author | Jung-uk Kim <jkim@FreeBSD.org> | 2018-11-20 18:59:41 +0000 |
---|---|---|
committer | Jung-uk Kim <jkim@FreeBSD.org> | 2018-11-20 18:59:41 +0000 |
commit | 8c3f9abd70b3f447a4795c1b00b386b044fb322d (patch) | |
tree | 884976f2693f42bade35b92edc3c1f7f8c53825b /doc/man1 | |
parent | a43ce912fc025d11e1395506111f75fc194d7ba5 (diff) | |
Import OpenSSL 1.1.1a.
vendor/openssl/1.1.1a
Notes:
svn path=/vendor-crypto/openssl/dist/; revision=340690
svn path=/vendor-crypto/openssl/1.1.1a/; revision=340691; tag=vendor/openssl/1.1.1a
Diffstat (limited to 'doc/man1')
-rw-r--r-- | doc/man1/ca.pod | 6 |
-rw-r--r-- | doc/man1/enc.pod | 48 |
-rw-r--r-- | doc/man1/openssl.pod | 57 |
-rw-r--r-- | doc/man1/req.pod | 6 |
-rw-r--r-- | doc/man1/rsa.pod | 25 |
-rw-r--r-- | doc/man1/s_server.pod | 14 |
-rw-r--r-- | doc/man1/storeutl.pod | 7 |
-rw-r--r-- | doc/man1/x509.pod | 11 |
8 files changed, 125 insertions, 49 deletions
diff --git a/doc/man1/ca.pod b/doc/man1/ca.pod index 9b282e6479a8..e998eabf8358 100644 --- a/doc/man1/ca.pod +++ b/doc/man1/ca.pod @@ -250,8 +250,10 @@ for all available algorithms. =item B<-subj arg> Supersedes subject name given in the request. -The arg must be formatted as I</type0=value0/type1=value1/type2=...>, -characters may be escaped by \ (backslash), no spaces are skipped. +The arg must be formatted as I</type0=value0/type1=value1/type2=...>. +Keyword characters may be escaped by \ (backslash), and whitespace is retained. +Empty values are permitted, but the corresponding type will not be included +in the resulting certificate. =item B<-utf8> diff --git a/doc/man1/enc.pod b/doc/man1/enc.pod index 01cca4ea93f1..2136a9497849 100644 --- a/doc/man1/enc.pod +++ b/doc/man1/enc.pod @@ -257,7 +257,7 @@ ones provided by configured engines. The B<enc> program does not support authenticated encryption modes like CCM and GCM, and will not support such modes in the future. The B<enc> interface by necessity must begin streaming output (e.g., -to standard output when B<-out> is not used before the authentication +to standard output when B<-out> is not used) before the authentication tag could be validated, leading to the usage of B<enc> in pipelines that begin processing untrusted data and are not capable of rolling back upon authentication failure. The AEAD modes currently in common @@ -277,6 +277,7 @@ standard data format and performs the needed key/iv/nonce management. bf-cbc Blowfish in CBC mode bf Alias for bf-cbc + blowfish Alias for bf-cbc bf-cfb Blowfish in CFB mode bf-ecb Blowfish in ECB mode bf-ofb Blowfish in OFB mode @@ -288,6 +289,8 @@ standard data format and performs the needed key/iv/nonce management. cast5-ecb CAST5 in ECB mode cast5-ofb CAST5 in OFB mode + chacha20 ChaCha20 algorithm + des-cbc DES in CBC mode des Alias for des-cbc des-cfb DES in CFB mode 
@@ -334,6 +337,19 @@ standard data format and performs the needed key/iv/nonce management. rc5-ecb RC5 cipher in ECB mode rc5-ofb RC5 cipher in OFB mode + seed-cbc SEED cipher in CBC mode + seed Alias for seed-cbc + seed-cfb SEED cipher in CFB mode + seed-ecb SEED cipher in ECB mode + seed-ofb SEED cipher in OFB mode + + sm4-cbc SM4 cipher in CBC mode + sm4 Alias for sm4-cbc + sm4-cfb SM4 cipher in CFB mode + sm4-ctr SM4 cipher in CTR mode + sm4-ecb SM4 cipher in ECB mode + sm4-ofb SM4 cipher in OFB mode + aes-[128|192|256]-cbc 128/192/256 bit AES in CBC mode aes[128|192|256] Alias for aes-[128|192|256]-cbc aes-[128|192|256]-cfb 128/192/256 bit AES in 128 bit CFB mode @@ -343,6 +359,15 @@ standard data format and performs the needed key/iv/nonce management. aes-[128|192|256]-ecb 128/192/256 bit AES in ECB mode aes-[128|192|256]-ofb 128/192/256 bit AES in OFB mode + aria-[128|192|256]-cbc 128/192/256 bit ARIA in CBC mode + aria[128|192|256] Alias for aria-[128|192|256]-cbc + aria-[128|192|256]-cfb 128/192/256 bit ARIA in 128 bit CFB mode + aria-[128|192|256]-cfb1 128/192/256 bit ARIA in 1 bit CFB mode + aria-[128|192|256]-cfb8 128/192/256 bit ARIA in 8 bit CFB mode + aria-[128|192|256]-ctr 128/192/256 bit ARIA in CTR mode + aria-[128|192|256]-ecb 128/192/256 bit ARIA in ECB mode + aria-[128|192|256]-ofb 128/192/256 bit ARIA in OFB mode + camellia-[128|192|256]-cbc 128/192/256 bit Camellia in CBC mode camellia[128|192|256] Alias for camellia-[128|192|256]-cbc camellia-[128|192|256]-cfb 128/192/256 bit Camellia in 128 bit CFB mode 
@@ -362,26 +387,25 @@ Decode the same file openssl base64 -d -in file.b64 -out file.bin -Encrypt a file using triple DES in CBC mode using a prompted password: +Encrypt a file using AES-128 using a prompted password +and PBKDF2 key derivation: - openssl des3 -salt -in file.txt -out file.des3 + openssl enc -aes128 -pbkdf2 -in file.txt -out file.aes128 Decrypt a file using a supplied password: - openssl des3 -d -salt -in file.des3 -out file.txt -k mypassword + openssl enc -aes128 -pbkdf2 -d -in file.aes128 -out file.txt \ + -pass pass:<password> Encrypt a file then base64 encode it (so it can be sent via mail for example) -using Blowfish in CBC mode: - - openssl bf -a -salt -in file.txt -out file.bf - -Base64 decode a file then decrypt it: +using AES-256 in CTR mode and PBKDF2 key derivation: - openssl bf -d -salt -a -in file.bf -out file.txt + openssl enc -aes-256-ctr -pbkdf2 -a -in file.txt -out file.aes256 -Decrypt some data using a supplied 40 bit RC4 key: +Base64 decode a file then decrypt it using a password supplied in a file: - openssl rc4-40 -in file.rc4 -out file.txt -K 0102030405 + openssl enc -aes-256-ctr -pbkdf2 -d -a -in file.aes256 -out file.txt \ + -pass file:<passfile> =head1 BUGS diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod index c656a34ec032..a39cf963d988 100644 --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod @@ -40,6 +40,9 @@ The B<openssl> program provides a rich variety of commands (I<command> in the SYNOPSIS above), each of which often has a wealth of options and arguments (I<command_opts> and I<command_args> in the SYNOPSIS). +Detailed documentation and use cases for most standard subcommands are available +(e.g., L<x509(1)> or L<openssl-x509(1)>). + Many commands use an external configuration file for some or all of their arguments and have a B<-config> option to specify that file. The environment variable B<OPENSSL_CONF> can be used to specify 
@@ -369,8 +372,38 @@ SM3 Digest =head2 Encoding and Cipher Commands +The following aliases provide convenient access to the most used encodings +and ciphers. + +Depending on how OpenSSL was configured and built, not all ciphers listed +here may be present. See L<enc(1)> for more information and command usage. + =over 4 +=item B<aes128>, B<aes-128-cbc>, B<aes-128-cfb>, B<aes-128-ctr>, B<aes-128-ecb>, B<aes-128-ofb> + +AES-128 Cipher + +=item B<aes192>, B<aes-192-cbc>, B<aes-192-cfb>, B<aes-192-ctr>, B<aes-192-ecb>, B<aes-192-ofb> + +AES-192 Cipher + +=item B<aes256>, B<aes-256-cbc>, B<aes-256-cfb>, B<aes-256-ctr>, B<aes-256-ecb>, B<aes-256-ofb> + +AES-256 Cipher + +=item B<aria128>, B<aria-128-cbc>, B<aria-128-cfb>, B<aria-128-ctr>, B<aria-128-ecb>, B<aria-128-ofb> + +Aria-128 Cipher + +=item B<aria192>, B<aria-192-cbc>, B<aria-192-cfb>, B<aria-192-ctr>, B<aria-192-ecb>, B<aria-192-ofb> + +Aria-192 Cipher + +=item B<aria256>, B<aria-256-cbc>, B<aria-256-cfb>, B<aria-256-ctr>, B<aria-256-ecb>, B<aria-256-ofb> + +Aria-256 Cipher + =item B<base64> Base64 Encoding @@ -379,6 +412,18 @@ Base64 Encoding Blowfish Cipher +=item B<camellia128>, B<camellia-128-cbc>, B<camellia-128-cfb>, B<camellia-128-ctr>, B<camellia-128-ecb>, B<camellia-128-ofb> + +Camellia-128 Cipher + +=item B<camellia192>, B<camellia-192-cbc>, B<camellia-192-cfb>, B<camellia-192-ctr>, B<camellia-192-ecb>, B<camellia-192-ofb> + +Camellia-192 Cipher + +=item B<camellia256>, B<camellia-256-cbc>, B<camellia-256-cfb>, B<camellia-256-ctr>, B<camellia-256-ecb>, B<camellia-256-ofb> + +Camellia-256 Cipher + =item B<cast>, B<cast-cbc> CAST Cipher @@ -387,6 +432,10 @@ CAST Cipher CAST5 Cipher +=item B<chacha20> + +Chacha20 Cipher + =item B<des>, B<des-cbc>, B<des-cfb>, B<des-ecb>, B<des-ede>, B<des-ede-cbc>, B<des-ede-cfb>, B<des-ede-ofb>, B<des-ofb> DES Cipher 
@@ -411,6 +460,14 @@ RC4 Cipher RC5 Cipher +=item B<seed>, B<seed-cbc>, B<seed-cfb>, B<seed-ecb>, B<seed-ofb> + +SEED Cipher + +=item B<sm4>, B<sm4-cbc>, B<sm4-cfb>, B<sm4-ctr>, B<sm4-ecb>, B<sm4-ofb> + +SM4 Cipher + =back =head1 OPTIONS diff --git a/doc/man1/req.pod b/doc/man1/req.pod index 113cd9b6c985..c76d63d6fd81 100644 --- a/doc/man1/req.pod +++ b/doc/man1/req.pod @@ -221,8 +221,10 @@ see L<openssl(1)/COMMAND SUMMARY>. Sets subject name for new request or supersedes the subject name when processing a request. -The arg must be formatted as I</type0=value0/type1=value1/type2=...>, -characters may be escaped by \ (backslash), no spaces are skipped. +The arg must be formatted as I</type0=value0/type1=value1/type2=...>. +Keyword characters may be escaped by \ (backslash), and whitespace is retained. +Empty values are permitted, but the corresponding type will not be included +in the request. =item B<-multivalue-rdn> diff --git a/doc/man1/rsa.pod b/doc/man1/rsa.pod index 14a8fb1e2989..37f64616c00f 100644 --- a/doc/man1/rsa.pod +++ b/doc/man1/rsa.pod @@ -9,8 +9,8 @@ rsa - RSA key processing tool B<openssl> B<rsa> [B<-help>] -[B<-inform PEM|NET|DER>] -[B<-outform PEM|NET|DER>] +[B<-inform PEM|DER>] +[B<-outform PEM|DER>] [B<-in filename>] [B<-passin arg>] [B<-out filename>] @@ -53,16 +53,15 @@ utility. Print out a usage message. -=item B<-inform DER|NET|PEM> +=item B<-inform DER|PEM> This specifies the input format. The B<DER> option uses an ASN1 DER encoded form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format. The B<PEM> form is the default format: it consists of the B<DER> format base64 encoded with additional header and footer lines. On input PKCS#8 format private -keys are also accepted. The B<NET> form is a format is described in the B<NOTES> -section. +keys are also accepted. -=item B<-outform DER|NET|PEM> +=item B<-outform DER|PEM> This specifies the output format, the options have the same meaning and default as the B<-inform> option. 
@@ -158,17 +157,6 @@ The PEM B<RSAPublicKey> format uses the header and footer lines: -----BEGIN RSA PUBLIC KEY----- -----END RSA PUBLIC KEY----- -The B<NET> form is a format compatible with older Netscape servers -and Microsoft IIS .key files, this uses unsalted RC4 for its encryption. -It is not very secure and so should only be used when necessary. - -Some newer version of IIS have additional data in the exported .key -files. To use these with the utility, view the file with a binary editor -and look for the string "private-key", then trace back to the byte -sequence 0x30, 0x82 (this is an ASN1 SEQUENCE). Copy all the data -from this point onwards to another file and use that as the input -to the B<rsa> utility with the B<-inform NET> option. - =head1 EXAMPLES To remove the pass phrase on an RSA private key: @@ -197,9 +185,6 @@ Output the public part of a private key in B<RSAPublicKey> format: =head1 BUGS -The command line password arguments don't currently work with -B<NET> format. - There should be an option that automatically handles .key files, without having to manually edit them. diff --git a/doc/man1/s_server.pod b/doc/man1/s_server.pod index 07016fc46131..f4c4eda35313 100644 --- a/doc/man1/s_server.pod +++ b/doc/man1/s_server.pod @@ -405,13 +405,14 @@ Inhibit printing of session and certificate information. Sends a status message back to the client when it connects. This includes information about the ciphers used and various session parameters. The output is in HTML format so this option will normally be used with a -web browser. +web browser. Cannot be used in conjunction with B<-early_data>. =item B<-WWW> Emulates a simple web server. Pages will be resolved relative to the current directory, for example if the URL https://myhost/page.html is -requested the file ./page.html will be loaded. +requested the file ./page.html will be loaded. Cannot be used in conjunction +with B<-early_data>. =item B<-tlsextdebug> 
@@ -423,7 +424,8 @@ Emulates a simple web server. Pages will be resolved relative to the current directory, for example if the URL https://myhost/page.html is requested the file ./page.html will be loaded. The files loaded are assumed to contain a complete and correct HTTP response (lines that -are part of the HTTP response line and headers must end with CRLF). +are part of the HTTP response line and headers must end with CRLF). Cannot be +used in conjunction with B<-early_data>. =item B<-id_prefix val> @@ -488,7 +490,8 @@ output. =item B<-rev> Simple test server which just reverses the text received from the client -and sends it back to the server. Also sets B<-brief>. +and sends it back to the server. Also sets B<-brief>. Cannot be used in +conjunction with B<-early_data>. =item B<-async> @@ -711,7 +714,8 @@ greater than or equal to 0. =item B<-early_data> -Accept early data where possible. +Accept early data where possible. Cannot be used in conjunction with B<-www>, +B<-WWW>, B<-HTTP> or B<-rev>. =item B<-anti_replay>, B<-no_anti_replay> diff --git a/doc/man1/storeutl.pod b/doc/man1/storeutl.pod index 3f26ab500b83..083f0282469e 100644 --- a/doc/man1/storeutl.pod +++ b/doc/man1/storeutl.pod @@ -82,8 +82,11 @@ returned. =item B<-subject arg> Search for an object having the subject name B<arg>. -The arg must be formatted as I</type0=value0/type1=value1/type2=...>, -characters may be escaped by \ (backslash), no spaces are skipped. +The arg must be formatted as I</type0=value0/type1=value1/type2=...>. +Keyword characters may be escaped by \ (backslash), and whitespace is retained. +Empty values are permitted but are ignored for the search. That is, +a search with an empty value will have the same effect as not specifying +the type at all. =item B<-issuer arg> diff --git a/doc/man1/x509.pod b/doc/man1/x509.pod index 6e4d28815530..547da5da2368 100644 --- a/doc/man1/x509.pod +++ b/doc/man1/x509.pod 
@@ -9,8 +9,8 @@ x509 - Certificate display and signing utility B<openssl> B<x509> [B<-help>] -[B<-inform DER|PEM|NET>] -[B<-outform DER|PEM|NET>] +[B<-inform DER|PEM>] +[B<-outform DER|PEM>] [B<-keyform DER|PEM>] [B<-CAform DER|PEM>] [B<-CAkeyform DER|PEM>] @@ -86,16 +86,15 @@ various sections. Print out a usage message. -=item B<-inform DER|PEM|NET> +=item B<-inform DER|PEM> This specifies the input format normally the command will expect an X509 certificate but this can change if other options such as B<-req> are present. The DER format is the DER encoding of the certificate and PEM is the base64 encoding of the DER encoding with header and footer lines -added. The NET option is an obscure Netscape server format that is now -obsolete. The default format is PEM. +added. The default format is PEM. -=item B<-outform DER|PEM|NET> +=item B<-outform DER|PEM> This specifies the output format, the options have the same meaning and default as the B<-inform> option. |
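
Review bot: In the B<-subj> text of ca.pod and req.pod and the B<-subject> text of storeutl.pod, "Keyword characters may be escaped by \ (backslash)" never says which characters count as keyword characters. Suggest naming them explicitly, since the format shown uses / and = as separators and anyone building the argument from untrusted input needs to know exactly what to escape. The new sentence on empty values could also be tightened: ca.pod and req.pod omit the type from the result, and storeutl.pod treats it as "not specifying the type at all", so a script that passes an unset variable gets a different subject or a broader search with no stated error.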
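
Review bot: The decrypt example in the EXAMPLES hunk of enc.pod puts the password on the command line with "-pass pass:<password>", where it is visible in the process list and ends up in shell history. The last example already uses "-pass file:<passfile>"; suggest using that form in both, or adding a sentence that pass: is shown for illustration only. The first example also says "AES-128" without a mode while the third says "AES-256 in CTR mode"; the cipher list in this same file gives aes[128|192|256] as an alias for the CBC variant, so the text could say so.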
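
Review bot: The descriptions added to the "Encoding and Cipher Commands" list in openssl.pod spell cipher names differently from enc.pod in this same commit: "Aria-128 Cipher" against "128/192/256 bit ARIA in CBC mode", and "Chacha20 Cipher" against "ChaCha20 algorithm". Suggest ARIA and ChaCha20 throughout. Since the enc.pod context states that enc does not support authenticated modes, the chacha20 entries could also say that this is the stream cipher without an authentication tag.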
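
Review bot: In the BUGS hunk of rsa.pod, the context line "There should be an option that automatically handles .key files, without having to manually edit them." is left in place, but this commit removes the NOTES paragraphs about Netscape and IIS .key files that it referred to. With B<-inform NET> gone the sentence has no antecedent; suggest removing it together with the rest of the NET text.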
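
Review bot: In the B<-rev> hunk of s_server.pod, the rewritten line still reads "and sends it back to the server", although the text is received from the client and returned to it. Since the line is being touched anyway, suggest "sends it back to the client".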
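
Review bot: The B<-early_data> hunk of s_server.pod, and the matching sentences added under B<-www>, B<-WWW>, B<-HTTP> and B<-rev>, say "Cannot be used in conjunction with" but not what happens when the options are combined. Suggest stating whether s_server refuses to start or ignores one of the options, so that someone testing early data handling knows which mode is actually in effect.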