. .IP """ad"" (\fBOSSL_KDF_PARAM_ARGON2_AD\fR) <octet string>" 4 .IX Item """ad"" (OSSL_KDF_PARAM_ARGON2_AD) <octet string>" @@ -123,12 +126,12 @@ to a particular public key, without having to modify salt. .IP """lanes"" (\fBOSSL_KDF_PARAM_ARGON2_LANES\fR) <unsigned integer>" 4 .IX Item """lanes"" (OSSL_KDF_PARAM_ARGON2_LANES) <unsigned integer>" Argon2 splits the requested memory size into lanes, each of which is designed -to be processed in parallel. For example, on a system with p cores, it's +to be processed in parallel. For example, on a system with p cores, it\*(Aqs recommended to use p lanes. .Sp The number of lanes is used to derive the key. It is possible to specify more lanes than the number of available computational threads. This is -especially encouraged if multi-threading is disabled. +especially encouraged if multi\-threading is disabled. .IP """memcost"" (\fBOSSL_KDF_PARAM_ARGON2_MEMCOST\fR) <unsigned integer>" 4 .IX Item """memcost"" (OSSL_KDF_PARAM_ARGON2_MEMCOST) <unsigned integer>" Memory cost parameter (the number of 1k memory blocks used). diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-HKDF.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-HKDF.7 index aab786491abf..04ce81a1de93 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-HKDF.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-HKDF.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-HKDF 7ossl" -.TH EVP_KDF-HKDF 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-HKDF 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -67,9 +70,9 @@ EVP_KDF\-HKDF \- The HKDF EVP_KDF implementation Support for computing the \fBHKDF\fR KDF through the \fBEVP_KDF\fR API. .PP The EVP_KDF\-HKDF algorithm implements the HKDF key derivation function. -HKDF follows the "extract-then-expand" paradigm, where the KDF logically +HKDF follows the "extract\-then\-expand" paradigm, where the KDF logically consists of two modules. The first stage takes the input keying material -and "extracts" from it a fixed-length pseudorandom key K. The second stage +and "extracts" from it a fixed\-length pseudorandom key K. The second stage "expands" the key K into several additional pseudorandom keys (the output of the KDF). .PP 
@@ -107,14 +110,14 @@ There are three modes that are currently defined: This is the default mode. Calling \fBEVP_KDF_derive\fR\|(3) on an EVP_KDF_CTX set up for HKDF will perform an extract followed by an expand operation in one go. The derived key returned will be the result after the expand operation. The -intermediate fixed-length pseudorandom key K is not returned. +intermediate fixed\-length pseudorandom key K is not returned. .Sp In this mode the digest, key, salt and info values must be set before a key is derived otherwise an error will occur. .IP """EXTRACT_ONLY"" or \fBEVP_KDF_HKDF_MODE_EXTRACT_ONLY\fR" 4 .IX Item """EXTRACT_ONLY"" or EVP_KDF_HKDF_MODE_EXTRACT_ONLY" In this mode calling \fBEVP_KDF_derive\fR\|(3) will just perform the extract -operation. The value returned will be the intermediate fixed-length pseudorandom +operation. The value returned will be the intermediate fixed\-length pseudorandom key K. The \fIkeylen\fR parameter must match the size of K, which can be looked up by calling \fBEVP_KDF_CTX_get_kdf_size()\fR after setting the mode and digest. .Sp @@ -123,7 +126,7 @@ an error will occur. .IP """EXPAND_ONLY"" or \fBEVP_KDF_HKDF_MODE_EXPAND_ONLY\fR" 4 .IX Item """EXPAND_ONLY"" or EVP_KDF_HKDF_MODE_EXPAND_ONLY" In this mode calling \fBEVP_KDF_derive\fR\|(3) will just perform the expand -operation. The input key should be set to the intermediate fixed-length +operation. The input key should be set to the intermediate fixed\-length pseudorandom key K returned from a previous extract operation. .Sp The digest, key and info values must be set before a key is derived otherwise 
@@ -133,19 +136,19 @@ an error will occur. .RE .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. -This may be used after calling EVP_KDF_derive. It returns 0 if "key-check" +This may be used after calling EVP_KDF_derive. It returns 0 if "key\-check" is set to 0 and the check fails. -.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the -length of used key-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 +length of used key\-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 bits. Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH NOTES .IX Header "NOTES" 
@@ -159,7 +162,7 @@ A context for HKDF can be obtained by calling: The output length of an HKDF expand operation is specified via the \fIkeylen\fR parameter to the \fBEVP_KDF_derive\fR\|(3) function. When using EVP_KDF_HKDF_MODE_EXTRACT_ONLY the \fIkeylen\fR parameter must equal the size of -the intermediate fixed-length pseudorandom key otherwise an error will occur. +the intermediate fixed\-length pseudorandom key otherwise an error will occur. For that mode, the fixed output size can be looked up by calling \fBEVP_KDF_CTX_get_kdf_size()\fR after setting the mode and digest on the \fBEVP_KDF_CTX\fR. .SH EXAMPLES diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-HMAC-DRBG.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-HMAC-DRBG.7 index 9f052e930e37..590431a3ad3c 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-HMAC-DRBG.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-HMAC-DRBG.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-HMAC-DRBG 7ossl" -.TH EVP_KDF-HMAC-DRBG 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-HMAC-DRBG 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -71,7 +74,7 @@ values. This is used to generate deterministic nonce value required by ECDSA and DSA (as defined in RFC 6979). .SS Identity .IX Subsection "Identity" -"HMAC-DRBG-KDF" is the name for this implementation; it can be used +"HMAC\-DRBG\-KDF" is the name for this implementation; it can be used with the \fBEVP_KDF_fetch()\fR function. .SS "Supported parameters" .IX Subsection "Supported parameters" @@ -85,10 +88,10 @@ The supported parameters are: These parameters work as described in "PARAMETERS" in \fBEVP_KDF\fR\|(3). .IP """entropy"" (\fBOSSL_KDF_PARAM_HMACDRBG_ENTROPY\fR) <octet string>" 4 .IX Item """entropy"" (OSSL_KDF_PARAM_HMACDRBG_ENTROPY) <octet string>" -Sets the entropy bytes supplied to the HMAC-DRBG. +Sets the entropy bytes supplied to the HMAC\-DRBG. .IP """nonce"" (\fBOSSL_KDF_PARAM_HMACDRBG_NONCE\fR) <octet string>" 4 .IX Item """nonce"" (OSSL_KDF_PARAM_HMACDRBG_NONCE) <octet string>" -Sets the nonce bytes supplied to the HMAC-DRBG. +Sets the nonce bytes supplied to the HMAC\-DRBG. .SH NOTES .IX Header "NOTES" A context for KDF HMAC DRBG can be obtained by calling: diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-KB.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-KB.7 index 738a06916bfb..869cea1165e5 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-KB.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-KB.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-KB 7ossl" -.TH EVP_KDF-KB 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-KB 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -64,7 +67,7 @@ EVP_KDF\-KB \- The Key\-Based EVP_KDF implementation .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP_KDF\-KB algorithm implements the Key-Based key derivation function +The EVP_KDF\-KB algorithm implements the Key\-Based key derivation function (KBKDF). KBKDF derives a key from repeated application of a keyed MAC to an input secret (and other optional values). .PP 
@@ -101,36 +104,36 @@ The value is either CMAC, HMAC, KMAC128 or KMAC256. .IX Item """seed"" (OSSL_KDF_PARAM_SEED) <octet string>" .PD The seed parameter is unused in counter mode. -.IP """use-l"" (\fBOSSL_KDF_PARAM_KBKDF_USE_L\fR) <integer>" 4 +.IP """use\-l"" (\fBOSSL_KDF_PARAM_KBKDF_USE_L\fR) <integer>" 4 .IX Item """use-l"" (OSSL_KDF_PARAM_KBKDF_USE_L) <integer>" -Set to \fB0\fR to disable use of the optional Fixed Input data 'L' (see SP800\-108). +Set to \fB0\fR to disable use of the optional Fixed Input data \*(AqL\*(Aq (see SP800\-108). The default value of \fB1\fR will be used if unspecified. -.IP """use-separator"" (\fBOSSL_KDF_PARAM_KBKDF_USE_SEPARATOR\fR) <integer>" 4 +.IP """use\-separator"" (\fBOSSL_KDF_PARAM_KBKDF_USE_SEPARATOR\fR) <integer>" 4 .IX Item """use-separator"" (OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR) <integer>" -Set to \fB0\fR to disable use of the optional Fixed Input data 'zero separator' +Set to \fB0\fR to disable use of the optional Fixed Input data \*(Aqzero separator\*(Aq (see SP800\-108) that is placed between the Label and Context. The default value of \fB1\fR will be used if unspecified. .IP """r"" (\fBOSSL_KDF_PARAM_KBKDF_R\fR) <integer>" 4 .IX Item """r"" (OSSL_KDF_PARAM_KBKDF_R) <integer>" -Set the fixed value 'r', indicating the length of the counter in bits. +Set the fixed value \*(Aqr\*(Aq, indicating the length of the counter in bits. .Sp Supported values are \fB8\fR, \fB16\fR, \fB24\fR, and \fB32\fR. The default value of \fB32\fR will be used if unspecified. .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. -This may be used after calling EVP_KDF_derive. 
It returns 0 if "key-check" +This may be used after calling EVP_KDF_derive. It returns 0 if "key\-check" is set to 0 and the check fails. -.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the -length of used key-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 +length of used key\-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 bits. Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .PP Depending on whether mac is CMAC or HMAC, either digest or cipher is required diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-KRB5KDF.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-KRB5KDF.7 index 0f1a7bd69150..39a2b8aacef3 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-KRB5KDF.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-KRB5KDF.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-KRB5KDF 7ossl" -.TH EVP_KDF-KRB5KDF 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-KRB5KDF 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -102,7 +105,7 @@ A context for KRB5KDF can be obtained by calling: The output length of the KRB5KDF derivation is specified via the \fIkeylen\fR parameter to the \fBEVP_KDF_derive\fR\|(3) function, and MUST match the key length for the chosen cipher or an error is returned. Moreover, the -constant's length must not exceed the block size of the cipher. +constant\*(Aqs length must not exceed the block size of the cipher. Since the KRB5KDF output length depends on the chosen cipher, calling \&\fBEVP_KDF_CTX_get_kdf_size\fR\|(3) to obtain the requisite length returns the correct length only after the cipher is set. Prior to that \fBEVP_MAX_KEY_LENGTH\fR is returned. diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF1.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF1.7 index 25f0db72ea71..0c7de4a05803 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF1.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF1.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-PBKDF1 7ossl" -.TH EVP_KDF-PBKDF1 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-PBKDF1 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -64,10 +67,10 @@ EVP_KDF\-PBKDF1 \- The PBKDF1 EVP_KDF implementation .SH DESCRIPTION .IX Header "DESCRIPTION" -Support for computing the \fBPBKDF1\fR password-based KDF through the \fBEVP_KDF\fR +Support for computing the \fBPBKDF1\fR password\-based KDF through the \fBEVP_KDF\fR API. .PP -The EVP_KDF\-PBKDF1 algorithm implements the PBKDF1 password-based key +The EVP_KDF\-PBKDF1 algorithm implements the PBKDF1 password\-based key derivation function, as described in RFC 8018; it derives a key from a password using a salt and iteration count. .SS Identity diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF2.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF2.7 index 7607d24bab02..78e5af89277f 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF2.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF2.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-PBKDF2 7ossl" -.TH EVP_KDF-PBKDF2 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-PBKDF2 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -64,10 +67,10 @@ EVP_KDF\-PBKDF2 \- The PBKDF2 EVP_KDF implementation .SH DESCRIPTION .IX Header "DESCRIPTION" -Support for computing the \fBPBKDF2\fR password-based KDF through the \fBEVP_KDF\fR +Support for computing the \fBPBKDF2\fR password\-based KDF through the \fBEVP_KDF\fR API. .PP -The EVP_KDF\-PBKDF2 algorithm implements the PBKDF2 password-based key +The EVP_KDF\-PBKDF2 algorithm implements the PBKDF2 password\-based key derivation function, as described in SP800\-132; it derives a key from a password using a salt and iteration count. .PP @@ -109,16 +112,16 @@ The checks performed are: .IX Item "- the salt length is at least 128 bits." .IP "\- the derived key length is at least 112 bits." 4 .IX Item "- the derived key length is at least 112 bits." +.PD .RE .RS 4 -.PD .Sp The default provider uses a default mode of 1 for backwards compatibility, and the FIPS provider uses a default mode of 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .RE -.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>" This option is used by the OpenSSL FIPS provider. .Sp diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-PKCS12KDF.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-PKCS12KDF.7 index 341f1d862e50..5b8ea1932164 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-PKCS12KDF.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-PKCS12KDF.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-PKCS12KDF 7ossl" -.TH EVP_KDF-PKCS12KDF 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-PKCS12KDF 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -64,10 +67,10 @@ EVP_KDF\-PKCS12KDF \- The PKCS#12 EVP_KDF implementation .SH DESCRIPTION .IX Header "DESCRIPTION" -Support for computing the \fBPKCS#12\fR password-based KDF through the \fBEVP_KDF\fR +Support for computing the \fBPKCS#12\fR password\-based KDF through the \fBEVP_KDF\fR API. .PP -The EVP_KDF\-PKCS12KDF algorithm implements the PKCS#12 password-based key +The EVP_KDF\-PKCS12KDF algorithm implements the PKCS#12 password\-based key derivation function, as described in appendix B of RFC 7292 (PKCS #12: Personal Information Exchange Syntax); it derives a key from a password using a salt, iteration count and the intended usage. diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-PVKKDF.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-PVKKDF.7 index 3e905f6b0e31..e0e08d57d688 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-PVKKDF.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-PVKKDF.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-PVKKDF 7ossl" -.TH EVP_KDF-PVKKDF 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-PVKKDF 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -64,10 +67,10 @@ EVP_KDF\-PVKKDF \- The PVK EVP_KDF implementation .SH DESCRIPTION .IX Header "DESCRIPTION" -Support for computing the \fBPVK KDF\fR PIN-based KDF through the \fBEVP_KDF\fR +Support for computing the \fBPVK KDF\fR PIN\-based KDF through the \fBEVP_KDF\fR API. .PP -The EVP_KDF\-PVKKDF algorithm implements a PVK PIN-based key +The EVP_KDF\-PVKKDF algorithm implements a PVK PIN\-based key derivation function; it derives a key from a password using a salt. .SS Identity .IX Subsection "Identity" diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-SCRYPT.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-SCRYPT.7 index a08ad8fed8e8..a708efc341c6 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-SCRYPT.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-SCRYPT.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-SCRYPT 7ossl" -.TH EVP_KDF-SCRYPT 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-SCRYPT 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -64,11 +67,11 @@ EVP_KDF\-SCRYPT \- The scrypt EVP_KDF implementation .SH DESCRIPTION .IX Header "DESCRIPTION" -Support for computing the \fBscrypt\fR password-based KDF through the \fBEVP_KDF\fR +Support for computing the \fBscrypt\fR password\-based KDF through the \fBEVP_KDF\fR API. .PP -The EVP_KDF\-SCRYPT algorithm implements the scrypt password-based key -derivation function, as described in RFC 7914. It is memory-hard in the sense +The EVP_KDF\-SCRYPT algorithm implements the scrypt password\-based key +derivation function, as described in RFC 7914. It is memory\-hard in the sense that it deliberately requires a significant amount of RAM for efficient computation. The intention of this is to render brute forcing of passwords on systems that lack large amounts of main memory (such as GPUs or ASICs) @@ -82,7 +85,7 @@ greater than zero. The amount of RAM that scrypt requires for its computation is roughly (128 * N * r * p) bytes. .PP In the original paper of Colin Percival ("Stronger Key Derivation via -Sequential Memory-Hard Functions", 2009), the suggested values that give a +Sequential Memory\-Hard Functions", 2009), the suggested values that give a computation time of less than 5 seconds on a 2.5 GHz Intel Core 2 Duo are N = 2^20 = 1048576, r = 8, p = 1. Consequently, the required amount of memory for this computation is roughly 1 GiB. On a more recent CPU (Intel i7\-5930K at 3.5 
diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-SS.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-SS.7 index e10084e0fcea..6fa1c21ef51f 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-SS.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-SS.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-SS 7ossl" -.TH EVP_KDF-SS 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-SS 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -67,7 +70,7 @@ EVP_KDF\-SS \- The Single Step / One Step EVP_KDF implementation The EVP_KDF\-SS algorithm implements the Single Step key derivation function (SSKDF). SSKDF derives a key using input such as a shared secret key (that was generated during the execution of a key establishment scheme) and fixedinfo. -SSKDF is also informally referred to as 'Concat KDF'. +SSKDF is also informally referred to as \*(AqConcat KDF\*(Aq. .PP The output is considered to be keying material. .SS "Auxiliary function" @@ -82,7 +85,7 @@ The implementation uses a selectable auxiliary function H, which can be one of: .IX Item "H(x) = KMACxxx(x, key=salt, custom=""KDF"", outlen=mac_size)" .PD .PP -Both the HMAC and KMAC implementations set the key using the 'salt' value. +Both the HMAC and KMAC implementations set the key using the \*(Aqsalt\*(Aq value. The hash and HMAC also require the digest to be set. .SS Identity .IX Subsection "Identity" 
@@ -115,19 +118,19 @@ This parameter set the shared secret that is used for key derivation. This parameter sets an optional value for fixedinfo, also known as otherinfo. .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. -This may be used after calling EVP_KDF_derive. It returns 0 if "key-check" +This may be used after calling EVP_KDF_derive. It returns 0 if "key\-check" is set to 0 and the check fails. -.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the -length of used key-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 +length of used key\-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 bits. Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH NOTES .IX Header "NOTES" diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-SSHKDF.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-SSHKDF.7 index c00d36a8a7ba..892dac94cfdd 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-SSHKDF.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-SSHKDF.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-SSHKDF 7ossl" -.TH EVP_KDF-SSHKDF 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-SSHKDF 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -106,56 +109,56 @@ There are six supported types: .IP EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 4 .IX Item "EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV" The Initial IV from client to server. -A single char of value 65 (ASCII char 'A'). +A single char of value 65 (ASCII char \*(AqA\*(Aq). .IP EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 4 .IX Item "EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI" The Initial IV from server to client -A single char of value 66 (ASCII char 'B'). +A single char of value 66 (ASCII char \*(AqB\*(Aq). .IP EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 4 .IX Item "EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV" The Encryption Key from client to server -A single char of value 67 (ASCII char 'C'). +A single char of value 67 (ASCII char \*(AqC\*(Aq). .IP EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI 4 .IX Item "EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI" The Encryption Key from server to client -A single char of value 68 (ASCII char 'D'). +A single char of value 68 (ASCII char \*(AqD\*(Aq). .IP EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV 4 .IX Item "EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV" The Integrity Key from client to server -A single char of value 69 (ASCII char 'E'). +A single char of value 69 (ASCII char \*(AqE\*(Aq). .IP EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI 4 .IX Item "EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI" The Integrity Key from client to server -A single char of value 70 (ASCII char 'F'). +A single char of value 70 (ASCII char \*(AqF\*(Aq). .RE .RS 4 .RE .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling EVP_KDF_derive. 
It returns 0 if any "***\-check" related parameter is set to 0 and the check fails. -.IP """digest-check"" (\fBOSSL_KDF_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_KDF_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_KDF_PARAM_FIPS_DIGEST_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if used digest is not approved. Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .Sp According to SP 800\-135r1, the following are approved digest algorithms: SHA\-1, SHA2\-224, SHA2\-256, SHA2\-384, SHA2\-512. -.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the -length of used key-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 +length of used key\-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 bits. Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH NOTES .IX Header "NOTES" diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-TLS13_KDF.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-TLS13_KDF.7 index 225b2e0878a4..4bfbb2308e86 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-TLS13_KDF.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-TLS13_KDF.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-TLS13_KDF 7ossl" -.TH EVP_KDF-TLS13_KDF 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-TLS13_KDF 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -110,7 +113,7 @@ There are two modes that are currently defined: .IP """EXTRACT_ONLY"" or \fBEVP_KDF_HKDF_MODE_EXTRACT_ONLY\fR" 4 .IX Item """EXTRACT_ONLY"" or EVP_KDF_HKDF_MODE_EXTRACT_ONLY" In this mode calling \fBEVP_KDF_derive\fR\|(3) will just perform the extract -operation. The value returned will be the intermediate fixed-length pseudorandom +operation. The value returned will be the intermediate fixed\-length pseudorandom key K. The \fIkeylen\fR parameter must match the size of K, which can be looked up by calling \fBEVP_KDF_CTX_get_kdf_size()\fR after setting the mode and digest. .Sp @@ -119,7 +122,7 @@ an error will occur. .IP """EXPAND_ONLY"" or \fBEVP_KDF_HKDF_MODE_EXPAND_ONLY\fR" 4 .IX Item """EXPAND_ONLY"" or EVP_KDF_HKDF_MODE_EXPAND_ONLY" In this mode calling \fBEVP_KDF_derive\fR\|(3) will just perform the expand -operation. The input key should be set to the intermediate fixed-length +operation. The input key should be set to the intermediate fixed\-length pseudorandom key K returned from a previous extract operation. .Sp The digest, key and info values must be set before a key is derived otherwise 
@@ -129,30 +132,30 @@ an error will occur. .RE .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling EVP_KDF_derive. It returns 0 if any "***\-check" related parameter is set to 0 and the check fails. -.IP """digest-check"" (\fBOSSL_KDF_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_KDF_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_KDF_PARAM_FIPS_DIGEST_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if used digest is not approved. Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .Sp According to RFC 8446, the following are approved digest algorithms: SHA2\-256, SHA2\-384. -.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the -length of used key-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 +length of used key\-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 bits. Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. 
+This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH NOTES .IX Header "NOTES" @@ -173,7 +176,7 @@ A context for a TLS 1.3 KDF can be obtained by calling: The output length of a TLS 1.3 KDF expand operation is specified via the \&\fIkeylen\fR parameter to the \fBEVP_KDF_derive\fR\|(3) function. When using EVP_KDF_HKDF_MODE_EXTRACT_ONLY the \fIkeylen\fR parameter must equal the size of -the intermediate fixed-length pseudorandom key otherwise an error will occur. +the intermediate fixed\-length pseudorandom key otherwise an error will occur. For that mode, the fixed output size can be looked up by calling \&\fBEVP_KDF_CTX_get_kdf_size()\fR after setting the mode and digest on the \&\fBEVP_KDF_CTX\fR. diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-TLS1_PRF.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-TLS1_PRF.7 index 29310eeb6dce..77bd1c31ca2a 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-TLS1_PRF.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-TLS1_PRF.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-TLS1_PRF 7ossl" -.TH EVP_KDF-TLS1_PRF 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-TLS1_PRF 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -100,7 +103,7 @@ The length of the context seed cannot exceed 1024 bytes; this should be more than enough for any normal use of the TLS PRF. .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling EVP_KDF_derive. It returns 0 if any "***\-check" 
@@ -109,28 +112,28 @@ related parameter is set to 0 and the check fails. .IX Item """ems_check"" (OSSL_KDF_PARAM_FIPS_EMS_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_derive()\fR if "master secret" is used instead of "extended master secret" Setting this to zero -will ignore the error and set the approved "fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +will ignore the error and set the approved "fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. -.IP """digest-check"" (\fBOSSL_KDF_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_KDF_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_KDF_PARAM_FIPS_DIGEST_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if used digest is not approved. Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .Sp According to SP 800\-135r1, the following are approved digest algorithms: SHA2\-256, SHA2\-384, SHA2\-512. -.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the -length of used key-derivation key (\fBOSSL_KDF_PARAM_SECRET\fR) is shorter than 112 +length of used key\-derivation key (\fBOSSL_KDF_PARAM_SECRET\fR) is shorter than 112 bits. Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. 
+This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH NOTES .IX Header "NOTES" diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-X942-ASN1.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-X942-ASN1.7 index ab6662cccdb5..5007bc677280 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-X942-ASN1.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-X942-ASN1.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-X942-ASN1 7ossl" -.TH EVP_KDF-X942-ASN1 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-X942-ASN1 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -67,8 +70,8 @@ EVP_KDF\-X942\-ASN1 \- The X9.42\-2003 asn1 EVP_KDF implementation The EVP_KDF\-X942\-ASN1 algorithm implements the key derivation function X942KDF\-ASN1. It is used by DH KeyAgreement, to derive a key using input such as a shared secret key and other info. The other info is DER encoded data that -contains a 32 bit counter as well as optional fields for "partyu-info", -"partyv-info", "supp-pubinfo" and "supp-privinfo". +contains a 32 bit counter as well as optional fields for "partyu\-info", +"partyv\-info", "supp\-pubinfo" and "supp\-privinfo". This kdf is used by Cryptographic Message Syntax (CMS). .PP The output is considered to be keying material. 
@@ -89,34 +92,34 @@ These parameters work as described in "PARAMETERS" in \fBEVP_KDF\fR\|(3). .IP """secret"" (\fBOSSL_KDF_PARAM_SECRET\fR) <octet string>" 4 .IX Item """secret"" (OSSL_KDF_PARAM_SECRET) <octet string>" The shared secret used for key derivation. This parameter sets the secret. -.IP """acvp-info"" (\fBOSSL_KDF_PARAM_X942_ACVPINFO\fR) <octet string>" 4 +.IP """acvp\-info"" (\fBOSSL_KDF_PARAM_X942_ACVPINFO\fR) <octet string>" 4 .IX Item """acvp-info"" (OSSL_KDF_PARAM_X942_ACVPINFO) <octet string>" This value should not be used in production and should only be used for ACVP testing. It is an optional octet string containing a combined DER encoded blob -of any of the optional fields related to "partyu-info", "partyv-info", -"supp-pubinfo" and "supp-privinfo". If it is specified then none of these other +of any of the optional fields related to "partyu\-info", "partyv\-info", +"supp\-pubinfo" and "supp\-privinfo". If it is specified then none of these other fields should be used. -.IP """partyu-info"" (\fBOSSL_KDF_PARAM_X942_PARTYUINFO\fR) <octet string>" 4 +.IP """partyu\-info"" (\fBOSSL_KDF_PARAM_X942_PARTYUINFO\fR) <octet string>" 4 .IX Item """partyu-info"" (OSSL_KDF_PARAM_X942_PARTYUINFO) <octet string>" An optional octet string containing public info contributed by the initiator. .IP """ukm"" (\fBOSSL_KDF_PARAM_UKM\fR) <octet string>" 4 .IX Item """ukm"" (OSSL_KDF_PARAM_UKM) <octet string>" -An alias for "partyu-info". +An alias for "partyu\-info". In CMS this is the user keying material. -.IP """partyv-info"" (\fBOSSL_KDF_PARAM_X942_PARTYVINFO\fR) <octet string>" 4 +.IP """partyv\-info"" (\fBOSSL_KDF_PARAM_X942_PARTYVINFO\fR) <octet string>" 4 .IX Item """partyv-info"" (OSSL_KDF_PARAM_X942_PARTYVINFO) <octet string>" An optional octet string containing public info contributed by the responder. 
-.IP """supp-pubinfo"" (\fBOSSL_KDF_PARAM_X942_SUPP_PUBINFO\fR) <octet string>" 4 +.IP """supp\-pubinfo"" (\fBOSSL_KDF_PARAM_X942_SUPP_PUBINFO\fR) <octet string>" 4 .IX Item """supp-pubinfo"" (OSSL_KDF_PARAM_X942_SUPP_PUBINFO) <octet string>" -An optional octet string containing some additional, mutually-known public -information. Setting this value also sets "use-keybits" to 0. -.IP """use-keybits"" (\fBOSSL_KDF_PARAM_X942_USE_KEYBITS\fR) <integer>" 4 +An optional octet string containing some additional, mutually\-known public +information. Setting this value also sets "use\-keybits" to 0. +.IP """use\-keybits"" (\fBOSSL_KDF_PARAM_X942_USE_KEYBITS\fR) <integer>" 4 .IX Item """use-keybits"" (OSSL_KDF_PARAM_X942_USE_KEYBITS) <integer>" The default value of 1 will use the KEK key length (in bits) as the -"supp-pubinfo". A value of 0 disables setting the "supp-pubinfo". -.IP """supp-privinfo"" (\fBOSSL_KDF_PARAM_X942_SUPP_PRIVINFO\fR) <octet string>" 4 +"supp\-pubinfo". A value of 0 disables setting the "supp\-pubinfo". +.IP """supp\-privinfo"" (\fBOSSL_KDF_PARAM_X942_SUPP_PRIVINFO\fR) <octet string>" 4 .IX Item """supp-privinfo"" (OSSL_KDF_PARAM_X942_SUPP_PRIVINFO) <octet string>" -An optional octet string containing some additional, mutually-known private +An optional octet string containing some additional, mutually\-known private information. .IP """cekalg"" (\fBOSSL_KDF_PARAM_CEK_ALG\fR) <UTF8 string>" 4 .IX Item """cekalg"" (OSSL_KDF_PARAM_CEK_ALG) <UTF8 string>" 
@@ -124,19 +127,19 @@ This parameter sets the CEK wrapping algorithm name. Valid values are "AES\-128\-WRAP", "AES\-192\-WRAP", "AES\-256\-WRAP" and "DES3\-WRAP". .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. -This may be used after calling EVP_KDF_derive. It returns 0 if "key-check" +This may be used after calling EVP_KDF_derive. It returns 0 if "key\-check" parameter is set to 0 and the check fails. -.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the -length of used key-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 +length of used key\-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 bits. Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH NOTES .IX Header "NOTES" diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-X942-CONCAT.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-X942-CONCAT.7 index 801b89da4cac..b247182a3e17 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-X942-CONCAT.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-X942-CONCAT.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-X942-CONCAT 7ossl" -.TH EVP_KDF-X942-CONCAT 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-X942-CONCAT 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-X963.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-X963.7 index c21382cdd60c..9c571167193a 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-X963.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-X963.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-X963 7ossl" -.TH EVP_KDF-X963 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-X963 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -92,31 +95,31 @@ This parameter sets the secret. This parameter specifies an optional value for shared info. .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling EVP_KDF_derive. It returns 0 if any "***\-check" related parameter is set to 0 and the check fails. -.IP """digest-check"" (\fBOSSL_KDF_PARAM_FIPS_DIGEST_CHECK\fR) <int>" 4 +.IP """digest\-check"" (\fBOSSL_KDF_PARAM_FIPS_DIGEST_CHECK\fR) <int>" 4 .IX Item """digest-check"" (OSSL_KDF_PARAM_FIPS_DIGEST_CHECK) <int>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if used digest is not approved. Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .Sp According to ANSI X9.63\-2001, the following are approved digest algorithms: SHA2\-224, SHA2\-256, SHA2\-384, SHA2\-512, SHA2\-512/224, SHA2\-512/256, SHA3\-224, SHA3\-256, SHA3\-384, SHA3\-512. -.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the -length of used key-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 +length of used key\-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 bits. 
Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH NOTES .IX Header "NOTES" diff --git a/secure/lib/libcrypto/man/man7/EVP_KEM-EC.7 b/secure/lib/libcrypto/man/man7/EVP_KEM-EC.7 index 8cae2016c1a4..5054e80e75a5 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KEM-EC.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KEM-EC.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KEM-EC 7ossl" -.TH EVP_KEM-EC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KEM-EC 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_KEM-ML-KEM.7 b/secure/lib/libcrypto/man/man7/EVP_KEM-ML-KEM.7 index 80f1fd720b6b..0fed1bc16ff7 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KEM-ML-KEM.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KEM-ML-KEM.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KEM-ML-KEM 7ossl" -.TH EVP_KEM-ML-KEM 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KEM-ML-KEM 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -65,14 +68,14 @@ EVP_KEM\-ML\-KEM\-512, EVP_KEM\-ML\-KEM\-768, EVP_KEM\-ML\-KEM\-1024, EVP_KEM\-M \&\- EVP_KEM ML\-KEM keytype and algorithm support .SH DESCRIPTION .IX Header "DESCRIPTION" -The \fBML-KEM\fR keytypes and parameters are described in \fBEVP_PKEY\-ML\-KEM\fR\|(7). +The \fBML\-KEM\fR keytypes and parameters are described in \fBEVP_PKEY\-ML\-KEM\fR\|(7). See \fBEVP_PKEY_encapsulate\fR\|(3) and \fBEVP_PKEY_decapsulate\fR\|(3) for more details about basic KEM operations. -.SS "ML-KEM KEM parameters" +.SS "ML\-KEM KEM parameters" .IX Subsection "ML-KEM KEM parameters" .IP """ikme"" (\fBOSSL_KEM_PARAM_IKME\fR) <octet string>" 4 .IX Item """ikme"" (OSSL_KEM_PARAM_IKME) <octet string>" -The OpenSSL ML-KEM encapsulation mechanism can only be modified by +The OpenSSL ML\-KEM encapsulation mechanism can only be modified by setting randomness during encapsulation, this enables testing, as per FIPS 203, section 6.2, algorithm 17. .Sp diff --git a/secure/lib/libcrypto/man/man7/EVP_KEM-RSA.7 b/secure/lib/libcrypto/man/man7/EVP_KEM-RSA.7 index 2465e98296fe..958cfaaf64a7 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KEM-RSA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KEM-RSA.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KEM-RSA 7ossl" -.TH EVP_KEM-RSA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KEM-RSA 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -84,10 +87,10 @@ The decapsulate function recovers the secret using the RSA private key. .Sp This can be set using \fBEVP_PKEY_CTX_set_kem_op()\fR. .RE -.IP """fips-indicator"" (\fBOSSL_KEM_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KEM_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KEM_PARAM_FIPS_APPROVED_INDICATOR) <integer>" .PD 0 -.IP """key-check"" (\fBOSSL_KEM_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_KEM_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_KEM_PARAM_FIPS_KEY_CHECK) <integer>" .PD These parameters are described in \fBprovider\-kem\fR\|(7). diff --git a/secure/lib/libcrypto/man/man7/EVP_KEM-X25519.7 b/secure/lib/libcrypto/man/man7/EVP_KEM-X25519.7 index 0cb4e209da7d..8c357ee66636 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KEM-X25519.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KEM-X25519.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KEM-X25519 7ossl" -.TH EVP_KEM-X25519 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KEM-X25519 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-DH.7 b/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-DH.7 index b965e24e5b35..e5fc40719c3a 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-DH.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-DH.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KEYEXCH-DH 7ossl" -.TH EVP_KEYEXCH-DH 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KEYEXCH-DH 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -85,22 +88,22 @@ filled with zeros where necessary to make the shared secret the same size as the largest possible secret size. The padding mode parameter is ignored (and padding implicitly enabled) when the KDF type is set to "X942KDF\-ASN1" (\fBOSSL_KDF_NAME_X942KDF_ASN1\fR). -.IP """kdf-type"" (\fBOSSL_EXCHANGE_PARAM_KDF_TYPE\fR) <UTF8 string>" 4 +.IP """kdf\-type"" (\fBOSSL_EXCHANGE_PARAM_KDF_TYPE\fR) <UTF8 string>" 4 .IX Item """kdf-type"" (OSSL_EXCHANGE_PARAM_KDF_TYPE) <UTF8 string>" .PD 0 -.IP """kdf-digest"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST\fR) <UTF8 string>" 4 +.IP """kdf\-digest"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST\fR) <UTF8 string>" 4 .IX Item """kdf-digest"" (OSSL_EXCHANGE_PARAM_KDF_DIGEST) <UTF8 string>" -.IP """kdf-digest-props"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS\fR) <UTF8 string>" 4 +.IP """kdf\-digest\-props"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS\fR) <UTF8 string>" 4 .IX Item """kdf-digest-props"" (OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS) <UTF8 string>" -.IP """kdf-outlen"" (\fBOSSL_EXCHANGE_PARAM_KDF_OUTLEN\fR) <unsigned integer>" 4 +.IP """kdf\-outlen"" (\fBOSSL_EXCHANGE_PARAM_KDF_OUTLEN\fR) <unsigned integer>" 4 .IX Item """kdf-outlen"" (OSSL_EXCHANGE_PARAM_KDF_OUTLEN) <unsigned integer>" -.IP """kdf-ukm"" (\fBOSSL_EXCHANGE_PARAM_KDF_UKM\fR) <octet string>" 4 +.IP """kdf\-ukm"" (\fBOSSL_EXCHANGE_PARAM_KDF_UKM\fR) <octet string>" 4 .IX Item """kdf-ukm"" (OSSL_EXCHANGE_PARAM_KDF_UKM) <octet string>" -.IP """fips-indicator"" (\fBOSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR) <integer>" -.IP """key-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK) <integer>" -.IP """digest-check"" 
(\fBOSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK) <integer>" .PD See "Common Key Exchange parameters" in \fBprovider\-keyexch\fR\|(7). @@ -113,7 +116,7 @@ The examples assume a host and peer both generate keys using the same named group (or domain parameters). See "Examples" in \fBEVP_PKEY\-DH\fR\|(7). Both the host and peer transfer their public key to each other. .PP -To convert the peer's generated key pair to a public key in DER format in order +To convert the peer\*(Aqs generated key pair to a public key in DER format in order to transfer to the host: .PP .Vb 3 @@ -126,7 +129,7 @@ to transfer to the host: \& OPENSSL_free(peer_pub_der); .Ve .PP -To convert the received peer's public key from DER format on the host: +To convert the received peer\*(Aqs public key from DER format on the host: .PP .Vb 4 \& const unsigned char *pd = peer_pub_der; @@ -135,7 +138,7 @@ To convert the received peer's public key from DER format on the host: \& EVP_PKEY_free(peer_pub_key); .Ve .PP -To derive a shared secret on the host using the host's key and the peer's public +To derive a shared secret on the host using the host\*(Aqs key and the peer\*(Aqs public key: .PP .Vb 8 @@ -169,7 +172,7 @@ key: .Ve .PP Very similar code can be used by the peer to derive the same shared secret -using the host's public key and the peer's generated key pair. +using the host\*(Aqs public key and the peer\*(Aqs generated key pair. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_PKEY\-DH\fR\|(7), diff --git a/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-ECDH.7 b/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-ECDH.7 index 660e3b333945..7cae95edeb0e 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-ECDH.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-ECDH.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KEYEXCH-ECDH 7ossl" -.TH EVP_KEYEXCH-ECDH 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KEYEXCH-ECDH 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -67,13 +70,13 @@ EVP_KEYEXCH\-ECDH \- ECDH Key Exchange algorithm support Key exchange support for the \fBECDH\fR key type. .SS "ECDH Key Exchange parameters" .IX Subsection "ECDH Key Exchange parameters" -.IP """ecdh-cofactor-mode"" (\fBOSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE\fR) <integer>" 4 +.IP """ecdh\-cofactor\-mode"" (\fBOSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE\fR) <integer>" 4 .IX Item """ecdh-cofactor-mode"" (OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE) <integer>" Sets or gets the ECDH mode of operation for the associated key exchange ctx. .Sp -In the context of an Elliptic Curve Diffie-Hellman key exchange, this parameter -can be used to select between the plain Diffie-Hellman (DH) or Cofactor -Diffie-Hellman (CDH) variants of the key exchange algorithm. +In the context of an Elliptic Curve Diffie\-Hellman key exchange, this parameter +can be used to select between the plain Diffie\-Hellman (DH) or Cofactor +Diffie\-Hellman (CDH) variants of the key exchange algorithm. .Sp When setting, the value should be 1, 0 or \-1, respectively forcing cofactor mode on, off, or resetting it to the default for the private key associated with the 
@@ -84,38 +87,38 @@ cofactor mode is on or off. .Sp See also \fBprovider\-keymgmt\fR\|(7) for the related \&\fBOSSL_PKEY_PARAM_USE_COFACTOR_ECDH\fR parameter that can be set on a -per-key basis. -.IP """kdf-type"" (\fBOSSL_EXCHANGE_PARAM_KDF_TYPE\fR) <UTF8 string>" 4 +per\-key basis. +.IP """kdf\-type"" (\fBOSSL_EXCHANGE_PARAM_KDF_TYPE\fR) <UTF8 string>" 4 .IX Item """kdf-type"" (OSSL_EXCHANGE_PARAM_KDF_TYPE) <UTF8 string>" .PD 0 -.IP """kdf-digest"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST\fR) <UTF8 string>" 4 +.IP """kdf\-digest"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST\fR) <UTF8 string>" 4 .IX Item """kdf-digest"" (OSSL_EXCHANGE_PARAM_KDF_DIGEST) <UTF8 string>" -.IP """kdf-digest-props"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS\fR) <UTF8 string>" 4 +.IP """kdf\-digest\-props"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS\fR) <UTF8 string>" 4 .IX Item """kdf-digest-props"" (OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS) <UTF8 string>" -.IP """kdf-outlen"" (\fBOSSL_EXCHANGE_PARAM_KDF_OUTLEN\fR) <unsigned integer>" 4 +.IP """kdf\-outlen"" (\fBOSSL_EXCHANGE_PARAM_KDF_OUTLEN\fR) <unsigned integer>" 4 .IX Item """kdf-outlen"" (OSSL_EXCHANGE_PARAM_KDF_OUTLEN) <unsigned integer>" -.IP """kdf-ukm"" (\fBOSSL_EXCHANGE_PARAM_KDF_UKM\fR) <octet string>" 4 +.IP """kdf\-ukm"" (\fBOSSL_EXCHANGE_PARAM_KDF_UKM\fR) <octet string>" 4 .IX Item """kdf-ukm"" (OSSL_EXCHANGE_PARAM_KDF_UKM) <octet string>" .PD .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR) <integer>" .PD 0 -.IP """key-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK) <integer>" -.IP """digest-check"" 
(\fBOSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK) <integer>" .PD See "Common Key Exchange parameters" in \fBprovider\-keyexch\fR\|(7). -.IP """ecdh-cofactor-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_ECDH_COFACTOR_CHECK\fR) <integer>" 4 +.IP """ecdh\-cofactor\-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_ECDH_COFACTOR_CHECK\fR) <integer>" 4 .IX Item """ecdh-cofactor-check"" (OSSL_EXCHANGE_PARAM_FIPS_ECDH_COFACTOR_CHECK) <integer>" If required this parameter should before \fBOSSL_FUNC_keyexch_derive()\fR. The default value of 1 causes an error during the OSSL_FUNC_keyexch_derive if the EC curve has a cofactor that is not 1, and the cofactor is not used. Setting this to 0 will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH EXAMPLES .IX Header "EXAMPLES" @@ -127,7 +130,7 @@ Keys for the host and peer must be generated as shown in The code to generate a shared secret for the normal case is identical to "Examples" in \fBEVP_KEYEXCH\-DH\fR\|(7). .PP -To derive a shared secret on the host using the host's key and the peer's public +To derive a shared secret on the host using the host\*(Aqs key and the peer\*(Aqs public key but also using X963KDF with a user key material: .PP .Vb 10 diff --git a/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-X25519.7 b/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-X25519.7 index 15c3c18d9f40..704889466dec 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-X25519.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-X25519.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KEYEXCH-X25519 7ossl" -.TH EVP_KEYEXCH-X25519 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KEYEXCH-X25519 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -72,7 +75,7 @@ Key exchange support for the \fBX25519\fR and \fBX448\fR key types. .IP """pad"" (\fBOSSL_EXCHANGE_PARAM_PAD\fR) <unsigned integer>" 4 .IX Item """pad"" (OSSL_EXCHANGE_PARAM_PAD) <unsigned integer>" .PD 0 -.IP """fips-indicator"" (\fBOSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR) <integer>" .PD \&\fBX25519\fR and \fBX448\fR are not FIPS approved in FIPS 140\-3. diff --git a/secure/lib/libcrypto/man/man7/EVP_MAC-BLAKE2.7 b/secure/lib/libcrypto/man/man7/EVP_MAC-BLAKE2.7 index 08b3b920d191..fd2236709782 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MAC-BLAKE2.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MAC-BLAKE2.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MAC-BLAKE2 7ossl" -.TH EVP_MAC-BLAKE2 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MAC-BLAKE2 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -81,12 +84,12 @@ properties, to be used with \fBEVP_MAC_fetch()\fR: The general description of these parameters can be found in "PARAMETERS" in \fBEVP_MAC\fR\|(3). .PP -All these parameters (except for "block-size") can be set with +All these parameters (except for "block\-size") can be set with \&\fBEVP_MAC_CTX_set_params()\fR. Furthermore, the "size" parameter can be retrieved with \&\fBEVP_MAC_CTX_get_params()\fR, or with \fBEVP_MAC_CTX_get_mac_size()\fR. The length of the "size" parameter should not exceed that of a \fBsize_t\fR. -Likewise, the "block-size" parameter can be retrieved with +Likewise, the "block\-size" parameter can be retrieved with \&\fBEVP_MAC_CTX_get_params()\fR, or with \fBEVP_MAC_CTX_get_block_size()\fR. .IP """key"" (\fBOSSL_MAC_PARAM_KEY\fR) <octet string>" 4 .IX Item """key"" (OSSL_MAC_PARAM_KEY) <octet string>" @@ -110,7 +113,7 @@ Sets the MAC size. It can be any number between 1 and 32 for EVP_MAC_BLAKE2S or between 1 and 64 for EVP_MAC_BLAKE2B. It is 32 and 64 respectively by default. -.IP """block-size"" (\fBOSSL_MAC_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4 +.IP """block\-size"" (\fBOSSL_MAC_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4 .IX Item """block-size"" (OSSL_MAC_PARAM_BLOCK_SIZE) <unsigned integer>" Gets the MAC block size. It is 64 for EVP_MAC_BLAKE2S and 128 for EVP_MAC_BLAKE2B. diff --git a/secure/lib/libcrypto/man/man7/EVP_MAC-CMAC.7 b/secure/lib/libcrypto/man/man7/EVP_MAC-CMAC.7 index 9b21397475b5..9e835a00caaa 100644 
--- a/secure/lib/libcrypto/man/man7/EVP_MAC-CMAC.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MAC-CMAC.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MAC-CMAC 7ossl" -.TH EVP_MAC-CMAC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MAC-CMAC 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -93,16 +96,16 @@ must be CBC. Sets the properties to be queried when trying to fetch the underlying cipher. This must be given together with the cipher naming parameter to be considered valid. -.IP """encrypt-check"" (\fBOSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK\fR) <integer>" 4 +.IP """encrypt\-check"" (\fBOSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK\fR) <integer>" 4 .IX Item """encrypt-check"" (OSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK) <integer>" This option is used by the OpenSSL FIPS provider. If required this parameter should be set before \fBEVP_MAC_init()\fR .Sp -The default value of 1 causes an error when a unapproved Triple-DES encryption +The default value of 1 causes an error when a unapproved Triple\-DES encryption operation is triggered. Setting this to 0 will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .PP The following parameters can be retrieved with 
@@ -111,17 +114,17 @@ The following parameters can be retrieved with .IX Item """size"" (OSSL_MAC_PARAM_SIZE) <unsigned integer>" The "size" parameter can also be retrieved with with \fBEVP_MAC_CTX_get_mac_size()\fR. The length of the "size" parameter is equal to that of an \fBunsigned int\fR. -.IP """block-size"" (\fBOSSL_MAC_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4 +.IP """block\-size"" (\fBOSSL_MAC_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4 .IX Item """block-size"" (OSSL_MAC_PARAM_BLOCK_SIZE) <unsigned integer>" -Gets the MAC block size. The "block-size" parameter can also be retrieved with +Gets the MAC block size. The "block\-size" parameter can also be retrieved with \&\fBEVP_MAC_CTX_get_block_size()\fR. -.IP """fips-indicator"" (\fBOSSL_CIPHER_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_CIPHER_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_CIPHER_PARAM_FIPS_APPROVED_INDICATOR) <integer>" This option is used by the OpenSSL FIPS provider. .Sp A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling \fBEVP_MAC_final()\fR. -It may return 0 if the "encrypt-check" option is set to 0. +It may return 0 if the "encrypt\-check" option is set to 0. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_MAC_CTX_get_params\fR\|(3), \fBEVP_MAC_CTX_set_params\fR\|(3), diff --git a/secure/lib/libcrypto/man/man7/EVP_MAC-GMAC.7 b/secure/lib/libcrypto/man/man7/EVP_MAC-GMAC.7 index 38f9f01f8d9b..d2b2a10372f2 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MAC-GMAC.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MAC-GMAC.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MAC-GMAC 7ossl" -.TH EVP_MAC-GMAC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MAC-GMAC 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MAC-HMAC.7 b/secure/lib/libcrypto/man/man7/EVP_MAC-HMAC.7 index d4839cb779c1..6879f24f9e64 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MAC-HMAC.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MAC-HMAC.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MAC-HMAC 7ossl" -.TH EVP_MAC-HMAC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MAC-HMAC 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -92,23 +95,23 @@ Sets the name of the underlying digest to be used. Sets the properties to be queried when trying to fetch the underlying digest. This must be given together with the digest naming parameter ("digest", or \&\fBOSSL_MAC_PARAM_DIGEST\fR) to be considered valid. -.IP """digest-noinit"" (\fBOSSL_MAC_PARAM_DIGEST_NOINIT\fR) <integer>" 4 +.IP """digest\-noinit"" (\fBOSSL_MAC_PARAM_DIGEST_NOINIT\fR) <integer>" 4 .IX Item """digest-noinit"" (OSSL_MAC_PARAM_DIGEST_NOINIT) <integer>" A flag to set the MAC digest to not initialise the implementation specific data. The value 0 or 1 is expected. This option is deprecated and will be removed in a future release. It may be set but is currently ignored -.IP """digest-oneshot"" (\fBOSSL_MAC_PARAM_DIGEST_ONESHOT\fR) <integer>" 4 +.IP """digest\-oneshot"" (\fBOSSL_MAC_PARAM_DIGEST_ONESHOT\fR) <integer>" 4 .IX Item """digest-oneshot"" (OSSL_MAC_PARAM_DIGEST_ONESHOT) <integer>" -A flag to set the MAC digest to be a one-shot operation. +A flag to set the MAC digest to be a one\-shot operation. The value 0 or 1 is expected. This option is deprecated and will be removed in a future release. It may be set but is currently ignored. -.IP """tls-data-size"" (\fBOSSL_MAC_PARAM_TLS_DATA_SIZE\fR) <unsigned integer>" 4 +.IP """tls\-data\-size"" (\fBOSSL_MAC_PARAM_TLS_DATA_SIZE\fR) <unsigned integer>" 4 .IX Item """tls-data-size"" (OSSL_MAC_PARAM_TLS_DATA_SIZE) <unsigned integer>" .PD 0 -.IP """key-check"" (\fBOSSL_MAC_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_MAC_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_MAC_PARAM_FIPS_KEY_CHECK) <integer>" .PD See "Mac Parameters" in \fBprovider\-mac\fR\|(7). 
@@ -118,11 +121,11 @@ The following parameters can be retrieved with \fBEVP_MAC_CTX_get_params()\fR: .IX Item """size"" (OSSL_MAC_PARAM_SIZE) <unsigned integer>" The "size" parameter can also be retrieved with \fBEVP_MAC_CTX_get_mac_size()\fR. The length of the "size" parameter is equal to that of an \fBunsigned int\fR. -.IP """block-size"" (\fBOSSL_MAC_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4 +.IP """block\-size"" (\fBOSSL_MAC_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4 .IX Item """block-size"" (OSSL_MAC_PARAM_BLOCK_SIZE) <unsigned integer>" -Gets the MAC block size. The "block-size" parameter can also be retrieved with +Gets the MAC block size. The "block\-size" parameter can also be retrieved with \&\fBEVP_MAC_CTX_get_block_size()\fR. -.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>" See "Mac Parameters" in \fBprovider\-mac\fR\|(7). .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man7/EVP_MAC-KMAC.7 b/secure/lib/libcrypto/man/man7/EVP_MAC-KMAC.7 index 2dca95a15233..caf036e70c81 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MAC-KMAC.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MAC-KMAC.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MAC-KMAC 7ossl" -.TH EVP_MAC-KMAC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MAC-KMAC 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -81,12 +84,12 @@ properties, to be used with \fBEVP_MAC_fetch()\fR: The general description of these parameters can be found in "PARAMETERS" in \fBEVP_MAC\fR\|(3). .PP -All these parameters (except for "block-size") can be set with +All these parameters (except for "block\-size") can be set with \&\fBEVP_MAC_CTX_set_params()\fR. Furthermore, the "size" parameter can be retrieved with \&\fBEVP_MAC_CTX_get_params()\fR, or with \fBEVP_MAC_CTX_get_mac_size()\fR. The length of the "size" parameter should not exceed that of a \fBsize_t\fR. -Likewise, the "block-size" parameter can be retrieved with +Likewise, the "block\-size" parameter can be retrieved with \&\fBEVP_MAC_CTX_get_params()\fR, or with \fBEVP_MAC_CTX_get_block_size()\fR. .IP """key"" (\fBOSSL_MAC_PARAM_KEY\fR) <octet string>" 4 .IX Item """key"" (OSSL_MAC_PARAM_KEY) <octet string>" @@ -102,7 +105,7 @@ empty by default. .IX Item """size"" (OSSL_MAC_PARAM_SIZE) <unsigned integer>" Sets the MAC size. By default, it is 32 for \f(CW\*(C`KMAC\-128\*(C'\fR and 64 for \f(CW\*(C`KMAC\-256\*(C'\fR. -.IP """block-size"" (\fBOSSL_MAC_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4 +.IP """block\-size"" (\fBOSSL_MAC_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4 .IX Item """block-size"" (OSSL_MAC_PARAM_BLOCK_SIZE) <unsigned integer>" Gets the MAC block size. It is 168 for \f(CW\*(C`KMAC\-128\*(C'\fR and 136 for \f(CW\*(C`KMAC\-256\*(C'\fR. 
@@ -110,19 +113,19 @@ It is 168 for \f(CW\*(C`KMAC\-128\*(C'\fR and 136 for \f(CW\*(C`KMAC\-256\*(C'\f .IX Item """xof"" (OSSL_MAC_PARAM_XOF) <integer>" The "xof" parameter value is expected to be 1 or 0. Use 1 to enable XOF mode. The default value is 0. -.IP """fips-indicator"" (\fBOSSL_MAC_PARAM_FIPS_APPROVED_INDICATOR\fR) <int>" 4 +.IP """fips\-indicator"" (\fBOSSL_MAC_PARAM_FIPS_APPROVED_INDICATOR\fR) <int>" 4 .IX Item """fips-indicator"" (OSSL_MAC_PARAM_FIPS_APPROVED_INDICATOR) <int>" This settable parameter is described in \fBprovider\-mac\fR\|(7). -.IP """no-short-mac"" (\fBOSSL_MAC_PARAM_FIPS_NO_SHORT_MAC\fR) <integer>" 4 +.IP """no\-short\-mac"" (\fBOSSL_MAC_PARAM_FIPS_NO_SHORT_MAC\fR) <integer>" 4 .IX Item """no-short-mac"" (OSSL_MAC_PARAM_FIPS_NO_SHORT_MAC) <integer>" This settable parameter is described in \fBprovider\-mac\fR\|(7). It is used by the OpenSSL FIPS provider and the minimum length output for KMAC -is defined by NIST's SP 800\-185 8.4.2. -.IP """key-check"" (\fBOSSL_MAC_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +is defined by NIST\*(Aqs SP 800\-185 8.4.2. +.IP """key\-check"" (\fBOSSL_MAC_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_MAC_PARAM_FIPS_KEY_CHECK) <integer>" This settable parameter is described in \fBprovider\-mac\fR\|(7). .PP -The "custom" and "no-short-mac" parameters must be set as part of or before +The "custom" and "no\-short\-mac" parameters must be set as part of or before the \fBEVP_MAC_init()\fR call. The "xof" and "size" parameters can be set at any time before \fBEVP_MAC_final()\fR. The "key" parameter is set as part of the \fBEVP_MAC_init()\fR call, but can be diff --git a/secure/lib/libcrypto/man/man7/EVP_MAC-Poly1305.7 b/secure/lib/libcrypto/man/man7/EVP_MAC-Poly1305.7 index e8eb0fbff32c..1672a956f2be 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MAC-Poly1305.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MAC-Poly1305.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MAC-POLY1305 7ossl" -.TH EVP_MAC-POLY1305 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MAC-POLY1305 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MAC-Siphash.7 b/secure/lib/libcrypto/man/man7/EVP_MAC-Siphash.7 index 03c4c51426fd..617516f3d8d6 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MAC-Siphash.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MAC-Siphash.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MAC-SIPHASH 7ossl" -.TH EVP_MAC-SIPHASH 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MAC-SIPHASH 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-BLAKE2.7 b/secure/lib/libcrypto/man/man7/EVP_MD-BLAKE2.7 index a8b50f506e10..f8792b6a34b7 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-BLAKE2.7 
+++ b/secure/lib/libcrypto/man/man7/EVP_MD-BLAKE2.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-BLAKE2 7ossl" -.TH EVP_MD-BLAKE2 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-BLAKE2 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-KECCAK.7 b/secure/lib/libcrypto/man/man7/EVP_MD-KECCAK.7 index fde9613ea92b..81264096dd1d 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-KECCAK.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-KECCAK.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-KECCAK 7ossl" -.TH EVP_MD-KECCAK 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-KECCAK 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-MD2.7 b/secure/lib/libcrypto/man/man7/EVP_MD-MD2.7 index 9853422b2a74..4c55d632eb2b 100644 
--- a/secure/lib/libcrypto/man/man7/EVP_MD-MD2.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-MD2.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-MD2 7ossl" -.TH EVP_MD-MD2 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-MD2 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-MD4.7 b/secure/lib/libcrypto/man/man7/EVP_MD-MD4.7 index 6b8bb7a6f3ba..c821e9d16249 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-MD4.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-MD4.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-MD4 7ossl" -.TH EVP_MD-MD4 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-MD4 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-MD5-SHA1.7 b/secure/lib/libcrypto/man/man7/EVP_MD-MD5-SHA1.7 index dc63de91a25f..d98aceb3829e 100644 
--- a/secure/lib/libcrypto/man/man7/EVP_MD-MD5-SHA1.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-MD5-SHA1.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-MD5-SHA1 7ossl" -.TH EVP_MD-MD5-SHA1 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-MD5-SHA1 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -66,7 +69,7 @@ EVP_MD\-MD5\-SHA1 \- The MD5\-SHA1 EVP_MD implementation .IX Header "DESCRIPTION" Support for computing MD5\-SHA1 digests through the \fBEVP_MD\fR API. .PP -MD5\-SHA1 is a rather special digest that's used with SSLv3. +MD5\-SHA1 is a rather special digest that\*(Aqs used with SSLv3. .SS Identity .IX Subsection "Identity" This implementation is only available with the default provider, and is diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-MD5.7 b/secure/lib/libcrypto/man/man7/EVP_MD-MD5.7 index e9031ceaad2c..5b60d91d044e 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-MD5.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-MD5.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-MD5 7ossl" -.TH EVP_MD-MD5 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-MD5 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-MDC2.7 b/secure/lib/libcrypto/man/man7/EVP_MD-MDC2.7 index a36a78c9fca8..4d6b0260610a 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-MDC2.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-MDC2.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-MDC2 7ossl" -.TH EVP_MD-MDC2 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-MDC2 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -77,7 +80,7 @@ in \fBEVP_MD\-common\fR\|(7). .IX Subsection "Settable Context Parameters" This implementation supports the following \fBOSSL_PARAM\fR\|(3) entries, settable for an \fBEVP_MD_CTX\fR with \fBEVP_MD_CTX_set_params\fR\|(3): -.IP """pad-type"" (\fBOSSL_DIGEST_PARAM_PAD_TYPE\fR) <unsigned integer>" 4 +.IP """pad\-type"" (\fBOSSL_DIGEST_PARAM_PAD_TYPE\fR) <unsigned integer>" 4 .IX Item """pad-type"" (OSSL_DIGEST_PARAM_PAD_TYPE) <unsigned integer>" Sets the padding type to be used. Normally the final MDC2 block is padded with zeros. diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-NULL.7 b/secure/lib/libcrypto/man/man7/EVP_MD-NULL.7 index 5cc0892c88e4..e71f1a411d54 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-NULL.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-NULL.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-NULL 7ossl" -.TH EVP_MD-NULL 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-NULL 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-RIPEMD160.7 b/secure/lib/libcrypto/man/man7/EVP_MD-RIPEMD160.7 index c8157af2e42d..6854ea443e0a 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-RIPEMD160.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-RIPEMD160.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-RIPEMD160 7ossl" -.TH EVP_MD-RIPEMD160 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-RIPEMD160 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-SHA1.7 b/secure/lib/libcrypto/man/man7/EVP_MD-SHA1.7 index 54470345abe6..b478c0fa0a29 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-SHA1.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-SHA1.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-SHA1 7ossl" -.TH EVP_MD-SHA1 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-SHA1 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-SHA2.7 b/secure/lib/libcrypto/man/man7/EVP_MD-SHA2.7 index e42cf8d2a40c..bff76c89c9bb 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-SHA2.7 
+++ b/secure/lib/libcrypto/man/man7/EVP_MD-SHA2.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-SHA2 7ossl" -.TH EVP_MD-SHA2 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-SHA2 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-SHA3.7 b/secure/lib/libcrypto/man/man7/EVP_MD-SHA3.7 index cfa809d5f380..bebe5346b75f 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-SHA3.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-SHA3.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-SHA3 7ossl" -.TH EVP_MD-SHA3 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-SHA3 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-SHAKE.7 b/secure/lib/libcrypto/man/man7/EVP_MD-SHAKE.7 index b5b3bbc465d7..a3d48f8d8544 100644 
--- a/secure/lib/libcrypto/man/man7/EVP_MD-SHAKE.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-SHAKE.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-SHAKE 7ossl" -.TH EVP_MD-SHAKE 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-SHAKE 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -65,10 +68,10 @@ EVP_MD\-SHAKE, EVP_MD\-KECCAK\-KMAC \&\- The SHAKE / KECCAK family EVP_MD implementations .SH DESCRIPTION .IX Header "DESCRIPTION" -Support for computing SHAKE or KECCAK-KMAC digests through the +Support for computing SHAKE or KECCAK\-KMAC digests through the \&\fBEVP_MD\fR API. .PP -KECCAK-KMAC is an Extendable Output Function (XOF), with a definition +KECCAK\-KMAC is an Extendable Output Function (XOF), with a definition similar to SHAKE, used by the KMAC EVP_MAC implementation (see \&\fBEVP_MAC\-KMAC\fR\|(7)). .SS Identities diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-SM3.7 b/secure/lib/libcrypto/man/man7/EVP_MD-SM3.7 index fee09c3e8c7f..ca17fe56bef3 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-SM3.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-SM3.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-SM3 7ossl" -.TH EVP_MD-SM3 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-SM3 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-WHIRLPOOL.7 b/secure/lib/libcrypto/man/man7/EVP_MD-WHIRLPOOL.7 index 8cf939c6ac94..4c11b1100783 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-WHIRLPOOL.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-WHIRLPOOL.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-WHIRLPOOL 7ossl" -.TH EVP_MD-WHIRLPOOL 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-WHIRLPOOL 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-common.7 b/secure/lib/libcrypto/man/man7/EVP_MD-common.7 index fa6c0970b233..310bc781cfdc 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-common.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-common.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-COMMON 7ossl" -.TH EVP_MD-COMMON 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-COMMON 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-DH.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-DH.7 index 90555420683b..47f923456185 100644 --- a/secure/lib/libcrypto/man/man7/EVP_PKEY-DH.7 +++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-DH.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY-DH 7ossl" -.TH EVP_PKEY-DH 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY-DH 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -65,12 +68,12 @@ EVP_PKEY\-DH, EVP_PKEY\-DHX, EVP_KEYMGMT\-DH, EVP_KEYMGMT\-DHX \&\- EVP_PKEY DH and DHX keytype and algorithm support .SH DESCRIPTION .IX Header "DESCRIPTION" -For finite field Diffie-Hellman key agreement, two classes of domain +For finite field Diffie\-Hellman key agreement, two classes of domain parameters can be used: "safe" domain parameters that are associated with -approved named safe-prime groups, and a class of "FIPS186\-type" domain +approved named safe\-prime groups, and a class of "FIPS186\-type" domain parameters. FIPS186\-type domain parameters should only be used for backward compatibility with existing applications that cannot be upgraded to use the -approved safe-prime groups. +approved safe\-prime groups. .PP See \fBEVP_PKEY\-FFC\fR\|(7) for more information about FFC keys. .PP @@ -90,11 +93,11 @@ implementations support the following: Sets or gets a string that associates a \fBDH\fR or \fBDHX\fR named safe prime group with known values for \fIp\fR, \fIq\fR and \fIg\fR. .Sp -The following values can be used by the OpenSSL's default and FIPS providers: +The following values can be used by the OpenSSL\*(Aqs default and FIPS providers: "ffdhe2048", "ffdhe3072", "ffdhe4096", "ffdhe6144", "ffdhe8192", "modp_2048", "modp_3072", "modp_4096", "modp_6144", "modp_8192". .Sp -The following additional values can also be used by OpenSSL's default provider: +The following additional values can also be used by OpenSSL\*(Aqs default provider: "modp_1536", "dh_1024_160", "dh_2048_224", "dh_2048_256". .Sp DH/DHX named groups can be easily validated since the parameters are well known. 
@@ -102,14 +105,14 @@ For protocols that only transfer \fIp\fR and \fIg\fR the value of \fIq\fR can al retrieved. .SS "DH and DHX additional parameters" .IX Subsection "DH and DHX additional parameters" -.IP """encoded-pub-key"" (\fBOSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\fR) <octet string>" 4 +.IP """encoded\-pub\-key"" (\fBOSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\fR) <octet string>" 4 .IX Item """encoded-pub-key"" (OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY) <octet string>" Used for getting and setting the encoding of the DH public key used in a key exchange message for the TLS protocol. See \fBEVP_PKEY_set1_encoded_public_key()\fR and \fBEVP_PKEY_get1_encoded_public_key()\fR. .SS "DH additional domain parameters" .IX Subsection "DH additional domain parameters" -.IP """safeprime-generator"" (\fBOSSL_PKEY_PARAM_DH_GENERATOR\fR) <integer>" 4 +.IP """safeprime\-generator"" (\fBOSSL_PKEY_PARAM_DH_GENERATOR\fR) <integer>" 4 .IX Item """safeprime-generator"" (OSSL_PKEY_PARAM_DH_GENERATOR) <integer>" Used for DH generation of safe primes using the old safe prime generator code. The default value is 2. @@ -143,14 +146,14 @@ This specifies that a named safe prime name will be chosen using the "pbits" type. .IP """generator""" 4 .IX Item """generator""" -A safe prime generator. See the "safeprime-generator" type above. +A safe prime generator. See the "safeprime\-generator" type above. This is only valid for \fBDH\fR keys. .RE .RS 4 .RE .IP """pbits"" (\fBOSSL_PKEY_PARAM_FFC_PBITS\fR) <unsigned integer>" 4 .IX Item """pbits"" (OSSL_PKEY_PARAM_FFC_PBITS) <unsigned integer>" -Sets the size (in bits) of the prime 'p'. +Sets the size (in bits) of the prime \*(Aqp\*(Aq. .Sp For "fips186_4" this must be 2048. For "fips186_2" this must be 1024. 
@@ -177,7 +180,7 @@ With the OpenSSL FIPS provider, \fBEVP_PKEY_param_check\fR\|(3) and \&\fBEVP_PKEY_param_check_quick\fR\|(3) behave in the following way: the parameters are tested if they are either an approved safe prime group OR that the FFC parameters conform to FIPS186\-4 as defined in SP800\-56Ar3 \fIAssurances of -Domain-Parameter Validity\fR. +Domain\-Parameter Validity\fR. .PP The OpenSSL default provider uses simpler checks that allows there to be no \fIq\fR value for backwards compatibility, however the \fBEVP_PKEY_param_check\fR\|(3) will @@ -186,10 +189,10 @@ which can take significant time. The \fBEVP_PKEY_param_check_quick\fR\|(3) avoid the prime tests. .PP \&\fBEVP_PKEY_public_check\fR\|(3) conforms to SP800\-56Ar3 -\&\fIFFC Full Public-Key Validation\fR. +\&\fIFFC Full Public\-Key Validation\fR. .PP \&\fBEVP_PKEY_public_check_quick\fR\|(3) conforms to SP800\-56Ar3 -\&\fIFFC Partial Public-Key Validation\fR when the key is an approved named safe +\&\fIFFC Partial Public\-Key Validation\fR when the key is an approved named safe prime group, otherwise it is the same as \fBEVP_PKEY_public_check\fR\|(3). .PP \&\fBEVP_PKEY_private_check\fR\|(3) tests that the private key is in the correct range @@ -199,7 +202,7 @@ For backwards compatibility the OpenSSL default provider only requires \fIp\fR t be set. .PP \&\fBEVP_PKEY_pairwise_check\fR\|(3) conforms to SP800\-56Ar3 -\&\fIOwner Assurance of Pair-wise Consistency\fR. +\&\fIOwner Assurance of Pair\-wise Consistency\fR. .SH EXAMPLES .IX Header "EXAMPLES" An \fBEVP_PKEY\fR context can be obtained by calling: @@ -337,7 +340,7 @@ The following sections of SP800\-56Ar3: .IP "5.5.1.1 FFC Domain Parameter Selection/Generation" 4 .IX Item "5.5.1.1 FFC Domain Parameter Selection/Generation" .PD 0 -.IP "Appendix D: FFC Safe-prime Groups" 4 +.IP "Appendix D: FFC Safe\-prime Groups" 4 .IX Item "Appendix D: FFC Safe-prime Groups" .PD .PP 
diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-DSA.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-DSA.7 index a000dc5703f5..96462c15280a 100644 --- a/secure/lib/libcrypto/man/man7/EVP_PKEY-DSA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-DSA.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY-DSA 7ossl" -.TH EVP_PKEY-DSA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY-DSA 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -79,10 +82,10 @@ The \fBDSA\fR key type supports the FFC parameters (see "FFC parameters" in \fBEVP_PKEY\-FFC\fR\|(7)). .PP It also supports the following parameters: -.IP """sign-check"" (\fBOSSL_PKEY_PARAM_FIPS_SIGN_CHECK\fR) <integer" 4 +.IP """sign\-check"" (\fBOSSL_PKEY_PARAM_FIPS_SIGN_CHECK\fR) <integer" 4 .IX Item """sign-check"" (OSSL_PKEY_PARAM_FIPS_SIGN_CHECK) <integer" .PD 0 -.IP """fips-indicator"" (\fBOSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR) <integer>" .PD See "Common Information Parameters" in \fBprovider\-keymgmt\fR\|(7) for more information. diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-EC.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-EC.7 index b838ea84b660..d0bee1999fb8 100644 --- a/secure/lib/libcrypto/man/man7/EVP_PKEY-EC.7 +++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-EC.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY-EC 7ossl" -.TH EVP_PKEY-EC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY-EC 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -66,24 +69,24 @@ EVP_KEYMGMT\-EC \&\- EVP_PKEY EC keytype and algorithm support .SH DESCRIPTION .IX Header "DESCRIPTION" -The \fBEC\fR keytype is implemented in OpenSSL's default provider. +The \fBEC\fR keytype is implemented in OpenSSL\*(Aqs default provider. .SS "Common EC parameters" .IX Subsection "Common EC parameters" The normal way of specifying domain parameters for an EC curve is via the curve name "group". For curves with no curve name, explicit parameters can be -used that specify "field-type", "p", "a", "b", "generator" and "order". +used that specify "field\-type", "p", "a", "b", "generator" and "order". Explicit parameters are supported for backwards compatibility reasons, but they are not compliant with multiple standards (including RFC5915) which only allow named curves. .PP The following Key generation/Gettable/Import/Export types are available for the -built-in EC algorithm: +built\-in EC algorithm: .IP """group"" (\fBOSSL_PKEY_PARAM_GROUP_NAME\fR) <UTF8 string>" 4 .IX Item """group"" (OSSL_PKEY_PARAM_GROUP_NAME) <UTF8 string>" The curve name. -.IP """field-type"" (\fBOSSL_PKEY_PARAM_EC_FIELD_TYPE\fR) <UTF8 string>" 4 +.IP """field\-type"" (\fBOSSL_PKEY_PARAM_EC_FIELD_TYPE\fR) <UTF8 string>" 4 .IX Item """field-type"" (OSSL_PKEY_PARAM_EC_FIELD_TYPE) <UTF8 string>" -The value should be either "prime-field" or "characteristic-two-field", +The value should be either "prime\-field" or "characteristic\-two\-field", which correspond to prime field Fp and binary field F2^m. .IP """p"" (\fBOSSL_PKEY_PARAM_EC_P\fR) <unsigned integer>" 4 .IX Item """p"" (OSSL_PKEY_PARAM_EC_P) <unsigned integer>" 
@@ -121,37 +124,37 @@ Integers used for point multiplications will be between 0 and \&\fIorder\fR \- 1. \&\fIcofactor\fR is an optional value. \&\fIorder\fR multiplied by the \fIcofactor\fR gives the number of points on the curve. -.IP """decoded-from-explicit"" (\fBOSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS\fR) <integer>" 4 +.IP """decoded\-from\-explicit"" (\fBOSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS\fR) <integer>" 4 .IX Item """decoded-from-explicit"" (OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS) <integer>" Gets a flag indicating whether the key or parameters were decoded from explicit curve parameters. Set to 1 if so or 0 if a named curve was used. -.IP """use-cofactor-flag"" (\fBOSSL_PKEY_PARAM_USE_COFACTOR_ECDH\fR) <integer>" 4 +.IP """use\-cofactor\-flag"" (\fBOSSL_PKEY_PARAM_USE_COFACTOR_ECDH\fR) <integer>" 4 .IX Item """use-cofactor-flag"" (OSSL_PKEY_PARAM_USE_COFACTOR_ECDH) <integer>" Enable Cofactor DH (ECC CDH) if this value is 1, otherwise it uses normal EC DH if the value is zero. The cofactor variant multiplies the shared secret by the -EC curve's cofactor (note for some curves the cofactor is 1). +EC curve\*(Aqs cofactor (note for some curves the cofactor is 1). .Sp See also \fBEVP_KEYEXCH\-ECDH\fR\|(7) for the related \&\fBOSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE\fR parameter that can be set on a -per-operation basis. +per\-operation basis. .IP """encoding"" (\fBOSSL_PKEY_PARAM_EC_ENCODING\fR) <UTF8 string>" 4 .IX Item """encoding"" (OSSL_PKEY_PARAM_EC_ENCODING) <UTF8 string>" Set the format used for serializing the EC group parameters. Valid values are "explicit" or "named_curve". The default value is "named_curve". 
-.IP """point-format"" (\fBOSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT\fR) <UTF8 string>" 4 +.IP """point\-format"" (\fBOSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT\fR) <UTF8 string>" 4 .IX Item """point-format"" (OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT) <UTF8 string>" Sets or gets the point_conversion_form for the \fIkey\fR. For a description of point_conversion_forms please see \fBEC_POINT_new\fR\|(3). Valid values are "uncompressed" or "compressed". The default value is "uncompressed". -.IP """group-check"" (\fBOSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE\fR) <UTF8 string>" 4 +.IP """group\-check"" (\fBOSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE\fR) <UTF8 string>" 4 .IX Item """group-check"" (OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE) <UTF8 string>" Sets or Gets the type of group check done when \fBEVP_PKEY_param_check()\fR is called. -Valid values are "default", "named" and "named-nist". +Valid values are "default", "named" and "named\-nist". The "named" type checks that the domain parameters match the inbuilt curve parameters, -"named-nist" is similar but also checks that the named curve is a nist curve. +"named\-nist" is similar but also checks that the named curve is a nist curve. The "default" type does domain parameter validation for the OpenSSL default provider, -but is equivalent to "named-nist" for the OpenSSL FIPS provider. -.IP """include-public"" (\fBOSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC\fR) <integer>" 4 +but is equivalent to "named\-nist" for the OpenSSL FIPS provider. +.IP """include\-public"" (\fBOSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC\fR) <integer>" 4 .IX Item """include-public"" (OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC) <integer>" Setting this value to 0 indicates that the public key should not be included when encoding the private key. The default value of 1 will include the public key. 
@@ -173,7 +176,7 @@ to uncompressed format. .IP """priv"" (\fBOSSL_PKEY_PARAM_PRIV_KEY\fR) <unsigned integer>" 4 .IX Item """priv"" (OSSL_PKEY_PARAM_PRIV_KEY) <unsigned integer>" The private key value. -.IP """encoded-pub-key"" (\fBOSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\fR) <octet string>" 4 +.IP """encoded\-pub\-key"" (\fBOSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\fR) <octet string>" 4 .IX Item """encoded-pub-key"" (OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY) <octet string>" Used for getting and setting the encoding of an EC public key. The public key is expected to be a point conforming to Sec. 2.3.4 of the SECG SEC 1 ("Elliptic @@ -184,11 +187,11 @@ Used for getting the EC public key X component. .IP """qy"" (\fBOSSL_PKEY_PARAM_EC_PUB_Y\fR) <unsigned integer>" 4 .IX Item """qy"" (OSSL_PKEY_PARAM_EC_PUB_Y) <unsigned integer>" Used for getting the EC public key Y component. -.IP """default-digest"" (\fBOSSL_PKEY_PARAM_DEFAULT_DIGEST\fR) <UTF8 string>" 4 +.IP """default\-digest"" (\fBOSSL_PKEY_PARAM_DEFAULT_DIGEST\fR) <UTF8 string>" 4 .IX Item """default-digest"" (OSSL_PKEY_PARAM_DEFAULT_DIGEST) <UTF8 string>" Getter that returns the default digest name. (Currently returns "SHA256" as of OpenSSL 3.0). -.IP """dhkem-ikm"" (\fBOSSL_PKEY_PARAM_DHKEM_IKM\fR) <octet string>" 4 +.IP """dhkem\-ikm"" (\fBOSSL_PKEY_PARAM_DHKEM_IKM\fR) <octet string>" 4 .IX Item """dhkem-ikm"" (OSSL_PKEY_PARAM_DHKEM_IKM) <octet string>" DHKEM requires the generation of a keypair using an input key material (seed). Use this to specify the key material used for generation of the private key. 
@@ -196,8 +199,8 @@ This value should not be reused for other purposes. It can only be used for the curves "P\-256", "P\-384" and "P\-521" and should have a length of at least the size of the encoded private key (i.e. 32, 48 and 66 for the listed curves). .PP -The following Gettable types are also available for the built-in EC algorithm: -.IP """basis-type"" (\fBOSSL_PKEY_PARAM_EC_CHAR2_TYPE\fR) <UTF8 string>" 4 +The following Gettable types are also available for the built\-in EC algorithm: +.IP """basis\-type"" (\fBOSSL_PKEY_PARAM_EC_CHAR2_TYPE\fR) <UTF8 string>" 4 .IX Item """basis-type"" (OSSL_PKEY_PARAM_EC_CHAR2_TYPE) <UTF8 string>" Supports the values "tpBasis" for a trinomial or "ppBasis" for a pentanomial. This field is only used for a binary field F2^m. @@ -223,14 +226,14 @@ range m > tp > 0. that m > k3 > k2 > k1 > 0 .PP The following key generation settable parameter is also available for the -OpenSSL FIPS provider's EC algorithm: -.IP """key-check"" (\fBOSSL_PKEY_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +OpenSSL FIPS provider\*(Aqs EC algorithm: +.IP """key\-check"" (\fBOSSL_PKEY_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_PKEY_PARAM_FIPS_KEY_CHECK) <integer>" See "Common Information Parameters" in \fBprovider\-keymgmt\fR\|(7) for further information. .PP The following key generation Gettable parameter is available for the OpenSSL -FIPS provider's EC algorithm: -.IP """fips-indicator"" (\fBOSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +FIPS provider\*(Aqs EC algorithm: +.IP """fips\-indicator"" (\fBOSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR) <integer>" See "Common Information Parameters" in \fBprovider\-keymgmt\fR\|(7) for further information. .SS "EC key validation" 
@@ -240,18 +243,18 @@ For the OpenSSL default provider it uses either \&\fBEC_GROUP_check\fR\|(3) or \fBEC_GROUP_check_named_curve\fR\|(3) depending on the flag EC_FLAG_CHECK_NAMED_GROUP. The OpenSSL FIPS provider uses \fBEC_GROUP_check_named_curve\fR\|(3) in order to -conform to SP800\-56Ar3 \fIAssurances of Domain-Parameter Validity\fR. +conform to SP800\-56Ar3 \fIAssurances of Domain\-Parameter Validity\fR. .PP For EC keys, \fBEVP_PKEY_param_check_quick\fR\|(3) is equivalent to \&\fBEVP_PKEY_param_check\fR\|(3). .PP For EC keys, \fBEVP_PKEY_public_check\fR\|(3) and \fBEVP_PKEY_public_check_quick\fR\|(3) -conform to SP800\-56Ar3 \fIECC Full Public-Key Validation\fR and -\&\fIECC Partial Public-Key Validation\fR respectively. +conform to SP800\-56Ar3 \fIECC Full Public\-Key Validation\fR and +\&\fIECC Partial Public\-Key Validation\fR respectively. .PP For EC Keys, \fBEVP_PKEY_private_check\fR\|(3) and \fBEVP_PKEY_pairwise_check\fR\|(3) conform to SP800\-56Ar3 \fIPrivate key validity\fR and -\&\fIOwner Assurance of Pair-wise Consistency\fR respectively. +\&\fIOwner Assurance of Pair\-wise Consistency\fR respectively. .SH EXAMPLES .IX Header "EXAMPLES" An \fBEVP_PKEY\fR context can be obtained by calling: @@ -291,7 +294,7 @@ or like this: \& EVP_PKEY_CTX_free(gctx); .Ve .PP -An \fBEVP_PKEY\fR EC CDH (Cofactor Diffie-Hellman) key can be generated with a +An \fBEVP_PKEY\fR EC CDH (Cofactor Diffie\-Hellman) key can be generated with a "K\-571" named group by calling: .PP .Vb 5 diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-FFC.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-FFC.7 index 4fc71c49a970..dbbf7115d40b 100644 --- a/secure/lib/libcrypto/man/man7/EVP_PKEY-FFC.7 +++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-FFC.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY-FFC 7ossl" -.TH EVP_PKEY-FFC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY-FFC 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -66,10 +69,10 @@ EVP_PKEY\-FFC \- EVP_PKEY DSA and DH/DHX shared FFC parameters. .IX Header "DESCRIPTION" Finite field cryptography (FFC) is a method of implementing discrete logarithm cryptography using finite field mathematics. DSA is an example of FFC and -Diffie-Hellman key establishment algorithms specified in SP800\-56A can also be +Diffie\-Hellman key establishment algorithms specified in SP800\-56A can also be implemented as FFC. .PP -The \fBDSA\fR, \fBDH\fR and \fBDHX\fR keytypes are implemented in OpenSSL's default and +The \fBDSA\fR, \fBDH\fR and \fBDHX\fR keytypes are implemented in OpenSSL\*(Aqs default and FIPS providers. The implementations support the basic DSA, DH and DHX keys, containing the public and private keys \fIpub\fR and \fIpriv\fR as well as the three main domain parameters 
@@ -84,8 +87,8 @@ For \fBDH\fR the \fIseed\fR and \fIpcounter\fR can be stored in ASN1 data (but the \fIgindex\fR is not). For \fBDSA\fR however, these fields are not stored in the ASN1 data so they need to be stored externally if validation is required. .PP -The \fBDH\fR key type uses PKCS#3 format which saves p and g, but not the 'q' value. -The \fBDHX\fR key type uses X9.42 format which saves the value of 'q' and this +The \fBDH\fR key type uses PKCS#3 format which saves p and g, but not the \*(Aqq\*(Aq value. +The \fBDHX\fR key type uses X9.42 format which saves the value of \*(Aqq\*(Aq and this must be used for FIPS186\-4. .SS "FFC parameters" .IX Subsection "FFC parameters" @@ -102,15 +105,15 @@ The private key value. .IX Subsection "FFC DSA, DH and DHX domain parameters" .IP """p"" (\fBOSSL_PKEY_PARAM_FFC_P\fR) <unsigned integer>" 4 .IX Item """p"" (OSSL_PKEY_PARAM_FFC_P) <unsigned integer>" -A DSA or Diffie-Hellman prime "p" value. +A DSA or Diffie\-Hellman prime "p" value. .IP """g"" (\fBOSSL_PKEY_PARAM_FFC_G\fR) <unsigned integer>" 4 .IX Item """g"" (OSSL_PKEY_PARAM_FFC_G) <unsigned integer>" -A DSA or Diffie-Hellman generator "g" value. +A DSA or Diffie\-Hellman generator "g" value. .SS "FFC DSA and DHX domain parameters" .IX Subsection "FFC DSA and DHX domain parameters" .IP """q"" (\fBOSSL_PKEY_PARAM_FFC_Q\fR) <unsigned integer>" 4 .IX Item """q"" (OSSL_PKEY_PARAM_FFC_Q) <unsigned integer>" -A DSA or Diffie-Hellman prime "q" value. +A DSA or Diffie\-Hellman prime "q" value. .IP """seed"" (\fBOSSL_PKEY_PARAM_FFC_SEED\fR) <octet string>" 4 .IX Item """seed"" (OSSL_PKEY_PARAM_FFC_SEED) <octet string>" An optional domain parameter \fIseed\fR value used during generation and validation 
@@ -136,18 +139,18 @@ satisfies g = h^j mod p (where g != 1 and "j" is the cofactor). .IP """j"" (\fBOSSL_PKEY_PARAM_FFC_COFACTOR\fR) <unsigned integer>" 4 .IX Item """j"" (OSSL_PKEY_PARAM_FFC_COFACTOR) <unsigned integer>" An optional informational cofactor parameter that should equal to (p \- 1) / q. -.IP """validate-pq"" (\fBOSSL_PKEY_PARAM_FFC_VALIDATE_PQ\fR) <unsigned integer>" 4 +.IP """validate\-pq"" (\fBOSSL_PKEY_PARAM_FFC_VALIDATE_PQ\fR) <unsigned integer>" 4 .IX Item """validate-pq"" (OSSL_PKEY_PARAM_FFC_VALIDATE_PQ) <unsigned integer>" .PD 0 -.IP """validate-g"" (\fBOSSL_PKEY_PARAM_FFC_VALIDATE_G\fR) <unsigned integer>" 4 +.IP """validate\-g"" (\fBOSSL_PKEY_PARAM_FFC_VALIDATE_G\fR) <unsigned integer>" 4 .IX Item """validate-g"" (OSSL_PKEY_PARAM_FFC_VALIDATE_G) <unsigned integer>" .PD These boolean values are used during FIPS186\-4 or FIPS186\-2 key validation checks (See \fBEVP_PKEY_param_check\fR\|(3)) to select validation options. By default -\&\fIvalidate-pq\fR and \fIvalidate-g\fR are both set to 1 to check that p,q and g are +\&\fIvalidate\-pq\fR and \fIvalidate\-g\fR are both set to 1 to check that p,q and g are valid. Either of these may be set to 0 to skip a test, which is mainly useful for testing purposes. -.IP """validate-legacy"" (\fBOSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY\fR) <unsigned integer>" 4 +.IP """validate\-legacy"" (\fBOSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY\fR) <unsigned integer>" 4 .IX Item """validate-legacy"" (OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY) <unsigned integer>" This boolean value is used during key validation checks (See \fBEVP_PKEY_param_check\fR\|(3)) to select the validation type. The default 
@@ -175,10 +178,10 @@ parameters set for parameter generation. .RE .IP """pbits"" (\fBOSSL_PKEY_PARAM_FFC_PBITS\fR) <unsigned integer>" 4 .IX Item """pbits"" (OSSL_PKEY_PARAM_FFC_PBITS) <unsigned integer>" -Sets the size (in bits) of the prime 'p'. +Sets the size (in bits) of the prime \*(Aqp\*(Aq. .IP """qbits"" (\fBOSSL_PKEY_PARAM_FFC_QBITS\fR) <unsigned integer>" 4 .IX Item """qbits"" (OSSL_PKEY_PARAM_FFC_QBITS) <unsigned integer>" -Sets the size (in bits) of the prime 'q'. +Sets the size (in bits) of the prime \*(Aqq\*(Aq. .Sp For "fips186_4" this can be either 224 or 256. For "fips186_2" this has a size of 160. diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-HMAC.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-HMAC.7 index ff85046b6364..c2b665b4e87b 100644 --- a/secure/lib/libcrypto/man/man7/EVP_PKEY-HMAC.7 +++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-HMAC.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY-HMAC 7ossl" -.TH EVP_PKEY-HMAC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY-HMAC 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -66,7 +69,7 @@ EVP_PKEY\-Poly1305, EVP_KEYMGMT\-Poly1305, EVP_PKEY\-CMAC, EVP_KEYMGMT\-CMAC \&\- EVP_PKEY legacy MAC keytypes and algorithm support .SH DESCRIPTION .IX Header "DESCRIPTION" -The \fBHMAC\fR and \fBCMAC\fR key types are implemented in OpenSSL's default and FIPS +The \fBHMAC\fR and \fBCMAC\fR key types are implemented in OpenSSL\*(Aqs default and FIPS providers. Additionally the \fBSiphash\fR and \fBPoly1305\fR key types are implemented in the default provider. Performing MAC operations via an EVP_PKEY is considered legacy and are only available for backwards compatibility purposes diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-ML-DSA.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-ML-DSA.7 index 998eed41a047..e8473f04ea31 100644 --- a/secure/lib/libcrypto/man/man7/EVP_PKEY-ML-DSA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-ML-DSA.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY-ML-DSA 7ossl" -.TH EVP_PKEY-ML-DSA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY-ML-DSA 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -66,16 +69,16 @@ EVP_PKEY\-ML\-DSA\-44, EVP_PKEY\-ML\-DSA\-65, EVP_PKEY\-ML\-DSA\-87 \&\- EVP_PKEY ML\-DSA keytype and algorithm support .SH DESCRIPTION .IX Header "DESCRIPTION" -ML-DSA implements the algorithms \fBML\-DSA\-44\fR, \fBML\-DSA\-65\fR and \fBML\-DSA\-87\fR. +ML\-DSA implements the algorithms \fBML\-DSA\-44\fR, \fBML\-DSA\-65\fR and \fBML\-DSA\-87\fR. The key types \fBEVP_PKEY_ML_DSA_44\fR, \fBEVP_PKEY_ML_DSA_65\fR and -\&\fBEVP_PKEY_ML_DSA_87\fR are implemented in OpenSSL's default and FIPS providers. +\&\fBEVP_PKEY_ML_DSA_87\fR are implemented in OpenSSL\*(Aqs default and FIPS providers. These implementations support the associated key, containing the public key \fIpub\fR and the private key \fIpriv\fR. .PP Each of the different key types has an associated security category. This value is one of 2, 3 or 5 for key types \fBML\-DSA\-44\fR, \fBML\-DSA\-65\fR and \fBML\-DSA\-87\fR respectively, which correspond to security strengths of -128, 192 and 256 repsectively. +128, 192 and 256 respectively. .SS "Keygen Parameters" .IX Subsection "Keygen Parameters" .IP """seed"" (\fBOSSL_PKEY_PARAM_ML_DSA_SEED\fR) <octet string>" 4 @@ -99,10 +102,10 @@ key files will contain only the private key in FIPS 204 \f(CW\*(C`sk\*(C'\fR for .IP """properties"" (\fBOSSL_PKEY_PARAM_PROPERTIES\fR) <UTF8 string>" 4 .IX Item """properties"" (OSSL_PKEY_PARAM_PROPERTIES) <UTF8 string>" Sets properties to be used when fetching algorithm implementations used for -ML-DSA hashing operations. +ML\-DSA hashing operations. .PP Use \fBEVP_PKEY_CTX_set_params\fR\|(3) after calling \fBEVP_PKEY_keygen_init\fR\|(3). -.SS "Common ML-DSA parameters" +.SS "Common ML\-DSA parameters" .IX Subsection "Common ML-DSA parameters" In addition to the common parameters that all keytypes should support (see "Common Information Parameters" in \fBprovider\-keymgmt\fR\|(7), the implementation of 
@@ -151,10 +154,10 @@ used instead. List of enabled private key input formats when parsing PKCS#8 objects. List elements are separated by commas, spaces or tabs. The list of enabled formats can be specified in the configuration file, as seen -in the "EXAMPLES" section below, or the via the \fB\-provparam\fR command-line +in the "EXAMPLES" section below, or the via the \fB\-provparam\fR command\-line option (see also \fBOSSL_PROVIDER_add_conf_parameter\fR\|(3)). .Sp -Values specified on the command-line override any configuration file settings. +Values specified on the command\-line override any configuration file settings. By default all the supported formats are enabled. The supported formats are: .RS 4 @@ -222,7 +225,7 @@ recognised on input. Ordered list of enabled private key output formats when writing \fBPKCS#8\fR files. List elements are separated by commas, spaces or tabs. The list of enabled formats can be specified in the configuration file, as seen -in the "EXAMPLES" section below, or the via the \fB\-provparam\fR command-line +in the "EXAMPLES" section below, or the via the \fB\-provparam\fR command\-line option. .Sp This supports the same set of formats as described under \f(CW\*(C`ml\-dsa.input_formats\*(C'\fR @@ -274,7 +277,7 @@ The key pair components can be extracted from a key by calling: \& pub, sizeof(pub), &pub_len)); .Ve .PP -An \fBML-DSA\fR private key in seed format can be converted to a key in the FIPS +An \fBML\-DSA\fR private key in seed format can be converted to a key in the FIPS 204 \fBsk\fR format by running: .PP .Vb 2 diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-ML-KEM.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-ML-KEM.7 index bb3e59e82f7f..ffbdcb766eb7 100644 --- a/secure/lib/libcrypto/man/man7/EVP_PKEY-ML-KEM.7 +++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-ML-KEM.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY-ML-KEM 7ossl" -.TH EVP_PKEY-ML-KEM 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY-ML-KEM 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -73,7 +76,7 @@ EVP_KEYMGMT\-ML\-KEM\-1024 .SH DESCRIPTION .IX Header "DESCRIPTION" The \fBML\-KEM\-512\fR, \fBML\-KEM\-768\fR, and \fBML\-KEM\-1024\fR keytypes are implemented -in OpenSSL's default and FIPS providers. +in OpenSSL\*(Aqs default and FIPS providers. .SS "Keygen Parameters" .IX Subsection "Keygen Parameters" No mandatory parameters are required for generating a key pair. @@ -81,9 +84,9 @@ To set explicit parameters, use \fBEVP_PKEY_CTX_set_params()\fR after calling \&\fBEVP_PKEY_keygen_init()\fR. .IP """seed"" (\fBOSSL_PKEY_PARAM_ML_KEM_SEED\fR) <octet string>" 4 .IX Item """seed"" (OSSL_PKEY_PARAM_ML_KEM_SEED) <octet string>" -Internally, ML-KEM generates keys using a 64\-byte random value (seed), which is +Internally, ML\-KEM generates keys using a 64\-byte random value (seed), which is the concatenation of the 32\-byte \fId\fR and \fIz\fR parameters described in FIPS 203. -This optional parameter can be used to set a pre-determined seed prior to +This optional parameter can be used to set a pre\-determined seed prior to keypair generation. .Sp Generated keys default to retaining the seed used. 
@@ -100,13 +103,13 @@ key files will contain only the private key in FIPS 203 \f(CW\*(C`dk\*(C'\fR for .IP """properties"" (\fBOSSL_PKEY_PARAM_PROPERTIES\fR) <UTF8 string>" 4 .IX Item """properties"" (OSSL_PKEY_PARAM_PROPERTIES) <UTF8 string>" Sets properties to be used when fetching algorithm implementations used for -ML-KEM hashing operations. +ML\-KEM hashing operations. .Sp Use \fBEVP_PKEY_CTX_set_params\fR\|(3) after calling \fBEVP_PKEY_keygen_init\fR\|(3). .SS "Common parameters" .IX Subsection "Common parameters" In addition to the common parameters that all keytypes should support (see -"Common Information Parameters" in \fBprovider\-keymgmt\fR\|(7)), \fBML-KEM\fR keys +"Common Information Parameters" in \fBprovider\-keymgmt\fR\|(7)), \fBML\-KEM\fR keys keys support the parameters listed below. These are gettable using \&\fBEVP_PKEY_get_octet_string_param\fR\|(3) or \fBEVP_PKEY_get_params\fR\|(3). @@ -121,7 +124,7 @@ The public key value. This parameter is used when importing or exporting the public key value with the \fBEVP_PKEY_fromdata()\fR and \fBEVP_PKEY_todata()\fR functions. The key length and content is that of the FIPS 203 (Algorithm 16: -\&\fBML\-KEM.KeyGen_internal\fR) \fBek\fR public key for the given ML-KEM variant. +\&\fBML\-KEM.KeyGen_internal\fR) \fBek\fR public key for the given ML\-KEM variant. Initial import aside, this parameter is otherwise only gettable. .IP """priv"" (\fBOSSL_PKEY_PARAM_PRIV_KEY\fR) <octet string>" 4 .IX Item """priv"" (OSSL_PKEY_PARAM_PRIV_KEY) <octet string>" 
@@ -130,9 +133,9 @@ The private key value. This parameter is used when importing or exporting the private key value with the \fBEVP_PKEY_fromdata()\fR and \fBEVP_PKEY_todata()\fR functions. The key length and content is that of the FIPS 203 (Algorithm 16: -\&\fBML\-KEM.KeyGen_internal\fR) \fBdk\fR private key for the given ML-KEM variant. +\&\fBML\-KEM.KeyGen_internal\fR) \fBdk\fR private key for the given ML\-KEM variant. Initial import aside, this parameter is otherwise only gettable. -.IP """encoded-pub-key"" (\fBOSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\fR) <octet string>" 4 +.IP """encoded\-pub\-key"" (\fBOSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\fR) <octet string>" 4 .IX Item """encoded-pub-key"" (OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY) <octet string>" Used for getting and setting the encoding of a public key. The key format is that of \fBek\fR in FIPS 203, Algorithm 16: @@ -150,7 +153,7 @@ configuration options programmatically. .ie n .IP """ml\-kem.import_pct_type"" (\fBOSSL_PKEY_PARAM_ML_KEM_IMPORT_PCT_TYPE\fR) <UTF8 string>" 4 .el .IP "\f(CWml\-kem.import_pct_type\fR (\fBOSSL_PKEY_PARAM_ML_KEM_IMPORT_PCT_TYPE\fR) <UTF8 string>" 4 .IX Item "ml-kem.import_pct_type (OSSL_PKEY_PARAM_ML_KEM_IMPORT_PCT_TYPE) <UTF8 string>" -When an \fBML-KEM\fR key is imported as an explict FIPS 203 \fBdk\fR decapsulation +When an \fBML\-KEM\fR key is imported as an explicit FIPS 203 \fBdk\fR decapsulation key, rather than a seed, a pairwise consistency test (PCT) is optionally performed. By default, or when this parameter is set explicitly to \f(CW\*(C`random\*(C'\fR, the PCT 
@@ -182,10 +185,10 @@ used instead. List of enabled private key input formats when parsing PKCS#8 objects. List elements are separated by commas and/or spaces or tabs. The list of enabled formats can be specified in the configuration file, as seen -in the "EXAMPLES" section below, or the via the \fB\-provparam\fR command-line +in the "EXAMPLES" section below, or the via the \fB\-provparam\fR command\-line option (see also \fBOSSL_PROVIDER_add_conf_parameter\fR\|(3)). .Sp -Values specified on the command-line override any configuration file settings. +Values specified on the command\-line override any configuration file settings. By default all the supported formats are enabled. The supported formats are: .RS 4 @@ -253,7 +256,7 @@ recognised on input. Ordered list of enabled private key output formats when writing \fBPKCS#8\fR files. List elements are separated by commas, spaces or tabs. The list of enabled formats can be specified in the configuration file, as seen -in the "EXAMPLES" section below, or the via the \fB\-provparam\fR command-line +in the "EXAMPLES" section below, or the via the \fB\-provparam\fR command\-line option. .Sp This supports the same set of formats as described under \f(CW\*(C`ml\-kem.input_formats\*(C'\fR @@ -290,7 +293,7 @@ An \fBML\-KEM\-768\fR key can be generated like this: \& pkey = EVP_PKEY_Q_keygen(NULL, NULL, "ML\-KEM\-768"); .Ve .PP -An \fBML-KEM\fR private key in seed format can be converted to a key in the FIPS +An \fBML\-KEM\fR private key in seed format can be converted to a key in the FIPS 203 \fBdk\fR format by running: .PP .Vb 2 diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-RSA.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-RSA.7 index 15ef60e96c0f..f64a5db02821 100644 --- a/secure/lib/libcrypto/man/man7/EVP_PKEY-RSA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-RSA.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY-RSA 7ossl" -.TH EVP_PKEY-RSA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY-RSA 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -65,7 +68,7 @@ EVP_PKEY\-RSA, EVP_KEYMGMT\-RSA, RSA \&\- EVP_PKEY RSA keytype and algorithm support .SH DESCRIPTION .IX Header "DESCRIPTION" -The \fBRSA\fR keytype is implemented in OpenSSL's default and FIPS providers. +The \fBRSA\fR keytype is implemented in OpenSSL\*(Aqs default and FIPS providers. That implementation supports the basic RSA keys, containing the modulus \fIn\fR, the public exponent \fIe\fR, the private exponent \fId\fR, and a collection of prime factors, exponents and coefficient for CRT calculations, of which the first @@ -169,7 +172,7 @@ bits. .IP """primes"" (\fBOSSL_PKEY_PARAM_RSA_PRIMES\fR) <unsigned integer>" 4 .IX Item """primes"" (OSSL_PKEY_PARAM_RSA_PRIMES) <unsigned integer>" The value should be the number of primes for the generated \fBRSA\fR key. The -default is 2. It isn't permitted to specify a larger number of primes than +default is 2. It isn\*(Aqt permitted to specify a larger number of primes than 10. Additionally, the number of primes is limited by the length of the key being generated so the maximum number could be less. Some providers may only support a value of 2. 
@@ -178,7 +181,7 @@ Some providers may only support a value of 2. The RSA "e" value. The value may be any odd number greater than or equal to 65537. The default value is 65537. For legacy reasons a value of 3 is currently accepted but is deprecated. -.IP """rsa-derive-from-pq"" (\fBOSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ\fR) <unsigned integer>" 4 +.IP """rsa\-derive\-from\-pq"" (\fBOSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ\fR) <unsigned integer>" 4 .IX Item """rsa-derive-from-pq"" (OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ) <unsigned integer>" Indicate that missing parameters not passed in the parameter list should be derived if not provided. Setting a nonzero value will cause all @@ -245,14 +248,14 @@ For RSA keys, \fBEVP_PKEY_private_check\fR\|(3) conforms to the SP800\-56Br1 .PP For RSA keys, \fBEVP_PKEY_pairwise_check\fR\|(3) conforms to the SP800\-56Br1 \fIKeyPair Validation check\fR for the OpenSSL FIPS provider. The -OpenSSL default provider allows testing of the validity of multi-primes. +OpenSSL default provider allows testing of the validity of multi\-primes. .SH "CONFORMING TO" .IX Header "CONFORMING TO" .IP FIPS186\-4 4 .IX Item "FIPS186-4" Section B.3.6 Generation of Probable Primes with Conditions Based on Auxiliary Probable Primes -.IP "RFC 8017, excluding RSA-PSS and RSA-OAEP" 4 +.IP "RFC 8017, excluding RSA\-PSS and RSA\-OAEP" 4 .IX Item "RFC 8017, excluding RSA-PSS and RSA-OAEP" .SH EXAMPLES .IX Header "EXAMPLES" diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-SLH-DSA.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-SLH-DSA.7 index 2b3a66fe55c0..b8f60690f6de 100644 --- a/secure/lib/libcrypto/man/man7/EVP_PKEY-SLH-DSA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-SLH-DSA.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY-SLH-DSA 7ossl" -.TH EVP_PKEY-SLH-DSA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY-SLH-DSA 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -77,13 +80,13 @@ The \fBSLH\-DSA\-SHA2\-128s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHA2\-128f\fR, \&\fBSLH\-DSA\-SHAKE\-128s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHAKE\-128f\fR, \&\fBSLH\-DSA\-SHAKE\-192s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHAKE\-192f\fR, \&\fBSLH\-DSA\-SHAKE\-256s\fR and \fBEVP_PKEY\-SLH\-DSA\-SHAKE\-256f\fR key types are -implemented in OpenSSL's default and FIPS providers. These implementations +implemented in OpenSSL\*(Aqs default and FIPS providers. These implementations support the associated key, containing the public key \fIpub\fR and the private key \fIpriv\fR. .PP -SLH-DSA (Stateless Hash-based Digital Signature Standard) uses small keys, +SLH\-DSA (Stateless Hash\-based Digital Signature Standard) uses small keys, but has relatively large signatures and is relatively slow performing all -operations compared to \fBML-DSA\fR. It does however have proven security proofs, +operations compared to \fBML\-DSA\fR. It does however have proven security proofs, since it relies only on hash functions. .PP Each of the different key types has an associated security parameter \fBn\fR. 
@@ -123,10 +126,10 @@ purposes only. The length of the value supplied must be 3 * \fBn\fR. .IP """properties"" (\fBOSSL_PKEY_PARAM_PROPERTIES\fR) <utf8_string>" 4 .IX Item """properties"" (OSSL_PKEY_PARAM_PROPERTIES) <utf8_string>" Sets properties to be used when fetching algorithm implementations used for -SLH-DSA hashing operations. +SLH\-DSA hashing operations. .PP Use \fBEVP_PKEY_CTX_set_params()\fR after calling \fBEVP_PKEY_keygen_init()\fR. -.SS "Common SLH-DSA parameters" +.SS "Common SLH\-DSA parameters" .IX Subsection "Common SLH-DSA parameters" In addition to the common parameters that all keytypes should support (see "Common Information Parameters" in \fBprovider\-keymgmt\fR\|(7)), the implementation of @@ -144,7 +147,7 @@ as defined by FIPS 205 Figure 16. The private key has a size of 4 * \fBn\fR bytes, which includes the public key components. i.e. It consists of the concatenation of SK.seed, SK.prf, PK.seed and PF.root as defined by FIPS 205 Figure 15. -.IP """mandatory-digest"" (\fBOSSL_PKEY_PARAM_MANDATORY_DIGEST\fR) <UTF8 string>" 4 +.IP """mandatory\-digest"" (\fBOSSL_PKEY_PARAM_MANDATORY_DIGEST\fR) <UTF8 string>" 4 .IX Item """mandatory-digest"" (OSSL_PKEY_PARAM_MANDATORY_DIGEST) <UTF8 string>" The empty string, signifying that no digest may be specified. .SH "CONFORMING TO" @@ -160,7 +163,7 @@ An \fBEVP_PKEY\fR context can be obtained by calling: \& EVP_PKEY_CTX_new_from_name(NULL, "SLH\-DSA\-SHA2\-128f", NULL); .Ve .PP -An \fBSLH-DSA\fR key can be generated like this: +An \fBSLH\-DSA\fR key can be generated like this: .PP .Vb 1 \& pkey = EVP_PKEY_Q_keygen(NULL, NULL, "SLH\-DSA\-SHA2\-128f"); diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-SM2.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-SM2.7 index de2844379391..651209b4aa92 100644 --- a/secure/lib/libcrypto/man/man7/EVP_PKEY-SM2.7 +++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-SM2.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY-SM2 7ossl" -.TH EVP_PKEY-SM2 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY-SM2 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -85,9 +88,9 @@ Getter that returns the default digest name. (Currently returns "SM3" as of OpenSSL 3.0). .SH NOTES .IX Header "NOTES" -\&\fBSM2\fR signatures can be generated by using the 'DigestSign' series of APIs, for +\&\fBSM2\fR signatures can be generated by using the \*(AqDigestSign\*(Aq series of APIs, for instance, \fBEVP_DigestSignInit()\fR, \fBEVP_DigestSignUpdate()\fR and \fBEVP_DigestSignFinal()\fR. -Ditto for the verification process by calling the 'DigestVerify' series of APIs. +Ditto for the verification process by calling the \*(AqDigestVerify\*(Aq series of APIs. Note that the SM2 algorithm requires the presence of the public key for signatures, as such the \fBOSSL_PKEY_PARAM_PUB_KEY\fR option must be set on any key used in signature generation. diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-X25519.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-X25519.7 index 500e39400c79..fbc31e91cd57 100644 --- a/secure/lib/libcrypto/man/man7/EVP_PKEY-X25519.7 +++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-X25519.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY-X25519 7ossl" -.TH EVP_PKEY-X25519 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY-X25519 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -67,19 +70,19 @@ EVP_KEYMGMT\-X25519, EVP_KEYMGMT\-X448, EVP_KEYMGMT\-ED25519, EVP_KEYMGMT\-ED448 .SH DESCRIPTION .IX Header "DESCRIPTION" The \fBX25519\fR, \fBX448\fR, \fBED25519\fR and \fBED448\fR keytypes are -implemented in OpenSSL's default and FIPS providers. These implementations +implemented in OpenSSL\*(Aqs default and FIPS providers. These implementations support the associated key, containing the public key \fIpub\fR and the private key \fIpriv\fR. .SS "Keygen Parameters" .IX Subsection "Keygen Parameters" -.IP """dhkem-ikm"" (\fBOSSL_PKEY_PARAM_DHKEM_IKM\fR) <octet string>" 4 +.IP """dhkem\-ikm"" (\fBOSSL_PKEY_PARAM_DHKEM_IKM\fR) <octet string>" 4 .IX Item """dhkem-ikm"" (OSSL_PKEY_PARAM_DHKEM_IKM) <octet string>" DHKEM requires the generation of a keypair using an input key material (seed). Use this to specify the key material used for generation of the private key. This value should not be reused for other purposes. It should have a length of at least 32 for X25519, and 56 for X448. This is only supported by X25519 and X448. -.IP """fips-indicator"" (\fBOSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR) <integer>" This getter is only supported by X25519 and X448 for the FIPS provider. Since X25519 and X448 are unapproved in FIPS 140\-3 this getter return 0. 
@@ -103,14 +106,14 @@ The public key value. .IP """priv"" (\fBOSSL_PKEY_PARAM_PRIV_KEY\fR) <octet string>" 4 .IX Item """priv"" (OSSL_PKEY_PARAM_PRIV_KEY) <octet string>" The private key value. -.IP """encoded-pub-key"" (\fBOSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\fR) <octet string>" 4 +.IP """encoded\-pub\-key"" (\fBOSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\fR) <octet string>" 4 .IX Item """encoded-pub-key"" (OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY) <octet string>" Used for getting and setting the encoding of a public key for the \fBX25519\fR and \&\fBX448\fR key types. Public keys are expected be encoded in a format as defined by RFC7748. .SS "ED25519 and ED448 parameters" .IX Subsection "ED25519 and ED448 parameters" -.IP """mandatory-digest"" (\fBOSSL_PKEY_PARAM_MANDATORY_DIGEST\fR) <UTF8 string>" 4 +.IP """mandatory\-digest"" (\fBOSSL_PKEY_PARAM_MANDATORY_DIGEST\fR) <UTF8 string>" 4 .IX Item """mandatory-digest"" (OSSL_PKEY_PARAM_MANDATORY_DIGEST) <UTF8 string>" The empty string, signifying that no digest may be specified. .SH "CONFORMING TO" diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND-CRNG-TEST.7 b/secure/lib/libcrypto/man/man7/EVP_RAND-CRNG-TEST.7 index 21832dbcad47..248f196a681c 100644 --- a/secure/lib/libcrypto/man/man7/EVP_RAND-CRNG-TEST.7 +++ b/secure/lib/libcrypto/man/man7/EVP_RAND-CRNG-TEST.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RAND-CRNG-TEST 7ossl" -.TH EVP_RAND-CRNG-TEST 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RAND-CRNG-TEST 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -71,11 +74,11 @@ Tests". Most requests are forwarded to the entropy source, either via its parent reference or via the provider entropy upcalls. .SS Identity .IX Subsection "Identity" -"CRNG-TEST" is the name for this implementation; it can be used with the +"CRNG\-TEST" is the name for this implementation; it can be used with the \&\fBEVP_RAND_fetch()\fR function. .SS "Supported parameters" .IX Subsection "Supported parameters" -If a parent EVP_RAND is specified on context creation, the parent's +If a parent EVP_RAND is specified on context creation, the parent\*(Aqs parameters are supported because the request is forwarded to the parent seed source for processing. .PP @@ -90,7 +93,7 @@ are supported: .IX Item """max_request"" (OSSL_RAND_PARAM_MAX_REQUEST) <unsigned integer>" .PD These parameters work as described in "PARAMETERS" in \fBEVP_RAND\fR\|(3). -.IP """fips-indicator"" (\fBOSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR) <integer>" This parameter works as described in "PARAMETERS" in \fBprovider\-rand\fR\|(7). .SH NOTES diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND-CTR-DRBG.7 b/secure/lib/libcrypto/man/man7/EVP_RAND-CTR-DRBG.7 index 7818e16a2e56..3ed76029aa08 100644 --- a/secure/lib/libcrypto/man/man7/EVP_RAND-CTR-DRBG.7 +++ b/secure/lib/libcrypto/man/man7/EVP_RAND-CTR-DRBG.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RAND-CTR-DRBG 7ossl" -.TH EVP_RAND-CTR-DRBG 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RAND-CTR-DRBG 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -68,7 +71,7 @@ Support for the counter deterministic random bit generator through the \&\fBEVP_RAND\fR API. .SS Identity .IX Subsection "Identity" -"CTR-DRBG" is the name for this implementation; it can be used with the +"CTR\-DRBG" is the name for this implementation; it can be used with the \&\fBEVP_RAND_fetch()\fR function. .SS "Supported parameters" .IX Subsection "Supported parameters" @@ -118,7 +121,7 @@ A context for CTR DRBG can be obtained by calling: \& EVP_RAND_CTX *rctx = EVP_RAND_CTX_new(rand, NULL); .Ve .PP -The default CTR-DRBG implementation attempts to fetch the required internal +The default CTR\-DRBG implementation attempts to fetch the required internal algorithms from the provider they are built into (eg the default provider) regardless of the properties provided. Should the provider not implement the required algorithms then properties will be used to find a different diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND-HASH-DRBG.7 b/secure/lib/libcrypto/man/man7/EVP_RAND-HASH-DRBG.7 index 9972e152bca2..62edbc66c947 100644 --- a/secure/lib/libcrypto/man/man7/EVP_RAND-HASH-DRBG.7 +++ b/secure/lib/libcrypto/man/man7/EVP_RAND-HASH-DRBG.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RAND-HASH-DRBG 7ossl" -.TH EVP_RAND-HASH-DRBG 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RAND-HASH-DRBG 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -68,7 +71,7 @@ Support for the hash deterministic random bit generator through the \&\fBEVP_RAND\fR API. .SS Identity .IX Subsection "Identity" -"HASH-DRBG" is the name for this implementation; it can be used with the +"HASH\-DRBG" is the name for this implementation; it can be used with the \&\fBEVP_RAND_fetch()\fR function. .SS "Supported parameters" .IX Subsection "Supported parameters" @@ -104,10 +107,10 @@ The supported parameters are: .IX Item """digest"" (OSSL_DRBG_PARAM_DIGEST) <UTF8 string>" .PD These parameters work as described in "PARAMETERS" in \fBEVP_RAND\fR\|(3). -.IP """fips-indicator"" (\fBOSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR) <integer>" .PD 0 -.IP """digest-check"" (\fBOSSL_DRBG_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_DRBG_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_DRBG_PARAM_FIPS_DIGEST_CHECK) <integer>" .PD These parameters work as described in "PARAMETERS" in \fBprovider\-rand\fR\|(7). 
@@ -117,7 +120,7 @@ When the FIPS provider is installed using the \fB\-no_drbg_truncated_digests\fR option to fipsinstall, only these digests are permitted (as per FIPS 140\-3 IG D.R <https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf>): .PP -The default HASH-DRBG implementation attempts to fetch the required internal +The default HASH\-DRBG implementation attempts to fetch the required internal algorithms from the provider they are built into (eg the default provider) regardless of the properties provided. Should the provider not implement the required algorithms then properties will be used to find a different diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND-HMAC-DRBG.7 b/secure/lib/libcrypto/man/man7/EVP_RAND-HMAC-DRBG.7 index 7b929d257547..a2d8044e0a2f 100644 --- a/secure/lib/libcrypto/man/man7/EVP_RAND-HMAC-DRBG.7 +++ b/secure/lib/libcrypto/man/man7/EVP_RAND-HMAC-DRBG.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RAND-HMAC-DRBG 7ossl" -.TH EVP_RAND-HMAC-DRBG 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RAND-HMAC-DRBG 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -68,7 +71,7 @@ Support for the HMAC deterministic random bit generator through the \&\fBEVP_RAND\fR API. .SS Identity .IX Subsection "Identity" -"HMAC-DRBG" is the name for this implementation; it can be used with the +"HMAC\-DRBG" is the name for this implementation; it can be used with the \&\fBEVP_RAND_fetch()\fR function. .SS "Supported parameters" .IX Subsection "Supported parameters" @@ -106,10 +109,10 @@ The supported parameters are: .IX Item """digest"" (OSSL_DRBG_PARAM_DIGEST) <UTF8 string>" .PD These parameters work as described in "PARAMETERS" in \fBEVP_RAND\fR\|(3). -.IP """fips-indicator"" (\fBOSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR) <integer>" .PD 0 -.IP """digest-check"" (\fBOSSL_DRBG_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_DRBG_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_DRBG_PARAM_FIPS_DIGEST_CHECK) <integer>" .PD These parameters work as described in "PARAMETERS" in \fBprovider\-rand\fR\|(7). @@ -118,7 +121,7 @@ These parameters work as described in "PARAMETERS" in \fBprovider\-rand\fR\|(7). When using the FIPS provider, only these digests are permitted (as per FIPS 140\-3 IG D.R <https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf>): .PP -The default HMAC-DRBG implementation attempts to fetch the required internal +The default HMAC\-DRBG implementation attempts to fetch the required internal algorithms from the provider they are built into (eg the default provider) regardless of the properties provided. Should the provider not implement the required algorithms then properties will be used to find a different 
diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND-JITTER.7 b/secure/lib/libcrypto/man/man7/EVP_RAND-JITTER.7 index 562e653c0148..7442c8b4a0b1 100644 --- a/secure/lib/libcrypto/man/man7/EVP_RAND-JITTER.7 +++ b/secure/lib/libcrypto/man/man7/EVP_RAND-JITTER.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RAND-JITTER 7ossl" -.TH EVP_RAND-JITTER 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RAND-JITTER 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -70,7 +73,7 @@ Support for deterministic random number generator seeding through the This software seed source produces randomness based on tiny CPU "jitter" fluctuations. .PP -It is available when OpenSSL is compiled with \fBenable-jitter\fR +It is available when OpenSSL is compiled with \fBenable\-jitter\fR option. When available it is listed in \fBopenssl list \&\-random\-generators\fR and \fBopenssl info \-seeds\fR. .SS Identity 
@@ -98,11 +101,11 @@ A context for the seed source can be obtained by calling: \& EVP_RAND_CTX *rctx = EVP_RAND_CTX_new(rand, NULL); .Ve .PP -The \fBenable-jitter\fR option was added in OpenSSL 3.4. +The \fBenable\-jitter\fR option was added in OpenSSL 3.4. .PP -By specifying the \fBenable-fips-jitter\fR configuration option, the FIPS +By specifying the \fBenable\-fips\-jitter\fR configuration option, the FIPS provider will use an internal jitter source for its entropy. Enabling -this option will cause the FIPS provider to operate in a non-compliant +this option will cause the FIPS provider to operate in a non\-compliant mode unless an entropy assessment ESV <https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations> and validation through the diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND-SEED-SRC.7 b/secure/lib/libcrypto/man/man7/EVP_RAND-SEED-SRC.7 index 34acbbbc7b73..b8dab3d4d28c 100644 --- a/secure/lib/libcrypto/man/man7/EVP_RAND-SEED-SRC.7 +++ b/secure/lib/libcrypto/man/man7/EVP_RAND-SEED-SRC.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RAND-SEED-SRC 7ossl" -.TH EVP_RAND-SEED-SRC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RAND-SEED-SRC 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -72,7 +75,7 @@ building using the \fB\-\-with\-rand\-seed=\fR option. By default, operating sy randomness sources are used. .SS Identity .IX Subsection "Identity" -"SEED-SRC" is the name for this implementation; it can be used with the +"SEED\-SRC" is the name for this implementation; it can be used with the \&\fBEVP_RAND_fetch()\fR function. .SS "Supported parameters" .IX Subsection "Supported parameters" diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND-TEST-RAND.7 b/secure/lib/libcrypto/man/man7/EVP_RAND-TEST-RAND.7 index 42c9fffdfad6..9fcb08c4eaf0 100644 --- a/secure/lib/libcrypto/man/man7/EVP_RAND-TEST-RAND.7 +++ b/secure/lib/libcrypto/man/man7/EVP_RAND-TEST-RAND.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RAND-TEST-RAND 7ossl" -.TH EVP_RAND-TEST-RAND 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RAND-TEST-RAND 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -68,7 +71,7 @@ Support for a test generator through the \fBEVP_RAND\fR API. This generator is for test purposes only, it does not generate random numbers. .SS Identity .IX Subsection "Identity" -"TEST-RAND" is the name for this implementation; it can be used with the +"TEST\-RAND" is the name for this implementation; it can be used with the \&\fBEVP_RAND_fetch()\fR function. .SS "Supported parameters" .IX Subsection "Supported parameters" 
@@ -76,7 +79,7 @@ The supported parameters are: .IP """state"" (\fBOSSL_RAND_PARAM_STATE\fR) <integer>" 4 .IX Item """state"" (OSSL_RAND_PARAM_STATE) <integer>" .PD 0 -.IP """fips-indicator"" (\fBOSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR) <integer>" .PD These parameter works as described in "PARAMETERS" in \fBEVP_RAND\fR\|(3). @@ -119,7 +122,7 @@ Each nonce request will return all of the bytes. .IX Item """generate"" (OSSL_RAND_PARAM_GENERATE) <integer>" If this parameter is zero, it will only emit the nonce and entropy data supplied via the aforementioned parameters. Otherwise, low quality -non-cryptographic pseudorandom output is produced. This parameter defaults +non\-cryptographic pseudorandom output is produced. This parameter defaults to zero. .SH NOTES .IX Header "NOTES" diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND.7 b/secure/lib/libcrypto/man/man7/EVP_RAND.7 index 8d7ad73ee30c..eb605c040883 100644 --- a/secure/lib/libcrypto/man/man7/EVP_RAND.7 +++ b/secure/lib/libcrypto/man/man7/EVP_RAND.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RAND 7ossl" -.TH EVP_RAND 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RAND 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -71,14 +74,14 @@ EVP_RAND \- the random bit generator .SH DESCRIPTION .IX Header "DESCRIPTION" The default OpenSSL RAND method is based on the EVP_RAND classes to provide -non-deterministic inputs to other cryptographic algorithms. +non\-deterministic inputs to other cryptographic algorithms. .PP -While the RAND API is the 'frontend' which is intended to be used by +While the RAND API is the \*(Aqfrontend\*(Aq which is intended to be used by application developers for obtaining random bytes, the EVP_RAND API -serves as the 'backend', connecting the former with the operating -systems's entropy sources and providing access to deterministic random +serves as the \*(Aqbackend\*(Aq, connecting the former with the operating +systems\*(Aqs entropy sources and providing access to deterministic random bit generators (DRBG) and their configuration parameters. -A DRBG is a certain type of cryptographically-secure pseudo-random +A DRBG is a certain type of cryptographically\-secure pseudo\-random number generator (CSPRNG), which is described in [NIST SP 800\-90A Rev. 1]. .SS Disclaimer @@ -94,7 +97,7 @@ Typical examples for such special use cases are the following: You want to use your own private DRBG instances. Multiple DRBG instances which are accessed only by a single thread provide additional security (because their internal states are independent) and -better scalability in multithreaded applications (because they don't need +better scalability in multithreaded applications (because they don\*(Aqt need to be locked). .IP \(bu 2 You need to integrate a previously unsupported entropy source. 
@@ -121,10 +124,10 @@ a live entropy source may ignore and not use its parent. Currently, there are three shared DRBG instances, the <primary>, <public>, and <private> DRBG. While the <primary> DRBG is a single global instance, the <public> and <private> -DRBG are created per thread and accessed through thread-local storage. +DRBG are created per thread and accessed through thread\-local storage. .PP By default, the functions \fBRAND_bytes\fR\|(3) and \fBRAND_priv_bytes\fR\|(3) use -the thread-local <public> and <private> DRBG instance, respectively. +the thread\-local <public> and <private> DRBG instance, respectively. .SS "The <primary> DRBG instance" .IX Subsection "The <primary> DRBG instance" The <primary> DRBG is not used directly by the application, only for reseeding 
@@ -141,24 +144,24 @@ This instance is used per default by \fBRAND_priv_bytes\fR\|(3) .IX Header "LOCKING" The <primary> DRBG is intended to be accessed concurrently for reseeding by its child DRBG instances. The necessary locking is done internally. -It is \fInot\fR thread-safe to access the <primary> DRBG directly via the +It is \fInot\fR thread\-safe to access the <primary> DRBG directly via the EVP_RAND interface. -The <public> and <private> DRBG are thread-local, i.e. there is an +The <public> and <private> DRBG are thread\-local, i.e. there is an instance of each per thread. So they can safely be accessed without locking via the EVP_RAND interface. .PP Pointers to these DRBG instances can be obtained using \&\fBRAND_get0_primary()\fR, \fBRAND_get0_public()\fR and \fBRAND_get0_private()\fR, respectively. -Note that it is not allowed to store a pointer to one of the thread-local +Note that it is not allowed to store a pointer to one of the thread\-local DRBG instances in a variable or other memory location where it will be accessed and used by multiple threads. .PP -All other DRBG instances created by an application don't support locking, +All other DRBG instances created by an application don\*(Aqt support locking, because they are intended to be used by a single thread. Instead of accessing a single DRBG instance concurrently from different threads, it is recommended to instantiate a separate DRBG instance per thread. Using the <primary> DRBG as entropy source for multiple DRBG -instances on different threads is thread-safe, because the DRBG instance +instances on different threads is thread\-safe, because the DRBG instance will lock the <primary> DRBG automatically for obtaining random input. .SH "THE OVERALL PICTURE" .IX Header "THE OVERALL PICTURE" 
@@ -249,7 +252,7 @@ previous OpenSSL versions to call \fBRAND_add()\fR before calling \fBRAND_bytes( .SS "Entropy Input and Additional Data" .IX Subsection "Entropy Input and Additional Data" The DRBG distinguishes two different types of random input: \fIentropy\fR, -which comes from a trusted source, and \fIadditional input\fR', +which comes from a trusted source, and \fIadditional input\fR\*(Aq, which can optionally be added by the user and is considered untrusted. It is possible to add \fIadditional input\fR not only during reseeding, but also for every generate request. @@ -259,11 +262,11 @@ In most cases OpenSSL will automatically choose a suitable seed source for automatically seeding and reseeding its <primary> DRBG. The default seed source can be configured when OpenSSL is compiled by setting \fB\-DOPENSSL_DEFAULT_SEED_SRC=SEED\-SRC\fR. If not set then -"SEED-SRC" is used. One can specify a third-party provider seed-source, +"SEED\-SRC" is used. One can specify a third\-party provider seed\-source, or \fB\-DOPENSSL_DEFAULT_SEED_SRC=JITTER\fR if available. .PP In some cases however, it will be necessary to explicitly specify a -seed source used by "SEED-SRC" during configuration, using the +seed source used by "SEED\-SRC" during configuration, using the \&\-\-with\-rand\-seed option. For more information, see the INSTALL instructions. There are also operating systems where no seed source is available and automatic reseeding is disabled by default. diff --git a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-DSA.7 b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-DSA.7 index e77ed38d5a61..37aa5c17a441 100644 --- a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-DSA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-DSA.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SIGNATURE-DSA 7ossl" -.TH EVP_SIGNATURE-DSA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SIGNATURE-DSA 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -85,7 +88,7 @@ The base signature algorithm, supported explicitly fetched with EC keys) with \fBEVP_DigestSignInit\fR\|(3) and \&\fBEVP_DigestVerifyInit\fR\|(3). .Sp -It can't be used with \fBEVP_PKEY_sign_message_init\fR\|(3) +It can\*(Aqt be used with \fBEVP_PKEY_sign_message_init\fR\|(3) .IP """DSA\-SHA1"", ""DSA\-SHA\-1"", ""dsaWithSHA1"", ""1.2.840.10040.4.3""" 4 .IX Item """DSA-SHA1"", ""DSA-SHA-1"", ""dsaWithSHA1"", ""1.2.840.10040.4.3""" .PD 0 
@@ -123,28 +126,28 @@ using \fBEVP_PKEY_sign_init_ex()\fR or \fBEVP_PKEY_verify_init_ex()\fR. .PD These two are not supported with the DSA signature schemes that already include a message digest algorithm, See "Algorithm Names" above. -.IP """nonce-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4 +.IP """nonce\-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4 .IX Item """nonce-type"" (OSSL_SIGNATURE_PARAM_NONCE_TYPE) <unsigned integer>" .PD 0 -.IP """key-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK) <integer>" -.IP """digest-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK) <integer>" -.IP """sign-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK\fR) <int>" 4 +.IP """sign\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK\fR) <int>" 4 .IX Item """sign-check"" (OSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK) <int>" .PD The settable parameters are described in \fBprovider\-signature\fR\|(7). .PP The following signature parameters can be retrieved using \&\fBEVP_PKEY_CTX_get_params()\fR. 
-.IP """algorithm-id"" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string>" 4 +.IP """algorithm\-id"" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string>" 4 .IX Item """algorithm-id"" (OSSL_SIGNATURE_PARAM_ALGORITHM_ID) <octet string>" .PD 0 .IP """digest"" (\fBOSSL_SIGNATURE_PARAM_DIGEST\fR) <UTF8 string>" 4 .IX Item """digest"" (OSSL_SIGNATURE_PARAM_DIGEST) <UTF8 string>" -.IP """nonce-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4 +.IP """nonce\-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4 .IX Item """nonce-type"" (OSSL_SIGNATURE_PARAM_NONCE_TYPE) <unsigned integer>" -.IP """fips-indicator"" (\fBOSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR) <integer>" .PD The gettable parameters are described in \fBprovider\-signature\fR\|(7). diff --git a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ECDSA.7 b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ECDSA.7 index 77afb3656577..eb73a4ce3ba2 100644 --- a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ECDSA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ECDSA.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SIGNATURE-ECDSA 7ossl" -.TH EVP_SIGNATURE-ECDSA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SIGNATURE-ECDSA 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -79,7 +82,7 @@ The base signature algorithm, supported explicitly fetched with EC keys) with \fBEVP_DigestSignInit\fR\|(3) and \&\fBEVP_DigestVerifyInit\fR\|(3). .Sp -It can't be used with \fBEVP_PKEY_sign_message_init\fR\|(3) +It can\*(Aqt be used with \fBEVP_PKEY_sign_message_init\fR\|(3) .IP """ECDSA\-SHA1"", ""ECDSA\-SHA\-1"", ""ecdsa\-with\-SHA1"", ""1.2.840.10045.4.1""" 4 .IX Item """ECDSA-SHA1"", ""ECDSA-SHA-1"", ""ecdsa-with-SHA1"", ""1.2.840.10045.4.1""" .PD 0 
@@ -116,28 +119,28 @@ and before calling \fBEVP_PKEY_sign()\fR or \fBEVP_PKEY_verify()\fR. .PD These two are not supported with the ECDSA signature schemes that already include a message digest algorithm, See "Algorithm Names" above. -.IP """nonce-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4 +.IP """nonce\-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4 .IX Item """nonce-type"" (OSSL_SIGNATURE_PARAM_NONCE_TYPE) <unsigned integer>" .PD 0 -.IP """key-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK) <integer>" -.IP """digest-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK) <integer>" .PD These parameters are described in \fBprovider\-signature\fR\|(7). .PP The following signature parameters can be retrieved using \&\fBEVP_PKEY_CTX_get_params()\fR. 
-.IP """algorithm-id"" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string>" 4 +.IP """algorithm\-id"" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string>" 4 .IX Item """algorithm-id"" (OSSL_SIGNATURE_PARAM_ALGORITHM_ID) <octet string>" .PD 0 .IP """digest"" (\fBOSSL_SIGNATURE_PARAM_DIGEST\fR) <UTF8 string>" 4 .IX Item """digest"" (OSSL_SIGNATURE_PARAM_DIGEST) <UTF8 string>" -.IP """nonce-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4 +.IP """nonce\-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4 .IX Item """nonce-type"" (OSSL_SIGNATURE_PARAM_NONCE_TYPE) <unsigned integer>" -.IP """fips-indicator"" (\fBOSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR) <integer>" -.IP """verify-message"" (\fBOSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE\fR <integer>" 4 +.IP """verify\-message"" (\fBOSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE\fR <integer>" 4 .IX Item """verify-message"" (OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE <integer>" .PD The parameters are described in \fBprovider\-signature\fR\|(7). diff --git a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ED25519.7 b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ED25519.7 index 2cd9a4e16e1d..246582c45765 100644 --- a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ED25519.7 +++ b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ED25519.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SIGNATURE-ED25519 7ossl" -.TH EVP_SIGNATURE-ED25519 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SIGNATURE-ED25519 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -69,7 +72,7 @@ Ed448 .SH DESCRIPTION .IX Header "DESCRIPTION" The \fBEd25519\fR and \fBEd448\fR EVP_PKEY implementation supports key -generation, one-shot digest-sign and digest-verify using the EdDSA +generation, one\-shot digest\-sign and digest\-verify using the EdDSA signature schemes described in RFC 8032. It has associated private and public key formats compatible with RFC 8410. .SS "EdDSA Instances" @@ -89,9 +92,9 @@ Ed448ph, the hash function is SHAKE256 with an output length of 512 bits. .PP The instances Ed25519ctx, Ed25519ph, Ed448, Ed448ph accept an optional -\&\fBcontext-string\fR as input to sign and verify operations (and for -Ed25519ctx, the context-string must be nonempty). For the Ed25519 -instance, a nonempty context-string is not permitted. +\&\fBcontext\-string\fR as input to sign and verify operations (and for +Ed25519ctx, the context\-string must be nonempty). For the Ed25519 +instance, a nonempty context\-string is not permitted. .PP These instances can be specified as signature parameters when using \&\fBEVP_DigestSignInit\fR\|(3) and \fBEVP_DigestVerifyInit\fR\|(3), see 
@@ -104,7 +107,7 @@ These instances are also explicitly fetchable as algorithms using .SS "ED25519 and ED448 Signature Parameters" .IX Subsection "ED25519 and ED448 Signature Parameters" Two parameters can be set during signing or verification: the EdDSA -\&\fBinstance name\fR and the \fBcontext-string value\fR. They can be set by +\&\fBinstance name\fR and the \fBcontext\-string value\fR. They can be set by passing an OSSL_PARAM array to \fBEVP_DigestSignInit_ex()\fR. .IP \(bu 4 "instance" (\fBOSSL_SIGNATURE_PARAM_INSTANCE\fR) <utf8 string> @@ -115,7 +118,7 @@ One of the five strings "Ed25519", "Ed25519ctx", "Ed25519ph", "Ed448", "Ed448ph" .Sp "Ed448", "Ed448ph" are valid only for an Ed448 EVP_PKEY. .IP \(bu 4 -"context-string" (\fBOSSL_SIGNATURE_PARAM_CONTEXT_STRING\fR) <octet string> +"context\-string" (\fBOSSL_SIGNATURE_PARAM_CONTEXT_STRING\fR) <octet string> .Sp A string of octets with length at most 255. .PP @@ -134,7 +137,7 @@ When using \fBEVP_PKEY_sign_init_ex2\fR\|(3), \fBEVP_PKEY_verify_init_ex2\fR\|(3 instance is the explicit signature algorithm name, and may not be changed (trying to give one with the "instance" parameter is therefore an error). .PP -If a context-string is not specified, then an empty context-string is +If a context\-string is not specified, then an empty context\-string is used. .PP See \fBEVP_PKEY\-X25519\fR\|(7) for information related to \fBX25519\fR and \fBX448\fR keys. 
@@ -142,22 +145,22 @@ See \fBEVP_PKEY\-X25519\fR\|(7) for information related to \fBX25519\fR and \fBX The following signature parameters can be retrieved using \&\fBEVP_PKEY_CTX_get_params()\fR. .IP \(bu 4 -"algorithm-id" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string> +"algorithm\-id" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string> .IP \(bu 4 "instance" (\fBOSSL_SIGNATURE_PARAM_INSTANCE\fR) <utf8 string> .IP \(bu 4 -"context-string" (\fBOSSL_SIGNATURE_PARAM_CONTEXT_STRING\fR) <octet string> +"context\-string" (\fBOSSL_SIGNATURE_PARAM_CONTEXT_STRING\fR) <octet string> .PP The parameters are described in \fBprovider\-signature\fR\|(7). .SH NOTES .IX Header "NOTES" The PureEdDSA instances do not support the streaming mechanism of other signature algorithms using, for example, \fBEVP_DigestUpdate()\fR. -The message to sign or verify must be passed using the one-shot +The message to sign or verify must be passed using the one\-shot \&\fBEVP_DigestSign()\fR and \fBEVP_DigestVerify()\fR functions. .PP The HashEdDSA instances do not yet support the streaming mechanisms -(so the one-shot functions must be used with HashEdDSA as well). +(so the one\-shot functions must be used with HashEdDSA as well). .PP When calling \fBEVP_DigestSignInit()\fR or \fBEVP_DigestVerifyInit()\fR, the digest \fItype\fR parameter \fBMUST\fR be set to NULL. @@ -180,6 +183,9 @@ Ed25519 and Ed448 can be tested with the \fBopenssl\-speed\fR\|(1) application since version 1.1.1. Valid algorithm names are \fBed25519\fR, \fBed448\fR and \fBeddsa\fR. If \fBeddsa\fR is specified, then both Ed25519 and Ed448 are benchmarked. +.PP +Since Ed25519ctx is not included in FIPS 186\-5, it is not present +in the FIPS provider. .SH EXAMPLES .IX Header "EXAMPLES" To sign a message using an ED25519 EVP_PKEY structure: diff --git a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-HMAC.7 b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-HMAC.7 index d9d85ab8b502..5ab887849a4b 100644 
--- a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-HMAC.7 +++ b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-HMAC.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SIGNATURE-HMAC 7ossl" -.TH EVP_SIGNATURE-HMAC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SIGNATURE-HMAC 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ML-DSA.7 b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ML-DSA.7 index 51b46b446b59..0948e641d25b 100644 --- a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ML-DSA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ML-DSA.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SIGNATURE-ML-DSA 7ossl" -.TH EVP_SIGNATURE-ML-DSA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SIGNATURE-ML-DSA 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -67,7 +70,7 @@ EVP_SIGNATURE\-ML\-DSA\-44, EVP_SIGNATURE\-ML\-DSA\-65, EVP_SIGNATURE\-ML\-DSA\- .SH DESCRIPTION .IX Header "DESCRIPTION" The \fBML\-DSA\-44\fR, \fBML\-DSA\-65\fR and \fBML\-DSA\-87\fR EVP_PKEY implementations -support key generation, and one-shot sign and verify using the ML-DSA +support key generation, and one\-shot sign and verify using the ML\-DSA signature schemes described in FIPS 204 <https://csrc.nist.gov/pubs/fips/204/final>. .PP The different algorithms names correspond to the parameter sets defined in 
@@ -75,39 +78,39 @@ FIPS 204 <https://csrc.nist.gov/pubs/fips/204/final> Section 4 Table 1. (The signatures range in size from ~2.5K to ~4.5K depending on the type chosen). There are 3 different security categories also depending on the type. .PP -\&\fBEVP_SIGNATURE_fetch\fR\|(3) can be used to explicitely fetch one of the 3 +\&\fBEVP_SIGNATURE_fetch\fR\|(3) can be used to explicitly fetch one of the 3 algorithms which can then be used with \fBEVP_PKEY_sign_message_init\fR\|(3), \&\fBEVP_PKEY_sign\fR\|(3), \fBEVP_PKEY_verify_message_init\fR\|(3), and -\&\fBEVP_PKEY_verify\fR\|(3) to perform one-shot message signing or signature verification. +\&\fBEVP_PKEY_verify\fR\|(3) to perform one\-shot message signing or signature verification. .PP -The normal signing process (called Pure ML-DSA Signature Generation) +The normal signing process (called Pure ML\-DSA Signature Generation) encodes the message internally as 0x00 || len(ctx) || ctx || message. where \fBctx\fR is some optional value of size 0x00..0xFF. This process is defined in FIPS 204 <https://csrc.nist.gov/pubs/fips/204/final> Algorithm 2 step 10 and Algorithm 3 step 5. OpenSSL also allows the message to not be encoded which is required for -testing. OpenSSL does not support Pre Hash ML-DSA Signature Generation, but this +testing. OpenSSL does not support Pre Hash ML\-DSA Signature Generation, but this may be done by the user by doing Pre hash encoding externally and then choosing the option to not encode the message. -.SS "ML-DSA Signature Parameters" +.SS "ML\-DSA Signature Parameters" .IX Subsection "ML-DSA Signature Parameters" The following parameter can be used for both signing and verification. 
it may be set by passing an OSSL_PARAM array to \fBEVP_PKEY_sign_message_init\fR\|(3) or \fBEVP_PKEY_verify_message_init\fR\|(3) -.IP """context-string"" (\fBOSSL_SIGNATURE_PARAM_CONTEXT_STRING\fR) <octet string>" 4 +.IP """context\-string"" (\fBOSSL_SIGNATURE_PARAM_CONTEXT_STRING\fR) <octet string>" 4 .IX Item """context-string"" (OSSL_SIGNATURE_PARAM_CONTEXT_STRING) <octet string>" A string of octets with length at most 255. By default it is the empty string. .PP The following parameters can be used when signing: They can be set by passing an OSSL_PARAM array to \fBEVP_PKEY_sign_init_ex2\fR\|(3). -.IP """message-encoding"" (\fBOSSL_SIGNATURE_PARAM_MESSAGE_ENCODING\fR) <integer>" 4 +.IP """message\-encoding"" (\fBOSSL_SIGNATURE_PARAM_MESSAGE_ENCODING\fR) <integer>" 4 .IX Item """message-encoding"" (OSSL_SIGNATURE_PARAM_MESSAGE_ENCODING) <integer>" -The default value of 1 uses 'Pure ML-DSA Signature Generation' as described +The default value of 1 uses \*(AqPure ML\-DSA Signature Generation\*(Aq as described above. Setting it to 0 does not encode the message, which is used for testing. The message encoding steps are defined in FIPS 204 <https://csrc.nist.gov/pubs/fips/204/final> Algorithm 2 step 10 and Algorithm 3 step 5. -.IP """test-entropy"" (\fBOSSL_SIGNATURE_PARAM_TEST_ENTROPY\fR) <octet string>" 4 +.IP """test\-entropy"" (\fBOSSL_SIGNATURE_PARAM_TEST_ENTROPY\fR) <octet string>" 4 .IX Item """test-entropy"" (OSSL_SIGNATURE_PARAM_TEST_ENTROPY) <octet string>" Used for testing to pass an optional deterministic per message random value. If set the size must be 32 bytes. 
@@ -115,7 +118,7 @@ If set the size must be 32 bytes. .IX Item """deterministic"" (OSSL_SIGNATURE_PARAM_DETERMINISTIC) <integer>" The default value of 0 causes the per message randomness to be randomly generated using a DRBG. Setting this to 1 causes the per message randomness -to be set to 32 bytes of zeros. This value is ignored if "test-entropy" is set. +to be set to 32 bytes of zeros. This value is ignored if "test\-entropy" is set. .IP """mu"" (\fBOSSL_SIGNATURE_PARAM_MU\fR) <integer>" 4 .IX Item """mu"" (OSSL_SIGNATURE_PARAM_MU) <integer>" The default value of 0 causes sign and verify operations to process a raw message. @@ -127,15 +130,15 @@ Note that the message encoding steps from FIPS 204 <https://csrc.nist.gov/pubs/fips/204/final> Algorithm 2 step 10 and Algorithm 3 step 5 are omitted when this setting is 1. .PP -See \fBEVP_PKEY\-ML\-DSA\fR\|(7) for information related to \fBML-DSA\fR keys. +See \fBEVP_PKEY\-ML\-DSA\fR\|(7) for information related to \fBML\-DSA\fR keys. .SH NOTES .IX Header "NOTES" -For backwards compatability reasons \fBEVP_DigestSignInit_ex()\fR, \fBEVP_DigestSign()\fR, +For backwards compatibility reasons \fBEVP_DigestSignInit_ex()\fR, \fBEVP_DigestSign()\fR, \&\fBEVP_DigestVerifyInit_ex()\fR and \fBEVP_DigestVerify()\fR may also be used, but the digest passed in \fImdname\fR must be NULL. .SH EXAMPLES .IX Header "EXAMPLES" -To sign a message using an ML-DSA EVP_PKEY structure: +To sign a message using an ML\-DSA EVP_PKEY structure: .PP .Vb 10 \& void do_sign(EVP_PKEY *key, unsigned char *msg, size_t msg_len) diff --git a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-RSA.7 b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-RSA.7 index c4b8a85899e4..d38073d96eab 100644 --- a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-RSA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-RSA.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SIGNATURE-RSA 7ossl" -.TH EVP_SIGNATURE-RSA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SIGNATURE-RSA 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -80,7 +83,7 @@ The base signature algorithm, supported explicitly fetched with RSA keys) with \fBEVP_DigestSignInit\fR\|(3) and \&\fBEVP_DigestVerifyInit\fR\|(3). .Sp -It can't be used with \fBEVP_PKEY_sign_message_init\fR\|(3) +It can\*(Aqt be used with \fBEVP_PKEY_sign_message_init\fR\|(3) .IP """RSA\-RIPEMD160"", ""ripemd160WithRSA"", ""1.3.36.3.3.1.2""" 4 .IX Item """RSA-RIPEMD160"", ""ripemd160WithRSA"", ""1.3.36.3.3.1.2""" .PD 0 @@ -110,7 +113,7 @@ It can't be used with \fBEVP_PKEY_sign_message_init\fR\|(3) PKCS#1 v1.5 RSA signature schemes with diverse message digest algorithms. They are all supported explicitly fetched with \fBEVP_PKEY_sign_init_ex2\fR\|(3) and \&\fBEVP_PKEY_sign_message_init\fR\|(3). -They are all pre-set to use the pad mode "pkcs1". This cannot be changed. +They are all pre\-set to use the pad mode "pkcs1". This cannot be changed. .SS "Signature Parameters" .IX Subsection "Signature Parameters" The following signature parameters can be set using \fBEVP_PKEY_CTX_set_params()\fR. 
@@ -127,7 +130,7 @@ These are not supported with the RSA signature schemes that already include a message digest algorithm, See "Algorithm Names" above. .Sp These common parameters are described in \fBprovider\-signature\fR\|(7). -.IP """pad-mode"" (\fBOSSL_SIGNATURE_PARAM_PAD_MODE\fR) <UTF8 string>" 4 +.IP """pad\-mode"" (\fBOSSL_SIGNATURE_PARAM_PAD_MODE\fR) <UTF8 string>" 4 .IX Item """pad-mode"" (OSSL_SIGNATURE_PARAM_PAD_MODE) <UTF8 string>" The type of padding to be used. Its value can be one of the following: .RS 4 @@ -147,10 +150,8 @@ generation, but may be used for signature verification for legacy use cases. .RE .RS 4 .RE -.PD 0 .IP """mgf1\-digest"" (\fBOSSL_SIGNATURE_PARAM_MGF1_DIGEST\fR) <UTF8 string>" 4 .IX Item """mgf1-digest"" (OSSL_SIGNATURE_PARAM_MGF1_DIGEST) <UTF8 string>" -.PD The digest algorithm name to use for the maskGenAlgorithm used by "pss" mode. .IP """mgf1\-properties"" (\fBOSSL_SIGNATURE_PARAM_MGF1_PROPERTIES\fR) <UTF8 string>" 4 .IX Item """mgf1-properties"" (OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES) <UTF8 string>" @@ -170,7 +171,7 @@ Use the maximum salt length. .IP """auto"" (\fBOSSL_PKEY_RSA_PSS_SALT_LEN_AUTO\fR)" 4 .IX Item """auto"" (OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO)" Auto detect the salt length. -.IP """auto-digestmax"" (\fBOSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX\fR)" 4 +.IP """auto\-digestmax"" (\fBOSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX\fR)" 4 .IX Item """auto-digestmax"" (OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX)" Auto detect the salt length when verifying. Maximize the salt length up to the digest size when signing to comply with FIPS 186\-4 section 5.5. 
@@ -179,40 +180,40 @@ digest size when signing to comply with FIPS 186\-4 section 5.5. .RE .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """key-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK) <integer>" .PD 0 -.IP """digest-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK) <integer>" .IP """sign\-x931\-pad\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK\fR) <integer>" 4 .IX Item """sign-x931-pad-check"" (OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK) <integer>" .PD These parameters are described in \fBprovider\-signature\fR\|(7). -.IP """rsa-pss-saltlen-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK\fR) <integer>" 4 +.IP """rsa\-pss\-saltlen\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK\fR) <integer>" 4 .IX Item """rsa-pss-saltlen-check"" (OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK) <integer>" The default value of 1 causes an error during signature generation or verification if salt length (\fBOSSL_SIGNATURE_PARAM_PSS_SALTLEN\fR) is not between zero and the output block size of the digest function (inclusive). -Setting this to zero will ignore the error and set the approved "fips-indicator" +Setting this to zero will ignore the error and set the approved "fips\-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .PP The following signature parameters can be retrieved using \&\fBEVP_PKEY_CTX_get_params()\fR. 
-.IP """algorithm-id"" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string>" 4 +.IP """algorithm\-id"" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string>" 4 .IX Item """algorithm-id"" (OSSL_SIGNATURE_PARAM_ALGORITHM_ID) <octet string>" .PD 0 -.IP """fips-indicator"" (\fBOSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR) <integer>" -.IP """verify-message"" (\fBOSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE\fR <integer>" 4 +.IP """verify\-message"" (\fBOSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE\fR <integer>" 4 .IX Item """verify-message"" (OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE <integer>" .PD These common parameter are described in \fBprovider\-signature\fR\|(7). .IP """digest"" (\fBOSSL_SIGNATURE_PARAM_DIGEST\fR) <UTF8 string>" 4 .IX Item """digest"" (OSSL_SIGNATURE_PARAM_DIGEST) <UTF8 string>" .PD 0 -.IP """pad-mode"" (\fBOSSL_SIGNATURE_PARAM_PAD_MODE\fR) <UTF8 string>" 4 +.IP """pad\-mode"" (\fBOSSL_SIGNATURE_PARAM_PAD_MODE\fR) <UTF8 string>" 4 .IX Item """pad-mode"" (OSSL_SIGNATURE_PARAM_PAD_MODE) <UTF8 string>" .IP """mgf1\-digest"" (\fBOSSL_SIGNATURE_PARAM_MGF1_DIGEST\fR) <UTF8 string>" 4 .IX Item """mgf1-digest"" (OSSL_SIGNATURE_PARAM_MGF1_DIGEST) <UTF8 string>" diff --git a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-SLH-DSA.7 b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-SLH-DSA.7 index 79d43741e1a2..e5bca0dadb54 100644 --- a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-SLH-DSA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-SLH-DSA.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SIGNATURE-SLH-DSA 7ossl" -.TH EVP_SIGNATURE-SLH-DSA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SIGNATURE-SLH-DSA 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -77,7 +80,7 @@ The \fBSLH\-DSA\-SHA2\-128s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHA2\-128f\fR, \&\fBSLH\-DSA\-SHAKE\-128s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHAKE\-128f\fR, \&\fBSLH\-DSA\-SHAKE\-192s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHAKE\-192f\fR, \&\fBSLH\-DSA\-SHAKE\-256s\fR and \fBEVP_PKEY\-SLH\-DSA\-SHAKE\-256f\fR EVP_PKEY implementations -supports key generation, one-shot sign and verify using the SLH-DSA +supports key generation, one\-shot sign and verify using the SLH\-DSA signature schemes described in FIPS 205. .PP The different algorithms names correspond to the parameter sets defined in 
@@ -86,45 +89,45 @@ FIPS 205 Section 11 Table 2. (The signatures range from ~8K to ~50K depending on the type chosen). There are 3 different security categories also depending on the type. .PP -\&\fBEVP_SIGNATURE_fetch\fR\|(3) can be used to explicitely fetch one of the 12 +\&\fBEVP_SIGNATURE_fetch\fR\|(3) can be used to explicitly fetch one of the 12 algorithms which can then be used with \fBEVP_PKEY_sign_message_init\fR\|(3), \&\fBEVP_PKEY_sign\fR\|(3), \fBEVP_PKEY_verify_message_init\fR\|(3), and -\&\fBEVP_PKEY_verify\fR\|(3) to perform one-shot message signing or verification. +\&\fBEVP_PKEY_verify\fR\|(3) to perform one\-shot message signing or verification. .PP -The normal signing process (called Pure SLH-DSA Signature Generation) +The normal signing process (called Pure SLH\-DSA Signature Generation) encodes the message internally as 0x00 || len(ctx) || ctx || message. where \fBctx\fR is some optional value of size 0x00..0xFF. OpenSSL also allows the message to not be encoded which is required for -testing. OpenSSL does not support Pre Hash SLH-DSA Signature Generation, but this -may be done by the user by doing Pre hash encoding externally and then chosing +testing. OpenSSL does not support Pre Hash SLH\-DSA Signature Generation, but this +may be done by the user by doing Pre hash encoding externally and then choosing the option to not encode the message. -.SS "SLH-DSA Signature Parameters" +.SS "SLH\-DSA Signature Parameters" .IX Subsection "SLH-DSA Signature Parameters" The \f(CW\*(C`context\-string\*(C'\fR parameter, described below, can be used for both signing and verification. 
It may be set by passing an OSSL_PARAM array to \fBEVP_PKEY_sign_init_ex2\fR\|(3) or \&\fBEVP_PKEY_verify_init_ex2\fR\|(3) -.IP """context-string"" (\fBOSSL_SIGNATURE_PARAM_CONTEXT_STRING\fR) <octet string>" 4 +.IP """context\-string"" (\fBOSSL_SIGNATURE_PARAM_CONTEXT_STRING\fR) <octet string>" 4 .IX Item """context-string"" (OSSL_SIGNATURE_PARAM_CONTEXT_STRING) <octet string>" A string of octets with length at most 255. By default it is the empty string. .PP The following parameters can be used when signing: They can be set by passing an OSSL_PARAM array to \fBEVP_PKEY_sign_init_ex2\fR\|(3). -.IP """message-encoding"" (\fBOSSL_SIGNATURE_PARAM_MESSAGE_ENCODING\fR) <integer>" 4 +.IP """message\-encoding"" (\fBOSSL_SIGNATURE_PARAM_MESSAGE_ENCODING\fR) <integer>" 4 .IX Item """message-encoding"" (OSSL_SIGNATURE_PARAM_MESSAGE_ENCODING) <integer>" -The default value of 1 uses 'Pure SLH-DSA Signature Generation' as described +The default value of 1 uses \*(AqPure SLH\-DSA Signature Generation\*(Aq as described above. Setting it to 0 does not encode the message, which is used for testing, -but can also be used for 'Pre Hash SLH-DSA Signature Generation'. -.IP """test-entropy"" (\fBOSSL_SIGNATURE_PARAM_TEST_ENTROPY <octet string\fR" 4 +but can also be used for \*(AqPre Hash SLH\-DSA Signature Generation\*(Aq. +.IP """test\-entropy"" (\fBOSSL_SIGNATURE_PARAM_TEST_ENTROPY <octet string\fR" 4 .IX Item """test-entropy"" (OSSL_SIGNATURE_PARAM_TEST_ENTROPY <octet string" Used for testing to pass a optional random value. .IP """deterministic"" (\fBOSSL_SIGNATURE_PARAM_DETERMINISTIC\fR) <integer>" 4 .IX Item """deterministic"" (OSSL_SIGNATURE_PARAM_DETERMINISTIC) <integer>" The default value of 0 generates a random value (using a DRBG) this is used when processing the message. Setting this to 1 causes the private key seed to be used -instead. This value is ignored if "test-entropy" is set. +instead. This value is ignored if "test\-entropy" is set. 
.PP -See \fBEVP_PKEY\-SLH\-DSA\fR\|(7) for information related to \fBSLH-DSA\fR keys. +See \fBEVP_PKEY\-SLH\-DSA\fR\|(7) for information related to \fBSLH\-DSA\fR keys. .SH NOTES .IX Header "NOTES" For backwards compatibility reasons \fBEVP_DigestSignInit_ex()\fR, \fBEVP_DigestSign()\fR, @@ -132,7 +135,7 @@ For backwards compatibility reasons \fBEVP_DigestSignInit_ex()\fR, \fBEVP_Digest passed in \fImdname\fR must be NULL. .SH EXAMPLES .IX Header "EXAMPLES" -To sign a message using an SLH-DSA EVP_PKEY structure: +To sign a message using an SLH\-DSA EVP_PKEY structure: .PP .Vb 10 \& void do_sign(EVP_PKEY *key, unsigned char *msg, size_t msg_len) diff --git a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-FIPS.7 b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-FIPS.7 index 2ec89d2a6f38..c48f6c26d7ce 100644 --- a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-FIPS.7 +++ b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-FIPS.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PROVIDER-FIPS 7ossl" -.TH OSSL_PROVIDER-FIPS 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PROVIDER-FIPS 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -65,7 +68,7 @@ OSSL_PROVIDER\-FIPS \- OpenSSL FIPS provider .SH DESCRIPTION .IX Header "DESCRIPTION" The OpenSSL FIPS provider is a special provider that conforms to the Federal -Information Processing Standards (FIPS) specified in FIPS 140\-3. This 'module' +Information Processing Standards (FIPS) specified in FIPS 140\-3. This \*(Aqmodule\*(Aq contains an approved set of cryptographic algorithms that is validated by an accredited testing laboratory. .SS Properties @@ -87,7 +90,7 @@ functions that take a property query string, such as To be FIPS compliant, it is mandatory to include \f(CW\*(C`fips=yes\*(C'\fR as part of all property queries. This ensures that only FIPS approved implementations are used for cryptographic operations. The \f(CW\*(C`fips=yes\*(C'\fR -query may also include other non-crypto support operations that +query may also include other non\-crypto support operations that are not in the FIPS provider, such as asymmetric key encoders, see "Asymmetric Key Management" in \fBOSSL_PROVIDER\-default\fR\|(7). .PP @@ -117,7 +120,7 @@ The OpenSSL FIPS provider supports these operations and algorithms: .IX Item "SHA2, see EVP_MD-SHA2" .IP "SHA3, see \fBEVP_MD\-SHA3\fR\|(7)" 4 .IX Item "SHA3, see EVP_MD-SHA3" -.IP "KECCAK-KMAC, see \fBEVP_MD\-KECCAK\-KMAC\fR\|(7)" 4 +.IP "KECCAK\-KMAC, see \fBEVP_MD\-KECCAK\-KMAC\fR\|(7)" 4 .IX Item "KECCAK-KMAC, see EVP_MD-KECCAK-KMAC" .IP "SHAKE, see \fBEVP_MD\-SHAKE\fR\|(7)" 4 .IX Item "SHAKE, see EVP_MD-SHAKE" @@ -177,7 +180,7 @@ The OpenSSL FIPS provider supports these operations and algorithms: .IX Item "X25519, see EVP_KEYEXCH-X25519" .IP "X448, see \fBEVP_KEYEXCH\-X448\fR\|(7)" 4 .IX Item "X448, see EVP_KEYEXCH-X448" -.IP "ML-KEM, see \fBEVP_KEM\-ML\-KEM\fR\|(7)" 4 +.IP "ML\-KEM, see \fBEVP_KEM\-ML\-KEM\fR\|(7)" 4 .IX Item "ML-KEM, see EVP_KEM-ML-KEM" .IP TLS1\-PRF 4 .IX Item "TLS1-PRF" 
@@ -206,7 +209,7 @@ for signature generation, but may be used for verification for legacy use cases. .IX Item "ML-DSA-65, see EVP_SIGNATURE-ML-DSA" .IP "ML\-DSA\-87, see \fBEVP_SIGNATURE\-ML\-DSA\fR\|(7)" 4 .IX Item "ML-DSA-87, see EVP_SIGNATURE-ML-DSA" -.IP "SLH-DSA, see \fBEVP_SIGNATURE\-SLH\-DSA\fR\|(7)" 4 +.IP "SLH\-DSA, see \fBEVP_SIGNATURE\-SLH\-DSA\fR\|(7)" 4 .IX Item "SLH-DSA, see EVP_SIGNATURE-SLH-DSA" .IP "HMAC, see \fBEVP_SIGNATURE\-HMAC\fR\|(7)" 4 .IX Item "HMAC, see EVP_SIGNATURE-HMAC" @@ -219,10 +222,8 @@ for signature generation, but may be used for verification for legacy use cases. .IX Item "RSA, see EVP_ASYM_CIPHER-RSA" .SS "Asymmetric Key Encapsulation" .IX Subsection "Asymmetric Key Encapsulation" -.PD 0 .IP "RSA, see \fBEVP_KEM\-RSA\fR\|(7)" 4 .IX Item "RSA, see EVP_KEM-RSA" -.PD .SS "Asymmetric Key Management" .IX Subsection "Asymmetric Key Management" .IP "DH, see \fBEVP_KEYMGMT\-DH\fR\|(7)" 4 @@ -234,7 +235,7 @@ for signature generation, but may be used for verification for legacy use cases. .IX Item "DSA, see EVP_KEYMGMT-DSA" .IP "RSA, see \fBEVP_KEYMGMT\-RSA\fR\|(7)" 4 .IX Item "RSA, see EVP_KEYMGMT-RSA" -.IP RSA-PSS 4 +.IP RSA\-PSS 4 .IX Item "RSA-PSS" .IP "EC, see \fBEVP_KEYMGMT\-EC\fR\|(7)" 4 .IX Item "EC, see EVP_KEYMGMT-EC" 
@@ -295,19 +296,19 @@ included in SP 800\-56Arev3 are not approved for key agreement". .PD .SS "Random Number Generation" .IX Subsection "Random Number Generation" -.IP "CRNG-TEST, see \fBEVP_RAND\-CRNG\-TEST\fR\|(7)" 4 +.IP "CRNG\-TEST, see \fBEVP_RAND\-CRNG\-TEST\fR\|(7)" 4 .IX Item "CRNG-TEST, see EVP_RAND-CRNG-TEST" .PD 0 -.IP "CTR-DRBG, see \fBEVP_RAND\-CTR\-DRBG\fR\|(7)" 4 +.IP "CTR\-DRBG, see \fBEVP_RAND\-CTR\-DRBG\fR\|(7)" 4 .IX Item "CTR-DRBG, see EVP_RAND-CTR-DRBG" -.IP "HASH-DRBG, see \fBEVP_RAND\-HASH\-DRBG\fR\|(7)" 4 +.IP "HASH\-DRBG, see \fBEVP_RAND\-HASH\-DRBG\fR\|(7)" 4 .IX Item "HASH-DRBG, see EVP_RAND-HASH-DRBG" -.IP "HMAC-DRBG, see \fBEVP_RAND\-HMAC\-DRBG\fR\|(7)" 4 +.IP "HMAC\-DRBG, see \fBEVP_RAND\-HMAC\-DRBG\fR\|(7)" 4 .IX Item "HMAC-DRBG, see EVP_RAND-HMAC-DRBG" -.IP "TEST-RAND, see \fBEVP_RAND\-TEST\-RAND\fR\|(7)" 4 +.IP "TEST\-RAND, see \fBEVP_RAND\-TEST\-RAND\fR\|(7)" 4 .IX Item "TEST-RAND, see EVP_RAND-TEST-RAND" .PD -TEST-RAND is an unapproved algorithm. +TEST\-RAND is an unapproved algorithm. .SH "SELF TESTING" .IX Header "SELF TESTING" A requirement of FIPS modules is to run cryptographic algorithm self tests. 
@@ -400,11 +401,11 @@ The FIPS module passes the following descriptions(s) to \fBOSSL_SELF_TEST_onbegi .IX Item """EDDSA"" (OSSL_SELF_TEST_DESC_PCT_EDDSA)" .IP """DSA"" (\fBOSSL_SELF_TEST_DESC_PCT_DSA\fR)" 4 .IX Item """DSA"" (OSSL_SELF_TEST_DESC_PCT_DSA)" -.IP """ML-DSA"" (\fBOSSL_SELF_TEST_DESC_PCT_ML_DSA\fR)" 4 +.IP """ML\-DSA"" (\fBOSSL_SELF_TEST_DESC_PCT_ML_DSA\fR)" 4 .IX Item """ML-DSA"" (OSSL_SELF_TEST_DESC_PCT_ML_DSA)" -.IP """ML-KEM"" (\fBOSSL_SELF_TEST_DESC_PCT_ML_KEM\fR)" 4 +.IP """ML\-KEM"" (\fBOSSL_SELF_TEST_DESC_PCT_ML_KEM\fR)" 4 .IX Item """ML-KEM"" (OSSL_SELF_TEST_DESC_PCT_ML_KEM)" -.IP """SLH-DSA"" (\fBOSSL_SELF_TEST_DESC_PCT_SLH_DSA\fR)" 4 +.IP """SLH\-DSA"" (\fBOSSL_SELF_TEST_DESC_PCT_SLH_DSA\fR)" 4 .IX Item """SLH-DSA"" (OSSL_SELF_TEST_DESC_PCT_SLH_DSA)" .PD Key generation tests used with the "Pairwise_Consistency_Test" type. @@ -415,12 +416,12 @@ Key generation tests used with the "Pairwise_Consistency_Test" type. .IX Item """RSA_Decrypt"" (OSSL_SELF_TEST_DESC_ASYM_RSA_DEC)" .PD "KAT_AsymmetricCipher" uses this to indicate an encrypt or decrypt KAT. -.IP """ML-DSA"" (\fBOSSL_SELF_TEST_DESC_KEYGEN_ML_DSA\fR)" 4 +.IP """ML\-DSA"" (\fBOSSL_SELF_TEST_DESC_KEYGEN_ML_DSA\fR)" 4 .IX Item """ML-DSA"" (OSSL_SELF_TEST_DESC_KEYGEN_ML_DSA)" .PD 0 -.IP """ML-KEM"" (\fBOSSL_SELF_TEST_DESC_KEYGEN_ML_KEM\fR)" 4 +.IP """ML\-KEM"" (\fBOSSL_SELF_TEST_DESC_KEYGEN_ML_KEM\fR)" 4 .IX Item """ML-KEM"" (OSSL_SELF_TEST_DESC_KEYGEN_ML_KEM)" -.IP """SLH-DSA"" (\fBOSSL_SELF_TEST_DESC_KEYGEN_SLH_DSA\fR)" 4 +.IP """SLH\-DSA"" (\fBOSSL_SELF_TEST_DESC_KEYGEN_SLH_DSA\fR)" 4 .IX Item """SLH-DSA"" (OSSL_SELF_TEST_DESC_KEYGEN_SLH_DSA)" .PD "KAT_AsymmetricKeyGeneration" uses this to indicate a key generation KAT. 
@@ -451,9 +452,9 @@ Digest tests used with the "KAT_Digest" type. .IX Item """ECDSA"" (OSSL_SELF_TEST_DESC_SIGN_ECDSA)" .IP """EDDSA"" (\fBOSSL_SELF_TEST_DESC_SIGN_EDDSA\fR)" 4 .IX Item """EDDSA"" (OSSL_SELF_TEST_DESC_SIGN_EDDSA)" -.IP """ML-DSA"" (\fBOSSL_SELF_TEST_DESC_SIGN_ML_DSA\fR)" 4 +.IP """ML\-DSA"" (\fBOSSL_SELF_TEST_DESC_SIGN_ML_DSA\fR)" 4 .IX Item """ML-DSA"" (OSSL_SELF_TEST_DESC_SIGN_ML_DSA)" -.IP """SLH-DSA"" (\fBOSSL_SELF_TEST_DESC_SIGN_SLH_DSA\fR)" 4 +.IP """SLH\-DSA"" (\fBOSSL_SELF_TEST_DESC_SIGN_SLH_DSA\fR)" 4 .IX Item """SLH-DSA"" (OSSL_SELF_TEST_DESC_SIGN_SLH_DSA)" .PD Signature tests used with the "KAT_Signature" type. @@ -562,7 +563,7 @@ Some released versions of OpenSSL do not include a validated FIPS provider. To determine which versions have undergone the validation process, please refer to the OpenSSL Downloads page <https://www.openssl.org/source/>. If you -require FIPS-approved functionality, it is essential to build your FIPS +require FIPS\-approved functionality, it is essential to build your FIPS provider using one of the validated versions listed there. Normally, it is possible to utilize a FIPS provider constructed from one of the validated versions alongside \fIlibcrypto\fR and \fIlibssl\fR compiled from any diff --git a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-base.7 b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-base.7 index 0d978cc170ec..08d5a27021e7 100644 --- a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-base.7 +++ b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-base.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PROVIDER-BASE 7ossl" -.TH OSSL_PROVIDER-BASE 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PROVIDER-BASE 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -64,7 +67,7 @@ OSSL_PROVIDER\-base \- OpenSSL base provider .SH DESCRIPTION .IX Header "DESCRIPTION" -The OpenSSL base provider supplies the encoding for OpenSSL's +The OpenSSL base provider supplies the encoding for OpenSSL\*(Aqs asymmetric cryptography. .SS Properties .IX Subsection "Properties" @@ -75,7 +78,7 @@ defined: .PP It may be used in a property query string with fetching functions. .PP -It isn't mandatory to query for this property, except to make sure to get +It isn\*(Aqt mandatory to query for this property, except to make sure to get implementations of this provider and none other. .IP """type=parameters""" 4 .IX Item """type=parameters""" @@ -106,21 +109,21 @@ currently permitted. The OpenSSL base provider supports these operations and algorithms: .SS "Random Number Generation" .IX Subsection "Random Number Generation" -.IP "SEED-SRC, see \fBEVP_RAND\-SEED\-SRC\fR\|(7)" 4 +.IP "SEED\-SRC, see \fBEVP_RAND\-SEED\-SRC\fR\|(7)" 4 .IX Item "SEED-SRC, see EVP_RAND-SEED-SRC" .PD 0 .IP "JITTER, see \fBEVP_RAND\-JITTER\fR\|(7)" 4 .IX Item "JITTER, see EVP_RAND-JITTER" .PD .PP -In addition to this provider, the "SEED-SRC" and "JITTER" algorithms +In addition to this provider, the "SEED\-SRC" and "JITTER" algorithms are also available in the default provider. .SS "Asymmetric Key Encoder" .IX Subsection "Asymmetric Key Encoder" .IP RSA 4 .IX Item "RSA" .PD 0 -.IP RSA-PSS 4 +.IP RSA\-PSS 4 .IX Item "RSA-PSS" .IP DH 4 .IX Item "DH" 
@@ -186,7 +189,7 @@ combination with the FIPS provider. .IP RSA 4 .IX Item "RSA" .PD 0 -.IP RSA-PSS 4 +.IP RSA\-PSS 4 .IX Item "RSA-PSS" .IP DH 4 .IX Item "DH" @@ -268,7 +271,7 @@ available in the default provider. .IX Header "HISTORY" This functionality was added in OpenSSL 3.0. .PP -Support for \fBML-DSA\fR and <ML\-KEM> was added in OpenSSL 3.5. +Support for \fBML\-DSA\fR and <ML\-KEM> was added in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2020\-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-default.7 b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-default.7 index 6d3ee808f7db..96dd33a6ce80 100644 --- a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-default.7 +++ b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-default.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PROVIDER-DEFAULT 7ossl" -.TH OSSL_PROVIDER-DEFAULT 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PROVIDER-DEFAULT 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -64,15 +67,15 @@ OSSL_PROVIDER\-default \- OpenSSL default provider .SH DESCRIPTION .IX Header "DESCRIPTION" -The OpenSSL default provider supplies the majority of OpenSSL's diverse -algorithm implementations. If an application doesn't specify anything else +The OpenSSL default provider supplies the majority of OpenSSL\*(Aqs diverse +algorithm implementations. If an application doesn\*(Aqt specify anything else explicitly (e.g. in the application or via config), then this is the provider that will be used as fallback: It is loaded automatically the first time that an algorithm is fetched from a provider or a function acting on providers is called and no other provider has been loaded yet. .PP If an attempt to load a provider has already been made (whether successful -or not) then the default provider won't be loaded automatically. Therefore +or not) then the default provider won\*(Aqt be loaded automatically. Therefore if the default provider is to be used in conjunction with other providers then it must be loaded explicitly. Automatic loading of the default provider only occurs a maximum of once; if the default provider is @@ -90,7 +93,7 @@ It may be used in a property query string with fetching functions such as functions that take a property query string, such as \&\fBEVP_PKEY_CTX_new_from_name\fR\|(3). .PP -It isn't mandatory to query for this property, except to make sure to get +It isn\*(Aqt mandatory to query for this property, except to make sure to get implementations of this provider and none other. .PP Some implementations may define additional properties. Exact information is 
@@ -109,7 +112,7 @@ The OpenSSL default provider supports these operations and algorithms: .IX Item "SHA3, see EVP_MD-SHA3" .IP "KECCAK, see \fBEVP_MD\-KECCAK\fR\|(7)" 4 .IX Item "KECCAK, see EVP_MD-KECCAK" -.IP "KECCAK-KMAC, see \fBEVP_MD\-KECCAK\-KMAC\fR\|(7)" 4 +.IP "KECCAK\-KMAC, see \fBEVP_MD\-KECCAK\-KMAC\fR\|(7)" 4 .IX Item "KECCAK-KMAC, see EVP_MD-KECCAK-KMAC" .IP "SHAKE, see \fBEVP_MD\-SHAKE\fR\|(7)" 4 .IX Item "SHAKE, see EVP_MD-SHAKE" @@ -193,7 +196,7 @@ The OpenSSL default provider supports these operations and algorithms: .IX Item "SCRYPT, see EVP_KDF-SCRYPT" .IP "KRB5KDF, see \fBEVP_KDF\-KRB5KDF\fR\|(7)" 4 .IX Item "KRB5KDF, see EVP_KDF-KRB5KDF" -.IP "HMAC-DRBG, see \fBEVP_KDF\-HMAC\-DRBG\fR\|(7)" 4 +.IP "HMAC\-DRBG, see \fBEVP_KDF\-HMAC\-DRBG\fR\|(7)" 4 .IX Item "HMAC-DRBG, see EVP_KDF-HMAC-DRBG" .IP "ARGON2, see \fBEVP_KDF\-ARGON2\fR\|(7)" 4 .IX Item "ARGON2, see EVP_KDF-ARGON2" @@ -309,7 +312,7 @@ The OpenSSL default provider supports these operations and algorithms: .PD 0 .IP "RSA, see \fBEVP_KEYMGMT\-RSA\fR\|(7)" 4 .IX Item "RSA, see EVP_KEYMGMT-RSA" -.IP RSA-PSS 4 +.IP RSA\-PSS 4 .IX Item "RSA-PSS" .IP "EC, see \fBEVP_KEYMGMT\-EC\fR\|(7)" 4 .IX Item "EC, see EVP_KEYMGMT-EC" 
@@ -380,29 +383,29 @@ The OpenSSL default provider supports these operations and algorithms: .PD .SS "Random Number Generation" .IX Subsection "Random Number Generation" -.IP "CTR-DRBG, see \fBEVP_RAND\-CTR\-DRBG\fR\|(7)" 4 +.IP "CTR\-DRBG, see \fBEVP_RAND\-CTR\-DRBG\fR\|(7)" 4 .IX Item "CTR-DRBG, see EVP_RAND-CTR-DRBG" .PD 0 -.IP "HASH-DRBG, see \fBEVP_RAND\-HASH\-DRBG\fR\|(7)" 4 +.IP "HASH\-DRBG, see \fBEVP_RAND\-HASH\-DRBG\fR\|(7)" 4 .IX Item "HASH-DRBG, see EVP_RAND-HASH-DRBG" -.IP "HMAC-DRBG, see \fBEVP_RAND\-HMAC\-DRBG\fR\|(7)" 4 +.IP "HMAC\-DRBG, see \fBEVP_RAND\-HMAC\-DRBG\fR\|(7)" 4 .IX Item "HMAC-DRBG, see EVP_RAND-HMAC-DRBG" -.IP "SEED-SRC, see \fBEVP_RAND\-SEED\-SRC\fR\|(7)" 4 +.IP "SEED\-SRC, see \fBEVP_RAND\-SEED\-SRC\fR\|(7)" 4 .IX Item "SEED-SRC, see EVP_RAND-SEED-SRC" .IP "JITTER, see \fBEVP_RAND\-JITTER\fR\|(7)" 4 .IX Item "JITTER, see EVP_RAND-JITTER" -.IP "TEST-RAND, see \fBEVP_RAND\-TEST\-RAND\fR\|(7)" 4 +.IP "TEST\-RAND, see \fBEVP_RAND\-TEST\-RAND\fR\|(7)" 4 .IX Item "TEST-RAND, see EVP_RAND-TEST-RAND" .PD .PP -In addition to this provider, the "SEED-SRC" and "JITTER" algorithms +In addition to this provider, the "SEED\-SRC" and "JITTER" algorithms are also available in the base provider. .SS "Asymmetric Key Encoder" .IX Subsection "Asymmetric Key Encoder" .IP RSA 4 .IX Item "RSA" .PD 0 -.IP RSA-PSS 4 +.IP RSA\-PSS 4 .IX Item "RSA-PSS" .IP DH 4 .IX Item "DH" @@ -468,7 +471,7 @@ combination with the FIPS provider. .IP RSA 4 .IX Item "RSA" .PD 0 -.IP RSA-PSS 4 +.IP RSA\-PSS 4 .IX Item "RSA-PSS" .IP DH 4 .IX Item "DH" diff --git a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-legacy.7 b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-legacy.7 index 6626df7f56ed..27aece024916 100644 --- a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-legacy.7 +++ b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-legacy.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PROVIDER-LEGACY 7ossl" -.TH OSSL_PROVIDER-LEGACY 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PROVIDER-LEGACY 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -82,7 +85,7 @@ It may be used in a property query string with fetching functions such as functions that take a property query string, such as \&\fBEVP_PKEY_CTX_new_from_name\fR\|(3). .PP -It isn't mandatory to query for any of these properties, except to +It isn\*(Aqt mandatory to query for any of these properties, except to make sure to get implementations of this provider and none other. .SH "OPERATIONS AND ALGORITHMS" .IX Header "OPERATIONS AND ALGORITHMS" @@ -130,9 +133,9 @@ Disabled by default. Use \fIenable\-rc5\fR config option to enable. .IX Item "SEED, see EVP_CIPHER-SEED" .SS "Key Derivation Function (KDF)" .IX Subsection "Key Derivation Function (KDF)" -.PD 0 .IP PBKDF1 4 .IX Item "PBKDF1" +.PD 0 .IP PVKKDF 4 .IX Item "PVKKDF" .PD diff --git a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-null.7 b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-null.7 index bfff452070ee..2136114ef785 100644 --- a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-null.7 +++ b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-null.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PROVIDER-NULL 7ossl" -.TH OSSL_PROVIDER-NULL 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PROVIDER-NULL 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/OSSL_STORE-winstore.7 b/secure/lib/libcrypto/man/man7/OSSL_STORE-winstore.7 index 9a7f3d2bb580..5a2f98654730 100644 --- a/secure/lib/libcrypto/man/man7/OSSL_STORE-winstore.7 +++ b/secure/lib/libcrypto/man/man7/OSSL_STORE-winstore.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_STORE-WINSTORE 7ossl" -.TH OSSL_STORE-WINSTORE 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_STORE-WINSTORE 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -64,7 +67,7 @@ OSSL_STORE\-winstore \- OpenSSL built in OSSL_STORE for Windows .SH DESCRIPTION .IX Header "DESCRIPTION" -The OSSL_STORE implementation for Windows provides access to Windows' system +The OSSL_STORE implementation for Windows provides access to Windows\*(Aq system \&\f(CW\*(C`ROOT\*(C'\fR certificate store through URIs, using the URI scheme \&\f(CW\*(C`org.openssl.winstore\*(C'\fR. .SS "Supported URIs" @@ -111,7 +114,7 @@ The winstore (\f(CW\*(C`org.openssl.winstore\*(C'\fR) implementation was added i .SH NOTES .IX Header "NOTES" OpenSSL uses \fBOSSL_DECODER\fR\|(3) implementations under the hood. -To influence what \fBOSSL_DECODER\fR\|(3) implementations are used, it's advisable +To influence what \fBOSSL_DECODER\fR\|(3) implementations are used, it\*(Aqs advisable to use \fBOSSL_STORE_open_ex\fR\|(3) and set the \fIpropq\fR argument. .SH COPYRIGHT .IX Header "COPYRIGHT" diff --git a/secure/lib/libcrypto/man/man7/RAND.7 b/secure/lib/libcrypto/man/man7/RAND.7 index 07f4e2f7cdf3..b8fc7dbc4f7c 100644 --- a/secure/lib/libcrypto/man/man7/RAND.7 +++ b/secure/lib/libcrypto/man/man7/RAND.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RAND 7ossl" -.TH RAND 7ossl 2025-09-30 3.5.4 OpenSSL +.TH RAND 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -67,8 +70,8 @@ RAND .IX Header "DESCRIPTION" Random numbers are a vital part of cryptography, they are needed to provide unpredictability for tasks like key generation, creating salts, and many more. -Software-based generators must be seeded with external randomness before they -can be used as a cryptographically-secure pseudo-random number generator +Software\-based generators must be seeded with external randomness before they +can be used as a cryptographically\-secure pseudo\-random number generator (CSPRNG). The availability of common hardware with special instructions and modern operating systems, which may use items such as interrupt jitter @@ -78,7 +81,7 @@ OpenSSL comes with a default implementation of the RAND API which is based on the deterministic random bit generator (DRBG) model as described in [NIST SP 800\-90A Rev. 1]. The default random generator will initialize automatically on first use and will be fully functional without having -to be initialized ('seeded') explicitly. +to be initialized (\*(Aqseeded\*(Aq) explicitly. It seeds and reseeds itself automatically using trusted random sources provided by the operating system. .PP @@ -95,7 +98,7 @@ For more details on reseeding and error recovery, see \fBEVP_RAND\fR\|(7). .PP For values that should remain secret, you can use \fBRAND_priv_bytes\fR\|(3) instead. -This method does not provide 'better' randomness, it uses the same type of +This method does not provide \*(Aqbetter\*(Aq randomness, it uses the same type of CSPRNG. The intention behind using a dedicated CSPRNG exclusively for private values is that none of its output should be visible to an attacker (e.g., 
@@ -122,7 +125,7 @@ family of functions. .IX Header "DEFAULT SETUP" The default OpenSSL RAND method is based on the EVP_RAND deterministic random bit generator (DRBG) classes. -A DRBG is a certain type of cryptographically-secure pseudo-random +A DRBG is a certain type of cryptographically\-secure pseudo\-random number generator (CSPRNG), which is described in [NIST SP 800\-90A Rev. 1]. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man7/RSA-PSS.7 b/secure/lib/libcrypto/man/man7/RSA-PSS.7 index 6258e5a5a791..131217d18fd3 100644 --- a/secure/lib/libcrypto/man/man7/RSA-PSS.7 +++ b/secure/lib/libcrypto/man/man7/RSA-PSS.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA-PSS 7ossl" -.TH RSA-PSS 7ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA-PSS 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -64,7 +67,7 @@ RSA\-PSS \- EVP_PKEY RSA\-PSS algorithm support .SH DESCRIPTION .IX Header "DESCRIPTION" -The \fBRSA-PSS\fR EVP_PKEY implementation is a restricted version of the RSA +The \fBRSA\-PSS\fR EVP_PKEY implementation is a restricted version of the RSA algorithm which only supports signing, verification and key generation using PSS padding modes with optional parameter restrictions. .PP 
@@ -87,8 +90,8 @@ By default no parameter restrictions are placed on the generated key. .IX Header "NOTES" The public key format is documented in RFC4055. .PP -The PKCS#8 private key format used for RSA-PSS keys is similar to the RSA -format except it uses the \fBid-RSASSA-PSS\fR OID and the parameters field, if +The PKCS#8 private key format used for RSA\-PSS keys is similar to the RSA +format except it uses the \fBid\-RSASSA\-PSS\fR OID and the parameters field, if present, restricts the key parameters in the same way as the public key. .SH "CONFORMING TO" .IX Header "CONFORMING TO" diff --git a/secure/lib/libcrypto/man/man7/X25519.7 b/secure/lib/libcrypto/man/man7/X25519.7 index 9e8e6265b4d0..5ac52c2fca8b 100644 --- a/secure/lib/libcrypto/man/man7/X25519.7 +++ b/secure/lib/libcrypto/man/man7/X25519.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X25519 7ossl" -.TH X25519 7ossl 2025-09-30 3.5.4 OpenSSL +.TH X25519 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/bio.7 b/secure/lib/libcrypto/man/man7/bio.7 index 22aed27ce473..374ef2e7ca84 100644 --- a/secure/lib/libcrypto/man/man7/bio.7 +++ b/secure/lib/libcrypto/man/man7/bio.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO 7ossl" -.TH BIO 7ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -123,7 +126,7 @@ FreeBSD 12.0 and later, supports both client and server TFO. macOS 10.14 and later. .PP Each operating system has a slightly different API for TFO. Please -refer to the operating systems' API documentation when using +refer to the operating systems\*(Aq API documentation when using sockets directly. .SH EXAMPLES .IX Header "EXAMPLES" diff --git a/secure/lib/libcrypto/man/man7/ct.7 b/secure/lib/libcrypto/man/man7/ct.7 index 6f0f30e36b67..d20e2b492c35 100644 --- a/secure/lib/libcrypto/man/man7/ct.7 +++ b/secure/lib/libcrypto/man/man7/ct.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CT 7ossl" -.TH CT 7ossl 2025-09-30 3.5.4 OpenSSL +.TH CT 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/des_modes.7 b/secure/lib/libcrypto/man/man7/des_modes.7 index a04287e3429e..ccbb545e9f36 100644 --- a/secure/lib/libcrypto/man/man7/des_modes.7 +++ b/secure/lib/libcrypto/man/man7/des_modes.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DES_MODES 7ossl" -.TH DES_MODES 7ossl 2025-09-30 3.5.4 OpenSSL +.TH DES_MODES 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -78,7 +81,7 @@ Normally, this is found as the function \fIalgorithm\fR\fB_ecb_encrypt()\fR. The order of the blocks can be rearranged without detection. .IP \(bu 2 The same plaintext block always produces the same ciphertext block -(for the same key) making it vulnerable to a 'dictionary attack'. +(for the same key) making it vulnerable to a \*(Aqdictionary attack\*(Aq. .IP \(bu 2 An error will only affect one ciphertext block. .SS "Cipher Block Chaining Mode (CBC)" 
@@ -154,15 +157,15 @@ OFB mode of operation does not extend ciphertext errors in the resultant plaintext output. Every bit error in the ciphertext causes only one bit to be in error in the deciphered plaintext. .IP \(bu 2 -OFB mode is not self-synchronizing. If the two operation of +OFB mode is not self\-synchronizing. If the two operation of encipherment and decipherment get out of synchronism, the system needs -to be re-initialized. +to be re\-initialized. .IP \(bu 2 -Each re-initialization should use a value of the start variable +Each re\-initialization should use a value of the start variable different from the start variable values used before with the same key. The reason for this is that an identical bit stream would be produced each time from the same parameters. This would be -susceptible to a 'known plaintext' attack. +susceptible to a \*(Aqknown plaintext\*(Aq attack. .SS "Triple ECB Mode" .IX Subsection "Triple ECB Mode" Normally, this is found as the function \fIalgorithm\fR\fB_ecb3_encrypt()\fR. diff --git a/secure/lib/libcrypto/man/man7/evp.7 b/secure/lib/libcrypto/man/man7/evp.7 index 6e7b80004630..f8a10b45b000 100644 --- a/secure/lib/libcrypto/man/man7/evp.7 +++ b/secure/lib/libcrypto/man/man7/evp.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP 7ossl" -.TH EVP 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -69,7 +72,7 @@ evp \- high\-level cryptographic functions .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP library provides a high-level interface to cryptographic +The EVP library provides a high\-level interface to cryptographic functions. .PP The \fBEVP_Seal\fR\fIXXX\fR and \fBEVP_Open\fR\fIXXX\fR @@ -84,7 +87,7 @@ functions. Symmetric encryption is available with the \fBEVP_Encrypt\fR\fIXXX\fR functions. The \fBEVP_Digest\fR\fIXXX\fR functions provide message digests. .PP -The \fBEVP_PKEY\fR\fIXXX\fR functions provide a high-level interface to +The \fBEVP_PKEY\fR\fIXXX\fR functions provide a high\-level interface to asymmetric algorithms. To create a new EVP_PKEY see \&\fBEVP_PKEY_new\fR\|(3). EVP_PKEYs can be associated with a private key of a particular algorithm by using the functions @@ -120,12 +123,12 @@ as defaults, then the various EVP functions will automatically use those implementations automatically in preference to built in software implementations. For more information, consult the \fBengine\fR\|(3) man page. .PP -Although low-level algorithm specific functions exist for many algorithms +Although low\-level algorithm specific functions exist for many algorithms their use is discouraged. They cannot be used with an ENGINE and ENGINE -versions of new algorithms cannot be accessed using the low-level functions. +versions of new algorithms cannot be accessed using the low\-level functions. Also makes code harder to adapt to new algorithms and some options are not -cleanly supported at the low-level and some operations are more efficient -using the high-level interface. +cleanly supported at the low\-level and some operations are more efficient +using the high\-level interface. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_DigestInit\fR\|(3), diff --git a/secure/lib/libcrypto/man/man7/fips_module.7 b/secure/lib/libcrypto/man/man7/fips_module.7 index 69bcfe3c9958..e49f35fe2845 100644 --- a/secure/lib/libcrypto/man/man7/fips_module.7 
+++ b/secure/lib/libcrypto/man/man7/fips_module.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "FIPS_MODULE 7ossl" -.TH FIPS_MODULE 7ossl 2025-09-30 3.5.4 OpenSSL +.TH FIPS_MODULE 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -152,7 +155,7 @@ FIPS module config file that you installed earlier. See <https://github.com/openssl/openssl/blob/master/README\-FIPS.md>. .PP For FIPS usage, it is recommended that the \fBconfig_diagnostics\fR option is -enabled to prevent accidental use of non-FIPS validated algorithms via broken +enabled to prevent accidental use of non\-FIPS validated algorithms via broken or mistaken configuration. See \fBconfig\fR\|(5). .PP Any applications that use OpenSSL 3.0 and are started after these changes are @@ -193,7 +196,7 @@ application basis. The default OpenSSL config file depends on the compiled in value for \fBOPENSSLDIR\fR as described in the section above. However it is also possible to override the config file to be used via the \fBOPENSSL_CONF\fR environment variable. For example the following, on Unix, will cause the -application to be executed with a non-standard config file location: +application to be executed with a non\-standard config file location: .PP .Vb 1 \& $ OPENSSL_CONF=/my/nondefault/openssl.cnf myapplication 
@@ -260,7 +263,7 @@ have not explicitly specified via a property query (see below) which one should be used. .PP Also note that in this example we have additionally loaded the "base" provider. -This loads a sub-set of algorithms that are also available in the default +This loads a sub\-set of algorithms that are also available in the default provider \- specifically non cryptographic ones which may be used in conjunction with the FIPS provider. For example this contains algorithms for encoding and decoding keys. If you decide not to load the default provider then you @@ -312,14 +315,14 @@ default property query is defined then the two queries are merged together and both apply. The local property query overrides the default properties if the same property name is specified in both. .PP -There are two important built-in properties that you should be aware of: +There are two important built\-in properties that you should be aware of: .PP The "provider" property enables you to specify which provider you want an implementation to be fetched from, e.g. \f(CW\*(C`provider=default\*(C'\fR or \f(CW\*(C`provider=fips\*(C'\fR. All algorithms implemented in a provider have this property set on them. .PP There is also the \f(CW\*(C`fips\*(C'\fR property. All FIPS algorithms match against the -property query \f(CW\*(C`fips=yes\*(C'\fR. There are also some non-cryptographic algorithms +property query \f(CW\*(C`fips=yes\*(C'\fR. There are also some non\-cryptographic algorithms available in the default and base providers that also have the \f(CW\*(C`fips=yes\*(C'\fR property defined for them. These are the encoder and decoder algorithms that can (for example) be used to write out a key generated in the FIPS provider to a 
@@ -437,7 +440,7 @@ library contexts then the default library context will be automatically used. This could be the case for your own existing applications as well as certain parts of OpenSSL itself. Not all parts of OpenSSL are library context aware. If this happens then you could "accidentally" use the wrong library context for a -particular operation. To be sure this doesn't happen you can load the "null" +particular operation. To be sure this doesn\*(Aqt happen you can load the "null" provider into the default library context. Because a provider has been explicitly loaded, the default provider will not automatically load. This means code using the default context by accident will fail because no algorithms will @@ -455,7 +458,7 @@ you need a decoder to read previously saved keys and parameters. In most cases this will be invisible to you if you are using APIs that existed in OpenSSL 1.1.1 or earlier such as \fBi2d_PrivateKey\fR\|(3). However the appropriate encoder/decoder will need to be available in the library context associated with -the key or parameter object. The built-in OpenSSL encoders and decoders are +the key or parameter object. The built\-in OpenSSL encoders and decoders are implemented in both the default and base providers and are not in the FIPS module boundary. However since they are not cryptographic algorithms themselves it is still possible to use them in conjunction with the FIPS module, and 
@@ -534,11 +537,11 @@ setter. Overriding the check means that the algorithm is not FIPS compliant. \&\fBOSSL_INDICATOR_set_callback\fR\|(3) can be called to register a callback to log unapproved algorithms. At the end of any algorithm operation the approved status can be queried using an algorithm context getter to retrieve the indicator -(e.g. "fips-indicator"). -An example of an algorithm context setter is "key-check" +(e.g. "fips\-indicator"). +An example of an algorithm context setter is "key\-check" in "Supported parameters" in \fBEVP_KDF\-HKDF\fR\|(7). .PP -The following algorithms use "fips-indicator" to query if the algorithm +The following algorithms use "fips\-indicator" to query if the algorithm is approved: .IP "DSA Key generation" 4 .IX Item "DSA Key generation" @@ -569,7 +572,7 @@ See "Supported parameters" in \fBEVP_RAND\-HASH\-DRBG\fR\|(7) and \&\fBEVP_RAND\-HMAC\-DRBG\fR\|(7)/Supported parameters> .IP DES 4 .IX Item "DES" -Triple-DES is not longer approved for encryption. +Triple\-DES is not longer approved for encryption. See "Parameters" in \fBEVP_CIPHER\-DES\fR\|(7) .IP DH 4 .IX Item "DH" @@ -585,8 +588,8 @@ See relevant KDF documentation e.g. "Supported parameters" in \fBEVP_KDF\-HKDF\f See "Supported parameters" in \fBEVP_MAC\-CMAC\fR\|(7) and "Supported parameters" in \fBEVP_MAC\-KMAC\fR\|(7) .PP -The following FIPS algorithms are unapproved and use the "fips-indicator". -.IP RAND-TEST-RAND 4 +The following FIPS algorithms are unapproved and use the "fips\-indicator". +.IP RAND\-TEST\-RAND 4 .IX Item "RAND-TEST-RAND" See "Supported parameters" in \fBEVP_RAND\-TEST\-RAND\fR\|(7) The indicator callback is NOT triggered for this algorithm since it is used 
@@ -599,10 +602,10 @@ The unapproved (non FIPS validated) algorithms have a property query value of .PP The following algorithms use a unique indicator and do not trigger the indicator callback. -.IP "AES-GCM ciphers support the indicator ""iv-generated""" 4 +.IP "AES\-GCM ciphers support the indicator ""iv\-generated""" 4 .IX Item "AES-GCM ciphers support the indicator ""iv-generated""" See "PARAMETERS" in \fBEVP_EncryptInit\fR\|(3) for further information. -.IP "ECDSA and RSA Signatures support the indicator ""verify-message""." 4 +.IP "ECDSA and RSA Signatures support the indicator ""verify\-message""." 4 .IX Item "ECDSA and RSA Signatures support the indicator ""verify-message""." See "ECDSA Signature Parameters" in \fBEVP_SIGNATURE\-ECDSA\fR\|(7) and "Signature Parameters" in \fBEVP_SIGNATURE\-RSA\fR\|(7) /for further information. @@ -612,14 +615,14 @@ Some released versions of OpenSSL do not include a validated FIPS provider. To determine which versions have undergone the validation process, please refer to the OpenSSL Downloads page <https://www.openssl.org/source/>. If you -require FIPS-approved functionality, it is essential to build your FIPS +require FIPS\-approved functionality, it is essential to build your FIPS provider using one of the validated versions listed there. Normally, it is possible to utilize a FIPS provider constructed from one of the validated versions alongside \fIlibcrypto\fR and \fIlibssl\fR compiled from any release within the same major release series. This flexibility enables you to address bug fixes and CVEs that fall outside the FIPS boundary. .PP -As the FIPS provider still supports non-FIPS validated algorithms, +As the FIPS provider still supports non\-FIPS validated algorithms, The property query \f(CW\*(C`fips=yes\*(C'\fR is mandatory for applications that want to operate in a FIPS approved manner. .SH "SEE ALSO" 
diff --git a/secure/lib/libcrypto/man/man7/life_cycle-cipher.7 b/secure/lib/libcrypto/man/man7/life_cycle-cipher.7 index 8ac8518659ef..c0c328753a35 100644 --- a/secure/lib/libcrypto/man/man7/life_cycle-cipher.7 +++ b/secure/lib/libcrypto/man/man7/life_cycle-cipher.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "LIFE_CYCLE-CIPHER 7ossl" -.TH LIFE_CYCLE-CIPHER 7ossl 2025-09-30 3.5.4 OpenSSL +.TH LIFE_CYCLE-CIPHER 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -65,11 +68,11 @@ life_cycle\-cipher \- The cipher algorithm life\-cycle .SH DESCRIPTION .IX Header "DESCRIPTION" All symmetric ciphers (CIPHERs) go through a number of stages in their -life-cycle: +life\-cycle: .IP start 4 .IX Item "start" This state represents the CIPHER before it has been allocated. It is the -starting state for any life-cycle transitions. +starting state for any life\-cycle transitions. .IP newed 4 .IX Item "newed" This state represents the CIPHER after it has been allocated. 
@@ -85,12 +88,12 @@ input. There are three possible initialised states: .IX Item "initialised for decryption using EVP_DecryptInit" .IP "initialised for encryption using EVP_EncryptInit" 4 .IX Item "initialised for encryption using EVP_EncryptInit" +.PD .RE .RS 4 .RE .IP updated 4 .IX Item "updated" -.PD These states represent the CIPHER when it is set up and capable of processing additional input or generating output. The three possible states directly correspond to those for initialised above. The three different streams should @@ -101,18 +104,18 @@ This state represents the CIPHER when it has generated output. .IP freed 4 .IX Item "freed" This state is entered when the CIPHER is freed. It is the terminal state -for all life-cycle transitions. +for all life\-cycle transitions. .SS "State Transition Diagram" .IX Subsection "State Transition Diagram" -The usual life-cycle of a CIPHER is illustrated: +The usual life\-cycle of a CIPHER is illustrated: +---------------------------+ | | | start | | | +---------------------------+ + - - - - - - - - - - - - - + - | ' any of the initialised ' - | EVP_CIPHER_CTX_new ' updated or finaled states ' - v ' ' + | \*(Aq any of the initialised \*(Aq + | EVP_CIPHER_CTX_new \*(Aq updated or finaled states \*(Aq + v \*(Aq \*(Aq +---------------------------+ + - - - - - - - - - - - - - + | | | | newed | | EVP_CIPHER_CTX_reset diff --git a/secure/lib/libcrypto/man/man7/life_cycle-digest.7 b/secure/lib/libcrypto/man/man7/life_cycle-digest.7 index 783c078c9b6b..050cfc08c2be 100644 --- a/secure/lib/libcrypto/man/man7/life_cycle-digest.7 +++ b/secure/lib/libcrypto/man/man7/life_cycle-digest.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "LIFE_CYCLE-DIGEST 7ossl" -.TH LIFE_CYCLE-DIGEST 7ossl 2025-09-30 3.5.4 OpenSSL +.TH LIFE_CYCLE-DIGEST 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -64,11 +67,11 @@ life_cycle\-digest \- The digest algorithm life\-cycle .SH DESCRIPTION .IX Header "DESCRIPTION" -All message digests (MDs) go through a number of stages in their life-cycle: +All message digests (MDs) go through a number of stages in their life\-cycle: .IP start 4 .IX Item "start" This state represents the MD before it has been allocated. It is the -starting state for any life-cycle transitions. +starting state for any life\-cycle transitions. .IP newed 4 .IX Item "newed" This state represents the MD after it has been allocated. @@ -84,7 +87,7 @@ additional input or generating output. .IX Item "finaled" This state represents the MD when it has generated output. For an XOF digest, this state represents the MD when it has generated a -single-shot output. +single\-shot output. .IP squeezed 4 .IX Item "squeezed" For an XOF digest, this state represents the MD when it has generated output. @@ -93,10 +96,10 @@ variable for each call. .IP freed 4 .IX Item "freed" This state is entered when the MD is freed. It is the terminal state -for all life-cycle transitions. +for all life\-cycle transitions. .SS "State Transition Diagram" .IX Subsection "State Transition Diagram" -The usual life-cycle of a MD is illustrated: +The usual life\-cycle of a MD is illustrated: +--------------------+ | start | +--------------------+ 
@@ -104,13 +107,13 @@ The usual life-cycle of a MD is illustrated: | EVP_MD_CTX_new +-------------------------------------------------+ v v | EVP_MD_CTX_reset + - - - - - - - - - - - - - - - - - - - - - - + EVP_MD_CTX_reset | - +-------------------> ' newed ' <--------------------+ | + +-------------------> \*(Aq newed \*(Aq <--------------------+ | | + - - - - - - - - - - - - - - - - - - - - - - + | | | | | | | | EVP_DigestInit | | | v | | | EVP_DigestInit + - - - - - - - - - - - - - - - - - - - - - - + | | - +----+-------------------> ' initialised ' <+ EVP_DigestInit | | + +----+-------------------> \*(Aq initialised \*(Aq <+ EVP_DigestInit | | | | + - - - - - - - - - - - - - - - - - - - - - - + | | | | | | ^ | | | | | | EVP_DigestUpdate | EVP_DigestInit | | | diff --git a/secure/lib/libcrypto/man/man7/life_cycle-kdf.7 b/secure/lib/libcrypto/man/man7/life_cycle-kdf.7 index 29b2b74abfb4..008756c004a8 100644 --- a/secure/lib/libcrypto/man/man7/life_cycle-kdf.7 +++ b/secure/lib/libcrypto/man/man7/life_cycle-kdf.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "LIFE_CYCLE-KDF 7ossl" -.TH LIFE_CYCLE-KDF 7ossl 2025-09-30 3.5.4 OpenSSL +.TH LIFE_CYCLE-KDF 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -65,11 +68,11 @@ life_cycle\-kdf \- The KDF algorithm life\-cycle .SH DESCRIPTION .IX Header "DESCRIPTION" All key derivation functions (KDFs) and pseudo random functions (PRFs) -go through a number of stages in their life-cycle: +go through a number of stages in their life\-cycle: .IP start 4 .IX Item "start" This state represents the KDF/PRF before it has been allocated. It is the -starting state for any life-cycle transitions. +starting state for any life\-cycle transitions. .IP newed 4 .IX Item "newed" This state represents the KDF/PRF after it has been allocated. @@ -80,10 +83,10 @@ output. .IP freed 4 .IX Item "freed" This state is entered when the KDF/PRF is freed. It is the terminal state -for all life-cycle transitions. +for all life\-cycle transitions. .SS "State Transition Diagram" .IX Subsection "State Transition Diagram" -The usual life-cycle of a KDF/PRF is illustrated: +The usual life\-cycle of a KDF/PRF is illustrated: +-------------------+ | start | +-------------------+ @@ -98,7 +101,7 @@ The usual life-cycle of a KDF/PRF is illustrated: v | EVP_KDF_CTX_reset EVP_KDF_derive +-------------------+ | + - - - - - - - - | | | - ' | deriving | | + \*(Aq | deriving | | + - - - - - - - -> | | -+ +-------------------+ | diff --git a/secure/lib/libcrypto/man/man7/life_cycle-mac.7 b/secure/lib/libcrypto/man/man7/life_cycle-mac.7 index 31de698f3133..bfcf237c7e46 100644 --- a/secure/lib/libcrypto/man/man7/life_cycle-mac.7 +++ b/secure/lib/libcrypto/man/man7/life_cycle-mac.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "LIFE_CYCLE-MAC 7ossl" -.TH LIFE_CYCLE-MAC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH LIFE_CYCLE-MAC 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -65,11 +68,11 @@ life_cycle\-mac \- The MAC algorithm life\-cycle .SH DESCRIPTION .IX Header "DESCRIPTION" All message authentication codes (MACs) -go through a number of stages in their life-cycle: +go through a number of stages in their life\-cycle: .IP start 4 .IX Item "start" This state represents the MAC before it has been allocated. It is the -starting state for any life-cycle transitions. +starting state for any life\-cycle transitions. .IP newed 4 .IX Item "newed" This state represents the MAC after it has been allocated. @@ -87,10 +90,10 @@ This state represents the MAC when it has generated output. .IP freed 4 .IX Item "freed" This state is entered when the MAC is freed. It is the terminal state -for all life-cycle transitions. +for all life\-cycle transitions. .SS "State Transition Diagram" .IX Subsection "State Transition Diagram" -The usual life-cycle of a MAC is illustrated: +The usual life\-cycle of a MAC is illustrated: +-------------------+ | start | +-------------------+ diff --git a/secure/lib/libcrypto/man/man7/life_cycle-pkey.7 b/secure/lib/libcrypto/man/man7/life_cycle-pkey.7 index 53d6c5b85ef1..6793d3d1838c 100644 --- a/secure/lib/libcrypto/man/man7/life_cycle-pkey.7 +++ b/secure/lib/libcrypto/man/man7/life_cycle-pkey.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "LIFE_CYCLE-PKEY 7ossl" -.TH LIFE_CYCLE-PKEY 7ossl 2025-09-30 3.5.4 OpenSSL +.TH LIFE_CYCLE-PKEY 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -64,11 +67,11 @@ life_cycle\-pkey \- The PKEY algorithm life\-cycle .SH DESCRIPTION .IX Header "DESCRIPTION" -All public keys (PKEYs) go through a number of stages in their life-cycle: +All public keys (PKEYs) go through a number of stages in their life\-cycle: .IP start 4 .IX Item "start" This state represents the PKEY before it has been allocated. It is the -starting state for any life-cycle transitions. +starting state for any life\-cycle transitions. .IP newed 4 .IX Item "newed" This state represents the PKEY after it has been allocated. @@ -108,10 +111,10 @@ This state represents the PKEY when it is ready to recover a public key signatur .IP freed 4 .IX Item "freed" This state is entered when the PKEY is freed. It is the terminal state -for all life-cycle transitions. +for all life\-cycle transitions. .SS "State Transition Diagram" .IX Subsection "State Transition Diagram" -The usual life-cycle of a PKEY object is illustrated: +The usual life\-cycle of a PKEY object is illustrated: +-------------+ | | | start | 
@@ -166,9 +169,9 @@ The usual life-cycle of a PKEY object is illustrated: + - - - - - + +-----------+ - ' ' EVP_PKEY_CTX_free | | - ' any state '------------------->| freed | - ' ' | | + \*(Aq \*(Aq EVP_PKEY_CTX_free | | + \*(Aq any state \*(Aq------------------->| freed | + \*(Aq \*(Aq | | + - - - - - + +-----------+ .SS "Formal State Transitions" .IX Subsection "Formal State Transitions" diff --git a/secure/lib/libcrypto/man/man7/life_cycle-rand.7 b/secure/lib/libcrypto/man/man7/life_cycle-rand.7 index c4a887294dbe..3b479fc11da8 100644 --- a/secure/lib/libcrypto/man/man7/life_cycle-rand.7 +++ b/secure/lib/libcrypto/man/man7/life_cycle-rand.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "LIFE_CYCLE-RAND 7ossl" -.TH LIFE_CYCLE-RAND 7ossl 2025-09-30 3.5.4 OpenSSL +.TH LIFE_CYCLE-RAND 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -65,11 +68,11 @@ life_cycle\-rand \- The RAND algorithm life\-cycle .SH DESCRIPTION .IX Header "DESCRIPTION" All random number generator (RANDs) -go through a number of stages in their life-cycle: +go through a number of stages in their life\-cycle: .IP start 4 .IX Item "start" This state represents the RAND before it has been allocated. It is the -starting state for any life-cycle transitions. +starting state for any life\-cycle transitions. .IP newed 4 .IX Item "newed" This state represents the RAND after it has been allocated but unable to 
@@ -85,10 +88,10 @@ capable of generating output. .IP freed 4 .IX Item "freed" This state is entered when the RAND is freed. It is the terminal state -for all life-cycle transitions. +for all life\-cycle transitions. .SS "State Transition Diagram" .IX Subsection "State Transition Diagram" -The usual life-cycle of a RAND is illustrated: +The usual life\-cycle of a RAND is illustrated: +-------------------------+ | start | +-------------------------+ @@ -105,11 +108,11 @@ The usual life-cycle of a RAND is illustrated: +-------------------- | | | | instantiated | +-------------------> | | <+ - +-------------------------+ ' - | ' - | EVP_RAND_uninstantiate ' EVP_RAND_instantiate - v ' - +-------------------------+ ' + +-------------------------+ \*(Aq + | \*(Aq + | EVP_RAND_uninstantiate \*(Aq EVP_RAND_instantiate + v \*(Aq + +-------------------------+ \*(Aq | uninstantiated | -+ +-------------------------+ | diff --git a/secure/lib/libcrypto/man/man7/openssl-core.h.7 b/secure/lib/libcrypto/man/man7/openssl-core.h.7 index 177a73608ee1..0d96aefae223 100644 --- a/secure/lib/libcrypto/man/man7/openssl-core.h.7 +++ b/secure/lib/libcrypto/man/man7/openssl-core.h.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-CORE.H 7ossl" -.TH OPENSSL-CORE.H 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-CORE.H 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man7/openssl-core_dispatch.h.7 b/secure/lib/libcrypto/man/man7/openssl-core_dispatch.h.7 index 608f0019359f..b4f7c9c0b568 100644 --- a/secure/lib/libcrypto/man/man7/openssl-core_dispatch.h.7 +++ b/secure/lib/libcrypto/man/man7/openssl-core_dispatch.h.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-CORE_DISPATCH.H 7ossl" -.TH OPENSSL-CORE_DISPATCH.H 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-CORE_DISPATCH.H 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/openssl-core_names.h.7 b/secure/lib/libcrypto/man/man7/openssl-core_names.h.7 index d3a121360a14..38f67c22c743 100644 --- a/secure/lib/libcrypto/man/man7/openssl-core_names.h.7 +++ b/secure/lib/libcrypto/man/man7/openssl-core_names.h.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-CORE_NAMES.H 7ossl" -.TH OPENSSL-CORE_NAMES.H 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-CORE_NAMES.H 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -71,9 +74,9 @@ openssl/core_names.h \- OpenSSL provider parameter names .IX Header "DESCRIPTION" The \fI<openssl/core_names.h>\fR header defines a multitude of macros for \fBOSSL_PARAM\fR\|(3) names, algorithm names and other known names used -with OpenSSL's providers, made available for practical purposes only. +with OpenSSL\*(Aqs providers, made available for practical purposes only. .PP -Existing names are further described in the manuals for OpenSSL's +Existing names are further described in the manuals for OpenSSL\*(Aqs providers (see "SEE ALSO") and the manuals for each algorithm they provide (listed in those provider manuals). .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man7/openssl-env.7 b/secure/lib/libcrypto/man/man7/openssl-env.7 index 1b1163c8c9f4..aa93a742a5f6 100644 --- a/secure/lib/libcrypto/man/man7/openssl-env.7 +++ b/secure/lib/libcrypto/man/man7/openssl-env.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-ENV 7ossl" -.TH OPENSSL-ENV 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-ENV 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -65,9 +68,9 @@ openssl\-env \- OpenSSL environment variables .SH DESCRIPTION .IX Header "DESCRIPTION" The OpenSSL libraries use environment variables to override the -compiled-in default paths for various data. +compiled\-in default paths for various data. To avoid security risks, the environment is usually not consulted when -the executable is set-user-ID or set-group-ID. +the executable is set\-user\-ID or set\-group\-ID. .IP \fBCTLOG_FILE\fR 4 .IX Item "CTLOG_FILE" Specifies the path to a certificate transparency log list. @@ -98,7 +101,7 @@ See \fBOPENSSL_malloc\fR\|(3). .IP \fBOPENSSL_MODULES\fR 4 .IX Item "OPENSSL_MODULES" Specifies the directory from which cryptographic providers are loaded. -Equivalently, the generic \fB\-provider\-path\fR command-line option may be used. +Equivalently, the generic \fB\-provider\-path\fR command\-line option may be used. .IP \fBOPENSSL_TRACE\fR 4 .IX Item "OPENSSL_TRACE" By default the OpenSSL trace feature is disabled statically. @@ -109,7 +112,7 @@ Unless OpenSSL tracing support is generally disabled, enable trace output of specific parts of OpenSSL libraries, by name. This output usually makes sense only if you know OpenSSL internals well. .Sp -The value of this environment varialble is a comma-separated list of names, +The value of this environment variable is a comma\-separated list of names, with the following available: .RS 4 .IP \fBTRACE\fR 4 
@@ -177,7 +180,7 @@ Traces the HTTP client and server, such as messages being sent and received. .IX Item "OPENSSL_WIN32_UTF8" If set, then \fBUI_OpenSSL\fR\|(3) returns UTF\-8 encoded strings, rather than ones encoded in the current code page, and -the \fBopenssl\fR\|(1) program also transcodes the command-line parameters +the \fBopenssl\fR\|(1) program also transcodes the command\-line parameters from the current code page to UTF\-8. This environment variable is only checked on Microsoft Windows platforms. .IP \fBRANDFILE\fR 4 @@ -198,7 +201,8 @@ OpenSSL supports a number of different algorithm implementations for various machines and, by default, it determines which to use based on the processor capabilities and run time feature enquiry. These environment variables can be used to exert more control over this selection process. -See \fBOPENSSL_ia32cap\fR\|(3), \fBOPENSSL_s390xcap\fR\|(3) and \fBOPENSSL_riscvcap\fR\|(3). +See \fBOPENSSL_ia32cap\fR\|(3), \fBOPENSSL_ppccap\fR\|(3), \fBOPENSSL_riscvcap\fR\|(3), +and \fBOPENSSL_s390xcap\fR\|(3). .IP "\fBNO_PROXY\fR, \fBHTTPS_PROXY\fR, \fBHTTP_PROXY\fR" 4 .IX Item "NO_PROXY, HTTPS_PROXY, HTTP_PROXY" Specify a proxy hostname. @@ -214,7 +218,7 @@ Used to set a QUIC qlog filter specification. See \fBopenssl\-qlog\fR\|(7). Used to produce the standard format output file for SSL key logging. Optionally set this variable to a filename to log all secrets produced by SSL connections. Note, use of the environment variable is predicated on configuring OpenSSL at -build time with the enable-sslkeylog feature. The file format standard can be +build time with the enable\-sslkeylog feature. The file format standard can be found at <https://datatracker.ietf.org/doc/draft\-ietf\-tls\-keylogfile/>. Note: the use of \fBSSLKEYLOGFILE\fR poses an explicit security risk. By recording the exchanged keys during an SSL session, it allows any available party with 
diff --git a/secure/lib/libcrypto/man/man7/openssl-glossary.7 b/secure/lib/libcrypto/man/man7/openssl-glossary.7 index e0a24a3529f6..e7c9edda9527 100644 --- a/secure/lib/libcrypto/man/man7/openssl-glossary.7 +++ b/secure/lib/libcrypto/man/man7/openssl-glossary.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-GLOSSARY 7ossl" -.TH OPENSSL-GLOSSARY 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-GLOSSARY 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -74,7 +77,7 @@ implementation for any given algorithm available for use. .IP "ASN.1, ASN1" 4 .IX Item "ASN.1, ASN1" ASN.1 ("Abstract Syntax Notation One") is a notation for describing abstract -types and values. It is defined in the ITU-T documents X.680 to X.683: +types and values. It is defined in the ITU\-T documents X.680 to X.683: .Sp <https://www.itu.int/rec/T\-REC\-X.680>, <https://www.itu.int/rec/T\-REC\-X.681>, @@ -107,7 +110,7 @@ DER is a binary encoding of data, structured according to an ASN.1 specification. This is a common encoding used for cryptographic objects such as private and public keys, certificates, CRLs, ... .Sp -It is defined in ITU-T document X.690: +It is defined in ITU\-T document X.690: .Sp <https://www.itu.int/rec/T\-REC\-X.690> .IP Encoder 4 diff --git a/secure/lib/libcrypto/man/man7/openssl-qlog.7 b/secure/lib/libcrypto/man/man7/openssl-qlog.7 index 0330f3bcf375..05592d016d38 100644 
--- a/secure/lib/libcrypto/man/man7/openssl-qlog.7 +++ b/secure/lib/libcrypto/man/man7/openssl-qlog.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-QLOG 7ossl" -.TH OPENSSL-QLOG 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-QLOG 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -72,7 +75,7 @@ contained within them, as well as loss detection and other events. The qlog output generated by OpenSSL can be used to obtain diagnostic visualisations of a given QUIC connection using tools such as \fBqvis\fR. .PP -\&\fBWARNING:\fR The output of OpenSSL's qlog functionality uses an unstable format +\&\fBWARNING:\fR The output of OpenSSL\*(Aqs qlog functionality uses an unstable format based on a draft specification. qlog output is not subject to any format stability or compatibility guarantees at this time, and \fBwill\fR change in incompatible ways in future versions of OpenSSL. See \fBFORMAT STABILITY\fR below 
@@ -84,7 +87,7 @@ the standard \fBQLOGDIR\fR environment variable to point to a directory where ql files should be written. Once set, any QUIC connection established by OpenSSL will have a qlog file written automatically to the specified directory. .PP -Log files are generated in the \fI.sqlog\fR format based on JSON-SEQ (RFC 7464). +Log files are generated in the \fI.sqlog\fR format based on JSON\-SEQ (RFC 7464). .PP The filenames of generated log files under the specified \fBQLOGDIR\fR use the following structure: @@ -94,13 +97,13 @@ following structure: .Ve .PP where \fB{connection_odcid}\fR is the lowercase hexadecimal encoding of a QUIC -connection's Original Destination Connection ID, which is the Destination +connection\*(Aqs Original Destination Connection ID, which is the Destination Connection ID used in the header of the first Initial packet sent as part of the connection process, and \fB{vantage_point_type}\fR is either \f(CW\*(C`client\*(C'\fR or \&\f(CW\*(C`server\*(C'\fR, reflecting the perspective of the endpoint producing the qlog output. .PP The qlog functionality can be disabled at OpenSSL build time using the -\&\fIno-unstable-qlog\fR configure flag. +\&\fIno\-unstable\-qlog\fR configure flag. .SH "SUPPORTED EVENT TYPES" .IX Header "SUPPORTED EVENT TYPES" The following event types are currently supported: @@ -125,7 +128,7 @@ The following event types are currently supported: By default, all supported event types are logged. The \fBOSSL_QFILTER\fR environment variable can be used to configure a filter specification which determines which event types are to be logged. Each event type can be turned on -and off individually. The filter specification is a space-separated list of +and off individually. The filter specification is a space\-separated list of terms listing event types to enable or disable. The terms are applied in order, thus the effects of later terms override the effects of earlier terms. .SS Examples 
@@ -219,7 +222,7 @@ the qlog format. The OpenSSL qlog functionality will transition to producing output in this format in the future once standardisation is complete. .PP Because of this, the qlog output of OpenSSL \fBwill\fR change in incompatible and -breaking ways in the future, including in non-major releases of OpenSSL. The +breaking ways in the future, including in non\-major releases of OpenSSL. The qlog output of OpenSSL is considered unstable and not subject to any format stability or compatibility guarantees at this time. .PP @@ -240,7 +243,7 @@ a disparity between the current draft and what qvis supports, the OpenSSL qlog functionality will generally aim for qvis compatibility over compliance with the latest draft. .PP -As such, OpenSSL's qlog functionality currently implements qlog version 0.3 as +As such, OpenSSL\*(Aqs qlog functionality currently implements qlog version 0.3 as defined in \fBdraft\-ietf\-quic\-qlog\-main\-schema\-05\fR and \&\fBdraft\-ietf\-quic\-qlog\-quic\-events\-04\fR. These revisions are intentionally used instead of more recent revisions due to their qvis compatibility. @@ -250,7 +253,7 @@ The OpenSSL implementation of qlog currently has the following limitations: .IP \(bu 4 Not all event types defined by the draft specification are implemented. .IP \(bu 4 -Only the JSON-SEQ (\fB.sqlog\fR) output format is supported. +Only the JSON\-SEQ (\fB.sqlog\fR) output format is supported. .IP \(bu 4 Only the \fBQLOGDIR\fR environment variable is supported for configuring the qlog output directory. The standard \fBQLOGFILE\fR environment variable is not diff --git a/secure/lib/libcrypto/man/man7/openssl-quic-concurrency.7 b/secure/lib/libcrypto/man/man7/openssl-quic-concurrency.7 index 94019da3c1fd..94e4ba30bcfb 100644 --- a/secure/lib/libcrypto/man/man7/openssl-quic-concurrency.7 +++ b/secure/lib/libcrypto/man/man7/openssl-quic-concurrency.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-QUIC-CONCURRENCY 7ossl" -.TH OPENSSL-QUIC-CONCURRENCY 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-QUIC-CONCURRENCY 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -100,18 +103,18 @@ a wide variety of usage scenarios. .PP The available concurrency models are as follows: .IP \(bu 4 -The \fBSingle-Threaded Concurrency Model (SCM)\fR, which supports only -application-synchronised single-threaded usage. +The \fBSingle\-Threaded Concurrency Model (SCM)\fR, which supports only +application\-synchronised single\-threaded usage. .IP \(bu 4 -The \fBContentive Concurrency Model (CCM)\fR, which supports multi-threaded usage. +The \fBContentive Concurrency Model (CCM)\fR, which supports multi\-threaded usage. .IP \(bu 4 -The \fBThread-Assisted Concurrency Model (TACM)\fR, which also supports -multi-threaded usage and provides assistance to an application for handling QUIC +The \fBThread\-Assisted Concurrency Model (TACM)\fR, which also supports +multi\-threaded usage and provides assistance to an application for handling QUIC timer events. .PP The merits of these models are as follows: .IP \(bu 4 -The \fBSingle-Threaded Concurrency Model (SCM)\fR performs no locking or +The \fBSingle\-Threaded Concurrency Model (SCM)\fR performs no locking or synchronisation. It is entirely up to the application to synchronise access to the QUIC domain and its subsidiary SSL objects. .Sp 
@@ -120,13 +123,13 @@ OpenSSL QUIC implementation as a pure state machine. .IP \(bu 4 The \fBContentive Concurrency Model (CCM)\fR performs automatic locking when making API calls to SSL objects in a QUIC domain. This provides automatic -synchronisation for multi-threaded usage of QUIC objects. For example, different +synchronisation for multi\-threaded usage of QUIC objects. For example, different QUIC stream SSL objects in the same QUIC connection can be safely accessed from different threads. .Sp -This concurrency model adds the overhead of locking over the Single-Threaded -Concurrency Model in order to support multi-threaded usage, but provides limited -performance in highly contended multi-threaded usage due to its simple approach. +This concurrency model adds the overhead of locking over the Single\-Threaded +Concurrency Model in order to support multi\-threaded usage, but provides limited +performance in highly contended multi\-threaded usage due to its simple approach. However, it may still prove a good solution for a broad class of applications which spend the majority of their time in application logic and not in QUIC I/O processing. 
@@ -134,11 +137,11 @@ processing. An advantage of this model relative to the more sophisticated concurrency models below is that it does not create any OS threads. .IP \(bu 4 -The \fBThread-Assisted Concurrency Model (TACM)\fR is identical to the Contentive +The \fBThread\-Assisted Concurrency Model (TACM)\fR is identical to the Contentive Concurrency Model except that a thread is spun up in the background to ensure that QUIC timer events are handled in a timely fashion. This ensures that QUIC timeout events are handled even if an application does not periodically call -into the QUIC domain to ensure that any outstanding QUIC-related timer or +into the QUIC domain to ensure that any outstanding QUIC\-related timer or network I/O events are handled. The assist thread contends for the same resources like any other thread. However, handshake layer events (TLS) are never processed by the assist thread. @@ -152,11 +155,11 @@ Additional concurrency models may be offered in future releases of OpenSSL. .SH "BLOCKING I/O CAPABILITIES" .IX Header "BLOCKING I/O CAPABILITIES" All of the supported concurrency models are capable of supporting blocking I/O -calls, where application-level I/O calls (for example, to \fBSSL_read_ex\fR\|(3) or +calls, where application\-level I/O calls (for example, to \fBSSL_read_ex\fR\|(3) or \&\fBSSL_write_ex\fR\|(3) on a QUIC stream SSL object) block until the request can be serviced. This includes the use of \fBSSL_poll\fR\|(3) in a blocking fashion. .PP -Supporting blocking API calls reliably with multi-threaded usage requires the +Supporting blocking API calls reliably with multi\-threaded usage requires the creation of additional OS resources such as internal file descriptors to allow threads to be woken when necessary. This creation of internal OS resources is optional and may need to be explicitly requested by an application depending on 
@@ -167,23 +170,23 @@ notwithstanding the following section. .SS "Legacy Blocking Support Compatibility" .IX Subsection "Legacy Blocking Support Compatibility" OpenSSL 3.2 and 3.3 contained a buggy implementation of blocking QUIC I/O calls -which is only reliable under single-threaded usage. This functionality is always -available in the Single-Threaded Concurrency Model (SCM), where it works +which is only reliable under single\-threaded usage. This functionality is always +available in the Single\-Threaded Concurrency Model (SCM), where it works reliably. .PP For compatibility reasons, this functionality is also available under the default concurrency model if the application does not explicitly specify a concurrency model or disable it. This is known as Legacy Blocking Compatibility -Mode, and its usage is not recommended for multi-threaded applications. +Mode, and its usage is not recommended for multi\-threaded applications. .SH "RECOMMENDED USAGE" .IX Header "RECOMMENDED USAGE" New applications are advised to choose a concurrency model as follows: .IP \(bu 4 -A purely single-threaded application, or an application which wishes to use +A purely single\-threaded application, or an application which wishes to use OpenSSL QUIC as a state machine and manage synchronisation itself, should explicitly select the SCM concurrency model. .IP \(bu 4 -An application which wants to engage in multi-threaded usage of different QUIC +An application which wants to engage in multi\-threaded usage of different QUIC connections or streams in the same QUIC domain should a) select the CCM or TACM concurrency model and b) explicitly opt in or out of blocking I/O support (depending on whether the application wishes to make blocking I/O calls), 
@@ -203,14 +206,14 @@ If using an explicit QUIC domain, a concurrency model is chosen when calling \&\fBSSL_new_domain\fR\|(3) by specifying zero or more of the following flags: .IP \fBSSL_DOMAIN_FLAG_SINGLE_THREAD\fR 4 .IX Item "SSL_DOMAIN_FLAG_SINGLE_THREAD" -Specifying this flag configures the Single-Threaded Concurrency Model (SCM). +Specifying this flag configures the Single\-Threaded Concurrency Model (SCM). .IP \fBSSL_DOMAIN_FLAG_MULTI_THREAD\fR 4 .IX Item "SSL_DOMAIN_FLAG_MULTI_THREAD" -Speciyfing this flag configures the Contentive Concurrency Model (CCM) (unless +Specifying this flag configures the Contentive Concurrency Model (CCM) (unless \&\fBSSL_DOMAIN_FLAG_THREAD_ASSISTED\fR is also specified). .IP \fBSSL_DOMAIN_FLAG_THREAD_ASSISTED\fR 4 .IX Item "SSL_DOMAIN_FLAG_THREAD_ASSISTED" -Specifying this flag configures the Thread-Assisted Concurrency Model (TACM). +Specifying this flag configures the Thread\-Assisted Concurrency Model (TACM). It implies \fBSSL_DOMAIN_FLAG_MULTI_THREAD\fR. .IP \fBSSL_DOMAIN_FLAG_BLOCKING\fR 4 .IX Item "SSL_DOMAIN_FLAG_BLOCKING" @@ -244,10 +247,10 @@ The default concurrency model set on a newly created \fBSSL_CTX\fR is determined follows: .IP \(bu 4 If an \fBSSL_METHOD\fR of \fBOSSL_QUIC_client_thread_method\fR\|(3) is used, the -Thread-Assisted Concurrency Model (TACM) is used with the +Thread\-Assisted Concurrency Model (TACM) is used with the \&\fBSSL_DOMAIN_FLAG_BLOCKING\fR flag. This provides reliable blocking functionality. .IP \(bu 4 -Otherwise, if OpenSSL was built without threading support, the Single-Threaded +Otherwise, if OpenSSL was built without threading support, the Single\-Threaded Concurrency Model (SCM) is used, with the \fBSSL_DOMAIN_FLAG_LEGACY_BLOCKING\fR flag. .IP \(bu 4 
@@ -269,12 +272,12 @@ an implicit QUIC domain is created when calling \fBSSL_new_listener\fR\|(3) or .SH "CONSUMPTION OF OS RESOURCES" .IX Header "CONSUMPTION OF OS RESOURCES" If full blocking I/O support is selected using \fBSSL_DOMAIN_FLAG_BLOCKING\fR, at -least one socket, socket-like OS handle or file descriptor must be allocated to +least one socket, socket\-like OS handle or file descriptor must be allocated to allow one thread to wake other threads which may be blocking in calls to OS socket polling interfaces such as \fBselect\fR\|(2) or \fBpoll\fR\|(2). This is allocated automatically internally by OpenSSL. .PP -If the Thread-Assisted Concurrency Model (TACM) is selected, a background thread +If the Thread\-Assisted Concurrency Model (TACM) is selected, a background thread is spawned. This also implies \fBSSL_DOMAIN_FLAG_BLOCKING\fR and the above. .PP The internal consumption by OpenSSL of mutexes, condition variables, spin locks @@ -282,11 +285,11 @@ or other similar thread synchronisation primitives is unspecified under all concurrency models. .PP The internal consumption by OpenSSL of threads is unspecified under the -Thread-Assisted Concurrency Model. +Thread\-Assisted Concurrency Model. .PP -The internal consumption by OpenSSL of sockets, socket-like OS handles or file -descriptors, or other resources as needed to support inter-thread notification, -is unspecified under the Thread-Assisted Concurrency Model or when using +The internal consumption by OpenSSL of sockets, socket\-like OS handles or file +descriptors, or other resources as needed to support inter\-thread notification, +is unspecified under the Thread\-Assisted Concurrency Model or when using \&\fBSSL_DOMAIN_FLAG_BLOCKING\fR. .SH "BEHAVIOUR OF SSL OBJECTS" .IX Header "BEHAVIOUR OF SSL OBJECTS" diff --git a/secure/lib/libcrypto/man/man7/openssl-quic.7 b/secure/lib/libcrypto/man/man7/openssl-quic.7 index d50b06cd1b87..30a7be6a3796 100644 --- a/secure/lib/libcrypto/man/man7/openssl-quic.7 
+++ b/secure/lib/libcrypto/man/man7/openssl-quic.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-QUIC 7ossl" -.TH OPENSSL-QUIC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-QUIC 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -65,7 +68,7 @@ openssl\-quic \- OpenSSL QUIC .SH DESCRIPTION .IX Header "DESCRIPTION" OpenSSL 3.2 and later features support for the QUIC transport protocol. -You can use OpenSSL's QUIC capabilities for both client and server applications. +You can use OpenSSL\*(Aqs QUIC capabilities for both client and server applications. This man page describes how to let applications use the QUIC protocol using the libssl API. .PP @@ -79,9 +82,9 @@ option: SSL method \fBOSSL_QUIC_server_method\fR\|(3) with \fBSSL_CTX_new\fR\|(3 .PP The remainder of this man page discusses, in order: .IP \(bu 4 -Default stream mode versus multi-stream mode for clients; +Default stream mode versus multi\-stream mode for clients; .IP \(bu 4 -The changes to existing libssl APIs which are driven by QUIC-related +The changes to existing libssl APIs which are driven by QUIC\-related implementation requirements, which existing applications should bear in mind; .IP \(bu 4 Aspects which must be considered by existing applications when adopting QUIC, 
@@ -89,25 +92,25 @@ including potential changes which may be needed. .IP \(bu 4 Recommended usage approaches for new applications. .IP \(bu 4 -New, QUIC-specific APIs. +New, QUIC\-specific APIs. .SH "CLIENT MODES OF OPERATION" .IX Header "CLIENT MODES OF OPERATION" When a client creates a QUIC connection, by default, it operates in default -stream mode, which is intended to provide compatibility with existing non-QUIC +stream mode, which is intended to provide compatibility with existing non\-QUIC application usage patterns. In this mode, the connection has a single stream associated with it. Calls to \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3) on the QUIC connection SSL object read and write from that stream. Whether the stream is -client-initiated or server-initiated from a QUIC perspective depends on whether +client\-initiated or server\-initiated from a QUIC perspective depends on whether \&\fBSSL_read\fR\|(3) or \fBSSL_write\fR\|(3) is called first. .PP Default stream mode is primarily for compatibility with existing applications. -For new applications utilizing QUIC, it's recommended to disable this mode and -instead adopt the multi-stream API. See the RECOMMENDATIONS FOR NEW APPLICATIONS +For new applications utilizing QUIC, it\*(Aqs recommended to disable this mode and +instead adopt the multi\-stream API. See the RECOMMENDATIONS FOR NEW APPLICATIONS section for more details. .SS "Default Stream Mode" .IX Subsection "Default Stream Mode" A QUIC client connection can be used in either default stream mode or -multi-stream mode. By default, a newly created QUIC connection SSL object uses +multi\-stream mode. By default, a newly created QUIC connection SSL object uses default stream mode. .PP In default stream mode, a stream is implicitly created and bound to the QUIC 
@@ -119,45 +122,45 @@ stream SSL object can also be called on a QUIC connection SSL object, in which case it affects the default stream bound to the connection. .PP The identity of a QUIC stream, including its stream ID, varies depending on -whether a stream is client-initiated or server-initiated. In default stream +whether a stream is client\-initiated or server\-initiated. In default stream mode, if a client application calls \fBSSL_read\fR\|(3) first before any call to \&\fBSSL_write\fR\|(3) on the connection, it is assumed that the application protocol -is using a server-initiated stream, and the \fBSSL_read\fR\|(3) call will not +is using a server\-initiated stream, and the \fBSSL_read\fR\|(3) call will not complete (either blocking, or failing appropriately if nonblocking mode is configured) until the server initiates a stream. Conversely, if the client application calls \fBSSL_write\fR\|(3) before any call to \fBSSL_read\fR\|(3) on the -connection, it is assumed that a client-initiated stream is to be used +connection, it is assumed that a client\-initiated stream is to be used and such a stream is created automatically. .PP Default stream mode is intended to aid compatibility with legacy applications. -New applications adopting QUIC should use multi-stream mode, described below, +New applications adopting QUIC should use multi\-stream mode, described below, and avoid use of the default stream functionality. .PP It is possible to use additional streams in default stream mode using \&\fBSSL_new_stream\fR\|(3) and \fBSSL_accept_stream\fR\|(3); note that the default incoming stream policy will need to be changed using \fBSSL_set_incoming_stream_policy\fR\|(3) in order to use \fBSSL_accept_stream\fR\|(3) in this case. However, applications -using additional streams are strongly recommended to use multi-stream mode +using additional streams are strongly recommended to use multi\-stream mode instead. 
.PP Calling \fBSSL_new_stream\fR\|(3) or \fBSSL_accept_stream\fR\|(3) before a default stream has been associated with the QUIC connection SSL object will inhibit future creation of a default stream. -.SS "Multi-Stream Mode" +.SS "Multi\-Stream Mode" .IX Subsection "Multi-Stream Mode" -The recommended usage mode for new applications adopting QUIC is multi-stream +The recommended usage mode for new applications adopting QUIC is multi\-stream mode, in which no default stream is attached to the QUIC connection SSL object and attempts to call \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3) on the QUIC connection SSL object fail. Instead, an application calls \fBSSL_new_stream\fR\|(3) or \&\fBSSL_accept_stream\fR\|(3) to create individual stream SSL objects for sending and receiving application data using \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3). .PP -To use multi-stream mode, call \fBSSL_set_default_stream_mode\fR\|(3) with an +To use multi\-stream mode, call \fBSSL_set_default_stream_mode\fR\|(3) with an argument of \fBSSL_DEFAULT_STREAM_MODE_NONE\fR; this function must be called prior to initiating the connection. The default stream mode cannot be changed after initiating a connection. .PP -When multi-stream mode is used, meaning that no default stream is associated +When multi\-stream mode is used, meaning that no default stream is associated with the connection, calls to API functions which are defined as operating on a QUIC stream fail if called on the QUIC connection SSL object. For example, calls such as \fBSSL_write\fR\|(3) or \fBSSL_get_stream_id\fR\|(3) will fail. 
@@ -176,11 +179,11 @@ BIO: \&\fBBIO_s_datagram\fR\|(3), recommended for most applications, replaces \&\fBBIO_s_socket\fR\|(3) and provides a UDP socket. .IP \(bu 4 -\&\fBBIO_s_dgram_pair\fR\|(3) provides BIO pair-like functionality but with datagram +\&\fBBIO_s_dgram_pair\fR\|(3) provides BIO pair\-like functionality but with datagram semantics, and is recommended for existing applications which use a BIO pair or -memory BIO to manage libssl's communication with the network. +memory BIO to manage libssl\*(Aqs communication with the network. .IP \(bu 4 -\&\fBBIO_s_dgram_mem\fR\|(3) provides a simple memory BIO-like interface but with +\&\fBBIO_s_dgram_mem\fR\|(3) provides a simple memory BIO\-like interface but with datagram semantics. Unlike \fBBIO_s_dgram_pair\fR\|(3), it is unidirectional. .IP \(bu 4 An application may also choose to implement a custom BIO. The new 
@@ -194,18 +197,18 @@ instantiate a \fBBIO_s_socket\fR\|(3). For QUIC, these functions instead instant a \fBBIO_s_datagram\fR\|(3). This is equivalent to instantiating a \&\fBBIO_s_datagram\fR\|(3) and using \fBSSL_set0_rbio\fR\|(3) and \fBSSL_set0_wbio\fR\|(3). .IP \(bu 4 -Traditionally, whether the application-level I/O APIs (such as \fBSSL_read\fR\|(3) +Traditionally, whether the application\-level I/O APIs (such as \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3) operated in a blocking fashion was directly correlated with whether the underlying network socket was configured in a blocking fashion. This is no longer the case; applications must explicitly configure the desired -application-level blocking mode using \fBSSL_set_blocking_mode\fR\|(3). See +application\-level blocking mode using \fBSSL_set_blocking_mode\fR\|(3). See \&\fBSSL_set_blocking_mode\fR\|(3) for details. .IP \(bu 4 -Network-level I/O must always be performed in a nonblocking manner. The -application can still enjoy blocking semantics for calls to application-level +Network\-level I/O must always be performed in a nonblocking manner. The +application can still enjoy blocking semantics for calls to application\-level I/O functions such as \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3), but the underlying network BIO provided to QUIC (such as a \fBBIO_s_datagram\fR\|(3)) must be configured -in nonblocking mode. For application-level blocking functionality, see +in nonblocking mode. For application\-level blocking functionality, see \&\fBSSL_set_blocking_mode\fR\|(3). .IP \(bu 4 \&\fBBIO_new_ssl_connect\fR\|(3) has been changed to automatically use a 
@@ -217,8 +220,8 @@ change to use \fBBIO_new_ssl_connect\fR\|(3) instead. .IP \(bu 4 \&\fBSSL_shutdown\fR\|(3) has significant changes in relation to how QUIC connections must be shut down. In particular, applications should be advised that the full -RFC-conformant QUIC shutdown process may take an extended amount of time. This -may not be suitable for short-lived processes which should exit immediately +RFC\-conformant QUIC shutdown process may take an extended amount of time. This +may not be suitable for short\-lived processes which should exit immediately after their usage of a QUIC connection is completed. A rapid shutdown mode is available for such applications. For details, see \fBSSL_shutdown\fR\|(3). .IP \(bu 4 @@ -229,7 +232,7 @@ object. .Sp When used in nonblocking mode, \fBSSL_ERROR_WANT_READ\fR indicates that the receive part of a QUIC stream does not currently have any more data available to -be read, and \fBSSL_ERROR_WANT_WRITE\fR indicates that the stream's internal buffer +be read, and \fBSSL_ERROR_WANT_WRITE\fR indicates that the stream\*(Aqs internal buffer is full. .Sp To determine if the QUIC implementation currently wishes to be informed of @@ -237,7 +240,7 @@ incoming network datagrams, use the new function \fBSSL_net_read_desired\fR\|(3) likewise, to determine if the QUIC implementation currently wishes to be informed when it is possible to transmit network datagrams, use the new function \&\fBSSL_net_write_desired\fR\|(3). Only applications which wish to manage their own event -loops need to use these functions; see \fBAPPLICATION-DRIVEN EVENT LOOPS\fR for +loops need to use these functions; see \fBAPPLICATION\-DRIVEN EVENT LOOPS\fR for further discussion. .IP \(bu 4 The use of ALPN is mandatory when using QUIC. Attempts to connect without 
@@ -273,7 +276,7 @@ TLSv1.3 Early Data TLS Next Protocol Negotiation cannot be used and is superseded by ALPN, which must be used instead. The use of ALPN is mandatory with QUIC. .IP \(bu 4 -Post-Handshake Client Authentication is not available as QUIC prohibits its use. +Post\-Handshake Client Authentication is not available as QUIC prohibits its use. .IP \(bu 4 QUIC requires the use of TLSv1.3 or later, therefore functionality only relevant to older TLS versions is not available. @@ -287,7 +290,7 @@ CCM mode is not currently supported. .RS 4 .Sp The following libssl functionality is also not available when used with QUIC, -but calls to the relevant functions are treated as no-ops: +but calls to the relevant functions are treated as no\-ops: .IP \(bu 4 Readahead (\fBSSL_set_read_ahead\fR\|(3), etc.) .RE @@ -316,7 +319,7 @@ the SSL object to provide it with network access. Changes needed: Change your application to use \fBBIO_s_datagram\fR\|(3) instead when using QUIC. The socket must be configured in nonblocking mode. You may or may not need to use \fBSSL_set1_initial_peer_addr\fR\|(3) to set the initial peer -address; see the \fBQUIC-SPECIFIC APIS\fR section for details. +address; see the \fBQUIC\-SPECIFIC APIS\fR section for details. .IP \(bu 4 Your application uses \fBBIO_new_ssl_connect\fR\|(3) to construct a BIO which is passed to the SSL object to provide it with network @@ -345,7 +348,7 @@ instance. Your application uses a custom BIO method to provide the SSL object with network access. .Sp -Changes needed: The custom BIO must be re-architected to have datagram +Changes needed: The custom BIO must be re\-architected to have datagram semantics. \fBBIO_sendmmsg\fR\|(3) and \fBBIO_recvmmsg\fR\|(3) must be implemented. These calls must operate in a nonblocking fashion. Optionally, implement the \&\fBBIO_get_rpoll_descriptor\fR\|(3) and \fBBIO_get_wpoll_descriptor\fR\|(3) methods if 
@@ -395,10 +398,10 @@ APIS\fR. In particular, you should use these APIs to determine the ability of a QUIC stream to receive or provide application data, not to to determine if network I/O is required. .IP \(bu 4 -Evaluate your application's use of \fBSSL_shutdown\fR\|(3) in light of the changes +Evaluate your application\*(Aqs use of \fBSSL_shutdown\fR\|(3) in light of the changes discussed in \fBCHANGES TO EXISTING APIS\fR. Depending on whether your application wishes to prioritise RFC conformance or rapid shutdown, consider using the new -\&\fBSSL_shutdown_ex\fR\|(3) API instead. See \fBQUIC-SPECIFIC APIS\fR for details. +\&\fBSSL_shutdown_ex\fR\|(3) API instead. See \fBQUIC\-SPECIFIC APIS\fR for details. .SH "RECOMMENDED USAGE IN NEW APPLICATIONS" .IX Header "RECOMMENDED USAGE IN NEW APPLICATIONS" The recommended usage in new applications varies depending on three independent @@ -408,7 +411,7 @@ Whether the application will use blocking or nonblocking I/O at the application level (configured using \fBSSL_set_blocking_mode\fR\|(3)). .Sp If the application does nonblocking I/O at the application level it can choose -to manage its own polling and event loop; see \fBAPPLICATION-DRIVEN EVENT LOOPS\fR. +to manage its own polling and event loop; see \fBAPPLICATION\-DRIVEN EVENT LOOPS\fR. .IP \(bu 4 Whether the application intends to give the QUIC implementation direct access to a network socket (e.g. via \fBBIO_s_datagram\fR\|(3)) or whether it intends to buffer 
@@ -423,17 +426,17 @@ Whether thread assisted mode will be used (see \fBTHREAD ASSISTED MODE\fR). Simple demos for QUIC usage under these various scenarios can be found at <https://github.com/openssl/openssl/tree/master/doc/designs/ddd>. .PP -Applications which wish to implement QUIC-specific protocols should be aware of -the APIs listed under \fBQUIC-SPECIFIC APIS\fR which provide access to -QUIC-specific functionality. For example, \fBSSL_stream_conclude\fR\|(3) can be used +Applications which wish to implement QUIC\-specific protocols should be aware of +the APIs listed under \fBQUIC\-SPECIFIC APIS\fR which provide access to +QUIC\-specific functionality. For example, \fBSSL_stream_conclude\fR\|(3) can be used to indicate the end of the sending part of a stream, and \fBSSL_shutdown_ex\fR\|(3) can be used to provide a QUIC application error code when closing a connection. .PP Regardless of the design decisions chosen above, it is recommended that new -applications avoid use of the default stream mode and use the multi-stream API +applications avoid use of the default stream mode and use the multi\-stream API by calling \fBSSL_set_default_stream_mode\fR\|(3); see the MODES OF OPERATION section for details. -.SH "QUIC-SPECIFIC APIS" +.SH "QUIC\-SPECIFIC APIS" .IX Header "QUIC-SPECIFIC APIS" This section details new APIs which are directly or indirectly related to QUIC. For details on the operation of each API, see the referenced man pages. 
@@ -449,7 +452,7 @@ This can also be used with DTLS and supersedes \fBDTLSv1_get_timeout\fR\|(3) for usage. .IP \fBSSL_handle_events\fR\|(3) 4 .IX Item "SSL_handle_events" -This is a non-specific I/O operation which makes a best effort attempt to +This is a non\-specific I/O operation which makes a best effort attempt to perform any pending I/O or timeout processing. It can be used to advance the QUIC state machine by processing incoming network traffic, generating outgoing network traffic and handling any expired timeout events. Most other I/O @@ -465,10 +468,10 @@ The following SSL APIs are specific to QUIC: .IX Item "SSL_new_listener" Creates a listener SSL object, which differs from an ordinary SSL object in that it is used to provide an abstraction for the acceptance of network connections -in a protocol-agnostic manner. +in a protocol\-agnostic manner. .Sp Currently, listener SSL objects are only supported for QUIC server usage or -client-only usage. The listener interface may expand to support additional +client\-only usage. The listener interface may expand to support additional protocols in the future. .IP \fBSSL_new_listener_from\fR\|(3) 4 .IX Item "SSL_new_listener_from" @@ -489,7 +492,7 @@ to call this because it will be called automatically on the first call to \&\fBSSL_accept_connection\fR\|(3). .IP \fBSSL_accept_connection\fR\|(3) 4 .IX Item "SSL_accept_connection" -Accepts a new incoming connection for a listner SSL object. A new SSL object +Accepts a new incoming connection for a listener SSL object. A new SSL object representing the accepted connection is created and returned on success. If no incoming connection is available and the listener SSL object is configured in nonblocking mode, NULL is returned. 
@@ -558,7 +561,7 @@ QUIC stream. This corresponds to the FIN flag in the QUIC RFC. The receiving part of a stream remains usable. .IP \fBSSL_stream_reset\fR\|(3) 4 .IX Item "SSL_stream_reset" -This allows an application to indicate the non-normal termination of the sending +This allows an application to indicate the non\-normal termination of the sending part of a stream. This corresponds to the RESET_STREAM frame in the QUIC RFC. .IP "\fBSSL_get_stream_write_state\fR\|(3) and \fBSSL_get_stream_read_state\fR\|(3)" 4 .IX Item "SSL_get_stream_write_state and SSL_get_stream_read_state" @@ -567,7 +570,7 @@ sending and receiving parts of a stream respectively. .IP "\fBSSL_get_stream_write_error_code\fR\|(3) and \fBSSL_get_stream_read_error_code\fR\|(3)" 4 .IX Item "SSL_get_stream_write_error_code and SSL_get_stream_read_error_code" This allows an application to determine the application error code which was -signalled by a peer which has performed a non-normal stream termination of the +signalled by a peer which has performed a non\-normal stream termination of the respective sending or receiving part of a stream, if any. .IP \fBSSL_get_conn_close_info\fR\|(3) 4 .IX Item "SSL_get_conn_close_info" 
@@ -589,19 +592,19 @@ Returns the QUIC stream ID which the QUIC protocol has associated with a QUIC stream. .IP \fBSSL_new_stream\fR\|(3) 4 .IX Item "SSL_new_stream" -Creates a new QUIC stream SSL object representing a new, locally-initiated QUIC +Creates a new QUIC stream SSL object representing a new, locally\-initiated QUIC stream. .IP \fBSSL_accept_stream\fR\|(3) 4 .IX Item "SSL_accept_stream" Potentially yields a new QUIC stream SSL object representing a new -remotely-initiated QUIC stream, blocking until one is available if the +remotely\-initiated QUIC stream, blocking until one is available if the connection is configured to do so. .IP \fBSSL_get_accept_stream_queue_len\fR\|(3) 4 .IX Item "SSL_get_accept_stream_queue_len" -Provides information on the number of pending remotely-initiated streams. +Provides information on the number of pending remotely\-initiated streams. .IP \fBSSL_set_incoming_stream_policy\fR\|(3) 4 .IX Item "SSL_set_incoming_stream_policy" -Configures how incoming, remotely-initiated streams are handled. The incoming +Configures how incoming, remotely\-initiated streams are handled. The incoming stream policy can be used to automatically reject streams created by the peer, or allow them to be handled using \fBSSL_accept_stream\fR\|(3). .IP \fBSSL_set_default_stream_mode\fR\|(3) 4 @@ -610,7 +613,7 @@ Used to configure or disable default stream mode; see the MODES OF OPERATION section for details. .PP The following BIO APIs are not specific to QUIC but have been added to -facilitate QUIC-specific requirements and are closely associated with its use: +facilitate QUIC\-specific requirements and are closely associated with its use: .IP \fBBIO_s_dgram_pair\fR\|(3) 4 .IX Item "BIO_s_dgram_pair" This is a new BIO method which is similar to a conventional BIO pair but 
@@ -670,13 +673,13 @@ does provide the simplest mode of usage for an application. .PP The implementation may or may not use a common thread or thread pool to service multiple SSL objects in the same \fBSSL_CTX\fR. -.SH "APPLICATION-DRIVEN EVENT LOOPS" +.SH "APPLICATION\-DRIVEN EVENT LOOPS" .IX Header "APPLICATION-DRIVEN EVENT LOOPS" -OpenSSL's QUIC implementation is designed to facilitate applications which wish +OpenSSL\*(Aqs QUIC implementation is designed to facilitate applications which wish to use the SSL APIs in a blocking fashion, but is also designed to facilitate applications which wish to use the SSL APIs in a nonblocking fashion and manage their own event loops and polling directly. This is useful when it is desirable -to host OpenSSL's QUIC implementation on top of an application's existing +to host OpenSSL\*(Aqs QUIC implementation on top of an application\*(Aqs existing nonblocking I/O infrastructure. .PP This is supported via the concept of poll descriptors; see 
@@ -751,6 +754,19 @@ The application must call \fBSSL_get_event_timeout\fR\|(3) after every call to \&\fBSSL_handle_events\fR\|(3) (or another I/O function on the SSL object), and ensure that a call to \fBSSL_handle_events\fR\|(3) is performed after the specified timeout (if any). +.SH "WINDOWS APPLICATION NOTES" +.IX Header "WINDOWS APPLICATION NOTES" +QUIC protocol uses UDP sockets. The \fBrecvfrom()\fR function on Windows may fail +with \f(CW\*(C`WSAECONNRESET\*(C'\fR error causing OpenSSL QUIC stack to enter permanent +error, which prevents further communication over QUIC protocol. Applications +should disable SIO_UDP_CONNRESET and SIO_UDP_NETRESET error notification +on UDP sockets they pass to OpenSSL QUIC stack. More details can be found here: +https://learn.microsoft.com/en\-us/windows/win32/winsock/winsock\-ioctls#sio_udp_connreset\-opcode\-setting\-i\-t3 +.PP +OpenSSL attempts to always disable SIO_UDP_CONNRESET and SIO_UDP_NETRESET +on UDP sockets it receives from application, but no error is reported back +if the respective \f(CWWSAIoctl()\fR calls fail. Robust application should set those +options itself so it can handle error notifications from \f(CWWSAIoctl()\fR properly. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBSSL_handle_events\fR\|(3), \fBSSL_get_event_timeout\fR\|(3), @@ -769,7 +785,7 @@ that a call to \fBSSL_handle_events\fR\|(3) is performed after the specified tim \&\fBSSL_is_domain\fR\|(3), \fBSSL_get0_domain\fR\|(3) .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2022\-2025 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2022\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man7/openssl-threads.7 b/secure/lib/libcrypto/man/man7/openssl-threads.7 index 252b195da2b7..405ec6e03085 100644 --- a/secure/lib/libcrypto/man/man7/openssl-threads.7 
+++ b/secure/lib/libcrypto/man/man7/openssl-threads.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-THREADS 7ossl" -.TH OPENSSL-THREADS 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-THREADS 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -64,22 +67,22 @@ openssl\-threads \- Overview of thread safety in OpenSSL .SH DESCRIPTION .IX Header "DESCRIPTION" -In this man page, we use the term \fBthread-safe\fR to indicate that an +In this man page, we use the term \fBthread\-safe\fR to indicate that an object or function can be used by multiple threads at the same time. .PP OpenSSL can be built with or without threads support. The most important use of this support is so that OpenSSL itself can use a single consistent API, as shown in "EXAMPLES" in \fBCRYPTO_THREAD_run_once\fR\|(3). -Multi-platform applications can also use this API. +Multi\-platform applications can also use this API. .PP In particular, being configured for threads support does not imply that -all OpenSSL objects are thread-safe. +all OpenSSL objects are thread\-safe. To emphasize: \fImost objects are not safe for simultaneous use\fR. Exceptions to this should be documented on the specific manual pages, and -some general high-level guidance is given here. +some general high\-level guidance is given here. .PP One major use of the OpenSSL thread API is to implement reference counting. -Many objects within OpenSSL are reference-counted, so resources are not +Many objects within OpenSSL are reference\-counted, so resources are not released, until the last reference is removed. References are often increased automatically (such as when an \fBX509\fR certificate object is added into an \fBX509_STORE\fR trust store). 
@@ -89,24 +92,24 @@ Failure to match \fB\fR\f(BIobject\fR\fB_up_ref\fR() calls with the right number \&\fB\fR\f(BIobject\fR\fB_free\fR() calls is a common source of memory leaks when a program exits. .PP -Many objects have set and get API's to set attributes in the object. +Many objects have set and get API\*(Aqs to set attributes in the object. A \f(CW\*(C`set0\*(C'\fR passes ownership from the caller to the object and a \&\f(CW\*(C`get0\*(C'\fR returns a pointer but the attribute ownership remains with the object and a reference to it is returned. A \f(CW\*(C`set1\*(C'\fR or \f(CW\*(C`get1\*(C'\fR function does not change the ownership, but instead -updates the attribute's reference count so that the object is shared +updates the attribute\*(Aqs reference count so that the object is shared between the caller and the object; the caller must free the returned attribute when finished. Functions that involve attributes that have reference counts themselves, but are named with just \f(CW\*(C`set\*(C'\fR or \f(CW\*(C`get\*(C'\fR are historical; and the documentation must state how the references are handled. -Get methods are often thread-safe as long as the ownership requirements are +Get methods are often thread\-safe as long as the ownership requirements are met and shared objects are not modified. -Set methods, or modifying shared objects, are generally not thread-safe +Set methods, or modifying shared objects, are generally not thread\-safe as discussed below. .PP -Objects are thread-safe -as long as the API's being invoked don't modify the object; in this +Objects are thread\-safe +as long as the API\*(Aqs being invoked don\*(Aqt modify the object; in this case the parameter is usually marked in the API as \f(CW\*(C`const\*(C'\fR. Not all parameters are marked this way. Note that a \f(CW\*(C`const\*(C'\fR declaration does not mean immutable; for example 
@@ -114,30 +117,30 @@ Note that a \f(CW\*(C`const\*(C'\fR declaration does not mean immutable; for exa uses a C cast to remove that so it can lock objects, generate and cache a DER encoding, and so on. .PP -Another instance of thread-safety is when updates to an object's +Another instance of thread\-safety is when updates to an object\*(Aqs internal state, such as cached values, are done with locks. -One example of this is the reference counting API's described above. +One example of this is the reference counting API\*(Aqs described above. .PP In all cases, however, it is generally not safe for one thread to mutate an object, such as setting elements of a private or public key, while another thread is using that object, such as verifying a signature. .PP -The same API's can usually be used simultaneously on different objects +The same API\*(Aqs can usually be used simultaneously on different objects without interference. For example, two threads can calculate a signature using two different \&\fBEVP_PKEY_CTX\fR objects. .PP -For implicit global state or singletons, thread-safety depends on the facility. -The \fBCRYPTO_secure_malloc\fR\|(3) and related API's have their own lock, +For implicit global state or singletons, thread\-safety depends on the facility. +The \fBCRYPTO_secure_malloc\fR\|(3) and related API\*(Aqs have their own lock, while \fBCRYPTO_malloc\fR\|(3) assumes the underlying platform allocation will do any necessary locking. -Some API's, such as \fBNCONF_load\fR\|(3) and related do no locking at all; +Some API\*(Aqs, such as \fBNCONF_load\fR\|(3) and related do no locking at all; this can be considered a bug. .PP A separate, although related, issue is modifying "factory" objects when other objects have been created from that. For example, an \fBSSL_CTX\fR object created by \fBSSL_CTX_new\fR\|(3) is used -to create per-connection \fBSSL\fR objects by calling \fBSSL_new\fR\|(3). 
+to create per\-connection \fBSSL\fR objects by calling \fBSSL_new\fR\|(3). In this specific case, and probably for factory methods in general, it is not safe to modify the factory object after it has been used to create other objects. diff --git a/secure/lib/libcrypto/man/man7/openssl_user_macros.7 b/secure/lib/libcrypto/man/man7/openssl_user_macros.7 index c668a30b28fc..1ab137400d50 100644 --- a/secure/lib/libcrypto/man/man7/openssl_user_macros.7 +++ b/secure/lib/libcrypto/man/man7/openssl_user_macros.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_USER_MACROS 7ossl" -.TH OPENSSL_USER_MACROS 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_USER_MACROS 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -87,7 +90,7 @@ The value is a version number, given in one of the following two forms: This is the form supported for all versions up to 1.1.x, where \f(CW\*(C`M\*(C'\fR represents the major number, \f(CW\*(C`NN\*(C'\fR represents the minor number, and \&\f(CW\*(C`FF\*(C'\fR represents the fix number, as a hexadecimal number. For version -1.1.0, that's \f(CW\*(C`0x10100000L\*(C'\fR. +1.1.0, that\*(Aqs \f(CW\*(C`0x10100000L\*(C'\fR. .Sp Any version number may be given, but these numbers are the current known major deprecation points, making them the most 
@@ -103,9 +106,9 @@ meaningful: .ie n .IP """0x10100000L"" (version 1.1.0)" 4 .el .IP "\f(CW0x10100000L\fR (version 1.1.0)" 4 .IX Item "0x10100000L (version 1.1.0)" +.PD .RE .RS 4 -.PD .Sp For convenience, higher numbers are accepted as well, as long as feasible. For example, \f(CW\*(C`0x60000000L\*(C'\fR will work as expected. @@ -128,12 +131,12 @@ minor and patch components of the version number. For example: .IX Item "10002 corresponds to version 1.0.2" .IP "420101 corresponds to version 42.1.1" 4 .IX Item "420101 corresponds to version 42.1.1" +.PD .RE .RS 4 .RE .RE .RS 4 -.PD .Sp If \fBOPENSSL_API_COMPAT\fR is undefined, this default value is used in its place: @@ -143,7 +146,7 @@ place: .IX Item "OPENSSL_NO_DEPRECATED" If this macro is defined, all deprecated public symbols in all OpenSSL versions up to and including the version given by \fBOPENSSL_API_COMPAT\fR -(or the default value given above, when \fBOPENSSL_API_COMPAT\fR isn't defined) +(or the default value given above, when \fBOPENSSL_API_COMPAT\fR isn\*(Aqt defined) will be hidden. .SH COPYRIGHT .IX Header "COPYRIGHT" diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-introduction.7 b/secure/lib/libcrypto/man/man7/ossl-guide-introduction.7 index af30d4713b20..a89e600345ce 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-introduction.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-introduction.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-INTRODUCTION 7ossl" -.TH OSSL-GUIDE-INTRODUCTION 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-INTRODUCTION 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -65,7 +68,7 @@ ossl\-guide\-introduction \&\- OpenSSL Guide: An introduction to OpenSSL .SH "WHAT IS OPENSSL?" .IX Header "WHAT IS OPENSSL?" -OpenSSL is a robust, commercial-grade, full-featured toolkit for general-purpose +OpenSSL is a robust, commercial\-grade, full\-featured toolkit for general\-purpose cryptography and secure communication. Its features are made available via a command line application that enables users to perform various cryptography related functions such as generating keys and certificates. Additionally it @@ -82,8 +85,8 @@ The OpenSSL Project develops and distributes the source code for OpenSSL. You can obtain that source code via the OpenSSL website (<https://www.openssl.org/source>). .PP -Many Operating Systems (notably Linux distributions) supply pre-built OpenSSL -binaries either pre-installed or available via the package management system in +Many Operating Systems (notably Linux distributions) supply pre\-built OpenSSL +binaries either pre\-installed or available via the package management system in use for that OS. It is worth checking whether this applies to you before attempting to build OpenSSL from the source code. .PP 
@@ -105,17 +108,17 @@ provides information about setting up Perl for use by the OpenSSL build system across multiple platforms. .PP Sometimes you may want to build and install OpenSSL from source on a system -which already has a pre-built version of OpenSSL installed on it via the +which already has a pre\-built version of OpenSSL installed on it via the Operating System package management system (for example if you want to use a newer version of OpenSSL than the one supplied by your Operating System). In this case it is strongly recommended to install OpenSSL to a different location -than where the pre-built version is installed. You should \fBnever\fR replace the -pre-built version with a different version as this may break your system. +than where the pre\-built version is installed. You should \fBnever\fR replace the +pre\-built version with a different version as this may break your system. .SH "CONTENTS OF THE OPENSSL GUIDE" .IX Header "CONTENTS OF THE OPENSSL GUIDE" The OpenSSL Guide is a series of documentation pages (starting with this one) that introduce some of the main concepts in OpenSSL. The guide can either be -read end-to-end in order, or alternatively you can simply skip to the parts most +read end\-to\-end in order, or alternatively you can simply skip to the parts most applicable to your use case. Note however that later pages may depend on and assume knowledge from earlier pages. .PP 
@@ -141,7 +144,7 @@ The pages in the guide are as follows: .IX Item "ossl-guide-quic-client-block: Writing a simple blocking QUIC client" .IP "\fBossl\-guide\-quic\-server\-block\fR\|(7): Writing a simple blocking QUIC server" 4 .IX Item "ossl-guide-quic-server-block: Writing a simple blocking QUIC server" -.IP "\fBossl\-guide\-quic\-multi\-stream\fR\|(7): Writing a simple multi-stream QUIC client" 4 +.IP "\fBossl\-guide\-quic\-multi\-stream\fR\|(7): Writing a simple multi\-stream QUIC client" 4 .IX Item "ossl-guide-quic-multi-stream: Writing a simple multi-stream QUIC client" .IP "\fBossl\-guide\-quic\-server\-non\-block\fR\|(7): Writing a simple nonblocking QUIC server" 4 .IX Item "ossl-guide-quic-server-non-block: Writing a simple nonblocking QUIC server" diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-libcrypto-introduction.7 b/secure/lib/libcrypto/man/man7/ossl-guide-libcrypto-introduction.7 index 67414659de75..39ce5c4c818e 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-libcrypto-introduction.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-libcrypto-introduction.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-LIBCRYPTO-INTRODUCTION 7ossl" -.TH OSSL-GUIDE-LIBCRYPTO-INTRODUCTION 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-LIBCRYPTO-INTRODUCTION 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -73,7 +76,7 @@ and protocols. .PP The functionality includes symmetric encryption, public key cryptography, key agreement, certificate handling, cryptographic hash functions, cryptographic -pseudo-random number generators, message authentication codes (MACs), key +pseudo\-random number generators, message authentication codes (MACs), key derivation functions (KDFs), and various utilities. .SS Algorithms .IX Subsection "Algorithms" diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-libraries-introduction.7 b/secure/lib/libcrypto/man/man7/ossl-guide-libraries-introduction.7 index 3e224034aa32..8bb8374090c3 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-libraries-introduction.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-libraries-introduction.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-LIBRARIES-INTRODUCTION 7ossl" -.TH OSSL-GUIDE-LIBRARIES-INTRODUCTION 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-LIBRARIES-INTRODUCTION 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -98,14 +101,14 @@ algorithm AES). In order to use an algorithm you must have at least one provider loaded that contains an implementation of it. OpenSSL comes with a number of providers and they may also be obtained from third parties. .PP -Providers may either be "built-in" or in the form of a separate loadable module +Providers may either be "built\-in" or in the form of a separate loadable module file (typically one ending in ".so" or ".dll" dependent on the platform). A -built-in provider is one that is either already present in \f(CW\*(C`libcrypto\*(C'\fR or one +built\-in provider is one that is either already present in \f(CW\*(C`libcrypto\*(C'\fR or one that the application has supplied itself directly. Third parties can also supply providers in the form of loadable modules. .PP -If you don't load a provider explicitly (either in program code or via config) -then the OpenSSL built-in "default" provider will be automatically loaded. +If you don\*(Aqt load a provider explicitly (either in program code or via config) +then the OpenSSL built\-in "default" provider will be automatically loaded. .PP See "OPENSSL PROVIDERS" below for a description of the providers that OpenSSL itself supplies. @@ -135,7 +138,7 @@ initialise OpenSSL for use. Unlike in earlier versions of OpenSSL (prior to 1.1.0) no explicit initialisation steps need to be taken. .PP Similarly when the application exits, the default library context is -automatically destroyed. No explicit de-initialisation steps need to be taken. +automatically destroyed. No explicit de\-initialisation steps need to be taken. .PP See \fBOSSL_LIB_CTX\fR\|(3) for more information about library contexts. See also "ALGORITHM FETCHING" in \fBossl\-guide\-libcrypto\-introduction\fR\|(7). 
@@ -163,12 +166,12 @@ there is a conflict. See "ALGORITHM FETCHING" in \fBossl\-guide\-libcrypto\-introduction\fR\|(7) for more information about fetching. See \fBproperty\fR\|(7) for more information about properties. -.SH "MULTI-THREADED APPLICATIONS" +.SH "MULTI\-THREADED APPLICATIONS" .IX Header "MULTI-THREADED APPLICATIONS" As long as OpenSSL has been built with support for threads (the default case -on most platforms) then most OpenSSL \fIfunctions\fR are thread-safe in the sense +on most platforms) then most OpenSSL \fIfunctions\fR are thread\-safe in the sense that it is safe to call the same function from multiple threads at the same -time. However most OpenSSL \fIdata structures\fR are not thread-safe. For example +time. However most OpenSSL \fIdata structures\fR are not thread\-safe. For example the \fBBIO_write\fR\|(3) and \fBBIO_read\fR\|(3) functions are thread safe. However it would not be thread safe to call \fBBIO_write()\fR from one thread while calling \&\fBBIO_read()\fR in another where both functions are passed the same \fBBIO\fR object 
@@ -232,14 +235,14 @@ As well as the OpenSSL providers third parties can also implement providers. For information on writing a provider see \fBprovider\fR\|(7). .SS "Default provider" .IX Subsection "Default provider" -The default provider is built-in as part of the \fIlibcrypto\fR library and +The default provider is built\-in as part of the \fIlibcrypto\fR library and contains all of the most commonly used algorithm implementations. Should it be needed (if other providers are loaded and offer implementations of the same algorithms), the property query string "provider=default" can be used as a search criterion for these implementations. The default provider includes all of the functionality in the base provider below. .PP -If you don't load any providers at all then the "default" provider will be +If you don\*(Aqt load any providers at all then the "default" provider will be automatically loaded. If you explicitly load any provider then the "default" provider would also need to be explicitly loaded if it is required. .PP @@ -267,7 +270,7 @@ providers are loaded and offer implementations of the same algorithms), the property query string "provider=fips" can be used as a search criterion for these implementations. All approved algorithm implementations in the FIPS provider can also be selected with the property "fips=yes". The FIPS provider -may also contain non-approved algorithm implementations and these can be +may also contain non\-approved algorithm implementations and these can be selected with the property "fips=no". .PP Typically the "Base provider" will also need to be loaded because the FIPS 
@@ -347,7 +350,7 @@ examples of how to use the various API functions. To look at them download the OpenSSL source code from the OpenSSL website (<https://www.openssl.org/source/>). Extract the downloaded \fB.tar.gz\fR file for the version of OpenSSL that you are using and look at the various files in the -\&\fBdemos\fR sub-directory. +\&\fBdemos\fR sub\-directory. .PP The Makefiles in the subdirectories give instructions on how to build and run the demo applications. diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-libssl-introduction.7 b/secure/lib/libcrypto/man/man7/ossl-guide-libssl-introduction.7 index ff205b48d623..05749240fb56 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-libssl-introduction.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-libssl-introduction.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-LIBSSL-INTRODUCTION 7ossl" -.TH OSSL-GUIDE-LIBSSL-INTRODUCTION 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-LIBSSL-INTRODUCTION 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -91,15 +94,15 @@ used for exchanging data with the peer. .PP Both TLS and QUIC support the concept of a "stream" of data. Data sent via a stream is guaranteed to be delivered in order without any data loss. A stream -can be uni\- or bi-directional. +can be uni\- or bi\-directional. .PP SSL/TLS only supports one stream of data per connection and it is always -bi-directional. In this case the \fBSSL\fR object used for the connection also +bi\-directional. In this case the \fBSSL\fR object used for the connection also represents that stream. See \fBossl\-guide\-tls\-introduction\fR\|(7) for more information. .PP The QUIC protocol can support multiple streams per connection and they can be -uni\- or bi-directional. In this case an \fBSSL\fR object can represent the +uni\- or bi\-directional. In this case an \fBSSL\fR object can represent the underlying connection, or a stream, or both. Where multiple streams are in use a separate \fBSSL\fR object is used for each one. See \&\fBossl\-guide\-quic\-introduction\fR\|(7) for more information. diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-migration.7 b/secure/lib/libcrypto/man/man7/ossl-guide-migration.7 index 9cc9ad751edb..e671a2935959 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-migration.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-migration.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-MIGRATION 7ossl" -.TH OSSL-GUIDE-MIGRATION 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-MIGRATION 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -77,7 +80,7 @@ For an overview of some of the key concepts introduced in OpenSSL 3.0 see .IX Header "OPENSSL 3.1" .SS "Main Changes from OpenSSL 3.0" .IX Subsection "Main Changes from OpenSSL 3.0" -The FIPS provider in OpenSSL 3.1 includes some non-FIPS validated algorithms, +The FIPS provider in OpenSSL 3.1 includes some non\-FIPS validated algorithms, consequently the property query \f(CW\*(C`fips=yes\*(C'\fR is mandatory for applications that want to operate in a FIPS approved manner. The algorithms are: .IP "Triple DES ECB" 4 
@@ -209,19 +212,19 @@ will still work. However, their applicability will be limited. .PP New algorithms provided via engines will still work. .PP -Engine-backed keys can be loaded via custom \fBOSSL_STORE\fR implementation. +Engine\-backed keys can be loaded via custom \fBOSSL_STORE\fR implementation. In this case the \fBEVP_PKEY\fR objects created via \fBENGINE_load_private_key\fR\|(3) will be considered legacy and will continue to work. .PP To ensure the future compatibility, the engines should be turned to providers. -To prefer the provider-based hardware offload, you can specify the default +To prefer the provider\-based hardware offload, you can specify the default properties to prefer your provider. .PP -Setting engine-based or application-based default low-level crypto method such +Setting engine\-based or application\-based default low\-level crypto method such as \fBRSA_METHOD\fR or \fBEC_KEY_METHOD\fR is still possible and keys inside the -default provider will use the engine-based implementation for the crypto +default provider will use the engine\-based implementation for the crypto operations. However \fBEVP_PKEY\fRs created by decoding by using \fBOSSL_DECODER\fR, -\&\fBPEM_\fR or \fBd2i_\fR APIs will be provider-based. To create a fully legacy +\&\fBPEM_\fR or \fBd2i_\fR APIs will be provider\-based. To create a fully legacy \&\fBEVP_PKEY\fRs \fBEVP_PKEY_set1_RSA\fR\|(3), \fBEVP_PKEY_set1_EC_KEY\fR\|(3) or similar functions must be used. .PP 
@@ -245,10 +248,10 @@ For more information, see \fBOpenSSL_version\fR\|(3). \fIOther major new features\fR .IX Subsection "Other major new features" .PP -Certificate Management Protocol (CMP, RFC 4210) -.IX Subsection "Certificate Management Protocol (CMP, RFC 4210)" +Certificate Management Protocol (CMP, RFC 9810) +.IX Subsection "Certificate Management Protocol (CMP, RFC 9810)" .PP -This also covers CRMF (RFC 4211) and HTTP transfer (RFC 6712) +This also covers CRMF (RFC 4211) and HTTP transfer (RFC 9811) See \fBopenssl\-cmp\fR\|(1) and \fBOSSL_CMP_exec_certreq\fR\|(3) as starting points. .PP HTTP(S) client @@ -262,7 +265,7 @@ Key Derivation Function API (EVP_KDF) .PP This simplifies the process of adding new KDF and PRF implementations. .PP -Previously KDF algorithms had been shoe-horned into using the EVP_PKEY object +Previously KDF algorithms had been shoe\-horned into using the EVP_PKEY object which was not a logical mapping. Existing applications that use KDF algorithms using EVP_PKEY (scrypt, TLS1 PRF and HKDF) may be slower as they use an EVP_KDF bridge @@ -316,7 +319,7 @@ KEM Algorithm "RSASVE" .Sp See \fBEVP_KEM\-RSA\fR\|(7). .IP \(bu 4 -Cipher Algorithm "AES-SIV" +Cipher Algorithm "AES\-SIV" .Sp See "SIV Mode" in \fBEVP_EncryptInit\fR\|(3). .IP \(bu 4 
@@ -336,13 +339,13 @@ CS1, CS2 and CS3 variants are supported. CMS and PKCS#7 updates .IX Subsection "CMS and PKCS#7 updates" .IP \(bu 4 -Added CAdES-BES signature verification support. +Added CAdES\-BES signature verification support. .IP \(bu 4 -Added CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API. +Added CAdES\-BES signature scheme and attributes support (RFC 5126) to CMS API. .IP \(bu 4 Added AuthEnvelopedData content type structure (RFC 5083) using AES_GCM .Sp -This uses the AES-GCM parameter (RFC 5084) for the Cryptographic Message Syntax. +This uses the AES\-GCM parameter (RFC 5084) for the Cryptographic Message Syntax. Its purpose is to support encryption and decryption of a digital envelope that is both authenticated and encrypted using AES GCM mode. .IP \(bu 4 @@ -354,7 +357,7 @@ PKCS#12 API updates The default algorithms for pkcs12 creation with the \fBPKCS12_create()\fR function were changed to more modern PBKDF2 and AES based algorithms. The default MAC iteration count was changed to PKCS12_DEFAULT_ITER to make it equal -with the password-based encryption iteration count. The default digest +with the password\-based encryption iteration count. The default digest algorithm for the MAC computation was changed to SHA\-256. The pkcs12 application now supports \-legacy option that restores the previous default algorithms to support interoperability with legacy systems. @@ -425,7 +428,7 @@ This code is now always set to zero. Related functions are deprecated. STACK and HASH macros have been cleaned up .IX Subsection "STACK and HASH macros have been cleaned up" .PP -The type-safe wrappers are declared everywhere and implemented once. +The type\-safe wrappers are declared everywhere and implemented once. See \fBDEFINE_STACK_OF\fR\|(3) and \fBDEFINE_LHASH_OF_EX\fR\|(3). .PP The RAND_DRBG subsystem has been removed 
@@ -446,7 +449,7 @@ model. Applications should instead use Key generation is slower .IX Subsection "Key generation is slower" .PP -The Miller-Rabin test now uses 64 rounds, which is used for all prime generation, +The Miller\-Rabin test now uses 64 rounds, which is used for all prime generation, including RSA key generation. This affects the time for larger keys sizes. .PP The default key generation method for the regular 2\-prime RSA keys was changed @@ -502,7 +505,7 @@ Functions that return an internal key should be treated as read only .IX Subsection "Functions that return an internal key should be treated as read only" .PP Functions such as \fBEVP_PKEY_get0_RSA\fR\|(3) behave slightly differently in -OpenSSL 3.0. Previously they returned a pointer to the low-level key used +OpenSSL 3.0. Previously they returned a pointer to the low\-level key used internally by libcrypto. From OpenSSL 3.0 this key may now be held in a provider. Calling these functions will only return a handle on the internal key where the EVP_PKEY was constructed using this key in the first place, for 
@@ -515,15 +518,15 @@ the cached copy. Similarly any changes made to the cached copy by application code will not be reflected back in the internal provider key. .PP For the above reasons the keys returned from these functions should typically be -treated as read-only. To emphasise this the value returned from +treated as read\-only. To emphasise this the value returned from \&\fBEVP_PKEY_get0_RSA\fR\|(3), \fBEVP_PKEY_get0_DSA\fR\|(3), \fBEVP_PKEY_get0_EC_KEY\fR\|(3) and \&\fBEVP_PKEY_get0_DH\fR\|(3) have been made const. This may break some existing code. Applications broken by this change should be modified. The preferred solution is to refactor the code to avoid the use of these deprecated functions. Failing this the code should be modified to use a const pointer instead. The \fBEVP_PKEY_get1_RSA\fR\|(3), \fBEVP_PKEY_get1_DSA\fR\|(3), \fBEVP_PKEY_get1_EC_KEY\fR\|(3) -and \fBEVP_PKEY_get1_DH\fR\|(3) functions continue to return a non-const pointer to -enable them to be "freed". However they should also be treated as read-only. +and \fBEVP_PKEY_get1_DH\fR\|(3) functions continue to return a non\-const pointer to +enable them to be "freed". However they should also be treated as read\-only. .PP The public key check has moved from \fBEVP_PKEY_derive()\fR to \fBEVP_PKEY_derive_set_peer()\fR .IX Subsection "The public key check has moved from EVP_PKEY_derive() to EVP_PKEY_derive_set_peer()" 
@@ -619,9 +622,9 @@ As OpenSSL 3.0 provides a brand new Encoder/Decoder mechanism for working with widely used file formats, application code that checks for particular error reason codes on key loading failures might need an update. .PP -Password-protected keys may deserve special attention. If only some errors +Password\-protected keys may deserve special attention. If only some errors are treated as an indicator that the user should be asked about the password again, -it's worth testing these scenarios and processing the newly relevant codes. +it\*(Aqs worth testing these scenarios and processing the newly relevant codes. .PP There may be more cases to treat specially, depending on the calling application code. .SS "Upgrading from OpenSSL 1.0.2" @@ -690,7 +693,7 @@ See \fBfips_module\fR\|(7) and \fBOSSL_PROVIDER\-FIPS\fR\|(7) for details. .IX Subsection "Completing the installation of the FIPS Module" The FIPS Module will be built and installed automatically if FIPS support has been configured. The current documentation can be found in the -README-FIPS <https://github.com/openssl/openssl/blob/master/README-FIPS.md> file. +README\-FIPS <https://github.com/openssl/openssl/blob/master/README-FIPS.md> file. .SS Programming .IX Subsection "Programming" Applications written to work with OpenSSL 1.1.1 will mostly just work with @@ -937,7 +940,7 @@ This section describes some common categories of deprecations. See "Deprecated function mappings" for the list of deprecated functions that refer to these categories. .PP -Providers are a replacement for engines and low-level method overrides +Providers are a replacement for engines and low\-level method overrides .IX Subsection "Providers are a replacement for engines and low-level method overrides" .PP Any accessor that uses an ENGINE is deprecated (such as \fBEVP_PKEY_set1_engine()\fR). 
@@ -947,26 +950,26 @@ Before providers were added algorithms were overridden by changing the methods used by algorithms. All these methods such as \fBRSA_new_method()\fR and \fBRSA_meth_new()\fR are now deprecated and can be replaced by using providers instead. .PP -Deprecated i2d and d2i functions for low-level key types +Deprecated i2d and d2i functions for low\-level key types .IX Subsection "Deprecated i2d and d2i functions for low-level key types" .PP -Any i2d and d2i functions such as \fBd2i_DHparams()\fR that take a low-level key type +Any i2d and d2i functions such as \fBd2i_DHparams()\fR that take a low\-level key type have been deprecated. Applications should instead use the \fBOSSL_DECODER\fR\|(3) and \&\fBOSSL_ENCODER\fR\|(3) APIs to read and write files. See "Migration" in \fBd2i_RSAPrivateKey\fR\|(3) for further details. .PP -Deprecated low-level key object getters and setters +Deprecated low\-level key object getters and setters .IX Subsection "Deprecated low-level key object getters and setters" .PP -Applications that set or get low-level key objects (such as \fBEVP_PKEY_set1_DH()\fR +Applications that set or get low\-level key objects (such as \fBEVP_PKEY_set1_DH()\fR or \fBEVP_PKEY_get0()\fR) should instead use the OSSL_ENCODER (See \fBOSSL_ENCODER_to_bio\fR\|(3)) or OSSL_DECODER (See \fBOSSL_DECODER_from_bio\fR\|(3)) APIs, or alternatively use \fBEVP_PKEY_fromdata\fR\|(3) or \fBEVP_PKEY_todata\fR\|(3). .PP -Deprecated low-level key parameter getters +Deprecated low\-level key parameter getters .IX Subsection "Deprecated low-level key parameter getters" .PP -Functions that access low-level objects directly such as \fBRSA_get0_n\fR\|(3) are now +Functions that access low\-level objects directly such as \fBRSA_get0_n\fR\|(3) are now deprecated. Applications should use one of: \&\fBEVP_PKEY_get_bn_param\fR\|(3), \&\fBEVP_PKEY_get_int_param\fR\|(3), 
@@ -987,116 +990,116 @@ and "Common parameters" in \fBEVP_PKEY\-ML\-KEM\fR\|(7). Applications may also use \fBEVP_PKEY_todata\fR\|(3) to return all fields. .PP -Deprecated low-level key parameter setters +Deprecated low\-level key parameter setters .IX Subsection "Deprecated low-level key parameter setters" .PP -Functions that access low-level objects directly such as \fBRSA_set0_crt_params\fR\|(3) +Functions that access low\-level objects directly such as \fBRSA_set0_crt_params\fR\|(3) are now deprecated. Applications should use \fBEVP_PKEY_fromdata\fR\|(3) to create new keys from user provided key data. Keys should be immutable once they are created, so if required the user may use \fBEVP_PKEY_todata\fR\|(3), \fBOSSL_PARAM_merge\fR\|(3), and \fBEVP_PKEY_fromdata\fR\|(3) to create a modified key. See "Examples" in \fBEVP_PKEY\-DH\fR\|(7) for more information. -See "Deprecated low-level key generation functions" for information on +See "Deprecated low\-level key generation functions" for information on generating a key using parameters. .PP -Deprecated low-level object creation +Deprecated low\-level object creation .IX Subsection "Deprecated low-level object creation" .PP -Low-level objects were created using methods such as \fBRSA_new\fR\|(3), +Low\-level objects were created using methods such as \fBRSA_new\fR\|(3), \&\fBRSA_up_ref\fR\|(3) and \fBRSA_free\fR\|(3). Applications should instead use the -high-level EVP_PKEY APIs, e.g. \fBEVP_PKEY_new\fR\|(3), \fBEVP_PKEY_up_ref\fR\|(3) and +high\-level EVP_PKEY APIs, e.g. \fBEVP_PKEY_new\fR\|(3), \fBEVP_PKEY_up_ref\fR\|(3) and \&\fBEVP_PKEY_free\fR\|(3). See also \fBEVP_PKEY_CTX_new_from_name\fR\|(3) and \fBEVP_PKEY_CTX_new_from_pkey\fR\|(3). .PP EVP_PKEYs may be created in a variety of ways: -See also "Deprecated low-level key generation functions", -"Deprecated low-level key reading and writing functions" and -"Deprecated low-level key parameter setters". 
+See also "Deprecated low\-level key generation functions", +"Deprecated low\-level key reading and writing functions" and +"Deprecated low\-level key parameter setters". .PP -Deprecated low-level encryption functions +Deprecated low\-level encryption functions .IX Subsection "Deprecated low-level encryption functions" .PP -Low-level encryption functions such as \fBAES_encrypt\fR\|(3) and \fBAES_decrypt\fR\|(3) +Low\-level encryption functions such as \fBAES_encrypt\fR\|(3) and \fBAES_decrypt\fR\|(3) have been informally discouraged from use for a long time. Applications should instead use the high level EVP APIs \fBEVP_EncryptInit_ex\fR\|(3), \&\fBEVP_EncryptUpdate\fR\|(3), and \fBEVP_EncryptFinal_ex\fR\|(3) or \&\fBEVP_DecryptInit_ex\fR\|(3), \fBEVP_DecryptUpdate\fR\|(3) and \fBEVP_DecryptFinal_ex\fR\|(3). .PP -Deprecated low-level digest functions +Deprecated low\-level digest functions .IX Subsection "Deprecated low-level digest functions" .PP -Use of low-level digest functions such as \fBSHA1_Init\fR\|(3) have been +Use of low\-level digest functions such as \fBSHA1_Init\fR\|(3) have been informally discouraged from use for a long time. Applications should instead use the high level EVP APIs \fBEVP_DigestInit_ex\fR\|(3), \fBEVP_DigestUpdate\fR\|(3) -and \fBEVP_DigestFinal_ex\fR\|(3), or the quick one-shot \fBEVP_Q_digest\fR\|(3). +and \fBEVP_DigestFinal_ex\fR\|(3), or the quick one\-shot \fBEVP_Q_digest\fR\|(3). .PP Note that the functions \fBSHA1\fR\|(3), \fBSHA224\fR\|(3), \fBSHA256\fR\|(3), \fBSHA384\fR\|(3) and \fBSHA512\fR\|(3) have changed to macros that use \fBEVP_Q_digest\fR\|(3). .PP -Deprecated low-level signing functions +Deprecated low\-level signing functions .IX Subsection "Deprecated low-level signing functions" .PP -Use of low-level signing functions such as \fBDSA_sign\fR\|(3) have been +Use of low\-level signing functions such as \fBDSA_sign\fR\|(3) have been informally discouraged for a long time. 
Instead applications should use \&\fBEVP_DigestSign\fR\|(3) and \fBEVP_DigestVerify\fR\|(3). See also \fBEVP_SIGNATURE\-RSA\fR\|(7), \fBEVP_SIGNATURE\-DSA\fR\|(7), \&\fBEVP_SIGNATURE\-ECDSA\fR\|(7) and \fBEVP_SIGNATURE\-ED25519\fR\|(7). .PP -Deprecated low-level MAC functions +Deprecated low\-level MAC functions .IX Subsection "Deprecated low-level MAC functions" .PP -Low-level mac functions such as \fBCMAC_Init\fR\|(3) are deprecated. +Low\-level mac functions such as \fBCMAC_Init\fR\|(3) are deprecated. Applications should instead use the new \fBEVP_MAC\fR\|(3) interface, using \&\fBEVP_MAC_CTX_new\fR\|(3), \fBEVP_MAC_CTX_free\fR\|(3), \fBEVP_MAC_init\fR\|(3), -\&\fBEVP_MAC_update\fR\|(3) and \fBEVP_MAC_final\fR\|(3) or the single-shot MAC function +\&\fBEVP_MAC_update\fR\|(3) and \fBEVP_MAC_final\fR\|(3) or the single\-shot MAC function \&\fBEVP_Q_mac\fR\|(3). See \fBEVP_MAC\fR\|(3), \fBEVP_MAC\-HMAC\fR\|(7), \fBEVP_MAC\-CMAC\fR\|(7), \fBEVP_MAC\-GMAC\fR\|(7), \&\fBEVP_MAC\-KMAC\fR\|(7), \fBEVP_MAC\-BLAKE2\fR\|(7), \fBEVP_MAC\-Poly1305\fR\|(7) and \&\fBEVP_MAC\-Siphash\fR\|(7) for additional information. .PP -Note that the one-shot method \fBHMAC()\fR is still available for compatibility purposes, +Note that the one\-shot method \fBHMAC()\fR is still available for compatibility purposes, but this can also be replaced by using EVP_Q_MAC if a library context is required. .PP -Deprecated low-level validation functions +Deprecated low\-level validation functions .IX Subsection "Deprecated low-level validation functions" .PP -Low-level validation functions such as \fBDH_check\fR\|(3) have been informally -discouraged from use for a long time. Applications should instead use the high-level +Low\-level validation functions such as \fBDH_check\fR\|(3) have been informally +discouraged from use for a long time. 
Applications should instead use the high\-level EVP_PKEY APIs such as \fBEVP_PKEY_check\fR\|(3), \fBEVP_PKEY_param_check\fR\|(3), \&\fBEVP_PKEY_param_check_quick\fR\|(3), \fBEVP_PKEY_public_check\fR\|(3), \&\fBEVP_PKEY_public_check_quick\fR\|(3), \fBEVP_PKEY_private_check\fR\|(3), and \fBEVP_PKEY_pairwise_check\fR\|(3). .PP -Deprecated low-level key exchange functions +Deprecated low\-level key exchange functions .IX Subsection "Deprecated low-level key exchange functions" .PP -Many low-level functions have been informally discouraged from use for a long +Many low\-level functions have been informally discouraged from use for a long time. Applications should instead use \fBEVP_PKEY_derive\fR\|(3). See \fBEVP_KEYEXCH\-DH\fR\|(7), \fBEVP_KEYEXCH\-ECDH\fR\|(7) and \fBEVP_KEYEXCH\-X25519\fR\|(7). .PP -Deprecated low-level key generation functions +Deprecated low\-level key generation functions .IX Subsection "Deprecated low-level key generation functions" .PP -Many low-level functions have been informally discouraged from use for a long +Many low\-level functions have been informally discouraged from use for a long time. Applications should instead use \fBEVP_PKEY_keygen_init\fR\|(3) and \&\fBEVP_PKEY_generate\fR\|(3) as described in \fBEVP_PKEY\-DSA\fR\|(7), \fBEVP_PKEY\-DH\fR\|(7), \&\fBEVP_PKEY\-RSA\fR\|(7), \fBEVP_PKEY\-EC\fR\|(7) and \fBEVP_PKEY\-X25519\fR\|(7). -The 'quick' one-shot function \fBEVP_PKEY_Q_keygen\fR\|(3) and macros for the most +The \*(Aqquick\*(Aq one\-shot function \fBEVP_PKEY_Q_keygen\fR\|(3) and macros for the most common cases: <\fBEVP_RSA_gen\fR\|(3)> and \fBEVP_EC_gen\fR\|(3) may also be used. .PP -Deprecated low-level key reading and writing functions +Deprecated low\-level key reading and writing functions .IX Subsection "Deprecated low-level key reading and writing functions" .PP -Use of low-level objects (such as DSA) has been informally discouraged from use -for a long time. 
Functions to read and write these low-level objects (such as +Use of low\-level objects (such as DSA) has been informally discouraged from use +for a long time. Functions to read and write these low\-level objects (such as \&\fBPEM_read_DSA_PUBKEY()\fR) should be replaced. Applications should instead use \&\fBOSSL_ENCODER_to_bio\fR\|(3) and \fBOSSL_DECODER_from_bio\fR\|(3). .PP -Deprecated low-level key printing functions +Deprecated low\-level key printing functions .IX Subsection "Deprecated low-level key printing functions" .PP -Use of low-level objects (such as DSA) has been informally discouraged from use -for a long time. Functions to print these low-level objects such as +Use of low\-level objects (such as DSA) has been informally discouraged from use +for a long time. Functions to print these low\-level objects such as \&\fBDSA_print()\fR should be replaced with the equivalent EVP_PKEY functions. Application should use one of \fBEVP_PKEY_print_public\fR\|(3), \&\fBEVP_PKEY_print_private\fR\|(3), \fBEVP_PKEY_print_params\fR\|(3), @@ -1114,7 +1117,7 @@ The following functions have been deprecated in 3.0. There is no replacement for the IGE functions. New code should not use these modes. These undocumented functions were never integrated into the EVP layer. They implemented the AES Infinite Garble Extension (IGE) mode and AES -Bi-directional IGE mode. These modes were never formally standardised and +Bi\-directional IGE mode. These modes were never formally standardised and usage of these functions is believed to be very small. In particular \&\fBAES_bi_ige_encrypt()\fR has a known bug. It accepts 2 AES keys, but only one is ever used. The security implications are believed to be minimal, but 
@@ -1126,7 +1129,7 @@ this issue was never fixed for backwards compatibility reasons. .IP \(bu 4 \&\fBAES_unwrap_key()\fR, \fBAES_wrap_key()\fR .Sp -See "Deprecated low-level encryption functions" +See "Deprecated low\-level encryption functions" .IP \(bu 4 \&\fBAES_options()\fR .Sp @@ -1146,7 +1149,7 @@ previously passed in pointer. \&\fBBF_encrypt()\fR, \fBBF_decrypt()\fR, \fBBF_set_key()\fR, \fBBF_cbc_encrypt()\fR, \fBBF_cfb64_encrypt()\fR, \&\fBBF_ecb_encrypt()\fR, \fBBF_ofb64_encrypt()\fR .Sp -See "Deprecated low-level encryption functions". +See "Deprecated low\-level encryption functions". The Blowfish algorithm has been moved to the Legacy Provider. .IP \(bu 4 \&\fBBF_options()\fR @@ -1155,12 +1158,12 @@ There is no replacement. This option returned a constant string. .IP \(bu 4 \&\fBBIO_get_callback()\fR, \fBBIO_set_callback()\fR, \fBBIO_debug_callback()\fR .Sp -Use the respective non-deprecated \fB_ex()\fR functions. +Use the respective non\-deprecated \fB_ex()\fR functions. .IP \(bu 4 \&\fBBN_is_prime_ex()\fR, \fBBN_is_prime_fasttest_ex()\fR .Sp Use \fBBN_check_prime\fR\|(3) which avoids possible misuse and always uses at least -64 rounds of the Miller-Rabin primality test. +64 rounds of the Miller\-Rabin primality test. .IP \(bu 4 \&\fBBN_pseudo_rand()\fR, \fBBN_pseudo_rand_range()\fR .Sp @@ -1168,7 +1171,7 @@ Use \fBBN_rand\fR\|(3) and \fBBN_rand_range\fR\|(3). .IP \(bu 4 \&\fBBN_X931_derive_prime_ex()\fR, \fBBN_X931_generate_prime_ex()\fR, \fBBN_X931_generate_Xpq()\fR .Sp -There are no replacements for these low-level functions. They were used internally +There are no replacements for these low\-level functions. They were used internally by \fBRSA_X931_derive_ex()\fR and \fBRSA_X931_generate_key_ex()\fR which are also deprecated. Use \fBEVP_PKEY_keygen\fR\|(3) instead. .IP \(bu 4 
@@ -1177,29 +1180,29 @@ Use \fBEVP_PKEY_keygen\fR\|(3) instead. \&\fBCamellia_cfb8_encrypt()\fR, \fBCamellia_ctr128_encrypt()\fR, \fBCamellia_ecb_encrypt()\fR, \&\fBCamellia_ofb128_encrypt()\fR .Sp -See "Deprecated low-level encryption functions". +See "Deprecated low\-level encryption functions". .IP \(bu 4 \&\fBCAST_encrypt()\fR, \fBCAST_decrypt()\fR, \fBCAST_set_key()\fR, \fBCAST_cbc_encrypt()\fR, \&\fBCAST_cfb64_encrypt()\fR, \fBCAST_ecb_encrypt()\fR, \fBCAST_ofb64_encrypt()\fR .Sp -See "Deprecated low-level encryption functions". +See "Deprecated low\-level encryption functions". The CAST algorithm has been moved to the Legacy Provider. .IP \(bu 4 \&\fBCMAC_CTX_new()\fR, \fBCMAC_CTX_cleanup()\fR, \fBCMAC_CTX_copy()\fR, \fBCMAC_CTX_free()\fR, \&\fBCMAC_CTX_get0_cipher_ctx()\fR .Sp -See "Deprecated low-level MAC functions". +See "Deprecated low\-level MAC functions". .IP \(bu 4 \&\fBCMAC_Init()\fR, \fBCMAC_Update()\fR, \fBCMAC_Final()\fR, \fBCMAC_resume()\fR .Sp -See "Deprecated low-level MAC functions". +See "Deprecated low\-level MAC functions". .IP \(bu 4 \&\fBCRYPTO_mem_ctrl()\fR, \fBCRYPTO_mem_debug_free()\fR, \fBCRYPTO_mem_debug_malloc()\fR, \&\fBCRYPTO_mem_debug_pop()\fR, \fBCRYPTO_mem_debug_push()\fR, \fBCRYPTO_mem_debug_realloc()\fR, \&\fBCRYPTO_mem_leaks()\fR, \fBCRYPTO_mem_leaks_cb()\fR, \fBCRYPTO_mem_leaks_fp()\fR, \&\fBCRYPTO_set_mem_debug()\fR .Sp -Memory-leak checking has been deprecated in favor of more modern development +Memory\-leak checking has been deprecated in favor of more modern development tools, such as compiler memory and leak sanitizers or Valgrind. .IP \(bu 4 \&\fBCRYPTO_cts128_encrypt_block()\fR, \fBCRYPTO_cts128_encrypt()\fR, 
@@ -1223,12 +1226,12 @@ See "EXAMPLES" in \fBEVP_EncryptInit\fR\|(3) for a AES\-256\-CBC\-CTS example. \&\fBd2i_RSA_PUBKEY_bio()\fR, \fBd2i_RSA_PUBKEY_fp()\fR, \fBd2i_RSAPublicKey()\fR, \&\fBd2i_RSAPublicKey_bio()\fR, \fBd2i_RSAPublicKey_fp()\fR .Sp -See "Deprecated i2d and d2i functions for low-level key types" +See "Deprecated i2d and d2i functions for low\-level key types" .IP \(bu 4 \&\fBo2i_ECPublicKey()\fR .Sp Use \fBEVP_PKEY_set1_encoded_public_key\fR\|(3). -See "Deprecated low-level key parameter setters" +See "Deprecated low\-level key parameter setters" .IP \(bu 4 \&\fBDES_crypt()\fR, \fBDES_fcrypt()\fR, \fBDES_encrypt1()\fR, \fBDES_encrypt2()\fR, \fBDES_encrypt3()\fR, \&\fBDES_decrypt3()\fR, \fBDES_ede3_cbc_encrypt()\fR, \fBDES_ede3_cfb64_encrypt()\fR, @@ -1240,8 +1243,8 @@ DES_cfb64_encrypt \fBDES_cfb_encrypt()\fR, \fBDES_cbc_encrypt()\fR, \fBDES_ncbc_ \&\fBDES_random_key()\fR, \fBDES_set_key()\fR, \fBDES_set_key_checked()\fR, \fBDES_set_key_unchecked()\fR, \&\fBDES_set_odd_parity()\fR, \fBDES_string_to_2keys()\fR, \fBDES_string_to_key()\fR .Sp -See "Deprecated low-level encryption functions". -Algorithms for "DESX-CBC", "DES-ECB", "DES-CBC", "DES-OFB", "DES-CFB", +See "Deprecated low\-level encryption functions". +Algorithms for "DESX\-CBC", "DES\-ECB", "DES\-CBC", "DES\-OFB", "DES\-CFB", "DES\-CFB1" and "DES\-CFB8" have been moved to the Legacy Provider. .IP \(bu 4 \&\fBDH_bits()\fR, \fBDH_security_bits()\fR, \fBDH_size()\fR @@ -1252,7 +1255,7 @@ Use \fBEVP_PKEY_get_bits\fR\|(3), \fBEVP_PKEY_get_security_bits\fR\|(3) and \&\fBDH_check()\fR, \fBDH_check_ex()\fR, \fBDH_check_params()\fR, \fBDH_check_params_ex()\fR, \&\fBDH_check_pub_key()\fR, \fBDH_check_pub_key_ex()\fR .Sp -See "Deprecated low-level validation functions" +See "Deprecated low\-level validation functions" .IP \(bu 4 \&\fBDH_clear_flags()\fR, \fBDH_test_flags()\fR, \fBDH_set_flags()\fR .Sp 
@@ -1263,20 +1266,20 @@ There is no replacement for setting these flags. .IP \(bu 4 \&\fBDH_compute_key()\fR \fBDH_compute_key_padded()\fR .Sp -See "Deprecated low-level key exchange functions". +See "Deprecated low\-level key exchange functions". .IP \(bu 4 \&\fBDH_new()\fR, \fBDH_new_by_nid()\fR, \fBDH_free()\fR, \fBDH_up_ref()\fR .Sp -See "Deprecated low-level object creation" +See "Deprecated low\-level object creation" .IP \(bu 4 \&\fBDH_generate_key()\fR, \fBDH_generate_parameters_ex()\fR .Sp -See "Deprecated low-level key generation functions". +See "Deprecated low\-level key generation functions". .IP \(bu 4 \&\fBDH_get0_pqg()\fR, \fBDH_get0_p()\fR, \fBDH_get0_q()\fR, \fBDH_get0_g()\fR, \fBDH_get0_key()\fR, \&\fBDH_get0_priv_key()\fR, \fBDH_get0_pub_key()\fR, \fBDH_get_length()\fR, \fBDH_get_nid()\fR .Sp -See "Deprecated low-level key parameter getters" +See "Deprecated low\-level key parameter getters" .IP \(bu 4 \&\fBDH_get_1024_160()\fR, \fBDH_get_2048_224()\fR, \fBDH_get_2048_256()\fR .Sp @@ -1292,15 +1295,15 @@ Applications should use \fBEVP_PKEY_CTX_set_dh_kdf_type\fR\|(3) instead. \&\fBDH_OpenSSL()\fR, \fBDH_get_ex_data()\fR, \fBDH_set_default_method()\fR, \fBDH_set_method()\fR, \&\fBDH_set_ex_data()\fR .Sp -See "Providers are a replacement for engines and low-level method overrides" +See "Providers are a replacement for engines and low\-level method overrides" .IP \(bu 4 \&\fBDHparams_print()\fR, \fBDHparams_print_fp()\fR .Sp -See "Deprecated low-level key printing functions" +See "Deprecated low\-level key printing functions" .IP \(bu 4 \&\fBDH_set0_key()\fR, \fBDH_set0_pqg()\fR, \fBDH_set_length()\fR .Sp -See "Deprecated low-level key parameter setters" +See "Deprecated low\-level key parameter setters" .IP \(bu 4 \&\fBDSA_bits()\fR, \fBDSA_security_bits()\fR, \fBDSA_size()\fR .Sp 
@@ -1314,22 +1317,22 @@ and \fBEVP_PKEY_dup\fR\|(3) instead. .IP \(bu 4 \&\fBDSA_generate_key()\fR, \fBDSA_generate_parameters_ex()\fR .Sp -See "Deprecated low-level key generation functions". +See "Deprecated low\-level key generation functions". .IP \(bu 4 \&\fBDSA_get0_engine()\fR, \fBDSA_get_default_method()\fR, \fBDSA_get_ex_data()\fR, \&\fBDSA_get_method()\fR, DSA_meth_*(), \fBDSA_new_method()\fR, \fBDSA_OpenSSL()\fR, \&\fBDSA_set_default_method()\fR, \fBDSA_set_ex_data()\fR, \fBDSA_set_method()\fR .Sp -See "Providers are a replacement for engines and low-level method overrides". +See "Providers are a replacement for engines and low\-level method overrides". .IP \(bu 4 \&\fBDSA_get0_p()\fR, \fBDSA_get0_q()\fR, \fBDSA_get0_g()\fR, \fBDSA_get0_pqg()\fR, \fBDSA_get0_key()\fR, \&\fBDSA_get0_priv_key()\fR, \fBDSA_get0_pub_key()\fR .Sp -See "Deprecated low-level key parameter getters". +See "Deprecated low\-level key parameter getters". .IP \(bu 4 \&\fBDSA_new()\fR, \fBDSA_free()\fR, \fBDSA_up_ref()\fR .Sp -See "Deprecated low-level object creation" +See "Deprecated low\-level object creation" .IP \(bu 4 \&\fBDSAparams_dup()\fR .Sp @@ -1338,11 +1341,11 @@ and \fBEVP_PKEY_dup\fR\|(3) instead. .IP \(bu 4 \&\fBDSAparams_print()\fR, \fBDSAparams_print_fp()\fR, \fBDSA_print()\fR, \fBDSA_print_fp()\fR .Sp -See "Deprecated low-level key printing functions" +See "Deprecated low\-level key printing functions" .IP \(bu 4 \&\fBDSA_set0_key()\fR, \fBDSA_set0_pqg()\fR .Sp -See "Deprecated low-level key parameter setters" +See "Deprecated low\-level key parameter setters" .IP \(bu 4 \&\fBDSA_set_flags()\fR, \fBDSA_clear_flags()\fR, \fBDSA_test_flags()\fR .Sp 
@@ -1350,22 +1353,22 @@ The \fBDSA_FLAG_CACHE_MONT_P\fR flag has been deprecated without replacement. .IP \(bu 4 \&\fBDSA_sign()\fR, \fBDSA_do_sign()\fR, \fBDSA_sign_setup()\fR, \fBDSA_verify()\fR, \fBDSA_do_verify()\fR .Sp -See "Deprecated low-level signing functions". +See "Deprecated low\-level signing functions". .IP \(bu 4 \&\fBECDH_compute_key()\fR .Sp -See "Deprecated low-level key exchange functions". +See "Deprecated low\-level key exchange functions". .IP \(bu 4 \&\fBECDH_KDF_X9_62()\fR .Sp Applications may either set this using the helper function \&\fBEVP_PKEY_CTX_set_ecdh_kdf_type\fR\|(3) or by setting an \fBOSSL_PARAM\fR\|(3) using the -"kdf-type" as shown in "EXAMPLES" in \fBEVP_KEYEXCH\-ECDH\fR\|(7) +"kdf\-type" as shown in "EXAMPLES" in \fBEVP_KEYEXCH\-ECDH\fR\|(7) .IP \(bu 4 \&\fBECDSA_sign()\fR, \fBECDSA_sign_ex()\fR, \fBECDSA_sign_setup()\fR, \fBECDSA_do_sign()\fR, \&\fBECDSA_do_sign_ex()\fR, \fBECDSA_verify()\fR, \fBECDSA_do_verify()\fR .Sp -See "Deprecated low-level signing functions". +See "Deprecated low\-level signing functions". .IP \(bu 4 \&\fBECDSA_size()\fR .Sp @@ -1396,7 +1399,7 @@ named curves which OpenSSL has hardcoded lookup tables for. .IP \(bu 4 \&\fBEC_GROUP_new()\fR, \fBEC_GROUP_method_of()\fR, \fBEC_POINT_method_of()\fR .Sp -EC_METHOD is now an internal-only concept and a suitable EC_METHOD is assigned +EC_METHOD is now an internal\-only concept and a suitable EC_METHOD is assigned internally without application intervention. Users of \fBEC_GROUP_new()\fR should switch to a different suitable constructor. .IP \(bu 4 @@ -1406,7 +1409,7 @@ Applications should use \fBEVP_PKEY_can_sign\fR\|(3) instead. .IP \(bu 4 \&\fBEC_KEY_check_key()\fR .Sp -See "Deprecated low-level validation functions" +See "Deprecated low\-level validation functions" .IP \(bu 4 \&\fBEC_KEY_set_flags()\fR, \fBEC_KEY_get_flags()\fR, \fBEC_KEY_clear_flags()\fR .Sp 
@@ -1428,24 +1431,24 @@ There is no replacement. .IP \(bu 4 \&\fBEC_KEY_generate_key()\fR .Sp -See "Deprecated low-level key generation functions". +See "Deprecated low\-level key generation functions". .IP \(bu 4 \&\fBEC_KEY_get0_group()\fR, \fBEC_KEY_get0_private_key()\fR, \fBEC_KEY_get0_public_key()\fR, \&\fBEC_KEY_get_conv_form()\fR, \fBEC_KEY_get_enc_flags()\fR .Sp -See "Deprecated low-level key parameter getters". +See "Deprecated low\-level key parameter getters". .IP \(bu 4 \&\fBEC_KEY_get0_engine()\fR, \fBEC_KEY_get_default_method()\fR, \fBEC_KEY_get_method()\fR, \&\fBEC_KEY_new_method()\fR, \fBEC_KEY_get_ex_data()\fR, \fBEC_KEY_OpenSSL()\fR, \&\fBEC_KEY_set_ex_data()\fR, \fBEC_KEY_set_default_method()\fR, EC_KEY_METHOD_*(), \&\fBEC_KEY_set_method()\fR .Sp -See "Providers are a replacement for engines and low-level method overrides" +See "Providers are a replacement for engines and low\-level method overrides" .IP \(bu 4 \&\fBEC_METHOD_get_field_type()\fR .Sp Use \fBEC_GROUP_get_field_type\fR\|(3) instead. -See "Providers are a replacement for engines and low-level method overrides" +See "Providers are a replacement for engines and low\-level method overrides" .IP \(bu 4 \&\fBEC_KEY_key2buf()\fR, \fBEC_KEY_oct2key()\fR, \fBEC_KEY_oct2priv()\fR, \fBEC_KEY_priv2buf()\fR, \&\fBEC_KEY_priv2oct()\fR 
@@ -1454,30 +1457,30 @@ There are no replacements for these. .IP \(bu 4 \&\fBEC_KEY_new()\fR, \fBEC_KEY_new_by_curve_name()\fR, \fBEC_KEY_free()\fR, \fBEC_KEY_up_ref()\fR .Sp -See "Deprecated low-level object creation" +See "Deprecated low\-level object creation" .IP \(bu 4 \&\fBEC_KEY_print()\fR, \fBEC_KEY_print_fp()\fR .Sp -See "Deprecated low-level key printing functions" +See "Deprecated low\-level key printing functions" .IP \(bu 4 \&\fBEC_KEY_set_asn1_flag()\fR, \fBEC_KEY_set_conv_form()\fR, \fBEC_KEY_set_enc_flags()\fR .Sp -See "Deprecated low-level key parameter setters". +See "Deprecated low\-level key parameter setters". .IP \(bu 4 \&\fBEC_KEY_set_group()\fR, \fBEC_KEY_set_private_key()\fR, \fBEC_KEY_set_public_key()\fR, \&\fBEC_KEY_set_public_key_affine_coordinates()\fR .Sp -See "Deprecated low-level key parameter setters". +See "Deprecated low\-level key parameter setters". .IP \(bu 4 \&\fBECParameters_print()\fR, \fBECParameters_print_fp()\fR, \fBECPKParameters_print()\fR, \&\fBECPKParameters_print_fp()\fR .Sp -See "Deprecated low-level key printing functions" +See "Deprecated low\-level key printing functions" .IP \(bu 4 \&\fBEC_POINT_bn2point()\fR, \fBEC_POINT_point2bn()\fR .Sp These functions were not particularly useful, since EC point serialization -formats are not individual big-endian integers. +formats are not individual big\-endian integers. .IP \(bu 4 \&\fBEC_POINT_get_affine_coordinates_GF2m()\fR, \fBEC_POINT_get_affine_coordinates_GFp()\fR, \&\fBEC_POINT_set_affine_coordinates_GF2m()\fR, \fBEC_POINT_set_affine_coordinates_GFp()\fR 
@@ -1508,7 +1511,7 @@ This function is not widely used. Applications should instead use the \&\fBENGINE_*()\fR .Sp All engine functions are deprecated. An engine should be rewritten as a provider. -See "Providers are a replacement for engines and low-level method overrides". +See "Providers are a replacement for engines and low\-level method overrides". .IP \(bu 4 \&\fBERR_load_*()\fR, \fBERR_func_error_string()\fR, \fBERR_get_error_line()\fR, \&\fBERR_get_error_line_data()\fR, \fBERR_get_state()\fR @@ -1534,7 +1537,7 @@ See \fBEVP_CIPHER_CTX_get_original_iv\fR\|(3) for further information. \&\fBEVP_CIPHER_meth_*()\fR, \fBEVP_MD_CTX_set_update_fn()\fR, \fBEVP_MD_CTX_update_fn()\fR, \&\fBEVP_MD_meth_*()\fR .Sp -See "Providers are a replacement for engines and low-level method overrides". +See "Providers are a replacement for engines and low\-level method overrides". .IP \(bu 4 \&\fBEVP_PKEY_CTRL_PKCS7_ENCRYPT()\fR, \fBEVP_PKEY_CTRL_PKCS7_DECRYPT()\fR, \&\fBEVP_PKEY_CTRL_PKCS7_SIGN()\fR, \fBEVP_PKEY_CTRL_CMS_ENCRYPT()\fR, @@ -1546,7 +1549,7 @@ when the operation is initialized. .IP \(bu 4 \&\fBEVP_PKEY_CTX_get0_dh_kdf_ukm()\fR, \fBEVP_PKEY_CTX_get0_ecdh_kdf_ukm()\fR .Sp -See the "kdf-ukm" item in "DH key exchange parameters" in \fBEVP_KEYEXCH\-DH\fR\|(7) and +See the "kdf\-ukm" item in "DH key exchange parameters" in \fBEVP_KEYEXCH\-DH\fR\|(7) and "ECDH Key Exchange parameters" in \fBEVP_KEYEXCH\-ECDH\fR\|(7). These functions are obsolete and should not be required. .IP \(bu 4 
@@ -1576,16 +1579,16 @@ See "Functions that return an internal key should be treated as read only". .IP \(bu 4 \&\fBEVP_PKEY_meth_*()\fR .Sp -See "Providers are a replacement for engines and low-level method overrides". +See "Providers are a replacement for engines and low\-level method overrides". .IP \(bu 4 \&\fBEVP_PKEY_new_CMAC_key()\fR .Sp -See "Deprecated low-level MAC functions". +See "Deprecated low\-level MAC functions". .IP \(bu 4 \&\fBEVP_PKEY_assign()\fR, \fBEVP_PKEY_set1_DH()\fR, \fBEVP_PKEY_set1_DSA()\fR, \&\fBEVP_PKEY_set1_EC_KEY()\fR, \fBEVP_PKEY_set1_RSA()\fR .Sp -See "Deprecated low-level key object getters and setters" +See "Deprecated low\-level key object getters and setters" .IP \(bu 4 \&\fBEVP_PKEY_set1_tls_encodedpoint()\fR \fBEVP_PKEY_get1_tls_encodedpoint()\fR .Sp @@ -1598,7 +1601,7 @@ new functions. .IP \(bu 4 \&\fBEVP_PKEY_set1_engine()\fR, \fBEVP_PKEY_get0_engine()\fR .Sp -See "Providers are a replacement for engines and low-level method overrides". +See "Providers are a replacement for engines and low\-level method overrides". .IP \(bu 4 \&\fBEVP_PKEY_set_alias_type()\fR .Sp 
@@ -1607,49 +1610,49 @@ See "\fBEVP_PKEY_set_alias_type()\fR method has been removed" .IP \(bu 4 \&\fBHMAC_Init_ex()\fR, \fBHMAC_Update()\fR, \fBHMAC_Final()\fR, \fBHMAC_size()\fR .Sp -See "Deprecated low-level MAC functions". +See "Deprecated low\-level MAC functions". .IP \(bu 4 \&\fBHMAC_CTX_new()\fR, \fBHMAC_CTX_free()\fR, \fBHMAC_CTX_copy()\fR, \fBHMAC_CTX_reset()\fR, \&\fBHMAC_CTX_set_flags()\fR, \fBHMAC_CTX_get_md()\fR .Sp -See "Deprecated low-level MAC functions". +See "Deprecated low\-level MAC functions". .IP \(bu 4 \&\fBi2d_DHparams()\fR, \fBi2d_DHxparams()\fR .Sp -See "Deprecated low-level key reading and writing functions" +See "Deprecated low\-level key reading and writing functions" and "Migration" in \fBd2i_RSAPrivateKey\fR\|(3) .IP \(bu 4 \&\fBi2d_DSAparams()\fR, \fBi2d_DSAPrivateKey()\fR, \fBi2d_DSAPrivateKey_bio()\fR, \&\fBi2d_DSAPrivateKey_fp()\fR, \fBi2d_DSA_PUBKEY()\fR, \fBi2d_DSA_PUBKEY_bio()\fR, \&\fBi2d_DSA_PUBKEY_fp()\fR, \fBi2d_DSAPublicKey()\fR .Sp -See "Deprecated low-level key reading and writing functions" +See "Deprecated low\-level key reading and writing functions" and "Migration" in \fBd2i_RSAPrivateKey\fR\|(3) .IP \(bu 4 \&\fBi2d_ECParameters()\fR, \fBi2d_ECPrivateKey()\fR, \fBi2d_ECPrivateKey_bio()\fR, \&\fBi2d_ECPrivateKey_fp()\fR, \fBi2d_EC_PUBKEY()\fR, \fBi2d_EC_PUBKEY_bio()\fR, \&\fBi2d_EC_PUBKEY_fp()\fR .Sp -See "Deprecated low-level key reading and writing functions" +See "Deprecated low\-level key reading and writing functions" and "Migration" in \fBd2i_RSAPrivateKey\fR\|(3) .IP \(bu 4 \&\fBi2o_ECPublicKey()\fR .Sp Use \fBEVP_PKEY_get1_encoded_public_key\fR\|(3). 
-See "Deprecated low-level key parameter getters" +See "Deprecated low\-level key parameter getters" .IP \(bu 4 \&\fBi2d_RSAPrivateKey()\fR, \fBi2d_RSAPrivateKey_bio()\fR, \fBi2d_RSAPrivateKey_fp()\fR, \&\fBi2d_RSA_PUBKEY()\fR, \fBi2d_RSA_PUBKEY_bio()\fR, \fBi2d_RSA_PUBKEY_fp()\fR, \&\fBi2d_RSAPublicKey()\fR, \fBi2d_RSAPublicKey_bio()\fR, \fBi2d_RSAPublicKey_fp()\fR .Sp -See "Deprecated low-level key reading and writing functions" +See "Deprecated low\-level key reading and writing functions" and "Migration" in \fBd2i_RSAPrivateKey\fR\|(3) .IP \(bu 4 \&\fBIDEA_encrypt()\fR, \fBIDEA_set_decrypt_key()\fR, \fBIDEA_set_encrypt_key()\fR, \&\fBIDEA_cbc_encrypt()\fR, \fBIDEA_cfb64_encrypt()\fR, \fBIDEA_ecb_encrypt()\fR, \&\fBIDEA_ofb64_encrypt()\fR .Sp -See "Deprecated low-level encryption functions". +See "Deprecated low\-level encryption functions". IDEA has been moved to the Legacy Provider. .IP \(bu 4 \&\fBIDEA_options()\fR @@ -1658,7 +1661,7 @@ There is no replacement. This function returned a constant string. .IP \(bu 4 \&\fBMD2()\fR, \fBMD2_Init()\fR, \fBMD2_Update()\fR, \fBMD2_Final()\fR .Sp -See "Deprecated low-level encryption functions". +See "Deprecated low\-level encryption functions". MD2 has been moved to the Legacy Provider. .IP \(bu 4 \&\fBMD2_options()\fR 
@@ -1667,17 +1670,17 @@ There is no replacement. This function returned a constant string. .IP \(bu 4 \&\fBMD4()\fR, \fBMD4_Init()\fR, \fBMD4_Update()\fR, \fBMD4_Final()\fR, \fBMD4_Transform()\fR .Sp -See "Deprecated low-level encryption functions". +See "Deprecated low\-level encryption functions". MD4 has been moved to the Legacy Provider. .IP \(bu 4 \&\fBMDC2()\fR, \fBMDC2_Init()\fR, \fBMDC2_Update()\fR, \fBMDC2_Final()\fR .Sp -See "Deprecated low-level encryption functions". +See "Deprecated low\-level encryption functions". MDC2 has been moved to the Legacy Provider. .IP \(bu 4 \&\fBMD5()\fR, \fBMD5_Init()\fR, \fBMD5_Update()\fR, \fBMD5_Final()\fR, \fBMD5_Transform()\fR .Sp -See "Deprecated low-level encryption functions". +See "Deprecated low\-level encryption functions". .IP \(bu 4 \&\fBNCONF_WIN32()\fR .Sp @@ -1732,11 +1735,11 @@ PEM_read_bio_DSAPrivateKey and \fBPEM_read_bio_DSA_PUBKEY()\fR, \&\fBPEM_write_bio_RSAPrivateKey()\fR, \fBPEM_write_bio_RSA_PUBKEY()\fR, \&\fBPEM_write_bio_RSAPublicKey()\fR, .Sp -See "Deprecated low-level key reading and writing functions" +See "Deprecated low\-level key reading and writing functions" .IP \(bu 4 \&\fBPKCS1_MGF1()\fR .Sp -See "Deprecated low-level encryption functions". +See "Deprecated low\-level encryption functions". .IP \(bu 4 \&\fBRAND_get_rand_method()\fR, \fBRAND_set_rand_method()\fR, \fBRAND_OpenSSL()\fR, \&\fBRAND_set_rand_engine()\fR 
@@ -1751,13 +1754,13 @@ See \fBRAND_set_rand_method\fR\|(3) for more details. \&\fBRC5_32_encrypt()\fR, \fBRC5_32_set_key()\fR, \fBRC5_32_decrypt()\fR, \fBRC5_32_cbc_encrypt()\fR, \&\fBRC5_32_cfb64_encrypt()\fR, \fBRC5_32_ecb_encrypt()\fR, \fBRC5_32_ofb64_encrypt()\fR .Sp -See "Deprecated low-level encryption functions". +See "Deprecated low\-level encryption functions". The Algorithms "RC2", "RC4" and "RC5" have been moved to the Legacy Provider. .IP \(bu 4 \&\fBRIPEMD160()\fR, \fBRIPEMD160_Init()\fR, \fBRIPEMD160_Update()\fR, \fBRIPEMD160_Final()\fR, \&\fBRIPEMD160_Transform()\fR .Sp -See "Deprecated low-level digest functions". +See "Deprecated low\-level digest functions". The RIPE algorithm has been moved to the Legacy Provider. .IP \(bu 4 \&\fBRSA_bits()\fR, \fBRSA_security_bits()\fR, \fBRSA_size()\fR @@ -1767,7 +1770,7 @@ Use \fBEVP_PKEY_get_bits\fR\|(3), \fBEVP_PKEY_get_security_bits\fR\|(3) and .IP \(bu 4 \&\fBRSA_check_key()\fR, \fBRSA_check_key_ex()\fR .Sp -See "Deprecated low-level validation functions" +See "Deprecated low\-level validation functions" .IP \(bu 4 \&\fBRSA_clear_flags()\fR, \fBRSA_flags()\fR, \fBRSA_set_flags()\fR, \fBRSA_test_flags()\fR, \&\fBRSA_setup_blinding()\fR, \fBRSA_blinding_off()\fR, \fBRSA_blinding_on()\fR @@ -1780,11 +1783,11 @@ All of these RSA flags have been deprecated without replacement: .IP \(bu 4 \&\fBRSA_generate_key_ex()\fR, \fBRSA_generate_multi_prime_key()\fR .Sp -See "Deprecated low-level key generation functions". +See "Deprecated low\-level key generation functions". .IP \(bu 4 \&\fBRSA_get0_engine()\fR .Sp -See "Providers are a replacement for engines and low-level method overrides" +See "Providers are a replacement for engines and low\-level method overrides" .IP \(bu 4 \&\fBRSA_get0_crt_params()\fR, \fBRSA_get0_d()\fR, \fBRSA_get0_dmp1()\fR, \fBRSA_get0_dmq1()\fR, \&\fBRSA_get0_e()\fR, \fBRSA_get0_factors()\fR, \fBRSA_get0_iqmp()\fR, \fBRSA_get0_key()\fR, 
@@ -1792,15 +1795,15 @@ See "Providers are a replacement for engines and low-level method overrides" \&\fBRSA_get0_p()\fR, \fBRSA_get0_pss_params()\fR, \fBRSA_get0_q()\fR, \&\fBRSA_get_multi_prime_extra_count()\fR .Sp -See "Deprecated low-level key parameter getters" +See "Deprecated low\-level key parameter getters" .IP \(bu 4 \&\fBRSA_new()\fR, \fBRSA_free()\fR, \fBRSA_up_ref()\fR .Sp -See "Deprecated low-level object creation". +See "Deprecated low\-level object creation". .IP \(bu 4 \&\fBRSA_get_default_method()\fR, RSA_get_ex_data and \fBRSA_get_method()\fR .Sp -See "Providers are a replacement for engines and low-level method overrides". +See "Providers are a replacement for engines and low\-level method overrides". .IP \(bu 4 \&\fBRSA_get_version()\fR .Sp 
@@ -1808,25 +1811,25 @@ There is no replacement. .IP \(bu 4 \&\fBRSA_meth_*()\fR, \fBRSA_new_method()\fR, RSA_null_method and \fBRSA_PKCS1_OpenSSL()\fR .Sp -See "Providers are a replacement for engines and low-level method overrides". +See "Providers are a replacement for engines and low\-level method overrides". .IP \(bu 4 \&\fBRSA_padding_add_*()\fR, \fBRSA_padding_check_*()\fR .Sp -See "Deprecated low-level signing functions" and -"Deprecated low-level encryption functions". +See "Deprecated low\-level signing functions" and +"Deprecated low\-level encryption functions". .IP \(bu 4 \&\fBRSA_print()\fR, \fBRSA_print_fp()\fR .Sp -See "Deprecated low-level key printing functions" +See "Deprecated low\-level key printing functions" .IP \(bu 4 \&\fBRSA_public_encrypt()\fR, \fBRSA_private_decrypt()\fR .Sp -See "Deprecated low-level encryption functions" +See "Deprecated low\-level encryption functions" .IP \(bu 4 \&\fBRSA_private_encrypt()\fR, \fBRSA_public_decrypt()\fR .Sp This is equivalent to doing sign and verify recover operations (with a padding -mode of none). See "Deprecated low-level signing functions". +mode of none). See "Deprecated low\-level signing functions". .IP \(bu 4 \&\fBRSAPrivateKey_dup()\fR, \fBRSAPublicKey_dup()\fR .Sp 
@@ -1834,22 +1837,22 @@ There is no direct replacement. Applications may use \fBEVP_PKEY_dup\fR\|(3). .IP \(bu 4 \&\fBRSAPublicKey_it()\fR, \fBRSAPrivateKey_it()\fR .Sp -See "Deprecated low-level key reading and writing functions" +See "Deprecated low\-level key reading and writing functions" .IP \(bu 4 \&\fBRSA_set0_crt_params()\fR, \fBRSA_set0_factors()\fR, \fBRSA_set0_key()\fR, \&\fBRSA_set0_multi_prime_params()\fR .Sp -See "Deprecated low-level key parameter setters". +See "Deprecated low\-level key parameter setters". .IP \(bu 4 \&\fBRSA_set_default_method()\fR, \fBRSA_set_method()\fR, \fBRSA_set_ex_data()\fR .Sp -See "Providers are a replacement for engines and low-level method overrides" +See "Providers are a replacement for engines and low\-level method overrides" .IP \(bu 4 \&\fBRSA_sign()\fR, \fBRSA_sign_ASN1_OCTET_STRING()\fR, \fBRSA_verify()\fR, \&\fBRSA_verify_ASN1_OCTET_STRING()\fR, \fBRSA_verify_PKCS1_PSS()\fR, \&\fBRSA_verify_PKCS1_PSS_mgf1()\fR .Sp -See "Deprecated low-level signing functions". +See "Deprecated low\-level signing functions". .IP \(bu 4 \&\fBRSA_X931_derive_ex()\fR, \fBRSA_X931_generate_key_ex()\fR, \fBRSA_X931_hash_id()\fR .Sp @@ -1860,7 +1863,7 @@ See \fBOSSL_SIGNATURE_PARAM_PAD_MODE\fR. \&\fBSEED_encrypt()\fR, \fBSEED_decrypt()\fR, \fBSEED_set_key()\fR, \fBSEED_cbc_encrypt()\fR, \&\fBSEED_cfb128_encrypt()\fR, \fBSEED_ecb_encrypt()\fR, \fBSEED_ofb128_encrypt()\fR .Sp -See "Deprecated low-level encryption functions". +See "Deprecated low\-level encryption functions". The SEED algorithm has been moved to the Legacy Provider. .IP \(bu 4 \&\fBSHA1_Init()\fR, \fBSHA1_Update()\fR, \fBSHA1_Final()\fR, \fBSHA1_Transform()\fR, 
@@ -1869,7 +1872,7 @@ The SEED algorithm has been moved to the Legacy Provider. \&\fBSHA384_Init()\fR, \fBSHA384_Update()\fR, \fBSHA384_Final()\fR, \&\fBSHA512_Init()\fR, \fBSHA512_Update()\fR, \fBSHA512_Final()\fR, \fBSHA512_Transform()\fR .Sp -See "Deprecated low-level digest functions". +See "Deprecated low\-level digest functions". .IP \(bu 4 \&\fBSRP_Calc_A()\fR, \fBSRP_Calc_B()\fR, \fBSRP_Calc_client_key()\fR, \fBSRP_Calc_server_key()\fR, \&\fBSRP_Calc_u()\fR, \fBSRP_Calc_x()\fR, \fBSRP_check_known_gN_param()\fR, \fBSRP_create_verifier()\fR, @@ -1883,14 +1886,14 @@ There are no replacements for the SRP functions. \&\fBSSL_CTX_set_tmp_dh_callback()\fR, \fBSSL_set_tmp_dh_callback()\fR, \&\fBSSL_CTX_set_tmp_dh()\fR, \fBSSL_set_tmp_dh()\fR .Sp -These are used to set the Diffie-Hellman (DH) parameters that are to be used by +These are used to set the Diffie\-Hellman (DH) parameters that are to be used by servers requiring ephemeral DH keys. Instead applications should consider using -the built-in DH parameters that are available by calling \fBSSL_CTX_set_dh_auto\fR\|(3) +the built\-in DH parameters that are available by calling \fBSSL_CTX_set_dh_auto\fR\|(3) or \fBSSL_set_dh_auto\fR\|(3). If custom parameters are necessary then applications can use the alternative functions \fBSSL_CTX_set0_tmp_dh_pkey\fR\|(3) and \&\fBSSL_set0_tmp_dh_pkey\fR\|(3). There is no direct replacement for the "callback" functions. The callback was originally useful in order to have different -parameters for export and non-export ciphersuites. Export ciphersuites are no +parameters for export and non\-export ciphersuites. Export ciphersuites are no longer supported by OpenSSL. Use of the callback functions should be replaced by one of the other methods described above. .IP \(bu 4 
@@ -1901,7 +1904,7 @@ Use the new \fBSSL_CTX_set_tlsext_ticket_key_evp_cb\fR\|(3) function instead. \&\fBWHIRLPOOL()\fR, \fBWHIRLPOOL_Init()\fR, \fBWHIRLPOOL_Update()\fR, \fBWHIRLPOOL_Final()\fR, \&\fBWHIRLPOOL_BitUpdate()\fR .Sp -See "Deprecated low-level digest functions". +See "Deprecated low\-level digest functions". The Whirlpool algorithm has been moved to the Legacy Provider. .IP \(bu 4 \&\fBX509_certificate_type()\fR @@ -1944,8 +1947,8 @@ See \fBfips_module\fR\|(7) and \fBOSSL_PROVIDER\-FIPS\fR\|(7) for details. .IX Subsection "Added options" .PP \&\fB\-provider_path\fR and \fB\-provider\fR are available to all apps and can be used -multiple times to load any providers, such as the 'legacy' provider or third -party providers. If used then the 'default' provider would also need to be +multiple times to load any providers, such as the \*(Aqlegacy\*(Aq provider or third +party providers. If used then the \*(Aqdefault\*(Aq provider would also need to be specified if required. The \fB\-provider_path\fR must be specified before the \&\fB\-provider\fR option. .PP 
@@ -1970,16 +1973,16 @@ The \fB\-c\fR option used by \fBopenssl x509\fR, \fBopenssl dhparam\fR, The output of Command line applications may have minor changes. These are primarily changes in capitalisation and white space. However, in some cases, there are additional differences. -For example, the DH parameters output from \fBopenssl dhparam\fR now lists 'P', -\&'Q', 'G' and 'pcounter' instead of 'prime', 'generator', 'subgroup order' and -\&'counter' respectively. +For example, the DH parameters output from \fBopenssl dhparam\fR now lists \*(AqP\*(Aq, +\&\*(AqQ\*(Aq, \*(AqG\*(Aq and \*(Aqpcounter\*(Aq instead of \*(Aqprime\*(Aq, \*(Aqgenerator\*(Aq, \*(Aqsubgroup order\*(Aq and +\&\*(Aqcounter\*(Aq respectively. .PP The \fBopenssl\fR commands that read keys, certificates, and CRLs now automatically detect the PEM or DER format of the input files so it is not necessary to explicitly specify the input format anymore. However if the input format option is used the specified format will be required. .PP -\&\fBopenssl speed\fR no longer uses low-level API calls. +\&\fBopenssl speed\fR no longer uses low\-level API calls. This implies some of the performance numbers might not be comparable with the previous releases due to higher overhead. This applies particularly to measuring performance on smaller data chunks. @@ -2036,7 +2039,7 @@ internal buffers after delivering them to the application. Note, the application is still responsible for cleansing other copies (e.g.: data received by \fBSSL_read\fR\|(3)). .IP \(bu 4 -Client-initiated renegotiation is disabled by default. +Client\-initiated renegotiation is disabled by default. .Sp To allow it, use the \fB\-client_renegotiation\fR option, the \fBSSL_OP_ALLOW_CLIENT_RENEGOTIATION\fR flag, or the \f(CW\*(C`ClientRenegotiation\*(C'\fR 
@@ -2050,12 +2053,12 @@ to connect to legacy peers will need to explicitly set SSL_OP_LEGACY_SERVER_CONNECT. Accordingly, SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL. .IP \(bu 4 -Combining the Configure options no-ec and no-dh no longer disables TLSv1.3 +Combining the Configure options no\-ec and no\-dh no longer disables TLSv1.3 .Sp Typically if OpenSSL has no EC or DH algorithms then it cannot support connections with TLSv1.3. However OpenSSL now supports "pluggable" groups through providers. Therefore third party providers may supply group -implementations even where there are no built-in ones. Attempting to create +implementations even where there are no built\-in ones. Attempting to create TLS connections in such a build without also disabling TLSv1.3 at run time or using third party provider groups may result in handshake failures. TLSv1.3 can be disabled at compile time using the "no\-tls1_3" Configure option. diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-quic-client-block.7 b/secure/lib/libcrypto/man/man7/ossl-guide-quic-client-block.7 index 0a58176e335f..07125d699b17 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-quic-client-block.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-quic-client-block.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-QUIC-CLIENT-BLOCK 7ossl" -.TH OSSL-GUIDE-QUIC-CLIENT-BLOCK 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-QUIC-CLIENT-BLOCK 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -68,7 +71,7 @@ ossl\-guide\-quic\-client\-block This page will present various source code samples demonstrating how to write a simple blocking QUIC client application which connects to a server, sends an HTTP/1.0 request to it, and reads back the response. Note that HTTP/1.0 over -QUIC is non-standard and will not be supported by real world servers. This is +QUIC is non\-standard and will not be supported by real world servers. This is for demonstration purposes only. .PP We assume that you already have OpenSSL installed on your system; that you @@ -84,7 +87,7 @@ this one will be discussed so we also assume that you have run through and understand that tutorial. .PP For this tutorial our client will be using a single QUIC stream. A subsequent -tutorial will discuss how to write a multi-stream client (see +tutorial will discuss how to write a multi\-stream client (see \&\fBossl\-guide\-quic\-multi\-stream\fR\|(7)). .PP The complete source code for this example blocking QUIC client is available in 
@@ -240,14 +243,14 @@ Note the use of \fBBIO_s_datagram\fR\|(3) here as opposed to \fBBIO_s_socket\fR\ we used for our TLS client. This is again due to the fact that QUIC uses UDP instead of TCP for its transport layer. See \fBBIO_new\fR\|(3), \fBBIO_s_datagram\fR\|(3) and \fBBIO_set_fd\fR\|(3) for further information on these functions. -.SS "Setting the server's hostname" +.SS "Setting the server\*(Aqs hostname" .IX Subsection "Setting the server's hostname" -As in the TLS tutorial we need to set the server's hostname both for SNI (Server +As in the TLS tutorial we need to set the server\*(Aqs hostname both for SNI (Server Name Indication) and for certificate validation purposes. The steps for this are -identical to the TLS tutorial and won't be repeated here. +identical to the TLS tutorial and won\*(Aqt be repeated here. .SS "Setting the ALPN" .IX Subsection "Setting the ALPN" -ALPN (Application-Layer Protocol Negotiation) is a feature of TLS that enables +ALPN (Application\-Layer Protocol Negotiation) is a feature of TLS that enables the application to negotiate which protocol will be used over the connection. For example, if you intend to use HTTP/3 over the connection then the ALPN value for that is "h3" (see @@ -297,7 +300,7 @@ Note that we will need to free the \fBpeer_addr\fR value that we allocated via .IX Subsection "The handshake and application data transfer" Once initial setup of the \fBSSL\fR object is complete then we perform the handshake via \fBSSL_connect\fR\|(3) in exactly the same way as we did for the TLS -client, so we won't repeat it here. +client, so we won\*(Aqt repeat it here. .PP We can also perform data transfer using a default QUIC stream that is automatically associated with the \fBSSL\fR object for us. We can transmit data diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-quic-client-non-block.7 b/secure/lib/libcrypto/man/man7/ossl-guide-quic-client-non-block.7 index 12675ed4e025..30dd31495063 100644 
--- a/secure/lib/libcrypto/man/man7/ossl-guide-quic-client-non-block.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-quic-client-non-block.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-QUIC-CLIENT-NON-BLOCK 7ossl" -.TH OSSL-GUIDE-QUIC-CLIENT-NON-BLOCK 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-QUIC-CLIENT-NON-BLOCK 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -90,7 +93,7 @@ operations on some other connection or stream. .PP We will see later in this tutorial how to change the \fBSSL\fR object so that it has nonblocking behaviour. With a nonblocking \fBSSL\fR object, functions such as -\&\fBSSL_read_ex\fR\|(3) or \fBSSL_write_ex\fR\|(3) will return immediately with a non-fatal +\&\fBSSL_read_ex\fR\|(3) or \fBSSL_write_ex\fR\|(3) will return immediately with a non\-fatal error if they are currently unable to read or write respectively. .PP Since this page is building on the example developed on the 
@@ -219,7 +222,7 @@ A QUIC application that has been configured for nonblocking behaviour will need to be prepared to handle errors returned from OpenSSL I/O functions such as \&\fBSSL_read_ex\fR\|(3) or \fBSSL_write_ex\fR\|(3). Errors may be fatal for the stream (for example because the stream has been reset or because the underlying connection -has failed), or non-fatal (for example because we are trying to read from the +has failed), or non\-fatal (for example because we are trying to read from the stream but no data has not yet arrived from the peer for that stream). .PP \&\fBSSL_read_ex\fR\|(3) and \fBSSL_write_ex\fR\|(3) will return 0 to indicate an error and 
@@ -227,15 +230,15 @@ stream but no data has not yet arrived from the peer for that stream). an error. \fBSSL_shutdown\fR\|(3) will return a negative value to incidate an error. .PP In the event of an error an application should call \fBSSL_get_error\fR\|(3) to find -out what type of error has occurred. If the error is non-fatal and can be +out what type of error has occurred. If the error is non\-fatal and can be retried then \fBSSL_get_error\fR\|(3) will return \fBSSL_ERROR_WANT_READ\fR or \&\fBSSL_ERROR_WANT_WRITE\fR depending on whether OpenSSL wanted to read to or write from the stream but was unable to. Note that a call to \fBSSL_read_ex\fR\|(3) or \&\fBSSL_read\fR\|(3) can still generate \fBSSL_ERROR_WANT_WRITE\fR. Similarly calls to \&\fBSSL_write_ex\fR\|(3) or \fBSSL_write\fR\|(3) might generate \fBSSL_ERROR_WANT_READ\fR. .PP -Another type of non-fatal error that may occur is \fBSSL_ERROR_ZERO_RETURN\fR. This -indicates an EOF (End-Of-File) which can occur if you attempt to read data from +Another type of non\-fatal error that may occur is \fBSSL_ERROR_ZERO_RETURN\fR. This +indicates an EOF (End\-Of\-File) which can occur if you attempt to read data from an \fBSSL\fR object but the peer has indicated that it will not send any more data on the stream. In this case you may still want to write data to the stream but you will not receive any more data. 
@@ -313,15 +316,15 @@ OpenSSL I/O functions: .PP This function takes as arguments the \fBSSL\fR object that represents the connection, as well as the return code from the I/O function that failed. In -the event of a non-fatal failure, it waits until a retry of the I/O operation +the event of a non\-fatal failure, it waits until a retry of the I/O operation might succeed (by using the \f(CWwait_for_activity()\fR function that we developed -in the previous section). It returns 1 in the event of a non-fatal error +in the previous section). It returns 1 in the event of a non\-fatal error (except EOF), 0 in the event of EOF, or \-1 if a fatal error occurred. .SS "Creating the SSL_CTX and SSL objects" .IX Subsection "Creating the SSL_CTX and SSL objects" In order to connect to a server we must create \fBSSL_CTX\fR and \fBSSL\fR objects for this. Most of the steps to do this are the same as for a blocking client and are -explained on the \fBossl\-guide\-quic\-client\-block\fR\|(7) page. We won't repeat that +explained on the \fBossl\-guide\-quic\-client\-block\fR\|(7) page. We won\*(Aqt repeat that information here. .PP One key difference is that we must put the \fBSSL\fR object into nonblocking mode @@ -366,7 +369,7 @@ this we must use \fBOSSL_QUIC_client_thread_method\fR\|(3) when we construct the As in the demo for a blocking QUIC client we use the \fBSSL_connect\fR\|(3) function to perform the handshake with the server. Since we are using a nonblocking \&\fBSSL\fR object it is very likely that calls to this function will fail with a -non-fatal error while we are waiting for the server to respond to our handshake +non\-fatal error while we are waiting for the server to respond to our handshake messages. In such a case we must retry the same \fBSSL_connect\fR\|(3) call at a later time. In this demo we do this in a loop: .PP 
@@ -388,7 +391,7 @@ this stage, so such a response is treated in the same way as a fatal error. .IX Subsection "Sending and receiving data" As with the blocking QUIC client demo we use the \fBSSL_write_ex\fR\|(3) function to send data to the server. As with \fBSSL_connect\fR\|(3) above, because we are using -a nonblocking \fBSSL\fR object, this call could fail with a non-fatal error. In +a nonblocking \fBSSL\fR object, this call could fail with a non\-fatal error. In that case we should retry exactly the same \fBSSL_write_ex\fR\|(3) call again. Note that the parameters must be \fIexactly\fR the same, i.e. the same pointer to the buffer to write with the same length. You must not attempt to send different @@ -471,7 +474,7 @@ The main difference this time is that it is valid for us to receive an EOF response when trying to read data from the server. This will occur when the server closes down the connection after sending all the data in its response. .PP -In this demo we just print out all the data we've received back in the response +In this demo we just print out all the data we\*(Aqve received back in the response from the server. We continue going around the loop until we either encounter a fatal error, or we receive an EOF (indicating a graceful finish). .SS "Shutting down the connection" 
@@ -507,12 +510,12 @@ this: .IX Subsection "Final clean up" As with the blocking QUIC client example, once our connection is finished with we must free it. The steps to do this for this example are the same as for the -blocking example, so we won't repeat it here. +blocking example, so we won\*(Aqt repeat it here. .SH "FURTHER READING" .IX Header "FURTHER READING" See \fBossl\-guide\-quic\-client\-block\fR\|(7) to read a tutorial on how to write a blocking QUIC client. See \fBossl\-guide\-quic\-multi\-stream\fR\|(7) to see how to write -a multi-stream QUIC client. +a multi\-stream QUIC client. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBossl\-guide\-introduction\fR\|(7), \fBossl\-guide\-libraries\-introduction\fR\|(7), diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-quic-introduction.7 b/secure/lib/libcrypto/man/man7/ossl-guide-quic-introduction.7 index 42debcd957f4..b8af87980b07 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-quic-introduction.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-quic-introduction.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-QUIC-INTRODUCTION 7ossl" -.TH OSSL-GUIDE-QUIC-INTRODUCTION 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-QUIC-INTRODUCTION 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -87,19 +90,19 @@ allowing application protocols built on QUIC to create arbitrarily many bytestreams for communication between a client and server. This allows an application protocol to avoid problems where one packet of data is held up waiting on another packet being delivered (commonly referred to as -"head-of-line blocking"). It also enables an application to open additional -logical streams without requiring a round-trip exchange of packets between the +"head\-of\-line blocking"). It also enables an application to open additional +logical streams without requiring a round\-trip exchange of packets between the client and server as is required when opening an additional TLS/TCP connection. .IP HTTP/3 4 .IX Item "HTTP/3" Since QUIC is the basis of HTTP/3, support for QUIC also enables applications -to use HTTP/3 using a suitable third-party library. +to use HTTP/3 using a suitable third\-party library. .IP "Fast connection initiation" 4 .IX Item "Fast connection initiation" Future versions of OpenSSL will offer support for 0\-RTT connection initiation, allowing a connection to be initiated to a server and application data to be -transmitted without any waiting time. This is similar to TLS 1.3's 0\-RTT +transmitted without any waiting time. This is similar to TLS 1.3\*(Aqs 0\-RTT functionality but also avoids the round trip needed to open a TCP socket; thus, it is similar to a combination of TLS 1.3 0\-RTT and TCP Fast Open. .IP "Connection migration" 4 
@@ -109,10 +112,10 @@ connections to seamlessly survive IP address changes. .IP "Datagram based use cases" 4 .IX Item "Datagram based use cases" Future versions of OpenSSL will offer support for the QUIC datagram extension, -allowing support for both TLS and DTLS-style use cases on a single connection. +allowing support for both TLS and DTLS\-style use cases on a single connection. .IP "Implemented as application library" 4 .IX Item "Implemented as application library" -Because most QUIC implementations, including OpenSSL's implementation, are +Because most QUIC implementations, including OpenSSL\*(Aqs implementation, are implemented as an application library rather than by an operating system, an application can gain the benefit of QUIC without needing to wait for an OS update to be deployed. Future evolutions and enhancements to the QUIC protocol @@ -120,8 +123,8 @@ can be delivered as quickly as an application can be updated without dependency on an OS update cadence. .IP "Multiplexing over a single UDP socket" 4 .IX Item "Multiplexing over a single UDP socket" -Because QUIC is UDP-based, it is possible to multiplex a QUIC connection on the -same UDP socket as some other UDP-based protocols, such as RTP. +Because QUIC is UDP\-based, it is possible to multiplex a QUIC connection on the +same UDP socket as some other UDP\-based protocols, such as RTP. .SH "QUIC TIME BASED EVENTS" .IX Header "QUIC TIME BASED EVENTS" A key difference between the TLS implementation and the QUIC implementation in 
@@ -169,8 +172,8 @@ QUIC introduces the concept of "streams". A stream provides a reliable mechanism for sending and receiving application data between the endpoints. The bytes transmitted are guaranteed to be received in the same order they were sent without any loss of data or reordering of the bytes. A TLS application -effectively has one bi-directional stream available to it per TLS connection. A -QUIC application can have multiple uni-directional or bi-directional streams +effectively has one bi\-directional stream available to it per TLS connection. A +QUIC application can have multiple uni\-directional or bi\-directional streams available to it for each connection. .PP In OpenSSL an \fBSSL\fR object is used to represent both connections and streams. @@ -192,7 +195,7 @@ TLS assumes "stream" type semantics for its underlying transport layer protocol by using UDP. An OpenSSL application using QUIC is responsible for creating a BIO to represent the underlying transport layer. This BIO must support datagrams and is typically \fBBIO_s_datagram\fR\|(3), but other \fBBIO\fR choices are available. -See \fBbio\fR\|(7) for an introduction to OpenSSL's \fBBIO\fR concept. +See \fBbio\fR\|(7) for an introduction to OpenSSL\*(Aqs \fBBIO\fR concept. .PP A significant difference between OpenSSL TLS applications and OpenSSL QUIC applications is the way that blocking is implemented. In TLS if your application 
@@ -202,7 +205,7 @@ underlying socket is configured to be nonblocking. .PP With an OpenSSL QUIC application the underlying socket must always be configured to be nonblocking. Howevever the \fBSSL\fR object will, by default, still operate -in blocking mode. So, from an application's perspective, calls to functions such +in blocking mode. So, from an application\*(Aqs perspective, calls to functions such as \fBSSL_read_ex\fR\|(3), \fBSSL_write_ex\fR\|(3) and other I/O functions will still block. OpenSSL itself provides that blocking capability for QUIC instead of the socket. If nonblocking behaviour is desired then the application must call diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-quic-multi-stream.7 b/secure/lib/libcrypto/man/man7/ossl-guide-quic-multi-stream.7 index bd22fe37d47c..8c1db0ce23d7 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-quic-multi-stream.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-quic-multi-stream.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-QUIC-MULTI-STREAM 7ossl" -.TH OSSL-GUIDE-QUIC-MULTI-STREAM 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-QUIC-MULTI-STREAM 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -66,12 +69,12 @@ ossl\-guide\-quic\-multi\-stream .SH INTRODUCTION .IX Header "INTRODUCTION" This page will introduce some important concepts required to write a simple -QUIC multi-stream application. It assumes a basic understanding of QUIC and how +QUIC multi\-stream application. It assumes a basic understanding of QUIC and how it is used in OpenSSL. See \fBossl\-guide\-quic\-introduction\fR\|(7) and \&\fBossl\-guide\-quic\-client\-block\fR\|(7). .SH "QUIC STREAMS" .IX Header "QUIC STREAMS" -In a QUIC multi-stream application we separate out the concepts of a QUIC +In a QUIC multi\-stream application we separate out the concepts of a QUIC "connection" and a QUIC "stream". A connection object represents the overarching details of the connection between a client and a server including all its negotiated and configured parameters. We use the \fBSSL\fR object for that in an 
@@ -110,15 +113,15 @@ created and associated with the \fBSSL\fR object when the application calls passes the connection \fBSSL\fR object as a parameter. .PP If a client application calls \fBSSL_write_ex\fR\|(3) or \fBSSL_write\fR\|(3) first then -(by default) the default stream will be a client-initiated bi-directional +(by default) the default stream will be a client\-initiated bi\-directional stream. If a client application calls \fBSSL_read_ex\fR\|(3) or \fBSSL_read\fR\|(3) first then the first stream initiated by the server will be used as the default -stream (whether it is bi-directional or uni-directional). +stream (whether it is bi\-directional or uni\-directional). .PP This behaviour can be controlled via the default stream mode. See \&\fBSSL_set_default_stream_mode\fR\|(3) for further details. .PP -It is recommended that new multi-stream applications should not use a default +It is recommended that new multi\-stream applications should not use a default stream at all and instead should use a separate stream \fBSSL\fR object for each stream that is used. This requires calling \fBSSL_set_default_stream_mode\fR\|(3) and setting the mode to \fBSSL_DEFAULT_STREAM_MODE_NONE\fR. @@ -127,7 +130,7 @@ and setting the mode to \fBSSL_DEFAULT_STREAM_MODE_NONE\fR. An endpoint can create a new stream by calling \fBSSL_new_stream\fR\|(3). This creates a locally initiated stream. In order to do so you must pass the QUIC connection \fBSSL\fR object as a parameter. You can also specify whether you want a -bi-directional or a uni-directional stream. +bi\-directional or a uni\-directional stream. .PP The function returns a new QUIC stream \fBSSL\fR object for sending and receiving data on that stream. 
@@ -147,8 +150,8 @@ accepted. To override this behaviour you must call is not relevant if the default stream has been disabled as described in "THE DEFAULT STREAM" above. .PP -Any stream may be bi-directional or uni-directional. If it is uni-directional -then the initiator can write to it but not read from it, and vice-versa for the +Any stream may be bi\-directional or uni\-directional. If it is uni\-directional +then the initiator can write to it but not read from it, and vice\-versa for the peer. You can determine what type of stream an \fBSSL\fR object represents by calling \fBSSL_get_stream_type\fR\|(3). See the man page for further details. .SH "USING A STREAM TO SEND AND RECEIVE DATA" @@ -185,14 +188,14 @@ will automatically signal STOP_SENDING to the peer. .SH "STREAMS AND CONNECTIONS" .IX Header "STREAMS AND CONNECTIONS" Given a stream object it is possible to get the \fBSSL\fR object corresponding to -the connection via a call to \fBSSL_get0_connection\fR\|(3). Multi-threaded +the connection via a call to \fBSSL_get0_connection\fR\|(3). Multi\-threaded restrictions apply so care should be taken when using the returned connection object. Specifically, if you are handling each of your stream objects in a different thread and call \fBSSL_get0_connection\fR\|(3) from within that thread then you must be careful to not to call any function that uses the connection object at the same time as one of the other threads is also using that connection object (with the exception of \fBSSL_accept_stream\fR\|(3) and -\&\fBSSL_get_accept_stream_queue_len\fR\|(3) which are thread-safe). +\&\fBSSL_get_accept_stream_queue_len\fR\|(3) which are thread\-safe). .PP A stream object does not inherit all its settings and values from its parent \&\fBSSL\fR connection object. Therefore certain function calls that are relevant to 
@@ -200,30 +203,30 @@ the connection as a whole will not work on a stream. For example the function \&\fBSSL_get_certificate\fR\|(3) can be used to obtain a handle on the peer certificate when called with a connection \fBSSL\fR object. When called with a stream \fBSSL\fR object it will return NULL. -.SH "SIMPLE MULTI-STREAM QUIC CLIENT EXAMPLE" +.SH "SIMPLE MULTI\-STREAM QUIC CLIENT EXAMPLE" .IX Header "SIMPLE MULTI-STREAM QUIC CLIENT EXAMPLE" This section will present various source code samples demonstrating how to write -a simple multi-stream QUIC client application which connects to a server, send +a simple multi\-stream QUIC client application which connects to a server, send some HTTP/1.0 requests to it, and read back the responses. Note that HTTP/1.0 -over QUIC is non-standard and will not be supported by real world servers. This +over QUIC is non\-standard and will not be supported by real world servers. This is for demonstration purposes only. .PP We will build on the example code for the simple blocking QUIC client that is covered on the \fBossl\-guide\-quic\-client\-block\fR\|(7) page and we assume that you are familiar with it. We will only describe the differences between the simple -blocking QUIC client and the multi-stream QUIC client. Although the example code +blocking QUIC client and the multi\-stream QUIC client. Although the example code uses blocking \fBSSL\fR objects, you can equally use nonblocking \fBSSL\fR objects. See \fBossl\-guide\-quic\-client\-non\-block\fR\|(7) for more information about writing a nonblocking QUIC client. .PP -The complete source code for this example multi-stream QUIC client is available +The complete source code for this example multi\-stream QUIC client is available in the \f(CW\*(C`demos/guide\*(C'\fR directory of the OpenSSL source distribution in the file \&\f(CW\*(C`quic\-multi\-stream.c\*(C'\fR. It is also available online at <https://github.com/openssl/openssl/blob/master/demos/guide/quic\-multi\-stream.c>. 
.SS "Disabling the default stream" .IX Subsection "Disabling the default stream" As discussed above in "THE DEFAULT STREAM" we will follow the recommendation -to disable the default stream for our multi-stream client. To do this we call +to disable the default stream for our multi\-stream client. To do this we call the \fBSSL_set_default_stream_mode\fR\|(3) function and pass in our connection \fBSSL\fR object and the value \fBSSL_DEFAULT_STREAM_MODE_NONE\fR. .PP @@ -241,8 +244,8 @@ object and the value \fBSSL_DEFAULT_STREAM_MODE_NONE\fR. .IX Subsection "Creating the request streams" For the purposes of this example we will create two different streams to send two different HTTP requests to the server. For the purposes of demonstration the -first of these will be a bi-directional stream and the second one will be a -uni-directional one: +first of these will be a bi\-directional stream and the second one will be a +uni\-directional one: .PP .Vb 10 \& /* @@ -305,7 +308,7 @@ the requests to each stream simultaneously. .Ve .SS "Reading data from a stream" .IX Subsection "Reading data from a stream" -In this example \fBstream1\fR is a bi-directional stream so, once we have sent the +In this example \fBstream1\fR is a bi\-directional stream so, once we have sent the request on it, we can attempt to read the response from the server back. Here we just repeatedly call \fBSSL_read_ex\fR\|(3) until that function fails (indicating either that there has been a problem, or that the peer has signalled the stream 
@@ -392,7 +395,7 @@ these different cases. .Ve .SS "Accepting an incoming stream" .IX Subsection "Accepting an incoming stream" -Our \fBstream2\fR object that we created above was a uni-directional stream so it +Our \fBstream2\fR object that we created above was a uni\-directional stream so it cannot be used to receive data from the server. In this hypothetical example we assume that the server initiates a new stream to send us back the data that we requested. To do that we call \fBSSL_accept_stream\fR\|(3). Since this is a @@ -420,13 +423,13 @@ return \fBNULL\fR. .Ve .PP We can now read data from the stream in the same way that we did for \fBstream1\fR -above. We won't repeat that here. +above. We won\*(Aqt repeat that here. .SS "Cleaning up the streams" .IX Subsection "Cleaning up the streams" Once we have finished using our streams we can simply free them by calling \&\fBSSL_free\fR\|(3). Optionally we could call \fBSSL_stream_conclude\fR\|(3) on them if -we want to indicate to the peer that we won't be sending them any more data, but -we don't do that in this example because we assume that the HTTP application +we want to indicate to the peer that we won\*(Aqt be sending them any more data, but +we don\*(Aqt do that in this example because we assume that the HTTP application protocol supplies sufficient information for the peer to know when we have finished sending request data. .PP diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-quic-server-block.7 b/secure/lib/libcrypto/man/man7/ossl-guide-quic-server-block.7 index 080671daef73..597d351f85a8 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-quic-server-block.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-quic-server-block.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-QUIC-SERVER-BLOCK 7ossl" -.TH OSSL-GUIDE-QUIC-SERVER-BLOCK 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-QUIC-SERVER-BLOCK 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -66,11 +69,11 @@ ossl\-guide\-quic\-server\-block .SH "SIMPLE BLOCKING QUIC SERVER EXAMPLE" .IX Header "SIMPLE BLOCKING QUIC SERVER EXAMPLE" This page will present various source code samples demonstrating how to write a -simple, non-concurrent, QUIC "echo" server application which accepts one client +simple, non\-concurrent, QUIC "echo" server application which accepts one client connection at a time, echoing input from the client back to the same client. Once the current client disconnects, the next client connection is accepted. .PP -The server only accepts HTTP/1.0 requests, which is non-standard and will not +The server only accepts HTTP/1.0 requests, which is non\-standard and will not be supported by real world servers. This is for demonstration purposes only. .PP Both the accepting socket and client connections are "blocking". A more typical 
@@ -107,7 +110,7 @@ whenever you are writing a QUIC server. .Ve .PP Servers need a private key and certificate. Intermediate issuer CA -certificates are often required, and both the server (end-entity or EE) +certificates are often required, and both the server (end\-entity or EE) certificate and the issuer ("chain") certificates are most easily configured in a single "chain file". Below we load such a chain file (the EE certificate must appear first), and then load the corresponding private key, checking that @@ -178,7 +181,7 @@ the default handling. \& SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); .Ve .PP -QUIC also dictates using Application-Layer Protocol Negotiation (ALPN) to select +QUIC also dictates using Application\-Layer Protocol Negotiation (ALPN) to select an application protocol. We use \fBSSL_CTX_set_alpn_select_cb\fR\|(3) for this purpose. We can pass a callback which will be called for each connection to select an ALPN the server considers acceptable. @@ -188,7 +191,7 @@ select an ALPN the server considers acceptable. \& SSL_CTX_set_alpn_select_cb(ctx, select_alpn, NULL); .Ve .PP -In this case, we only accept "http/1.0" and "hq-interop". +In this case, we only accept "http/1.0" and "hq\-interop". .PP .Vb 8 \& /* diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-quic-server-non-block.7 b/secure/lib/libcrypto/man/man7/ossl-guide-quic-server-non-block.7 index 81dbaadbb609..eccb815c4a14 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-quic-server-non-block.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-quic-server-non-block.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-QUIC-SERVER-NON-BLOCK 7ossl" -.TH OSSL-GUIDE-QUIC-SERVER-NON-BLOCK 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-QUIC-SERVER-NON-BLOCK 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -66,12 +69,12 @@ ossl\-guide\-quic\-server\-non\-block .SH "SIMPLE NONBLOCKING QUIC SERVER EXAMPLE" .IX Header "SIMPLE NONBLOCKING QUIC SERVER EXAMPLE" This page presents various source code samples demonstrating how to write a -simple, non-concurrent, QUIC "echo" server application which accepts one client +simple, non\-concurrent, QUIC "echo" server application which accepts one client connection at a time, echoing input from the client back to the same client. Once the current client disconnects, the next client connection is accepted. .PP -The server only accepts \f(CW\*(C`http/1.0\*(C'\fR and \f(CW\*(C`hq\-interop\*(C'\fR ALPN's and doesn't actually -implement HTTP but only does a simple echo. This is non-standard and will not +The server only accepts \f(CW\*(C`http/1.0\*(C'\fR and \f(CW\*(C`hq\-interop\*(C'\fR ALPN\*(Aqs and doesn\*(Aqt actually +implement HTTP but only does a simple echo. This is non\-standard and will not be supported by real world servers. This is for demonstration purposes only. .PP There are various methods to test this server: \fBquic\-client\-block.c\fR and 
@@ -116,7 +119,7 @@ whenever you are writing a QUIC server. .Ve .PP Servers need a private key and certificate. Intermediate issuer CA -certificates are often required, and both the server (end-entity or EE) +certificates are often required, and both the server (end\-entity or EE) certificate and the issuer ("chain") certificates are most easily configured in a single "chain file". Below we load such a chain file (the EE certificate must appear first), and then load the corresponding private key, checking that @@ -187,7 +190,7 @@ the default handling. \& SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); .Ve .PP -QUIC also dictates using Application-Layer Protocol Negotiation (ALPN) to select +QUIC also dictates using Application\-Layer Protocol Negotiation (ALPN) to select an application protocol. We use \fBSSL_CTX_set_alpn_select_cb\fR\|(3) for this purpose. We can pass a callback which will be called for each connection to select an ALPN the server considers acceptable. @@ -197,7 +200,7 @@ select an ALPN the server considers acceptable. \& SSL_CTX_set_alpn_select_cb(ctx, select_alpn, NULL); .Ve .PP -In this case, we only accept "http/1.0" and "hq-interop". +In this case, we only accept "http/1.0" and "hq\-interop". .PP .Vb 8 \& /* @@ -307,7 +310,7 @@ block until a connection is established. .PP The helper function wait_for_activity uses \fBselect()\fR to block until the file descriptor belonging to the passed SSL object is readable. As mentioned earlier, -a more real-world application would likely use this time to perform other tasks. +a more real\-world application would likely use this time to perform other tasks. .PP .Vb 3 \& /* Initialize the fd_set structure */ diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-block.7 b/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-block.7 index e69bde78c771..f25b515e61de 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-block.7 
+++ b/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-block.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-TLS-CLIENT-BLOCK 7ossl" -.TH OSSL-GUIDE-TLS-CLIENT-BLOCK 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-TLS-CLIENT-BLOCK 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -73,7 +76,7 @@ We use a blocking socket for the purposes of this example. This means that attempting to read data from a socket that has no data available on it to read will block (and the function will not return), until data becomes available. For example, this can happen if we have sent our request, but we are still -waiting for the server's response. Similarly any attempts to write to a socket +waiting for the server\*(Aqs response. Similarly any attempts to write to a socket that is not able to write at the moment will block until writing is possible. .PP This blocking behaviour simplifies the implementation of a client because you do @@ -116,7 +119,7 @@ client and the server. \& } .Ve .PP -Since we are writing a client we must ensure that we verify the server's +Since we are writing a client we must ensure that we verify the server\*(Aqs certificate. We do this by calling the \fBSSL_CTX_set_verify\fR\|(3) function and pass the \fBSSL_VERIFY_PEER\fR value to it. The final argument to this function is a callback that you can optionally supply to override the default handling 
@@ -183,7 +186,7 @@ function and passing the \fBSSL_CTX\fR we created as an argument. .SS "Creating the socket and BIO" .IX Subsection "Creating the socket and BIO" TLS data is transmitted over an underlying transport layer. Normally a TCP -socket. It is the application's responsibility for ensuring that the socket is +socket. It is the application\*(Aqs responsibility for ensuring that the socket is created and associated with an SSL object (via a BIO). .PP Socket creation for use by a client is typically a 2 step process, i.e. @@ -320,13 +323,13 @@ freed. So, once \fBSSL_set_bio\fR\|(3) has been been called, you should not call .Vb 1 \& SSL_set_bio(ssl, bio, bio); .Ve -.SS "Setting the server's hostname" +.SS "Setting the server\*(Aqs hostname" .IX Subsection "Setting the server's hostname" We have already connected our underlying socket to the server, but the client -still needs to know the server's hostname. It uses this information for 2 key +still needs to know the server\*(Aqs hostname. It uses this information for 2 key purposes and we need to set the hostname for each one. .PP -Firstly, the server's hostname is included in the initial ClientHello message +Firstly, the server\*(Aqs hostname is included in the initial ClientHello message sent by the client. This is known as the Server Name Indication (SNI). This is important because it is common for multiple hostnames to be fronted by a single server that handles requests for all of them. In other words a single server may 
@@ -401,7 +404,7 @@ to concern ourselves with whether the call was successful or not. Anything else indicates that we have failed to connect to the server. .PP A common cause of failures at this stage is due to a problem verifying the -server's certificate. For example if the certificate has expired, or it is not +server\*(Aqs certificate. For example if the certificate has expired, or it is not signed by a CA in our trusted certificate store. We can use the \&\fBSSL_get_verify_result\fR\|(3) function to find out more information about the verification failure. A return value of \fBX509_V_OK\fR indicates that the @@ -470,7 +473,7 @@ server. \& printf("\en"); .Ve .PP -We use the \fBSSL_read_ex\fR\|(3) function to read the response. We don't know +We use the \fBSSL_read_ex\fR\|(3) function to read the response. We don\*(Aqt know exactly how much data we are going to receive back so we enter a loop reading blocks of data from the server and printing each block that we receive to the screen. The loop ends as soon as \fBSSL_read_ex\fR\|(3) returns 0 \- meaning that it 
@@ -603,15 +606,15 @@ See the page \fBossl\-guide\-tls\-introduction\fR\|(7) and check that your trust certificate store is correctly configured .IP "Unrecognised CA" 4 .IX Item "Unrecognised CA" -If the CA used by the server's certificate is not in the trusted certificate +If the CA used by the server\*(Aqs certificate is not in the trusted certificate store for the client then this will cause a verification failure during -connection. Often this can occur if the server is using a self-signed +connection. Often this can occur if the server is using a self\-signed certificate (i.e. a test certificate that has not been signed by a CA at all). .IP "Missing intermediate CAs" 4 .IX Item "Missing intermediate CAs" This is a server misconfiguration where the client has the relevant root CA in its trust store, but the server has not supplied all of the intermediate CA -certificates between that root CA and the server's own certificate. Therefore +certificates between that root CA and the server\*(Aqs own certificate. Therefore a trust chain cannot be established. .IP "Mismatched hostname" 4 .IX Item "Mismatched hostname" @@ -620,10 +623,10 @@ not match the hostname in the certificate then this will cause verification to fail. .IP "Expired certificate" 4 .IX Item "Expired certificate" -The date that the server's certificate is valid to has passed. +The date that the server\*(Aqs certificate is valid to has passed. .PP The "unable to get local issuer certificate" we saw in the example above means -that we have been unable to find the issuer of the server's certificate (or one +that we have been unable to find the issuer of the server\*(Aqs certificate (or one of its intermediate CA certificates) in our trusted certificate store (e.g. because the trusted certificate store is misconfigured, or there are missing intermediate CAs, or the issuer is simply unrecognised). 
diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-non-block.7 b/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-non-block.7 index 93b5453d6af6..af2134941c5b 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-non-block.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-non-block.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-TLS-CLIENT-NON-BLOCK 7ossl" -.TH OSSL-GUIDE-TLS-CLIENT-NON-BLOCK 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-TLS-CLIENT-NON-BLOCK 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -86,7 +89,7 @@ to go and do other tasks whilst the socket is unable to read/write, for example updating a GUI or performing operations on some other socket. .PP With a nonblocking socket attempting to read or write to a socket that is -currently unable to read or write will return immediately with a non-fatal +currently unable to read or write will return immediately with a non\-fatal error. Although OpenSSL does the reading/writing to the socket this nonblocking behaviour is propagated up to the application so that OpenSSL I/O functions such as \fBSSL_read_ex\fR\|(3) or \fBSSL_write_ex\fR\|(3) will not block. 
@@ -109,7 +112,7 @@ Fortunately OpenSSL offers a portable function that will do this for you: \& } .Ve .PP -You do not have to use OpenSSL's function for this. You can of course directly +You do not have to use OpenSSL\*(Aqs function for this. You can of course directly call whatever functions that your Operating System provides for this purpose on your platform. .SS "Performing work while waiting for the socket" @@ -121,7 +124,7 @@ application the opportunity to do something else. Whatever it is that the application has to do, it must also be prepared to come back and retry the operation that it previously attempted periodically to see if it can now complete. Ideally it would only do this in the event that the state of the -underlying socket has actually changed (e.g. become readable where it wasn't +underlying socket has actually changed (e.g. become readable where it wasn\*(Aqt before), but this does not have to be the case. It can retry at any time. .PP Note that it is important that you retry exactly the same operation that you @@ -135,7 +138,7 @@ other work. In fact, for the sake of simplicity, it will do nothing except wait for the state of the socket to change. .PP We call our function \f(CWwait_for_activity()\fR because all it does is wait until -the underlying socket has become readable or writeable when it wasn't before. +the underlying socket has become readable or writeable when it wasn\*(Aqt before. .PP .Vb 4 \& static void wait_for_activity(SSL *ssl, int write) 
@@ -180,14 +183,14 @@ other similar function to do the same thing. \f(CW\*(C`select\*(C'\fR waits for the underlying socket(s) to become readable/writeable before returning. It also supports a "timeout" (as do most other similar functions) so in your own applications you can make use of this to periodically wake up and perform work -while waiting for the socket state to change. But we don't use that timeout +while waiting for the socket state to change. But we don\*(Aqt use that timeout capability in this example for the sake of simplicity. .SS "Handling errors from OpenSSL I/O functions" .IX Subsection "Handling errors from OpenSSL I/O functions" An application that uses a nonblocking socket will need to be prepared to handle errors returned from OpenSSL I/O functions such as \fBSSL_read_ex\fR\|(3) or \&\fBSSL_write_ex\fR\|(3). Errors may be fatal (for example because the underlying -connection has failed), or non-fatal (for example because we are trying to read +connection has failed), or non\-fatal (for example because we are trying to read from the underlying socket but the data has not yet arrived from the peer). .PP \&\fBSSL_read_ex\fR\|(3) and \fBSSL_write_ex\fR\|(3) will return 0 to indicate an error and @@ -195,7 +198,7 @@ from the underlying socket but the data has not yet arrived from the peer). an error. \fBSSL_shutdown\fR\|(3) will return a negative value to incidate an error. .PP In the event of an error an application should call \fBSSL_get_error\fR\|(3) to find -out what type of error has occurred. If the error is non-fatal and can be +out what type of error has occurred. If the error is non\-fatal and can be retried then \fBSSL_get_error\fR\|(3) will return \fBSSL_ERROR_WANT_READ\fR or \&\fBSSL_ERROR_WANT_WRITE\fR depending on whether OpenSSL wanted to read to or write from the socket but was unable to. Note that a call to \fBSSL_read_ex\fR\|(3) or 
@@ -204,8 +207,8 @@ may need to write protocol messages (such as to update cryptographic keys) even if the application is only trying to read data. Similarly calls to \&\fBSSL_write_ex\fR\|(3) or \fBSSL_write\fR\|(3) might generate \fBSSL_ERROR_WANT_READ\fR. .PP -Another type of non-fatal error that may occur is \fBSSL_ERROR_ZERO_RETURN\fR. This -indicates an EOF (End-Of-File) which can occur if you attempt to read data from +Another type of non\-fatal error that may occur is \fBSSL_ERROR_ZERO_RETURN\fR. This +indicates an EOF (End\-Of\-File) which can occur if you attempt to read data from an \fBSSL\fR object but the peer has indicated that it will not send any more data on it. In this case you may still want to write data to the connection but you will not receive any more data. 
@@ -260,21 +263,21 @@ OpenSSL I/O functions: .PP This function takes as arguments the \fBSSL\fR object that represents the connection, as well as the return code from the I/O function that failed. In -the event of a non-fatal failure, it waits until a retry of the I/O operation +the event of a non\-fatal failure, it waits until a retry of the I/O operation might succeed (by using the \f(CWwait_for_activity()\fR function that we developed -in the previous section). It returns 1 in the event of a non-fatal error +in the previous section). It returns 1 in the event of a non\-fatal error (except EOF), 0 in the event of EOF, or \-1 if a fatal error occurred. .SS "Creating the SSL_CTX and SSL objects" .IX Subsection "Creating the SSL_CTX and SSL objects" In order to connect to a server we must create \fBSSL_CTX\fR and \fBSSL\fR objects for this. The steps do this are the same as for a blocking client and are explained -on the \fBossl\-guide\-tls\-client\-block\fR\|(7) page. We won't repeat that information +on the \fBossl\-guide\-tls\-client\-block\fR\|(7) page. We won\*(Aqt repeat that information here. .SS "Performing the handshake" .IX Subsection "Performing the handshake" As in the demo for a blocking TLS client we use the \fBSSL_connect\fR\|(3) function to perform the TLS handshake with the server. Since we are using a nonblocking -socket it is very likely that calls to this function will fail with a non-fatal +socket it is very likely that calls to this function will fail with a non\-fatal error while we are waiting for the server to respond to our handshake messages. In such a case we must retry the same \fBSSL_connect\fR\|(3) call at a later time. In this demo we this in a loop: 
@@ -297,7 +300,7 @@ this stage, so such a response is treated in the same way as a fatal error. .IX Subsection "Sending and receiving data" As with the blocking TLS client demo we use the \fBSSL_write_ex\fR\|(3) function to send data to the server. As with \fBSSL_connect\fR\|(3) above, because we are using -a nonblocking socket, this call could fail with a non-fatal error. In that case +a nonblocking socket, this call could fail with a non\-fatal error. In that case we should retry exactly the same \fBSSL_write_ex\fR\|(3) call again. Note that the parameters must be \fIexactly\fR the same, i.e. the same pointer to the buffer to write with the same length. You must not attempt to send different data on a @@ -373,7 +376,7 @@ The main difference this time is that it is valid for us to receive an EOF response when trying to read data from the server. This will occur when the server closes down the connection after sending all the data in its response. .PP -In this demo we just print out all the data we've received back in the response +In this demo we just print out all the data we\*(Aqve received back in the response from the server. We continue going around the loop until we either encounter a fatal error, or we receive an EOF (indicating a graceful finish). .SS "Shutting down the connection" 
@@ -384,7 +387,7 @@ finished with it. If our application was initiating the shutdown then we would expect to see \&\fBSSL_shutdown\fR\|(3) give a return value of 0, and then we would continue to call it until we received a return value of 1 (meaning we have successfully completed -the shutdown). In this particular example we don't expect \fBSSL_shutdown()\fR to +the shutdown). In this particular example we don\*(Aqt expect \fBSSL_shutdown()\fR to return 0 because we have already received EOF from the server indicating that it has shutdown already. So we just keep calling it until \fBSSL_shutdown()\fR returns 1. Since we are using a nonblocking socket we might expect to have to retry this @@ -414,7 +417,7 @@ must call \fBSSL_get_error\fR\|(3) to work out what to do next. We use our .IX Subsection "Final clean up" As with the blocking TLS client example, once our connection is finished with we must free it. The steps to do this for this example are the same as for the -blocking example, so we won't repeat it here. +blocking example, so we won\*(Aqt repeat it here. .SH "FURTHER READING" .IX Header "FURTHER READING" See \fBossl\-guide\-tls\-client\-block\fR\|(7) to read a tutorial on how to write a diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-tls-introduction.7 b/secure/lib/libcrypto/man/man7/ossl-guide-tls-introduction.7 index 3c3000ea0020..2e8e806b28b2 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-tls-introduction.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-tls-introduction.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-TLS-INTRODUCTION 7ossl" -.TH OSSL-GUIDE-TLS-INTRODUCTION 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-TLS-INTRODUCTION 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -78,7 +81,7 @@ the information exchanged to prevent an attacker from changing it. Finally it provides authentication so that one or both parties can be sure that they are talking to who they think they are talking to and not some imposter. .PP -Sometimes TLS is referred to by its predecessor's name SSL (Secure Sockets +Sometimes TLS is referred to by its predecessor\*(Aqs name SSL (Secure Sockets Layer). OpenSSL dates from a time when the SSL name was still in common use and hence many of the functions and names used by OpenSSL contain the "SSL" abbreviation. Nonetheless OpenSSL contains a fully fledged TLS implementation. @@ -120,7 +123,7 @@ susceptible to security problems. OpenSSL does not support SSLv2 (it was removed in OpenSSL 1.1.0). Support for SSLv3 is available as a compile time option \- but it is not built by default. Support for TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3 are all available by default -in a standard build of OpenSSL. However special run-time configuration is +in a standard build of OpenSSL. However special run\-time configuration is required in order to make TLSv1.0 and TLSv1.1 work successfully. .PP OpenSSL will always try to negotiate the highest protocol version that it has 
@@ -134,7 +137,7 @@ the server that it claims to be and not some imposter. In order to do this the server will send to the client a digital certificate (also commonly referred to as an X.509 certificate). The certificate contains various information about the server including its full DNS hostname. Also within the certificate is the -server's public key. The server operator will have a private key which is +server\*(Aqs public key. The server operator will have a private key which is linked to the public key and must not be published. .PP Along with the certificate the server will also send to the client proof that it @@ -146,13 +149,13 @@ possession of the correct private key. .PP The certificate that the server sends will also be signed by a Certificate Authority. The Certificate Authority (commonly known as a CA) is a third party -organisation that is responsible for verifying the information in the server's +organisation that is responsible for verifying the information in the server\*(Aqs certificate (including its DNS hostname). The CA should only sign the certificate if it has been able to confirm that the server operator does indeed have control of the server associated with its DNS hostname and that the server operator has control of the private key. .PP -In this way, if the client trusts the CA that has signed the server's +In this way, if the client trusts the CA that has signed the server\*(Aqs certificate and it can verify that the server has the right private key then it can trust that the server truly does represent the DNS hostname given in the certificate. The client must also verify that the hostname given in the 
@@ -165,7 +168,7 @@ of CAs that the client trusts as well as the DNS hostname for the server that this client is trying to connect to. .PP Note that it is common for certificates to be built up into a chain. For example -a server's certificate may be signed by a key owned by a an intermediate CA. +a server\*(Aqs certificate may be signed by a key owned by a an intermediate CA. That intermediate CA also has a certificate containing its public key which is in turn signed by a key owned by a root CA. The client may only trust the root CA, but if the server sends both its own certificate and the certificate for the @@ -326,7 +329,7 @@ server always sends its Finished message before the client. The client later responds with its Finished message. At this point the client has completed the handshake because it has both sent and received a Finished message. The server has sent its Finished message but the Finished message from the client may still -be in-flight, so the server is still in the handshake phase. It is even possible +be in\-flight, so the server is still in the handshake phase. It is even possible that the server will fail to complete the handshake (if it considers there is some problem with the messages sent from the client), even though the client may have already progressed to sending application data. In TLSv1.2 this can happen @@ -336,7 +339,7 @@ second. Once the handshake is complete the application data transfer phase begins. Strictly speaking there are some situations where the client can start sending application data even earlier (using the TLSv1.3 "early data" capability) \- but -we're going to skip over that for this basic introduction. +we\*(Aqre going to skip over that for this basic introduction. .PP During application data transfer the client and server can read and write data to the connection freely. The details of this are typically left to some higher 
diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-tls-server-block.7 b/secure/lib/libcrypto/man/man7/ossl-guide-tls-server-block.7 index 37b35edf6209..67da17b074e7 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-tls-server-block.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-tls-server-block.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-TLS-SERVER-BLOCK 7ossl" -.TH OSSL-GUIDE-TLS-SERVER-BLOCK 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-TLS-SERVER-BLOCK 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -66,7 +69,7 @@ ossl\-guide\-tls\-server\-block .SH "SIMPLE BLOCKING TLS SERVER EXAMPLE" .IX Header "SIMPLE BLOCKING TLS SERVER EXAMPLE" This page will present various source code samples demonstrating how to write a -simple, non-concurrent, TLS "echo" server application which accepts one client +simple, non\-concurrent, TLS "echo" server application which accepts one client connection at a time, echoing input from the client back to the same client. Once the current client disconnects, the next client connection is accepted. .PP 
@@ -156,7 +159,7 @@ Next we configure some option flags, see \fBSSL_CTX_set_options\fR\|(3) for deta Servers need a private key and certificate. Though anonymous ciphers (no server certificate) are possible in TLS 1.2, they are rarely applicable, and are not currently defined for TLS 1.3. Additional intermediate issuer CA -certificates are often also required, and both the server (end-entity or EE) +certificates are often also required, and both the server (end\-entity or EE) certificate and the issuer ("chain") certificates are most easily configured in a single "chain file". Below we load such a chain file (the EE certificate must appear first), and then load the corresponding private key, checking that @@ -339,7 +342,7 @@ ownership of the BIO or BIOs involved (our \fBclient_bio\fR) to the SSL handle. \& SSL_set_bio(ssl, client_bio, client_bio); .Ve .PP -And now we're ready to attempt the SSL handshake. With a blocking socket +And now we\*(Aqre ready to attempt the SSL handshake. With a blocking socket OpenSSL will perform all the read and write operations required to complete the handshake (or detect and report a failure) before returning. .PP diff --git a/secure/lib/libcrypto/man/man7/ossl_store-file.7 b/secure/lib/libcrypto/man/man7/ossl_store-file.7 index e552a97f65dc..91802ea12c99 100644 --- a/secure/lib/libcrypto/man/man7/ossl_store-file.7 +++ b/secure/lib/libcrypto/man/man7/ossl_store-file.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,52 +52,55 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_STORE-FILE 7ossl" -.TH OSSL_STORE-FILE 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_STORE-FILE 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH NAME -ossl_store\-file \- The store 'file' scheme loader +ossl_store\-file \- The store \*(Aqfile\*(Aq scheme loader .SH SYNOPSIS .IX Header "SYNOPSIS" #include <openssl/store.h> .SH DESCRIPTION .IX Header "DESCRIPTION" -Support for the 'file' scheme is built into \f(CW\*(C`libcrypto\*(C'\fR. -Since files come in all kinds of formats and content types, the 'file' +Support for the \*(Aqfile\*(Aq scheme is built into \f(CW\*(C`libcrypto\*(C'\fR. +Since files come in all kinds of formats and content types, the \*(Aqfile\*(Aq scheme has its own layer of functionality called "file handlers", which are used to try to decode diverse types of file contents. .PP In case a file is formatted as PEM, each called file handler receives -the PEM name (everything following any '\f(CW\*(C`\-\-\-\-\-BEGIN \*(C'\fR') as well as +the PEM name (everything following any \*(Aq\f(CW\*(C`\-\-\-\-\-BEGIN \*(C'\fR\*(Aq) as well as possible PEM headers, together with the decoded PEM body. Since PEM formatted files can contain more than one object, the file handlers are called upon for each such object. .PP -If the file isn't determined to be formatted as PEM, the content is +If the file isn\*(Aqt determined to be formatted as PEM, the content is loaded in raw form in its entirety and passed to the available file handlers as is, with no PEM name or headers. .PP -Each file handler is expected to handle PEM and non-PEM content as -appropriate. 
Some may refuse non-PEM content for the sake of +Each file handler is expected to handle PEM and non\-PEM content as +appropriate. Some may refuse non\-PEM content for the sake of determinism (for example, there are keys out in the wild that are -represented as an ASN.1 OCTET STRING. In raw form, it's not easily +represented as an ASN.1 OCTET STRING. In raw form, it\*(Aqs not easily possible to distinguish those from any other data coming as an ASN.1 OCTET STRING, so such keys would naturally be accepted as PEM files only). .SH NOTES .IX Header "NOTES" -When needed, the 'file' scheme loader will require a pass phrase by +When needed, the \*(Aqfile\*(Aq scheme loader will require a pass phrase by using the \fBUI_METHOD\fR that was passed via \fBOSSL_STORE_open()\fR. This pass phrase is expected to be UTF\-8 encoded, anything else will give an undefined result. The files made accessible through this loader are expected to be standard compliant with regards to pass phrase encoding. -Files that aren't should be re-generated with a correctly encoded pass +Files that aren\*(Aqt should be re\-generated with a correctly encoded pass phrase. See \fBpassphrase\-encoding\fR\|(7) for more information. .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man7/ossl_store.7 b/secure/lib/libcrypto/man/man7/ossl_store.7 index c93274bb5e7f..f5ea4cb6d18d 100644 --- a/secure/lib/libcrypto/man/man7/ossl_store.7 +++ b/secure/lib/libcrypto/man/man7/ossl_store.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_STORE 7ossl" -.TH OSSL_STORE 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_STORE 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -84,7 +87,7 @@ from which an OpenSSL type can be retrieved. Support for a URI scheme is called a STORE "loader", and can be added dynamically from the calling application or from a loadable engine. .PP -Support for the 'file' scheme is built into \f(CW\*(C`libcrypto\*(C'\fR. +Support for the \*(Aqfile\*(Aq scheme is built into \f(CW\*(C`libcrypto\*(C'\fR. See \fBossl_store\-file\fR\|(7) for more information. .SS "UI_METHOD and pass phrases" .IX Subsection "UI_METHOD and pass phrases" diff --git a/secure/lib/libcrypto/man/man7/passphrase-encoding.7 b/secure/lib/libcrypto/man/man7/passphrase-encoding.7 index 118da77d0c6d..9d8b2066b932 100644 --- a/secure/lib/libcrypto/man/man7/passphrase-encoding.7 +++ b/secure/lib/libcrypto/man/man7/passphrase-encoding.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PASSPHRASE-ENCODING 7ossl" -.TH PASSPHRASE-ENCODING 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PASSPHRASE-ENCODING 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -71,7 +74,7 @@ This manual page attempts to give an overview over how this problem is currently addressed in different parts of the OpenSSL library. .SS "The general case" .IX Subsection "The general case" -The OpenSSL library doesn't treat pass phrases in any special way as a general +The OpenSSL library doesn\*(Aqt treat pass phrases in any special way as a general rule, and trusts the application or user to choose a suitable character set and stick to that throughout the lifetime of affected objects. This means that for an object that was encrypted using a pass phrase encoded in @@ -87,7 +90,7 @@ encoded in big endian (UCS\-2 BE). .PP OpenSSL tries to adapt to this requirements in one of the following manners: .IP 1. 4 -Treats the received pass phrase as UTF\-8 encoded and tries to re-encode it to +Treats the received pass phrase as UTF\-8 encoded and tries to re\-encode it to UTF\-16 (which is the same as UCS\-2 for characters U+0000 to U+D7FF and U+E000 to U+FFFF, but becomes an expansion for any other character), or failing that, proceeds with step 2. 
@@ -105,13 +108,13 @@ characters in the 0x80\-0x9F range). OpenSSL versions older than 1.1.0 do variant 2 only, and that is the reason why OpenSSL still does this, to be able to read files produced with older versions. .PP -It should be noted that this approach isn't entirely fault free. +It should be noted that this approach isn\*(Aqt entirely fault free. .PP A pass phrase encoded in ISO\-8859\-2 could very well have a sequence such as 0xC3 0xAF (which is the two characters "LATIN CAPITAL LETTER A WITH BREVE" and "LATIN CAPITAL LETTER Z WITH DOT ABOVE" in ISO\-8859\-2 encoding), but would be misinterpreted as the perfectly valid UTF\-8 encoded code point U+00EF (LATIN -SMALL LETTER I WITH DIAERESIS) \fIif the pass phrase doesn't contain anything that +SMALL LETTER I WITH DIAERESIS) \fIif the pass phrase doesn\*(Aqt contain anything that would be invalid UTF\-8\fR. A pass phrase that contains this kind of byte sequence will give a different outcome in OpenSSL 1.1.0 and newer than in OpenSSL older than 1.1.0. @@ -129,7 +132,7 @@ than 1.1.0 was misinterpreted as ISO\-8859\-1 sequences. potentially protected with a pass phrase, a PIN or something else. This API stipulates that pass phrases should be UTF\-8 encoded, and that any other pass phrase encoding may give undefined results. -This API relies on the application to ensure UTF\-8 encoding, and doesn't check +This API relies on the application to ensure UTF\-8 encoding, and doesn\*(Aqt check that this is the case, so what it gets, it will also pass to the underlying loader. .SH RECOMMENDATIONS 
@@ -139,19 +142,19 @@ but that it may have been encoded in a different character encoding than the one used by your current input method. For example, the pass phrase may have been used at a time when your default encoding was ISO\-8859\-1 (i.e. "naïve" resulting in the byte sequence 0x6E 0x61 -0xEF 0x76 0x65), and you're now in an environment where your default encoding +0xEF 0x76 0x65), and you\*(Aqre now in an environment where your default encoding is UTF\-8 (i.e. "naïve" resulting in the byte sequence 0x6E 0x61 0xC3 0xAF 0x76 0x65). -Whenever it's mentioned that you should use a certain character encoding, it +Whenever it\*(Aqs mentioned that you should use a certain character encoding, it should be understood that you either change the input method to use the mentioned encoding when you type in your pass phrase, or use some suitable tool to convert your pass phrase from your default encoding to the target encoding. .PP -Also note that the sub-sections below discuss human readable pass phrases. +Also note that the sub\-sections below discuss human readable pass phrases. This is particularly relevant for PKCS#12 objects, where human readable pass phrases are assumed. -For other objects, it's as legitimate to use any byte sequence (such as a -sequence of bytes from \fI/dev/urandom\fR that's been saved away), which makes any +For other objects, it\*(Aqs as legitimate to use any byte sequence (such as a +sequence of bytes from \fI/dev/urandom\fR that\*(Aqs been saved away), which makes any character encoding discussion irrelevant; in such cases, simply use the same byte sequence as it is. .SS "Creating new objects" 
@@ -175,7 +178,7 @@ following: .IP 1. 4 Try the pass phrase that you have as it is in the character encoding of your environment. -It's possible that its byte sequence is exactly right. +It\*(Aqs possible that its byte sequence is exactly right. .IP 2. 4 Convert the pass phrase to UTF\-8 and try with the result. Specifically with PKCS#12, this should open up any object that was created @@ -189,7 +192,7 @@ U+0000 to U+00FF, which other non\-UTF\-8 character sets do not. This also takes care of the case when a UTF\-8 encoded string was used with OpenSSL older than 1.1.0. (for example, \f(CW\*(C`ï\*(C'\fR, which is 0xC3 0xAF when encoded in UTF\-8, would become 0xC3 -0x83 0xC2 0xAF when re-encoded in the naïve manner. +0x83 0xC2 0xAF when re\-encoded in the naïve manner. The conversion to BMPString would then yield 0x00 0xC3 0x00 0xA4 0x00 0x00, the erroneous/non\-compliant encoding used by OpenSSL older than 1.1.0) .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man7/property.7 b/secure/lib/libcrypto/man/man7/property.7 index 5627e529d43b..1b764a2f7e3c 100644 --- a/secure/lib/libcrypto/man/man7/property.7 +++ b/secure/lib/libcrypto/man/man7/property.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROPERTY 7ossl" -.TH PROPERTY 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROPERTY 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -81,13 +84,13 @@ A \fIreserved\fR property name consists of a single C\-style identifier (except for leading underscores not being permitted), which begins with a letter and can be followed by any number of letters, numbers and underscores. -Property names are case-insensitive, but OpenSSL will only use lowercase +Property names are case\-insensitive, but OpenSSL will only use lowercase letters. .PP A \fIuser defined\fR property name is similar, but it \fBmust\fR consist of two or more C\-style identifiers, separated by periods. -The last identifier in the name can be considered the 'true' property -name, which is prefixed by some sort of 'namespace'. +The last identifier in the name can be considered the \*(Aqtrue\*(Aq property +name, which is prefixed by some sort of \*(Aqnamespace\*(Aq. Providers for example could include their name in the prefix and use property names like .PP @@ -112,7 +115,7 @@ Each implementation of an algorithm can define any number of properties. For example, the default provider defines the property \fIprovider=default\fR for all of its algorithms. -Likewise, OpenSSL's FIPS provider defines \fIprovider=fips\fR and the legacy +Likewise, OpenSSL\*(Aqs FIPS provider defines \fIprovider=fips\fR and the legacy provider defines \fIprovider=legacy\fR for all of their algorithms. .SS Queries .IX Subsection "Queries" @@ -142,7 +145,7 @@ following property name should be ignored. \&\fB"..."\fR is a quoted string. The quotes are not included in the body of the string. .IP \(bu 4 -\&\fB'...'\fR is a quoted string. +\&\fB\*(Aq...\*(Aq\fR is a quoted string. The quotes are not included in the body of the string. .SS Lookups .IX Subsection "Lookups" 
@@ -168,7 +171,7 @@ Where both the context and local queries include a clause with the same name, the local clause overrides the context clause. .PP It is possible for a local property query to remove a clause in the context -property query by preceding the property name with a '\-'. +property query by preceding the property name with a \*(Aq\-\*(Aq. For example, a context property query that contains "fips=yes" would normally result in implementations that have "fips=yes". .PP diff --git a/secure/lib/libcrypto/man/man7/provider-asym_cipher.7 b/secure/lib/libcrypto/man/man7/provider-asym_cipher.7 index ff64f79c714f..9d1ab9697683 100644 --- a/secure/lib/libcrypto/man/man7/provider-asym_cipher.7 +++ b/secure/lib/libcrypto/man/man7/provider-asym_cipher.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-ASYM_CIPHER 7ossl" -.TH PROVIDER-ASYM_CIPHER 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-ASYM_CIPHER 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -112,7 +115,7 @@ other related functions). .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP 
@@ -236,11 +239,11 @@ with the given provider side asymmetric cipher context \fIctx\fR to \fIparams\fR Any parameter settings are additional to any that were previously set. Passing NULL for \fIparams\fR should return true. .PP -Parameters currently recognised by built-in asymmetric cipher algorithms are as +Parameters currently recognised by built\-in asymmetric cipher algorithms are as follows. Not all parameters are relevant to, or are understood by all asymmetric cipher algorithms: -.IP """pad-mode"" (\fBOSSL_ASYM_CIPHER_PARAM_PAD_MODE\fR) <UTF8 string> OR <integer>" 4 +.IP """pad\-mode"" (\fBOSSL_ASYM_CIPHER_PARAM_PAD_MODE\fR) <UTF8 string> OR <integer>" 4 .IX Item """pad-mode"" (OSSL_ASYM_CIPHER_PARAM_PAD_MODE) <UTF8 string> OR <integer>" The type of padding to be used. The interpretation of this value will depend on the algorithm in use. @@ -252,10 +255,10 @@ use. .IX Item """digest"" (OSSL_ASYM_CIPHER_PARAM_DIGEST) <UTF8 string>" Gets or sets the name of the digest algorithm used by the algorithm (where applicable). -.IP """digest-props"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS\fR) <UTF8 string>" 4 +.IP """digest\-props"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS\fR) <UTF8 string>" 4 .IX Item """digest-props"" (OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS) <UTF8 string>" Gets or sets the properties to use when fetching the OAEP digest algorithm. -.IP """digest-props"" (\fBOSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS\fR) <UTF8 string>" 4 +.IP """digest\-props"" (\fBOSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS\fR) <UTF8 string>" 4 .IX Item """digest-props"" (OSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS) <UTF8 string>" Gets or sets the properties to use when fetching the cipher digest algorithm. .IP """mgf1\-digest"" (\fBOSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST\fR) <UTF8 string>" 4 
@@ -265,41 +268,41 @@ is in use. .IP """mgf1\-digest\-props"" (\fBOSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS\fR) <UTF8 string>" 4 .IX Item """mgf1-digest-props"" (OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS) <UTF8 string>" Gets or sets the properties to use when fetching the MGF1 digest algorithm. -.IP """oaep-label"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_LABEL\fR) <octet string ptr>" 4 +.IP """oaep\-label"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_LABEL\fR) <octet string ptr>" 4 .IX Item """oaep-label"" (OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL) <octet string ptr>" Gets the OAEP label used when OAEP padding is in use. -.IP """oaep-label"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_LABEL\fR) <octet string>" 4 +.IP """oaep\-label"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_LABEL\fR) <octet string>" 4 .IX Item """oaep-label"" (OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL) <octet string>" Sets the OAEP label used when OAEP padding is in use. -.IP """tls-client-version"" (\fBOSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\fR) <unsigned integer>" 4 +.IP """tls\-client\-version"" (\fBOSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\fR) <unsigned integer>" 4 .IX Item """tls-client-version"" (OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION) <unsigned integer>" The TLS protocol version first requested by the client. -.IP """tls-negotiated-version"" (\fBOSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\fR) <unsigned integer>" 4 +.IP """tls\-negotiated\-version"" (\fBOSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\fR) <unsigned integer>" 4 .IX Item """tls-negotiated-version"" (OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION) <unsigned integer>" The negotiated TLS protocol version. -.IP """implicit-rejection"" (\fBOSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION\fR) <unsigned integer>" 4 +.IP """implicit\-rejection"" (\fBOSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION\fR) <unsigned integer>" 4 .IX Item """implicit-rejection"" (OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION) <unsigned integer>" Gets or sets the use of the implicit rejection mechanism for RSA PKCS#1 v1.5 decryption. 
When set (non zero value), the decryption API will return a deterministically random value if the PKCS#1 v1.5 padding check fails. This makes exploitation of the Bleichenbacher significantly harder, even -if the code using the RSA decryption API is not implemented in side-channel +if the code using the RSA decryption API is not implemented in side\-channel free manner. Set by default in OpenSSL providers. .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling either \fBOSSL_FUNC_asym_cipher_encrypt()\fR or -\&\fBOSSL_FUNC_asym_cipher_decrypt()\fR. It may return 0 if "key-check" is set to 0. -.IP """key-check"" (\fBOSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +\&\fBOSSL_FUNC_asym_cipher_decrypt()\fR. It may return 0 if "key\-check" is set to 0. +.IP """key\-check"" (\fBOSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK) <integer>" If required this parameter should be set using either \&\fBOSSL_FUNC_asym_cipher_encrypt_init()\fR or \fBOSSL_FUNC_asym_cipher_decrypt_init()\fR. The default value of 1 causes an error during the init if the key is not FIPS approved (e.g. The key has a security strength of less than 112 bits). Setting -this to 0 will ignore the error and set the approved "fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +this to 0 will ignore the error and set the approved "fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. 
.PP \&\fBOSSL_FUNC_asym_cipher_gettable_ctx_params()\fR and \fBOSSL_FUNC_asym_cipher_settable_ctx_params()\fR @@ -318,7 +321,7 @@ All other functions should return 1 for success or 0 on error. .SH HISTORY .IX Header "HISTORY" The provider ASYM_CIPHER interface was introduced in OpenSSL 3.0. -The Asymmetric Cipher Parameters "fips-indicator" and "key-check" +The Asymmetric Cipher Parameters "fips\-indicator" and "key\-check" were added in OpenSSL 3.4. .SH COPYRIGHT .IX Header "COPYRIGHT" diff --git a/secure/lib/libcrypto/man/man7/provider-base.7 b/secure/lib/libcrypto/man/man7/provider-base.7 index f62620469128..3e17a03d0443 100644 --- a/secure/lib/libcrypto/man/man7/provider-base.7 +++ b/secure/lib/libcrypto/man/man7/provider-base.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-BASE 7ossl" -.TH PROVIDER-BASE 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-BASE 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -296,9 +299,9 @@ freeing thread local variables. .PP \&\fBcore_get_libctx()\fR retrieves the core context in which the library object for the current provider is stored, accessible through the \fIhandle\fR. -This function is useful only for built-in providers such as the default +This function is useful only for built\-in providers such as the default provider. Never cast this to OSSL_LIB_CTX in a provider that is not -built-in as the OSSL_LIB_CTX of the library loading the provider might be +built\-in as the OSSL_LIB_CTX of the library loading the provider might be a completely different structure than the OSSL_LIB_CTX of the library the provider is linked to. Use \fBOSSL_LIB_CTX_new_child\fR\|(3) instead to obtain a proper library context that is linked to the application library context. @@ -323,7 +326,7 @@ This corresponds to the OpenSSL function \fBERR_set_debug\fR\|(3). .IX Item "core_vset_error()" sets the \fIreason\fR for the error, along with any addition data. The \fIreason\fR is a number defined by the provider and used to index -the reason strings table that's returned by +the reason strings table that\*(Aqs returned by \&\fBprovider_get_reason_strings()\fR. The additional data is given as a format string \fIfmt\fR and a set of arguments \fIargs\fR, which are treated in the same manner as with 
@@ -433,22 +436,22 @@ is passed in \fBbuf\fR and its length in \fBlen\fR. is passed in \fBbuf\fR and its length in \fBlen\fR. .PP \&\fBprovider_register_child_cb()\fR registers callbacks for being informed about the -loading and unloading of providers in the application's library context. -\&\fIhandle\fR is this provider's handle and \fIcbdata\fR is this provider's data +loading and unloading of providers in the application\*(Aqs library context. +\&\fIhandle\fR is this provider\*(Aqs handle and \fIcbdata\fR is this provider\*(Aqs data that will be passed back to the callbacks. It returns 1 on success or 0 otherwise. These callbacks may be called while holding locks in libcrypto. In order to avoid deadlocks the callback implementation must not be long running and must not call other OpenSSL API functions or upcalls. .PP \&\fIcreate_cb\fR is a callback that will be called when a new provider is loaded -into the application's library context. It is also called for any providers that +into the application\*(Aqs library context. It is also called for any providers that are already loaded at the point that this callback is registered. The callback is passed the handle being used for the new provider being loadded and this -provider's data in \fIcbdata\fR. It should return 1 on success or 0 on failure. +provider\*(Aqs data in \fIcbdata\fR. It should return 1 on success or 0 on failure. .PP \&\fIremove_cb\fR is a callback that will be called when a new provider is unloaded -from the application's library context. It is passed the handle being used for -the provider being unloaded and this provider's data in \fIcbdata\fR. It should +from the application\*(Aqs library context. It is passed the handle being used for +the provider being unloaded and this provider\*(Aqs data in \fIcbdata\fR. It should return 1 on success or 0 on failure. .PP \&\fIglobal_props_cb\fR is a callback that will be called when the global properties 
@@ -458,7 +461,7 @@ or 0 on failure. \&\fBprovider_deregister_child_cb()\fR unregisters callbacks previously registered via \&\fBprovider_register_child_cb()\fR. If \fBprovider_register_child_cb()\fR has been called then \fBprovider_deregister_child_cb()\fR should be called at or before the point that -this provider's teardown function is called. +this provider\*(Aqs teardown function is called. .PP \&\fBprovider_name()\fR returns a string giving the name of the provider identified by \&\fIhandle\fR. @@ -479,7 +482,7 @@ already loaded. It returns 1 on success or 0 on failure. .SS "Provider functions" .IX Subsection "Provider functions" \&\fBprovider_teardown()\fR is called when a provider is shut down and removed -from the core's provider store. +from the core\*(Aqs provider store. It must free the passed \fIprovctx\fR. .PP \&\fBprovider_gettable_params()\fR should return a constant array of @@ -531,12 +534,12 @@ This points to a string that should give a unique name for the provider. .IP """version"" (\fBOSSL_PROV_PARAM_VERSION\fR) <UTF8 ptr>" 4 .IX Item """version"" (OSSL_PROV_PARAM_VERSION) <UTF8 ptr>" This points to a string that is a version number associated with this provider. -OpenSSL in-built providers use OPENSSL_VERSION_STR, but this may be different +OpenSSL in\-built providers use OPENSSL_VERSION_STR, but this may be different for any third party provider. This string is for informational purposes only. .IP """buildinfo"" (\fBOSSL_PROV_PARAM_BUILDINFO\fR) <UTF8 ptr>" 4 .IX Item """buildinfo"" (OSSL_PROV_PARAM_BUILDINFO) <UTF8 ptr>" This points to a string that is a build information associated with this provider. -OpenSSL in-built providers use OPENSSL_FULL_VERSION_STR, but this may be +OpenSSL in\-built providers use OPENSSL_FULL_VERSION_STR, but this may be different for any third party provider. .IP """status"" (\fBOSSL_PROV_PARAM_STATUS\fR) <unsigned integer>" 4 .IX Item """status"" (OSSL_PROV_PARAM_STATUS) <unsigned integer>" 
@@ -547,14 +550,14 @@ This returns 0 if the provider has entered an error state, otherwise it returns .SS "Core parameters" .IX Subsection "Core parameters" \&\fBcore_get_params()\fR can retrieve the following core parameters for each provider: -.IP """openssl-version"" (\fBOSSL_PROV_PARAM_CORE_VERSION\fR) <UTF8 string ptr>" 4 +.IP """openssl\-version"" (\fBOSSL_PROV_PARAM_CORE_VERSION\fR) <UTF8 string ptr>" 4 .IX Item """openssl-version"" (OSSL_PROV_PARAM_CORE_VERSION) <UTF8 string ptr>" -This points to the OpenSSL libraries' full version string, i.e. the string +This points to the OpenSSL libraries\*(Aq full version string, i.e. the string expanded from the macro \fBOPENSSL_VERSION_STR\fR. -.IP """provider-name"" (\fBOSSL_PROV_PARAM_CORE_PROV_NAME\fR) <UTF8 string ptr>" 4 +.IP """provider\-name"" (\fBOSSL_PROV_PARAM_CORE_PROV_NAME\fR) <UTF8 string ptr>" 4 .IX Item """provider-name"" (OSSL_PROV_PARAM_CORE_PROV_NAME) <UTF8 string ptr>" -This points to the OpenSSL libraries' idea of what the calling provider is named. -.IP """module-filename"" (\fBOSSL_PROV_PARAM_CORE_MODULE_FILENAME\fR) <UTF8 string ptr>" 4 +This points to the OpenSSL libraries\*(Aq idea of what the calling provider is named. +.IP """module\-filename"" (\fBOSSL_PROV_PARAM_CORE_MODULE_FILENAME\fR) <UTF8 string ptr>" 4 .IX Item """module-filename"" (OSSL_PROV_PARAM_CORE_MODULE_FILENAME) <UTF8 string ptr>" This points to a string containing the full filename of the providers module file. @@ -564,7 +567,7 @@ config file are available, in dotted name form. The dotted name form is a concatenation of section names and final config command name separated by periods. .PP -For example, let's say we have the following config example: +For example, let\*(Aqs say we have the following config example: .PP .Vb 2 \& config_diagnostics = 1 
@@ -607,10 +610,10 @@ For more information on handling parameters, see \fBOSSL_PARAM\fR\|(3) as Capabilities describe some of the services that a provider can offer. Applications can query the capabilities to discover those services. .PP -\fI"TLS-GROUP" Capability\fR +\fI"TLS\-GROUP" Capability\fR .IX Subsection """TLS-GROUP"" Capability" .PP -The "TLS-GROUP" capability can be queried by libssl to discover the list of +The "TLS\-GROUP" capability can be queried by libssl to discover the list of TLS groups that a provider can support. Each group supported can be used for \&\fIkey exchange\fR (KEX) or \fIkey encapsulation method\fR (KEM) during a TLS handshake. 
@@ -623,15 +626,15 @@ Each TLS group that a provider supports should be described via the callback passed in through the provider_get_capabilities function. Each group should have the following details supplied (all are mandatory, except \&\fBOSSL_CAPABILITY_TLS_GROUP_IS_KEM\fR): -.IP """tls-group-name"" (\fBOSSL_CAPABILITY_TLS_GROUP_NAME\fR) <UTF8 string>" 4 +.IP """tls\-group\-name"" (\fBOSSL_CAPABILITY_TLS_GROUP_NAME\fR) <UTF8 string>" 4 .IX Item """tls-group-name"" (OSSL_CAPABILITY_TLS_GROUP_NAME) <UTF8 string>" The name of the group as given in the IANA TLS Supported Groups registry <https://www.iana.org/assignments/tls\-parameters/tls\-parameters.xhtml#tls\-parameters\-8>. -.IP """tls-group-name-internal"" (\fBOSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL\fR) <UTF8 string>" 4 +.IP """tls\-group\-name\-internal"" (\fBOSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL\fR) <UTF8 string>" 4 .IX Item """tls-group-name-internal"" (OSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL) <UTF8 string>" The name of the group as known by the provider. This could be the same as the -"tls-group-name", but does not have to be. -.IP """tls-group-id"" (\fBOSSL_CAPABILITY_TLS_GROUP_ID\fR) <unsigned integer>" 4 +"tls\-group\-name", but does not have to be. +.IP """tls\-group\-id"" (\fBOSSL_CAPABILITY_TLS_GROUP_ID\fR) <unsigned integer>" 4 .IX Item """tls-group-id"" (OSSL_CAPABILITY_TLS_GROUP_ID) <unsigned integer>" The TLS group id value as given in the IANA TLS Supported Groups registry. .Sp 
@@ -639,7 +642,7 @@ It is possible to register the same group id from within different providers. Users should note that if no property query is specified, or more than one implementation matches the property query then it is unspecified which implementation for a particular group id will be used. -.IP """tls-group-alg"" (\fBOSSL_CAPABILITY_TLS_GROUP_ALG\fR) <UTF8 string>" 4 +.IP """tls\-group\-alg"" (\fBOSSL_CAPABILITY_TLS_GROUP_ALG\fR) <UTF8 string>" 4 .IX Item """tls-group-alg"" (OSSL_CAPABILITY_TLS_GROUP_ALG) <UTF8 string>" The name of a Key Management algorithm that the provider offers and that should be used with this group. Keys created should be able to support \fIkey exchange\fR 
@@ -647,14 +650,14 @@ or \fIkey encapsulation method\fR (KEM), as implied by the optional \&\fBOSSL_CAPABILITY_TLS_GROUP_IS_KEM\fR flag. The algorithm must support key and parameter generation as well as the key/parameter generation parameter, \fBOSSL_PKEY_PARAM_GROUP_NAME\fR. The group -name given via "tls-group-name-internal" above will be passed via +name given via "tls\-group\-name\-internal" above will be passed via \&\fBOSSL_PKEY_PARAM_GROUP_NAME\fR when libssl wishes to generate keys/parameters. -.IP """tls-group-sec-bits"" (\fBOSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS\fR) <unsigned integer>" 4 +.IP """tls\-group\-sec\-bits"" (\fBOSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS\fR) <unsigned integer>" 4 .IX Item """tls-group-sec-bits"" (OSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS) <unsigned integer>" The number of bits of security offered by keys in this group. The number of bits should be comparable with the ones given in table 2 and 3 of the NIST SP800\-57 document. -.IP """tls-group-is-kem"" (\fBOSSL_CAPABILITY_TLS_GROUP_IS_KEM\fR) <unsigned integer>" 4 +.IP """tls\-group\-is\-kem"" (\fBOSSL_CAPABILITY_TLS_GROUP_IS_KEM\fR) <unsigned integer>" 4 .IX Item """tls-group-is-kem"" (OSSL_CAPABILITY_TLS_GROUP_IS_KEM) <unsigned integer>" Boolean flag to describe if the group should be used in \fIkey exchange\fR (KEX) mode (0, default) or in \fIkey encapsulation method\fR (KEM) mode (1). 
@@ -662,42 +665,42 @@ mode (0, default) or in \fIkey encapsulation method\fR (KEM) mode (1). This parameter is optional: if not specified, KEX mode is assumed as the default mode for the group. .Sp -In KEX mode, in a typical Diffie-Hellman fashion, both sides execute \fIkeygen\fR +In KEX mode, in a typical Diffie\-Hellman fashion, both sides execute \fIkeygen\fR then \fIderive\fR against the peer public key. To operate in KEX mode, the group implementation must support the provider functions as described in \&\fBprovider\-keyexch\fR\|(7). .Sp In KEM mode, the client executes \fIkeygen\fR and sends its public key, the server -executes \fIencapsulate\fR using the client's public key and sends back the +executes \fIencapsulate\fR using the client\*(Aqs public key and sends back the resulting \fIciphertext\fR, finally the client executes \fIdecapsulate\fR to retrieve -the same \fIshared secret\fR generated by the server's \fIencapsulate\fR. To operate +the same \fIshared secret\fR generated by the server\*(Aqs \fIencapsulate\fR. To operate in KEM mode, the group implementation must support the provider functions as described in \fBprovider\-kem\fR\|(7). .Sp Both in KEX and KEM mode, the resulting \fIshared secret\fR is then used according to the protocol specification. 
-.IP """tls-min-tls"" (\fBOSSL_CAPABILITY_TLS_GROUP_MIN_TLS\fR) <integer>" 4 +.IP """tls\-min\-tls"" (\fBOSSL_CAPABILITY_TLS_GROUP_MIN_TLS\fR) <integer>" 4 .IX Item """tls-min-tls"" (OSSL_CAPABILITY_TLS_GROUP_MIN_TLS) <integer>" .PD 0 -.IP """tls-max-tls"" (\fBOSSL_CAPABILITY_TLS_GROUP_MAX_TLS\fR) <integer>" 4 +.IP """tls\-max\-tls"" (\fBOSSL_CAPABILITY_TLS_GROUP_MAX_TLS\fR) <integer>" 4 .IX Item """tls-max-tls"" (OSSL_CAPABILITY_TLS_GROUP_MAX_TLS) <integer>" -.IP """tls-min-dtls"" (\fBOSSL_CAPABILITY_TLS_GROUP_MIN_DTLS\fR) <integer>" 4 +.IP """tls\-min\-dtls"" (\fBOSSL_CAPABILITY_TLS_GROUP_MIN_DTLS\fR) <integer>" 4 .IX Item """tls-min-dtls"" (OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS) <integer>" -.IP """tls-max-dtls"" (\fBOSSL_CAPABILITY_TLS_GROUP_MAX_DTLS\fR) <integer>" 4 +.IP """tls\-max\-dtls"" (\fBOSSL_CAPABILITY_TLS_GROUP_MAX_DTLS\fR) <integer>" 4 .IX Item """tls-max-dtls"" (OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS) <integer>" .PD These parameters can be used to describe the minimum and maximum TLS and DTLS -versions supported by the group. The values equate to the on-the-wire encoding +versions supported by the group. The values equate to the on\-the\-wire encoding of the various TLS versions. For example TLSv1.3 is 0x0304 (772 decimal), and TLSv1.2 is 0x0303 (771 decimal). A 0 indicates that there is no defined minimum or maximum. A \-1 indicates that the group should not be used in that protocol. .PP -\fI"TLS-SIGALG" Capability\fR +\fI"TLS\-SIGALG" Capability\fR .IX Subsection """TLS-SIGALG"" Capability" .PP -The "TLS-SIGALG" capability can be queried by libssl to discover the list of +The "TLS\-SIGALG" capability can be queried by libssl to discover the list of TLS signature algorithms that a provider can support. Each signature supported -can be used for client\- or server-authentication in addition to the built-in +can be used for client\- or server\-authentication in addition to the built\-in signature algorithms. 
TLS1.3 clients can advertise the list of TLS signature algorithms they support in the signature_algorithms extension, and TLS servers can select an algorithm @@ -708,13 +711,13 @@ additional ones. Each TLS signature algorithm that a provider supports should be described via the callback passed in through the provider_get_capabilities function. Each algorithm can have the following details supplied: -.IP """iana-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_IANA_NAME\fR) <UTF8 string>" 4 +.IP """iana\-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_IANA_NAME\fR) <UTF8 string>" 4 .IX Item """iana-name"" (OSSL_CAPABILITY_TLS_SIGALG_IANA_NAME) <UTF8 string>" The name of the signature algorithm as given in the IANA TLS Signature Scheme registry as "Description": <https://www.iana.org/assignments/tls\-parameters/tls\-parameters.xhtml#tls\-signaturescheme>. This value must be supplied. -.IP """iana-code-point"" (\fBOSSL_CAPABILITY_TLS_SIGALG_CODE_POINT\fR) <unsigned integer>" 4 +.IP """iana\-code\-point"" (\fBOSSL_CAPABILITY_TLS_SIGALG_CODE_POINT\fR) <unsigned integer>" 4 .IX Item """iana-code-point"" (OSSL_CAPABILITY_TLS_SIGALG_CODE_POINT) <unsigned integer>" The TLS algorithm ID value as given in the IANA TLS SignatureScheme registry. This value must be supplied. 
@@ -723,66 +726,66 @@ It is possible to register the same code point from within different providers. Users should note that if no property query is specified, or more than one implementation matches the property query then it is unspecified which implementation for a particular code point will be used. -.IP """sigalg-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_NAME\fR) <UTF8 string>" 4 +.IP """sigalg\-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_NAME\fR) <UTF8 string>" 4 .IX Item """sigalg-name"" (OSSL_CAPABILITY_TLS_SIGALG_NAME) <UTF8 string>" -A name for the full (possibly composite hash-and-signature) signature +A name for the full (possibly composite hash\-and\-signature) signature algorithm. The provider may, but is not obligated to, provide a signature implementation -with this name; if it doesn't, this is assumed to be a composite of a pure +with this name; if it doesn\*(Aqt, this is assumed to be a composite of a pure signature algorithm and a hash algorithm, which must be given with the -parameters "sig-name" and "hash-name". +parameters "sig\-name" and "hash\-name". This value must be supplied. -.IP """sigalg-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_OID\fR) <UTF8 string>" 4 +.IP """sigalg\-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_OID\fR) <UTF8 string>" 4 .IX Item """sigalg-oid"" (OSSL_CAPABILITY_TLS_SIGALG_OID) <UTF8 string>" -The OID of the "sigalg-name" algorithm in canonical numeric text form. If +The OID of the "sigalg\-name" algorithm in canonical numeric text form. If this parameter is given, \fBOBJ_create()\fR will be used to create an OBJ and -a NID for this OID, using the "sigalg-name" parameter for its (short) name. -Otherwise, it's assumed to already exist in the object database, possibly +a NID for this OID, using the "sigalg\-name" parameter for its (short) name. +Otherwise, it\*(Aqs assumed to already exist in the object database, possibly done by the provider with the \fBcore_obj_create()\fR upcall. This value is optional. 
-.IP """sig-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_SIG_NAME\fR) <UTF8 string>" 4 +.IP """sig\-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_SIG_NAME\fR) <UTF8 string>" 4 .IX Item """sig-name"" (OSSL_CAPABILITY_TLS_SIGALG_SIG_NAME) <UTF8 string>" The name of the pure signature algorithm that is part of a composite -"sigalg-name". If "sigalg-name" is implemented by the provider, this +"sigalg\-name". If "sigalg\-name" is implemented by the provider, this parameter is redundant and must not be given. This value is optional. -.IP """sig-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_SIG_OID\fR) <UTF8 string>" 4 +.IP """sig\-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_SIG_OID\fR) <UTF8 string>" 4 .IX Item """sig-oid"" (OSSL_CAPABILITY_TLS_SIGALG_SIG_OID) <UTF8 string>" -The OID of the "sig-name" algorithm in canonical numeric text form. If +The OID of the "sig\-name" algorithm in canonical numeric text form. If this parameter is given, \fBOBJ_create()\fR will be used to create an OBJ and -a NID for this OID, using the "sig-name" parameter for its (short) name. +a NID for this OID, using the "sig\-name" parameter for its (short) name. Otherwise, it is assumed to already exist in the object database. This can be done by the provider using the \fBcore_obj_create()\fR upcall. This value is optional. -.IP """hash-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_HASH_NAME\fR) <UTF8 string>" 4 +.IP """hash\-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_HASH_NAME\fR) <UTF8 string>" 4 .IX Item """hash-name"" (OSSL_CAPABILITY_TLS_SIGALG_HASH_NAME) <UTF8 string>" -The name of the hash algorithm that is part of a composite "sigalg-name". -If "sigalg-name" is implemented by the provider, this parameter is redundant +The name of the hash algorithm that is part of a composite "sigalg\-name". +If "sigalg\-name" is implemented by the provider, this parameter is redundant and must not be given. This value is optional. 
-.IP """hash-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_HASH_OID\fR) <UTF8 string>" 4 +.IP """hash\-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_HASH_OID\fR) <UTF8 string>" 4 .IX Item """hash-oid"" (OSSL_CAPABILITY_TLS_SIGALG_HASH_OID) <UTF8 string>" -The OID of the "hash-name" algorithm in canonical numeric text form. If +The OID of the "hash\-name" algorithm in canonical numeric text form. If this parameter is given, \fBOBJ_create()\fR will be used to create an OBJ and -a NID for this OID, using the "hash-name" parameter for its (short) name. -Otherwise, it's assumed to already exist in the object database, possibly +a NID for this OID, using the "hash\-name" parameter for its (short) name. +Otherwise, it\*(Aqs assumed to already exist in the object database, possibly done by the provider with the \fBcore_obj_create()\fR upcall. This value is optional. -.IP """key-type"" (\fBOSSL_CAPABILITY_TLS_SIGALG_KEYTYPE\fR) <UTF8 string>" 4 +.IP """key\-type"" (\fBOSSL_CAPABILITY_TLS_SIGALG_KEYTYPE\fR) <UTF8 string>" 4 .IX Item """key-type"" (OSSL_CAPABILITY_TLS_SIGALG_KEYTYPE) <UTF8 string>" The key type of the public key of applicable certificates. If this parameter -isn't present, it's assumed to be the same as "sig-name" if that's present, -otherwise "sigalg-name". +isn\*(Aqt present, it\*(Aqs assumed to be the same as "sig\-name" if that\*(Aqs present, +otherwise "sigalg\-name". This value is optional. -.IP """key-type-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_KEYTYPE_OID\fR) <UTF8 string>" 4 +.IP """key\-type\-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_KEYTYPE_OID\fR) <UTF8 string>" 4 .IX Item """key-type-oid"" (OSSL_CAPABILITY_TLS_SIGALG_KEYTYPE_OID) <UTF8 string>" -The OID of the "key-type" in canonical numeric text form. If +The OID of the "key\-type" in canonical numeric text form. If this parameter is given, \fBOBJ_create()\fR will be used to create an OBJ and -a NID for this OID, using the "key-type" parameter for its (short) name. 
-Otherwise, it's assumed to already exist in the object database, possibly +a NID for this OID, using the "key\-type" parameter for its (short) name. +Otherwise, it\*(Aqs assumed to already exist in the object database, possibly done by the provider with the \fBcore_obj_create()\fR upcall. This value is optional. -.IP """sec-bits"" (\fBOSSL_CAPABILITY_TLS_SIGALG_SECURITY_BITS\fR) <unsigned integer>" 4 +.IP """sec\-bits"" (\fBOSSL_CAPABILITY_TLS_SIGALG_SECURITY_BITS\fR) <unsigned integer>" 4 .IX Item """sec-bits"" (OSSL_CAPABILITY_TLS_SIGALG_SECURITY_BITS) <unsigned integer>" The number of bits of security offered by keys of this algorithm. The number of bits should be comparable with the ones given in table 2 and 3 of the NIST 
@@ -792,24 +795,24 @@ defines the security strength. If the signature algorithm implements its own digest internally, this value needs to be set to properly reflect the overall security strength. This value must be supplied. -.IP """tls-min-tls"" (\fBOSSL_CAPABILITY_TLS_SIGALG_MIN_TLS\fR) <integer>" 4 +.IP """tls\-min\-tls"" (\fBOSSL_CAPABILITY_TLS_SIGALG_MIN_TLS\fR) <integer>" 4 .IX Item """tls-min-tls"" (OSSL_CAPABILITY_TLS_SIGALG_MIN_TLS) <integer>" .PD 0 -.IP """tls-max-tls"" (\fBOSSL_CAPABILITY_TLS_SIGALG_MAX_TLS\fR) <integer>" 4 +.IP """tls\-max\-tls"" (\fBOSSL_CAPABILITY_TLS_SIGALG_MAX_TLS\fR) <integer>" 4 .IX Item """tls-max-tls"" (OSSL_CAPABILITY_TLS_SIGALG_MAX_TLS) <integer>" -.IP """tls-min-dtls"" (\fBOSSL_CAPABILITY_TLS_SIGALG_MIN_DTLS\fR) <integer>" 4 +.IP """tls\-min\-dtls"" (\fBOSSL_CAPABILITY_TLS_SIGALG_MIN_DTLS\fR) <integer>" 4 .IX Item """tls-min-dtls"" (OSSL_CAPABILITY_TLS_SIGALG_MIN_DTLS) <integer>" -.IP """tls-max-dtls"" (\fBOSSL_CAPABILITY_TLS_SIGALG_MAX_DTLS\fR) <integer>" 4 +.IP """tls\-max\-dtls"" (\fBOSSL_CAPABILITY_TLS_SIGALG_MAX_DTLS\fR) <integer>" 4 .IX Item """tls-max-dtls"" (OSSL_CAPABILITY_TLS_SIGALG_MAX_DTLS) <integer>" .PD These parameters can be used to describe the minimum and maximum TLS and DTLS versions supported by the signature algorithm. The values equate to the -on-the-wire encoding of the various TLS versions. For example TLSv1.3 is +on\-the\-wire encoding of the various TLS versions. For example TLSv1.3 is 0x0304 (772 decimal), and TLSv1.2 is 0x0303 (771 decimal). A 0 indicates that there is no defined minimum or maximum. A \-1 in either the min or max field indicates that the signature algorithm should not be used in that protocol. Presently, provider signature algorithms are used only with TLS 1.3, if -that's enclosed in the specified range. +that\*(Aqs enclosed in the specified range. .SH NOTES .IX Header "NOTES" The \fBcore_obj_create()\fR and \fBcore_obj_add_sigid()\fR functions were not thread safe 
diff --git a/secure/lib/libcrypto/man/man7/provider-cipher.7 b/secure/lib/libcrypto/man/man7/provider-cipher.7 index 8e5253ee389e..4213116459fe 100644 --- a/secure/lib/libcrypto/man/man7/provider-cipher.7 +++ b/secure/lib/libcrypto/man/man7/provider-cipher.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-CIPHER 7ossl" -.TH PROVIDER-CIPHER 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-CIPHER 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -144,7 +147,7 @@ equivalents and other related functions). .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP 
@@ -228,7 +231,7 @@ except that it initialises the context for a decryption operation. \&\fBOSSL_FUNC_cipher_encrypt_skey_init()\fR and \&\fBOSSL_FUNC_cipher_decrypt_skey_init()\fR are variants of \&\fBOSSL_FUNC_cipher_encrypt_init()\fR and \fBOSSL_FUNC_cipher_decrypt_init()\fR for working with -opaque objects containing provider-specific key handles instead of raw bytes. +opaque objects containing provider\-specific key handles instead of raw bytes. .PP \&\fBOSSL_FUNC_cipher_update()\fR is called to supply data to be encrypted/decrypted as part of a previously initialised cipher operation. @@ -244,7 +247,7 @@ that are not multiples of the block length. In such cases a cipher implementation will typically cache partial blocks of input data until a complete block is obtained. The pointers \fIout\fR and \fIin\fR may point to the same location, in which -case the encryption must be done in-place. If \fIout\fR and \fIin\fR point to different +case the encryption must be done in\-place. If \fIout\fR and \fIin\fR point to different locations, the requirements of \fBEVP_EncryptUpdate\fR\|(3) and \fBEVP_DecryptUpdate\fR\|(3) guarantee that the two buffers are disjoint. Similarly, the requirements of \fBEVP_EncryptUpdate\fR\|(3) and \fBEVP_DecryptUpdate\fR\|(3) 
@@ -276,11 +279,11 @@ amount of data stored should be put in \fI*outl\fR which should be no more than .PP \&\fBOSSL_FUNC_cipher_pipeline_encrypt_init()\fR, \fBOSSL_FUNC_cipher_pipeline_decrypt_init()\fR \&\fBOSSL_FUNC_cipher_pipeline_update()\fR, and \fBOSSL_FUNC_cipher_pipeline_final()\fR are similar to -the non-pipeline variants, but are used when the application is using cipher pipelining. +the non\-pipeline variants, but are used when the application is using cipher pipelining. The \fInumpipes\fR parameter is the number of pipes in the pipeline. The \fIiv\fR parameter is an array of buffers with IVs, each \fIivlen\fR bytes long. The \fIin\fR and \fIout\fR are arrays of buffer pointers. The \fIinl\fR and \fIoutl\fR, \fIoutsize\fR are arrays of size_t -representing corresponding buffer length as similar to the non-pipeline variants. +representing corresponding buffer length as similar to the non\-pipeline variants. All arrays are of length \fInumpipes\fR. See \fBEVP_CipherPipelineEncryptInit\fR\|(3) for more information. .SS "Cipher Parameters" @@ -310,7 +313,7 @@ with the provider side context \fIcctx\fR in its current state if it is not NULL. Otherwise, they return the parameters associated with the provider side algorithm \fIprovctx\fR. .PP -Parameters currently recognised by built-in ciphers are listed in +Parameters currently recognised by built\-in ciphers are listed in "PARAMETERS" in \fBEVP_EncryptInit\fR\|(3). Not all parameters are relevant to, or are understood by all ciphers. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man7/provider-decoder.7 b/secure/lib/libcrypto/man/man7/provider-decoder.7 index b388f23a52e3..71e04256253a 100644 --- a/secure/lib/libcrypto/man/man7/provider-decoder.7 +++ b/secure/lib/libcrypto/man/man7/provider-decoder.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-DECODER 7ossl" -.TH PROVIDER-DECODER 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-DECODER 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -104,30 +107,30 @@ provider\-decoder \- The OSSL_DECODER library <\-> provider functions not limited to deserialization as individual decoders can also do decoding into intermediate data formats.\fR .PP -The DECODER operation is a generic method to create a provider-native +The DECODER operation is a generic method to create a provider\-native object reference or intermediate decoded data from an encoded form read from the given \fBOSSL_CORE_BIO\fR. If the caller wants to decode data from memory, it should provide a \fBBIO_s_mem\fR\|(3) \fBBIO\fR. The decoded data or object reference is passed along with eventual metadata to the \fImetadata_cb\fR as \fBOSSL_PARAM\fR\|(3) parameters. .PP -The decoder doesn't need to know more about the \fBOSSL_CORE_BIO\fR +The decoder doesn\*(Aqt need to know more about the \fBOSSL_CORE_BIO\fR pointer than being able to pass it to the appropriate BIO upcalls (see "Core functions" in \fBprovider\-base\fR\|(7)). .PP The DECODER implementation may be part of a chain, where data is passed from one to the next. For example, there may be an implementation to decode an object from PEM to DER, and another one -that decodes DER to a provider-native object. +that decodes DER to a provider\-native object. .PP The last decoding step in the decoding chain is usually supposed to create -a provider-native object referenced by an object reference. To import +a provider\-native object referenced by an object reference. To import that object into a different provider the \fBOSSL_FUNC_decoder_export_object()\fR can be called as the final step of the decoding process. 
.PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP @@ -206,9 +209,9 @@ expected to have. .Sp This property is \fIoptional\fR. .Sp -Structures currently recognised by built-in decoders: +Structures currently recognised by built\-in decoders: .RS 4 -.IP """type-specific""" 4 +.IP """type\-specific""" 4 .IX Item """type-specific""" Type specific structure. .IP """pkcs8""" 4 @@ -222,15 +225,15 @@ Encoding of public keys according to the Subject Public Key Info of RFC 5280. .RE .PP The possible values of both these properties is open ended. A provider may -very well specify input types and structures that libcrypto doesn't know +very well specify input types and structures that libcrypto doesn\*(Aqt know anything about. .SS "Subset selections" .IX Subsection "Subset selections" Sometimes, an object has more than one subset of data that is interesting to -treat separately or together. It's possible to specify what subsets are to +treat separately or together. It\*(Aqs possible to specify what subsets are to be decoded, with a set of bits \fIselection\fR that are passed in an \fBint\fR. .PP -This set of bits depend entirely on what kind of provider-side object is +This set of bits depend entirely on what kind of provider\-side object is to be decoded. For example, those bits are assumed to be the same as those used with \fBprovider\-keymgmt\fR\|(7) (see "Key Objects" in \fBprovider\-keymgmt\fR\|(7)) when the object is an asymmetric keypair \- e.g., \fBOSSL_KEYMGMT_SELECT_PRIVATE_KEY\fR 
@@ -259,7 +262,7 @@ See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure used b \&\fBOSSL_FUNC_decoder_set_ctx_params()\fR and \fBOSSL_FUNC_decoder_settable_ctx_params()\fR. .SS "Export function" .IX Subsection "Export function" -When a provider-native object is created by a decoder it would be unsuitable +When a provider\-native object is created by a decoder it would be unsuitable for direct use with a foreign provider. The export function allows for exporting the object into that foreign provider if the foreign provider supports the type of the object and provides an import function. 
@@ -279,21 +282,21 @@ The decoding functions also take an \fBOSSL_PASSPHRASE_CALLBACK\fR\|(3) function pointer along with a pointer to application data \fIcbarg\fR, which should be used when a pass phrase prompt is needed. .PP -It's important to understand that the return value from this function is +It\*(Aqs important to understand that the return value from this function is interpreted as follows: .IP "True (1)" 4 .IX Item "True (1)" This means "carry on the decoding process", and is meaningful even though -this function couldn't decode the input into anything, because there may be +this function couldn\*(Aqt decode the input into anything, because there may be another decoder implementation that can decode it into something. .Sp -The \fIdata_cb\fR callback should never be called when this function can't +The \fIdata_cb\fR callback should never be called when this function can\*(Aqt decode the input into anything. .IP "False (0)" 4 .IX Item "False (0)" This means "stop the decoding process", and is meaningful when the input could be decoded into some sort of object that this function understands, -but further treatment of that object results into errors that won't be +but further treatment of that object results into errors that won\*(Aqt be possible for some other decoder implementation to get a different result. .PP The conditions to stop the decoding process are at the discretion of the 
@@ -301,14 +304,14 @@ implementation. .SS "Decoder operation parameters" .IX Subsection "Decoder operation parameters" There are currently no operation parameters currently recognised by the -built-in decoders. +built\-in decoders. .PP -Parameters currently recognised by the built-in pass phrase callback: +Parameters currently recognised by the built\-in pass phrase callback: .IP """info"" (\fBOSSL_PASSPHRASE_PARAM_INFO\fR) <UTF8 string>" 4 .IX Item """info"" (OSSL_PASSPHRASE_PARAM_INFO) <UTF8 string>" A string of information that will become part of the pass phrase prompt. This could be used to give the user information on what kind -of object it's being prompted for. +of object it\*(Aqs being prompted for. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_FUNC_decoder_newctx()\fR returns a pointer to a context, or NULL on diff --git a/secure/lib/libcrypto/man/man7/provider-digest.7 b/secure/lib/libcrypto/man/man7/provider-digest.7 index 586eda8964fb..89e219df52d0 100644 --- a/secure/lib/libcrypto/man/man7/provider-digest.7 +++ b/secure/lib/libcrypto/man/man7/provider-digest.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-DIGEST 7ossl" -.TH PROVIDER-DIGEST 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-DIGEST 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -114,7 +117,7 @@ them available to applications via the API functions \fBEVP_DigestInit_ex\fR\|(3 .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP @@ -239,7 +242,7 @@ can handle, respectively. The array is based on the current state of the provider side context if \fIdctx\fR is not NULL and on the provider side algorithm \fIprovctx\fR otherwise. .PP -Parameters currently recognised by built-in digests with this function +Parameters currently recognised by built\-in digests with this function are as follows. Not all parameters are relevant to, or are understood by all digests: .IP """blocksize"" (\fBOSSL_DIGEST_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4 @@ -259,7 +262,7 @@ Diverse flags that describe exceptional behaviour for the digest: This digest method can only handle one block of input. .IP \fBEVP_MD_FLAG_XOF\fR 4 .IX Item "EVP_MD_FLAG_XOF" -This digest method is an extensible-output function (XOF). +This digest method is an extensible\-output function (XOF). .IP \fBEVP_MD_FLAG_DIGALGID_NULL\fR 4 .IX Item "EVP_MD_FLAG_DIGALGID_NULL" When setting up a DigestAlgorithmIdentifier, this flag will have the diff --git a/secure/lib/libcrypto/man/man7/provider-encoder.7 b/secure/lib/libcrypto/man/man7/provider-encoder.7 index 436f37f155ef..ceddff4f6845 100644 --- a/secure/lib/libcrypto/man/man7/provider-encoder.7 +++ b/secure/lib/libcrypto/man/man7/provider-encoder.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-ENCODER 7ossl" -.TH PROVIDER-ENCODER 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-ENCODER 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -104,25 +107,25 @@ provider\-encoder \- The OSSL_ENCODER library <\-> provider functions \&\fIWe use the wide term "encode" in this manual. This includes but is not limited to serialization.\fR .PP -The ENCODER operation is a generic method to encode a provider-native +The ENCODER operation is a generic method to encode a provider\-native object (\fIobj_raw\fR) or an object abstraction (\fIobject_abstract\fR, see \&\fBprovider\-object\fR\|(7)) into an encoded form, and write the result to the given OSSL_CORE_BIO. If the caller wants to get the encoded stream to memory, it should provide a \fBBIO_s_mem\fR\|(3) \fBBIO\fR. .PP -The encoder doesn't need to know more about the \fBOSSL_CORE_BIO\fR +The encoder doesn\*(Aqt need to know more about the \fBOSSL_CORE_BIO\fR pointer than being able to pass it to the appropriate BIO upcalls (see "Core functions" in \fBprovider\-base\fR\|(7)). .PP The ENCODER implementation may be part of a chain, where data is passed from one to the next. For example, there may be an implementation to encode an object to DER (that object is assumed to -be provider-native and thereby passed via \fIobj_raw\fR), and another one +be provider\-native and thereby passed via \fIobj_raw\fR), and another one that encodes DER to PEM (that one would receive the DER encoding via \&\fIobj_abstract\fR). .PP The encoding using the \fBOSSL_PARAM\fR\|(3) array form allows a -encoder to be used for data that's been exported from another +encoder to be used for data that\*(Aqs been exported from another provider, and thereby allow them to exist independently of each other. .PP 
@@ -132,7 +135,7 @@ with the KEYMGMT provider. .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP @@ -220,22 +223,22 @@ PKCS#8 structure as part of the encoding. This property is \fIoptional\fR. .PP The possible values of both these properties is open ended. A provider may -very well specify output types and structures that libcrypto doesn't know +very well specify output types and structures that libcrypto doesn\*(Aqt know anything about. .SS "Subset selections" .IX Subsection "Subset selections" Sometimes, an object has more than one subset of data that is interesting to -treat separately or together. It's possible to specify what subsets are to +treat separately or together. It\*(Aqs possible to specify what subsets are to be encoded, with a set of bits \fIselection\fR that are passed in an \fBint\fR. .PP -This set of bits depend entirely on what kind of provider-side object is +This set of bits depend entirely on what kind of provider\-side object is passed. For example, those bits are assumed to be the same as those used with \fBprovider\-keymgmt\fR\|(7) (see "Key Objects" in \fBprovider\-keymgmt\fR\|(7)) when the object is an asymmetric keypair. .PP ENCODER implementations are free to regard the \fIselection\fR as a set of hints, but must do so with care. In the end, the output must make sense, -and if there's a corresponding decoder, the resulting decoded object must +and if there\*(Aqs a corresponding decoder, the resulting decoded object must match the original object that was encoded. .PP \&\fBOSSL_FUNC_encoder_does_selection()\fR should tell if a particular implementation 
@@ -261,22 +264,22 @@ See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure used b \&\fBOSSL_FUNC_encoder_set_ctx_params()\fR and \fBOSSL_FUNC_encoder_settable_ctx_params()\fR. .SS "Import functions" .IX Subsection "Import functions" -A provider-native object may be associated with a foreign provider, and may +A provider\-native object may be associated with a foreign provider, and may therefore be unsuitable for direct use with a given ENCODER implementation. -Provided that the foreign provider's implementation to handle the object has +Provided that the foreign provider\*(Aqs implementation to handle the object has a function to export that object in \fBOSSL_PARAM\fR\|(3) array form, the ENCODER implementation should be able to import that array and create a suitable -object to be passed to \fBOSSL_FUNC_encoder_encode()\fR's \fIobj_raw\fR. +object to be passed to \fBOSSL_FUNC_encoder_encode()\fR\*(Aqs \fIobj_raw\fR. .PP \&\fBOSSL_FUNC_encoder_import_object()\fR should import the subset of \fIparams\fR -given with \fIselection\fR to create a provider-native object that can be +given with \fIselection\fR to create a provider\-native object that can be passed as \fIobj_raw\fR to \fBOSSL_FUNC_encoder_encode()\fR. .PP \&\fBOSSL_FUNC_encoder_free_object()\fR should free the object that was created with \&\fBOSSL_FUNC_encoder_import_object()\fR. .SS "Encoding functions" .IX Subsection "Encoding functions" -\&\fBOSSL_FUNC_encoder_encode()\fR should take a provider-native object (in +\&\fBOSSL_FUNC_encoder_encode()\fR should take a provider\-native object (in \&\fIobj_raw\fR) or an object abstraction (in \fIobj_abstract\fR), and should output the object in encoded form to the \fBOSSL_CORE_BIO\fR. The \fIselection\fR bits, if relevant, should determine in greater detail what will be output. 
@@ -285,7 +288,7 @@ pointer along with a pointer to application data \fIcbarg\fR, which should be used when a pass phrase prompt is needed. .SS "Encoder operation parameters" .IX Subsection "Encoder operation parameters" -Operation parameters currently recognised by built-in encoders are as +Operation parameters currently recognised by built\-in encoders are as follows: .IP """cipher"" (\fBOSSL_ENCODER_PARAM_CIPHER\fR) <UTF8 string>" 4 .IX Item """cipher"" (OSSL_ENCODER_PARAM_CIPHER) <UTF8 string>" @@ -304,21 +307,21 @@ with the "cipher" parameter. This must be given together with the "cipher" parameter to be considered valid. .Sp -The encoding implementation isn't obligated to use this value. +The encoding implementation isn\*(Aqt obligated to use this value. However, it is recommended that implementations that do not handle property strings return an error on receiving this parameter unless its value NULL or the empty string. -.IP """save-parameters"" (\fBOSSL_ENCODER_PARAM_SAVE_PARAMETERS\fR) <integer>" 4 +.IP """save\-parameters"" (\fBOSSL_ENCODER_PARAM_SAVE_PARAMETERS\fR) <integer>" 4 .IX Item """save-parameters"" (OSSL_ENCODER_PARAM_SAVE_PARAMETERS) <integer>" If set to 0 disables saving of key domain parameters. Default is 1. It currently has an effect only on DSA keys. .PP -Parameters currently recognised by the built-in pass phrase callback: +Parameters currently recognised by the built\-in pass phrase callback: .IP """info"" (\fBOSSL_PASSPHRASE_PARAM_INFO\fR) <UTF8 string>" 4 .IX Item """info"" (OSSL_PASSPHRASE_PARAM_INFO) <UTF8 string>" A string of information that will become part of the pass phrase prompt. This could be used to give the user information on what kind -of object it's being prompted for. +of object it\*(Aqs being prompted for. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_FUNC_encoder_newctx()\fR returns a pointer to a context, or NULL on 
diff --git a/secure/lib/libcrypto/man/man7/provider-kdf.7 b/secure/lib/libcrypto/man/man7/provider-kdf.7 index b541d2fd392b..7ed18e01ff47 100644 --- a/secure/lib/libcrypto/man/man7/provider-kdf.7 +++ b/secure/lib/libcrypto/man/man7/provider-kdf.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-KDF 7ossl" -.TH PROVIDER-KDF 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-KDF 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -105,7 +108,7 @@ and \fBEVP_KDF_derive\fR\|(3). .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP @@ -201,7 +204,7 @@ with the provider side context \fIkctx\fR in its current state if it is not NULL. Otherwise, they return the parameters associated with the provider side algorithm \fIprovctx\fR. .PP -Parameters currently recognised by built-in KDFs are as follows. Not all +Parameters currently recognised by built\-in KDFs are as follows. Not all parameters are relevant to, or are understood by all KDFs: .IP """size"" (\fBOSSL_KDF_PARAM_SIZE\fR) <unsigned integer>" 4 .IX Item """size"" (OSSL_KDF_PARAM_SIZE) <unsigned integer>" 
@@ -228,7 +231,7 @@ Sets the password in the associated KDF ctx. .IX Item """mac"" (OSSL_KDF_PARAM_MAC) <UTF8 string>" .PD Sets the name of the underlying cipher, digest or MAC to be used. -It must name a suitable algorithm for the KDF that's being used. +It must name a suitable algorithm for the KDF that\*(Aqs being used. .IP """maclen"" (\fBOSSL_KDF_PARAM_MAC_SIZE\fR) <octet string>" 4 .IX Item """maclen"" (OSSL_KDF_PARAM_MAC_SIZE) <octet string>" Sets the length of the MAC in the associated KDF ctx. @@ -257,12 +260,12 @@ The checks performed are: .IX Item "- the salt length is at least 128 bits." .IP "\- the derived key length is at least 112 bits." 4 .IX Item "- the derived key length is at least 112 bits." +.PD .RE .RS 4 .RE .IP """ukm"" (\fBOSSL_KDF_PARAM_UKM\fR) <octet string>" 4 .IX Item """ukm"" (OSSL_KDF_PARAM_UKM) <octet string>" -.PD Sets an optional random string that is provided by the sender called "partyAInfo". In CMS this is the user keying material. .IP """cekalg"" (\fBOSSL_KDF_PARAM_CEK_ALG\fR) <UTF8 string>" 4 
@@ -312,27 +315,27 @@ There are six supported types: .IP EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 4 .IX Item "EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV" The Initial IV from client to server. -A single char of value 65 (ASCII char 'A'). +A single char of value 65 (ASCII char \*(AqA\*(Aq). .IP EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 4 .IX Item "EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI" The Initial IV from server to client -A single char of value 66 (ASCII char 'B'). +A single char of value 66 (ASCII char \*(AqB\*(Aq). .IP EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 4 .IX Item "EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV" The Encryption Key from client to server -A single char of value 67 (ASCII char 'C'). +A single char of value 67 (ASCII char \*(AqC\*(Aq). .IP EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI 4 .IX Item "EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI" The Encryption Key from server to client -A single char of value 68 (ASCII char 'D'). +A single char of value 68 (ASCII char \*(AqD\*(Aq). .IP EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV 4 .IX Item "EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV" The Integrity Key from client to server -A single char of value 69 (ASCII char 'E'). +A single char of value 69 (ASCII char \*(AqE\*(Aq). .IP EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI 4 .IX Item "EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI" The Integrity Key from client to server -A single char of value 70 (ASCII char 'F'). +A single char of value 70 (ASCII char \*(AqF\*(Aq). .RE .RS 4 .RE @@ -357,7 +360,7 @@ success or 0 on error. array, or NULL if none is offered. .SH NOTES .IX Header "NOTES" -The KDF life-cycle is described in \fBlife_cycle\-kdf\fR\|(7). Providers should +The KDF life\-cycle is described in \fBlife_cycle\-kdf\fR\|(7). Providers should ensure that the various transitions listed there are supported. At some point the EVP layer will begin enforcing the listed transitions. .SH "SEE ALSO" 
diff --git a/secure/lib/libcrypto/man/man7/provider-kem.7 b/secure/lib/libcrypto/man/man7/provider-kem.7 index 3fd72509341b..3b2cab9c4bae 100644 --- a/secure/lib/libcrypto/man/man7/provider-kem.7 +++ b/secure/lib/libcrypto/man/man7/provider-kem.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-KEM 7ossl" -.TH PROVIDER-KEM 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-KEM 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -114,7 +117,7 @@ via the API functions \fBEVP_PKEY_encapsulate\fR\|(3), .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP 
@@ -244,19 +247,19 @@ the \fBOSSL_FUNC_kem_get_ctx_params()\fR and \fBOSSL_FUNC_kem_set_ctx_params()\f functions. .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_KEM_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KEM_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KEM_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling either \fBOSSL_FUNC_kem_encapsulate()\fR or -\&\fBOSSL_FUNC_kem_decapsulate()\fR. It may return 0 if the "key-check" is set to 0. -.IP """key-check"" (\fBOSSL_KEM_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +\&\fBOSSL_FUNC_kem_decapsulate()\fR. It may return 0 if the "key\-check" is set to 0. +.IP """key\-check"" (\fBOSSL_KEM_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_KEM_PARAM_FIPS_KEY_CHECK) <integer>" If required this parameter should be set using \fBOSSL_FUNC_kem_encapsulate_init()\fR or \fBOSSL_FUNC_kem_decapsulate_init()\fR. The default value of 1 causes an error during the init if the key is not FIPS approved (e.g. The key has a security strength of less than 112 bits). Setting -this to 0 will ignore the error and set the approved "fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +this to 0 will ignore the error and set the approved "fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SS "Asymmetric Key Encapsulation Parameter Functions" .IX Subsection "Asymmetric Key Encapsulation Parameter Functions" 
@@ -270,7 +273,7 @@ with the given provider side asymmetric kem context \fIctx\fR to \fIparams\fR. Any parameter settings are additional to any that were previously set. Passing NULL for \fIparams\fR should return true. .PP -No parameters are currently recognised by built-in asymmetric kem algorithms. +No parameters are currently recognised by built\-in asymmetric kem algorithms. .PP \&\fBOSSL_FUNC_kem_gettable_ctx_params()\fR and \fBOSSL_FUNC_kem_settable_ctx_params()\fR get a constant \fBOSSL_PARAM\fR\|(3) array that describes the gettable and settable @@ -292,7 +295,7 @@ The provider KEM interface was introduced in OpenSSL 3.0. \&\fBOSSL_FUNC_kem_auth_encapsulate_init()\fR and \fBOSSL_FUNC_kem_auth_decapsulate_init()\fR were added in OpenSSL 3.2. .PP -The Asymmetric Key Encapsulation Parameters "fips-indicator" and "key-check" +The Asymmetric Key Encapsulation Parameters "fips\-indicator" and "key\-check" were added in OpenSSL 3.4. .SH COPYRIGHT .IX Header "COPYRIGHT" diff --git a/secure/lib/libcrypto/man/man7/provider-keyexch.7 b/secure/lib/libcrypto/man/man7/provider-keyexch.7 index 665fb75ba0df..c7197c4a08c3 100644 --- a/secure/lib/libcrypto/man/man7/provider-keyexch.7 +++ b/secure/lib/libcrypto/man/man7/provider-keyexch.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-KEYEXCH 7ossl" -.TH PROVIDER-KEYEXCH 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-KEYEXCH 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -106,7 +109,7 @@ other related functions). .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP @@ -174,7 +177,7 @@ The key object should have been previously generated, loaded or imported into the provider using the key management (OSSL_OP_KEYMGMT) operation (see \fBprovider\-keymgmt\fR\|(7)>. .PP -\&\fBOSSL_FUNC_keyexch_set_peer()\fR is called to supply the peer's public key (in the +\&\fBOSSL_FUNC_keyexch_set_peer()\fR is called to supply the peer\*(Aqs public key (in the \&\fIprovkey\fR parameter) to be used when deriving the shared secret. It is also passed a previously initialised key exchange context in the \fIctx\fR parameter. 
@@ -221,31 +224,31 @@ Notice that not all settable parameters are also gettable, and vice versa. See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure used by the \fBOSSL_FUNC_keyexch_set_ctx_params()\fR and \fBOSSL_FUNC_keyexch_get_ctx_params()\fR functions. .PP -Common parameters currently recognised by built-in key exchange algorithms are +Common parameters currently recognised by built\-in key exchange algorithms are as follows. -.IP """kdf-type"" (\fBOSSL_EXCHANGE_PARAM_KDF_TYPE\fR) <UTF8 string>" 4 +.IP """kdf\-type"" (\fBOSSL_EXCHANGE_PARAM_KDF_TYPE\fR) <UTF8 string>" 4 .IX Item """kdf-type"" (OSSL_EXCHANGE_PARAM_KDF_TYPE) <UTF8 string>" Sets or gets the Key Derivation Function type to apply within the associated key exchange ctx. -.IP """kdf-digest"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST\fR) <UTF8 string>" 4 +.IP """kdf\-digest"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST\fR) <UTF8 string>" 4 .IX Item """kdf-digest"" (OSSL_EXCHANGE_PARAM_KDF_DIGEST) <UTF8 string>" Sets or gets the Digest algorithm to be used as part of the Key Derivation Function associated with the given key exchange ctx. -.IP """kdf-digest-props"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS\fR) <UTF8 string>" 4 +.IP """kdf\-digest\-props"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS\fR) <UTF8 string>" 4 .IX Item """kdf-digest-props"" (OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS) <UTF8 string>" Sets properties to be used upon look up of the implementation for the selected Digest algorithm for the Key Derivation Function associated with the given key exchange ctx. -.IP """kdf-outlen"" (\fBOSSL_EXCHANGE_PARAM_KDF_OUTLEN\fR) <unsigned integer>" 4 +.IP """kdf\-outlen"" (\fBOSSL_EXCHANGE_PARAM_KDF_OUTLEN\fR) <unsigned integer>" 4 .IX Item """kdf-outlen"" (OSSL_EXCHANGE_PARAM_KDF_OUTLEN) <unsigned integer>" Sets or gets the desired size for the output of the chosen Key Derivation Function associated with the given key exchange ctx. 
-The length of the "kdf-outlen" parameter should not exceed that of a \fBsize_t\fR. -.IP """kdf-ukm"" (\fBOSSL_EXCHANGE_PARAM_KDF_UKM\fR) <octet string>" 4 +The length of the "kdf\-outlen" parameter should not exceed that of a \fBsize_t\fR. +.IP """kdf\-ukm"" (\fBOSSL_EXCHANGE_PARAM_KDF_UKM\fR) <octet string>" 4 .IX Item """kdf-ukm"" (OSSL_EXCHANGE_PARAM_KDF_UKM) <octet string>" Sets the User Key Material to be used as part of the selected Key Derivation Function associated with the given key exchange ctx. -.IP """kdf-ukm"" (\fBOSSL_EXCHANGE_PARAM_KDF_UKM\fR) <octet string ptr>" 4 +.IP """kdf\-ukm"" (\fBOSSL_EXCHANGE_PARAM_KDF_UKM\fR) <octet string ptr>" 4 .IX Item """kdf-ukm"" (OSSL_EXCHANGE_PARAM_KDF_UKM) <octet string ptr>" Gets a pointer to the User Key Material to be used as part of the selected Key Derivation Function associated with the given key exchange ctx. Providers 
@@ -254,26 +257,26 @@ is to support functionality of the deprecated \fBEVP_PKEY_CTX_get0_ecdh_kdf_ukm( and \fBEVP_PKEY_CTX_get0_dh_kdf_ukm()\fR functions. .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling \fBOSSL_FUNC_keyexch_derive()\fR. It may -return 0 if either the "digest-check" or the "key-check" are set to 0. -.IP """key-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +return 0 if either the "digest\-check" or the "key\-check" are set to 0. +.IP """key\-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK) <integer>" If required this parameter should be set using \fBOSSL_FUNC_keyexch_init()\fR. The default value of 1 causes an error during the init if the key is not FIPS approved (e.g. The key has a security strength of less than 112 bits). Setting -this to 0 will ignore the error and set the approved "fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +this to 0 will ignore the error and set the approved "fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. -.IP """digest-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK) <integer>" If required this parameter should be set before any optional digest is set. The default value of 1 causes an error when the digest is set if the digest is not FIPS approved. 
Setting this to 0 will ignore the error and set the -approved "fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +approved "fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -293,7 +296,7 @@ always return a constant \fBOSSL_PARAM\fR\|(3) array. .IX Header "HISTORY" The provider KEYEXCH interface was introduced in OpenSSL 3.0. .PP -The Key Exchange Parameters "fips-indicator", "key-check" and "digest-check" +The Key Exchange Parameters "fips\-indicator", "key\-check" and "digest\-check" were added in OpenSSL 3.4. .SH COPYRIGHT .IX Header "COPYRIGHT" diff --git a/secure/lib/libcrypto/man/man7/provider-keymgmt.7 b/secure/lib/libcrypto/man/man7/provider-keymgmt.7 index 655da73d2284..c020119545b3 100644 --- a/secure/lib/libcrypto/man/man7/provider-keymgmt.7 +++ b/secure/lib/libcrypto/man/man7/provider-keymgmt.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-KEYMGMT 7ossl" -.TH PROVIDER-KEYMGMT 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-KEYMGMT 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -124,8 +127,8 @@ provider\-keymgmt \- The KEYMGMT library <\-> provider functions .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The KEYMGMT operation doesn't have much public visibility in OpenSSL -libraries, it's rather an internal operation that's designed to work +The KEYMGMT operation doesn\*(Aqt have much public visibility in OpenSSL +libraries, it\*(Aqs rather an internal operation that\*(Aqs designed to work in tandem with operations that use private/public key pairs. .PP Because the KEYMGMT operation shares knowledge with the operations it @@ -137,7 +140,7 @@ provider side key data for the OpenSSL library EVP_PKEY structure. .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP @@ -204,7 +207,7 @@ interface that we document here can be passed as is to other provider operations, such as \fBOP_signature_sign_init()\fR (see \&\fBprovider\-signature\fR\|(7)). .PP -With some of the KEYMGMT functions, it's possible to select a specific +With some of the KEYMGMT functions, it\*(Aqs possible to select a specific subset of data to handle, governed by the bits in a \fIselection\fR indicator. The bits are: .IP \fBOSSL_KEYMGMT_SELECT_PRIVATE_KEY\fR 4 @@ -224,7 +227,7 @@ considered. Indicating that other parameters in a key object should be considered. .Sp -Other parameters are key parameters that don't fit any other +Other parameters are key parameters that don\*(Aqt fit any other classification. In other words, this particular selector bit works as a last resort bit bucket selector. .PP 
@@ -250,7 +253,7 @@ Indicating that everything in a key object should be considered. The exact interpretation of those bits or how they combine is left to each function where you can specify a selector. .PP -It's left to the provider implementation to decide what is reasonable +It\*(Aqs left to the provider implementation to decide what is reasonable to do with regards to received selector bits and how to do it. Among others, an implementation of \fBOSSL_FUNC_keymgmt_match()\fR might opt to not compare the private half if it has compared the public half, @@ -341,7 +344,7 @@ must also be present, and vice versa. supported algorithm for the operation \fIoperation_id\fR. This is similar to \fBprovider_query_operation()\fR (see \fBprovider\-base\fR\|(7)), but only works as an advisory. If this function is not present, or -returns NULL, the caller is free to assume that there's an algorithm +returns NULL, the caller is free to assume that there\*(Aqs an algorithm from the same provider, of the same name as the one used to fetch the keymgmt and try to use that. .PP 
@@ -410,14 +413,14 @@ provider side key object with the data. .IX Subsection "Common Information Parameters" See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure. .PP -Common information parameters currently recognised by all built-in +Common information parameters currently recognised by all built\-in keymgmt algorithms are as follows: .IP """bits"" (\fBOSSL_PKEY_PARAM_BITS\fR) <integer>" 4 .IX Item """bits"" (OSSL_PKEY_PARAM_BITS) <integer>" The value should be the cryptographic length of the cryptosystem to which the key belongs, in bits. The definition of cryptographic length is specific to the key cryptosystem. -.IP """max-size"" (\fBOSSL_PKEY_PARAM_MAX_SIZE\fR) <integer>" 4 +.IP """max\-size"" (\fBOSSL_PKEY_PARAM_MAX_SIZE\fR) <integer>" 4 .IX Item """max-size"" (OSSL_PKEY_PARAM_MAX_SIZE) <integer>" The value should be the maximum size that a caller should allocate to safely store a signature (called \fIsig\fR in \fBprovider\-signature\fR\|(7)), 
@@ -432,28 +435,28 @@ Because an EVP_KEYMGMT method is always tightly bound to another method (signature, asymmetric cipher, key exchange, ...) and must be of the same provider, this number only needs to be synchronised with the dimensions handled in the rest of the same provider. -.IP """security-bits"" (\fBOSSL_PKEY_PARAM_SECURITY_BITS\fR) <integer>" 4 +.IP """security\-bits"" (\fBOSSL_PKEY_PARAM_SECURITY_BITS\fR) <integer>" 4 .IX Item """security-bits"" (OSSL_PKEY_PARAM_SECURITY_BITS) <integer>" The value should be the number of security bits of the given key. Bits of security is defined in SP800\-57. -.IP """mandatory-digest"" (\fBOSSL_PKEY_PARAM_MANDATORY_DIGEST\fR) <UTF8 string>" 4 +.IP """mandatory\-digest"" (\fBOSSL_PKEY_PARAM_MANDATORY_DIGEST\fR) <UTF8 string>" 4 .IX Item """mandatory-digest"" (OSSL_PKEY_PARAM_MANDATORY_DIGEST) <UTF8 string>" If there is a mandatory digest for performing a signature operation with keys from this keymgmt, this parameter should get its name as value. .Sp -When \fBEVP_PKEY_get_default_digest_name()\fR queries this parameter and it's +When \fBEVP_PKEY_get_default_digest_name()\fR queries this parameter and it\*(Aqs filled in by the implementation, its return value will be 2. .Sp If the keymgmt implementation fills in the value \f(CW""\fR or \f(CW"UNDEF"\fR, \&\fBEVP_PKEY_get_default_digest_name\fR\|(3) will place the string \f(CW"UNDEF"\fR into its argument \fImdname\fR. This signifies that no digest should be specified with the corresponding signature operation. -.IP """default-digest"" (\fBOSSL_PKEY_PARAM_DEFAULT_DIGEST\fR) <UTF8 string>" 4 +.IP """default\-digest"" (\fBOSSL_PKEY_PARAM_DEFAULT_DIGEST\fR) <UTF8 string>" 4 .IX Item """default-digest"" (OSSL_PKEY_PARAM_DEFAULT_DIGEST) <UTF8 string>" If there is a default digest for performing a signature operation with keys from this keymgmt, this parameter should get its name as value. 
.Sp -When \fBEVP_PKEY_get_default_digest_name\fR\|(3) queries this parameter and it's +When \fBEVP_PKEY_get_default_digest_name\fR\|(3) queries this parameter and it\*(Aqs filled in by the implementation, its return value will be 1. Note that if \&\fBOSSL_PKEY_PARAM_MANDATORY_DIGEST\fR is responded to as well, \&\fBEVP_PKEY_get_default_digest_name\fR\|(3) ignores the response to this 
@@ -466,28 +469,28 @@ with the corresponding signature operation, but may be specified as an option. .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling \fBOSSL_FUNC_keymgmt_gen()\fR function. It may -return 0 if either the "key-check", or "sign-check" are set to 0. -.IP """key-check"" (\fBOSSL_PKEY_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +return 0 if either the "key\-check", or "sign\-check" are set to 0. +.IP """key\-check"" (\fBOSSL_PKEY_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_PKEY_PARAM_FIPS_KEY_CHECK) <integer>" If required this parameter should be set using \fBOSSL_FUNC_keymgmt_gen_set_params()\fR or \fBOSSL_FUNC_keymgmt_gen_init()\fR. The default value of 1 causes an error during the init if the key is not FIPS approved (e.g. The key has a security strength of less than 112 bits). Setting -this to 0 will ignore the error and set the approved "fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +this to 0 will ignore the error and set the approved "fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. -.IP """sign-check"" (\fBOSSL_PKEY_PARAM_FIPS_SIGN_CHECK\fR) <integer>" 4 +.IP """sign\-check"" (\fBOSSL_PKEY_PARAM_FIPS_SIGN_CHECK\fR) <integer>" 4 .IX Item """sign-check"" (OSSL_PKEY_PARAM_FIPS_SIGN_CHECK) <integer>" If required this parameter should be set before the \fBOSSL_FUNC_keymgmt_gen()\fR function. This value is not supported by all keygen algorithms. 
The default value of 1 will cause an error if the generated key is not allowed to be used for signing. -Setting this to 0 will ignore the error and set the approved "fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +Setting this to 0 will ignore the error and set the approved "fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -539,9 +542,9 @@ were added with OpenSSL 3.2. The functions \fBOSSL_FUNC_keymgmt_gen_get_params()\fR and \&\fBOSSL_FUNC_keymgmt_gen_gettable_params()\fR were added in OpenSSL 3.4. .PP -The parameters "sign-check" and "fips-indicator" were added in OpenSSL 3.4. +The parameters "sign\-check" and "fips\-indicator" were added in OpenSSL 3.4. .PP -Support for the \fBML-DSA\fR, \fBML-KEM\fR and \fBSLH-DSA\fR algorithms was added in OpenSSL 3.5. +Support for the \fBML\-DSA\fR, \fBML\-KEM\fR and \fBSLH\-DSA\fR algorithms was added in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man7/provider-mac.7 b/secure/lib/libcrypto/man/man7/provider-mac.7 index b6f824409c6a..c0782e5a0100 100644 --- a/secure/lib/libcrypto/man/man7/provider-mac.7 +++ b/secure/lib/libcrypto/man/man7/provider-mac.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-MAC 7ossl" -.TH PROVIDER-MAC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-MAC 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -107,7 +110,7 @@ them available to applications via the API functions \fBEVP_MAC_init\fR\|(3), .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP @@ -174,7 +177,7 @@ This function should free any resources associated with that context. side mac context in the \fImctx\fR parameter. The \fIparams\fR are set before setting the MAC \fIkey\fR of \fIkeylen\fR bytes. .PP -\&\fBOSSL_FUNC_mac_init_skey()\fR is similar but uses an opaque provider-specific object +\&\fBOSSL_FUNC_mac_init_skey()\fR is similar but uses an opaque provider\-specific object to initialize the MAC context. .PP \&\fBOSSL_FUNC_mac_update()\fR is called to supply data for MAC computation of a previously 
@@ -253,30 +256,30 @@ Can be used to get the MAC block size (if supported by the algorithm). .RE .PP The OpenSSL FIPS provider may support the following parameters: -.IP """fips-indicator"" (\fBOSSL_MAC_PARAM_FIPS_APPROVED_INDICATOR\fR) <int>" 4 +.IP """fips\-indicator"" (\fBOSSL_MAC_PARAM_FIPS_APPROVED_INDICATOR\fR) <int>" 4 .IX Item """fips-indicator"" (OSSL_MAC_PARAM_FIPS_APPROVED_INDICATOR) <int>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling the final function. It may return 0 if -either "no-short-mac" or "key-check" are set to 0. -.IP """no-short-mac"" (\fBOSSL_MAC_PARAM_FIPS_NO_SHORT_MAC\fR) <integer>" 4 +either "no\-short\-mac" or "key\-check" are set to 0. +.IP """no\-short\-mac"" (\fBOSSL_MAC_PARAM_FIPS_NO_SHORT_MAC\fR) <integer>" 4 .IX Item """no-short-mac"" (OSSL_MAC_PARAM_FIPS_NO_SHORT_MAC) <integer>" If required this parameter should be set early via an init function. The default value of 1 causes an error when too short MAC output is asked for. Setting this to 0 will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. -.IP """key-check"" (\fBOSSL_MAC_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_MAC_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_MAC_PARAM_FIPS_KEY_CHECK) <integer>" If required this parameter should be set before OSSL_FUNC_mac_init. The default value of 1 causes an error when small key sizes are asked for. Setting this to 0 will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. 
.SH NOTES .IX Header "NOTES" -The MAC life-cycle is described in \fBlife_cycle\-rand\fR\|(7). Providers should +The MAC life\-cycle is described in \fBlife_cycle\-rand\fR\|(7). Providers should ensure that the various transitions listed there are supported. At some point the EVP layer will begin enforcing the listed transitions. .SH "RETURN VALUES" @@ -302,7 +305,7 @@ array, or NULL if none is offered. .SH HISTORY .IX Header "HISTORY" The provider MAC interface was introduced in OpenSSL 3.0. -The parameters "no-short-mac" and "fips-indicator" were added in OpenSSL 3.4. +The parameters "no\-short\-mac" and "fips\-indicator" were added in OpenSSL 3.4. .PP The function \fBOSSL_FUNC_mac_init_skey()\fR was introduced in OpenSSL 3.5. .SH COPYRIGHT diff --git a/secure/lib/libcrypto/man/man7/provider-object.7 b/secure/lib/libcrypto/man/man7/provider-object.7 index 82beed8d146e..32db7c8f99ed 100644 --- a/secure/lib/libcrypto/man/man7/provider-object.7 +++ b/secure/lib/libcrypto/man/man7/provider-object.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-OBJECT 7ossl" -.TH PROVIDER-OBJECT 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-OBJECT 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -70,12 +73,12 @@ provider\-object \- A specification for a provider\-native object abstraction .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The provider-native object abstraction is a set of \fBOSSL_PARAM\fR\|(3) keys and -values that can be used to pass provider-native objects to OpenSSL library +The provider\-native object abstraction is a set of \fBOSSL_PARAM\fR\|(3) keys and +values that can be used to pass provider\-native objects to OpenSSL library code or between different provider operation implementations with the help of OpenSSL library code. .PP -The intention is that certain provider-native operations can pass any sort +The intention is that certain provider\-native operations can pass any sort of object that belong with other operations, or with OpenSSL library code. .PP An object may be passed in the following manners: 
@@ -84,24 +87,24 @@ An object may be passed in the following manners: .Sp This means that the \fIobject data\fR is passed as an octet string or an UTF8 string, which can be handled in diverse ways by other provided implementations. -The encoding of the object depends on the context it's used in; for example, +The encoding of the object depends on the context it\*(Aqs used in; for example, \&\fBOSSL_DECODER\fR\|(3) allows multiple encodings, depending on existing decoders. If central OpenSSL library functionality is to handle the data directly, it \&\fBmust\fR be encoded in DER for all object types except for \fBOSSL_OBJECT_NAME\fR -(see "Parameter reference" below), where it's assumed to a plain UTF8 string. +(see "Parameter reference" below), where it\*(Aqs assumed to a plain UTF8 string. .IP 2. 4 \&\fIBy reference\fR .Sp -This means that the \fIobject data\fR isn't passed directly, an \fIobject -reference\fR is passed instead. It's an octet string that only the correct +This means that the \fIobject data\fR isn\*(Aqt passed directly, an \fIobject +reference\fR is passed instead. It\*(Aqs an octet string that only the correct provider understands correctly. .PP Objects \fIby value\fR can be used by anything that handles DER encoded objects. .PP Objects \fIby reference\fR need a higher level of cooperation from the -implementation where the object originated (let's call it X) and its target -implementation (let's call it Y): +implementation where the object originated (let\*(Aqs call it X) and its target +implementation (let\*(Aqs call it Y): .IP 1. 4 \&\fIAn object loading function in the target implementation\fR .Sp 
@@ -120,13 +123,13 @@ using the \fIobject data type\fR as its key type (the second argument in .Sp The originating implementation (X) may have an exporter function. This exporter function can be used to export the object in \fBOSSL_PARAM\fR\|(3) form, -that can then be imported by the target implementation's imported function. +that can then be imported by the target implementation\*(Aqs imported function. .Sp -This can be used when it's not possible to fetch the target implementation +This can be used when it\*(Aqs not possible to fetch the target implementation (Y) from the same provider. .SS "Parameter reference" .IX Subsection "Parameter reference" -A provider-native object abstraction is an \fBOSSL_PARAM\fR\|(3) with a selection +A provider\-native object abstraction is an \fBOSSL_PARAM\fR\|(3) with a selection of the following parameters: .IP """data"" (\fBOSSL_OBJECT_PARAM_DATA\fR) <octet string> or <UTF8 string>" 4 .IX Item """data"" (OSSL_OBJECT_PARAM_DATA) <octet string> or <UTF8 string>" @@ -148,14 +151,14 @@ This is useful for \fBprovider\-storemgmt\fR\|(7) when a URI load results in new URIs. .IP \fBOSSL_OBJECT_PKEY\fR 4 .IX Item "OSSL_OBJECT_PKEY" -The object data is suitable as provider-native \fBEVP_PKEY\fR key data. The +The object data is suitable as provider\-native \fBEVP_PKEY\fR key data. The object data may be \fIpassed by value\fR or \fIpassed by reference\fR. .IP \fBOSSL_OBJECT_CERT\fR 4 .IX Item "OSSL_OBJECT_CERT" The object data is suitable as \fBX509\fR data. The object data for this object type can only be \fIpassed by value\fR, and should be an octet string. .Sp -Since there's no provider-native X.509 object, OpenSSL libraries that +Since there\*(Aqs no provider\-native X.509 object, OpenSSL libraries that receive this object abstraction are expected to convert the data to a \&\fBX509\fR object with \fBd2i_X509()\fR. .IP \fBOSSL_OBJECT_CRL\fR 4 
@@ -163,19 +166,19 @@ receive this object abstraction are expected to convert the data to a The object data is suitable as \fBX509_CRL\fR data. The object data can only be \fIpassed by value\fR, and should be an octet string. .Sp -Since there's no provider-native X.509 CRL object, OpenSSL libraries that +Since there\*(Aqs no provider\-native X.509 CRL object, OpenSSL libraries that receive this object abstraction are expected to convert the data to a \&\fBX509_CRL\fR object with \fBd2i_X509_CRL()\fR. .RE .RS 4 .RE -.IP """data-type"" (\fBOSSL_OBJECT_PARAM_DATA_TYPE\fR) <UTF8 string>" 4 +.IP """data\-type"" (\fBOSSL_OBJECT_PARAM_DATA_TYPE\fR) <UTF8 string>" 4 .IX Item """data-type"" (OSSL_OBJECT_PARAM_DATA_TYPE) <UTF8 string>" The specific type of the object content. Legitimate values depend on the object type; if it is \fBOSSL_OBJECT_PKEY\fR, the data type is expected to be a key type suitable for fetching a \fBprovider\-keymgmt\fR\|(7) that can handle the data. -.IP """data-structure"" (\fBOSSL_OBJECT_PARAM_DATA_STRUCTURE\fR) <UTF8 string>" 4 +.IP """data\-structure"" (\fBOSSL_OBJECT_PARAM_DATA_STRUCTURE\fR) <UTF8 string>" 4 .IX Item """data-structure"" (OSSL_OBJECT_PARAM_DATA_STRUCTURE) <UTF8 string>" The outermost structure of the object content. Legitimate values depend on the object type. @@ -183,7 +186,7 @@ the object type. .IX Item """desc"" (OSSL_OBJECT_PARAM_DESC) <UTF8 string>" A human readable text that describes extra details on the object. .PP -When a provider-native object abstraction is used, it \fImust\fR contain object +When a provider\-native object abstraction is used, it \fImust\fR contain object data in at least one form (object data \fIpassed by value\fR, i.e. the "data" item, or object data \fIpassed by reference\fR, i.e. the "reference" item). Both may be present at once, in which case the OpenSSL library code that 
diff --git a/secure/lib/libcrypto/man/man7/provider-rand.7 b/secure/lib/libcrypto/man/man7/provider-rand.7 index cdde7ab4b46b..9ac8ae558d94 100644 --- a/secure/lib/libcrypto/man/man7/provider-rand.7 +++ b/secure/lib/libcrypto/man/man7/provider-rand.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-RAND 7ossl" -.TH PROVIDER-RAND 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-RAND 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -229,7 +232,7 @@ associated with the provider side context \fIctx\fR in its current state if it is not NULL. Otherwise, they return the parameters associated with the provider side algorithm \fIprovctx\fR. .PP -Parameters currently recognised by built-in rands are as follows. Not all +Parameters currently recognised by built\-in rands are as follows. Not all parameters are relevant to, or are understood by all rands: .IP """state"" (\fBOSSL_RAND_PARAM_STATE\fR) <integer>" 4 .IX Item """state"" (OSSL_RAND_PARAM_STATE) <integer>" 
@@ -237,7 +240,7 @@ Returns the state of the random number generator. .IP """strength"" (\fBOSSL_RAND_PARAM_STRENGTH\fR) <unsigned integer>" 4 .IX Item """strength"" (OSSL_RAND_PARAM_STRENGTH) <unsigned integer>" Returns the bit strength of the random number generator. -.IP """fips-indicator"" (\fBOSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This option is used by the OpenSSL FIPS provider and is not supported @@ -294,7 +297,7 @@ Specifies the number of times the DRBG has been seeded or reseeded. .IX Item """mac"" (OSSL_DRBG_PARAM_MAC) <UTF8 string>" .PD Sets the name of the underlying cipher, digest or MAC to be used. -It must name a suitable algorithm for the DRBG that's being used. +It must name a suitable algorithm for the DRBG that\*(Aqs being used. .IP """properties"" (\fBOSSL_DRBG_PARAM_PROPERTIES\fR) <UTF8 string>" 4 .IX Item """properties"" (OSSL_DRBG_PARAM_PROPERTIES) <UTF8 string>" Sets the properties to be queried when trying to fetch an underlying algorithm. 
@@ -302,18 +305,18 @@ This must be given together with the algorithm naming parameter to be considered valid. .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling \fBOSSL_FUNC_rand_generate()\fR. It may -return 0 if the "digest-check" is set to 0. -.IP """digest-check"" (\fBOSSL_DRBG_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +return 0 if the "digest\-check" is set to 0. +.IP """digest\-check"" (\fBOSSL_DRBG_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_DRBG_PARAM_FIPS_DIGEST_CHECK) <integer>" If required this parameter should be set before the digest is set. The default value of 1 causes an error when the digest is set if the digest is not FIPS approved (e.g. truncated digests). Setting this to 0 will ignore -the error and set the approved "fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +the error and set the approved "fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -332,7 +335,7 @@ error. All of the remaining functions should return 1 for success or 0 on error. .SH NOTES .IX Header "NOTES" -The RAND life-cycle is described in \fBlife_cycle\-rand\fR\|(7). Providers should +The RAND life\-cycle is described in \fBlife_cycle\-rand\fR\|(7). Providers should ensure that the various transitions listed there are supported. At some point the EVP layer will begin enforcing the listed transitions. .SH "SEE ALSO" 
@@ -345,7 +348,7 @@ the EVP layer will begin enforcing the listed transitions. .SH HISTORY .IX Header "HISTORY" The provider RAND interface was introduced in OpenSSL 3.0. -The Rand Parameters "fips-indicator" and "digest-check" were added in +The Rand Parameters "fips\-indicator" and "digest\-check" were added in OpenSSL 3.4. .SH COPYRIGHT .IX Header "COPYRIGHT" diff --git a/secure/lib/libcrypto/man/man7/provider-signature.7 b/secure/lib/libcrypto/man/man7/provider-signature.7 index acdd3bf1967e..3c770d53c3d2 100644 --- a/secure/lib/libcrypto/man/man7/provider-signature.7 +++ b/secure/lib/libcrypto/man/man7/provider-signature.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-SIGNATURE 7ossl" -.TH PROVIDER-SIGNATURE 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-SIGNATURE 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -168,7 +171,7 @@ and \fBEVP_PKEY_verify_recover\fR\|(3) (as well as other related functions). .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP 
@@ -236,28 +239,66 @@ context functions (OSSL_FUNC_signature_newctx and OSSL_FUNC_signature_freectx) a set of "signature" functions, i.e. at least one of: .IP "OSSL_FUNC_signature_sign_init and OSSL_FUNC_signature_sign" 4 .IX Item "OSSL_FUNC_signature_sign_init and OSSL_FUNC_signature_sign" -.PD 0 +Used via \fBEVP_PKEY_sign_init\fR\|(3) and \fBEVP_PKEY_sign\fR\|(3). +These functions operate on pre\-digested data (the "to be signed" or TBS value). .IP "OSSL_FUNC_signature_sign_message_init and OSSL_FUNC_signature_sign" 4 .IX Item "OSSL_FUNC_signature_sign_message_init and OSSL_FUNC_signature_sign" +Used via \fBEVP_PKEY_sign_message_init\fR\|(3) and \fBEVP_PKEY_sign\fR\|(3) when signing a complete message. +The implementation internally handles message digesting. .IP "OSSL_FUNC_signature_sign_message_init, OSSL_FUNC_signature_sign_message_update and OSSL_FUNC_signature_sign_message_final" 4 .IX Item "OSSL_FUNC_signature_sign_message_init, OSSL_FUNC_signature_sign_message_update and OSSL_FUNC_signature_sign_message_final" +Streaming variant of message signing, used via \fBEVP_PKEY_sign_message_init\fR\|(3), +\&\fBEVP_PKEY_sign_message_update\fR\|(3), and \fBEVP_PKEY_sign_message_final\fR\|(3). .IP "OSSL_FUNC_signature_verify_init and OSSL_FUNC_signature_verify" 4 .IX Item "OSSL_FUNC_signature_verify_init and OSSL_FUNC_signature_verify" +Used via \fBEVP_PKEY_verify_init\fR\|(3) and \fBEVP_PKEY_verify\fR\|(3). +These functions operate on pre\-digested data. .IP "OSSL_FUNC_signature_verify_message_init and OSSL_FUNC_signature_verify" 4 .IX Item "OSSL_FUNC_signature_verify_message_init and OSSL_FUNC_signature_verify" +Used via \fBEVP_PKEY_verify_message_init\fR\|(3) and \fBEVP_PKEY_verify\fR\|(3) when verifying a complete message. +The implementation internally handles message digesting. 
.IP "OSSL_FUNC_signature_verify_message_init, OSSL_FUNC_signature_verify_message_update and OSSL_FUNC_signature_verify_message_final" 4 .IX Item "OSSL_FUNC_signature_verify_message_init, OSSL_FUNC_signature_verify_message_update and OSSL_FUNC_signature_verify_message_final" +Streaming variant of message verification, used via \fBEVP_PKEY_verify_message_init\fR\|(3), +\&\fBEVP_PKEY_verify_message_update\fR\|(3), and \fBEVP_PKEY_verify_message_final\fR\|(3). .IP "OSSL_FUNC_signature_verify_recover_init and OSSL_FUNC_signature_verify_recover" 4 .IX Item "OSSL_FUNC_signature_verify_recover_init and OSSL_FUNC_signature_verify_recover" +Used via \fBEVP_PKEY_verify_recover_init\fR\|(3) and \fBEVP_PKEY_verify_recover\fR\|(3). +Applicable only to signature schemes that support signature recovery (such as RSA). .IP "OSSL_FUNC_signature_digest_sign_init, OSSL_FUNC_signature_digest_sign_update and OSSL_FUNC_signature_digest_sign_final" 4 .IX Item "OSSL_FUNC_signature_digest_sign_init, OSSL_FUNC_signature_digest_sign_update and OSSL_FUNC_signature_digest_sign_final" +Streaming digest\-sign variant, used via \fBEVP_DigestSignInit\fR\|(3), +\&\fBEVP_DigestSignUpdate\fR\|(3), and \fBEVP_DigestSignFinal\fR\|(3). .IP "OSSL_FUNC_signature_digest_verify_init, OSSL_FUNC_signature_digest_verify_update and OSSL_FUNC_signature_digest_verify_final" 4 .IX Item "OSSL_FUNC_signature_digest_verify_init, OSSL_FUNC_signature_digest_verify_update and OSSL_FUNC_signature_digest_verify_final" +Streaming digest\-verify variant, used via \fBEVP_DigestVerifyInit\fR\|(3), +\&\fBEVP_DigestVerifyUpdate\fR\|(3), and \fBEVP_DigestVerifyFinal\fR\|(3). .IP "OSSL_FUNC_signature_digest_sign_init and OSSL_FUNC_signature_digest_sign" 4 .IX Item "OSSL_FUNC_signature_digest_sign_init and OSSL_FUNC_signature_digest_sign" +One\-shot digest\-sign variant, used via \fBEVP_DigestSign\fR\|(3). 
.IP "OSSL_FUNC_signature_digest_verify_init and OSSL_FUNC_signature_digest_verify" 4 .IX Item "OSSL_FUNC_signature_digest_verify_init and OSSL_FUNC_signature_digest_verify" -.PD +One\-shot digest\-verify variant, used via \fBEVP_DigestVerify\fR\|(3). +.PP +\&\fBImportant Note for TLS Support:\fR For a provider signature implementation to +be usable within \fIlibssl\fR for TLS connections, it \fBmust\fR implement the +digest\-sign and digest\-verify functions +(OSSL_FUNC_signature_digest_sign_init/update/final or the one\-shot variant, and +OSSL_FUNC_signature_digest_verify_init/update/final or the one\-shot variant). +The TLS handshake code in \fIlibssl\fR specifically requires these digest functions +and will not use implementations that only provide the basic sign/verify functions +(OSSL_FUNC_signature_sign_init/sign or OSSL_FUNC_signature_verify_init/verify). +.PP +The choice of which function set to implement depends on your use case: +.IP \(bu 4 +For general\-purpose signature operations and TLS support: implement the +digest\-sign and digest\-verify functions. +.IP \(bu 4 +For operations on pre\-digested data only: implement the basic sign and verify +functions. +.IP \(bu 4 +For signature schemes with recovery capability: additionally implement the +verify\-recover functions. .PP The \fBOSSL_FUNC_signature_set_ctx_params()\fR and \&\fBOSSL_FUNC_signature_settable_ctx_params()\fR functions are optional, @@ -270,7 +311,7 @@ The \fBOSSL_FUNC_signature_dupctx()\fR function is optional. It is not yet used by OpenSSL. .PP The \fBOSSL_FUNC_signature_query_key_types()\fR function is optional. -When present, it should return a NULL-terminated array of strings +When present, it should return a NULL\-terminated array of strings indicating the key types supported by the provider for signature operations. Otherwise the signature algorithm name must match the given key or match the default signature algorithm name of the key, 
@@ -338,7 +379,7 @@ the provider using the key management (OSSL_OP_KEYMGMT) operation (see \&\fBOSSL_FUNC_signature_sign_message_final()\fR performs the actual signing on the data that was gathered with \fBOSSL_FUNC_signature_sign_message_update()\fR. .PP -\&\fBOSSL_FUNC_signature_sign()\fR can be used for one-shot signature calls. In that +\&\fBOSSL_FUNC_signature_sign()\fR can be used for one\-shot signature calls. In that case, \fItbs\fR is expected to be the whole message to be signed, \fItbslen\fR bytes long. .PP @@ -389,7 +430,7 @@ The signature itself must have been passed through the "signature" (\fBOSSL_SIGNATURE_PARAM_SIGNATURE\fR) Signature parameter before this function is called. .PP -\&\fBOSSL_FUNC_signature_verify()\fR can be used for one-shot verification calls. In +\&\fBOSSL_FUNC_signature_verify()\fR can be used for one\-shot verification calls. In that case, \fItbs\fR is expected to be the whole message to be verified on, \&\fItbslen\fR bytes long. .SS "Verify Recover Functions" @@ -492,12 +533,12 @@ given provider side signature context \fIctx\fR to \fIparams\fR. Any parameter settings are additional to any that were previously set. Passing NULL for \fIparams\fR should return true. .PP -Common parameters currently recognised by built-in signature algorithms are as +Common parameters currently recognised by built\-in signature algorithms are as follows. .IP """digest"" (\fBOSSL_SIGNATURE_PARAM_DIGEST\fR) <UTF8 string>" 4 .IX Item """digest"" (OSSL_SIGNATURE_PARAM_DIGEST) <UTF8 string>" Get or sets the name of the digest algorithm used for the input to the -signature functions. It is required in order to calculate the "algorithm-id". +signature functions. It is required in order to calculate the "algorithm\-id". .IP """properties"" (\fBOSSL_SIGNATURE_PARAM_PROPERTIES\fR) <UTF8 string>" 4 .IX Item """properties"" (OSSL_SIGNATURE_PARAM_PROPERTIES) <UTF8 string>" Sets the name of the property query associated with the "digest" algorithm. 
@@ -505,29 +546,29 @@ NULL is used if this optional value is not set. .PP Note that when implementing a signature algorithm that gathers a full message, like RSA\-SHA256, the "digest" and "properties" parameters should not be used. -For such implementations, it's acceptable to simply ignore them if they happen +For such implementations, it\*(Aqs acceptable to simply ignore them if they happen to be passed in a call to \fBOSSL_FUNC_signature_set_ctx_params()\fR. For such implementations, however, it is not acceptable to have them in the \fBOSSL_PARAM\fR -array that's returned by \fBOSSL_FUNC_signature_settable_ctx_params()\fR. +array that\*(Aqs returned by \fBOSSL_FUNC_signature_settable_ctx_params()\fR. .IP """signature"" (\fBOSSL_SIGNATURE_PARAM_SIGNATURE\fR) <octet string>" 4 .IX Item """signature"" (OSSL_SIGNATURE_PARAM_SIGNATURE) <octet string>" Sets the signature to verify, specifically when \&\fBOSSL_FUNC_signature_verify_message_final()\fR is used. -.IP """digest-size"" (\fBOSSL_SIGNATURE_PARAM_DIGEST_SIZE\fR) <unsigned integer>" 4 +.IP """digest\-size"" (\fBOSSL_SIGNATURE_PARAM_DIGEST_SIZE\fR) <unsigned integer>" 4 .IX Item """digest-size"" (OSSL_SIGNATURE_PARAM_DIGEST_SIZE) <unsigned integer>" Gets or sets the output size of the digest algorithm used for the input to the signature functions. -The length of the "digest-size" parameter should not exceed that of a \fBsize_t\fR. -.IP """algorithm-id"" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string>" 4 +The length of the "digest\-size" parameter should not exceed that of a \fBsize_t\fR. +.IP """algorithm\-id"" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string>" 4 .IX Item """algorithm-id"" (OSSL_SIGNATURE_PARAM_ALGORITHM_ID) <octet string>" -Gets the DER-encoded AlgorithmIdentifier for the signature operation. +Gets the DER\-encoded AlgorithmIdentifier for the signature operation. 
This typically corresponds to the combination of a digest algorithm with a purely asymmetric signature algorithm, such as SHA256WithECDSA. .Sp The \fBASN1_item_sign_ctx\fR\|(3) function relies on this operation and is used by many other functions that sign ASN.1 structures such as X.509 certificates, certificate requests, and CRLs, as well as OCSP, CMP, and CMS messages. -.IP """nonce-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4 +.IP """nonce\-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4 .IX Item """nonce-type"" (OSSL_SIGNATURE_PARAM_NONCE_TYPE) <unsigned integer>" Set this to 1 to use deterministic digital signature generation with ECDSA or DSA, as defined in RFC 6979 (see Section 3.2 "Generation of @@ -535,7 +576,7 @@ k"). In this case, the "digest" parameter must be explicitly set (otherwise, deterministic nonce generation will fail). Before using deterministic digital signature generation, please read RFC 6979 Section 4 "Security Considerations". The default value for -"nonce-type" is 0 and results in a random value being used for the +"nonce\-type" is 0 and results in a random value being used for the nonce \fBk\fR as defined in FIPS 186\-4 Section 6.3 "Secret Number Generation". .Sp 
@@ -554,51 +595,51 @@ Known answer tests can be performed if the random generator is overridden to supply known values that either pass or fail. .PP The following parameters are used by the OpenSSL FIPS provider: -.IP """fips-indicator"" (\fBOSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling either the sign or verify final functions. It may -return 0 if either the "digest-check", "key-check", or "sign-check" are set to 0. -.IP """verify-message"" (\fBOSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE\fR <integer>" 4 +return 0 if either the "digest\-check", "key\-check", or "sign\-check" are set to 0. +.IP """verify\-message"" (\fBOSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE\fR <integer>" 4 .IX Item """verify-message"" (OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE <integer>" A getter that returns 1 if a signature verification operation acted on a raw message, or 0 if it verified a predigested message. A value of 0 -indicates likely non-approved usage of the FIPS provider. This flag is +indicates likely non\-approved usage of the FIPS provider. This flag is set when any signature verification initialisation function is called. It is also set to 1 when any signing operation is performed to signify compliance. See FIPS 140\-3 IG 2.4.B for further information. -.IP """key-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK) <integer>" If required this parameter should be set early via an init function (e.g. \fBOSSL_FUNC_signature_sign_init()\fR or \fBOSSL_FUNC_signature_verify_init()\fR). 
The default value of 1 causes an error during the init if the key is not FIPS approved (e.g. The key has a security strength of less than 112 bits). Setting this to 0 will ignore the error and set the approved "indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. -.IP """digest-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK) <integer>" If required this parameter should be set before the signature digest is set. The default value of 1 causes an error when the digest is set if the digest is not FIPS approved (e.g. SHA1 is used for signing). Setting this to 0 will ignore -the error and set the approved "fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +the error and set the approved "fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. -.IP """sign-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK\fR) <integer>" 4 +.IP """sign\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK\fR) <integer>" 4 .IX Item """sign-check"" (OSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK) <integer>" If required this parameter should be set early via an init function. The default value of 1 causes an error when a signing algorithm is used. (This is triggered by deprecated signing algorithms). -Setting this to 0 will ignore the error and set the approved "fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" to +Setting this to 0 will ignore the error and set the approved "fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. 
.IP """sign\-x931\-pad\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK\fR) <integer>" 4 .IX Item """sign-x931-pad-check"" (OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK) <integer>" If required this parameter should be set before the padding mode is set. The default value of 1 causes an error if the padding mode is set to X9.31 padding for a RSA signing operation. Setting this to 0 will ignore the error and set the -approved "fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +approved "fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .PP \&\fBOSSL_FUNC_signature_gettable_ctx_params()\fR and \fBOSSL_FUNC_signature_settable_ctx_params()\fR get a @@ -620,8 +661,8 @@ given provider side digest signature context \fIctx\fR to \fIparams\fR. Any parameter settings are additional to any that were previously set. Passing NULL for \fIparams\fR should return true. .PP -Parameters currently recognised by built-in signature algorithms are the same -as those for built-in digest algorithms. See +Parameters currently recognised by built\-in signature algorithms are the same +as those for built\-in digest algorithms. See "Digest Parameters" in \fBprovider\-digest\fR\|(7) for further information. .PP \&\fBOSSL_FUNC_signature_gettable_md_ctx_params()\fR and \fBOSSL_FUNC_signature_settable_md_ctx_params()\fR 
@@ -638,10 +679,10 @@ provider side signature context, or NULL on failure. \&\fBOSSL_FUNC_signature_gettable_md_ctx_params()\fR and \fBOSSL_FUNC_signature_settable_md_ctx_params()\fR, return the gettable or settable parameters in a constant \fBOSSL_PARAM\fR\|(3) array. .PP -\&\fBOSSL_FUNC_signature_query_key_types()\fR should return a NULL-terminated array of strings. +\&\fBOSSL_FUNC_signature_query_key_types()\fR should return a NULL\-terminated array of strings. .PP All verification functions should return 1 for success, -0 for a non-matching signature, and a negative value for operation failure. +0 for a non\-matching signature, and a negative value for operation failure. .PP All other functions should return 1 for success and 0 or a negative value for failure. @@ -654,8 +695,17 @@ and 0 or a negative value for failure. .SH HISTORY .IX Header "HISTORY" The provider SIGNATURE interface was introduced in OpenSSL 3.0. -The Signature Parameters "fips-indicator", "key-check" and "digest-check" -were added in OpenSSL 3.4. +.PP +The \fBOSSL_FUNC_signature_sign_message_init()\fR, \fBOSSL_FUNC_signature_sign_message_update()\fR, +\&\fBOSSL_FUNC_signature_sign_message_final()\fR, \fBOSSL_FUNC_signature_verify_message_init()\fR, +\&\fBOSSL_FUNC_signature_verify_message_update()\fR and \fBOSSL_FUNC_signature_verify_message_final()\fR +functions were added in OpenSSL 3.4. +.PP +The Signature Parameters "fips\-indicator", "key\-check" and "digest\-check" were added in +OpenSSL 3.4. +.PP +Deterministic digital signature generation for ECDSA was added to the FIPS provider in OpenSSL +3.6. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man7/provider-skeymgmt.7 b/secure/lib/libcrypto/man/man7/provider-skeymgmt.7 index f2898076e9c1..c1638efcf289 100644 --- a/secure/lib/libcrypto/man/man7/provider-skeymgmt.7 +++ b/secure/lib/libcrypto/man/man7/provider-skeymgmt.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-SKEYMGMT 7ossl" -.TH PROVIDER-SKEYMGMT 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-SKEYMGMT 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -89,7 +92,7 @@ provider\-skeymgmt \- The SKEYMGMT library <\-> provider functions .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The SKEYMGMT operation doesn't have much public visibility in the OpenSSL +The SKEYMGMT operation doesn\*(Aqt have much public visibility in the OpenSSL libraries, rather it is an internal operation that is designed to work with operations that use opaque symmetric keys objects. .PP @@ -102,7 +105,7 @@ provider side key data for the OpenSSL library EVP_SKEY structure. .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP 
@@ -141,7 +144,7 @@ interface can be passed as is to other algorithms from the same provider operations, such as \fBOSSL_FUNC_mac_init_opaque()\fR (see \&\fBprovider\-mac\fR\|(7)). .PP -With the export SKEYMGMT function, it's possible to select a specific +With the export SKEYMGMT function, it\*(Aqs possible to select a specific subset of data to handle, governed by the bits in a \fIselection\fR indicator. The bits are: .IP \fBOSSL_SKEYMGMT_SELECT_SECRET_KEY\fR 4 
@@ -186,22 +189,22 @@ object. be provided to the \fBOSSL_FUNC_skeymgmt_generate()\fR function. .SS "Key Object Information functions" .IX Subsection "Key Object Information functions" -\&\fBOSSL_FUNC_skeymgmt_get_key_id()\fR returns a NUL-terminated string identifying the +\&\fBOSSL_FUNC_skeymgmt_get_key_id()\fR returns a NUL\-terminated string identifying the particular key. The returned string will be freed by a call to \fBEVP_SKEY_free()\fR so callers need to copy it themselves if they want to preserve the value past the key lifetime. The purpose of this function is providing a printable string that can help users to access the specific key. The content of this string is -provider-specific. +provider\-specific. .SS "Common Import and Export Parameters" .IX Subsection "Common Import and Export Parameters" See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure. .PP -Common information parameters currently recognised by built-in +Common information parameters currently recognised by built\-in skeymgmt algorithms are as follows: -.IP """raw-bytes"" (\fBSKEY_PARAM_RAW_BYTES\fR) <octet string>" 4 +.IP """raw\-bytes"" (\fBSKEY_PARAM_RAW_BYTES\fR) <octet string>" 4 .IX Item """raw-bytes"" (SKEY_PARAM_RAW_BYTES) <octet string>" The value represents symmetric key as a byte array. -.IP """key-length"" (\fBSKEY_PARAM_KEY_LENGTH\fR) <integer>" 4 +.IP """key\-length"" (\fBSKEY_PARAM_KEY_LENGTH\fR) <integer>" 4 .IX Item """key-length"" (SKEY_PARAM_KEY_LENGTH) <integer>" The value is the byte length of the given key. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man7/provider-storemgmt.7 b/secure/lib/libcrypto/man/man7/provider-storemgmt.7 index 07fd9502430e..b1eed9740941 100644 --- a/secure/lib/libcrypto/man/man7/provider-storemgmt.7 +++ b/secure/lib/libcrypto/man/man7/provider-storemgmt.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-STOREMGMT 7ossl" -.TH PROVIDER-STOREMGMT 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-STOREMGMT 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -101,7 +104,7 @@ The STORE operation is the provider side of the \fBossl_store\fR\|(7) API. .PP The primary responsibility of the STORE operation is to load all sorts of objects from a container indicated by URI. These objects are given -to the OpenSSL library in provider-native object abstraction form (see +to the OpenSSL library in provider\-native object abstraction form (see \&\fBprovider\-object\fR\|(7)). The OpenSSL library is then responsible for passing on that abstraction to suitable provided functions. .PP @@ -112,7 +115,7 @@ form). .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP 
@@ -160,7 +163,7 @@ can handle. \&\fBOSSL_FUNC_store_set_ctx_params()\fR should set additional parameters, such as what kind of data to expect, search criteria, and so on. More on those below, in "Load Parameters". Whether unrecognised parameters are an error or simply -ignored is at the implementation's discretion. +ignored is at the implementation\*(Aqs discretion. Passing NULL for \fIparams\fR should return true. .PP \&\fBOSSL_FUNC_store_load()\fR loads the next object from the URI opened by @@ -172,12 +175,12 @@ case a passphrase needs to be prompted to unlock an object, \fIpw_cb\fR should be called. .PP \&\fBOSSL_FUNC_store_eof()\fR indicates if the end of the set of objects from the -URI has been reached. When that happens, there's no point trying to do any +URI has been reached. When that happens, there\*(Aqs no point trying to do any further loading. .PP \&\fBOSSL_FUNC_store_close()\fR frees the provider side context \fIctx\fR. .PP -When a provider-native object is created by a store manager it would be unsuitable +When a provider\-native object is created by a store manager it would be unsuitable for direct use with a foreign provider. The export function allows for exporting the object to that foreign provider if the foreign provider supports the type of the object and provides an import function. @@ -243,7 +246,7 @@ alias (some call it a "friendly name"). .IX Item """properties"" (OSSL_STORE_PARAM_PROPERTIES) <utf8 string>" Property string to use when querying for algorithms such as the \fBOSSL_DECODER\fR decoder implementations. -.IP """input-type"" (\fBOSSL_STORE_PARAM_INPUT_TYPE\fR) <utf8 string>" 4 +.IP """input\-type"" (\fBOSSL_STORE_PARAM_INPUT_TYPE\fR) <utf8 string>" 4 .IX Item """input-type"" (OSSL_STORE_PARAM_INPUT_TYPE) <utf8 string>" Type of the input format as a hint to use when decoding the objects in the store. 
diff --git a/secure/lib/libcrypto/man/man7/provider.7 b/secure/lib/libcrypto/man/man7/provider.7 index 579aaa05c2c4..c655b870b7b0 100644 --- a/secure/lib/libcrypto/man/man7/provider.7 +++ b/secure/lib/libcrypto/man/man7/provider.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER 7ossl" -.TH PROVIDER 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -90,11 +93,11 @@ See \fBcrypto\fR\|(7) for further details. A \fIprovider\fR offers an initialization function, as a set of base functions in the form of an \fBOSSL_DISPATCH\fR\|(3) array, and by extension, a set of \fBOSSL_ALGORITHM\fR\|(3)s (see \fBopenssl\-core.h\fR\|(7)). -It may be a dynamically loadable module, or may be built-in, in +It may be a dynamically loadable module, or may be built\-in, in OpenSSL libraries or in the application. -If it's a dynamically loadable module, the initialization function +If it\*(Aqs a dynamically loadable module, the initialization function must be named \f(CW\*(C`OSSL_provider_init\*(C'\fR and must be exported. -If it's built-in, the initialization function may have any name. +If it\*(Aqs built\-in, the initialization function may have any name. .PP The initialization function must have the following signature: .PP 
diff --git a/secure/lib/libcrypto/man/man7/proxy-certificates.7 b/secure/lib/libcrypto/man/man7/proxy-certificates.7 index 630d0d475fb2..772d456039c8 100644 --- a/secure/lib/libcrypto/man/man7/proxy-certificates.7 +++ b/secure/lib/libcrypto/man/man7/proxy-certificates.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROXY-CERTIFICATES 7ossl" -.TH PROXY-CERTIFICATES 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROXY-CERTIFICATES 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -113,7 +116,7 @@ command, with some extra extensions: \& proxyCertInfo = critical,language:id\-ppl\-anyLanguage,pathlen:1,policy:text:AB .Ve .PP -It's also possible to specify the proxy extension in a separate section: +It\*(Aqs also possible to specify the proxy extension in a separate section: .PP .Vb 1 \& proxyCertInfo = critical,@proxy_ext diff --git a/secure/lib/libcrypto/man/man7/x509.7 b/secure/lib/libcrypto/man/man7/x509.7 index 42e20227ed5a..f545f8ba9553 100644 --- a/secure/lib/libcrypto/man/man7/x509.7 +++ b/secure/lib/libcrypto/man/man7/x509.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509 7ossl" -.TH X509 7ossl 2025-09-30 3.5.4 OpenSSL +.TH X509 7ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -73,7 +76,7 @@ An X.509 certificate is a structured grouping of information about an individual, a device, or anything one can imagine. An X.509 CRL (certificate revocation list) is a tool to help determine if a certificate is still valid. The exact definition of those can be -found in the X.509 document from ITU-T, or in RFC3280 from PKIX. +found in the X.509 document from ITU\-T, or in RFC3280 from PKIX. In OpenSSL, the type X509 is used to express such a certificate, and the type X509_CRL is used to express a CRL. .PP @@ -86,7 +89,7 @@ X509_NAME (to express a certificate name), X509_ATTRIBUTE (to express a certificate attribute), X509_EXTENSION (to express a certificate extension) and a few more. .PP -Finally, there's the supertype X509_INFO, which can contain a CRL, a +Finally, there\*(Aqs the supertype X509_INFO, which can contain a CRL, a certificate and a corresponding private key. .PP \&\fBX509_\fR\fIXXX\fR, \fBd2i_X509_\fR\fIXXX\fR, and \fBi2d_X509_\fR\fIXXX\fR functions diff --git a/secure/usr.bin/openssl/man/CA.pl.1 b/secure/usr.bin/openssl/man/CA.pl.1 index f3175944d4d5..d330ba382b9c 100644 --- a/secure/usr.bin/openssl/man/CA.pl.1 +++ b/secure/usr.bin/openssl/man/CA.pl.1 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CA.PL 1ossl" -.TH CA.PL 1ossl 2025-09-30 3.5.4 OpenSSL +.TH CA.PL 1ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -94,7 +97,7 @@ It is intended to simplify the process of certificate creation and management by the use of some simple options. .PP The script is intended as a simple front end for the \fBopenssl\fR\|(1) program for -use by a beginner. Its behaviour isn't always what is wanted. For more control +use by a beginner. Its behaviour isn\*(Aqt always what is wanted. For more control over the behaviour of the certificate commands call the \fBopenssl\fR\|(1) command directly. .PP @@ -189,10 +192,10 @@ certificates are specified on the command line it tries to verify the file .IP "\fB\-extra\-\fR\f(BIcmd\fR \fIparameter\fR" 4 .IX Item "-extra-cmd parameter" For each option \fBextra\-\fR\f(BIcmd\fR, pass \fIparameter\fR to the \fBopenssl\fR\|(1) -sub-command with the same name as \fIcmd\fR, if that sub-command is invoked. +sub\-command with the same name as \fIcmd\fR, if that sub\-command is invoked. For example, if \fBopenssl\-req\fR\|(1) is invoked, the \fIparameter\fR given with \&\fB\-extra\-req\fR will be passed to it. -For multi-word parameters, either repeat the option or quote the \fIparameters\fR +For multi\-word parameters, either repeat the option or quote the \fIparameters\fR so it looks like one word to your shell. See the individual command documentation for more information. .SH EXAMPLES 
@@ -219,7 +222,7 @@ the OpenSSL program. It can be a full pathname, or a relative one. .PP The environment variable \fBOPENSSL_CONFIG\fR may be used to specify a configuration option and value to the \fBreq\fR and \fBca\fR commands invoked by -this script. It's value should be the option and pathname, as in +this script. It\*(Aqs value should be the option and pathname, as in \&\f(CW\*(C`\-config /path/to/conf\-file\*(C'\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/usr.bin/openssl/man/openssl-asn1parse.1 b/secure/usr.bin/openssl/man/openssl-asn1parse.1 index a46871fcaacf..c173e8bae141 100644 --- a/secure/usr.bin/openssl/man/openssl-asn1parse.1 +++ b/secure/usr.bin/openssl/man/openssl-asn1parse.1 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-ASN1PARSE 1ossl" -.TH OPENSSL-ASN1PARSE 1ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-ASN1PARSE 1ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -104,7 +107,7 @@ option is not present then no data will be output. This is most useful when combined with the \fB\-strparse\fR option. .IP \fB\-noout\fR 4 .IX Item "-noout" -Don't output the parsed version of the input file. +Don\*(Aqt output the parsed version of the input file. .IP "\fB\-offset\fR \fInumber\fR" 4 .IX Item "-offset number" Starting offset to begin parsing, default is start of file. 
@@ -173,7 +176,7 @@ The output will typically contain lines like this: .PP \&..... .PP -This example is part of a self-signed certificate. Each line starts with the +This example is part of a self\-signed certificate. Each line starts with the offset in decimal. \f(CW\*(C`d=XX\*(C'\fR specifies the current depth. The depth is increased within the scope of any SET or SEQUENCE. \f(CW\*(C`hl=XX\*(C'\fR gives the header length (tag and length octets) of the current type. \f(CW\*(C`l=XX\*(C'\fR gives the length of @@ -194,7 +197,7 @@ be examined using the option \f(CW\*(C`\-strparse 229\*(C'\fR to yield: .Ve .SH NOTES .IX Header "NOTES" -If an OID is not part of OpenSSL's internal table it will be represented in +If an OID is not part of OpenSSL\*(Aqs internal table it will be represented in numerical form (for example 1.2.3.4). The file passed to the \fB\-oid\fR option allows additional OIDs to be included. Each line consists of three columns, the first column is the OID in numerical format and should be followed by white @@ -226,7 +229,7 @@ Generate a simple UTF8String: \& openssl asn1parse \-genstr \*(AqUTF8:Hello World\*(Aq .Ve .PP -Generate and write out a UTF8String, don't print parsed output: +Generate and write out a UTF8String, don\*(Aqt print parsed output: .PP .Vb 1 \& openssl asn1parse \-genstr \*(AqUTF8:Hello World\*(Aq \-noout \-out utf8.der diff --git a/secure/usr.bin/openssl/man/openssl-ca.1 b/secure/usr.bin/openssl/man/openssl-ca.1 index 20bcaf806098..1a8109eb34e4 100644 --- a/secure/usr.bin/openssl/man/openssl-ca.1 +++ b/secure/usr.bin/openssl/man/openssl-ca.1 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-CA 1ossl" -.TH OPENSSL-CA 1ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-CA 1ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -183,7 +186,7 @@ by default PEM is tried first. See \fBopenssl\-format\-options\fR\|(1) for details. .IP "\fB\-ss_cert\fR \fIfilename\fR" 4 .IX Item "-ss_cert filename" -A single self-signed certificate to be signed by the CA. +A single self\-signed certificate to be signed by the CA. .IP "\fB\-spkac\fR \fIfilename\fR" 4 .IX Item "-spkac filename" A file containing a single Netscape signed public key and challenge @@ -221,14 +224,14 @@ See \fBopenssl\-format\-options\fR\|(1) for details. .IP "\fB\-sigopt\fR \fInm\fR:\fIv\fR" 4 .IX Item "-sigopt nm:v" Pass options to the signature algorithm during sign operations. -Names and values of these options are algorithm-specific and +Names and values of these options are algorithm\-specific and documented in "Signature parameters" in \fBprovider\-signature\fR\|(7). .IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4 .IX Item "-vfyopt nm:v" Pass options to the signature algorithm during verify operations. -Names and values of these options are algorithm-specific. +Names and values of these options are algorithm\-specific. .Sp -This often needs to be given while signing too, because the self-signature of +This often needs to be given while signing too, because the self\-signature of a certificate signing request (CSR) is verified against the included public key, and that verification may need its own set of options. .IP "\fB\-key\fR \fIpassword\fR" 4 
@@ -250,14 +253,14 @@ the certificate requests were signed with (given with \fB\-keyfile\fR). Certificate requests signed with a different key are ignored. If \fB\-spkac\fR, \fB\-ss_cert\fR or \fB\-gencrl\fR are given, \fB\-selfsign\fR is ignored. .Sp -A consequence of using \fB\-selfsign\fR is that the self-signed +A consequence of using \fB\-selfsign\fR is that the self\-signed certificate appears among the entries in the certificate database (see the configuration option \fBdatabase\fR), and uses the same serial number counter as all other certificates sign with the -self-signed certificate. +self\-signed certificate. .IP \fB\-notext\fR 4 .IX Item "-notext" -Don't output the text form of a certificate to the output file. +Don\*(Aqt output the text form of a certificate to the output file. .IP \fB\-dateopt\fR 4 .IX Item "-dateopt" Specify the date output format. Values are: rfc_822 and iso_8601. @@ -316,7 +319,7 @@ DNs match the order of the request. This is not needed for Xenroll. The DN of a certificate can contain the EMAIL field if present in the request DN, however, it is good policy just having the e\-mail set into the altName extension of the certificate. When this option is set the -EMAIL field is removed from the certificate' subject and set only in +EMAIL field is removed from the certificate\*(Aq subject and set only in the, eventually present, extensions. The \fBemail_in_dn\fR keyword can be used in the configuration file to enable this behaviour. .IP \fB\-batch\fR 4 
@@ -344,8 +347,8 @@ The arg must be formatted as \f(CW\*(C`/type0=value0/type1=value1/type2=...\*(C' Special characters may be escaped by \f(CW\*(C`\e\*(C'\fR (backslash), whitespace is retained. Empty values are permitted, but the corresponding type will not be included in the resulting certificate. -Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN). -Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR +Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL\-DN). +Multi\-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR between the AttributeValueAssertions (AVAs) that specify the members of the set. Example: .Sp @@ -362,7 +365,7 @@ If reading serial from the text file as specified in the configuration fails, specifying this option creates a new random serial to be used as next serial number. To get random serial numbers, use the \fB\-rand_serial\fR flag instead; this -should only be used for simple error-recovery. +should only be used for simple error\-recovery. .IP \fB\-rand_serial\fR 4 .IX Item "-rand_serial" Generate a large random number to use as the serial number. 
@@ -395,13 +398,13 @@ See "Provider Options" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproper This option generates a CRL based on information in the index file. .IP "\fB\-crl_lastupdate\fR \fItime\fR" 4 .IX Item "-crl_lastupdate time" -Allows the value of the CRL's lastUpdate field to be explicitly set; if +Allows the value of the CRL\*(Aqs lastUpdate field to be explicitly set; if this option is not present, the current time is used. Accepts times in YYMMDDHHMMSSZ format (the same as an ASN1 UTCTime structure) or YYYYMMDDHHMMSSZ format (the same as an ASN1 GeneralizedTime structure). .IP "\fB\-crl_nextupdate\fR \fItime\fR" 4 .IX Item "-crl_nextupdate time" -Allows the value of the CRL's nextUpdate field to be explicitly set; if +Allows the value of the CRL\*(Aqs nextUpdate field to be explicitly set; if this option is present, any values given for \fB\-crldays\fR, \fB\-crlhours\fR and \fB\-crlsec\fR are ignored. Accepts times in the same formats as \&\fB\-crl_lastupdate\fR. @@ -458,7 +461,7 @@ include. If no CRL extension section is present then a V1 CRL is created, if the CRL extension section is present (even if it is empty) then a V2 CRL is created. The CRL extensions specified are CRL extensions and \fBnot\fR CRL entry extensions. It should be noted -that some software (for example Netscape) can't handle V2 CRLs. See +that some software (for example Netscape) can\*(Aqt handle V2 CRLs. See \&\fBx509v3_config\fR\|(5) manual page for details of the extension section format. .SH "CONFIGURATION FILE OPTIONS" 
@@ -543,8 +546,8 @@ If the value \fByes\fR is given, the valid certificate entries in the database must have unique subjects. if the value \fBno\fR is given, several valid certificate entries may have the exact same subject. The default value is \fByes\fR, to be compatible with older (pre 0.9.8) -versions of OpenSSL. However, to make CA certificate roll-over easier, -it's recommended to use the value \fBno\fR, especially if combined with +versions of OpenSSL. However, to make CA certificate roll\-over easier, +it\*(Aqs recommended to use the value \fBno\fR, especially if combined with the \fB\-selfsign\fR command line option. .Sp Note that it is valid in some circumstances for certificates to be created @@ -571,8 +574,8 @@ The same as \fB\-preserveDN\fR .IP \fBemail_in_dn\fR 4 .IX Item "email_in_dn" The same as \fB\-noemailDN\fR. If you want the EMAIL field to be removed -from the DN of the certificate simply set this to 'no'. If not present -the default is to allow for the EMAIL filed in the certificate's DN. +from the DN of the certificate simply set this to \*(Aqno\*(Aq. If not present +the default is to allow for the EMAIL filed in the certificate\*(Aqs DN. .IP \fBmsie_hack\fR 4 .IX Item "msie_hack" The same as \fB\-msie_hack\fR @@ -628,7 +631,7 @@ It is however possible to create SPKACs using \fBopenssl\-spkac\fR\|(1). The file should contain the variable SPKAC set to the value of the SPKAC and also the required DN components as name value pairs. If you need to include the same component twice then it can be -preceded by a number and a '.'. +preceded by a number and a \*(Aq.\*(Aq. .PP When processing SPKAC format, the output is DER if the \fB\-out\fR flag is used, but PEM format if sending to stdout or the \fB\-outdir\fR 
@@ -759,24 +762,24 @@ CRL: however there is no option to do this. V2 CRL features like delta CRLs are not currently supported. .PP Although several requests can be input and handled at once it is only -possible to include one SPKAC or self-signed certificate. +possible to include one SPKAC or self\-signed certificate. .SH BUGS .IX Header "BUGS" This command is quirky and at times downright unfriendly. .PP -The use of an in-memory text database can cause problems when large +The use of an in\-memory text database can cause problems when large numbers of certificates are present because, as the name implies the database has to be kept in memory. .PP This command really needs rewriting or the required functionality -exposed at either a command or interface level so that a more user-friendly +exposed at either a command or interface level so that a more user\-friendly replacement could handle things properly. The script \&\fBCA.pl\fR helps a little but not very much. .PP Any fields in a request that are not present in a policy are silently deleted. This does not happen if the \fB\-preserveDN\fR option is used. To enforce the absence of the EMAIL field within the DN, as suggested by -RFCs, regardless the contents of the request' subject the \fB\-noemailDN\fR +RFCs, regardless the contents of the request\*(Aq subject the \fB\-noemailDN\fR option can be used. The behaviour should be more friendly and configurable. .PP diff --git a/secure/usr.bin/openssl/man/openssl-ciphers.1 b/secure/usr.bin/openssl/man/openssl-ciphers.1 index 09f07d6b689a..00f0f2583f8c 100644 --- a/secure/usr.bin/openssl/man/openssl-ciphers.1 +++ b/secure/usr.bin/openssl/man/openssl-ciphers.1 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-CIPHERS 1ossl" -.TH OPENSSL-CIPHERS 1ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-CIPHERS 1ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -197,7 +200,7 @@ If \fB\-\fR is used then the ciphers are deleted from the list, but some or all of the ciphers can be added again by later options. .PP If \fB+\fR is used then the ciphers are moved to the end of the list. This -option doesn't add any new ciphers it just moves matching existing ones. +option doesn\*(Aqt add any new ciphers it just moves matching existing ones. .PP If none of these characters is present then the string is just interpreted as a list of ciphers to be appended to the current preference list. If the @@ -227,7 +230,7 @@ The ciphers included in \fBALL\fR, but not enabled by default. Currently this includes all RC4 and anonymous ciphers. Note that this rule does not cover \fBeNULL\fR, which is not included by \fBALL\fR (use \fBCOMPLEMENTOFALL\fR if necessary). Note that RC4 based cipher suites are not built into OpenSSL by -default (see the enable-weak-ssl-ciphers option to Configure). +default (see the enable\-weak\-ssl\-ciphers option to Configure). .IP \fBALL\fR 4 .IX Item "ALL" All cipher suites except the \fBeNULL\fR ciphers (which must be explicitly enabled 
@@ -254,7 +257,7 @@ cipher suites have been removed as of OpenSSL 1.1.0. The "NULL" ciphers that is those offering no encryption. Because these offer no encryption at all and are a security risk they are not enabled via either the \&\fBDEFAULT\fR or \fBALL\fR cipher strings. -Be careful when building cipherlists out of lower-level primitives such as +Be careful when building cipherlists out of lower\-level primitives such as \&\fBkRSA\fR or \fBaECDSA\fR as these do overlap with the \fBeNULL\fR ciphers. When in doubt, include \fB!eNULL\fR in your cipherlist. .IP \fBaNULL\fR 4 @@ -264,7 +267,7 @@ DH algorithms and anonymous ECDH algorithms. These cipher suites are vulnerable to "man in the middle" attacks and so their use is discouraged. These are excluded from the \fBDEFAULT\fR ciphers, but included in the \fBALL\fR ciphers. -Be careful when building cipherlists out of lower-level primitives such as +Be careful when building cipherlists out of lower\-level primitives such as \&\fBkDHE\fR or \fBAES\fR as these do overlap with the \fBaNULL\fR ciphers. When in doubt, include \fB!aNULL\fR in your cipherlist. .IP "\fBkRSA\fR, \fBaRSA\fR, \fBRSA\fR" 4 @@ -296,7 +299,7 @@ cipher suites. Cipher suites using authenticated ephemeral ECDH key agreement. .IP \fBAECDH\fR 4 .IX Item "AECDH" -Anonymous Elliptic Curve Diffie-Hellman cipher suites. +Anonymous Elliptic Curve Diffie\-Hellman cipher suites. .IP "\fBaDSS\fR, \fBDSS\fR" 4 .IX Item "aDSS, DSS" Cipher suites using DSS authentication, i.e. the certificates carry DSS keys. @@ -389,7 +392,7 @@ Cipher suites, using HMAC based on GOST R 34.11\-94. Cipher suites using GOST 28147\-89 MAC \fBinstead of\fR HMAC. .IP \fBPSK\fR 4 .IX Item "PSK" -All cipher suites using pre-shared keys (PSK). +All cipher suites using pre\-shared keys (PSK). .IP "\fBkPSK\fR, \fBkECDHEPSK\fR, \fBkDHEPSK\fR, \fBkRSAPSK\fR" 4 .IX Item "kPSK, kECDHEPSK, kDHEPSK, kRSAPSK" Cipher suites using PSK key exchange, ECDHE_PSK, DHE_PSK or RSA_PSK. 
@@ -415,7 +418,7 @@ permissible. .IX Item "CBC" All cipher suites using encryption algorithm in Cipher Block Chaining (CBC) mode. These cipher suites are only supported in TLS v1.2 and earlier. Currently -it's an alias for the following cipherstrings: \fBSSL_DES\fR, \fBSSL_3DES\fR, \fBSSL_RC2\fR, +it\*(Aqs an alias for the following cipherstrings: \fBSSL_DES\fR, \fBSSL_3DES\fR, \fBSSL_RC2\fR, \&\fBSSL_IDEA\fR, \fBSSL_AES128\fR, \fBSSL_AES256\fR, \fBSSL_CAMELLIA128\fR, \fBSSL_CAMELLIA256\fR, \fBSSL_SEED\fR. .SH "CIPHER SUITE NAMES" .IX Header "CIPHER SUITE NAMES" @@ -517,10 +520,10 @@ is used. \& \& TLS_DH_anon_WITH_SEED_CBC_SHA ADH\-SEED\-SHA .Ve -.SS "GOST cipher suites from draft-chudov-cryptopro-cptls, extending TLS v1.0" +.SS "GOST cipher suites from draft\-chudov\-cryptopro\-cptls, extending TLS v1.0" .IX Subsection "GOST cipher suites from draft-chudov-cryptopro-cptls, extending TLS v1.0" Note: these ciphers require an engine which including GOST cryptographic -algorithms, such as the \fBgost\fR engine, which isn't part of the OpenSSL +algorithms, such as the \fBgost\fR engine, which isn\*(Aqt part of the OpenSSL distribution. .PP .Vb 4 @@ -532,7 +535,7 @@ distribution. .SS "GOST cipher suites, extending TLS v1.2" .IX Subsection "GOST cipher suites, extending TLS v1.2" Note: these ciphers require an engine which including GOST cryptographic -algorithms, such as the \fBgost\fR engine, which isn't part of the OpenSSL +algorithms, such as the \fBgost\fR engine, which isn\*(Aqt part of the OpenSSL distribution. .PP .Vb 2 
@@ -650,7 +653,7 @@ Note: the CBC modes mentioned in this RFC are not supported. \& TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 RSA\-PSK\-ARIA128\-GCM\-SHA256 \& TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 RSA\-PSK\-ARIA256\-GCM\-SHA384 .Ve -.SS "Camellia HMAC-Based cipher suites from RFC6367, extending TLS v1.2" +.SS "Camellia HMAC\-Based cipher suites from RFC6367, extending TLS v1.2" .IX Subsection "Camellia HMAC-Based cipher suites from RFC6367, extending TLS v1.2" .Vb 4 \& TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-ECDSA\-CAMELLIA128\-SHA256 @@ -658,7 +661,7 @@ Note: the CBC modes mentioned in this RFC are not supported. \& TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-RSA\-CAMELLIA128\-SHA256 \& TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-RSA\-CAMELLIA256\-SHA384 .Ve -.SS "Pre-shared keying (PSK) cipher suites" +.SS "Pre\-shared keying (PSK) cipher suites" .IX Subsection "Pre-shared keying (PSK) cipher suites" .Vb 3 \& PSK_WITH_NULL_SHA PSK\-NULL\-SHA @@ -753,7 +756,7 @@ Note: the CBC modes mentioned in this RFC are not supported. \& TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_SHA256 \& TLS_AES_128_CCM_8_SHA256 TLS_AES_128_CCM_8_SHA256 .Ve -.SS "TLS v1.3 integrity-only cipher suites according to RFC 9150" +.SS "TLS v1.3 integrity\-only cipher suites according to RFC 9150" .IX Subsection "TLS v1.3 integrity-only cipher suites according to RFC 9150" .Vb 2 \& TLS_SHA256_SHA256 TLS_SHA256_SHA256 
@@ -832,14 +835,14 @@ Set security level to 2 and display all ciphers consistent with level 2: The \fB\-V\fR option was added in OpenSSL 1.0.0. .PP The \fB\-stdname\fR is only available if OpenSSL is built with tracing enabled -(\fBenable-ssl-trace\fR argument to Configure) before OpenSSL 1.1.1. +(\fBenable\-ssl\-trace\fR argument to Configure) before OpenSSL 1.1.1. .PP The \fB\-convert\fR option was added in OpenSSL 1.1.1. .PP Support for standard IANA names in cipher lists was added in OpenSSL 3.2.0. .PP -The support for TLS v1.3 integrity-only cipher suites was added in OpenSSL 3.4. +The support for TLS v1.3 integrity\-only cipher suites was added in OpenSSL 3.4. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2000\-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/usr.bin/openssl/man/openssl-cmds.1 b/secure/usr.bin/openssl/man/openssl-cmds.1 index d450d50148de..2df51a4a118b 100644 --- a/secure/usr.bin/openssl/man/openssl-cmds.1 +++ b/secure/usr.bin/openssl/man/openssl-cmds.1 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-CMDS 1ossl" -.TH OPENSSL-CMDS 1ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-CMDS 1ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -184,10 +187,10 @@ Print out a usage message for the subcommand. Initially, the manual page entry for the \f(CW\*(C`openssl \fR\f(CIcmd\fR\f(CW\*(C'\fR command used to be available at \fIcmd\fR(1). Later, the alias \fBopenssl\-\fR\f(BIcmd\fR(1) was introduced, which made it easier to group the openssl commands using -the \fBapropos\fR\|(1) command or the shell's tab completion. +the \fBapropos\fR\|(1) command or the shell\*(Aqs tab completion. .PP In order to reduce cluttering of the global manual page namespace, -the manual page entries without the 'openssl\-' prefix have been +the manual page entries without the \*(Aqopenssl\-\*(Aq prefix have been deprecated in OpenSSL 3.0 and will be removed in OpenSSL 4.0. .SH COPYRIGHT .IX Header "COPYRIGHT" diff --git a/secure/usr.bin/openssl/man/openssl-cmp.1 b/secure/usr.bin/openssl/man/openssl-cmp.1 index e28310ecd79e..56bd2ff74c23 100644 --- a/secure/usr.bin/openssl/man/openssl-cmp.1 +++ b/secure/usr.bin/openssl/man/openssl-cmp.1 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,16 +52,19 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-CMP 1ossl" -.TH OPENSSL-CMP 1ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-CMP 1ossl 2026-01-27 3.5.5 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH NAME -openssl\-cmp \- Certificate Management Protocol (CMP, RFC 4210) application +openssl\-cmp \- Certificate Management Protocol (CMP, RFCs 9810 and 9811) application .SH SYNOPSIS .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBcmp\fR 
@@ -179,7 +182,7 @@ TLS connection options: [\fB\-tls_trusted\fR \fIfilenames\fR|\fIuris\fR] [\fB\-tls_host\fR \fIname\fR] .PP -Client-side debugging options: +Client\-side debugging options: .PP [\fB\-batch\fR] [\fB\-repeat\fR \fInumber\fR] @@ -261,7 +264,8 @@ Certificate verification options, for both CMP and TLS: .SH DESCRIPTION .IX Header "DESCRIPTION" The \fBcmp\fR command is a client implementation for the Certificate -Management Protocol (CMP) as defined in RFC4210. +Management Protocol (CMP) as defined in RFCs 9810 and +its HTTP(S) transfer as defined in RFC 9811. It can be used to request certificates from a CA server, update their certificates, request certificates to be revoked, and perform other types of CMP requests. @@ -285,7 +289,7 @@ Multiple section names may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). Contents of sections named later may override contents of sections named before. In any case, as usual, the \f(CW\*(C`[default]\*(C'\fR section and finally the unnamed -section (as far as present) can provide per-option fallback values. +section (as far as present) can provide per\-option fallback values. .IP "\fB\-verbosity\fR \fIlevel\fR" 4 .IX Item "-verbosity level" Level of verbosity for logging, error output, etc. 
@@ -300,21 +304,21 @@ CMP command to execute. Currently implemented commands are: .RS 4 .IP "ir \ \- Initialization Request" 8 -.IX Item "ir \ - Initialization Request" +.IX Item "ir - Initialization Request" .PD 0 .IP "cr \ \- Certificate Request" 8 -.IX Item "cr \ - Certificate Request" +.IX Item "cr - Certificate Request" .IP "p10cr \- PKCS#10 Certification Request (for legacy support)" 8 .IX Item "p10cr - PKCS#10 Certification Request (for legacy support)" .IP "kur \ \ \- Key Update Request" 8 -.IX Item "kur \ \ - Key Update Request" +.IX Item "kur - Key Update Request" .IP "rr \ \- Revocation Request" 8 -.IX Item "rr \ - Revocation Request" +.IX Item "rr - Revocation Request" .IP "genm \- General Message" 8 .IX Item "genm - General Message" +.PD .RE .RS 4 -.PD .Sp \&\fBir\fR requests initialization of an end entity into a PKI hierarchy by issuing a first certificate. @@ -346,7 +350,7 @@ Name of a certificate profile to place in the PKIHeader generalInfo field of request messages. .IP "\fB\-geninfo\fR \fIvalues\fR" 4 .IX Item "-geninfo values" -A comma-separated list of InfoTypeAndValue to place in +A comma\-separated list of InfoTypeAndValue to place in the generalInfo field of the PKIHeader of requests messages. Each InfoTypeAndValue gives an OID and an integer or string value of the form \fIOID\fR:int:\fInumber\fR or \fIOID\fR:str:\fItext\fR, 
@@ -354,11 +358,11 @@ e.g., \f(CW\*(Aq1.2.3.4:int:56789, id\-kp:str:name\*(Aq\fR. .IP "\fB\-template\fR \fIfilename\fR" 4 .IX Item "-template filename" The file to save any CRMF certTemplate in DER format -received in a genp message with id-it-certReqTemplate. +received in a genp message with id\-it\-certReqTemplate. .IP "\fB\-keyspec\fR \fIfilename\fR" 4 .IX Item "-keyspec filename" It is optional and used to specify the file to save any keySpec if -present in a genp message with id-it-keyGenParameters. +present in a genp message with id\-it\-keyGenParameters. .Sp Note: any keySpec field contents received are logged as INFO. .SS "Certificate enrollment options" @@ -392,7 +396,7 @@ File to save centrally generated private key, in PEM format. .IX Item "-subject name" X.509 Distinguished Name (DN) to use as subject field in the requested certificate template in IR/CR/KUR messages. -If the NULL-DN (\f(CW\*(C`/\*(C'\fR) is given then no subject is placed in the template. +If the NULL\-DN (\f(CW\*(C`/\*(C'\fR) is given then no subject is placed in the template. Default is the subject DN of any PKCS#10 CSR given with the \fB\-csr\fR option. For KUR, a further fallback is the subject DN of the reference certificate (see \fB\-oldcert\fR) if provided. 
@@ -404,8 +408,8 @@ the subject DN is used as fallback sender of outgoing CMP messages. The argument must be formatted as \fI/type0=value0/type1=value1/type2=...\fR. Special characters may be escaped by \f(CW\*(C`\e\*(C'\fR (backslash); whitespace is retained. Empty values are permitted, but the corresponding type will not be included. -Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN). -Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR +Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL\-DN). +Multi\-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR between the AttributeValueAssertions (AVAs) that specify the members of the set. Example: .Sp @@ -451,11 +455,11 @@ This option cannot be used together with \fB\-policies\fR. Flag the policies given with \fB\-policy_oids\fR as critical. .IP "\fB\-popo\fR \fInumber\fR" 4 .IX Item "-popo number" -Proof-of-possession (POPO) method to use for IR/CR/KUR; values: \f(CW\-1\fR..<2> where +Proof\-of\-possession (POPO) method to use for IR/CR/KUR; values: \f(CW\-1\fR..<2> where \&\f(CW\-1\fR = NONE, which implies central key generation, \&\f(CW0\fR = RAVERIFIED, \f(CW1\fR = SIGNATURE (default), \f(CW2\fR = KEYENC. .Sp -Note that a signature-based POPO can only be produced if a private key +Note that a signature\-based POPO can only be produced if a private key is provided via the \fB\-newkey\fR or \fB\-key\fR options. .IP "\fB\-csr\fR \fIfilename\fR" 4 .IX Item "-csr filename" 
@@ -494,7 +498,7 @@ Request implicit confirmation of newly enrolled certificates. Do not send certificate confirmation message for newly enrolled certificate without requesting implicit confirmation to cope with broken servers not supporting implicit confirmation correctly. -\&\fBWARNING:\fR This leads to behavior violating RFC 4210. +\&\fBWARNING:\fR This leads to behavior violating RFC 9810. .IP "\fB\-certout\fR \fIfilename\fR" 4 .IX Item "-certout filename" The file where any newly enrolled certificate should be saved. @@ -511,7 +515,7 @@ the newly enrolled certificate followed by its chain. .IX Subsection "Certificate enrollment and revocation options" .IP "\fB\-oldcert\fR \fIfilename\fR|\fIuri\fR" 4 .IX Item "-oldcert filename|uri" -The certificate to be updated (i.e., renewed or re-keyed) in Key Update Request +The certificate to be updated (i.e., renewed or re\-keyed) in Key Update Request (KUR) messages or to be revoked in Revocation Request (RR) messages. For KUR the certificate to be updated defaults to \fB\-cert\fR, and the resulting certificate is called \fIreference certificate\fR. @@ -529,7 +533,7 @@ if neither \fB\-recipient\fR, \fB\-srvcert\fR, nor \fB\-issuer\fR is given. .IX Item "-issuer name" X.509 Distinguished Name (DN) to place as the issuer field in the requested certificate template in IR/CR/KUR/RR messages. -If the NULL-DN (\f(CW\*(C`/\*(C'\fR) is given then no issuer is placed in the template. +If the NULL\-DN (\f(CW\*(C`/\*(C'\fR) is given then no issuer is placed in the template. .Sp If provided and neither \fB\-recipient\fR nor \fB\-srvcert\fR is given, the issuer DN is used as fallback recipient of outgoing CMP messages. 
@@ -609,7 +613,7 @@ the subject of the CMP server certificate given with the \fB\-srvcert\fR option, the \fB\-issuer\fR option, the issuer of the certificate given with the \fB\-oldcert\fR option, the issuer of the CMP client certificate (\fB\-cert\fR option), -as far as any of those is present, else the NULL-DN as last resort. +as far as any of those is present, else the NULL\-DN as last resort. .Sp The argument must be formatted as \fI/type0=value0/type1=value1/type2=...\fR. For details see the description of the \fB\-subject\fR option. @@ -629,7 +633,7 @@ i.e., an error occurs if the server does not grant it. The default value is 1, which means preferring to keep the connection open. .IP "\fB\-msg_timeout\fR \fIseconds\fR" 4 .IX Item "-msg_timeout seconds" -Number of seconds a CMP request-response message round trip +Number of seconds a CMP request\-response message round trip is allowed to take before a timeout error is returned. A value <= 0 means no limitation (waiting indefinitely). Default is to use the \fB\-total_timeout\fR setting. @@ -644,7 +648,7 @@ Default is 0. .IP "\fB\-trusted\fR \fIfilenames\fR|\fIuris\fR" 4 .IX Item "-trusted filenames|uris" The certificate(s), typically of root CAs, the client shall use as trust anchors -when validating signature-based protection of CMP response messages. +when validating signature\-based protection of CMP response messages. This option is ignored if the \fB\-srvcert\fR option is given as well. It provides more flexibility than \fB\-srvcert\fR because the CMP protection certificate of the server is not pinned but may be any certificate 
@@ -662,13 +666,13 @@ The certificate verification options have no effect on the certificate verification enabled via this option. .IP "\fB\-untrusted\fR \fIfilenames\fR|\fIuris\fR" 4 .IX Item "-untrusted filenames|uris" -Non-trusted intermediate CA certificate(s). +Non\-trusted intermediate CA certificate(s). Any extra certificates given with the \fB\-cert\fR option are appended to it. All these certificates may be useful for cert path construction for the own CMP signer certificate (to include in the extraCerts field of request messages) and for the TLS client certificate (if TLS is used) as well as for chain building -when validating server certificates (checking signature-based +when validating server certificates (checking signature\-based CMP message protection) and when validating newly enrolled certificates. .Sp Multiple sources may be given, separated by commas and/or whitespace @@ -677,7 +681,7 @@ Each source may contain multiple certificates. .IP "\fB\-srvcert\fR \fIfilename\fR|\fIuri\fR" 4 .IX Item "-srvcert filename|uri" The specific CMP server certificate to expect and directly trust (even if it is -expired) when verifying signature-based protection of CMP response messages. +expired) when verifying signature\-based protection of CMP response messages. This pins the accepted server and results in ignoring the \fB\-trusted\fR option. .Sp If set, the subject of the certificate is also used @@ -700,7 +704,7 @@ For details see the description of the \fB\-subject\fR option. .IP \fB\-ignore_keyusage\fR 4 .IX Item "-ignore_keyusage" Ignore key usage restrictions in CMP signer certificates when validating -signature-based protection of incoming CMP messages. +signature\-based protection of incoming CMP messages. By default, \f(CW\*(C`digitalSignature\*(C'\fR must be allowed by CMP signer certificates. This option applies to both CMP clients and the mock server. .IP \fB\-unprotected_errors\fR 4 
@@ -721,7 +725,7 @@ negative PKIConf messages .Sp \&\fBWARNING:\fR This setting leads to unspecified behavior and it is meant exclusively to allow interoperability with server implementations violating -RFC 4210, e.g.: +RFC 9810, e.g.: .IP \(bu 4 section 5.1.3.1 allows exceptions from protecting only for special cases: @@ -744,8 +748,8 @@ This option applies to both CMP clients and the mock server. .IP "\fB\-srvcertout\fR \fIfilename\fR" 4 .IX Item "-srvcertout filename" The file where to save the successfully validated certificate, if any, -that the CMP server used for signature-based response message protection. -If there is no such certificate, typically because the protection was MAC-based, +that the CMP server used for signature\-based response message protection. +If there is no such certificate, typically because the protection was MAC\-based, this is indicated by deleting the file (if it existed). .IP "\fB\-extracertsout\fR \fIfilename\fR" 4 .IX Item "-extracertsout filename" 
@@ -811,21 +815,21 @@ If on success no such CRL was received, this is indicated by deleting the file. .IX Item "-ref value" Reference number/string/value to use as fallback senderKID; this is required if no sender name can be determined from the \fB\-cert\fR or <\-subject> options and -is typically used when authenticating with pre-shared key (password-based MAC). +is typically used when authenticating with pre\-shared key (password\-based MAC). .IP "\fB\-secret\fR \fIarg\fR" 4 .IX Item "-secret arg" -Provides the source of a secret value to use with MAC-based message protection. +Provides the source of a secret value to use with MAC\-based message protection. This takes precedence over the \fB\-cert\fR and \fB\-key\fR options. -The secret is used for creating MAC-based protection of outgoing messages -and for validating incoming messages that have MAC-based protection. -The algorithm used by default is Password-Based Message Authentication Code (PBM) -as defined in RFC 4210 section 5.1.3.1. +The secret is used for creating MAC\-based protection of outgoing messages +and for validating incoming messages that have MAC\-based protection. +The algorithm used by default is Password\-Based Message Authentication Code (PBM) +as defined in RFC 9810 section 5.1.3.1. .Sp For more information about the format of \fIarg\fR see \&\fBopenssl\-passphrase\-options\fR\|(1). .IP "\fB\-cert\fR \fIfilename\fR|\fIuri\fR" 4 .IX Item "-cert filename|uri" -The client's current CMP signer certificate. +The client\*(Aqs current CMP signer certificate. Requires the corresponding key to be given with \fB\-key\fR. .Sp The subject and the public key contained in this certificate 
@@ -837,23 +841,23 @@ while the subject of \fB\-oldcert\fR or \fB\-subjectName\fR may provide fallback The issuer of this certificate is used as one of the recipient fallback values and as fallback issuer entry in the certificate template of IR/CR/KUR messages. .Sp -When performing signature-based message protection, +When performing signature\-based message protection, this "protection certificate", also called "signer certificate", will be included first in the extraCerts field of outgoing messages and the signature is done with the corresponding key. In Initialization Request (IR) messages this can be used for authenticating -using an external entity certificate as defined in appendix E.7 of RFC 4210. +using an external entity certificate as defined in appendix D.7 of RFC 9810. .Sp For Key Update Request (KUR) messages this is also used as the certificate to be updated if the \fB\-oldcert\fR option is not given. .Sp If the file includes further certs, they are appended to the untrusted certs because they typically constitute the chain of the client certificate, which -is included in the extraCerts field in signature-protected request messages. +is included in the extraCerts field in signature\-protected request messages. .IP "\fB\-own_trusted\fR \fIfilenames\fR|\fIuris\fR" 4 .IX Item "-own_trusted filenames|uris" If this list of certificates is provided then the chain built for -the client-side CMP signer certificate given with the \fB\-cert\fR option +the client\-side CMP signer certificate given with the \fB\-cert\fR option is verified using the given certificates as trust anchors. .Sp Multiple sources may be given, separated by commas and/or whitespace 
@@ -865,10 +869,10 @@ The certificate verification options have no effect on the certificate verification enabled via this option. .IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4 .IX Item "-key filename|uri" -The corresponding private key file for the client's current certificate given in +The corresponding private key file for the client\*(Aqs current certificate given in the \fB\-cert\fR option. -This will be used for signature-based message protection unless the \fB\-secret\fR -option indicating MAC-based protection or \fB\-unprotected_requests\fR is given. +This will be used for signature\-based message protection unless the \fB\-secret\fR +option indicating MAC\-based protection or \fB\-unprotected_requests\fR is given. .Sp It is also used as a fallback for the \fB\-newkey\fR option with IR/CR/KUR messages. .IP "\fB\-keypass\fR \fIarg\fR" 4 @@ -881,10 +885,10 @@ For more information about the format of \fIarg\fR see \&\fBopenssl\-passphrase\-options\fR\|(1). .IP "\fB\-digest\fR \fIname\fR" 4 .IX Item "-digest name" -Specifies name of supported digest to use in RFC 4210's MSG_SIG_ALG -and as the one-way function (OWF) in \f(CW\*(C`MSG_MAC_ALG\*(C'\fR. +Specifies name of supported digest to use in RFC 9810\*(Aqs MSG_SIG_ALG +and as the one\-way function (OWF) in \f(CW\*(C`MSG_MAC_ALG\*(C'\fR. If applicable, this is used for message protection and -proof-of-possession (POPO) signatures. +proof\-of\-possession (POPO) signatures. To see the list of supported digests, use \f(CW\*(C`openssl list \-digest\-commands\*(C'\fR. Defaults to \f(CW\*(C`sha256\*(C'\fR. .IP "\fB\-mac\fR \fIname\fR" 4 
@@ -893,7 +897,7 @@ Specifies the name of the MAC algorithm in \f(CW\*(C`MSG_MAC_ALG\*(C'\fR. To get the names of supported MAC algorithms use \f(CW\*(C`openssl list \-mac\-algorithms\*(C'\fR and possibly combine such a name with the name of a supported digest algorithm, e.g., hmacWithSHA256. -Defaults to \f(CW\*(C`hmac\-sha1\*(C'\fR as per RFC 4210. +Defaults to \f(CW\*(C`hmac\-sha1\*(C'\fR, for backward compatibility with RFC 4210. .IP "\fB\-extracerts\fR \fIfilenames\fR|\fIuris\fR" 4 .IX Item "-extracerts filenames|uris" |
