author: Jung-uk Kim <jkim@FreeBSD.org> 2020-03-31 15:25:23 +0000
committer: Jung-uk Kim <jkim@FreeBSD.org> 2020-03-31 15:25:23 +0000
commit: b6cfecdc04a5a5e42ae4f2b025d8246cc16f3342 (patch)
tree: 2a7386571f7a820ff0830927575980b68bb350c7 /doc
parent: aa144ced5d61b5c7fb74acaebb37d85bd08f0416 (diff)
Import OpenSSL 1.1.1f.
tag: vendor/openssl/1.1.1f
Notes:
svn path=/vendor-crypto/openssl/dist/; revision=359482
svn path=/vendor-crypto/openssl/1.1.1f/; revision=359483; tag=vendor/openssl/1.1.1f
Diffstat (limited to 'doc')
-rw-r--r-- doc/man3/BN_generate_prime.pod 10
-rw-r--r-- doc/man3/SSL_get_error.pod 14
-rw-r--r-- doc/man3/X509_get_extension_flags.pod 13
3 files changed, 32 insertions, 5 deletions
diff --git a/doc/man3/BN_generate_prime.pod b/doc/man3/BN_generate_prime.pod
index 31fbc1ffa174..f1e63f3b3c4a 100644
--- a/doc/man3/BN_generate_prime.pod
+++ b/doc/man3/BN_generate_prime.pod
@@ -52,7 +52,9 @@ Deprecated:
BN_generate_prime_ex() generates a pseudo-random prime number of
at least bit length B<bits>. The returned number is probably prime
-with a negligible error.
+with a negligible error. If B<add> is B<NULL> the returned prime
+number will have exact bit length B<bits> with the top most two
+bits set.
If B<ret> is not B<NULL>, it will be used to store the number.
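Review bot: the added sentence promising an "exact bit length B<bits>" reads as inconsistent with the unchanged opening sentence, which still says "at least bit length B<bits>", and the case where B<add> is not B<NULL> is left unspecified. Suggest rewording the opening sentence so it states which length guarantee applies in each case, and writing "topmost" as one word.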
@@ -89,7 +91,9 @@ If B<add> is not B<NULL>, the prime will fulfill the condition p % B<add>
generator.
If B<safe> is true, it will be a safe prime (i.e. a prime p so
-that (p-1)/2 is also prime).
+that (p-1)/2 is also prime). If B<safe> is true, and B<rem> == B<NULL>
+the condition will be p % B<add> == 3.
+It is recommended that B<add> is a multiple of 4.
The random generator must be seeded prior to calling BN_generate_prime_ex().
If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to
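Review bot: the new sentence "If B<safe> is true, and B<rem> == B<NULL> the condition will be p % B<add> == 3" does not say that it applies only when B<add> is not B<NULL>, and the recommendation that B<add> be a multiple of 4 gives neither a reason nor the consequence of passing another value. Suggest stating the B<add> precondition explicitly and documenting what the function does when B<add> is not a multiple of 4, so that callers generating safe primes for key material know what to expect. A comma after "B<rem> == B<NULL>" would also help the sentence parse.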
@@ -206,7 +210,7 @@ and BN_GENCB_get_arg() functions were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/SSL_get_error.pod b/doc/man3/SSL_get_error.pod
index 97320a6c153f..5221ccfe1804 100644
--- a/doc/man3/SSL_get_error.pod
+++ b/doc/man3/SSL_get_error.pod
@@ -155,6 +155,18 @@ connection and SSL_shutdown() must not be called.
=back
+=head1 BUGS
+
+The B<SSL_ERROR_SYSCALL> with B<errno> value of 0 indicates unexpected EOF from
+the peer. This will be properly reported as B<SSL_ERROR_SSL> with reason
+code B<SSL_R_UNEXPECTED_EOF_WHILE_READING> in the OpenSSL 3.0 release because
+it is truly a TLS protocol error to terminate the connection without
+a SSL_shutdown().
+
+The issue is kept unfixed in OpenSSL 1.1.1 releases because many applications
+which choose to ignore this protocol error depend on the existing way of
+reporting the error.
+
=head1 SEE ALSO
L<ssl(7)>
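Review bot: the new BUGS section describes the B<SSL_ERROR_SYSCALL> with B<errno> 0 case but gives 1.1.1 callers no guidance on handling it. Since the text itself calls this a TLS protocol error that many applications choose to ignore, suggest adding a sentence telling applications that rely on connection close to delimit data to treat this result as a truncated stream rather than a clean end of data. Also, "a SSL_shutdown()" should read "an SSL_shutdown()", and it would be clearer to say the peer closed the connection without sending close_notify, since SSL_shutdown() is the name of the local API call.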
@@ -166,7 +178,7 @@ The SSL_ERROR_WANT_CLIENT_HELLO_CB error code was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/X509_get_extension_flags.pod b/doc/man3/X509_get_extension_flags.pod
index 2dfe2ef37275..43c9c952c6b7 100644
--- a/doc/man3/X509_get_extension_flags.pod
+++ b/doc/man3/X509_get_extension_flags.pod
@@ -80,6 +80,17 @@ The certificate contains an unhandled critical extension.
Some certificate extension values are invalid or inconsistent. The
certificate should be rejected.
+This bit may also be raised after an out-of-memory error while
+processing the X509 object, so it may not be related to the processed
+ASN1 object itself.
+
+=item B<EXFLAG_INVALID_POLICY>
+
+The NID_certificate_policies certificate extension is invalid or
+inconsistent. The certificate should be rejected.
+This bit may also be raised after an out-of-memory error while
+processing the X509 object, so it may not be related to the processed
+ASN1 object itself.
=item B<EXFLAG_KUSAGE>
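Review bot: in both added paragraphs the out-of-memory sentence follows "The certificate should be rejected." without saying whether that advice still holds when the bit was raised by an allocation failure. Since a caller cannot tell the two causes apart from the flag alone, suggest stating that the certificate must still be treated as invalid in that case, so that verification fails closed. The three-line out-of-memory sentence is also duplicated verbatim; consider stating it once and referring to it from the B<EXFLAG_INVALID_POLICY> item.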
@@ -183,7 +194,7 @@ X509_get_proxy_pathlen() were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
-Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy