Diffstat (limited to 'secure/lib/libcrypto/man')
838 files changed, 8596 insertions, 5099 deletions
diff --git a/secure/lib/libcrypto/man/man3/ADMISSIONS.3 b/secure/lib/libcrypto/man/man3/ADMISSIONS.3 index 445637880987..528de9a0f2c1 100644 --- a/secure/lib/libcrypto/man/man3/ADMISSIONS.3 +++ b/secure/lib/libcrypto/man/man3/ADMISSIONS.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ADMISSIONS 3ossl" -.TH ADMISSIONS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ADMISSIONS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -157,7 +160,7 @@ PROFESSION_INFO_set0_registrationNumber The \fBPROFESSION_INFOS\fR, \fBADMISSION_SYNTAX\fR, \fBADMISSIONS\fR, and \&\fBPROFESSION_INFO\fR types are opaque structures representing the analogous types defined in the Common PKI Specification published -by <https://www.t7ev.org>. +by T7 & TELETRUST <https://www.bundesnetzagentur.de/EVD/DE/SharedDocuments/Downloads/Anbieter_Infothek/Common_PKI_v2.0_02.pdf?__blob=publicationFile&v=1>. Knowledge of those structures and their semantics is assumed. .PP The conventional routines to convert between DER and the local format @@ -225,7 +228,7 @@ structure and must not be freed. \&\fBd2i_X509\fR\|(3), .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/secure/lib/libcrypto/man/man3/ASN1_EXTERN_FUNCS.3 b/secure/lib/libcrypto/man/man3/ASN1_EXTERN_FUNCS.3 index cb458f74017b..775dc556d513 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_EXTERN_FUNCS.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_EXTERN_FUNCS.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_EXTERN_FUNCS 3ossl" -.TH ASN1_EXTERN_FUNCS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_EXTERN_FUNCS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -143,7 +146,7 @@ macro. .IP \fIasn1_ex_d2i\fR 4 .IX Item "asn1_ex_d2i" A "d2i" function responsible for converting DER data with the tag \fItag\fR and -class \fIclass\fR into an \fBASN1_VALUE\fR. If \fI*pval\fR is non-NULL then the +class \fIclass\fR into an \fBASN1_VALUE\fR. If \fI*pval\fR is non\-NULL then the \&\fBASN_VALUE\fR it points to should be reused. Otherwise a new \fBASN1_VALUE\fR should be allocated and stored in \fI*pval\fR. \fI*in\fR points to the DER data to be decoded and \fIlen\fR is the length of that data. After decoding \fI*in\fR should be 
@@ -177,7 +180,7 @@ The \fIasn1_ex_i2d\fR entry may be NULL if \fIasn1_ex_i2d_ex\fR has been specifi instead. .Sp The return value should be negative if a fatal error occurred, or 0 if a -non-fatal error occurred. Otherwise it should return the length of the encoded +non\-fatal error occurred. Otherwise it should return the length of the encoded data. .IP \fIasn1_ex_print\fR 4 .IX Item "asn1_ex_print" diff --git a/secure/lib/libcrypto/man/man3/ASN1_INTEGER_get_int64.3 b/secure/lib/libcrypto/man/man3/ASN1_INTEGER_get_int64.3 index 0f298ce0727d..af02cdc949af 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_INTEGER_get_int64.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_INTEGER_get_int64.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_INTEGER_GET_INT64 3ossl" -.TH ASN1_INTEGER_GET_INT64 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_INTEGER_GET_INT64 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ASN1_INTEGER_new.3 b/secure/lib/libcrypto/man/man3/ASN1_INTEGER_new.3 index 967d636f7550..c73de7b1bbb8 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_INTEGER_new.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_INTEGER_new.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_INTEGER_NEW 3ossl" -.TH ASN1_INTEGER_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_INTEGER_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ASN1_ITEM_lookup.3 b/secure/lib/libcrypto/man/man3/ASN1_ITEM_lookup.3 index e7a3e468edcb..1e7ea8555455 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_ITEM_lookup.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_ITEM_lookup.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_ITEM_LOOKUP 3ossl" -.TH ASN1_ITEM_LOOKUP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_ITEM_LOOKUP 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ASN1_OBJECT_new.3 b/secure/lib/libcrypto/man/man3/ASN1_OBJECT_new.3 index 847469c18a63..4ff6d5d19b54 100644 
--- a/secure/lib/libcrypto/man/man3/ASN1_OBJECT_new.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_OBJECT_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_OBJECT_NEW 3ossl" -.TH ASN1_OBJECT_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_OBJECT_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ASN1_STRING_TABLE_add.3 b/secure/lib/libcrypto/man/man3/ASN1_STRING_TABLE_add.3 index 0a020e53cf1e..c509dd4b5ee6 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_STRING_TABLE_add.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_STRING_TABLE_add.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_STRING_TABLE_ADD 3ossl" -.TH ASN1_STRING_TABLE_ADD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_STRING_TABLE_ADD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/ASN1_STRING_length.3 b/secure/lib/libcrypto/man/man3/ASN1_STRING_length.3 index 8c20ba8451ef..472ec1d22ea5 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_STRING_length.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_STRING_length.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_STRING_LENGTH 3ossl" -.TH ASN1_STRING_LENGTH 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_STRING_LENGTH 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -116,7 +119,7 @@ should be freed using \fBOPENSSL_free()\fR. .SH NOTES .IX Header "NOTES" Almost all ASN1 types in OpenSSL are represented as an \fBASN1_STRING\fR -structure. Other types such as \fBASN1_OCTET_STRING\fR are simply typedef'ed +structure. Other types such as \fBASN1_OCTET_STRING\fR are simply typedef\*(Aqed to \fBASN1_STRING\fR and the functions call the \fBASN1_STRING\fR equivalents. \&\fBASN1_STRING\fR is also used for some \fBCHOICE\fR types which consist entirely of primitive string types such as \fBDirectoryString\fR and diff --git a/secure/lib/libcrypto/man/man3/ASN1_STRING_new.3 b/secure/lib/libcrypto/man/man3/ASN1_STRING_new.3 index 9269ed3d19c6..19a1ce18f9c1 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_STRING_new.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_STRING_new.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_STRING_NEW 3ossl" -.TH ASN1_STRING_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_STRING_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ASN1_STRING_print_ex.3 b/secure/lib/libcrypto/man/man3/ASN1_STRING_print_ex.3 index eb7d5bf0dd8a..693844ed8c9f 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_STRING_print_ex.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_STRING_print_ex.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_STRING_PRINT_EX 3ossl" -.TH ASN1_STRING_PRINT_EX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_STRING_PRINT_EX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -85,9 +88,9 @@ to \fIfp\fR instead. .PP \&\fBASN1_STRING_print()\fR prints \fIstr\fR to \fIout\fR but using a different format to \&\fBASN1_STRING_print_ex()\fR. It replaces unprintable characters (other than CR, LF) -with '.'. +with \*(Aq.\*(Aq. .PP -\&\fBASN1_tag2str()\fR returns a human-readable name of the specified ASN.1 \fItag\fR. +\&\fBASN1_tag2str()\fR returns a human\-readable name of the specified ASN.1 \fItag\fR. .SH NOTES .IX Header "NOTES" \&\fBASN1_STRING_print()\fR is a deprecated function which should be avoided; use @@ -111,7 +114,7 @@ using exactly four characters for the hex representation. If it is 32 bits then "\eWXXXXXXXX" is used using eight characters of its hex representation. These forms will only be used if UTF8 conversion is not set (see below). .PP -Printable characters are normally escaped using the backslash '\e' character. If +Printable characters are normally escaped using the backslash \*(Aq\e\*(Aq character. If \&\fBASN1_STRFLGS_ESC_QUOTE\fR is set then the whole string is instead surrounded by double quote characters: this is arguably more readable than the backslash notation. Other characters use the "\eXX" using exactly two characters of the hex @@ -153,7 +156,7 @@ characters written or \-1 if an error occurred. .PP \&\fBASN1_STRING_print()\fR returns 1 on success or 0 on error. .PP -\&\fBASN1_tag2str()\fR returns a human-readable name of the specified ASN.1 \fItag\fR. +\&\fBASN1_tag2str()\fR returns a human\-readable name of the specified ASN.1 \fItag\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBX509_NAME_print_ex\fR\|(3), diff --git a/secure/lib/libcrypto/man/man3/ASN1_TIME_set.3 b/secure/lib/libcrypto/man/man3/ASN1_TIME_set.3 index 7047a8bdd2ea..a818dc5322a4 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_TIME_set.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_TIME_set.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_TIME_SET 3ossl" -.TH ASN1_TIME_SET 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_TIME_SET 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -275,7 +278,7 @@ return 1 if the time is successfully printed out and error occurred (invalid time format). .PP \&\fBASN1_TIME_diff()\fR returns 1 for success and 0 for failure. It can fail if the -passed-in time structure has invalid syntax, for example. +passed\-in time structure has invalid syntax, for example. .PP \&\fBASN1_TIME_cmp_time_t()\fR and \fBASN1_UTCTIME_cmp_time_t()\fR return \-1 if \fIs\fR is before \fIt\fR, 0 if \fIs\fR equals \fIt\fR, or 1 if \fIs\fR is after \fIt\fR. \-2 is returned diff --git a/secure/lib/libcrypto/man/man3/ASN1_TYPE_get.3 b/secure/lib/libcrypto/man/man3/ASN1_TYPE_get.3 index daf451be0ac8..ec6695053aab 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_TYPE_get.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_TYPE_get.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_TYPE_GET 3ossl" -.TH ASN1_TYPE_GET 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_TYPE_GET 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ASN1_aux_cb.3 b/secure/lib/libcrypto/man/man3/ASN1_aux_cb.3 index fbe4eec75b6c..1b633ee50b71 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_aux_cb.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_aux_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_AUX_CB 3ossl" -.TH ASN1_AUX_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_AUX_CB 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -125,7 +128,7 @@ The \fBASN1_AFLG_BROKEN\fR flag is a work around for broken encoders where the sequence length value may not be correct. This should generally not be used. .Sp The \fBASN1_AFLG_CONST_CB\fR flag indicates that the "const" form of the -\&\fBASN1_AUX\fR callback should be used in preference to the non-const form. +\&\fBASN1_AUX\fR callback should be used in preference to the non\-const form. .IP \fIref_offset\fR 4 .IX Item "ref_offset" If the \fBASN1_AFLG_REFCOUNT\fR flag is set then this value is assumed to be an @@ -178,7 +181,7 @@ success or 0 on error. .IP \fBASN1_OP_FREE_POST\fR 4 .IX Item "ASN1_OP_FREE_POST" Invoked when processing a \fBCHOICE\fR, \fBSEQUENCE\fR or \fBNDEF_SEQUENCE\fR structure -immediately after \fBASN1_VALUE\fR sub-structures are freed. +immediately after \fBASN1_VALUE\fR sub\-structures are freed. .IP \fBASN1_OP_D2I_PRE\fR 4 .IX Item "ASN1_OP_D2I_PRE" Invoked when processing a \fBCHOICE\fR, \fBSEQUENCE\fR or \fBNDEF_SEQUENCE\fR structure diff --git a/secure/lib/libcrypto/man/man3/ASN1_generate_nconf.3 b/secure/lib/libcrypto/man/man3/ASN1_generate_nconf.3 index 5bf73ccdfb6f..b4b24c2de27a 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_generate_nconf.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_generate_nconf.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_GENERATE_NCONF 3ossl" -.TH ASN1_GENERATE_NCONF 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_GENERATE_NCONF 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -234,7 +237,7 @@ SEQUENCE consisting of a BOOL an OID and a UTF8String: .PP This example produces an RSAPrivateKey structure, this is the key contained in the file client.pem in all OpenSSL distributions -(note: the field names such as 'coeff' are ignored and are present just +(note: the field names such as \*(Aqcoeff\*(Aq are ignored and are present just for clarity): .PP .Vb 3 diff --git a/secure/lib/libcrypto/man/man3/ASN1_item_d2i_bio.3 b/secure/lib/libcrypto/man/man3/ASN1_item_d2i_bio.3 index 50d35753a2fd..270c61664bd3 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_item_d2i_bio.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_item_d2i_bio.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_ITEM_D2I_BIO 3ossl" -.TH ASN1_ITEM_D2I_BIO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_ITEM_D2I_BIO 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -96,9 +99,9 @@ ASN1_item_pack, ASN1_item_unpack_ex, ASN1_item_unpack .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBASN1_item_d2i_ex()\fR decodes the contents of the data stored in \fI*in\fR of length -\&\fIlen\fR which must be a DER-encoded ASN.1 structure, using the ASN.1 template +\&\fIlen\fR which must be a DER\-encoded ASN.1 structure, using the ASN.1 template \&\fIit\fR. It places the result in \fI*pval\fR unless \fIpval\fR is NULL. If \fI*pval\fR is -non-NULL on entry then the \fBASN1_VALUE\fR present there will be reused. Otherwise +non\-NULL on entry then the \fBASN1_VALUE\fR present there will be reused. Otherwise a new \fBASN1_VALUE\fR will be allocated. If any algorithm fetches are required during the process then they will use the \fBOSSL_LIB_CTX\fRprovided in the \&\fIlibctx\fR parameter and the property query string in \fIpropq\fR. See @@ -110,7 +113,7 @@ decoded structure. OSSL_LIB_CTX is used (i.e. NULL) and with a NULL property query string. .PP \&\fBASN1_item_d2i_bio_ex()\fR decodes the contents of its input BIO \fIin\fR, -which must be a DER-encoded ASN.1 structure, using the ASN.1 template \fIit\fR +which must be a DER\-encoded ASN.1 structure, using the ASN.1 template \fIit\fR and places the result in \fI*pval\fR unless \fIpval\fR is NULL. If \fIin\fR is NULL it returns NULL, else a pointer to the parsed structure. If any algorithm fetches are required during the process then they will use the 
@@ -140,7 +143,7 @@ then the returned return is also set into \fI*oct\fR. If there is an error the o passed in \fBASN1_STRING\fR will not be freed, but the previous value may be cleared when ASN1_STRING_set0(*oct, NULL, 0) is called internally. .PP -\&\fBASN1_item_unpack()\fR uses \fBASN1_item_d2i()\fR to decode the DER-encoded \fBASN1_STRING\fR +\&\fBASN1_item_unpack()\fR uses \fBASN1_item_d2i()\fR to decode the DER\-encoded \fBASN1_STRING\fR \&\fIoct\fR using the ASN.1 template \fIit\fR. .PP \&\fBASN1_item_unpack_ex()\fR is similar to \fBASN1_item_unpack()\fR, but uses \fBASN1_item_d2i_ex()\fR so diff --git a/secure/lib/libcrypto/man/man3/ASN1_item_new.3 b/secure/lib/libcrypto/man/man3/ASN1_item_new.3 index 5b7b0e038395..63d99e97b4e4 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_item_new.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_item_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_ITEM_NEW 3ossl" -.TH ASN1_ITEM_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_ITEM_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ASN1_item_sign.3 b/secure/lib/libcrypto/man/man3/ASN1_item_sign.3 index a849af987445..63388ecd96d3 100644 --- a/secure/lib/libcrypto/man/man3/ASN1_item_sign.3 +++ b/secure/lib/libcrypto/man/man3/ASN1_item_sign.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASN1_ITEM_SIGN 3ossl" -.TH ASN1_ITEM_SIGN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASN1_ITEM_SIGN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -145,10 +148,10 @@ zero for failure. .PP All verify functions return 1 if the signature is valid and 0 if the signature check fails. If the signature could not be checked at all because it was -ill-formed or some other error occurred then \-1 is returned. +ill\-formed or some other error occurred then \-1 is returned. .SH EXAMPLES .IX Header "EXAMPLES" -In the following example a 'MyObject' object is signed using the key contained +In the following example a \*(AqMyObject\*(Aq object is signed using the key contained in an EVP_MD_CTX. The signature is written to MyObject.signature. The object is then output in DER format and then loaded back in and verified. .PP diff --git a/secure/lib/libcrypto/man/man3/ASYNC_WAIT_CTX_new.3 b/secure/lib/libcrypto/man/man3/ASYNC_WAIT_CTX_new.3 index ff0c1d01162b..27f4792a4126 100644 --- a/secure/lib/libcrypto/man/man3/ASYNC_WAIT_CTX_new.3 +++ b/secure/lib/libcrypto/man/man3/ASYNC_WAIT_CTX_new.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASYNC_WAIT_CTX_NEW 3ossl" -.TH ASYNC_WAIT_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASYNC_WAIT_CTX_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -108,7 +111,7 @@ ASYNC_STATUS_EAGAIN For an overview of how asynchronous operations are implemented in OpenSSL see \&\fBASYNC_start_job\fR\|(3). An \fBASYNC_WAIT_CTX\fR object represents an asynchronous "session", i.e. a related set of crypto operations. For example in SSL terms -this would have a one-to-one correspondence with an SSL connection. +this would have a one\-to\-one correspondence with an SSL connection. .PP Application code must create an \fBASYNC_WAIT_CTX\fR using the \fBASYNC_WAIT_CTX_new()\fR function prior to calling \fBASYNC_start_job()\fR (see \fBASYNC_start_job\fR\|(3)). When 
@@ -122,7 +125,7 @@ is closed), application code cleans up with \fBASYNC_WAIT_CTX_free()\fR. Calling \fBASYNC_WAIT_CTX_get_all_fds()\fR and passing in a pointer to an \&\fBASYNC_WAIT_CTX\fR in the \fIctx\fR parameter will return the wait file descriptors associated with that job in \fI*fd\fR. The number of file descriptors returned will -be stored in \fI*numfds\fR. It is the caller's responsibility to ensure that +be stored in \fI*numfds\fR. It is the caller\*(Aqs responsibility to ensure that sufficient memory has been allocated in \fI*fd\fR to receive all the file descriptors. Calling \fBASYNC_WAIT_CTX_get_all_fds()\fR with a NULL \fIfd\fR value will return no file descriptors but will still populate \fI*numfds\fR. Therefore, @@ -246,7 +249,7 @@ On Windows platforms the \fI<openssl/async.h>\fR header is dependent on some of the types customarily made available by including \fI<windows.h>\fR. The application developer is likely to require control over when the latter is included, commonly as one of the first included headers. Therefore, -it is defined as an application developer's responsibility to include +it is defined as an application developer\*(Aqs responsibility to include \&\fI<windows.h>\fR prior to \fI<openssl/async.h>\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/ASYNC_start_job.3 b/secure/lib/libcrypto/man/man3/ASYNC_start_job.3 index c3c95ed7b585..ee28efcee5df 100644 --- a/secure/lib/libcrypto/man/man3/ASYNC_start_job.3 +++ b/secure/lib/libcrypto/man/man3/ASYNC_start_job.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ASYNC_START_JOB 3ossl" -.TH ASYNC_START_JOB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ASYNC_START_JOB 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -97,16 +100,16 @@ ASYNC_stack_alloc_fn, ASYNC_stack_free_fn, ASYNC_set_mem_functions, ASYNC_get_me OpenSSL implements asynchronous capabilities through an \fBASYNC_JOB\fR. This represents code that can be started and executes until some event occurs. At that point the code can be paused and control returns to user code until some -subsequent event indicates that the job can be resumed. It's OpenSSL +subsequent event indicates that the job can be resumed. It\*(Aqs OpenSSL specific implementation of cooperative multitasking. .PP The creation of an \fBASYNC_JOB\fR is a relatively expensive operation. Therefore, for efficiency reasons, jobs can be created up front and reused many times. They are held in a pool until they are needed, at which point they are removed from the pool, used, and then returned to the pool when the job completes. If the -user application is multi-threaded, then \fBASYNC_init_thread()\fR may be called for +user application is multi\-threaded, then \fBASYNC_init_thread()\fR may be called for each thread that will initiate asynchronous jobs. Before -user code exits per-thread resources need to be cleaned up. This will normally +user code exits per\-thread resources need to be cleaned up. This will normally occur automatically (see \fBOPENSSL_init_crypto\fR\|(3)) but may be explicitly initiated by using \fBASYNC_cleanup_thread()\fR. No asynchronous jobs must be outstanding for the thread when \fBASYNC_cleanup_thread()\fR is called. Failing to 
@@ -195,7 +198,7 @@ The \fBASYNC_block_pause()\fR function will prevent the currently active job fro pausing. The block will remain in place until a subsequent call to \&\fBASYNC_unblock_pause()\fR. These functions can be nested, e.g. if you call \&\fBASYNC_block_pause()\fR twice then you must call \fBASYNC_unblock_pause()\fR twice in -order to re-enable pausing. If these functions are called while there is no +order to re\-enable pausing. If these functions are called while there is no currently active job then they have no effect. This functionality can be useful to avoid deadlock scenarios. For example during the execution of an \fBASYNC_JOB\fR an application acquires a lock. It then calls some cryptographic function which @@ -215,7 +218,7 @@ stack memory such as mmap, or using stack memory from the current thread. Using an ASYNC_stack_alloc_fn callback also allows manipulation of the stack size, which defaults to 32k. The stack size can be altered by allocating a stack of a size different to -the requested size, and passing back the new stack size in the callback's \fI*num\fR +the requested size, and passing back the new stack size in the callback\*(Aqs \fI*num\fR parameter. .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -244,7 +247,7 @@ On Windows platforms the \fI<openssl/async.h>\fR header is dependent on some of the types customarily made available by including \fI<windows.h>\fR. The application developer is likely to require control over when the latter is included, commonly as one of the first included headers. Therefore, -it is defined as an application developer's responsibility to include +it is defined as an application developer\*(Aqs responsibility to include \&\fI<windows.h>\fR prior to \fI<openssl/async.h>\fR. .SH EXAMPLES .IX Header "EXAMPLES" diff --git a/secure/lib/libcrypto/man/man3/BF_encrypt.3 b/secure/lib/libcrypto/man/man3/BF_encrypt.3 index a6a7b26d517e..16cce8996c92 100644 --- a/secure/lib/libcrypto/man/man3/BF_encrypt.3 
+++ b/secure/lib/libcrypto/man/man3/BF_encrypt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BF_ENCRYPT 3ossl" -.TH BF_ENCRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BF_ENCRYPT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -125,7 +128,7 @@ The mode functions \fBBF_cbc_encrypt()\fR, \fBBF_cfb64_encrypt()\fR and \fBBF_of all operate on variable length data. They all take an initialization vector \&\fBivec\fR which needs to be passed along into the next call of the same function for the same message. \fBivec\fR may be initialized with anything, but the -recipient needs to know what it was initialized with, or it won't be able +recipient needs to know what it was initialized with, or it won\*(Aqt be able to decrypt. Some programs and protocols simplify this, like SSH, where \&\fBivec\fR is simply initialized to zero. \&\fBBF_cbc_encrypt()\fR operates on data that is a multiple of 8 bytes long, while 
@@ -156,10 +159,10 @@ the same way. \&\fBBF_encrypt()\fR and \fBBF_decrypt()\fR are the lowest level functions for Blowfish encryption. They encrypt/decrypt the first 64 bits of the vector pointed by \&\fBdata\fR, using the key \fBkey\fR. These functions should not be used unless you -implement 'modes' of Blowfish. The alternative is to use \fBBF_ecb_encrypt()\fR. +implement \*(Aqmodes\*(Aq of Blowfish. The alternative is to use \fBBF_ecb_encrypt()\fR. If you still want to use these functions, you should be aware that they take -each 32\-bit chunk in host-byte order, which is little-endian on little-endian -platforms and big-endian on big-endian ones. +each 32\-bit chunk in host\-byte order, which is little\-endian on little\-endian +platforms and big\-endian on big\-endian ones. .SH "RETURN VALUES" .IX Header "RETURN VALUES" None of the functions presented here return any value. diff --git a/secure/lib/libcrypto/man/man3/BIO_ADDR.3 b/secure/lib/libcrypto/man/man3/BIO_ADDR.3 index a3bd60aaeaa1..34acae6121b9 100644 --- a/secure/lib/libcrypto/man/man3/BIO_ADDR.3 +++ b/secure/lib/libcrypto/man/man3/BIO_ADDR.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_ADDR 3ossl" -.TH BIO_ADDR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_ADDR 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -92,7 +95,7 @@ BIO_ADDR_path_string \- BIO_ADDR routines .IX Header "DESCRIPTION" The \fBBIO_ADDR\fR type is a wrapper around all types of socket addresses that OpenSSL deals with, currently transparently -supporting AF_INET, AF_INET6 and AF_UNIX according to what's +supporting AF_INET, AF_INET6 and AF_UNIX according to what\*(Aqs available on the platform at hand. .PP \&\fBBIO_ADDR_new()\fR creates a new unfilled \fBBIO_ADDR\fR, to be used @@ -122,14 +125,14 @@ NUL, such as the result of a call to \fBstrlen()\fR). Read on about the addresses in "RAW ADDRESSES" below. .PP \&\fBBIO_ADDR_family()\fR returns the protocol family of the given -\&\fBBIO_ADDR\fR. The possible non-error results are one of the +\&\fBBIO_ADDR\fR. The possible non\-error results are one of the constants AF_INET, AF_INET6 and AF_UNIX. It will also return AF_UNSPEC if the BIO_ADDR has not been initialised. .PP \&\fBBIO_ADDR_rawaddress()\fR will write the raw address of the given -\&\fBBIO_ADDR\fR in the area pointed at by \fBp\fR if \fBp\fR is non-NULL, +\&\fBBIO_ADDR\fR in the area pointed at by \fBp\fR if \fBp\fR is non\-NULL, and will set \fB*l\fR to be the amount of bytes the raw address -takes up if \fBl\fR is non-NULL. +takes up if \fBl\fR is non\-NULL. A technique to only find out the size of the address is a call with \fBp\fR set to \fBNULL\fR. The raw address will be in network byte order, most significant byte first. @@ -176,7 +179,7 @@ OpenSSL error stack. \&\fBBIO_ADDR_copy()\fR returns 1 on success or 0 on error. .PP All other functions described here return 0 or \fBNULL\fR when the -information they should return isn't available. +information they should return isn\*(Aqt available. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBBIO_connect\fR\|(3), \fBBIO_s_connect\fR\|(3) diff --git a/secure/lib/libcrypto/man/man3/BIO_ADDRINFO.3 b/secure/lib/libcrypto/man/man3/BIO_ADDRINFO.3 index 8963474ea4e5..7f8d8b9fd913 100644 --- a/secure/lib/libcrypto/man/man3/BIO_ADDRINFO.3 
+++ b/secure/lib/libcrypto/man/man3/BIO_ADDRINFO.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_ADDRINFO 3ossl" -.TH BIO_ADDRINFO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_ADDRINFO 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -145,7 +148,7 @@ occurred, and will leave an error indication on the OpenSSL error stack in that case. .PP All other functions described here return 0 or \fBNULL\fR when the -information they should return isn't available. +information they should return isn\*(Aqt available. .SH NOTES .IX Header "NOTES" The \fBBIO_lookup_ex()\fR implementation uses the platform provided \fBgetaddrinfo()\fR diff --git a/secure/lib/libcrypto/man/man3/BIO_connect.3 b/secure/lib/libcrypto/man/man3/BIO_connect.3 index 85a50ca6a6ec..92075b888750 100644 --- a/secure/lib/libcrypto/man/man3/BIO_connect.3 +++ b/secure/lib/libcrypto/man/man3/BIO_connect.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_CONNECT 3ossl" -.TH BIO_CONNECT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_CONNECT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -98,7 +101,7 @@ The flags are described in "FLAGS" below. .PP \&\fBBIO_accept_ex()\fR waits for an incoming connections on the given socket \fBaccept_sock\fR. When it gets a connection, the address and -port of the peer gets stored in \fBpeer\fR if that one is non-NULL. +port of the peer gets stored in \fBpeer\fR if that one is non\-NULL. Accept \fBoptions\fR may be zero or \fBBIO_SOCK_NONBLOCK\fR, and is applied on the accepted socket. The flags are described in "FLAGS" below. .PP @@ -107,7 +110,7 @@ on the accepted socket. The flags are described in "FLAGS" below. .IX Header "FLAGS" .IP BIO_SOCK_KEEPALIVE 4 .IX Item "BIO_SOCK_KEEPALIVE" -Enables regular sending of keep-alive messages. +Enables regular sending of keep\-alive messages. .IP BIO_SOCK_NONBLOCK 4 .IX Item "BIO_SOCK_NONBLOCK" Sets the socket to nonblocking mode. @@ -115,7 +118,7 @@ Sets the socket to nonblocking mode. .IX Item "BIO_SOCK_NODELAY" Corresponds to \fBTCP_NODELAY\fR, and disables the Nagle algorithm. With this set, any data will be sent as soon as possible instead of being -buffered until there's enough for the socket to send out in one go. +buffered until there\*(Aqs enough for the socket to send out in one go. .IP BIO_SOCK_REUSEADDR 4 .IX Item "BIO_SOCK_REUSEADDR" Try to reuse the address and port combination for a recently closed diff --git a/secure/lib/libcrypto/man/man3/BIO_ctrl.3 b/secure/lib/libcrypto/man/man3/BIO_ctrl.3 index 3717891171e6..53ab60f1c336 100644 --- a/secure/lib/libcrypto/man/man3/BIO_ctrl.3 
+++ b/secure/lib/libcrypto/man/man3/BIO_ctrl.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_CTRL 3ossl" -.TH BIO_CTRL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_CTRL 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -116,7 +119,7 @@ calls. of file related BIOs for example it rewinds the file pointer to the start of the file. .PP -\&\fBBIO_seek()\fR resets a file related BIO's (that is file descriptor and +\&\fBBIO_seek()\fR resets a file related BIO\*(Aqs (that is file descriptor and FILE BIOs) file position pointer to \fBofs\fR bytes from start of file. .PP \&\fBBIO_tell()\fR returns the current file position of a file related BIO. @@ -140,9 +143,9 @@ Not all BIOs support these calls. \fBBIO_ctrl_pending()\fR and \fBBIO_ctrl_wpend return a size_t type and are functions, \fBBIO_pending()\fR and \fBBIO_wpending()\fR are macros which call \fBBIO_ctrl()\fR. .PP -\&\fBBIO_get_ktls_send()\fR returns 1 if the BIO is using the Kernel TLS data-path for +\&\fBBIO_get_ktls_send()\fR returns 1 if the BIO is using the Kernel TLS data\-path for sending. Otherwise, it returns zero. -\&\fBBIO_get_ktls_recv()\fR returns 1 if the BIO is using the Kernel TLS data-path for +\&\fBBIO_get_ktls_recv()\fR returns 1 if the BIO is using the Kernel TLS data\-path for receiving. Otherwise, it returns zero. .PP \&\fBBIO_get_conn_mode()\fR returns the BIO connection mode. \fBBIO_set_conn_mode()\fR sets 
@@ -174,13 +177,13 @@ return the amount of pending data. \fBBIO_pending()\fR and \fBBIO_wpending()\fR negative value or 0 on error. \fBBIO_ctrl_pending()\fR and \fBBIO_ctrl_wpending()\fR return 0 on error. .PP -\&\fBBIO_get_ktls_send()\fR returns 1 if the BIO is using the Kernel TLS data-path for +\&\fBBIO_get_ktls_send()\fR returns 1 if the BIO is using the Kernel TLS data\-path for sending. Otherwise, it returns zero. -\&\fBBIO_get_ktls_recv()\fR returns 1 if the BIO is using the Kernel TLS data-path for +\&\fBBIO_get_ktls_recv()\fR returns 1 if the BIO is using the Kernel TLS data\-path for receiving. Otherwise, it returns zero. .PP \&\fBBIO_set_conn_mode()\fR returns 1 for success and 0 for failure. \fBBIO_get_conn_mode()\fR -returns the current connection mode. Which may contain the bitwise-or of the +returns the current connection mode. Which may contain the bitwise\-or of the following flags: .PP .Vb 6 diff --git a/secure/lib/libcrypto/man/man3/BIO_f_base64.3 b/secure/lib/libcrypto/man/man3/BIO_f_base64.3 index 34b51f086dff..fdc0fd5261d7 100644 --- a/secure/lib/libcrypto/man/man3/BIO_f_base64.3 +++ b/secure/lib/libcrypto/man/man3/BIO_f_base64.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_F_BASE64 3ossl" -.TH BIO_F_BASE64 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_F_BASE64 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -93,7 +96,7 @@ skipped, as are lines longer than 1024 bytes. Decoding starts with the first line that is shorter than 1024 bytes (including the newline) and consists of only (at least one) valid base64 characters plus optional whitespace. -Decoding stops when base64 padding is encountered, a soft end-of-input +Decoding stops when base64 padding is encountered, a soft end\-of\-input character (\fB\-\fR, see \fBEVP_DecodeUpdate\fR\|(3)) occurs as the first byte after a complete group of 4 valid base64 characters is decoded, or when an error occurs (e.g. due to input characters other than valid base64 or whitespace). @@ -157,12 +160,12 @@ data to standard output: .Ve .SH BUGS .IX Header "BUGS" -The hyphen character (\fB\-\fR) is treated as an ad hoc soft end-of-input +The hyphen character (\fB\-\fR) is treated as an ad hoc soft end\-of\-input character when it occurs at the start of a base64 group of 4 encoded characters. .PP This heuristic works to detect the ends of base64 blocks in PEM or -multi-part MIME, provided there are no stray hyphens in the middle +multi\-part MIME, provided there are no stray hyphens in the middle input. But it is just a heuristic, and sufficiently unusual input could produce unexpected results. diff --git a/secure/lib/libcrypto/man/man3/BIO_f_buffer.3 b/secure/lib/libcrypto/man/man3/BIO_f_buffer.3 index c7246d65d9d3..f252aade2e21 100644 --- a/secure/lib/libcrypto/man/man3/BIO_f_buffer.3 +++ b/secure/lib/libcrypto/man/man3/BIO_f_buffer.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_F_BUFFER 3ossl" -.TH BIO_F_BUFFER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_F_BUFFER 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -112,7 +115,7 @@ Buffering BIOs implement \fBBIO_read_ex()\fR and \fBBIO_gets()\fR by using result in an internal buffer, from which bytes are given back to the caller as appropriate for the call; a \fBBIO_gets()\fR is guaranteed to give the caller a whole line, and \fBBIO_read_ex()\fR is guaranteed to give the -caller the number of bytes it asks for, unless there's an error or end +caller the number of bytes it asks for, unless there\*(Aqs an error or end of communication is reached in the next BIO. By prepending a buffering BIO to a chain it is therefore possible to provide \&\fBBIO_gets()\fR or exact size \fBBIO_read_ex()\fR functionality if the following diff --git a/secure/lib/libcrypto/man/man3/BIO_f_cipher.3 b/secure/lib/libcrypto/man/man3/BIO_f_cipher.3 index 915dfca393d4..81bf804fba41 100644 --- a/secure/lib/libcrypto/man/man3/BIO_f_cipher.3 +++ b/secure/lib/libcrypto/man/man3/BIO_f_cipher.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_F_CIPHER 3ossl" -.TH BIO_F_CIPHER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_F_CIPHER 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_f_md.3 b/secure/lib/libcrypto/man/man3/BIO_f_md.3 index c54342a68926..33f8e13d942d 100644 --- a/secure/lib/libcrypto/man/man3/BIO_f_md.3 +++ b/secure/lib/libcrypto/man/man3/BIO_f_md.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_F_MD 3ossl" -.TH BIO_F_MD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_F_MD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_f_null.3 b/secure/lib/libcrypto/man/man3/BIO_f_null.3 index f1b49042a9d7..49237e69254d 100644 --- a/secure/lib/libcrypto/man/man3/BIO_f_null.3 +++ b/secure/lib/libcrypto/man/man3/BIO_f_null.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_F_NULL 3ossl" -.TH BIO_F_NULL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_F_NULL 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_f_prefix.3 b/secure/lib/libcrypto/man/man3/BIO_f_prefix.3 index b1b54e6a1397..ad3f905850dd 100644 --- a/secure/lib/libcrypto/man/man3/BIO_f_prefix.3 +++ b/secure/lib/libcrypto/man/man3/BIO_f_prefix.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_F_PREFIX 3ossl" -.TH BIO_F_PREFIX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_F_PREFIX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -88,7 +91,7 @@ By default, there is no prefix, and indentation is set to 0. .PP \&\fBBIO_set_prefix()\fR sets the prefix to be used for future lines of text, using \fIprefix\fR. \fIprefix\fR may be NULL, signifying that there -should be no prefix. If \fIprefix\fR isn't NULL, this function makes a +should be no prefix. If \fIprefix\fR isn\*(Aqt NULL, this function makes a copy of it. .PP \&\fBBIO_set_indent()\fR sets the indentation to be used for future lines of 
diff --git a/secure/lib/libcrypto/man/man3/BIO_f_readbuffer.3 b/secure/lib/libcrypto/man/man3/BIO_f_readbuffer.3 index c967deb494cb..abf7bcabaac0 100644 --- a/secure/lib/libcrypto/man/man3/BIO_f_readbuffer.3 +++ b/secure/lib/libcrypto/man/man3/BIO_f_readbuffer.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_F_READBUFFER 3ossl" -.TH BIO_F_READBUFFER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_F_READBUFFER 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -74,7 +77,7 @@ BIO_f_readbuffer .IX Header "DESCRIPTION" \&\fBBIO_f_readbuffer()\fR returns the read buffering BIO method. .PP -This BIO filter can be inserted on top of BIO's that do not support \fBBIO_tell()\fR +This BIO filter can be inserted on top of BIO\*(Aqs that do not support \fBBIO_tell()\fR or \fBBIO_seek()\fR (e.g. A file BIO that uses stdin). .PP Data read from a read buffering BIO comes from an internal buffer which is 
@@ -90,7 +93,7 @@ Read buffering BIOs implement \fBBIO_read_ex()\fR by using \fBBIO_read_ex()\fR o on the next BIO (e.g. a file BIO) in the chain and storing the result in an internal buffer, from which bytes are given back to the caller as appropriate for the call. \fBBIO_read_ex()\fR is guaranteed to give the caller the number of bytes -it asks for, unless there's an error or end of communication is reached in the +it asks for, unless there\*(Aqs an error or end of communication is reached in the next BIO. The internal buffer can grow to cache the entire contents of the next BIO in the chain. \fBBIO_seek()\fR uses the internal buffer, so that it can only seek into data that is already read. diff --git a/secure/lib/libcrypto/man/man3/BIO_f_ssl.3 b/secure/lib/libcrypto/man/man3/BIO_f_ssl.3 index 61a5d59ce8ba..a0b4285a8c78 100644 --- a/secure/lib/libcrypto/man/man3/BIO_f_ssl.3 +++ b/secure/lib/libcrypto/man/man3/BIO_f_ssl.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_F_SSL 3ossl" -.TH BIO_F_SSL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_F_SSL 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -153,7 +156,7 @@ pointer. .PP \&\fBBIO_do_handshake()\fR attempts to complete an SSL handshake on the supplied BIO and establish the SSL connection. -For non-SSL BIOs the connection is done typically at TCP level. +For non\-SSL BIOs the connection is done typically at TCP level. If domain name resolution yields multiple IP addresses all of them are tried after \fBconnect()\fR failures. The function returns 1 if the connection was established successfully. diff --git a/secure/lib/libcrypto/man/man3/BIO_find_type.3 b/secure/lib/libcrypto/man/man3/BIO_find_type.3 index fdf4104ff85d..e81bde128412 100644 --- a/secure/lib/libcrypto/man/man3/BIO_find_type.3 +++ b/secure/lib/libcrypto/man/man3/BIO_find_type.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_FIND_TYPE 3ossl" -.TH BIO_FIND_TYPE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_FIND_TYPE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_get_data.3 b/secure/lib/libcrypto/man/man3/BIO_get_data.3 index a0a98acad594..528f79be729f 100644 --- a/secure/lib/libcrypto/man/man3/BIO_get_data.3 +++ b/secure/lib/libcrypto/man/man3/BIO_get_data.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_GET_DATA 3ossl" -.TH BIO_GET_DATA 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_GET_DATA 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -77,13 +80,13 @@ BIO_get_shutdown \- functions for managing BIO state information .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -These functions are mainly useful when implementing a custom BIO. +These functions can be used when implementing a custom BIO. .PP The \fBBIO_set_data()\fR function associates the custom data pointed to by \fBptr\fR with the BIO. This data can subsequently be retrieved via a call to \fBBIO_get_data()\fR. This can be used by custom BIOs for storing implementation specific information. .PP -The \fBBIO_set_init()\fR function sets the value of the BIO's "init" flag to indicate +The \fBBIO_set_init()\fR function sets the value of the BIO\*(Aqs "init" flag to indicate whether initialisation has been completed for this BIO or not. A nonzero value indicates that initialisation is complete, whilst zero indicates that it is not. Often initialisation will complete during initial construction of the BIO. For 
@@ -92,16 +95,22 @@ have occurred (for example through calling custom ctrls). The \fBBIO_get_init()\ function returns the value of the "init" flag. .PP The \fBBIO_set_shutdown()\fR and \fBBIO_get_shutdown()\fR functions set and get the state of -this BIO's shutdown (i.e. BIO_CLOSE) flag. If set then the underlying resource +this BIO\*(Aqs shutdown (i.e. BIO_CLOSE) flag. If set then the underlying resource is also closed when the BIO is freed. +.SH WARNINGS +.IX Header "WARNINGS" +Do not use \fBBIO_set_data()\fR, \fBBIO_get_data()\fR, \fBBIO_set_init()\fR, \fBBIO_get_init()\fR, outside +the implementation of a custom BIO. +Calling \fBBIO_set_data()\fR on an existing BIO implementation with data that it does +not expect will lead to unexpected results. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBBIO_get_data()\fR returns a pointer to the implementation specific custom data associated with this BIO, or NULL if none has been set. .PP -\&\fBBIO_get_init()\fR returns the state of the BIO's init flag. +\&\fBBIO_get_init()\fR returns the state of the BIO\*(Aqs init flag. .PP -\&\fBBIO_get_shutdown()\fR returns the stat of the BIO's shutdown (i.e. BIO_CLOSE) flag. +\&\fBBIO_get_shutdown()\fR returns the stat of the BIO\*(Aqs shutdown (i.e. BIO_CLOSE) flag. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBbio\fR\|(7), \fBBIO_meth_new\fR\|(3) @@ -110,7 +119,7 @@ associated with this BIO, or NULL if none has been set. The functions described here were added in OpenSSL 1.1.0. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man3/BIO_get_ex_new_index.3 b/secure/lib/libcrypto/man/man3/BIO_get_ex_new_index.3 index e6ec1d3ee4a3..495fe0549689 100644 
--- a/secure/lib/libcrypto/man/man3/BIO_get_ex_new_index.3 +++ b/secure/lib/libcrypto/man/man3/BIO_get_ex_new_index.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_GET_EX_NEW_INDEX 3ossl" -.TH BIO_GET_EX_NEW_INDEX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_GET_EX_NEW_INDEX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,7 +144,7 @@ Applications should instead use \fBEVP_PKEY_set_ex_data()\fR, All functions with a \fITYPE\fR of \fBENGINE\fR are deprecated. Applications using engines should be replaced by providers. .PP -These functions handle application-specific data for OpenSSL data +These functions handle application\-specific data for OpenSSL data structures. .PP \&\fBTYPE_get_ex_new_index()\fR is a macro that calls \fBCRYPTO_get_ex_new_index()\fR diff --git a/secure/lib/libcrypto/man/man3/BIO_get_rpoll_descriptor.3 b/secure/lib/libcrypto/man/man3/BIO_get_rpoll_descriptor.3 index 98299ffb6c0c..ef3b9834faf3 100644 --- a/secure/lib/libcrypto/man/man3/BIO_get_rpoll_descriptor.3 +++ b/secure/lib/libcrypto/man/man3/BIO_get_rpoll_descriptor.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_GET_RPOLL_DESCRIPTOR 3ossl" -.TH BIO_GET_RPOLL_DESCRIPTOR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_GET_RPOLL_DESCRIPTOR 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -84,7 +87,7 @@ can be used to determine when a BIO object can next be read or written .IX Header "DESCRIPTION" \&\fBBIO_get_rpoll_descriptor()\fR and \fBBIO_get_wpoll_descriptor()\fR, on success, fill \&\fI*desc\fR with a poll descriptor. A poll descriptor is a tagged union structure -which represents some kind of OS or non-OS resource which can be used to +which represents some kind of OS or non\-OS resource which can be used to synchronise on I/O availability events. .PP \&\fBBIO_get_rpoll_descriptor()\fR outputs a descriptor which can be used to determine @@ -115,7 +118,7 @@ in the \fBBIO_POLL_DESCRIPTOR\fR is valid if it is not set to \-1. .Sp The resource is whatever kind of handle is used by a given OS to represent sockets, which may vary by OS. For example, on Windows, the value is a \fBSOCKET\fR -for use with the Winsock API. On POSIX-like platforms, it is a file descriptor. +for use with the Winsock API. On POSIX\-like platforms, it is a file descriptor. .Sp Where a poll descriptor of this type is output by \fBBIO_get_rpoll_descriptor()\fR, it should be polled for readability to determine when the BIO might next be able to diff --git a/secure/lib/libcrypto/man/man3/BIO_meth_new.3 b/secure/lib/libcrypto/man/man3/BIO_meth_new.3 index 10cd19ec2686..ffa66e88c661 100644 --- a/secure/lib/libcrypto/man/man3/BIO_meth_new.3 +++ b/secure/lib/libcrypto/man/man3/BIO_meth_new.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_METH_NEW 3ossl" -.TH BIO_METH_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_METH_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -244,7 +247,7 @@ The \fBBIO_meth_get\fR functions return the corresponding function pointers. .IX Header "BUGS" It is not safe to use \f(CW\*(C`BIO_meth_get_\*(C'\fR functions to reuse the \fBBIO\fR implementation of \fBBIO\fRs implemented by OpenSSL itself with -application-implemented \fBBIO\fRs. Instead either the applications ought to +application\-implemented \fBBIO\fRs. Instead either the applications ought to implement these functions themselves or they should implement a filter BIO. .PP For more details please see <https://github.com/openssl/openssl/issues/26047>. diff --git a/secure/lib/libcrypto/man/man3/BIO_new.3 b/secure/lib/libcrypto/man/man3/BIO_new.3 index 44176f4c34d5..6ac37f946a37 100644 --- a/secure/lib/libcrypto/man/man3/BIO_new.3 +++ b/secure/lib/libcrypto/man/man3/BIO_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_NEW 3ossl" -.TH BIO_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_new_CMS.3 b/secure/lib/libcrypto/man/man3/BIO_new_CMS.3 index f5b95ea32949..f01255dc5878 100644 --- a/secure/lib/libcrypto/man/man3/BIO_new_CMS.3 +++ b/secure/lib/libcrypto/man/man3/BIO_new_CMS.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_NEW_CMS 3ossl" -.TH BIO_NEW_CMS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_NEW_CMS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_parse_hostserv.3 b/secure/lib/libcrypto/man/man3/BIO_parse_hostserv.3 index 2062eb8254a5..8df01db362bc 100644 --- a/secure/lib/libcrypto/man/man3/BIO_parse_hostserv.3 +++ b/secure/lib/libcrypto/man/man3/BIO_parse_hostserv.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_PARSE_HOSTSERV 3ossl" -.TH BIO_PARSE_HOSTSERV 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_PARSE_HOSTSERV 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -96,8 +99,8 @@ The syntax the \fBBIO_parse_hostserv()\fR recognises is: \& service .Ve .PP -The host part can be a name or an IP address. If it's a IPv6 -address, it MUST be enclosed in brackets, such as '[::1]'. +The host part can be a name or an IP address. If it\*(Aqs a IPv6 +address, it MUST be enclosed in brackets, such as \*(Aq[::1]\*(Aq. .PP The service part can be a service name or its port number. A service name will be mapped to a port number using the system function \fBgetservbyname()\fR. diff --git a/secure/lib/libcrypto/man/man3/BIO_printf.3 b/secure/lib/libcrypto/man/man3/BIO_printf.3 index dc64e86dcf74..18c1228f34a5 100644 --- a/secure/lib/libcrypto/man/man3/BIO_printf.3 +++ b/secure/lib/libcrypto/man/man3/BIO_printf.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_PRINTF 3ossl" -.TH BIO_PRINTF 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_PRINTF 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_push.3 b/secure/lib/libcrypto/man/man3/BIO_push.3 index 5ea891c8ccfc..86ef31396c3d 100644 --- a/secure/lib/libcrypto/man/man3/BIO_push.3 +++ b/secure/lib/libcrypto/man/man3/BIO_push.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_PUSH 3ossl" -.TH BIO_PUSH 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_PUSH 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -79,7 +82,7 @@ Otherwise it prepends \fIb\fR, which may be a single BIO or a chain of BIOs, to \fInext\fR (unless \fInext\fR is NULL). It then makes a control call on \fIb\fR and returns \fIb\fR. .PP -\&\fBBIO_pop()\fR removes the BIO \fIb\fR from any chain is is part of. +\&\fBBIO_pop()\fR removes the BIO \fIb\fR from any chain it is part of. If \fIb\fR is NULL the function does nothing and returns NULL. Otherwise it makes a control call on \fIb\fR and returns the next BIO in the chain, or NULL if there is no next BIO. 
@@ -147,7 +150,7 @@ except that \fImd2\fR will no more be applied. The \fBBIO_set_next()\fR function was added in OpenSSL 1.1.0. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man3/BIO_read.3 b/secure/lib/libcrypto/man/man3/BIO_read.3 index 29926d5ad6e7..950fa28c3c2a 100644 --- a/secure/lib/libcrypto/man/man3/BIO_read.3 +++ b/secure/lib/libcrypto/man/man3/BIO_read.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_READ 3ossl" -.TH BIO_READ 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_READ 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -96,22 +99,24 @@ in \fIbuf\fR. Usually this operation will attempt to read a line of data from the BIO of maximum length \fIsize\-1\fR. There are exceptions to this, however; for example, \fBBIO_gets()\fR on a digest BIO will calculate and return the digest and other BIOs may not support \fBBIO_gets()\fR at all. -The returned string is always NUL-terminated and the '\en' is preserved +The returned string is always NUL\-terminated and the \*(Aq\en\*(Aq is preserved if present in the input data. On binary input there may be NUL characters within the string; in this case the return value (if nonnegative) may give an incorrect length. .PP -\&\fBBIO_get_line()\fR attempts to read from BIO \fIb\fR a line of data up to the next '\en' +\&\fBBIO_get_line()\fR attempts to read from BIO \fIb\fR a line of data up to the next \*(Aq\en\*(Aq or the maximum length \fIsize\-1\fR is reached and places the data in \fIbuf\fR. -The returned string is always NUL-terminated and the '\en' is preserved +The returned string is always NUL\-terminated and the \*(Aq\en\*(Aq is preserved if present in the input data. On binary input there may be NUL characters within the string; in this case the return value (if nonnegative) gives the actual length read. -For implementing this, unfortunately the data needs to be read byte-by-byte. +For implementing this, unfortunately the data needs to be read byte\-by\-byte. .PP \&\fBBIO_write()\fR attempts to write \fIlen\fR bytes from \fIbuf\fR to BIO \fIb\fR. .PP -\&\fBBIO_puts()\fR attempts to write a NUL-terminated string \fIbuf\fR to BIO \fIb\fR. +\&\fBBIO_puts()\fR attempts to write a NUL\-terminated string \fIbuf\fR to BIO \fIb\fR, +without the terminating NUL byte and without appending \*(Aq\en\*(Aq +(so, similar to \fBfputs\fR\|(3), and not \fBputs\fR\|(3)). .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBBIO_read_ex()\fR returns 1 if data was successfully read, and 0 otherwise. 
@@ -165,7 +170,7 @@ supported by adding a buffering BIO \fBBIO_f_buffer\fR\|(3) to the chain. .SH HISTORY .IX Header "HISTORY" \&\fBBIO_gets()\fR on 1.1.0 and older when called on \fBBIO_fd()\fR based BIO did not -keep the '\en' at the end of the line in the buffer. +keep the \*(Aq\en\*(Aq at the end of the line in the buffer. .PP \&\fBBIO_get_line()\fR was added in OpenSSL 3.0. .PP @@ -173,7 +178,7 @@ keep the '\en' at the end of the line in the buffer. \&\fIwritten\fR parameter of the function can be NULL since OpenSSL 3.0. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man3/BIO_s_accept.3 b/secure/lib/libcrypto/man/man3/BIO_s_accept.3 index 4b5af5e98860..716078bab75a 100644 --- a/secure/lib/libcrypto/man/man3/BIO_s_accept.3 +++ b/secure/lib/libcrypto/man/man3/BIO_s_accept.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_S_ACCEPT 3ossl" -.TH BIO_S_ACCEPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_S_ACCEPT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -98,7 +101,7 @@ BIO_set_bind_mode, BIO_get_bind_mode, BIO_do_accept \- accept BIO .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBBIO_s_accept()\fR returns the accept BIO method. This is a wrapper -round the platform's TCP/IP socket accept routines. +round the platform\*(Aqs TCP/IP socket accept routines. .PP Using accept BIOs, TCP/IP connections can be accepted and data transferred using only BIO routines. In this way any platform diff --git a/secure/lib/libcrypto/man/man3/BIO_s_bio.3 b/secure/lib/libcrypto/man/man3/BIO_s_bio.3 index 1194bae9daf9..b4ca692aaffb 100644 --- a/secure/lib/libcrypto/man/man3/BIO_s_bio.3 +++ b/secure/lib/libcrypto/man/man3/BIO_s_bio.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_S_BIO 3ossl" -.TH BIO_S_BIO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_S_BIO 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -193,7 +196,7 @@ locations for \fBbio1\fR and \fBbio2\fR. Check the error stack for more informat .IX Header "EXAMPLES" The BIO pair can be used to have full control over the network access of an application. The application can call \fBselect()\fR on the socket as required -without having to go through the SSL-interface. +without having to go through the SSL\-interface. .PP .Vb 1 \& BIO *internal_bio, *network_bio; diff --git a/secure/lib/libcrypto/man/man3/BIO_s_connect.3 b/secure/lib/libcrypto/man/man3/BIO_s_connect.3 index e6665553950b..60bec72dcade 100644 
--- a/secure/lib/libcrypto/man/man3/BIO_s_connect.3 +++ b/secure/lib/libcrypto/man/man3/BIO_s_connect.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_S_CONNECT 3ossl" -.TH BIO_S_CONNECT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_S_CONNECT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -97,7 +100,7 @@ BIO_do_connect \- connect BIO .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBBIO_s_connect()\fR returns the connect BIO method. This is a wrapper -round the platform's TCP/IP socket connection routines. +round the platform\*(Aqs TCP/IP socket connection routines. .PP Using connect BIOs, TCP/IP connections can be made and data transferred using only BIO routines. In this way any platform @@ -156,7 +159,7 @@ non blocking I/O is set during the connect process. .PP \&\fBBIO_do_connect()\fR attempts to connect the supplied BIO. This performs an SSL/TLS handshake as far as supported by the BIO. -For non-SSL BIOs the connection is done typically at TCP level. +For non\-SSL BIOs the connection is done typically at TCP level. If domain name resolution yields multiple IP addresses all of them are tried after \fBconnect()\fR failures. The function returns 1 if the connection was established successfully. 
@@ -186,7 +189,7 @@ will normally mean that the connection was closed. If the port name is supplied as part of the hostname then this will override any value set with \fBBIO_set_conn_port()\fR. This may be undesirable if the application does not wish to allow connection to arbitrary -ports. This can be avoided by checking for the presence of the ':' +ports. This can be avoided by checking for the presence of the \*(Aq:\*(Aq character in the passed hostname and either indicating an error or truncating the string at that point. .PP diff --git a/secure/lib/libcrypto/man/man3/BIO_s_core.3 b/secure/lib/libcrypto/man/man3/BIO_s_core.3 index 3104f3ab3ac6..764f0b0dc2a4 100644 --- a/secure/lib/libcrypto/man/man3/BIO_s_core.3 +++ b/secure/lib/libcrypto/man/man3/BIO_s_core.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_S_CORE 3ossl" -.TH BIO_S_CORE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_S_CORE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_s_datagram.3 b/secure/lib/libcrypto/man/man3/BIO_s_datagram.3 index 6f7da894ab39..328007e29447 100644 --- a/secure/lib/libcrypto/man/man3/BIO_s_datagram.3 +++ b/secure/lib/libcrypto/man/man3/BIO_s_datagram.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_S_DATAGRAM 3ossl" -.TH BIO_S_DATAGRAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_S_DATAGRAM 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -98,7 +101,7 @@ a single datagram and a single \fBBIO_read()\fR call receives a single datagram. the size of the buffer passed to \fBBIO_read()\fR is inadequate, the datagram is silently truncated. .PP -For a memory-based BIO which provides datagram semantics identical to those of +For a memory\-based BIO which provides datagram semantics identical to those of \&\fBBIO_s_datagram()\fR, see \fBBIO_s_dgram_pair\fR\|(3). .PP This BIO supports the \fBBIO_sendmmsg\fR\|(3) and \fBBIO_recvmmsg\fR\|(3) functions. @@ -107,7 +110,7 @@ When using \fBBIO_s_datagram()\fR, it is important to note that: .IP \(bu 4 This BIO can be used with either a connected or unconnected network socket. A connected socket is a network socket which has had \fBBIO_connect\fR\|(3) or a -similar OS-specific function called on it. Such a socket can only receive +similar OS\-specific function called on it. Such a socket can only receive datagrams from the specified peer. Any other socket is an unconnected socket and can receive datagrams from any host. .IP \(bu 4 
@@ -147,7 +150,7 @@ This informs the \fBBIO_s_datagram()\fR whether the underlying socket has been connected, and therefore how the \fBBIO_s_datagram()\fR should attempt to use the socket. .Sp -If the \fIpeer\fR argument is non-NULL, \fBBIO_s_datagram()\fR assumes that the +If the \fIpeer\fR argument is non\-NULL, \fBBIO_s_datagram()\fR assumes that the underlying socket has been connected and will attempt to use the socket using OS APIs which do not specify peer addresses (for example, \fBsend\fR\|(3) and \fBrecv\fR\|(3) or similar). The \fIpeer\fR argument should specify the peer address to which the socket @@ -215,9 +218,9 @@ higher in atypical network configurations, for example where IPv6 extension headers or IPv4 options are used. .IP BIO_CTRL_DGRAM_SET_DONT_FRAG 4 .IX Item "BIO_CTRL_DGRAM_SET_DONT_FRAG" -If \fInum\fR is nonzero, configures the underlying network socket to enable Don't -Fragment mode, in which datagrams will be set with the IP Don't Fragment (DF) -bit set. If \fInum\fR is zero, Don't Fragment mode is disabled. +If \fInum\fR is nonzero, configures the underlying network socket to enable Don\*(Aqt +Fragment mode, in which datagrams will be set with the IP Don\*(Aqt Fragment (DF) +bit set. If \fInum\fR is zero, Don\*(Aqt Fragment mode is disabled. .IP BIO_CTRL_DGRAM_QUERY_MTU 4 .IX Item "BIO_CTRL_DGRAM_QUERY_MTU" Queries the OS for its assessment of the Path MTU for the destination to which diff --git a/secure/lib/libcrypto/man/man3/BIO_s_dgram_pair.3 b/secure/lib/libcrypto/man/man3/BIO_s_dgram_pair.3 index 3c94c37ff121..0bd49d5234ec 100644 --- a/secure/lib/libcrypto/man/man3/BIO_s_dgram_pair.3 +++ b/secure/lib/libcrypto/man/man3/BIO_s_dgram_pair.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_S_DGRAM_PAIR 3ossl" -.TH BIO_S_DGRAM_PAIR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_S_DGRAM_PAIR 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -134,8 +137,8 @@ size of the next datagram waiting to be read in bytes. An application can use this function to ensure it provides an adequate buffer to a subsequent read call. If no datagram is waiting to be read, zero is returned. .PP -This BIO does not support sending or receiving zero-length datagrams. Passing a -zero-length buffer to BIO_write is treated as a no-op. +This BIO does not support sending or receiving zero\-length datagrams. Passing a +zero\-length buffer to BIO_write is treated as a no\-op. .PP \&\fBBIO_eof\fR\|(3) returns 1 only if the given BIO datagram pair BIO is not currently connected to a peer BIO. @@ -149,9 +152,9 @@ intending to write it to a BIO datagram pair, but where the received datagram ends up being too large to write to the BIO datagram pair. .PP \&\fBBIO_dgram_set_no_trunc()\fR and \fBBIO_ctrl_get_no_trunc()\fR set and retrieve the -truncation mode for the given half of a BIO datagram pair. When no-truncate mode +truncation mode for the given half of a BIO datagram pair. When no\-truncate mode is enabled, \fBBIO_read()\fR will fail if the buffer provided is inadequate to hold -the next datagram to be read. If no-truncate mode is disabled (the default), the +the next datagram to be read. If no\-truncate mode is disabled (the default), the datagram will be silently truncated. This default behaviour maintains compatibility with the semantics of the Berkeley sockets API. .PP 
@@ -171,7 +174,7 @@ explicitly specified local address takes precedence. The reference to the BIO_ADDR is passed to the BIO by this call and will be freed automatically when the BIO is freed. .PP -\&\fBBIO_flush\fR\|(3) is a no-op. +\&\fBBIO_flush\fR\|(3) is a no\-op. .SH NOTES .IX Header "NOTES" The halves of a BIO datagram pair have independent lifetimes and must be @@ -254,8 +257,8 @@ locations for \fBbio1\fR and \fBbio2\fR. Check the error stack for more informat \&\fBBIO_dgram_set_no_trunc()\fR, \fBBIO_dgram_set_caps()\fR and \fBBIO_dgram_set_mtu()\fR return 1 on success and 0 on failure. .PP -\&\fBBIO_dgram_get_no_trunc()\fR returns 1 if no-truncate mode is enabled on a BIO, or 0 -if no-truncate mode is not enabled or not supported on a given BIO. +\&\fBBIO_dgram_get_no_trunc()\fR returns 1 if no\-truncate mode is enabled on a BIO, or 0 +if no\-truncate mode is not enabled or not supported on a given BIO. .PP \&\fBBIO_dgram_get_effective_caps()\fR and \fBBIO_dgram_get_caps()\fR return zero if no capabilities are supported. diff --git a/secure/lib/libcrypto/man/man3/BIO_s_fd.3 b/secure/lib/libcrypto/man/man3/BIO_s_fd.3 index e90758f383d1..598f14fd1464 100644 --- a/secure/lib/libcrypto/man/man3/BIO_s_fd.3 +++ b/secure/lib/libcrypto/man/man3/BIO_s_fd.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_S_FD 3ossl" -.TH BIO_S_FD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_S_FD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_s_file.3 b/secure/lib/libcrypto/man/man3/BIO_s_file.3 index 4e90637aa3c5..b47498cee1d7 100644 --- a/secure/lib/libcrypto/man/man3/BIO_s_file.3 +++ b/secure/lib/libcrypto/man/man3/BIO_s_file.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_S_FILE 3ossl" -.TH BIO_S_FILE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_S_FILE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_s_mem.3 b/secure/lib/libcrypto/man/man3/BIO_s_mem.3 index 58320b109713..b6fec16d9104 100644 --- a/secure/lib/libcrypto/man/man3/BIO_s_mem.3 +++ b/secure/lib/libcrypto/man/man3/BIO_s_mem.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_S_MEM 3ossl" -.TH BIO_S_MEM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_S_MEM 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_s_null.3 b/secure/lib/libcrypto/man/man3/BIO_s_null.3 index b2c14922bcb3..0c44cb03e57f 100644 --- a/secure/lib/libcrypto/man/man3/BIO_s_null.3 +++ b/secure/lib/libcrypto/man/man3/BIO_s_null.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_S_NULL 3ossl" -.TH BIO_S_NULL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_S_NULL 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_s_socket.3 b/secure/lib/libcrypto/man/man3/BIO_s_socket.3 index 949cade498a1..e8d94aa41fb0 100644 --- a/secure/lib/libcrypto/man/man3/BIO_s_socket.3 +++ b/secure/lib/libcrypto/man/man3/BIO_s_socket.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_S_SOCKET 3ossl" -.TH BIO_S_SOCKET 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_S_SOCKET 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -74,7 +77,7 @@ BIO_s_socket, BIO_new_socket \- socket BIO .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBBIO_s_socket()\fR returns the socket BIO method. This is a wrapper -round the platform's socket routines. +round the platform\*(Aqs socket routines. .PP \&\fBBIO_read_ex()\fR and \fBBIO_write_ex()\fR read or write the underlying socket. \&\fBBIO_puts()\fR is supported but \fBBIO_gets()\fR is not. diff --git a/secure/lib/libcrypto/man/man3/BIO_sendmmsg.3 b/secure/lib/libcrypto/man/man3/BIO_sendmmsg.3 index f415219e8130..e029c64faa22 100644 --- a/secure/lib/libcrypto/man/man3/BIO_sendmmsg.3 +++ b/secure/lib/libcrypto/man/man3/BIO_sendmmsg.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_SENDMMSG 3ossl" -.TH BIO_SENDMMSG 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_SENDMMSG 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -105,14 +108,14 @@ The caller should set the \fIdata\fR member of a \fBBIO_MSG\fR to a buffer conta the data to send, or to be filled with a received message. \fIdata_len\fR should be set to the size of the buffer in bytes. If the given \fBBIO_MSG\fR is processed (in other words, if the integer returned by the function is greater than or equal to -that \fBBIO_MSG\fR's array index), \fIdata_len\fR will be modified to specify the +that \fBBIO_MSG\fR\*(Aqs array index), \fIdata_len\fR will be modified to specify the actual amount of data sent or received. .PP -The \fIflags\fR field of a \fBBIO_MSG\fR provides input per-message flags to the +The \fIflags\fR field of a \fBBIO_MSG\fR provides input per\-message flags to the invocation. If the invocation processes that \fBBIO_MSG\fR, the \fIflags\fR field is -written with output per-message flags, or zero if no such flags are applicable. +written with output per\-message flags, or zero if no such flags are applicable. .PP -Currently, no input or output per-message flags are defined and this field +Currently, no input or output per\-message flags are defined and this field should be set to zero before calling \fBBIO_sendmmsg()\fR or \fBBIO_recvmmsg()\fR. .PP The \fIflags\fR argument to \fBBIO_sendmmsg()\fR and \fBBIO_recvmmsg()\fR provides global 
@@ -121,47 +124,47 @@ defined and this argument should be set to zero. .PP When these functions are used to send and receive datagrams, the \fIpeer\fR field of a \fBBIO_MSG\fR allows the destination address of sent datagrams to be specified -on a per-datagram basis, and the source address of received datagrams to be +on a per\-datagram basis, and the source address of received datagrams to be determined. The \fIpeer\fR field should be set to point to a \fBBIO_ADDR\fR, which will be read by \fBBIO_sendmmsg()\fR and used as the destination address for sent datagrams, and written by \fBBIO_recvmmsg()\fR with the source address of received datagrams. .PP Similarly, the \fIlocal\fR field of a \fBBIO_MSG\fR allows the source address of sent -datagrams to be specified on a per-datagram basis, and the destination address +datagrams to be specified on a per\-datagram basis, and the destination address of received datagrams to be determined. Unlike \fIpeer\fR, support for \fIlocal\fR must be explicitly enabled on a \fBBIO\fR before it can be used; see -\&\fBBIO_dgram_set_local_addr_enable()\fR. If \fIlocal\fR is non-NULL in a \fBBIO_MSG\fR and +\&\fBBIO_dgram_set_local_addr_enable()\fR. If \fIlocal\fR is non\-NULL in a \fBBIO_MSG\fR and support for \fIlocal\fR has not been enabled, processing of that \fBBIO_MSG\fR fails. .PP \&\fIpeer\fR and \fIlocal\fR should be set to NULL if they are not required. Support for \&\fIlocal\fR may not be available on all platforms; on these platforms, these -functions always fail if \fIlocal\fR is non-NULL. +functions always fail if \fIlocal\fR is non\-NULL. .PP If \fIlocal\fR is specified and local address support is enabled, but the operating system does not report a local address for a specific received message, the \&\fBBIO_ADDR\fR it points to will be cleared (address family set to \f(CW\*(C`AF_UNSPEC\*(C'\fR). 
This is known to happen on Windows when a packet is received which was sent by -the local system, regardless of whether the packet's destination address was the -loopback address or the IP address of a local non-loopback interface. This is +the local system, regardless of whether the packet\*(Aqs destination address was the +loopback address or the IP address of a local non\-loopback interface. This is also known to happen on macOS in some circumstances, such as for packets sent before local address support was enabled for a receiving socket. These are -OS-specific limitations. As such, users of this API using local address support +OS\-specific limitations. As such, users of this API using local address support should expect to sometimes receive a cleared local \fBBIO_ADDR\fR instead of the correct value. .PP The \fIstride\fR argument must be set to \f(CWsizeof(BIO_MSG)\fR. This argument facilitates backwards compatibility if fields are added to \fBBIO_MSG\fR. Callers -must zero-initialize \fBBIO_MSG\fR. +must zero\-initialize \fBBIO_MSG\fR. .PP \&\fInum_msg\fR should be sent to the maximum number of messages to send or receive, which is also the length of the array pointed to by \fImsg\fR. .PP -\&\fImsgs_processed\fR must be non-NULL and points to an integer written with the +\&\fImsgs_processed\fR must be non\-NULL and points to an integer written with the number of messages successfully processed; see the RETURN VALUES section for further discussion. .PP -Unlike most BIO functions, these functions explicitly support multi-threaded +Unlike most BIO functions, these functions explicitly support multi\-threaded use. Multiple concurrent writers and multiple concurrent readers of the same BIO are permitted in any combination. As such, these functions do not clear, set, or otherwise modify BIO retry flags. The return value must be used to determine 
@@ -186,7 +189,7 @@ which is transient in nature. .SH NOTES .IX Header "NOTES" Some implementations of the \fBBIO_sendmmsg()\fR and \fBBIO_recvmmsg()\fR BIO methods might -always process at most one message at a time, for example when OS-level +always process at most one message at a time, for example when OS\-level functionality to transmit or receive multiple messages at a time is not available. .SH "RETURN VALUES" @@ -197,7 +200,7 @@ the number of messages successfully processed (which need not be nonzero) to entries in the \fBBIO_MSG\fR array from 0 through n\-1 inclusive have their \&\fIdata_len\fR and \fIflags\fR fields updated with the results of the operation on that message. If the call was to \fBBIO_recvmmsg()\fR and the \fIpeer\fR or \fIlocal\fR -fields of that message are non-NULL, the \fBBIO_ADDR\fR structures they point to +fields of that message are non\-NULL, the \fBBIO_ADDR\fR structures they point to are written with the relevant address. .PP On failure, the functions \fBBIO_sendmmsg()\fR and \fBBIO_recvmmsg()\fR return 0 and write 
@@ -209,35 +212,35 @@ error using \fBERR_raise\fR\|(3). Any error may be raised, but the following in particular may be noted: .IP \fBBIO_R_LOCAL_ADDR_NOT_AVAILABLE\fR 2 .IX Item "BIO_R_LOCAL_ADDR_NOT_AVAILABLE" -The \fIlocal\fR field was set to a non-NULL value, but local address support is not +The \fIlocal\fR field was set to a non\-NULL value, but local address support is not available or not enabled on the BIO. .IP \fBBIO_R_PEER_ADDR_NOT_AVAILABLE\fR 2 .IX Item "BIO_R_PEER_ADDR_NOT_AVAILABLE" -The \fIpeer\fR field was set to a non-NULL value, but peer address support is not +The \fIpeer\fR field was set to a non\-NULL value, but peer address support is not available on the BIO. .IP \fBBIO_R_UNSUPPORTED_METHOD\fR 2 .IX Item "BIO_R_UNSUPPORTED_METHOD" The \fBBIO_sendmmsg()\fR or \fBBIO_recvmmsg()\fR method is not supported on the BIO. .IP \fBBIO_R_NON_FATAL\fR 2 .IX Item "BIO_R_NON_FATAL" -The call failed due to a transient, non-fatal error (for example, because the +The call failed due to a transient, non\-fatal error (for example, because the BIO is in nonblocking mode and the call would otherwise have blocked). .Sp Implementations of this interface which do not make system calls and thereby -pass through system error codes using \fBERR_LIB_SYS\fR (for example, memory-based +pass through system error codes using \fBERR_LIB_SYS\fR (for example, memory\-based implementations) should issue this reason code to indicate a transient failure. However, users of this interface should not test for this reason code directly, as there are multiple possible packed error codes representing a transient failure; use \fBBIO_err_is_non_fatal()\fR instead (discussed below). 
.IP "Socket errors" 2 .IX Item "Socket errors" -OS-level socket errors are reported using an error with library code +OS\-level socket errors are reported using an error with library code \&\fBERR_LIB_SYS\fR; for a packed error code \fBerrcode\fR where -\&\f(CW\*(C`ERR_SYSTEM_ERROR(errcode) == 1\*(C'\fR, the OS-level socket error code can be +\&\f(CW\*(C`ERR_SYSTEM_ERROR(errcode) == 1\*(C'\fR, the OS\-level socket error code can be retrieved using \f(CWERR_GET_REASON(errcode)\fR. The packed error code can be retrieved by calling \fBERR_peek_last_error\fR\|(3) after the call to \fBBIO_sendmmsg()\fR or \fBBIO_recvmmsg()\fR returns 0. -.IP "Non-fatal errors" 2 +.IP "Non\-fatal errors" 2 .IX Item "Non-fatal errors" Whether an error is transient can be determined by passing the packed error code to \fBBIO_err_is_non_fatal()\fR. Callers should do this instead of testing the reason diff --git a/secure/lib/libcrypto/man/man3/BIO_set_callback.3 b/secure/lib/libcrypto/man/man3/BIO_set_callback.3 index dc4c5c455021..1d21492b851c 100644 --- a/secure/lib/libcrypto/man/man3/BIO_set_callback.3 +++ b/secure/lib/libcrypto/man/man3/BIO_set_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_SET_CALLBACK 3ossl" -.TH BIO_SET_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_SET_CALLBACK 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -106,7 +109,7 @@ see \fBopenssl_user_macros\fR\|(7): .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBBIO_set_callback_ex()\fR and \fBBIO_get_callback_ex()\fR set and retrieve the BIO -callback. The callback is called during most high-level BIO operations. It can +callback. The callback is called during most high\-level BIO operations. It can be used for debugging purposes to trace operations on a BIO or to modify its operation. .PP @@ -135,7 +138,7 @@ The BIO the callback is attached to is passed in \fBb\fR. .IX Item "oper" \&\fBoper\fR is set to the operation being performed. For some operations the callback is called twice, once before and once after the actual -operation, the latter case has \fBoper\fR or'ed with BIO_CB_RETURN. +operation, the latter case has \fBoper\fR or\*(Aqed with BIO_CB_RETURN. .IP \fBlen\fR 4 .IX Item "len" The length of the data requested to be read or written. This is only useful if @@ -353,7 +356,7 @@ respectively. \&\fBBIO_get_callback_arg()\fR returns a \fBchar\fR pointer to the value previously set via a call to \fBBIO_set_callback_arg()\fR. .PP -\&\fBBIO_debug_callback()\fR returns 1 or \fBret\fR if it's called after specific BIO +\&\fBBIO_debug_callback()\fR returns 1 or \fBret\fR if it\*(Aqs called after specific BIO operations. .SH EXAMPLES .IX Header "EXAMPLES" @@ -364,7 +367,7 @@ in crypto/bio/bio_cb.c The \fBBIO_debug_callback_ex()\fR function was added in OpenSSL 3.0. .PP \&\fBBIO_set_callback()\fR, \fBBIO_get_callback()\fR, and \fBBIO_debug_callback()\fR were -deprecated in OpenSSL 3.0. Use the non-deprecated _ex functions instead. +deprecated in OpenSSL 3.0. Use the non\-deprecated _ex functions instead. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man3/BIO_set_flags.3 b/secure/lib/libcrypto/man/man3/BIO_set_flags.3 new file mode 100644 index 000000000000..918d9ec695a5 --- /dev/null 
+++ b/secure/lib/libcrypto/man/man3/BIO_set_flags.3 
@@ -0,0 +1,236 @@ +.\" -*- mode: troff; coding: utf-8 -*- +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>. +.ie n \{\ +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{\ +. if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +. \} +.\} +.rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l +.\" ======================================================================== +.\" +.IX Title "BIO_SET_FLAGS 3ossl" +.TH BIO_SET_FLAGS 3ossl 2026-04-07 3.5.6 OpenSSL +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. 
+.if n .ad l +.nh +.SH NAME +BIO_set_flags, BIO_clear_flags, BIO_test_flags, BIO_get_flags, +BIO_set_retry_read, BIO_set_retry_write, BIO_set_retry_special, +BIO_clear_retry_flags, BIO_get_retry_flags +\&\- manipulate and interpret BIO flags +.SH SYNOPSIS +.IX Header "SYNOPSIS" +.Vb 1 +\& #include <openssl/bio.h> +\& +\& void BIO_set_flags(BIO *b, int flags); +\& void BIO_clear_flags(BIO *b, int flags); +\& int BIO_test_flags(const BIO *b, int flags); +\& int BIO_get_flags(const BIO *b); +\& +\& void BIO_set_retry_read(BIO *b); +\& void BIO_set_retry_write(BIO *b); +\& void BIO_set_retry_special(BIO *b); +\& void BIO_clear_retry_flags(BIO *b); +\& int BIO_get_retry_flags(BIO *b); +.Ve +.SH DESCRIPTION +.IX Header "DESCRIPTION" +A \fBBIO\fR has an internal set of bit flags that describe its state. These +functions and macros are used primarily by \fBBIO\fR implementations and by code +that builds \fBBIO\fR chains to manipulate those flags. +.PP +\&\fBBIO_set_flags()\fR sets the bits given in \fIflags\fR in the \fBBIO\fR \fIb\fR. Any bits +already set in the \fBBIO\fR\*(Aqs flag word remain set. +.PP +\&\fBBIO_clear_flags()\fR clears the bits given in \fIflags\fR from the \fBBIO\fR \fIb\fR. Any +other bits in the flag word are left unchanged. +.PP +\&\fBBIO_test_flags()\fR tests the bits given in \fIflags\fR in the \fBBIO\fR \fIb\fR and +returns a nonzero value if any of them are currently set and zero +otherwise. +.PP +\&\fBBIO_get_flags()\fR returns the current flag word from the \fBBIO\fR \fIb\fR. This is +equivalent to testing for all bits and returning the result. +.PP +The following convenience macros are built on top of these primitives and are +used to maintain the retry state of a BIO: +.PP +\&\fBBIO_set_retry_read()\fR marks the \fBBIO\fR \fIb\fR as being in a retryable state +by setting the \fBBIO_FLAGS_SHOULD_RETRY\fR flag. In addition, it sets the +\&\fBBIO_FLAGS_READ\fR flag to indicate that the retry condition is +associated with a read operation. 
+.PP +\&\fBBIO_set_retry_write()\fR marks the \fBBIO\fR \fIb\fR as being in a retryable state +by setting the \fBBIO_FLAGS_SHOULD_RETRY\fR flag. In addition, it sets the +\&\fBBIO_FLAGS_WRITE\fR flag to indicate that the retry condition is +associated with a write operation. +.PP +\&\fBBIO_set_retry_special()\fR marks the \fBBIO\fR \fIb\fR as being in a retryable state +by setting the \fBBIO_FLAGS_SHOULD_RETRY\fR flag. In addition, it sets the +\&\fBBIO_FLAGS_IO_SPECIAL\fR flag to indicate that the retry condition is +associated with a read operation some "special" condition. +The precise meaning of this condition depends on the \fBBIO\fR type. +.PP +\&\fBBIO_clear_retry_flags()\fR clears all retry\-related bits from \fIb\fR, i.e. +\&\fBBIO_FLAGS_READ\fR, \fBBIO_FLAGS_WRITE\fR, \fBBIO_FLAGS_IO_SPECIAL\fR, and +\&\fBBIO_FLAGS_SHOULD_RETRY\fR. +.PP +\&\fBBIO_get_retry_flags()\fR returns retry\-related bits that are +currently set in \fIb\fR. The result is a subset of +\&\fBBIO_FLAGS_RWS|BIO_FLAGS_SHOULD_RETRY\fR. +.PP +The retry bits are interpreted by the higher level macros +\&\fBBIO_should_read()\fR, \fBBIO_should_write()\fR, \fBBIO_should_io_special()\fR, +\&\fBBIO_retry_type()\fR and \fBBIO_should_retry()\fR, as documented in +\&\fBBIO_should_retry\fR\|(3). Application code will typically use those macros +rather than manipulate the underlying flags directly. +.PP +The following flag bits are currently defined for use with \fBBIO_set_flags()\fR, +\&\fBBIO_clear_flags()\fR and \fBBIO_test_flags()\fR: +.IP \fBBIO_FLAGS_READ\fR 4 +.IX Item "BIO_FLAGS_READ" +The last I/O operation should be retried when the \fBBIO\fR becomes readable. +This flag is normally set by the \fBBIO\fR implementation via \fBBIO_set_retry_read()\fR +after a failed read operation. +.IP \fBBIO_FLAGS_WRITE\fR 4 +.IX Item "BIO_FLAGS_WRITE" +The last I/O operation should be retried when the \fBBIO\fR becomes writable. 
+This flag is normally set by the \fBBIO\fR implementation via \fBBIO_set_retry_write()\fR +after a failed write operation. +.IP \fBBIO_FLAGS_IO_SPECIAL\fR 4 +.IX Item "BIO_FLAGS_IO_SPECIAL" +The last I/O operation should be retried when some "special" condition +becomes true. The precise meaning of this condition depends on the \fBBIO\fR +type and is usually obtained via \fBBIO_get_retry_BIO()\fR and +\&\fBBIO_get_retry_reason()\fR as described in \fBBIO_should_retry\fR\|(3). +This flag is normally set by the \fBBIO\fR implementation via +\&\fBBIO_set_retry_special()\fR. +.IP \fBBIO_FLAGS_RWS\fR 4 +.IX Item "BIO_FLAGS_RWS" +The bitwise OR of \fBBIO_FLAGS_READ\fR, \fBBIO_FLAGS_WRITE\fR and +\&\fBBIO_FLAGS_IO_SPECIAL\fR. This mask is used when clearing or extracting +the retry\-direction bits. +.IP \fBBIO_FLAGS_SHOULD_RETRY\fR 4 +.IX Item "BIO_FLAGS_SHOULD_RETRY" +Set if the last I/O operation on the \fBBIO\fR should be retried at a later time. +If this bit is not set then the condition is treated as an error. +This flag is normally set by the \fBBIO\fR implementation. +.IP \fBBIO_FLAGS_BASE64_NO_NL\fR 4 +.IX Item "BIO_FLAGS_BASE64_NO_NL" +When set on a base64 filter \fBBIO\fR this flag disables the generation of +newline characters in the encoded output and causes newlines to be ignored +in the input. See also \fBBIO_f_base64\fR\|(3). +The flag has no effect on any other built\-in \fBBIO\fR types. +.IP \fBBIO_FLAGS_MEM_RDONLY\fR 4 +.IX Item "BIO_FLAGS_MEM_RDONLY" +When set on a memory \fBBIO\fR this flag indicates that the underlying buffer is +read only. Attempts to write to such a \fBBIO\fR will fail. +The flag has no effect on any other built\-in \fBBIO\fR types. +.IP \fBBIO_FLAGS_NONCLEAR_RST\fR 4 +.IX Item "BIO_FLAGS_NONCLEAR_RST" +On a memory \fBBIO\fR this flag modifies the behaviour of \fBBIO_reset()\fR. When it +is set, resetting the \fBBIO\fR does not clear the underlying buffer but only +resets the current read position. 
+The flag has no effect on any other built\-in \fBBIO\fR types. +.IP \fBBIO_FLAGS_IN_EOF\fR 4 +.IX Item "BIO_FLAGS_IN_EOF" +This flag may be used by a \fBBIO\fR implementation to indicate that the end +of the input stream has been reached. However, \fBBIO\fR types are not +required to use this flag to signal end\-of\-file conditions; they may rely +on other mechanisms such as system calls or by querying the next \fBBIO\fR in a +chain. Applications must therefore not test this flag directly to +determine whether EOF has been reached, and must use \fBBIO_eof()\fR instead. +.PP +A range of additional flag values is reserved for internal use by OpenSSL +to track kernel TLS (KTLS) state. This range and the corresponding flag +macros are not part of the public API and must not be used by applications. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fBBIO_get_flags()\fR returns a bit mask of the flags currently set on the \fBBIO\fR. +.PP +\&\fBBIO_test_flags()\fR returns a bit mask consisting of those flags from the +argument that are currently set in the \fBBIO\fR. Consequently, it returns a +nonzero value if and only if at least one of the requested flags is set. +.PP +\&\fBBIO_get_retry_flags()\fR returns a bit mask consisting of those flags from +\&\fBBIO_FLAGS_READ\fR, \fBBIO_FLAGS_WRITE\fR, \fBBIO_FLAGS_IO_SPECIAL\fR, and +\&\fBBIO_FLAGS_SHOULD_RETRY\fR that are currently set in the \fIBIO\fR. +.SH NOTES +.IX Header "NOTES" +Ordinary application code will rarely need to call \fBBIO_set_flags()\fR, +\&\fBBIO_clear_flags()\fR or \fBBIO_test_flags()\fR directly. They are intended for \fBBIO\fR +implementations and for code that forwards retry state from one \fBBIO\fR in a +chain to another. +After a failed I/O operation, applications should normally use +\&\fBBIO_should_retry()\fR and related macros as described in +\&\fBBIO_should_retry\fR\|(3) instead of inspecting the flags directly. +.PP +These functions and macros are not thread\-safe. 
If a single \fBBIO\fR +is accessed from multiple threads, the caller must provide appropriate +external synchronisation. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fBBIO_should_retry\fR\|(3), \fBBIO_f_base64\fR\|(3), \fBbio\fR\|(7) +.SH HISTORY +.IX Header "HISTORY" +The functions and macros described here have been available in OpenSSL since +at least 1.1.0 (\fBBIO_FLAGS_IN_EOF\fR since 1.1.1). +.SH COPYRIGHT +.IX Header "COPYRIGHT" +Copyright 2025 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/lib/libcrypto/man/man3/BIO_should_retry.3 b/secure/lib/libcrypto/man/man3/BIO_should_retry.3 index c53a7e8c9834..db1f004be4af 100644 --- a/secure/lib/libcrypto/man/man3/BIO_should_retry.3 +++ b/secure/lib/libcrypto/man/man3/BIO_should_retry.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_SHOULD_RETRY 3ossl" -.TH BIO_SHOULD_RETRY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_SHOULD_RETRY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BIO_socket_wait.3 b/secure/lib/libcrypto/man/man3/BIO_socket_wait.3 index 7dc0e990fb22..4f37585bcb02 100644 --- a/secure/lib/libcrypto/man/man3/BIO_socket_wait.3 
+++ b/secure/lib/libcrypto/man/man3/BIO_socket_wait.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO_SOCKET_WAIT 3ossl" -.TH BIO_SOCKET_WAIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO_SOCKET_WAIT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -82,7 +85,7 @@ BIO_do_connect_retry else for writing, at most until \fBmax_time\fR. It succeeds immediately if \fBmax_time\fR == 0 (which means no timeout given). .PP -\&\fBBIO_wait()\fR waits at most until \fBmax_time\fR on the given (typically socket-based) +\&\fBBIO_wait()\fR waits at most until \fBmax_time\fR on the given (typically socket\-based) \&\fBbio\fR, for reading if \fBbio\fR is supposed to read, else for writing. It is used by \fBBIO_do_connect_retry()\fR and can be used together \fBBIO_read\fR\|(3). It succeeds immediately if \fBmax_time\fR == 0 (which means no timeout given). 
@@ -93,7 +96,7 @@ Via \fBnap_milliseconds\fR the caller determines the polling granularity. \&\fBBIO_do_connect_retry()\fR connects via the given \fBbio\fR. It retries \fBBIO_do_connect()\fR as far as needed to reach a definite outcome, i.e., connection succeeded, timeout has been reached, or an error occurred. -For nonblocking and potentially even non-socket BIOs it polls +For nonblocking and potentially even non\-socket BIOs it polls every \fBnap_milliseconds\fR and sleeps in between using \fBBIO_wait()\fR. If \fBnap_milliseconds\fR is < 0 then a default value of 100 ms is used. If the \fBtimeout\fR parameter is > 0 this indicates the maximum number of seconds diff --git a/secure/lib/libcrypto/man/man3/BN_BLINDING_new.3 b/secure/lib/libcrypto/man/man3/BN_BLINDING_new.3 index 00a96d818bd0..68b490160f95 100644 --- a/secure/lib/libcrypto/man/man3/BN_BLINDING_new.3 +++ b/secure/lib/libcrypto/man/man3/BN_BLINDING_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_BLINDING_NEW 3ossl" -.TH BN_BLINDING_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_BLINDING_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -107,7 +110,7 @@ If \fBb\fR is NULL, nothing is done. .PP \&\fBBN_BLINDING_update()\fR updates the \fBBN_BLINDING\fR parameters by squaring the \fBA\fR and \fBAi\fR or, after specific number of uses and if the -necessary parameters are set, by re-creating the blinding parameters. +necessary parameters are set, by re\-creating the blinding parameters. .PP \&\fBBN_BLINDING_convert_ex()\fR multiplies \fBn\fR with the blinding factor \fBA\fR. If \fBr\fR is not NULL a copy the inverse blinding factor \fBAi\fR will be @@ -122,7 +125,7 @@ with \fBr\fR set to NULL. .PP \&\fBBN_BLINDING_is_current_thread()\fR returns whether the \fBBN_BLINDING\fR structure is owned by the current thread. This is to help users -provide proper locking if needed for multi-threaded use. +provide proper locking if needed for multi\-threaded use. .PP \&\fBBN_BLINDING_set_current_thread()\fR sets the current thread as the owner of the \fBBN_BLINDING\fR structure. @@ -135,7 +138,7 @@ owner of the \fBBN_BLINDING\fR structure. there are two supported flags: \fBBN_BLINDING_NO_UPDATE\fR and \&\fBBN_BLINDING_NO_RECREATE\fR. \fBBN_BLINDING_NO_UPDATE\fR inhibits the automatic update of the \fBBN_BLINDING\fR parameters after each use -and \fBBN_BLINDING_NO_RECREATE\fR inhibits the automatic re-creation +and \fBBN_BLINDING_NO_RECREATE\fR inhibits the automatic re\-creation of the \fBBN_BLINDING\fR parameters after a fixed number of uses (currently 32). In newly allocated \fBBN_BLINDING\fR objects no flags are set. \&\fBBN_BLINDING_set_flags()\fR sets the \fBBN_BLINDING\fR parameters flags. 
@@ -156,7 +159,7 @@ success and 0 if an error occurred. \&\fBBN_BLINDING_is_current_thread()\fR returns 1 if the current thread owns the \fBBN_BLINDING\fR object, 0 otherwise. .PP -\&\fBBN_BLINDING_set_current_thread()\fR doesn't return anything. +\&\fBBN_BLINDING_set_current_thread()\fR doesn\*(Aqt return anything. .PP \&\fBBN_BLINDING_lock()\fR, \fBBN_BLINDING_unlock()\fR return 1 if the operation succeeded or 0 on error. diff --git a/secure/lib/libcrypto/man/man3/BN_CTX_new.3 b/secure/lib/libcrypto/man/man3/BN_CTX_new.3 index fe4057eb9b91..3ca6646f240d 100644 --- a/secure/lib/libcrypto/man/man3/BN_CTX_new.3 +++ b/secure/lib/libcrypto/man/man3/BN_CTX_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_CTX_NEW 3ossl" -.TH BN_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_CTX_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BN_CTX_start.3 b/secure/lib/libcrypto/man/man3/BN_CTX_start.3 index e94824d54266..aa68ef685945 100644 --- a/secure/lib/libcrypto/man/man3/BN_CTX_start.3 +++ b/secure/lib/libcrypto/man/man3/BN_CTX_start.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_CTX_START 3ossl" -.TH BN_CTX_START 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_CTX_START 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BN_add.3 b/secure/lib/libcrypto/man/man3/BN_add.3 index 64cc8fdf843e..def347eef2bd 100644 --- a/secure/lib/libcrypto/man/man3/BN_add.3 +++ b/secure/lib/libcrypto/man/man3/BN_add.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_ADD 3ossl" -.TH BN_ADD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_ADD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BN_add_word.3 b/secure/lib/libcrypto/man/man3/BN_add_word.3 index 7302f2c88233..083eeb60c648 100644 --- a/secure/lib/libcrypto/man/man3/BN_add_word.3 +++ b/secure/lib/libcrypto/man/man3/BN_add_word.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_ADD_WORD 3ossl" -.TH BN_ADD_WORD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_ADD_WORD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BN_bn2bin.3 b/secure/lib/libcrypto/man/man3/BN_bn2bin.3 index 6a12bf279781..7c411bb24580 100644 --- a/secure/lib/libcrypto/man/man3/BN_bn2bin.3 +++ b/secure/lib/libcrypto/man/man3/BN_bn2bin.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_BN2BIN 3ossl" -.TH BN_BN2BIN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_BN2BIN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -100,46 +103,46 @@ BN_print, BN_print_fp, BN_bn2mpi, BN_mpi2bn \- format conversions .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBBN_bn2bin()\fR converts the absolute value of \fBa\fR into big-endian form +\&\fBBN_bn2bin()\fR converts the absolute value of \fBa\fR into big\-endian form and stores it at \fBto\fR. \fBto\fR must point to BN_num_bytes(\fBa\fR) bytes of memory. \fBa\fR and \fBto\fR \fBMUST NOT\fR be NULL. .PP -\&\fBBN_bn2binpad()\fR also converts the absolute value of \fBa\fR into big-endian form +\&\fBBN_bn2binpad()\fR also converts the absolute value of \fBa\fR into big\-endian form and stores it at \fBto\fR. \fBtolen\fR indicates the length of the output buffer \&\fBto\fR. The result is padded with zeros if necessary. If \fBtolen\fR is less than BN_num_bytes(\fBa\fR) an error is returned. .PP -\&\fBBN_signed_bn2bin()\fR converts the value of \fBa\fR into big-endian signed 2's +\&\fBBN_signed_bn2bin()\fR converts the value of \fBa\fR into big\-endian signed 2\*(Aqs complements form and stores it at \fBto\fR. \fBtolen\fR indicates the length of the output buffer \fBto\fR. The result is signed extended (padded with 0x00 for positive numbers or with 0xff for negative numbers) if necessary. If \fBtolen\fR is smaller than the necessary size (which may be \&\f(CW\*(C`<BN_num_bytes(\fR\f(CBa\fR\f(CW) + 1\*(C'\fR>), an error is returned. .PP -\&\fBBN_bin2bn()\fR converts the positive integer in big-endian form of length +\&\fBBN_bin2bn()\fR converts the positive integer in big\-endian form of length \&\fBlen\fR at \fBs\fR into a \fBBIGNUM\fR and places it in \fBret\fR. If \fBret\fR is NULL, a new \fBBIGNUM\fR is created. \fBs\fR \fBMUST NOT\fR be NULL. .PP -\&\fBBN_signed_bin2bn()\fR converts the integer in big-endian signed 2's complement +\&\fBBN_signed_bin2bn()\fR converts the integer in big\-endian signed 2\*(Aqs complement form of length \fBlen\fR at \fBs\fR into a \fBBIGNUM\fR and places it in \fBret\fR. 
If \&\fBret\fR is NULL, a new \fBBIGNUM\fR is created. .PP \&\fBBN_bn2lebinpad()\fR, \fBBN_signed_bn2lebin()\fR and \fBBN_lebin2bn()\fR are identical to \&\fBBN_bn2binpad()\fR, \fBBN_signed_bn2bin()\fR and \fBBN_bin2bn()\fR except the buffer is in -little-endian format. +little\-endian format. .PP \&\fBBN_bn2nativepad()\fR, \fBBN_signed_bn2native()\fR and \fBBN_native2bn()\fR are identical to \fBBN_bn2binpad()\fR, \fBBN_signed_bn2bin()\fR and \fBBN_bin2bn()\fR except the buffer is -in native format, i.e. most significant byte first on big-endian platforms, -and least significant byte first on little-endian platforms. +in native format, i.e. most significant byte first on big\-endian platforms, +and least significant byte first on little\-endian platforms. .PP \&\fBBN_bn2hex()\fR and \fBBN_bn2dec()\fR return printable strings containing the hexadecimal and decimal encoding of \fBa\fR respectively. For negative -numbers, the string is prefaced with a leading '\-'. The string must be +numbers, the string is prefaced with a leading \*(Aq\-\*(Aq. The string must be freed later using \fBOPENSSL_free()\fR. .PP \&\fBBN_hex2bn()\fR takes as many characters as possible from the string \fBstr\fR, -including the leading character '\-' which means negative, to form a valid +including the leading character \*(Aq\-\*(Aq which means negative, to form a valid hexadecimal number representation and converts them to a \fBBIGNUM\fR and stores it in **\fBa\fR. If *\fBa\fR is NULL, a new \fBBIGNUM\fR is created. If \&\fBa\fR is NULL, it only computes the length of valid representation. 
@@ -147,12 +150,12 @@ A "negative zero" is converted to zero. \&\fBBN_dec2bn()\fR is the same using the decimal system. .PP \&\fBBN_print()\fR and \fBBN_print_fp()\fR write the hexadecimal encoding of \fBa\fR, -with a leading '\-' for negative numbers, to the \fBBIO\fR or \fBFILE\fR +with a leading \*(Aq\-\*(Aq for negative numbers, to the \fBBIO\fR or \fBFILE\fR \&\fBfp\fR. .PP \&\fBBN_bn2mpi()\fR and \fBBN_mpi2bn()\fR convert \fBBIGNUM\fRs from and to a format -that consists of the number's length in bytes represented as a 4\-byte -big-endian number, and the number itself in big-endian format, where +that consists of the number\*(Aqs length in bytes represented as a 4\-byte +big\-endian number, and the number itself in big\-endian format, where the most significant bit signals a negative number (the representation of numbers with the MSB set is prefixed with null byte). .PP @@ -165,14 +168,14 @@ a \fBBIGNUM\fR and stores it at \fBret\fR, or in a newly allocated \fBBIGNUM\fR if \fBret\fR is NULL. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fBBN_bn2bin()\fR returns the length of the big-endian number placed at \fBto\fR. +\&\fBBN_bn2bin()\fR returns the length of the big\-endian number placed at \fBto\fR. \&\fBBN_bin2bn()\fR returns the \fBBIGNUM\fR, NULL on error. .PP \&\fBBN_bn2binpad()\fR, \fBBN_signed_bn2bin()\fR, \fBBN_bn2lebinpad()\fR, \fBBN_signed_bn2lebin()\fR, \&\fBBN_bn2nativepad()\fR, and_signed \fBBN_bn2native()\fR return the number of bytes written or \-1 if the supplied buffer is too small. .PP -\&\fBBN_bn2hex()\fR and \fBBN_bn2dec()\fR return a NUL-terminated string, or NULL +\&\fBBN_bn2hex()\fR and \fBBN_bn2dec()\fR return a NUL\-terminated string, or NULL on error. \fBBN_hex2bn()\fR and \fBBN_dec2bn()\fR return the number of characters used in parsing, or 0 on error, in which case no new \fBBIGNUM\fR will be created. 
diff --git a/secure/lib/libcrypto/man/man3/BN_cmp.3 b/secure/lib/libcrypto/man/man3/BN_cmp.3 index ec3c67a4d46d..c80d7c241c6c 100644 --- a/secure/lib/libcrypto/man/man3/BN_cmp.3 +++ b/secure/lib/libcrypto/man/man3/BN_cmp.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_CMP 3ossl" -.TH BN_CMP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_CMP 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -100,7 +103,7 @@ of \fIa\fR and \fIb\fR. \&\fBBN_is_zero()\fR, \fBBN_is_one()\fR \fBBN_is_word()\fR, \fBBN_abs_is_word()\fR and \&\fBBN_is_odd()\fR return 1 if the condition is true, 0 otherwise. .PP -\&\fBBN_are_coprime()\fR returns 1 if the \fBBIGNUM\fR's are coprime, otherwise it +\&\fBBN_are_coprime()\fR returns 1 if the \fBBIGNUM\fR\*(Aqs are coprime, otherwise it returns 0. .SH HISTORY .IX Header "HISTORY" diff --git a/secure/lib/libcrypto/man/man3/BN_copy.3 b/secure/lib/libcrypto/man/man3/BN_copy.3 index 6db6baa3b82b..53dbf86d5787 100644 --- a/secure/lib/libcrypto/man/man3/BN_copy.3 +++ b/secure/lib/libcrypto/man/man3/BN_copy.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_COPY 3ossl" -.TH BN_COPY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_COPY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -91,7 +94,7 @@ restrictions apply to the use of \fBdest\fR: \&\fBdest\fR should be a newly allocated BIGNUM obtained via a call to \fBBN_new()\fR. It should not have been used for other purposes or initialised in any way. .IP \(bu 2 -\&\fBdest\fR must only be used in "read-only" operations, i.e. typically those +\&\fBdest\fR must only be used in "read\-only" operations, i.e. typically those functions where the relevant parameter is declared "const". .IP \(bu 2 \&\fBdest\fR must be used and freed before any further subsequent use of \fBb\fR diff --git a/secure/lib/libcrypto/man/man3/BN_generate_prime.3 b/secure/lib/libcrypto/man/man3/BN_generate_prime.3 index 08d428611b8f..e52ce8345e29 100644 --- a/secure/lib/libcrypto/man/man3/BN_generate_prime.3 +++ b/secure/lib/libcrypto/man/man3/BN_generate_prime.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_GENERATE_PRIME 3ossl" -.TH BN_GENERATE_PRIME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_GENERATE_PRIME 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -123,13 +126,13 @@ see \fBopenssl_user_macros\fR\|(7): .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBBN_generate_prime_ex2()\fR generates a pseudo-random prime number of +\&\fBBN_generate_prime_ex2()\fR generates a pseudo\-random prime number of at least bit length \fBbits\fR using the BN_CTX provided in \fBctx\fR. The value of \&\fBctx\fR must not be NULL. .PP The returned number is probably prime with a negligible error. The maximum error rate is 2^\-128. -It's 2^\-287 for a 512 bit prime, 2^\-435 for a 1024 bit prime, +It\*(Aqs 2^\-287 for a 512 bit prime, 2^\-435 for a 1024 bit prime, 2^\-648 for a 2048 bit prime, and lower than 2^\-882 for primes larger than 2048 bit. .PP @@ -152,7 +155,7 @@ The callers of \fBBN_generate_prime_ex()\fR may call \fBBN_GENCB_call(cb, i, j)\ other values as described in their respective man pages; see "SEE ALSO". .PP The prime may have to fulfill additional requirements for use in -Diffie-Hellman key exchange: +Diffie\-Hellman key exchange: .PP If \fBadd\fR is not \fBNULL\fR, the prime will fulfill the condition p % \fBadd\fR == \fBrem\fR (p % \fBadd\fR == 1 if \fBrem\fR == \fBNULL\fR) in order to suit a given 
@@ -181,15 +184,15 @@ or all the tests passed. If \fBp\fR passes all these tests, it is considered a probable prime. .PP The test performed on \fBp\fR are trial division by a number of small primes -and rounds of the Miller-Rabin probabilistic primality test. +and rounds of the Miller\-Rabin probabilistic primality test. .PP -The functions do at least 64 rounds of the Miller-Rabin test giving a maximum +The functions do at least 64 rounds of the Miller\-Rabin test giving a maximum false positive rate of 2^\-128. If the size of \fBp\fR is more than 2048 bits, they do at least 128 rounds giving a maximum false positive rate of 2^\-256. .PP If \fBnchecks\fR is larger than the minimum above (64 or 128), \fBnchecks\fR -rounds of the Miller-Rabin test will be done. +rounds of the Miller\-Rabin test will be done. .PP If \fBdo_trial_division\fR set to \fB0\fR, the trial division will be skipped. \&\fBBN_is_prime_ex()\fR and \fBBN_is_prime()\fR always skip the trial division. @@ -207,7 +210,7 @@ freeing the structure in a loop), or \fBNULL\fR. If the trial division is done, and no divisors are found and \fBcb\fR is not \fBNULL\fR, \fBBN_GENCB_call(cb, 1, \-1)\fR is called. .PP -After each round of the Miller-Rabin probabilistic primality test, +After each round of the Miller\-Rabin probabilistic primality test, if \fBcb\fR is not \fBNULL\fR, \fBBN_GENCB_call(cb, 1, j)\fR is called with \fBj\fR the iteration (j = 0, 1, ...). .PP 
@@ -236,7 +239,7 @@ It is possible to obtain the argument associated with a BN_GENCB structure (set via a call to BN_GENCB_set or BN_GENCB_set_old) using BN_GENCB_get_arg. .PP \&\fBBN_generate_prime()\fR (deprecated) works in the same way as -\&\fBBN_generate_prime_ex()\fR but expects an old-style callback function +\&\fBBN_generate_prime_ex()\fR but expects an old\-style callback function directly in the \fBcallback\fR parameter, and an argument to pass to it in the \fBcb_arg\fR. \fBBN_is_prime()\fR and \fBBN_is_prime_fasttest()\fR can similarly be compared to \fBBN_is_prime_ex()\fR and diff --git a/secure/lib/libcrypto/man/man3/BN_mod_exp_mont.3 b/secure/lib/libcrypto/man/man3/BN_mod_exp_mont.3 index 6ccfb89ee779..b9878ae89eb9 100644 --- a/secure/lib/libcrypto/man/man3/BN_mod_exp_mont.3 +++ b/secure/lib/libcrypto/man/man3/BN_mod_exp_mont.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_MOD_EXP_MONT 3ossl" -.TH BN_MOD_EXP_MONT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_MOD_EXP_MONT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -92,7 +95,7 @@ function, so you can save time on initialization if you provide it in advance. \&\fBBN_mod_exp_mont_consttime()\fR computes \fIa\fR to the \fIp\fR\-th power modulo \fIm\fR (\f(CW\*(C`rr=a^p % m\*(C'\fR) using Montgomery multiplication. It is a variant of \&\fBBN_mod_exp_mont\fR\|(3) that uses fixed windows and the special precomputation -memory layout to limit data-dependency to a minimum to protect secret exponents. +memory layout to limit data\-dependency to a minimum to protect secret exponents. It is called automatically when \fBBN_mod_exp_mont\fR\|(3) is called with parameters \&\fIa\fR, \fIp\fR, \fIm\fR, any of which have \fBBN_FLG_CONSTTIME\fR flag. .PP diff --git a/secure/lib/libcrypto/man/man3/BN_mod_inverse.3 b/secure/lib/libcrypto/man/man3/BN_mod_inverse.3 index 0bb0ea7d79a5..f6002da58afa 100644 --- a/secure/lib/libcrypto/man/man3/BN_mod_inverse.3 +++ b/secure/lib/libcrypto/man/man3/BN_mod_inverse.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_MOD_INVERSE 3ossl" -.TH BN_MOD_INVERSE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_MOD_INVERSE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BN_mod_mul_montgomery.3 b/secure/lib/libcrypto/man/man3/BN_mod_mul_montgomery.3 index dc70f6f451a9..b1531eeef737 100644 --- a/secure/lib/libcrypto/man/man3/BN_mod_mul_montgomery.3 +++ b/secure/lib/libcrypto/man/man3/BN_mod_mul_montgomery.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_MOD_MUL_MONTGOMERY 3ossl" -.TH BN_MOD_MUL_MONTGOMERY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_MOD_MUL_MONTGOMERY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BN_mod_mul_reciprocal.3 b/secure/lib/libcrypto/man/man3/BN_mod_mul_reciprocal.3 index 922808c50555..dd42294fa507 100644 --- a/secure/lib/libcrypto/man/man3/BN_mod_mul_reciprocal.3 +++ b/secure/lib/libcrypto/man/man3/BN_mod_mul_reciprocal.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_MOD_MUL_RECIPROCAL 3ossl" -.TH BN_MOD_MUL_RECIPROCAL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_MOD_MUL_RECIPROCAL 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BN_new.3 b/secure/lib/libcrypto/man/man3/BN_new.3 index 685c65fbaf19..5a93ae085ae7 100644 
--- a/secure/lib/libcrypto/man/man3/BN_new.3 +++ b/secure/lib/libcrypto/man/man3/BN_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_NEW 3ossl" -.TH BN_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BN_num_bytes.3 b/secure/lib/libcrypto/man/man3/BN_num_bytes.3 index 0e96d80dcccb..4c115e83a16a 100644 --- a/secure/lib/libcrypto/man/man3/BN_num_bytes.3 +++ b/secure/lib/libcrypto/man/man3/BN_num_bytes.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_NUM_BYTES 3ossl" -.TH BN_NUM_BYTES 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_NUM_BYTES 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -91,14 +94,14 @@ The size. .SH NOTES .IX Header "NOTES" Some have tried using \fBBN_num_bits()\fR on individual numbers in RSA keys, -DH keys and DSA keys, and found that they don't always come up with +DH keys and DSA keys, and found that they don\*(Aqt always come up with the number of bits they expected (something like 512, 1024, 2048, \&...). This is because generating a number with some specific number -of bits doesn't always set the highest bits, thereby making the number +of bits doesn\*(Aqt always set the highest bits, thereby making the number of \fIsignificant\fR bits a little lower. If you want to know the "key size" of such a key, either use functions like \fBRSA_size()\fR, \fBDH_size()\fR and \fBDSA_size()\fR, or use \fBBN_num_bytes()\fR and multiply with 8 (although -there's no real guarantee that will match the "key size", just a lot +there\*(Aqs no real guarantee that will match the "key size", just a lot more probability). .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/BN_rand.3 b/secure/lib/libcrypto/man/man3/BN_rand.3 index 37868bbe0e30..3dcaaa5cfdaa 100644 --- a/secure/lib/libcrypto/man/man3/BN_rand.3 +++ b/secure/lib/libcrypto/man/man3/BN_rand.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_RAND 3ossl" -.TH BN_RAND 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_RAND 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -97,7 +100,7 @@ see \fBopenssl_user_macros\fR\|(7): .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBBN_rand_ex()\fR generates a cryptographically strong pseudo-random +\&\fBBN_rand_ex()\fR generates a cryptographically strong pseudo\-random number of \fIbits\fR in length and security strength at least \fIstrength\fR bits using the random number generator for the library context associated with \&\fIctx\fR. The function stores the generated data in \fIrnd\fR. The parameter \fIctx\fR @@ -119,7 +122,7 @@ If \fIbits\fR is 1 then \fItop\fR cannot also be \fBBN_RAND_TOP_TWO\fR. \&\fBBN_rand()\fR is the same as \fBBN_rand_ex()\fR except that the default library context is always used. .PP -\&\fBBN_rand_range_ex()\fR generates a cryptographically strong pseudo-random +\&\fBBN_rand_range_ex()\fR generates a cryptographically strong pseudo\-random number \fIrnd\fR, of security strength at least \fIstrength\fR bits, in the range 0 <= \fIrnd\fR < \fIrange\fR using the random number generator for the library context associated with \fIctx\fR. The parameter \fIctx\fR diff --git a/secure/lib/libcrypto/man/man3/BN_security_bits.3 b/secure/lib/libcrypto/man/man3/BN_security_bits.3 index 15449df90a33..b846406f9d6e 100644 --- a/secure/lib/libcrypto/man/man3/BN_security_bits.3 +++ b/secure/lib/libcrypto/man/man3/BN_security_bits.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_SECURITY_BITS 3ossl" -.TH BN_SECURITY_BITS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_SECURITY_BITS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -78,7 +81,7 @@ of asymmetric algorithms: the FFC (Finite Field Cryptography) and IFC (Integer Factorization Cryptography). For FFC, e.g., DSA and DH, both parameters \fBL\fR and \fBN\fR are used to decide the bits of security, where \&\fBL\fR is the size of the public key and \fBN\fR is the size of the private -key. For IFC, e.g., RSA, only \fBL\fR is used and it's commonly considered +key. For IFC, e.g., RSA, only \fBL\fR is used and it\*(Aqs commonly considered to be the key size (modulus). .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/BN_set_bit.3 b/secure/lib/libcrypto/man/man3/BN_set_bit.3 index 955ca4459ddb..ae9fcd7f3ad1 100644 --- a/secure/lib/libcrypto/man/man3/BN_set_bit.3 +++ b/secure/lib/libcrypto/man/man3/BN_set_bit.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_SET_BIT 3ossl" -.TH BN_SET_BIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_SET_BIT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -94,7 +97,7 @@ error occurs if \fBa\fR is shorter than \fBn\fR bits. \&\fBBN_mask_bits()\fR truncates \fBa\fR to an \fBn\fR bit number (\f(CW\*(C`a&=~((~0)<<n)\*(C'\fR). An error occurs if \fBn\fR is negative. An error is also returned if the internal representation of \fBa\fR is already shorter than -\&\fBn\fR bits. The internal representation depends on the platform's word size, and +\&\fBn\fR bits. The internal representation depends on the platform\*(Aqs word size, and this error can be safely ignored. Use \fBBN_num_bits\fR\|(3) to determine the exact number of bits if needed. .PP diff --git a/secure/lib/libcrypto/man/man3/BN_swap.3 b/secure/lib/libcrypto/man/man3/BN_swap.3 index bb898c1a4516..4c4fb3f37580 100644 --- a/secure/lib/libcrypto/man/man3/BN_swap.3 +++ b/secure/lib/libcrypto/man/man3/BN_swap.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_SWAP 3ossl" -.TH BN_SWAP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_SWAP 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/BN_zero.3 b/secure/lib/libcrypto/man/man3/BN_zero.3 index f4a6f25b5eeb..688f2400a84e 100644 --- a/secure/lib/libcrypto/man/man3/BN_zero.3 +++ b/secure/lib/libcrypto/man/man3/BN_zero.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BN_ZERO 3ossl" -.TH BN_ZERO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BN_ZERO 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -90,7 +93,7 @@ is useful for use in comparisons and assignment. \&\fBBN_get_word()\fR returns \fBa\fR, if it can be represented as a \fBBN_ULONG\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fBBN_get_word()\fR returns the value \fBa\fR, or all-bits-set if \fBa\fR cannot +\&\fBBN_get_word()\fR returns the value \fBa\fR, or all\-bits\-set if \fBa\fR cannot be represented as a single integer. .PP \&\fBBN_one()\fR and \fBBN_set_word()\fR return 1 on success, 0 otherwise. 
@@ -98,7 +101,7 @@ be represented as a single integer. \&\fBBN_zero()\fR never fails and returns no value. .SH BUGS .IX Header "BUGS" -If a \fBBIGNUM\fR is equal to the value of all-bits-set, it will collide +If a \fBBIGNUM\fR is equal to the value of all\-bits\-set, it will collide with the error condition returned by \fBBN_get_word()\fR which uses that as an error value. .PP diff --git a/secure/lib/libcrypto/man/man3/BUF_MEM_new.3 b/secure/lib/libcrypto/man/man3/BUF_MEM_new.3 index ce09ddfef899..9eb7020dbd2c 100644 --- a/secure/lib/libcrypto/man/man3/BUF_MEM_new.3 +++ b/secure/lib/libcrypto/man/man3/BUF_MEM_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BUF_MEM_NEW 3ossl" -.TH BUF_MEM_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH BUF_MEM_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -99,11 +102,11 @@ If the argument is NULL, nothing is done. \&\fBlen\fR. Any data already in the buffer is preserved if it increases in size. .PP -\&\fBBUF_MEM_grow_clean()\fR is similar to \fBBUF_MEM_grow()\fR but it sets any free'd -or additionally-allocated memory to zero. +\&\fBBUF_MEM_grow_clean()\fR is similar to \fBBUF_MEM_grow()\fR but it sets any free\*(Aqd +or additionally\-allocated memory to zero. .PP \&\fBBUF_reverse()\fR reverses \fBsize\fR bytes at \fBin\fR into \fBout\fR. If \fBin\fR -is NULL, the array is reversed in-place. +is NULL, the array is reversed in\-place. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBBUF_MEM_new()\fR returns the buffer or NULL on error. diff --git a/secure/lib/libcrypto/man/man3/CMAC_CTX.3 b/secure/lib/libcrypto/man/man3/CMAC_CTX.3 index c122160ae7ce..f3fc6a291b3b 100644 --- a/secure/lib/libcrypto/man/man3/CMAC_CTX.3 +++ b/secure/lib/libcrypto/man/man3/CMAC_CTX.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMAC_CTX 3ossl" -.TH CMAC_CTX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMAC_CTX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -91,7 +94,7 @@ value, see \fBopenssl_user_macros\fR\|(7). .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The low-level MAC functions documented on this page are deprecated. +The low\-level MAC functions documented on this page are deprecated. Applications should use the new \fBEVP_MAC\fR\|(3) interface. Specifically, utilize the following functions for MAC operations: .IP "\fBEVP_MAC_CTX_new\fR\|(3) to create a new MAC context." 4 @@ -107,11 +110,11 @@ Specifically, utilize the following functions for MAC operations: .IX Item "EVP_MAC_final to finalize the MAC and retrieve the output." .PD .PP -Alternatively, for a single-step MAC computation, use the \fBEVP_Q_mac\fR\|(3) +Alternatively, for a single\-step MAC computation, use the \fBEVP_Q_mac\fR\|(3) function. .PP The \fBCMAC_CTX\fR type is a structure used for the provision of CMAC -(Cipher-based Message Authentication Code) operations. +(Cipher\-based Message Authentication Code) operations. .PP \&\fBCMAC_CTX_new()\fR creates a new \fBCMAC_CTX\fR structure and returns a pointer to it. .PP diff --git a/secure/lib/libcrypto/man/man3/CMS_EncryptedData_decrypt.3 b/secure/lib/libcrypto/man/man3/CMS_EncryptedData_decrypt.3 index a79b613587ba..918e68914c1d 100644 --- a/secure/lib/libcrypto/man/man3/CMS_EncryptedData_decrypt.3 +++ b/secure/lib/libcrypto/man/man3/CMS_EncryptedData_decrypt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_ENCRYPTEDDATA_DECRYPT 3ossl" -.TH CMS_ENCRYPTEDDATA_DECRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_ENCRYPTEDDATA_DECRYPT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -80,10 +83,10 @@ CMS_EncryptedData_decrypt, CMS_EnvelopedData_decrypt .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBCMS_EncryptedData_decrypt()\fR decrypts a \fIcms\fR EncryptedData object using the -symmetric \fIkey\fR of size \fIkeylen\fR bytes. \fIout\fR is a BIO to write the content -to and \fIflags\fR is an optional set of flags. -\&\fIdcont\fR is used in the rare case where the encrypted content is detached. It -will normally be set to NULL. +symmetric \fIkey\fR of size \fIkeylen\fR bytes. AEAD cipher algorithms are not +supported. \fIout\fR is a BIO to write the content to and \fIflags\fR is an optional +set of flags. \fIdcont\fR is used in the rare case where the encrypted content is +detached. It will normally be set to NULL. .PP The following flags can be passed in the \fIflags\fR parameter. .PP diff --git a/secure/lib/libcrypto/man/man3/CMS_EncryptedData_encrypt.3 b/secure/lib/libcrypto/man/man3/CMS_EncryptedData_encrypt.3 index c1b0e6330951..6e2cb3eca61d 100644 --- a/secure/lib/libcrypto/man/man3/CMS_EncryptedData_encrypt.3 +++ b/secure/lib/libcrypto/man/man3/CMS_EncryptedData_encrypt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_ENCRYPTEDDATA_ENCRYPT 3ossl" -.TH CMS_ENCRYPTEDDATA_ENCRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_ENCRYPTEDDATA_ENCRYPT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -93,7 +96,7 @@ The \fIflags\fR field supports the options \fBCMS_DETACHED\fR, \fBCMS_STREAM\fR \&\fBCMS_PARTIAL\fR is specified. .PP The algorithm passed in the \fIcipher\fR parameter must support ASN1 encoding of -its parameters. +its parameters. AEAD cipher algorithms are not supported. .PP The \fBCMS_ContentInfo\fR structure can be freed using \fBCMS_ContentInfo_free\fR\|(3). .PP diff --git a/secure/lib/libcrypto/man/man3/CMS_EncryptedData_set1_key.3 b/secure/lib/libcrypto/man/man3/CMS_EncryptedData_set1_key.3 new file mode 100644 index 000000000000..0f7bff95d623 --- /dev/null +++ b/secure/lib/libcrypto/man/man3/CMS_EncryptedData_set1_key.3 
@@ -0,0 +1,96 @@ +.\" -*- mode: troff; coding: utf-8 -*- +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>. +.ie n \{\ +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{\ +. if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +. \} +.\} +.rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l +.\" ======================================================================== +.\" +.IX Title "CMS_ENCRYPTEDDATA_SET1_KEY 3ossl" +.TH CMS_ENCRYPTEDDATA_SET1_KEY 3ossl 2026-04-07 3.5.6 OpenSSL +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. 
+.if n .ad l +.nh +.SH NAME +CMS_EncryptedData_set1_key \- Sets the cipher and key for +CMS EncryptedData +.SH SYNOPSIS +.IX Header "SYNOPSIS" +.Vb 1 +\& #include <openssl/cms.h> +\& +\& int CMS_EncryptedData_set1_key(CMS_ContentInfo *cms, const EVP_CIPHER *ciph, +\& const unsigned char *key, size_t keylen); +.Ve +.SH DESCRIPTION +.IX Header "DESCRIPTION" +\&\fBCMS_EncryptedData_set1_key()\fR takes in a \fIcms\fR EncryptedData object and sets +the appropriate attributes to \fIciph\fR, it makes a copy of the symmetric \fIkey\fR +of size \fIkeylen\fR. AEAD cipher algorithms are not supported. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fBCMS_EncryptedData_set1_key()\fR returns 0 if an error occurred otherwise +returns 1. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fBCMS_EncryptedData_encrypt\fR\|(3), \fBCMS_EncryptedData_decrypt\fR\|(3) +.SH COPYRIGHT +.IX Header "COPYRIGHT" +Copyright 2025 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/lib/libcrypto/man/man3/CMS_EnvelopedData_create.3 b/secure/lib/libcrypto/man/man3/CMS_EnvelopedData_create.3 index 491621ef8ee9..fd110100c776 100644 --- a/secure/lib/libcrypto/man/man3/CMS_EnvelopedData_create.3 +++ b/secure/lib/libcrypto/man/man3/CMS_EnvelopedData_create.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_ENVELOPEDDATA_CREATE 3ossl" -.TH CMS_ENVELOPEDDATA_CREATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_ENVELOPEDDATA_CREATE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/CMS_add0_cert.3 b/secure/lib/libcrypto/man/man3/CMS_add0_cert.3 index 9563c6a8f286..e86c517d90b6 100644 --- a/secure/lib/libcrypto/man/man3/CMS_add0_cert.3 +++ b/secure/lib/libcrypto/man/man3/CMS_add0_cert.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_ADD0_CERT 3ossl" -.TH CMS_ADD0_CERT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_ADD0_CERT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -116,7 +119,7 @@ For enveloped data they are added to \fBOriginatorInfo\fR. .PP \&\fBCMS_get1_certs()\fR and \fBCMS_get1_crls()\fR return the STACK of certificates or CRLs or NULL if there are none or an error occurs. -Besides out-of-memory, the only error which will occur +Besides out\-of\-memory, the only error which will occur in practice is if the \fIcms\fR type is invalid. .SH "SEE ALSO" .IX Header "SEE ALSO" 
diff --git a/secure/lib/libcrypto/man/man3/CMS_add1_recipient_cert.3 b/secure/lib/libcrypto/man/man3/CMS_add1_recipient_cert.3 index c2f2eef5e2b9..15e26f5d7a2e 100644 --- a/secure/lib/libcrypto/man/man3/CMS_add1_recipient_cert.3 +++ b/secure/lib/libcrypto/man/man3/CMS_add1_recipient_cert.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_ADD1_RECIPIENT_CERT 3ossl" -.TH CMS_ADD1_RECIPIENT_CERT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_ADD1_RECIPIENT_CERT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -85,7 +88,7 @@ CMS_add1_recipient, CMS_add1_recipient_cert, CMS_add0_recipient_key \- add recip .IX Header "DESCRIPTION" \&\fBCMS_add1_recipient()\fR adds recipient \fBrecip\fR and provides the originator pkey \&\fBoriginatorPrivKey\fR and originator certificate \fBoriginator\fR to CMS_ContentInfo. -The originator-related fields are relevant only in case when the keyAgreement +The originator\-related fields are relevant only in case when the keyAgreement method of providing of the shared key is in use. .PP \&\fBCMS_add1_recipient_cert()\fR adds recipient \fBrecip\fR to CMS_ContentInfo enveloped diff --git a/secure/lib/libcrypto/man/man3/CMS_add1_signer.3 b/secure/lib/libcrypto/man/man3/CMS_add1_signer.3 index f9597c29985c..5acd767b1af2 100644 --- a/secure/lib/libcrypto/man/man3/CMS_add1_signer.3 +++ b/secure/lib/libcrypto/man/man3/CMS_add1_signer.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_ADD1_SIGNER 3ossl" -.TH CMS_ADD1_SIGNER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_ADD1_SIGNER 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -80,7 +83,7 @@ key \fBpkey\fR using message digest \fBmd\fR to CMS_ContentInfo SignedData structure \fBcms\fR. .PP The CMS_ContentInfo structure should be obtained from an initial call to -\&\fBCMS_sign()\fR with the flag \fBCMS_PARTIAL\fR set or in the case or re-signing a +\&\fBCMS_sign()\fR with the flag \fBCMS_PARTIAL\fR set or in the case or re\-signing a valid CMS_ContentInfo SignedData structure. .PP If the \fBmd\fR parameter is \fBNULL\fR then the default digest for the public @@ -116,8 +119,8 @@ CMS_SignerInfo structure will not be finalized so additional attributes can be added. In this case an explicit call to \fBCMS_SignerInfo_sign()\fR is needed to finalize it. .PP -If \fBCMS_NOCERTS\fR is set the signer's certificate will not be included in the -CMS_ContentInfo structure, the signer's certificate must still be supplied in +If \fBCMS_NOCERTS\fR is set the signer\*(Aqs certificate will not be included in the +CMS_ContentInfo structure, the signer\*(Aqs certificate must still be supplied in the \fBsigncert\fR parameter though. This can reduce the size of the signature if the signers certificate can be obtained by other means: for example a previously signed message. 
diff --git a/secure/lib/libcrypto/man/man3/CMS_compress.3 b/secure/lib/libcrypto/man/man3/CMS_compress.3 index f7bc05d07d65..e98930278a71 100644 --- a/secure/lib/libcrypto/man/man3/CMS_compress.3 +++ b/secure/lib/libcrypto/man/man3/CMS_compress.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_COMPRESS 3ossl" -.TH CMS_COMPRESS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_COMPRESS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/CMS_data_create.3 b/secure/lib/libcrypto/man/man3/CMS_data_create.3 index 292efbd0f55a..0f153d465ec4 100644 --- a/secure/lib/libcrypto/man/man3/CMS_data_create.3 +++ b/secure/lib/libcrypto/man/man3/CMS_data_create.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_DATA_CREATE 3ossl" -.TH CMS_DATA_CREATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_DATA_CREATE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/CMS_decrypt.3 b/secure/lib/libcrypto/man/man3/CMS_decrypt.3 index 4bc1b0f9c31a..f8ec47156c43 100644 --- a/secure/lib/libcrypto/man/man3/CMS_decrypt.3 +++ b/secure/lib/libcrypto/man/man3/CMS_decrypt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_DECRYPT 3ossl" -.TH CMS_DECRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_DECRYPT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -115,7 +118,7 @@ needed to locate the appropriate (of possible several) recipients in the CMS structure. .PP If \fIcert\fR is set to NULL all possible recipients are tried. This case however -is problematic. To thwart the MMA attack (Bleichenbacher's attack on +is problematic. To thwart the MMA attack (Bleichenbacher\*(Aqs attack on PKCS #1 v1.5 RSA padding) all recipients are tried whether they succeed or not. If no recipient succeeds then a random symmetric key is used to decrypt the content: this will typically output garbage and may (but is not guaranteed diff --git a/secure/lib/libcrypto/man/man3/CMS_digest_create.3 b/secure/lib/libcrypto/man/man3/CMS_digest_create.3 index 3ba012aaf81d..84337957fed6 100644 --- a/secure/lib/libcrypto/man/man3/CMS_digest_create.3 +++ b/secure/lib/libcrypto/man/man3/CMS_digest_create.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_DIGEST_CREATE 3ossl" -.TH CMS_DIGEST_CREATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_DIGEST_CREATE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/CMS_encrypt.3 b/secure/lib/libcrypto/man/man3/CMS_encrypt.3 index 23f67683d4c2..3d878eb21c47 100644 --- a/secure/lib/libcrypto/man/man3/CMS_encrypt.3 +++ b/secure/lib/libcrypto/man/man3/CMS_encrypt.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_ENCRYPT 3ossl" -.TH CMS_ENCRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_ENCRYPT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -82,7 +85,7 @@ AuthEnvelopedData structure. \fIcerts\fR is a list of recipient certificates. property query \fIpropq\fR are used internally when retrieving algorithms from providers. .PP -Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this +Only certificates carrying RSA, Diffie\-Hellman or EC keys are supported by this function. .PP \&\fBEVP_des_ede3_cbc()\fR (triple DES) is the algorithm of choice for S/MIME use diff --git a/secure/lib/libcrypto/man/man3/CMS_final.3 b/secure/lib/libcrypto/man/man3/CMS_final.3 index eb4ccf8eda32..0fe2d24fb67b 100644 --- a/secure/lib/libcrypto/man/man3/CMS_final.3 +++ b/secure/lib/libcrypto/man/man3/CMS_final.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_FINAL 3ossl" -.TH CMS_FINAL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_FINAL 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -80,7 +83,7 @@ processed. The \fBdcont\fR parameter contains a BIO to write content to after processing: this is only used with detached data and will usually be set to NULL. .PP -\&\fBCMS_final_digest()\fR finalises the structure \fBcms\fR using a pre-computed digest, +\&\fBCMS_final_digest()\fR finalises the structure \fBcms\fR using a pre\-computed digest, rather than computing the digest from the original data. .SH NOTES .IX Header "NOTES" @@ -88,10 +91,10 @@ These functions will normally be called when the \fBCMS_PARTIAL\fR flag is used. should only be used when streaming is not performed because the streaming I/O functions perform finalisation operations internally. .PP -To sign a pre-computed digest, \fBCMS_sign\fR\|(3) or \fBCMS_sign_ex()\fR is called +To sign a pre\-computed digest, \fBCMS_sign\fR\|(3) or \fBCMS_sign_ex()\fR is called with the \fBdata\fR parameter set to NULL before the CMS structure is finalised with the digest provided to \fBCMS_final_digest()\fR in binary form. -When signing a pre-computed digest, the security relies on the digest and its +When signing a pre\-computed digest, the security relies on the digest and its computation from the original message being trusted. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/CMS_get0_RecipientInfos.3 b/secure/lib/libcrypto/man/man3/CMS_get0_RecipientInfos.3 index a15dc438afeb..baac15abbd09 100644 --- a/secure/lib/libcrypto/man/man3/CMS_get0_RecipientInfos.3 
+++ b/secure/lib/libcrypto/man/man3/CMS_get0_RecipientInfos.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_GET0_RECIPIENTINFOS 3ossl" -.TH CMS_GET0_RECIPIENTINFOS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_GET0_RECIPIENTINFOS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/CMS_get0_SignerInfos.3 b/secure/lib/libcrypto/man/man3/CMS_get0_SignerInfos.3 index b7f6e94d81b0..e13604c35ef6 100644 --- a/secure/lib/libcrypto/man/man3/CMS_get0_SignerInfos.3 +++ b/secure/lib/libcrypto/man/man3/CMS_get0_SignerInfos.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_GET0_SIGNERINFOS 3ossl" -.TH CMS_GET0_SIGNERINFOS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_GET0_SIGNERINFOS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -97,7 +100,7 @@ modified. identifier \fBsi\fR. It returns zero if the comparison is successful and non zero if not. .PP -\&\fBCMS_SignerInfo_set1_signer_cert()\fR sets the signer's certificate of \fBsi\fR to +\&\fBCMS_SignerInfo_set1_signer_cert()\fR sets the signer\*(Aqs certificate of \fBsi\fR to \&\fBsigner\fR. .SH NOTES .IX Header "NOTES" diff --git a/secure/lib/libcrypto/man/man3/CMS_get0_type.3 b/secure/lib/libcrypto/man/man3/CMS_get0_type.3 index 52a169d06c85..082d5db296ba 100644 --- a/secure/lib/libcrypto/man/man3/CMS_get0_type.3 +++ b/secure/lib/libcrypto/man/man3/CMS_get0_type.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_GET0_TYPE 3ossl" -.TH CMS_GET0_TYPE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_GET0_TYPE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/CMS_get1_ReceiptRequest.3 b/secure/lib/libcrypto/man/man3/CMS_get1_ReceiptRequest.3 index a50549b0d269..294891d71d0a 100644 --- a/secure/lib/libcrypto/man/man3/CMS_get1_ReceiptRequest.3 +++ b/secure/lib/libcrypto/man/man3/CMS_get1_ReceiptRequest.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_GET1_RECEIPTREQUEST 3ossl" -.TH CMS_GET1_RECEIPTREQUEST 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_GET1_RECEIPTREQUEST 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/CMS_sign.3 b/secure/lib/libcrypto/man/man3/CMS_sign.3 index 65ca28081f89..93790b30502c 100644 --- a/secure/lib/libcrypto/man/man3/CMS_sign.3 +++ b/secure/lib/libcrypto/man/man3/CMS_sign.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_SIGN 3ossl" -.TH CMS_SIGN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_SIGN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -99,8 +102,8 @@ Many S/MIME clients expect the signed content to include valid MIME headers. If the \fBCMS_TEXT\fR flag is set MIME headers for type \fBtext/plain\fR are prepended to the data. .PP -If \fBCMS_NOCERTS\fR is set the signer's certificate will not be included in the -CMS_ContentInfo structure, the signer's certificate must still be supplied in +If \fBCMS_NOCERTS\fR is set the signer\*(Aqs certificate will not be included in the +CMS_ContentInfo structure, the signer\*(Aqs certificate must still be supplied in the \fBsigncert\fR parameter though. This can reduce the size of the signature if the signers certificate can be obtained by other means: for example a previously signed message. diff --git a/secure/lib/libcrypto/man/man3/CMS_sign_receipt.3 b/secure/lib/libcrypto/man/man3/CMS_sign_receipt.3 index a486f9468583..f20cac5a44f5 100644 --- a/secure/lib/libcrypto/man/man3/CMS_sign_receipt.3 +++ b/secure/lib/libcrypto/man/man3/CMS_sign_receipt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_SIGN_RECEIPT 3ossl" -.TH CMS_SIGN_RECEIPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_SIGN_RECEIPT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/CMS_signed_get_attr.3 b/secure/lib/libcrypto/man/man3/CMS_signed_get_attr.3 index 22b156943dbd..3226473e3db4 100644 --- a/secure/lib/libcrypto/man/man3/CMS_signed_get_attr.3 
+++ b/secure/lib/libcrypto/man/man3/CMS_signed_get_attr.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_SIGNED_GET_ATTR 3ossl" -.TH CMS_SIGNED_GET_ATTR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_SIGNED_GET_ATTR 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -130,7 +133,7 @@ Since the \fBCMS_unsigned_XXX()\fR functions work in the same way as the described below. .PP \&\fBCMS_signed_get_attr_by_OBJ()\fR finds the location of the first matching object -\&\fIobj\fR in the SignerInfo's \fIsi\fR signed attribute list. The search starts at the +\&\fIobj\fR in the SignerInfo\*(Aqs \fIsi\fR signed attribute list. The search starts at the position after \fIlastpos\fR. If the returned value is positive then it can be used on the next call to \fBCMS_signed_get_attr_by_OBJ()\fR as the value of \fIlastpos\fR in order to iterate through the remaining attributes. \fIlastpos\fR can be set to any 
@@ -156,7 +159,7 @@ required. An error occurs if \fIattr\fR is NULL. \&\fBCMS_signed_add1_attr_by_OBJ()\fR creates a new signed \fBX509_ATTRIBUTE\fR using \&\fBX509_ATTRIBUTE_set1_object()\fR and \fBX509_ATTRIBUTE_set1_data()\fR to assign a new \&\fIobj\fR with type \fItype\fR and data \fIbytes\fR of length \fIlen\fR and then pushes it -to the \fIkey\fR object's attribute list. +to the \fIkey\fR object\*(Aqs attribute list. .PP \&\fBCMS_signed_add1_attr_by_NID()\fR is similar to \fBCMS_signed_add1_attr_by_OBJ()\fR except that it passes the numerical identifier (NID) \fInid\fR associated with the object. @@ -188,7 +191,7 @@ SignerInfo \fIsi\fR, or \-1 if the signed attribute list is NULL. .PP \&\fBCMS_signed_get_attr_by_OBJ()\fR returns \-1 if either the signed attribute list of \&\fIsi\fR is empty OR if \fIobj\fR is not found, otherwise it returns the location of -the \fIobj\fR in the SignerInfo's \fIsi\fR signed attribute list. +the \fIobj\fR in the SignerInfo\*(Aqs \fIsi\fR signed attribute list. .PP \&\fBCMS_signed_get_attr_by_NID()\fR is similar to \fBCMS_signed_get_attr_by_OBJ()\fR except that it returns \-2 if the \fInid\fR is not known by OpenSSL. diff --git a/secure/lib/libcrypto/man/man3/CMS_uncompress.3 b/secure/lib/libcrypto/man/man3/CMS_uncompress.3 index 20002585d252..217a2dca4cd6 100644 --- a/secure/lib/libcrypto/man/man3/CMS_uncompress.3 +++ b/secure/lib/libcrypto/man/man3/CMS_uncompress.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_UNCOMPRESS 3ossl" -.TH CMS_UNCOMPRESS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_UNCOMPRESS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/CMS_verify.3 b/secure/lib/libcrypto/man/man3/CMS_verify.3 index 76f55dab3dcf..6a1ae9b6b9df 100644 --- a/secure/lib/libcrypto/man/man3/CMS_verify.3 +++ b/secure/lib/libcrypto/man/man3/CMS_verify.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_VERIFY 3ossl" -.TH CMS_VERIFY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_VERIFY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/CMS_verify_receipt.3 b/secure/lib/libcrypto/man/man3/CMS_verify_receipt.3 index 455286122272..e3aca4c5e620 100644 --- a/secure/lib/libcrypto/man/man3/CMS_verify_receipt.3 +++ b/secure/lib/libcrypto/man/man3/CMS_verify_receipt.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CMS_VERIFY_RECEIPT 3ossl" -.TH CMS_VERIFY_RECEIPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CMS_VERIFY_RECEIPT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/COMP_CTX_new.3 b/secure/lib/libcrypto/man/man3/COMP_CTX_new.3 index 1fe1bac3e017..feb38cd8af01 100644 --- a/secure/lib/libcrypto/man/man3/COMP_CTX_new.3 +++ b/secure/lib/libcrypto/man/man3/COMP_CTX_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "COMP_CTX_NEW 3ossl" -.TH COMP_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH COMP_CTX_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -133,17 +136,17 @@ Methods (\fBCOMP_METHOD\fR) may be specified by one of these functions. These fu will be available even if their corresponding compression algorithm is not configured into the OpenSSL library. In such a case, NULL will be returned. .IP \(bu 4 -\&\fBCOMP_zlib()\fR returns a \fBCOMP_METHOD\fR for stream-based ZLIB compression. +\&\fBCOMP_zlib()\fR returns a \fBCOMP_METHOD\fR for stream\-based ZLIB compression. .IP \(bu 4 -\&\fBCOMP_zlib_oneshot()\fR returns a \fBCOMP_METHOD\fR for one-shot ZLIB compression. +\&\fBCOMP_zlib_oneshot()\fR returns a \fBCOMP_METHOD\fR for one\-shot ZLIB compression. .IP \(bu 4 -\&\fBCOMP_brotli()\fR returns a \fBCOMP_METHOD\fR for stream-based Brotli compression. +\&\fBCOMP_brotli()\fR returns a \fBCOMP_METHOD\fR for stream\-based Brotli compression. .IP \(bu 4 -\&\fBCOMP_brotli_oneshot()\fR returns a \fBCOMP_METHOD\fR for one-shot Brotli compression. +\&\fBCOMP_brotli_oneshot()\fR returns a \fBCOMP_METHOD\fR for one\-shot Brotli compression. .IP \(bu 4 -\&\fBCOMP_zstd()\fR returns a \fBCOMP_METHOD\fR for stream-based Zstandard compression. +\&\fBCOMP_zstd()\fR returns a \fBCOMP_METHOD\fR for stream\-based Zstandard compression. .IP \(bu 4 -\&\fBCOMP_zstd_oneshot()\fR returns a \fBCOMP_METHOD\fR for one-shot Zstandard compression. +\&\fBCOMP_zstd_oneshot()\fR returns a \fBCOMP_METHOD\fR for one\-shot Zstandard compression. .PP \&\fBBIO_f_zlib()\fR, \fBBIO_f_brotli()\fR \fBBIO_f_zstd()\fR each return a \fBBIO_METHOD\fR that may be used to create a \fBBIO\fR via \fBBIO_new\|(3)\fR to read and write compressed files or streams. 
@@ -151,7 +154,7 @@ The functions are only available if the corresponding algorithm is compiled into the OpenSSL library. NULL may be returned if the algorithm fails to load dynamically. .SH NOTES .IX Header "NOTES" -While compressing non-compressible data, the output may be larger than the +While compressing non\-compressible data, the output may be larger than the input. Care should be taken to size output buffers appropriate for both compression and expansion. .PP @@ -177,11 +180,11 @@ It may be disabled via the SSL_OP_NO_TX_CERTIFICATE_COMPRESSION and SSL_OP_NO_RX_CERTIFICATE_COMPRESSION options of the \&\fBSSL_CTX_set_options\fR\|(3) or \fBSSL_set_options\fR\|(3) functions. .PP -\&\fBCOMP_zlib()\fR, \fBCOMP_brotli()\fR and \fBCOMP_zstd()\fR are stream-based compression methods. +\&\fBCOMP_zlib()\fR, \fBCOMP_brotli()\fR and \fBCOMP_zstd()\fR are stream\-based compression methods. Internal state (including compression dictionary) is maintained between calls. If an error is returned, the stream is corrupted, and should be closed. .PP -\&\fBCOMP_zlib_oneshot()\fR, \fBCOMP_brotli_oneshot()\fR and \fBCOMP_zstd_oneshot()\fR are not stream-based. These +\&\fBCOMP_zlib_oneshot()\fR, \fBCOMP_brotli_oneshot()\fR and \fBCOMP_zstd_oneshot()\fR are not stream\-based. These methods do not maintain state between calls. An error in one call does not affect future calls. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/CONF_modules_free.3 b/secure/lib/libcrypto/man/man3/CONF_modules_free.3 index a8df993da09e..7ded3dcb5b6f 100644 --- a/secure/lib/libcrypto/man/man3/CONF_modules_free.3 +++ b/secure/lib/libcrypto/man/man3/CONF_modules_free.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CONF_MODULES_FREE 3ossl" -.TH CONF_MODULES_FREE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CONF_MODULES_FREE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -91,7 +94,7 @@ to free up any configuration that module may have performed. .PP \&\fBCONF_modules_unload()\fR finishes and unloads configuration modules. If \&\fBall\fR is set to \fB0\fR only modules loaded from DSOs will be unloads. If -\&\fBall\fR is \fB1\fR all modules, including built-in modules will be unloaded. +\&\fBall\fR is \fB1\fR all modules, including built\-in modules will be unloaded. .SH "RETURN VALUES" .IX Header "RETURN VALUES" None of the functions return a value. diff --git a/secure/lib/libcrypto/man/man3/CONF_modules_load_file.3 b/secure/lib/libcrypto/man/man3/CONF_modules_load_file.3 index 8131eecadf1d..137e48d77890 100644 --- a/secure/lib/libcrypto/man/man3/CONF_modules_load_file.3 +++ b/secure/lib/libcrypto/man/man3/CONF_modules_load_file.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CONF_MODULES_LOAD_FILE 3ossl" -.TH CONF_MODULES_LOAD_FILE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CONF_MODULES_LOAD_FILE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -114,7 +117,7 @@ Normally any modules errors will add error information to the error queue. If If \fBCONF_MFLAGS_IGNORE_RETURN_CODES\fR is set the function unconditionally returns success. This is used by default in \fBOPENSSL_init_crypto\fR\|(3) to ignore any errors in -the default system-wide configuration file, as having all OpenSSL applications +the default system\-wide configuration file, as having all OpenSSL applications fail to start when there are potentially minor issues in the file is too risky. Applications calling \fBCONF_modules_load_file_ex\fR explicitly should not generally set this flag. diff --git a/secure/lib/libcrypto/man/man3/CRYPTO_THREAD_run_once.3 b/secure/lib/libcrypto/man/man3/CRYPTO_THREAD_run_once.3 index a632d28f876c..5c459868b377 100644 --- a/secure/lib/libcrypto/man/man3/CRYPTO_THREAD_run_once.3 +++ b/secure/lib/libcrypto/man/man3/CRYPTO_THREAD_run_once.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CRYPTO_THREAD_RUN_ONCE 3ossl" -.TH CRYPTO_THREAD_RUN_ONCE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CRYPTO_THREAD_RUN_ONCE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -103,22 +106,22 @@ OSSL_THREAD_SUPPORT_FLAG_DEFAULT_SPAWN \- OpenSSL thread support .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -OpenSSL can be safely used in multi-threaded applications provided that -support for the underlying OS threading API is built-in. Currently, OpenSSL +OpenSSL can be safely used in multi\-threaded applications provided that +support for the underlying OS threading API is built\-in. Currently, OpenSSL supports the pthread and Windows APIs. OpenSSL can also be built without -any multi-threading support, for example on platforms that don't provide +any multi\-threading support, for example on platforms that don\*(Aqt provide any threading support or that provide a threading API that is not yet supported by OpenSSL. .PP -The following multi-threading function are provided: +The following multi\-threading function are provided: .IP \(bu 2 -\&\fBCRYPTO_THREAD_run_once()\fR can be used to perform one-time initialization. +\&\fBCRYPTO_THREAD_run_once()\fR can be used to perform one\-time initialization. The \fIonce\fR argument must be a pointer to a static object of type \&\fBCRYPTO_ONCE\fR that was statically initialized to the value \&\fBCRYPTO_ONCE_STATIC_INIT\fR. The \fIinit\fR argument is a pointer to a function that performs the desired exactly once initialization. -In particular, this can be used to allocate locks in a thread-safe manner, +In particular, this can be used to allocate locks in a thread\-safe manner, which can then be used with the locking functions below. .IP \(bu 2 \&\fBCRYPTO_THREAD_lock_new()\fR allocates, initializes and returns a new read/write 
@@ -202,7 +205,7 @@ functionality to be used. \&\fBCRYPTO_THREAD_lock_free()\fR returns no value. .PP \&\fBOSSL_set_max_threads()\fR returns 1 on success and 0 on failure. Returns failure -if OpenSSL-managed thread pooling is not supported (for example, if it is not +if OpenSSL\-managed thread pooling is not supported (for example, if it is not supported on the current platform, or because OpenSSL is not built with the necessary support). .PP @@ -221,7 +224,7 @@ On Windows platforms the CRYPTO_THREAD_* types and functions in the customarily made available by including \fI<windows.h>\fR. The application developer is likely to require control over when the latter is included, commonly as one of the first included headers. Therefore, it is defined as an -application developer's responsibility to include \fI<windows.h>\fR prior to +application developer\*(Aqs responsibility to include \fI<windows.h>\fR prior to \&\fI<openssl/crypto.h>\fR where use of CRYPTO_THREAD_* types and functions is required. .SH EXAMPLES diff --git a/secure/lib/libcrypto/man/man3/CRYPTO_get_ex_new_index.3 b/secure/lib/libcrypto/man/man3/CRYPTO_get_ex_new_index.3 index 5c86bd8de67f..9493fd2a5c73 100644 --- a/secure/lib/libcrypto/man/man3/CRYPTO_get_ex_new_index.3 +++ b/secure/lib/libcrypto/man/man3/CRYPTO_get_ex_new_index.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CRYPTO_GET_EX_NEW_INDEX 3ossl" -.TH CRYPTO_GET_EX_NEW_INDEX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CRYPTO_GET_EX_NEW_INDEX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -99,7 +102,7 @@ CRYPTO_free_ex_data, CRYPTO_new_ex_data .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -Several OpenSSL structures can have application-specific data attached to them, +Several OpenSSL structures can have application\-specific data attached to them, known as "exdata." The specific structures are: .PP 
@@ -150,24 +153,24 @@ are called in increasing order of their \fBindex\fR value. .PP If a dynamic library can be unloaded, it should call \fBCRYPTO_free_ex_index()\fR when this is done. -This will replace the callbacks with no-ops -so that applications don't crash. Any existing exdata will be leaked. +This will replace the callbacks with no\-ops +so that applications don\*(Aqt crash. Any existing exdata will be leaked. .PP -To set or get the exdata on an object, the appropriate type-specific +To set or get the exdata on an object, the appropriate type\-specific routine must be used. This is because the containing structure is opaque -and the \fBCRYPTO_EX_DATA\fR field is not accessible. In both API's, the -\&\fBidx\fR parameter should be an already-created index value. +and the \fBCRYPTO_EX_DATA\fR field is not accessible. In both API\*(Aqs, the +\&\fBidx\fR parameter should be an already\-created index value. .PP When setting exdata, the pointer specified with a particular index is saved, and returned on a subsequent "get" call. If the application is going to release the data, it must make sure to set a \fBNULL\fR value at the index, -to avoid likely double-free crashes. +to avoid likely double\-free crashes. .PP The function \fBCRYPTO_free_ex_data\fR is used to free all exdata attached -to a structure. The appropriate type-specific routine must be used. +to a structure. The appropriate type\-specific routine must be used. The \fBclass_index\fR identifies the structure type, the \fBobj\fR is a pointer to the actual structure, and \fBr\fR is a pointer to the -structure's exdata field. +structure\*(Aqs exdata field. .SS "Callback Functions" .IX Subsection "Callback Functions" This section describes how the callback functions are used. Applications 
@@ -182,7 +185,7 @@ exdata, and perhaps an "initialized" flag within that memory. The exdata value may be allocated later on with \fBCRYPTO_alloc_ex_data()\fR, or may be set by calling \fBCRYPTO_set_ex_data()\fR. .PP -When a structure is free'd (such as \fBSSL_CTX_free()\fR) then the +When a structure is free\*(Aqd (such as \fBSSL_CTX_free()\fR) then the \&\fBfree_func()\fR is called for every defined index. Again, the state of the parent structure is not guaranteed. The \fBfree_func()\fR may be called with a NULL pointer. diff --git a/secure/lib/libcrypto/man/man3/CRYPTO_memcmp.3 b/secure/lib/libcrypto/man/man3/CRYPTO_memcmp.3 index 445313242edd..4673f54b388d 100644 --- a/secure/lib/libcrypto/man/man3/CRYPTO_memcmp.3 +++ b/secure/lib/libcrypto/man/man3/CRYPTO_memcmp.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CRYPTO_MEMCMP 3ossl" -.TH CRYPTO_MEMCMP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CRYPTO_MEMCMP 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/CTLOG_STORE_get0_log_by_id.3 b/secure/lib/libcrypto/man/man3/CTLOG_STORE_get0_log_by_id.3 index 04697b8f3185..e00e168620c8 100644 --- a/secure/lib/libcrypto/man/man3/CTLOG_STORE_get0_log_by_id.3 +++ b/secure/lib/libcrypto/man/man3/CTLOG_STORE_get0_log_by_id.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CTLOG_STORE_GET0_LOG_BY_ID 3ossl" -.TH CTLOG_STORE_GET0_LOG_BY_ID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CTLOG_STORE_GET0_LOG_BY_ID 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -75,7 +78,7 @@ Get a Certificate Transparency log from a CTLOG_STORE .SH DESCRIPTION .IX Header "DESCRIPTION" A Signed Certificate Timestamp (SCT) identifies the Certificate Transparency -(CT) log that issued it using the log's LogID (see RFC 6962, Section 3.2). +(CT) log that issued it using the log\*(Aqs LogID (see RFC 6962, Section 3.2). Therefore, it is useful to be able to look up more information about a log (e.g. its public key) using this LogID. .PP diff --git a/secure/lib/libcrypto/man/man3/CTLOG_STORE_new.3 b/secure/lib/libcrypto/man/man3/CTLOG_STORE_new.3 index 8d8fcef0093f..cd4c0c7c19ae 100644 --- a/secure/lib/libcrypto/man/man3/CTLOG_STORE_new.3 +++ b/secure/lib/libcrypto/man/man3/CTLOG_STORE_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CTLOG_STORE_NEW 3ossl" -.TH CTLOG_STORE_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CTLOG_STORE_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -93,7 +96,7 @@ The CTLOG_STORE is then populated by \fBCTLOG_STORE_load_default_file()\fR or \&\fBCTLOG_STORE_load_file()\fR. \fBCTLOG_STORE_load_default_file()\fR loads from the default file, which is named \fIct_log_list.cnf\fR in OPENSSLDIR (see the output of \&\fBopenssl\-version\fR\|(1)). This can be overridden using an environment variable -named \fBCTLOG_FILE\fR. \fBCTLOG_STORE_load_file()\fR loads from a caller-specified file +named \fBCTLOG_FILE\fR. \fBCTLOG_STORE_load_file()\fR loads from a caller\-specified file path instead. Both of these functions append any loaded CT logs to the CTLOG_STORE. .PP diff --git a/secure/lib/libcrypto/man/man3/CTLOG_new.3 b/secure/lib/libcrypto/man/man3/CTLOG_new.3 index e9e278b72278..7b5b9b2000d7 100644 --- a/secure/lib/libcrypto/man/man3/CTLOG_new.3 +++ b/secure/lib/libcrypto/man/man3/CTLOG_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CTLOG_NEW 3ossl" -.TH CTLOG_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CTLOG_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -107,14 +110,14 @@ string \fIpropq\fR. property query string are used. .PP Regardless of whether \fBCTLOG_new()\fR or \fBCTLOG_new_from_base64()\fR is used, it is the -caller's responsibility to pass the CTLOG to \fBCTLOG_free()\fR once it is no longer +caller\*(Aqs responsibility to pass the CTLOG to \fBCTLOG_free()\fR once it is no longer needed. This will delete it and, if created by \fBCTLOG_new()\fR, the EVP_PKEY that was passed to it. If the argument to \fBCTLOG_free()\fR is NULL, nothing is done. .PP \&\fBCTLOG_get0_name()\fR returns the name of the log, as provided when the CTLOG was created. Ownership of the string remains with the CTLOG. .PP -\&\fBCTLOG_get0_log_id()\fR sets *log_id to point to a string containing that log's +\&\fBCTLOG_get0_log_id()\fR sets *log_id to point to a string containing that log\*(Aqs LogID (see RFC 6962). It sets *log_id_len to the length of that LogID. For a v1 CT log, the LogID will be a SHA\-256 hash (i.e. 32 bytes long). Ownership of the string remains with the CTLOG. diff --git a/secure/lib/libcrypto/man/man3/CT_POLICY_EVAL_CTX_new.3 b/secure/lib/libcrypto/man/man3/CT_POLICY_EVAL_CTX_new.3 index 72d0f72614e5..c6686826d6cf 100644 --- a/secure/lib/libcrypto/man/man3/CT_POLICY_EVAL_CTX_new.3 +++ b/secure/lib/libcrypto/man/man3/CT_POLICY_EVAL_CTX_new.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CT_POLICY_EVAL_CTX_NEW 3ossl" -.TH CT_POLICY_EVAL_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH CT_POLICY_EVAL_CTX_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -92,14 +95,14 @@ Encapsulates the data required to evaluate whether SCTs meet a Certificate Trans A \fBCT_POLICY_EVAL_CTX\fR is used by functions that evaluate whether Signed Certificate Timestamps (SCTs) fulfil a Certificate Transparency (CT) policy. This policy may be, for example, that at least one valid SCT is available. To -determine this, an SCT's timestamp and signature must be verified. +determine this, an SCT\*(Aqs timestamp and signature must be verified. This requires: .IP \(bu 2 the public key of the log that issued the SCT .IP \(bu 2 the certificate that the SCT was issued for .IP \(bu 2 -the issuer certificate (if the SCT was issued for a pre-certificate) +the issuer certificate (if the SCT was issued for a pre\-certificate) .IP \(bu 2 the current time .PP 
@@ -145,7 +148,7 @@ When no longer required, the \fBCT_POLICY_EVAL_CTX\fR should be passed to .SH NOTES .IX Header "NOTES" The issuer certificate only needs to be provided if at least one of the SCTs -was issued for a pre-certificate. This will be the case for SCTs embedded in a +was issued for a pre\-certificate. This will be the case for SCTs embedded in a certificate (i.e. those in an X.509 extension), but may not be the case for SCTs found in the TLS SCT extension or OCSP response. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/DEFINE_STACK_OF.3 b/secure/lib/libcrypto/man/man3/DEFINE_STACK_OF.3 index 32022ed0b083..4b2dfd4531b4 100644 --- a/secure/lib/libcrypto/man/man3/DEFINE_STACK_OF.3 +++ b/secure/lib/libcrypto/man/man3/DEFINE_STACK_OF.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DEFINE_STACK_OF 3ossl" -.TH DEFINE_STACK_OF 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DEFINE_STACK_OF 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -136,7 +139,7 @@ This can be used in every header file that references the stack. There are several \fBDEFINE...\fR macros that create static inline functions for all of the functions described on this page. This should normally be used in one source file, and the stack manipulation -is wrapped with application-specific functions. +is wrapped with application\-specific functions. .PP \&\fBDEFINE_STACK_OF()\fR creates set of functions for a stack of \fR\f(BITYPE\fR\fB\fR elements. The type is referenced by @@ -270,7 +273,7 @@ Copying is performed by the supplied \fBcopyfunc()\fR and freeing by \fBfreefunc The function \fBfreefunc()\fR is only called if an error occurs. .SH NOTES .IX Header "NOTES" -Care should be taken when accessing stacks in multi-threaded environments. +Care should be taken when accessing stacks in multi\-threaded environments. Any operation which increases the size of a stack such as \fBsk_\fR\f(BITYPE\fR\fB_insert\fR() or \fBsk_\fR\f(BITYPE\fR\fB_push\fR() can "grow" the size of an internal array and cause race conditions if the same stack is accessed in a different thread. Operations such @@ -353,7 +356,7 @@ and was not a public API. 1.1.1. .PP From OpenSSL 3.2.0, the \fBsk_\fR\f(BITYPE\fR\fB_find\fR(), \fBsk_\fR\f(BITYPE\fR\fB_find_ex\fR() -and \fBsk_\fR\f(BITYPE\fR\fB_find_all\fR() calls are read-only and do not sort the +and \fBsk_\fR\f(BITYPE\fR\fB_find_all\fR() calls are read\-only and do not sort the stack. To avoid any performance implications this change introduces, \&\fBsk_\fR\f(BITYPE\fR\fB_sort\fR() should be called before these find operations. .PP diff --git a/secure/lib/libcrypto/man/man3/DES_random_key.3 b/secure/lib/libcrypto/man/man3/DES_random_key.3 index 6e24554063f3..322d7f742f27 100644 --- a/secure/lib/libcrypto/man/man3/DES_random_key.3 +++ b/secure/lib/libcrypto/man/man3/DES_random_key.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DES_RANDOM_KEY 3ossl" -.TH DES_RANDOM_KEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DES_RANDOM_KEY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -184,7 +187,7 @@ architecture dependent \fIDES_key_schedule\fR via the \&\fBDES_set_key_checked()\fR or \fBDES_set_key_unchecked()\fR function. .PP \&\fBDES_set_key_checked()\fR will check that the key passed is of odd parity -and is not a weak or semi-weak key. If the parity is wrong, then \-1 +and is not a weak or semi\-weak key. If the parity is wrong, then \-1 is returned. If the key is a weak key, then \-2 is returned. If an error is returned, the key schedule is not generated. .PP 
@@ -211,19 +214,19 @@ ciphertext) is decrypted into the \fIoutput\fR (now cleartext). Input and output may overlap. \fBDES_ecb_encrypt()\fR does not return a value. .PP \&\fBDES_ecb3_encrypt()\fR encrypts/decrypts the \fIinput\fR block by using -three-key Triple-DES encryption in ECB mode. This involves encrypting +three\-key Triple\-DES encryption in ECB mode. This involves encrypting the input with \fIks1\fR, decrypting with the key schedule \fIks2\fR, and then encrypting with \fIks3\fR. This routine greatly reduces the chances of brute force breaking of DES and has the advantage of if \fIks1\fR, \&\fIks2\fR and \fIks3\fR are the same, it is equivalent to just encryption using ECB mode and \fIks1\fR as the key. .PP -The macro \fBDES_ecb2_encrypt()\fR is provided to perform two-key Triple-DES +The macro \fBDES_ecb2_encrypt()\fR is provided to perform two\-key Triple\-DES encryption by using \fIks1\fR for the final encryption. .PP -\&\fBDES_ncbc_encrypt()\fR encrypts/decrypts using the \fIcipher-block-chaining\fR +\&\fBDES_ncbc_encrypt()\fR encrypts/decrypts using the \fIcipher\-block\-chaining\fR (CBC) mode of DES. If the \fIencrypt\fR argument is nonzero, the -routine cipher-block-chain encrypts the cleartext data pointed to by +routine cipher\-block\-chain encrypts the cleartext data pointed to by the \fIinput\fR argument into the ciphertext pointed to by the \fIoutput\fR argument, using the key schedule provided by the \fIschedule\fR argument, and initialization vector provided by the \fIivec\fR argument. If the 
@@ -231,8 +234,8 @@ and initialization vector provided by the \fIivec\fR argument. If the last block is copied to a temporary area and zero filled. The output is always an integral multiple of eight bytes. .PP -\&\fBDES_xcbc_encrypt()\fR is RSA's DESX mode of DES. It uses \fIinw\fR and -\&\fIoutw\fR to 'whiten' the encryption. \fIinw\fR and \fIoutw\fR are secret +\&\fBDES_xcbc_encrypt()\fR is RSA\*(Aqs DESX mode of DES. It uses \fIinw\fR and +\&\fIoutw\fR to \*(Aqwhiten\*(Aq the encryption. \fIinw\fR and \fIoutw\fR are secret (unlike the iv) and are as such, part of the key. So the key is sort of 24 bytes. This is much better than CBC DES. .PP @@ -240,9 +243,9 @@ of 24 bytes. This is much better than CBC DES. three keys. This means that each DES operation inside the CBC mode is \&\f(CW\*(C`C=E(ks3,D(ks2,E(ks1,M)))\*(C'\fR. This mode is used by SSL. .PP -The \fBDES_ede2_cbc_encrypt()\fR macro implements two-key Triple-DES by +The \fBDES_ede2_cbc_encrypt()\fR macro implements two\-key Triple\-DES by reusing \fIks1\fR for the final encryption. \f(CW\*(C`C=E(ks1,D(ks2,E(ks1,M)))\*(C'\fR. -This form of Triple-DES is used by the RSAREF library. +This form of Triple\-DES is used by the RSAREF library. .PP \&\fBDES_pcbc_encrypt()\fR encrypts/decrypts using the propagating cipher block chaining mode used by Kerberos v4. Its parameters are the same as 
@@ -261,11 +264,11 @@ implements CFB mode of DES with 64\-bit feedback. Why is this useful you ask? Because this routine will allow you to encrypt an arbitrary number of bytes, without 8 byte padding. Each call to this routine will encrypt the input bytes to output and then update ivec -and num. num contains 'how far' we are though ivec. If this does +and num. num contains \*(Aqhow far\*(Aq we are though ivec. If this does not make much sense, read more about CFB mode of DES. .PP \&\fBDES_ede3_cfb64_encrypt()\fR and \fBDES_ede2_cfb64_encrypt()\fR is the same as -\&\fBDES_cfb64_encrypt()\fR except that Triple-DES is used. +\&\fBDES_cfb64_encrypt()\fR except that Triple\-DES is used. .PP \&\fBDES_ofb_encrypt()\fR encrypts using output feedback mode. This method takes an array of characters as input and outputs an array of @@ -279,7 +282,7 @@ suggested for use when sending a small number of characters. Feed Back mode. .PP \&\fBDES_ede3_ofb64_encrypt()\fR and \fBDES_ede2_ofb64_encrypt()\fR is the same as -\&\fBDES_ofb64_encrypt()\fR, using Triple-DES. +\&\fBDES_ofb64_encrypt()\fR, using Triple\-DES. .PP The following functions are included in the DES library for compatibility with the MIT Kerberos library. @@ -293,10 +296,10 @@ used by Kerberos v4. Other applications should use \&\fBDES_quad_cksum()\fR is a Kerberos v4 function. It returns a 4 byte checksum from the input bytes. The algorithm can be iterated over the input, depending on \fIout_count\fR, 1, 2, 3 or 4 times. If \fIoutput\fR is -non-NULL, the 8 bytes generated by each pass are written into +non\-NULL, the 8 bytes generated by each pass are written into \&\fIoutput\fR. .PP -The following are DES-based transformations: +The following are DES\-based transformations: .PP \&\fBDES_fcrypt()\fR is a fast version of the Unix \fBcrypt\fR\|(3) function. This version takes only a small amount of space relative to other fast 
@@ -307,7 +310,7 @@ is thread safe, unlike the normal \fBcrypt()\fR. .PP \&\fBDES_crypt()\fR is a faster replacement for the normal system \fBcrypt()\fR. This function calls \fBDES_fcrypt()\fR with a static array passed as the -third parameter. This mostly emulates the normal non-thread-safe semantics +third parameter. This mostly emulates the normal non\-thread\-safe semantics of \fBcrypt\fR\|(3). The \fBsalt\fR must be two ASCII characters. .PP @@ -348,7 +351,7 @@ Applications should use the higher level functions \&\fBEVP_EncryptInit\fR\|(3) etc. instead of calling these functions directly. .PP -Single-key DES is insecure due to its short key size. ECB mode is +Single\-key DES is insecure due to its short key size. ECB mode is not suitable for most applications; see \fBdes_modes\fR\|(7). .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -361,7 +364,7 @@ is ok. \&\fBDES_cbc_cksum()\fR and \fBDES_quad_cksum()\fR return 4\-byte integer representing the last 4 bytes of the checksum of the input. .PP -\&\fBDES_fcrypt()\fR returns a pointer to the caller-provided buffer and \fBDES_crypt()\fR \- +\&\fBDES_fcrypt()\fR returns a pointer to the caller\-provided buffer and \fBDES_crypt()\fR \- to a static buffer on success; otherwise they return NULL. .SH "SEE ALSO" .IX Header "SEE ALSO" @@ -374,7 +377,7 @@ All of these functions were deprecated in OpenSSL 3.0. The requirement that the \fBsalt\fR parameter to \fBDES_crypt()\fR and \fBDES_fcrypt()\fR be two ASCII characters was first enforced in OpenSSL 1.1.0. Previous versions tried to use the letter uppercase \fBA\fR -if both character were not present, and could crash when given non-ASCII +if both character were not present, and could crash when given non\-ASCII on some platforms. .SH COPYRIGHT .IX Header "COPYRIGHT" diff --git a/secure/lib/libcrypto/man/man3/DH_generate_key.3 b/secure/lib/libcrypto/man/man3/DH_generate_key.3 index 67f658806672..b5634997b1f5 100644 --- a/secure/lib/libcrypto/man/man3/DH_generate_key.3 
+++ b/secure/lib/libcrypto/man/man3/DH_generate_key.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DH_GENERATE_KEY 3ossl" -.TH DH_GENERATE_KEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DH_GENERATE_KEY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -86,10 +89,10 @@ All of the functions described on this page are deprecated. Applications should instead use \fBEVP_PKEY_derive_init\fR\|(3) and \fBEVP_PKEY_derive\fR\|(3). .PP -\&\fBDH_generate_key()\fR performs the first step of a Diffie-Hellman key +\&\fBDH_generate_key()\fR performs the first step of a Diffie\-Hellman key exchange by generating private and public DH values. By calling \&\fBDH_compute_key()\fR or \fBDH_compute_key_padded()\fR, these are combined with -the other party's public value to compute the shared key. +the other party\*(Aqs public value to compute the shared key. .PP \&\fBDH_generate_key()\fR expects \fBdh\fR to contain the shared parameters \&\fBdh\->p\fR and \fBdh\->g\fR. It generates a random private DH value 
@@ -98,7 +101,7 @@ corresponding public value \fBdh\->pub_key\fR, which can then be published. .PP \&\fBDH_compute_key()\fR computes the shared secret from the private DH value -in \fBdh\fR and the other party's public value in \fBpub_key\fR and stores +in \fBdh\fR and the other party\*(Aqs public value in \fBpub_key\fR and stores it in \fBkey\fR. \fBkey\fR must point to \fBDH_size(dh)\fR bytes of memory. The padding style is RFC 5246 (8.1.2) that strips leading zero bytes. It is not constant time due to the leading zero bytes being stripped. diff --git a/secure/lib/libcrypto/man/man3/DH_generate_parameters.3 b/secure/lib/libcrypto/man/man3/DH_generate_parameters.3 index 70a6c57ca2c4..0a56a9f0cf16 100644 --- a/secure/lib/libcrypto/man/man3/DH_generate_parameters.3 +++ b/secure/lib/libcrypto/man/man3/DH_generate_parameters.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DH_GENERATE_PARAMETERS 3ossl" -.TH DH_GENERATE_PARAMETERS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DH_GENERATE_PARAMETERS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -102,9 +105,9 @@ Applications should instead use \fBEVP_PKEY_check\fR\|(3), \&\fBEVP_PKEY_public_check\fR\|(3), \fBEVP_PKEY_private_check\fR\|(3) and \&\fBEVP_PKEY_param_check\fR\|(3). .PP -\&\fBDH_generate_parameters_ex()\fR generates Diffie-Hellman parameters that can +\&\fBDH_generate_parameters_ex()\fR generates Diffie\-Hellman parameters that can be shared among a group of users, and stores them in the provided \fBDH\fR -structure. The pseudo-random number generator must be +structure. The pseudo\-random number generator must be seeded before calling it. The parameters generated by \fBDH_generate_parameters_ex()\fR should not be used in signature schemes. @@ -120,8 +123,8 @@ is called. See \fBBN_generate_prime_ex\fR\|(3) for information on the \fBBN_GENCB_call()\fR function. .PP \&\fBDH_generate_parameters()\fR is similar to \fBDH_generate_prime_ex()\fR but -expects an old-style callback function; see -\&\fBBN_generate_prime\fR\|(3) for information on the old-style callback. +expects an old\-style callback function; see +\&\fBBN_generate_prime\fR\|(3) for information on the old\-style callback. .PP \&\fBDH_check_params()\fR confirms that the \fBp\fR and \fBg\fR are likely enough to be valid. @@ -133,12 +136,12 @@ following bits may be set: .IP DH_CHECK_P_NOT_PRIME 4 .IX Item "DH_CHECK_P_NOT_PRIME" The parameter \fBp\fR has been determined to not being an odd prime. -Note that the lack of this bit doesn't guarantee that \fBp\fR is a +Note that the lack of this bit doesn\*(Aqt guarantee that \fBp\fR is a prime. .IP DH_NOT_SUITABLE_GENERATOR 4 .IX Item "DH_NOT_SUITABLE_GENERATOR" The generator \fBg\fR is not suitable. -Note that the lack of this bit doesn't guarantee that \fBg\fR is +Note that the lack of this bit doesn\*(Aqt guarantee that \fBg\fR is suitable, unless \fBp\fR is known to be a strong prime. .IP DH_MODULUS_TOO_SMALL 4 .IX Item "DH_MODULUS_TOO_SMALL" 
@@ -147,7 +150,7 @@ The modulus is too small. .IX Item "DH_MODULUS_TOO_LARGE" The modulus is too large. .PP -\&\fBDH_check()\fR confirms that the Diffie-Hellman parameters \fBdh\fR are valid. The +\&\fBDH_check()\fR confirms that the Diffie\-Hellman parameters \fBdh\fR are valid. The value of \fB*codes\fR is updated with any problems found. If \fB*codes\fR is zero then no problems were found, otherwise the following bits may be set: .IP DH_CHECK_P_NOT_PRIME 4 @@ -173,12 +176,12 @@ The parameter \fBq\fR is invalid. The parameter \fBj\fR is invalid. .PP If 0 is returned or \fB*codes\fR is set to a nonzero value the supplied -parameters should not be used for Diffie-Hellman operations otherwise +parameters should not be used for Diffie\-Hellman operations otherwise the security properties of the key exchange are not guaranteed. .PP \&\fBDH_check_ex()\fR, \fBDH_check_params()\fR and \fBDH_check_pub_key_ex()\fR are similar to \&\fBDH_check()\fR and \fBDH_check_params()\fR respectively, but the error reasons are added -to the thread's error queue instead of provided as return values from the +to the thread\*(Aqs error queue instead of provided as return values from the function. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/DH_get0_pqg.3 b/secure/lib/libcrypto/man/man3/DH_get0_pqg.3 index 5450e6078044..06c043970c3e 100644 --- a/secure/lib/libcrypto/man/man3/DH_get0_pqg.3 +++ b/secure/lib/libcrypto/man/man3/DH_get0_pqg.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DH_GET0_PQG 3ossl" -.TH DH_GET0_PQG 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DH_GET0_PQG 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/DH_get_1024_160.3 b/secure/lib/libcrypto/man/man3/DH_get_1024_160.3 index c1b0ec1f8d8e..ff03914bd7e3 100644 --- a/secure/lib/libcrypto/man/man3/DH_get_1024_160.3 +++ b/secure/lib/libcrypto/man/man3/DH_get_1024_160.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DH_GET_1024_160 3ossl" -.TH DH_GET_1024_160 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DH_GET_1024_160 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/DH_meth_new.3 b/secure/lib/libcrypto/man/man3/DH_meth_new.3 index 4d33a6b49731..7872c33d8777 100644 --- a/secure/lib/libcrypto/man/man3/DH_meth_new.3 +++ b/secure/lib/libcrypto/man/man3/DH_meth_new.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DH_METH_NEW 3ossl" -.TH DH_METH_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DH_METH_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -155,7 +158,7 @@ DH_METHOD. \fBDH_meth_set_flags()\fR provides the ability to set these flags. .PP The functions \fBDH_meth_get0_app_data()\fR and \fBDH_meth_set0_app_data()\fR provide the ability to associate implementation specific data with the DH_METHOD. It is -the application's responsibility to free this data before the DH_METHOD is +the application\*(Aqs responsibility to free this data before the DH_METHOD is freed via a call to \fBDH_meth_free()\fR. .PP \&\fBDH_meth_get_generate_key()\fR and \fBDH_meth_set_generate_key()\fR get and set the diff --git a/secure/lib/libcrypto/man/man3/DH_new.3 b/secure/lib/libcrypto/man/man3/DH_new.3 index ca761c6ee5b3..e4e9bf967af5 100644 --- a/secure/lib/libcrypto/man/man3/DH_new.3 +++ b/secure/lib/libcrypto/man/man3/DH_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DH_NEW 3ossl" -.TH DH_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DH_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/DH_new_by_nid.3 b/secure/lib/libcrypto/man/man3/DH_new_by_nid.3 index b318f663e42b..3ba9e10edc45 100644 --- a/secure/lib/libcrypto/man/man3/DH_new_by_nid.3 +++ b/secure/lib/libcrypto/man/man3/DH_new_by_nid.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DH_NEW_BY_NID 3ossl" -.TH DH_NEW_BY_NID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DH_NEW_BY_NID 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/DH_set_method.3 b/secure/lib/libcrypto/man/man3/DH_set_method.3 index 5755d60ea442..09f726503e29 100644 --- a/secure/lib/libcrypto/man/man3/DH_set_method.3 +++ b/secure/lib/libcrypto/man/man3/DH_set_method.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DH_SET_METHOD 3ossl" -.TH DH_SET_METHOD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DH_SET_METHOD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -89,7 +92,7 @@ see \fBopenssl_user_macros\fR\|(7): All of the functions described on this page are deprecated. Applications should instead use the provider APIs. .PP -A \fBDH_METHOD\fR specifies the functions that OpenSSL uses for Diffie-Hellman +A \fBDH_METHOD\fR specifies the functions that OpenSSL uses for Diffie\-Hellman operations. By modifying the method, alternative implementations such as hardware accelerators may be used. IMPORTANT: See the NOTES section for important information about how these DH API functions are affected by the use @@ -102,7 +105,7 @@ returned by \fBDH_OpenSSL()\fR. structures created later. \&\fBNB\fR: This is true only whilst no ENGINE has been set as a default for DH, so this function is no longer recommended. -This function is not thread-safe and should not be called at the same time +This function is not thread\-safe and should not be called at the same time as other OpenSSL functions. .PP \&\fBDH_get_default_method()\fR returns a pointer to the current default DH_METHOD. 
@@ -114,7 +117,7 @@ This will replace the DH_METHOD used by the DH key and if the previous method was supplied by an ENGINE, the handle to that ENGINE will be released during the change. It is possible to have DH keys that only work with certain DH_METHOD implementations (e.g. from an ENGINE module that supports embedded -hardware-protected keys), and in such cases attempting to change the DH_METHOD +hardware\-protected keys), and in such cases attempting to change the DH_METHOD for the key can have unexpected results. .PP \&\fBDH_new_method()\fR allocates and initializes a DH structure so that \fBengine\fR will diff --git a/secure/lib/libcrypto/man/man3/DH_size.3 b/secure/lib/libcrypto/man/man3/DH_size.3 index dad280298cf3..06795a994db0 100644 --- a/secure/lib/libcrypto/man/man3/DH_size.3 +++ b/secure/lib/libcrypto/man/man3/DH_size.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DH_SIZE 3ossl" -.TH DH_SIZE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DH_SIZE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -90,7 +93,7 @@ Applications should instead use \fBEVP_PKEY_get_bits\fR\|(3), .PP \&\fBdh\fR and \fBdh\->p\fR must not be \fBNULL\fR. .PP -\&\fBDH_size()\fR returns the Diffie-Hellman prime size in bytes. It can be used +\&\fBDH_size()\fR returns the Diffie\-Hellman prime size in bytes. It can be used to determine how much memory must be allocated for the shared secret computed by \fBDH_compute_key\fR\|(3). .PP @@ -99,13 +102,13 @@ key. See \fBBN_security_bits\fR\|(3). .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBDH_bits()\fR returns the number of bits in the key, or \-1 if -\&\fBdh\fR doesn't hold any key parameters. +\&\fBdh\fR doesn\*(Aqt hold any key parameters. .PP -\&\fBDH_size()\fR returns the prime size of Diffie-Hellman in bytes, or \-1 if -\&\fBdh\fR doesn't hold any key parameters. +\&\fBDH_size()\fR returns the prime size of Diffie\-Hellman in bytes, or \-1 if +\&\fBdh\fR doesn\*(Aqt hold any key parameters. .PP \&\fBDH_security_bits()\fR returns the number of security bits, or \-1 if -\&\fBdh\fR doesn't hold any key parameters. +\&\fBdh\fR doesn\*(Aqt hold any key parameters. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_PKEY_get_bits\fR\|(3), diff --git a/secure/lib/libcrypto/man/man3/DSA_SIG_new.3 b/secure/lib/libcrypto/man/man3/DSA_SIG_new.3 index 669f39363e3a..157414d3ca32 100644 --- a/secure/lib/libcrypto/man/man3/DSA_SIG_new.3 +++ b/secure/lib/libcrypto/man/man3/DSA_SIG_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DSA_SIG_NEW 3ossl" -.TH DSA_SIG_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DSA_SIG_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/DSA_do_sign.3 b/secure/lib/libcrypto/man/man3/DSA_do_sign.3 index 76f04b7d9230..577a351e3abb 100644 --- a/secure/lib/libcrypto/man/man3/DSA_do_sign.3 +++ b/secure/lib/libcrypto/man/man3/DSA_do_sign.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DSA_DO_SIGN 3ossl" -.TH DSA_DO_SIGN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DSA_DO_SIGN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -90,10 +93,10 @@ newly allocated \fBDSA_SIG\fR structure. .PP \&\fBDSA_sign_setup\fR\|(3) may be used to precompute part of the signing operation in case signature generation is -time-critical. +time\-critical. .PP \&\fBDSA_do_verify()\fR verifies that the signature \fBsig\fR matches a given -message digest \fBdgst\fR of size \fBlen\fR. \fBdsa\fR is the signer's public +message digest \fBdgst\fR of size \fBlen\fR. \fBdsa\fR is the signer\*(Aqs public key. .SH "RETURN VALUES" .IX Header "RETURN VALUES" 
diff --git a/secure/lib/libcrypto/man/man3/DSA_dup_DH.3 b/secure/lib/libcrypto/man/man3/DSA_dup_DH.3 index 7dc83c25f08b..0a769e8f80c8 100644 --- a/secure/lib/libcrypto/man/man3/DSA_dup_DH.3 +++ b/secure/lib/libcrypto/man/man3/DSA_dup_DH.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DSA_DUP_DH 3ossl" -.TH DSA_DUP_DH 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DSA_DUP_DH 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -78,7 +81,7 @@ see \fBopenssl_user_macros\fR\|(7): .SH DESCRIPTION .IX Header "DESCRIPTION" The function described on this page is deprecated. There is no direct -replacement, applications should use the EVP_PKEY APIs for Diffie-Hellman +replacement, applications should use the EVP_PKEY APIs for Diffie\-Hellman operations. .PP \&\fBDSA_dup_DH()\fR duplicates DSA parameters/keys as DH parameters/keys. q diff --git a/secure/lib/libcrypto/man/man3/DSA_generate_key.3 b/secure/lib/libcrypto/man/man3/DSA_generate_key.3 index ecb848df0459..9cdf411fc896 100644 --- a/secure/lib/libcrypto/man/man3/DSA_generate_key.3 +++ b/secure/lib/libcrypto/man/man3/DSA_generate_key.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DSA_GENERATE_KEY 3ossl" -.TH DSA_GENERATE_KEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DSA_GENERATE_KEY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/DSA_generate_parameters.3 b/secure/lib/libcrypto/man/man3/DSA_generate_parameters.3 index 16f01ddbc65c..cd58f83666f4 100644 --- a/secure/lib/libcrypto/man/man3/DSA_generate_parameters.3 +++ b/secure/lib/libcrypto/man/man3/DSA_generate_parameters.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DSA_GENERATE_PARAMETERS 3ossl" -.TH DSA_GENERATE_PARAMETERS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DSA_GENERATE_PARAMETERS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -115,15 +118,15 @@ BN_GENCB_call function discussed below, refer to \&\fBBN_generate_prime\fR\|(3). .PP \&\fBDSA_generate_parameters()\fR is similar to \fBDSA_generate_parameters_ex()\fR but -expects an old-style callback function; see -\&\fBBN_generate_prime\fR\|(3) for information on the old-style callback. +expects an old\-style callback function; see +\&\fBBN_generate_prime\fR\|(3) for information on the old\-style callback. .IP \(bu 2 When a candidate for q is generated, \fBBN_GENCB_call(cb, 0, m++)\fR is called (m is 0 for the first candidate). .IP \(bu 2 When a candidate for q has passed a test by trial division, \&\fBBN_GENCB_call(cb, 1, \-1)\fR is called. -While a candidate for q is tested by Miller-Rabin primality tests, +While a candidate for q is tested by Miller\-Rabin primality tests, \&\fBBN_GENCB_call(cb, 1, i)\fR is called in the outer loop (once for each witness that confirms that the candidate may be prime); i is the loop counter (starting at 0). @@ -136,7 +139,7 @@ Before a candidate for p (other than the first) is generated and tested, .IP \(bu 2 When a candidate for p has passed the test by trial division, \&\fBBN_GENCB_call(cb, 1, \-1)\fR is called. -While it is tested by the Miller-Rabin primality test, +While it is tested by the Miller\-Rabin primality test, \&\fBBN_GENCB_call(cb, 1, i)\fR is called in the outer loop (once for each witness that confirms that the candidate may be prime). i is the loop counter (starting at 0). diff --git a/secure/lib/libcrypto/man/man3/DSA_get0_pqg.3 b/secure/lib/libcrypto/man/man3/DSA_get0_pqg.3 index 1352fee08312..09b31df25a35 100644 --- a/secure/lib/libcrypto/man/man3/DSA_get0_pqg.3 +++ b/secure/lib/libcrypto/man/man3/DSA_get0_pqg.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DSA_GET0_PQG 3ossl" -.TH DSA_GET0_PQG 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DSA_GET0_PQG 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -122,7 +125,7 @@ be. The values point to the internal representation of the public key and private key values. This memory should not be freed directly. .PP The public and private key values can be set using \fBDSA_set0_key()\fR. The public -key must be non-NULL the first time this function is called on a given DSA +key must be non\-NULL the first time this function is called on a given DSA object. The private key may be NULL. On subsequent calls, either may be NULL, which means the corresponding DSA field is left untouched. As for \fBDSA_set0_pqg()\fR this function transfers the memory management of the key values to the DSA diff --git a/secure/lib/libcrypto/man/man3/DSA_meth_new.3 b/secure/lib/libcrypto/man/man3/DSA_meth_new.3 index 1e4a90a1a7f5..ab881aed9756 100644 --- a/secure/lib/libcrypto/man/man3/DSA_meth_new.3 +++ b/secure/lib/libcrypto/man/man3/DSA_meth_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DSA_METH_NEW 3ossl" -.TH DSA_METH_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DSA_METH_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -184,7 +187,7 @@ DSA_METHOD. \fBDSA_meth_set_flags()\fR provides the ability to set these flags. .PP The functions \fBDSA_meth_get0_app_data()\fR and \fBDSA_meth_set0_app_data()\fR provide the ability to associate implementation specific data with the DSA_METHOD. It is -the application's responsibility to free this data before the DSA_METHOD is +the application\*(Aqs responsibility to free this data before the DSA_METHOD is freed via a call to \fBDSA_meth_free()\fR. .PP \&\fBDSA_meth_get_sign()\fR and \fBDSA_meth_set_sign()\fR get and set the function used for diff --git a/secure/lib/libcrypto/man/man3/DSA_new.3 b/secure/lib/libcrypto/man/man3/DSA_new.3 index 79ae74063079..0fe60d1de0b7 100644 --- a/secure/lib/libcrypto/man/man3/DSA_new.3 +++ b/secure/lib/libcrypto/man/man3/DSA_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DSA_NEW 3ossl" -.TH DSA_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DSA_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/DSA_set_method.3 b/secure/lib/libcrypto/man/man3/DSA_set_method.3 index f063f53a19db..71fc42a5a760 100644 --- a/secure/lib/libcrypto/man/man3/DSA_set_method.3 +++ b/secure/lib/libcrypto/man/man3/DSA_set_method.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DSA_SET_METHOD 3ossl" -.TH DSA_SET_METHOD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DSA_SET_METHOD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -102,7 +105,7 @@ as returned by \fBDSA_OpenSSL()\fR. structures created later. \&\fBNB\fR: This is true only whilst no ENGINE has been set as a default for DSA, so this function is no longer recommended. -This function is not thread-safe and should not be called at the same time +This function is not thread\-safe and should not be called at the same time as other OpenSSL functions. .PP \&\fBDSA_get_default_method()\fR returns a pointer to the current default 
@@ -115,7 +118,7 @@ recommended. previous method was supplied by an ENGINE, the handle to that ENGINE will be released during the change. It is possible to have DSA keys that only work with certain DSA_METHOD implementations (e.g. from an ENGINE module -that supports embedded hardware-protected keys), and in such cases +that supports embedded hardware\-protected keys), and in such cases attempting to change the DSA_METHOD for the key can have unexpected results. See \fBDSA_meth_new\fR\|(3) for information on constructing custom DSA_METHOD objects; diff --git a/secure/lib/libcrypto/man/man3/DSA_sign.3 b/secure/lib/libcrypto/man/man3/DSA_sign.3 index 54d16a1e197f..6d9da50f8bfb 100644 --- a/secure/lib/libcrypto/man/man3/DSA_sign.3 +++ b/secure/lib/libcrypto/man/man3/DSA_sign.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DSA_SIGN 3ossl" -.TH DSA_SIGN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DSA_SIGN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -101,7 +104,7 @@ cause overhead, and does not affect the actual signature .PP \&\fBDSA_verify()\fR verifies that the signature \fBsigbuf\fR of size \fBsiglen\fR matches a given message digest \fBdgst\fR of size \fBlen\fR. -\&\fBdsa\fR is the signer's public key. +\&\fBdsa\fR is the signer\*(Aqs public key. .PP The \fBtype\fR parameter is ignored. .PP 
diff --git a/secure/lib/libcrypto/man/man3/DSA_size.3 b/secure/lib/libcrypto/man/man3/DSA_size.3 index 517c5ce83301..aec87ce1ab8e 100644 --- a/secure/lib/libcrypto/man/man3/DSA_size.3 +++ b/secure/lib/libcrypto/man/man3/DSA_size.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DSA_SIZE 3ossl" -.TH DSA_SIZE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DSA_SIZE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -97,12 +100,12 @@ key. See \fBBN_security_bits\fR\|(3). .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBDSA_security_bits()\fR returns the number of security bits in the key, or \-1 if -\&\fIdsa\fR doesn't hold any key parameters. +\&\fIdsa\fR doesn\*(Aqt hold any key parameters. .PP -\&\fBDSA_bits()\fR returns the number of bits in the key, or \-1 if \fIdsa\fR doesn't +\&\fBDSA_bits()\fR returns the number of bits in the key, or \-1 if \fIdsa\fR doesn\*(Aqt hold any key parameters. .PP -\&\fBDSA_size()\fR returns the signature size in bytes, or \-1 if \fIdsa\fR doesn't +\&\fBDSA_size()\fR returns the signature size in bytes, or \-1 if \fIdsa\fR doesn\*(Aqt hold any key parameters. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/DTLS_get_data_mtu.3 b/secure/lib/libcrypto/man/man3/DTLS_get_data_mtu.3 index 873f4cb89d21..b3c32ded2205 100644 --- a/secure/lib/libcrypto/man/man3/DTLS_get_data_mtu.3 +++ b/secure/lib/libcrypto/man/man3/DTLS_get_data_mtu.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DTLS_GET_DATA_MTU 3ossl" -.TH DTLS_GET_DATA_MTU 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DTLS_GET_DATA_MTU 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/DTLS_set_timer_cb.3 b/secure/lib/libcrypto/man/man3/DTLS_set_timer_cb.3 index 1e262e61ac10..eb57b8576b85 100644 --- a/secure/lib/libcrypto/man/man3/DTLS_set_timer_cb.3 +++ b/secure/lib/libcrypto/man/man3/DTLS_set_timer_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DTLS_SET_TIMER_CB 3ossl" -.TH DTLS_SET_TIMER_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DTLS_SET_TIMER_CB 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/DTLSv1_get_timeout.3 b/secure/lib/libcrypto/man/man3/DTLSv1_get_timeout.3 index 1580ed7918cc..c2f24a89d5b9 100644 
--- a/secure/lib/libcrypto/man/man3/DTLSv1_get_timeout.3 +++ b/secure/lib/libcrypto/man/man3/DTLSv1_get_timeout.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DTLSV1_GET_TIMEOUT 3ossl" -.TH DTLSV1_GET_TIMEOUT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DTLSV1_GET_TIMEOUT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/DTLSv1_handle_timeout.3 b/secure/lib/libcrypto/man/man3/DTLSv1_handle_timeout.3 index 5500937efa5c..9f11dc0a1767 100644 --- a/secure/lib/libcrypto/man/man3/DTLSv1_handle_timeout.3 +++ b/secure/lib/libcrypto/man/man3/DTLSv1_handle_timeout.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DTLSV1_HANDLE_TIMEOUT 3ossl" -.TH DTLSV1_HANDLE_TIMEOUT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DTLSV1_HANDLE_TIMEOUT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/DTLSv1_listen.3 b/secure/lib/libcrypto/man/man3/DTLSv1_listen.3 index bc9e228ed008..3f0e214975a7 100644 --- a/secure/lib/libcrypto/man/man3/DTLSv1_listen.3 +++ b/secure/lib/libcrypto/man/man3/DTLSv1_listen.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DTLSV1_LISTEN 3ossl" -.TH DTLSV1_LISTEN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH DTLSV1_LISTEN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -92,9 +95,9 @@ message then the amplification attack has succeeded. .PP If DTLS is used over UDP (or any datagram based protocol that does not validate the source IP) then it is susceptible to this type of attack. TLSv1.3 is -designed to operate over a stream-based transport protocol (such as TCP). +designed to operate over a stream\-based transport protocol (such as TCP). If TCP is being used then there is no need to use \fBSSL_stateless()\fR. However, some -stream-based transport protocols (e.g. QUIC) may not validate the source +stream\-based transport protocols (e.g. QUIC) may not validate the source address. In this case a TLSv1.3 application would be susceptible to this attack. .PP As a countermeasure to this issue TLSv1.3 and DTLS include a stateless cookie 
@@ -128,11 +131,11 @@ the peer after making use of \fBDTLSv1_listen()\fR. In the typical case where datagram on an unconnected socket. If the socket is not connected, it can receive datagrams from any host on the network, which will cause subsequent outgoing datagrams transmitted by DTLS to be transmitted to that host. In other -words, failing to call \fBBIO_connect()\fR or a similar OS-specific function on a +words, failing to call \fBBIO_connect()\fR or a similar OS\-specific function on a socket means that any host on the network can cause outgoing DTLS traffic to be redirected to it by sending a datagram to the socket in question. This does not break the cryptographic protections of DTLS but may facilitate a -denial-of-service attack or allow unencrypted information in the DTLS handshake +denial\-of\-service attack or allow unencrypted information in the DTLS handshake to be learned by an attacker. This is due to the historical design of \&\fBBIO_s_datagram\fR\|(3); see \fBBIO_s_datagram\fR\|(3) for details on this issue. .PP @@ -152,7 +155,7 @@ require the allocation of state). An implication of this is that \fBDTLSv1_liste .PP For \fBSSL_stateless()\fR if an entire ClientHello message cannot be read without the "read" BIO becoming empty then the \fBSSL_stateless()\fR call will fail. It is the -application's responsibility to ensure that data read from the "read" BIO during +application\*(Aqs responsibility to ensure that data read from the "read" BIO during a single \fBSSL_stateless()\fR call is all from the same peer. .PP \&\fBSSL_stateless()\fR will fail (with a 0 return value) if some TLS version less than 
@@ -174,18 +177,18 @@ For \fBDTLSv1_listen()\fR a return value of >= 1 indicates success. The \fBssl\f will be set up ready to continue the handshake. the \fBpeer\fR value will also be filled in. .PP -A return value of 0 indicates a non-fatal error. This could (for +A return value of 0 indicates a non\-fatal error. This could (for example) be because of nonblocking IO, or some invalid message having been received from a peer. Errors may be placed on the OpenSSL error queue with further information if appropriate. Typically user code is expected to retry the -call to \fBDTLSv1_listen()\fR in the event of a non-fatal error. +call to \fBDTLSv1_listen()\fR in the event of a non\-fatal error. .PP A return value of <0 indicates a fatal error. This could (for example) be because of a failure to allocate sufficient memory for the operation. .PP -For \fBDTLSv1_listen()\fR, prior to OpenSSL 1.1.0, fatal and non-fatal errors both +For \fBDTLSv1_listen()\fR, prior to OpenSSL 1.1.0, fatal and non\-fatal errors both produce return codes <= 0 (in typical implementations user code treats all -errors as non-fatal), whilst return codes >0 indicate success. +errors as non\-fatal), whilst return codes >0 indicate success. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBSSL_CTX_set_cookie_generate_cb\fR\|(3), \fBSSL_CTX_set_cookie_verify_cb\fR\|(3), diff --git a/secure/lib/libcrypto/man/man3/ECDSA_SIG_new.3 b/secure/lib/libcrypto/man/man3/ECDSA_SIG_new.3 index e49d84202ed6..340c23cb4c2b 100644 --- a/secure/lib/libcrypto/man/man3/ECDSA_SIG_new.3 +++ b/secure/lib/libcrypto/man/man3/ECDSA_SIG_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ECDSA_SIG_NEW 3ossl" -.TH ECDSA_SIG_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ECDSA_SIG_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -100,7 +103,7 @@ is not returned. The values \fIr\fR, \fIs\fR can also be retrieved separately by the corresponding function \fBECDSA_SIG_get0_r()\fR and \fBECDSA_SIG_get0_s()\fR, respectively. .PP -Non-NULL \fIr\fR and \fIs\fR values can be set on the \fIsig\fR by calling +Non\-NULL \fIr\fR and \fIs\fR values can be set on the \fIsig\fR by calling \&\fBECDSA_SIG_set0()\fR. Calling this function transfers the memory management of the values to the \fBECDSA_SIG\fR object, and therefore the values that have been passed in should not be freed by the caller. diff --git a/secure/lib/libcrypto/man/man3/ECDSA_sign.3 b/secure/lib/libcrypto/man/man3/ECDSA_sign.3 index 021f96320ba7..98e502222ca0 100644 --- a/secure/lib/libcrypto/man/man3/ECDSA_sign.3 +++ b/secure/lib/libcrypto/man/man3/ECDSA_sign.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ECDSA_SIGN 3ossl" -.TH ECDSA_SIGN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ECDSA_SIGN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,7 +144,7 @@ either \fIkinv\fR or \fIr\fR is not NULL. used in a later call to \fBECDSA_sign_ex()\fR or \fBECDSA_do_sign_ex()\fR. .PP \&\fBECDSA_sign_ex()\fR computes a digital signature of the \fIdgstlen\fR bytes hash value -\&\fIdgst\fR using the private EC key \fIeckey\fR and the optional pre-computed values +\&\fIdgst\fR using the private EC key \fIeckey\fR and the optional pre\-computed values \&\fIkinv\fR and \fIrp\fR. The DER encoded signature is stored in \fIsig\fR and its length is returned in \fIsiglen\fR. Note: \fIsig\fR must point to ECDSA_size(eckey) bytes of memory. The parameter \fItype\fR is ignored. diff --git a/secure/lib/libcrypto/man/man3/ECPKParameters_print.3 b/secure/lib/libcrypto/man/man3/ECPKParameters_print.3 index c7dc05db3a83..d346e20bf87e 100644 --- a/secure/lib/libcrypto/man/man3/ECPKParameters_print.3 +++ b/secure/lib/libcrypto/man/man3/ECPKParameters_print.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ECPKPARAMETERS_PRINT 3ossl" -.TH ECPKPARAMETERS_PRINT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ECPKPARAMETERS_PRINT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -86,7 +89,7 @@ The ECPKParameters represent the public parameters for an \&\fBEC_GROUP\fR structure, which represents a curve. .PP The \fBECPKParameters_print()\fR and \fBECPKParameters_print_fp()\fR functions print -a human-readable output of the public parameters of the EC_GROUP to \fBbp\fR +a human\-readable output of the public parameters of the EC_GROUP to \fBbp\fR or \fBfp\fR. The output lines are indented by \fBoff\fR spaces. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/EC_GFp_simple_method.3 b/secure/lib/libcrypto/man/man3/EC_GFp_simple_method.3 index 592758e68d8c..245b93ff326f 100644 --- a/secure/lib/libcrypto/man/man3/EC_GFp_simple_method.3 +++ b/secure/lib/libcrypto/man/man3/EC_GFp_simple_method.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EC_GFP_SIMPLE_METHOD 3ossl" -.TH EC_GFP_SIMPLE_METHOD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EC_GFP_SIMPLE_METHOD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EC_GROUP_copy.3 b/secure/lib/libcrypto/man/man3/EC_GROUP_copy.3 index 1b4c9b929c1a..8a5b774b00ce 100644 --- a/secure/lib/libcrypto/man/man3/EC_GROUP_copy.3 +++ b/secure/lib/libcrypto/man/man3/EC_GROUP_copy.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EC_GROUP_COPY 3ossl" -.TH EC_GROUP_COPY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EC_GROUP_COPY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -207,7 +210,7 @@ in that a parameter obtained in this way is highly unlikely to be susceptible to If the seed is present for a curve then the b parameter was generated in a verifiable fashion using that seed. The OpenSSL EC library does not use this seed value but does enable you to inspect it using \fBEC_GROUP_get0_seed()\fR. This returns a pointer to a memory block containing the seed that was used. The length of the memory block can be obtained using \fBEC_GROUP_get_seed_len()\fR. A number of the -built-in curves within the library provide seed values that can be obtained. It is also possible to set a custom seed using +built\-in curves within the library provide seed values that can be obtained. It is also possible to set a custom seed using \&\fBEC_GROUP_set_seed()\fR and passing a pointer to a memory block, along with the length of the seed. Again, the EC library will not use this seed value, although it will be preserved in any ASN1 based communications. .PP 
@@ -227,13 +230,13 @@ For the OpenSSL default provider it performs a number of checks on a curve to ve verifying that the discriminant is non zero; that a generator has been defined; that the generator is on the curve and has the correct order. For the OpenSSL FIPS provider it uses \fBEC_GROUP_check_named_curve()\fR to conform to SP800\-56Ar3. .PP -The function \fBEC_GROUP_check_named_curve()\fR determines if the group's domain parameters match one of the built-in curves supported by the library. -The curve name is returned as a \fBNID\fR if it matches. If the group's domain parameters have been modified then no match will be found. +The function \fBEC_GROUP_check_named_curve()\fR determines if the group\*(Aqs domain parameters match one of the built\-in curves supported by the library. +The curve name is returned as a \fBNID\fR if it matches. If the group\*(Aqs domain parameters have been modified then no match will be found. If the curve name of the given group is \fBNID_undef\fR (e.g. it has been created by using explicit parameters with no curve name), -then this method can be used to lookup the name of the curve that matches the group domain parameters. The built-in curves contain -aliases, so that multiple NID's can map to the same domain parameters. For such curves it is unspecified which of the aliases will be +then this method can be used to lookup the name of the curve that matches the group domain parameters. The built\-in curves contain +aliases, so that multiple NID\*(Aqs can map to the same domain parameters. For such curves it is unspecified which of the aliases will be returned if the curve name of the given group is NID_undef. -If \fBnist_only\fR is 1 it will only look for NIST approved curves, otherwise it searches all built-in curves. +If \fBnist_only\fR is 1 it will only look for NIST approved curves, otherwise it searches all built\-in curves. This function may be passed a BN_CTX object in the \fBctx\fR parameter. 
The \fBctx\fR parameter may be NULL. .PP diff --git a/secure/lib/libcrypto/man/man3/EC_GROUP_new.3 b/secure/lib/libcrypto/man/man3/EC_GROUP_new.3 index e9adf2f72149..39f24be341cf 100644 --- a/secure/lib/libcrypto/man/man3/EC_GROUP_new.3 +++ b/secure/lib/libcrypto/man/man3/EC_GROUP_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EC_GROUP_NEW 3ossl" -.TH EC_GROUP_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EC_GROUP_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -213,7 +216,7 @@ above, there are also a number of predefined curves that are available. In order to obtain a list of all of the predefined curves, call the function \&\fBEC_get_builtin_curves()\fR. The parameter \fIr\fR should be an array of EC_builtin_curve structures of size \fInitems\fR. The function will populate the -\&\fIr\fR array with information about the built-in curves. If \fInitems\fR is less than +\&\fIr\fR array with information about the built\-in curves. If \fInitems\fR is less than the total number of curves available, then the first \fInitems\fR curves will be returned. Otherwise the total number of curves will be provided. The return value is the total number of curves available (whether that number has been 
@@ -231,7 +234,7 @@ The EC_builtin_curve structure is defined as follows: Each EC_builtin_curve item has a unique integer id (\fInid\fR), and a human readable comment string describing the curve. .PP -In order to construct a built-in curve use the function +In order to construct a built\-in curve use the function \&\fBEC_GROUP_new_by_curve_name_ex()\fR and provide the \fInid\fR of the curve to be constructed, the associated library context to be used in \fIctx\fR (see \&\fBOSSL_LIB_CTX\fR\|(3)) and any property query string in \fIpropq\fR. The \fIctx\fR value @@ -257,7 +260,7 @@ If \fIgroup\fR is NULL nothing is done. All EC_GROUP_new* functions return a pointer to the newly constructed group, or NULL on error. .PP -\&\fBEC_get_builtin_curves()\fR returns the number of built-in curves that are +\&\fBEC_get_builtin_curves()\fR returns the number of built\-in curves that are available. .PP \&\fBEC_GROUP_set_curve_GFp()\fR, \fBEC_GROUP_get_curve_GFp()\fR, \fBEC_GROUP_set_curve_GF2m()\fR, diff --git a/secure/lib/libcrypto/man/man3/EC_KEY_get_enc_flags.3 b/secure/lib/libcrypto/man/man3/EC_KEY_get_enc_flags.3 index b9f681bc11e1..60b376ba0ea1 100644 --- a/secure/lib/libcrypto/man/man3/EC_KEY_get_enc_flags.3 +++ b/secure/lib/libcrypto/man/man3/EC_KEY_get_enc_flags.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EC_KEY_GET_ENC_FLAGS 3ossl" -.TH EC_KEY_GET_ENC_FLAGS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EC_KEY_GET_ENC_FLAGS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EC_KEY_new.3 b/secure/lib/libcrypto/man/man3/EC_KEY_new.3 index af9dc57a8c46..3bcde18c5815 100644 --- a/secure/lib/libcrypto/man/man3/EC_KEY_new.3 +++ b/secure/lib/libcrypto/man/man3/EC_KEY_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EC_KEY_NEW 3ossl" -.TH EC_KEY_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EC_KEY_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -257,7 +260,7 @@ integer. .PP \&\fBEC_KEY_copy()\fR returns a pointer to the destination key, or NULL on error. .PP -\&\fBEC_KEY_get0_engine()\fR returns a pointer to an ENGINE, or NULL if it wasn't set. +\&\fBEC_KEY_get0_engine()\fR returns a pointer to an ENGINE, or NULL if it wasn\*(Aqt set. .PP \&\fBEC_KEY_up_ref()\fR, \fBEC_KEY_set_group()\fR, \fBEC_KEY_set_public_key()\fR, \&\fBEC_KEY_precompute_mult()\fR, \fBEC_KEY_generate_key()\fR, \fBEC_KEY_check_key()\fR, 
diff --git a/secure/lib/libcrypto/man/man3/EC_POINT_add.3 b/secure/lib/libcrypto/man/man3/EC_POINT_add.3 index e23957d68d10..c25feb976381 100644 --- a/secure/lib/libcrypto/man/man3/EC_POINT_add.3 +++ b/secure/lib/libcrypto/man/man3/EC_POINT_add.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EC_POINT_ADD 3ossl" -.TH EC_POINT_ADD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EC_POINT_ADD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -110,12 +113,12 @@ forced. These functions were deprecated in OpenSSL 3.0 and should no longer be u Modern versions automatically perform this conversion when needed. .PP EC_POINT_mul calculates the value generator * \fBn\fR + \fBq\fR * \fBm\fR and stores the result in \fBr\fR. -The value \fBn\fR may be NULL in which case the result is just \fBq\fR * \fBm\fR (variable point multiplication). Alternatively, both \fBq\fR and \fBm\fR may be NULL, and \fBn\fR non-NULL, in which case the result is just generator * \fBn\fR (fixed point multiplication). +The value \fBn\fR may be NULL in which case the result is just \fBq\fR * \fBm\fR (variable point multiplication). Alternatively, both \fBq\fR and \fBm\fR may be NULL, and \fBn\fR non\-NULL, in which case the result is just generator * \fBn\fR (fixed point multiplication). When performing a single fixed or variable point multiplication, the underlying implementation uses a constant time algorithm, when the input scalar (either \fBn\fR or \fBm\fR) is in the range [0, ec_group_order). .PP Although deprecated in OpenSSL 3.0 and should no longer be used, EC_POINTs_mul calculates the value generator * \fBn\fR + \fBq[0]\fR * \fBm[0]\fR + ... + \fBq[num\-1]\fR * \fBm[num\-1]\fR. As for EC_POINT_mul the value \fBn\fR may be NULL or \fBnum\fR may be zero. -When performing a fixed point multiplication (\fBn\fR is non-NULL and \fBnum\fR is 0) or a variable point multiplication (\fBn\fR is NULL and \fBnum\fR is 1), the underlying implementation uses a constant time algorithm, when the input scalar (either \fBn\fR or \fBm[0]\fR) is in the range [0, ec_group_order). +When performing a fixed point multiplication (\fBn\fR is non\-NULL and \fBnum\fR is 0) or a variable point multiplication (\fBn\fR is NULL and \fBnum\fR is 1), the underlying implementation uses a constant time algorithm, when the input scalar (either \fBn\fR or \fBm[0]\fR) is in the range [0, ec_group_order). 
Modern versions should instead use \fBEC_POINT_mul()\fR, combined (if needed) with \fBEC_POINT_add()\fR in such rare circumstances. .PP The function EC_GROUP_precompute_mult stores multiples of the generator for faster point multiplication, whilst diff --git a/secure/lib/libcrypto/man/man3/EC_POINT_new.3 b/secure/lib/libcrypto/man/man3/EC_POINT_new.3 index 04c93e0244d7..ab0038f834a8 100644 --- a/secure/lib/libcrypto/man/man3/EC_POINT_new.3 +++ b/secure/lib/libcrypto/man/man3/EC_POINT_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EC_POINT_NEW 3ossl" -.TH EC_POINT_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EC_POINT_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -274,7 +277,7 @@ buffer with a call to \fBOPENSSL_free()\fR. Since the allocated buffer value is written to \fB*pbuf\fR the \fBpbuf\fR parameter \fBMUST NOT\fR be \fBNULL\fR. .PP The function \fBEC_POINT_point2hex()\fR will allocate sufficient memory to store the -hexadecimal string. It is the caller's responsibility to free this memory with +hexadecimal string. It is the caller\*(Aqs responsibility to free this memory with a subsequent call to \fBOPENSSL_free()\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/ENGINE_add.3 b/secure/lib/libcrypto/man/man3/ENGINE_add.3 index 39fef76e327e..ab07a7b8afea 100644 --- a/secure/lib/libcrypto/man/man3/ENGINE_add.3 
+++ b/secure/lib/libcrypto/man/man3/ENGINE_add.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ENGINE_ADD 3ossl" -.TH ENGINE_ADD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ENGINE_ADD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -235,7 +238,7 @@ Applications should instead use the provider APIs. These functions create, manipulate, and use cryptographic modules in the form of \fBENGINE\fR objects. These objects act as containers for implementations of cryptographic algorithms, and support a -reference-counted mechanism to allow them to be dynamically loaded in and +reference\-counted mechanism to allow them to be dynamically loaded in and out of the running application. .PP The cryptographic functionality that can be provided by an \fBENGINE\fR @@ -257,7 +260,7 @@ the underlying ENGINE object. Ie. one should obtain a new reference when making copies of an ENGINE pointer if the copies will be used (and released) independently. .PP -ENGINE objects have two levels of reference-counting to match the way in +ENGINE objects have two levels of reference\-counting to match the way in which the objects are used. At the most basic level, each ENGINE pointer is inherently a \fBstructural\fR reference \- a structural reference is required to use the pointer value at all, as this kind of reference is a guarantee 
@@ -265,13 +268,13 @@ that the structure can not be deallocated until the reference is released. .PP However, a structural reference provides no guarantee that the ENGINE is initialised and able to use any of its cryptographic -implementations. Indeed it's quite possible that most ENGINEs will not +implementations. Indeed it\*(Aqs quite possible that most ENGINEs will not initialise at all in typical environments, as ENGINEs are typically used to -support specialised hardware. To use an ENGINE's functionality, you need a +support specialised hardware. To use an ENGINE\*(Aqs functionality, you need a \&\fBfunctional\fR reference. This kind of reference can be considered a specialised form of structural reference, because each functional reference implicitly contains a structural reference as well \- however to avoid -difficult-to-find programming bugs, it is recommended to treat the two +difficult\-to\-find programming bugs, it is recommended to treat the two kinds of reference independently. If you have a functional reference to an ENGINE, you have a guarantee that the ENGINE has been initialised and is ready to perform cryptographic operations, and will remain initialised @@ -280,7 +283,7 @@ until after you have released your reference. \&\fIStructural references\fR .PP This basic type of reference is used for instantiating new ENGINEs, -iterating across OpenSSL's internal linked-list of loaded +iterating across OpenSSL\*(Aqs internal linked\-list of loaded ENGINEs, reading information about an ENGINE, etc. Essentially a structural reference is sufficient if you only need to query or manipulate the data of an ENGINE implementation rather than use its functionality. 
@@ -298,20 +301,20 @@ It should also be noted that many ENGINE API function calls that accept a structural reference will internally obtain another reference \- typically this happens whenever the supplied ENGINE will be needed by OpenSSL after the function has returned. Eg. the function to add a new ENGINE to -OpenSSL's internal list is \fBENGINE_add()\fR \- if this function returns success, +OpenSSL\*(Aqs internal list is \fBENGINE_add()\fR \- if this function returns success, then OpenSSL will have stored a new structural reference internally so the caller is still responsible for freeing their own reference with \&\fBENGINE_free()\fR when they are finished with it. In a similar way, some functions will automatically release the structural reference passed to it -if part of the function's job is to do so. Eg. the \fBENGINE_get_next()\fR and +if part of the function\*(Aqs job is to do so. Eg. the \fBENGINE_get_next()\fR and \&\fBENGINE_get_prev()\fR functions are used for iterating across the internal ENGINE list \- they will return a new structural reference to the next (or previous) ENGINE in the list or NULL if at the end (or beginning) of the list, but in either case the structural reference passed to the function is released on behalf of the caller. .PP -To clarify a particular function's handling of references, one should -always consult that function's documentation "man" page, or failing that +To clarify a particular function\*(Aqs handling of references, one should +always consult that function\*(Aqs documentation "man" page, or failing that the \fI<openssl/engine.h>\fR header file includes some hints. .PP \&\fIFunctional references\fR 
@@ -324,7 +327,7 @@ operational ENGINE for a given cryptographic purpose. .PP To obtain a functional reference from an existing structural reference, call the \fBENGINE_init()\fR function. This returns zero if the ENGINE was not -already operational and couldn't be successfully initialised (e.g. lack of +already operational and couldn\*(Aqt be successfully initialised (e.g. lack of system drivers, no special hardware attached, etc), otherwise it will return nonzero to indicate that the ENGINE is now operational and will have allocated a new \fBfunctional\fR reference to the ENGINE. All functional @@ -336,17 +339,17 @@ default implementation for a given task, e.g. by \fBENGINE_get_default_RSA()\fR, \&\fBENGINE_get_default_cipher_engine()\fR, etc. These are discussed in the next section, though they are not usually required by application programmers as they are used automatically when creating and using the relevant -algorithm-specific types in OpenSSL, such as RSA, DSA, EVP_CIPHER_CTX, etc. +algorithm\-specific types in OpenSSL, such as RSA, DSA, EVP_CIPHER_CTX, etc. .SS "Default implementations" .IX Subsection "Default implementations" For each supported abstraction, the ENGINE code maintains an internal table of state to control which implementations are available for a given abstraction and which should be used by default. These implementations are -registered in the tables and indexed by an 'nid' value, because +registered in the tables and indexed by an \*(Aqnid\*(Aq value, because abstractions like EVP_CIPHER and EVP_DIGEST support many distinct algorithms and modes, and ENGINEs can support arbitrarily many of them. In the case of other abstractions like RSA, DSA, etc, there is only one -"algorithm" so all implementations implicitly register using the same 'nid' +"algorithm" so all implementations implicitly register using the same \*(Aqnid\*(Aq index. .PP When a default ENGINE is requested for a given abstraction/algorithm/mode, (e.g. 
@@ -365,16 +368,16 @@ table trying to initialise each of them in turn, in case one of them is operational. If it returns a functional reference to an ENGINE, it will also cache another reference to speed up processing future queries (without needing to iterate across the table). Likewise, it will cache a NULL -response if no ENGINE was available so that future queries won't repeat the +response if no ENGINE was available so that future queries won\*(Aqt repeat the same iteration unless the state table changes. This behaviour can also be changed; if the ENGINE_TABLE_FLAG_NOINIT flag is set (using \&\fBENGINE_set_table_flags()\fR), no attempted initialisations will take place, -instead the only way for the state table to return a non-NULL ENGINE to the +instead the only way for the state table to return a non\-NULL ENGINE to the "get_default" query will be if one is expressly set in the table. Eg. \&\fBENGINE_set_default_RSA()\fR does the same job as \fBENGINE_register_RSA()\fR except -that it also sets the state table's cached response for the "get_default" +that it also sets the state table\*(Aqs cached response for the "get_default" query. In the case of abstractions like EVP_CIPHER, where implementations are -indexed by 'nid', these flags and cached-responses are distinct for each 'nid' +indexed by \*(Aqnid\*(Aq, these flags and cached\-responses are distinct for each \*(Aqnid\*(Aq value. .SS "Application requirements" .IX Subsection "Application requirements" 
@@ -383,7 +386,7 @@ support to make the most useful elements of the ENGINE functionality available to the user. The first thing to consider is whether the programmer wishes to make alternative ENGINE modules available to the application and user. OpenSSL maintains an internal linked list of -"visible" ENGINEs from which it has to operate \- at start-up, this list is +"visible" ENGINEs from which it has to operate \- at start\-up, this list is empty and in fact if an application does not call any ENGINE API calls and it uses static linking against openssl, then the resulting application binary will not contain any alternative ENGINE code at all. So the first 
@@ -392,18 +395,18 @@ made visible to OpenSSL \- this is controlled by calling the various "load" functions. .PP The fact that ENGINEs are made visible to OpenSSL (and thus are linked into -the program and loaded into memory at run-time) does not mean they are +the program and loaded into memory at run\-time) does not mean they are "registered" or called into use by OpenSSL automatically \- that behaviour is something for the application to control. Some applications will want to allow the user to specify exactly which ENGINE they want used if any is to be used at all. Others may prefer to load all support and have -OpenSSL automatically use at run-time any ENGINE that is able to +OpenSSL automatically use at run\-time any ENGINE that is able to successfully initialise \- i.e. to assume that this corresponds to acceleration hardware attached to the machine or some such thing. There are probably numerous other ways in which applications may prefer to handle things, so we will simply illustrate the consequences as they apply to a couple of simple cases and leave developers to consider these and the -source code to openssl's built-in utilities as guides. +source code to openssl\*(Aqs built\-in utilities as guides. .PP If no ENGINE API functions are called within an application, then OpenSSL will not allocate any internal resources. Prior to OpenSSL 1.1.0, however, 
@@ -412,11 +415,11 @@ call \fBENGINE_cleanup()\fR before the program exits. .PP \&\fIUsing a specific ENGINE implementation\fR .PP -Here we'll assume an application has been configured by its user or admin +Here we\*(Aqll assume an application has been configured by its user or admin to want to use the "ACME" ENGINE if it is available in the version of OpenSSL the application was compiled with. If it is available, it should be used by default for all RSA, DSA, and symmetric cipher operations, otherwise -OpenSSL should use its built-in software as per usual. The following code +OpenSSL should use its built\-in software as per usual. The following code illustrates how to approach this; .PP .Vb 10 @@ -446,9 +449,9 @@ illustrates how to approach this; \& ENGINE_free(e); .Ve .PP -\&\fIAutomatically using built-in ENGINE implementations\fR +\&\fIAutomatically using built\-in ENGINE implementations\fR .PP -Here we'll assume we want to load and register all ENGINE implementations +Here we\*(Aqll assume we want to load and register all ENGINE implementations bundled with OpenSSL, such that for any cryptographic algorithm required by OpenSSL \- if there is an ENGINE that implements it and can be initialised, it should be used. The following code illustrates how this can work; @@ -460,7 +463,7 @@ it should be used. The following code illustrates how this can work; \& ENGINE_register_all_complete(); .Ve .PP -That's all that's required. Eg. the next time OpenSSL tries to set up an +That\*(Aqs all that\*(Aqs required. Eg. the next time OpenSSL tries to set up an RSA key, any bundled ENGINEs that implement RSA_METHOD will be passed to \&\fBENGINE_init()\fR and if any of those succeed, that ENGINE will be set as the default for RSA use from then on. 
@@ -469,7 +472,7 @@ default for RSA use from then on. There is a mechanism supported by the ENGINE framework that allows each ENGINE implementation to define an arbitrary set of configuration "commands" and expose them to OpenSSL and any applications based on -OpenSSL. This mechanism is entirely based on the use of name-value pairs +OpenSSL. This mechanism is entirely based on the use of name\-value pairs and assumes ASCII input (no unicode or UTF for now!), so it is ideal if applications want to provide a transparent way for users to provide arbitrary configuration "directives" directly to such ENGINEs. It is also 
@@ -488,22 +491,22 @@ control commands; the first is to provide the necessary details to the implementation (which may know nothing at all specific to the host system) so that it can be initialised for use. This could include the path to any driver or config files it needs to load, required network addresses, -smart-card identifiers, passwords to initialise protected devices, +smart\-card identifiers, passwords to initialise protected devices, logging information, etc etc. This class of commands typically needs to be passed to an ENGINE \fBbefore\fR attempting to initialise it, i.e. before calling \fBENGINE_init()\fR. The other class of commands consist of settings or operations that tweak certain behaviour or cause certain operations to take place, and these commands may work either before or after \fBENGINE_init()\fR, or in some cases both. ENGINE implementations should provide indications of -this in the descriptions attached to built-in control commands and/or in +this in the descriptions attached to built\-in control commands and/or in external product documentation. .PP \&\fIIssuing control commands to an ENGINE\fR .PP -Let's illustrate by example; a function for which the caller supplies the -name of the ENGINE it wishes to use, a table of string-pairs for use before +Let\*(Aqs illustrate by example; a function for which the caller supplies the +name of the ENGINE it wishes to use, a table of string\-pairs for use before initialisation, and another table for use after initialisation. Note that -the string-pairs used for control commands consist of a command "name" +the string\-pairs used for control commands consist of a command "name" followed by the command "parameter" \- the parameter could be NULL in some cases but the name can not. This function should initialise the ENGINE (issuing the "pre" commands beforehand and the "post" commands afterwards) 
@@ -554,18 +557,18 @@ boolean success or failure. Note that \fBENGINE_ctrl_cmd_string()\fR accepts a boolean argument that can relax the semantics of the function \- if set nonzero it will only return failure if the ENGINE supported the given command name but failed while -executing it, if the ENGINE doesn't support the command name it will simply +executing it, if the ENGINE doesn\*(Aqt support the command name it will simply return success without doing anything. In this case we assume the user is only supplying commands specific to the given ENGINE so we set this to FALSE. .PP \&\fIDiscovering supported control commands\fR .PP -It is possible to discover at run-time the names, numerical-ids, descriptions +It is possible to discover at run\-time the names, numerical\-ids, descriptions and input parameters of the control commands supported by an ENGINE using a structural reference. Note that some control commands are defined by OpenSSL itself and it will intercept and handle these control commands on behalf of the -ENGINE, i.e. the ENGINE's \fBctrl()\fR handler is not used for the control command. +ENGINE, i.e. the ENGINE\*(Aqs \fBctrl()\fR handler is not used for the control command. \&\fI<openssl/engine.h>\fR defines an index, ENGINE_CMD_BASE, that all control commands implemented by ENGINEs should be numbered from. Any command value lower than this symbol is considered a "generic" command is handled directly 
@@ -590,9 +593,9 @@ Whilst these commands are automatically processed by the OpenSSL framework code, they use various properties exposed by each ENGINE to process these queries. An ENGINE has 3 properties it exposes that can affect how this behaves; it can supply a \fBctrl()\fR handler, it can specify ENGINE_FLAGS_MANUAL_CMD_CTRL in -the ENGINE's flags, and it can expose an array of control command descriptions. +the ENGINE\*(Aqs flags, and it can expose an array of control command descriptions. If an ENGINE specifies the ENGINE_FLAGS_MANUAL_CMD_CTRL flag, then it will -simply pass all these "core" control commands directly to the ENGINE's \fBctrl()\fR +simply pass all these "core" control commands directly to the ENGINE\*(Aqs \fBctrl()\fR handler (and thus, it must have supplied one), so it is up to the ENGINE to reply to these "discovery" commands itself. If that flag is not set, then the OpenSSL framework code will work with the following rules: @@ -609,7 +612,7 @@ OpenSSL framework code will work with the following rules: \& all other commands proceed processing ... .Ve .PP -If the ENGINE's array of control commands is empty then all other commands will +If the ENGINE\*(Aqs array of control commands is empty then all other commands will fail, otherwise; ENGINE_CTRL_GET_FIRST_CMD_TYPE returns the identifier of the first command supported by the ENGINE, ENGINE_GET_NEXT_CMD_TYPE takes the identifier of a command supported by the ENGINE and returns the next command @@ -619,7 +622,7 @@ command name exists, and the remaining commands take a command identifier and return properties of the corresponding commands. All except ENGINE_CTRL_GET_FLAGS return the string length of a command name or description, or populate a supplied character buffer with a copy of the command name or -description. ENGINE_CTRL_GET_FLAGS returns a bitwise-OR'd mask of the following +description. ENGINE_CTRL_GET_FLAGS returns a bitwise\-OR\*(Aqd mask of the following possible values: .PP .Vb 4 
@@ -631,8 +634,8 @@ possible values: .PP If the ENGINE_CMD_FLAG_INTERNAL flag is set, then any other flags are purely informational to the caller \- this flag will prevent the command being usable -for any higher-level ENGINE functions such as \fBENGINE_ctrl_cmd_string()\fR. -"INTERNAL" commands are not intended to be exposed to text-based configuration +for any higher\-level ENGINE functions such as \fBENGINE_ctrl_cmd_string()\fR. +"INTERNAL" commands are not intended to be exposed to text\-based configuration by applications, administrations, users, etc. These can support arbitrary operations via \fBENGINE_ctrl()\fR, including passing to and/or from the control commands data of any arbitrary type. These commands are supported in the @@ -646,7 +649,7 @@ extension). .IP \fBOPENSSL_ENGINES\fR 4 .IX Item "OPENSSL_ENGINES" The path to the engines directory. -Ignored in set-user-ID and set-group-ID programs. +Ignored in set\-user\-ID and set\-group\-ID programs. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBENGINE_get_first()\fR, \fBENGINE_get_last()\fR, \fBENGINE_get_next()\fR and \fBENGINE_get_prev()\fR @@ -712,7 +715,7 @@ error occurred. \&\fBENGINE_get_flags()\fR returns an integer representing the ENGINE flags which are used to control various behaviours of an ENGINE. .PP -\&\fBENGINE_get_cmd_defns()\fR returns an \fBENGINE_CMD_DEFN\fR structure or NULL if it's +\&\fBENGINE_get_cmd_defns()\fR returns an \fBENGINE_CMD_DEFN\fR structure or NULL if it\*(Aqs not set. .PP \&\fBENGINE_load_private_key()\fR and \fBENGINE_load_public_key()\fR return a valid \fBEVP_PKEY\fR diff --git a/secure/lib/libcrypto/man/man3/ERR_GET_LIB.3 b/secure/lib/libcrypto/man/man3/ERR_GET_LIB.3 index 11cb0f7b10c4..17b30536b527 100644 --- a/secure/lib/libcrypto/man/man3/ERR_GET_LIB.3 +++ b/secure/lib/libcrypto/man/man3/ERR_GET_LIB.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ERR_GET_LIB 3ossl" -.TH ERR_GET_LIB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ERR_GET_LIB 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -85,12 +88,12 @@ and \fBERR_GET_REASON()\fR can be used to extract these. The library number describes where the error occurred, the reason code is the information about what went wrong. .PP -Each sub-library of OpenSSL has a unique library number; the -reason code is unique within each sub-library. Note that different +Each sub\-library of OpenSSL has a unique library number; the +reason code is unique within each sub\-library. Note that different libraries may use the same value to signal different reasons. .PP \&\fBERR_R_...\fR reason codes such as \fBERR_R_MALLOC_FAILURE\fR are globally -unique. However, when checking for sub-library specific reason codes, +unique. However, when checking for sub\-library specific reason codes, be sure to also compare the library number. .PP \&\fBERR_GET_LIB()\fR, \fBERR_GET_REASON()\fR, and \fBERR_FATAL_ERROR()\fR are macros. diff --git a/secure/lib/libcrypto/man/man3/ERR_clear_error.3 b/secure/lib/libcrypto/man/man3/ERR_clear_error.3 index 6fed0f11268f..65fdc4836dba 100644 --- a/secure/lib/libcrypto/man/man3/ERR_clear_error.3 +++ b/secure/lib/libcrypto/man/man3/ERR_clear_error.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ERR_CLEAR_ERROR 3ossl" -.TH ERR_CLEAR_ERROR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ERR_CLEAR_ERROR 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -71,7 +74,7 @@ ERR_clear_error \- clear the error queue .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBERR_clear_error()\fR empties the current thread's error queue. +\&\fBERR_clear_error()\fR empties the current thread\*(Aqs error queue. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBERR_clear_error()\fR has no return value. diff --git a/secure/lib/libcrypto/man/man3/ERR_error_string.3 b/secure/lib/libcrypto/man/man3/ERR_error_string.3 index 2f6366df534c..32249647affb 100644 --- a/secure/lib/libcrypto/man/man3/ERR_error_string.3 +++ b/secure/lib/libcrypto/man/man3/ERR_error_string.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ERR_ERROR_STRING 3ossl" -.TH ERR_ERROR_STRING 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ERR_ERROR_STRING 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -83,11 +86,11 @@ Deprecated in OpenSSL 3.0: .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBERR_error_string()\fR generates a human-readable string representing the +\&\fBERR_error_string()\fR generates a human\-readable string representing the error code \fIe\fR, and places it at \fIbuf\fR. \fIbuf\fR must be at least 256 bytes long. If \fIbuf\fR is \fBNULL\fR, the error string is placed in a static buffer. -Note that this function is not thread-safe and does no checks on the size +Note that this function is not thread\-safe and does no checks on the size of the buffer; use \fBERR_error_string_n()\fR instead. .PP \&\fBERR_error_string_n()\fR is a variant of \fBERR_error_string()\fR that writes diff --git a/secure/lib/libcrypto/man/man3/ERR_get_error.3 b/secure/lib/libcrypto/man/man3/ERR_get_error.3 index 92346798a406..9d7dd34ba52e 100644 --- a/secure/lib/libcrypto/man/man3/ERR_get_error.3 +++ b/secure/lib/libcrypto/man/man3/ERR_get_error.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ERR_GET_ERROR 3ossl" -.TH ERR_GET_ERROR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ERR_GET_ERROR 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -112,19 +115,19 @@ see \fBopenssl_user_macros\fR\|(7): .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBERR_get_error()\fR returns the earliest error code from the thread's error +\&\fBERR_get_error()\fR returns the earliest error code from the thread\*(Aqs error queue and removes the entry. This function can be called repeatedly until there are no more error codes to return. .PP -\&\fBERR_peek_error()\fR returns the earliest error code from the thread's +\&\fBERR_peek_error()\fR returns the earliest error code from the thread\*(Aqs error queue without modifying it. .PP -\&\fBERR_peek_last_error()\fR returns the latest error code from the thread's +\&\fBERR_peek_last_error()\fR returns the latest error code from the thread\*(Aqs error queue without modifying it. .PP See \fBERR_GET_LIB\fR\|(3) for obtaining further specific information such as the reason of the error, -and \fBERR_error_string\fR\|(3) for human-readable error messages. +and \fBERR_error_string\fR\|(3) for human\-readable error messages. .PP \&\fBERR_get_error_all()\fR is the same as \fBERR_get_error()\fR, but on success it additionally stores the filename, line number and function where the error diff --git a/secure/lib/libcrypto/man/man3/ERR_load_crypto_strings.3 b/secure/lib/libcrypto/man/man3/ERR_load_crypto_strings.3 index 758a1a359705..32dbda3dfa46 100644 --- a/secure/lib/libcrypto/man/man3/ERR_load_crypto_strings.3 +++ b/secure/lib/libcrypto/man/man3/ERR_load_crypto_strings.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ERR_LOAD_CRYPTO_STRINGS 3ossl" -.TH ERR_LOAD_CRYPTO_STRINGS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ERR_LOAD_CRYPTO_STRINGS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ERR_load_strings.3 b/secure/lib/libcrypto/man/man3/ERR_load_strings.3 index a7ecca4af127..b81cc0a7298f 100644 --- a/secure/lib/libcrypto/man/man3/ERR_load_strings.3 +++ b/secure/lib/libcrypto/man/man3/ERR_load_strings.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ERR_LOAD_STRINGS 3ossl" -.TH ERR_LOAD_STRINGS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ERR_LOAD_STRINGS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ERR_new.3 b/secure/lib/libcrypto/man/man3/ERR_new.3 index 4c4f1e259ec5..e0aba0634aaf 100644 
--- a/secure/lib/libcrypto/man/man3/ERR_new.3 +++ b/secure/lib/libcrypto/man/man3/ERR_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ERR_NEW 3ossl" -.TH ERR_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ERR_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -80,10 +83,10 @@ rather through macros such as \fBERR_raise\fR\|(3). They can still be useful for anyone that wants to make their own macros. .PP -\&\fBERR_new()\fR allocates a new slot in the thread's error queue. +\&\fBERR_new()\fR allocates a new slot in the thread\*(Aqs error queue. .PP \&\fBERR_set_debug()\fR sets the debug information related to the current -error in the thread's error queue. +error in the thread\*(Aqs error queue. The values that can be given are the filename \fIfile\fR, line in the file \fIline\fR and the name of the function \fIfunc\fR where the error occurred. diff --git a/secure/lib/libcrypto/man/man3/ERR_print_errors.3 b/secure/lib/libcrypto/man/man3/ERR_print_errors.3 index 7aeccac9086d..f6fb14a9305e 100644 --- a/secure/lib/libcrypto/man/man3/ERR_print_errors.3 +++ b/secure/lib/libcrypto/man/man3/ERR_print_errors.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ERR_PRINT_ERRORS 3ossl" -.TH ERR_PRINT_ERRORS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ERR_PRINT_ERRORS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ERR_put_error.3 b/secure/lib/libcrypto/man/man3/ERR_put_error.3 index 47ddb8c28e8c..eaabb580bd36 100644 --- a/secure/lib/libcrypto/man/man3/ERR_put_error.3 +++ b/secure/lib/libcrypto/man/man3/ERR_put_error.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ERR_PUT_ERROR 3ossl" -.TH ERR_PUT_ERROR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ERR_PUT_ERROR 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -88,7 +91,7 @@ see \fBopenssl_user_macros\fR\|(7): .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBERR_raise()\fR adds a new error to the thread's error queue. The +\&\fBERR_raise()\fR adds a new error to the thread\*(Aqs error queue. The error occurred in the library \fBlib\fR for the reason given by the \&\fBreason\fR code. Furthermore, the name of the file, the line, and name of the function where the error occurred is saved with the error 
@@ -98,7 +101,7 @@ record. caller specify additional information as a format string \fBfmt\fR and an arbitrary number of values, which are processed with \fBBIO_snprintf\fR\|(3). .PP -\&\fBERR_put_error()\fR adds an error code to the thread's error queue. It +\&\fBERR_put_error()\fR adds an error code to the thread\*(Aqs error queue. It signals that the error of reason code \fBreason\fR occurred in function \&\fBfunc\fR of library \fBlib\fR, in line number \fBline\fR of \fBfile\fR. This function is usually called by a macro. @@ -120,23 +123,23 @@ it is split over sufficiently many new copies of the last error queue entry. .PP \&\fBERR_add_error_mem_bio()\fR is the same as \fBERR_add_error_txt()\fR except that the text string is taken from the given memory BIO. -It appends '\e0' to the BIO contents if not already NUL-terminated. +It appends \*(Aq\e0\*(Aq to the BIO contents if not already NUL\-terminated. .PP \&\fBERR_load_strings\fR\|(3) can be used to register -error strings so that the application can a generate human-readable +error strings so that the application can a generate human\-readable error messages for the error code. .SS "Reporting errors" .IX Subsection "Reporting errors" \fIOpenSSL library reports\fR .IX Subsection "OpenSSL library reports" .PP -Each OpenSSL sub-library has library code \fBERR_LIB_XXX\fR and has its own set +Each OpenSSL sub\-library has library code \fBERR_LIB_XXX\fR and has its own set of reason codes \fBXXX_R_...\fR. These are both passed in combination to \&\fBERR_raise()\fR and \fBERR_raise_data()\fR, and the combination ultimately produces the correct error text for the reported error. .PP All these macros and the numbers they have as values are specific to -OpenSSL's libraries. OpenSSL reason codes normally consist of textual error +OpenSSL\*(Aqs libraries. OpenSSL reason codes normally consist of textual error descriptions. For example, the function \fBssl3_read_bytes()\fR reports a "handshake failure" as follows: .PP 
@@ -157,7 +160,7 @@ be \fBerrno\fR\|(3). .IP \fBERR_R_XXX\fR 4 .IX Item "ERR_R_XXX" This set of error codes is considered global, and may be used in combination -with any sub-library code. +with any sub\-library code. .Sp .Vb 1 \& ERR_raise(ERR_LIB_RSA, ERR_R_PASSED_INVALID_ARGUMENT); @@ -166,7 +169,7 @@ with any sub-library code. \fIOther pieces of software\fR .IX Subsection "Other pieces of software" .PP -Other pieces of software that may want to use OpenSSL's error reporting +Other pieces of software that may want to use OpenSSL\*(Aqs error reporting system, such as engines or applications, must normally get their own numbers. .IP \(bu 4 diff --git a/secure/lib/libcrypto/man/man3/ERR_remove_state.3 b/secure/lib/libcrypto/man/man3/ERR_remove_state.3 index b29bfd79b080..23957a214a59 100644 --- a/secure/lib/libcrypto/man/man3/ERR_remove_state.3 +++ b/secure/lib/libcrypto/man/man3/ERR_remove_state.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ERR_REMOVE_STATE 3ossl" -.TH ERR_REMOVE_STATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ERR_REMOVE_STATE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/ERR_set_mark.3 b/secure/lib/libcrypto/man/man3/ERR_set_mark.3 index 68bc094fa9d6..53e794461853 100644 --- a/secure/lib/libcrypto/man/man3/ERR_set_mark.3 +++ b/secure/lib/libcrypto/man/man3/ERR_set_mark.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "ERR_SET_MARK 3ossl" -.TH ERR_SET_MARK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH ERR_SET_MARK 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_ASYM_CIPHER_free.3 b/secure/lib/libcrypto/man/man3/EVP_ASYM_CIPHER_free.3 index 521b47659e49..8a6e5a20acf0 100644 --- a/secure/lib/libcrypto/man/man3/EVP_ASYM_CIPHER_free.3 +++ b/secure/lib/libcrypto/man/man3/EVP_ASYM_CIPHER_free.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_ASYM_CIPHER_FREE 3ossl" -.TH EVP_ASYM_CIPHER_FREE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_ASYM_CIPHER_FREE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -110,7 +113,7 @@ structure is freed. If the argument is NULL, nothing is done. \&\fBEVP_ASYM_CIPHER\fR structure. .PP \&\fBEVP_ASYM_CIPHER_is_a()\fR returns 1 if \fIcipher\fR is an implementation of an -algorithm that's identifiable with \fIname\fR, otherwise 0. +algorithm that\*(Aqs identifiable with \fIname\fR, otherwise 0. .PP \&\fBEVP_ASYM_CIPHER_get0_provider()\fR returns the provider that \fIcipher\fR was fetched from. diff --git a/secure/lib/libcrypto/man/man3/EVP_BytesToKey.3 b/secure/lib/libcrypto/man/man3/EVP_BytesToKey.3 index a5bb1af62b0a..abf49819d0b1 100644 --- a/secure/lib/libcrypto/man/man3/EVP_BytesToKey.3 +++ b/secure/lib/libcrypto/man/man3/EVP_BytesToKey.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_BYTESTOKEY 3ossl" -.TH EVP_BYTESTOKEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_BYTESTOKEY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_app_data.3 b/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_app_data.3 new file mode 100644 index 000000000000..8ca9df970062 --- /dev/null +++ b/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_app_data.3 
@@ -0,0 +1,96 @@ +.\" -*- mode: troff; coding: utf-8 -*- +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>. +.ie n \{\ +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{\ +. if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +. \} +.\} +.rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l +.\" ======================================================================== +.\" +.IX Title "EVP_CIPHER_CTX_GET_APP_DATA 3ossl" +.TH EVP_CIPHER_CTX_GET_APP_DATA 3ossl 2026-04-07 3.5.6 OpenSSL +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. 
+.if n .ad l +.nh +.SH NAME +EVP_CIPHER_CTX_get_app_data, EVP_CIPHER_CTX_set_app_data \- Routines to +inspect and modify application data related to EVP_CIPHER_CTX +.SH SYNOPSIS +.IX Header "SYNOPSIS" +.Vb 1 +\& #include <openssl/evp.h> +\& +\& void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx); +\& void EVP_CIPHER_CTX_set_app_data(EVP_CIPHER_CTX *ctx, void *data); +.Ve +.SH DESCRIPTION +.IX Header "DESCRIPTION" +The functions \fBEVP_CIPHER_CTX_set_app_data()\fR and \fBEVP_CIPHER_CTX_get_app_data()\fR +associate an opaque, application\-defined pointer with an EVP_CIPHER_CTX object. +.PP +This pointer is not interpreted by the library and is reserved entirely for use +by the application. It may be used to store arbitrary context or state that +needs to be accessible wherever the corresponding EVP_CIPHER_CTX is available. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +The \fBEVP_CIPHER_CTX_get_app_data()\fR function returns a opaque pointer to the +current application data for the EVP_CIPHER_CTX. +.SH COPYRIGHT +.IX Header "COPYRIGHT" +Copyright 2026 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_cipher_data.3 b/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_cipher_data.3 index 0b19d485c9c0..76b5e4203303 100644 --- a/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_cipher_data.3 +++ b/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_cipher_data.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER_CTX_GET_CIPHER_DATA 3ossl" -.TH EVP_CIPHER_CTX_GET_CIPHER_DATA 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER_CTX_GET_CIPHER_DATA 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_original_iv.3 b/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_original_iv.3 index 369cb2dad790..a10c8213c202 100644 --- a/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_original_iv.3 +++ b/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_original_iv.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER_CTX_GET_ORIGINAL_IV 3ossl" -.TH EVP_CIPHER_CTX_GET_ORIGINAL_IV 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER_CTX_GET_ORIGINAL_IV 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -86,7 +89,7 @@ see \fBopenssl_user_macros\fR\|(7): .IX Header "DESCRIPTION" \&\fBEVP_CIPHER_CTX_get_original_iv()\fR and \fBEVP_CIPHER_CTX_get_updated_iv()\fR copy initialization vector (IV) information from the \fBEVP_CIPHER_CTX\fR into the -caller-supplied buffer. \fBEVP_CIPHER_CTX_get_iv_length\fR\|(3) can be used to +caller\-supplied buffer. \fBEVP_CIPHER_CTX_get_iv_length\fR\|(3) can be used to determine an appropriate buffer size, and if the supplied buffer is too small, an error will be returned (and no data copied). \&\fBEVP_CIPHER_CTX_get_original_iv()\fR accesses the ("original") IV that was diff --git a/secure/lib/libcrypto/man/man3/EVP_CIPHER_meth_new.3 b/secure/lib/libcrypto/man/man3/EVP_CIPHER_meth_new.3 index 52987c8f3ffb..df3445eb04de 100644 --- a/secure/lib/libcrypto/man/man3/EVP_CIPHER_meth_new.3 +++ b/secure/lib/libcrypto/man/man3/EVP_CIPHER_meth_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER_METH_NEW 3ossl" -.TH EVP_CIPHER_METH_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER_METH_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -149,7 +152,7 @@ This is only needed when the implemented cipher mode requires it. \&\fBEVP_CIPHER_meth_set_flags()\fR sets the flags to describe optional behaviours in the particular \fBcipher\fR. With the exception of cipher modes, of which only one may be present, -several flags can be or'd together. +several flags can be or\*(Aqd together. The available flags are: .IP "EVP_CIPH_STREAM_CIPHER, EVP_CIPH_ECB_MODE EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE, EVP_CIPH_CTR_MODE, EVP_CIPH_GCM_MODE, EVP_CIPH_CCM_MODE, EVP_CIPH_XTS_MODE, EVP_CIPH_WRAP_MODE, EVP_CIPH_OCB_MODE, EVP_CIPH_SIV_MODE" 4 .IX Item "EVP_CIPH_STREAM_CIPHER, EVP_CIPH_ECB_MODE EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE, EVP_CIPH_CTR_MODE, EVP_CIPH_GCM_MODE, EVP_CIPH_CCM_MODE, EVP_CIPH_XTS_MODE, EVP_CIPH_WRAP_MODE, EVP_CIPH_OCB_MODE, EVP_CIPH_SIV_MODE" 
@@ -163,32 +166,32 @@ Storing and initialising the IV is left entirely to the implementation. .IP EVP_CIPH_ALWAYS_CALL_INIT 4 .IX Item "EVP_CIPH_ALWAYS_CALL_INIT" -Set this if the implementation's \fBinit()\fR function should be called even +Set this if the implementation\*(Aqs \fBinit()\fR function should be called even if \fBkey\fR is \fBNULL\fR. .IP EVP_CIPH_CTRL_INIT 4 .IX Item "EVP_CIPH_CTRL_INIT" -Set this to have the implementation's \fBctrl()\fR function called with +Set this to have the implementation\*(Aqs \fBctrl()\fR function called with command code \fBEVP_CTRL_INIT\fR early in its setup. .IP EVP_CIPH_CUSTOM_KEY_LENGTH 4 .IX Item "EVP_CIPH_CUSTOM_KEY_LENGTH" Checking and setting the key length after creating the \fBEVP_CIPHER\fR is left to the implementation. Whenever someone uses \fBEVP_CIPHER_CTX_set_key_length()\fR on a -\&\fBEVP_CIPHER\fR with this flag set, the implementation's \fBctrl()\fR function +\&\fBEVP_CIPHER\fR with this flag set, the implementation\*(Aqs \fBctrl()\fR function will be called with the control code \fBEVP_CTRL_SET_KEY_LENGTH\fR and the key length in \fBarg\fR. .IP EVP_CIPH_NO_PADDING 4 .IX Item "EVP_CIPH_NO_PADDING" -Don't use standard block padding. +Don\*(Aqt use standard block padding. .IP EVP_CIPH_RAND_KEY 4 .IX Item "EVP_CIPH_RAND_KEY" Making a key with random content is left to the implementation. -This is done by calling the implementation's \fBctrl()\fR function with the +This is done by calling the implementation\*(Aqs \fBctrl()\fR function with the control code \fBEVP_CTRL_RAND_KEY\fR and the pointer to the key memory storage in \fBptr\fR. .IP EVP_CIPH_CUSTOM_COPY 4 .IX Item "EVP_CIPH_CUSTOM_COPY" -Set this to have the implementation's \fBctrl()\fR function called with +Set this to have the implementation\*(Aqs \fBctrl()\fR function called with command code \fBEVP_CTRL_COPY\fR at the end of \fBEVP_CIPHER_CTX_copy()\fR. 
The intended use is for further things to deal with after the implementation specific data block has been copied. @@ -223,7 +226,7 @@ This indicates that this is an AEAD cipher implementation. Allow interleaving of crypto blocks, a particular optimization only applicable to certain TLS ciphers. .PP -\&\fBEVP_CIPHER_meth_set_impl_ctx_size()\fR sets the size of the EVP_CIPHER's +\&\fBEVP_CIPHER_meth_set_impl_ctx_size()\fR sets the size of the EVP_CIPHER\*(Aqs implementation context so that it can be automatically allocated. .PP \&\fBEVP_CIPHER_meth_set_init()\fR sets the cipher init function for @@ -240,7 +243,7 @@ The cipher function is called by \fBEVP_CipherUpdate()\fR, \&\fBEVP_DecryptFinal_ex()\fR. .PP \&\fBEVP_CIPHER_meth_set_cleanup()\fR sets the function for \fBcipher\fR to do -extra cleanup before the method's private data structure is cleaned +extra cleanup before the method\*(Aqs private data structure is cleaned out and freed. Note that the cleanup function is passed a \fBEVP_CIPHER_CTX *\fR, the private data structure is then available with diff --git a/secure/lib/libcrypto/man/man3/EVP_DigestInit.3 b/secure/lib/libcrypto/man/man3/EVP_DigestInit.3 index c768ea135206..9e5adee1c760 100644 --- a/secure/lib/libcrypto/man/man3/EVP_DigestInit.3 +++ b/secure/lib/libcrypto/man/man3/EVP_DigestInit.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_DIGESTINIT 3ossl" -.TH EVP_DIGESTINIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_DIGESTINIT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -199,7 +202,7 @@ see \fBopenssl_user_macros\fR\|(7): .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP digest routines are a high-level interface to message digests, and +The EVP digest routines are a high\-level interface to message digests, and Extendable Output Functions (XOF). .PP The \fBEVP_MD\fR type is a structure for digest method implementation. @@ -246,7 +249,7 @@ If the argument is NULL, nothing is done. is the mechanism that should be used to set and get parameters that are used by providers.\fR .Sp -Performs digest-specific control actions on context \fIctx\fR. The control command +Performs digest\-specific control actions on context \fIctx\fR. The control command is indicated in \fIcmd\fR and any additional arguments in \fIp1\fR and \fIp2\fR. \&\fBEVP_MD_CTX_ctrl()\fR must be called after \fBEVP_DigestInit_ex2()\fR. Other restrictions may apply depending on the control type and digest implementation. 
@@ -280,18 +283,18 @@ Get a constant \fBOSSL_PARAM\fR\|(3) array that describes the retrievable parame that can be used with \fBEVP_MD_CTX_get_params()\fR. \fBEVP_MD_gettable_ctx_params()\fR returns the parameters that can be retrieved from the algorithm, whereas \&\fBEVP_MD_CTX_gettable_params()\fR returns the parameters that can be retrieved -in the context's current state. +in the context\*(Aqs current state. .IP "\fBEVP_MD_settable_ctx_params()\fR, \fBEVP_MD_CTX_settable_params()\fR" 4 .IX Item "EVP_MD_settable_ctx_params(), EVP_MD_CTX_settable_params()" Get a constant \fBOSSL_PARAM\fR\|(3) array that describes the settable parameters that can be used with \fBEVP_MD_CTX_set_params()\fR. \fBEVP_MD_settable_ctx_params()\fR returns the parameters that can be set from the algorithm, whereas \&\fBEVP_MD_CTX_settable_params()\fR returns the parameters that can be set in the -context's current state. +context\*(Aqs current state. .IP "\fBEVP_MD_CTX_set_flags()\fR, \fBEVP_MD_CTX_clear_flags()\fR, \fBEVP_MD_CTX_test_flags()\fR" 4 .IX Item "EVP_MD_CTX_set_flags(), EVP_MD_CTX_clear_flags(), EVP_MD_CTX_test_flags()" Sets, clears and tests \fIctx\fR flags. See "FLAGS" below for more information. -.IP "\fBEVP_Q_digest()\fR is a quick one-shot digest function." 4 +.IP "\fBEVP_Q_digest()\fR is a quick one\-shot digest function." 4 .IX Item "EVP_Q_digest() is a quick one-shot digest function." It hashes \fIdatalen\fR bytes of data at \fIdata\fR using the digest algorithm \&\fIname\fR, which is fetched using the optional \fIlibctx\fR and \fIpropq\fR parameters. 
@@ -321,7 +324,7 @@ Sets up digest context \fIctx\fR to use a digest \fItype\fR. \&\fItype\fR is typically supplied by a function such as \fBEVP_sha1()\fR, or a value explicitly fetched with \fBEVP_MD_fetch()\fR. .Sp -If \fIimpl\fR is non-NULL, its implementation of the digest \fItype\fR is used if +If \fIimpl\fR is non\-NULL, its implementation of the digest \fItype\fR is used if there is one, and if not, the default implementation is used. .Sp The \fItype\fR parameter can be NULL if \fIctx\fR has been already initialized @@ -344,7 +347,7 @@ application. After calling \fBEVP_DigestFinal_ex()\fR no additional calls to initialize a new digest operation. \fIctx\fR \fBMUST NOT\fR be NULL. .IP \fBEVP_DigestFinalXOF()\fR 4 .IX Item "EVP_DigestFinalXOF()" -Interfaces to extendable-output functions, XOFs, such as SHAKE128 and SHAKE256. +Interfaces to extendable\-output functions, XOFs, such as SHAKE128 and SHAKE256. It retrieves the digest value from \fIctx\fR and places it in \fIoutlen\fR\-sized \fIout\fR. After calling this function no additional calls to \fBEVP_DigestUpdate()\fR can be made, but \fBEVP_DigestInit_ex2()\fR can be called to initialize a new operation. @@ -366,7 +369,7 @@ useful if large amounts of data are to be hashed which only differ in the last few bytes. .IP \fBEVP_DigestInit()\fR 4 .IX Item "EVP_DigestInit()" -Behaves in the same way as \fBEVP_DigestInit_ex2()\fR except it doesn't set any +Behaves in the same way as \fBEVP_DigestInit_ex2()\fR except it doesn\*(Aqt set any parameters and calls \fBEVP_MD_CTX_reset()\fR so it cannot be used with an \fItype\fR of NULL. .IP \fBEVP_DigestFinal()\fR 4 
@@ -379,22 +382,22 @@ Similar to \fBEVP_MD_CTX_copy_ex()\fR except the destination \fIout\fR does not be initialized. .IP \fBEVP_MD_is_a()\fR 4 .IX Item "EVP_MD_is_a()" -Returns 1 if \fImd\fR is an implementation of an algorithm that's +Returns 1 if \fImd\fR is an implementation of an algorithm that\*(Aqs identifiable with \fIname\fR, otherwise 0. .Sp -If \fImd\fR is a legacy digest (it's the return value from the likes of +If \fImd\fR is a legacy digest (it\*(Aqs the return value from the likes of \&\fBEVP_sha256()\fR rather than the result of an \fBEVP_MD_fetch()\fR), only cipher names registered with the default library context (see \&\fBOSSL_LIB_CTX\fR\|(3)) will be considered. .IP \fBEVP_MD_xof()\fR 4 .IX Item "EVP_MD_xof()" -Returns 1 if \fImd\fR is an Extendable-output Function (XOF) otherwise it returns +Returns 1 if \fImd\fR is an Extendable\-output Function (XOF) otherwise it returns 0. SHAKE128 and SHAKE256 are XOF functions. It returns 0 for BLAKE2B algorithms. .IP "\fBEVP_MD_get0_name()\fR, \fBEVP_MD_CTX_get0_name()\fR" 4 .IX Item "EVP_MD_get0_name(), EVP_MD_CTX_get0_name()" Return the name of the given message digest. For fetched message -digests with multiple names, only one of them is returned; it's +digests with multiple names, only one of them is returned; it\*(Aqs recommended to use \fBEVP_MD_names_do_all()\fR instead. .IP \fBEVP_MD_names_do_all()\fR 4 .IX Item "EVP_MD_names_do_all()" 
@@ -472,7 +475,7 @@ Returns an \fBEVP_MD\fR structure when passed a digest name, a digest \fBNID\fR The \fBEVP_get_digestbyname()\fR function is present for backwards compatibility with OpenSSL prior to version 3 and is different to the \fBEVP_MD_fetch()\fR function since it does not attempt to "fetch" an implementation of the cipher. -Additionally, it only knows about digests that are built-in to OpenSSL and have +Additionally, it only knows about digests that are built\-in to OpenSSL and have an associated NID. Similarly \fBEVP_get_digestbynid()\fR and \fBEVP_get_digestbyobj()\fR also return objects without an associated implementation. .Sp @@ -524,7 +527,7 @@ It may be used by BLAKE2B\-512 to set the output length used by \&\fBEVP_DigestFinal_ex()\fR and \fBEVP_DigestFinal()\fR. .PP \&\fBEVP_MD_CTX_set_params()\fR can be used with the following OSSL_PARAM keys: -.IP """pad-type"" (\fBOSSL_DIGEST_PARAM_PAD_TYPE\fR) <unsigned integer>" 4 +.IP """pad\-type"" (\fBOSSL_DIGEST_PARAM_PAD_TYPE\fR) <unsigned integer>" 4 .IX Item """pad-type"" (OSSL_DIGEST_PARAM_PAD_TYPE) <unsigned integer>" Sets the padding type. It is used by the MDC2 algorithm. @@ -629,7 +632,7 @@ that the callback was not called for any names. .SH NOTES .IX Header "NOTES" The \fBEVP\fR interface to message digests should almost always be used in -preference to the low-level interfaces. This is because the code then becomes +preference to the low\-level interfaces. This is because the code then becomes transparent to the digest used and much more flexible. .PP New applications should use the SHA\-2 (such as \fBEVP_sha256\fR\|(3)) or the SHA\-3 
@@ -775,7 +778,7 @@ The \fBEVP_MD_type()\fR, \fBEVP_MD_nid()\fR, \fBEVP_MD_name()\fR, \fBEVP_MD_pkey \&\fBEVP_MD_size()\fR, \fBEVP_MD_block_size()\fR, \fBEVP_MD_flags()\fR, \fBEVP_MD_CTX_size()\fR, \&\fBEVP_MD_CTX_block_size()\fR, \fBEVP_MD_CTX_type()\fR, and \fBEVP_MD_CTX_md_data()\fR functions were renamed to include \f(CW\*(C`get\*(C'\fR or \f(CW\*(C`get0\*(C'\fR in their names in -OpenSSL 3.0, respectively. The old names are kept as non-deprecated +OpenSSL 3.0, respectively. The old names are kept as non\-deprecated alias macros. .PP The \fBEVP_MD_CTX_md()\fR function was deprecated in OpenSSL 3.0; use diff --git a/secure/lib/libcrypto/man/man3/EVP_DigestSignInit.3 b/secure/lib/libcrypto/man/man3/EVP_DigestSignInit.3 index 284a9acd5781..3414b09b0e9b 100644 --- a/secure/lib/libcrypto/man/man3/EVP_DigestSignInit.3 +++ b/secure/lib/libcrypto/man/man3/EVP_DigestSignInit.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_DIGESTSIGNINIT 3ossl" -.TH EVP_DIGESTSIGNINIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_DIGESTSIGNINIT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -83,7 +86,7 @@ EVP_DigestSignFinal, EVP_DigestSign \- EVP signing functions .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP signature routines are a high-level interface to digital signatures. +The EVP signature routines are a high\-level interface to digital signatures. Input data is digested first before the signing takes place. .PP \&\fBEVP_DigestSignInit_ex()\fR sets up signing context \fIctx\fR to use a digest @@ -126,7 +129,7 @@ See also \fBSM2\fR\|(7). .PP Only EVP_PKEY types that support signing can be used with these functions. This includes MAC algorithms where the MAC generation is considered as a form of -"signing". Built-in EVP_PKEY types supported by these functions are CMAC, +"signing". Built\-in EVP_PKEY types supported by these functions are CMAC, Poly1305, DSA, ECDSA, HMAC, RSA, SipHash, Ed25519 and Ed448. .PP Not all digests can be used for all key types. The following combinations apply. @@ -156,7 +159,7 @@ Supports any digest .IX Item "CMAC, Poly1305 and SipHash" Will ignore any digest provided. .PP -If RSA-PSS is used and restrictions apply then the digest must match. +If RSA\-PSS is used and restrictions apply then the digest must match. .PP \&\fBEVP_DigestSignInit()\fR works in the same way as \fBEVP_DigestSignInit_ex()\fR except that the \fImdname\fR parameter will be inferred from the supplied @@ -190,7 +193,7 @@ The error codes can be obtained from \fBERR_get_error\fR\|(3). .SH NOTES .IX Header "NOTES" The \fBEVP\fR interface to digital signatures should almost always be used in -preference to the low-level interfaces. This is because the code then becomes +preference to the low\-level interfaces. This is because the code then becomes transparent to the algorithm used and much more flexible. .PP \&\fBEVP_DigestSign()\fR is a one shot operation which signs a single block of data 
diff --git a/secure/lib/libcrypto/man/man3/EVP_DigestVerifyInit.3 b/secure/lib/libcrypto/man/man3/EVP_DigestVerifyInit.3 index fd3d18afcd24..e3548ea9b41b 100644 --- a/secure/lib/libcrypto/man/man3/EVP_DigestVerifyInit.3 +++ b/secure/lib/libcrypto/man/man3/EVP_DigestVerifyInit.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_DIGESTVERIFYINIT 3ossl" -.TH EVP_DIGESTVERIFYINIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_DIGESTVERIFYINIT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -82,7 +85,7 @@ EVP_DigestVerifyFinal, EVP_DigestVerify \- EVP signature verification functions .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP signature routines are a high-level interface to digital signatures. +The EVP signature routines are a high\-level interface to digital signatures. Input data is digested first before the signature verification takes place. .PP \&\fBEVP_DigestVerifyInit_ex()\fR sets up verification context \fBctx\fR to use a @@ -147,7 +150,7 @@ Supports any digest .IX Item "CMAC, Poly1305 and Siphash" Will ignore any digest provided. .PP -If RSA-PSS is used and restrictions apply then the digest must match. +If RSA\-PSS is used and restrictions apply then the digest must match. .PP \&\fBEVP_DigestVerifyInit()\fR works in the same way as \&\fBEVP_DigestVerifyInit_ex()\fR except that the \fBmdname\fR parameter will be 
@@ -179,7 +182,7 @@ The error codes can be obtained from \fBERR_get_error\fR\|(3). .SH NOTES .IX Header "NOTES" The \fBEVP\fR interface to digital signatures should almost always be used in -preference to the low-level interfaces. This is because the code then becomes +preference to the low\-level interfaces. This is because the code then becomes transparent to the algorithm used and much more flexible. .PP \&\fBEVP_DigestVerify()\fR is a one shot operation which verifies a single block of diff --git a/secure/lib/libcrypto/man/man3/EVP_EncodeInit.3 b/secure/lib/libcrypto/man/man3/EVP_EncodeInit.3 index 9b16686cf317..05712ab2e389 100644 --- a/secure/lib/libcrypto/man/man3/EVP_EncodeInit.3 +++ b/secure/lib/libcrypto/man/man3/EVP_EncodeInit.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_ENCODEINIT 3ossl" -.TH EVP_ENCODEINIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_ENCODEINIT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -88,7 +91,7 @@ EVP_DecodeBlock \- EVP base64 encode/decode routines .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP encode routines provide a high-level interface to base64 encoding and +The EVP encode routines provide a high\-level interface to base64 encoding and decoding. Base64 encoding converts binary data into a printable form that uses the characters A\-Z, a\-z, 0\-9, "+" and "/" to represent the data. For every 3 
@@ -116,7 +119,7 @@ will also be output. .PP \&\fBEVP_EncodeUpdate()\fR encode \fBinl\fR bytes of data found in the buffer pointed to by \&\fBin\fR. The output is stored in the buffer \fBout\fR and the number of bytes output -is stored in \fB*outl\fR. It is the caller's responsibility to ensure that the +is stored in \fB*outl\fR. It is the caller\*(Aqs responsibility to ensure that the buffer at \fBout\fR is sufficiently large to accommodate the output data. Only full blocks of data (48 bytes) will be immediately processed and output by this function. Any remainder is held in the \fBctx\fR object and will be processed by a @@ -133,7 +136,7 @@ returned. \&\fBEVP_EncodeFinal()\fR must be called at the end of an encoding operation. It will process any partial block of data remaining in the \fBctx\fR object. The output data will be stored in \fBout\fR and the length of the data written will be stored -in \fB*outl\fR. It is the caller's responsibility to ensure that \fBout\fR is +in \fB*outl\fR. It is the caller\*(Aqs responsibility to ensure that \fBout\fR is sufficiently large to accommodate the output data which will never be more than 65 bytes plus an additional NUL terminator (i.e. 66 bytes in total). .PP @@ -158,7 +161,7 @@ the data generated \fIwithout\fR the NUL terminator is returned from the functio pointed to by \fBin\fR. The output is stored in the buffer \fBout\fR and the number of bytes output is stored in \fB*outl\fR. -It is the caller's responsibility to ensure that the buffer at \fBout\fR is +It is the caller\*(Aqs responsibility to ensure that the buffer at \fBout\fR is sufficiently large to accommodate the output data. This function will attempt to decode as much data as possible in chunks of up to 80 base64 characters at a time. 
@@ -170,11 +173,11 @@ not buffered. .PP Any whitespace, newline or carriage return characters are ignored. For compatibility with \fBPEM\fR, the \fB\-\fR (hyphen) character is treated as a soft -end-of-input, subsequent bytes are not buffered, and the return value will be +end\-of\-input, subsequent bytes are not buffered, and the return value will be 0 to indicate that the end of the base64 input has been detected. -The soft end-of-input, if present, MUST occur after a multiple of 4 valid base64 +The soft end\-of\-input, if present, MUST occur after a multiple of 4 valid base64 input bytes. -The soft end-of-input condition is not remembered in \fBctx\fR, it is up to the +The soft end\-of\-input condition is not remembered in \fBctx\fR, it is up to the caller to avoid further calls to \fBEVP_DecodeUpdate()\fR after a 0 or negative (error) return. .PP @@ -184,7 +187,7 @@ character (\fB=\fR) is encountered in the middle of the data then A return value of 0 or 1 indicates successful processing of the data. A return value of 0 additionally indicates that the last 4 bytes processed ended with base64 padding (\fB=\fR), or that the next 4 byte group starts with the -soft end-of-input (\fB\-\fR) character, and therefore no more input data is +soft end\-of\-input (\fB\-\fR) character, and therefore no more input data is expected to be processed. .PP For every 4 valid base64 bytes processed (ignoring whitespace, carriage returns @@ -224,7 +227,7 @@ object or NULL on error. terminator. .PP \&\fBEVP_DecodeUpdate()\fR returns \-1 on error and 0 or 1 on success. If 0 is returned -then no more non-padding base64 characters are expected. +then no more non\-padding base64 characters are expected. .PP \&\fBEVP_DecodeFinal()\fR returns \-1 on error or 1 on success. .PP diff --git a/secure/lib/libcrypto/man/man3/EVP_EncryptInit.3 b/secure/lib/libcrypto/man/man3/EVP_EncryptInit.3 index 4026ef899f2a..664b588d448b 100644 --- a/secure/lib/libcrypto/man/man3/EVP_EncryptInit.3 
+++ b/secure/lib/libcrypto/man/man3/EVP_EncryptInit.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_ENCRYPTINIT 3ossl" -.TH EVP_ENCRYPTINIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_ENCRYPTINIT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -128,8 +131,6 @@ EVP_CIPHER_CTX_get_block_size, EVP_CIPHER_CTX_get_key_length, EVP_CIPHER_CTX_get_iv_length, EVP_CIPHER_CTX_get_tag_length, -EVP_CIPHER_CTX_get_app_data, -EVP_CIPHER_CTX_set_app_data, EVP_CIPHER_CTX_flags, EVP_CIPHER_CTX_set_flags, EVP_CIPHER_CTX_clear_flags, @@ -285,8 +286,6 @@ EVP_CIPHER_CTX_mode \& int EVP_CIPHER_CTX_get_key_length(const EVP_CIPHER_CTX *ctx); \& int EVP_CIPHER_CTX_get_iv_length(const EVP_CIPHER_CTX *ctx); \& int EVP_CIPHER_CTX_get_tag_length(const EVP_CIPHER_CTX *ctx); -\& void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx); -\& void EVP_CIPHER_CTX_set_app_data(const EVP_CIPHER_CTX *ctx, void *data); \& int EVP_CIPHER_CTX_get_type(const EVP_CIPHER_CTX *ctx); \& int EVP_CIPHER_CTX_get_mode(const EVP_CIPHER_CTX *ctx); \& int EVP_CIPHER_CTX_get_num(const EVP_CIPHER_CTX *ctx); @@ -336,7 +335,7 @@ see \fBopenssl_user_macros\fR\|(7): .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP cipher routines are a high-level interface to certain +The EVP cipher routines are a high\-level interface to certain symmetric ciphers. .PP The \fBEVP_CIPHER\fR type is a structure for cipher method implementation. 
@@ -380,7 +379,7 @@ Can be used to copy the cipher state from \fIin\fR to \fIout\fR. \&\fBEVP_CIPHER_CTX_get_params()\fR is the mechanism that should be used to set and get parameters that are used by providers. .Sp -Performs cipher-specific control actions on context \fIctx\fR. The control command +Performs cipher\-specific control actions on context \fIctx\fR. The control command is indicated in \fIcmd\fR and any additional arguments in \fIp1\fR and \fIp2\fR. \&\fBEVP_CIPHER_CTX_ctrl()\fR must be called after \fBEVP_CipherInit_ex2()\fR. Other restrictions may apply depending on the control type and cipher implementation. @@ -414,14 +413,14 @@ Get a constant \fBOSSL_PARAM\fR\|(3) array that describes the retrievable parame that can be used with \fBEVP_CIPHER_CTX_get_params()\fR. \&\fBEVP_CIPHER_gettable_ctx_params()\fR returns the parameters that can be retrieved from the algorithm, whereas \fBEVP_CIPHER_CTX_gettable_params()\fR returns the -parameters that can be retrieved in the context's current state. +parameters that can be retrieved in the context\*(Aqs current state. .IP "\fBEVP_CIPHER_settable_ctx_params()\fR and \fBEVP_CIPHER_CTX_settable_params()\fR" 4 .IX Item "EVP_CIPHER_settable_ctx_params() and EVP_CIPHER_CTX_settable_params()" Get a constant \fBOSSL_PARAM\fR\|(3) array that describes the settable parameters that can be used with \fBEVP_CIPHER_CTX_set_params()\fR. \&\fBEVP_CIPHER_settable_ctx_params()\fR returns the parameters that can be set from the algorithm, whereas \fBEVP_CIPHER_CTX_settable_params()\fR returns the parameters that -can be set in the context's current state. +can be set in the context\*(Aqs current state. .IP \fBEVP_EncryptInit_ex2()\fR 4 .IX Item "EVP_EncryptInit_ex2()" Sets up cipher context \fIctx\fR for encryption with cipher \fItype\fR. \fIctx\fR \fBMUST NOT\fR be NULL. 
@@ -445,10 +444,10 @@ exists. .IX Item "EVP_EncryptUpdate()" Encrypts \fIinl\fR bytes from the buffer \fIin\fR and writes the encrypted version to \&\fIout\fR. The pointers \fIout\fR and \fIin\fR may point to the same location, in which -case the encryption will be done in-place. However, in-place encryption is +case the encryption will be done in\-place. However, in\-place encryption is guaranteed to work only if the encryption context (\fIctx\fR) has processed data in multiples of the block size. If the context contains an incomplete data block -from previous operations, in-place encryption will fail. \fIctx\fR \fBMUST NOT\fR be NULL. +from previous operations, in\-place encryption will fail. \fIctx\fR \fBMUST NOT\fR be NULL. .Sp If \fIout\fR and \fIin\fR point to different locations, the two buffers must be disjoint, otherwise the operation might fail or the outcome might be undefined. @@ -489,7 +488,7 @@ identical to the encryption operations. \fIctx\fR \fBMUST NOT\fR be NULL. These functions can be used for decryption or encryption. The operation performed depends on the value of the \fIenc\fR parameter. It should be set to 1 for encryption, 0 for decryption and \-1 to leave the value unchanged -(the actual value of 'enc' being supplied in a previous call). +(the actual value of \*(Aqenc\*(Aq being supplied in a previous call). .IP \fBEVP_CipherInit_SKEY()\fR 4 .IX Item "EVP_CipherInit_SKEY()" This function is similar to \fBEVP_CipherInit_ex2()\fR but accepts a 
@@ -516,20 +515,20 @@ must be called to free any context resources. Encrypts or decrypts a maximum \fIinl\fR amount of bytes from \fIin\fR and leaves the result in \fIout\fR. .Sp -For legacy ciphers \- If the cipher doesn't have the flag +For legacy ciphers \- If the cipher doesn\*(Aqt have the flag \&\fBEVP_CIPH_FLAG_CUSTOM_CIPHER\fR set, then \fIinl\fR must be a multiple of -\&\fBEVP_CIPHER_get_block_size()\fR. If it isn't, the result is undefined. If the cipher +\&\fBEVP_CIPHER_get_block_size()\fR. If it isn\*(Aqt, the result is undefined. If the cipher has that flag set, then \fIinl\fR can be any size. .Sp -Due to the constraints of the API contract of this function it shouldn't be used +Due to the constraints of the API contract of this function it shouldn\*(Aqt be used in applications, please consider using \fBEVP_CipherUpdate()\fR and \&\fBEVP_CipherFinal_ex()\fR instead. .IP \fBEVP_CIPHER_can_pipeline()\fR 4 .IX Item "EVP_CIPHER_can_pipeline()" This function checks if a \fBEVP_CIPHER\fR fetched using \fBEVP_CIPHER_fetch()\fR supports cipher pipelining. If the cipher supports pipelining, it returns 1, otherwise 0. -This function will return 0 for non-fetched ciphers such as \fBEVP_aes_128_gcm()\fR. -There are currently no built-in ciphers that support pipelining. +This function will return 0 for non\-fetched ciphers such as \fBEVP_aes_128_gcm()\fR. +There are currently no built\-in ciphers that support pipelining. .Sp Cipher pipelining support allows an application to submit multiple chunks of data in one set of \fBEVP_CipherUpdate()\fR/EVP_CipherFinal calls, thereby allowing 
@@ -537,7 +536,7 @@ the provided implementation to take advantage of parallel computing. This is beneficial for hardware accelerators as pipeline amortizes the latency over multiple chunks. .Sp -For non-fetched ciphers, \fBEVP_CipherPipelineEncryptInit()\fR or +For non\-fetched ciphers, \fBEVP_CipherPipelineEncryptInit()\fR or \&\fBEVP_CipherPipelineDecryptInit()\fR may be directly called, which will perform a fetch and return an error if a pipeline supported implementation is not found. .IP "\fBEVP_CipherPipelineEncryptInit()\fR, \fBEVP_CipherPipelineDecryptInit()\fR, \fBEVP_CipherPipelineUpdate()\fR and \fBEVP_CipherPipelineFinal()\fR" 4 @@ -579,7 +578,7 @@ accessible via low level interfaces. The \fBEVP_get_cipherbyname()\fR function is present for backwards compatibility with OpenSSL prior to version 3 and is different to the \fBEVP_CIPHER_fetch()\fR function since it does not attempt to "fetch" an implementation of the cipher. -Additionally, it only knows about ciphers that are built-in to OpenSSL and have +Additionally, it only knows about ciphers that are built\-in to OpenSSL and have an associated NID. Similarly \fBEVP_get_cipherbynid()\fR and \fBEVP_get_cipherbyobj()\fR also return objects without an associated implementation. .Sp @@ -659,8 +658,8 @@ object identifier or does not have ASN1 support this function will return \&\fBNID_undef\fR. .IP \fBEVP_CIPHER_is_a()\fR 4 .IX Item "EVP_CIPHER_is_a()" -Returns 1 if \fIcipher\fR is an implementation of an algorithm that's identifiable -with \fIname\fR, otherwise 0. If \fIcipher\fR is a legacy cipher (it's the return +Returns 1 if \fIcipher\fR is an implementation of an algorithm that\*(Aqs identifiable +with \fIname\fR, otherwise 0. If \fIcipher\fR is a legacy cipher (it\*(Aqs the return value from the likes of \fBEVP_aes128()\fR rather than the result of an \&\fBEVP_CIPHER_fetch()\fR), only cipher names registered with the default library context (see \fBOSSL_LIB_CTX\fR\|(3)) will be considered. 
@@ -700,7 +699,7 @@ for a list of currently defined flags. .IP "\fBEVP_CIPHER_CTX_get_num()\fR and \fBEVP_CIPHER_CTX_set_num()\fR" 4 .IX Item "EVP_CIPHER_CTX_get_num() and EVP_CIPHER_CTX_set_num()" Gets or sets the cipher specific "num" parameter for the associated \fIctx\fR. -Built-in ciphers typically use this to track how much of the current underlying block +Built\-in ciphers typically use this to track how much of the current underlying block has been "used" already. .IP \fBEVP_CIPHER_CTX_is_encrypting()\fR 4 .IX Item "EVP_CIPHER_CTX_is_encrypting()" @@ -776,7 +775,7 @@ Use \fBEVP_CIPHER_get_block_size()\fR to retrieve the cached value. Gets 1 if this is an AEAD cipher algorithm, otherwise it gets 0. Use (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) to retrieve the cached value. -.IP """custom-iv"" (\fBOSSL_CIPHER_PARAM_CUSTOM_IV\fR) <integer>" 4 +.IP """custom\-iv"" (\fBOSSL_CIPHER_PARAM_CUSTOM_IV\fR) <integer>" 4 .IX Item """custom-iv"" (OSSL_CIPHER_PARAM_CUSTOM_IV) <integer>" Gets 1 if the cipher algorithm \fIcipher\fR has a custom IV, otherwise it gets 0. Storing and initializing the IV is left entirely to the implementation, if a 
@@ -791,19 +790,19 @@ This is currently used to indicate that the cipher is a one shot that only allows a single call to \fBEVP_CipherUpdate()\fR. Use (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_CTS) to retrieve the cached value. -.IP """tls-multi"" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK\fR) <integer>" 4 +.IP """tls\-multi"" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK\fR) <integer>" 4 .IX Item """tls-multi"" (OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK) <integer>" Gets 1 if the cipher algorithm \fIcipher\fR supports interleaving of crypto blocks, otherwise it gets 0. The interleaving is an optimization only applicable to certain TLS ciphers. Use (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) to retrieve the cached value. -.IP """has-randkey"" (\fBOSSL_CIPHER_PARAM_HAS_RANDKEY\fR) <integer>" 4 +.IP """has\-randkey"" (\fBOSSL_CIPHER_PARAM_HAS_RANDKEY\fR) <integer>" 4 .IX Item """has-randkey"" (OSSL_CIPHER_PARAM_HAS_RANDKEY) <integer>" Gets 1 if the cipher algorithm \fIcipher\fR supports the gettable EVP_CIPHER_CTX parameter \fBOSSL_CIPHER_PARAM_RANDOM_KEY\fR. Only DES and 3DES set this to 1, all other OpenSSL ciphers return 0. -.IP """decrypt-only"" (\fBOSSL_CIPHER_PARAM_DECRYPT_ONLY) <integer\fR" 4 +.IP """decrypt\-only"" (\fBOSSL_CIPHER_PARAM_DECRYPT_ONLY) <integer\fR" 4 .IX Item """decrypt-only"" (OSSL_CIPHER_PARAM_DECRYPT_ONLY) <integer" Gets 1 if the cipher algorithm \fIcipher\fR implementation supports only the decryption operation such as the 3DES ciphers in the fips provider. 
@@ -820,7 +819,7 @@ See also \fBEVP_CIPHER_CTX_set_padding()\fR. .IP """num"" (\fBOSSL_CIPHER_PARAM_NUM\fR) <unsigned integer>" 4 .IX Item """num"" (OSSL_CIPHER_PARAM_NUM) <unsigned integer>" Gets or sets the cipher specific "num" parameter for the cipher context \fIctx\fR. -Built-in ciphers typically use this to track how much of the current underlying +Built\-in ciphers typically use this to track how much of the current underlying block has been "used" already. See also \fBEVP_CIPHER_CTX_get_num()\fR and \fBEVP_CIPHER_CTX_set_num()\fR. .IP """keylen"" (\fBOSSL_CIPHER_PARAM_KEYLEN\fR) <unsigned integer>" 4 @@ -832,7 +831,7 @@ See also \fBEVP_CIPHER_CTX_get_key_length()\fR and \fBEVP_CIPHER_CTX_set_key_len .IX Item """tag"" (OSSL_CIPHER_PARAM_AEAD_TAG) <octet string>" Gets or sets the AEAD tag for the associated cipher context \fIctx\fR. See "AEAD INTERFACE" in \fBEVP_EncryptInit\fR\|(3). -.IP """pipeline-tag"" (\fBOSSL_CIPHER_PARAM_PIPELINE_AEAD_TAG\fR) <octet ptr>" 4 +.IP """pipeline\-tag"" (\fBOSSL_CIPHER_PARAM_PIPELINE_AEAD_TAG\fR) <octet ptr>" 4 .IX Item """pipeline-tag"" (OSSL_CIPHER_PARAM_PIPELINE_AEAD_TAG) <octet ptr>" Gets or sets the AEAD tag when using cipher pipelining. The pointer must point to an array of buffers, where the aead tag will be read from or written to. 
@@ -846,12 +845,12 @@ The length of the "keybits" parameter should not exceed that of a \fBsize_t\fR. .IX Item """rounds"" (OSSL_CIPHER_PARAM_ROUNDS) <unsigned integer>" Gets or sets the number of rounds to be used for a cipher. This is used by the RC5 cipher. -.IP """algorithm-id"" (\fBOSSL_CIPHER_PARAM_ALGORITHM_ID\fR) <octet string>" 4 +.IP """algorithm\-id"" (\fBOSSL_CIPHER_PARAM_ALGORITHM_ID\fR) <octet string>" 4 .IX Item """algorithm-id"" (OSSL_CIPHER_PARAM_ALGORITHM_ID) <octet string>" Used to get the DER encoded AlgorithmIdentifier from the cipher implementation. Functions like \fBEVP_PKEY_CTX_get_algor\fR\|(3) use this parameter. -.IP """algorithm-id-params"" (\fBOSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS\fR) <octet string>" 4 +.IP """algorithm\-id\-params"" (\fBOSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS\fR) <octet string>" 4 .IX Item """algorithm-id-params"" (OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS) <octet string>" Used to pass the DER encoded AlgorithmIdentifier parameter to or from the cipher implementation. @@ -859,7 +858,7 @@ Functions like \fBEVP_CIPHER_CTX_set_algor_params\fR\|(3) and \&\fBEVP_CIPHER_CTX_get_algor_params\fR\|(3) use this parameter. .IP """alg_id_params"" (\fBOSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD\fR) <octet string>" 4 .IX Item """alg_id_params"" (OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD) <octet string>" -An deprecated alias for "algorithm-id-params", only used by +An deprecated alias for "algorithm\-id\-params", only used by \&\fBEVP_CIPHER_param_to_asn1\fR\|(3) and \fBEVP_CIPHER_asn1_to_param\fR\|(3). .IP """cts_mode"" (\fBOSSL_CIPHER_PARAM_CTS_MODE\fR) <UTF8 string>" 4 .IX Item """cts_mode"" (OSSL_CIPHER_PARAM_CTS_MODE) <UTF8 string>" 
@@ -873,19 +872,19 @@ Valid values for the mode are: .IX Item """CS1""" The NIST variant of cipher text stealing. For input lengths that are multiples of the block size it is equivalent to -using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher otherwise the second last +using a "AES\-XXX\-CBC" or "CAMELLIA\-XXX\-CBC" cipher otherwise the second last cipher text block is a partial block. .IP """CS2""" 4 .IX Item """CS2""" For input lengths that are multiples of the block size it is equivalent to -using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher, otherwise it is the same as +using a "AES\-XXX\-CBC" or "CAMELLIA\-XXX\-CBC" cipher, otherwise it is the same as "CS3" mode. .IP """CS3""" 4 .IX Item """CS3""" The Kerberos5 variant of cipher text stealing which always swaps the last cipher text block with the previous block (which may be a partial or full block depending on the input length). If the input length is exactly one full block -then this is equivalent to using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher. +then this is equivalent to using a "AES\-XXX\-CBC" or "CAMELLIA\-XXX\-CBC" cipher. .RE .RS 4 .Sp 
@@ -909,9 +908,9 @@ See also \fBEVP_CIPHER_CTX_get_iv_length()\fR. .IX Item """iv"" (OSSL_CIPHER_PARAM_IV) <octet string OR octet ptr>" Gets the IV used to initialize the associated cipher context \fIctx\fR. See also \fBEVP_CIPHER_CTX_get_original_iv()\fR. -.IP """updated-iv"" (\fBOSSL_CIPHER_PARAM_UPDATED_IV\fR) <octet string OR octet ptr>" 4 +.IP """updated\-iv"" (\fBOSSL_CIPHER_PARAM_UPDATED_IV\fR) <octet string OR octet ptr>" 4 .IX Item """updated-iv"" (OSSL_CIPHER_PARAM_UPDATED_IV) <octet string OR octet ptr>" -Gets the updated pseudo-IV state for the associated cipher context, e.g., +Gets the updated pseudo\-IV state for the associated cipher context, e.g., the previous ciphertext block for CBC mode or the iteratively encrypted IV value for OFB mode. Note that octet pointer access is deprecated and is provided only for backwards compatibility with historical libcrypto APIs. 
@@ -947,17 +946,17 @@ The length of the "tls1multi_maxbufsz" parameter should not exceed that of a \fB .IP """tls1multi_aadpacklen"" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN\fR) <unsigned integer>" 4 .IX Item """tls1multi_aadpacklen"" (OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN) <unsigned integer>" Gets the result of running the "tls1multi_aad" operation. -.IP """tls-mac"" (\fBOSSL_CIPHER_PARAM_TLS_MAC\fR) <octet ptr>" 4 +.IP """tls\-mac"" (\fBOSSL_CIPHER_PARAM_TLS_MAC\fR) <octet ptr>" 4 .IX Item """tls-mac"" (OSSL_CIPHER_PARAM_TLS_MAC) <octet ptr>" Used to pass the TLS MAC data. -.IP """fips-indicator"" (\fBOSSL_CIPHER_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_CIPHER_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_CIPHER_PARAM_FIPS_APPROVED_INDICATOR) <integer>" This option is used by the OpenSSL FIPS provider. .Sp A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling a cipher final operation such as -\&\fBEVP_EncryptFinal_ex()\fR. It may return 0 if the "encrypt-check" option is set to 0. -.IP """iv-generated"" (\fBOSSL_CIPHER_PARAM_AEAD_IV_GENERATED\fR) <unsigned integer>" 4 +\&\fBEVP_EncryptFinal_ex()\fR. It may return 0 if the "encrypt\-check" option is set to 0. +.IP """iv\-generated"" (\fBOSSL_CIPHER_PARAM_AEAD_IV_GENERATED\fR) <unsigned integer>" 4 .IX Item """iv-generated"" (OSSL_CIPHER_PARAM_AEAD_IV_GENERATED) <unsigned integer>" An indicator that returns 1 if an IV was generated internally during encryption, or O otherwise. 
@@ -978,18 +977,18 @@ Sets the speed option for the associated cipher context. This is only supported by AES SIV ciphers which disallow multiple operations by default. Setting "speed" to 1 allows another encrypt or decrypt operation to be performed. This is used for performance testing. -.IP """use-bits"" (\fBOSSL_CIPHER_PARAM_USE_BITS\fR) <unsigned integer>" 4 +.IP """use\-bits"" (\fBOSSL_CIPHER_PARAM_USE_BITS\fR) <unsigned integer>" 4 .IX Item """use-bits"" (OSSL_CIPHER_PARAM_USE_BITS) <unsigned integer>" Determines if the input length \fIinl\fR passed to \fBEVP_EncryptUpdate()\fR, \&\fBEVP_DecryptUpdate()\fR and \fBEVP_CipherUpdate()\fR is the number of bits or number of bytes. -Setting "use-bits" to 1 uses bits. The default is in bytes. +Setting "use\-bits" to 1 uses bits. The default is in bytes. This is only used for \fBCFB1\fR ciphers. .Sp This can be set using EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS). -.IP """tls-version"" (\fBOSSL_CIPHER_PARAM_TLS_VERSION\fR) <integer>" 4 +.IP """tls\-version"" (\fBOSSL_CIPHER_PARAM_TLS_VERSION\fR) <integer>" 4 .IX Item """tls-version"" (OSSL_CIPHER_PARAM_TLS_VERSION) <integer>" Sets the TLS version. -.IP """tls-mac-size"" (\fBOSSL_CIPHER_PARAM_TLS_MAC_SIZE\fR) <unsigned integer>" 4 +.IP """tls\-mac\-size"" (\fBOSSL_CIPHER_PARAM_TLS_MAC_SIZE\fR) <unsigned integer>" 4 .IX Item """tls-mac-size"" (OSSL_CIPHER_PARAM_TLS_MAC_SIZE) <unsigned integer>" Set the TLS MAC size. .IP """tlsaad"" (\fBOSSL_CIPHER_PARAM_AEAD_TLS1_AAD\fR) <octet string>" 4 
@@ -1092,16 +1091,16 @@ The IEEE Std. 1619\-2007 variant of SM4\-XTS algorithm. .Sp The default value is "GB". .RE -.IP """encrypt-check"" (\fBOSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK\fR) <integer>" 4 +.IP """encrypt\-check"" (\fBOSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK\fR) <integer>" 4 .IX Item """encrypt-check"" (OSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK) <integer>" This option is used by the OpenSSL FIPS provider. .Sp If required this parameter should be set early via an cipher encrypt init function such as \fBEVP_EncryptInit_ex2()\fR. The default value of 1 causes an error when an encryption operation is triggered. -Setting this to 0 will ignore the error and set the approved "fips-indicator" to +Setting this to 0 will ignore the error and set the approved "fips\-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH CONTROLS .IX Header "CONTROLS" @@ -1213,7 +1212,7 @@ Used by \fBEVP_CIPHER_CTX_set_padding()\fR. See also "Gettable and Settable EVP_CIPHER_CTX parameters" "padding" .IP EVP_CIPH_FLAG_LENGTH_BITS 4 .IX Item "EVP_CIPH_FLAG_LENGTH_BITS" -See "Settable EVP_CIPHER_CTX parameters" "use-bits". +See "Settable EVP_CIPHER_CTX parameters" "use\-bits". .IP EVP_CIPHER_CTX_FLAG_WRAP_ALLOW 4 .IX Item "EVP_CIPHER_CTX_FLAG_WRAP_ALLOW" Used for Legacy purposes only. This flag needed to be set to indicate the 
@@ -1226,16 +1225,16 @@ have mappings to "Gettable EVP_CIPHER parameters": See "Gettable EVP_CIPHER parameters" "aead". .IP EVP_CIPH_CUSTOM_IV 4 .IX Item "EVP_CIPH_CUSTOM_IV" -See "Gettable EVP_CIPHER parameters" "custom-iv". +See "Gettable EVP_CIPHER parameters" "custom\-iv". .IP EVP_CIPH_FLAG_CTS 4 .IX Item "EVP_CIPH_FLAG_CTS" See "Gettable EVP_CIPHER parameters" "cts". .IP EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK; 4 .IX Item "EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK;" -See "Gettable EVP_CIPHER parameters" "tls-multi". +See "Gettable EVP_CIPHER parameters" "tls\-multi". .IP EVP_CIPH_RAND_KEY 4 .IX Item "EVP_CIPH_RAND_KEY" -See "Gettable EVP_CIPHER parameters" "has-randkey". +See "Gettable EVP_CIPHER parameters" "has\-randkey". .PP \&\fBEVP_CIPHER_flags()\fR uses the following flags for legacy purposes only: .IP EVP_CIPH_VARIABLE_LENGTH 4 @@ -1319,7 +1318,7 @@ length, zero if the cipher does not use an IV and a negative value on error. does not use a tag. .PP \&\fBEVP_CIPHER_get_type()\fR and \fBEVP_CIPHER_CTX_get_type()\fR return the NID of the -cipher's OBJECT IDENTIFIER or NID_undef if it has no defined +cipher\*(Aqs OBJECT IDENTIFIER or NID_undef if it has no defined OBJECT IDENTIFIER. .PP \&\fBEVP_CIPHER_CTX_cipher()\fR returns an \fBEVP_CIPHER\fR structure. @@ -1342,6 +1341,9 @@ for failure. .PP \&\fBEVP_CIPHER_names_do_all()\fR returns 1 if the callback was called for all names. A return value of 0 means that the callback was not called for any names. +.PP +\&\fBEVP_CIPHER_get_params()\fR, \fBEVP_CIPHER_CTX_get_params()\fR and +\&\fBEVP_CIPHER_CTX_set_params()\fR return 1 for success and 0 for failure. .SH "CIPHER LISTING" .IX Header "CIPHER LISTING" All algorithms have a fixed key length unless otherwise stated. 
@@ -1360,7 +1362,12 @@ depending on the mode specified. To specify additional authenticated data (AAD), a call to \fBEVP_CipherUpdate()\fR, \&\fBEVP_EncryptUpdate()\fR or \fBEVP_DecryptUpdate()\fR should be made with the output parameter \fIout\fR set to NULL. In this case, on success, the parameter -\&\fIoutl\fR is set to the number of bytes authenticated. +\&\fIoutl\fR is set to the number of AAD bytes processed in that call +(that is, the value of \fIinl\fR), and does not include any plaintext +or ciphertext bytes processed by other calls. +.PP +If no AAD is used, this call can be omitted. See the mode\-specific notes +below for any exceptions. .PP When decrypting, the return value of \fBEVP_DecryptFinal()\fR or \fBEVP_CipherFinal()\fR indicates whether the operation was successful. If it does not indicate success, @@ -1440,7 +1447,7 @@ nonce value. The nonce length is given by \fB15 \- L\fR so it is 7 by default fo AES. .SS "SIV Mode" .IX Subsection "SIV Mode" -Both the AES-SIV and AES-GCM-SIV ciphers fall under this mode. +Both the AES\-SIV and AES\-GCM\-SIV ciphers fall under this mode. .PP For SIV mode ciphers the behaviour of the EVP interface is subtly altered and several additional ctrl operations are supported. @@ -1484,7 +1491,7 @@ calls). For SIV mode the taglen must be 16. .PP SIV mode makes two passes over the input data, thus, only one call to \&\fBEVP_CipherUpdate()\fR, \fBEVP_EncryptUpdate()\fR or \fBEVP_DecryptUpdate()\fR should be made -with \fIout\fR set to a non-NULL value. A call to \fBEVP_DecryptFinal()\fR or +with \fIout\fR set to a non\-NULL value. A call to \fBEVP_DecryptFinal()\fR or \&\fBEVP_CipherFinal()\fR is not required, but will indicate if the update operation succeeded. .SS ChaCha20\-Poly1305 
@@ -1513,10 +1520,10 @@ This call is only valid when decrypting data. .SH NOTES .IX Header "NOTES" Where possible the \fBEVP\fR interface to symmetric ciphers should be used in -preference to the low-level interfaces. This is because the code then becomes +preference to the low\-level interfaces. This is because the code then becomes transparent to the cipher used and much more flexible. Additionally, the \&\fBEVP\fR interface will ensure the use of platform specific cryptographic -acceleration such as AES-NI (the low-level interfaces do not provide the +acceleration such as AES\-NI (the low\-level interfaces do not provide the guarantee). .PP PKCS padding works by adding \fBn\fR padding bytes of value \fBn\fR to make the total @@ -1547,7 +1554,7 @@ it up on each call. There are some differences between functions \fBEVP_CipherInit()\fR and \&\fBEVP_CipherInit_ex()\fR, significant in some circumstances. \fBEVP_CipherInit()\fR fills the passed context object with zeros. As a consequence, \fBEVP_CipherInit()\fR does -not allow step-by-step initialization of the ctx when the \fIkey\fR and \fIiv\fR are +not allow step\-by\-step initialization of the ctx when the \fIkey\fR and \fIiv\fR are passed in separate calls. It also means that the flags set for the CTX are removed, and it is especially important for the \&\fBEVP_CIPHER_CTX_FLAG_WRAP_ALLOW\fR flag treated specially in @@ -1695,7 +1702,7 @@ with a 128\-bit key: \& } .Ve .PP -Encryption using AES-CBC with a 256\-bit key with "CS1" ciphertext stealing. +Encryption using AES\-CBC with a 256\-bit key with "CS1" ciphertext stealing. .PP .Vb 10 \& int encrypt(const unsigned char *key, const unsigned char *iv, 
@@ -1792,12 +1799,12 @@ The \fBEVP_CIPHER_nid()\fR, \fBEVP_CIPHER_name()\fR, \fBEVP_CIPHER_block_size()\ \&\fBEVP_CIPHER_CTX_iv_length()\fR, \fBEVP_CIPHER_CTX_tag_length()\fR, \&\fBEVP_CIPHER_CTX_num()\fR, \fBEVP_CIPHER_CTX_type()\fR, and \fBEVP_CIPHER_CTX_mode()\fR functions were renamed to include \f(CW\*(C`get\*(C'\fR or \f(CW\*(C`get0\*(C'\fR in their names in -OpenSSL 3.0, respectively. The old names are kept as non-deprecated +OpenSSL 3.0, respectively. The old names are kept as non\-deprecated alias macros. .PP The \fBEVP_CIPHER_CTX_encrypting()\fR function was renamed to \&\fBEVP_CIPHER_CTX_is_encrypting()\fR in OpenSSL 3.0. The old name is kept as -non-deprecated alias macro. +non\-deprecated alias macro. .PP The \fBEVP_CIPHER_CTX_flags()\fR macro was deprecated in OpenSSL 1.1.0. .PP @@ -1810,7 +1817,7 @@ Prior to OpenSSL 3.5, passing a NULL \fIctx\fR to rather than a 0 return value indicating an error. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2000\-2025 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man3/EVP_KDF.3 b/secure/lib/libcrypto/man/man3/EVP_KDF.3 index bb8e293a0421..0d9a0572ec54 100644 --- a/secure/lib/libcrypto/man/man3/EVP_KDF.3 +++ b/secure/lib/libcrypto/man/man3/EVP_KDF.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF 3ossl" -.TH EVP_KDF 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -113,8 +116,8 @@ EVP_KDF_CTX_gettable_params, EVP_KDF_CTX_settable_params \- EVP KDF routines .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP KDF routines are a high-level interface to Key Derivation Function -algorithms and should be used instead of algorithm-specific functions. +The EVP KDF routines are a high\-level interface to Key Derivation Function +algorithms and should be used instead of algorithm\-specific functions. .PP After creating a \fBEVP_KDF_CTX\fR for the required algorithm using \&\fBEVP_KDF_CTX_new()\fR, inputs to the algorithm are supplied either by @@ -142,7 +145,7 @@ The returned value must eventually be freed with KDF. .PP \&\fBEVP_KDF_free()\fR frees a fetched algorithm. -NULL is a valid parameter, for which this function is a no-op. +NULL is a valid parameter, for which this function is a no\-op. .SS "Context manipulation functions" .IX Subsection "Context manipulation functions" \&\fBEVP_KDF_CTX_new()\fR creates a new context for the KDF implementation \fIkdf\fR. @@ -183,7 +186,7 @@ The set of parameters given with \fIparams\fR determine exactly what parameters are passed down. Note that a parameter that is unknown in the underlying context is simply ignored. -Also, what happens when a needed parameter isn't passed down is +Also, what happens when a needed parameter isn\*(Aqt passed down is defined by the implementation. .PP \&\fBEVP_KDF_gettable_params()\fR returns an \fBOSSL_PARAM\fR\|(3) array that describes 
@@ -195,14 +198,14 @@ return constant \fBOSSL_PARAM\fR\|(3) arrays that describe the retrievable parameters that can be used with \fBEVP_KDF_CTX_get_params()\fR. \&\fBEVP_KDF_gettable_ctx_params()\fR returns the parameters that can be retrieved from the algorithm, whereas \fBEVP_KDF_CTX_gettable_params()\fR returns -the parameters that can be retrieved in the context's current state. +the parameters that can be retrieved in the context\*(Aqs current state. .PP \&\fBEVP_KDF_settable_ctx_params()\fR and \fBEVP_KDF_CTX_settable_params()\fR return constant \fBOSSL_PARAM\fR\|(3) arrays that describe the settable parameters that can be used with \fBEVP_KDF_CTX_set_params()\fR. \fBEVP_KDF_settable_ctx_params()\fR returns the parameters that can be retrieved from the algorithm, whereas \fBEVP_KDF_CTX_settable_params()\fR returns the parameters that can -be retrieved in the context's current state. +be retrieved in the context\*(Aqs current state. .SS "Information functions" .IX Subsection "Information functions" \&\fBEVP_KDF_CTX_get_kdf_size()\fR returns the output size if the algorithm produces a fixed amount @@ -211,7 +214,7 @@ For some algorithms an error may result if input parameters necessary to calculate a fixed output size have not yet been supplied. .PP \&\fBEVP_KDF_is_a()\fR returns 1 if \fIkdf\fR is an implementation of an -algorithm that's identifiable with \fIname\fR, otherwise 0. +algorithm that\*(Aqs identifiable with \fIname\fR, otherwise 0. .PP \&\fBEVP_KDF_get0_provider()\fR returns the provider that holds the implementation of the given \fIkdf\fR. 
@@ -222,7 +225,7 @@ implementations, calls the given function \fIfn\fR with the implementation metho and the given \fIarg\fR as argument. .PP \&\fBEVP_KDF_get0_name()\fR return the name of the given KDF. For fetched KDFs -with multiple names, only one of them is returned; it's +with multiple names, only one of them is returned; it\*(Aqs recommended to use \fBEVP_KDF_names_do_all()\fR instead. .PP \&\fBEVP_KDF_names_do_all()\fR traverses all names for \fIkdf\fR, and calls @@ -240,7 +243,7 @@ Some KDF implementations require a password. For those KDF implementations that support it, this parameter sets the password. .IP """salt"" (\fBOSSL_KDF_PARAM_SALT\fR) <octet string>" 4 .IX Item """salt"" (OSSL_KDF_PARAM_SALT) <octet string>" -Some KDF implementations can take a non-secret unique cryptographic salt. +Some KDF implementations can take a non\-secret unique cryptographic salt. For those KDF implementations that support it, this parameter sets the salt. .Sp The default value, if any, is implementation dependent. @@ -276,9 +279,9 @@ For those KDF implementations that support it, this octet string parameter sets the key. .IP """info"" (\fBOSSL_KDF_PARAM_INFO\fR) <octet string>" 4 .IX Item """info"" (OSSL_KDF_PARAM_INFO) <octet string>" -Some KDF implementations, such as \fBEVP_KDF\-HKDF\fR\|(7), take an 'info' parameter +Some KDF implementations, such as \fBEVP_KDF\-HKDF\fR\|(7), take an \*(Aqinfo\*(Aq parameter for binding the derived key material -to application\- and context-specific information. +to application\- and context\-specific information. This parameter sets the info, fixed info, other info or shared info argument. You can specify this parameter multiple times, and each instance will be concatenated to form the final value. 
@@ -292,7 +295,7 @@ The default value, if any, is implementation dependent. The length must never exceed what can be given with a \fBsize_t\fR. .IP """maxmem_bytes"" (\fBOSSL_KDF_PARAM_SCRYPT_MAXMEM\fR) <unsigned integer>" 4 .IX Item """maxmem_bytes"" (OSSL_KDF_PARAM_SCRYPT_MAXMEM) <unsigned integer>" -Memory-hard password-based KDF algorithms, such as scrypt, use an amount of +Memory\-hard password\-based KDF algorithms, such as scrypt, use an amount of memory that depends on the load factors provided as input. For those KDF implementations that support it, this \fBuint64_t\fR parameter sets an upper limit on the amount of memory that may be consumed while performing @@ -328,7 +331,7 @@ return value of 0 means that the callback was not called for any names. The remaining functions return 1 for success and 0 for failure. .SH NOTES .IX Header "NOTES" -The KDF life-cycle is described in \fBlife_cycle\-kdf\fR\|(7). In the future, +The KDF life\-cycle is described in \fBlife_cycle\-kdf\fR\|(7). In the future, the transitions described there will be enforced. When this is done, it will not be considered a breaking change to the API. .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/EVP_KEM_free.3 b/secure/lib/libcrypto/man/man3/EVP_KEM_free.3 index 94f2feeb02e8..c6358a4099a8 100644 --- a/secure/lib/libcrypto/man/man3/EVP_KEM_free.3 +++ b/secure/lib/libcrypto/man/man3/EVP_KEM_free.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KEM_FREE 3ossl" -.TH EVP_KEM_FREE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KEM_FREE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -105,7 +108,7 @@ If the argument is NULL, nothing is done. \&\fBEVP_KEM_up_ref()\fR increments the reference count for an \fBEVP_KEM\fR structure. .PP \&\fBEVP_KEM_is_a()\fR returns 1 if \fIkem\fR is an implementation of an -algorithm that's identifiable with \fIname\fR, otherwise 0. +algorithm that\*(Aqs identifiable with \fIname\fR, otherwise 0. .PP \&\fBEVP_KEM_get0_provider()\fR returns the provider that \fIkem\fR was fetched from. .PP diff --git a/secure/lib/libcrypto/man/man3/EVP_KEYEXCH_free.3 b/secure/lib/libcrypto/man/man3/EVP_KEYEXCH_free.3 index 50cb7406be41..f2a253fa4de5 100644 --- a/secure/lib/libcrypto/man/man3/EVP_KEYEXCH_free.3 +++ b/secure/lib/libcrypto/man/man3/EVP_KEYEXCH_free.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KEYEXCH_FREE 3ossl" -.TH EVP_KEYEXCH_FREE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KEYEXCH_FREE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -109,7 +112,7 @@ structure. fetched from. .PP \&\fBEVP_KEYEXCH_is_a()\fR checks if \fIexchange\fR is an implementation of an -algorithm that's identifiable with \fIname\fR. +algorithm that\*(Aqs identifiable with \fIname\fR. .PP \&\fBEVP_KEYEXCH_get0_name()\fR returns the algorithm name from the provided implementation for the given \fIexchange\fR. Note that the \fIexchange\fR may have diff --git a/secure/lib/libcrypto/man/man3/EVP_KEYMGMT.3 b/secure/lib/libcrypto/man/man3/EVP_KEYMGMT.3 index fd2695a7018c..901dc77b15f2 100644 --- a/secure/lib/libcrypto/man/man3/EVP_KEYMGMT.3 +++ b/secure/lib/libcrypto/man/man3/EVP_KEYMGMT.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KEYMGMT 3ossl" -.TH EVP_KEYMGMT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KEYMGMT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -129,7 +132,7 @@ If the argument is NULL, nothing is done. implementation. .PP \&\fBEVP_KEYMGMT_is_a()\fR checks if \fIkeymgmt\fR is an implementation of an -algorithm that's identifiable with \fIname\fR. +algorithm that\*(Aqs identifiable with \fIname\fR. .PP \&\fBEVP_KEYMGMT_get0_name()\fR returns the algorithm name from the provided implementation for the given \fIkeymgmt\fR. Note that the \fIkeymgmt\fR may have 
@@ -174,7 +177,7 @@ error. \&\fBEVP_KEYMGMT_names_do_all()\fR returns 1 if the callback was called for all names. A return value of 0 means that the callback was not called for any names. .PP -\&\fBEVP_KEYMGMT_free()\fR doesn't return any value. +\&\fBEVP_KEYMGMT_free()\fR doesn\*(Aqt return any value. .PP \&\fBEVP_KEYMGMT_get0_provider()\fR returns a pointer to a provider object, or NULL on error. @@ -185,7 +188,7 @@ otherwise 0. \&\fBEVP_KEYMGMT_get0_name()\fR returns the algorithm name, or NULL on error. .PP \&\fBEVP_KEYMGMT_get0_description()\fR returns a pointer to a description, or NULL if -there isn't one. +there isn\*(Aqt one. .PP \&\fBEVP_KEYMGMT_gettable_params()\fR, \fBEVP_KEYMGMT_settable_params()\fR, \&\fBEVP_KEYMGMT_gen_gettable_params()\fR and \fBEVP_KEYMGMT_gen_settable_params()\fR diff --git a/secure/lib/libcrypto/man/man3/EVP_MAC.3 b/secure/lib/libcrypto/man/man3/EVP_MAC.3 index 08b99f1be6f9..c6113995389a 100644 --- a/secure/lib/libcrypto/man/man3/EVP_MAC.3 +++ b/secure/lib/libcrypto/man/man3/EVP_MAC.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MAC 3ossl" -.TH EVP_MAC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MAC 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -163,7 +166,7 @@ The returned value must eventually be freed with MAC. .PP \&\fBEVP_MAC_free()\fR frees a fetched algorithm. -NULL is a valid parameter, for which this function is a no-op. +NULL is a valid parameter, for which this function is a no\-op. .SS "Context manipulation functions" .IX Subsection "Context manipulation functions" \&\fBEVP_MAC_CTX_new()\fR creates a new context for the MAC type \fImac\fR. @@ -172,7 +175,7 @@ described here. .PP \&\fBEVP_MAC_CTX_free()\fR frees the contents of the context, including an underlying context if there is one, as well as the context itself. -NULL is a valid parameter, for which this function is a no-op. +NULL is a valid parameter, for which this function is a no\-op. .PP \&\fBEVP_MAC_CTX_dup()\fR duplicates the \fIsrc\fR context and returns a newly allocated context. @@ -199,10 +202,10 @@ via the \fIkey\fR and \fIparams\fR arguments. The MAC \fIkey\fR has a length of \&\fIkeylen\fR and the parameters in \fIparams\fR are processed before setting the key. If \fIkey\fR is NULL, the key must be set via \fIparams\fR either as part of this call or separately using \fBEVP_MAC_CTX_set_params()\fR. -Providing non-NULL \fIparams\fR to this function is equivalent to calling +Providing non\-NULL \fIparams\fR to this function is equivalent to calling \&\fBEVP_MAC_CTX_set_params()\fR with those \fIparams\fR for the same \fIctx\fR beforehand. Note: There are additional requirements for some MAC algorithms during -re-initalization (i.e. calling \fBEVP_MAC_init()\fR on an EVP_MAC after \fBEVP_MAC_final()\fR +re\-initalization (i.e. calling \fBEVP_MAC_init()\fR on an EVP_MAC after \fBEVP_MAC_final()\fR has been called on the same object). See the NOTES section below. .PP \&\fBEVP_MAC_init()\fR should be called before \fBEVP_MAC_update()\fR and \fBEVP_MAC_final()\fR. 
@@ -246,7 +249,7 @@ parameters are passed down. If \fIparams\fR are NULL, the underlying context should do nothing and return 1. Note that a parameter that is unknown in the underlying context is simply ignored. -Also, what happens when a needed parameter isn't passed down is +Also, what happens when a needed parameter isn\*(Aqt passed down is defined by the implementation. .PP \&\fBEVP_MAC_gettable_params()\fR returns an \fBOSSL_PARAM\fR\|(3) array that describes @@ -258,14 +261,14 @@ return constant \fBOSSL_PARAM\fR\|(3) arrays that describe the retrievable parameters that can be used with \fBEVP_MAC_CTX_get_params()\fR. \&\fBEVP_MAC_gettable_ctx_params()\fR returns the parameters that can be retrieved from the algorithm, whereas \fBEVP_MAC_CTX_gettable_params()\fR returns -the parameters that can be retrieved in the context's current state. +the parameters that can be retrieved in the context\*(Aqs current state. .PP \&\fBEVP_MAC_settable_ctx_params()\fR and \fBEVP_MAC_CTX_settable_params()\fR return constant \fBOSSL_PARAM\fR\|(3) arrays that describe the settable parameters that can be used with \fBEVP_MAC_CTX_set_params()\fR. \fBEVP_MAC_settable_ctx_params()\fR returns the parameters that can be retrieved from the algorithm, whereas \fBEVP_MAC_CTX_settable_params()\fR returns the parameters that can -be retrieved in the context's current state. +be retrieved in the context\*(Aqs current state. .SS "Information functions" .IX Subsection "Information functions" \&\fBEVP_MAC_CTX_get_mac_size()\fR returns the MAC output size for the given context. @@ -274,7 +277,7 @@ be retrieved in the context's current state. Not all MAC algorithms support this. .PP \&\fBEVP_MAC_is_a()\fR checks if the given \fImac\fR is an implementation of an -algorithm that's identifiable with \fIname\fR. +algorithm that\*(Aqs identifiable with \fIname\fR. .PP \&\fBEVP_MAC_get0_provider()\fR returns the provider that holds the implementation of the given \fImac\fR. 
@@ -285,7 +288,7 @@ implementations, calls the given function \fIfn\fR with the implementation metho and the given \fIarg\fR as argument. .PP \&\fBEVP_MAC_get0_name()\fR return the name of the given MAC. For fetched MACs -with multiple names, only one of them is returned; it's +with multiple names, only one of them is returned; it\*(Aqs recommended to use \fBEVP_MAC_names_do_all()\fR instead. .PP \&\fBEVP_MAC_names_do_all()\fR traverses all names for \fImac\fR, and calls @@ -323,17 +326,17 @@ empty string. This option is used by BLAKE2 MAC. .IP """xof"" (\fBOSSL_MAC_PARAM_XOF\fR) <integer>" 4 .IX Item """xof"" (OSSL_MAC_PARAM_XOF) <integer>" -It's a simple flag, the value 0 or 1 are expected. +It\*(Aqs a simple flag, the value 0 or 1 are expected. .Sp This option is used by KMAC. -.IP """digest-noinit"" (\fBOSSL_MAC_PARAM_DIGEST_NOINIT\fR) <integer>" 4 +.IP """digest\-noinit"" (\fBOSSL_MAC_PARAM_DIGEST_NOINIT\fR) <integer>" 4 .IX Item """digest-noinit"" (OSSL_MAC_PARAM_DIGEST_NOINIT) <integer>" A simple flag to set the MAC digest to not initialise the implementation specific data. The value 0 or 1 is expected. .Sp This option is deprecated and will be removed in a future release. The option may be set, but is ignored. -.IP """digest-oneshot"" (\fBOSSL_MAC_PARAM_DIGEST_ONESHOT\fR) <integer>" 4 +.IP """digest\-oneshot"" (\fBOSSL_MAC_PARAM_DIGEST_ONESHOT\fR) <integer>" 4 .IX Item """digest-oneshot"" (OSSL_MAC_PARAM_DIGEST_ONESHOT) <integer>" A simple flag to set the MAC digest to be a oneshot operation. The value 0 or 1 is expected. 
@@ -363,10 +366,10 @@ For MAC implementations that support it, set the output size that \&\fBEVP_MAC_final()\fR should produce. The allowed sizes vary between MAC implementations, but must never exceed what can be given with a \fBsize_t\fR. -.IP """tls-data-size"" (\fBOSSL_MAC_PARAM_TLS_DATA_SIZE\fR) <unsigned integer>" 4 +.IP """tls\-data\-size"" (\fBOSSL_MAC_PARAM_TLS_DATA_SIZE\fR) <unsigned integer>" 4 .IX Item """tls-data-size"" (OSSL_MAC_PARAM_TLS_DATA_SIZE) <unsigned integer>" This parameter is only supported by HMAC. If set then special handling is -activated for calculating the MAC of a received mac-then-encrypt TLS record +activated for calculating the MAC of a received mac\-then\-encrypt TLS record where variable length record padding has been used (as in the case of CBC mode ciphersuites). The value represents the total length of the record that is having the MAC calculated including the received MAC and the record padding. @@ -374,7 +377,7 @@ having the MAC calculated including the received MAC and the record padding. When used EVP_MAC_update must be called precisely twice. The first time with the 13 bytes of TLS "header" data, and the second time with the entire record including the MAC itself and any padding. The entire record length must equal -the value passed in the "tls-data-size" parameter. The length passed in the +the value passed in the "tls\-data\-size" parameter. The length passed in the \&\fBdatalen\fR parameter to \fBEVP_MAC_update()\fR should be equal to the length of the record after the MAC and any padding has been removed. .PP @@ -384,7 +387,7 @@ computation. Anything else may give undefined results. .SH NOTES .IX Header "NOTES" -The MAC life-cycle is described in \fBlife_cycle\-mac\fR\|(7). In the future, +The MAC life\-cycle is described in \fBlife_cycle\-mac\fR\|(7). In the future, the transitions described there will be enforced. When this is done, it will not be considered a breaking change to the API. .PP 
@@ -392,7 +395,7 @@ The usage of the parameter names "custom", "iv" and "salt" correspond to the names used in the standard where the algorithm was defined. .PP Some MAC algorithms store internal state that cannot be extracted during -re-initalization. For example GMAC cannot extract an \fBIV\fR from the +re\-initalization. For example GMAC cannot extract an \fBIV\fR from the underlying CIPHER context, and so calling \fBEVP_MAC_init()\fR on an EVP_MAC object after \fBEVP_MAC_final()\fR has been called cannot reset its cipher state to what it was when the \fBIV\fR was initially generated. For such instances, an @@ -430,11 +433,11 @@ success, 0 on error. \&\fBEVP_MAC_init()\fR, \fBEVP_MAC_init_SKEY()\fR, \fBEVP_MAC_update()\fR, \fBEVP_MAC_final()\fR, and \&\fBEVP_MAC_finalXOF()\fR return 1 on success, 0 on error. .PP -\&\fBEVP_MAC_CTX_get_mac_size()\fR returns the expected output size, or 0 if it isn't -set. If it isn't set, a call to \fBEVP_MAC_init()\fR will set it. +\&\fBEVP_MAC_CTX_get_mac_size()\fR returns the expected output size, or 0 if it isn\*(Aqt +set. If it isn\*(Aqt set, a call to \fBEVP_MAC_init()\fR will set it. .PP -\&\fBEVP_MAC_CTX_get_block_size()\fR returns the block size, or 0 if it isn't set. -If it isn't set, a call to \fBEVP_MAC_init()\fR will set it. +\&\fBEVP_MAC_CTX_get_block_size()\fR returns the block size, or 0 if it isn\*(Aqt set. +If it isn\*(Aqt set, a call to \fBEVP_MAC_init()\fR will set it. .PP \&\fBEVP_MAC_do_all_provided()\fR returns nothing at all. .SH EXAMPLES diff --git a/secure/lib/libcrypto/man/man3/EVP_MD_meth_new.3 b/secure/lib/libcrypto/man/man3/EVP_MD_meth_new.3 index 6dc600cc64f9..b5a01e856165 100644 --- a/secure/lib/libcrypto/man/man3/EVP_MD_meth_new.3 +++ b/secure/lib/libcrypto/man/man3/EVP_MD_meth_new.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD_METH_NEW 3ossl" -.TH EVP_MD_METH_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD_METH_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -148,14 +151,14 @@ allocate for it. \fBEVP_MD_meth_set_app_datasize()\fR should be used to set the size for it to \fBdatasize\fR. .PP \&\fBEVP_MD_meth_set_flags()\fR sets the flags to describe optional -behaviours in the particular \fBmd\fR. Several flags can be or'd +behaviours in the particular \fBmd\fR. Several flags can be or\*(Aqd together. The available flags are: .IP EVP_MD_FLAG_ONESHOT 4 .IX Item "EVP_MD_FLAG_ONESHOT" This digest method can only handle one block of input. .IP EVP_MD_FLAG_XOF 4 .IX Item "EVP_MD_FLAG_XOF" -This digest method is an extensible-output function (XOF) and supports +This digest method is an extensible\-output function (XOF) and supports the \fBEVP_MD_CTRL_XOF_LEN\fR control. .IP EVP_MD_FLAG_DIGALGID_NULL 4 .IX Item "EVP_MD_FLAG_DIGALGID_NULL" 
@@ -192,8 +195,8 @@ The digest final function is called by \fBEVP_Digest()\fR, \fBEVP_DigestFinal()\ \&\fBEVP_DigestFinal_ex()\fR, \fBEVP_SignFinal()\fR and \fBEVP_VerifyFinal()\fR. .PP \&\fBEVP_MD_meth_set_copy()\fR sets the function for \fBmd\fR to do extra -computations after the method's private data structure has been copied -from one \fBEVP_MD_CTX\fR to another. If all that's needed is to copy +computations after the method\*(Aqs private data structure has been copied +from one \fBEVP_MD_CTX\fR to another. If all that\*(Aqs needed is to copy the data, there is no need for this copy function. Note that the copy function is passed two \fBEVP_MD_CTX *\fR, the private data structure is then available with \fBEVP_MD_CTX_get0_md_data()\fR. @@ -201,7 +204,7 @@ This copy function is called by \fBEVP_MD_CTX_copy()\fR and \&\fBEVP_MD_CTX_copy_ex()\fR. .PP \&\fBEVP_MD_meth_set_cleanup()\fR sets the function for \fBmd\fR to do extra -cleanup before the method's private data structure is cleaned out and +cleanup before the method\*(Aqs private data structure is cleaned out and freed. Note that the cleanup function is passed a \fBEVP_MD_CTX *\fR, the private data structure is then available with \fBEVP_MD_CTX_get0_md_data()\fR. diff --git a/secure/lib/libcrypto/man/man3/EVP_OpenInit.3 b/secure/lib/libcrypto/man/man3/EVP_OpenInit.3 index 96c17f2627f6..c97fb12e94bf 100644 --- a/secure/lib/libcrypto/man/man3/EVP_OpenInit.3 +++ b/secure/lib/libcrypto/man/man3/EVP_OpenInit.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_OPENINIT 3ossl" -.TH EVP_OPENINIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_OPENINIT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -75,7 +78,7 @@ EVP_OpenInit, EVP_OpenUpdate, EVP_OpenFinal \- EVP envelope decryption .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP envelope routines are a high-level interface to envelope +The EVP envelope routines are a high\-level interface to envelope decryption. They decrypt a public key encrypted symmetric key and then decrypt data using it. .PP diff --git a/secure/lib/libcrypto/man/man3/EVP_PBE_CipherInit.3 b/secure/lib/libcrypto/man/man3/EVP_PBE_CipherInit.3 index 836a618439b9..0bc78a73e6e7 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PBE_CipherInit.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PBE_CipherInit.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PBE_CIPHERINIT 3ossl" -.TH EVP_PBE_CIPHERINIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PBE_CIPHERINIT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -105,14 +108,14 @@ implementations. .IP \(bu 4 EVP_PBE_TYPE_OUTER \- A PBE algorithm .IP \(bu 4 -EVP_PBE_TYPE_PRF \- A pseudo-random function +EVP_PBE_TYPE_PRF \- A pseudo\-random function .IP \(bu 4 EVP_PBE_TYPE_KDF \- A key derivation function .PP 2. A \fIpbe_nid\fR which can represent the algorithm identifier with parameters e.g. \&\fBNID_pbeWithSHA1AndRC2_CBC\fR or an algorithm class e.g. \fBNID_pbes2\fR. .PP -They return the algorithm's cipher ID \fIpcnid\fR, digest ID \fIpmnid\fR and a key +They return the algorithm\*(Aqs cipher ID \fIpcnid\fR, digest ID \fIpmnid\fR and a key generation function for the algorithm \fIpkeygen\fR. \fBEVP_PBE_CipherInit_ex()\fR also returns an extended key generation function \fIkeygen_ex\fR which takes a library context and property query. diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY2PKCS8.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY2PKCS8.3 index bb69458a7af5..e3b466c4a946 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY2PKCS8.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY2PKCS8.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY2PKCS8 3ossl" -.TH EVP_PKEY2PKCS8 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY2PKCS8 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_ASN1_METHOD.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_ASN1_METHOD.3 index 6786a4f44a07..9ec51b4bf36f 100644 
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_ASN1_METHOD.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_ASN1_METHOD.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_ASN1_METHOD 3ossl" -.TH EVP_PKEY_ASN1_METHOD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_ASN1_METHOD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -205,9 +208,9 @@ conversion, printing and information methods for a specific public key algorithm. .PP There are two places where the \fBEVP_PKEY_ASN1_METHOD\fR objects are -stored: one is a built-in array representing the standard methods for -different algorithms, and the other one is a stack of user-defined -application-specific methods, which can be manipulated by using +stored: one is a built\-in array representing the standard methods for +different algorithms, and the other one is a stack of user\-defined +application\-specific methods, which can be manipulated by using \&\fBEVP_PKEY_asn1_add0\fR\|(3). .SS Methods .IX Subsection "Methods" 
@@ -225,17 +228,17 @@ key algorithm present by the \fBEVP_PKEY\fR object. The \fBpub_decode()\fR and \fBpub_encode()\fR methods are called to decode / encode \fBX509_PUBKEY\fR ASN.1 parameters to / from \fBpk\fR. They MUST return 0 on error, 1 on success. -They're called by \fBX509_PUBKEY_get0\fR\|(3) and \fBX509_PUBKEY_set\fR\|(3). +They\*(Aqre called by \fBX509_PUBKEY_get0\fR\|(3) and \fBX509_PUBKEY_set\fR\|(3). .PP The \fBpub_cmp()\fR method is called when two public keys are to be compared. It MUST return 1 when the keys are equal, 0 otherwise. -It's called by \fBEVP_PKEY_eq\fR\|(3). +It\*(Aqs called by \fBEVP_PKEY_eq\fR\|(3). .PP The \fBpub_print()\fR method is called to print a public key in humanly readable text to \fBout\fR, indented \fBindent\fR spaces. It MUST return 0 on error, 1 on success. -It's called by \fBEVP_PKEY_print_public\fR\|(3). +It\*(Aqs called by \fBEVP_PKEY_print_public\fR\|(3). .PP .Vb 4 \& int (*priv_decode) (EVP_PKEY *pk, const PKCS8_PRIV_KEY_INFO *p8inf); @@ -247,12 +250,12 @@ It's called by \fBEVP_PKEY_print_public\fR\|(3). The \fBpriv_decode()\fR and \fBpriv_encode()\fR methods are called to decode / encode \fBPKCS8_PRIV_KEY_INFO\fR form private key to / from \fBpk\fR. They MUST return 0 on error, 1 on success. -They're called by \fBEVP_PKCS82PKEY\fR\|(3) and \fBEVP_PKEY2PKCS8\fR\|(3). +They\*(Aqre called by \fBEVP_PKCS82PKEY\fR\|(3) and \fBEVP_PKEY2PKCS8\fR\|(3). .PP The \fBpriv_print()\fR method is called to print a private key in humanly readable text to \fBout\fR, indented \fBindent\fR spaces. It MUST return 0 on error, 1 on success. -It's called by \fBEVP_PKEY_print_private\fR\|(3). +It\*(Aqs called by \fBEVP_PKEY_print_private\fR\|(3). .PP .Vb 3 \& int (*pkey_size) (const EVP_PKEY *pk); 
@@ -261,10 +264,10 @@ It's called by \fBEVP_PKEY_print_private\fR\|(3). .Ve .PP The \fBpkey_size()\fR method returns the key size in bytes. -It's called by \fBEVP_PKEY_get_size\fR\|(3). +It\*(Aqs called by \fBEVP_PKEY_get_size\fR\|(3). .PP The \fBpkey_bits()\fR method returns the key size in bits. -It's called by \fBEVP_PKEY_get_bits\fR\|(3). +It\*(Aqs called by \fBEVP_PKEY_get_bits\fR\|(3). .PP .Vb 8 \& int (*param_decode) (EVP_PKEY *pkey, @@ -280,26 +283,26 @@ It's called by \fBEVP_PKEY_get_bits\fR\|(3). The \fBparam_decode()\fR and \fBparam_encode()\fR methods are called to decode / encode DER formatted parameters to / from \fBpk\fR. They MUST return 0 on error, 1 on success. -They're called by \fBPEM_read_bio_Parameters\fR\|(3) and the \fBfile:\fR +They\*(Aqre called by \fBPEM_read_bio_Parameters\fR\|(3) and the \fBfile:\fR \&\fBOSSL_STORE_LOADER\fR\|(3). .PP The \fBparam_missing()\fR method returns 0 if a key parameter is missing, otherwise 1. -It's called by \fBEVP_PKEY_missing_parameters\fR\|(3). +It\*(Aqs called by \fBEVP_PKEY_missing_parameters\fR\|(3). .PP The \fBparam_copy()\fR method copies key parameters from \fBfrom\fR to \fBto\fR. It MUST return 0 on error, 1 on success. -It's called by \fBEVP_PKEY_copy_parameters\fR\|(3). +It\*(Aqs called by \fBEVP_PKEY_copy_parameters\fR\|(3). .PP The \fBparam_cmp()\fR method compares the parameters of keys \fBa\fR and \fBb\fR. It MUST return 1 when the keys are equal, 0 when not equal, or a negative number on error. -It's called by \fBEVP_PKEY_parameters_eq\fR\|(3). +It\*(Aqs called by \fBEVP_PKEY_parameters_eq\fR\|(3). .PP The \fBparam_print()\fR method prints the private key parameters in humanly readable text to \fBout\fR, indented \fBindent\fR spaces. It MUST return 0 on error, 1 on success. -It's called by \fBEVP_PKEY_print_params\fR\|(3). +It\*(Aqs called by \fBEVP_PKEY_print_params\fR\|(3). .PP .Vb 3 \& int (*sig_print) (BIO *out, 
@@ -310,17 +313,17 @@ It's called by \fBEVP_PKEY_print_params\fR\|(3). The \fBsig_print()\fR method prints a signature in humanly readable text to \&\fBout\fR, indented \fBindent\fR spaces. \&\fBsigalg\fR contains the exact signature algorithm. -If the signature in \fBsig\fR doesn't correspond to what this method +If the signature in \fBsig\fR doesn\*(Aqt correspond to what this method expects, \fBX509_signature_dump()\fR must be used as a last resort. It MUST return 0 on error, 1 on success. -It's called by \fBX509_signature_print\fR\|(3). +It\*(Aqs called by \fBX509_signature_print\fR\|(3). .PP .Vb 1 \& void (*pkey_free) (EVP_PKEY *pkey); .Ve .PP The \fBpkey_free()\fR method helps freeing the internals of \fBpkey\fR. -It's called by \fBEVP_PKEY_free\fR\|(3), \fBEVP_PKEY_set_type\fR\|(3), +It\*(Aqs called by \fBEVP_PKEY_free\fR\|(3), \fBEVP_PKEY_set_type\fR\|(3), \&\fBEVP_PKEY_set_type_str\fR\|(3), and \fBEVP_PKEY_assign\fR\|(3). .PP .Vb 1 @@ -328,7 +331,7 @@ It's called by \fBEVP_PKEY_free\fR\|(3), \fBEVP_PKEY_set_type\fR\|(3), .Ve .PP The \fBpkey_ctrl()\fR method adds extra algorithm specific control. -It's called by \fBEVP_PKEY_get_default_digest_nid\fR\|(3), +It\*(Aqs called by \fBEVP_PKEY_get_default_digest_nid\fR\|(3), \&\fBEVP_PKEY_set1_encoded_public_key\fR\|(3), \&\fBEVP_PKEY_get1_encoded_public_key\fR\|(3), \fBPKCS7_SIGNER_INFO_set\fR\|(3), \&\fBPKCS7_RECIP_INFO_set\fR\|(3), ... @@ -346,7 +349,7 @@ PKCS#8) PEM formatted encrypted private keys. \&\fBold_priv_decode()\fR MUST return 0 on error, 1 on success. \&\fBold_priv_encode()\fR MUST the return same kind of values as \&\fBi2d_PrivateKey()\fR. -They're called by \fBd2i_PrivateKey\fR\|(3) and \fBi2d_PrivateKey\fR\|(3). +They\*(Aqre called by \fBd2i_PrivateKey\fR\|(3) and \fBi2d_PrivateKey\fR\|(3). .PP .Vb 5 \& int (*item_verify) (EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, 
@@ -401,7 +404,7 @@ expected to continue with the default signature production. The \fBsiginf_set()\fR method is used to set custom \fBX509_SIG_INFO\fR parameters. It MUST return 0 on error, or 1 on success. -It's called as part of \fBX509_check_purpose\fR\|(3), \fBX509_check_ca\fR\|(3) +It\*(Aqs called as part of \fBX509_check_purpose\fR\|(3), \fBX509_check_ca\fR\|(3) and \fBX509_check_issued\fR\|(3). .PP .Vb 3 @@ -411,7 +414,7 @@ and \fBX509_check_issued\fR\|(3). .Ve .PP The \fBpkey_check()\fR, \fBpkey_public_check()\fR and \fBpkey_param_check()\fR methods are used -to check the validity of \fBpk\fR for key-pair, public component and parameters, +to check the validity of \fBpk\fR for key\-pair, public component and parameters, respectively. They MUST return 0 for an invalid key, or 1 for a valid key. They are called by \fBEVP_PKEY_check\fR\|(3), \fBEVP_PKEY_public_check\fR\|(3) and @@ -432,7 +435,7 @@ They are called by \fBEVP_PKEY_new_raw_private_key\fR\|(3), and \& void *(*export_to) (const EVP_PKEY *pk, EVP_KEYMGMT *keymgmt); .Ve .PP -\&\fBdirty_cnt()\fR returns the internal key's dirty count. +\&\fBdirty_cnt()\fR returns the internal key\*(Aqs dirty count. This can be used to synchronise different copies of the same keys. .PP The \fBexport_to()\fR method exports the key material from the given key to @@ -459,7 +462,7 @@ See \fBX509_ALGOR_set0\fR\|(3) for more information. .PP \&\fBEVP_PKEY_asn1_copy()\fR copies an \fBEVP_PKEY_ASN1_METHOD\fR object from \&\fBsrc\fR to \fBdst\fR. -This function is not thread safe, it's recommended to only use this +This function is not thread safe, it\*(Aqs recommended to only use this when initializing the application. .PP \&\fBEVP_PKEY_asn1_free()\fR frees an existing \fBEVP_PKEY_ASN1_METHOD\fR pointed 
@@ -468,13 +471,13 @@ by \fBameth\fR. If the argument is NULL, nothing is done. \&\fBEVP_PKEY_asn1_add0()\fR adds \fBameth\fR to the user defined stack of methods unless another \fBEVP_PKEY_ASN1_METHOD\fR with the same NID is already there. -This function is not thread safe, it's recommended to only use this +This function is not thread safe, it\*(Aqs recommended to only use this when initializing the application. .PP \&\fBEVP_PKEY_asn1_add_alias()\fR creates an alias with the NID \fBto\fR for the \&\fBEVP_PKEY_ASN1_METHOD\fR with NID \fBfrom\fR unless another \&\fBEVP_PKEY_ASN1_METHOD\fR with the same NID is already added. -This function is not thread safe, it's recommended to only use this +This function is not thread safe, it\*(Aqs recommended to only use this when initializing the application. .PP \&\fBEVP_PKEY_asn1_set_public()\fR, \fBEVP_PKEY_asn1_set_private()\fR, diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_ctrl.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_ctrl.3 index ee376a4116ec..3d3eb8e580a5 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_ctrl.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_ctrl.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CTX_CTRL 3ossl" -.TH EVP_PKEY_CTX_CTRL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CTX_CTRL 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -301,7 +304,7 @@ the \fBEVP_PKEY_new_raw_private_key\fR\|(3) function. key generation. For example for EC keys this will set the curve name and for DH keys it will set the name of the finite field group. .PP -\&\fBEVP_PKEY_CTX_get_group_name()\fR finds the group name that's currently +\&\fBEVP_PKEY_CTX_get_group_name()\fR finds the group name that\*(Aqs currently set with \fIctx\fR, and writes it to the location that \fIname\fR points at, as long as its size \fInamelen\fR is large enough to store that name, including a terminating NUL byte. @@ -388,7 +391,7 @@ The padding mode must have been set to \fBRSA_PKCS1_OAEP_PADDING\fR or .PP \&\fBEVP_PKEY_CTX_get_rsa_mgf1_md()\fR does the same as \&\fBEVP_PKEY_CTX_get_rsa_mgf1_md_name()\fR except that it returns a pointer to an -EVP_MD object instead. Note that only known, built-in EVP_MD objects will be +EVP_MD object instead. Note that only known, built\-in EVP_MD objects will be returned. The EVP_MD object may be NULL if the digest is not one of these (such as a digest only implemented in a third party provider). .PP @@ -411,7 +414,7 @@ expected digest algorithm names or the function will fail. .PP \&\fBEVP_PKEY_CTX_get_rsa_oaep_md()\fR does the same as \&\fBEVP_PKEY_CTX_get_rsa_oaep_md_name()\fR except that it returns a pointer to an -EVP_MD object instead. Note that only known, built-in EVP_MD objects will be +EVP_MD object instead. Note that only known, built\-in EVP_MD objects will be returned. The EVP_MD object may be NULL if the digest is not one of these (such as a digest only implemented in a third party provider). .PP 
@@ -427,7 +430,7 @@ must have been set to \fBRSA_PKCS1_OAEP_PADDING\fR. The resulting pointer is own by the library and should not be freed by the caller. .PP \&\fBRSA_PKCS1_WITH_TLS_PADDING\fR is used when decrypting an RSA encrypted TLS -pre-master secret in a TLS ClientKeyExchange message. It is the same as +pre\-master secret in a TLS ClientKeyExchange message. It is the same as RSA_PKCS1_PADDING except that it additionally verifies that the result is the correct length and the first two bytes are the protocol version initially requested by the client. If the encrypted content is publicly invalid then the @@ -449,7 +452,7 @@ Similarly to the \fBRSA_PKCS1_WITH_TLS_PADDING\fR above, since OpenSSL version 3.2.0, the use of \fBRSA_PKCS1_PADDING\fR will return a randomly generated message instead of padding errors in case padding checks fail. Applications that want to remain secure while using earlier versions of OpenSSL, or a provider -that doesn't implement the implicit rejection mechanism, still need to +that doesn\*(Aqt implement the implicit rejection mechanism, still need to handle both the error code from the RSA decryption operation and the returned message in a side channel secure manner. This protection against Bleichenbacher attacks can be disabled by setting @@ -473,7 +476,7 @@ parameter generation using \fImd_name\fR and \fImd_properties\fR to retrieve the digest from a provider. If not specified, \fImd_name\fR will be set to one of SHA\-1, SHA\-224, or SHA\-256 depending on the bit length of \fIq\fR above. \fImd_properties\fR is a -property query string that has a default value of '' if not specified. +property query string that has a default value of \*(Aq\*(Aq if not specified. .PP \&\fBEVP_PKEY_CTX_set_dsa_paramgen_gindex()\fR sets the \fIgindex\fR used by the generator G. The default value is \-1 which uses unverifiable g, otherwise a positive value 
@@ -622,7 +625,7 @@ These function can also be called to set the curve explicitly when generating an EC key. .PP \&\fBEVP_PKEY_CTX_get_group_name()\fR (described above) can be used to obtain the curve -name that's currently set with \fIctx\fR. +name that\*(Aqs currently set with \fIctx\fR. .PP \&\fBEVP_PKEY_CTX_set_ec_param_enc()\fR sets the EC parameter encoding to \fIparam_enc\fR when generating EC parameters or an EC key. The encoding can be @@ -689,11 +692,11 @@ allocate adequate memory space for the \fIid\fR before calling \fBEVP_PKEY_CTX_g .PP \&\fBEVP_PKEY_CTX_set_kem_op()\fR sets the KEM operation to run. This can be set after \&\fBEVP_PKEY_encapsulate_init()\fR or \fBEVP_PKEY_decapsulate_init()\fR to select the kem -operation. For the key types that support encapsulation and don't have the +operation. For the key types that support encapsulation and don\*(Aqt have the default operation, e.g. RSA, this function must be called before \&\fBEVP_PKEY_encapsulate()\fR or \fBEVP_PKEY_decapsulate()\fR. .PP -The supported parameters for the built-in algorithms are documented in +The supported parameters for the built\-in algorithms are documented in \&\fBEVP_KEM\-RSA\fR\|(7), \fBEVP_KEM\-EC\fR\|(7), \fBEVP_KEM\-X25519\fR\|(7), \&\fBEVP_KEM\-X448\fR\|(7), and \fBEVP_KEM\-ML\-KEM\fR\|(7). .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_libctx.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_libctx.3 index e4049d33dfb9..9bd7521ed004 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_libctx.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_libctx.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CTX_GET0_LIBCTX 3ossl" -.TH EVP_PKEY_CTX_GET0_LIBCTX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CTX_GET0_LIBCTX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_pkey.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_pkey.3 index 90242ee6643e..267b1f3900ad 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_pkey.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_pkey.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CTX_GET0_PKEY 3ossl" -.TH EVP_PKEY_CTX_GET0_PKEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CTX_GET0_PKEY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get_algor.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get_algor.3 index 645f00e12fde..5bfd0abea22f 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get_algor.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get_algor.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CTX_GET_ALGOR 3ossl" -.TH EVP_PKEY_CTX_GET_ALGOR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CTX_GET_ALGOR 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -105,7 +108,7 @@ function is supported at all by the \fBEVP_\fR\f(BITYPE\fR\fB\fR implementation. .SH "RETURN VALUES" .IX Header "RETURN VALUES" All functions return 1 for success, and 0 or a negative number if an error -occurs. In particular, \-2 is returned when the function isn't supported by +occurs. In particular, \-2 is returned when the function isn\*(Aqt supported by the \fBEVP_\fR\f(BITYPE\fR implementation. .SH HISTORY .IX Header "HISTORY" diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_new.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_new.3 index 56ff4f039fdd..9dadc75a6122 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_new.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CTX_NEW 3ossl" -.TH EVP_PKEY_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CTX_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -123,7 +126,7 @@ If \fIctx\fR is NULL, nothing is done. .SS "On \fBEVP_PKEY_CTX\fP" .IX Subsection "On EVP_PKEY_CTX" The \fBEVP_PKEY_CTX\fR structure is an opaque public key algorithm context used -by the OpenSSL high-level public key API. Contexts \fBMUST NOT\fR be shared between +by the OpenSSL high\-level public key API. Contexts \fBMUST NOT\fR be shared between threads: that is it is not permissible to use the same context simultaneously in two threads. .SS "On Key Types" @@ -146,7 +149,7 @@ These are \fBEVP_PKEY_RSA\fR, \fBEVP_PKEY_RSA_PSS\fR, \fBEVP_PKEY_DSA\fR, .IX Item "Name strings" This is the \fIname\fR used with \fBEVP_PKEY_CTX_new_from_name()\fR. .Sp -These are names like "RSA", "DSA", and what's available depends on what +These are names like "RSA", "DSA", and what\*(Aqs available depends on what providers are currently accessible. .Sp The OpenSSL providers offer a set of key types available this way, please diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set1_pbe_pass.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set1_pbe_pass.3 index fe5cd9c5c091..8f8ed4eea7bb 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set1_pbe_pass.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set1_pbe_pass.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CTX_SET1_PBE_PASS 3ossl" -.TH EVP_PKEY_CTX_SET1_PBE_PASS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CTX_SET1_PBE_PASS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_hkdf_md.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_hkdf_md.3 index ef4d1cd5d68d..331e81fae378 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_hkdf_md.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_hkdf_md.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CTX_SET_HKDF_MD 3ossl" -.TH EVP_PKEY_CTX_SET_HKDF_MD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CTX_SET_HKDF_MD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -86,9 +89,9 @@ HMAC\-based Extract\-and\-Expand key derivation algorithm .SH DESCRIPTION .IX Header "DESCRIPTION" The EVP_PKEY_HKDF algorithm implements the HKDF key derivation function. -HKDF follows the "extract-then-expand" paradigm, where the KDF logically +HKDF follows the "extract\-then\-expand" paradigm, where the KDF logically consists of two modules. The first stage takes the input keying material -and "extracts" from it a fixed-length pseudorandom key K. The second stage +and "extracts" from it a fixed\-length pseudorandom key K. The second stage "expands" the key K into several additional pseudorandom keys (the output of the KDF). .PP @@ -99,14 +102,14 @@ are three modes that are currently defined: This is the default mode. Calling \fBEVP_PKEY_derive\fR\|(3) on an EVP_PKEY_CTX set up for HKDF will perform an extract followed by an expand operation in one go. The derived key returned will be the result after the expand operation. The -intermediate fixed-length pseudorandom key K is not returned. +intermediate fixed\-length pseudorandom key K is not returned. .Sp In this mode the digest, key, salt and info values must be set before a key is derived or an error occurs. .IP EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY 4 .IX Item "EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY" In this mode calling \fBEVP_PKEY_derive\fR\|(3) will just perform the extract -operation. The value returned will be the intermediate fixed-length pseudorandom +operation. The value returned will be the intermediate fixed\-length pseudorandom key K. .Sp The digest, key and salt values must be set before a key is derived or an 
@@ -114,7 +117,7 @@ error occurs. .IP EVP_PKEY_HKDEF_MODE_EXPAND_ONLY 4 .IX Item "EVP_PKEY_HKDEF_MODE_EXPAND_ONLY" In this mode calling \fBEVP_PKEY_derive\fR\|(3) will just perform the expand -operation. The input key should be set to the intermediate fixed-length +operation. The input key should be set to the intermediate fixed\-length pseudorandom key K returned from a previous extract operation. .Sp The digest, key and info values must be set before a key is derived or an diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_params.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_params.3 index 2016a3178679..8e1446e79db5 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_params.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_params.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CTX_SET_PARAMS 3ossl" -.TH EVP_PKEY_CTX_SET_PARAMS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CTX_SET_PARAMS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,7 +144,7 @@ of \-2 indicates the operation is not supported by the public key algorithm. .IX Header "HISTORY" All functions were added in OpenSSL 3.0. .PP -Support for \fBML-DSA\fR> and \fBML-KEM\fR was added in OpenSSL 3.5. +Support for \fBML\-DSA\fR> and \fBML\-KEM\fR was added in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2020\-2025 The OpenSSL Project Authors. All Rights Reserved. 
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3 index 7704b48587a7..aed929a1760d 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CTX_SET_RSA_PSS_KEYGEN_MD 3ossl" -.TH EVP_PKEY_CTX_SET_RSA_PSS_KEYGEN_MD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CTX_SET_RSA_PSS_KEYGEN_MD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -108,7 +111,7 @@ similar to the \fBRSA\fR versions. .SS "Key Generation" .IX Subsection "Key Generation" As with RSA key generation the \fBEVP_PKEY_CTX_set_rsa_keygen_bits()\fR -and \fBEVP_PKEY_CTX_set_rsa_keygen_pubexp()\fR macros are supported for RSA-PSS: +and \fBEVP_PKEY_CTX_set_rsa_keygen_pubexp()\fR macros are supported for RSA\-PSS: they have exactly the same meaning as for the RSA algorithm. .PP Optional parameter restrictions can be specified when generating a PSS key. @@ -132,7 +135,7 @@ passes the algorithm by name rather than by \fBEVP_MD\fR. to \fIsaltlen\fR. .SH NOTES .IX Header "NOTES" -A context for the \fBRSA-PSS\fR algorithm can be obtained by calling: +A context for the \fBRSA\-PSS\fR algorithm can be obtained by calling: .PP .Vb 1 \& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA_PSS, NULL); 
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_scrypt_N.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_scrypt_N.3 index 7df058edaba8..706a3f171eba 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_scrypt_N.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_scrypt_N.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CTX_SET_SCRYPT_N 3ossl" -.TH EVP_PKEY_CTX_SET_SCRYPT_N 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CTX_SET_SCRYPT_N 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3 index 72b97de3ae6e..01a965d11a43 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CTX_SET_TLS1_PRF_MD 3ossl" -.TH EVP_PKEY_CTX_SET_TLS1_PRF_MD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CTX_SET_TLS1_PRF_MD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_asn1_get_count.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_asn1_get_count.3 index 027b8324c613..33848cc84681 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_asn1_get_count.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_asn1_get_count.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_ASN1_GET_COUNT 3ossl" -.TH EVP_PKEY_ASN1_GET_COUNT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_ASN1_GET_COUNT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -94,13 +97,13 @@ The value of \fBidx\fR must be between zero and \fBEVP_PKEY_asn1_get_count()\fR .PP \&\fBEVP_PKEY_asn1_find()\fR looks up the \fBEVP_PKEY_ASN1_METHOD\fR with NID \&\fBtype\fR. -If \fBpe\fR isn't \fBNULL\fR, then it will look up an engine implementing a +If \fBpe\fR isn\*(Aqt \fBNULL\fR, then it will look up an engine implementing a \&\fBEVP_PKEY_ASN1_METHOD\fR for the NID \fBtype\fR and return that instead, and also set \fB*pe\fR to point at the engine that implements it. .PP \&\fBEVP_PKEY_asn1_find_str()\fR looks up the \fBEVP_PKEY_ASN1_METHOD\fR with PEM type string \fBstr\fR. -Just like \fBEVP_PKEY_asn1_find()\fR, if \fBpe\fR isn't \fBNULL\fR, then it will +Just like \fBEVP_PKEY_asn1_find()\fR, if \fBpe\fR isn\*(Aqt \fBNULL\fR, then it will look up an engine implementing a \fBEVP_PKEY_ASN1_METHOD\fR for the NID \&\fBtype\fR and return that instead, and also set \fB*pe\fR to point at the engine that implements it. diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_check.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_check.3 index 8e69b04543cd..0282d7bc63bc 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_check.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_check.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_CHECK 3ossl" -.TH EVP_PKEY_CHECK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_CHECK 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_copy_parameters.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_copy_parameters.3 index 030fd8e56522..b28c4c54beb9 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_copy_parameters.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_copy_parameters.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_COPY_PARAMETERS 3ossl" -.TH EVP_PKEY_COPY_PARAMETERS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_COPY_PARAMETERS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -88,7 +91,7 @@ see \fBopenssl_user_macros\fR\|(7): .IX Header "DESCRIPTION" The function \fBEVP_PKEY_missing_parameters()\fR returns 1 if the public key parameters of \fBpkey\fR are missing and 0 if they are present or the algorithm -doesn't use parameters. +doesn\*(Aqt use parameters. .PP The function \fBEVP_PKEY_copy_parameters()\fR copies the parameters from key \&\fBfrom\fR to key \fBto\fR. An error is returned if the parameters are missing in 
@@ -114,7 +117,7 @@ their return values compared to other \fB_cmp()\fR functions. They are aliases f The function \fBEVP_PKEY_cmp()\fR previously only checked the key parameters (if there are any) and the public key, assuming that there always was a public key and that private key equality could be derived from that. -Because it's no longer assumed that the private key in an \fBEVP_PKEY\fR\|(3) is +Because it\*(Aqs no longer assumed that the private key in an \fBEVP_PKEY\fR\|(3) is always accompanied by a public key, the comparison can not rely on public key comparison alone. .PP @@ -128,14 +131,14 @@ what they both contain. .IX Header "RETURN VALUES" The function \fBEVP_PKEY_missing_parameters()\fR returns 1 if the public key parameters of \fBpkey\fR are missing and 0 if they are present or the algorithm -doesn't use parameters. +doesn\*(Aqt use parameters. .PP These functions \fBEVP_PKEY_copy_parameters()\fR returns 1 for success and 0 for failure. .PP The functions \fBEVP_PKEY_cmp_parameters()\fR, \fBEVP_PKEY_parameters_eq()\fR, \&\fBEVP_PKEY_cmp()\fR and \fBEVP_PKEY_eq()\fR return 1 if their -inputs match, 0 if they don't match, \-1 if the key types are different and +inputs match, 0 if they don\*(Aqt match, \-1 if the key types are different and \&\-2 if the operation is not supported. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_decapsulate.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_decapsulate.3 index d8d382c2346c..872bead492a1 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_decapsulate.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_decapsulate.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_DECAPSULATE 3ossl" -.TH EVP_PKEY_DECAPSULATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_DECAPSULATE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -89,11 +92,11 @@ key that is used during decapsulation. .PP The \fBEVP_PKEY_decapsulate()\fR function performs a private key decapsulation operation using \fIctx\fR. The data to be decapsulated is specified using the -\&\fIwrapped\fR and \fIwrappedlen\fR parameters (which must both non-NULL). +\&\fIwrapped\fR and \fIwrappedlen\fR parameters (which must both non\-NULL). .PP The \fIwrapped\fR parameter is an output argument, to which the decapsulated shared secret is written. -The shared secret may not match the peer's value even when decapsulation +The shared secret may not match the peer\*(Aqs value even when decapsulation returns success. Instead, the shared secret must be used to derive a key that is used to authenticate data subsequently received from the peer. @@ -114,7 +117,7 @@ The length returned via \fI*unwrappedlen\fR SHOULD be used to determine the actu length of the output. .SH NOTES .IX Header "NOTES" -After the call to \fBEVP_PKEY_decapsulate_init()\fR algorithm-specific parameters +After the call to \fBEVP_PKEY_decapsulate_init()\fR algorithm\-specific parameters for the operation may be set or modified using \fBEVP_PKEY_CTX_set_params\fR\|(3). .SH "RETURN VALUES" .IX Header "RETURN VALUES" 
@@ -177,7 +180,7 @@ in OpenSSL 3.0. .PP The function \fBEVP_PKEY_auth_decapsulate_init()\fR was added in OpenSSL 3.2. .PP -Support for \fBML-KEM\fR was added in OpenSSL 3.5. +Support for \fBML\-KEM\fR was added in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2020\-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_decrypt.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_decrypt.3 index 145f011bc139..e3178d0dea0c 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_decrypt.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_decrypt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_DECRYPT 3ossl" -.TH EVP_PKEY_DECRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_DECRYPT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -112,19 +115,19 @@ algorithm. In OpenSSL versions before 3.2.0, when used in PKCS#1 v1.5 padding, both the return value from the \fBEVP_PKEY_decrypt()\fR and the \fBoutlen\fR provided information useful in mounting a Bleichenbacher attack against the -used private key. They had to be processed in a side-channel free way. +used private key. They had to be processed in a side\-channel free way. .PP Since version 3.2.0, the \fBEVP_PKEY_decrypt()\fR method when used with PKCS#1 v1.5 padding as implemented in the \fBdefault\fR provider implements the implicit rejection mechanism (see \&\fBOSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION\fR in \fBprovider\-asym_cipher\fR\|(7)). -That means it doesn't return an error when it detects an error in padding, -instead it returns a pseudo-randomly generated message, removing the need -of side-channel secure code from applications using OpenSSL. -If OpenSSL is configured to use a provider that doesn't implement implicit +That means it doesn\*(Aqt return an error when it detects an error in padding, +instead it returns a pseudo\-randomly generated message, removing the need +of side\-channel secure code from applications using OpenSSL. +If OpenSSL is configured to use a provider that doesn\*(Aqt implement implicit rejection, the code still needs to handle the returned values -using side-channel free code. -Side-channel free handling of the error stack can be performed using +using side\-channel free code. +Side\-channel free handling of the error stack can be performed using either a pair of unconditional \fBERR_set_mark\fR\|(3) and \fBERR_pop_to_mark\fR\|(3) calls or by using the \fBERR_clear_error\fR\|(3) call. .SH EXAMPLES diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_derive.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_derive.3 index 7d7382bf8252..462597bac31c 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_derive.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_derive.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_DERIVE 3ossl" -.TH EVP_PKEY_DERIVE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_DERIVE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_digestsign_supports_digest.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_digestsign_supports_digest.3 index f1cab50bdcd0..5e481081d8d8 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_digestsign_supports_digest.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_digestsign_supports_digest.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_DIGESTSIGN_SUPPORTS_DIGEST 3ossl" -.TH EVP_PKEY_DIGESTSIGN_SUPPORTS_DIGEST 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_DIGESTSIGN_SUPPORTS_DIGEST 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_encapsulate.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_encapsulate.3 index 99630a34c7dc..8c953f532f28 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_encapsulate.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_encapsulate.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_ENCAPSULATE 3ossl" -.TH EVP_PKEY_ENCAPSULATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_ENCAPSULATE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -97,7 +100,7 @@ size of the provided buffer. The ciphertext written to \fIwrappedkey\fR is an encapsulated form, which is expected to be only usable by the holder of the private key corresponding to the public key associated with \fIctx\fR. -This ciphertext is then communicated to the private-key holder, who can use +This ciphertext is then communicated to the private\-key holder, who can use \&\fBEVP_PKEY_decapsulate\fR\|(3) to securely recover the same shared secret. .PP If \fIwrappedkey\fR is NULL then the maximum size of the output buffer is written 
@@ -107,9 +110,9 @@ maximum size of the generated key buffer is written to \fI*genkeylen\fR unless .PP If \fIwrappedkey\fR is not NULL and the call is successful then the generated shared secret is written to \fIgenkey\fR and its size is written to -\&\fI*genkeylen\fR (which must be non-NULL). +\&\fI*genkeylen\fR (which must be non\-NULL). The encapsulated ciphertext is written to \fIwrappedkey\fR and -its size is written to \fI*wrappedkeylen\fR (must also be non-NULL), +its size is written to \fI*wrappedkeylen\fR (must also be non\-NULL), The value pointed to by \fIwrappedlen\fR initially hold the size of the \&\fIunwrapped\fR buffer so that its size can be validated by the call, ensuring it is large enough to hold the result written to \fIwrapped\fR. @@ -121,7 +124,7 @@ The lengths returned via \fI*wrappedkeylen\fR and \fI*genkeylen\fR SHOULD be used to determine the actual lengths of the outputs. .SH NOTES .IX Header "NOTES" -After the call to \fBEVP_PKEY_encapsulate_init()\fR, algorithm-specific parameters +After the call to \fBEVP_PKEY_encapsulate_init()\fR, algorithm\-specific parameters for the operation may be set or modified using \fBEVP_PKEY_CTX_set_params\fR\|(3). .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -186,7 +189,7 @@ The functions \fBEVP_PKEY_encapsulate_init()\fR and \fBEVP_PKEY_encapsulate()\fR added in OpenSSL 3.0. The function \fBEVP_PKEY_auth_encapsulate_init()\fR was added in OpenSSL 3.2. .PP -Support for \fBML-KEM\fR was added in OpenSSL 3.5. +Support for \fBML\-KEM\fR was added in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2020\-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_encrypt.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_encrypt.3 index befd74468727..50ad4c9e6d15 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_encrypt.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_encrypt.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_ENCRYPT 3ossl" -.TH EVP_PKEY_ENCRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_ENCRYPT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -109,7 +112,7 @@ algorithm. .IX Header "EXAMPLES" Encrypt data using OAEP (for RSA keys). See also \fBPEM_read_PUBKEY\fR\|(3) or \&\fBd2i_X509\fR\|(3) for means to load a public key. You may also simply -set 'eng = NULL;' to start with the default OpenSSL RSA implementation: +set \*(Aqeng = NULL;\*(Aq to start with the default OpenSSL RSA implementation: .PP .Vb 3 \& #include <openssl/evp.h> diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_fromdata.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_fromdata.3 index 989086f2e882..b3a809e6cc1c 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_fromdata.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_fromdata.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_FROMDATA 3ossl" -.TH EVP_PKEY_FROMDATA 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_FROMDATA 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -90,7 +93,7 @@ These are passed as an \fBOSSL_PARAM\fR\|(3) array. for creating a key or key parameters from user data. .PP \&\fBEVP_PKEY_fromdata()\fR creates the structure to store a key or key parameters, -given data from \fIparams\fR, \fIselection\fR and a context that's been initialized +given data from \fIparams\fR, \fIselection\fR and a context that\*(Aqs been initialized with \fBEVP_PKEY_fromdata_init()\fR. The result is written to \fI*ppkey\fR. \&\fIselection\fR is described in "Selections". The parameters that can be used for various types of key are as described by @@ -142,7 +145,7 @@ operation is not supported by the public key algorithm. These examples are very terse for the sake of staying on topic, which is the \fBEVP_PKEY_fromdata()\fR set of functions. In real applications, BIGNUMs would be handled and converted to byte arrays with -\&\fBBN_bn2nativepad()\fR, but that's off topic here. +\&\fBBN_bn2nativepad()\fR, but that\*(Aqs off topic here. .SS "Creating an RSA keypair using raw key data" .IX Subsection "Creating an RSA keypair using raw key data" .Vb 1 @@ -320,7 +323,7 @@ example with \fBOSSL_PARAM_allocate_from_text\fR\|(3). .IX Header "HISTORY" These functions were added in OpenSSL 3.0. .PP -Support for \fBML-DSA\fR, \fBML-KEM\fR and \fBSLH-DSA\fR was added in OpenSSL 3.5. +Support for \fBML\-DSA\fR, \fBML\-KEM\fR and \fBSLH\-DSA\fR was added in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved. 
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_attr.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_attr.3 index 437beaa7ad79..7fba9c34b07c 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_attr.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_attr.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_GET_ATTR 3ossl" -.TH EVP_PKEY_GET_ATTR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_GET_ATTR 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -119,7 +122,7 @@ An error occurs if either \fIattr\fR is NULL, or the attribute already exists. \&\fBEVP_PKEY_add1_attr_by_OBJ()\fR creates a new \fBX509_ATTRIBUTE\fR using \&\fBX509_ATTRIBUTE_set1_object()\fR and \fBX509_ATTRIBUTE_set1_data()\fR to assign a new \&\fIobj\fR with type \fItype\fR and data \fIbytes\fR of length \fIlen\fR and then pushes it -to the \fIkey\fR object's attribute list. If \fIobj\fR already exists in the attribute +to the \fIkey\fR object\*(Aqs attribute list. If \fIobj\fR already exists in the attribute list then an error occurs. .PP \&\fBEVP_PKEY_add1_attr_by_NID()\fR is similar to \fBEVP_PKEY_add1_attr_by_OBJ()\fR except 
@@ -150,7 +153,7 @@ there is a error. and \fBEVP_PKEY_add1_attr_by_txt()\fR return 1 on success or 0 otherwise. .SH NOTES .IX Header "NOTES" -A \fBEVP_PKEY\fR object's attribute list is initially NULL. All the above functions +A \fBEVP_PKEY\fR object\*(Aqs attribute list is initially NULL. All the above functions listed will return an error unless \fBEVP_PKEY_add1_attr()\fR is called. All functions listed assume that the \fIkey\fR is not NULL. .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_default_digest_nid.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_default_digest_nid.3 index 6eb8d2050411..a0a92dbd0c06 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_default_digest_nid.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_default_digest_nid.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_GET_DEFAULT_DIGEST_NID 3ossl" -.TH EVP_PKEY_GET_DEFAULT_DIGEST_NID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_GET_DEFAULT_DIGEST_NID 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_field_type.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_field_type.3 index e0bf93d32c1b..224c04e81ea4 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_field_type.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_field_type.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_GET_FIELD_TYPE 3ossl" -.TH EVP_PKEY_GET_FIELD_TYPE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_GET_FIELD_TYPE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -74,13 +77,13 @@ or point conversion form of a key .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBEVP_PKEY_get_field_type()\fR returns the field type NID of the \fIpkey\fR, if -\&\fIpkey\fR's key type supports it. The types currently supported -by the built-in OpenSSL providers are either \fBNID_X9_62_prime_field\fR +\&\fIpkey\fR\*(Aqs key type supports it. The types currently supported +by the built\-in OpenSSL providers are either \fBNID_X9_62_prime_field\fR for prime curves or \fBNID_X9_62_characteristic_two_field\fR for binary curves; these values are defined in the \fI<openssl/obj_mac.h>\fR header file. .PP \&\fBEVP_PKEY_get_ec_point_conv_form()\fR returns the point conversion format -of the \fIpkey\fR, if \fIpkey\fR's key type supports it. +of the \fIpkey\fR, if \fIpkey\fR\*(Aqs key type supports it. .SH NOTES .IX Header "NOTES" Among the standard OpenSSL key types, this is only supported for EC and diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_group_name.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_group_name.3 index 97ed946d3009..5068dac144fb 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_group_name.3 
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_group_name.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_GET_GROUP_NAME 3ossl" -.TH EVP_PKEY_GET_GROUP_NAME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_GET_GROUP_NAME 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -75,8 +78,8 @@ EVP_PKEY_get_group_name \- get group name of a key \&\fBEVP_PKEY_get_group_name()\fR fills in the group name of the \fIpkey\fR into \&\fIgname\fR, up to at most \fIgname_sz\fR bytes including the ending NUL byte and assigns \fI*gname_len\fR the actual length of the name not including -the NUL byte, if \fIpkey\fR's key type supports it. -\&\fIgname\fR as well as \fIgname_len\fR may individually be NULL, and won't be +the NUL byte, if \fIpkey\fR\*(Aqs key type supports it. +\&\fIgname\fR as well as \fIgname_len\fR may individually be NULL, and won\*(Aqt be filled in or assigned in that case. .SH NOTES .IX Header "NOTES" diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_size.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_size.3 index 243f94fa846e..e219a436d788 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_size.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_size.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_GET_SIZE 3ossl" -.TH EVP_PKEY_GET_SIZE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_GET_SIZE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -83,12 +86,12 @@ EVP_PKEY_bits, EVP_PKEY_security_bits, EVP_PKEY_size buffers for almost all operations that can be done with \fIpkey\fR. This corresponds to the provider parameter \fBOSSL_PKEY_PARAM_MAX_SIZE\fR. The primary documented use is with \fBEVP_SignFinal\fR\|(3) and -\&\fBEVP_SealInit\fR\|(3), but it isn't limited there. The returned size is +\&\fBEVP_SealInit\fR\|(3), but it isn\*(Aqt limited there. The returned size is also large enough for the output buffer of \fBEVP_PKEY_sign\fR\|(3), \&\fBEVP_PKEY_encrypt\fR\|(3), \fBEVP_PKEY_decrypt\fR\|(3), \fBEVP_PKEY_derive\fR\|(3). .PP It must be stressed that, unless the documentation for the operation -that's being performed says otherwise, the size returned by +that\*(Aqs being performed says otherwise, the size returned by \&\fBEVP_PKEY_get_size()\fR is only preliminary and not exact, so the final contents of the target buffer may be smaller. It is therefore crucial to take note of the size given back by the function that performs the 
@@ -106,21 +109,21 @@ This corresponds to the provider parameter \fBOSSL_PKEY_PARAM_SECURITY_BITS\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBEVP_PKEY_get_size()\fR, \fBEVP_PKEY_get_bits()\fR and \fBEVP_PKEY_get_security_bits()\fR -return a positive number, or 0 if this size isn't available. +return a positive number, or 0 if this size isn\*(Aqt available. .SH NOTES .IX Header "NOTES" Most functions that have an output buffer and are mentioned with \&\fBEVP_PKEY_get_size()\fR have a functionality where you can pass NULL for the buffer and still pass a pointer to an integer and get the exact size -that this function call delivers in the context that it's called in. +that this function call delivers in the context that it\*(Aqs called in. This allows those functions to be called twice, once to find out the exact buffer size, then allocate the buffer in between, and call that function again actually output the data. For those functions, it -isn't strictly necessary to call \fBEVP_PKEY_get_size()\fR to find out the -buffer size, but may be useful in cases where it's desirable to know +isn\*(Aqt strictly necessary to call \fBEVP_PKEY_get_size()\fR to find out the +buffer size, but may be useful in cases where it\*(Aqs desirable to know the upper limit in advance. .PP -It should also be especially noted that \fBEVP_PKEY_get_size()\fR shouldn't be +It should also be especially noted that \fBEVP_PKEY_get_size()\fR shouldn\*(Aqt be used to get the output size for \fBEVP_DigestSignFinal()\fR, according to "NOTES" in \fBEVP_DigestSignFinal\fR\|(3). .SH "SEE ALSO" 
@@ -136,7 +139,7 @@ used to get the output size for \fBEVP_DigestSignFinal()\fR, according to .IX Header "HISTORY" The \fBEVP_PKEY_bits()\fR, \fBEVP_PKEY_security_bits()\fR, and \fBEVP_PKEY_size()\fR functions were renamed to include \f(CW\*(C`get\*(C'\fR in their names in OpenSSL 3.0, respectively. -The old names are kept as non-deprecated alias macros. +The old names are kept as non\-deprecated alias macros. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_gettable_params.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_gettable_params.3 index 97f226e029ad..14617dc0949a 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_gettable_params.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_gettable_params.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_GETTABLE_PARAMS 3ossl" -.TH EVP_PKEY_GETTABLE_PARAMS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_GETTABLE_PARAMS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -126,7 +129,7 @@ not including the terminating NUL byte. The required buffer size not including the terminating NUL byte can be obtained from \fI*out_len\fR by calling the function with \fIstr\fR set to NULL. .PP -\&\fBEVP_PKEY_get_octet_string_param()\fR get a key \fIpkey\fR's octet string value into a +\&\fBEVP_PKEY_get_octet_string_param()\fR get a key \fIpkey\fR\*(Aqs octet string value into a buffer \fIbuf\fR of maximum size \fImax_buf_sz\fR associated with a name of \fIkey_name\fR. If \fIout_len\fR is not NULL, \fI*out_len\fR is set to the length of the contents. The required buffer size can be obtained from \fI*out_len\fR by calling the @@ -138,7 +141,7 @@ These functions only work for \fBEVP_PKEY\fRs that contain a provider side key. .IX Header "RETURN VALUES" \&\fBEVP_PKEY_gettable_params()\fR returns NULL on error or if it is not supported. .PP -All other methods return 1 if a value associated with the key's \fIkey_name\fR was +All other methods return 1 if a value associated with the key\*(Aqs \fIkey_name\fR was successfully returned, or 0 if there was an error. An error may be returned by methods \fBEVP_PKEY_get_utf8_string_param()\fR and \&\fBEVP_PKEY_get_octet_string_param()\fR if \fImax_buf_sz\fR is not big enough to hold the diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_is_a.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_is_a.3 index ca49be720bee..6c4f21a5f4d0 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_is_a.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_is_a.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_IS_A 3ossl" -.TH EVP_PKEY_IS_A 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_IS_A 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -86,7 +89,7 @@ EVP_PKEY_get0_type_name, EVP_PKEY_get0_description, EVP_PKEY_get0_provider \&\fIpkey\fR supports signing. No other check is done, such as whether \&\fIpkey\fR contains a private key. .PP -\&\fBEVP_PKEY_type_names_do_all()\fR traverses all names for \fIpkey\fR's key type, and +\&\fBEVP_PKEY_type_names_do_all()\fR traverses all names for \fIpkey\fR\*(Aqs key type, and calls \fIfn\fR with each name and \fIdata\fR. For example, an RSA \fBEVP_PKEY\fR may be named both \f(CW\*(C`RSA\*(C'\fR and \f(CW\*(C`rsaEncryption\*(C'\fR. The order of the names depends on the provider implementation that holds @@ -103,7 +106,7 @@ not be freed by the caller. meant for display and human consumption. The description is at the discretion of the key type implementation. .PP -\&\fBEVP_PKEY_get0_provider()\fR returns the provider of the \fBEVP_PKEY\fR's +\&\fBEVP_PKEY_get0_provider()\fR returns the provider of the \fBEVP_PKEY\fR\*(Aqs \&\fBEVP_KEYMGMT\fR\|(3). .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_keygen.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_keygen.3 index efd1719b72fa..047f8451bf94 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_keygen.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_keygen.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_KEYGEN 3ossl" -.TH EVP_PKEY_KEYGEN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_KEYGEN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -95,14 +98,14 @@ EVP_PKEY_paramgen, EVP_PKEY_keygen .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -Generating keys is sometimes straight forward, just generate the key's +Generating keys is sometimes straight forward, just generate the key\*(Aqs numbers and be done with it. However, there are certain key types that need key parameters, often called domain parameters but not necessarily limited to that, that also need to be generated. In addition to this, the caller may want to set user provided generation parameters that further affect key parameter or key generation, such as the desired key size. .PP -To flexibly allow all that's just been described, key parameter and key +To flexibly allow all that\*(Aqs just been described, key parameter and key generation is divided into an initialization of a key algorithm context, functions to set user provided parameters, and finally the key parameter or key generation function itself. 
@@ -145,13 +148,15 @@ If the callback returns 0 then the key generation operation is aborted and an error occurs. This might occur during a time consuming operation where a user clicks on a "cancel" button. .PP -The functions \fBEVP_PKEY_CTX_set_app_data()\fR and \fBEVP_PKEY_CTX_get_app_data()\fR set -and retrieve an opaque pointer. This can be used to set some application -defined value which can be retrieved in the callback: for example a handle -which is used to update a "progress dialog". +The functions \fBEVP_PKEY_CTX_set_app_data()\fR and \fBEVP_PKEY_CTX_get_app_data()\fR +associate an opaque, application\-defined pointer with an EVP_PKEY_CTX object. +.PP +This pointer is not interpreted by the library and is reserved entirely for use +by the application. It may be used to store arbitrary context or state that +needs to be accessible wherever the corresponding EVP_PKEY_CTX is available. .PP \&\fBEVP_PKEY_Q_keygen()\fR abstracts from the explicit use of \fBEVP_PKEY_CTX\fR while -providing a 'quick' but limited way of generating a new asymmetric key pair. +providing a \*(Aqquick\*(Aq but limited way of generating a new asymmetric key pair. It provides shorthands for simple and common cases of key generation. As usual, the library context \fIlibctx\fR and property query \fIpropq\fR can be given for fetching algorithms from providers. @@ -298,7 +303,7 @@ OpenSSL 1.0.0. \&\fBEVP_PKEY_Q_keygen()\fR and \fBEVP_PKEY_generate()\fR were added in OpenSSL 3.0. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2006\-2025 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_get_count.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_get_count.3 index 76008c2a709f..00d2828a550c 100644 
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_get_count.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_get_count.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_METH_GET_COUNT 3ossl" -.TH EVP_PKEY_METH_GET_COUNT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_METH_GET_COUNT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_new.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_new.3 index dd1a6b45e7e0..17a42205b408 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_new.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_METH_NEW 3ossl" -.TH EVP_PKEY_METH_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_METH_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -314,8 +317,8 @@ used to perform different jobs, such as generating a key, signing or verifying, encrypting or decrypting, etc. .PP There are two places where the \fBEVP_PKEY_METHOD\fR objects are stored: one -is a built-in static array representing the standard methods for different -algorithms, and the other one is a stack of user-defined application-specific +is a built\-in static array representing the standard methods for different +algorithms, and the other one is a stack of user\-defined application\-specific methods, which can be manipulated by using \fBEVP_PKEY_meth_add0\fR\|(3). .PP The \fBEVP_PKEY_METHOD\fR objects are usually referenced by \fBEVP_PKEY_CTX\fR @@ -331,7 +334,7 @@ algorithm present by the \fBEVP_PKEY_CTX\fR object. \& void (*cleanup) (EVP_PKEY_CTX *ctx); .Ve .PP -The \fBinit()\fR method is called to initialize algorithm-specific data when a new +The \fBinit()\fR method is called to initialize algorithm\-specific data when a new \&\fBEVP_PKEY_CTX\fR is created. As opposed to \fBinit()\fR, the \fBcleanup()\fR method is called when an \fBEVP_PKEY_CTX\fR is freed. The \fBcopy()\fR method is called when an \fBEVP_PKEY_CTX\fR is being duplicated. Refer to \fBEVP_PKEY_CTX_new\fR\|(3), \fBEVP_PKEY_CTX_new_id\fR\|(3), @@ -439,7 +442,7 @@ from a public key algorithm (for instance, the DH algorithm). They are called by \& int (*ctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value); .Ve .PP -The \fBctrl()\fR and \fBctrl_str()\fR methods are used to adjust algorithm-specific +The \fBctrl()\fR and \fBctrl_str()\fR methods are used to adjust algorithm\-specific settings. See \fBEVP_PKEY_CTX_ctrl\fR\|(3) and related functions for details. .PP .Vb 5 
@@ -451,7 +454,7 @@ settings. See \fBEVP_PKEY_CTX_ctrl\fR\|(3) and related functions for details. .Ve .PP The \fBdigestsign()\fR and \fBdigestverify()\fR methods are used to generate or verify -a signature in a one-shot mode. They could be called by \fBEVP_DigestSign\fR\|(3) +a signature in a one\-shot mode. They could be called by \fBEVP_DigestSign\fR\|(3) and \fBEVP_DigestVerify\fR\|(3). .PP .Vb 3 @@ -461,7 +464,7 @@ and \fBEVP_DigestVerify\fR\|(3). .Ve .PP The \fBcheck()\fR, \fBpublic_check()\fR and \fBparam_check()\fR methods are used to validate a -key-pair, the public component and parameters respectively for a given \fBpkey\fR. +key\-pair, the public component and parameters respectively for a given \fBpkey\fR. They could be called by \fBEVP_PKEY_check\fR\|(3), \fBEVP_PKEY_public_check\fR\|(3) and \&\fBEVP_PKEY_param_check\fR\|(3) respectively. .PP @@ -489,7 +492,7 @@ supported: If an \fBEVP_PKEY_METHOD\fR is set with the \fBEVP_PKEY_FLAG_AUTOARGLEN\fR flag, the maximum size of the output buffer will be automatically calculated or checked in corresponding EVP methods by the EVP framework. Thus the implementations of -these methods don't need to care about handling the case of returning output +these methods don\*(Aqt need to care about handling the case of returning output buffer size by themselves. For details on the output buffer size, refer to \&\fBEVP_PKEY_sign\fR\|(3). .PP @@ -504,8 +507,8 @@ digest signing operation by calling \fBEVP_DigestSignFinal\fR\|(3). to \fBdst\fR. .PP \&\fBEVP_PKEY_meth_find()\fR finds an \fBEVP_PKEY_METHOD\fR object with the \fBid\fR. -This function first searches through the user-defined method objects and -then the built-in objects. +This function first searches through the user\-defined method objects and +then the built\-in objects. .PP \&\fBEVP_PKEY_meth_add0()\fR adds \fBpmeth\fR to the user defined stack of methods. .PP 
@@ -534,7 +537,7 @@ if an error occurred. 0 if an error occurred. .PP All EVP_PKEY_meth_set and EVP_PKEY_meth_get functions have no return -values. For the 'get' functions, function pointers are returned by +values. For the \*(Aqget\*(Aq functions, function pointers are returned by arguments. .SH HISTORY .IX Header "HISTORY" diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_new.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_new.3 index 6d478bb51674..f43d0853c48a 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_new.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_NEW 3ossl" -.TH EVP_PKEY_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -173,7 +176,7 @@ algorithm type). .PP \&\fBEVP_PKEY_new_raw_private_key()\fR does the same as \&\fBEVP_PKEY_new_raw_private_key_ex()\fR except that the default library context and -default property query are used instead. If \fIe\fR is non-NULL then the new +default property query are used instead. If \fIe\fR is non\-NULL then the new \&\fBEVP_PKEY\fR structure is associated with the engine \fIe\fR. The \fItype\fR argument indicates what kind of key this is. The value should be a NID for a public key algorithm that supports raw private keys, i.e. one of \fBEVP_PKEY_X25519\fR, 
@@ -233,7 +236,7 @@ and \&\fBML\-KEM\-512\fR, \&\fBML\-KEM\-768\fR and \&\fBML\-KEM\-1024\fR -keys, which don't have legacy numeric \fINID\fR assignments, but their raw form is +keys, which don\*(Aqt have legacy numeric \fINID\fR assignments, but their raw form is nevertheless available. .PP \&\fBEVP_PKEY_get_raw_public_key()\fR fills the buffer provided by \fIpub\fR with raw @@ -256,14 +259,14 @@ and \&\fBML\-KEM\-512\fR, \&\fBML\-KEM\-768\fR and \&\fBML\-KEM\-1024\fR -keys, which don't have legacy numeric \fINID\fR assignments, but their raw form is +keys, which don\*(Aqt have legacy numeric \fINID\fR assignments, but their raw form is nevertheless available. .PP \&\fBEVP_PKEY_new_CMAC_key()\fR works in the same way as \fBEVP_PKEY_new_raw_private_key()\fR except it is only for the \fBEVP_PKEY_CMAC\fR algorithm type. In addition to the raw private key data, it also takes a cipher algorithm to be used during creation of a CMAC in the \fBcipher\fR argument. The cipher should be a standard -encryption-only cipher. For example AEAD and XTS ciphers should not be used. +encryption\-only cipher. For example AEAD and XTS ciphers should not be used. .PP Applications should use the \fBEVP_MAC\fR\|(3) API instead and set the \fBOSSL_MAC_PARAM_CIPHER\fR parameter on the \fBEVP_MAC_CTX\fR object @@ -279,7 +282,7 @@ key to this empty structure use the appropriate functions described in \&\fBEVP_PKEY_set1_EC_KEY\fR\|(3) for legacy key types implemented in internal OpenSSL providers. .PP -For fully provider-managed key types (see \fBprovider\-keymgmt\fR\|(7)), +For fully provider\-managed key types (see \fBprovider\-keymgmt\fR\|(7)), possibly implemented in external providers, use functions such as \&\fBEVP_PKEY_set1_encoded_public_key\fR\|(3) or \fBEVP_PKEY_fromdata\fR\|(3) to populate key data. 
@@ -336,7 +339,7 @@ The documentation of \fBEVP_PKEY\fR was amended in OpenSSL 3.0 to allow there to be the private part of the keypair without the public part, where this was previously implied to be disallowed. .PP -Support for \fBML-DSA\fR and \fBML-KEM\fR was added in OpenSSL 3.5. +Support for \fBML\-DSA\fR and \fBML\-KEM\fR was added in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2002\-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_print_private.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_print_private.3 index eb5b3b496e68..e2f8f6b8dafe 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_print_private.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_print_private.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_PRINT_PRIVATE 3ossl" -.TH EVP_PKEY_PRINT_PRIVATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_PRINT_PRIVATE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_RSA.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_RSA.3 index 580779e93f99..3d4fe488f58d 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_RSA.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_RSA.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_SET1_RSA 3ossl" -.TH EVP_PKEY_SET1_RSA 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_SET1_RSA 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -124,12 +127,12 @@ see \fBopenssl_user_macros\fR\|(7): an RSA key will return \fBEVP_PKEY_RSA\fR. .PP \&\fBEVP_PKEY_get_id()\fR returns the actual NID associated with \fIpkey\fR -only if the \fIpkey\fR type isn't implemented just in a \fBprovider\fR\|(7). +only if the \fIpkey\fR type isn\*(Aqt implemented just in a \fBprovider\fR\|(7). Historically keys using the same algorithm could use different NIDs. For example an RSA key could use the NIDs corresponding to the NIDs \fBNID_rsaEncryption\fR (equivalent to \fBEVP_PKEY_RSA\fR) or \&\fBNID_rsa\fR (equivalent to \fBEVP_PKEY_RSA2\fR). The use of -alternative non-standard NIDs is now rare so \fBEVP_PKEY_RSA2\fR et al are not +alternative non\-standard NIDs is now rare so \fBEVP_PKEY_RSA2\fR et al are not often seen in practice. \&\fBEVP_PKEY_get_id()\fR returns \-1 (\fBEVP_PKEY_KEYMGMT\fR) if the \fIpkey\fR is only implemented in a \fBprovider\fR\|(7). 
@@ -180,10 +183,10 @@ described above then the internal key will be managed by a provider (see \&\fBEVP_PKEY_get1_DSA()\fR, \fBEVP_PKEY_get1_DH()\fR, \fBEVP_PKEY_get1_EC_KEY()\fR, \&\fBEVP_PKEY_get0_hmac()\fR, \fBEVP_PKEY_get0_poly1305()\fR, \fBEVP_PKEY_get0_siphash()\fR, \&\fBEVP_PKEY_get0_RSA()\fR, \fBEVP_PKEY_get0_DSA()\fR, \fBEVP_PKEY_get0_DH()\fR or -\&\fBEVP_PKEY_get0_EC_KEY()\fR will be a cached copy of the provider's key. Subsequent -updates to the provider's key will not be reflected back in the cached copy, and +\&\fBEVP_PKEY_get0_EC_KEY()\fR will be a cached copy of the provider\*(Aqs key. Subsequent +updates to the provider\*(Aqs key will not be reflected back in the cached copy, and updates made by an application to the returned key will not be reflected back in -the provider's key. Subsequent calls to \fBEVP_PKEY_get1_RSA()\fR, +the provider\*(Aqs key. Subsequent calls to \fBEVP_PKEY_get1_RSA()\fR, \&\fBEVP_PKEY_get1_DSA()\fR, \fBEVP_PKEY_get1_DH()\fR and \fBEVP_PKEY_get1_EC_KEY()\fR will always return the cached copy returned by the first call. .PP 
@@ -212,12 +215,12 @@ The keys returned from the functions \fBEVP_PKEY_get0_RSA()\fR, \fBEVP_PKEY_get0 \&\fBEVP_PKEY_get0_DH()\fR and \fBEVP_PKEY_get0_EC_KEY()\fR were changed to have a "const" return type in OpenSSL 3.0. As described above the keys returned may be cached copies of the key held in a provider. Due to this, and unlike in earlier -versions of OpenSSL, they should be considered read-only copies of the key. +versions of OpenSSL, they should be considered read\-only copies of the key. Updates to these keys will not be reflected back in the provider side key. The \&\fBEVP_PKEY_get1_RSA()\fR, \fBEVP_PKEY_get1_DSA()\fR, \fBEVP_PKEY_get1_DH()\fR and \&\fBEVP_PKEY_get1_EC_KEY()\fR functions were not changed to have a "const" return type in order that applications can "free" the return value. However applications -should still consider them as read-only copies. +should still consider them as read\-only copies. .SH NOTES .IX Header "NOTES" In accordance with the OpenSSL naming convention the key obtained @@ -266,7 +269,7 @@ type or \fBNID_undef\fR (equivalently \fBEVP_PKEY_NONE\fR) on error. .IX Header "HISTORY" The \fBEVP_PKEY_id()\fR and \fBEVP_PKEY_base_id()\fR functions were renamed to include \f(CW\*(C`get\*(C'\fR in their names in OpenSSL 3.0, respectively. The old names -are kept as non-deprecated alias macros. +are kept as non\-deprecated alias macros. .PP EVP_PKEY_set1_RSA, EVP_PKEY_set1_DSA, EVP_PKEY_set1_DH, EVP_PKEY_set1_EC_KEY, EVP_PKEY_get1_RSA, EVP_PKEY_get1_DSA, EVP_PKEY_get1_DH, EVP_PKEY_get1_EC_KEY, diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_encoded_public_key.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_encoded_public_key.3 index a1d9270fe8a7..54f0bc6a0bb6 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_encoded_public_key.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_encoded_public_key.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_SET1_ENCODED_PUBLIC_KEY 3ossl" -.TH EVP_PKEY_SET1_ENCODED_PUBLIC_KEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_SET1_ENCODED_PUBLIC_KEY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -90,7 +93,7 @@ see \fBopenssl_user_macros\fR\|(7): \&\fBEVP_PKEY_set1_encoded_public_key()\fR can be used to set the public key value within an existing EVP_PKEY object, which does not yet have either a public or private key assigned. -For the built-in OpenSSL algorithms this currently only works for those that +For the built\-in OpenSSL algorithms this currently only works for those that support key exchange or key encapsulation. Parameters are not set as part of this operation, so typically an application will create an EVP_PKEY first, set the parameters on it, and then call this 
@@ -99,12 +102,12 @@ For example setting the parameters might be done using \&\fBEVP_PKEY_copy_parameters\fR\|(3). .PP The format for the encoded public key will depend on the algorithm in use. For -DH it should be encoded as a positive integer in big-endian form. For EC is +DH it should be encoded as a positive integer in big\-endian form. For EC is should be a point conforming to Sec. 2.3.4 of the SECG SEC 1 ("Elliptic Curve Cryptography") standard. For \fBX25519\fR and \fBX448\fR it should be encoded in the format defined by RFC7748. For \fBML\-KEM\-512\fR, \fBML\-KEM\-768\fR and \fBML\-KEM\-1024\fR, this is the public key -format defined in \fBFIPS 203\fR (the 12\-bit per-coefficient encoded public \fIt\fR +format defined in \fBFIPS 203\fR (the 12\-bit per\-coefficient encoded public \fIt\fR vector and 32\-byte matrix seed \fIrho\fR). .PP The key to be updated is supplied in \fBpkey\fR. The buffer containing the encoded @@ -134,7 +137,7 @@ value for failure. .IX Header "EXAMPLES" See \fBEVP_PKEY_derive_init\fR\|(3) and \fBEVP_PKEY_derive\fR\|(3) for information about performing a key exchange operation. -.SS "Set up a peer's EVP_PKEY ready for a key exchange operation" +.SS "Set up a peer\*(Aqs EVP_PKEY ready for a key exchange operation" .IX Subsection "Set up a peer's EVP_PKEY ready for a key exchange operation" .Vb 1 \& #include <openssl/evp.h> @@ -201,7 +204,7 @@ added in OpenSSL 3.0. \&\fBEVP_PKEY_set1_tls_encodedpoint()\fR and \fBEVP_PKEY_get1_tls_encodedpoint()\fR were deprecated in OpenSSL 3.0. .PP -Support for \fBML-KEM\fR was added in OpenSSL 3.5. +Support for \fBML\-KEM\fR was added in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2020\-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_set_type.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_set_type.3 index 26b1fbad43b2..d2d39dae661a 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_set_type.3 
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_set_type.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_SET_TYPE 3ossl" -.TH EVP_PKEY_SET_TYPE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_SET_TYPE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -78,7 +81,7 @@ All the functions described here behave the same in so far that they clear all the previous key data and methods from \fIpkey\fR, and reset it to be of the type of key given by the different arguments. If \&\fIpkey\fR is NULL, these functions will still return the same return -values as if it wasn't. +values as if it wasn\*(Aqt. .PP \&\fBEVP_PKEY_set_type()\fR initialises \fIpkey\fR to contain an internal legacy key. When doing this, it finds a \fBEVP_PKEY_ASN1_METHOD\fR\|(3) diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_settable_params.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_settable_params.3 index 67fa0773f1bc..2c5368915d56 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_settable_params.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_settable_params.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_SETTABLE_PARAMS 3ossl" -.TH EVP_PKEY_SETTABLE_PARAMS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_SETTABLE_PARAMS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_sign.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_sign.3 index 3b9d67165356..52a1fd7cb137 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_sign.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_sign.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_SIGN 3ossl" -.TH EVP_PKEY_SIGN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_SIGN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -95,12 +98,12 @@ for more information about implicit fetches. sets the passed parameters \fIparams\fR on the context before returning. .PP \&\fBEVP_PKEY_sign_init_ex2()\fR initializes a public key algorithm context \fIctx\fR for -signing a pre-computed message digest using the algorithm given by \fIalgo\fR and +signing a pre\-computed message digest using the algorithm given by \fIalgo\fR and the key given through \fBEVP_PKEY_CTX_new\fR\|(3) or \fBEVP_PKEY_CTX_new_from_pkey\fR\|(3). -A context \fIctx\fR without a pre-loaded key cannot be used with this function. +A context \fIctx\fR without a pre\-loaded key cannot be used with this function. This function provides almost the same functionality as \fBEVP_PKEY_sign_init_ex()\fR, -but is uniquely intended to be used with a pre-computed message digest, and -allows pre-determining the exact conditions for that message digest, if a +but is uniquely intended to be used with a pre\-computed message digest, and +allows pre\-determining the exact conditions for that message digest, if a composite signature algorithm (such as RSA\-SHA256) was fetched. Following a call to this function, setting parameters that modifies the digest implementation or padding is not normally supported. @@ -108,7 +111,7 @@ implementation or padding is not normally supported. \&\fBEVP_PKEY_sign_message_init()\fR initializes a public key algorithm context \fIctx\fR for signing an unlimited size message using the algorithm given by \fIalgo\fR and the key given through \fBEVP_PKEY_CTX_new\fR\|(3) or \fBEVP_PKEY_CTX_new_from_pkey\fR\|(3). -Passing the message is supported both in a one-shot fashion using +Passing the message is supported both in a one\-shot fashion using \&\fBEVP_PKEY_sign()\fR, and through the combination of \fBEVP_PKEY_sign_message_update()\fR and \fBEVP_PKEY_sign_message_final()\fR. This function enables using algorithms that can process input of arbitrary 
@@ -116,17 +119,17 @@ length, such as ED25519, RSA\-SHA256 and similar. .PP \&\fBEVP_PKEY_sign_message_update()\fR adds \fIinlen\fR bytes from \fIin\fR to the data to be processed for signature. The signature algorithm specification and -implementation determine how the input bytes are processed and if there's a +implementation determine how the input bytes are processed and if there\*(Aqs a limit on the total size of the input. See "NOTES" below for a deeper explanation. .PP \&\fBEVP_PKEY_sign_message_final()\fR signs the processed data and places the data in \&\fIsig\fR, and the number of signature bytes in \fI*siglen\fR, if the number of -bytes doesn't surpass the size given by \fIsigsize\fR. +bytes doesn\*(Aqt surpass the size given by \fIsigsize\fR. \&\fIsig\fR may be NULL, and in that case, only \fI*siglen\fR is updated with the number of signature bytes. .PP -\&\fBEVP_PKEY_sign()\fR is a one-shot function that can be used with all the init +\&\fBEVP_PKEY_sign()\fR is a one\-shot function that can be used with all the init functions above. When initialization was done with \fBEVP_PKEY_sign_init()\fR, \fBEVP_PKEY_sign_init_ex()\fR or \fBEVP_PKEY_sign_init_ex2()\fR, the data specified by \fItbs\fR and \fItbslen\fR is 
@@ -161,13 +164,13 @@ Similarly, an RSA implementation usually expects additional details to be set, like the message digest algorithm that the input is supposed to be digested with, as well as the padding mode (see \fBEVP_PKEY_CTX_set_signature_md\fR\|(3) and \&\fBEVP_PKEY_CTX_set_rsa_padding\fR\|(3) and similar others), while an RSA\-SHA256 -implementation usually has these details pre-set and immutable. +implementation usually has these details pre\-set and immutable. .PP -The functions described here can't be used to combine separate algorithms. In +The functions described here can\*(Aqt be used to combine separate algorithms. In particular, neither \fBEVP_PKEY_CTX_set_signature_md\fR\|(3) nor the \fBOSSL_PARAM\fR parameter "digest" (\fBOSSL_SIGNATURE_PARAM_DIGEST\fR) can be used to combine a signature algorithm with a hash algorithm to process the input. In other -words, it's not possible to specify a \fIctx\fR pre-loaded with an RSA pkey, or +words, it\*(Aqs not possible to specify a \fIctx\fR pre\-loaded with an RSA pkey, or an \fIalgo\fR that fetched \f(CW\*(C`RSA\*(C'\fR and try to specify SHA256 separately to get the functionality of RSA\-SHA256. If combining algorithms in that manner is desired, please use \fBEVP_DigestSignInit\fR\|(3) and associated functions. @@ -175,9 +178,9 @@ desired, please use \fBEVP_DigestSignInit\fR\|(3) and associated functions. .IX Subsection "Performing multiple signatures" When initialized using \fBEVP_PKEY_sign_init_ex()\fR or \fBEVP_PKEY_sign_init_ex2()\fR, \&\fBEVP_PKEY_sign()\fR can be called more than once on the same context to have -several one-shot operations performed using the same parameters. +several one\-shot operations performed using the same parameters. .PP -When initialized using \fBEVP_PKEY_sign_message_init()\fR, it's not possible to +When initialized using \fBEVP_PKEY_sign_message_init()\fR, it\*(Aqs not possible to call \fBEVP_PKEY_sign()\fR multiple times. .SH "RETURN VALUES" .IX Header "RETURN VALUES" 
@@ -230,11 +233,11 @@ Sign data using RSA with PKCS#1 padding and a SHA256 digest as input: \& \& /* Signature is siglen bytes written to buffer sig */ .Ve -.SS "RSA\-SHA256 with a pre-computed digest" +.SS "RSA\-SHA256 with a pre\-computed digest" .IX Subsection "RSA-SHA256 with a pre-computed digest" -Sign a digest with RSA\-SHA256 using one-shot functions. To be noted is that +Sign a digest with RSA\-SHA256 using one\-shot functions. To be noted is that RSA\-SHA256 is assumed to be an implementation of \f(CW\*(C`sha256WithRSAEncryption\*(C'\fR, -for which the padding is pre-determined to be \fBRSA_PKCS1_PADDING\fR, and the +for which the padding is pre\-determined to be \fBRSA_PKCS1_PADDING\fR, and the input digest is assumed to have been computed using SHA256. .PP .Vb 2 @@ -274,11 +277,11 @@ input digest is assumed to have been computed using SHA256. \& \& /* Signature is siglen bytes written to buffer sig */ .Ve -.SS "RSA\-SHA256, one-shot" +.SS "RSA\-SHA256, one\-shot" .IX Subsection "RSA-SHA256, one-shot" -Sign a document with RSA\-SHA256 using one-shot functions. +Sign a document with RSA\-SHA256 using one\-shot functions. To be noted is that RSA\-SHA256 is assumed to be an implementation of -\&\f(CW\*(C`sha256WithRSAEncryption\*(C'\fR, for which the padding is pre-determined to be +\&\f(CW\*(C`sha256WithRSAEncryption\*(C'\fR, for which the padding is pre\-determined to be \&\fBRSA_PKCS1_PADDING\fR. .PP .Vb 2 @@ -323,7 +326,7 @@ To be noted is that RSA\-SHA256 is assumed to be an implementation of .Ve .SS "RSA\-SHA256, using update and final" .IX Subsection "RSA-SHA256, using update and final" -This is the same as the previous example, but allowing stream-like +This is the same as the previous example, but allowing stream\-like functionality. .PP .Vb 2 diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_todata.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_todata.3 index 8e886927e932..52ae3082ff2a 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_todata.3 
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_todata.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_TODATA 3ossl" -.TH EVP_PKEY_TODATA 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_TODATA 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -115,7 +118,7 @@ This is the mirror function to \fBEVP_PKEY_fromdata\fR\|(3). .IX Header "HISTORY" These functions were added in OpenSSL 3.0. .PP -Support for \fBML-DSA\fR, \fBML-KEM\fR and \fBSLH-DSA\fR was added in OpenSSL 3.5. +Support for \fBML\-DSA\fR, \fBML\-KEM\fR and \fBSLH\-DSA\fR was added in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2021\-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_verify.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_verify.3 index cc23de159372..3ce1342f4bf7 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_verify.3 +++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_verify.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_VERIFY 3ossl" -.TH EVP_PKEY_VERIFY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_VERIFY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -98,9 +101,9 @@ sets the passed parameters \fIparams\fR on the context before returning. .PP \&\fBEVP_PKEY_verify_init_ex2()\fR is the same as \fBEVP_PKEY_verify_init_ex()\fR, but works with an explicitly fetched \fBEVP_SIGNATURE\fR \fIalgo\fR. -A context \fIctx\fR without a pre-loaded key cannot be used with this function. +A context \fIctx\fR without a pre\-loaded key cannot be used with this function. Depending on what algorithm was fetched, certain details revolving around the -treatment of the input to \fBEVP_PKEY_verify()\fR may be pre-determined, and in that +treatment of the input to \fBEVP_PKEY_verify()\fR may be pre\-determined, and in that case, those details may normally not be changed. See "NOTES" below for a deeper explanation. .PP @@ -108,7 +111,7 @@ See "NOTES" below for a deeper explanation. \&\fIctx\fR for verifying an unlimited size message using the algorithm given by \&\fIalgo\fR and the key given through \fBEVP_PKEY_CTX_new\fR\|(3) or \&\fBEVP_PKEY_CTX_new_from_pkey\fR\|(3). -Passing the message is supported both in a one-shot fashion using +Passing the message is supported both in a one\-shot fashion using \&\fBEVP_PKEY_verify()\fR, and through the combination of \fBEVP_PKEY_verify_update()\fR and \&\fBEVP_PKEY_verify_final()\fR. This function enables using algorithms that can process input of arbitrary 
@@ -122,7 +125,7 @@ See "NOTES" below for a deeper explanation. .PP \&\fBEVP_PKEY_verify_update()\fR adds \fIinlen\fR bytes from \fIin\fR to the data to be processed for verification. The signature algorithm specification and -implementation determine how the input bytes are processed and if there's a +implementation determine how the input bytes are processed and if there\*(Aqs a limit on the total size of the input. See "NOTES" below for a deeper explanation. .PP @@ -130,7 +133,7 @@ explanation. The signature to verify against must have been given with \&\fBEVP_PKEY_CTX_set_signature()\fR. .PP -\&\fBEVP_PKEY_verify()\fR is a one-shot function that performs the same thing as +\&\fBEVP_PKEY_verify()\fR is a one\-shot function that performs the same thing as \&\fBEVP_PKEY_CTX_set_signature()\fR call with \fIsig\fR and \fIsiglen\fR as parameters, followed by a single \fBEVP_PKEY_verify_update()\fR call with \fItbs\fR and \fItbslen\fR, followed by \fBEVP_PKEY_verify_final()\fR call. 
@@ -156,13 +159,13 @@ Similarly, an RSA implementation usually expects additional details to be set, like the message digest algorithm that the input is supposed to be digested with, as well as the padding mode (see \fBEVP_PKEY_CTX_set_signature_md\fR\|(3) and \&\fBEVP_PKEY_CTX_set_rsa_padding\fR\|(3) and similar others), while an RSA\-SHA256 -implementation usually has these details pre-set and immutable. +implementation usually has these details pre\-set and immutable. .PP -The functions described here can't be used to combine separate algorithms. In +The functions described here can\*(Aqt be used to combine separate algorithms. In particular, neither \fBEVP_PKEY_CTX_set_signature_md\fR\|(3) nor the \fBOSSL_PARAM\fR parameter "digest" (\fBOSSL_SIGNATURE_PARAM_DIGEST\fR) can be used to combine a signature algorithm with a hash algorithm to process the input. In other -words, it's not possible to specify a \fIctx\fR pre-loaded with an RSA pkey, or +words, it\*(Aqs not possible to specify a \fIctx\fR pre\-loaded with an RSA pkey, or an \fIalgo\fR that fetched \f(CW\*(C`RSA\*(C'\fR and try to specify SHA256 separately to get the functionality of RSA\-SHA256. If combining algorithms in that manner is desired, please use \fBEVP_DigestVerifyInit\fR\|(3) and associated functions, or 
@@ -171,16 +174,16 @@ desired, please use \fBEVP_DigestVerifyInit\fR\|(3) and associated functions, or .IX Subsection "Performing multiple verifications" When initialized using \fBEVP_PKEY_verify_init_ex()\fR or \fBEVP_PKEY_verify_init_ex2()\fR, \&\fBEVP_PKEY_verify()\fR can be called more than once on the same context to have -several one-shot operations performed using the same parameters. +several one\-shot operations performed using the same parameters. .PP -When initialized using \fBEVP_PKEY_verify_message_init()\fR, it's not possible to +When initialized using \fBEVP_PKEY_verify_message_init()\fR, it\*(Aqs not possible to call \fBEVP_PKEY_verify()\fR multiple times. .SS "On \fBEVP_PKEY_CTX_set_signature()\fP" .IX Subsection "On EVP_PKEY_CTX_set_signature()" Some signature algorithms (such as LMS) require the signature verification data be specified before verifying the message. Other algorithms allow the signature to be specified late. -To allow either way (which may depend on the application's flow of input), the +To allow either way (which may depend on the application\*(Aqs flow of input), the signature to be verified against \fImust\fR be specified using this function when using \fBEVP_PKEY_verify_message_update()\fR and \fBEVP_PKEY_verify_message_final()\fR to perform the verification. 
@@ -233,11 +236,11 @@ Verify signature using PKCS#1 padding and a SHA256 digest as input: \& * other error. \& */ .Ve -.SS "RSA\-SHA256 with a pre-computed digest" +.SS "RSA\-SHA256 with a pre\-computed digest" .IX Subsection "RSA-SHA256 with a pre-computed digest" -Verify a digest with RSA\-SHA256 using one-shot functions. To be noted is that +Verify a digest with RSA\-SHA256 using one\-shot functions. To be noted is that RSA\-SHA256 is assumed to be an implementation of \f(CW\*(C`sha256WithRSAEncryption\*(C'\fR, -for which the padding is pre-determined to be \fBRSA_PKCS1_PADDING\fR, and the +for which the padding is pre\-determined to be \fBRSA_PKCS1_PADDING\fR, and the input digest is assumed to have been computed using SHA256. .PP .Vb 2 @@ -274,11 +277,11 @@ input digest is assumed to have been computed using SHA256. \& * other error. \& */ .Ve -.SS "RSA\-SHA256, one-shot" +.SS "RSA\-SHA256, one\-shot" .IX Subsection "RSA-SHA256, one-shot" -Verify a document with RSA\-SHA256 using one-shot functions. +Verify a document with RSA\-SHA256 using one\-shot functions. To be noted is that RSA\-SHA256 is assumed to be an implementation of -\&\f(CW\*(C`sha256WithRSAEncryption\*(C'\fR, for which the padding is pre-determined to be +\&\f(CW\*(C`sha256WithRSAEncryption\*(C'\fR, for which the padding is pre\-determined to be \&\fBRSA_PKCS1_PADDING\fR. .PP .Vb 2 @@ -317,7 +320,7 @@ To be noted is that RSA\-SHA256 is assumed to be an implementation of .Ve .SS "RSA\-SHA256, using update and final" .IX Subsection "RSA-SHA256, using update and final" -This is the same as the previous example, but allowing stream-like +This is the same as the previous example, but allowing stream\-like functionality. .PP .Vb 2 diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_verify_recover.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_verify_recover.3 index 1b33d9ed499c..f41235507518 100644 --- a/secure/lib/libcrypto/man/man3/EVP_PKEY_verify_recover.3 
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_verify_recover.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY_VERIFY_RECOVER 3ossl" -.TH EVP_PKEY_VERIFY_RECOVER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY_VERIFY_RECOVER 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -92,9 +95,9 @@ for more information about implicit fetches. .PP \&\fBEVP_PKEY_verify_recover_init_ex2()\fR is the same as \fBEVP_PKEY_verify_recover_init_ex()\fR, but works with an explicitly fetched \fBEVP_SIGNATURE\fR \fIalgo\fR. -A context \fIctx\fR without a pre-loaded key cannot be used with this function. +A context \fIctx\fR without a pre\-loaded key cannot be used with this function. Depending on what algorithm was fetched, certain details revolving around the -treatment of the input to \fBEVP_PKEY_verify()\fR may be pre-determined, and in that +treatment of the input to \fBEVP_PKEY_verify()\fR may be pre\-determined, and in that case, those details may normally not be changed. See "NOTES" below for a deeper explanation. .PP 
@@ -121,7 +124,7 @@ operation. .PP After the call to \fBEVP_PKEY_verify_recover_init_ex2()\fR, algorithm specific control operations may not be needed if the chosen algorithm implies that those controls -pre-set (and immutable). +pre\-set (and immutable). .PP The function \fBEVP_PKEY_verify_recover()\fR can be called more than once on the same context if several operations are performed using the same parameters. diff --git a/secure/lib/libcrypto/man/man3/EVP_RAND.3 b/secure/lib/libcrypto/man/man3/EVP_RAND.3 index 5b3c03fb6a8b..df385a6a8198 100644 --- a/secure/lib/libcrypto/man/man3/EVP_RAND.3 +++ b/secure/lib/libcrypto/man/man3/EVP_RAND.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RAND 3ossl" -.TH EVP_RAND 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RAND 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -133,9 +136,9 @@ EVP_RAND_STATE_ERROR \- EVP RAND routines .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP RAND routines are a high-level interface to random number generators +The EVP RAND routines are a high\-level interface to random number generators both deterministic and not. -If you just want to generate random bytes then you don't need to use +If you just want to generate random bytes then you don\*(Aqt need to use these functions: just call \fBRAND_bytes()\fR or \fBRAND_priv_bytes()\fR. If you want to do more, these calls should be used instead of the older RAND and RAND_DRBG functions. @@ -164,7 +167,7 @@ The returned value must eventually be freed with RAND. .PP \&\fBEVP_RAND_free()\fR frees a fetched algorithm. -NULL is a valid parameter, for which this function is a no-op. +NULL is a valid parameter, for which this function is a no\-op. .SS "Context manipulation functions" .IX Subsection "Context manipulation functions" \&\fBEVP_RAND_CTX_new()\fR creates a new context for the RAND implementation \fIrand\fR. @@ -202,7 +205,7 @@ will be sought. This call operates as per NIST SP 800\-90A and SP 800\-90C. Entropy \fIent\fR of length \fIent_len\fR bytes can be supplied as can additional input \fIaddin\fR of length \fIaddin_len\fR bytes. In the FIPS provider, both are treated as additional input as per NIST SP\-800\-90Ar1, Sections 9.1 and 9.2. -Additional seed material is also drawn from the RAND's parent or the +Additional seed material is also drawn from the RAND\*(Aqs parent or the operating system. If \fIprediction_resistance\fR is specified, fresh entropy from a live source will be sought. This call operates as per NIST SP 800\-90A and SP 800\-90C. 
@@ -236,7 +239,7 @@ The set of parameters given with \fIparams\fR determine exactly what parameters are passed down. Note that a parameter that is unknown in the underlying context is simply ignored. -Also, what happens when a needed parameter isn't passed down is +Also, what happens when a needed parameter isn\*(Aqt passed down is defined by the implementation. .PP \&\fBEVP_RAND_gettable_params()\fR returns an \fBOSSL_PARAM\fR\|(3) array that describes @@ -248,14 +251,14 @@ constant \fBOSSL_PARAM\fR\|(3) arrays that describe the retrievable parameters t can be used with \fBEVP_RAND_CTX_get_params()\fR. \fBEVP_RAND_gettable_ctx_params()\fR returns the parameters that can be retrieved from the algorithm, whereas \&\fBEVP_RAND_CTX_gettable_params()\fR returns the parameters that can be retrieved -in the context's current state. +in the context\*(Aqs current state. .PP \&\fBEVP_RAND_settable_ctx_params()\fR and \fBEVP_RAND_CTX_settable_params()\fR return constant \fBOSSL_PARAM\fR\|(3) arrays that describe the settable parameters that can be used with \fBEVP_RAND_CTX_set_params()\fR. \fBEVP_RAND_settable_ctx_params()\fR returns the parameters that can be retrieved from the algorithm, whereas \&\fBEVP_RAND_CTX_settable_params()\fR returns the parameters that can be retrieved -in the context's current state. +in the context\*(Aqs current state. .SS "Information functions" .IX Subsection "Information functions" \&\fBEVP_RAND_get_strength()\fR returns the security strength of the RAND \fIctx\fR. @@ -271,7 +274,7 @@ EVP_RAND_STATE_READY: this RNG is currently ready to generate output. EVP_RAND_STATE_ERROR: this RNG is in an error state. .PP \&\fBEVP_RAND_is_a()\fR returns 1 if \fIrand\fR is an implementation of an -algorithm that's identifiable with \fIname\fR, otherwise 0. +algorithm that\*(Aqs identifiable with \fIname\fR, otherwise 0. .PP \&\fBEVP_RAND_get0_provider()\fR returns the provider that holds the implementation of the given \fIrand\fR. 
@@ -302,7 +305,7 @@ Returns the state of the random number generator. .IP """strength"" (\fBOSSL_RAND_PARAM_STRENGTH\fR) <unsigned integer>" 4 .IX Item """strength"" (OSSL_RAND_PARAM_STRENGTH) <unsigned integer>" Returns the bit strength of the random number generator. -.IP """fips-indicator"" (\fBOSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This option is used by the OpenSSL FIPS provider and is not supported 
@@ -372,18 +375,18 @@ The use of a nonzero value for the \fIprediction_resistance\fR argument to be used sparingly. In the default setup, this will cause all public and private DRBGs to be reseeded on next use. Since, by default, public and private DRBGs are allocated on a per thread basis, this can result in -significant overhead for highly multi-threaded applications. For normal -use-cases, the default "reseed_requests" and "reseed_time_interval" +significant overhead for highly multi\-threaded applications. For normal +use\-cases, the default "reseed_requests" and "reseed_time_interval" thresholds ensure sufficient prediction resistance over time and you can reduce those values if you think they are too high. Explicitly -requesting prediction resistance is intended for more special use-cases -like generating long-term secrets. +requesting prediction resistance is intended for more special use\-cases +like generating long\-term secrets. .PP An \fBEVP_RAND_CTX\fR needs to have locking enabled if it acts as the parent of more than one child and the children can be accessed concurrently. This must be done by explicitly calling \fBEVP_RAND_enable_locking()\fR. .PP -The RAND life-cycle is described in \fBlife_cycle\-rand\fR\|(7). In the future, +The RAND life\-cycle is described in \fBlife_cycle\-rand\fR\|(7). In the future, the transitions described there will be enforced. When this is done, it will not be considered a breaking change to the API. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/EVP_SIGNATURE.3 b/secure/lib/libcrypto/man/man3/EVP_SIGNATURE.3 index c176bd86fca6..3b5633e0e065 100644 --- a/secure/lib/libcrypto/man/man3/EVP_SIGNATURE.3 +++ b/secure/lib/libcrypto/man/man3/EVP_SIGNATURE.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SIGNATURE 3ossl" -.TH EVP_SIGNATURE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SIGNATURE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -114,7 +117,7 @@ structure is freed. If the argument is NULL, nothing is done. structure. .PP \&\fBEVP_SIGNATURE_is_a()\fR returns 1 if \fIsignature\fR is an implementation of an -algorithm that's identifiable with \fIname\fR, otherwise 0. +algorithm that\*(Aqs identifiable with \fIname\fR, otherwise 0. .PP \&\fBEVP_SIGNATURE_get0_provider()\fR returns the provider that \fIsignature\fR was fetched from. diff --git a/secure/lib/libcrypto/man/man3/EVP_SKEY.3 b/secure/lib/libcrypto/man/man3/EVP_SKEY.3 index 311551ecf454..3214dfe84649 100644 --- a/secure/lib/libcrypto/man/man3/EVP_SKEY.3 +++ b/secure/lib/libcrypto/man/man3/EVP_SKEY.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SKEY 3ossl" -.TH EVP_SKEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SKEY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -80,7 +83,7 @@ EVP_SKEY_free, EVP_SKEY_is_a, EVP_SKEY_to_provider \& const char *propquery, \& int selection, const OSSL_PARAM *params); \& EVP_SKEY *EVP_SKEY_import_raw_key(OSSL_LIB_CTX *libctx, const char *skeymgmtname, -\& unsigned char *key, size_t *len, +\& unsigned char *key, size_t len, \& const char *propquery); \& int EVP_SKEY_export(const EVP_SKEY *skey, int selection, \& OSSL_CALLBACK *export_cb, void *export_cbarg); @@ -114,8 +117,10 @@ which is used by OpenSSL to store symmetric keys, assigns the \&\fBEVP_SKEYMGMT\fR object associated with the key, and initializes the object from the \fBparams\fR argument. .PP -The \fBEVP_SKEY_import_raw_key()\fR function is a helper that creates an \fBEVP_SKEY\fR object -containing the raw byte representation of the symmetric keys. +The \fBEVP_SKEY_import_raw_key()\fR function is a helper that creates an \fBEVP_SKEY\fR +object containing the raw byte representation of the symmetric keys from the +buffer \fIkey\fR having length \fIlen\fR. The \fIskeymgmtname\fR defines the name of the +target \fBEVP_SKEYMGMT\fR for the newly created key. .PP The \fBEVP_SKEY_export()\fR function extracts values from a key \fIskey\fR using the \&\fIselection\fR. \fIselection\fR is described below. It uses a callback \fIexport_cb\fR 
@@ -125,11 +130,11 @@ is passed to the callback is not persistent after the callback returns. .PP The \fBEVP_SKEY_get0_raw_key()\fR returns a pointer to a raw key bytes to the passed address and sets the key len. The returned address is managed by the internal -key management and shouldn't be freed explicitly. The operation can fail when -the underlying key management doesn't support export of the secret key. +key management and shouldn\*(Aqt be freed explicitly. The operation can fail when +the underlying key management doesn\*(Aqt support export of the secret key. .PP -The \fBEVP_SKEY_get0_key_id()\fR returns a NUL-terminated string providing some -human-readable identifier of the key if provided by the underlying key +The \fBEVP_SKEY_get0_key_id()\fR returns a NUL\-terminated string providing some +human\-readable identifier of the key if provided by the underlying key management. The pointer becomes invalid after freeing the EVP_SKEY object. .PP The \fBEVP_SKEY_get0_skeymgmt_name()\fR and \fBEVP_SKEY_get0_provider_name()\fR return the @@ -177,7 +182,7 @@ either the newly allocated \fBEVP_SKEY\fR structure or NULL if an error occurred \&\fBEVP_SKEY_export()\fR and \fBEVP_SKEY_get0_raw_key()\fR return 1 for success and 0 on failure. .PP \&\fBEVP_SKEY_get0_skeymgmt_name()\fR and \fBEVP_SKEY_get0_provider_name()\fR return the -names of the associated EVP_SKEYMGMT object and its provider correspondigly. +names of the associated EVP_SKEYMGMT object and its provider correspondingly. .PP \&\fBEVP_SKEY_is_a()\fR returns 1 if \fIskey\fR has the key type \fIname\fR, otherwise 0. 
@@ -197,7 +202,7 @@ The \fBEVP_SKEY\fR API and functions \fBEVP_SKEY_export()\fR, were introduced in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2025 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2025\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man3/EVP_SKEYMGMT.3 b/secure/lib/libcrypto/man/man3/EVP_SKEYMGMT.3 index ea56e4d608dc..42c8f964878f 100644 --- a/secure/lib/libcrypto/man/man3/EVP_SKEYMGMT.3 +++ b/secure/lib/libcrypto/man/man3/EVP_SKEYMGMT.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SKEYMGMT 3ossl" -.TH EVP_SKEYMGMT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SKEYMGMT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -125,7 +128,7 @@ If the argument is NULL, nothing is done. implementation. .PP \&\fBEVP_SKEYMGMT_is_a()\fR checks if \fIskeymgmt\fR is an implementation of an -algorithm that's identified by \fIname\fR. +algorithm that\*(Aqs identified by \fIname\fR. .PP \&\fBEVP_SKEYMGMT_get0_name()\fR returns the algorithm name from the provided implementation for the given \fIskeymgmt\fR. Note that the \fIskeymgmt\fR may have 
@@ -164,7 +167,7 @@ error. \&\fBEVP_SKEYMGMT_names_do_all()\fR returns 1 if the callback was called for all names. A return value of 0 means that the callback was not called for any names. .PP -\&\fBEVP_SKEYMGMT_free()\fR doesn't return any value. +\&\fBEVP_SKEYMGMT_free()\fR doesn\*(Aqt return any value. .PP \&\fBEVP_SKEYMGMT_get0_provider()\fR returns a pointer to a provider object, or NULL on error. @@ -174,7 +177,7 @@ on error. \&\fBEVP_SKEYMGMT_get0_name()\fR returns the algorithm name, or NULL on error. .PP \&\fBEVP_SKEYMGMT_get0_description()\fR returns a pointer to a description, or NULL if -there isn't one. +there isn\*(Aqt one. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_SKEY\fR\|(3), \fBEVP_MD_fetch\fR\|(3), \fBOSSL_LIB_CTX\fR\|(3) diff --git a/secure/lib/libcrypto/man/man3/EVP_SealInit.3 b/secure/lib/libcrypto/man/man3/EVP_SealInit.3 index a703ae757efc..2cc7b1a0617f 100644 --- a/secure/lib/libcrypto/man/man3/EVP_SealInit.3 +++ b/secure/lib/libcrypto/man/man3/EVP_SealInit.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SEALINIT 3ossl" -.TH EVP_SEALINIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SEALINIT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -76,7 +79,7 @@ EVP_SealInit, EVP_SealUpdate, EVP_SealFinal \- EVP envelope encryption .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP envelope routines are a high-level interface to envelope +The EVP envelope routines are a high\-level interface to envelope encryption. They generate a random key and IV (if required) then "envelope" it by using public key encryption. Data can then be encrypted using this key. @@ -93,7 +96,7 @@ size of each encrypted secret key is written to the array \fBekl\fR. \fBpubk\fR an array of \fBnpubk\fR public keys. .PP The \fBiv\fR parameter is a buffer where the generated IV is written to. It must -contain enough room for the corresponding cipher's IV, as determined by (for +contain enough room for the corresponding cipher\*(Aqs IV, as determined by (for example) EVP_CIPHER_get_iv_length(type). .PP If the cipher does not require an IV then the \fBiv\fR parameter is ignored diff --git a/secure/lib/libcrypto/man/man3/EVP_SignInit.3 b/secure/lib/libcrypto/man/man3/EVP_SignInit.3 index 87996c93b70b..7bddf398fa6a 100644 --- a/secure/lib/libcrypto/man/man3/EVP_SignInit.3 +++ b/secure/lib/libcrypto/man/man3/EVP_SignInit.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SIGNINIT 3ossl" -.TH EVP_SIGNINIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SIGNINIT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -80,7 +83,7 @@ EVP_SignFinal_ex, EVP_SignFinal .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP signature routines are a high-level interface to digital +The EVP signature routines are a high\-level interface to digital signatures. .PP \&\fBEVP_SignInit_ex()\fR sets up signing context \fIctx\fR to use digest @@ -114,7 +117,7 @@ The error codes can be obtained by \fBERR_get_error\fR\|(3). .SH NOTES .IX Header "NOTES" The \fBEVP\fR interface to digital signatures should almost always be used in -preference to the low-level interfaces. This is because the code then becomes +preference to the low\-level interfaces. This is because the code then becomes transparent to the algorithm used and much more flexible. .PP When signing with some private key types the random number generator must diff --git a/secure/lib/libcrypto/man/man3/EVP_VerifyInit.3 b/secure/lib/libcrypto/man/man3/EVP_VerifyInit.3 index a6e5bf699536..7f46acb913d1 100644 --- a/secure/lib/libcrypto/man/man3/EVP_VerifyInit.3 +++ b/secure/lib/libcrypto/man/man3/EVP_VerifyInit.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_VERIFYINIT 3ossl" -.TH EVP_VERIFYINIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_VERIFYINIT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -81,7 +84,7 @@ EVP_VerifyInit, EVP_VerifyUpdate, EVP_VerifyFinal_ex, EVP_VerifyFinal .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP signature verification routines are a high-level interface to digital +The EVP signature verification routines are a high\-level interface to digital signatures. .PP \&\fBEVP_VerifyInit_ex()\fR sets up verification context \fIctx\fR to use digest @@ -114,7 +117,7 @@ The error codes can be obtained by \fBERR_get_error\fR\|(3). .SH NOTES .IX Header "NOTES" The \fBEVP\fR interface to digital signatures should almost always be used in -preference to the low-level interfaces. This is because the code then becomes +preference to the low\-level interfaces. This is because the code then becomes transparent to the algorithm used and much more flexible. .PP The call to \fBEVP_VerifyFinal()\fR internally finalizes a copy of the digest context. diff --git a/secure/lib/libcrypto/man/man3/EVP_aes_128_gcm.3 b/secure/lib/libcrypto/man/man3/EVP_aes_128_gcm.3 index 50816e73d4fb..b6756af13525 100644 --- a/secure/lib/libcrypto/man/man3/EVP_aes_128_gcm.3 +++ b/secure/lib/libcrypto/man/man3/EVP_aes_128_gcm.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_AES_128_GCM 3ossl" -.TH EVP_AES_128_GCM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_AES_128_GCM 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -143,7 +146,7 @@ some undocumented ctrl functions. These ciphers do not conform to the EVP AEAD interface. .IP "\fBEVP_aes_128_ccm()\fR, \fBEVP_aes_192_ccm()\fR, \fBEVP_aes_256_ccm()\fR, \fBEVP_aes_128_gcm()\fR, \fBEVP_aes_192_gcm()\fR, \fBEVP_aes_256_gcm()\fR, \fBEVP_aes_128_ocb()\fR, \fBEVP_aes_192_ocb()\fR, \fBEVP_aes_256_ocb()\fR" 4 .IX Item "EVP_aes_128_ccm(), EVP_aes_192_ccm(), EVP_aes_256_ccm(), EVP_aes_128_gcm(), EVP_aes_192_gcm(), EVP_aes_256_gcm(), EVP_aes_128_ocb(), EVP_aes_192_ocb(), EVP_aes_256_ocb()" -AES for 128, 192 and 256 bit keys in CBC-MAC Mode (CCM), Galois Counter Mode +AES for 128, 192 and 256 bit keys in CBC\-MAC Mode (CCM), Galois Counter Mode (GCM) and OCB Mode respectively. These ciphers require additional control operations to function correctly, see the "AEAD INTERFACE" in \fBEVP_EncryptInit\fR\|(3) section for details. 
@@ -153,13 +156,13 @@ AES key wrap with 128, 192 and 256 bit keys, as according to RFC 3394 section 2.2.1 ("wrap") and RFC 5649 section 4.1 ("wrap with padding") respectively. .IP "\fBEVP_aes_128_xts()\fR, \fBEVP_aes_256_xts()\fR" 4 .IX Item "EVP_aes_128_xts(), EVP_aes_256_xts()" -AES XTS mode (XTS-AES) is standardized in IEEE Std. 1619\-2007 and described in NIST -SP 800\-38E. The XTS (XEX-based tweaked-codebook mode with ciphertext stealing) +AES XTS mode (XTS\-AES) is standardized in IEEE Std. 1619\-2007 and described in NIST +SP 800\-38E. The XTS (XEX\-based tweaked\-codebook mode with ciphertext stealing) mode was designed by Prof. Phillip Rogaway of University of California, Davis, intended for encrypting data on a storage device. .Sp -XTS-AES provides confidentiality but not authentication of data. It also -requires a key of double-length for protection of a certain key size. +XTS\-AES provides confidentiality but not authentication of data. It also +requires a key of double\-length for protection of a certain key size. In particular, XTS\-AES\-128 (\fBEVP_aes_128_xts\fR) takes input of a 256\-bit key to achieve AES 128\-bit security, and XTS\-AES\-256 (\fBEVP_aes_256_xts\fR) takes input of a 512\-bit key to achieve AES 256\-bit security. diff --git a/secure/lib/libcrypto/man/man3/EVP_aria_128_gcm.3 b/secure/lib/libcrypto/man/man3/EVP_aria_128_gcm.3 index d46564482077..1fdcff35b37f 100644 --- a/secure/lib/libcrypto/man/man3/EVP_aria_128_gcm.3 +++ b/secure/lib/libcrypto/man/man3/EVP_aria_128_gcm.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_ARIA_128_GCM 3ossl" -.TH EVP_ARIA_128_GCM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_ARIA_128_GCM 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -111,7 +114,7 @@ ARIA for 128, 192 and 256 bit keys in the following modes: CBC, CFB with 128\-bit shift, CFB with 1\-bit shift, CFB with 8\-bit shift, CTR, ECB and OFB. .IP "\fBEVP_aria_128_ccm()\fR, \fBEVP_aria_192_ccm()\fR, \fBEVP_aria_256_ccm()\fR, \fBEVP_aria_128_gcm()\fR, \fBEVP_aria_192_gcm()\fR, \fBEVP_aria_256_gcm()\fR," 4 .IX Item "EVP_aria_128_ccm(), EVP_aria_192_ccm(), EVP_aria_256_ccm(), EVP_aria_128_gcm(), EVP_aria_192_gcm(), EVP_aria_256_gcm()," -ARIA for 128, 192 and 256 bit keys in CBC-MAC Mode (CCM) and Galois Counter +ARIA for 128, 192 and 256 bit keys in CBC\-MAC Mode (CCM) and Galois Counter Mode (GCM). These ciphers require additional control operations to function correctly, see the "AEAD INTERFACE" in \fBEVP_EncryptInit\fR\|(3) section for details. .SH NOTES diff --git a/secure/lib/libcrypto/man/man3/EVP_bf_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_bf_cbc.3 index 46e14e666e3e..b2fdf4c4194c 100644 --- a/secure/lib/libcrypto/man/man3/EVP_bf_cbc.3 +++ b/secure/lib/libcrypto/man/man3/EVP_bf_cbc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_BF_CBC 3ossl" -.TH EVP_BF_CBC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_BF_CBC 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_blake2b512.3 b/secure/lib/libcrypto/man/man3/EVP_blake2b512.3 index 4c53ad77a167..ff3c4c470e90 100644 --- a/secure/lib/libcrypto/man/man3/EVP_blake2b512.3 +++ b/secure/lib/libcrypto/man/man3/EVP_blake2b512.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_BLAKE2B512 3ossl" -.TH EVP_BLAKE2B512 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_BLAKE2B512 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -90,7 +93,7 @@ calling these functions multiple times and should consider using \&\fBEVP_MD_fetch\fR\|(3) with \fBEVP_MD\-BLAKE2\fR\|(7) instead. See "Performance" in \fBcrypto\fR\|(7) for further information. .PP -Both algorithms support a variable-length digest, +Both algorithms support a variable\-length digest, but this is only available through \fBEVP_MD\-BLAKE2\fR\|(7). .SH "RETURN VALUES" .IX Header "RETURN VALUES" 
diff --git a/secure/lib/libcrypto/man/man3/EVP_camellia_128_ecb.3 b/secure/lib/libcrypto/man/man3/EVP_camellia_128_ecb.3 index 9f540572cdd0..00a924e96acc 100644 --- a/secure/lib/libcrypto/man/man3/EVP_camellia_128_ecb.3 +++ b/secure/lib/libcrypto/man/man3/EVP_camellia_128_ecb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CAMELLIA_128_ECB 3ossl" -.TH EVP_CAMELLIA_128_ECB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CAMELLIA_128_ECB 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_cast5_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_cast5_cbc.3 index 3ef1740a8051..86c50b742d25 100644 --- a/secure/lib/libcrypto/man/man3/EVP_cast5_cbc.3 +++ b/secure/lib/libcrypto/man/man3/EVP_cast5_cbc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CAST5_CBC 3ossl" -.TH EVP_CAST5_CBC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CAST5_CBC 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_chacha20.3 b/secure/lib/libcrypto/man/man3/EVP_chacha20.3 index 6d2ea3dcfded..3eb50bdb7b7e 100644 --- a/secure/lib/libcrypto/man/man3/EVP_chacha20.3 +++ b/secure/lib/libcrypto/man/man3/EVP_chacha20.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CHACHA20 3ossl" -.TH EVP_CHACHA20 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CHACHA20 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -78,7 +81,7 @@ The ChaCha20 stream cipher for EVP. .IP \fBEVP_chacha20()\fR 4 .IX Item "EVP_chacha20()" The ChaCha20 stream cipher. The key length is 256 bits, the IV is 128 bits long. -The first 64 bits consists of a counter in little-endian order followed by a 64 +The first 64 bits consists of a counter in little\-endian order followed by a 64 bit nonce. For example a nonce of: .Sp 0000000000000002 
diff --git a/secure/lib/libcrypto/man/man3/EVP_des_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_des_cbc.3 index 499178d17555..5ae1be21a973 100644 --- a/secure/lib/libcrypto/man/man3/EVP_des_cbc.3 +++ b/secure/lib/libcrypto/man/man3/EVP_des_cbc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_DES_CBC 3ossl" -.TH EVP_DES_CBC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_DES_CBC 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -110,11 +113,11 @@ implementation. Two key triple DES in ECB, CBC, CFB with 64\-bit shift and OFB modes. .IP "\fBEVP_des_ede3()\fR, \fBEVP_des_ede3_cbc()\fR, \fBEVP_des_ede3_cfb()\fR, \fBEVP_des_ede3_cfb1()\fR, \fBEVP_des_ede3_cfb8()\fR, \fBEVP_des_ede3_cfb64()\fR, \fBEVP_des_ede3_ecb()\fR, \fBEVP_des_ede3_ofb()\fR" 4 .IX Item "EVP_des_ede3(), EVP_des_ede3_cbc(), EVP_des_ede3_cfb(), EVP_des_ede3_cfb1(), EVP_des_ede3_cfb8(), EVP_des_ede3_cfb64(), EVP_des_ede3_ecb(), EVP_des_ede3_ofb()" -Three-key triple DES in ECB, CBC, CFB with 64\-bit shift, CFB with 1\-bit shift, +Three\-key triple DES in ECB, CBC, CFB with 64\-bit shift, CFB with 1\-bit shift, CFB with 8\-bit shift and OFB modes. .IP \fBEVP_des_ede3_wrap()\fR 4 .IX Item "EVP_des_ede3_wrap()" -Triple-DES key wrap according to RFC 3217 Section 3. +Triple\-DES key wrap according to RFC 3217 Section 3. .SH NOTES .IX Header "NOTES" Developers should be aware of the negative performance implications of 
diff --git a/secure/lib/libcrypto/man/man3/EVP_desx_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_desx_cbc.3 index b651b4d5900c..58336d38a7fe 100644 --- a/secure/lib/libcrypto/man/man3/EVP_desx_cbc.3 +++ b/secure/lib/libcrypto/man/man3/EVP_desx_cbc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_DESX_CBC 3ossl" -.TH EVP_DESX_CBC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_DESX_CBC 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -72,12 +75,12 @@ EVP_desx_cbc .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The DES-X encryption algorithm for EVP. +The DES\-X encryption algorithm for EVP. .PP All modes below use a key length of 128 bits and acts on blocks of 128\-bits. .IP \fBEVP_desx_cbc()\fR 4 .IX Item "EVP_desx_cbc()" -The DES-X algorithm in CBC mode. +The DES\-X algorithm in CBC mode. .Sp This algorithm is not provided by the OpenSSL default provider. To use it is necessary to load either the OpenSSL legacy provider or another diff --git a/secure/lib/libcrypto/man/man3/EVP_idea_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_idea_cbc.3 index bc5c16e511a2..3a95e0c6f66d 100644 --- a/secure/lib/libcrypto/man/man3/EVP_idea_cbc.3 +++ b/secure/lib/libcrypto/man/man3/EVP_idea_cbc.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_IDEA_CBC 3ossl" -.TH EVP_IDEA_CBC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_IDEA_CBC 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_md2.3 b/secure/lib/libcrypto/man/man3/EVP_md2.3 index 4f267f1053d7..c78331761cd0 100644 --- a/secure/lib/libcrypto/man/man3/EVP_md2.3 +++ b/secure/lib/libcrypto/man/man3/EVP_md2.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD2 3ossl" -.TH EVP_MD2 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD2 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_md4.3 b/secure/lib/libcrypto/man/man3/EVP_md4.3 index 56f76f0817c9..f615f93a6736 100644 --- a/secure/lib/libcrypto/man/man3/EVP_md4.3 +++ b/secure/lib/libcrypto/man/man3/EVP_md4.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD4 3ossl" -.TH EVP_MD4 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD4 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_md5.3 b/secure/lib/libcrypto/man/man3/EVP_md5.3 index be15b9d5492a..f35d6ea482b4 100644 --- a/secure/lib/libcrypto/man/man3/EVP_md5.3 +++ b/secure/lib/libcrypto/man/man3/EVP_md5.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD5 3ossl" -.TH EVP_MD5 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD5 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -87,7 +90,7 @@ The MD5 algorithm which produces a 128\-bit output from a given input. A hash algorithm of SSL v3 that combines MD5 with SHA\-1 as described in RFC 6101. .Sp -WARNING: this algorithm is not intended for non-SSL usage. +WARNING: this algorithm is not intended for non\-SSL usage. .SH NOTES .IX Header "NOTES" Developers should be aware of the negative performance implications of diff --git a/secure/lib/libcrypto/man/man3/EVP_mdc2.3 b/secure/lib/libcrypto/man/man3/EVP_mdc2.3 index b0667f6b0eb0..3d9c9cab0516 100644 --- a/secure/lib/libcrypto/man/man3/EVP_mdc2.3 +++ b/secure/lib/libcrypto/man/man3/EVP_mdc2.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MDC2 3ossl" -.TH EVP_MDC2 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MDC2 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -72,7 +75,7 @@ EVP_mdc2 .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -MDC\-2 (Modification Detection Code 2 or Meyer-Schilling) is a cryptographic +MDC\-2 (Modification Detection Code 2 or Meyer\-Schilling) is a cryptographic hash function based on a block cipher. This implementation is only available with the legacy provider. .IP \fBEVP_mdc2()\fR 4 
@@ -92,7 +95,7 @@ implementation of the message digest. See \fBEVP_MD_meth_new\fR\|(3) for details of the \fBEVP_MD\fR structure. .SH "CONFORMING TO" .IX Header "CONFORMING TO" -ISO/IEC 10118\-2:2000 Hash-Function 2, with DES as the underlying block cipher. +ISO/IEC 10118\-2:2000 Hash\-Function 2, with DES as the underlying block cipher. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBevp\fR\|(7), diff --git a/secure/lib/libcrypto/man/man3/EVP_rc2_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_rc2_cbc.3 index 30a133c7fac6..de410b13d74f 100644 --- a/secure/lib/libcrypto/man/man3/EVP_rc2_cbc.3 +++ b/secure/lib/libcrypto/man/man3/EVP_rc2_cbc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RC2_CBC 3ossl" -.TH EVP_RC2_CBC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RC2_CBC 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_rc4.3 b/secure/lib/libcrypto/man/man3/EVP_rc4.3 index 86b74e874c6f..1e9dbca7d2dc 100644 --- a/secure/lib/libcrypto/man/man3/EVP_rc4.3 +++ b/secure/lib/libcrypto/man/man3/EVP_rc4.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RC4 3ossl" -.TH EVP_RC4 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RC4 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_rc5_32_12_16_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_rc5_32_12_16_cbc.3 index 80bd2c04c306..3b642e684496 100644 --- a/secure/lib/libcrypto/man/man3/EVP_rc5_32_12_16_cbc.3 +++ b/secure/lib/libcrypto/man/man3/EVP_rc5_32_12_16_cbc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RC5_32_12_16_CBC 3ossl" -.TH EVP_RC5_32_12_16_CBC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RC5_32_12_16_CBC 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_ripemd160.3 b/secure/lib/libcrypto/man/man3/EVP_ripemd160.3 index 6e49aba8527b..951455378408 100644 --- a/secure/lib/libcrypto/man/man3/EVP_ripemd160.3 +++ b/secure/lib/libcrypto/man/man3/EVP_ripemd160.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RIPEMD160 3ossl" -.TH EVP_RIPEMD160 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RIPEMD160 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -91,7 +94,7 @@ implementation of the message digest. See \fBEVP_MD_meth_new\fR\|(3) for details of the \fBEVP_MD\fR structure. .SH "CONFORMING TO" .IX Header "CONFORMING TO" -ISO/IEC 10118\-3:2016 Dedicated Hash-Function 1 (RIPEMD\-160). +ISO/IEC 10118\-3:2016 Dedicated Hash\-Function 1 (RIPEMD\-160). .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBevp\fR\|(7), diff --git a/secure/lib/libcrypto/man/man3/EVP_seed_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_seed_cbc.3 index ffb1af9fee48..bcccd7cf9f33 100644 --- a/secure/lib/libcrypto/man/man3/EVP_seed_cbc.3 +++ b/secure/lib/libcrypto/man/man3/EVP_seed_cbc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SEED_CBC 3ossl" -.TH EVP_SEED_CBC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SEED_CBC 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_set_default_properties.3 b/secure/lib/libcrypto/man/man3/EVP_set_default_properties.3 index 08ce76625b6b..f36d806366e1 100644 --- a/secure/lib/libcrypto/man/man3/EVP_set_default_properties.3 +++ b/secure/lib/libcrypto/man/man3/EVP_set_default_properties.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SET_DEFAULT_PROPERTIES 3ossl" -.TH EVP_SET_DEFAULT_PROPERTIES 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SET_DEFAULT_PROPERTIES 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -82,7 +85,7 @@ future EVP algorithm fetches, implicit as well as explicit. See fetching. .PP EVP_set_default_properties stores the properties given with the string -\&\fIpropq\fR among the EVP data that's been stored in the library context +\&\fIpropq\fR among the EVP data that\*(Aqs been stored in the library context given with \fIlibctx\fR (NULL signifies the default library context). .PP Any previous default property for the specified library context will @@ -92,12 +95,12 @@ be dropped. algorithm fetches, implicit as well as explicit, for the specific library context. .PP -\&\fBEVP_default_properties_enable_fips()\fR sets the 'fips=yes' to be a default property -if \fIenable\fR is non zero, otherwise it clears 'fips' from the default property +\&\fBEVP_default_properties_enable_fips()\fR sets the \*(Aqfips=yes\*(Aq to be a default property +if \fIenable\fR is non zero, otherwise it clears \*(Aqfips\*(Aq from the default property query for the given \fIlibctx\fR. It merges the fips default property query with any existing query strings that have been set via \fBEVP_set_default_properties()\fR. .PP -\&\fBEVP_default_properties_is_fips_enabled()\fR indicates if 'fips=yes' is a default +\&\fBEVP_default_properties_is_fips_enabled()\fR indicates if \*(Aqfips=yes\*(Aq is a default property for the given \fIlibctx\fR. .SH NOTES .IX Header "NOTES" @@ -114,7 +117,7 @@ being modified by a different thread. on success, or 0 on failure. An error is placed on the error stack if a failure occurs. .PP -\&\fBEVP_default_properties_is_fips_enabled()\fR returns 1 if the 'fips=yes' default +\&\fBEVP_default_properties_is_fips_enabled()\fR returns 1 if the \*(Aqfips=yes\*(Aq default property is set for the given \fIlibctx\fR, otherwise it returns 0. .PP \&\fBEVP_get1_default_properties()\fR returns allocated memory that must be freed by diff --git a/secure/lib/libcrypto/man/man3/EVP_sha1.3 b/secure/lib/libcrypto/man/man3/EVP_sha1.3 index 16ce19c5dd78..ddf364094c68 100644 
--- a/secure/lib/libcrypto/man/man3/EVP_sha1.3 +++ b/secure/lib/libcrypto/man/man3/EVP_sha1.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SHA1 3ossl" -.TH EVP_SHA1 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SHA1 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_sha224.3 b/secure/lib/libcrypto/man/man3/EVP_sha224.3 index 8d9db1fc7302..7c031f2ec763 100644 --- a/secure/lib/libcrypto/man/man3/EVP_sha224.3 +++ b/secure/lib/libcrypto/man/man3/EVP_sha224.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SHA224 3ossl" -.TH EVP_SHA224 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SHA224 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_sha3_224.3 b/secure/lib/libcrypto/man/man3/EVP_sha3_224.3 index e74d14adbf9e..993d57adae66 100644 
--- a/secure/lib/libcrypto/man/man3/EVP_sha3_224.3 +++ b/secure/lib/libcrypto/man/man3/EVP_sha3_224.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SHA3_224 3ossl" -.TH EVP_SHA3_224 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SHA3_224 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_sm3.3 b/secure/lib/libcrypto/man/man3/EVP_sm3.3 index d89d381da96c..5e6359ee951a 100644 --- a/secure/lib/libcrypto/man/man3/EVP_sm3.3 +++ b/secure/lib/libcrypto/man/man3/EVP_sm3.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SM3 3ossl" -.TH EVP_SM3 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SM3 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_sm4_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_sm4_cbc.3 index 99b659ec27dc..c39dbd8677e9 100644 
--- a/secure/lib/libcrypto/man/man3/EVP_sm4_cbc.3 +++ b/secure/lib/libcrypto/man/man3/EVP_sm4_cbc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SM4_CBC 3ossl" -.TH EVP_SM4_CBC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SM4_CBC 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/EVP_whirlpool.3 b/secure/lib/libcrypto/man/man3/EVP_whirlpool.3 index 63c8e5f50d2d..0b9c263324c1 100644 --- a/secure/lib/libcrypto/man/man3/EVP_whirlpool.3 +++ b/secure/lib/libcrypto/man/man3/EVP_whirlpool.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_WHIRLPOOL 3ossl" -.TH EVP_WHIRLPOOL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_WHIRLPOOL 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/GENERAL_NAME.3 b/secure/lib/libcrypto/man/man3/GENERAL_NAME.3 index 45f040ff10f8..d15be743b45b 100644 --- a/secure/lib/libcrypto/man/man3/GENERAL_NAME.3 +++ b/secure/lib/libcrypto/man/man3/GENERAL_NAME.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "GENERAL_NAME 3ossl" -.TH GENERAL_NAME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH GENERAL_NAME 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/HMAC.3 b/secure/lib/libcrypto/man/man3/HMAC.3 index 97bd885f7d53..23db836e227b 100644 --- a/secure/lib/libcrypto/man/man3/HMAC.3 +++ b/secure/lib/libcrypto/man/man3/HMAC.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "HMAC 3ossl" -.TH HMAC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH HMAC 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -140,7 +143,7 @@ Use \fBEVP_Q_mac\fR\|(3) instead if a library context is required. All of the functions described below are deprecated. Applications should instead use \fBEVP_MAC_CTX_new\fR\|(3), \fBEVP_MAC_CTX_free\fR\|(3), \&\fBEVP_MAC_init\fR\|(3), \fBEVP_MAC_update\fR\|(3) and \fBEVP_MAC_final\fR\|(3) -or the 'quick' single-shot MAC function \fBEVP_Q_mac\fR\|(3). +or the \*(Aqquick\*(Aq single\-shot MAC function \fBEVP_Q_mac\fR\|(3). .PP \&\fBHMAC_CTX_new()\fR creates a new HMAC_CTX in heap memory. .PP diff --git a/secure/lib/libcrypto/man/man3/MD5.3 b/secure/lib/libcrypto/man/man3/MD5.3 index ba1e24009f7c..7095942a4fc3 100644 --- a/secure/lib/libcrypto/man/man3/MD5.3 +++ b/secure/lib/libcrypto/man/man3/MD5.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "MD5 3ossl" -.TH MD5 3ossl 2025-09-30 3.5.4 OpenSSL +.TH MD5 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/MDC2_Init.3 b/secure/lib/libcrypto/man/man3/MDC2_Init.3 index 4ae0b4df5c8a..ca1e7004c90b 100644 --- a/secure/lib/libcrypto/man/man3/MDC2_Init.3 +++ b/secure/lib/libcrypto/man/man3/MDC2_Init.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "MDC2_INIT 3ossl" -.TH MDC2_INIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH MDC2_INIT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -117,7 +120,7 @@ hash functions directly. \&\fBMDC2_Init()\fR, \fBMDC2_Update()\fR and \fBMDC2_Final()\fR return 1 for success, 0 otherwise. .SH "CONFORMING TO" .IX Header "CONFORMING TO" -ISO/IEC 10118\-2:2000 Hash-Function 2, with DES as the underlying block cipher. +ISO/IEC 10118\-2:2000 Hash\-Function 2, with DES as the underlying block cipher. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_DigestInit\fR\|(3) diff --git a/secure/lib/libcrypto/man/man3/Makefile b/secure/lib/libcrypto/man/man3/Makefile index 0fc9cc100077..8e81b1871d33 100644 --- a/secure/lib/libcrypto/man/man3/Makefile +++ b/secure/lib/libcrypto/man/man3/Makefile @@ -54,6 +54,7 @@ MAN+= BIO_s_null.3 MAN+= BIO_s_socket.3 MAN+= BIO_sendmmsg.3 MAN+= BIO_set_callback.3 +MAN+= BIO_set_flags.3 MAN+= BIO_should_retry.3 MAN+= BIO_socket_wait.3 MAN+= BN_BLINDING_new.3 @@ -81,6 +82,7 @@ MAN+= CMAC_CTX.3 MAN+= CMS_EncryptedData_decrypt.3 MAN+= CMS_EncryptedData_encrypt.3 MAN+= CMS_EnvelopedData_create.3 +MAN+= CMS_EncryptedData_set1_key.3 MAN+= CMS_add0_cert.3 MAN+= CMS_add1_recipient_cert.3 MAN+= CMS_add1_signer.3 @@ -161,6 +163,7 @@ MAN+= ERR_remove_state.3 MAN+= ERR_set_mark.3 MAN+= EVP_ASYM_CIPHER_free.3 MAN+= EVP_BytesToKey.3 +MAN+= EVP_CIPHER_CTX_get_app_data.3 MAN+= EVP_CIPHER_CTX_get_cipher_data.3 MAN+= EVP_CIPHER_CTX_get_original_iv.3 MAN+= EVP_CIPHER_meth_new.3 
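Review bot: Two of the new `MAN+=` entries in the man3 Makefile are placed after their neighbours instead of in sorted position: `CMS_EncryptedData_set1_key.3` follows `CMS_EnvelopedData_create.3` in the `@@ -81,6 +82,7 @@` hunk, and `X509V3_EXT_print.3` follows `X509v3_get_ext_by_NID.3` in the `@@ -659,6 +663,7 @@` hunk. The `MLINKS+= X509V3_EXT_print.3 X509V3_EXT_print_fp.3` line in `@@ -5612,6 +5616,7 @@` has the same placement. The surrounding entries appear to be alphabetical, and the other additions (`BIO_set_flags.3`, `EVP_CIPHER_CTX_get_app_data.3`, `OPENSSL_ppccap.3`) keep that order. If the list is maintained by hand, I would move `MAN+= CMS_EncryptedData_set1_key.3` to directly after `MAN+= CMS_EncryptedData_encrypt.3` and put the X509V3 lines where the file's collation places them. If a script generates the file, the ordering is better fixed there so that the next import diffs cleanly.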
@@ -280,6 +283,7 @@ MAN+= OPENSSL_instrument_bus.3 MAN+= OPENSSL_load_builtin_modules.3 MAN+= OPENSSL_load_u16_le.3 MAN+= OPENSSL_malloc.3 +MAN+= OPENSSL_ppccap.3 MAN+= OPENSSL_riscvcap.3 MAN+= OPENSSL_s390xcap.3 MAN+= OPENSSL_secure_malloc.3 @@ -659,6 +663,7 @@ MAN+= X509_sign.3 MAN+= X509_verify.3 MAN+= X509_verify_cert.3 MAN+= X509v3_get_ext_by_NID.3 +MAN+= X509V3_EXT_print.3 MAN+= b2i_PVK_bio_ex.3 MAN+= d2i_PKCS8PrivateKey_bio.3 MAN+= d2i_PrivateKey.3 @@ -1969,7 +1974,6 @@ MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_free.3 MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_get0_cipher.3 MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_get0_name.3 MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_get1_cipher.3 -MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_get_app_data.3 MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_get_block_size.3 MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_get_iv_length.3 MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_get_key_length.3 @@ -5612,6 +5616,7 @@ MLINKS+= X509v3_get_ext_by_NID.3 X509v3_get_ext.3 MLINKS+= X509v3_get_ext_by_NID.3 X509v3_get_ext_by_OBJ.3 MLINKS+= X509v3_get_ext_by_NID.3 X509v3_get_ext_by_critical.3 MLINKS+= X509v3_get_ext_by_NID.3 X509v3_get_ext_count.3 +MLINKS+= X509V3_EXT_print.3 X509V3_EXT_print_fp.3 MLINKS+= b2i_PVK_bio_ex.3 b2i_PVK_bio.3 MLINKS+= b2i_PVK_bio_ex.3 i2b_PVK_bio.3 MLINKS+= b2i_PVK_bio_ex.3 i2b_PVK_bio_ex.3 diff --git a/secure/lib/libcrypto/man/man3/NCONF_new_ex.3 b/secure/lib/libcrypto/man/man3/NCONF_new_ex.3 index 1e5cdc7e4cdd..65a81be502e0 100644 --- a/secure/lib/libcrypto/man/man3/NCONF_new_ex.3 +++ b/secure/lib/libcrypto/man/man3/NCONF_new_ex.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "NCONF_NEW_EX 3ossl" -.TH NCONF_NEW_EX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH NCONF_NEW_EX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OBJ_nid2obj.3 b/secure/lib/libcrypto/man/man3/OBJ_nid2obj.3 index 251a25331321..55f6cbdb7529 100644 --- a/secure/lib/libcrypto/man/man3/OBJ_nid2obj.3 +++ b/secure/lib/libcrypto/man/man3/OBJ_nid2obj.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OBJ_NID2OBJ 3ossl" -.TH OBJ_NID2OBJ 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OBJ_NID2OBJ 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -133,10 +136,10 @@ is acceptable. .PP \&\fBOBJ_obj2txt()\fR converts the \fBASN1_OBJECT\fR \fIa\fR into a textual representation. Unless \fIbuf\fR is NULL, -the representation is written as a NUL-terminated string to \fIbuf\fR, where +the representation is written as a NUL\-terminated string to \fIbuf\fR, where at most \fIbuf_len\fR bytes are written, truncating the result if necessary. In any case it returns the total string length, excluding the NUL character, -required for non-truncated representation, or \-1 on error. +required for non\-truncated representation, or \-1 on error. If \fIno_name\fR is 0 then if the object has a long or short name then that will be used, otherwise the numerical form will be used. If \fIno_name\fR is 1 then the numerical form will always be used. @@ -202,7 +205,7 @@ decoded as part of ASN.1 structures. Applications can determine if there is a corresponding OBJECT IDENTIFIER by checking \fBOBJ_length()\fR is not zero. .PP These functions cannot return \fBconst\fR because an \fBASN1_OBJECT\fR can -represent both an internal, constant, OID and a dynamically-created one. +represent both an internal, constant, OID and a dynamically\-created one. The latter cannot be constant because it needs to be freed after use. .PP These functions were not thread safe in OpenSSL 3.0 and before. diff --git a/secure/lib/libcrypto/man/man3/OCSP_REQUEST_new.3 b/secure/lib/libcrypto/man/man3/OCSP_REQUEST_new.3 index c6ae22525d46..16ac8ed45990 100644 --- a/secure/lib/libcrypto/man/man3/OCSP_REQUEST_new.3 +++ b/secure/lib/libcrypto/man/man3/OCSP_REQUEST_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OCSP_REQUEST_NEW 3ossl" -.TH OCSP_REQUEST_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OCSP_REQUEST_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OCSP_cert_to_id.3 b/secure/lib/libcrypto/man/man3/OCSP_cert_to_id.3 index e42b388357c9..321eddbddb62 100644 --- a/secure/lib/libcrypto/man/man3/OCSP_cert_to_id.3 +++ b/secure/lib/libcrypto/man/man3/OCSP_cert_to_id.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OCSP_CERT_TO_ID 3ossl" -.TH OCSP_CERT_TO_ID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OCSP_CERT_TO_ID 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OCSP_request_add1_nonce.3 b/secure/lib/libcrypto/man/man3/OCSP_request_add1_nonce.3 index 5add784d7e90..2177e0878ce2 100644 --- a/secure/lib/libcrypto/man/man3/OCSP_request_add1_nonce.3 +++ b/secure/lib/libcrypto/man/man3/OCSP_request_add1_nonce.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OCSP_REQUEST_ADD1_NONCE 3ossl" -.TH OCSP_REQUEST_ADD1_NONCE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OCSP_REQUEST_ADD1_NONCE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -116,7 +119,7 @@ The return values of \fBOCSP_check_nonce()\fR can be checked to cover each case. positive return value effectively indicates success: nonces are both present and match, both absent or present in the response only. A nonzero return additionally covers the case where the nonce is present in the request only: -this will happen if the responder doesn't support nonces. A zero return value +this will happen if the responder doesn\*(Aqt support nonces. A zero return value indicates present and mismatched nonces: this should be treated as an error condition. .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/OCSP_resp_find_status.3 b/secure/lib/libcrypto/man/man3/OCSP_resp_find_status.3 index ed6ba2e347f2..5262ec319ee5 100644 --- a/secure/lib/libcrypto/man/man3/OCSP_resp_find_status.3 +++ b/secure/lib/libcrypto/man/man3/OCSP_resp_find_status.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OCSP_RESP_FIND_STATUS 3ossl" -.TH OCSP_RESP_FIND_STATUS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OCSP_RESP_FIND_STATUS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -154,7 +157,7 @@ single response \fIbs\fR. signed \fIbs\fR. The OCSP protocol does not require that this certificate is included in the \fBcerts\fR field of the response, so additional certificates can be supplied via the \fIextra_certs\fR if the certificates that may have -signed the response are known via some out-of-band mechanism. +signed the response are known via some out\-of\-band mechanism. .PP \&\fBOCSP_resp_get0_id()\fR gets the responder id of \fIbs\fR. If the responder ID is a name then <*pname> is set to the name and \fI*pid\fR is set to NULL. If the @@ -191,7 +194,7 @@ If \fIflags\fR contains \fBOCSP_NOCHAIN\fR it ignores all certificates in \fIcer and in \fIbs\fR, else it takes them as untrusted intermediate CA certificates and uses them for constructing the validation path for the signer certificate. Certificate revocation status checks using CRLs is disabled during path validation -if the signer certificate contains the \fBid-pkix-ocsp-no-check\fR extension. +if the signer certificate contains the \fBid\-pkix\-ocsp\-no\-check\fR extension. After successful path validation the function returns success if the \fBOCSP_NOCHECKS\fR flag is set. Otherwise it verifies that the signer certificate meets the OCSP issuer diff --git a/secure/lib/libcrypto/man/man3/OCSP_response_status.3 b/secure/lib/libcrypto/man/man3/OCSP_response_status.3 index b7d086624a74..60798ba86036 100644 --- a/secure/lib/libcrypto/man/man3/OCSP_response_status.3 
+++ b/secure/lib/libcrypto/man/man3/OCSP_response_status.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OCSP_RESPONSE_STATUS 3ossl" -.TH OCSP_RESPONSE_STATUS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OCSP_RESPONSE_STATUS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OCSP_sendreq_new.3 b/secure/lib/libcrypto/man/man3/OCSP_sendreq_new.3 index 530f84b35537..e58deb2214e2 100644 --- a/secure/lib/libcrypto/man/man3/OCSP_sendreq_new.3 +++ b/secure/lib/libcrypto/man/man3/OCSP_sendreq_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OCSP_SENDREQ_NEW 3ossl" -.TH OCSP_SENDREQ_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OCSP_SENDREQ_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_Applink.3 b/secure/lib/libcrypto/man/man3/OPENSSL_Applink.3 index 7c3513c66da5..b6d04a87665d 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_Applink.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_Applink.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_APPLINK 3ossl" -.TH OPENSSL_APPLINK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_APPLINK 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -69,9 +72,9 @@ OPENSSL_Applink \- glue between OpenSSL BIO and Win32 compiler run\-time .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -OPENSSL_Applink is application-side interface which provides a glue -between OpenSSL BIO layer and Win32 compiler run-time environment. -Even though it appears at application side, it's essentially OpenSSL +OPENSSL_Applink is application\-side interface which provides a glue +between OpenSSL BIO layer and Win32 compiler run\-time environment. +Even though it appears at application side, it\*(Aqs essentially OpenSSL private interface. For this reason application developers are not expected to implement it, but to compile provided module with compiler of their choice and link it into the target application. diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_FILE.3 b/secure/lib/libcrypto/man/man3/OPENSSL_FILE.3 index eb54aa1bd264..0eea81e3bc31 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_FILE.3 
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_FILE.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_FILE 3ossl" -.TH OPENSSL_FILE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_FILE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_LH_COMPFUNC.3 b/secure/lib/libcrypto/man/man3/OPENSSL_LH_COMPFUNC.3 index 212781bdc9d3..e1420d01c6be 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_LH_COMPFUNC.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_LH_COMPFUNC.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_LH_COMPFUNC 3ossl" -.TH OPENSSL_LH_COMPFUNC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_LH_COMPFUNC 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -142,20 +145,20 @@ The following macro is deprecated: .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -This library implements type-checked dynamic hash tables. The hash +This library implements type\-checked dynamic hash tables. The hash table entries can be arbitrary structures. Usually they consist of key and value fields. In the description here, \fR\f(BITYPE\fR\fB\fR is used a placeholder for any of the OpenSSL datatypes, such as \fISSL_SESSION\fR. .PP -To define a new type-checked dynamic hash table, use \fBDEFINE_LHASH_OF_EX\fR(). +To define a new type\-checked dynamic hash table, use \fBDEFINE_LHASH_OF_EX\fR(). \&\fBDEFINE_LHASH_OF\fR() was previously used for this purpose, but is now deprecated. The \fBDEFINE_LHASH_OF_EX\fR() macro provides all functionality of \&\fBDEFINE_LHASH_OF\fR() except for certain deprecated statistics functions (see \&\fBOPENSSL_LH_stats\fR\|(3)). .PP \&\fBlh_\fR\f(BITYPE\fR\fB_new\fR() creates a new \fBLHASH_OF\fR(\fR\f(BITYPE\fR\fB\fR) structure to store -arbitrary data entries, and specifies the 'hash' and 'compare' -callbacks to be used in organising the table's entries. The \fIhash\fR +arbitrary data entries, and specifies the \*(Aqhash\*(Aq and \*(Aqcompare\*(Aq +callbacks to be used in organising the table\*(Aqs entries. The \fIhash\fR callback takes a pointer to a table entry as its argument and returns an unsigned long hash value for its key field. The hash value is normally truncated to a power of 2, so make sure that your hash 
@@ -252,7 +255,7 @@ that is passed both the table entry and an extra argument). As with \&\fBlh_doall()\fR, you can instead choose to declare your callback with a prototype matching the types you are dealing with and use the declare/implement macros to create compatible wrappers that cast -variables before calling your type-specific callbacks. An example of +variables before calling your type\-specific callbacks. An example of this is demonstrated here (printing all hash table entries to a BIO that is provided by the caller): .PP @@ -328,7 +331,7 @@ NULL is returned if there is no such value in the hash table. if it has been found, NULL otherwise. .PP \&\fBlh_\fR\f(BITYPE\fR\fB_error\fR() and \fBOPENSSL_LH_error()\fR return 1 if an error occurred in -the last operation, 0 otherwise. It's meaningful only after non-retrieve +the last operation, 0 otherwise. It\*(Aqs meaningful only after non\-retrieve operations. .PP \&\fBlh_\fR\f(BITYPE\fR\fB_free\fR(), \fBOPENSSL_LH_free()\fR, \fBlh_\fR\f(BITYPE\fR\fB_flush\fR(), @@ -345,11 +348,11 @@ statistics, using the functions from \fBOPENSSL_LH_stats\fR\|(3), a read lock suffices. .PP The LHASH code regards table entries as constant data. As such, it -internally represents \fBlh_insert()\fR'd items with a "const void *" +internally represents \fBlh_insert()\fR\*(Aqd items with a "const void *" pointer type. This is why callbacks such as those used by \fBlh_doall()\fR and \fBlh_doall_arg()\fR declare their prototypes with "const", even for the -parameters that pass back the table items' data pointers \- for -consistency, user-provided data is "const" at all times as far as the +parameters that pass back the table items\*(Aq data pointers \- for +consistency, user\-provided data is "const" at all times as far as the LHASH code is concerned. However, as callers are themselves providing these pointers, they can choose whether they too should be treating all such parameters as constant. 
@@ -358,15 +361,15 @@ As an example, a hash table may be maintained by code that, for reasons of encapsulation, has only "const" access to the data being indexed in the hash table (i.e. it is returned as "const" from elsewhere in their code) \- in this case the LHASH prototypes are -appropriate as-is. Conversely, if the caller is responsible for the -life-time of the data in question, then they may well wish to make +appropriate as\-is. Conversely, if the caller is responsible for the +life\-time of the data in question, then they may well wish to make modifications to table item passed back in the \fBlh_doall()\fR or \&\fBlh_doall_arg()\fR callbacks (see the "TYPE_cleanup" example above). If -so, the caller can either cast the "const" away (if they're providing +so, the caller can either cast the "const" away (if they\*(Aqre providing the raw callbacks themselves) or use the macros to declare/implement the wrapper functions without "const" types. .PP -Callers that only have "const" access to data they're indexing in a +Callers that only have "const" access to data they\*(Aqre indexing in a table, yet declare callbacks without constant types (or cast the "const" away themselves), are therefore creating their own risks/bugs without being encouraged to do so by the API. On a related note, diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_LH_stats.3 b/secure/lib/libcrypto/man/man3/OPENSSL_LH_stats.3 index 62456d1ed039..55b0d33d0982 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_LH_stats.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_LH_stats.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_LH_STATS 3ossl" -.TH OPENSSL_LH_STATS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_LH_STATS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -94,16 +97,16 @@ many entries are in it. For historical reasons, this function also outputs a number of additional statistics, but the tracking of these statistics is no longer supported and these statistics are always reported as zero. .PP -\&\fBOPENSSL_LH_node_stats()\fR prints the number of entries for each 'bucket' in the +\&\fBOPENSSL_LH_node_stats()\fR prints the number of entries for each \*(Aqbucket\*(Aq in the hash table. .PP \&\fBOPENSSL_LH_node_usage_stats()\fR prints out a short summary of the state of the -hash table. It prints the 'load' and the 'actual load'. The load is -the average number of data items per 'bucket' in the hash table. The -\&'actual load' is the average number of items per 'bucket', but only -for buckets which contain entries. So the 'actual load' is the +hash table. It prints the \*(Aqload\*(Aq and the \*(Aqactual load\*(Aq. The load is +the average number of data items per \*(Aqbucket\*(Aq in the hash table. The +\&\*(Aqactual load\*(Aq is the average number of items per \*(Aqbucket\*(Aq, but only +for buckets which contain entries. So the \*(Aqactual load\*(Aq is the average number of searches that will need to find an item in the hash -table, while the 'load' is the average number that will be done to +table, while the \*(Aqload\*(Aq is the average number that will be done to record a miss. .PP \&\fBOPENSSL_LH_stats_bio()\fR, \fBOPENSSL_LH_node_stats_bio()\fR and \fBOPENSSL_LH_node_usage_stats_bio()\fR 
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_config.3 b/secure/lib/libcrypto/man/man3/OPENSSL_config.3 index 5286b72db31e..7b4a2ba93648 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_config.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_config.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_CONFIG 3ossl" -.TH OPENSSL_CONFIG 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_CONFIG 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -106,7 +109,7 @@ advisable. For example, to load dynamic ENGINEs from shared libraries (DSOs). However, very few applications currently support the control interface and so very few can load and use dynamic ENGINEs. Equally in future more sophisticated ENGINEs will require certain control operations to customize them. If an -application calls \fBOPENSSL_config()\fR it doesn't need to know or care about +application calls \fBOPENSSL_config()\fR it doesn\*(Aqt need to know or care about ENGINE control operations because they can be performed by editing a configuration file. .SH ENVIRONMENT @@ -114,7 +117,7 @@ configuration file. .IP \fBOPENSSL_CONF\fR 4 .IX Item "OPENSSL_CONF" The path to the config file. -Ignored in set-user-ID and set-group-ID programs. +Ignored in set\-user\-ID and set\-group\-ID programs. .SH "RETURN VALUES" .IX Header "RETURN VALUES" Neither \fBOPENSSL_config()\fR nor \fBOPENSSL_no_config()\fR return a value. 
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_fork_prepare.3 b/secure/lib/libcrypto/man/man3/OPENSSL_fork_prepare.3 index 74efb2b859c4..b999bee38300 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_fork_prepare.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_fork_prepare.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_FORK_PREPARE 3ossl" -.TH OPENSSL_FORK_PREPARE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_FORK_PREPARE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_gmtime.3 b/secure/lib/libcrypto/man/man3/OPENSSL_gmtime.3 index b77224f41eca..0b4ca6dc0611 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_gmtime.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_gmtime.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_GMTIME 3ossl" -.TH OPENSSL_GMTIME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_GMTIME 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_hexchar2int.3 b/secure/lib/libcrypto/man/man3/OPENSSL_hexchar2int.3 index b5b01af3434e..f1d4c804ce5d 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_hexchar2int.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_hexchar2int.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_HEXCHAR2INT 3ossl" -.TH OPENSSL_HEXCHAR2INT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_HEXCHAR2INT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -86,25 +89,25 @@ equivalent. .PP \&\fBOPENSSL_hexstr2buf_ex()\fR decodes the hex string \fBstr\fR and places the resulting string of bytes in the given \fIbuf\fR. -The character \fIsep\fR is the separator between the bytes, setting this to '\e0' +The character \fIsep\fR is the separator between the bytes, setting this to \*(Aq\e0\*(Aq means that there is no separator. \&\fIbuf_n\fR gives the size of the buffer. If \fIbuflen\fR is not NULL, it is filled in with the result length. To find out how large the result will be, call this function with NULL for \fIbuf\fR. -Colons between two-character hex "bytes" are accepted and ignored. +Colons between two\-character hex "bytes" are accepted and ignored. An odd number of hex digits is an error. .PP \&\fBOPENSSL_hexstr2buf()\fR does the same thing as \fBOPENSSL_hexstr2buf_ex()\fR, but allocates the space for the result, and returns the result. It uses a -default separator of ':'. +default separator of \*(Aq:\*(Aq. The memory is allocated by calling \fBOPENSSL_malloc()\fR and should be released by calling \fBOPENSSL_free()\fR. .PP \&\fBOPENSSL_buf2hexstr_ex()\fR encodes the contents of the given \fIbuf\fR with length \fIbuflen\fR and places the resulting hexadecimal character string in the given \fIstr\fR. -The character \fIsep\fR is the separator between the bytes, setting this to '\e0' +The character \fIsep\fR is the separator between the bytes, setting this to \*(Aq\e0\*(Aq means that there is no separator. \&\fIstr_n\fR gives the size of the of the string buffer. If \fIstrlength\fR is not NULL, it is filled in with the result length. 
@@ -113,7 +116,7 @@ for \fIstr\fR. .PP \&\fBOPENSSL_buf2hexstr()\fR does the same thing as \fBOPENSSL_buf2hexstr_ex()\fR, but allocates the space for the result, and returns the result. It uses a -default separator of ':'. +default separator of \*(Aq:\*(Aq. The memory is allocated by calling \fBOPENSSL_malloc()\fR and should be released by calling \fBOPENSSL_free()\fR. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_ia32cap.3 b/secure/lib/libcrypto/man/man3/OPENSSL_ia32cap.3 index c3fa9651d393..be40046740b0 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_ia32cap.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_ia32cap.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_IA32CAP 3ossl" -.TH OPENSSL_IA32CAP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_IA32CAP 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -85,13 +88,13 @@ range of x86[_64] based processors. .PP Further CPUID information can be found in the Intel(R) Architecture Instruction Set Extensions Programming Reference, and the AMD64 Architecture -Programmer's Manual (Volume 3). +Programmer\*(Aqs Manual (Volume 3). .SS "Notable Capability Bits for LV0" .IX Subsection "Notable Capability Bits for LV0" The following are notable capability bits from logical vector 0 (LV0) resulting from the following execution of CPUID.(EAX=01H).EDX and CPUID.(EAX=01H).ECX: -.IP "bit #0+4 denoting presence of Time-Stamp Counter;" 4 +.IP "bit #0+4 denoting presence of Time\-Stamp Counter;" 4 .IX Item "bit #0+4 denoting presence of Time-Stamp Counter;" .PD 0 .IP "bit #0+19 denoting availability of CLFLUSH instruction;" 4 @@ -114,11 +117,11 @@ CPUID.(EAX=01H).ECX: .IX Item "bit #0+33 denoting availability of PCLMULQDQ instruction;" .IP "bit #0+41 denoting SSSE3, Supplemental SSE3, support;" 4 .IX Item "bit #0+41 denoting SSSE3, Supplemental SSE3, support;" -.IP "bit #0+43 denoting AMD XOP support (forced to zero on non-AMD CPUs);" 4 +.IP "bit #0+43 denoting AMD XOP support (forced to zero on non\-AMD CPUs);" 4 .IX Item "bit #0+43 denoting AMD XOP support (forced to zero on non-AMD CPUs);" .IP "bit #0+54 denoting availability of MOVBE instruction;" 4 .IX Item "bit #0+54 denoting availability of MOVBE instruction;" -.IP "bit #0+57 denoting AES-NI instruction set extension;" 4 +.IP "bit #0+57 denoting AES\-NI instruction set extension;" 4 .IX Item "bit #0+57 denoting AES-NI instruction set extension;" .IP "bit #0+58, XSAVE bit, lack of which in combination with MOVBE is used to identify Atom Silvermont core;" 4 .IX Item "bit #0+58, XSAVE bit, lack of which in combination with MOVBE is used to identify Atom Silvermont core;" 
@@ -178,7 +181,7 @@ CPUID.(EAX=07H,ECX=1H).EAX: .IX Item "bit #128+33 denoting availability of SM3 extension;" .IP "bit #128+34 denoting availability of SM4 extension;" 4 .IX Item "bit #128+34 denoting availability of SM4 extension;" -.IP "bit #128+55 denoting availability of AVX-IFMA extension;" 4 +.IP "bit #128+55 denoting availability of AVX\-IFMA extension;" 4 .IX Item "bit #128+55 denoting availability of AVX-IFMA extension;" .PD .SS "Notable Capability Bits for LV3" @@ -212,18 +215,18 @@ CPUID.(EAX=24H,ECX=0H).EBX: The \fBOPENSSL_ia32cap\fR environment variable provides a mechanism to override the default capability vector values at library initialization time. The variable consists of a series of 64\-bit numbers representing each -of the logical vectors (LV) described above. Each value is delimited by a '\fB:\fR'. +of the logical vectors (LV) described above. Each value is delimited by a \*(Aq\fB:\fR\*(Aq. Decimal/Octal/Hexadecimal values representations are supported. .PP \&\f(CW\*(C`env OPENSSL_ia32cap=LV0:LV1:LV2:LV3:LV4\*(C'\fR .PP -Used in this form, each non-null logical vector will *overwrite* the entire corresponding +Used in this form, each non\-null logical vector will *overwrite* the entire corresponding capability vector pair with the provided value. To keep compatibility with the behaviour of the original OPENSSL_ia32cap environment variable <env OPENSSL_ia32cap=LV0:LV1>, the next capability vector pairs will be set to zero. .PP To illustrate, the following will zero all capability bits in logical vectors 1 and further -(disable all post-AVX extensions): +(disable all post\-AVX extensions): .PP \&\f(CW\*(C`env OPENSSL_ia32cap=:0\*(C'\fR .PP 
@@ -235,7 +238,7 @@ The following will zero all capability bits only in logical vector 1: \&\f(CW\*(C`env OPENSSL_ia32cap=:0::::\*(C'\fR .PP A more likely usage scenario would be to disable specific instruction set extensions. -The '\fB~\fR' character is used to specify a bit mask of the extensions to be disabled for +The \*(Aq\fB~\fR\*(Aq character is used to specify a bit mask of the extensions to be disabled for a particular logical vector. .PP To illustrate, the following will disable AVX2 code paths and further extensions: @@ -253,7 +256,7 @@ Not all capability bits are copied from CPUID output verbatim. An example of this is the somewhat less intuitive clearing of LV0 bit #28, or ~0x10000000 in the "environment variable" terms. It has been adjusted to reflect whether or not the data cache is actually shared between logical cores. This in turn affects -the decision on whether or not expensive countermeasures against cache-timing attacks +the decision on whether or not expensive countermeasures against cache\-timing attacks are applied, most notably in AES assembler module. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_init_crypto.3 b/secure/lib/libcrypto/man/man3/OPENSSL_init_crypto.3 index ff806e798701..8ea45a7cab62 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_init_crypto.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_init_crypto.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_INIT_CRYPTO 3ossl" -.TH OPENSSL_INIT_CRYPTO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_INIT_CRYPTO 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -91,7 +94,7 @@ and deinitialisation functions During normal operation OpenSSL (libcrypto) will allocate various resources at start up that must, subsequently, be freed on close down of the library. Additionally some resources are allocated on a per thread basis (if the -application is multi-threaded), and these resources must be freed prior to the +application is multi\-threaded), and these resources must be freed prior to the thread closing. .PP As of version 1.1.0 OpenSSL will automatically allocate all resources that it @@ -165,7 +168,7 @@ option. .IP OPENSSL_INIT_ASYNC 4 .IX Item "OPENSSL_INIT_ASYNC" With this option the library with automatically initialise the libcrypto async -sub-library (see \fBASYNC_start_job\fR\|(3)). This is a default option. +sub\-library (see \fBASYNC_start_job\fR\|(3)). This is a default option. .IP OPENSSL_INIT_ENGINE_RDRAND 4 .IX Item "OPENSSL_INIT_ENGINE_RDRAND" With this option the library will automatically load and initialise the 
@@ -234,7 +237,7 @@ automatically on application exit. This is done via the standard C library that will not call the registered \fBatexit()\fR handlers then the application should call \fBOPENSSL_cleanup()\fR directly. Developers of libraries using OpenSSL are discouraged from calling this function and should instead, typically, rely -on auto-deinitialisation. This is to avoid error conditions where both an +on auto\-deinitialisation. This is to avoid error conditions where both an application and a library it depends on both use OpenSSL, and the library deinitialises it before the application has finished using it. .PP @@ -276,7 +279,7 @@ The \fBOPENSSL_INIT_LOAD_CONFIG\fR flag will load a configuration file, as with \&\fBCONF_MFLAGS_IGNORE_MISSING_FILE\fR, \fBCONF_MFLAGS_IGNORE_RETURN_CODES\fR and \&\fBCONF_MFLAGS_DEFAULT_SECTION\fR flags. The filename, application name, and flags can be customized by providing a -non-null \fBOPENSSL_INIT_SETTINGS\fR object. +non\-null \fBOPENSSL_INIT_SETTINGS\fR object. The object can be allocated via \fBOPENSSL_INIT_new()\fR. The \fBOPENSSL_INIT_set_config_filename()\fR function can be used to specify a nondefault filename, which is copied and need not refer to persistent storage. @@ -304,7 +307,7 @@ threads are not destroyed until after \fBFreeLibrary()\fR is called then each th should call \fBOPENSSL_thread_stop()\fR prior to the \fBFreeLibrary()\fR call. .PP On Linux/Unix where OpenSSL has been loaded via \fBdlopen()\fR and the application is -multi-threaded and if \fBdlclose()\fR is subsequently called prior to the threads +multi\-threaded and if \fBdlclose()\fR is subsequently called prior to the threads being destroyed then OpenSSL will not be able to deallocate resources associated with those threads. The application should either call \fBOPENSSL_thread_stop()\fR on each thread prior to the \fBdlclose()\fR call, or alternatively the original \fBdlopen()\fR 
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_init_ssl.3 b/secure/lib/libcrypto/man/man3/OPENSSL_init_ssl.3 index b806e541e6e1..423c3743f4d0 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_init_ssl.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_init_ssl.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_INIT_SSL 3ossl" -.TH OPENSSL_INIT_SSL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_INIT_SSL 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -74,7 +77,7 @@ OPENSSL_init_ssl \- OpenSSL (libssl and libcrypto) initialisation During normal operation OpenSSL (libssl and libcrypto) will allocate various resources at start up that must, subsequently, be freed on close down of the library. Additionally some resources are allocated on a per thread basis (if the -application is multi-threaded), and these resources must be freed prior to the +application is multi\-threaded), and these resources must be freed prior to the thread closing. .PP As of version 1.1.0 OpenSSL will automatically allocate all resources that it diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_instrument_bus.3 b/secure/lib/libcrypto/man/man3/OPENSSL_instrument_bus.3 index eafa7a60c313..512113bf42ab 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_instrument_bus.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_instrument_bus.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_INSTRUMENT_BUS 3ossl" -.TH OPENSSL_INSTRUMENT_BUS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_INSTRUMENT_BUS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -73,13 +76,13 @@ OPENSSL_instrument_bus, OPENSSL_instrument_bus2 \- instrument references to memo .SH DESCRIPTION .IX Header "DESCRIPTION" It was empirically found that timings of references to primary memory -are subject to irregular, apparently non-deterministic variations. The +are subject to irregular, apparently non\-deterministic variations. The subroutines in question instrument these references for purposes of gathering randomness for random number generator. In order to make it -bus-bound a 'flush cache line' instruction is used between probes. In +bus\-bound a \*(Aqflush cache line\*(Aq instruction is used between probes. In addition probes are added to \fBvector\fR elements in atomic or interlocked manner, which should contribute additional noise on -multi-processor systems. This also means that \fBvector[num]\fR should be +multi\-processor systems. This also means that \fBvector[num]\fR should be zeroed upon invocation (if you want to retrieve actual probe values). .PP \&\fBOPENSSL_instrument_bus()\fR performs \fBnum\fR probes and records the number of 
@@ -93,9 +96,9 @@ with \fBmax\fR value of 0 meaning "as many as it takes." .SH "RETURN VALUES" .IX Header "RETURN VALUES" Return value of 0 indicates that CPU is not capable of performing the -benchmark, either because oscillator counter or 'flush cache line' is -not available on current platform. For reference, on x86 'flush cache -line' was introduced with the SSE2 extensions. +benchmark, either because oscillator counter or \*(Aqflush cache line\*(Aq is +not available on current platform. For reference, on x86 \*(Aqflush cache +line\*(Aq was introduced with the SSE2 extensions. .PP Otherwise number of recorded values is returned. .SH COPYRIGHT diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_load_builtin_modules.3 b/secure/lib/libcrypto/man/man3/OPENSSL_load_builtin_modules.3 index f295f970cf95..7c155727ead6 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_load_builtin_modules.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_load_builtin_modules.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_LOAD_BUILTIN_MODULES 3ossl" -.TH OPENSSL_LOAD_BUILTIN_MODULES 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_LOAD_BUILTIN_MODULES 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_load_u16_le.3 b/secure/lib/libcrypto/man/man3/OPENSSL_load_u16_le.3 index d74866fe731f..2f8b3c9985f1 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_load_u16_le.3 
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_load_u16_le.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_LOAD_U16_LE 3ossl" -.TH OPENSSL_LOAD_U16_LE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_LOAD_U16_LE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -101,10 +104,10 @@ Read and write unsigned 16, 32 and 64\-bit integers in a specific byte order .IX Header "DESCRIPTION" These functions read and write 16, 32 and 64 bit unsigned integers in a specified byte order. -The \f(CW\*(C`_be\*(C'\fR functions use big-endian byte order, while the \f(CW\*(C`_le\*(C'\fR functions use -little-endian byte order. -They're implemented directly in the header file, and declared static. When the -compiler supports inline functions, they're also declared inline. +The \f(CW\*(C`_be\*(C'\fR functions use big\-endian byte order, while the \f(CW\*(C`_le\*(C'\fR functions use +little\-endian byte order. +They\*(Aqre implemented directly in the header file, and declared static. When the +compiler supports inline functions, they\*(Aqre also declared inline. An optimising compiler will often convert these to just one or two machine instructions: a load or store with a possible byte swap. .PP diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_malloc.3 b/secure/lib/libcrypto/man/man3/OPENSSL_malloc.3 index c774725b62da..8cf57496594c 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_malloc.3 
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_malloc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_MALLOC 3ossl" -.TH OPENSSL_MALLOC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_MALLOC 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -150,8 +153,8 @@ see \fBopenssl_user_macros\fR\|(7): .SH DESCRIPTION .IX Header "DESCRIPTION" OpenSSL memory allocation is handled by the \fBOPENSSL_xxx\fR API. These are -generally macro's that add the standard C \fB_\|_FILE_\|_\fR and \fB_\|_LINE_\|_\fR -parameters and call a lower-level \fBCRYPTO_xxx\fR API. +generally macro\*(Aqs that add the standard C \fB_\|_FILE_\|_\fR and \fB_\|_LINE_\|_\fR +parameters and call a lower\-level \fBCRYPTO_xxx\fR API. Some functions do not add those parameters, but exist for consistency. .PP \&\fBOPENSSL_malloc_init()\fR does nothing and does not need to be called. It is 
@@ -177,17 +180,21 @@ the returned pointer. .PP \&\fBOPENSSL_clear_realloc()\fR and \fBOPENSSL_clear_free()\fR should be used when the buffer at \fBaddr\fR holds sensitive information. -The old buffer is filled with zero's by calling \fBOPENSSL_cleanse()\fR -before ultimately calling \fBOPENSSL_free()\fR. If the argument to \fBOPENSSL_free()\fR is -NULL, nothing is done. +The old buffer is filled with zero\*(Aqs by calling \fBOPENSSL_cleanse()\fR +before ultimately calling \fBOPENSSL_free()\fR. If the argument to +\&\fBOPENSSL_clear_free()\fR is NULL, nothing is done. .PP -\&\fBOPENSSL_cleanse()\fR fills \fBptr\fR of size \fBlen\fR with a string of 0's. +\&\fBOPENSSL_cleanse()\fR fills \fBptr\fR of size \fBlen\fR with a string of 0\*(Aqs. +It is useful in cases when it is needed to ensure that memory (that contains +sensitive information) is overwritten (for example, before it is reclaimed, +or when it is stored on stack), and such operation is not optimised out +by compiler optimisations such as dead store elimination (as \fBmemset\fR\|(3) may be). Use \fBOPENSSL_cleanse()\fR with care if the memory is a mapping of a file. -If the storage controller uses write compression, then it's possible +If the storage controller uses write compression, then it\*(Aqs possible that sensitive tail bytes will survive zeroization because the block of zeros will be compressed. If the storage controller uses wear leveling, then the old sensitive data will not be overwritten; rather, a block of -0's will be written at a new physical location. +0\*(Aqs will be written at a new physical location. .PP \&\fBOPENSSL_strdup()\fR, \fBOPENSSL_strndup()\fR and \fBOPENSSL_memdup()\fR are like the equivalent C functions, except that memory is allocated by calling the 
@@ -211,8 +218,8 @@ function pointers for the current implementations. With \fBCRYPTO_set_mem_functions()\fR, you can specify a different set of functions. If any of \fBmalloc_fn\fR, \fBrealloc_fn\fR, or \fBfree_fn\fR are NULL, then the function is not changed. -While it's permitted to swap out only a few and not all the functions -with \fBCRYPTO_set_mem_functions()\fR, it's recommended to swap them all out +While it\*(Aqs permitted to swap out only a few and not all the functions +with \fBCRYPTO_set_mem_functions()\fR, it\*(Aqs recommended to swap them all out at once. .PP If the library is built with the \f(CW\*(C`crypto\-mdebug\*(C'\fR option, then one @@ -267,11 +274,11 @@ return a pointer to allocated memory or NULL on error. always because allocations have already happened). .PP \&\fBCRYPTO_mem_leaks()\fR, \fBCRYPTO_mem_leaks_fp()\fR, \fBCRYPTO_mem_leaks_cb()\fR, -\&\fBCRYPTO_set_mem_debug()\fR, and \fBCRYPTO_mem_ctrl()\fR are deprecated and are no-ops that +\&\fBCRYPTO_set_mem_debug()\fR, and \fBCRYPTO_mem_ctrl()\fR are deprecated and are no\-ops that always return \-1. \&\fBOPENSSL_mem_debug_push()\fR, \fBOPENSSL_mem_debug_pop()\fR, \&\fBCRYPTO_mem_debug_push()\fR, and \fBCRYPTO_mem_debug_pop()\fR -are deprecated and are no-ops that always return 0. +are deprecated and are no\-ops that always return 0. .PP \&\fBOPENSSL_strtoul()\fR returns 1 on success and 0 in the event that an error has occurred. Specifically, 0 is returned in the following events: @@ -291,7 +298,7 @@ translation has been performed. For instance calling .Ve .PP will result in a successful translation with num having the value 0, and -*endptr = 'x'. Be sure to validate how much data was consumed when calling this +*endptr = \*(Aqx\*(Aq. Be sure to validate how much data was consumed when calling this function. .SH HISTORY .IX Header "HISTORY" 
@@ -300,13 +307,13 @@ function. \&\fBCRYPTO_mem_leaks()\fR, \fBCRYPTO_mem_leaks_fp()\fR, \&\fBCRYPTO_mem_leaks_cb()\fR, \fBCRYPTO_set_mem_debug()\fR, \fBCRYPTO_mem_ctrl()\fR were deprecated in OpenSSL 3.0. -The memory-leak checking has been deprecated in OpenSSL 3.0 in favor of -clang's memory and leak sanitizer. +The memory\-leak checking has been deprecated in OpenSSL 3.0 in favor of +clang\*(Aqs memory and leak sanitizer. \&\fBOPENSSL_aligned_alloc()\fR, \fBCRYPTO_aligned_alloc()\fR, \fBOPENSSL_strtoul()\fR were added in OpenSSL 3.4. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_ppccap.3 b/secure/lib/libcrypto/man/man3/OPENSSL_ppccap.3 new file mode 100644 index 000000000000..b5734163a026 --- /dev/null +++ b/secure/lib/libcrypto/man/man3/OPENSSL_ppccap.3 
@@ -0,0 +1,206 @@ +.\" -*- mode: troff; coding: utf-8 -*- +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>. +.ie n \{\ +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{\ +. if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +. \} +.\} +.rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l +.\" ======================================================================== +.\" +.IX Title "OPENSSL_PPCCAP 3ossl" +.TH OPENSSL_PPCCAP 3ossl 2026-04-07 3.5.6 OpenSSL +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH NAME +OPENSSL_ppccap \- the PowerPC processor capabilities vector +.SH SYNOPSIS +.IX Header "SYNOPSIS" +.Vb 1 +\& env OPENSSL_ppccap=... <application> +.Ve +.SH DESCRIPTION +.IX Header "DESCRIPTION" +libcrypto supports PowerPC instruction set extensions. These extensions are +represented by bits in the PowerPC capabilities vector. 
When libcrypto +initializes, it stores the results returned by PowerPC CPU capabilities detection +logic in the PowerPC capabilities vector. The CPU capabilities detection methods +are OS\-dependent and use a combination of information gathered by the kernel +during boot and probe functions that attempt to execute instructions and trap +illegal instruction signals with a signal handler. +.PP +To override the set of extensions available to an application, you can set the +\&\fBOPENSSL_ppccap\fR environment variable before you start the application. The +environment variable is assigned a numerical value that denotes the bits in +the PowerPC capabilities vector. The ppc_arch.h header file states that, "Flags\*(Aq +usage can appear ambiguous, because they are set rather to reflect OpenSSL +performance preferences than actual processor capabilities." +.PP +Multiple extensions are enabled by logically OR\-ing the values that represent the +desired extensions. +.PP +\&\fBNotes\fR: Enabling an extension on a CPU that does not support the extension +will result in a SIGILL crash. On AIX, all vector instructions can be disabled +with the schedo \-ro allow_vmx=0 command. DO NOT USE THIS COMMAND to disable +vector instructions in the OS when it is running on a CPU level that supports the +instructions without also disabling them in libcrpto via the OPENSSL_ppccap +environment variable or the application will crash with a SIGILL. +.PP +Currently, the following extensions are defined: +.IP 0x01 4 +.IX Item "0x01" +Name: \fBPPC_FPU64\fR +.Sp +This flag is obsolete. +.IP 0x02 4 +.IX Item "0x02" +Name: \fBPPC_ALTIVEC\fR +.Sp +Meaning: Use AltiVec (aka VMX) instructions. In some but not all cases, this +capability gates the use of later ISA vector instructions. The associated probe +instruction is vor (vector logical or). +.Sp +Effect: Enables use of vector instructions but does not enable extensions added +at specific ISA levels. 
However, disabling this capability disables a subset of +vector extensions added at specific ISA levels even if they are otherwise +enabled. +.IP 0x04 4 +.IX Item "0x04" +Name: \fBPPC_CRYPTO207\fR +.Sp +Meaning: Use instructions added in ISA level 2.07. The associated probe +instruction instruction is vcipher (vector AES cipher round). +.Sp +Effect: Enables AES, SHA\-2 sigma, and other ISA 2.07 instructions for AES, SHA\-2, +GHASH, and Poly1305. +.IP 0x08 4 +.IX Item "0x08" +Name: \fBPPC_FPU\fR +.Sp +Meaning: Use FPU instructions. The associated probe instruction is fmr (floating +move register). +.Sp +Effect: Enables Poly1305 FPU implementation. The PPC_CRYPTO207 capability +overrides this effect. +.IP 0x10 4 +.IX Item "0x10" +Name: \fBPPC_MADD300\fR +.Sp +Meaning: Use instructions added in ISA level 3.00. The associated probe +instruction is maddhdu (multiply\-add high doubleword unsigned). +.Sp +Effect: Enables use of the polynomial multiply and other ISA 3.00 instructions +for AES\-GCM, P\-384, and P\-521. +.IP 0x20 4 +.IX Item "0x20" +Name: \fBPPC_MFTB\fR +.Sp +Meaning: Use the mftb (move from time base) instruction. The associated probe +instruction is mftb. +.Sp +Effect: Enables use of the mftb instruction to sample the lower 32 bits of the +CPU time base register in order to acquire entropy. Considered obsolete. The +PPC_MFSPR268 capability overrides this capability. +.IP 0x40 4 +.IX Item "0x40" +Name: \fBPPC_MFSPR268\fR +.Sp +Meaning: Use the mfspr (move from special purpose register) instruction to +read SPR 268. The associated probe instruction is mfspr 268. +.Sp +Effect: Enables use of the mfspr instruction to sample the lower 32 bits of the +CPU time base register from SPR 268, the TBL (time base lower) register, in order +to acquire entropy. +.IP 0x80 4 +.IX Item "0x80" +Name: \fBPPC_BRD31\fR +.Sp +Meaning: Use instructions added in ISA level 3.1. The associated probe instruction +is brd (byte\-reverse doubleword). 
+.Sp +Effect: Enables use of ISA 3.1 instructions in ChaCha20. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +Not available. +.SH EXAMPLES +.IX Header "EXAMPLES" +Check currently detected capabilities: +.PP +.Vb 2 +\& $ openssl info \-cpusettings +\& OPENSSL_ppccap=0x2E +.Ve +.PP +The detected capabilities in the above example indicate that PPC_MFTB, PPC_FPU, +PPC_CRYPTO207, PPC_MFSPR268, and PPC_ALTIVEC are enabled. +.PP +Disable all instruction set extensions: +.PP +.Vb 1 +\& OPENSSL_ppccap=0x00 +.Ve +.PP +Enable base AltiVec extensions: +.PP +.Vb 1 +\& OPENSSL_ppccap=0x02 +.Ve +.SH COPYRIGHT +.IX Header "COPYRIGHT" +Copyright 2025 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +<https://www.openssl.org/source/license.html>. diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_riscvcap.3 b/secure/lib/libcrypto/man/man3/OPENSSL_riscvcap.3 index e8dec8930974..b5e72f16fa84 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_riscvcap.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_riscvcap.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_RISCVCAP 3ossl" -.TH OPENSSL_RISCVCAP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_RISCVCAP 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -69,18 +72,18 @@ OPENSSL_riscvcap \- the RISC\-V processor capabilities vector .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -libcrypto supports RISC-V instruction set extensions. These +libcrypto supports RISC\-V instruction set extensions. These extensions are denoted by individual extension names in the capabilities vector. For Linux platform, when libcrypto is initialized, the results -returned by the RISC-V Hardware Probing syscall (hwprobe) are stored +returned by the RISC\-V Hardware Probing syscall (hwprobe) are stored in the vector. Otherwise all capabilities are disabled. .PP To override the set of instructions available to an application, you can set the \fBOPENSSL_riscvcap\fR environment variable before you start the application. .PP -The environment variable is similar to the RISC-V ISA string defined in the -RISC-V Instruction Set Manual. It is case insensitive. Though due to the limit +The environment variable is similar to the RISC\-V ISA string defined in the +RISC\-V Instruction Set Manual. It is case insensitive. Though due to the limit of the environment variable parser inside libcrypto, an extension must be prefixed with an underscore to make it recognizable. This also applies to the Vector extension. 
@@ -101,27 +104,27 @@ Address Generation Could be detected using hwprobe for Linux kernel >= 6.5 .IP ZBB 4 .IX Item "ZBB" -Basic bit-manipulation +Basic bit\-manipulation .Sp Could be detected using hwprobe for Linux kernel >= 6.5 .IP ZBC 4 .IX Item "ZBC" -Carry-less multiplication +Carry\-less multiplication .Sp Could be detected using hwprobe for Linux kernel >= 6.8 .IP ZBS 4 .IX Item "ZBS" -Single-bit instructions +Single\-bit instructions .Sp Could be detected using hwprobe for Linux kernel >= 6.5 .IP ZBKB 4 .IX Item "ZBKB" -Bit-manipulation for Cryptography +Bit\-manipulation for Cryptography .Sp Could be detected using hwprobe for Linux kernel >= 6.8 .IP ZBKC 4 .IX Item "ZBKC" -Carry-less multiplication for Cryptography +Carry\-less multiplication for Cryptography .Sp Could be detected using hwprobe for Linux kernel >= 6.8 .IP ZBKX 4 @@ -169,7 +172,7 @@ Vector Extension for Application Processors Could be detected using hwprobe for Linux kernel >= 6.5 .IP ZVBB 4 .IX Item "ZVBB" -Vector Basic Bit-manipulation +Vector Basic Bit\-manipulation .Sp Could be detected using hwprobe for Linux kernel >= 6.8 .IP ZVBC 4 @@ -179,7 +182,7 @@ Vector Carryless Multiplication Could be detected using hwprobe for Linux kernel >= 6.8 .IP ZVKB 4 .IX Item "ZVKB" -Vector Cryptography Bit-manipulation +Vector Cryptography Bit\-manipulation .Sp Could be detected using hwprobe for Linux kernel >= 6.8 .IP ZVKG 4 
@@ -221,19 +224,25 @@ Check currently detected capabilities .PP .Vb 2 \& $ openssl info \-cpusettings -\& OPENSSL_riscvcap=ZBA_ZBB_ZBC_ZBS_V +\& OPENSSL_riscvcap=RV64GC_ZBA_ZBB_ZBC_ZBS_V vlen:256 .Ve .PP +Note: The first word in the displayed capabilities is the RISC\-V base +architecture value, which is derived from the compiler configuration. +It is therefore not overridable by the environment variable. +When the V extension is given the riscv_vlen value is always displayed, +there is no way to override the riscv_vlen by the environment variable. +.PP Disables all instruction set extensions: .PP .Vb 1 -\& OPENSSL_riscvcap="rv64gc" +\& export OPENSSL_riscvcap="rv64gc" .Ve .PP Only enable the vector extension: .PP .Vb 1 -\& OPENSSL_riscvcap="rv64gc_v" +\& export OPENSSL_riscvcap="rv64gc_v" .Ve .SH COPYRIGHT .IX Header "COPYRIGHT" diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_s390xcap.3 b/secure/lib/libcrypto/man/man3/OPENSSL_s390xcap.3 index ce151ff66887..a81e173f9c36 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_s390xcap.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_s390xcap.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_S390XCAP 3ossl" -.TH OPENSSL_S390XCAP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_S390XCAP 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -79,7 +82,7 @@ set the \fBOPENSSL_s390xcap\fR environment variable before you start the application. After initialization, the capability vector is ANDed bitwise with a mask which is derived from the environment variable. .PP -The environment variable is a semicolon-separated list of tokens which is +The environment variable is a semicolon\-separated list of tokens which is processed from left to right (whitespace is ignored): .PP .Vb 1 @@ -89,7 +92,7 @@ processed from left to right (whitespace is ignored): There are four types of tokens: .IP <string> 4 .IX Item "<string>" -The name of a processor generation. A bit in the environment variable's +The name of a processor generation. A bit in the environment variable\*(Aqs mask is set to one if and only if the specified processor generation implements the corresponding instruction set extension. Possible values are \fBz900\fR, \fBz990\fR, \fBz9\fR, \fBz10\fR, \fBz196\fR, \fBzEC12\fR, \fBz13\fR, \fBz14\fR, 
@@ -97,14 +100,14 @@ are \fBz900\fR, \fBz990\fR, \fBz9\fR, \fBz10\fR, \fBz196\fR, \fBzEC12\fR, \fBz13 .IP <string>:<mask>:<mask> 4 .IX Item "<string>:<mask>:<mask>" The name of an instruction followed by two 64\-bit masks. The part of the -environment variable's mask corresponding to the specified instruction is +environment variable\*(Aqs mask corresponding to the specified instruction is set to the specified 128\-bit mask. Possible values are \fBkimd\fR, \fBklmd\fR, \&\fBkm\fR, \fBkmc\fR, \fBkmac\fR, \fBkmctr\fR, \fBkmo\fR, \fBkmf\fR, \fBprno\fR, \fBkma\fR, \fBpcc\fR and \fBkdsa\fR. .IP stfle:<mask>:<mask>:<mask> 4 .IX Item "stfle:<mask>:<mask>:<mask>" -Store-facility-list-extended (stfle) followed by three 64\-bit masks. The -part of the environment variable's mask corresponding to the stfle +Store\-facility\-list\-extended (stfle) followed by three 64\-bit masks. The +part of the environment variable\*(Aqs mask corresponding to the stfle instruction is set to the specified 192\-bit mask. .IP nocex 4 .IX Item "nocex" @@ -248,7 +251,7 @@ Disables the vector facility: \& OPENSSL_s390xcap="stfle:~0:~0:~0x4000000000000000" .Ve .PP -Disables the KM-XTS-AES and the KIMD-SHAKE function codes: +Disables the KM\-XTS\-AES and the KIMD\-SHAKE function codes: .PP .Vb 1 \& OPENSSL_s390xcap="km:~0x2800:~0;kimd:~0xc000000:~0" diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_secure_malloc.3 b/secure/lib/libcrypto/man/man3/OPENSSL_secure_malloc.3 index b873a8b88d49..8f6cc784266b 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_secure_malloc.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_secure_malloc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_SECURE_MALLOC 3ossl" -.TH OPENSSL_SECURE_MALLOC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_SECURE_MALLOC 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -98,9 +101,9 @@ CRYPTO_secure_used \- secure heap storage .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -In order to help protect applications (particularly long-running servers) +In order to help protect applications (particularly long\-running servers) from pointer overruns or underruns that could return arbitrary data from -the program's dynamic memory area, where keys and other sensitive +the program\*(Aqs dynamic memory area, where keys and other sensitive information might be stored, OpenSSL supports the concept of a "secure heap." The level and type of security guarantees depend on the operating system. It is a good idea to review the code and see if it addresses your @@ -109,10 +112,10 @@ uses a single read/write lock, and therefore any operations that involve allocation or freeing of secure heap memory are serialised, blocking other threads. With that in mind, highly concurrent applications should enable the secure heap with caution and be aware of the performance -implications for multi-threaded code. +implications for multi\-threaded code. .PP If a secure heap is used, then private key \fBBIGNUM\fR values are stored there. -This protects long-term storage of private keys, but will not necessarily +This protects long\-term storage of private keys, but will not necessarily put all intermediate values and computations there. .PP \&\fBCRYPTO_secure_malloc_init()\fR creates the secure heap, with the specified 
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_strcasecmp.3 b/secure/lib/libcrypto/man/man3/OPENSSL_strcasecmp.3 index 1e48b7b4e77e..e19234caa2d6 100644 --- a/secure/lib/libcrypto/man/man3/OPENSSL_strcasecmp.3 +++ b/secure/lib/libcrypto/man/man3/OPENSSL_strcasecmp.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_STRCASECMP 3ossl" -.TH OPENSSL_STRCASECMP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_STRCASECMP 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -72,13 +75,13 @@ OPENSSL_strcasecmp, OPENSSL_strncasecmp \- compare two strings ignoring case .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The OPENSSL_strcasecmp function performs a byte-by-byte comparison of the strings +The OPENSSL_strcasecmp function performs a byte\-by\-byte comparison of the strings \&\fBs1\fR and \fBs2\fR, ignoring the case of the characters. .PP The OPENSSL_strncasecmp function is similar, except that it compares no more than \&\fBn\fR bytes of \fBs1\fR and \fBs2\fR. .PP -In POSIX-compatible system and on Windows these functions use "C" locale for +In POSIX\-compatible system and on Windows these functions use "C" locale for case insensitive. Otherwise the comparison is done in current locale. .SH "RETURN VALUES" .IX Header "RETURN VALUES" 
@@ -87,9 +90,9 @@ s1 is found, respectively, to be less than, to match, or be greater than s2. .SH NOTES .IX Header "NOTES" OpenSSL extensively uses case insensitive comparison of ASCII strings. Though -OpenSSL itself is locale-agnostic, the applications using OpenSSL libraries may +OpenSSL itself is locale\-agnostic, the applications using OpenSSL libraries may unpredictably suffer when they use localization (e.g. Turkish locale is -well-known with a specific I/i cases). These functions use C locale for string +well\-known with a specific I/i cases). These functions use C locale for string comparison. .SH HISTORY .IX Header "HISTORY" diff --git a/secure/lib/libcrypto/man/man3/OSSL_ALGORITHM.3 b/secure/lib/libcrypto/man/man3/OSSL_ALGORITHM.3 index 5d0a0e5383af..6c1cd283f0c0 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_ALGORITHM.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_ALGORITHM.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_ALGORITHM 3ossl" -.TH OSSL_ALGORITHM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_ALGORITHM 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -86,7 +89,7 @@ properties. Arrays of this type must be terminated with a tuple where \fIalgorithm_names\fR is NULL. .PP -This type of array is typically returned by the provider's operation querying +This type of array is typically returned by the provider\*(Aqs operation querying function, further described in "Provider Functions" in \fBprovider\-base\fR\|(7). .SS "\fBOSSL_ALGORITHM\fP fields" .IX Subsection "OSSL_ALGORITHM fields" @@ -105,8 +108,8 @@ known identities: .IP \(bu 4 \&\f(CW\*(C`rsaEncryption\*(C'\fR .Sp -This is the name of the algorithm's OBJECT IDENTIFIER (OID), as given by the -PKCS#1 RFC's ASN.1 module <https://www.rfc-editor.org/rfc/rfc8017#appendix-C> +This is the name of the algorithm\*(Aqs OBJECT IDENTIFIER (OID), as given by the +PKCS#1 RFC\*(Aqs ASN.1 module <https://www.rfc-editor.org/rfc/rfc8017#appendix-C> .IP \(bu 4 \&\f(CW1.2.840.113549.1.1.1\fR .Sp @@ -125,7 +128,7 @@ or canonical name, on a per algorithm implementation basis. .Sp See the notes "On the subject of algorithm names" below for a more in depth discussion on \fIalgorithm_names\fR and how that may interact with -applications and libraries, including OpenSSL's. +applications and libraries, including OpenSSL\*(Aqs. .RE .IP \fIproperty_definition\fR 4 .IX Item "property_definition" @@ -143,7 +146,7 @@ Pointer to an \fBOSSL_DISPATCH\fR\|(3) array, containing pointers to the functions of a particular algorithm implementation. .IP \fIalgorithm_description\fR 4 .IX Item "algorithm_description" -A string with a short human-readable description of the algorithm. +A string with a short human\-readable description of the algorithm. .SH NOTES .IX Header "NOTES" .SS "On the subject of algorithm names" 
@@ -153,16 +156,16 @@ Providers may find the need to register ASN.1 OIDs for algorithms using \&\fBprovider\-base\fR\|(7), because some application or library \-\- possibly still the OpenSSL libraries, even \-\- use NIDs to look up algorithms. .PP -In that scenario, you must make sure that the corresponding \fBOSSL_ALGORITHM\fR's +In that scenario, you must make sure that the corresponding \fBOSSL_ALGORITHM\fR\*(Aqs \&\fIalgorithm_names\fR includes both the short and the long name. .PP -Most of the time, registering ASN.1 OIDs like this shouldn't be necessary, +Most of the time, registering ASN.1 OIDs like this shouldn\*(Aqt be necessary, and applications and libraries are encouraged to use \fBOBJ_obj2txt\fR\|(3) to get a text representation of the OID, which may be a long or short name for OIDs that are registered, or the OID itself in canonical decimal text form if not (or if \fBOBJ_obj2txt\fR\|(3) is called with \fIno_name\fR = 1). .PP -It's recommended to make sure that the corresponding \fBOSSL_ALGORITHM\fR's +It\*(Aqs recommended to make sure that the corresponding \fBOSSL_ALGORITHM\fR\*(Aqs \&\fIalgorithm_names\fR include known names as well as the OID itself in canonical decimal text form. That should cover all scenarios. .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/OSSL_CALLBACK.3 b/secure/lib/libcrypto/man/man3/OSSL_CALLBACK.3 index 03dd66bdfc25..cf20b4a30ee9 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CALLBACK.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CALLBACK.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CALLBACK 3ossl" -.TH OSSL_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CALLBACK 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -83,7 +86,7 @@ Callback functions themselves are always provided by or through the calling OpenSSL libraries, along with a generic pointer to data \fIarg\fR. As far as the function receiving the pointer to the function pointer and \fIarg\fR is concerned, the data that \fIarg\fR points at is opaque, and the pointer should -simply be passed back to the callback function when it's called. +simply be passed back to the callback function when it\*(Aqs called. .IP \fBOSSL_CALLBACK\fR 4 .IX Item "OSSL_CALLBACK" This is a generic callback function. When calling this callback function, diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_ATAV_set0.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_ATAV_set0.3 index 3f71e60293e1..fa07c22afa85 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_ATAV_set0.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_ATAV_set0.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_ATAV_SET0 3ossl" -.TH OSSL_CMP_ATAV_SET0 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_ATAV_SET0 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -138,7 +141,7 @@ pointed to by \fI*sk_p\fR. It creates a new stack if \fI*sk_p\fR points to NULL. \&\fBOSSL_CMP_ATAV_free()\fR deallocates \fIatav\fR. It is defined as a macro. .SH NOTES .IX Header "NOTES" -CMP is defined in RFC 4210. CRMF is defined in RFC 4211. +CMP is defined in RFC 9810. CRMF is defined in RFC 4211. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_CMP_ATAV_create()\fR, diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_CTX_new.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_CTX_new.3 index d3fcb15c3088..b1879efa0628 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_CTX_new.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_CTX_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_CTX_NEW 3ossl" -.TH OSSL_CMP_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_CTX_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -246,7 +249,7 @@ both of which may be NULL to select the defaults. It initializes the remaining fields to their default values \- for instance, the logging verbosity is set to OSSL_CMP_LOG_INFO, the message timeout is set to 120 seconds, -and the proof-of-possession method is set to OSSL_CRMF_POPO_SIGNATURE. +and the proof\-of\-possession method is set to OSSL_CRMF_POPO_SIGNATURE. .PP \&\fBOSSL_CMP_CTX_free()\fR deallocates an OSSL_CMP_CTX structure. If the argument is NULL, nothing is done. @@ -283,7 +286,7 @@ i.e., in case the server does not grant them an error occurs. The default value is 1: prefer to keep the connection open. .IP \fBOSSL_CMP_OPT_MSG_TIMEOUT\fR 4 .IX Item "OSSL_CMP_OPT_MSG_TIMEOUT" -Number of seconds a CMP request-response message round trip +Number of seconds a CMP request\-response message round trip is allowed to take before a timeout error is returned. A value <= 0 means no limitation (waiting indefinitely). Default is to use the \fBOSSL_CMP_OPT_TOTAL_TIMEOUT\fR setting. @@ -297,12 +300,12 @@ Default is 0. .IX Item "OSSL_CMP_OPT_USE_TLS" Use this option to indicate to the HTTP implementation whether TLS is going to be used for the connection (resulting in HTTPS). -The value 1 indicates that TLS is used for client-side HTTP connections, +The value 1 indicates that TLS is used for client\-side HTTP connections, which needs to be implemented via a callback function set by \&\fBOSSL_CMP_CTX_set_http_cb()\fR. The value 0 indicates that TLS is not used. Default is \-1 for backward compatibility: TLS is used by the client side -if and only if \fBOSSL_CMP_CTX_set_http_cb_arg()\fR sets a non-NULL \fIarg\fR. +if and only if \fBOSSL_CMP_CTX_set_http_cb_arg()\fR sets a non\-NULL \fIarg\fR. .IP \fBOSSL_CMP_OPT_VALIDITY_DAYS\fR 4 .IX Item "OSSL_CMP_OPT_VALIDITY_DAYS" Number of days new certificates are asked to be valid for. 
@@ -331,18 +334,18 @@ Select the proof of possession method to use. Possible values are: \& ("indirect method") .Ve .Sp -Note that a signature-based POPO can only be produced if a private key -is provided as the newPkey or client's pkey component of the CMP context. +Note that a signature\-based POPO can only be produced if a private key +is provided as the newPkey or client\*(Aqs pkey component of the CMP context. .IP \fBOSSL_CMP_OPT_DIGEST_ALGNID\fR 4 .IX Item "OSSL_CMP_OPT_DIGEST_ALGNID" -The NID of the digest algorithm to be used in RFC 4210's MSG_SIG_ALG -for signature-based message protection and Proof-of-Possession (POPO). +The NID of the digest algorithm to be used in RFC 9810\*(Aqs MSG_SIG_ALG +for signature\-based message protection and Proof\-of\-Possession (POPO). Default is SHA256. -.IP "\fBOSSL_CMP_OPT_OWF_ALGNID\fR The NID of the digest algorithm to be used as one-way function (OWF) for MAC-based message protection with password-based MAC (PBM). See RFC 4210 section 5.1.3.1 for details. Default is SHA256." 4 -.IX Item "OSSL_CMP_OPT_OWF_ALGNID The NID of the digest algorithm to be used as one-way function (OWF) for MAC-based message protection with password-based MAC (PBM). See RFC 4210 section 5.1.3.1 for details. Default is SHA256." +.IP "\fBOSSL_CMP_OPT_OWF_ALGNID\fR The NID of the digest algorithm to be used as one\-way function (OWF) for MAC\-based message protection with password\-based MAC (PBM). See RFC 9810 section 5.1.3.1 for details. Default is SHA256." 4 +.IX Item "OSSL_CMP_OPT_OWF_ALGNID The NID of the digest algorithm to be used as one-way function (OWF) for MAC-based message protection with password-based MAC (PBM). See RFC 9810 section 5.1.3.1 for details. Default is SHA256." .PD 0 -.IP "\fBOSSL_CMP_OPT_MAC_ALGNID\fR The NID of the MAC algorithm to be used for message protection with PBM. Default is HMAC\-SHA1 as per RFC 4210." 4 -.IX Item "OSSL_CMP_OPT_MAC_ALGNID The NID of the MAC algorithm to be used for message protection with PBM. 
Default is HMAC-SHA1 as per RFC 4210." +.IP "\fBOSSL_CMP_OPT_MAC_ALGNID\fR The NID of the MAC algorithm to be used for message protection with PBM. Default is HMAC\-SHA1, for backward compatibility with RFC 4210." 4 +.IX Item "OSSL_CMP_OPT_MAC_ALGNID The NID of the MAC algorithm to be used for message protection with PBM. Default is HMAC-SHA1, for backward compatibility with RFC 4210." .IP \fBOSSL_CMP_OPT_REVOCATION_REASON\fR 4 .IX Item "OSSL_CMP_OPT_REVOCATION_REASON" .PD @@ -360,10 +363,10 @@ Do not confirm enrolled certificates, to cope with broken servers not supporting implicit confirmation correctly. \&\fBWARNING:\fR This setting leads to unspecified behavior and it is meant exclusively to allow interoperability with server implementations violating -RFC 4210. +RFC 9810. .IP \fBOSSL_CMP_OPT_UNPROTECTED_SEND\fR 4 .IX Item "OSSL_CMP_OPT_UNPROTECTED_SEND" -Send request or response messages without CMP-level protection. +Send request or response messages without CMP\-level protection. .IP \fBOSSL_CMP_OPT_UNPROTECTED_ERRORS\fR 4 .IX Item "OSSL_CMP_OPT_UNPROTECTED_ERRORS" Accept unprotected error responses which are either explicitly 
@@ -372,12 +375,12 @@ error messages as well as certificate responses (IP/CP/KUP) and revocation responses (RP) with rejection. \&\fBWARNING:\fR This setting leads to unspecified behavior and it is meant exclusively to allow interoperability with server implementations violating -RFC 4210. +RFC 9810. .IP \fBOSSL_CMP_OPT_IGNORE_KEYUSAGE\fR 4 .IX Item "OSSL_CMP_OPT_IGNORE_KEYUSAGE" -Ignore key usage restrictions in the signer's certificate when -validating signature-based protection in received CMP messages. -Else, 'digitalSignature' must be allowed by CMP signer certificates. +Ignore key usage restrictions in the signer\*(Aqs certificate when +validating signature\-based protection in received CMP messages. +Else, \*(AqdigitalSignature\*(Aq must be allowed by CMP signer certificates. .IP \fBOSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR\fR 4 .IX Item "OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR" Allow retrieving a trust anchor from extraCerts and using that 
@@ -386,11 +389,17 @@ This is a quirk option added to support 3GPP TS 33.310. .Sp Note that using this option is dangerous as the certificate obtained this way has not been authenticated (at least not at CMP level). -Taking it over as a trust anchor implements trust-on-first-use (TOFU). +Taking it over as a trust anchor implements trust\-on\-first\-use (TOFU). .IP \fBOSSL_CMP_OPT_NO_CACHE_EXTRACERTS\fR 4 .IX Item "OSSL_CMP_OPT_NO_CACHE_EXTRACERTS" Do not cache certificates received in the extraCerts CMP message field. Otherwise they are stored to potentially help validate further messages. +.Sp +In any case, after successfully validating an incoming message, its protection +certificate (if any) is cached for reuse with validation of subsequent messages. +This is done not only for efficiency but also +to eliminate the need for the sender to include its certificate and related chain +in the extraCerts field of subsequent messages of the same transaction. .PP \&\fBOSSL_CMP_CTX_get_option()\fR reads the current value of the given option (e.g., OSSL_CMP_OPT_IMPLICIT_CONFIRM) from the given OSSL_CMP_CTX structure. 
@@ -415,13 +424,13 @@ The default is \f(CW\*(C`/\*(C'\fR. .PP \&\fBOSSL_CMP_CTX_set1_server()\fR sets the given server \fIaddress\fR (which may be a hostname or IP address or NULL) in the given \fIctx\fR. -If \fBOSSL_CMP_CTX_get_transfer_cb_arg()\fR sets a non-NULL argument, +If \fBOSSL_CMP_CTX_get_transfer_cb_arg()\fR sets a non\-NULL argument, this server address information is used for diagnostic output only. .PP \&\fBOSSL_CMP_CTX_set_serverPort()\fR sets the port of the CMP server to connect to. If not used or the \fIport\fR argument is 0 the default port applies, which is 80 for HTTP and 443 for HTTPS. -If \fBOSSL_CMP_CTX_get_transfer_cb_arg()\fR sets a non-NULL argument, +If \fBOSSL_CMP_CTX_get_transfer_cb_arg()\fR sets a non\-NULL argument, this server port information is used for diagnostic output only. .PP \&\fBOSSL_CMP_CTX_set1_proxy()\fR sets the HTTP proxy to be used for connecting to @@ -459,8 +468,8 @@ a structure containing arguments such as an \fBSSL_CTX\fR structure, optionally to be used by the http connect/disconnect callback function. \&\fIarg\fR is not consumed, and it must therefore explicitly be freed when not needed any more. \fIarg\fR may be NULL to clear the entry. -If a non-NULL argument is set, it is an error to use \fBOSSL_CMP_CTX_set1_proxy()\fR -or \fBOSSL_CMP_CTX_set1_no_proxy()\fR for setting non-NULL strings. +If a non\-NULL argument is set, it is an error to use \fBOSSL_CMP_CTX_set1_proxy()\fR +or \fBOSSL_CMP_CTX_set1_no_proxy()\fR for setting non\-NULL strings. .PP \&\fBOSSL_CMP_CTX_get_http_cb_arg()\fR gets the argument, respectively the pointer to a structure containing arguments, previously set by 
@@ -516,7 +525,7 @@ It sets in the CMP context \fIctx\fR the certificate store of type X509_STORE containing trusted certificates, typically of root CAs. This is ignored when a certificate is pinned using \fBOSSL_CMP_CTX_set1_srvCert()\fR. The store may also hold CRLs and a certificate verification callback function -used for signature-based peer authentication. +used for signature\-based peer authentication. Any store entry already set before is freed. When given a NULL parameter the entry is cleared. .PP @@ -525,7 +534,7 @@ When given a NULL parameter the entry is cleared. It extracts from the CMP context \fIctx\fR the pointer to the currently set certificate store containing trust anchors etc., or an empty store if unset. .PP -\&\fBOSSL_CMP_CTX_set1_untrusted()\fR sets up a list of non-trusted certificates +\&\fBOSSL_CMP_CTX_set1_untrusted()\fR sets up a list of non\-trusted certificates of intermediate CAs that may be useful for path construction for the own CMP signer certificate, for the own TLS certificate (if any), when verifying peer CMP protection certificates, and when verifying newly enrolled certificates. 
@@ -538,10 +547,10 @@ list of untrusted certs in \fIctx\fR, which may be empty if unset. .PP \&\fBOSSL_CMP_CTX_set1_cert()\fR sets the CMP \fIsigner certificate\fR, also called \fIprotection certificate\fR, -related to the private key used for signature-based CMP message protection. +related to the private key used for signature\-based CMP message protection. Therefore the public key of this \fIcert\fR must correspond to the private key set before or thereafter via \fBOSSL_CMP_CTX_set1_pkey()\fR. -When using signature-based protection of CMP request messages +When using signature\-based protection of CMP request messages this CMP signer certificate will be included first in the extraCerts field. It serves as fallback reference certificate, see \fBOSSL_CMP_CTX_set1_oldCert()\fR. The subject of this \fIcert\fR will be used as the sender field of outgoing 
@@ -560,35 +569,35 @@ If \fIown_trusted\fR is NULL it builds the chain as far down as possible and ignores any verification errors. Else the CMP signer certificate must be verifiable where the chain reaches a trust anchor contained in \fIown_trusted\fR. On success the function stores the resulting chain in \fIctx\fR -for inclusion in the extraCerts field of signature-protected messages. +for inclusion in the extraCerts field of signature\-protected messages. Calling this function is optional; by default a chain construction is performed on demand that is equivalent to calling this function with the \fIcandidates\fR and \fIown_trusted\fR arguments being NULL. .PP -\&\fBOSSL_CMP_CTX_set1_pkey()\fR sets the client's private key corresponding to the +\&\fBOSSL_CMP_CTX_set1_pkey()\fR sets the client\*(Aqs private key corresponding to the CMP signer certificate set via \fBOSSL_CMP_CTX_set1_cert()\fR. -This key is used create signature-based protection (protectionAlg = MSG_SIG_ALG) +This key is used create signature\-based protection (protectionAlg = MSG_SIG_ALG) of outgoing messages unless a symmetric secret has been set via \fBOSSL_CMP_CTX_set1_secretValue()\fR. The \fIpkey\fR argument may be NULL to clear the entry. .PP \&\fBOSSL_CMP_CTX_set1_secretValue()\fR sets in \fIctx\fR the byte string \fIsec\fR of length -\&\fIlen\fR to use as pre-shared secret, or clears it if the \fIsec\fR argument is NULL. -If present, this secret is used to create MAC-based authentication and integrity -protection (rather than applying signature-based protection) +\&\fIlen\fR to use as pre\-shared secret, or clears it if the \fIsec\fR argument is NULL. +If present, this secret is used to create MAC\-based authentication and integrity +protection (rather than applying signature\-based protection) of outgoing messages and to verify authenticity and integrity of incoming -messages that have MAC-based protection (protectionAlg = \f(CW\*(C`MSG_MAC_ALG\*(C'\fR). 
+messages that have MAC\-based protection (protectionAlg = \f(CW\*(C`MSG_MAC_ALG\*(C'\fR). .PP \&\fBOSSL_CMP_CTX_set1_referenceValue()\fR sets the given referenceValue \fIref\fR with length \fIlen\fR in the given \fIctx\fR or clears it if the \fIref\fR argument is NULL. -According to RFC 4210 section 5.1.1, if no value for the sender field in +According to RFC 9810 section 5.1.1, if no value for the sender field in CMP message headers can be determined (i.e., no CMP signer certificate and no subject DN is set via \fBOSSL_CMP_CTX_set1_subjectName()\fR -then the sender field will contain the NULL-DN +then the sender field will contain the NULL\-DN and the senderKID field of the CMP message header must be set. -When signature-based protection is used the senderKID will be set to +When signature\-based protection is used the senderKID will be set to the subjectKeyIdentifier of the CMP signer certificate as far as present. -If not present or when MAC-based protection is used +If not present or when MAC\-based protection is used the \fIref\fR value is taken as the fallback value for the senderKID. .PP \&\fBOSSL_CMP_CTX_set1_recipient()\fR sets the recipient name that will be used in the @@ -600,7 +609,7 @@ the subject of the CMP server certificate set using \fBOSSL_CMP_CTX_set1_srvCert the value set using \fBOSSL_CMP_CTX_set1_issuer()\fR, the issuer of the certificate set using \fBOSSL_CMP_CTX_set1_oldCert()\fR, the issuer of the CMP signer certificate, -as far as any of those is present, else the NULL-DN as last resort. +as far as any of those is present, else the NULL\-DN as last resort. .PP \&\fBOSSL_CMP_CTX_push0_geninfo_ITAV()\fR adds \fIitav\fR to the stack in the \fIctx\fR to be added to the generalInfo field of the CMP PKIMessage header of a request 
@@ -623,7 +632,7 @@ The \fIpriv\fR parameter must be 0 if and only if the given key is a public key. \&\fBOSSL_CMP_CTX_get0_newPkey()\fR gives the key to use for certificate enrollment dependent on fields of the CMP context structure: the newPkey (which may be a private or public key) if present, -else the public key in the p10CSR if present, else the client's private key. +else the public key in the p10CSR if present, else the client\*(Aqs private key. If the \fIpriv\fR parameter is not 0 and the selected key does not have a private component then NULL is returned. .PP @@ -708,7 +717,7 @@ a positive or negative certConf message to the server. The callback has type .Ve .PP and should inspect the certificate it obtains via the \fIcert\fR parameter and may -overrule the pre-decision given in the \fIfail_info\fR and \fI*txt\fR parameters. +overrule the pre\-decision given in the \fIfail_info\fR and \fI*txt\fR parameters. If it accepts the certificate it must return 0, indicating success. Else it must return a bit field reflecting PKIFailureInfo with at least one failure bit and may set the \fI*txt\fR output parameter to point to a string constant with more @@ -759,8 +768,8 @@ OSSL_CMP_CTX_FAILINFO_badAlg. Returns \-1 if the failInfoCode field is unset. .PP \&\fBOSSL_CMP_CTX_get0_validatedSrvCert()\fR returns the successfully validated certificate, if any, that the CMP server used -in the current transaction for signature-based response message protection, -or NULL if the server used MAC-based protection. +in the current transaction for signature\-based response message protection, +or NULL if the server used MAC\-based protection. The value is relevant only at the end of a successful transaction. It may be used to check the authorization of the server based on its cert. .PP 
@@ -788,7 +797,7 @@ OSSL_CMP_CTX structure. the \fIctx\fR. This will be used to validate the recipNonce in incoming messages. .SH NOTES .IX Header "NOTES" -CMP is defined in RFC 4210 (and CRMF in RFC 4211). +CMP is defined in RFC 9810 (and CRMF in RFC 4211). .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_CMP_CTX_free()\fR and \fBOSSL_CMP_CTX_print_errors()\fR do not return anything. @@ -837,7 +846,7 @@ Set up a CMP client context for sending requests and verifying responses: \& OSSL_CMP_CTX_set0_trusted(cmp_ctx, ts); .Ve .PP -Set up symmetric credentials for MAC-based message protection such as PBM: +Set up symmetric credentials for MAC\-based message protection such as PBM: .PP .Vb 2 \& OSSL_CMP_CTX_set1_referenceValue(cmp_ctx, ref, ref_len); @@ -886,7 +895,7 @@ Perform a Key Update Request, signed using the cert (and key) to be updated: .Ve .PP Perform a General Message transaction including, as an example, -the id-it-signKeyPairTypes OID and prints info on the General Response contents: +the id\-it\-signKeyPairTypes OID and prints info on the General Response contents: .PP .Vb 1 \& OSSL_CMP_CTX_reinit(cmp_ctx); @@ -921,13 +930,14 @@ in OpenSSL 3.2. \&\fBOSSL_CMP_CTX_get0_libctx()\fR, \fBOSSL_CMP_CTX_get0_propq()\fR, and \&\fBOSSL_CMP_CTX_get0_validatedSrvCert()\fR were added in OpenSSL 3.2. .PP -\&\fBOSSL_CMP_CTX_get0_geninfo_ITAVs()\fR was added in OpenSSL 3.3. +\&\fBOSSL_CMP_CTX_get0_geninfo_ITAVs()\fR and +the \fBOSSL_CMP_OPT_NO_CACHE_EXTRACERTS\fR option were added in OpenSSL 3.3. .PP Support for central key generation, requested via \fBOSSL_CRMF_POPO_NONE\fR, was added in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2007\-2025 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_HDR_get0_transactionID.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_HDR_get0_transactionID.3 index a8675e8f6fce..8509befaf2a2 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_HDR_get0_transactionID.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_HDR_get0_transactionID.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_HDR_GET0_TRANSACTIONID 3ossl" -.TH OSSL_CMP_HDR_GET0_TRANSACTIONID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_HDR_GET0_TRANSACTIONID 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -88,7 +91,7 @@ OSSL_CMP_HDR_get0_recipNonce returns the recipient nonce of the given PKIHeader. in the generalInfo field of the given PKIHeader. .SH NOTES .IX Header "NOTES" -CMP is defined in RFC 4210. +CMP is defined in RFC 9810. .SH "RETURN VALUES" .IX Header "RETURN VALUES" The functions return the intended pointer value as described above diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_new_caCerts.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_new_caCerts.3 index 9e4ae02d9505..f0002afc6dc9 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_new_caCerts.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_new_caCerts.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_ITAV_NEW_CACERTS 3ossl" -.TH OSSL_CMP_ITAV_NEW_CACERTS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_ITAV_NEW_CACERTS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -145,20 +148,20 @@ is not NULL. \&\fBrootCaKeyUpdate\fR. If an update of a root CA certificate is included, it assigns to \fI*newWithNew\fR the internal pointer -to the certificate contained in the newWithNew infoValue sub-field of \fIitav\fR. +to the certificate contained in the newWithNew infoValue sub\-field of \fIitav\fR. If \fInewWithOld\fR is not NULL, it assigns to \fI*newWithOld\fR the internal pointer -to the certificate contained in the newWithOld infoValue sub-field of \fIitav\fR. +to the certificate contained in the newWithOld infoValue sub\-field of \fIitav\fR. If \fIoldWithNew\fR is not NULL, it assigns to \fI*oldWithNew\fR the internal pointer -to the certificate contained in the oldWithNew infoValue sub-field of \fIitav\fR. +to the certificate contained in the oldWithNew infoValue sub\-field of \fIitav\fR. Each of these pointers will be set to NULL if no root CA certificate update -is present or the respective sub-field is not included. +is present or the respective sub\-field is not included. .PP \&\fBOSSL_CMP_CRLSTATUS_new1()\fR allocates a new \fBOSSL_CMP_CRLSTATUS\fR structure that contains either a copy of the distribution point name \fIdpn\fR or a copy of the certificate issuer \fIissuer\fR, while giving both is an error. If given, a copy of the CRL issuance time \fIthisUpdate\fR is also included. .PP -\&\fBOSSL_CMP_CRLSTATUS_create()\fR is a high-level variant of \fBOSSL_CMP_CRLSTATUS_new1()\fR. +\&\fBOSSL_CMP_CRLSTATUS_create()\fR is a high\-level variant of \fBOSSL_CMP_CRLSTATUS_new1()\fR. It fills the thisUpdate field with a copy of the thisUpdate field of \fIcrl\fR if present. It fills the CRLSource field with a copy of the first data item found using the \fIcrl\fR and/or \fIcert\fR parameters as follows. 
@@ -228,7 +231,7 @@ Otherwise, the function checks that all elements of keySpec field are of type \&\fBalgId\fR or \fBrsaKeyLen\fR and assigns to \fI*keySpec\fR a copy of the keySpec field. .SH NOTES .IX Header "NOTES" -CMP is defined in RFC 4210. +CMP is defined in RFC 9810. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_CMP_ITAV_new_caCerts()\fR, \fBOSSL_CMP_ITAV_new_rootCaCert()\fR, diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_set0.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_set0.3 index 9d42953da094..a545907d5c38 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_set0.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_set0.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_ITAV_SET0 3ossl" -.TH OSSL_CMP_ITAV_SET0 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_ITAV_SET0 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -88,9 +91,9 @@ OSSL_CMP_ITAV_get0_certProfile .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -ITAV is short for InfoTypeAndValue. This type is defined in RFC 4210 +ITAV is short for InfoTypeAndValue. This type is defined in RFC 9810 section 5.3.19 and Appendix F. It is used at various places in CMP messages, -e.g., in the generalInfo PKIHeader field, to hold a key-value pair. +e.g., in the generalInfo PKIHeader field, to hold a key\-value pair. .PP \&\fBOSSL_CMP_ITAV_create()\fR creates a new \fBOSSL_CMP_ITAV\fR structure and fills it in. It combines \fBOSSL_CMP_ITAV_new()\fR and \fBOSSL_CMP_ITAV_set0()\fR. @@ -119,7 +122,7 @@ The pointer may be NULL if no profile name is included. It is an error if the infoType of \fIitav\fR is not \fBcertProfile\fR. .SH NOTES .IX Header "NOTES" -CMP is defined in RFC 4210 and RFC 9480 (and CRMF in RFC 4211). +CMP is defined in RFC 9810. .PP OIDs to use as types in \fBOSSL_CMP_ITAV\fR can be found at <https://datatracker.ietf.org/doc/html/rfc9480#section\-4.2.2>. @@ -142,7 +145,7 @@ return 1 on success, 0 on error. The following code creates and sets a structure representing a generic InfoTypeAndValue sequence, using an OID created from text as type, and an integer as value. Afterwards, it is pushed to the \fBOSSL_CMP_CTX\fR to be later -included in the requests' PKIHeader's genInfo field. +included in the requests\*(Aq PKIHeader\*(Aqs genInfo field. .PP .Vb 2 \& ASN1_OBJECT *type = OBJ_txt2obj("1.2.3.4.5", 1); diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_get0_header.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_get0_header.3 index 95a1fd30a017..ebd4692992e4 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_get0_header.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_get0_header.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_MSG_GET0_HEADER 3ossl" -.TH OSSL_CMP_MSG_GET0_HEADER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_MSG_GET0_HEADER 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -100,11 +103,11 @@ message and returns the public key in its certificate template if present. \&\fBOSSL_CMP_MSG_update_transactionID()\fR updates the transactionID field in the header of the given message according to the CMP_CTX. If \fIctx\fR does not contain a transaction ID, a fresh one is created before. -The message gets re-protected (if protecting requests is required). +The message gets re\-protected (if protecting requests is required). .PP \&\fBOSSL_CMP_MSG_update_recipNonce()\fR updates the recipNonce field in the header of the given message according to the CMP_CTX. -The message gets re-protected (if protecting requests is required). +The message gets re\-protected (if protecting requests is required). .PP \&\fBOSSL_CMP_CTX_setup_CRM()\fR creates a CRMF certificate request message from various information provided in the CMP context argument \fIctx\fR 
@@ -113,7 +116,7 @@ The \fIrid\fR argument defines the request identifier to use, which typically is .PP The subject DN included in the certificate template is the first available value of these: -.IP "any subject name in \fIctx\fR set via \fBOSSL_CMP_CTX_set1_subjectName\fR\|(3) \- if it is the NULL-DN (i.e., any empty sequence of RDNs), no subject is included," 4 +.IP "any subject name in \fIctx\fR set via \fBOSSL_CMP_CTX_set1_subjectName\fR\|(3) \- if it is the NULL\-DN (i.e., any empty sequence of RDNs), no subject is included," 4 .IX Item "any subject name in ctx set via OSSL_CMP_CTX_set1_subjectName - if it is the NULL-DN (i.e., any empty sequence of RDNs), no subject is included," .PD 0 .IP "the subject field of any PKCS#10 CSR set in \fIctx\fR via \fBOSSL_CMP_CTX_set1_p10CSR\fR\|(3)," 4 @@ -130,7 +133,7 @@ The public key included is the first available value of these: .IX Item "the public key of any PKCS#10 CSR given in ctx," .IP "the public key of any reference certificate given in \fIctx\fR (see \fBOSSL_CMP_CTX_set1_oldCert\fR\|(3))," 4 .IX Item "the public key of any reference certificate given in ctx (see OSSL_CMP_CTX_set1_oldCert)," -.IP "the public key derived from any client's private key set via \fBOSSL_CMP_CTX_set1_pkey\fR\|(3)." 4 +.IP "the public key derived from any client\*(Aqs private key set via \fBOSSL_CMP_CTX_set1_pkey\fR\|(3)." 4 .IX Item "the public key derived from any client's private key set via OSSL_CMP_CTX_set1_pkey." .PD .PP @@ -151,7 +154,7 @@ Finally, policies are overridden by any policies included in \fIctx\fR via for KUR messages using the issuer name and serial number of the reference certificate, if present. .PP -\&\fBOSSL_CMP_MSG_read()\fR loads a DER-encoded OSSL_CMP_MSG from \fIfile\fR. +\&\fBOSSL_CMP_MSG_read()\fR loads a DER\-encoded OSSL_CMP_MSG from \fIfile\fR. .PP \&\fBOSSL_CMP_MSG_write()\fR stores the given OSSL_CMP_MSG to \fIfile\fR in DER encoding. .PP 
@@ -162,7 +165,7 @@ It assigns a pointer to the new structure to \fI*msg\fR if \fImsg\fR is not NULL to BIO \fIbio\fR. .SH NOTES .IX Header "NOTES" -CMP is defined in RFC 4210. +CMP is defined in RFC 9810. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_CMP_MSG_get0_header()\fR returns the intended pointer value as described above diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_http_perform.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_http_perform.3 index 8e2ea6a8df92..29035f5db66c 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_http_perform.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_http_perform.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_MSG_HTTP_PERFORM 3ossl" -.TH OSSL_CMP_MSG_HTTP_PERFORM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_MSG_HTTP_PERFORM 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -78,17 +81,17 @@ CMP server specified in \fIctx\fR and returns the result obtained from it. .PP If \fBOSSL_CMP_CTX_set_transfer_cb_arg\fR\|(3) has been used to set the transfer callback argument then the provided pointer \fIbios\fR is taken as -a two-element \fBBIO\fR array to use for the exchange with the server +a two\-element \fBBIO\fR array to use for the exchange with the server as described for the \fIbio\fR and \fIrbio\fR parameters of \fBOSSL_HTTP_open\fR\|(3). For instance, the two BIO pointers may be equal and refer to a TLS connection, -such as in BRSKI-AE where a pre-established TLS channel is reused for CMP. +such as in BRSKI\-AE where a pre\-established TLS channel is reused for CMP. .PP Otherwise the server specified via \fBOSSL_CMP_CTX_set1_server\fR\|(3) and optionally \fBOSSL_CMP_CTX_set_serverPort\fR\|(3) is contacted, where the default port is 80 for HTTP and 443 for HTTPS. The HTTP path (aka "CMP alias" in this context) to use is by default \f(CW\*(C`/\*(C'\fR, otherwise the string specified via \fBOSSL_CMP_CTX_set1_serverPath\fR\|(3). -On success the function returns the server's response PKIMessage. +On success the function returns the server\*(Aqs response PKIMessage. .PP The function makes use of any HTTP callback function set via \fBOSSL_CMP_CTX_set_http_cb\fR\|(3). @@ -101,8 +104,8 @@ while using a proxy for HTTPS connections requires a suitable callback function such as \fBOSSL_HTTP_proxy_connect\fR\|(3). .SH NOTES .IX Header "NOTES" -CMP is defined in RFC 4210. -HTTP transfer for CMP is defined in RFC 6712. +CMP is defined in RFC 9810. +HTTP transfer for CMP is defined in RFC 9811. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_CMP_MSG_http_perform()\fR diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_SRV_CTX_new.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_SRV_CTX_new.3 index ee8eb34bc6b8..6a206a1f5336 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_SRV_CTX_new.3 
+++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_SRV_CTX_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_SRV_CTX_NEW 3ossl" -.TH OSSL_CMP_SRV_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_SRV_CTX_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -166,6 +169,7 @@ which may be due to normal successful end of the transaction or due to an error. \&\fBOSSL_CMP_CTX_server_perform()\fR is an interface to \&\fBOSSL_CMP_SRV_process_request()\fR that can be used by a CMP client in the same way as \fBOSSL_CMP_MSG_http_perform\fR\|(3). +In particular, the first parameter \fIclient_ctx\fR is the \fBOSSL_CMP_CTX\fR of the client. The \fBOSSL_CMP_SRV_CTX\fR must be set as \fItransfer_cb_arg\fR of \fIclient_ctx\fR. .PP \&\fBOSSL_CMP_SRV_CTX_new()\fR creates and initializes an \fBOSSL_CMP_SRV_CTX\fR structure 
@@ -209,13 +213,13 @@ and other forms of negative responses unprotected. without protection of with invalid protection. .PP \&\fBOSSL_CMP_SRV_CTX_set_accept_raverified()\fR enables acceptance of ir/cr/kur -messages with POPO 'RAVerified'. +messages with POPO \*(AqRAVerified\*(Aq. .PP \&\fBOSSL_CMP_SRV_CTX_set_grant_implicit_confirm()\fR enables granting implicit confirmation of newly enrolled certificates if requested. .SH NOTES .IX Header "NOTES" -CMP is defined in RFC 4210 (and CRMF in RFC 4211). +CMP is defined in RFC 9810 (and CRMF in RFC 4211). .PP So far the CMP server implementation is limited to one request per CMP message (and consequently to at most one response component per CMP message). diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_STATUSINFO_new.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_STATUSINFO_new.3 index 394b7c989e73..11113901d896 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_STATUSINFO_new.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_STATUSINFO_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_STATUSINFO_NEW 3ossl" -.TH OSSL_CMP_STATUSINFO_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_STATUSINFO_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -88,16 +91,16 @@ It sets the status field to \fIstatus\fR, copies \fItext\fR (unless it is NULL) to statusString, and interprets \fIfail_info\fR as bit pattern for the failInfo field. .PP -\&\fBOSSL_CMP_snprint_PKIStatusInfo()\fR places a human-readable string +\&\fBOSSL_CMP_snprint_PKIStatusInfo()\fR places a human\-readable string representing the given statusInfo in the given buffer, with the given maximal length. .PP -\&\fBOSSL_CMP_CTX_snprint_PKIStatus()\fR places a human-readable string +\&\fBOSSL_CMP_CTX_snprint_PKIStatus()\fR places a human\-readable string representing the PKIStatusInfo components of the CMP context \fIctx\fR in the given buffer, with the given maximal length. .SH NOTES .IX Header "NOTES" -CMP is defined in RFC 4210 (and CRMF in RFC 4211). +CMP is defined in RFC 9810. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_CMP_STATUSINFO_new()\fR diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_exec_certreq.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_exec_certreq.3 index 1fe4ebad6971..e4357894ce00 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_exec_certreq.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_exec_certreq.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_EXEC_CERTREQ 3ossl" -.TH OSSL_CMP_EXEC_CERTREQ 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_EXEC_CERTREQ 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -112,7 +115,7 @@ OSSL_CMP_get1_certReqTemplate .Ve .PP This is the OpenSSL API for doing CMP (Certificate Management Protocol) -client-server transactions, i.e., sequences of CMP requests and responses. +client\-server transactions, i.e., sequences of CMP requests and responses. .PP All functions take a populated OSSL_CMP_CTX structure as their first argument. Usually the server name, port, and path ("CMP alias") need to be set, as well as @@ -123,7 +126,7 @@ also accessor functions for retrieving various results and status information from the \fIctx\fR. See \fBOSSL_CMP_CTX_new\fR\|(3) etc. for details. .PP The default conveying protocol is HTTP. -Timeout values may be given per request-response pair and per transaction. +Timeout values may be given per request\-response pair and per transaction. See \fBOSSL_CMP_MSG_http_perform\fR\|(3) for details. .PP \&\fBOSSL_CMP_exec_IR_ses()\fR requests an initial certificate from the given PKI. @@ -153,7 +156,7 @@ more flexible regarding what to do after receiving a checkAfter value. When called for the first time (with no certificate request in progress for the given \fIctx\fR) it starts a new transaction by sending a certificate request constructed as stated above using the \fIreq_type\fR and optional \fIcrm\fR parameter. -Otherwise (when according to \fIctx\fR a 'waiting' status has been received before) +Otherwise (when according to \fIctx\fR a \*(Aqwaiting\*(Aq status has been received before) it continues polling for the pending request unless the \fIreq_type\fR argument is < 0, which aborts the request. If the requested certificate is available the function returns 1 and the 
@@ -179,7 +182,7 @@ otherwise the issuer DN and serial number of the certificate set by \fBOSSL_CMP_CTX_set1_oldCert\fR\|(3), otherwise the subject DN and public key of the certificate signing request set by \fBOSSL_CMP_CTX_set1_p10CSR\fR\|(3). -RFC 4210 is vague in which PKIStatus should be returned by the server. +RFC 9810 is vague in which PKIStatus should be returned by the server. We take "accepted" and "grantedWithMods" as clear success and handle "revocationWarning" and "revocationNotification" just as warnings because CAs typically return them as an indication that the certificate was already revoked. @@ -198,7 +201,7 @@ and returns the list of \fBITAV\fRs received in a genp response message. This can be used, for instance, with infoType \f(CW\*(C`signKeyPairTypes\*(C'\fR to obtain the set of signature algorithm identifiers that the CA will certify for subject public keys. -See RFC 4210 section 5.3.19 and appendix E.5 for details. +See RFC 9810 section 5.3.19 and appendix D.5 for details. Functions implementing more specific genm/genp exchanges are described next. .PP \&\fBOSSL_CMP_get1_caCerts()\fR uses a genm/genp message exchange with infoType caCerts @@ -211,7 +214,7 @@ NULL output means that no CA certificates were provided by the server. with infoType rootCaCert to obtain from the CMP server referenced by \fIctx\fR in a genp response message with infoType rootCaKeyUpdate any update of the given root CA certificate \fIoldWithOld\fR and verifies it as far as possible. -See RFC 4210 section 4.4 for details. +See RFC 9810 section 4.4 for details. On success it assigns to \fI*newWithNew\fR the root certificate received. When the \fInewWithOld\fR and \fIoldWithNew\fR output parameters are not NULL, it assigns to them the corresponding transition certificates. 
@@ -242,7 +245,7 @@ if received, otherwise it set to NULL. Both must be freed by the caller. .SH NOTES .IX Header "NOTES" -CMP is defined in RFC 4210 (and CRMF in RFC 4211). +CMP is defined in RFC 9810 (and CRMF in RFC 4211). .PP The CMP client implementation is limited to one request per CMP message (and consequently to at most one response component per CMP message). @@ -253,9 +256,9 @@ functions like \fBOSSL_CMP_get1_caCerts()\fR and \fBOSSL_CMP_get1_rootCaKeyUpdat authentication of the CMP server is particularly critical. So special care must be taken setting up server authentication in \fIctx\fR using functions such as -\&\fBOSSL_CMP_CTX_set0_trusted\fR\|(3) (for certificate-based authentication) or -\&\fBOSSL_CMP_CTX_set1_secretValue\fR\|(3) (for MAC-based protection). -If authentication is certificate-based, \fBOSSL_CMP_CTX_get0_validatedSrvCert\fR\|(3) +\&\fBOSSL_CMP_CTX_set0_trusted\fR\|(3) (for certificate\-based authentication) or +\&\fBOSSL_CMP_CTX_set1_secretValue\fR\|(3) (for MAC\-based protection). +If authentication is certificate\-based, \fBOSSL_CMP_CTX_get0_validatedSrvCert\fR\|(3) should be used to obtain the server validated certificate and perform an authorization check based on it. .SH "RETURN VALUES" @@ -269,7 +272,7 @@ This pointer will be freed implicitly by \fBOSSL_CMP_CTX_free()\fR or \&\fBOSSL_CMP_try_certreq()\fR returns 1 if the requested certificate is available via \fBOSSL_CMP_CTX_get0_newCert\fR\|(3) or on successfully aborting a pending certificate request, 0 on error, and \-1 -in case a 'waiting' status has been received and checkAfter value is available. +in case a \*(Aqwaiting\*(Aq status has been received and checkAfter value is available. In the latter case \fBOSSL_CMP_CTX_get0_newCert\fR\|(3) yields NULL and the output parameter \fIcheckAfter\fR has been used to assign the received value unless \fIcheckAfter\fR is NULL. 
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_log_open.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_log_open.3 index dbce9f1f2ee8..e22b47e01014 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_log_open.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_log_open.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_LOG_OPEN 3ossl" -.TH OSSL_CMP_LOG_OPEN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_LOG_OPEN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -108,7 +111,7 @@ OSSL_CMP_print_errors_cb .SH DESCRIPTION .IX Header "DESCRIPTION" The logging and error reporting facility described here contains -convenience functions for CMP-specific logging, +convenience functions for CMP\-specific logging, including a string prefix mirroring the severity levels of syslog.h, and enhancements of the error queue mechanism needed for large diagnostic messages produced by the CMP library in case of certificate validation failures. 
@@ -129,7 +132,7 @@ some component info (which may be a module name and/or function name) or NULL, a file pathname or NULL, a line number or 0 indicating the source code location, a severity level, and -a message string describing the nature of the event, terminated by '\en'. +a message string describing the nature of the event, terminated by \*(Aq\en\*(Aq. .PP Even when an activity is successful some warnings may be useful and some degree of auditing may be required. Therefore, the logging facility supports a severity @@ -138,18 +141,18 @@ level, such that error, warning, info, debug, etc. can be treated differently. The callback is activated only when the severity level is sufficient according to the current level of verbosity, which by default is \fBOSSL_CMP_LOG_INFO\fR. .PP -The callback function may itself do non-trivial tasks like writing to +The callback function may itself do non\-trivial tasks like writing to a log file or remote stream, which in turn may fail. Therefore, the function should return 1 on success and 0 on failure. .PP -\&\fBOSSL_CMP_log_open()\fR initializes the CMP-specific logging facility to output +\&\fBOSSL_CMP_log_open()\fR initializes the CMP\-specific logging facility to output everything to STDOUT. It fails if the integrated tracing is disabled or STDIO is not available. It may be called during application startup. Alternatively, \fBOSSL_CMP_CTX_set_log_cb\fR\|(3) can be used for more flexibility. As long as neither if the two is used any logging output is ignored. .PP \&\fBOSSL_CMP_log_close()\fR may be called when all activities are finished to flush -any pending CMP-specific log output and deallocate related resources. +any pending CMP\-specific log output and deallocate related resources. It may be called multiple times. It does get called at OpenSSL shutdown. .PP \&\fBOSSL_CMP_print_to_bio()\fR prints the given component info, filename, line number, 
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_validate_msg.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_validate_msg.3 index 59deab832ff7..b9b284676f79 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_validate_msg.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_validate_msg.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CMP_VALIDATE_MSG 3ossl" -.TH OSSL_CMP_VALIDATE_MSG 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CMP_VALIDATE_MSG 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -79,7 +82,7 @@ which includes validating CMP message sender certificates and their paths while optionally checking the revocation status of the certificates(s). .PP \&\fBOSSL_CMP_validate_msg()\fR validates the protection of the given \fImsg\fR, -which must be signature-based or using password-based MAC (PBM). +which must be signature\-based or using password\-based MAC (PBM). In the former case a suitable trust anchor must be given in the CMP context \&\fIctx\fR, and in the latter case the matching secret must have been set there using \fBOSSL_CMP_CTX_set1_secretValue\fR\|(3). 
@@ -101,24 +104,24 @@ using any trust store set via \fBOSSL_CMP_CTX_set0_trusted\fR\|(3). .PP If the option OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR was set by calling \&\fBOSSL_CMP_CTX_set_option\fR\|(3), for an Initialization Response (IP) message -any self-issued certificate from the \fImsg\fR extraCerts field may be used -as a trust anchor for the path verification of an 'acceptable' cert if it can be +any self\-issued certificate from the \fImsg\fR extraCerts field may be used +as a trust anchor for the path verification of an \*(Aqacceptable\*(Aq cert if it can be used also to validate the issued certificate returned in the IP message. This is according to TS 33.310 [Network Domain Security (NDS); Authentication Framework (AF)] document specified by The 3rd Generation Partnership Project (3GPP). Note that using this option is dangerous as the certificate obtained this way has not been authenticated (at least not at CMP level). -Taking it over as a trust anchor implements trust-on-first-use (TOFU). +Taking it over as a trust anchor implements trust\-on\-first\-use (TOFU). .PP Any cert that has been found as described above is cached and tried first when validating the signatures of subsequent messages in the same transaction. .PP \&\fBOSSL_CMP_validate_cert_path()\fR attempts to validate the given certificate and its path using the given store of trusted certs (possibly including CRLs and a cert -verification callback) and non-trusted intermediate certs from the \fIctx\fR. +verification callback) and non\-trusted intermediate certs from the \fIctx\fR. .SH NOTES .IX Header "NOTES" -CMP is defined in RFC 4210 (and CRMF in RFC 4211). +CMP is defined in RFC 9810. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_CMP_validate_msg()\fR and \fBOSSL_CMP_validate_cert_path()\fR diff --git a/secure/lib/libcrypto/man/man3/OSSL_CORE_MAKE_FUNC.3 b/secure/lib/libcrypto/man/man3/OSSL_CORE_MAKE_FUNC.3 index 3bd9d0ea7dae..08b1305038c6 100644 
--- a/secure/lib/libcrypto/man/man3/OSSL_CORE_MAKE_FUNC.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CORE_MAKE_FUNC.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CORE_MAKE_FUNC 3ossl" -.TH OSSL_CORE_MAKE_FUNC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CORE_MAKE_FUNC 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_get0_tmpl.3 b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_get0_tmpl.3 index 4471be950284..824d15e6fee3 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_get0_tmpl.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_get0_tmpl.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CRMF_MSG_GET0_TMPL 3ossl" -.TH OSSL_CRMF_MSG_GET0_TMPL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CRMF_MSG_GET0_TMPL 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -151,7 +154,7 @@ of the given CertId \fIcid\fR, which must be of ASN.1 type GEN_DIRNAME. \&\fBOSSL_CRMF_ENCRYPTEDKEY_get1_encCert()\fR decrypts the certificate in the given encryptedKey \fIecert\fR, using the private key \fIpkey\fR, library context \&\fIlibctx\fR and property query string \fIpropq\fR (see \fBOSSL_LIB_CTX\fR\|(3)). -This is needed for the indirect POPO method as in RFC 4210 section 5.2.8.2. +This is needed for the indirect POPO method as in RFC 9810 section 5.2.8.3.2. The function returns the decrypted certificate as a copy, leaving its ownership with the caller, who is responsible for freeing it. .PP 
@@ -178,16 +181,16 @@ encryptedValue \fIenc\fR, using the private key \fIpkey\fR, library context \&\fBOSSL_CRMF_ENCRYPTEDVALUE_get1_encCert()\fR decrypts the certificate in the given encryptedValue \fIecert\fR, using the private key \fIpkey\fR, library context \&\fIlibctx\fR and property query string \fIpropq\fR (see \fBOSSL_LIB_CTX\fR\|(3)). -This is needed for the indirect POPO method as in RFC 4210 section 5.2.8.2. +This is needed for the indirect POPO method as in RFC 9810 section 5.2.8.3.2. The function returns the decrypted certificate as a copy, leaving its ownership with the caller, who is responsible for freeing it. .PP \&\fBOSSL_CRMF_MSG_get_certReqId()\fR retrieves the certReqId of \fIcrm\fR. .PP \&\fBOSSL_CRMF_MSG_centralkeygen_requested()\fR returns 1 if central key generation -is requested i.e., the public key in the certificate request (\fIcrm\fR is taken if it is non-NULL, +is requested i.e., the public key in the certificate request (\fIcrm\fR is taken if it is non\-NULL, otherwise \fIp10cr\fR) is NULL or has an empty key value (with length zero). -In case \fIcrm\fR is non-NULL, this is checked for consistency with its \fBpopo\fR field +In case \fIcrm\fR is non\-NULL, this is checked for consistency with its \fBpopo\fR field (must be NULL if and only if central key generation is requested). Otherwise it returns 0, and on error a negative value. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set0_validity.3 b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set0_validity.3 index 45fa682f1797..af1ae2e7e17e 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set0_validity.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set0_validity.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CRMF_MSG_SET0_VALIDITY 3ossl" -.TH OSSL_CRMF_MSG_SET0_VALIDITY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CRMF_MSG_SET0_VALIDITY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -108,19 +111,19 @@ On success ownership of \fInotBefore\fR and \fInotAfter\fR is transferred to \fI \&\fBOSSL_CRMF_MSG_set_certReqId()\fR sets \fIrid\fR as the certReqId of \fIcrm\fR. .PP \&\fBOSSL_CRMF_CERTTEMPLATE_fill()\fR sets those fields of the certTemplate \fItmpl\fR -for which non-NULL values are provided: \fIpubkey\fR, \fIsubject\fR, \fIissuer\fR, +for which non\-NULL values are provided: \fIpubkey\fR, \fIsubject\fR, \fIissuer\fR, and/or \fIserial\fR. X.509 extensions may be set using \fBOSSL_CRMF_MSG_set0_extensions()\fR. On success the reference counter of the \fIpubkey\fR (if given) is incremented, while the \fIsubject\fR, \fIissuer\fR, and \fIserial\fR structures (if given) are copied. .PP \&\fBOSSL_CRMF_MSG_set0_extensions()\fR sets \fIexts\fR as the extensions in the -certTemplate of \fIcrm\fR. Frees any pre-existing ones and consumes \fIexts\fR. +certTemplate of \fIcrm\fR. Frees any pre\-existing ones and consumes \fIexts\fR. .PP \&\fBOSSL_CRMF_MSG_push0_extension()\fR pushes the X509 extension \fIext\fR to the extensions in the certTemplate of \fIcrm\fR. Consumes \fIext\fR. .PP -\&\fBOSSL_CRMF_MSG_create_popo()\fR creates and sets the Proof-of-Possession (POPO) +\&\fBOSSL_CRMF_MSG_create_popo()\fR creates and sets the Proof\-of\-Possession (POPO) according to the method \fImeth\fR in \fIcrm\fR. The library context \fIlibctx\fR and property query string \fIpropq\fR, may be NULL to select the defaults. @@ -132,7 +135,7 @@ Ed25519 and Ed448) that is implicitly associated with a digest algorithm. \&\fImeth\fR can be one of the following: .IP \(bu 8 OSSL_CRMF_POPO_NONE \- RFC 4211, section 4, POP field omitted. -CA/RA uses out-of-band method to verify POP. Note that servers may fail in this +CA/RA uses out\-of\-band method to verify POP. Note that servers may fail in this case, resulting for instance in HTTP error code 500 (Internal error). .IP \(bu 8 OSSL_CRMF_POPO_RAVERIFIED \- RFC 4211, section 4, explicit indication 
@@ -143,11 +146,11 @@ so far. .IP \(bu 8 OSSL_CRMF_POPO_KEYENC \- RFC 4211, section 4.2, only indirect method (subsequentMessage/enccert) supported, -challenge-response exchange (challengeResp) not yet supported. +challenge\-response exchange (challengeResp) not yet supported. .IP \(bu 8 OSSL_CRMF_POPO_KEYAGREE \- RFC 4211, section 4.3, not yet supported. .PP -OSSL_CRMF_MSGS_verify_popo verifies the Proof-of-Possession of the request with +OSSL_CRMF_MSGS_verify_popo verifies the Proof\-of\-Possession of the request with the given \fIrid\fR in the list of \fIreqs\fR. Optionally accepts RAVerified. It can make use of the library context \fIlibctx\fR and property query string \fIpropq\fR. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.3 b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.3 index 58e94d645e42..0950b97fcc3c 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CRMF_MSG_SET1_REGCTRL_REGTOKEN 3ossl" -.TH OSSL_CRMF_MSG_SET1_REGCTRL_REGTOKEN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CRMF_MSG_SET1_REGCTRL_REGTOKEN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.3 b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.3 index 2d692d030385..12e2479b2c5e 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CRMF_MSG_SET1_REGINFO_CERTREQ 3ossl" -.TH OSSL_CRMF_MSG_SET1_REGINFO_CERTREQ 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CRMF_MSG_SET1_REGINFO_CERTREQ 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OSSL_CRMF_pbmp_new.3 b/secure/lib/libcrypto/man/man3/OSSL_CRMF_pbmp_new.3 index 95ecd22aff83..0c1e8ac30583 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CRMF_pbmp_new.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CRMF_pbmp_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_CRMF_PBMP_NEW 3ossl" -.TH OSSL_CRMF_PBMP_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_CRMF_PBMP_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -81,7 +84,7 @@ OSSL_CRMF_pbmp_new .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBOSSL_CRMF_pbm_new()\fR generates a PBM (Password-Based MAC) based on given PBM +\&\fBOSSL_CRMF_pbm_new()\fR generates a PBM (Password\-Based MAC) based on given PBM parameters \fIpbmp\fR, message \fImsg\fR, and secret \fIsec\fR, along with the respective lengths \fImsglen\fR and \fIseclen\fR. The optional library context \fIlibctx\fR and \fIpropq\fR parameters may be used 
@@ -93,22 +96,23 @@ allocated MAC via the \fImac\fR reference parameter and writes the length via th .PP \&\fBOSSL_CRMF_pbmp_new()\fR initializes and returns a new \fBPBMParameter\fR structure with a new random salt of given length \fIsaltlen\fR, -OWF (one-way function) NID \fIowfnid\fR, OWF iteration count \fIitercnt\fR, +OWF (one\-way function) NID \fIowfnid\fR, OWF iteration count \fIitercnt\fR, and MAC NID \fImacnid\fR. The library context \fIlibctx\fR parameter may be used to select the provider for the random number generation (DRBG) and may be NULL for the default. .SH NOTES .IX Header "NOTES" -The algorithms for the OWF (one-way function) and for the MAC (message +The algorithms for the OWF (one\-way function) and for the MAC (message authentication code) may be any with a NID defined in \fI<openssl/objects.h>\fR. -As specified by RFC 4210, these should include NID_hmac_sha1. +For backward compatibility with RFC 4210, these should include NID_hmac_sha1. .PP -RFC 4210 recommends that the salt SHOULD be at least 8 bytes (64 bits) long, +RFC 4210 recommended that the salt SHOULD be at least 8 bytes (64 bits) long, where 16 bytes is common. .PP The iteration count must be at least 100, as stipulated by RFC 4211, and is limited to at most 100000 to avoid DoS through manipulated or otherwise malformed input. +See RFC 9045 for currently suggested values. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_CRMF_pbm_new()\fR returns 1 on success, 0 on error. diff --git a/secure/lib/libcrypto/man/man3/OSSL_DECODER.3 b/secure/lib/libcrypto/man/man3/OSSL_DECODER.3 index 15918a5712d4..35235214980d 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_DECODER.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_DECODER.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_DECODER 3ossl" -.TH OSSL_DECODER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_DECODER 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -129,7 +132,7 @@ If the argument is NULL, nothing is done. with the given \fIdecoder\fR. .PP \&\fBOSSL_DECODER_is_a()\fR checks if \fIdecoder\fR is an implementation -of an algorithm that's identifiable with \fIname\fR. +of an algorithm that\*(Aqs identifiable with \fIname\fR. .PP \&\fBOSSL_DECODER_get0_name()\fR returns the name used to fetch the given \fIdecoder\fR. .PP @@ -150,7 +153,7 @@ array of parameter descriptors. .PP \&\fBOSSL_DECODER_get_params()\fR attempts to get parameters specified with an \fBOSSL_PARAM\fR\|(3) array \fIparams\fR. Parameters that the -implementation doesn't recognise should be ignored. +implementation doesn\*(Aqt recognise should be ignored. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_DECODER_fetch()\fR returns a pointer to an OSSL_DECODER object, @@ -158,7 +161,7 @@ or NULL on error. .PP \&\fBOSSL_DECODER_up_ref()\fR returns 1 on success, or 0 on error. .PP -\&\fBOSSL_DECODER_free()\fR doesn't return any value. +\&\fBOSSL_DECODER_free()\fR doesn\*(Aqt return any value. .PP \&\fBOSSL_DECODER_get0_provider()\fR returns a pointer to a provider object, or NULL on error. 
@@ -176,7 +179,7 @@ algorithm definition is returned. Ownership of the returned string is retained by the \fIdecoder\fR object and should not be freed by the caller. .PP \&\fBOSSL_DECODER_get0_description()\fR returns a pointer to a description, or NULL if -there isn't one. +there isn\*(Aqt one. .PP \&\fBOSSL_DECODER_names_do_all()\fR returns 1 if the callback was called for all names. A return value of 0 means that the callback was not called for any names. diff --git a/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX.3 b/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX.3 index 616aca3869d1..2abe63e31819 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_DECODER_CTX 3ossl" -.TH OSSL_DECODER_CTX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_DECODER_CTX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -157,7 +160,7 @@ added those that take the specified input type, and functions like the decoder implementations that take that input type. For example, if the input type is set to \f(CW\*(C`DER\*(C'\fR, a PEM to DER decoder will be ignored. .PP -The input type can also be NULL, which means that the caller doesn't know +The input type can also be NULL, which means that the caller doesn\*(Aqt know what type of input they have. In this case, \fBOSSL_DECODER_from_bio()\fR will simply try with one decoder implementation after the other, and thereby discover what kind of input the caller gave it. @@ -181,7 +184,7 @@ parameter descriptors. \&\fBOSSL_DECODER_CTX_set_params()\fR attempts to set parameters specified with an \&\fBOSSL_PARAM\fR\|(3) array \fIparams\fR. These parameters are passed to all decoders that have been added to the \fIctx\fR so far. Parameters that an -implementation doesn't recognise should be ignored by it. +implementation doesn\*(Aqt recognise should be ignored by it. .PP \&\fBOSSL_DECODER_CTX_free()\fR frees the given context \fIctx\fR. If the argument is NULL, nothing is done. @@ -199,7 +202,7 @@ above. .PP \&\fBOSSL_DECODER_CTX_set_input_structure()\fR sets the name of the structure that the input is expected to have. This may be used to determines what decoder -implementations may be used. NULL is a valid input structure, when it's not +implementations may be used. NULL is a valid input structure, when it\*(Aqs not relevant, or when the decoder implementations are expected to figure it out. .PP \&\fBOSSL_DECODER_CTX_get_num_decoders()\fR gets the number of decoders currently 
@@ -208,7 +211,7 @@ added to the context \fIctx\fR. \&\fBOSSL_DECODER_CTX_set_construct()\fR sets the constructor \fIconstruct\fR. .PP \&\fBOSSL_DECODER_CTX_set_construct_data()\fR sets the constructor data that is -passed to the constructor every time it's called. +passed to the constructor every time it\*(Aqs called. .PP \&\fBOSSL_DECODER_CTX_set_cleanup()\fR sets the constructor data \fIcleanup\fR function. This is called by \fBOSSL_DECODER_CTX_free\fR\|(3). @@ -224,6 +227,13 @@ decode instance \fIdecoder_inst\fR that the constructor got and an object \&\fIreference\fR, unpacks the object which it refers to, and exports it by creating an \fBOSSL_PARAM\fR\|(3) array that it then passes to \fIexport_cb\fR, along with \fIexport_arg\fR. +.PP +Note that functions \fBOSSL_DECODER_CTX_set_selection()\fR, +\&\fBOSSL_DECODER_CTX_set_output_type()\fR, \fBOSSL_DECODER_CTX_set_output_structure()\fR, +\&\fBOSSL_DECODER_CTX_add_encoder()\fR, \fBOSSL_DECODER_CTX_add_extra()\fR, +\&\fBOSSL_DECODER_CTX_set_construct()\fR, \fBOSSL_DECODER_CTX_set_construct_data()\fR, and +\&\fBOSSL_DECODER_CTX_set_cleanup()\fR shouldn\*(Aqt be used after the context is finalised, +in particular after calling the function \fBOSSL_DECODER_CTX_new_for_pkey()\fR. .SS Constructor .IX Subsection "Constructor" A \fBOSSL_DECODER_CONSTRUCT\fR gets the following arguments: @@ -233,8 +243,8 @@ The \fBOSSL_DECODER_INSTANCE\fR for the decoder from which the constructor gets its data. .IP \fIobject\fR 4 .IX Item "object" -A provider-native object abstraction produced by the decoder. Further -information on the provider-native object abstraction can be found in +A provider\-native object abstraction produced by the decoder. Further +information on the provider\-native object abstraction can be found in \&\fBprovider\-object\fR\|(7). .IP \fIconstruct_data\fR 4 .IX Item "construct_data" 
@@ -249,10 +259,10 @@ These utility functions may be used by a constructor: implementation from a decoder instance \fIdecoder_inst\fR. .PP \&\fBOSSL_DECODER_INSTANCE_get_decoder_ctx()\fR can be used to get the decoder -implementation's provider context from a decoder instance \fIdecoder_inst\fR. +implementation\*(Aqs provider context from a decoder instance \fIdecoder_inst\fR. .PP \&\fBOSSL_DECODER_INSTANCE_get_input_type()\fR can be used to get the decoder -implementation's input type from a decoder instance \fIdecoder_inst\fR. +implementation\*(Aqs input type from a decoder instance \fIdecoder_inst\fR. .PP \&\fBOSSL_DECODER_INSTANCE_get_input_structure()\fR can be used to get the input structure for the decoder implementation from a decoder instance @@ -261,7 +271,7 @@ This may be NULL. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_DECODER_CTX_new()\fR returns a pointer to a \fBOSSL_DECODER_CTX\fR, or NULL -if the context structure couldn't be allocated. +if the context structure couldn\*(Aqt be allocated. .PP \&\fBOSSL_DECODER_settable_ctx_params()\fR returns an \fBOSSL_PARAM\fR\|(3) array, or NULL if none is available. diff --git a/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX_new_for_pkey.3 b/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX_new_for_pkey.3 index 1710ece2160f..679bd0490587 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX_new_for_pkey.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX_new_for_pkey.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_DECODER_CTX_NEW_FOR_PKEY 3ossl" -.TH OSSL_DECODER_CTX_NEW_FOR_PKEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_DECODER_CTX_NEW_FOR_PKEY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -130,6 +133,10 @@ zero). This helps the caller to distinguish between an error when creating the \fBOSSL_ENCODER_CTX\fR and missing encoder implementation, and allows it to act accordingly. .PP +Note that \fBOSSL_DECODER_CTX_new_for_pkey()\fR finalises the OSSL_DECODER_CTX; +after that the OSSL_DECODER_CTX_set_* and OSSL_DECODER_CTX_add_* functions +described in \fBOSSL_DECODER_CTX\fR\|(3) shouldn\*(Aqt be called. +.PP \&\fBOSSL_DECODER_CTX_set_passphrase()\fR gives the implementation a pass phrase to use when decrypting the encoded private key. Alternatively, a pass phrase callback may be specified with the following functions. @@ -173,7 +180,7 @@ auto detect the selection. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_DECODER_CTX_new_for_pkey()\fR returns a pointer to a -\&\fBOSSL_DECODER_CTX\fR, or NULL if it couldn't be created. +\&\fBOSSL_DECODER_CTX\fR, or NULL if it couldn\*(Aqt be created. .PP \&\fBOSSL_DECODER_CTX_set_passphrase()\fR, \fBOSSL_DECODER_CTX_set_pem_password_cb()\fR, \&\fBOSSL_DECODER_CTX_set_passphrase_ui()\fR and diff --git a/secure/lib/libcrypto/man/man3/OSSL_DECODER_from_bio.3 b/secure/lib/libcrypto/man/man3/OSSL_DECODER_from_bio.3 index f75cc305644d..f5a3e02f835a 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_DECODER_from_bio.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_DECODER_from_bio.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_DECODER_FROM_BIO 3ossl" -.TH OSSL_DECODER_FROM_BIO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_DECODER_FROM_BIO 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -83,13 +86,13 @@ Feature availability macros: .IX Header "DESCRIPTION" \&\fBOSSL_DECODER_from_data()\fR runs the decoding process for the context \fIctx\fR, with input coming from \fI*pdata\fR, \fI*pdata_len\fR bytes long. Both \fI*pdata\fR -and \fI*pdata_len\fR must be non-NULL. When \fBOSSL_DECODER_from_data()\fR returns, +and \fI*pdata_len\fR must be non\-NULL. When \fBOSSL_DECODER_from_data()\fR returns, \&\fI*pdata\fR is updated to point at the location after what has been decoded, and \fI*pdata_len\fR to have the number of remaining bytes. .PP \&\fBOSSL_DECODER_from_bio()\fR runs the decoding process for the context \fIctx\fR, with the input coming from the \fBBIO\fR \fIin\fR. Should it make a difference, -it's recommended to have the BIO set in binary mode rather than text mode. +it\*(Aqs recommended to have the BIO set in binary mode rather than text mode. .PP \&\fBOSSL_DECODER_from_fp()\fR does the same thing as \fBOSSL_DECODER_from_bio()\fR, except that the input is coming from the \fBFILE\fR \fIfp\fR. diff --git a/secure/lib/libcrypto/man/man3/OSSL_DISPATCH.3 b/secure/lib/libcrypto/man/man3/OSSL_DISPATCH.3 index 1df93624f99b..3506823e219f 100644 
--- a/secure/lib/libcrypto/man/man3/OSSL_DISPATCH.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_DISPATCH.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_DISPATCH 3ossl" -.TH OSSL_DISPATCH 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_DISPATCH 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -96,7 +99,7 @@ signature that corresponds to the \fIfunction_id\fR Available function identities and corresponding function signatures are defined in \fBopenssl\-core_dispatch.h\fR\|(7). Furthermore, the chosen function identities and associated function -signature must be chosen specifically for the operation that it's intended +signature must be chosen specifically for the operation that it\*(Aqs intended for, as determined by the intended \fBOSSL_ALGORITHM\fR\|(3) array. .PP Any function identity not recognised by the recipient of this type diff --git a/secure/lib/libcrypto/man/man3/OSSL_ENCODER.3 b/secure/lib/libcrypto/man/man3/OSSL_ENCODER.3 index cca37a8602f0..4231d89427f2 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_ENCODER.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_ENCODER.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_ENCODER 3ossl" -.TH OSSL_ENCODER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_ENCODER 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -129,7 +132,7 @@ If the argument is NULL, nothing is done. with the given \fIencoder\fR. .PP \&\fBOSSL_ENCODER_is_a()\fR checks if \fIencoder\fR is an implementation of an -algorithm that's identifiable with \fIname\fR. +algorithm that\*(Aqs identifiable with \fIname\fR. .PP \&\fBOSSL_ENCODER_get0_name()\fR returns the name used to fetch the given \fIencoder\fR. .PP @@ -150,7 +153,7 @@ array of parameter descriptors. .PP \&\fBOSSL_ENCODER_get_params()\fR attempts to get parameters specified with an \fBOSSL_PARAM\fR\|(3) array \fIparams\fR. Parameters that the -implementation doesn't recognise should be ignored. +implementation doesn\*(Aqt recognise should be ignored. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_ENCODER_fetch()\fR returns a pointer to the key management @@ -159,7 +162,7 @@ error. .PP \&\fBOSSL_ENCODER_up_ref()\fR returns 1 on success, or 0 on error. .PP -\&\fBOSSL_ENCODER_free()\fR doesn't return any value. +\&\fBOSSL_ENCODER_free()\fR doesn\*(Aqt return any value. .PP \&\fBOSSL_ENCODER_get0_provider()\fR returns a pointer to a provider object, or NULL on error. 
@@ -177,7 +180,7 @@ algorithm definition is returned. Ownership of the returned string is retained by the \fIencoder\fR object and should not be freed by the caller. .PP \&\fBOSSL_ENCODER_get0_description()\fR returns a pointer to a description, or NULL if -there isn't one. +there isn\*(Aqt one. .PP \&\fBOSSL_ENCODER_names_do_all()\fR returns 1 if the callback was called for all names. A return value of 0 means that the callback was not called for any names. diff --git a/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX.3 b/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX.3 index 98b727c320f1..d07017be9011 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_ENCODER_CTX 3ossl" -.TH OSSL_ENCODER_CTX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_ENCODER_CTX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -140,7 +143,7 @@ The final output type must be given, and a chain of encoders must end with an implementation that produces that output type. .PP At the beginning of the encoding process, a constructor provided by the -caller is called to ensure that there is an appropriate provider-side object +caller is called to ensure that there is an appropriate provider\-side object to start with. The constructor is set with \fBOSSL_ENCODER_CTX_set_construct()\fR. .PP 
@@ -157,7 +160,7 @@ array of parameter descriptors. .PP \&\fBOSSL_ENCODER_CTX_set_params()\fR attempts to set parameters specified with an \fBOSSL_PARAM\fR\|(3) array \fIparams\fR. Parameters that the -implementation doesn't recognise should be ignored. +implementation doesn\*(Aqt recognise should be ignored. .PP \&\fBOSSL_ENCODER_CTX_free()\fR frees the given context \fIctx\fR. If the argument is NULL, nothing is done. @@ -183,10 +186,17 @@ added to the context \fIctx\fR. \&\fBOSSL_ENCODER_CTX_set_construct()\fR sets the constructor \fIconstruct\fR. .PP \&\fBOSSL_ENCODER_CTX_set_construct_data()\fR sets the constructor data that is -passed to the constructor every time it's called. +passed to the constructor every time it\*(Aqs called. .PP \&\fBOSSL_ENCODER_CTX_set_cleanup()\fR sets the constructor data \fIcleanup\fR function. This is called by \fBOSSL_ENCODER_CTX_free\fR\|(3). +.PP +Note that functions \fBOSSL_ENCODER_CTX_set_selection()\fR, +\&\fBOSSL_ENCODER_CTX_set_output_type()\fR, \fBOSSL_ENCODER_CTX_set_output_structure()\fR, +\&\fBOSSL_ENCODER_CTX_add_encoder()\fR, \fBOSSL_ENCODER_CTX_add_extra()\fR, +\&\fBOSSL_ENCODER_CTX_set_construct()\fR, \fBOSSL_ENCODER_CTX_set_construct_data()\fR, and +\&\fBOSSL_ENCODER_CTX_set_cleanup()\fR shouldn\*(Aqt be used after the context is finalised, +in particular after calling the function \fBOSSL_ENCODER_CTX_new_for_pkey()\fR. .SS Constructor .IX Subsection "Constructor" A \fBOSSL_ENCODER_CONSTRUCT\fR gets the following arguments: 
@@ -198,8 +208,8 @@ its data. .IX Item "construct_data" The pointer that was set with \fBOSSL_ENCODE_CTX_set_construct_data()\fR. .PP -The constructor is expected to return a valid (non-NULL) pointer to a -provider-native object that can be used as first input of an encoding chain, +The constructor is expected to return a valid (non\-NULL) pointer to a +provider\-native object that can be used as first input of an encoding chain, or NULL to indicate that an error has occurred. .PP These utility functions may be used by a constructor: @@ -208,7 +218,7 @@ These utility functions may be used by a constructor: implementation of the encoder instance \fIencoder_inst\fR. .PP \&\fBOSSL_ENCODER_INSTANCE_get_encoder_ctx()\fR can be used to get the encoder -implementation's provider context of the encoder instance \fIencoder_inst\fR. +implementation\*(Aqs provider context of the encoder instance \fIencoder_inst\fR. .PP \&\fBOSSL_ENCODER_INSTANCE_get_output_type()\fR can be used to get the output type for the encoder implementation of the encoder instance \fIencoder_inst\fR. @@ -221,7 +231,7 @@ This may be NULL. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_ENCODER_CTX_new()\fR returns a pointer to a \fBOSSL_ENCODER_CTX\fR, or NULL -if the context structure couldn't be allocated. +if the context structure couldn\*(Aqt be allocated. .PP \&\fBOSSL_ENCODER_settable_ctx_params()\fR returns an \fBOSSL_PARAM\fR\|(3) array, or NULL if none is available. @@ -251,6 +261,11 @@ output type. .PP \&\fBOSSL_ENCODER_INSTANCE_get_output_structure()\fR returns a string with the name of the output structure. +.SH "NOTES AND BUGS" +.IX Header "NOTES AND BUGS" +The chain mechanism in ENCODE is not yet completely implemented. +It affects functions such as OSSL_ENCODER_CTX_add_extra and the +inner processing loop. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBprovider\fR\|(7), \fBOSSL_ENCODER\fR\|(3) 
diff --git a/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX_new_for_pkey.3 b/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX_new_for_pkey.3 index bf732b85f784..3677f790e20d 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX_new_for_pkey.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX_new_for_pkey.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_ENCODER_CTX_NEW_FOR_PKEY 3ossl" -.TH OSSL_ENCODER_CTX_NEW_FOR_PKEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_ENCODER_CTX_NEW_FOR_PKEY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -109,7 +112,7 @@ Internally, \fBOSSL_ENCODER_CTX_new_for_pkey()\fR uses the names from the \&\fBEVP_KEYMGMT\fR\|(3) implementation associated with \fIpkey\fR to build a list of applicable encoder implementations that are used to process the \fIpkey\fR into the encoding named by \fIoutput_type\fR, with the outermost structure named by -\&\fIoutput_structure\fR if that's relevant. All these implementations are +\&\fIoutput_structure\fR if that\*(Aqs relevant. All these implementations are implicitly fetched, with \fIpropquery\fR for finer selection. .PP If no suitable encoder implementation is found, 
@@ -119,6 +122,10 @@ zero). This helps the caller to distinguish between an error when creating the \fBOSSL_ENCODER_CTX\fR and missing encoder implementation, and allows it to act accordingly. .PP +Note that \fBOSSL_ENCODER_CTX_new_for_pkey()\fR finalises the OSSL_ENCODER_CTX; +after that the OSSL_ENCODER_CTX_set_* and OSSL_ENCODER_CTX_add_* functions +described in \fBOSSL_ENCODER_CTX\fR\|(3) shouldn\*(Aqt be called. +.PP \&\fBOSSL_ENCODER_CTX_set_cipher()\fR tells the implementation what cipher should be used to encrypt encoded keys. The cipher is given by name \fIcipher_name\fR. The interpretation of that \fIcipher_name\fR is @@ -164,14 +171,14 @@ The output is the \fIselection\fR of the \fIpkey\fR in PEM format. \&\fIselection\fR can be any one of the values described in "Selections" in \fBEVP_PKEY_fromdata\fR\|(3). .PP -These are only 'hints' since the encoder implementations are free to +These are only \*(Aqhints\*(Aq since the encoder implementations are free to determine what makes sense to include in the output, and this may depend on -the desired output. For example, an EC key in a PKCS#8 structure doesn't +the desired output. For example, an EC key in a PKCS#8 structure doesn\*(Aqt usually include the public key. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_ENCODER_CTX_new_for_pkey()\fR returns a pointer to an \fBOSSL_ENCODER_CTX\fR, -or NULL if it couldn't be created. +or NULL if it couldn\*(Aqt be created. .PP \&\fBOSSL_ENCODER_CTX_set_cipher()\fR, \fBOSSL_ENCODER_CTX_set_passphrase()\fR, \&\fBOSSL_ENCODER_CTX_set_pem_password_cb()\fR, \fBOSSL_ENCODER_CTX_set_passphrase_ui()\fR diff --git a/secure/lib/libcrypto/man/man3/OSSL_ENCODER_to_bio.3 b/secure/lib/libcrypto/man/man3/OSSL_ENCODER_to_bio.3 index 263ebff6be3a..93fad4d17e32 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_ENCODER_to_bio.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_ENCODER_to_bio.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_ENCODER_TO_BIO 3ossl" -.TH OSSL_ENCODER_TO_BIO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_ENCODER_TO_BIO 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -87,7 +90,7 @@ If \fI*pdata\fR is NULL when \fBOSSL_ENCODER_to_data()\fR is called, a buffer wi allocated using \fBOPENSSL_zalloc\fR\|(3), and \fI*pdata\fR will be set to point at the start of that buffer, and \fI*pdata_len\fR will be assigned its length when \&\fBOSSL_ENCODER_to_data()\fR returns. -If \fI*pdata\fR is non-NULL when \fBOSSL_ENCODER_to_data()\fR is called, \fI*pdata_len\fR +If \fI*pdata\fR is non\-NULL when \fBOSSL_ENCODER_to_data()\fR is called, \fI*pdata_len\fR is assumed to have its size. In this case, \fI*pdata\fR will be set to point after the encoded bytes, and \fI*pdata_len\fR will be assigned the number of remaining bytes. diff --git a/secure/lib/libcrypto/man/man3/OSSL_ERR_STATE_save.3 b/secure/lib/libcrypto/man/man3/OSSL_ERR_STATE_save.3 index 141f2b4d7591..3d9371780177 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_ERR_STATE_save.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_ERR_STATE_save.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_ERR_STATE_SAVE 3ossl" -.TH OSSL_ERR_STATE_SAVE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_ERR_STATE_SAVE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OSSL_ESS_check_signing_certs.3 b/secure/lib/libcrypto/man/man3/OSSL_ESS_check_signing_certs.3 index dd3b5fcc7395..57ff9856cd59 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_ESS_check_signing_certs.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_ESS_check_signing_certs.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_ESS_CHECK_SIGNING_CERTS 3ossl" -.TH OSSL_ESS_CHECK_SIGNING_CERTS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_ESS_CHECK_SIGNING_CERTS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -114,7 +117,7 @@ it must match the certificate issuer and serial number attributes. .IX Header "NOTES" ESS has been defined in RFC 2634, which has been updated in RFC 5035 (ESS version 2) to support hash algorithms other than SHA\-1. -This is used for TSP (RFC 3161) and CAdES-BES (informational RFC 5126). +This is used for TSP (RFC 3161) and CAdES\-BES (informational RFC 5126). .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_ESS_signing_cert_new_init()\fR and \fBOSSL_ESS_signing_cert_v2_new_init()\fR diff --git a/secure/lib/libcrypto/man/man3/OSSL_GENERAL_NAMES_print.3 b/secure/lib/libcrypto/man/man3/OSSL_GENERAL_NAMES_print.3 index 295124b95aed..ddb4a2884ec5 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_GENERAL_NAMES_print.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_GENERAL_NAMES_print.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_GENERAL_NAMES_PRINT 3ossl" -.TH OSSL_GENERAL_NAMES_PRINT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_GENERAL_NAMES_PRINT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OSSL_HPKE_CTX_new.3 b/secure/lib/libcrypto/man/man3/OSSL_HPKE_CTX_new.3 index a40dcee5d5fb..3900a564e61c 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_HPKE_CTX_new.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_HPKE_CTX_new.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_HPKE_CTX_NEW 3ossl" -.TH OSSL_HPKE_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_HPKE_CTX_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -213,18 +216,18 @@ HPKE supports the following variants of Authentication using a mode Identifier: Authentication is not used. .IP "\fBOSSL_HPKE_MODE_PSK\fR, 0x01" 4 .IX Item "OSSL_HPKE_MODE_PSK, 0x01" -Authenticates possession of a pre-shared key (PSK). +Authenticates possession of a pre\-shared key (PSK). .IP "\fBOSSL_HPKE_MODE_AUTH\fR, 0x02" 4 .IX Item "OSSL_HPKE_MODE_AUTH, 0x02" -Authenticates possession of a KEM-based sender private key. +Authenticates possession of a KEM\-based sender private key. .IP "\fBOSSL_HPKE_MODE_PSKAUTH\fR, 0x03" 4 .IX Item "OSSL_HPKE_MODE_PSKAUTH, 0x03" A combination of \fBOSSL_HPKE_MODE_PSK\fR and \fBOSSL_HPKE_MODE_AUTH\fR. Both the PSK and the senders authentication public/private must be supplied before the encapsulation/decapsulation operation will work. .PP -For further information related to authentication see "Pre-Shared Key HPKE -modes" and "Sender-authenticated HPKE Modes". +For further information related to authentication see "Pre\-Shared Key HPKE +modes" and "Sender\-authenticated HPKE Modes". .SS "HPKE Roles" .IX Subsection "HPKE Roles" HPKE contexts have a role \- either sender or receiver. This is used 
@@ -257,7 +260,7 @@ vectors present in RFC9180, Appendix A.) .PP In accordance with RFC9180, section 9.5, we define a constant \&\fIOSSL_HPKE_MIN_PSKLEN\fR with a value of 32 for the minimum length of a -pre-shared key, passed in \fIpsklen\fR. +pre\-shared key, passed in \fIpsklen\fR. .PP While RFC9180 also RECOMMENDS a 64 octet limit for the \fIinfolen\fR parameter, that is not sufficient for TLS Encrypted ClientHello (ECH) processing, so we @@ -276,9 +279,9 @@ previously by a call to \fBOSSL_HPKE_CTX_new()\fR. If the argument to \&\fBOSSL_HPKE_CTX_free()\fR is NULL, nothing is done. .SS "Sender APIs" .IX Subsection "Sender APIs" -A sender's goal is to use HPKE to encrypt using a public key, via use of a +A sender\*(Aqs goal is to use HPKE to encrypt using a public key, via use of a KEM, then a KDF and finally an AEAD. The first step is to encapsulate (using -\&\fBOSSL_HPKE_encap()\fR) the sender's public value using the recipient's public key, +\&\fBOSSL_HPKE_encap()\fR) the sender\*(Aqs public value using the recipient\*(Aqs public key, (\fIpub\fR) and to internally derive secrets. This produces the encapsulated public value (\fIenc\fR) to be sent to the recipient in whatever protocol is using HPKE. Having done the encapsulation step, the sender can then make one or more calls to @@ -292,7 +295,7 @@ the output size. An error will occur if the input \fIenclen\fR is smaller than the value returned from \fBOSSL_HPKE_get_public_encap_size()\fR. \&\fIinfo\fR may be used to bind other protocol or application artefacts such as identifiers. Generally, the encapsulated public value \fIenc\fR corresponds to a -single-use ephemeral private value created as part of the encapsulation +single\-use ephemeral private value created as part of the encapsulation process. Only a single call to \fBOSSL_HPKE_encap()\fR is allowed for a given \&\fBOSSL_HPKE_CTX\fR. .PP 
@@ -316,7 +319,7 @@ outside the scope of this API. Private keys use normal \fBEVP_PKEY\fR\|(3) point so normal private key management mechanisms can be used for the relevant values. .PP -In order to enable encapsulation, the recipient needs to make it's public value +In order to enable encapsulation, the recipient needs to make it\*(Aqs public value available to the sender. There is no generic HPKE format defined for that \- the relevant formatting is intended to be defined by the application/protocols that makes use of HPKE. ECH for example defines an ECHConfig data structure that @@ -339,9 +342,9 @@ then a randomly generated key for the relevant \fIsuite\fR will be produced. If required \fIikmlen\fR should be greater than or equal to \&\fBOSSL_HPKE_get_recommended_ikmelen()\fR. .PP -\&\fBOSSL_HPKE_decap()\fR takes as input the sender's encapsulated public value -produced by \fBOSSL_HPKE_encap()\fR (\fIenc\fR) and the recipient's \fBEVP_PKEY\fR\|(3) -pointer (\fIprov\fR), and then re-generates the internal secret derived by the +\&\fBOSSL_HPKE_decap()\fR takes as input the sender\*(Aqs encapsulated public value +produced by \fBOSSL_HPKE_encap()\fR (\fIenc\fR) and the recipient\*(Aqs \fBEVP_PKEY\fR\|(3) +pointer (\fIprov\fR), and then re\-generates the internal secret derived by the sender. As before, an optional \fIinfo\fR parameter allows binding that derived secret to other application/protocol artefacts. Only a single call to \&\fBOSSL_HPKE_decap()\fR is allowed for a given \fBOSSL_HPKE_CTX\fR. 
@@ -357,7 +360,7 @@ An error will occur if the input \fIptlen\fR is too small. \&\fBOSSL_HPKE_open()\fR may be called multiple times, but as with \fBOSSL_HPKE_seal()\fR there is an internally incrementing nonce value so ciphertexts need to be presented in the same order as used by the \fBOSSL_HPKE_seal()\fR. -See "Re-sequencing" if you need to process multiple ciphertexts in a +See "Re\-sequencing" if you need to process multiple ciphertexts in a different order. .SS "Exporting Secrets" .IX Subsection "Exporting Secrets" @@ -374,11 +377,11 @@ same secret. \&\fIOSSL_HPKE_AEAD_ID_EXPORTONLY\fR may be used as the \fBOSSL_HPKE_SUITE\fR \fIaead_id\fR that is passed to \fBOSSL_HPKE_CTX_new()\fR if the user needs to produce a shared secret, but does not wish to perform HPKE encryption. -.SS "Sender-authenticated HPKE Modes" +.SS "Sender\-authenticated HPKE Modes" .IX Subsection "Sender-authenticated HPKE Modes" -HPKE defines modes that support KEM-based sender-authentication +HPKE defines modes that support KEM\-based sender\-authentication \&\fBOSSL_HPKE_MODE_AUTH\fR and \fBOSSL_HPKE_MODE_PSKAUTH\fR. This works by binding -the sender's authentication private/public values into the encapsulation and +the sender\*(Aqs authentication private/public values into the encapsulation and decapsulation operations. The key used for such modes must also use the same KEM as used for the overall exchange. \fBOSSL_HPKE_keygen()\fR can be used to generate the private value required. 
@@ -390,16 +393,16 @@ private \fIpriv\fR \fBEVP_PKEY\fR key into the \fBOSSL_HPKE_CTX\fR \fIctx\fR bef \&\fBOSSL_HPKE_CTX_set1_authpub()\fR can be used by the receiver to set the senders encoded pub key \fIpub\fR of size \fIpublen\fR into the \fBOSSL_HPKE_CTX\fR \fIctx\fR before calling \fBOSSL_HPKE_decap()\fR. -.SS "Pre-Shared Key HPKE modes" +.SS "Pre\-Shared Key HPKE modes" .IX Subsection "Pre-Shared Key HPKE modes" HPKE also defines a symmetric equivalent to the authentication described above -using a pre-shared key (PSK) and a PSK identifier. PSKs can be used with the +using a pre\-shared key (PSK) and a PSK identifier. PSKs can be used with the \&\fBOSSL_HPKE_MODE_PSK\fR and \fBOSSL_HPKE_MODE_PSKAUTH\fR modes. .PP \&\fBOSSL_HPKE_CTX_set1_psk()\fR sets the PSK identifier \fIpskid\fR string, and PSK buffer \&\fIpsk\fR of size \fIpsklen\fR into the \fIctx\fR. If required this must be called before \fBOSSL_HPKE_encap()\fR or \fBOSSL_HPKE_decap()\fR. -As per RFC9180, if required, both \fIpsk\fR and \fIpskid\fR must be set to non-NULL values. +As per RFC9180, if required, both \fIpsk\fR and \fIpskid\fR must be set to non\-NULL values. As PSKs are symmetric the same calls must happen on both sender and receiver sides. .SS "Deterministic key generation for senders" @@ -417,7 +420,7 @@ It is generally undesirable to use \fBOSSL_HPKE_CTX_set1_ikme()\fR, since it exposes the relevant secret to the application rather then preserving it within the library, and is more likely to result in use of predictable values or values that leak. -.SS Re-sequencing +.SS Re\-sequencing .IX Subsection "Re-sequencing" Some protocols may have to deal with packet loss while still being able to decrypt arriving packets later. We provide a way to set the increment used for 
@@ -466,7 +469,7 @@ public value needs to be regenerated by a sender before calling \fBOSSL_HPKE_sea .PP \&\fBOSSL_HPKE_get_grease_value()\fR produces values of the appropriate length for a given \fIsuite_in\fR value (or a random value if \fIsuite_in\fR is NULL) so that a -protocol using HPKE can send so-called GREASE (see RFC8701) values that are +protocol using HPKE can send so\-called GREASE (see RFC8701) values that are harder to distinguish from a real use of HPKE. The buffer sizes should be supplied on input. The output \fIenc\fR value will have an appropriate length for \fIsuite_out\fR and a random value, and the \fIct\fR output will be @@ -474,13 +477,13 @@ a random value. The relevant sizes for buffers can be found using \&\fBOSSL_HPKE_get_ciphertext_size()\fR and \fBOSSL_HPKE_get_public_encap_size()\fR. .PP \&\fBOSSL_HPKE_str2suite()\fR maps input \fIstr\fR strings to an \fBOSSL_HPKE_SUITE\fR object. -The input \fIstr\fR should be a comma-separated string with a KEM, -KDF and AEAD name in that order, for example "x25519,hkdf\-sha256,aes128gcm". +The input \fIstr\fR should be a comma\-separated string with a KEM, +KDF and AEAD name in that order, for example "x25519,hkdf\-sha256,aes\-128\-gcm". This can be used by command line tools that accept string form names for HPKE -codepoints. Valid (case-insensitive) names are: +codepoints. Valid (case\-insensitive) names are: "p\-256", "p\-384", "p\-521", "x25519" and "x448" for KEM, "hkdf\-sha256", "hkdf\-sha384" and "hkdf\-sha512" for KDF, and -"aes\-gcm\-128", "aes\-gcm\-256", "chacha20\-poly1305" and "exporter" for AEAD. +"aes\-128\-gcm", "aes\-256\-gcm", "chacha20\-poly1305" and "exporter" for AEAD. String variants of the numbers listed in "OSSL_HPKE_SUITE Identifiers" can also be used. .SH "RETURN VALUES" 
@@ -494,7 +497,7 @@ relevant value or zero on error. All other functions return 1 for success or zero for error. .SH EXAMPLES .IX Header "EXAMPLES" -This example demonstrates a minimal round-trip using HPKE. +This example demonstrates a minimal round\-trip using HPKE. .PP .Vb 4 \& #include <stddef.h> @@ -571,7 +574,7 @@ This example demonstrates a minimal round-trip using HPKE. .SH WARNINGS .IX Header "WARNINGS" Note that the \fBOSSL_HPKE_CTX_set_seq()\fR API could be dangerous \- if used with GCM -that could lead to nonce-reuse, which is a known danger. So avoid that +that could lead to nonce\-reuse, which is a known danger. So avoid that entirely, or be very very careful when using that API. .PP Use of an IKM value for deterministic key generation (via @@ -586,7 +589,7 @@ The RFC9180 specification: https://datatracker.ietf.org/doc/rfc9180/ This functionality described here was added in OpenSSL 3.2. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2022\-2025 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2022\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man3/OSSL_HTTP_REQ_CTX.3 b/secure/lib/libcrypto/man/man3/OSSL_HTTP_REQ_CTX.3 index 05fe9b60f3eb..b78be6f825f1 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_HTTP_REQ_CTX.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_HTTP_REQ_CTX.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_HTTP_REQ_CTX 3ossl" -.TH OSSL_HTTP_REQ_CTX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_HTTP_REQ_CTX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -117,7 +120,7 @@ OSSL_HTTP_is_alive \&\fBOSSL_HTTP_REQ_CTX\fR is a context structure for an HTTP request and response, used to collect all the necessary data to perform that request. .PP -This file documents low-level HTTP functions rarely used directly. High-level +This file documents low\-level HTTP functions rarely used directly. High\-level HTTP client functions like \fBOSSL_HTTP_get\fR\|(3) and \fBOSSL_HTTP_transfer\fR\|(3) should be preferred. .PP @@ -132,7 +135,7 @@ The allocated context structure includes an internal memory \fBBIO\fR, which collects the HTTP request header lines. .PP \&\fBOSSL_HTTP_REQ_CTX_free()\fR frees up the HTTP request context \fIrctx\fR. -The \fIrbio\fR is not free'd, \fIwbio\fR will be free'd if \fIfree_wbio\fR is set. +The \fIrbio\fR is not free\*(Aqd, \fIwbio\fR will be free\*(Aqd if \fIfree_wbio\fR is set. If the argument is NULL, nothing is done. .PP \&\fBOSSL_HTTP_REQ_CTX_set_request_line()\fR adds the 1st HTTP request line to \fIrctx\fR. 
@@ -160,7 +163,7 @@ Due to the structure of an HTTP request, if the \fIkeep_alive\fR argument is nonzero the function must be used before calling \fBOSSL_HTTP_REQ_CTX_set1_req()\fR. .PP If the \fIexpected_content_type\fR argument is not NULL, the client will -check in a case-insensitive way that the specified \f(CW\*(C`Content\-Type\*(C'\fR string value +check in a case\-insensitive way that the specified \f(CW\*(C`Content\-Type\*(C'\fR string value is included in the HTTP header of the response and return an error if not. In the \f(CW\*(C`Content\-Type\*(C'\fR header line the specified string should be present either as a whole, or in case the specified string does not include a \f(CW\*(C`;\*(C'\fR character, @@ -196,13 +199,13 @@ i.e., an error occurs in case the server does not grant it. It is needed if the \fImethod_POST\fR parameter in the \&\fBOSSL_HTTP_REQ_CTX_set_request_line()\fR call was 1 and an ASN.1\-encoded request should be sent. -It must also be used when requesting "keep-alive", +It must also be used when requesting "keep\-alive", even if a GET request is going to be sent, in which case \fIreq\fR must be NULL. Unless \fIreq\fR is NULL, the function adds the DER encoding of \fIreq\fR using the ASN.1 template \fIit\fR to do the encoding (which does not support streaming). The HTTP header \f(CW\*(C`Content\-Length\*(C'\fR is filled out with the length of the request. \&\fIcontent_type\fR must be NULL if \fIreq\fR is NULL. -If \fIcontent_type\fR isn't NULL, +If \fIcontent_type\fR isn\*(Aqt NULL, the HTTP header \f(CW\*(C`Content\-Type\*(C'\fR is also added with the given string value. The header lines are added to the internal memory \fBBIO\fR for the request header. .PP 
@@ -213,7 +216,7 @@ The function may need to be called again if its result is \-1, which indicates \&\fBBIO_should_retry\fR\|(3). In such a case it is advisable to sleep a little in between, using \fBBIO_wait\fR\|(3) on the read BIO to prevent a busy loop. See \fBOSSL_HTTP_REQ_CTX_set_expected()\fR how the response content type, -the response body, the HTTP transfer timeout, and "keep-alive" are treated. +the response body, the HTTP transfer timeout, and "keep\-alive" are treated. Any error message body is consumed if a \f(CW\*(C`Content\-Type\*(C'\fR header is not included or its value starts with \f(CW\*(C`text/\*(C'\fR. This is used for tracing the body contents if HTTP tracing is enabled. @@ -224,7 +227,7 @@ or the content is an ASN.1\-encoded structure with a length exceeding this value or both length indications are present but disagree then an error occurs. .PP \&\fBOSSL_HTTP_REQ_CTX_nbio_d2i()\fR is like \fBOSSL_HTTP_REQ_CTX_nbio()\fR but on success -in addition parses the response, which must be a DER-encoded ASN.1 structure, +in addition parses the response, which must be a DER\-encoded ASN.1 structure, using the ASN.1 template \fIit\fR and places the result in \fI*pval\fR. .PP \&\fBOSSL_HTTP_REQ_CTX_exchange()\fR calls \fBOSSL_HTTP_REQ_CTX_nbio()\fR as often as needed @@ -274,7 +277,7 @@ for any reason at the server side, it will notice this obtaining an I/O error when trying to send the next request via \fIrctx\fR. .SH WARNINGS .IX Header "WARNINGS" -The server's response may be unexpected if the hostname that was used to +The server\*(Aqs response may be unexpected if the hostname that was used to create the \fIwbio\fR, any \f(CW\*(C`Host\*(C'\fR header, and the host specified in the request URL do not match. .PP 
@@ -291,7 +294,7 @@ Adding extra header lines with \fBOSSL_HTTP_REQ_CTX_add1_header()\fR. This is optional and may be done multiple times with different names. .IP 3. 4 Finalize the request using \fBOSSL_HTTP_REQ_CTX_set1_req()\fR. -This may be omitted if the GET method is used and "keep-alive" is not requested. +This may be omitted if the GET method is used and "keep\-alive" is not requested. .PP When the request context is fully prepared, the HTTP exchange may be performed with \fBOSSL_HTTP_REQ_CTX_nbio()\fR or \fBOSSL_HTTP_REQ_CTX_exchange()\fR. @@ -323,7 +326,7 @@ The returned BIO must not be freed by the caller. \&\fBOSSL_HTTP_REQ_CTX_get_resp_len()\fR returns the size of the response contents or 0 if not available or an error occurred. .PP -\&\fBOSSL_HTTP_is_alive()\fR returns 1 if its argument is non-NULL +\&\fBOSSL_HTTP_is_alive()\fR returns 1 if its argument is non\-NULL and the client requested a persistent connection and the server did not disagree on keeping the connection open, else 0. .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/OSSL_HTTP_parse_url.3 b/secure/lib/libcrypto/man/man3/OSSL_HTTP_parse_url.3 index 75830467ae9b..3053555dad91 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_HTTP_parse_url.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_HTTP_parse_url.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_HTTP_PARSE_URL 3ossl" -.TH OSSL_HTTP_PARSE_URL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_HTTP_PARSE_URL 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -119,10 +122,10 @@ The port component is optional and defaults to \f(CW0\fR. If given, it must be in decimal form. If the \fIpport_num\fR argument is not NULL the integer value of the port number is assigned to \fI*pport_num\fR on success. The path component is also optional and defaults to \f(CW\*(C`/\*(C'\fR. -Each non-NULL result pointer argument \fIpscheme\fR, \fIpuser\fR, \fIphost\fR, \fIpport\fR, +Each non\-NULL result pointer argument \fIpscheme\fR, \fIpuser\fR, \fIphost\fR, \fIpport\fR, \&\fIppath\fR, \fIpquery\fR, and \fIpfrag\fR, is assigned the respective url component. Any IPv6 address in \fI*phost\fR is enclosed in \f(CW\*(C`[\*(C'\fR and \f(CW\*(C`]\*(C'\fR. -On success, they are guaranteed to contain non-NULL string pointers, else NULL. +On success, they are guaranteed to contain non\-NULL string pointers, else NULL. It is the responsibility of the caller to free them using \fBOPENSSL_free\fR\|(3). If \fIpquery\fR is NULL, any given query component is handled as part of the path. A string returned via \fI*ppath\fR is guaranteed to begin with a \f(CW\*(C`/\*(C'\fR character. diff --git a/secure/lib/libcrypto/man/man3/OSSL_HTTP_transfer.3 b/secure/lib/libcrypto/man/man3/OSSL_HTTP_transfer.3 index 4863e639a8b6..4c325861d7fc 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_HTTP_transfer.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_HTTP_transfer.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_HTTP_TRANSFER 3ossl" -.TH OSSL_HTTP_TRANSFER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_HTTP_TRANSFER 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -115,7 +118,7 @@ OSSL_HTTP_close NULL, else by connecting to a given \fIserver\fR optionally via a \fIproxy\fR. .PP Typically the OpenSSL build supports sockets and the \fIbio\fR parameter is NULL. -In this case \fIrbio\fR must be NULL as well and the \fIserver\fR must be non-NULL. +In this case \fIrbio\fR must be NULL as well and the \fIserver\fR must be non\-NULL. The function creates a network BIO internally using \fBBIO_new_connect\fR\|(3) for connecting to the given server and the optionally given \fIport\fR, defaulting to 80 for HTTP or 443 for HTTPS. @@ -130,7 +133,7 @@ As soon as the client has flushed \fIbio\fR the server must be ready to provide a response or indicate a waiting condition via \fIrbio\fR. .PP If \fIbio\fR is given, -it is an error to provide non-NULL \fIproxy\fR or \fIno_proxy\fR arguments, +it is an error to provide non\-NULL \fIproxy\fR or \fIno_proxy\fR arguments, while \fIserver\fR and \fIport\fR arguments may be given to support diagnostic output. If \fIbio\fR is NULL the optional \fIproxy\fR parameter can be used to set an HTTP(S) proxy to use (unless overridden by "no_proxy" settings). 
@@ -217,7 +220,7 @@ A value <= 0 enables waiting indefinitely, i.e., no timeout. \&\fBOSSL_HTTP_proxy_connect()\fR may be used by an above BIO connect callback function to set up an SSL/TLS connection via an HTTPS proxy. It promotes the given BIO \fIbio\fR representing a connection -pre-established with a TLS proxy using the HTTP CONNECT method, +pre\-established with a TLS proxy using the HTTP CONNECT method, optionally using proxy client credentials \fIproxyuser\fR and \fIproxypass\fR, to connect with TLS protection ultimately to \fIserver\fR and \fIport\fR. If the \fIport\fR argument is NULL or the empty string it defaults to "443". @@ -226,7 +229,7 @@ seconds the connection setup is allowed to take. A value <= 0 enables waiting indefinitely, i.e., no timeout. Since this function is typically called by applications such as \&\fBopenssl\-s_client\fR\|(1) it uses the \fIbio_err\fR and \fIprog\fR parameters (unless -NULL) to print additional diagnostic information in a user-oriented way. +NULL) to print additional diagnostic information in a user\-oriented way. .PP \&\fBOSSL_HTTP_set1_request()\fR sets up in \fIrctx\fR the request header and content data and expectations on the response using the following parameters. @@ -239,7 +242,7 @@ If \fIpath\fR is NULL it defaults to "/". If \fIreq\fR is NULL the HTTP GET method will be used to send the request else HTTP POST with the contents of \fIreq\fR and optional \fIcontent_type\fR, where the length of the data in \fIreq\fR does not need to be determined in advance: the -BIO will be read on-the-fly while sending the request, which supports streaming. +BIO will be read on\-the\-fly while sending the request, which supports streaming. The optional list \fIheaders\fR may contain additional custom HTTP header lines. The \fImax_resp_len\fR parameter specifies the maximum allowed response content length, where the value 0 indicates no limit. 
@@ -265,11 +268,11 @@ Otherwise it returns directly the read BIO that holds the response contents, which allows a response of indefinite length and may support streaming. The caller is responsible for freeing the BIO pointer obtained. .PP -\&\fBOSSL_HTTP_get()\fR uses HTTP GET to obtain data from \fIbio\fR if non-NULL, +\&\fBOSSL_HTTP_get()\fR uses HTTP GET to obtain data from \fIbio\fR if non\-NULL, else from the server contained in the \fIurl\fR, and returns it as a BIO. It supports redirection via HTTP status code 301 or 302. It is meant for transfers with a single round trip, so does not support persistent connections. -If \fIbio\fR is non-NULL, any host and port components in the \fIurl\fR are not used +If \fIbio\fR is non\-NULL, any host and port components in the \fIurl\fR are not used for connecting but the hostname is used, as usual, for the \f(CW\*(C`Host\*(C'\fR header. Any userinfo and fragment components in the \fIurl\fR are ignored. Any query component is handled as part of the path component. @@ -283,7 +286,7 @@ The caller is responsible for freeing the BIO pointer obtained. over a connection managed via \fIprctx\fR without supporting redirection. It combines \fBOSSL_HTTP_open()\fR, \fBOSSL_HTTP_set1_request()\fR, \fBOSSL_HTTP_exchange()\fR, and \fBOSSL_HTTP_close()\fR. -If \fIprctx\fR is not NULL it reuses any open connection represented by a non-NULL +If \fIprctx\fR is not NULL it reuses any open connection represented by a non\-NULL \&\fI*prctx\fR. It keeps the connection open if a persistent connection is requested or required and this was granted by the server, else it closes the connection and assigns NULL to \fI*prctx\fR. diff --git a/secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX.3 b/secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX.3 index 97ddfe91a06a..22574d81a809 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_IETF_ATTR_SYNTAX 3ossl" -.TH OSSL_IETF_ATTR_SYNTAX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_IETF_ATTR_SYNTAX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX_print.3 b/secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX_print.3 index 9d47575bdd1f..50126a4488b1 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX_print.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX_print.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_IETF_ATTR_SYNTAX_PRINT 3ossl" -.TH OSSL_IETF_ATTR_SYNTAX_PRINT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_IETF_ATTR_SYNTAX_PRINT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/OSSL_INDICATOR_set_callback.3 b/secure/lib/libcrypto/man/man3/OSSL_INDICATOR_set_callback.3 index e6af4de3ced3..66ca18b3d6bd 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_INDICATOR_set_callback.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_INDICATOR_set_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_INDICATOR_SET_CALLBACK 3ossl" -.TH OSSL_INDICATOR_SET_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_INDICATOR_SET_CALLBACK 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -83,14 +86,14 @@ typedef int (OSSL_INDICATOR_CALLBACK)(const char *type, const char *desc, \&\fBOSSL_INDICATOR_set_callback()\fR sets a user callback \fIcb\fR associated with a \&\fIlibctx\fR that will be called when a non approved FIPS operation is detected. .PP -The user's callback may be triggered multiple times during an algorithm operation +The user\*(Aqs callback may be triggered multiple times during an algorithm operation to indicate different approved mode checks have failed. .PP Non approved operations may only occur if the user has deliberately chosen to do so (either by setting a global FIPS configuration option or via an option in an -algorithm's operation context). +algorithm\*(Aqs operation context). .PP -The user's callback \fBOSSL_INDICATOR_CALLBACK\fR \fItype\fR and \fIdesc\fR +The user\*(Aqs callback \fBOSSL_INDICATOR_CALLBACK\fR \fItype\fR and \fIdesc\fR contain the algorithm type and operation that is not approved. \&\fIparams\fR is not currently used. .PP diff --git a/secure/lib/libcrypto/man/man3/OSSL_ITEM.3 b/secure/lib/libcrypto/man/man3/OSSL_ITEM.3 index 8a84ccca30a5..54f9f40d574d 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_ITEM.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_ITEM.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_ITEM 3ossl" -.TH OSSL_ITEM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_ITEM 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -76,13 +79,13 @@ OSSL_ITEM \- OpenSSL Core type for generic itemized data .SH DESCRIPTION .IX Header "DESCRIPTION" This type is a tuple of integer and pointer. -It's a generic type used as a generic descriptor, its exact meaning -being defined by how it's used. +It\*(Aqs a generic type used as a generic descriptor, its exact meaning +being defined by how it\*(Aqs used. Arrays of this type are passed between the OpenSSL libraries and the providers, and must be terminated with a tuple where the integer is zero and the pointer NULL. .PP -This is currently mainly used for the return value of the provider's error +This is currently mainly used for the return value of the provider\*(Aqs error reason strings array, see "Provider Functions" in \fBprovider\-base\fR\|(7). .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX.3 b/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX.3 index 849db8e6f42e..023403293e52 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_LIB_CTX 3ossl" -.TH OSSL_LIB_CTX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_LIB_CTX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -92,7 +95,7 @@ a default context with functions that take an \fBOSSL_LIB_CTX\fR argument. .PP When a non default library context is in use care should be taken with -multi-threaded applications to properly clean up thread local resources before +multi\-threaded applications to properly clean up thread local resources before the OSSL_LIB_CTX is freed. See \fBOPENSSL_thread_stop_ex\fR\|(3) for more information. .PP @@ -101,7 +104,7 @@ See \fBOPENSSL_thread_stop_ex\fR\|(3) for more information. \&\fBOSSL_LIB_CTX_new_from_dispatch()\fR creates a new OpenSSL library context initialised to use callbacks from the OSSL_DISPATCH structure. This is primarily useful for provider authors. The \fIhandle\fR and dispatch structure arguments -passed should be the same ones as passed to a provider's +passed should be the same ones as passed to a provider\*(Aqs OSSL_provider_init function. Some OpenSSL functions, such as \&\fBBIO_new_from_core_bio\fR\|(3), require the library context to be created in this way in order to work. 
@@ -136,12 +139,12 @@ context. If \fBEVP_set_default_properties\fR\|(3) is called directly on a child library context then the new properties will override anything from the parent library context and mirroring of the properties will stop. .PP -When \fBOSSL_LIB_CTX_new_child()\fR is called from within the scope of a provider's +When \fBOSSL_LIB_CTX_new_child()\fR is called from within the scope of a provider\*(Aqs \&\fBOSSL_provider_init\fR function the currently initialising provider is not yet -available in the application's library context and therefore will similarly not +available in the application\*(Aqs library context and therefore will similarly not yet be available in the newly constructed child library context. As soon as the \&\fBOSSL_provider_init\fR function returns then the new provider is available in the -application's library context and will be similarly mirrored in the child +application\*(Aqs library context and will be similarly mirrored in the child library context. .PP \&\fBOSSL_LIB_CTX_load_config()\fR loads a configuration file using the given \fIctx\fR. @@ -185,7 +188,7 @@ depends on the index. \&\fBOSSL_LIB_CTX_set0_default()\fR return a library context pointer on success, or NULL on error. .PP -\&\fBOSSL_LIB_CTX_free()\fR doesn't return any value. +\&\fBOSSL_LIB_CTX_free()\fR doesn\*(Aqt return any value. .PP \&\fBOSSL_LIB_CTX_load_config()\fR returns 1 on success, 0 on error. .PP diff --git a/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX_set_conf_diagnostics.3 b/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX_set_conf_diagnostics.3 index 9a098c65dd77..321fe31935f1 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX_set_conf_diagnostics.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX_set_conf_diagnostics.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_LIB_CTX_SET_CONF_DIAGNOSTICS 3ossl" -.TH OSSL_LIB_CTX_SET_CONF_DIAGNOSTICS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_LIB_CTX_SET_CONF_DIAGNOSTICS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OSSL_PARAM.3 b/secure/lib/libcrypto/man/man3/OSSL_PARAM.3 index ea8ea1b62b5f..48b1b2d386f4 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_PARAM.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_PARAM.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PARAM 3ossl" -.TH OSSL_PARAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PARAM 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -163,7 +166,7 @@ counting the terminating NUL byte. When requesting parameters, the size should be set to the size of the buffer to be populated, which should accommodate enough space for a terminating NUL byte. .Sp -When \fIrequesting parameters\fR, it's acceptable for \fIdata\fR to be NULL. +When \fIrequesting parameters\fR, it\*(Aqs acceptable for \fIdata\fR to be NULL. This can be used by the \fIrequester\fR to figure out dynamically exactly how much buffer space is needed to store the parameter data. In this case, \fIdata_size\fR is ignored. @@ -208,7 +211,7 @@ The \fIdata_type\fR field can be one of the following types: .PD The parameter data is an integer (signed or unsigned) of arbitrary length, organized in native form, i.e. most significant byte first on -Big-Endian systems, and least significant byte first on Little-Endian +Big\-Endian systems, and least significant byte first on Little\-Endian systems. .IP \fBOSSL_PARAM_REAL\fR 4 .IX Item "OSSL_PARAM_REAL" @@ -224,7 +227,7 @@ The parameter data is an arbitrary string of bytes. The parameter data is a pointer to a printable string. .Sp The difference between this and \fBOSSL_PARAM_UTF8_STRING\fR is that \fIdata\fR -doesn't point directly at the data, but to a pointer that points to the data. +doesn\*(Aqt point directly at the data, but to a pointer that points to the data. .Sp If there is any uncertainty about which to use, \fBOSSL_PARAM_UTF8_STRING\fR is almost certainly the correct choice. 
@@ -241,14 +244,14 @@ If this is used in a parameter request, .Sp Note that the use of this type is \fBfragile\fR and can only be safely used for data that remains constant and in a constant location for a -long enough duration (such as the life-time of the entity that +long enough duration (such as the life\-time of the entity that offers these parameters). .IP \fBOSSL_PARAM_OCTET_PTR\fR 4 .IX Item "OSSL_PARAM_OCTET_PTR" The parameter data is a pointer to an arbitrary string of bytes. .Sp The difference between this and \fBOSSL_PARAM_OCTET_STRING\fR is that -\&\fIdata\fR doesn't point directly at the data, but to a pointer that +\&\fIdata\fR doesn\*(Aqt point directly at the data, but to a pointer that points to the data. .Sp If there is any uncertainty about which to use, \fBOSSL_PARAM_OCTET_STRING\fR is @@ -266,7 +269,7 @@ If this is used in a parameter request, .Sp Note that the use of this type is \fBfragile\fR and can only be safely used for data that remains constant and in a constant location for a -long enough duration (such as the life-time of the entity that +long enough duration (such as the life\-time of the entity that offers these parameters). .SH NOTES .IX Header "NOTES" @@ -274,9 +277,9 @@ Both when setting and requesting parameters, the functions that are called will have to decide what is and what is not an error. The recommended behaviour is: .IP \(bu 4 -Keys that a \fIsetter\fR or \fIresponder\fR doesn't recognise should simply +Keys that a \fIsetter\fR or \fIresponder\fR doesn\*(Aqt recognise should simply be ignored. -That in itself isn't an error. +That in itself isn\*(Aqt an error. .IP \(bu 4 If the keys that a called \fIsetter\fR recognises form a consistent enough set of data, that call should succeed. 
@@ -286,11 +289,11 @@ of an \fBOSSL_PARAM\fR. To return a value, it should change the contents of the memory that \&\fIdata\fR points at. .IP \(bu 4 -If the data type for a key that it's associated with is incorrect, +If the data type for a key that it\*(Aqs associated with is incorrect, the called function may return an error. .Sp The called function may also try to convert the data to a suitable -form (for example, it's plausible to pass a large number as an octet +form (for example, it\*(Aqs plausible to pass a large number as an octet string, so even though a given key is defined as an \&\fBOSSL_PARAM_UNSIGNED_INTEGER\fR, is plausible to pass the value as an \&\fBOSSL_PARAM_OCTET_STRING\fR), but this is in no way mandatory. @@ -308,7 +311,7 @@ an error. .IP \(bu 4 For the integer type parameters (\fBOSSL_PARAM_UNSIGNED_INTEGER\fR and \&\fBOSSL_PARAM_INTEGER\fR), a \fIresponder\fR may choose to return an error -if the \fIdata_size\fR isn't a suitable size (even if \fIdata_size\fR is +if the \fIdata_size\fR isn\*(Aqt a suitable size (even if \fIdata_size\fR is bigger than needed). If the \fIresponder\fR finds the size suitable, it must fill all \fIdata_size\fR bytes and ensure correct padding for the native endianness, and set \fIreturn_size\fR to the same value as diff --git a/secure/lib/libcrypto/man/man3/OSSL_PARAM_BLD.3 b/secure/lib/libcrypto/man/man3/OSSL_PARAM_BLD.3 index 4954923174fb..9bd8fc083b42 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_PARAM_BLD.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_PARAM_BLD.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PARAM_BLD 3ossl" -.TH OSSL_PARAM_BLD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PARAM_BLD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OSSL_PARAM_allocate_from_text.3 b/secure/lib/libcrypto/man/man3/OSSL_PARAM_allocate_from_text.3 index b3f9894fae43..845878c1078c 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_PARAM_allocate_from_text.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_PARAM_allocate_from_text.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PARAM_ALLOCATE_FROM_TEXT 3ossl" -.TH OSSL_PARAM_ALLOCATE_FROM_TEXT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PARAM_ALLOCATE_FROM_TEXT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -87,14 +90,14 @@ size (see \fBOSSL_PARAM\fR\|(3) for more information). .PP \&\fBOSSL_PARAM_allocate_from_text()\fR uses \fIkey\fR to look up an item in \&\fIparamdefs\fR. If an item was found, it converts \fIvalue\fR to something -suitable for that item's \fIdata_type\fR, and stores the result in +suitable for that item\*(Aqs \fIdata_type\fR, and stores the result in \&\fIto\->data\fR as well as its size in \fIto\->data_size\fR. \&\fIto\->key\fR and \fIto\->data_type\fR are assigned the corresponding values from the item that was found, and \fIto\->return_size\fR is set to zero. .PP \&\fIto\->data\fR is always allocated using \fBOPENSSL_zalloc\fR\|(3) and -needs to be freed by the caller when it's not useful any more, using +needs to be freed by the caller when it\*(Aqs not useful any more, using \&\fBOPENSSL_free\fR\|(3). .PP If \fIfound\fR is not NULL, \fI*found\fR is set to 1 if \fIkey\fR could be @@ -107,10 +110,10 @@ located in \fIparamdefs\fR, and to 0 otherwise. will be looked up in \fIparamdefs\fR. .PP When an item in \fIparamdefs\fR has been found, \fIvalue\fR is converted -depending on that item's \fIdata_type\fR, as follows: +depending on that item\*(Aqs \fIdata_type\fR, as follows: .IP "\fBOSSL_PARAM_INTEGER\fR and \fBOSSL_PARAM_UNSIGNED_INTEGER\fR" 4 .IX Item "OSSL_PARAM_INTEGER and OSSL_PARAM_UNSIGNED_INTEGER" -If \fIkey\fR didn't start with "hex", \fIvalue\fR is assumed to contain +If \fIkey\fR didn\*(Aqt start with "hex", \fIvalue\fR is assumed to contain \&\fIvalue_n\fR decimal characters, which are decoded, and the resulting bytes become the number stored in the \fIto\->data\fR storage. .Sp 
@@ -120,7 +123,7 @@ hexadecimal characters. If \fIkey\fR started with "hex", \fIvalue\fR is assumed to contain \&\fIvalue_n\fR hexadecimal characters without the "0x" prefix. .Sp -If \fIvalue\fR contains characters that couldn't be decoded as +If \fIvalue\fR contains characters that couldn\*(Aqt be decoded as hexadecimal or decimal characters, \fBOSSL_PARAM_allocate_from_text()\fR considers that an error. .IP \fBOSSL_PARAM_UTF8_STRING\fR 4 @@ -137,11 +140,11 @@ On systems where the native character encoding is EBCDIC, the bytes in If \fIkey\fR started with "hex", \fIvalue\fR is assumed to contain \&\fIvalue_n\fR hexadecimal characters, which are decoded, and the resulting bytes are stored in the \fIto\->data\fR storage. -If \fIvalue\fR contains characters that couldn't be decoded as +If \fIvalue\fR contains characters that couldn\*(Aqt be decoded as hexadecimal or decimal characters, \fBOSSL_PARAM_allocate_from_text()\fR considers that an error. .Sp -If \fIkey\fR didn't start with "hex", \fIvalue_n\fR bytes from \fIvalue\fR are +If \fIkey\fR didn\*(Aqt start with "hex", \fIvalue_n\fR bytes from \fIvalue\fR are copied to the \fIto\->data\fR storage. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/OSSL_PARAM_dup.3 b/secure/lib/libcrypto/man/man3/OSSL_PARAM_dup.3 index d251e67d02ce..38bbb775500e 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_PARAM_dup.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_PARAM_dup.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PARAM_DUP 3ossl" -.TH OSSL_PARAM_DUP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PARAM_DUP 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -83,7 +86,7 @@ deep copy of the data. .PP \&\fBOSSL_PARAM_merge()\fR merges the parameter arrays \fIparams\fR and \fIparams1\fR into a new parameter array. If \fIparams\fR and \fIparams1\fR contain values with the same -\&'key' then the value from \fIparams1\fR will replace the \fIparam\fR value. This +\&\*(Aqkey\*(Aq then the value from \fIparams1\fR will replace the \fIparam\fR value. This function does a shallow copy of the parameters. Either \fIparams\fR or \fIparams1\fR may be NULL. The behaviour of the merge is unpredictable if \fIparams\fR and \&\fIparams1\fR contain the same key, and there are multiple entries within either diff --git a/secure/lib/libcrypto/man/man3/OSSL_PARAM_int.3 b/secure/lib/libcrypto/man/man3/OSSL_PARAM_int.3 index ab3fe3452300..652b05940afc 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_PARAM_int.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_PARAM_int.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PARAM_INT 3ossl" -.TH OSSL_PARAM_INT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PARAM_INT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -257,8 +260,8 @@ Type coercion takes place as discussed in the NOTES section. .PP \&\fBOSSL_PARAM_set_TYPE()\fR stores a value \fIval\fR of type \fR\f(BITYPE\fR\fB\fR into the parameter \fIp\fR. -If the parameter's \fIdata\fR field is NULL, then only its \fIreturn_size\fR field -will be assigned the size the parameter's \fIdata\fR buffer should have. +If the parameter\*(Aqs \fIdata\fR field is NULL, then only its \fIreturn_size\fR field +will be assigned the size the parameter\*(Aqs \fIdata\fR buffer should have. Type coercion takes place as discussed in the NOTES section. .PP \&\fBOSSL_PARAM_get_BN()\fR retrieves a BIGNUM from the parameter pointed to by \fIp\fR. @@ -266,8 +269,8 @@ The BIGNUM referenced by \fIval\fR is updated and is allocated if \fI*val\fR is NULL. .PP \&\fBOSSL_PARAM_set_BN()\fR stores the BIGNUM \fIval\fR into the parameter \fIp\fR. -If the parameter's \fIdata\fR field is NULL, then only its \fIreturn_size\fR field -will be assigned the size the parameter's \fIdata\fR buffer should have. +If the parameter\*(Aqs \fIdata\fR field is NULL, then only its \fIreturn_size\fR field +will be assigned the size the parameter\*(Aqs \fIdata\fR buffer should have. .PP \&\fBOSSL_PARAM_get_utf8_string()\fR retrieves a UTF8 string from the parameter pointed to by \fIp\fR. 
@@ -280,14 +283,14 @@ If memory is allocated by this function, it must be freed by the caller. .PP \&\fBOSSL_PARAM_set_utf8_string()\fR sets a UTF8 string from the parameter pointed to by \fIp\fR to the value referenced by \fIval\fR. -If the parameter's \fIdata\fR field isn't NULL, its \fIdata_size\fR must indicate +If the parameter\*(Aqs \fIdata\fR field isn\*(Aqt NULL, its \fIdata_size\fR must indicate that the buffer is large enough to accommodate the string that \fIval\fR points at, not including the terminating NUL byte, or this function will fail. -A terminating NUL byte is added only if the parameter's \fIdata_size\fR indicates +A terminating NUL byte is added only if the parameter\*(Aqs \fIdata_size\fR indicates the buffer is longer than the string length, otherwise the string will not be NUL terminated. -If the parameter's \fIdata\fR field is NULL, then only its \fIreturn_size\fR field -will be assigned the minimum size the parameter's \fIdata\fR buffer should have +If the parameter\*(Aqs \fIdata\fR field is NULL, then only its \fIreturn_size\fR field +will be assigned the minimum size the parameter\*(Aqs \fIdata\fR buffer should have to accommodate the string, not including a terminating NUL byte. .PP \&\fBOSSL_PARAM_get_octet_string()\fR retrieves an OCTET string from the parameter 
@@ -301,8 +304,8 @@ If memory is allocated by this function, it must be freed by the caller. .PP \&\fBOSSL_PARAM_set_octet_string()\fR sets an OCTET string from the parameter pointed to by \fIp\fR to the value referenced by \fIval\fR. -If the parameter's \fIdata\fR field is NULL, then only its \fIreturn_size\fR field -will be assigned the size the parameter's \fIdata\fR buffer should have. +If the parameter\*(Aqs \fIdata\fR field is NULL, then only its \fIreturn_size\fR field +will be assigned the size the parameter\*(Aqs \fIdata\fR buffer should have. .PP \&\fBOSSL_PARAM_get_utf8_ptr()\fR retrieves the UTF8 string pointer from the parameter referenced by \fIp\fR and stores it in \fI*val\fR. @@ -325,7 +328,7 @@ string. .PP \&\fBOSSL_PARAM_get_octet_string_ptr()\fR retrieves the pointer to a octet string from the parameter pointed to by \fIp\fR, and stores that pointer in \fI*val\fR, -along with the string's length in \fI*used_len\fR. +along with the string\*(Aqs length in \fI*used_len\fR. This is different from \fBOSSL_PARAM_get_octet_string()\fR, which copies the string. .PP @@ -395,7 +398,7 @@ This example is for setting parameters on some object: .SS "Example 2" .IX Subsection "Example 2" This example is for requesting parameters on some object, and also -demonstrates that the requester isn't obligated to request all +demonstrates that the requester isn\*(Aqt obligated to request all available parameters: .PP .Vb 7 diff --git a/secure/lib/libcrypto/man/man3/OSSL_PARAM_print_to_bio.3 b/secure/lib/libcrypto/man/man3/OSSL_PARAM_print_to_bio.3 index 923be153ba0e..7336e5e86832 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_PARAM_print_to_bio.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_PARAM_print_to_bio.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PARAM_PRINT_TO_BIO 3ossl" -.TH OSSL_PARAM_PRINT_TO_BIO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PARAM_PRINT_TO_BIO 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -76,7 +79,7 @@ OSSL_PARAM_print_to_bio \&\fBOSSL_PARAM_print_to_bio()\fR formats each parameter contained in the passed in array of \fBOSSL_PARAM\fR values \fIp\fR, and prints both the key, and optionally its value, to a provided \fBBIO\fR. -\&\fIp\fR must be a non-null array of OSSL_PARAM values, terminated +\&\fIp\fR must be a non\-null array of OSSL_PARAM values, terminated with a value containing a null \fIkey\fR member. \&\fIprint_values\fR is a control parameter, indicating that key values should be printed, in addition to key names. diff --git a/secure/lib/libcrypto/man/man3/OSSL_PROVIDER.3 b/secure/lib/libcrypto/man/man3/OSSL_PROVIDER.3 index 5b636739f970..59ad7e9a67ce 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_PROVIDER.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_PROVIDER.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PROVIDER 3ossl" -.TH OSSL_PROVIDER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PROVIDER 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -210,7 +213,7 @@ before a provider is in use by multiple threads. Parameters that only affect provider initialisation must, for now, be set in the configuration file, only parameters that are also queried later have any affect when set via this interface. -Only text parameters can be given, and it's up to the provider to +Only text parameters can be given, and it\*(Aqs up to the provider to interpret them. .PP \&\fBOSSL_PROVIDER_get_conf_parameters()\fR retrieves global configuration parameters 
@@ -224,32 +227,32 @@ the \fIparam\fR array must have \fBOSSL_PARAM_UTF8_PTR\fR as their \fBdata_type\ \&\fBOSSL_PROVIDER_conf_get_bool()\fR parses the global configuration parameter \fIname\fR associated with provider \fIprov\fR as a boolean value, returning a default value \&\fIdefval\fR when unable to retrieve or parse the parameter. -Parameter values equal (case-insensitively) to \f(CW1\fR, \f(CW\*(C`on\*(C'\fR, \f(CW\*(C`yes\*(C'\fR, or \f(CW\*(C`true\*(C'\fR +Parameter values equal (case\-insensitively) to \f(CW1\fR, \f(CW\*(C`on\*(C'\fR, \f(CW\*(C`yes\*(C'\fR, or \f(CW\*(C`true\*(C'\fR yield a true (nonzero) result. -Parameter values equal (case-insensitively) to \f(CW0\fR, \f(CW\*(C`off\*(C'\fR, \f(CW\*(C`no\*(C'\fR, or \f(CW\*(C`false\*(C'\fR +Parameter values equal (case\-insensitively) to \f(CW0\fR, \f(CW\*(C`off\*(C'\fR, \f(CW\*(C`no\*(C'\fR, or \f(CW\*(C`false\*(C'\fR yield a false (zero) result. .PP -\&\fBOSSL_PROVIDER_self_test()\fR is used to run a provider's self tests on demand. +\&\fBOSSL_PROVIDER_self_test()\fR is used to run a provider\*(Aqs self tests on demand. If the self tests fail then the provider will fail to provide any further services and algorithms. \fBOSSL_SELF_TEST_set_callback\fR\|(3) may be called beforehand in order to display diagnostics for the running self tests. .PP -\&\fBOSSL_PROVIDER_query_operation()\fR calls the provider's \fIquery_operation\fR +\&\fBOSSL_PROVIDER_query_operation()\fR calls the provider\*(Aqs \fIquery_operation\fR function (see \fBprovider\fR\|(7)), if the provider has one. It returns an array of \fIOSSL_ALGORITHM\fR for the given \fIoperation_id\fR terminated by an all -NULL OSSL_ALGORITHM entry. This is considered a low-level function that most +NULL OSSL_ALGORITHM entry. This is considered a low\-level function that most applications should not need to call. 
.PP -\&\fBOSSL_PROVIDER_unquery_operation()\fR calls the provider's \fIunquery_operation\fR +\&\fBOSSL_PROVIDER_unquery_operation()\fR calls the provider\*(Aqs \fIunquery_operation\fR function (see \fBprovider\fR\|(7)), if the provider has one. This is considered a -low-level function that most applications should not need to call. +low\-level function that most applications should not need to call. .PP \&\fBOSSL_PROVIDER_get0_provider_ctx()\fR returns the provider context for the given provider. The provider context is an opaque handle set by the provider itself and is passed back to the provider by libcrypto in various function calls. .PP -\&\fBOSSL_PROVIDER_get0_dispatch()\fR returns the provider's dispatch table as it was -returned in the \fIout\fR parameter from the provider's init function. See +\&\fBOSSL_PROVIDER_get0_dispatch()\fR returns the provider\*(Aqs dispatch table as it was +returned in the \fIout\fR parameter from the provider\*(Aqs init function. See \&\fBprovider\-base\fR\|(7). .PP If it is permissible to cache references to this array then \fI*no_store\fR is set @@ -264,7 +267,7 @@ supported by the provider specified in \fIprov\fR with the capability name will call the callback \fIcb\fR and supply a set of \fBOSSL_PARAM\fR\|(3)s describing the capability. It will also pass back the argument \fIarg\fR. For more details about capabilities and what they can be used for please see -"CAPABILTIIES" in \fBprovider\-base\fR\|(7). +"CAPABILITIES" in \fBprovider\-base\fR\|(7). .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_PROVIDER_set_default_search_path()\fR, \fBOSSL_PROVIDER_add()\fR, diff --git a/secure/lib/libcrypto/man/man3/OSSL_QUIC_client_method.3 b/secure/lib/libcrypto/man/man3/OSSL_QUIC_client_method.3 index 805a564c05a6..b8a6c95a732c 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_QUIC_client_method.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_QUIC_client_method.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_QUIC_CLIENT_METHOD 3ossl" -.TH OSSL_QUIC_CLIENT_METHOD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_QUIC_CLIENT_METHOD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -85,7 +88,7 @@ The \fBOSSL_QUIC_client_method()\fR does not use threads and depends on nonblocking mode of operation and the application periodically calling SSL functions. .PP -The \fBOSSL_QUIC_server_method()\fR provides server-side QUIC protocol support and +The \fBOSSL_QUIC_server_method()\fR provides server\-side QUIC protocol support and must be used with the \fBSSL_new_listener\fR\|(3) API. Attempting to use \&\fBOSSL_QUIC_server_method()\fR with \fBSSL_new\fR\|(3) will result in an error. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_new.3 b/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_new.3 index 3bc723cdd824..068c7548bef3 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_new.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_SELF_TEST_NEW 3ossl" -.TH OSSL_SELF_TEST_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_SELF_TEST_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -97,7 +100,7 @@ If the argument is NULL, nothing is done. code. It can be used for diagnostic purposes. If this method is called the callback \fIcb\fR will receive the following \&\fBOSSL_PARAM\fR\|(3) object. -.IP """st-phase"" (\fBOSSL_PROV_PARAM_SELF_TEST_PHASE\fR) <UTF8 string>" 4 +.IP """st\-phase"" (\fBOSSL_PROV_PARAM_SELF_TEST_PHASE\fR) <UTF8 string>" 4 .IX Item """st-phase"" (OSSL_PROV_PARAM_SELF_TEST_PHASE) <UTF8 string>" The value is the string "Start" .PP @@ -109,7 +112,7 @@ The \fItype\fR and \fIdesc\fR can be used to identify an individual self test to target for failure testing. If this method is called the callback \fIcb\fR will receive the following \&\fBOSSL_PARAM\fR\|(3) object. -.IP """st-phase"" (\fBOSSL_PROV_PARAM_SELF_TEST_PHASE\fR) <UTF8 string>" 4 +.IP """st\-phase"" (\fBOSSL_PROV_PARAM_SELF_TEST_PHASE\fR) <UTF8 string>" 4 .IX Item """st-phase"" (OSSL_PROV_PARAM_SELF_TEST_PHASE) <UTF8 string>" The value is the string "Corrupt" .PP 
@@ -118,7 +121,7 @@ just before cleanup to indicate if the test passed or failed. It can be used for diagnostic purposes. If this method is called the callback \fIcb\fR will receive the following \&\fBOSSL_PARAM\fR\|(3) object. -.IP """st-phase"" (\fBOSSL_PROV_PARAM_SELF_TEST_PHASE\fR) <UTF8 string>" 4 +.IP """st\-phase"" (\fBOSSL_PROV_PARAM_SELF_TEST_PHASE\fR) <UTF8 string>" 4 .IX Item """st-phase"" (OSSL_PROV_PARAM_SELF_TEST_PHASE) <UTF8 string>" The value of the string is "Pass" if \fIret\fR is non zero, otherwise it has the value "Fail". @@ -129,11 +132,11 @@ After the callback \fIcb\fR has been called the values that were set by If \fBOSSL_SELF_TEST_onbegin()\fR, \fBOSSL_SELF_TEST_oncorrupt_byte()\fR or \&\fBOSSL_SELF_TEST_onend()\fR is called the following additional \fBOSSL_PARAM\fR\|(3) are passed to the callback. -.IP """st-type"" (\fBOSSL_PROV_PARAM_SELF_TEST_TYPE\fR) <UTF8 string>" 4 +.IP """st\-type"" (\fBOSSL_PROV_PARAM_SELF_TEST_TYPE\fR) <UTF8 string>" 4 .IX Item """st-type"" (OSSL_PROV_PARAM_SELF_TEST_TYPE) <UTF8 string>" The value is setup by the \fItype\fR passed to \fBOSSL_SELF_TEST_onbegin()\fR. This allows the callback to identify the type of test being run. -.IP """st-desc"" (\fBOSSL_PROV_PARAM_SELF_TEST_DESC\fR) <UTF8 string>" 4 +.IP """st\-desc"" (\fBOSSL_PROV_PARAM_SELF_TEST_DESC\fR) <UTF8 string>" 4 .IX Item """st-desc"" (OSSL_PROV_PARAM_SELF_TEST_DESC) <UTF8 string>" The value is setup by the \fItype\fR passed to \fBOSSL_SELF_TEST_onbegin()\fR. This allows the callback to identify the sub category of the test being run. @@ -188,7 +191,7 @@ A single self test could be set up in the following way: \& EVP_MD_CTX_free(ctx); .Ve .PP -Multiple self test's can be set up in a similar way by repeating the pattern of +Multiple self test\*(Aqs can be set up in a similar way by repeating the pattern of \&\fBOSSL_SELF_TEST_onbegin()\fR, \fBOSSL_SELF_TEST_oncorrupt_byte()\fR, \fBOSSL_SELF_TEST_onend()\fR for each test. .SH "SEE ALSO" 
diff --git a/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_set_callback.3 b/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_set_callback.3 index e943cd23aa37..b0788e7d619c 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_set_callback.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_set_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_SELF_TEST_SET_CALLBACK 3ossl" -.TH OSSL_SELF_TEST_SET_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_SELF_TEST_SET_CALLBACK 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_INFO.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_INFO.3 index d29f3a46db95..c4db1368a2c1 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_STORE_INFO.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_INFO.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_STORE_INFO 3ossl" -.TH OSSL_STORE_INFO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_STORE_INFO 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -120,7 +123,7 @@ supported objects from \fBOSSL_STORE_INFO\fR objects and for scheme specific loaders to create \fBOSSL_STORE_INFO\fR holders. .SS Types .IX Subsection "Types" -\&\fBOSSL_STORE_INFO\fR is an opaque type that's just an intermediary holder for +\&\fBOSSL_STORE_INFO\fR is an opaque type that\*(Aqs just an intermediary holder for the objects that have been retrieved by \fBOSSL_STORE_load()\fR and similar functions. Supported OpenSSL type object can be extracted using one of STORE_INFO_get0_<TYPE>() where <TYPE> can be NAME, PARAMS, PKEY, CERT, or CRL. @@ -173,7 +176,7 @@ This description is meant to be human readable and should be used for information printout. .PP \&\fBOSSL_STORE_INFO_new()\fR creates a \fBOSSL_STORE_INFO\fR with an arbitrary \fItype\fR -number and \fIdata\fR structure. It's the responsibility of the caller to +number and \fIdata\fR structure. It\*(Aqs the responsibility of the caller to define type numbers other than the ones defined by \fI<openssl/store.h>\fR, and to handle freeing the associated data structure on their own. \&\fIUsing type numbers that are defined by <openssl/store.h> may cause 
@@ -190,7 +193,7 @@ Currently supported object types are: .IP OSSL_STORE_INFO_NAME 4 .IX Item "OSSL_STORE_INFO_NAME" A name is exactly that, a name. -It's like a name in a directory, but formatted as a complete URI. +It\*(Aqs like a name in a directory, but formatted as a complete URI. For example, the path in URI \f(CW\*(C`file:/foo/bar/\*(C'\fR could include a file named \f(CW\*(C`cookie.pem\*(C'\fR, and in that case, the returned \fBOSSL_STORE_INFO_NAME\fR object would have the URI \f(CW\*(C`file:/foo/bar/cookie.pem\*(C'\fR, which can be @@ -207,9 +210,9 @@ The returned URI is considered canonical and must be unique and permanent for the storage where the object (or collection of objects) resides. Each loader is responsible for ensuring that it only returns canonical URIs. -However, it's possible that certain schemes allow an object (or collection +However, it\*(Aqs possible that certain schemes allow an object (or collection thereof) to be reached with alternative URIs; just because one URI is -canonical doesn't mean that other variants can't be used. +canonical doesn\*(Aqt mean that other variants can\*(Aqt be used. .Sp At the discretion of the loader that was used to get these names, an extra description may be attached as well. diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_LOADER.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_LOADER.3 index 98c43ae18b58..89b7f9c5cd1f 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_STORE_LOADER.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_LOADER.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_STORE_LOADER 3ossl" -.TH OSSL_STORE_LOADER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_STORE_LOADER 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -195,7 +198,7 @@ If the argument is NULL, nothing is done. with the given \fIloader\fR. .PP \&\fBOSSL_STORE_LOADER_is_a()\fR checks if \fIloader\fR is an implementation -of an algorithm that's identifiable with \fIscheme\fR. +of an algorithm that\*(Aqs identifiable with \fIscheme\fR. .PP \&\fBOSSL_STORE_LOADER_get0_description()\fR returns a description of the \fIloader\fR, meant for display and human consumption. The description is at the discretion of the @@ -276,7 +279,7 @@ function is expected to return 1 on success, 0 on error. .IX Item "OSSL_STORE_load_fn" This function takes a \fBOSSL_STORE_LOADER_CTX\fR pointer and a \fBUI_METHOD\fR with associated data. -It's expected to load the next available data, mold it into a data +It\*(Aqs expected to load the next available data, mold it into a data structure that can be wrapped in a \fBOSSL_STORE_INFO\fR using one of the \&\fBOSSL_STORE_INFO\fR\|(3) functions. If no more data is available or an error occurs, this function is @@ -356,7 +359,7 @@ or NULL on error. \&\fBOSSL_STORE_LOADER_names_do_all()\fR returns 1 if the callback was called for all names. A return value of 0 means that the callback was not called for any names. .PP -\&\fBOSSL_STORE_LOADER_free()\fR doesn't return any value. +\&\fBOSSL_STORE_LOADER_free()\fR doesn\*(Aqt return any value. .PP \&\fBOSSL_STORE_LOADER_get0_provider()\fR returns a pointer to a provider object, or NULL on error. 
@@ -368,7 +371,7 @@ definition string, or NULL on error. otherwise 0. .PP \&\fBOSSL_STORE_LOADER_get0_description()\fR returns a pointer to a description, or NULL if -there isn't one. +there isn\*(Aqt one. .PP The functions with the types \fBOSSL_STORE_open_fn\fR, \&\fBOSSL_STORE_open_ex_fn\fR, \fBOSSL_STORE_ctrl_fn\fR, diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_SEARCH.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_SEARCH.3 index 1cb7d92685bb..5ce27dbe7d2e 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_STORE_SEARCH.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_SEARCH.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_STORE_SEARCH 3ossl" -.TH OSSL_STORE_SEARCH 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_STORE_SEARCH 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -105,7 +108,7 @@ OSSL_STORE_SEARCH_get0_digest .SH DESCRIPTION .IX Header "DESCRIPTION" These functions are used to specify search criteria to help search for specific -objects through other names than just the URI that's given to \fBOSSL_STORE_open()\fR. +objects through other names than just the URI that\*(Aqs given to \fBOSSL_STORE_open()\fR. For example, this can be useful for an application that has received a URI and then wants to add on search criteria in a uniform and supported manner. .SS Types 
diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_attach.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_attach.3 index 5d31191a75c4..272432815db5 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_STORE_attach.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_attach.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_STORE_ATTACH 3ossl" -.TH OSSL_STORE_ATTACH 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_STORE_ATTACH 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_expect.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_expect.3 index 40e35fd78115..861408fa8197 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_STORE_expect.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_expect.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_STORE_EXPECT 3ossl" -.TH OSSL_STORE_EXPECT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_STORE_EXPECT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -101,7 +104,7 @@ supported search criterion types. .SH NOTES .IX Header "NOTES" If a more elaborate filter is required by the application, a better choice -would be to use a post-processing function. +would be to use a post\-processing function. See \fBOSSL_STORE_open\fR\|(3) for more information. .PP However, some loaders may take advantage of the knowledge of an expected type diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_open.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_open.3 index c9c7a3e204f1..6ec5cf8ad783 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_STORE_open.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_open.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_STORE_OPEN 3ossl" -.TH OSSL_STORE_OPEN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_STORE_OPEN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -110,7 +113,7 @@ These functions help the application to fetch supported objects (see from a given URI. The general method to do so is to "open" the URI using \fBOSSL_STORE_open()\fR, read each available and supported object using \fBOSSL_STORE_load()\fR as long as -\&\fBOSSL_STORE_eof()\fR hasn't been reached, and finish it off with \fBOSSL_STORE_close()\fR. +\&\fBOSSL_STORE_eof()\fR hasn\*(Aqt been reached, and finish it off with \fBOSSL_STORE_close()\fR. .PP The retrieved information is stored in a \fBOSSL_STORE_INFO\fR, which is further described in \fBOSSL_STORE_INFO\fR\|(3). @@ -146,7 +149,7 @@ the \fIparams\fR, the library context \fIlibctx\fR and property query \fIpropq\f \&\fBOSSL_STORE_ctrl()\fR takes a \fBOSSL_STORE_CTX\fR, and command number \fIcmd\fR and more arguments not specified here. The available loader specific command numbers and arguments they each -take depends on the loader that's used and is documented together with +take depends on the loader that\*(Aqs used and is documented together with that loader. .PP There are also global controls available: @@ -163,7 +166,7 @@ available object and return it wrapped with \fBOSSL_STORE_INFO\fR. .PP \&\fBOSSL_STORE_delete()\fR deletes the object identified by \fIuri\fR. .PP -\&\fBOSSL_STORE_eof()\fR takes a \fBOSSL_STORE_CTX\fR and checks if we've reached the end +\&\fBOSSL_STORE_eof()\fR takes a \fBOSSL_STORE_CTX\fR and checks if we\*(Aqve reached the end of data. .PP \&\fBOSSL_STORE_error()\fR takes a \fBOSSL_STORE_CTX\fR and checks if an error occurred in 
@@ -177,12 +180,12 @@ by \fBOSSL_STORE_open()\fR and frees all other information that was stored in th If \fIctx\fR is NULL it does nothing. .SH NOTES .IX Header "NOTES" -A string without a scheme prefix (that is, a non-URI string) is +A string without a scheme prefix (that is, a non\-URI string) is implicitly interpreted as using the \fIfile:\fR scheme. .PP There are some tools that can be used together with \&\fBOSSL_STORE_open()\fR to determine if any failure is caused by an unparsable -URI, or if it's a different error (such as memory allocation +URI, or if it\*(Aqs a different error (such as memory allocation failures); if the URI was parsable but the scheme unregistered, the top error will have the reason \f(CW\*(C`OSSL_STORE_R_UNREGISTERED_SCHEME\*(C'\fR. .PP diff --git a/secure/lib/libcrypto/man/man3/OSSL_sleep.3 b/secure/lib/libcrypto/man/man3/OSSL_sleep.3 index ccb724a474e1..9b35343e004b 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_sleep.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_sleep.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_SLEEP 3ossl" -.TH OSSL_SLEEP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_SLEEP 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OSSL_trace_enabled.3 b/secure/lib/libcrypto/man/man3/OSSL_trace_enabled.3 index 33b65043fcfd..9d5435cfa460 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_trace_enabled.3 
+++ b/secure/lib/libcrypto/man/man3/OSSL_trace_enabled.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_TRACE_ENABLED 3ossl" -.TH OSSL_TRACE_ENABLED 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_TRACE_ENABLED 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -123,7 +126,7 @@ The tracing types are described in detail in The fallback type \fBOSSL_TRACE_CATEGORY_ALL\fR should \fInot\fR be used with the functions described here. .PP -Tracing for a specific category is enabled at run-time if a so-called +Tracing for a specific category is enabled at run\-time if a so\-called \&\fItrace channel\fR is attached to it. A trace channel is simply a BIO object to which the application can write its trace output. .PP @@ -230,12 +233,12 @@ This will normally expand to: .Ve .PP \&\fBOSSL_TRACE()\fR and \fBOSSL_TRACE1()\fR, \fBOSSL_TRACE2()\fR, ... \fBOSSL_TRACE9()\fR are -so-called one-shot macros: +so\-called one\-shot macros: .PP The macro call \f(CW\*(C`OSSL_TRACE(category, text)\*(C'\fR, produces literal text trace output. .PP The macro call \f(CW\*(C`OSSL_TRACEn(category, format, arg1, ..., argn)\*(C'\fR produces -printf-style trace output with n format field arguments (n=1,...,9). +printf\-style trace output with n format field arguments (n=1,...,9). It expands to: .PP .Vb 3 
@@ -244,7 +247,7 @@ It expands to: \& } OSSL_TRACE_END(category) .Ve .PP -Internally, all one-shot macros are implemented using a generic \fBOSSL_TRACEV()\fR +Internally, all one\-shot macros are implemented using a generic \fBOSSL_TRACEV()\fR macro, since C90 does not support variadic macros. This helper macro has a rather weird synopsis and should not be used directly. .PP @@ -314,14 +317,14 @@ contention. .Ve .PP Note however that premature optimization of tracing code is in general futile -and it's better to keep the tracing code as simple as possible. -Because most often the limiting factor for the application's speed is the time +and it\*(Aqs better to keep the tracing code as simple as possible. +Because most often the limiting factor for the application\*(Aqs speed is the time it takes to print the trace output, not to calculate it. .SS "Configure Tracing" .IX Subsection "Configure Tracing" By default, the OpenSSL library is built with tracing disabled. To use the tracing functionality documented here, it is therefore -necessary to configure and build OpenSSL with the 'enable\-trace' option. +necessary to configure and build OpenSSL with the \*(Aqenable\-trace\*(Aq option. .PP When the library is built with tracing disabled: .IP \(bu 4 @@ -346,7 +349,7 @@ For example, take this example from "Macros" section above: \& } OSSL_TRACE_END(TLS); .Ve .Sp -When the tracing API isn't operational, that will expand to: +When the tracing API isn\*(Aqt operational, that will expand to: .Sp .Vb 10 \& do { diff --git a/secure/lib/libcrypto/man/man3/OSSL_trace_get_category_num.3 b/secure/lib/libcrypto/man/man3/OSSL_trace_get_category_num.3 index 850ff85bb10c..34b334ef540c 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_trace_get_category_num.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_trace_get_category_num.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_TRACE_GET_CATEGORY_NUM 3ossl" -.TH OSSL_TRACE_GET_CATEGORY_NUM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_TRACE_GET_CATEGORY_NUM 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OSSL_trace_set_channel.3 b/secure/lib/libcrypto/man/man3/OSSL_trace_set_channel.3 index 5f761e19d9af..553a909c94e8 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_trace_set_channel.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_trace_set_channel.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_TRACE_SET_CHANNEL 3ossl" -.TH OSSL_TRACE_SET_CHANNEL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_TRACE_SET_CHANNEL 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -84,7 +87,7 @@ This output comes in form of free text for humans to read. .PP The trace output is divided into categories which can be enabled individually. -Every category can be enabled individually by attaching a so-called +Every category can be enabled individually by attaching a so\-called \&\fItrace channel\fR to it, which in the simplest case is just a BIO object to which the application can write the tracing output for this category. Alternatively, the application can provide a tracer callback in order to @@ -98,7 +101,7 @@ respectively. \&\fBOSSL_TRACE_ENABLED\fR\|(3) can be used to check whether tracing is currently enabled for the given category. Functions like \fBOSSL_TRACE1\fR\|(3) and macros like \fBOSSL_TRACE_BEGIN\fR\|(3) -can be used for producing free-text trace output. +can be used for producing free\-text trace output. .SS Functions .IX Subsection "Functions" \&\fBOSSL_trace_set_channel()\fR is used to enable the given trace \f(CW\*(C`category\*(C'\fR @@ -118,11 +121,11 @@ tracing prefixes, consider setting a callback with \&\fBOSSL_trace_set_callback()\fR is used to enable the given trace \&\fIcategory\fR by giving it the tracer callback \fIcb\fR with the associated data \fIdata\fR, which will simply be passed through to \fIcb\fR whenever -it's called. The callback function is internally wrapped by a -dedicated BIO object, the so-called \fIcallback trace channel\fR. -This should be used when it's desirable to do form the trace output to +it\*(Aqs called. The callback function is internally wrapped by a +dedicated BIO object, the so\-called \fIcallback trace channel\fR. +This should be used when it\*(Aqs desirable to do form the trace output to something suitable for application needs where a prefix and suffix -line aren't enough. +line aren\*(Aqt enough. .PP \&\fBOSSL_trace_set_channel()\fR and \fBOSSL_trace_set_callback()\fR are mutually exclusive, calling one of them will clear whatever was set by the 
@@ -175,7 +178,7 @@ This needs special care, as OpenSSL will do automatic cleanup after exit from \f(CWmain()\fR, and any tracing output done during this cleanup will be lost if the tracing channel or callback were cleaned away prematurely. -A suggestion is to make such cleanup part of a function that's +A suggestion is to make such cleanup part of a function that\*(Aqs registered very early with \fBatexit\fR\|(3). .IP \fBOSSL_TRACE_CATEGORY_TLS\fR 4 .IX Item "OSSL_TRACE_CATEGORY_TLS" @@ -241,7 +244,7 @@ There is also \fBOSSL_TRACE_CATEGORY_ALL\fR, which works as a fallback and can be used to get \fIall\fR trace output. .PP Note, however, that in this case all trace output will effectively be -associated with the 'ALL' category, which is undesirable if the +associated with the \*(AqALL\*(Aq category, which is undesirable if the application intends to include the category name in the trace output. In this case it is better to register separate channels for each trace category instead. @@ -347,7 +350,7 @@ The output is almost the same as for the simple example above. .IX Subsection "Configure Tracing" By default, the OpenSSL library is built with tracing disabled. To use the tracing functionality documented here, it is therefore -necessary to configure and build OpenSSL with the 'enable\-trace' option. +necessary to configure and build OpenSSL with the \*(Aqenable\-trace\*(Aq option. .PP When the library is built with tracing disabled, the macro \&\fBOPENSSL_NO_TRACE\fR is defined in \fI<openssl/opensslconf.h>\fR and all diff --git a/secure/lib/libcrypto/man/man3/OpenSSL_add_all_algorithms.3 b/secure/lib/libcrypto/man/man3/OpenSSL_add_all_algorithms.3 index dd3984bba9eb..3930c3a30105 100644 --- a/secure/lib/libcrypto/man/man3/OpenSSL_add_all_algorithms.3 +++ b/secure/lib/libcrypto/man/man3/OpenSSL_add_all_algorithms.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_ADD_ALL_ALGORITHMS 3ossl" -.TH OPENSSL_ADD_ALL_ALGORITHMS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_ADD_ALL_ALGORITHMS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/OpenSSL_version.3 b/secure/lib/libcrypto/man/man3/OpenSSL_version.3 index ef70574cd3f8..9e39ae5ce379 100644 --- a/secure/lib/libcrypto/man/man3/OpenSSL_version.3 +++ b/secure/lib/libcrypto/man/man3/OpenSSL_version.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_VERSION 3ossl" -.TH OPENSSL_VERSION 3ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_VERSION 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -112,7 +115,7 @@ The three macros \fBOPENSSL_VERSION_MAJOR\fR, \fBOPENSSL_VERSION_MINOR\fR and identifier, \fR\f(BIMAJOR\fR\fB.\fR\f(BIMINOR\fR\fB.\fR\f(BIPATCH\fR\fB\fR. .PP The macro \fBOPENSSL_VERSION_PRE_RELEASE\fR is an added bit of text that -indicates that this is a pre-release version, such as \f(CW"\-dev"\fR for an +indicates that this is a pre\-release version, such as \f(CW"\-dev"\fR for an ongoing development snapshot or \f(CW"\-alpha3"\fR for an alpha release. The value must be a string. .PP @@ -133,7 +136,7 @@ version text, which includes \fBOPENSSL_FULL_VERSION_STR\fR and the release date. .PP \&\fBOPENSSL_VERSION_PREREQ\fR is a useful macro for checking whether the OpenSSL -version for the headers in use is at least at the given pre-requisite major +version for the headers in use is at least at the given pre\-requisite major (\fBmaj\fR) and minor (\fBmin\fR) number or not. It will evaluate to true if the header version number (\fBOPENSSL_VERSION_MAJOR\fR.\fBOPENSSL_VERSION_MINOR\fR) is greater than or equal to \fBmaj\fR.\fBmin\fR. @@ -206,7 +209,7 @@ The Windows install context. The Windows install context is used to compute the OpenSSL registry key name on Windows. The full registry key is \&\f(CW\*(C`SOFTWARE\eWOW6432Node\eOpenSSL\-{major}.{minor}\-{context}\*(C'\fR, where \f(CW\*(C`{major}\*(C'\fR, -\&\f(CW\*(C`{minor}\*(C'\fR and \f(CW\*(C`{context}\*(C'\fR are OpenSSL's major version number, minor version +\&\f(CW\*(C`{minor}\*(C'\fR and \f(CW\*(C`{context}\*(C'\fR are OpenSSL\*(Aqs major version number, minor version number and the Windows install context, respectively. .PP For an unknown \fIt\fR, the text \f(CW\*(C`not available\*(C'\fR is returned. 
@@ -252,7 +255,7 @@ The Windows install context. The Windows install context is used to compute the OpenSSL registry key name on Windows. The full registry key is \&\f(CW\*(C`SOFTWARE\eWOW6432Node\eOpenSSL\-{major}.{minor}\-{context}\*(C'\fR, where \f(CW\*(C`{major}\*(C'\fR, -\&\f(CW\*(C`{minor}\*(C'\fR and \f(CW\*(C`{context}\*(C'\fR are OpenSSL's major version number, minor version +\&\f(CW\*(C`{minor}\*(C'\fR and \f(CW\*(C`{context}\*(C'\fR are OpenSSL\*(Aqs major version number, minor version number and the Windows install context, respectively. .PP For an unknown \fIt\fR, NULL is returned. diff --git a/secure/lib/libcrypto/man/man3/PBMAC1_get1_pbkdf2_param.3 b/secure/lib/libcrypto/man/man3/PBMAC1_get1_pbkdf2_param.3 index f02a5337232f..70001f204576 100644 --- a/secure/lib/libcrypto/man/man3/PBMAC1_get1_pbkdf2_param.3 +++ b/secure/lib/libcrypto/man/man3/PBMAC1_get1_pbkdf2_param.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PBMAC1_GET1_PBKDF2_PARAM 3ossl" -.TH PBMAC1_GET1_PBKDF2_PARAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PBMAC1_GET1_PBKDF2_PARAM 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PEM_X509_INFO_read_bio_ex.3 b/secure/lib/libcrypto/man/man3/PEM_X509_INFO_read_bio_ex.3 index 2d05e15fe278..d4afa5044502 100644 --- a/secure/lib/libcrypto/man/man3/PEM_X509_INFO_read_bio_ex.3 +++ b/secure/lib/libcrypto/man/man3/PEM_X509_INFO_read_bio_ex.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PEM_X509_INFO_READ_BIO_EX 3ossl" -.TH PEM_X509_INFO_READ_BIO_EX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PEM_X509_INFO_READ_BIO_EX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PEM_bytes_read_bio.3 b/secure/lib/libcrypto/man/man3/PEM_bytes_read_bio.3 index cd6d16ead5d6..caa1b5f2abb2 100644 --- a/secure/lib/libcrypto/man/man3/PEM_bytes_read_bio.3 +++ b/secure/lib/libcrypto/man/man3/PEM_bytes_read_bio.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PEM_BYTES_READ_BIO 3ossl" -.TH PEM_BYTES_READ_BIO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PEM_BYTES_READ_BIO 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -76,12 +79,12 @@ PEM_bytes_read_bio, PEM_bytes_read_bio_secmem \- read a PEM\-encoded data struct .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBPEM_bytes_read_bio()\fR reads PEM-formatted (IETF RFC 1421 and IETF RFC 7468) +\&\fBPEM_bytes_read_bio()\fR reads PEM\-formatted (IETF RFC 1421 and IETF RFC 7468) data from the BIO \&\fIbp\fR for the data type given in \fIname\fR (RSA PRIVATE KEY, CERTIFICATE, -etc.). If multiple PEM-encoded data structures are present in the same -stream, \fBPEM_bytes_read_bio()\fR will skip non-matching data types and -continue reading. Non-PEM data present in the stream may cause an +etc.). If multiple PEM\-encoded data structures are present in the same +stream, \fBPEM_bytes_read_bio()\fR will skip non\-matching data types and +continue reading. Non\-PEM data present in the stream may cause an error. .PP The PEM header may indicate that the following data is encrypted; if so, @@ -92,9 +95,9 @@ the decryption passphrase, if applicable. Some data types have compatibility aliases, such as a file containing X509 CERTIFICATE matching a request for the deprecated type CERTIFICATE. The actual type indicated by the file is returned in \fI*pnm\fR if \fIpnm\fR is -non-NULL. The caller must free the storage pointed to by \fI*pnm\fR. +non\-NULL. The caller must free the storage pointed to by \fI*pnm\fR. .PP -The returned data is the DER-encoded form of the requested type, in +The returned data is the DER\-encoded form of the requested type, in \&\fI*pdata\fR with length \fI*plen\fR. The caller must free the storage pointed to by \fI*pdata\fR. .PP diff --git a/secure/lib/libcrypto/man/man3/PEM_read.3 b/secure/lib/libcrypto/man/man3/PEM_read.3 index 919374867547..501028373949 100644 --- a/secure/lib/libcrypto/man/man3/PEM_read.3 +++ b/secure/lib/libcrypto/man/man3/PEM_read.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PEM_READ 3ossl" -.TH PEM_READ 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PEM_READ 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -97,7 +100,7 @@ PEM_write_bio, PEM_ASN1_write, PEM_ASN1_write_bio, PEM_ASN1_write_bio_ctx .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -These functions read and write PEM-encoded objects, using the PEM +These functions read and write PEM\-encoded objects, using the PEM type \fBname\fR, any additional \fBheader\fR information, and the raw \&\fBdata\fR of length \fBlen\fR. .PP @@ -126,7 +129,7 @@ for examples. .PP \&\fBPEM_read()\fR reads from the file \fBfp\fR, while \fBPEM_read_bio()\fR reads from the BIO \fBbp\fR. -Both skip any non-PEM data that precedes the start of the next PEM object. +Both skip any non\-PEM data that precedes the start of the next PEM object. When an object is successfully retrieved, the type name from the "\-\-\-\-BEGIN <type>\-\-\-\-\-" is returned via the \fBname\fR argument, any encapsulation headers are returned in \fBheader\fR and the base64\-decoded content and its length are 
@@ -175,7 +178,7 @@ The \fBdata\fR is likely meaningless if these functions fail. The \fBPEM_get_EVP_CIPHER_INFO()\fR and \fBPEM_do_header()\fR functions are deprecated. This is because the underlying PEM encryption format is obsolete, and should be avoided. -It uses an encryption format with an OpenSSL-specific key-derivation function, +It uses an encryption format with an OpenSSL\-specific key\-derivation function, which employs MD5 with an iteration count of 1! Instead, private keys should be stored in PKCS#8 form, with a strong PKCS#5 v2.0 PBE. @@ -189,7 +192,7 @@ It will simply be treated as a byte sequence. counting the PEM header and end marker) written on success or 0 on failure. .PP \&\fBPEM_ASN1_write_bio()\fR, and \fBPEM_ASN1_write_bio_ctx()\fR return 1 on success and 0 on -failure. The latter function passes an additional application-provided context +failure. The latter function passes an additional application\-provided context value to the \fBi2d\fR function that serialises the input ASN.1 object. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/PEM_read_CMS.3 b/secure/lib/libcrypto/man/man3/PEM_read_CMS.3 index a13ceb8de7ea..2525d17581d6 100644 --- a/secure/lib/libcrypto/man/man3/PEM_read_CMS.3 +++ b/secure/lib/libcrypto/man/man3/PEM_read_CMS.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PEM_READ_CMS 3ossl" -.TH PEM_READ_CMS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PEM_READ_CMS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -154,10 +157,10 @@ the next four lines of the synopsis. .PP These routines convert between local instances of ASN1 datatypes and the PEM encoding. For more information on the templates, see -\&\fBASN1_ITEM\fR\|(3). For more information on the lower-level routines used +\&\fBASN1_ITEM\fR\|(3). For more information on the lower\-level routines used by the functions here, see \fBPEM_read\fR\|(3). .PP -\&\fBPEM_read_\fR\f(BITYPE\fR() reads a PEM-encoded object of \fB\fR\f(BITYPE\fR\fB\fR from the file +\&\fBPEM_read_\fR\f(BITYPE\fR() reads a PEM\-encoded object of \fB\fR\f(BITYPE\fR\fB\fR from the file \&\fIfp\fR and returns it. The \fIcb\fR and \fIu\fR parameters are as described in \&\fBpem_password_cb\fR\|(3). .PP diff --git a/secure/lib/libcrypto/man/man3/PEM_read_bio_PrivateKey.3 b/secure/lib/libcrypto/man/man3/PEM_read_bio_PrivateKey.3 index 26322737087e..376ecef7bc97 100644 --- a/secure/lib/libcrypto/man/man3/PEM_read_bio_PrivateKey.3 +++ b/secure/lib/libcrypto/man/man3/PEM_read_bio_PrivateKey.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PEM_READ_BIO_PRIVATEKEY 3ossl" -.TH PEM_READ_BIO_PRIVATEKEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PEM_READ_BIO_PRIVATEKEY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -341,12 +344,12 @@ key is not DSA. .PP The \fBParameters\fR functions read or write key parameters in PEM format using an EVP_PKEY structure. The encoding depends on the type of key; for DSA key -parameters, it will be a Dss-Parms structure as defined in RFC2459, and for DH +parameters, it will be a Dss\-Parms structure as defined in RFC2459, and for DH key parameters, it will be a PKCS#3 DHparameter structure. \fIThese functions only exist for the \fR\f(BIBIO\fR\fI type\fR. .PP The \fBDSAparams\fR functions process DSA parameters using a DSA -structure. The parameters are encoded using a Dss-Parms structure +structure. The parameters are encoded using a Dss\-Parms structure as defined in RFC2459. .PP The \fBDHparams\fR functions process DH parameters using a DH 
@@ -485,17 +488,17 @@ The private key (or other data) takes the following form: \& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\- .Ve .PP -The line beginning with \fIProc-Type\fR contains the version and the -protection on the encapsulated data. The line beginning \fIDEK-Info\fR +The line beginning with \fIProc\-Type\fR contains the version and the +protection on the encapsulated data. The line beginning \fIDEK\-Info\fR contains two comma separated values: the encryption algorithm name as used by \fBEVP_get_cipherbyname()\fR and an initialization vector used by the cipher encoded as a set of hexadecimal digits. After those two lines is the base64\-encoded encrypted data. .PP -The encryption key is derived using \fBEVP_BytesToKey()\fR. The cipher's +The encryption key is derived using \fBEVP_BytesToKey()\fR. The cipher\*(Aqs initialization vector is passed to \fBEVP_BytesToKey()\fR as the \fIsalt\fR parameter. Internally, \fBPKCS5_SALT_LEN\fR bytes of the salt are used -(regardless of the size of the initialization vector). The user's +(regardless of the size of the initialization vector). The user\*(Aqs password is passed to \fBEVP_BytesToKey()\fR using the \fIdata\fR and \fIdatal\fR parameters. Finally, the library uses an iteration count of 1 for \&\fBEVP_BytesToKey()\fR. diff --git a/secure/lib/libcrypto/man/man3/PEM_read_bio_ex.3 b/secure/lib/libcrypto/man/man3/PEM_read_bio_ex.3 index 51c13d5b7a7d..8c804f6ceb31 100644 --- a/secure/lib/libcrypto/man/man3/PEM_read_bio_ex.3 +++ b/secure/lib/libcrypto/man/man3/PEM_read_bio_ex.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PEM_READ_BIO_EX 3ossl" -.TH PEM_READ_BIO_EX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PEM_READ_BIO_EX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PEM_write_bio_CMS_stream.3 b/secure/lib/libcrypto/man/man3/PEM_write_bio_CMS_stream.3 index a02b0060c261..b9dc51c261e9 100644 --- a/secure/lib/libcrypto/man/man3/PEM_write_bio_CMS_stream.3 +++ b/secure/lib/libcrypto/man/man3/PEM_write_bio_CMS_stream.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PEM_WRITE_BIO_CMS_STREAM 3ossl" -.TH PEM_WRITE_BIO_CMS_STREAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PEM_WRITE_BIO_CMS_STREAM 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PEM_write_bio_PKCS7_stream.3 b/secure/lib/libcrypto/man/man3/PEM_write_bio_PKCS7_stream.3 index 26d3fe555291..24889550b0ba 100644 --- a/secure/lib/libcrypto/man/man3/PEM_write_bio_PKCS7_stream.3 +++ b/secure/lib/libcrypto/man/man3/PEM_write_bio_PKCS7_stream.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PEM_WRITE_BIO_PKCS7_STREAM 3ossl" -.TH PEM_WRITE_BIO_PKCS7_STREAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PEM_WRITE_BIO_PKCS7_STREAM 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_PBE_keyivgen.3 b/secure/lib/libcrypto/man/man3/PKCS12_PBE_keyivgen.3 index 22993bc35667..59dffdd6cfb1 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_PBE_keyivgen.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_PBE_keyivgen.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_PBE_KEYIVGEN 3ossl" -.TH PKCS12_PBE_KEYIVGEN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_PBE_KEYIVGEN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -101,7 +104,7 @@ implementations. .PP \&\fBPKCS12_pbe_crypt()\fR and \fBPKCS12_pbe_crypt_ex()\fR will encrypt or decrypt a buffer based on the algorithm in \fIalgor\fR and password \fIpass\fR of length \fIpasslen\fR. -The input is from \fIin\fR of length \fIinlen\fR and output is into a malloc'd buffer +The input is from \fIin\fR of length \fIinlen\fR and output is into a malloc\*(Aqd buffer returned in \fI*data\fR of length \fIdatalen\fR. The operation is determined by \fIen_de\fR, encryption (\fIen_de\fR=1) or decryption (\fIen_de\fR=0). .PP diff --git a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_create_cert.3 b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_create_cert.3 index 2d857ac16859..138dcd60f0a9 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_create_cert.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_create_cert.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_SAFEBAG_CREATE_CERT 3ossl" -.TH PKCS12_SAFEBAG_CREATE_CERT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_SAFEBAG_CREATE_CERT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get0_attrs.3 b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get0_attrs.3 index efb40039e2bc..4c44c0381b2e 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get0_attrs.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get0_attrs.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_SAFEBAG_GET0_ATTRS 3ossl" -.TH PKCS12_SAFEBAG_GET0_ATTRS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_SAFEBAG_GET0_ATTRS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get1_cert.3 b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get1_cert.3 index a1e43b652459..d54df42ebefa 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get1_cert.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get1_cert.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_SAFEBAG_GET1_CERT 3ossl" -.TH PKCS12_SAFEBAG_GET1_CERT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_SAFEBAG_GET1_CERT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_set0_attrs.3 b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_set0_attrs.3 index 2b45b73e4ce7..b0fe269ee919 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_set0_attrs.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_set0_attrs.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_SAFEBAG_SET0_ATTRS 3ossl" -.TH PKCS12_SAFEBAG_SET0_ATTRS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_SAFEBAG_SET0_ATTRS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_add1_attr_by_NID.3 b/secure/lib/libcrypto/man/man3/PKCS12_add1_attr_by_NID.3 index 78ce077c4eee..75f30db0f1a7 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_add1_attr_by_NID.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_add1_attr_by_NID.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_ADD1_ATTR_BY_NID 3ossl" -.TH PKCS12_ADD1_ATTR_BY_NID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_ADD1_ATTR_BY_NID 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_add_CSPName_asc.3 b/secure/lib/libcrypto/man/man3/PKCS12_add_CSPName_asc.3 index efcd89b61583..865d90eeb926 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_add_CSPName_asc.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_add_CSPName_asc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_ADD_CSPNAME_ASC 3ossl" -.TH PKCS12_ADD_CSPNAME_ASC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_ADD_CSPNAME_ASC 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_add_cert.3 b/secure/lib/libcrypto/man/man3/PKCS12_add_cert.3 index 5134656d422f..6d6d518659cf 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_add_cert.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_add_cert.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_ADD_CERT 3ossl" -.TH PKCS12_ADD_CERT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_ADD_CERT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_add_friendlyname_asc.3 b/secure/lib/libcrypto/man/man3/PKCS12_add_friendlyname_asc.3 index a9688fc8cf3c..af21b7847c1d 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_add_friendlyname_asc.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_add_friendlyname_asc.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_ADD_FRIENDLYNAME_ASC 3ossl" -.TH PKCS12_ADD_FRIENDLYNAME_ASC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_ADD_FRIENDLYNAME_ASC 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_add_localkeyid.3 b/secure/lib/libcrypto/man/man3/PKCS12_add_localkeyid.3 index e60cd1c00d2b..2519389b1c67 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_add_localkeyid.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_add_localkeyid.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_ADD_LOCALKEYID 3ossl" -.TH PKCS12_ADD_LOCALKEYID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_ADD_LOCALKEYID 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_add_safe.3 b/secure/lib/libcrypto/man/man3/PKCS12_add_safe.3 index 09338c9072ab..4448eb41d8e6 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_add_safe.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_add_safe.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_ADD_SAFE 3ossl" -.TH PKCS12_ADD_SAFE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_ADD_SAFE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_create.3 b/secure/lib/libcrypto/man/man3/PKCS12_create.3 index f39790ca686f..9b3c6d620290 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_create.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_create.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_CREATE 3ossl" -.TH PKCS12_CREATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_CREATE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_decrypt_skey.3 b/secure/lib/libcrypto/man/man3/PKCS12_decrypt_skey.3 index aa43199c35cc..31ee41c1c8fc 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_decrypt_skey.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_decrypt_skey.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_DECRYPT_SKEY 3ossl" -.TH PKCS12_DECRYPT_SKEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_DECRYPT_SKEY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_gen_mac.3 b/secure/lib/libcrypto/man/man3/PKCS12_gen_mac.3 index 5980ae499e15..99be01885159 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_gen_mac.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_gen_mac.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_GEN_MAC 3ossl" -.TH PKCS12_GEN_MAC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_GEN_MAC 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -94,7 +97,7 @@ Functions to create and manipulate a PKCS#12 MAC structure supplied password along with a set of already configured parameters. The default key generation mechanism used is PKCS12KDF. .PP -\&\fBPKCS12_verify_mac()\fR verifies the PKCS#12 object's HMAC using the supplied +\&\fBPKCS12_verify_mac()\fR verifies the PKCS#12 object\*(Aqs HMAC using the supplied password. .PP \&\fBPKCS12_setup_mac()\fR sets the MAC part of the PKCS#12 structure with the supplied diff --git a/secure/lib/libcrypto/man/man3/PKCS12_get_friendlyname.3 b/secure/lib/libcrypto/man/man3/PKCS12_get_friendlyname.3 index 83ddc5d332cc..60288a9b440d 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_get_friendlyname.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_get_friendlyname.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_GET_FRIENDLYNAME 3ossl" -.TH PKCS12_GET_FRIENDLYNAME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_GET_FRIENDLYNAME 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_init.3 b/secure/lib/libcrypto/man/man3/PKCS12_init.3 index feb5317862e5..687d97082ee8 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_init.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_init.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_INIT 3ossl" -.TH PKCS12_INIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_INIT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_item_decrypt_d2i.3 b/secure/lib/libcrypto/man/man3/PKCS12_item_decrypt_d2i.3 index 54830a9a1dd4..e848ff735706 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_item_decrypt_d2i.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_item_decrypt_d2i.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_ITEM_DECRYPT_D2I 3ossl" -.TH PKCS12_ITEM_DECRYPT_D2I 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_ITEM_DECRYPT_D2I 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_key_gen_utf8_ex.3 b/secure/lib/libcrypto/man/man3/PKCS12_key_gen_utf8_ex.3 index b736222a6e25..83057de6053b 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_key_gen_utf8_ex.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_key_gen_utf8_ex.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_KEY_GEN_UTF8_EX 3ossl" -.TH PKCS12_KEY_GEN_UTF8_EX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_KEY_GEN_UTF8_EX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -109,9 +112,9 @@ as an integrity key for MACing. .PP The intended format of the supplied password is determined by the method chosen: .IP \(bu 4 -\&\fBPKCS12_key_gen_asc()\fR and \fBPKCS12_key_gen_asc_ex()\fR expect an ASCII-formatted password. +\&\fBPKCS12_key_gen_asc()\fR and \fBPKCS12_key_gen_asc_ex()\fR expect an ASCII\-formatted password. .IP \(bu 4 -\&\fBPKCS12_key_gen_uni()\fR and \fBPKCS12_key_gen_uni_ex()\fR expect a Unicode-formatted password. +\&\fBPKCS12_key_gen_uni()\fR and \fBPKCS12_key_gen_uni_ex()\fR expect a Unicode\-formatted password. .IP \(bu 4 \&\fBPKCS12_key_gen_utf8()\fR and \fBPKCS12_key_gen_utf8_ex()\fR expect a UTF\-8 encoded password. .PP diff --git a/secure/lib/libcrypto/man/man3/PKCS12_newpass.3 b/secure/lib/libcrypto/man/man3/PKCS12_newpass.3 index 75d53629a744..8dc496ffc0b8 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_newpass.3 
+++ b/secure/lib/libcrypto/man/man3/PKCS12_newpass.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_NEWPASS 3ossl" -.TH PKCS12_NEWPASS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_NEWPASS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS12_pack_p7encdata.3 b/secure/lib/libcrypto/man/man3/PKCS12_pack_p7encdata.3 index fd59f64b3133..5d82bf820f32 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_pack_p7encdata.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_pack_p7encdata.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_PACK_P7ENCDATA 3ossl" -.TH PKCS12_PACK_P7ENCDATA 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_PACK_P7ENCDATA 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -78,7 +81,7 @@ into a PKCS#7 encrypted data object .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBPKCS12_pack_p7encdata()\fR generates a PKCS#7 ContentInfo object of encrypted-data +\&\fBPKCS12_pack_p7encdata()\fR generates a PKCS#7 ContentInfo object of encrypted\-data type from the set of safeBags \fIbags\fR. The algorithm ID in \fIpbe_nid\fR can be a PKCS#12 or PKCS#5 password based encryption algorithm, or a cipher algorithm. If a cipher algorithm is passed, the PKCS#5 PBES2 algorithm will be used with diff --git a/secure/lib/libcrypto/man/man3/PKCS12_parse.3 b/secure/lib/libcrypto/man/man3/PKCS12_parse.3 index 3fccb8f1ded8..d62f5704b6c3 100644 --- a/secure/lib/libcrypto/man/man3/PKCS12_parse.3 +++ b/secure/lib/libcrypto/man/man3/PKCS12_parse.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS12_PARSE 3ossl" -.TH PKCS12_PARSE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS12_PARSE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -82,10 +85,10 @@ certificate to \fB*cert\fR and any additional certificates to \fB*ca\fR. Each of the parameters \fBpkey\fR, \fBcert\fR, and \fBca\fR can be NULL in which case the private key, the corresponding certificate, or the additional certificates, respectively, will be discarded. -If any of \fBpkey\fR and \fBcert\fR is non-NULL the variable it points to is +If any of \fBpkey\fR and \fBcert\fR is non\-NULL the variable it points to is initialized. -If \fBca\fR is non-NULL and \fB*ca\fR is NULL a new STACK will be allocated. -If \fBca\fR is non-NULL and \fB*ca\fR is a valid STACK +If \fBca\fR is non\-NULL and \fB*ca\fR is NULL a new STACK will be allocated. +If \fBca\fR is non\-NULL and \fB*ca\fR is a valid STACK then additional certificates are appended in the given order to \fB*ca\fR. .PP The \fBfriendlyName\fR and \fBlocalKeyID\fR attributes (if present) on each diff --git a/secure/lib/libcrypto/man/man3/PKCS5_PBE_keyivgen.3 b/secure/lib/libcrypto/man/man3/PKCS5_PBE_keyivgen.3 index 367956c8e70e..4bbb1eeeb145 100644 --- a/secure/lib/libcrypto/man/man3/PKCS5_PBE_keyivgen.3 +++ b/secure/lib/libcrypto/man/man3/PKCS5_PBE_keyivgen.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS5_PBE_KEYIVGEN 3ossl" -.TH PKCS5_PBE_KEYIVGEN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS5_PBE_KEYIVGEN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -169,6 +172,13 @@ equal to 1. RFC 2898 suggests an iteration count of at least 1000. Any .PP \&\fIdigest\fR is the message digest function used in the derivation. .PP +\&\fIaiv\fR is the initialization vector (IV) to use for the encryption algorithm. +If \fIaiv\fR is NULL, then a random IV will be generated. +.PP +\&\fIprf_nid\fR is the numeric identifier (NID) for the pseudo\-random function to +use with PBKDF2. If \fIprf_nid\fR is not specified (for example, \fIprf_nid\fR is set to 0), +a default PRF is used, which is currently set to SHA\-256 (NID_hmacWithSHA256). +.PP Functions ending in \fB_ex()\fR take optional parameters \fIlibctx\fR and \fIpropq\fR which are used to select appropriate algorithm implementations. .SS "Algorithm Identifier Creation" @@ -176,7 +186,9 @@ are used to select appropriate algorithm implementations. \&\fBPKCS5_pbe_set()\fR, \fBPKCS5_pbe_set_ex()\fR, \fBPKCS5_pbe2_set()\fR, \fBPKCS5_pbe2_set_iv()\fR, \&\fBPKCS5_pbe2_set_iv_ex()\fR and \fBPKCS5_pbe2_set_scrypt()\fR generate an \fBX509_ALGOR\fR object which represents an AlgorithmIdentifier containing the algorithm OID and -associated parameters for the PBE algorithm. +associated parameters for the PBE algorithm. These functions encode the +key derivation parameters (such as salt and iteration count) and the +encryption parameters (such as the IV) into the ASN.1 structure. .PP \&\fBPKCS5_pbkdf2_set()\fR and \fBPKCS5_pbkdf2_set_ex()\fR generate an \fBX509_ALGOR\fR object which represents an AlgorithmIdentifier containing the algorithm OID and @@ -229,7 +241,7 @@ related functions such as \fBPKCS5_pbe2_set()\fR. This is required for PBKDF2 FIPS compliance. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2021\-2023 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/secure/lib/libcrypto/man/man3/PKCS5_PBKDF2_HMAC.3 b/secure/lib/libcrypto/man/man3/PKCS5_PBKDF2_HMAC.3 index 1b2748c2f369..7a0b880053d4 100644 --- a/secure/lib/libcrypto/man/man3/PKCS5_PBKDF2_HMAC.3 +++ b/secure/lib/libcrypto/man/man3/PKCS5_PBKDF2_HMAC.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS5_PBKDF2_HMAC 3ossl" -.TH PKCS5_PBKDF2_HMAC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS5_PBKDF2_HMAC 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS7_decrypt.3 b/secure/lib/libcrypto/man/man3/PKCS7_decrypt.3 index dac9bae2da12..d6d1341ef820 100644 --- a/secure/lib/libcrypto/man/man3/PKCS7_decrypt.3 +++ b/secure/lib/libcrypto/man/man3/PKCS7_decrypt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS7_DECRYPT 3ossl" -.TH PKCS7_DECRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS7_DECRYPT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS7_encrypt.3 b/secure/lib/libcrypto/man/man3/PKCS7_encrypt.3 index 5f233187f78b..521271bfb0db 100644 --- a/secure/lib/libcrypto/man/man3/PKCS7_encrypt.3 +++ b/secure/lib/libcrypto/man/man3/PKCS7_encrypt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS7_ENCRYPT 3ossl" -.TH PKCS7_ENCRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS7_ENCRYPT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS7_get_octet_string.3 b/secure/lib/libcrypto/man/man3/PKCS7_get_octet_string.3 index 90ec58877b88..d25b8bb2f796 100644 --- a/secure/lib/libcrypto/man/man3/PKCS7_get_octet_string.3 +++ b/secure/lib/libcrypto/man/man3/PKCS7_get_octet_string.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS7_GET_OCTET_STRING 3ossl" -.TH PKCS7_GET_OCTET_STRING 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS7_GET_OCTET_STRING 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS7_sign.3 b/secure/lib/libcrypto/man/man3/PKCS7_sign.3 index 454876556c70..e9f124b563f2 100644 --- a/secure/lib/libcrypto/man/man3/PKCS7_sign.3 +++ b/secure/lib/libcrypto/man/man3/PKCS7_sign.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS7_SIGN 3ossl" -.TH PKCS7_SIGN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS7_SIGN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -94,10 +97,10 @@ Many S/MIME clients expect the signed content to include valid MIME headers. If the \fBPKCS7_TEXT\fR flag is set MIME headers for type \f(CW\*(C`text/plain\*(C'\fR are prepended to the data. .PP -If \fBPKCS7_NOCERTS\fR is set the signer's certificate and the extra \fIcerts\fR +If \fBPKCS7_NOCERTS\fR is set the signer\*(Aqs certificate and the extra \fIcerts\fR will not be included in the PKCS7 structure. -The signer's certificate must still be supplied in the \fIsigncert\fR parameter -though. This can reduce the size of the signatures if the signer's certificates +The signer\*(Aqs certificate must still be supplied in the \fIsigncert\fR parameter +though. This can reduce the size of the signatures if the signer\*(Aqs certificates can be obtained by other means: for example a previously signed message. .PP The data being signed is included in the PKCS7 structure, unless diff --git a/secure/lib/libcrypto/man/man3/PKCS7_sign_add_signer.3 b/secure/lib/libcrypto/man/man3/PKCS7_sign_add_signer.3 index 9719bca625e3..53f69eacb2e6 100644 --- a/secure/lib/libcrypto/man/man3/PKCS7_sign_add_signer.3 +++ b/secure/lib/libcrypto/man/man3/PKCS7_sign_add_signer.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS7_SIGN_ADD_SIGNER 3ossl" -.TH PKCS7_SIGN_ADD_SIGNER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS7_SIGN_ADD_SIGNER 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -79,7 +82,7 @@ PKCS7_add_certificate, PKCS7_add_crl \- add information to PKCS7 structure key \fIpkey\fR using message digest \fImd\fR to a PKCS7 signed data structure \fIp7\fR. .PP The \fBPKCS7\fR structure should be obtained from an initial call to \fBPKCS7_sign()\fR -with the flag \fBPKCS7_PARTIAL\fR set or in the case or re-signing a valid PKCS#7 +with the flag \fBPKCS7_PARTIAL\fR set or in the case or re\-signing a valid PKCS#7 signed data structure. .PP If the \fImd\fR parameter is NULL then the default digest for the public @@ -108,8 +111,8 @@ If \fBPKCS7_PARTIAL\fR is set in addition to \fBPKCS7_REUSE_DIGEST\fR then the can be added. In this case an explicit call to \fBPKCS7_SIGNER_INFO_sign()\fR is needed to finalize it. .PP -If \fBPKCS7_NOCERTS\fR is set the signer's certificate will not be included in the -\&\fBPKCS7\fR structure, the signer's certificate must still be supplied in the +If \fBPKCS7_NOCERTS\fR is set the signer\*(Aqs certificate will not be included in the +\&\fBPKCS7\fR structure, the signer\*(Aqs certificate must still be supplied in the \&\fIsigncert\fR parameter though. This can reduce the size of the signature if the signers certificate can be obtained by other means: for example a previously signed message. @@ -129,7 +132,7 @@ structure just added, which can be used to set additional attributes before it is finalized. .PP \&\fBPKCS7_add_certificate()\fR adds to the \fBPKCS7\fR structure \fIp7\fR the certificate -\&\fIcert\fR, which may be an end-entity (signer) certificate +\&\fIcert\fR, which may be an end\-entity (signer) certificate or a CA certificate useful for chain building. This is done internally by \fBPKCS7_sign_ex\fR\|(3) and similar signing functions. It may have to be used before calling \fBPKCS7_verify\fR\|(3) diff --git a/secure/lib/libcrypto/man/man3/PKCS7_type_is_other.3 b/secure/lib/libcrypto/man/man3/PKCS7_type_is_other.3 index fe4aac62564a..461d05a3656f 100644 
--- a/secure/lib/libcrypto/man/man3/PKCS7_type_is_other.3 +++ b/secure/lib/libcrypto/man/man3/PKCS7_type_is_other.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS7_TYPE_IS_OTHER 3ossl" -.TH PKCS7_TYPE_IS_OTHER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS7_TYPE_IS_OTHER 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS7_verify.3 b/secure/lib/libcrypto/man/man3/PKCS7_verify.3 index 2da0b2ff911e..15e1dd1c0570 100644 --- a/secure/lib/libcrypto/man/man3/PKCS7_verify.3 +++ b/secure/lib/libcrypto/man/man3/PKCS7_verify.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS7_VERIFY 3ossl" -.TH PKCS7_VERIFY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS7_VERIFY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -77,7 +80,7 @@ PKCS7_verify, PKCS7_get0_signers \- verify a PKCS#7 signedData structure \&\fBPKCS7_verify()\fR is very similar to \fBCMS_verify\fR\|(3). It verifies a PKCS#7 signedData structure given in \fIp7\fR. The optional \fIcerts\fR parameter refers to a set of certificates -in which to search for signer's certificates. +in which to search for signer\*(Aqs certificates. It is also used as a source of untrusted intermediate CA certificates for chain building. \&\fIp7\fR may contain extra untrusted CA certificates that may be used for @@ -89,7 +92,7 @@ Otherwise \fIindata\fR should be NULL, and then the signed data must be in \fIp7 The content is written to the BIO \fIout\fR unless it is NULL. \&\fIflags\fR is an optional set of flags, which can be used to modify the operation. .PP -\&\fBPKCS7_get0_signers()\fR retrieves the signer's certificates from \fIp7\fR, it does +\&\fBPKCS7_get0_signers()\fR retrieves the signer\*(Aqs certificates from \fIp7\fR, it does \&\fBnot\fR check their validity or whether any signatures are valid. The \fIcerts\fR and \fIflags\fR parameters have the same meanings as in \fBPKCS7_verify()\fR. .SH "VERIFY PROCESS" 
@@ -105,12 +108,12 @@ embedded and external content. To treat this as an error, use the flag The default behavior allows this, for compatibility with older versions of OpenSSL. .PP -An attempt is made to locate all the signer's certificates, first looking in +An attempt is made to locate all the signer\*(Aqs certificates, first looking in the \fIcerts\fR parameter (if it is not NULL). Then they are looked up in any certificates contained in the \fIp7\fR structure unless \fBPKCS7_NOINTERN\fR is set. -If any signer's certificates cannot be located the operation fails. +If any signer\*(Aqs certificates cannot be located the operation fails. .PP -Each signer's certificate is chain verified using the \fBsmimesign\fR purpose and +Each signer\*(Aqs certificate is chain verified using the \fBsmimesign\fR purpose and using the trusted certificate store \fIstore\fR if supplied. Any internal certificates in the message, which may have been added using \&\fBPKCS7_add_certificate\fR\|(3), are used as untrusted CAs unless \fBPKCS7_NOCHAIN\fR @@ -130,8 +133,8 @@ parameter to change the default verify behaviour. Only the flag \fBPKCS7_NOINTERN\fR is meaningful to \fBPKCS7_get0_signers()\fR. .PP If \fBPKCS7_NOINTERN\fR is set the certificates in the message itself are not -searched when locating the signer's certificates. -This means that all the signer's certificates must be in the \fIcerts\fR parameter. +searched when locating the signer\*(Aqs certificates. +This means that all the signer\*(Aqs certificates must be in the \fIcerts\fR parameter. .PP If \fBPKCS7_NOCRL\fR is set and CRL checking is enabled in \fIstore\fR then any CRLs in the message itself are ignored. 
@@ -140,18 +143,18 @@ If the \fBPKCS7_TEXT\fR flag is set MIME headers for type \f(CW\*(C`text/plain\* from the content. If the content is not of type \f(CW\*(C`text/plain\*(C'\fR then an error is returned. .PP -If \fBPKCS7_NOVERIFY\fR is set the signer's certificates are not chain verified. +If \fBPKCS7_NOVERIFY\fR is set the signer\*(Aqs certificates are not chain verified. .PP If \fBPKCS7_NOCHAIN\fR is set then the certificates contained in the message are not used as untrusted CAs. This means that the whole verify chain (apart from -the signer's certificates) must be contained in the trusted store. +the signer\*(Aqs certificates) must be contained in the trusted store. .PP If \fBPKCS7_NOSIGS\fR is set then the signatures on the data are not checked. .SH NOTES .IX Header "NOTES" One application of \fBPKCS7_NOINTERN\fR is to only accept messages signed by a small number of certificates. The acceptable certificates would be passed -in the \fIcerts\fR parameter. In this case if the signer's certificate is not one +in the \fIcerts\fR parameter. In this case if the signer\*(Aqs certificate is not one of the certificates supplied in \fIcerts\fR then the verify will fail because the signer cannot be found. .PP @@ -174,7 +177,7 @@ timestamp). The error can be obtained from \fBERR_get_error\fR\|(3). .SH BUGS .IX Header "BUGS" -The trusted certificate store is not searched for the signer's certificates. +The trusted certificate store is not searched for the signer\*(Aqs certificates. This is primarily due to the inadequacies of the current \fBX509_STORE\fR functionality. .PP diff --git a/secure/lib/libcrypto/man/man3/PKCS8_encrypt.3 b/secure/lib/libcrypto/man/man3/PKCS8_encrypt.3 index a1d92f6286f4..f2a88ab58001 100644 --- a/secure/lib/libcrypto/man/man3/PKCS8_encrypt.3 +++ b/secure/lib/libcrypto/man/man3/PKCS8_encrypt.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS8_ENCRYPT 3ossl" -.TH PKCS8_ENCRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS8_ENCRYPT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/PKCS8_pkey_add1_attr.3 b/secure/lib/libcrypto/man/man3/PKCS8_pkey_add1_attr.3 index b48d41bf9d79..eb05a7125844 100644 --- a/secure/lib/libcrypto/man/man3/PKCS8_pkey_add1_attr.3 +++ b/secure/lib/libcrypto/man/man3/PKCS8_pkey_add1_attr.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS8_PKEY_ADD1_ATTR 3ossl" -.TH PKCS8_PKEY_ADD1_ATTR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS8_PKEY_ADD1_ATTR 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/RAND_add.3 b/secure/lib/libcrypto/man/man3/RAND_add.3 index 2dca430c4210..a576ba778151 100644 
--- a/secure/lib/libcrypto/man/man3/RAND_add.3 +++ b/secure/lib/libcrypto/man/man3/RAND_add.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RAND_ADD 3ossl" -.TH RAND_ADD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RAND_ADD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -99,7 +102,7 @@ built with automatic reseeding disabled, see \fBRAND\fR\|(7) for more details. \&\fBRAND_status()\fR indicates whether or not the random generator has been sufficiently seeded. If not, functions such as \fBRAND_bytes\fR\|(3) will fail. .PP -\&\fBRAND_poll()\fR uses the system's capabilities to seed the random generator using +\&\fBRAND_poll()\fR uses the system\*(Aqs capabilities to seed the random generator using random input obtained from polling various trusted entropy sources. The default choice of the entropy source can be modified at build time, see \fBRAND\fR\|(7) for more details. diff --git a/secure/lib/libcrypto/man/man3/RAND_bytes.3 b/secure/lib/libcrypto/man/man3/RAND_bytes.3 index ae8cbf4df547..04931c1b27c4 100644 --- a/secure/lib/libcrypto/man/man3/RAND_bytes.3 +++ b/secure/lib/libcrypto/man/man3/RAND_bytes.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RAND_BYTES 3ossl" -.TH RAND_BYTES 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RAND_BYTES 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -111,16 +114,16 @@ ignored. .PP \&\fBRAND_set1_random_provider()\fR specifies a provider, \fIprov\fR, which will be used by the library context \fIctx\fR for all of the generate calls above instead -of the built-in in DRBGs and entropy source. Pass NULL for the provider -to disable the random provider functionality. In this case, the built-in DRBGs +of the built\-in in DRBGs and entropy source. Pass NULL for the provider +to disable the random provider functionality. In this case, the built\-in DRBGs and entropy source will be used. This call should not be considered thread safe. .SH NOTES .IX Header "NOTES" By default, the OpenSSL CSPRNG supports a security level of 256 bits, provided it was able to seed itself from a trusted entropy source. -On all major platforms supported by OpenSSL (including the Unix-like platforms +On all major platforms supported by OpenSSL (including the Unix\-like platforms and Windows), OpenSSL is configured to automatically seed the CSPRNG on first use -using the operating systems's random generator. +using the operating systems\*(Aqs random generator. .PP If the entropy source fails or is not available, the CSPRNG will enter an error state and refuse to generate random bytes. For that reason, it is important 
@@ -129,8 +132,8 @@ not take randomness for granted. .PP On other platforms, there might not be a trusted entropy source available or OpenSSL might have been explicitly configured to use different entropy sources. -If you are in doubt about the quality of the entropy source, don't hesitate to ask -your operating system vendor or post a question on GitHub or the openssl-users +If you are in doubt about the quality of the entropy source, don\*(Aqt hesitate to ask +your operating system vendor or post a question on GitHub or the openssl\-users mailing list. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/RAND_cleanup.3 b/secure/lib/libcrypto/man/man3/RAND_cleanup.3 index b2e4f11f90df..a31d0485f2ec 100644 --- a/secure/lib/libcrypto/man/man3/RAND_cleanup.3 +++ b/secure/lib/libcrypto/man/man3/RAND_cleanup.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RAND_CLEANUP 3ossl" -.TH RAND_CLEANUP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RAND_CLEANUP 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -79,7 +82,7 @@ see \fBopenssl_user_macros\fR\|(7): .IX Header "DESCRIPTION" Prior to OpenSSL 1.1.0, \fBRAND_cleanup()\fR released all resources used by the PRNG. As of version 1.1.0, it does nothing and should not be called, -since no explicit initialisation or de-initialisation is necessary. See +since no explicit initialisation or de\-initialisation is necessary. See \&\fBOPENSSL_init_crypto\fR\|(3). .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/RAND_egd.3 b/secure/lib/libcrypto/man/man3/RAND_egd.3 index 682d9717b03a..846363f0c667 100644 --- a/secure/lib/libcrypto/man/man3/RAND_egd.3 +++ b/secure/lib/libcrypto/man/man3/RAND_egd.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RAND_EGD 3ossl" -.TH RAND_EGD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RAND_EGD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/RAND_get0_primary.3 b/secure/lib/libcrypto/man/man3/RAND_get0_primary.3 index 6a7ef66bfa94..5fc92bc842ed 100644 --- a/secure/lib/libcrypto/man/man3/RAND_get0_primary.3 +++ b/secure/lib/libcrypto/man/man3/RAND_get0_primary.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RAND_GET0_PRIMARY 3ossl" -.TH RAND_GET0_PRIMARY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RAND_GET0_PRIMARY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -83,7 +86,7 @@ RAND_set0_private The default RAND API implementation (\fBRAND_OpenSSL()\fR) utilizes three shared DRBG instances which are accessed via the RAND API: .PP -The \fIpublic\fR and \fIprivate\fR DRBG are thread-local instances, which are used +The \fIpublic\fR and \fIprivate\fR DRBG are thread\-local instances, which are used by \fBRAND_bytes()\fR and \fBRAND_priv_bytes()\fR, respectively. The \fIprimary\fR DRBG is a global instance, which is not intended to be used directly, but is used internally to reseed the other two instances. @@ -107,9 +110,9 @@ for the given OSSL_LIB_CTX \fBctx\fR. on error. .SH NOTES .IX Header "NOTES" -It is not thread-safe to access the \fIprimary\fR DRBG instance. +It is not thread\-safe to access the \fIprimary\fR DRBG instance. The \fIpublic\fR and \fIprivate\fR DRBG instance can be accessed safely, because -they are thread-local. Note however, that changes to these two instances +they are thread\-local. Note however, that changes to these two instances apply only to the current thread. .PP For that reason it is recommended not to change the settings of these diff --git a/secure/lib/libcrypto/man/man3/RAND_load_file.3 b/secure/lib/libcrypto/man/man3/RAND_load_file.3 index 446ff7e2e78a..17b1c22f6a94 100644 --- a/secure/lib/libcrypto/man/man3/RAND_load_file.3 +++ b/secure/lib/libcrypto/man/man3/RAND_load_file.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RAND_LOAD_FILE 3ossl" -.TH RAND_LOAD_FILE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RAND_LOAD_FILE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -82,13 +85,13 @@ if \fBmax_bytes\fR is \-1, the complete file is read (unless the file is not a regular file, in that case a fixed number of bytes, 256 in the current implementation, is attempted to be read). \&\fBRAND_load_file()\fR can read less than the complete file or the requested number -of bytes if it doesn't fit in the return value type. +of bytes if it doesn\*(Aqt fit in the return value type. Do not load the same file multiple times unless its contents have been updated by \fBRAND_write_file()\fR between reads. Also, note that \fBfilename\fR should be adequately protected so that an attacker cannot replace or examine the contents. If \fBfilename\fR is not a regular file, then user is considered to be -responsible for any side effects, e.g. non-anticipated blocking or +responsible for any side effects, e.g. non\-anticipated blocking or capture of controlling terminal. .PP \&\fBRAND_write_file()\fR writes a number of random bytes (currently 128) to 
@@ -118,7 +121,7 @@ Otherwise, the file is called \f(CW\*(C`.rnd\*(C'\fR, found in platform dependen \& $HOME .Ve .PP -If \f(CW$HOME\fR (on non-Windows and non-VMS system) is not set either, or +If \f(CW$HOME\fR (on non\-Windows and non\-VMS system) is not set either, or \&\fBnum\fR is too small for the pathname, an error occurs. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/RAND_set_DRBG_type.3 b/secure/lib/libcrypto/man/man3/RAND_set_DRBG_type.3 index 21bed1aa4f8c..6b5d32cf2b6e 100644 --- a/secure/lib/libcrypto/man/man3/RAND_set_DRBG_type.3 +++ b/secure/lib/libcrypto/man/man3/RAND_set_DRBG_type.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RAND_SET_DRBG_TYPE 3ossl" -.TH RAND_SET_DRBG_TYPE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RAND_SET_DRBG_TYPE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -96,11 +99,11 @@ These functions must be called before the random bit generators are first created in the library context. They will return an error if the call is made too late. .PP -The default DRBG is "CTR-DRBG" using the "AES\-256\-CTR" cipher. +The default DRBG is "CTR\-DRBG" using the "AES\-256\-CTR" cipher. .PP The default seed source can be configured when OpenSSL is compiled by setting \fB\-DOPENSSL_DEFAULT_SEED_SRC=SEED\-SRC\fR. If not set then -"SEED-SRC" is used. +"SEED\-SRC" is used. .SH EXAMPLES .IX Header "EXAMPLES" .Vb 3 
diff --git a/secure/lib/libcrypto/man/man3/RAND_set_rand_method.3 b/secure/lib/libcrypto/man/man3/RAND_set_rand_method.3 index 24d11fc53d67..ab4442354b96 100644 --- a/secure/lib/libcrypto/man/man3/RAND_set_rand_method.3 +++ b/secure/lib/libcrypto/man/man3/RAND_set_rand_method.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RAND_SET_RAND_METHOD 3ossl" -.TH RAND_SET_RAND_METHOD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RAND_SET_RAND_METHOD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/RC4_set_key.3 b/secure/lib/libcrypto/man/man3/RC4_set_key.3 index 4331e940b846..f8d3d4d172f6 100644 --- a/secure/lib/libcrypto/man/man3/RC4_set_key.3 +++ b/secure/lib/libcrypto/man/man3/RC4_set_key.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RC4_SET_KEY 3ossl" -.TH RC4_SET_KEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RC4_SET_KEY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -102,7 +105,7 @@ key at \fBdata\fR. \&\fBkey\fR and places the result at \fBoutdata\fR. Repeated \fBRC4()\fR calls with the same \fBkey\fR yield a continuous key stream. .PP -Since RC4 is a stream cipher (the input is XORed with a pseudo-random +Since RC4 is a stream cipher (the input is XORed with a pseudo\-random key stream to produce the output), decryption uses the same function calls as encryption. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/RIPEMD160_Init.3 b/secure/lib/libcrypto/man/man3/RIPEMD160_Init.3 index f0bae2a8cd33..3fca38075b43 100644 --- a/secure/lib/libcrypto/man/man3/RIPEMD160_Init.3 +++ b/secure/lib/libcrypto/man/man3/RIPEMD160_Init.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RIPEMD160_INIT 3ossl" -.TH RIPEMD160_INIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RIPEMD160_INIT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -119,7 +122,7 @@ Applications should use the higher level functions functions directly. .SH "CONFORMING TO" .IX Header "CONFORMING TO" -ISO/IEC 10118\-3:2016 Dedicated Hash-Function 1 (RIPEMD\-160). +ISO/IEC 10118\-3:2016 Dedicated Hash\-Function 1 (RIPEMD\-160). .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_DigestInit\fR\|(3) diff --git a/secure/lib/libcrypto/man/man3/RSA_blinding_on.3 b/secure/lib/libcrypto/man/man3/RSA_blinding_on.3 index b2be8d1a57d4..ca6b2c0d4d8d 100644 --- a/secure/lib/libcrypto/man/man3/RSA_blinding_on.3 +++ b/secure/lib/libcrypto/man/man3/RSA_blinding_on.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_BLINDING_ON 3ossl" -.TH RSA_BLINDING_ON 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_BLINDING_ON 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/RSA_check_key.3 b/secure/lib/libcrypto/man/man3/RSA_check_key.3 index 2afc27ac9d9d..d708db3a975a 100644 --- a/secure/lib/libcrypto/man/man3/RSA_check_key.3 +++ b/secure/lib/libcrypto/man/man3/RSA_check_key.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_CHECK_KEY 3ossl" -.TH RSA_CHECK_KEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_CHECK_KEY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -118,13 +121,13 @@ override the way key data is stored and handled, and can even provide support for HSM keys \- in which case the RSA structure may contain \fBno\fR key data at all! If the ENGINE in question is only being used for acceleration or analysis purposes, then in all likelihood the RSA key data -is complete and untouched, but this can't be assumed in the general case. +is complete and untouched, but this can\*(Aqt be assumed in the general case. .SH BUGS .IX Header "BUGS" A method of verifying the RSA key using opaque RSA API functions might need to be considered. Right now \fBRSA_check_key()\fR simply uses the RSA structure elements directly, bypassing the RSA_METHOD table altogether (and -completely violating encapsulation and object-orientation in the process). +completely violating encapsulation and object\-orientation in the process). The best fix will probably be to introduce a "\fBcheck_key()\fR" handler to the RSA_METHOD function table so that alternative implementations can also provide their own verifiers. diff --git a/secure/lib/libcrypto/man/man3/RSA_generate_key.3 b/secure/lib/libcrypto/man/man3/RSA_generate_key.3 index 033332f05b6d..859776a5354b 100644 --- a/secure/lib/libcrypto/man/man3/RSA_generate_key.3 +++ b/secure/lib/libcrypto/man/man3/RSA_generate_key.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_GENERATE_KEY 3ossl" -.TH RSA_GENERATE_KEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_GENERATE_KEY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -100,7 +103,7 @@ Applications should instead use \fBEVP_RSA_gen()\fR, \fBEVP_PKEY_Q_keygen\fR\|(3 \&\fBRSA_generate_key_ex()\fR generates a 2\-prime RSA key pair and stores it in the \&\fBRSA\fR structure provided in \fIrsa\fR. .PP -\&\fBRSA_generate_multi_prime_key()\fR generates a multi-prime RSA key pair and stores +\&\fBRSA_generate_multi_prime_key()\fR generates a multi\-prime RSA key pair and stores it in the \fBRSA\fR structure provided in \fIrsa\fR. The number of primes is given by the \fIprimes\fR parameter. If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to @@ -126,8 +129,8 @@ will be called as follows using the \fBBN_GENCB_call()\fR function described on the \fBBN_generate_prime\fR\|(3) page. .PP \&\fBRSA_generate_key()\fR is similar to \fBRSA_generate_key_ex()\fR but -expects an old-style callback function; see -\&\fBBN_generate_prime\fR\|(3) for information on the old-style callback. +expects an old\-style callback function; see +\&\fBBN_generate_prime\fR\|(3) for information on the old\-style callback. .IP \(bu 2 While a random prime number is generated, it is called as described in \fBBN_generate_prime\fR\|(3). 
diff --git a/secure/lib/libcrypto/man/man3/RSA_get0_key.3 b/secure/lib/libcrypto/man/man3/RSA_get0_key.3 index 1a311fd169aa..98d6000cbff2 100644 --- a/secure/lib/libcrypto/man/man3/RSA_get0_key.3 +++ b/secure/lib/libcrypto/man/man3/RSA_get0_key.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_GET0_KEY 3ossl" -.TH RSA_GET0_KEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_GET0_KEY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -126,8 +129,8 @@ private key (see PKCS#1 section 3 Key Types), where \fBp\fR and \fBq\fR are the first and second factor of \fBn\fR and \fBdmp1\fR, \fBdmq1\fR and \fBiqmp\fR are the exponents and coefficient for CRT calculations. .PP -For multi-prime RSA (defined in RFC 8017), there are also one or more -\&'triplet' in an RSA object. A triplet contains three members, \fBr\fR, \fBd\fR +For multi\-prime RSA (defined in RFC 8017), there are also one or more +\&\*(Aqtriplet\*(Aq in an RSA object. A triplet contains three members, \fBr\fR, \fBd\fR and \fBt\fR. \fBr\fR is the additional prime besides \fBp\fR and \fBq\fR. \fBd\fR and \&\fBt\fR are the exponent and coefficient for CRT calculations. .PP 
@@ -140,7 +143,7 @@ by the caller. .PP The \fBn\fR, \fBe\fR and \fBd\fR parameter values can be set by calling \&\fBRSA_set0_key()\fR and passing the new values for \fBn\fR, \fBe\fR and \fBd\fR as -parameters to the function. The values \fBn\fR and \fBe\fR must be non-NULL +parameters to the function. The values \fBn\fR and \fBe\fR must be non\-NULL the first time this function is called on a given RSA object. The value \fBd\fR may be NULL. On subsequent calls any of these values may be NULL which means the corresponding RSA field is left untouched. @@ -155,12 +158,12 @@ set with \fBRSA_get0_factors()\fR and \fBRSA_set0_factors()\fR, and the \fBdmp1\ .PP For \fBRSA_get0_key()\fR, \fBRSA_get0_factors()\fR, and \fBRSA_get0_crt_params()\fR, NULL value BIGNUM ** output parameters are permitted. The functions -ignore NULL parameters but return values for other, non-NULL, parameters. +ignore NULL parameters but return values for other, non\-NULL, parameters. .PP -For multi-prime RSA, \fBRSA_get0_multi_prime_factors()\fR and \fBRSA_get0_multi_prime_params()\fR +For multi\-prime RSA, \fBRSA_get0_multi_prime_factors()\fR and \fBRSA_get0_multi_prime_params()\fR can be used to obtain other primes and related CRT parameters. The return values are stored in an array of \fBBIGNUM *\fR. \fBRSA_set0_multi_prime_params()\fR -sets a collect of multi-prime 'triplet' members (prime, exponent and coefficient) +sets a collect of multi\-prime \*(Aqtriplet\*(Aq members (prime, exponent and coefficient) into an RSA object. .PP Any of the values \fBn\fR, \fBe\fR, \fBd\fR, \fBp\fR, \fBq\fR, \fBdmp1\fR, \fBdmq1\fR, and \fBiqmp\fR can also be 
@@ -168,7 +171,7 @@ retrieved separately by the corresponding function \&\fBRSA_get0_n()\fR, \fBRSA_get0_e()\fR, \fBRSA_get0_d()\fR, \fBRSA_get0_p()\fR, \fBRSA_get0_q()\fR, \&\fBRSA_get0_dmp1()\fR, \fBRSA_get0_dmq1()\fR, and \fBRSA_get0_iqmp()\fR, respectively. .PP -\&\fBRSA_get0_pss_params()\fR is used to retrieve the RSA-PSS parameters. +\&\fBRSA_get0_pss_params()\fR is used to retrieve the RSA\-PSS parameters. .PP \&\fBRSA_set_flags()\fR sets the flags in the \fBflags\fR parameter on the RSA object. Multiple flags can be passed in one go (bitwise ORed together). @@ -195,7 +198,7 @@ The caller should obtain the size by calling \fBRSA_get_multi_prime_extra_count( in advance and allocate sufficient buffer to store the return values before calling \fBRSA_get0_multi_prime_factors()\fR and \fBRSA_get0_multi_prime_params()\fR. .PP -\&\fBRSA_set0_multi_prime_params()\fR always clears the original multi-prime +\&\fBRSA_set0_multi_prime_params()\fR always clears the original multi\-prime triplets in RSA object \fBr\fR and assign the new set of triplets into it. .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -214,10 +217,10 @@ there is none. .PP \&\fBRSA_get_multi_prime_extra_count()\fR returns two less than the number of primes in use, which is 0 for traditional RSA and the number of extra primes for -multi-prime RSA. +multi\-prime RSA. .PP -\&\fBRSA_get_version()\fR returns \fBRSA_ASN1_VERSION_MULTI\fR for multi-prime RSA and -\&\fBRSA_ASN1_VERSION_DEFAULT\fR for normal two-prime RSA, as defined in RFC 8017. +\&\fBRSA_get_version()\fR returns \fBRSA_ASN1_VERSION_MULTI\fR for multi\-prime RSA and +\&\fBRSA_ASN1_VERSION_DEFAULT\fR for normal two\-prime RSA, as defined in RFC 8017. .PP \&\fBRSA_test_flags()\fR returns the current state of the flags in the RSA object. .PP diff --git a/secure/lib/libcrypto/man/man3/RSA_meth_new.3 b/secure/lib/libcrypto/man/man3/RSA_meth_new.3 index 2a7997622e13..daa76b385acf 100644 --- a/secure/lib/libcrypto/man/man3/RSA_meth_new.3 
+++ b/secure/lib/libcrypto/man/man3/RSA_meth_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_METH_NEW 3ossl" -.TH RSA_METH_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_METH_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -223,7 +226,7 @@ these flags. .PP The functions \fBRSA_meth_get0_app_data()\fR and \fBRSA_meth_set0_app_data()\fR provide the ability to associate implementation specific data with the -RSA_METHOD. It is the application's responsibility to free this data +RSA_METHOD. It is the application\*(Aqs responsibility to free this data before the RSA_METHOD is freed via a call to \fBRSA_meth_free()\fR. .PP \&\fBRSA_meth_get_sign()\fR and \fBRSA_meth_set_sign()\fR get and set the function @@ -276,7 +279,7 @@ function will be called in response to the application calling meaning as for \fBRSA_generate_key_ex()\fR. .PP \&\fBRSA_meth_get_multi_prime_keygen()\fR and \fBRSA_meth_set_multi_prime_keygen()\fR get -and set the function used for generating a new multi-prime RSA key pair +and set the function used for generating a new multi\-prime RSA key pair respectively. This function will be called in response to the application calling \&\fBRSA_generate_multi_prime_key()\fR. The parameter for the function has the same meaning as for \fBRSA_generate_multi_prime_key()\fR. 
diff --git a/secure/lib/libcrypto/man/man3/RSA_new.3 b/secure/lib/libcrypto/man/man3/RSA_new.3 index d0d2733e9bef..0eacb3219f00 100644 --- a/secure/lib/libcrypto/man/man3/RSA_new.3 +++ b/secure/lib/libcrypto/man/man3/RSA_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_NEW 3ossl" -.TH RSA_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/RSA_padding_add_PKCS1_type_1.3 b/secure/lib/libcrypto/man/man3/RSA_padding_add_PKCS1_type_1.3 index 5247e7766468..51d3a17ac43a 100644 --- a/secure/lib/libcrypto/man/man3/RSA_padding_add_PKCS1_type_1.3 +++ b/secure/lib/libcrypto/man/man3/RSA_padding_add_PKCS1_type_1.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_PADDING_ADD_PKCS1_TYPE_1 3ossl" -.TH RSA_PADDING_ADD_PKCS1_TYPE_1 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_PADDING_ADD_PKCS1_TYPE_1 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -142,7 +145,7 @@ PKCS #1 v2.0 EMSA\-PKCS1\-v1_5 (PKCS #1 v1.5 block type 1); used for signatures PKCS #1 v2.0 EME\-PKCS1\-v1_5 (PKCS #1 v1.5 block type 2) .IP PKCS1_OAEP 4 .IX Item "PKCS1_OAEP" -PKCS #1 v2.0 EME-OAEP +PKCS #1 v2.0 EME\-OAEP .IP none 4 .IX Item "none" simply copy the data @@ -182,7 +185,7 @@ plaintext and additionally some application specific consistency checks on the plaintext need to be performed in constant time. If the plaintext is rejected it must be kept secret which of the checks caused the application to reject the message. -Do not remove the zero-padding from the decrypted raw RSA data +Do not remove the zero\-padding from the decrypted raw RSA data which was computed by \fBRSA_private_decrypt()\fR with \fBRSA_NO_PADDING\fR, as this would create a small timing side channel which could be used to mount a Bleichenbacher attack against any padding mode diff --git a/secure/lib/libcrypto/man/man3/RSA_print.3 b/secure/lib/libcrypto/man/man3/RSA_print.3 index c3f59341e835..e5a4180fd920 100644 --- a/secure/lib/libcrypto/man/man3/RSA_print.3 +++ b/secure/lib/libcrypto/man/man3/RSA_print.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_PRINT 3ossl" -.TH RSA_PRINT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_PRINT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -108,7 +111,7 @@ All of the functions described on this page are deprecated. Applications should instead use \fBEVP_PKEY_print_params\fR\|(3) and \&\fBEVP_PKEY_print_private\fR\|(3). .PP -A human-readable hexadecimal output of the components of the RSA +A human\-readable hexadecimal output of the components of the RSA key, DSA parameters or key or DH parameters is printed to \fBbp\fR or \fBfp\fR. .PP The output lines are indented by \fBoffset\fR spaces. diff --git a/secure/lib/libcrypto/man/man3/RSA_private_encrypt.3 b/secure/lib/libcrypto/man/man3/RSA_private_encrypt.3 index 554f636eb6a7..b2afb777a6b6 100644 --- a/secure/lib/libcrypto/man/man3/RSA_private_encrypt.3 +++ b/secure/lib/libcrypto/man/man3/RSA_private_encrypt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_PRIVATE_ENCRYPT 3ossl" -.TH RSA_PRIVATE_ENCRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_PRIVATE_ENCRYPT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -86,7 +89,7 @@ Applications should instead use \fBEVP_PKEY_sign_init_ex\fR\|(3), \&\fBEVP_PKEY_sign\fR\|(3), \fBEVP_PKEY_verify_recover_init\fR\|(3), and \&\fBEVP_PKEY_verify_recover\fR\|(3). .PP -These functions handle RSA signatures at a low-level. +These functions handle RSA signatures at a low\-level. .PP \&\fBRSA_private_encrypt()\fR signs the \fBflen\fR bytes at \fBfrom\fR (usually a message digest with an algorithm identifier) using the private key @@ -107,7 +110,7 @@ cryptographically sound padding modes in the application code. Signing user data directly with RSA is insecure. .PP \&\fBRSA_public_decrypt()\fR recovers the message digest from the \fBflen\fR -bytes long signature at \fBfrom\fR using the signer's public key +bytes long signature at \fBfrom\fR using the signer\*(Aqs public key \&\fBrsa\fR. \fBto\fR must point to a memory section large enough to hold the message digest (which is smaller than \fBRSA_size(rsa) \- 11\fR). \fBpadding\fR is the padding mode that was used to sign the data. diff --git a/secure/lib/libcrypto/man/man3/RSA_public_encrypt.3 b/secure/lib/libcrypto/man/man3/RSA_public_encrypt.3 index c169831a8841..0b7c58b8340f 100644 --- a/secure/lib/libcrypto/man/man3/RSA_public_encrypt.3 +++ b/secure/lib/libcrypto/man/man3/RSA_public_encrypt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_PUBLIC_ENCRYPT 3ossl" -.TH RSA_PUBLIC_ENCRYPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_PUBLIC_ENCRYPT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -98,7 +101,7 @@ However, it is highly recommended to use RSA_PKCS1_OAEP_PADDING in new applications. SEE WARNING BELOW. .IP RSA_PKCS1_OAEP_PADDING 4 .IX Item "RSA_PKCS1_OAEP_PADDING" -EME-OAEP as defined in PKCS #1 v2.0 with SHA\-1, MGF1 and an empty +EME\-OAEP as defined in PKCS #1 v2.0 with SHA\-1, MGF1 and an empty encoding parameter. This mode is recommended for all new applications. .IP RSA_NO_PADDING 4 .IX Item "RSA_NO_PADDING" 
@@ -149,12 +152,12 @@ returned value could be used to mount the Bleichenbacher attack. Since version 3.2.0, the default provider in OpenSSL does not return an error when padding checks fail. Instead it generates a random message based on used private -key and provided ciphertext so that application code doesn't have to implement -a side-channel secure error handling. -Applications that want to be secure against side-channel attacks with -providers that don't implement implicit rejection, still need to -handle the returned values using side-channel free code. -Side-channel free handling of the error stack can be performed using +key and provided ciphertext so that application code doesn\*(Aqt have to implement +a side\-channel secure error handling. +Applications that want to be secure against side\-channel attacks with +providers that don\*(Aqt implement implicit rejection, still need to +handle the returned values using side\-channel free code. +Side\-channel free handling of the error stack can be performed using either a pair of unconditional \fBERR_set_mark\fR\|(3) and \fBERR_pop_to_mark\fR\|(3) calls or by using the \fBERR_clear_error\fR\|(3) call. .SH "CONFORMING TO" diff --git a/secure/lib/libcrypto/man/man3/RSA_set_method.3 b/secure/lib/libcrypto/man/man3/RSA_set_method.3 index 5e7844cb54bb..f992c549665d 100644 --- a/secure/lib/libcrypto/man/man3/RSA_set_method.3 +++ b/secure/lib/libcrypto/man/man3/RSA_set_method.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_SET_METHOD 3ossl" -.TH RSA_SET_METHOD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_SET_METHOD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -107,7 +110,7 @@ as returned by \fBRSA_PKCS1_OpenSSL()\fR. structures created later. \&\fBNB\fR: This is true only whilst no ENGINE has been set as a default for RSA, so this function is no longer recommended. -This function is not thread-safe and should not be called at the same time +This function is not thread\-safe and should not be called at the same time as other OpenSSL functions. .PP \&\fBRSA_get_default_method()\fR returns a pointer to the current default @@ -120,7 +123,7 @@ recommended. previous method was supplied by an ENGINE, the handle to that ENGINE will be released during the change. It is possible to have RSA keys that only work with certain RSA_METHOD implementations (e.g. from an ENGINE module -that supports embedded hardware-protected keys), and in such cases +that supports embedded hardware\-protected keys), and in such cases attempting to change the RSA_METHOD for the key can have unexpected results. .PP @@ -130,7 +133,7 @@ it is, the return value can only be guaranteed to be valid as long as the RSA key itself is valid and does not have its implementation changed by \&\fBRSA_set_method()\fR. .PP -\&\fBRSA_flags()\fR returns the \fBflags\fR that are set for \fBrsa\fR's current +\&\fBRSA_flags()\fR returns the \fBflags\fR that are set for \fBrsa\fR\*(Aqs current RSA_METHOD. See the BUGS section. .PP \&\fBRSA_new_method()\fR allocates and initializes an RSA structure so that 
@@ -138,7 +141,7 @@ RSA_METHOD. See the BUGS section. default ENGINE for RSA operations is used, and if no default ENGINE is set, the RSA_METHOD controlled by \fBRSA_set_default_method()\fR is used. .PP -\&\fBRSA_flags()\fR returns the \fBflags\fR that are set for \fBrsa\fR's current method. +\&\fBRSA_flags()\fR returns the \fBflags\fR that are set for \fBrsa\fR\*(Aqs current method. .PP \&\fBRSA_new_method()\fR allocates and initializes an \fBRSA\fR structure so that \&\fBmethod\fR will be used for the RSA operations. If \fBmethod\fR is \fBNULL\fR, @@ -209,20 +212,14 @@ and \fBRSA_get_method()\fR return pointers to the respective RSA_METHODs. .PP \&\fBRSA_set_default_method()\fR returns no value. .PP -\&\fBRSA_set_method()\fR returns a pointer to the old RSA_METHOD implementation -that was replaced. However, this return value should probably be ignored -because if it was supplied by an ENGINE, the pointer could be invalidated -at any time if the ENGINE is unloaded (in fact it could be unloaded as a -result of the \fBRSA_set_method()\fR function releasing its handle to the -ENGINE). For this reason, the return type may be replaced with a \fBvoid\fR -declaration in a future release. +\&\fBRSA_set_method()\fR returns 1 for success. It always succeeds. .PP \&\fBRSA_new_method()\fR returns NULL and sets an error code that can be obtained by \fBERR_get_error\fR\|(3) if the allocation fails. Otherwise it returns a pointer to the newly allocated structure. .SH BUGS .IX Header "BUGS" -The behaviour of \fBRSA_flags()\fR is a mis-feature that is left as-is for now +The behaviour of \fBRSA_flags()\fR is a mis\-feature that is left as\-is for now to avoid creating compatibility problems. RSA functionality, such as the encryption functions, are controlled by the \fBflags\fR value in the RSA key itself, not by the \fBflags\fR value in the RSA_METHOD attached to the RSA key 
@@ -242,7 +239,7 @@ The \fBRSA_null_method()\fR, which was a partial attempt to avoid patent issues, was replaced to always return NULL in OpenSSL 1.1.1. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man3/RSA_sign.3 b/secure/lib/libcrypto/man/man3/RSA_sign.3 index 28a07533c953..1cb62356ff59 100644 --- a/secure/lib/libcrypto/man/man3/RSA_sign.3 +++ b/secure/lib/libcrypto/man/man3/RSA_sign.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_SIGN 3ossl" -.TH RSA_SIGN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_SIGN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -89,9 +92,9 @@ Applications should instead use \fBEVP_PKEY_sign_init\fR\|(3), \fBEVP_PKEY_sign\ private key \fBrsa\fR using RSASSA\-PKCS1\-v1_5 as specified in RFC 3447. It stores the signature in \fBsigret\fR and the signature size in \fBsiglen\fR. \&\fBsigret\fR must point to RSA_size(\fBrsa\fR) bytes of memory. -Note that PKCS #1 adds meta-data, placing limits on the size of the +Note that PKCS #1 adds meta\-data, placing limits on the size of the key that can be used. -See \fBRSA_private_encrypt\fR\|(3) for lower-level +See \fBRSA_private_encrypt\fR\|(3) for lower\-level operations. .PP \&\fBtype\fR denotes the message digest algorithm that was used to generate @@ -103,7 +106,7 @@ and no algorithm identifier) is created. \&\fBRSA_verify()\fR verifies that the signature \fBsigbuf\fR of size \fBsiglen\fR matches a given message digest \fBm\fR of size \fBm_len\fR. \fBtype\fR denotes the message digest algorithm that was used to generate the signature. -\&\fBrsa\fR is the signer's public key. +\&\fBrsa\fR is the signer\*(Aqs public key. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBRSA_sign()\fR returns 1 on success and 0 for failure. diff --git a/secure/lib/libcrypto/man/man3/RSA_sign_ASN1_OCTET_STRING.3 b/secure/lib/libcrypto/man/man3/RSA_sign_ASN1_OCTET_STRING.3 index c915ccd24991..187e7e1cb49f 100644 --- a/secure/lib/libcrypto/man/man3/RSA_sign_ASN1_OCTET_STRING.3 +++ b/secure/lib/libcrypto/man/man3/RSA_sign_ASN1_OCTET_STRING.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_SIGN_ASN1_OCTET_STRING 3ossl" -.TH RSA_SIGN_ASN1_OCTET_STRING 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_SIGN_ASN1_OCTET_STRING 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -101,7 +104,7 @@ external circumstances (see \fBRAND\fR\|(7)), the operation will fail. .PP \&\fBRSA_verify_ASN1_OCTET_STRING()\fR verifies that the signature \fBsigbuf\fR of size \fBsiglen\fR is the DER representation of a given octet string -\&\fBm\fR of size \fBm_len\fR. \fBdummy\fR is ignored. \fBrsa\fR is the signer's +\&\fBm\fR of size \fBm_len\fR. \fBdummy\fR is ignored. \fBrsa\fR is the signer\*(Aqs public key. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/RSA_size.3 b/secure/lib/libcrypto/man/man3/RSA_size.3 index f06b46be062d..017c64b3baf8 100644 --- a/secure/lib/libcrypto/man/man3/RSA_size.3 +++ b/secure/lib/libcrypto/man/man3/RSA_size.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA_SIZE 3ossl" -.TH RSA_SIZE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA_SIZE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/SCT_new.3 b/secure/lib/libcrypto/man/man3/SCT_new.3 index 995b0109b903..870f9f30f86f 100644 --- a/secure/lib/libcrypto/man/man3/SCT_new.3 +++ b/secure/lib/libcrypto/man/man3/SCT_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SCT_NEW 3ossl" -.TH SCT_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SCT_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -150,7 +153,7 @@ Only SCT_VERSION_V1 is currently supported. \&\fBSCT_set_log_entry_type()\fR to set the type of certificate the SCT was issued for: .Sp \&\fBCT_LOG_ENTRY_TYPE_X509\fR for a normal certificate. -\&\fBCT_LOG_ENTRY_TYPE_PRECERT\fR for a pre-certificate. +\&\fBCT_LOG_ENTRY_TYPE_PRECERT\fR for a pre\-certificate. .IP \(bu 2 \&\fBSCT_set0_log_id()\fR or \fBSCT_set1_log_id()\fR to set the LogID of the CT log that the SCT came from. .Sp @@ -170,7 +173,7 @@ The former takes ownership, whereas the latter makes a copy. .Sp The former takes ownership, whereas the latter makes a copy. .PP -Alternatively, the SCT can be pre-populated from the following data using +Alternatively, the SCT can be pre\-populated from the following data using \&\fBSCT_new_from_base64()\fR: .IP \(bu 2 The SCT version (only SCT_VERSION_V1 is currently supported). 
@@ -179,7 +182,7 @@ The LogID (see RFC 6962, Section 3.2), base64 encoded. .IP \(bu 2 The type of certificate the SCT was issued for: \&\fBCT_LOG_ENTRY_TYPE_X509\fR for a normal certificate. -\&\fBCT_LOG_ENTRY_TYPE_PRECERT\fR for a pre-certificate. +\&\fBCT_LOG_ENTRY_TYPE_PRECERT\fR for a pre\-certificate. .IP \(bu 2 The time that the SCT was issued (time in milliseconds since the Unix Epoch). .IP \(bu 2 diff --git a/secure/lib/libcrypto/man/man3/SCT_print.3 b/secure/lib/libcrypto/man/man3/SCT_print.3 index 619ee9bb6308..5705d6117da5 100644 --- a/secure/lib/libcrypto/man/man3/SCT_print.3 +++ b/secure/lib/libcrypto/man/man3/SCT_print.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SCT_PRINT 3ossl" -.TH SCT_PRINT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SCT_PRINT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -76,7 +79,7 @@ Prints Signed Certificate Timestamps in a human\-readable way .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBSCT_print()\fR prints a single Signed Certificate Timestamp (SCT) to a \fBBIO\fR in -a human-readable format. \fBSCT_LIST_print()\fR prints an entire list of SCTs in a +a human\-readable format. \fBSCT_LIST_print()\fR prints an entire list of SCTs in a similar way. A separator can be specified to delimit each SCT in the output. .PP The output can be indented by a specified number of spaces. If a \fBCTLOG_STORE\fR 
@@ -85,11 +88,11 @@ each SCT (if that log is in the CTLOG_STORE). Alternatively, NULL can be passed as the CTLOG_STORE parameter to disable this feature. .PP \&\fBSCT_validation_status_string()\fR will return the validation status of an SCT as -a human-readable string. Call \fBSCT_validate()\fR or \fBSCT_LIST_validate()\fR +a human\-readable string. Call \fBSCT_validate()\fR or \fBSCT_LIST_validate()\fR beforehand in order to set the validation status of an SCT first. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fBSCT_validation_status_string()\fR returns a NUL-terminated string representing +\&\fBSCT_validation_status_string()\fR returns a NUL\-terminated string representing the validation status of an \fBSCT\fR object. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/SCT_validate.3 b/secure/lib/libcrypto/man/man3/SCT_validate.3 index 3c3712f6a557..bc256ddcd879 100644 --- a/secure/lib/libcrypto/man/man3/SCT_validate.3 +++ b/secure/lib/libcrypto/man/man3/SCT_validate.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SCT_VALIDATE 3ossl" -.TH SCT_VALIDATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SCT_VALIDATE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -97,7 +100,7 @@ SCT_VALIDATION_STATUS_UNVERIFIED. .IP \(bu 2 The issuer of that certificate. .Sp -This is only required if the SCT was issued for a pre-certificate +This is only required if the SCT was issued for a pre\-certificate (see RFC 6962). If it is required but not provided, the validation status will be SCT_VALIDATION_STATUS_UNVERIFIED. .IP \(bu 2 @@ -109,7 +112,7 @@ status will be SCT_VALIDATION_STATUS_UNKNOWN_LOG. If the SCT is of an unsupported version (only v1 is currently supported), the validation status will be SCT_VALIDATION_STATUS_UNKNOWN_VERSION. .PP -If the SCT's signature is incorrect, its timestamp is in the future (relative to +If the SCT\*(Aqs signature is incorrect, its timestamp is in the future (relative to the time in CT_POLICY_EVAL_CTX), or if it is otherwise invalid, the validation status will be SCT_VALIDATION_STATUS_INVALID. .PP diff --git a/secure/lib/libcrypto/man/man3/SHA256_Init.3 b/secure/lib/libcrypto/man/man3/SHA256_Init.3 index 99dfc9be77d9..8bea260a93ae 100644 --- a/secure/lib/libcrypto/man/man3/SHA256_Init.3 +++ b/secure/lib/libcrypto/man/man3/SHA256_Init.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SHA256_INIT 3ossl" -.TH SHA256_INIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SHA256_INIT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -107,7 +110,7 @@ see \fBopenssl_user_macros\fR\|(7): All of the functions described on this page except for \fBSHA1()\fR, \fBSHA224()\fR, \fBSHA256()\fR, \fBSHA384()\fR and \fBSHA512()\fR are deprecated. Applications should instead use \fBEVP_DigestInit_ex\fR\|(3), \fBEVP_DigestUpdate\fR\|(3) -and \fBEVP_DigestFinal_ex\fR\|(3), or the quick one-shot function \fBEVP_Q_digest\fR\|(3). +and \fBEVP_DigestFinal_ex\fR\|(3), or the quick one\-shot function \fBEVP_Q_digest\fR\|(3). \&\fBSHA1()\fR, \fBSHA224()\fR, \fBSHA256()\fR, \fBSHA384()\fR, and \fBSHA256()\fR can continue to be used. They can also be replaced by, e.g., .PP diff --git a/secure/lib/libcrypto/man/man3/SMIME_read_ASN1.3 b/secure/lib/libcrypto/man/man3/SMIME_read_ASN1.3 index b0926d90a624..53f10c9ece7f 100644 --- a/secure/lib/libcrypto/man/man3/SMIME_read_ASN1.3 +++ b/secure/lib/libcrypto/man/man3/SMIME_read_ASN1.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SMIME_READ_ASN1 3ossl" -.TH SMIME_READ_ASN1 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SMIME_READ_ASN1 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SMIME_read_CMS.3 b/secure/lib/libcrypto/man/man3/SMIME_read_CMS.3 index e2ac2127e7a1..9b5a8857df71 100644 --- a/secure/lib/libcrypto/man/man3/SMIME_read_CMS.3 +++ b/secure/lib/libcrypto/man/man3/SMIME_read_CMS.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SMIME_READ_CMS 3ossl" -.TH SMIME_READ_CMS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SMIME_READ_CMS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SMIME_read_PKCS7.3 b/secure/lib/libcrypto/man/man3/SMIME_read_PKCS7.3 index 87621cb4cc8d..768c132aeea9 100644 --- a/secure/lib/libcrypto/man/man3/SMIME_read_PKCS7.3 +++ b/secure/lib/libcrypto/man/man3/SMIME_read_PKCS7.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SMIME_READ_PKCS7 3ossl" -.TH SMIME_READ_PKCS7 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SMIME_READ_PKCS7 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SMIME_write_ASN1.3 b/secure/lib/libcrypto/man/man3/SMIME_write_ASN1.3 index 482820a60153..0927d964b58a 100644 
--- a/secure/lib/libcrypto/man/man3/SMIME_write_ASN1.3 +++ b/secure/lib/libcrypto/man/man3/SMIME_write_ASN1.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SMIME_WRITE_ASN1 3ossl" -.TH SMIME_WRITE_ASN1 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SMIME_WRITE_ASN1 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SMIME_write_CMS.3 b/secure/lib/libcrypto/man/man3/SMIME_write_CMS.3 index 91fa572c308e..e7db61e597e8 100644 --- a/secure/lib/libcrypto/man/man3/SMIME_write_CMS.3 +++ b/secure/lib/libcrypto/man/man3/SMIME_write_CMS.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SMIME_WRITE_CMS 3ossl" -.TH SMIME_WRITE_CMS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SMIME_WRITE_CMS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/SMIME_write_PKCS7.3 b/secure/lib/libcrypto/man/man3/SMIME_write_PKCS7.3 index 97dc80451034..82cc67048154 100644 --- a/secure/lib/libcrypto/man/man3/SMIME_write_PKCS7.3 +++ b/secure/lib/libcrypto/man/man3/SMIME_write_PKCS7.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SMIME_WRITE_PKCS7 3ossl" -.TH SMIME_WRITE_PKCS7 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SMIME_WRITE_PKCS7 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SRP_Calc_B.3 b/secure/lib/libcrypto/man/man3/SRP_Calc_B.3 index a35182f7fa7f..178a947c86e7 100644 --- a/secure/lib/libcrypto/man/man3/SRP_Calc_B.3 +++ b/secure/lib/libcrypto/man/man3/SRP_Calc_B.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SRP_CALC_B 3ossl" -.TH SRP_CALC_B 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SRP_CALC_B 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -122,7 +125,7 @@ RFC2945 for a detailed description of their usage and the meaning of the various BIGNUM parameters to these functions. .PP Most of these functions come in two forms. Those that take a \fIlibctx\fR and -\&\fIpropq\fR parameter, and those that don't. Any cryptogrpahic functions that +\&\fIpropq\fR parameter, and those that don\*(Aqt. Any cryptogrpahic functions that are fetched and used during the calculation use the provided \fIlibctx\fR and \&\fIpropq\fR. See "ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for more details. The variants that do not take a \fIlibctx\fR and \fIpropq\fR parameter use the default library diff --git a/secure/lib/libcrypto/man/man3/SRP_VBASE_new.3 b/secure/lib/libcrypto/man/man3/SRP_VBASE_new.3 index 46a768c4cb61..6ff56ccefbe6 100644 --- a/secure/lib/libcrypto/man/man3/SRP_VBASE_new.3 +++ b/secure/lib/libcrypto/man/man3/SRP_VBASE_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SRP_VBASE_NEW 3ossl" -.TH SRP_VBASE_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SRP_VBASE_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -97,8 +100,8 @@ The \fBSRP_VBASE_new()\fR function allocates a structure to store server side SR verifier information. If \fBseed_key\fR is not NULL a copy is stored and used to generate dummy parameters for users that are not found by \fBSRP_VBASE_get1_by_user()\fR. This allows the server -to hide the fact that it doesn't have a verifier for a particular username, -as described in section 2.5.1.3 'Unknown SRP' of RFC 5054. +to hide the fact that it doesn\*(Aqt have a verifier for a particular username, +as described in section 2.5.1.3 \*(AqUnknown SRP\*(Aq of RFC 5054. The seed string should contain random NUL terminated binary data (therefore the random data should not contain NUL bytes!). .PP @@ -109,8 +112,8 @@ The \fBSRP_VBASE_init()\fR function parses the information in a verifier file an populates the \fBvb\fR structure. The verifier file is a text file containing multiple entries, whose format is: flag base64(verifier) base64(salt) username gNid userinfo(optional) -where the flag can be 'V' (valid) or 'R' (revoked). -Note that the base64 encoding used here is non-standard so it is recommended +where the flag can be \*(AqV\*(Aq (valid) or \*(AqR\*(Aq (revoked). +Note that the base64 encoding used here is non\-standard so it is recommended to use \fBopenssl\-srp\fR\|(1) to generate this file. .PP The \fBSRP_VBASE_add0_user()\fR function adds the \fBuser_pwd\fR verifier information 
@@ -123,7 +126,7 @@ whose username matches \fBusername\fR. It replaces the deprecated \&\fBSRP_VBASE_get_by_user()\fR. If no matching user is found but a seed_key and default gN parameters have been set, dummy authentication information is generated from the seed_key, allowing -the server to hide the fact that it doesn't have a verifier for a particular +the server to hide the fact that it doesn\*(Aqt have a verifier for a particular username. When using SRP as a TLS authentication mechanism, this will cause the handshake to proceed normally but the first client will be rejected with a "bad_record_mac" alert, as if the password was incorrect. diff --git a/secure/lib/libcrypto/man/man3/SRP_create_verifier.3 b/secure/lib/libcrypto/man/man3/SRP_create_verifier.3 index 930a0b162758..3d976250ba04 100644 --- a/secure/lib/libcrypto/man/man3/SRP_create_verifier.3 +++ b/secure/lib/libcrypto/man/man3/SRP_create_verifier.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SRP_CREATE_VERIFIER 3ossl" -.TH SRP_CREATE_VERIFIER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SRP_CREATE_VERIFIER 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -116,7 +119,7 @@ The caller is responsible for freeing the allocated \fI*salt\fR and \fI*verifier BIGNUMS (use \fBBN_free\fR\|(3)). .PP The \fBSRP_create_verifier()\fR function is similar to \fBSRP_create_verifier_BN()\fR but -all numeric parameters are in a non-standard base64 encoding originally designed +all numeric parameters are in a non\-standard base64 encoding originally designed for compatibility with libsrp. This is mainly present for historical compatibility and its use is discouraged. It is possible to pass NULL as \fIN\fR and an SRP group id as \fIg\fR instead to @@ -137,7 +140,7 @@ The known ids are "1024", "1536", "2048", "3072", "4096", "6144" and "8192". 0 on failure. .PP \&\fBSRP_create_verifier_ex()\fR and \fBSRP_create_verifier()\fR return NULL on failure and a -non-NULL value on success: +non\-NULL value on success: "*" if \fIN\fR is not NULL, the selected group id otherwise. This value should not be freed. .PP diff --git a/secure/lib/libcrypto/man/man3/SRP_user_pwd_new.3 b/secure/lib/libcrypto/man/man3/SRP_user_pwd_new.3 index 9f917c54c9dd..afde8e243740 100644 --- a/secure/lib/libcrypto/man/man3/SRP_user_pwd_new.3 +++ b/secure/lib/libcrypto/man/man3/SRP_user_pwd_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SRP_USER_PWD_NEW 3ossl" -.TH SRP_USER_PWD_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SRP_USER_PWD_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/SSL_CIPHER_get_name.3 b/secure/lib/libcrypto/man/man3/SSL_CIPHER_get_name.3 index 5e9b8b6250ca..ca026963a232 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CIPHER_get_name.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CIPHER_get_name.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CIPHER_GET_NAME 3ossl" -.TH SSL_CIPHER_GET_NAME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CIPHER_GET_NAME 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -159,15 +162,15 @@ ChaCha20/Poly1305), and 0 if it is not AEAD. .PP \&\fBSSL_CIPHER_find()\fR returns a \fBSSL_CIPHER\fR structure which has the cipher ID stored in \fBptr\fR. The \fBptr\fR parameter is a two element array of \fBchar\fR, which stores the -two-byte TLS cipher ID (as allocated by IANA) in network byte order. This parameter +two\-byte TLS cipher ID (as allocated by IANA) in network byte order. This parameter is usually retrieved from a TLS packet by using functions like \&\fBSSL_client_hello_get0_ciphers\fR\|(3). \fBSSL_CIPHER_find()\fR returns NULL if an error occurs or the indicated cipher is not found. .PP -\&\fBSSL_CIPHER_get_id()\fR returns the OpenSSL-specific ID of the given cipher \fBc\fR. That ID is -not the same as the IANA-specific ID. +\&\fBSSL_CIPHER_get_id()\fR returns the OpenSSL\-specific ID of the given cipher \fBc\fR. That ID is +not the same as the IANA\-specific ID. .PP -\&\fBSSL_CIPHER_get_protocol_id()\fR returns the two-byte ID used in the TLS protocol of the given +\&\fBSSL_CIPHER_get_protocol_id()\fR returns the two\-byte ID used in the TLS protocol of the given cipher \fBc\fR. .PP \&\fBSSL_CIPHER_description()\fR returns a textual description of the cipher used @@ -211,7 +214,7 @@ Some examples for the output of \fBSSL_CIPHER_description()\fR: .IX Header "RETURN VALUES" \&\fBSSL_CIPHER_get_name()\fR, \fBSSL_CIPHER_standard_name()\fR, \fBOPENSSL_cipher_name()\fR, \&\fBSSL_CIPHER_get_version()\fR and \fBSSL_CIPHER_description()\fR return the corresponding -value in a NUL-terminated string for a specific cipher or "(NONE)" +value in a NUL\-terminated string for a specific cipher or "(NONE)" if the cipher is not found. .PP \&\fBSSL_CIPHER_get_bits()\fR returns a positive integer representing the number of 
@@ -229,10 +232,10 @@ if an error occurred. \&\fBSSL_CIPHER_find()\fR returns a valid \fBSSL_CIPHER\fR structure or NULL if an error occurred. .PP -\&\fBSSL_CIPHER_get_id()\fR returns a 4\-byte integer representing the OpenSSL-specific ID. +\&\fBSSL_CIPHER_get_id()\fR returns a 4\-byte integer representing the OpenSSL\-specific ID. .PP \&\fBSSL_CIPHER_get_protocol_id()\fR returns a 2\-byte integer representing the TLS -protocol-specific ID. +protocol\-specific ID. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBssl\fR\|(7), \fBSSL_get_current_cipher\fR\|(3), @@ -248,7 +251,7 @@ rather than a fixed string, in OpenSSL 1.1.0. The \fBSSL_CIPHER_get_handshake_digest()\fR function was added in OpenSSL 1.1.1. .PP The \fBSSL_CIPHER_standard_name()\fR function was globally available in OpenSSL 1.1.1. - Before OpenSSL 1.1.1, tracing (\fBenable-ssl-trace\fR argument to Configure) was + Before OpenSSL 1.1.1, tracing (\fBenable\-ssl\-trace\fR argument to Configure) was required to enable this function. .PP The \fBOPENSSL_cipher_name()\fR function was added in OpenSSL 1.1.1. diff --git a/secure/lib/libcrypto/man/man3/SSL_COMP_add_compression_method.3 b/secure/lib/libcrypto/man/man3/SSL_COMP_add_compression_method.3 index 953229e2bc10..09214cae4838 100644 --- a/secure/lib/libcrypto/man/man3/SSL_COMP_add_compression_method.3 +++ b/secure/lib/libcrypto/man/man3/SSL_COMP_add_compression_method.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_COMP_ADD_COMPRESSION_METHOD 3ossl" -.TH SSL_COMP_ADD_COMPRESSION_METHOD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_COMP_ADD_COMPRESSION_METHOD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -105,7 +108,7 @@ into the communication. The TLS RFC does however not specify compression methods or their corresponding identifiers, so there is currently no compatible way to integrate compression with unknown peers. It is therefore currently not recommended to integrate compression into applications. Applications for -non-public use may agree on certain compression methods. Using different +non\-public use may agree on certain compression methods. Using different compression methods with the same identifier will lead to connection failure. .PP An OpenSSL client speaking a protocol that allows compression (SSLv3, TLSv1) diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_new.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_new.3 index 5ba1bd04def8..3291b8817f58 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_new.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CONF_CTX_NEW 3ossl" -.TH SSL_CONF_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CONF_CTX_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set1_prefix.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set1_prefix.3 index c321852c8594..158721e70343 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set1_prefix.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set1_prefix.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CONF_CTX_SET1_PREFIX 3ossl" -.TH SSL_CONF_CTX_SET1_PREFIX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CONF_CTX_SET1_PREFIX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_flags.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_flags.3 index 5163aa1d29ca..55d1f384a0ed 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_flags.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_flags.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CONF_CTX_SET_FLAGS 3ossl" -.TH SSL_CONF_CTX_SET_FLAGS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CONF_CTX_SET_FLAGS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -101,7 +104,7 @@ file an error occurs. .IP SSL_CONF_FLAG_SHOW_ERRORS 4 .IX Item "SSL_CONF_FLAG_SHOW_ERRORS" indicate errors relating to unrecognised options or missing arguments in -the error queue. If this option isn't set such errors are only reflected +the error queue. If this option isn\*(Aqt set such errors are only reflected in the return values of \fBSSL_CONF_set_cmd()\fR or \fBSSL_CONF_set_argv()\fR .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_ssl_ctx.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_ssl_ctx.3 index 76d542adbb89..9ffe2016aa83 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_ssl_ctx.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_ssl_ctx.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CONF_CTX_SET_SSL_CTX 3ossl" -.TH SSL_CONF_CTX_SET_SSL_CTX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CONF_CTX_SET_SSL_CTX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_cmd.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_cmd.3 index 439487dd4608..d1c595a06c83 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CONF_cmd.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CONF_cmd.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CONF_CMD 3ossl" -.TH SSL_CONF_CMD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CONF_CMD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -113,7 +116,7 @@ signature algorithm or elliptic curve to use for an incoming connection. Equivalent to \fBSSL_OP_CIPHER_SERVER_PREFERENCE\fR. Only used by servers. .IP \fB\-client_renegotiation\fR 4 .IX Item "-client_renegotiation" -Allows servers to accept client-initiated renegotiation. Equivalent to +Allows servers to accept client\-initiated renegotiation. Equivalent to setting \fBSSL_OP_ALLOW_CLIENT_RENEGOTIATION\fR. Only used by servers. .IP \fB\-legacy_renegotiation\fR 4 
@@ -166,9 +169,9 @@ or \fBsignature_scheme\fR. For the default providers shipped with OpenSSL, \&\fBsignature_scheme\fR is one of the signature schemes defined in TLSv1.3, specified using the IETF name, e.g., \fBecdsa_secp256r1_sha256\fR, \&\fBed25519\fR, or \fBrsa_pss_pss_sha256\fR. Additional providers may make available -further algorithms via the TLS-SIGALG capability. +further algorithms via the TLS\-SIGALG capability. Signature scheme names and public key algorithm names (but not the hash names) -in the \fBalgorithm+hash\fR form are case-insensitive. +in the \fBalgorithm+hash\fR form are case\-insensitive. See \fBprovider\-base\fR\|(7). .Sp If this option is not set then all signature algorithms supported by all @@ -203,7 +206,7 @@ registry. For some groups, OpenSSL supports additional aliases. Such an alias could be a \fBNIST\fR name (e.g. \fBP\-256\fR), an OpenSSL OID name (e.g. \fBprime256v1\fR), or some other commonly used name. -Group names are case-insensitive in OpenSSL 3.5 and later. +Group names are case\-insensitive in OpenSSL 3.5 and later. The list should be in order of preference with the most preferred group first. .Sp The first group listed will also be used for the \fBkey_share\fR sent by a client 
@@ -217,16 +220,14 @@ respectively: \& $ openssl list \-tls1_3 \-tls\-groups .Ve .Sp -The recommended groups (in order of decreasing performance) for TLS 1.3 are presently: -.Sp -\&\fBx25519\fR, -\&\fBsecp256r1\fR, -\&\fBx448\fR, -and -\&\fBsecp384r1\fR. +The recommended groups for TLS 1.3 are presently documented in the default +TLS group list in the OpenSSL code base. Starting with OpenSSL 3.5, the +hybrid algorithm \fBX25519MLKEM768\fR is first in this default list. +It mitigates against threats from future quantum computers while +still providing state\-of\-the\-art classical key exchange protection. .Sp -The stronger security margins of the last two, come at a significant -performance penalty. +Further details regarding post\-quantum algorithm considerations are documented +in the HISTORY section below. .Sp An enriched alternative syntax, that enables clients to send multiple keyshares and allows servers to prioritise some groups over others, is described in @@ -249,7 +250,7 @@ curve can be either the \fBNIST\fR name (e.g. \fBP\-256\fR) or an OpenSSL OID na (e.g. \fBprime256v1\fR). Even with TLS 1.0 and 1.1, the default value of \f(CW\*(C`auto\*(C'\fR is strongly recommended over choosing a specific curve. -Curve names are case-insensitive in OpenSSL 3.5 and later. +Curve names are case\-insensitive in OpenSSL 3.5 and later. .IP \fB\-tx_cert_comp\fR 4 .IX Item "-tx_cert_comp" Enables support for sending TLSv1.3 compressed certificates. 
@@ -275,7 +276,7 @@ structure is associated with \fBctx\fR. .IP "\fB\-ciphersuites\fR \fI1.3ciphers\fR" 4 .IX Item "-ciphersuites 1.3ciphers" Sets the available ciphersuites for TLSv1.3 to value. This is a -colon-separated list of TLSv1.3 ciphersuite names in order of preference. This +colon\-separated list of TLSv1.3 ciphersuite names in order of preference. This list will be combined any configured TLSv1.2 and below ciphersuites. See \fBopenssl\-ciphers\fR\|(1) for more information. .IP "\fB\-min_protocol\fR \fIminprot\fR, \fB\-max_protocol\fR \fImaxprot\fR" 4 @@ -343,11 +344,11 @@ Switches replay protection, on or off respectively. With replay protection on, OpenSSL will automatically detect if a session ticket has been used more than once, TLSv1.3 has been negotiated, and early data is enabled on the server. A full handshake is forced if a session ticket is used a second or subsequent -time. Anti-Replay is on by default unless overridden by a configuration file and -is only used by servers. Anti-replay measures are required for compliance with +time. Anti\-Replay is on by default unless overridden by a configuration file and +is only used by servers. Anti\-replay measures are required for compliance with the TLSv1.3 specification. Some applications may be able to mitigate the replay -risks in other ways and in such cases the built-in OpenSSL functionality is not -required. Switching off anti-replay is equivalent to \fBSSL_OP_NO_ANTI_REPLAY\fR. +risks in other ways and in such cases the built\-in OpenSSL functionality is not +required. Switching off anti\-replay is equivalent to \fBSSL_OP_NO_ANTI_REPLAY\fR. .SH "SUPPORTED CONFIGURATION FILE COMMANDS" .IX Header "SUPPORTED CONFIGURATION FILE COMMANDS" Currently supported \fBoption\fR names for configuration files (i.e., when the 
@@ -366,7 +367,7 @@ structure is associated with \fBctx\fR. .IP \fBCiphersuites\fR 4 .IX Item "Ciphersuites" Sets the available ciphersuites for TLSv1.3 to \fBvalue\fR. This is a -colon-separated list of TLSv1.3 ciphersuite names in order of preference. This +colon\-separated list of TLSv1.3 ciphersuite names in order of preference. This list will be combined any configured TLSv1.2 and below ciphersuites. See \fBopenssl\-ciphers\fR\|(1) for more information. .IP \fBCertificate\fR 4 @@ -414,6 +415,11 @@ omitted, the same padding will be applied to all messages. Padding attempts to pad TLSv1.3 records so that they are a multiple of the set length on send. A value of 0 or 1 turns off padding as relevant. Otherwise, the values must be >1 or <=16384. +.Sp +Note that, for QUIC objects, padding is always performed at the +packet level, and so cannot be done at the record level. Given that, when the +config file is created, there is no knowledge of what kind of SSL objects are +being created, this option is silently ignored for QUIC objects. .IP \fBSignatureAlgorithms\fR 4 .IX Item "SignatureAlgorithms" This sets the supported signature algorithms for TLSv1.2 and TLSv1.3. @@ -431,7 +437,7 @@ or \fBSHA512\fR. specified using the IANA name, e.g., \fBecdsa_secp256r1_sha256\fR, \fBed25519\fR, or \fBrsa_pss_pss_sha256\fR. Signature scheme names and public key algorithm names (but not the hash names) -in the \fBalgorithm+hash\fR form are case-insensitive. +in the \fBalgorithm+hash\fR form are case\-insensitive. Additional providers may make available further signature schemes via the TLS_SIGALG capability. See "CAPABILITIES" in \fBprovider\-base\fR\|(7). .Sp 
@@ -469,7 +475,7 @@ registry. For some groups, OpenSSL supports additional aliases. Such an alias could be a \fBNIST\fR name (e.g. \fBP\-256\fR), an OpenSSL OID name (e.g. \fBprime256v1\fR), or some other commonly used name. -Group names are case-insensitive in OpenSSL 3.5 and later. +Group names are case\-insensitive in OpenSSL 3.5 and later. The list should be in order of preference with the most preferred group first. .Sp The commands below list the available groups for TLS 1.2 and TLS 1.3, @@ -495,8 +501,8 @@ This sets the minimum supported SSL, TLS or DTLS version. .Sp Currently supported protocol values are \fBSSLv3\fR, \fBTLSv1\fR, \fBTLSv1.1\fR, \&\fBTLSv1.2\fR, \fBTLSv1.3\fR, \fBDTLSv1\fR and \fBDTLSv1.2\fR. -The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds -apply only to DTLS-based contexts. +The SSL and TLS bounds apply only to TLS\-based contexts, while the DTLS bounds +apply only to DTLS\-based contexts. The command can be repeated with one instance setting a TLS bound, and the other setting a DTLS bound. The value \fBNone\fR applies to both types of contexts and disables the limits. @@ -506,8 +512,8 @@ This sets the maximum supported SSL, TLS or DTLS version. .Sp Currently supported protocol values are \fBSSLv3\fR, \fBTLSv1\fR, \fBTLSv1.1\fR, \&\fBTLSv1.2\fR, \fBTLSv1.3\fR, \fBDTLSv1\fR and \fBDTLSv1.2\fR. -The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds -apply only to DTLS-based contexts. +The SSL and TLS bounds apply only to TLS\-based contexts, while the DTLS bounds +apply only to DTLS\-based contexts. The command can be repeated with one instance setting a TLS bound, and the other setting a DTLS bound. The value \fBNone\fR applies to both types of contexts and disables the limits. 
@@ -530,7 +536,7 @@ Currently supported protocol values are \fBSSLv3\fR, \fBTLSv1\fR, \fBTLSv1.1\fR, \&\fBTLSv1.2\fR, \fBTLSv1.3\fR, \fBDTLSv1\fR and \fBDTLSv1.2\fR. The special value \fBALL\fR refers to all supported versions. .Sp -This can't enable protocols that are disabled using \fBMinProtocol\fR +This can\*(Aqt enable protocols that are disabled using \fBMinProtocol\fR or \fBMaxProtocol\fR, but can disable protocols that are still allowed by them. .Sp @@ -590,7 +596,7 @@ Equivalent to \fBSSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\fR. \&\fBUnsafeLegacyServerConnect\fR: permits the use of unsafe legacy renegotiation for OpenSSL clients only. Equivalent to \fBSSL_OP_LEGACY_SERVER_CONNECT\fR. .Sp -\&\fBEncryptThenMac\fR: use encrypt-then-mac extension, enabled by +\&\fBEncryptThenMac\fR: use encrypt\-then\-mac extension, enabled by default. Inverse of \fBSSL_OP_NO_ENCRYPT_THEN_MAC\fR: that is, \&\fB\-EncryptThenMac\fR is the same as setting \fBSSL_OP_NO_ENCRYPT_THEN_MAC\fR. .Sp 
@@ -613,10 +619,10 @@ default. Equivalent to \fBSSL_OP_ENABLE_MIDDLEBOX_COMPAT\fR. has been used more than once, TLSv1.3 has been negotiated, and early data is enabled on the server. A full handshake is forced if a session ticket is used a second or subsequent time. This option is set by default and is only used by -servers. Anti-replay measures are required to comply with the TLSv1.3 +servers. Anti\-replay measures are required to comply with the TLSv1.3 specification. Some applications may be able to mitigate the replay risks in -other ways and in such cases the built-in OpenSSL functionality is not required. -Disabling anti-replay is equivalent to setting \fBSSL_OP_NO_ANTI_REPLAY\fR. +other ways and in such cases the built\-in OpenSSL functionality is not required. +Disabling anti\-replay is equivalent to setting \fBSSL_OP_NO_ANTI_REPLAY\fR. .Sp \&\fBExtendedMasterSecret\fR: use extended master secret extension, enabled by default. Inverse of \fBSSL_OP_NO_EXTENDED_MASTER_SECRET\fR: that is, @@ -646,7 +652,7 @@ a performance boost when used with KTLS hardware offload. Note that invalid TLS records might be transmitted if the file is changed while being sent. This option has no effect if \fBKTLS\fR is not enabled. Equivalent to \&\fBSSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE\fR. This option only applies to Linux. -KTLS sendfile on FreeBSD doesn't offer an option to disable zerocopy and +KTLS sendfile on FreeBSD doesn\*(Aqt offer an option to disable zerocopy and always runs in this mode. .Sp \&\fBIgnoreUnexpectedEOF\fR: Equivalent to \fBSSL_OP_IGNORE_UNEXPECTED_EOF\fR. 
@@ -669,16 +675,16 @@ occurs if the client does not present a certificate. Servers only. not when renegotiating. Servers only. .Sp \&\fBRequestPostHandshake\fR configures the connection to support requests but does -not require a certificate from the client post-handshake. A certificate will +not require a certificate from the client post\-handshake. A certificate will not be requested during the initial handshake. The server application must -provide a mechanism to request a certificate post-handshake. Servers only. +provide a mechanism to request a certificate post\-handshake. Servers only. TLSv1.3 only. .Sp \&\fBRequiresPostHandshake\fR configures the connection to support requests and -requires a certificate from the client post-handshake: an error occurs if the +requires a certificate from the client post\-handshake: an error occurs if the client does not present a certificate. A certificate will not be requested during the initial handshake. The server application must provide a mechanism -to request a certificate post-handshake. Servers only. TLSv1.3 only. +to request a certificate post\-handshake. Servers only. TLSv1.3 only. .IP "\fBClientCAFile\fR, \fBClientCAPath\fR" 4 .IX Item "ClientCAFile, ClientCAPath" A file or directory of certificates in PEM format whose names are used as the @@ -703,7 +709,7 @@ The value is a filename. The value is a directory name. .IP \fBSSL_CONF_TYPE_NONE\fR 4 .IX Item "SSL_CONF_TYPE_NONE" -The value string is not used e.g. a command line option which doesn't take an +The value string is not used e.g. a command line option which doesn\*(Aqt take an argument. .SH NOTES .IX Header "NOTES" 
@@ -794,7 +800,7 @@ The following also disables SSLv3: The following will first enable all protocols, and then disable SSLv3. If no protocol versions were disabled before this has the same effect as -"\-SSLv3", but if some versions were disables this will re-enable them before +"\-SSLv3", but if some versions were disables this will re\-enable them before disabling SSLv3. .PP .Vb 1 @@ -844,11 +850,11 @@ Set supported curves to P\-256, P\-384: .IX Header "HISTORY" The \fBSSL_CONF_cmd()\fR function was added in OpenSSL 1.0.2. .PP -The \fBSSL_OP_NO_SSL2\fR option doesn't have effect since 1.1.0, but the macro +The \fBSSL_OP_NO_SSL2\fR option doesn\*(Aqt have effect since 1.1.0, but the macro is retained for backwards compatibility. .PP The \fBSSL_CONF_TYPE_NONE\fR was added in OpenSSL 1.1.0. In earlier versions of -OpenSSL passing a command which didn't take an argument would return +OpenSSL passing a command which didn\*(Aqt take an argument would return \&\fBSSL_CONF_TYPE_UNKNOWN\fR. .PP \&\fBMinProtocol\fR and \fBMaxProtocol\fR where added in OpenSSL 1.1.0. @@ -863,7 +869,7 @@ added in OpenSSL 3.2. .PP \&\fBPreferNoDHEKEX\fR was added in OpenSSL 3.3. .PP -OpenSSL 3.5 introduces support for post-quantum (PQ) TLS key exchange via the +OpenSSL 3.5 introduces support for post\-quantum (PQ) TLS key exchange via the \&\fBMLKEM512\fR, \fBMLKEM768\fR and \fBMLKEM1024\fR TLS groups. These are based on the underlying \fBML\-KEM\-512\fR, \fBML\-KEM\-768\fR and \&\fBML\-KEM\-1024\fR algorithms from FIPS 203. 
@@ -873,16 +879,16 @@ TLS groups: \fBX25519MLKEM768\fR, \fBSecP256r1MLKEM768\fR and \&\fBSecP384r1MLKEM1024\fR. They offer CPU performance comparable to the associated ECDH group, though at the cost of significantly larger key exchange messages. -The third group, \fBSecP384r1MLKEM1024\fR is substantially more CPU-intensive, +The third group, \fBSecP384r1MLKEM1024\fR is substantially more CPU\-intensive, largely as a result of the high CPU cost of ECDH for the underlying \fBP\-384\fR group. Also its key exchange messages at close to 1700 bytes are larger than the roughly 1200 bytes for the first two groups. .PP -As of OpenSSL 3.5 key exchange group names are case-insensitive. +As of OpenSSL 3.5 key exchange group names are case\-insensitive. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2012\-2025 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2012\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_cmd_argv.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_cmd_argv.3 index 5d48aeac0968..3d4ec09ac19f 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CONF_cmd_argv.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CONF_cmd_argv.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CONF_CMD_ARGV 3ossl" -.TH SSL_CONF_CMD_ARGV 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CONF_CMD_ARGV 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -82,7 +85,7 @@ or a negative error code. .PP If \-2 is returned then an argument for a command is missing. .PP -If \-1 is returned the command is recognised but couldn't be processed due +If \-1 is returned the command is recognised but couldn\*(Aqt be processed due to an error: for example a syntax error in the argument. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_add1_chain_cert.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_add1_chain_cert.3 index 2750635312c6..53e346475dfa 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_add1_chain_cert.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_add1_chain_cert.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_ADD1_CHAIN_CERT 3ossl" -.TH SSL_CTX_ADD1_CHAIN_CERT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_ADD1_CHAIN_CERT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_add_extra_chain_cert.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_add_extra_chain_cert.3 index d5d7ff0f7344..f021a2ea1f54 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_add_extra_chain_cert.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_add_extra_chain_cert.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_ADD_EXTRA_CHAIN_CERT 3ossl" -.TH SSL_CTX_ADD_EXTRA_CHAIN_CERT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_ADD_EXTRA_CHAIN_CERT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_add_session.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_add_session.3 index 446e2b508b5b..e361696d0b3b 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_add_session.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_add_session.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_ADD_SESSION 3ossl" -.TH SSL_CTX_ADD_SESSION 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_ADD_SESSION 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -79,7 +82,7 @@ the same session id already exists, the old session is removed by calling \&\fBSSL_SESSION_free\fR\|(3). .PP \&\fBSSL_CTX_remove_session()\fR removes the session \fBc\fR from the context \fBctx\fR and -marks it as non-resumable. \fBSSL_SESSION_free\fR\|(3) is called once for \fBc\fR. +marks it as non\-resumable. \fBSSL_SESSION_free\fR\|(3) is called once for \fBc\fR. .SH NOTES .IX Header "NOTES" When adding a new session to the internal session cache, it is examined @@ -88,12 +91,12 @@ it is assumed that both sessions are identical. If the same session is stored in a different SSL_SESSION object, The old session is removed and replaced by the new session. If the session is actually identical (the SSL_SESSION object is identical), \fBSSL_CTX_add_session()\fR -is a no-op, and the return value is 0. +is a no\-op, and the return value is 0. .PP If a server SSL_CTX is configured with the SSL_SESS_CACHE_NO_INTERNAL_STORE flag then the internal cache will not be populated automatically by new sessions negotiated by the SSL/TLS implementation, even though the internal -cache will be searched automatically for session-resume requests (the +cache will be searched automatically for session\-resume requests (the latter can be suppressed by SSL_SESS_CACHE_NO_INTERNAL_LOOKUP). So the application can use \fBSSL_CTX_add_session()\fR directly to have full control over the sessions that can be resumed if desired. 
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_config.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_config.3 index 628bc8d437f7..59cecb84024d 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_config.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_config.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_CONFIG 3ossl" -.TH SSL_CTX_CONFIG 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_CONFIG 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_ctrl.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_ctrl.3 index 3e1f9f8476ac..cb08c05b705d 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_ctrl.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_ctrl.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_CTRL 3ossl" -.TH SSL_CTX_CTRL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_CTRL 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_dane_enable.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_dane_enable.3 index c448ac4ef3dd..8067de06c869 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_dane_enable.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_dane_enable.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_DANE_ENABLE 3ossl" -.TH SSL_CTX_DANE_ENABLE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_DANE_ENABLE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -95,7 +98,7 @@ peer authentication. \&\fBSSL_CTX_dane_enable()\fR must be called first to initialize the shared state required for DANE support. Individual connections associated with the context can then enable -per-connection DANE support as appropriate. +per\-connection DANE support as appropriate. DANE authentication is implemented in the \fBX509_verify_cert\fR\|(3) function, and applications that override \fBX509_verify_cert\fR\|(3) via \&\fBSSL_CTX_set_cert_verify_callback\fR\|(3) are responsible to authenticate the peer @@ -121,7 +124,7 @@ is mapped to \f(CWEVP_sha512()\fR with a strength ordinal of \f(CW2\fR. .PP \&\fBSSL_dane_enable()\fR must be called before the SSL handshake is initiated with \&\fBSSL_connect\fR\|(3) if (and only if) you want to enable DANE for that connection. -(The connection must be associated with a DANE-enabled SSL context). +(The connection must be associated with a DANE\-enabled SSL context). The \fBbasedomain\fR argument specifies the RFC7671 TLSA base domain, which will be the primary peer reference identifier for certificate name checks. 
@@ -146,12 +149,12 @@ call and take appropriate action if none are usable or an internal error is encountered in processing some records. .PP If no TLSA records are added successfully, DANE authentication is not enabled, -and authentication will be based on any configured traditional trust-anchors; +and authentication will be based on any configured traditional trust\-anchors; authentication success in this case does not mean that the peer was -DANE-authenticated. +DANE\-authenticated. .PP \&\fBSSL_get0_dane_authority()\fR can be used to get more detailed information about -the matched DANE trust-anchor after successful connection completion. +the matched DANE trust\-anchor after successful connection completion. The return value is negative if DANE verification failed (or was not enabled), 0 if an EE TLSA record directly matched the leaf certificate, or a positive number indicating the depth at which a TA record matched an issuer certificate. 
@@ -161,21 +164,21 @@ certificates sent by the peer as returned by \fBSSL_get_peer_cert_chain\fR\|(3). .PP If the \fBmcert\fR argument is not \fBNULL\fR and a TLSA record matched a chain certificate, a pointer to the matching certificate is returned via \fBmcert\fR. -The returned address is a short-term internal reference to the certificate and +The returned address is a short\-term internal reference to the certificate and must not be freed by the application. Applications that want to retain access to the certificate can call -\&\fBX509_up_ref\fR\|(3) to obtain a long-term reference which must then be freed via +\&\fBX509_up_ref\fR\|(3) to obtain a long\-term reference which must then be freed via \&\fBX509_free\fR\|(3) once no longer needed. .PP If no TLSA records directly matched any elements of the certificate chain, but a \fBDANE\-TA\fR\|(2) \fBSPKI\fR\|(1) \fBFull\fR\|(0) record provided the public key that signed an element of the chain, then that key is returned via \fBmspki\fR argument (if not NULL). -In this case the return value is the depth of the top-most element of the +In this case the return value is the depth of the top\-most element of the validated certificate chain. -As with \fBmcert\fR this is a short-term internal reference, and +As with \fBmcert\fR this is a short\-term internal reference, and \&\fBEVP_PKEY_up_ref\fR\|(3) and \fBEVP_PKEY_free\fR\|(3) can be used to acquire and -release long-term references respectively. +release long\-term references respectively. .PP \&\fBSSL_get0_dane_tlsa()\fR can be used to retrieve the fields of the TLSA record that matched the peer certificate chain. 
@@ -184,21 +187,21 @@ The return value indicates the match depth or failure to match just as with When the return value is nonnegative, the storage pointed to by the \fBusage\fR, \&\fBselector\fR, \fBmtype\fR and \fBdata\fR parameters is updated to the corresponding TLSA record fields. -The \fBdata\fR field is in binary wire form, and is therefore not NUL-terminated, +The \fBdata\fR field is in binary wire form, and is therefore not NUL\-terminated, its length is returned via the \fBdlen\fR parameter. If any of these parameters is NULL, the corresponding field is not returned. -The \fBdata\fR parameter is set to a short-term internal-copy of the associated +The \fBdata\fR parameter is set to a short\-term internal\-copy of the associated data field and must not be freed by the application. -Applications that need long-term access to this field need to copy the content. +Applications that need long\-term access to this field need to copy the content. .PP \&\fBSSL_CTX_dane_set_flags()\fR and \fBSSL_dane_set_flags()\fR can be used to enable optional DANE verification features. \&\fBSSL_CTX_dane_clear_flags()\fR and \fBSSL_dane_clear_flags()\fR can be used to disable the same features. -The \fBflags\fR argument is a bit-mask of the features to enable or disable. +The \fBflags\fR argument is a bit\-mask of the features to enable or disable. The \fBflags\fR set for an \fBSSL_CTX\fR context are copied to each \fBSSL\fR handle associated with that context at the time the handle is created. -Subsequent changes in the context's \fBflags\fR have no effect on the \fBflags\fR set +Subsequent changes in the context\*(Aqs \fBflags\fR have no effect on the \fBflags\fR set for the handle. .PP At present, the only available option is \fBDANE_FLAG_NO_DANE_EE_NAMECHECKS\fR 
@@ -208,7 +211,7 @@ For some applications, primarily web browsers, it is not safe to disable name checks due to "unknown key share" attacks, in which a malicious server can convince a client that a connection to a victim server is instead a secure connection to the malicious server. -The malicious server may then be able to violate cross-origin scripting +The malicious server may then be able to violate cross\-origin scripting restrictions. Thus, despite the text of RFC7671, name checks are by default enabled for \&\fBDANE\-EE\fR\|(3) TLSA records, and can be disabled in applications where it is safe @@ -232,7 +235,7 @@ certificate or a public key that fails to parse. The functions \fBSSL_get0_dane_authority()\fR and \fBSSL_get0_dane_tlsa()\fR return a negative value when DANE authentication failed or was not enabled, a nonnegative value indicates the chain depth at which the TLSA record matched a -chain certificate, or the depth of the top-most certificate, when the TLSA +chain certificate, or the depth of the top\-most certificate, when the TLSA record is a full public key that is its signer. .PP The functions \fBSSL_CTX_dane_set_flags()\fR, \fBSSL_CTX_dane_clear_flags()\fR, @@ -241,7 +244,7 @@ before they were called. .SH EXAMPLES .IX Header "EXAMPLES" Suppose "smtp.example.com" is the MX host of the domain "example.com", and has -DNSSEC-validated TLSA records. +DNSSEC\-validated TLSA records. The calls below will perform DANE authentication and arrange to match either the MX hostname or the destination domain name in the SMTP server certificate. Wildcards are supported, but must match the entire label. 
@@ -389,7 +392,7 @@ the lifetime of the SSL connection. .IX Header "NOTES" It is expected that the majority of clients employing DANE TLS will be doing "opportunistic DANE TLS" in the sense of RFC7672 and RFC7435. -That is, they will use DANE authentication when DNSSEC-validated TLSA records +That is, they will use DANE authentication when DNSSEC\-validated TLSA records are published for a given peer, and otherwise will use unauthenticated TLS or even cleartext. .PP diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_flush_sessions.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_flush_sessions.3 index 22ce66cda33f..4d329c30320f 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_flush_sessions.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_flush_sessions.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_FLUSH_SESSIONS 3ossl" -.TH SSL_CTX_FLUSH_SESSIONS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_FLUSH_SESSIONS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_free.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_free.3 index 729c650c6ac2..a7b83eb8a4f6 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_free.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_free.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_FREE 3ossl" -.TH SSL_CTX_FREE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_FREE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -81,8 +84,8 @@ the certificates and keys. If \fBctx\fR is NULL nothing is done. .SH WARNINGS .IX Header "WARNINGS" -If a session-remove callback is set (\fBSSL_CTX_sess_set_remove_cb()\fR), this -callback will be called for each session being freed from \fBctx\fR's +If a session\-remove callback is set (\fBSSL_CTX_sess_set_remove_cb()\fR), this +callback will be called for each session being freed from \fBctx\fR\*(Aqs session cache. This implies, that all corresponding sessions from an external session cache are removed as well. If this is not desired, the user should explicitly unset the callback by calling diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_get0_param.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_get0_param.3 index d00f5702265f..177a4d257efd 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_get0_param.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_get0_param.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_GET0_PARAM 3ossl" -.TH SSL_CTX_GET0_PARAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_GET0_PARAM 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_get_verify_mode.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_get_verify_mode.3 index e446b5d4fa26..742ed9d89bc4 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_get_verify_mode.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_get_verify_mode.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_GET_VERIFY_MODE 3ossl" -.TH SSL_CTX_GET_VERIFY_MODE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_GET_VERIFY_MODE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_has_client_custom_ext.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_has_client_custom_ext.3 index 50c0ad567c7e..3cdbd9365ba8 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_has_client_custom_ext.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_has_client_custom_ext.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_HAS_CLIENT_CUSTOM_EXT 3ossl" -.TH SSL_CTX_HAS_CLIENT_CUSTOM_EXT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_HAS_CLIENT_CUSTOM_EXT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_load_verify_locations.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_load_verify_locations.3 index 3017574ffc21..de052200ff12 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_load_verify_locations.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_load_verify_locations.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_LOAD_VERIFY_LOCATIONS 3ossl" -.TH SSL_CTX_LOAD_VERIFY_LOCATIONS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_LOAD_VERIFY_LOCATIONS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -154,10 +157,10 @@ will search for suitable certificates first in \fBCAfile\fR, then in \fBCApath\f Details of the chain building process are described in "Certification Path Building" in \fBopenssl\-verification\-options\fR\|(1). .PP -If \fBCAstore\fR is not NULL, it's a URI for to a store, which may +If \fBCAstore\fR is not NULL, it\*(Aqs a URI for to a store, which may represent a single container or a whole catalogue of containers. Apart from the \fBCAstore\fR not necessarily being a local file or -directory, it's generally treated the same way as a \fBCApath\fR. +directory, it\*(Aqs generally treated the same way as a \fBCApath\fR. .PP In server mode, when requesting a client certificate, the server must send the list of CAs of which it will accept client certificates. This list diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_new.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_new.3 index 3e26ab1a7b35..256171303f6f 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_new.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_NEW 3ossl" -.TH SSL_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -171,17 +174,17 @@ with \fBSSL_CTX_get0_param\fR\|(3), to override the default purpose of the sessi .PP The SSL_CTX object uses \fImethod\fR as the connection method. Three method variants are available: a generic method (for either client or -server use), a server-only method, and a client-only method. +server use), a server\-only method, and a client\-only method. .PP The \fImethod\fR parameter of \fBSSL_CTX_new_ex()\fR and \fBSSL_CTX_new()\fR can be one of the following: .IP "\fBTLS_method()\fR, \fBTLS_server_method()\fR, \fBTLS_client_method()\fR" 4 .IX Item "TLS_method(), TLS_server_method(), TLS_client_method()" -These are the general-purpose \fIversion-flexible\fR SSL/TLS methods. +These are the general\-purpose \fIversion\-flexible\fR SSL/TLS methods. The actual protocol version used will be negotiated to the highest version mutually supported by the client and the server. The supported protocols are SSLv3, TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3. -Applications should use these methods, and avoid the version-specific +Applications should use these methods, and avoid the version\-specific methods described below, which are deprecated. .IP "\fBSSLv23_method()\fR, \fBSSLv23_server_method()\fR, \fBSSLv23_client_method()\fR" 4 .IX Item "SSLv23_method(), SSLv23_server_method(), SSLv23_client_method()" 
@@ -210,25 +213,25 @@ SSLv3 protocol. The SSLv3 protocol is deprecated and should not be used. .IP "\fBDTLS_method()\fR, \fBDTLS_server_method()\fR, \fBDTLS_client_method()\fR" 4 .IX Item "DTLS_method(), DTLS_server_method(), DTLS_client_method()" -These are the version-flexible DTLS methods. +These are the version\-flexible DTLS methods. Currently supported protocols are DTLS 1.0 and DTLS 1.2. .IP "\fBDTLSv1_2_method()\fR, \fBDTLSv1_2_server_method()\fR, \fBDTLSv1_2_client_method()\fR" 4 .IX Item "DTLSv1_2_method(), DTLSv1_2_server_method(), DTLSv1_2_client_method()" -These are the version-specific methods for DTLSv1.2. +These are the version\-specific methods for DTLSv1.2. These methods are deprecated. .IP "\fBDTLSv1_method()\fR, \fBDTLSv1_server_method()\fR, \fBDTLSv1_client_method()\fR" 4 .IX Item "DTLSv1_method(), DTLSv1_server_method(), DTLSv1_client_method()" -These are the version-specific methods for DTLSv1. +These are the version\-specific methods for DTLSv1. These methods are deprecated. .PP \&\fBSSL_CTX_new()\fR initializes the list of ciphers, the session cache setting, the callbacks, the keys and certificates and the options to their default values. .PP \&\fBTLS_method()\fR, \fBTLS_server_method()\fR, \fBTLS_client_method()\fR, \fBDTLS_method()\fR, -\&\fBDTLS_server_method()\fR and \fBDTLS_client_method()\fR are the \fIversion-flexible\fR +\&\fBDTLS_server_method()\fR and \fBDTLS_client_method()\fR are the \fIversion\-flexible\fR methods. All other methods only support one specific protocol version. -Use the \fIversion-flexible\fR methods instead of the version specific methods. +Use the \fIversion\-flexible\fR methods instead of the version specific methods. .PP If you want to limit the supported protocols for the version flexible methods you can use \fBSSL_CTX_set_min_proto_version\fR\|(3), 
@@ -281,7 +284,7 @@ removed in OpenSSL 1.1.0. were deprecated and the preferred \fBTLS_method()\fR, \fBTLS_server_method()\fR and \fBTLS_client_method()\fR functions were added in OpenSSL 1.1.0. .PP -All version-specific methods were deprecated in OpenSSL 1.1.0. +All version\-specific methods were deprecated in OpenSSL 1.1.0. .PP \&\fBSSL_CTX_new_ex()\fR was added in OpenSSL 3.0. .SH COPYRIGHT diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_number.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_number.3 index b50907c2297b..c1778bd8330a 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_number.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_number.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SESS_NUMBER 3ossl" -.TH SSL_CTX_SESS_NUMBER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SESS_NUMBER 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_cache_size.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_cache_size.3 index 1a93b5fe250c..0096f9a17b1b 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_cache_size.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_cache_size.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SESS_SET_CACHE_SIZE 3ossl" -.TH SSL_CTX_SESS_SET_CACHE_SIZE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SESS_SET_CACHE_SIZE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_get_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_get_cb.3 index 87c40f9824fd..acf08d54ef95 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_get_cb.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_get_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SESS_SET_GET_CB 3ossl" -.TH SSL_CTX_SESS_SET_GET_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SESS_SET_GET_CB 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -116,12 +119,12 @@ The \fBnew_session_cb()\fR is called whenever a new session has been negotiated session caching is enabled (see \fBSSL_CTX_set_session_cache_mode\fR\|(3)). The \&\fBnew_session_cb()\fR is passed the \fBssl\fR connection and the nascent ssl session \fBsess\fR. -Since sessions are reference-counted objects, the reference count on the +Since sessions are reference\-counted objects, the reference count on the session is incremented before the callback, on behalf of the application. If the callback returns \fB0\fR, the session will be immediately removed from the internal cache and the reference count released. If the callback returns \fB1\fR, the application retains the reference (for an entry in the -application-maintained "external session cache"), and is responsible for +application\-maintained "external session cache"), and is responsible for calling \fBSSL_SESSION_free()\fR when the session reference is no longer in use. .PP Note that in TLSv1.3, sessions are established after the main diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_sessions.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_sessions.3 index bf0508a2e28f..746653d04e15 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_sessions.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_sessions.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SESSIONS 3ossl" -.TH SSL_CTX_SESSIONS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SESSIONS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set0_CA_list.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set0_CA_list.3 index 107388d3579b..4972f972c1b0 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set0_CA_list.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set0_CA_list.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET0_CA_LIST 3ossl" -.TH SSL_CTX_SET0_CA_LIST 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET0_CA_LIST 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -127,7 +130,7 @@ to \fBctx\fR and it should not be freed by the caller. .PP \&\fBSSL_set_client_CA_list()\fR sets the \fBlist\fR of CAs sent to the client when requesting a client certificate for the chosen \fBssl\fR, overriding the -setting valid for \fBssl\fR's SSL_CTX object. Ownership of \fBlist\fR is transferred +setting valid for \fBssl\fR\*(Aqs SSL_CTX object. Ownership of \fBlist\fR is transferred to \fBs\fR and it should not be freed by the caller. .PP \&\fBSSL_CTX_get_client_CA_list()\fR returns the list of client CAs explicitly set for @@ -135,7 +138,7 @@ to \fBs\fR and it should not be freed by the caller. by the caller. .PP \&\fBSSL_get_client_CA_list()\fR returns the list of client CAs explicitly -set for \fBssl\fR using \fBSSL_set_client_CA_list()\fR or \fBssl\fR's SSL_CTX object with +set for \fBssl\fR using \fBSSL_set_client_CA_list()\fR or \fBssl\fR\*(Aqs SSL_CTX object with \&\fBSSL_CTX_set_client_CA_list()\fR, when in server mode. In client mode, SSL_get_client_CA_list returns the list of client CAs sent from the server, if any. The returned list should not be freed by the caller. @@ -146,7 +149,7 @@ list of CAs sent to the client when requesting a client certificate for .PP \&\fBSSL_add_client_CA()\fR adds the CA name extracted from \fBcacert\fR to the list of CAs sent to the client when requesting a client certificate for -the chosen \fBssl\fR, overriding the setting valid for \fBssl\fR's SSL_CTX object. +the chosen \fBssl\fR, overriding the setting valid for \fBssl\fR\*(Aqs SSL_CTX object. .PP \&\fBSSL_get0_peer_CA_list()\fR retrieves the list of CA names (if any) the peer has sent. This can be called on either the server or the client side. The diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_cert_comp_preference.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_cert_comp_preference.3 index f1396c5211e0..54e0785c9430 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_cert_comp_preference.3 
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_cert_comp_preference.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET1_CERT_COMP_PREFERENCE 3ossl" -.TH SSL_CTX_SET1_CERT_COMP_PREFERENCE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET1_CERT_COMP_PREFERENCE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -113,25 +116,25 @@ TLSEXT_comp_cert_zstd .PP The above is also the default preference order. If a preference order is not specified, then the default preference order is sent to the peer and the -received peer's preference order will be used when compressing a certificate. +received peer\*(Aqs preference order will be used when compressing a certificate. Otherwise, the configured preference order is sent to the peer and is used -to filter the peer's preference order. +to filter the peer\*(Aqs preference order. .PP -\&\fBSSL_CTX_compress_certs()\fR and \fBSSL_compress_certs()\fR are used to pre-compress all +\&\fBSSL_CTX_compress_certs()\fR and \fBSSL_compress_certs()\fR are used to pre\-compress all the configured certificates on an SSL_CTX/SSL object with algorithm \fBalg\fR. If \&\fBalg\fR is 0, then the certificates are compressed with the algorithms specified in the preference list. Calling these functions on a client SSL_CTX/SSL object -will result in an error, as only server certificates may be pre-compressed. +will result in an error, as only server certificates may be pre\-compressed. .PP \&\fBSSL_CTX_get1_compressed_cert()\fR and \fBSSL_get1_compressed_cert()\fR are used to get -the pre-compressed certificate most recently set that may be stored for later +the pre\-compressed certificate most recently set that may be stored for later use. Calling these functions on a client SSL_CTX/SSL object will result in an -error, as only server certificates may be pre-compressed. The \fBdata\fR and +error, as only server certificates may be pre\-compressed. The \fBdata\fR and \&\fBorig_len\fR arguments are required. .PP The compressed certificate data may be passed to \fBSSL_CTX_set1_compressed_cert()\fR -or \fBSSL_set1_compressed_cert()\fR to provide a pre-compressed version of the -most recently set certificate. 
This pre-compressed certificate can only be used +or \fBSSL_set1_compressed_cert()\fR to provide a pre\-compressed version of the +most recently set certificate. This pre\-compressed certificate can only be used by a server. .SH NOTES .IX Header "NOTES" @@ -139,14 +142,14 @@ Each side of the connection sends their compression algorithm preference list to their peer indicating compressed certificate support. The received preference list is filtered by the configured preference list (i.e. the intersection is saved). As the default list includes all the enabled algorithms, not specifying -a preference will allow any enabled algorithm by the peer. The filtered peer's +a preference will allow any enabled algorithm by the peer. The filtered peer\*(Aqs preference order is used to determine what algorithm to use when sending a compressed certificate. .PP -Only server certificates may be pre-compressed. Calling any of these functions +Only server certificates may be pre\-compressed. Calling any of these functions (except \fBSSL_CTX_set1_cert_comp_preference()\fR/\fBSSL_set1_cert_comp_preference()\fR) on a client SSL_CTX/SSL object will return an error. Client certificates are -compressed on-demand as unique context data from the server is compressed along +compressed on\-demand as unique context data from the server is compressed along with the certificate. .PP For \fBSSL_CTX_set1_cert_comp_preference()\fR and \fBSSL_set1_cert_comp_preference()\fR diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_curves.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_curves.3 index e240bded3260..2a3bfba6b798 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_curves.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_curves.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET1_CURVES 3ossl" -.TH SSL_CTX_SET1_CURVES 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET1_CURVES 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -99,13 +102,13 @@ SSL_get1_curves, SSL_get_shared_curve, SSL_CTX_get0_implemented_groups .IX Header "DESCRIPTION" For all of the functions below that set the supported groups there must be at least one group in the list. A number of these functions identify groups via a -unique integer NID value. However, support for some groups may be added by -external providers. In this case there will be no NID assigned for the group. +unique integer \fBNID\fR value. However, support for some groups may be added by +external providers. In this case there will be no \fBNID\fR assigned for the group. When setting such groups applications should use the "list" form of these functions (i.e. \fBSSL_CTX_set1_groups_list()\fR and \fBSSL_set1_groups_list()\fR). .PP \&\fBSSL_CTX_set1_groups()\fR sets the supported groups for \fBctx\fR to \fBglistlen\fR -groups in the array \fBglist\fR. The array consist of all NIDs of supported groups. +groups in the array \fBglist\fR. The array consist of all \fBNIDs\fR of supported groups. The supported groups for \fBTLSv1.3\fR include: \&\fBNID_X9_62_prime256v1\fR, \&\fBNID_secp384r1\fR, 
@@ -124,28 +127,35 @@ OpenSSL will use this array in different ways based on the TLS version, and whether the groups are used in a client or server. .PP For a TLS client, the groups are used directly in the supported groups -extension. The extension's preference order, to be evaluated by the server, is +extension. The extension\*(Aqs preference order, to be evaluated by the server, is determined by the order of the elements in the array. .PP For a TLS 1.2 server, the groups determine the selected group. If \&\fBSSL_OP_CIPHER_SERVER_PREFERENCE\fR is set, the order of the elements in the array determines the selected group. Otherwise, the order is ignored and the -client's order determines the selection. -.PP -For a TLS 1.3 server, the groups determine the selected group, but -selection is more complex. A TLS 1.3 client sends both a group list as well as a -predicted subset of groups. Choosing a group outside the predicted subset incurs -an extra roundtrip. However, in some situations, the most preferred group may -not be predicted. OpenSSL considers all supported groups in \fIclist\fR to be comparable -in security and prioritizes avoiding roundtrips above either client or server -preference order. If an application uses an external provider to extend OpenSSL -with, e.g., a post-quantum algorithm, this behavior may allow a network attacker -to downgrade connections to a weaker algorithm. It is therefore recommended -to use \fBSSL_CTX_set1_groups_list()\fR with the ability to specify group tuples. +client\*(Aqs order determines the selection. +.PP +For a TLS 1.3 server, the groups determine the selected group, but selection is +more complex. +A TLS 1.3 client sends both a group list and predicted keyshares for a subset +of groups. +A server choosing a group outside the client\*(Aqs predicted subset incurs an extra +roundtrip. +However, in some situations, the most preferred group may not be predicted. 
+.PP +When groups are specified via \fBSSL_CTX_set1_groups()\fR as a list of \fBNID\fR +values, OpenSSL considers all supported groups in \fIclist\fR to be comparable in +security and prioritises avoiding roundtrips above either client or server +preference order. +If an application uses an external provider to extend OpenSSL with, e.g., a +post\-quantum algorithm, this behavior may allow a network attacker to downgrade +connections to a weaker algorithm. +It is therefore recommended to use \fBSSL_CTX_set1_groups_list()\fR instead, making +it possible to specify group tuples as described below. .PP \&\fBSSL_CTX_set1_groups_list()\fR sets the supported groups for \fBctx\fR to string \fIlist\fR. In contrast to \fBSSL_CTX_set1_groups()\fR, the names of the -groups, rather than their NIDs, are used. +groups, rather than their \fBNIDs\fR, are used. .PP The commands below list the available groups for TLS 1.2 and TLS 1.3, respectively: 
@@ -158,45 +168,87 @@ respectively: Each group can be either the \fBNIST\fR name (e.g. \fBP\-256\fR), some other commonly used name where applicable (e.g. \fBX25519\fR, \fBffdhe2048\fR) or an OpenSSL OID name (e.g. \fBprime256v1\fR). -Group names are case-insensitive in OpenSSL 3.5 and later. +Group names are case\-insensitive in OpenSSL 3.5 and later. The preferred group names are those defined by IANA <https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8>. .PP The \fIlist\fR can be used to define several group tuples of comparable security -levels, and can specify which key shares should be sent by a client. -The specified list elements can optionally be ignored, if not implemented +levels, and can specify which predicted key shares should be sent by a client. +Group tuples are used by OpenSSL TLS servers to decide whether to request a +stronger keyshare than those predicted by sending a Hello Retry Request +(\fBHRR\fR) even if some of the predicted groups are supported. +OpenSSL clients ignore tuple boundaries, and pay attenion only to the overall +order of \fIlist\fR elements and which groups are selected as predicted keyshares +as described below. +.PP +The specified list elements can optionally be ignored if not implemented (listing unknown groups otherwise results in error). -It is also possible to specify the built-in default set of groups, and to explicitly -remove a group from that list. -.PP -In its simplest form, the string \fIlist\fR is just a colon separated list -of group names, for example "P\-521:P\-384:P\-256:X25519:ffdhe2048". The first -group listed will also be used for the \fBkey_share\fR sent by a client in a -TLSv1.3 \fBClientHello\fR. For servers note the discussion above. The list should -be in order of preference with the most preferred group first. -.PP -Group tuples of comparable security are defined by separating them from each -other by a tuple separator \f(CW\*(C`/\*(C'\fR. 
Keyshares to be sent by a client are specified -by prepending a \f(CW\*(C`*\*(C'\fR to the group name, while any \f(CW\*(C`*\*(C'\fR will be ignored by a -server. The following string \fIlist\fR for example defines three tuples when -used on the server-side, and triggers the generation of three key shares -when used on the client-side: P\-521:*P\-256/*P\-384/*X25519:P\-384:ffdhe2048. -.PP -If a group name is preceded with the \f(CW\*(C`?\*(C'\fR character, it will be ignored if an -implementation is missing. If a group name is preceded with the \f(CW\*(C`\-\*(C'\fR character, it -will be removed from the list of groups if present (including not sending a -key share for this group), ignored otherwise. The pseudo group name -\&\f(CW\*(C`DEFAULT\*(C'\fR can be used to select the OpenSSL built-in default list of groups. +It is also possible to specify the built\-in default set of groups, and to +explicitly remove a group from that list. +.PP +In its simplest legacy form, the string \fIlist\fR is just a colon separated list +of group names, for example "P\-521:P\-384:P\-256:X25519:ffdhe2048". +The first group listed will in this case be used as the sole predicted +\&\fBkey_share\fR sent by a client in a TLSv1.3 \fBClientHello\fR. +The list should be in order of preference with the most preferred group first. +.PP +A more expressive syntax supports definition of group tuples of comparable +security by separating them from each other with \f(CW\*(C`/\*(C'\fR characters. +.PP +The predicted keyshares to be sent by clients can be explicitly specified by +adding a \f(CW\*(C`*\*(C'\fR prefix to the associated group name. +These \f(CW\*(C`*\*(C'\fR prefixes are ignored by servers. +.PP +If a group name is prefixed with the \f(CW\*(C`?\*(C'\fR character, it will be ignored if an +implementation is missing. +Otherwise, listing an unknown group name will cause a failure to parse the +\&\fIlist\fR. 
+Note that whether a group is known or not may depend on the OpenSSL version, +how OpenSSL was compiled and/or which providers are loaded. +Make sure you have the correct spelling of the group name and when in doubt +prefix it with a \f(CW\*(C`?\*(C'\fR to handle configurations in which it might nevertheless +be unknown. +.PP +If a group name is prefixed with the \f(CW\*(C`\-\*(C'\fR character, it will be removed from +the list of groups specified up to that point. +It can be added again if specified later. +Removal of groups that have not been included earlier in the list is silently +ignored. +.PP +The pseudo group name \f(CW\*(C`DEFAULT\*(C'\fR can be used to select the OpenSSL built\-in +default list of groups. +Prepending one or more groups to \f(CW\*(C`DEFAULT\*(C'\fR using only \f(CW\*(C`:\*(C'\fR separators prepends those +groups to the built\-in default list\*(Aqs first tuple. +Additional tuples can be prepended by use of the \f(CW\*(C`/\*(C'\fR separator. +Appending a set of groups to \f(CW\*(C`DEFAULT\*(C'\fR using only \f(CW\*(C`:\*(C'\fR separators appends those +groups to the built\-in default list\*(Aqs last tuple. +Additional tuples can be appended by use of the \f(CW\*(C`/\*(C'\fR separator. +.PP +The \fBDEFAULT\fR list selects \fBX25519MLKEM768\fR as one of the predicted keyshares. +In rare cases this can lead to failures or timeouts because the resulting +larger TLS Client Hello message may no longer fit in a single TCP segment and +firewall software may erroneously disrupt the TLS handshake. +If this is an issue or concern, prepending \f(CW\*(C`?X25519MLKEM768:\*(C'\fR without a \f(CW\*(C`*\*(C'\fR +prefix leads to its occurrence in the default list to be ignored as a duplicate, +and along with that also the keyshare prediction. +The group will then only be selected by servers that specifically expect it, +after a Hello Retry Request (HRR). 
+Servers that specifically prefer \fBX25519MLKEM768\fR, are much less likely to be +found behind problematic firewalls. +.PP +The following string \fIlist\fR for example defines three tuples when used on the +server\-side, and triggers the generation of three key shares when used on the +client\-side: P\-521:*P\-256/*P\-384/*X25519:P\-384:ffdhe2048. .PP For a TLS 1.3 client, all the groups in the string \fIlist\fR are added to the supported groups extension of a \f(CW\*(C`ClientHello\*(C'\fR, in the order in which they are listed, -thereby interpreting tuple separators as group separators. The extension's +thereby interpreting tuple separators as group separators. The extension\*(Aqs preference order, to be evaluated by the server, is determined by the order of the elements in the array, see below. .PP If a group name is preceded by \f(CW\*(C`*\*(C'\fR, a key share will be sent for this group. When preceding \f(CW\*(C`DEFAULT\*(C'\fR with \f(CW\*(C`*\*(C'\fR, a key share will be sent for the first group -of the OpenSSL built-in default list of groups. If no \f(CW\*(C`*\*(C'\fR is used anywhere in the list, +of the OpenSSL built\-in default list of groups. If no \f(CW\*(C`*\*(C'\fR is used anywhere in the list, a single key share for the leftmost valid group is sent. A maximum of 4 key shares are supported. Example: "P\-521:*P\-256/*P\-384" will add P\-521, P\-256 and P\-384 to the supported groups extension in a \f(CW\*(C`ClientHello\*(C'\fR and will send key shares for P\-256 and P\-384. @@ -209,7 +261,7 @@ can be enforced by setting \fBSSL_OP_CIPHER_SERVER_PREFERENCE\fR using \&\fBSSL_set_options\fR (default: client preference). .PP The server will select the group to be used for a key agreement using the following -pseudo-code algorithm: +pseudo\-code algorithm: .PP .Vb 12 \& FOR each group tuple 
@@ -251,13 +303,13 @@ bitwise OR of TLSEXT_nid_unknown (0x1000000) and the id of the group. .PP \&\fBSSL_get0_iana_groups()\fR retrieves the list of groups sent by the client in the supported_groups extension. The \fB*out\fR array of bytes -is populated with the host-byte-order representation of the uint16_t group +is populated with the host\-byte\-order representation of the uint16_t group identifiers, as assigned by IANA. The group list is returned in the same order that was received in the ClientHello. The return value is the number of groups, not the number of bytes written. .PP \&\fBSSL_get_shared_group()\fR returns the NID of the shared group \fBn\fR for a -server-side SSL \fBssl\fR. If \fBn\fR is \-1 then the total number of shared groups is +server\-side SSL \fBssl\fR. If \fBn\fR is \-1 then the total number of shared groups is returned, which may be zero. Other than for diagnostic purposes, most applications will only be interested in the first shared group so \fBn\fR is normally set to zero. If the value \fBn\fR is out of range, 
@@ -267,11 +319,11 @@ group. .PP \&\fBSSL_get_negotiated_group()\fR returns the NID of the negotiated group used for the handshake key exchange process. For TLSv1.3 connections this typically -reflects the state of the current connection, though in the case of PSK-only +reflects the state of the current connection, though in the case of PSK\-only resumption, the returned value will be from a previous connection. For earlier TLS versions, when a session has been resumed, it always reflects the group used for key exchange during the initial handshake (otherwise it is from the -current, non-resumption, connection). This can be called by either client or +current, non\-resumption, connection). This can be called by either client or server. If the NID for the shared group is unknown then the value is set to the bitwise OR of TLSEXT_nid_unknown (0x1000000) and the id of the group. See also \&\fBSSL_get0_group_name\fR\|(3) which returns the name of the negotiated group @@ -282,7 +334,7 @@ groups that are compatible with the TLS version of the \fBctx\fR argument. The returned names are references to internal constants and must not be modified or freed. When \fBall\fR is nonzero, the returned list includes not only the preferred IANA names of the groups, but also any associated aliases. -If the SSL_CTX is version-flexible, the groups will be those compatible +If the SSL_CTX is version\-flexible, the groups will be those compatible with any configured minimum and maximum protocol versions. The \fBnames\fR stack should be allocated by the caller and be empty, the matching group names are appended to the provided stack. 
@@ -329,15 +381,15 @@ client supports \f(CW\*(C`P\-521\*(C'\fR but does not send a key share for this server, and the client supports \f(CW\*(C`P\-384\*(C'\fR including key share for this group. With both server and client preference, an HRR will be triggered for \f(CW\*(C`P\-521\*(C'\fR despite the availability of a key share for P\-384, which overlaps with a lower -priority server-side tuple. +priority server\-side tuple. .PP As a separate example, consider a server \fIlist\fR "A:B/C:D/E:F". Listed in order of highest preference to least, 3 group tuples are created: "A:B", "C:D", and "E:F". Here are some examples of a client \fIlist\fR where setting server/client preference will not change the outcome: .PP -\&\- "A:D:*F": Both prefer "A", but the server didn't receive a keyshare for the -most-preferred tuple in which there's at least one group supported by both. +\&\- "A:D:*F": Both prefer "A", but the server didn\*(Aqt receive a keyshare for the +most\-preferred tuple in which there\*(Aqs at least one group supported by both. Therefore, an HRR is triggered for "A". .PP \&\- "B:*C": Both prefer "B" from the first group tuple "A:B", so an HRR is 
@@ -386,29 +438,29 @@ was added in OpenSSL 3.0.0. Support for ignoring unknown groups in \fBSSL_CTX_set1_groups_list()\fR and \&\fBSSL_set1_groups_list()\fR was added in OpenSSL 3.3. .PP -Support for \fBML-KEM\fR was added in OpenSSL 3.5. +Support for \fBML\-KEM\fR was added in OpenSSL 3.5. .PP OpenSSL 3.5 also introduces support for three \fIhybrid\fR ECDH PQ key exchange TLS groups: \fBX25519MLKEM768\fR, \fBSecP256r1MLKEM768\fR and \&\fBSecP384r1MLKEM1024\fR. They offer CPU performance comparable to the associated ECDH group, though at the cost of significantly larger key exchange messages. -The third group, \fBSecP384r1MLKEM1024\fR is substantially more CPU-intensive, +The third group, \fBSecP384r1MLKEM1024\fR is substantially more CPU\-intensive, largely as a result of the high CPU cost of ECDH for the underlying \fBP\-384\fR group. Also its key exchange messages at close to 1700 bytes are larger than the roughly 1200 bytes for the first two groups. .PP -As of OpenSSL 3.5 key exchange group names are case-insensitive. +As of OpenSSL 3.5 key exchange group names are case\-insensitive. .PP \&\fBSSL_CTX_get0_implemented_groups\fR was first implemented in OpenSSL 3.5. .PP Earlier versions of this document described the list as a preference order. -However, OpenSSL's behavior as a TLS 1.3 server is to consider \fIall\fR +However, OpenSSL\*(Aqs behavior as a TLS 1.3 server is to consider \fIall\fR supported groups as comparable in security. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2013\-2025 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2013\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_sigalgs.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_sigalgs.3 index b0dee600e8b4..5679f6f2ee75 100644 
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_sigalgs.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_sigalgs.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET1_SIGALGS 3ossl" -.TH SSL_CTX_SET1_SIGALGS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET1_SIGALGS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -94,7 +97,7 @@ elements, where each element is either a combination of a public key algorithm and a digest separated by \fB+\fR, or a TLS 1.3\-style named SignatureScheme such as rsa_pss_pss_sha256. Signature scheme names and public key algorithm names (but not the digest -names) in the \fBalgorithm+hash\fR form are case-insensitive. +names) in the \fBalgorithm+hash\fR form are case\-insensitive. If a list entry is preceded with the \f(CW\*(C`?\*(C'\fR character, it will be ignored if an implementation is missing. .PP @@ -138,7 +141,7 @@ EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, EVP_PKEY_DSA and EVP_PKEY_EC. .PP The short or long name values for digests can be used in a string (for example "MD5", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512") and -the public key algorithm strings "RSA", "RSA-PSS", "DSA" or "ECDSA". +the public key algorithm strings "RSA", "RSA\-PSS", "DSA" or "ECDSA". .PP The TLS 1.3 signature scheme names (such as "rsa_pss_pss_sha256") can also be used with the \fB_list\fR forms of the API. 
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_verify_cert_store.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_verify_cert_store.3 index 12acbecd5f14..ad5ee8cb38e9 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_verify_cert_store.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_verify_cert_store.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET1_VERIFY_CERT_STORE 3ossl" -.TH SSL_CTX_SET1_VERIFY_CERT_STORE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET1_VERIFY_CERT_STORE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -117,7 +120,7 @@ affected if the parent SSL_CTX store pointer is set to a new value. .PP The verification store is used to verify the certificate chain sent by the peer: that is an SSL/TLS client will use the verification store to verify -the server's certificate chain and an SSL/TLS server will use it to verify +the server\*(Aqs certificate chain and an SSL/TLS server will use it to verify any client certificate chain. .PP The chain store is used to build the certificate chain. diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_alpn_select_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_alpn_select_cb.3 index 54acdba9817b..e668f97e5aa9 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_alpn_select_cb.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_alpn_select_cb.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_ALPN_SELECT_CB 3ossl" -.TH SSL_CTX_SET_ALPN_SELECT_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_ALPN_SELECT_CB 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -110,7 +113,7 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated .IX Header "DESCRIPTION" \&\fBSSL_CTX_set_alpn_protos()\fR and \fBSSL_set_alpn_protos()\fR are used by the client to set the list of protocols available to be negotiated. The \fBprotos\fR must be in -protocol-list format, described below. The length of \fBprotos\fR is specified in +protocol\-list format, described below. The length of \fBprotos\fR is specified in \&\fBprotos_len\fR. Setting \fBprotos_len\fR to 0 clears any existing list of ALPN protocols and no ALPN extension will be sent to the server. .PP 
@@ -120,7 +123,7 @@ is NULL, ALPN is not used. The \fBarg\fR value is a pointer which is passed to the application callback. .PP \&\fBcb\fR is the application defined callback. The \fBin\fR, \fBinlen\fR parameters are a -vector in protocol-list format. The value of the \fBout\fR, \fBoutlen\fR vector +vector in protocol\-list format. The value of the \fBout\fR, \fBoutlen\fR vector should be set to the value of a single protocol selected from the \fBin\fR, \&\fBinlen\fR vector. The \fBout\fR buffer may point directly into \fBin\fR, or to a buffer that outlives the handshake. The \fBarg\fR parameter is the pointer set via @@ -129,7 +132,7 @@ buffer that outlives the handshake. The \fBarg\fR parameter is the pointer set v \&\fBSSL_select_next_proto()\fR is a helper function used to select protocols. It implements the standard protocol selection. It is expected that this function is called from the application callback \fBcb\fR. The protocol data in \fBserver\fR, -\&\fBserver_len\fR and \fBclient\fR, \fBclient_len\fR must be in the protocol-list format +\&\fBserver_len\fR and \fBclient\fR, \fBclient_len\fR must be in the protocol\-list format described below. The first item in the \fBserver\fR, \fBserver_len\fR list that matches an item in the \fBclient\fR, \fBclient_len\fR list is selected, and returned in \fBout\fR, \fBoutlen\fR. The \fBout\fR value will point into either \fBserver\fR or 
@@ -145,12 +148,12 @@ must be ignored if \fBOPENSSL_NPN_NO_OVERLAP\fR has been returned from \&\fBSSL_select_next_proto()\fR. .PP \&\fBSSL_CTX_set_next_proto_select_cb()\fR sets a callback \fBcb\fR that is called when a -client needs to select a protocol from the server's provided list, and a -user-defined pointer argument \fBarg\fR which will be passed to this callback. +client needs to select a protocol from the server\*(Aqs provided list, and a +user\-defined pointer argument \fBarg\fR which will be passed to this callback. For the callback itself, \fBout\fR must be set to point to the selected protocol (which may be within \fBin\fR). The length of the protocol name must be written into \fBoutlen\fR. The -server's advertised protocols are provided in \fBin\fR and \fBinlen\fR. The +server\*(Aqs advertised protocols are provided in \fBin\fR and \fBinlen\fR. The callback can assume that \fBin\fR is syntactically valid. The client must select a protocol (although it may be an empty, zero length protocol). It is fatal to the connection if this callback returns a value other than @@ -159,7 +162,7 @@ parameter is the pointer set via \fBSSL_CTX_set_next_proto_select_cb()\fR. .PP \&\fBSSL_CTX_set_next_protos_advertised_cb()\fR sets a callback \fBcb\fR that is called when a TLS server needs a list of supported protocols for Next Protocol -Negotiation. The returned list must be in protocol-list format, described +Negotiation. The returned list must be in protocol\-list format, described below. The list is returned by setting \fBout\fR to point to it and \fBoutlen\fR to its length. This memory will not be modified, but the \fBSSL\fR does keep a 
@@ -168,11 +171,11 @@ wishes to advertise. Otherwise, no such extension will be included in the ServerHello. .PP \&\fBSSL_get0_alpn_selected()\fR returns a pointer to the selected protocol in \fBdata\fR -with length \fBlen\fR. It is not NUL-terminated. \fBdata\fR is set to NULL and \fBlen\fR +with length \fBlen\fR. It is not NUL\-terminated. \fBdata\fR is set to NULL and \fBlen\fR is set to 0 if no protocol has been selected. \fBdata\fR must not be freed. .PP \&\fBSSL_get0_next_proto_negotiated()\fR sets \fBdata\fR and \fBlen\fR to point to the -client's requested protocol for this connection. If the client did not +client\*(Aqs requested protocol for this connection. If the client did not request any protocol or NPN is not enabled, then \fBdata\fR is set to NULL and \&\fBlen\fR to 0. Note that the client can request any protocol it chooses. The value returned from @@ -185,10 +188,10 @@ when using QUIC SSL objects. \fBSSL_CTX_set_next_protos_advertised_cb()\fR and context. .SH NOTES .IX Header "NOTES" -The protocol-lists must be in wire-format, which is defined as a vector of -nonempty, 8\-bit length-prefixed, byte strings. The length-prefix byte is not -included in the length. Each string is limited to 255 bytes. A byte-string -length of 0 is invalid. A truncated byte-string is invalid. The length of the +The protocol\-lists must be in wire\-format, which is defined as a vector of +nonempty, 8\-bit length\-prefixed, byte strings. The length\-prefix byte is not +included in the length. Each string is limited to 255 bytes. A byte\-string +length of 0 is invalid. A truncated byte\-string is invalid. The length of the vector is not in the vector itself, but in a separate variable. .PP Example: 
@@ -227,7 +230,7 @@ The ALPN select callback \fBcb\fR, must return one of the following: ALPN protocol selected. .IP SSL_TLSEXT_ERR_ALERT_FATAL 4 .IX Item "SSL_TLSEXT_ERR_ALERT_FATAL" -There was no overlap between the client's supplied list and the server +There was no overlap between the client\*(Aqs supplied list and the server configuration. .IP SSL_TLSEXT_ERR_NOACK 4 .IX Item "SSL_TLSEXT_ERR_NOACK" diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_cb.3 index c10c71cb9076..a4f1f5ef9208 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_cb.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_CERT_CB 3ossl" -.TH SSL_CTX_SET_CERT_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_CERT_CB 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_store.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_store.3 index 20e43c77d26f..3ce02a0cf81a 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_store.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_store.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_CERT_STORE 3ossl" -.TH SSL_CTX_SET_CERT_STORE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_CERT_STORE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -80,7 +83,7 @@ take ownership of the \fBstore\fR, i.e., the call \f(CWX509_STORE_free(store)\fR longer needed. .PP \&\fBSSL_CTX_set1_cert_store()\fR sets/replaces the certificate verification storage -of \fBctx\fR to/with \fBstore\fR. The \fBstore\fR's reference count is incremented. +of \fBctx\fR to/with \fBstore\fR. The \fBstore\fR\*(Aqs reference count is incremented. If another X509_STORE object is currently set in \fBctx\fR, it will be \fBX509_STORE_free()\fRed. .PP \&\fBSSL_CTX_get_cert_store()\fR returns a pointer to the current certificate @@ -107,7 +110,7 @@ overridden with the \fBverify_callback()\fR set via the This document must therefore be updated when documentation about the X509_STORE object and its handling becomes available. .PP -\&\fBSSL_CTX_set_cert_store()\fR does not increment the \fBstore\fR's reference +\&\fBSSL_CTX_set_cert_store()\fR does not increment the \fBstore\fR\*(Aqs reference count, so it should not be used to assign an X509_STORE that is owned by another SSL_CTX. .PP diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_verify_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_verify_callback.3 index 610e9230a347..057594b62725 100644 
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_verify_callback.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_verify_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_CERT_VERIFY_CALLBACK 3ossl" -.TH SSL_CTX_SET_CERT_VERIFY_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_CERT_VERIFY_CALLBACK 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -81,7 +84,7 @@ the time when \fBSSL_new\fR\|(3) is called. When a peer certificate has been received during an SSL/TLS handshake, a verification function is called regardless of the verification mode. If the application does not explicitly specify a verification callback function, -the built-in verification function is used. +the built\-in verification function is used. If a verification callback \fIcallback\fR is specified via \&\fBSSL_CTX_set_cert_verify_callback()\fR, the supplied callback function is called instead with the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). 
@@ -114,13 +117,18 @@ which can be done using \fBX509_STORE_CTX_set_error\fR\|(3). This is particularly important in case the \fIcallback\fR allows the connection to continue (by returning 1). Note that the verification status in the store context is a possibly durable -indication of the chain's validity! +indication of the chain\*(Aqs validity! This gets recorded in the SSL session (and thus also in session tickets) and the validity of the originally presented chain is then visible on resumption, even though no chain is presented int that case. Moreover, the calling application will be informed about the detailed result of the verification procedure and may elect to base further decisions on it. .PP +\&\fIcallback\fR may call \fBX509_verify_cert\fR\|(3) to run the built\-in verification +function. This may be useful if application wishes to dynamically reconfigure +\&\fIx509_store_ctx\fR before verification, or postprocess the result. In this case, +\&\fBX509_verify_cert\fR\|(3) will set the \fBerror\fR member as described above. +.PP Within \fIx509_store_ctx\fR, \fIcallback\fR has access to the \fIverify_callback\fR function set using \fBSSL_CTX_set_verify\fR\|(3). .SH "RETURN VALUES" @@ -134,7 +142,7 @@ latter is set using the \fBSSL_CTX_set_verify\fR\|(3) family of functions. .PP Providing a complete verification procedure including certificate purpose -settings etc is a complex task. The built-in procedure is quite powerful +settings etc is a complex task. The built\-in procedure is quite powerful and in most cases it should be sufficient to modify its behaviour using the \fBverify_callback\fR function. .SH BUGS diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cipher_list.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cipher_list.3 index ea5152a023dd..2b2f033afdff 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cipher_list.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cipher_list.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_CIPHER_LIST 3ossl" -.TH SSL_CTX_SET_CIPHER_LIST 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_CIPHER_LIST 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -107,9 +110,9 @@ ciphersuite names in order of preference. Valid TLSv1.3 ciphersuite names are: .IX Item "TLS_AES_128_CCM_SHA256" .IP TLS_AES_128_CCM_8_SHA256 4 .IX Item "TLS_AES_128_CCM_8_SHA256" -.IP "TLS_SHA384_SHA384 \- integrity-only" 4 +.IP "TLS_SHA384_SHA384 \- integrity\-only" 4 .IX Item "TLS_SHA384_SHA384 - integrity-only" -.IP "TLS_SHA256_SHA256 \- integrity-only" 4 +.IP "TLS_SHA256_SHA256 \- integrity\-only" 4 .IX Item "TLS_SHA256_SHA256 - integrity-only" .PD .PP 
@@ -137,15 +140,15 @@ It should be noted, that inclusion of a cipher to be used into the list is a necessary condition. On the client side, the inclusion into the list is also sufficient unless the security level excludes it. On the server side, additional restrictions apply. All ciphers have additional requirements. -ADH ciphers don't need a certificate, but DH-parameters must have been set. +ADH ciphers don\*(Aqt need a certificate, but DH\-parameters must have been set. All other ciphers need a corresponding certificate and key. .PP An RSA cipher can only be chosen, when an RSA certificate is available. -RSA ciphers using DHE need a certificate and key and additional DH-parameters +RSA ciphers using DHE need a certificate and key and additional DH\-parameters (see \fBSSL_CTX_set_tmp_dh_callback\fR\|(3)). .PP A DSA cipher can only be chosen, when a DSA certificate is available. -DSA ciphers always use DH key exchange and therefore need DH-parameters +DSA ciphers always use DH key exchange and therefore need DH\-parameters (see \fBSSL_CTX_set_tmp_dh_callback\fR\|(3)). .PP When these conditions are not met for any cipher in the list (e.g. a diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_cert_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_cert_cb.3 index 94240f6f3892..e1c3aa96b377 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_cert_cb.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_cert_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_CLIENT_CERT_CB 3ossl" -.TH SSL_CTX_SET_CLIENT_CERT_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_CLIENT_CERT_CB 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_hello_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_hello_cb.3 index 3e0b7ccb7854..8b01778fe91c 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_hello_cb.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_hello_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_CLIENT_HELLO_CB 3ossl" -.TH SSL_CTX_SET_CLIENT_HELLO_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_CLIENT_HELLO_CB 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -102,7 +105,7 @@ success, normal handshake processing will continue from that point. SSLv2 record and is in the SSLv2 format. The SSLv2 format has substantial differences from the normal SSLv3 format, including using three bytes per cipher suite, and not allowing extensions. Additionally, the SSLv2 format -\&'challenge' field is exposed via \fBSSL_client_hello_get0_random()\fR, padded to +\&\*(Aqchallenge\*(Aq field is exposed via \fBSSL_client_hello_get0_random()\fR, padded to SSL3_RANDOM_SIZE bytes with zeros if needed. For SSLv2 format ClientHellos, \&\fBSSL_client_hello_get0_compression_methods()\fR returns a dummy list that only includes the null compression method, since the SSLv2 format does not include a @@ -115,7 +118,7 @@ ClientHello fields, returning the field length and optionally setting an out pointer to the octets of that field. .PP Similarly, \fBSSL_client_hello_get0_ext()\fR provides access to individual extensions -from the ClientHello on a per-extension basis. For the provided wire +from the ClientHello on a per\-extension basis. For the provided wire protocol extension type value, the extension value and length are returned in the output parameters (if present). .PP @@ -128,6 +131,9 @@ holding the numerical value of the TLS extension types in the order they appear in the ClientHello. \fB*outlen\fR contains the number of elements in the array. In situations when the ClientHello has no extensions, the function will return success with \fB*out\fR set to NULL and \fB*outlen\fR set to 0. +Note that \fBSSL_client_hello_get1_extensions_present()\fR returns only recognised +extensions; therefore, unrecognised (including GREASE) extensions will not +appear in the output. .PP \&\fBSSL_client_hello_get_extension_order()\fR is similar to \&\fBSSL_client_hello_get1_extensions_present()\fR, without internal memory allocation. 
@@ -149,8 +155,8 @@ allow the server to examine the server name indication extension provided by the client in order to select an appropriate certificate to present, and make other configuration adjustments relevant to that server name and its configuration. Such configuration changes can include swapping out -the associated SSL_CTX pointer, modifying the server's list of permitted TLS -versions, changing the server's cipher list in response to the client's +the associated SSL_CTX pointer, modifying the server\*(Aqs list of permitted TLS +versions, changing the server\*(Aqs cipher list in response to the client\*(Aqs cipher list, etc. .PP It is also recommended that applications utilize a ClientHello callback and @@ -158,11 +164,15 @@ not use a servername callback, in order to avoid unexpected behavior that occurs due to the relative order of processing between things like session resumption and the historical servername callback. .PP -The SSL_client_hello_* family of functions may only be called from code executing -within a ClientHello callback. +The SSL_client_hello_* family of functions may only be called from code +executing within a ClientHello callback. +.PP +The SSL_client_hello_get0_*() functions return raw ClientHello data, whereas +\&\fBSSL_client_hello_get1_extensions_present()\fR returns only recognized extensions +(so unknown/GREASE\-extensions are not included). .SH "RETURN VALUES" .IX Header "RETURN VALUES" -The application's supplied ClientHello callback returns +The application\*(Aqs supplied ClientHello callback returns SSL_CLIENT_HELLO_SUCCESS on success, SSL_CLIENT_HELLO_ERROR on failure, and SSL_CLIENT_HELLO_RETRY to suspend processing. .PP 
@@ -174,7 +184,7 @@ SSL_CLIENT_HELLO_RETRY to suspend processing. corresponding ClientHello fields. If zero is returned, the output pointer should not be assumed to be valid. .PP -\&\fBSSL_client_hello_get0_ext()\fR returns 1 if the extension of type 'type' is present, and +\&\fBSSL_client_hello_get0_ext()\fR returns 1 if the extension of type \*(Aqtype\*(Aq is present, and 0 otherwise. .PP \&\fBSSL_client_hello_get1_extensions_present()\fR returns 1 on success and 0 on failure. diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ct_validation_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ct_validation_callback.3 index df28a83e984d..804ba4ad99af 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ct_validation_callback.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ct_validation_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_CT_VALIDATION_CALLBACK 3ossl" -.TH SSL_CTX_SET_CT_VALIDATION_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_CT_VALIDATION_CALLBACK 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -91,7 +94,7 @@ control Certificate Transparency policy \&\fBSSL_enable_ct()\fR and \fBSSL_CTX_enable_ct()\fR enable the processing of signed certificate timestamps (SCTs) either for a given SSL connection or for all connections that share the given SSL context, respectively. -This is accomplished by setting a built-in CT validation callback. +This is accomplished by setting a built\-in CT validation callback. The behaviour of the callback is determined by the \fBvalidation_mode\fR argument, which can be either of \fBSSL_CT_VALIDATION_PERMISSIVE\fR or \&\fBSSL_CT_VALIDATION_STRICT\fR as described below. @@ -101,7 +104,7 @@ TLS handshake with the verification mode set to \fBSSL_VERIFY_PEER\fR, if the pe presents no valid SCTs the handshake will be aborted. If the verification mode is \fBSSL_VERIFY_NONE\fR, the handshake will continue despite lack of valid SCTs. -However, in that case if the verification status before the built-in callback +However, in that case if the verification status before the built\-in callback was \fBX509_V_OK\fR it will be set to \fBX509_V_ERR_NO_VALID_SCTS\fR after the callback. Applications can call \fBSSL_get_verify_result\fR\|(3) to check the status at @@ -123,10 +126,10 @@ session is not resumed. \&\fBSSL_set_ct_validation_callback()\fR and \fBSSL_CTX_set_ct_validation_callback()\fR register a custom callback that may implement a different policy than either of the above. -This callback can examine the peer's SCTs and determine whether they are +This callback can examine the peer\*(Aqs SCTs and determine whether they are sufficient to allow the connection to continue. The TLS handshake is aborted if the verification mode is not \fBSSL_VERIFY_NONE\fR -and the callback returns a non-positive result. +and the callback returns a non\-positive result. .PP An arbitrary callback data argument, \fBarg\fR, can be passed in when setting the callback. 
@@ -148,11 +151,11 @@ nor to have specified server verification via \fBDANE\-TA\fR\|(2) or \fBDANE\-EE records. .PP \&\fBSSL_disable_ct()\fR and \fBSSL_CTX_disable_ct()\fR turn off CT processing, whether -enabled via the built-in or the custom callbacks, by setting a NULL callback. +enabled via the built\-in or the custom callbacks, by setting a NULL callback. These may be implemented as macros. .PP \&\fBSSL_ct_is_enabled()\fR and \fBSSL_CTX_ct_is_enabled()\fR return 1 if CT processing is -enabled via either \fBSSL_enable_ct()\fR or a non-null custom callback, and 0 +enabled via either \fBSSL_enable_ct()\fR or a non\-null custom callback, and 0 otherwise. .SH NOTES .IX Header "NOTES" @@ -176,7 +179,7 @@ been setup to handle SCTs. .PP \&\fBSSL_disable_ct()\fR and \fBSSL_CTX_disable_ct()\fR do not return a result. .PP -\&\fBSSL_CTX_ct_is_enabled()\fR and \fBSSL_ct_is_enabled()\fR return a 1 if a non-null CT +\&\fBSSL_CTX_ct_is_enabled()\fR and \fBSSL_ct_is_enabled()\fR return a 1 if a non\-null CT validation callback is set, or 0 if no callback (or equivalently a NULL callback) is set. .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ctlog_list_file.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ctlog_list_file.3 index bd458d0d476d..c57660fdfed8 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ctlog_list_file.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ctlog_list_file.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_CTLOG_LIST_FILE 3ossl" -.TH SSL_CTX_SET_CTLOG_LIST_FILE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_CTLOG_LIST_FILE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_default_passwd_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_default_passwd_cb.3 index d1a0dd406f3e..ec6156719c76 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_default_passwd_cb.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_default_passwd_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_DEFAULT_PASSWD_CB 3ossl" -.TH SSL_CTX_SET_DEFAULT_PASSWD_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_DEFAULT_PASSWD_CB 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -135,7 +138,7 @@ These functions do not provide diagnostic information. .SH EXAMPLES .IX Header "EXAMPLES" The following example returns the password provided as userdata to the -calling function. The password is considered to be a '\e0' terminated +calling function. The password is considered to be a \*(Aq\e0\*(Aq terminated string. If the password does not fit into the buffer, the password is truncated. .PP diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_domain_flags.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_domain_flags.3 index 99ad744b9319..478a1d657fbb 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_domain_flags.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_domain_flags.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_DOMAIN_FLAGS 3ossl" -.TH SSL_CTX_SET_DOMAIN_FLAGS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_DOMAIN_FLAGS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -94,17 +97,17 @@ to these concepts can be found in \fBopenssl\-quic\-concurrency\fR\|(7). Applications may use either one the flags here: .IP \fBSSL_DOMAIN_FLAG_SINGLE_THREAD\fR 4 .IX Item "SSL_DOMAIN_FLAG_SINGLE_THREAD" -Specifying this flag configures the Single-Threaded Concurrency Model (SCM). +Specifying this flag configures the Single\-Threaded Concurrency Model (SCM). .IP \fBSSL_DOMAIN_FLAG_MULTI_THREAD\fR 4 .IX Item "SSL_DOMAIN_FLAG_MULTI_THREAD" -Speciyfing this flag configures the Contentive Concurrency Model (CCM) (unless +Specifying this flag configures the Contentive Concurrency Model (CCM) (unless \&\fBSSL_DOMAIN_FLAG_THREAD_ASSISTED\fR is also specified). .Sp If OpenSSL was built without thread support, this is identical to \&\fBSSL_DOMAIN_FLAG_SINGLE_THREAD\fR. .IP \fBSSL_DOMAIN_FLAG_THREAD_ASSISTED\fR 4 .IX Item "SSL_DOMAIN_FLAG_THREAD_ASSISTED" -Specifying this flag configures the Thread-Assisted Concurrency Model (TACM). +Specifying this flag configures the Thread\-Assisted Concurrency Model (TACM). It implies \fBSSL_DOMAIN_FLAG_MULTI_THREAD\fR and \fBSSL_DOMAIN_FLAG_BLOCKING\fR. .Sp This concurrency model is not available if OpenSSL was built without thread @@ -147,7 +150,7 @@ inconsistent or which cannot be supported given the current environment. \&\fBSSL_CTX_set_domain_flags()\fR and \fBSSL_CTX_get_domain_flags()\fR fail if called on a \&\fBSSL_CTX\fR which is not using a QUIC \fBSSL_METHOD\fR. .PP -\&\fBSSL_get_domain_flags()\fR fails if called on a non-QUIC SSL object. +\&\fBSSL_get_domain_flags()\fR fails if called on a non\-QUIC SSL object. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBSSL_new_domain\fR\|(3), \fBopenssl\-quic\-concurrency\fR\|(7) diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_generate_session_id.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_generate_session_id.3 index 1ccfb21d2fdf..e261321596aa 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_generate_session_id.3 
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_generate_session_id.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_GENERATE_SESSION_ID 3ossl" -.TH SSL_CTX_SET_GENERATE_SESSION_ID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_GENERATE_SESSION_ID 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_info_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_info_callback.3 index 2527ae080499..8144dacb3462 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_info_callback.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_info_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_INFO_CALLBACK 3ossl" -.TH SSL_CTX_SET_INFO_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_INFO_CALLBACK 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -112,7 +115,7 @@ the callback function was called. If \fBret\fR is 0, an error condition occurred If an alert is handled, SSL_CB_ALERT is set and \fBret\fR specifies the alert information. .PP -\&\fBwhere\fR is a bit-mask made up of the following bits: +\&\fBwhere\fR is a bit\-mask made up of the following bits: .IP SSL_CB_LOOP 4 .IX Item "SSL_CB_LOOP" Callback has been called to indicate state change or some other significant diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_keylog_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_keylog_callback.3 index 5d10cc5960ac..3bdc549dba2a 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_keylog_callback.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_keylog_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_KEYLOG_CALLBACK 3ossl" -.TH SSL_CTX_SET_KEYLOG_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_KEYLOG_CALLBACK 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -88,7 +91,7 @@ The key logging callback is called with two items: the \fBssl\fR object associat with the connection, and \fBline\fR, a string containing the key material in the format used by NSS for its \fBSSLKEYLOGFILE\fR debugging output. To recreate that file, the key logging callback should log \fBline\fR, followed by a newline. -\&\fBline\fR will always be a NUL-terminated string. +\&\fBline\fR will always be a NUL\-terminated string. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBSSL_CTX_get_keylog_callback()\fR returns a pointer to \fBSSL_CTX_keylog_cb_func\fR or diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_max_cert_list.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_max_cert_list.3 index 7431d6529be5..a0fc271ddaea 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_max_cert_list.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_max_cert_list.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,16 +52,19 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_MAX_CERT_LIST 3ossl" -.TH SSL_CTX_SET_MAX_CERT_LIST 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_MAX_CERT_LIST 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH NAME -SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL_get_max_cert_list \- manipulate allowed size for the peer's certificate chain +SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL_get_max_cert_list \- manipulate allowed size for the peer\*(Aqs certificate chain .SH SYNOPSIS .IX Header "SYNOPSIS" .Vb 1 @@ -75,14 +78,14 @@ SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBSSL_CTX_set_max_cert_list()\fR sets the maximum size allowed for the peer's +\&\fBSSL_CTX_set_max_cert_list()\fR sets the maximum size allowed for the peer\*(Aqs certificate chain for all SSL objects created from \fBctx\fR to be <size> bytes. The SSL objects inherit the setting valid for \fBctx\fR at the time \&\fBSSL_new\fR\|(3) is being called. .PP \&\fBSSL_CTX_get_max_cert_list()\fR returns the currently set maximum size for \fBctx\fR. .PP -\&\fBSSL_set_max_cert_list()\fR sets the maximum size allowed for the peer's +\&\fBSSL_set_max_cert_list()\fR sets the maximum size allowed for the peer\*(Aqs certificate chain for \fBssl\fR to be <size> bytes. This setting stays valid until a new value is set. .PP 
@@ -98,7 +101,7 @@ chain is set. .PP The default value for the maximum certificate chain size is 100kB (30kB on the 16\-bit DOS platform). This should be sufficient for usual certificate -chains (OpenSSL's default maximum chain length is 10, see +chains (OpenSSL\*(Aqs default maximum chain length is 10, see \&\fBSSL_CTX_set_verify\fR\|(3), and certificates without special extensions have a typical size of 1\-2kB). .PP diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_min_proto_version.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_min_proto_version.3 index d60633dbc7ce..1ff0bcc568cf 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_min_proto_version.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_min_proto_version.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_MIN_PROTO_VERSION 3ossl" -.TH SSL_CTX_SET_MIN_PROTO_VERSION 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_MIN_PROTO_VERSION 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -107,7 +110,7 @@ TLSv1.3. Calling these functions on a QUIC object has no effect. .SH "RETURN VALUES" .IX Header "RETURN VALUES" These setter functions return 1 on success and 0 on failure. The getter -functions return the configured version or 0 for auto-configuration of +functions return the configured version or 0 for auto\-configuration of lowest or highest protocol, respectively. .SH NOTES .IX Header "NOTES" 
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_mode.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_mode.3 index 2fa123a9bfb4..db6e20acddd2 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_mode.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_mode.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_MODE 3ossl" -.TH SSL_CTX_SET_MODE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_MODE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -77,13 +80,13 @@ SSL_CTX_set_mode, SSL_CTX_clear_mode, SSL_set_mode, SSL_clear_mode, SSL_CTX_get_ .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBSSL_CTX_set_mode()\fR adds the mode set via bit-mask in \fBmode\fR to \fBctx\fR. +\&\fBSSL_CTX_set_mode()\fR adds the mode set via bit\-mask in \fBmode\fR to \fBctx\fR. Options already set before are not cleared. -\&\fBSSL_CTX_clear_mode()\fR removes the mode set via bit-mask in \fBmode\fR from \fBctx\fR. +\&\fBSSL_CTX_clear_mode()\fR removes the mode set via bit\-mask in \fBmode\fR from \fBctx\fR. .PP -\&\fBSSL_set_mode()\fR adds the mode set via bit-mask in \fBmode\fR to \fBssl\fR. +\&\fBSSL_set_mode()\fR adds the mode set via bit\-mask in \fBmode\fR to \fBssl\fR. Options already set before are not cleared. -\&\fBSSL_clear_mode()\fR removes the mode set via bit-mask in \fBmode\fR from \fBssl\fR. +\&\fBSSL_clear_mode()\fR removes the mode set via bit\-mask in \fBmode\fR from \fBssl\fR. .PP \&\fBSSL_CTX_get_mode()\fR returns the mode set for \fBctx\fR. .PP 
@@ -111,19 +114,19 @@ avoid the misconception that nonblocking \fBSSL_write()\fR behaves like nonblocking \fBwrite()\fR. .IP SSL_MODE_AUTO_RETRY 4 .IX Item "SSL_MODE_AUTO_RETRY" -During normal operations, non-application data records might need to be sent or +During normal operations, non\-application data records might need to be sent or received that the application is not aware of. -If a non-application data record was processed, +If a non\-application data record was processed, \&\fBSSL_read_ex\fR\|(3) and \fBSSL_read\fR\|(3) can return with a failure and indicate the need to retry with \fBSSL_ERROR_WANT_READ\fR. -If such a non-application data record was processed, the flag +If such a non\-application data record was processed, the flag \&\fBSSL_MODE_AUTO_RETRY\fR causes it to try to process the next record instead of returning. .Sp In a nonblocking environment applications must be prepared to handle incomplete read/write operations. Setting \fBSSL_MODE_AUTO_RETRY\fR for a nonblocking \fBBIO\fR will process -non-application data records until either no more data is available or +non\-application data records until either no more data is available or an application data record has been processed. .Sp In a blocking environment, applications are not always prepared to @@ -135,7 +138,7 @@ failure. Turning off \fBSSL_MODE_AUTO_RETRY\fR can be useful with blocking \fBBIO\fRs in case they are used in combination with something like \fBselect()\fR or \fBpoll()\fR. Otherwise the call to \fBSSL_read()\fR or \fBSSL_read_ex()\fR might hang when a -non-application record was sent and no application data was sent. +non\-application record was sent and no application data was sent. .IP SSL_MODE_RELEASE_BUFFERS 4 .IX Item "SSL_MODE_RELEASE_BUFFERS" When we no longer need a read buffer or a write buffer for a given SSL, 
@@ -160,7 +163,7 @@ used to perform cryptographic operations. See \fBSSL_get_error\fR\|(3). .IP SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG 4 .IX Item "SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG" Older versions of OpenSSL had a bug in the computation of the label length -used for computing the endpoint-pair shared secret. The bug was that the +used for computing the endpoint\-pair shared secret. The bug was that the terminating zero was included in the length of the label. Setting this option enables this behaviour to allow interoperability with such broken implementations. Please note that setting this option breaks interoperability @@ -170,10 +173,10 @@ All modes are off by default except for SSL_MODE_AUTO_RETRY which is on by default since 1.1.1. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fBSSL_CTX_set_mode()\fR and \fBSSL_set_mode()\fR return the new mode bit-mask +\&\fBSSL_CTX_set_mode()\fR and \fBSSL_set_mode()\fR return the new mode bit\-mask after adding \fBmode\fR. .PP -\&\fBSSL_CTX_get_mode()\fR and \fBSSL_get_mode()\fR return the current bit-mask. +\&\fBSSL_CTX_get_mode()\fR and \fBSSL_get_mode()\fR return the current bit\-mask. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBssl\fR\|(7), \fBSSL_read_ex\fR\|(3), \fBSSL_read\fR\|(3), \fBSSL_write_ex\fR\|(3) or diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_msg_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_msg_callback.3 index e76e87dcf339..c9abe58aae2c 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_msg_callback.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_msg_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_MSG_CALLBACK 3ossl" -.TH SSL_CTX_SET_MSG_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_MSG_CALLBACK 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -134,10 +137,10 @@ longer valid after the callback function has returned. The \fBSSL\fR object that received or sent the message. .IP \fIarg\fR 4 .IX Item "arg" -The user-defined argument optionally defined by +The user\-defined argument optionally defined by \&\fBSSL_CTX_set_msg_callback_arg()\fR or \fBSSL_set_msg_callback_arg()\fR. .PP -The \fBSSL_trace()\fR function can be used as a pre-written callback in a call to +The \fBSSL_trace()\fR function can be used as a pre\-written callback in a call to \&\fBSSL_CTX_set_msg_callback()\fR or \fBSSL_set_msg_callback()\fR. It requires a BIO to be set as the callback argument via \fBSSL_CTX_set_msg_callback_arg()\fR or \&\fBSSL_set_msg_callback_arg()\fR. Setting this callback will cause human readable @@ -179,7 +182,7 @@ Used when a QUIC datagram is sent or received. Used when a QUIC packet is sent or received. .IP \fBSSL3_RT_QUIC_FRAME_FULL\fR 4 .IX Item "SSL3_RT_QUIC_FRAME_FULL" -Used when a QUIC frame is sent or received. This is only used for non-crypto +Used when a QUIC frame is sent or received. This is only used for non\-crypto and stream data related frames. The full QUIC frame data is supplied. .IP \fBSSL3_RT_QUIC_FRAME_HEADER\fR 4 .IX Item "SSL3_RT_QUIC_FRAME_HEADER" diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_new_pending_conn_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_new_pending_conn_cb.3 index e93ad7a6d17c..3965fa98b609 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_new_pending_conn_cb.3 
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_new_pending_conn_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_NEW_PENDING_CONN_CB 3ossl" -.TH SSL_CTX_SET_NEW_PENDING_CONN_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_NEW_PENDING_CONN_CB 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -102,7 +105,7 @@ into consideration when writing an application. .RS 4 QUIC connections may begin processing prior to when an application calls \&\fBSSL_accept_connection()\fR on them. As such, it may occur that callbacks are -delivered to applications' registered TLS callbacks prior to those SSL objects +delivered to applications\*(Aq registered TLS callbacks prior to those SSL objects being returned in \fBSSL_accept_connection()\fR. Applications should expect this possibility. .Sp diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_num_tickets.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_num_tickets.3 index 75dfdbce2882..ef6e4f105eb9 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_num_tickets.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_num_tickets.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_NUM_TICKETS 3ossl" -.TH SSL_CTX_SET_NUM_TICKETS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_NUM_TICKETS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -91,7 +94,7 @@ issued will never be more than 1 regardless of the value set via \&\fBSSL_set_num_tickets()\fR or \fBSSL_CTX_set_num_tickets()\fR. If \fBnum_tickets\fR is set to 0 then no tickets will be issued for either a normal connection or a resumption. .PP -Tickets are also issued on receipt of a post-handshake certificate from the +Tickets are also issued on receipt of a post\-handshake certificate from the client following a request by the server using \&\fBSSL_verify_client_post_handshake\fR\|(3). These new tickets will be associated with the updated client identity (i.e. including their certificate and @@ -101,7 +104,7 @@ handshake then \fBSSL_set_num_tickets()\fR can be called again prior to calling \&\fBSSL_verify_client_post_handshake()\fR to update the number of tickets that will be sent. .PP -To issue tickets after other events (such as application-layer changes), +To issue tickets after other events (such as application\-layer changes), \&\fBSSL_new_session_ticket()\fR is used by a server application to request that a new ticket be sent when it is safe to do so. New tickets are only allowed to be sent in this manner after the initial handshake has completed, and only for 
@@ -117,7 +120,7 @@ together when it is safe to do so and triggered by \fBSSL_write()\fR or \&\fBSSL_do_handshake()\fR. Note that a successful return from \&\fBSSL_new_session_ticket()\fR indicates only that the request to send a ticket was processed, not that the ticket itself was sent. To be notified when the -ticket itself is sent, a new-session callback can be registered with +ticket itself is sent, a new\-session callback can be registered with \&\fBSSL_CTX_sess_set_new_cb\fR\|(3) that will be invoked as the ticket or tickets are generated. .PP diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3 index e19269cf2eff..ac00a4dc6a1e 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_OPTIONS 3ossl" -.TH SSL_CTX_SET_OPTIONS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_OPTIONS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -82,17 +85,17 @@ SSL_get_secure_renegotiation_support \- manipulate SSL options .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBSSL_CTX_set_options()\fR adds the options set via bit-mask in \fBoptions\fR to \fBctx\fR. +\&\fBSSL_CTX_set_options()\fR adds the options set via bit\-mask in \fBoptions\fR to \fBctx\fR. \&\fBctx\fR \fBMUST NOT\fR be NULL. Options already set before are not cleared! .PP -\&\fBSSL_set_options()\fR adds the options set via bit-mask in \fBoptions\fR to \fBssl\fR. +\&\fBSSL_set_options()\fR adds the options set via bit\-mask in \fBoptions\fR to \fBssl\fR. Options already set before are not cleared! .PP -\&\fBSSL_CTX_clear_options()\fR clears the options set via bit-mask in \fBoptions\fR +\&\fBSSL_CTX_clear_options()\fR clears the options set via bit\-mask in \fBoptions\fR to \fBctx\fR. .PP -\&\fBSSL_clear_options()\fR clears the options set via bit-mask in \fBoptions\fR to \fBssl\fR. +\&\fBSSL_clear_options()\fR clears the options set via bit\-mask in \fBoptions\fR to \fBssl\fR. .PP \&\fBSSL_CTX_get_options()\fR returns the options set for \fBctx\fR. .PP @@ -104,7 +107,7 @@ Note, this is implemented via a macro. .SH NOTES .IX Header "NOTES" The behaviour of the SSL library can be changed by setting several options. -The options are coded as bit-masks and can be combined by a bitwise \fBor\fR +The options are coded as bit\-masks and can be combined by a bitwise \fBor\fR operation (|). .PP \&\fBSSL_CTX_set_options()\fR and \fBSSL_set_options()\fR affect the (external) 
@@ -120,7 +123,7 @@ SSL objects. \fBSSL_clear()\fR does not affect the settings. The following \fBbug workaround\fR options are available: .IP SSL_OP_CRYPTOPRO_TLSEXT_BUG 4 .IX Item "SSL_OP_CRYPTOPRO_TLSEXT_BUG" -Add server-hello extension from the early version of cryptopro draft +Add server\-hello extension from the early version of cryptopro draft when GOST ciphersuite is negotiated. Required for interoperability with CryptoPro CSP 3.x. .IP SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 4 @@ -131,8 +134,8 @@ broken SSL implementations. This option has no effect for connections using other ciphers. .IP SSL_OP_SAFARI_ECDHE_ECDSA_BUG 4 .IX Item "SSL_OP_SAFARI_ECDHE_ECDSA_BUG" -Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X. -OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers. +Don\*(Aqt prefer ECDHE\-ECDSA ciphers when the client appears to be Safari on OS X. +OS X 10.8..10.8.3 has broken support for ECDHE\-ECDSA ciphers. .IP SSL_OP_TLSEXT_PADDING 4 .IX Item "SSL_OP_TLSEXT_PADDING" Adds a padding extension to ensure the ClientHello size is never between @@ -149,7 +152,7 @@ desired. The following \fBmodifying\fR options are available: .IP SSL_OP_ALLOW_CLIENT_RENEGOTIATION 4 .IX Item "SSL_OP_ALLOW_CLIENT_RENEGOTIATION" -Client-initiated renegotiation is disabled by default. Use +Client\-initiated renegotiation is disabled by default. Use this option to enable it. .IP SSL_OP_ALLOW_NO_DHE_KEX 4 .IX Item "SSL_OP_ALLOW_NO_DHE_KEX" 
@@ -166,13 +169,13 @@ Allow legacy insecure renegotiation between OpenSSL and unpatched clients or servers. See the \fBSECURE RENEGOTIATION\fR section for more details. .IP SSL_OP_CIPHER_SERVER_PREFERENCE 4 .IX Item "SSL_OP_CIPHER_SERVER_PREFERENCE" -When choosing a cipher, use the server's preferences instead of the client +When choosing a cipher, use the server\*(Aqs preferences instead of the client preferences. When not set, the SSL server will always follow the clients preferences. When set, the SSL/TLS server will choose following its own preferences. .IP SSL_OP_CISCO_ANYCONNECT 4 .IX Item "SSL_OP_CISCO_ANYCONNECT" -Use Cisco's version identifier of DTLS_BAD_VER when establishing a DTLSv1 +Use Cisco\*(Aqs version identifier of DTLS_BAD_VER when establishing a DTLSv1 connection. Only available when using the deprecated \fBDTLSv1_client_method()\fR API. .IP SSL_OP_CLEANSE_PLAINTEXT 4 .IX Item "SSL_OP_CLEANSE_PLAINTEXT" @@ -211,9 +214,9 @@ have been compiled with support for it, and it must be supported by the negotiated ciphersuites and extensions. The specific ciphersuites and extensions that are supported may vary by platform and kernel version. .Sp -The kernel TLS data-path implements the record layer, and the encryption +The kernel TLS data\-path implements the record layer, and the encryption algorithm. The kernel will utilize the best hardware -available for encryption. Using the kernel data-path should reduce the memory +available for encryption. Using the kernel data\-path should reduce the memory footprint of OpenSSL because no buffering is required. Also, the throughput should improve because data copy is avoided when user data is encrypted into kernel memory instead of the usual encrypt then copy to kernel. 
@@ -233,7 +236,7 @@ performance boost when used with KTLS hardware offload. Note that invalid TLS records might be transmitted if the file is changed while being sent. This option has no effect if \fBSSL_OP_ENABLE_KTLS\fR is not enabled. .Sp -This option only applies to Linux. KTLS sendfile on FreeBSD doesn't offer an +This option only applies to Linux. KTLS sendfile on FreeBSD doesn\*(Aqt offer an option to disable zerocopy and always runs in this mode. .IP SSL_OP_ENABLE_MIDDLEBOX_COMPAT 4 .IX Item "SSL_OP_ENABLE_MIDDLEBOX_COMPAT" @@ -264,11 +267,11 @@ Allow legacy insecure renegotiation between OpenSSL and unpatched servers .IX Item "SSL_OP_NO_ANTI_REPLAY" By default, when a server is configured for early data (i.e., max_early_data > 0), OpenSSL will switch on replay protection. See \fBSSL_read_early_data\fR\|(3) for a -description of the replay protection feature. Anti-replay measures are required +description of the replay protection feature. Anti\-replay measures are required to comply with the TLSv1.3 specification. Some applications may be able to mitigate the replay risks in other ways and in such cases the built in OpenSSL functionality is not required. Those applications can turn this feature off by -setting this option. This is a server-side option only. It is ignored by +setting this option. This is a server\-side option only. It is ignored by clients. .IP SSL_OP_NO_TX_CERTIFICATE_COMPRESSION 4 .IX Item "SSL_OP_NO_TX_CERTIFICATE_COMPRESSION" 
@@ -295,9 +298,9 @@ will have no effect without also changing the default security level. See .IP SSL_OP_NO_ENCRYPT_THEN_MAC 4 .IX Item "SSL_OP_NO_ENCRYPT_THEN_MAC" Normally clients and servers will transparently attempt to negotiate the -RFC7366 Encrypt-then-MAC option on TLS and DTLS connection. +RFC7366 Encrypt\-then\-MAC option on TLS and DTLS connection. .Sp -If this option is set, Encrypt-then-MAC is disabled. Clients will not +If this option is set, Encrypt\-then\-MAC is disabled. Clients will not propose, and servers will not accept the extension. .IP SSL_OP_NO_EXTENDED_MASTER_SECRET 4 .IX Item "SSL_OP_NO_EXTENDED_MASTER_SECRET" @@ -356,7 +359,7 @@ its cache. By default OpenSSL will use stateless tickets. The SSL_OP_NO_TICKET option will cause stateless tickets to not be issued. In TLSv1.2 and below this means no ticket gets sent to the client at all. In TLSv1.3 a stateful ticket will be -sent. This is a server-side option only. +sent. This is a server\-side option only. .Sp In TLSv1.3 it is possible to suppress all tickets (stateful and stateless) from being sent by calling \fBSSL_CTX_set_num_tickets\fR\|(3) or @@ -375,11 +378,11 @@ Disable version rollback attack detection. .Sp During the client key exchange, the client must send the same information about acceptable SSL/TLS protocol levels as during the first hello. Some -clients violate this rule by adapting to the server's answer. (Example: +clients violate this rule by adapting to the server\*(Aqs answer. (Example: the client sends an SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server only understands up to SSLv3. In this case the client must still use the same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect -to the server's answer and violate the version rollback protection.) +to the server\*(Aqs answer and violate the version rollback protection.) .PP The following options no longer have any effect but their identifiers are retained for compatibility purposes: 
@@ -428,7 +431,7 @@ aware of. In the description below an implementation supporting secure renegotiation is referred to as \fIpatched\fR. A server not supporting secure renegotiation is referred to as \fIunpatched\fR. .PP -The following sections describe the operations permitted by OpenSSL's secure +The following sections describe the operations permitted by OpenSSL\*(Aqs secure renegotiation implementation. .SS "Patched client and server" .IX Subsection "Patched client and server" @@ -505,16 +508,16 @@ default options set on any future streams which are created. Other options not mentioned above do not have an effect and will be ignored. .PP Options which relate to QUIC streams may also be set directly on QUIC stream SSL -objects. Setting connection-related options on such an object has no effect. +objects. Setting connection\-related options on such an object has no effect. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fBSSL_CTX_set_options()\fR and \fBSSL_set_options()\fR return the new options bit-mask +\&\fBSSL_CTX_set_options()\fR and \fBSSL_set_options()\fR return the new options bit\-mask after adding \fBoptions\fR. .PP -\&\fBSSL_CTX_clear_options()\fR and \fBSSL_clear_options()\fR return the new options bit-mask +\&\fBSSL_CTX_clear_options()\fR and \fBSSL_clear_options()\fR return the new options bit\-mask after clearing \fBoptions\fR. .PP -\&\fBSSL_CTX_get_options()\fR and \fBSSL_get_options()\fR return the current bit-mask. +\&\fBSSL_CTX_get_options()\fR and \fBSSL_get_options()\fR return the current bit\-mask. .PP \&\fBSSL_get_secure_renegotiation_support()\fR returns 1 is the peer supports secure renegotiation and 0 if it does not. diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_psk_client_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_psk_client_callback.3 index 10fdd624b2f9..801a69bf7bff 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_psk_client_callback.3 
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_psk_client_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_PSK_CLIENT_CALLBACK 3ossl" -.TH SSL_CTX_SET_PSK_CLIENT_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_PSK_CLIENT_CALLBACK 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -138,12 +141,20 @@ Additionally the maximum early data value should be set via a call to \&\fBSSL_SESSION_set_max_early_data\fR\|(3) if the PSK will be used for sending early data. .PP -Alternatively an SSL_SESSION created from a previous non-PSK handshake may also +Alternatively an SSL_SESSION created from a previous non\-PSK handshake may also be used as the basis for a PSK. .PP Ownership of the SSL_SESSION object is passed to the OpenSSL library and so it should not be freed by the application. .PP +Note that as described above, the callback may be called a second time during a +handshake. Since ownership of the SSL_SESSION is transferred to OpenSSL on each +call, if the callback wishes to return the same SSL_SESSION pointer on a +subsequent invocation, it must first call \fBSSL_SESSION_up_ref\fR\|(3) to increment +the reference count. Failure to do so will result in a use\-after\-free error. +Alternatively, the callback may return a different SSL_SESSION object on each +call (e.g., by calling \fBSSL_SESSION_dup\fR\|(3)). +.PP It is also possible for the callback to succeed but not supply a PSK. In this case no PSK will be sent to the server but the handshake will continue. To do this the callback should return successfully and ensure that \fB*sess\fR is @@ -154,7 +165,7 @@ provide a different callback function. This function will be called when the client is sending the ClientKeyExchange message to the server. .PP The purpose of the callback function is to select the PSK identity and -the pre-shared key to use during the connection setup phase. +the pre\-shared key to use during the connection setup phase. .PP The callback is set using functions \fBSSL_CTX_set_psk_client_callback()\fR or \fBSSL_set_psk_client_callback()\fR. The callback function is given the 
@@ -162,7 +173,7 @@ connection in parameter \fBssl\fR, a \fBNUL\fR\-terminated PSK identity hint sent by the server in parameter \fBhint\fR, a buffer \fBidentity\fR of length \fBmax_identity_len\fR bytes (including the \fBNUL\fR\-terminator) where the resulting \fBNUL\fR\-terminated identity is to be stored, and a buffer \fBpsk\fR -of length \fBmax_psk_len\fR bytes where the resulting pre-shared key is to +of length \fBmax_psk_len\fR bytes where the resulting pre\-shared key is to be stored. .PP The callback for use in TLSv1.2 will also work in TLSv1.3 although it is @@ -189,14 +200,14 @@ below) and TLSv1.3. However, the RFC has this note of caution: .PP "While there is no known way in which the same PSK might produce related output in both versions, only limited analysis has been done. Implementations can -ensure safety from cross-protocol related output by not reusing PSKs between +ensure safety from cross\-protocol related output by not reusing PSKs between TLS 1.3 and TLS 1.2." .SH "RETURN VALUES" .IX Header "RETURN VALUES" Return values from the \fBSSL_psk_client_cb_func\fR callback are interpreted as follows: .PP -On success (callback found a PSK identity and a pre-shared key to use) +On success (callback found a PSK identity and a pre\-shared key to use) the length (> 0) of \fBpsk\fR in bytes is returned. .PP Otherwise or on errors the callback should return 0. In this case @@ -215,7 +226,7 @@ failure. In the event of failure the connection setup fails. were added in OpenSSL 1.1.1. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2006\-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_quiet_shutdown.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_quiet_shutdown.3 index 44cf0fada3e2..2a8630501271 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_quiet_shutdown.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_quiet_shutdown.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_QUIET_SHUTDOWN 3ossl" -.TH SSL_CTX_SET_QUIET_SHUTDOWN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_QUIET_SHUTDOWN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_read_ahead.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_read_ahead.3 index 923d493c82b7..ca78e45f3513 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_read_ahead.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_read_ahead.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_READ_AHEAD 3ossl" -.TH SSL_CTX_SET_READ_AHEAD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_READ_AHEAD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -102,17 +105,17 @@ These functions have no impact when used with DTLS. The return values for \&\fBread_ahead\fR can impact the behaviour of the \fBSSL_pending()\fR function (see \fBSSL_pending\fR\|(3)). .PP -Since \fBSSL_read()\fR can return \fBSSL_ERROR_WANT_READ\fR for non-application data -records, and \fBSSL_has_pending()\fR can't tell the difference between processed and -unprocessed data, it's recommended that if read ahead is turned on that +Since \fBSSL_read()\fR can return \fBSSL_ERROR_WANT_READ\fR for non\-application data +records, and \fBSSL_has_pending()\fR can\*(Aqt tell the difference between processed and +unprocessed data, it\*(Aqs recommended that if read ahead is turned on that \&\fBSSL_MODE_AUTO_RETRY\fR is not turned off using \fBSSL_CTX_clear_mode()\fR. That will prevent getting \fBSSL_ERROR_WANT_READ\fR when there is still a complete -record available that hasn't been processed. +record available that hasn\*(Aqt been processed. .PP If the application wants to continue to use the underlying transport (e.g. TCP connection) after the SSL connection is finished using \fBSSL_shutdown()\fR reading ahead should be turned off. -Otherwise the SSL structure might read data that it shouldn't. +Otherwise the SSL structure might read data that it shouldn\*(Aqt. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBSSL_get_read_ahead()\fR and \fBSSL_CTX_get_read_ahead()\fR return 0 if reading ahead is off, 
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_record_padding_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_record_padding_callback.3 index fe072d33ac33..7daf402cefba 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_record_padding_callback.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_record_padding_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_RECORD_PADDING_CALLBACK 3ossl" -.TH SSL_CTX_SET_RECORD_PADDING_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_RECORD_PADDING_CALLBACK 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -142,13 +145,13 @@ the callback function is not set because Kernel TLS is configured for the SSL ob .IX Header "NOTES" The default behavior is to add no padding to the record. .PP -A user-supplied padding callback function will override the behavior set by -\&\fBSSL_set_block_padding()\fR or \fBSSL_CTX_set_block_padding()\fR. Setting the user-supplied +A user\-supplied padding callback function will override the behavior set by +\&\fBSSL_set_block_padding()\fR or \fBSSL_CTX_set_block_padding()\fR. Setting the user\-supplied callback to NULL will restore the configured block padding behavior. .PP These functions only apply to TLS 1.3 records being written. .PP -Padding bytes are not added in constant-time. +Padding bytes are not added in constant\-time. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBssl\fR\|(7), \fBSSL_new\fR\|(3) diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_security_level.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_security_level.3 index 9391d1fff523..a4c14d26fc72 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_security_level.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_security_level.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_SECURITY_LEVEL 3ossl" -.TH SSL_CTX_SET_SECURITY_LEVEL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_SECURITY_LEVEL 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -117,7 +120,7 @@ value is passed to the callback verbatim and can be set to any convenient application specific value. .SH "DEFAULT CALLBACK BEHAVIOUR" .IX Header "DEFAULT CALLBACK BEHAVIOUR" -If an application doesn't set its own security callback the default +If an application doesn\*(Aqt set its own security callback the default callback is used. It is intended to provide sane defaults. The meaning of each level is described below. .IP "\fBLevel 0\fR" 4 @@ -182,7 +185,7 @@ then only cipher suites consistent with the security level are permissible. See SP800\-57 for how the security limits are related to individual algorithms. .PP -Some security levels require large key sizes for non-ECC public key +Some security levels require large key sizes for non\-ECC public key algorithms which can severely degrade performance. For example 256 bits of security requires the use of RSA keys of at least 15360 bits in size. .PP diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_cache_mode.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_cache_mode.3 index eef4db6f2b57..829761495903 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_cache_mode.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_cache_mode.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_SESSION_CACHE_MODE 3ossl" -.TH SSL_CTX_SET_SESSION_CACHE_MODE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_SESSION_CACHE_MODE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -83,7 +86,7 @@ The sessions can be held in memory for each \fBctx\fR, if more than one SSL_CTX object is being maintained, the sessions are unique for each SSL_CTX object. .PP -In order to reuse a session, a client must send the session's id to the +In order to reuse a session, a client must send the session\*(Aqs id to the server. It can only send exactly one id. The server then either agrees to reuse the session or it starts a full handshake (to create a new session). @@ -130,7 +133,7 @@ flushing may be disabled and explicitly by the application. .IP SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 4 .IX Item "SSL_SESS_CACHE_NO_INTERNAL_LOOKUP" -By setting this flag, session-resume operations in an SSL/TLS server will not +By setting this flag, session\-resume operations in an SSL/TLS server will not automatically look up sessions in the internal cache, even if sessions are automatically stored there. If external session caching callbacks are in use, this flag guarantees that all lookups are directed to the external cache. 
@@ -145,7 +148,7 @@ session caching (callback) that is configured for the SSL_CTX. This flag will prevent sessions being stored in the internal cache (though the application can add them manually using \fBSSL_CTX_add_session\fR\|(3)). Note: in any SSL/TLS servers where external caching is configured, any successful -session lookups in the external cache (i.e. for session-resume requests) would +session lookups in the external cache (i.e. for session\-resume requests) would normally be copied into the local cache before processing continues \- this flag prevents these additions to the internal cache as well. .IP SSL_SESS_CACHE_NO_INTERNAL 4 diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_id_context.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_id_context.3 index b2a027e98a8a..74c5333eae7d 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_id_context.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_id_context.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_SESSION_ID_CONTEXT 3ossl" -.TH SSL_CTX_SET_SESSION_ID_CONTEXT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_SESSION_ID_CONTEXT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -83,7 +86,7 @@ SSL_CTX_set_session_id_context, SSL_set_session_id_context \- set context within .IX Header "NOTES" Sessions are generated within a certain context. When exporting/importing sessions with \fBi2d_SSL_SESSION\fR/\fBd2i_SSL_SESSION\fR it would be possible, -to re-import a session generated from another context (e.g. another +to re\-import a session generated from another context (e.g. another application), which might lead to malfunctions. Therefore, each application must set its own session id context \fBsid_ctx\fR which is used to distinguish the contexts and is stored in exported sessions. The \fBsid_ctx\fR can be diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_ticket_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_ticket_cb.3 index e5ebb6f745be..f68830b30823 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_ticket_cb.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_ticket_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_SESSION_TICKET_CB 3ossl" -.TH SSL_CTX_SET_SESSION_TICKET_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_SESSION_TICKET_CB 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -139,7 +142,7 @@ sent to the client. This only occurs in TLSv1.2 or below. In TLSv1.3 it is not valid for a client to send an empty ticket. .IP SSL_TICKET_NO_DECRYPT 4 .IX Item "SSL_TICKET_NO_DECRYPT" -The ticket couldn't be decrypted. No ticket data will be used and a new ticket +The ticket couldn\*(Aqt be decrypted. No ticket data will be used and a new ticket should be sent to the client. .IP SSL_TICKET_SUCCESS 4 .IX Item "SSL_TICKET_SUCCESS" diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_split_send_fragment.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_split_send_fragment.3 index 0b6ef970e468..942957a6e3c6 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_split_send_fragment.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_split_send_fragment.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_SPLIT_SEND_FRAGMENT 3ossl" -.TH SSL_CTX_SET_SPLIT_SEND_FRAGMENT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_SPLIT_SEND_FRAGMENT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -112,7 +115,7 @@ functions will only accept a value in the range 512 \- SSL3_RT_MAX_PLAIN_LENGTH. \&\fBSSL_CTX_set_max_pipelines()\fR and \fBSSL_set_max_pipelines()\fR set the maximum number of pipelines that will be used at any one time. This value applies to both "read" pipelining and "write" pipelining. By default only one pipeline will be -used (i.e. normal non-parallel operation). The number of pipelines set must be +used (i.e. normal non\-parallel operation). The number of pipelines set must be in the range 1 \- SSL_MAX_PIPELINES (32). Setting this to a value > 1 will also automatically turn on "read_ahead" (see \fBSSL_CTX_set_read_ahead\fR\|(3)). This is explained further below. OpenSSL will only ever use more than one pipeline if @@ -140,7 +143,7 @@ SSL_write/SSL_write_ex called with 6001+ bytes == 4 pipelines used \&\fBsplit_send_fragment\fR must always be less than or equal to \&\fBmax_send_fragment\fR. By default it is set to be equal to \fBmax_send_fragment\fR. This will mean that the same number of records will always be created as would -have been created in the non-parallel case, although the data will be +have been created in the non\-parallel case, although the data will be apportioned differently. In the parallel case data will be spread equally between the pipelines. .PP 
@@ -170,14 +173,14 @@ SSL3_RT_MAX_PLAIN_LENGTH + SSL3_RT_MAX_ENCRYPTED_OVERHEAD (16704) bytes. \&\fBSSL_CTX_set_tlsext_max_fragment_length()\fR sets the default maximum fragment length negotiation mode via value \fBmode\fR to \fBctx\fR. This setting affects only SSL instances created after this function is called. -It affects the client-side as only its side may initiate this extension use. +It affects the client\-side as only its side may initiate this extension use. .PP \&\fBSSL_set_tlsext_max_fragment_length()\fR sets the maximum fragment length negotiation mode via value \fBmode\fR to \fBssl\fR. This setting will be used during a handshake when extensions are exchanged between client and server. So it only affects SSL sessions created after this function is called. -It affects the client-side as only its side may initiate this extension use. +It affects the client\-side as only its side may initiate this extension use. .PP \&\fBSSL_SESSION_get_max_fragment_length()\fR gets the maximum fragment length negotiated in \fBsession\fR. @@ -188,7 +191,7 @@ These functions cannot be used with QUIC SSL objects. \&\fBSSL_set_tlsext_max_fragment_length()\fR fail if called on a QUIC SSL object. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -All non-void functions return 1 on success and 0 on failure. +All non\-void functions return 1 on success and 0 on failure. .SH NOTES .IX Header "NOTES" The Maximum Fragment Length extension support is optional on the server side. diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_srp_password.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_srp_password.3 index 214d92eefb4a..3e09a3412fcf 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_srp_password.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_srp_password.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_SRP_PASSWORD 3ossl" -.TH SSL_CTX_SET_SRP_PASSWORD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_SRP_PASSWORD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ssl_version.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ssl_version.3 index eb954f836dd5..c59b2e00a891 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ssl_version.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ssl_version.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_SSL_VERSION 3ossl" -.TH SSL_CTX_SET_SSL_VERSION 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_SSL_VERSION 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -105,7 +108,7 @@ it would usually be preferable to create a new SSL_CTX object than to try to reuse an existing one in this fashion. Its usage is considered deprecated. .PP -\&\fBSSL_set_ssl_method()\fR cannot be used to change a non-QUIC SSL object to a QUIC +\&\fBSSL_set_ssl_method()\fR cannot be used to change a non\-QUIC SSL object to a QUIC SSL object or vice versa, or change a QUIC SSL object from one QUIC method to another. .SH "RETURN VALUES" @@ -118,7 +121,7 @@ The new choice failed, check the error stack to find out the reason. .IX Item "1" The operation succeeded. .PP -\&\fBSSL_CTX_get_ssl_method()\fR and \fBSSL_get_ssl_method()\fR always return non-NULL +\&\fBSSL_CTX_get_ssl_method()\fR and \fBSSL_get_ssl_method()\fR always return non\-NULL pointers. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_stateless_cookie_generate_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_stateless_cookie_generate_cb.3 index fd2d7316742b..8a7398042486 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_stateless_cookie_generate_cb.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_stateless_cookie_generate_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_STATELESS_COOKIE_GENERATE_CB 3ossl" -.TH SSL_CTX_SET_STATELESS_COOKIE_GENERATE_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_STATELESS_COOKIE_GENERATE_CB 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -98,7 +101,7 @@ SSL_CTX_set_cookie_verify_cb .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBSSL_CTX_set_stateless_cookie_generate_cb()\fR sets the callback used by -\&\fBSSL_stateless\fR\|(3) to generate the application-controlled portion of the cookie +\&\fBSSL_stateless\fR\|(3) to generate the application\-controlled portion of the cookie provided to clients in the HelloRetryRequest transmitted as a response to a ClientHello with a missing or invalid cookie. \fBgen_stateless_cookie_cb()\fR must write at most SSL_COOKIE_LENGTH bytes into \fBcookie\fR, and must write the number 
@@ -106,11 +109,11 @@ of bytes written to \fBcookie_len\fR. If a cookie cannot be generated, a zero return value can be used to abort the handshake. .PP \&\fBSSL_CTX_set_stateless_cookie_verify_cb()\fR sets the callback used by -\&\fBSSL_stateless\fR\|(3) to determine whether the application-controlled portion of a +\&\fBSSL_stateless\fR\|(3) to determine whether the application\-controlled portion of a ClientHello cookie is valid. The cookie data is pointed to by \fBcookie\fR and is of length \fBcookie_len\fR. A nonzero return value from \fBverify_stateless_cookie_cb()\fR communicates that the cookie is valid. The integrity of the entire cookie, -including the application-controlled portion, is automatically verified by HMAC +including the application\-controlled portion, is automatically verified by HMAC before \fBverify_stateless_cookie_cb()\fR is called. .PP \&\fBSSL_CTX_set_cookie_generate_cb()\fR sets the callback used by \fBDTLSv1_listen\fR\|(3) diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_timeout.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_timeout.3 index c22e65bbf29f..9c65e67994aa 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_timeout.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_timeout.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_TIMEOUT 3ossl" -.TH SSL_CTX_SET_TIMEOUT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_TIMEOUT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_servername_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_servername_callback.3 index e03611f32ee9..20123713dc0e 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_servername_callback.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_servername_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3ossl" -.TH SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -115,7 +118,7 @@ treated the same way as SSL_TLSEXT_ERR_NOACK. This return value indicates that the servername is not accepted by the server. No alerts are sent and the server will not acknowledge the requested servername. .PP -\&\fBSSL_CTX_set_tlsext_servername_arg()\fR sets a context-specific argument to be +\&\fBSSL_CTX_set_tlsext_servername_arg()\fR sets a context\-specific argument to be passed into the callback (via the \fBarg\fR parameter) for this \fBSSL_CTX\fR. .PP The behaviour of \fBSSL_get_servername()\fR depends on a number of different factors. diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_status_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_status_cb.3 index 16f427d69488..fb63b2f91228 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_status_cb.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_status_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_TLSEXT_STATUS_CB 3ossl" -.TH SSL_CTX_SET_TLSEXT_STATUS_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_TLSEXT_STATUS_CB 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3 index 723ba66e9493..1ee1fdf834be 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3 
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_TLSEXT_TICKET_KEY_CB 3ossl" -.TH SSL_CTX_SET_TLSEXT_TICKET_KEY_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_TLSEXT_TICKET_KEY_CB 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -113,7 +116,7 @@ Before the callback function is started \fIctx\fR and \fIhctx\fR have been initialised with \fBEVP_CIPHER_CTX_reset\fR\|(3) and \fBEVP_MAC_CTX_new\fR\|(3) respectively. .PP -For new sessions tickets, when the client doesn't present a session ticket, or +For new sessions tickets, when the client doesn\*(Aqt present a session ticket, or an attempted retrieval of the ticket failed, or a renew option was indicated, the callback function will be called with \fIenc\fR equal to 1. The OpenSSL library expects that the function will set an arbitrary \fIname\fR, initialize 
@@ -178,7 +181,7 @@ The \fIhctx\fR key material can be set using \fBHMAC_Init_ex\fR\|(3). .SH NOTES .IX Header "NOTES" Session resumption shortcuts the TLS handshake so that the client certificate -negotiation doesn't occur. It makes up for this by storing the client certificate +negotiation doesn\*(Aqt occur. It makes up for this by storing the client certificate and all other negotiated state information encrypted within the ticket. In a resumed session the applications will have all this state information available exactly as if a full negotiation had occurred. diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_use_srtp.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_use_srtp.3 index 4a4aa31b380a..b6ef3ced404d 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_use_srtp.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_use_srtp.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_TLSEXT_USE_SRTP 3ossl" -.TH SSL_CTX_SET_TLSEXT_USE_SRTP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_TLSEXT_USE_SRTP 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -79,7 +82,7 @@ SSL_get_selected_srtp_profile .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -SRTP is the Secure Real-Time Transport Protocol. OpenSSL implements support for +SRTP is the Secure Real\-Time Transport Protocol. OpenSSL implements support for the "use_srtp" DTLS extension defined in RFC5764. This provides a mechanism for establishing SRTP keying material, algorithms and parameters using DTLS. This capability may be used as part of an implementation that conforms to RFC5763. @@ -92,7 +95,7 @@ An OpenSSL client wishing to send the "use_srtp" extension should call \&\fBSSL_CTX_set_tlsext_use_srtp()\fR to set its use for all SSL objects subsequently created from an SSL_CTX. Alternatively a client may call \&\fBSSL_set_tlsext_use_srtp()\fR to set its use for an individual SSL object. The -\&\fBprofiles\fR parameters should point to a NUL-terminated, colon delimited list of +\&\fBprofiles\fR parameters should point to a NUL\-terminated, colon delimited list of SRTP protection profile names. .PP The currently supported protection profile names are: diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_dh_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_dh_callback.3 index 0cb913a0273d..fd7a74233f10 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_dh_callback.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_dh_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_TMP_DH_CALLBACK 3ossl" -.TH SSL_CTX_SET_TMP_DH_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_TMP_DH_CALLBACK 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -95,7 +98,7 @@ see \fBopenssl_user_macros\fR\|(7): .IX Header "DESCRIPTION" The functions described on this page are relevant for servers only. .PP -Some ciphersuites may use ephemeral Diffie-Hellman (DH) key exchange. In these +Some ciphersuites may use ephemeral Diffie\-Hellman (DH) key exchange. In these cases, the session data is negotiated using the ephemeral/temporary DH key and the key supplied and certified by the certificate chain is only used for signing. Anonymous ciphers (without a permanent server key) also use ephemeral @@ -116,9 +119,9 @@ As generating DH parameters is extremely time consuming, an application should not generate the parameters on the fly. DH parameters can be reused, as the actual key is newly generated during the negotiation. .PP -Typically applications should use well known DH parameters that have built-in +Typically applications should use well known DH parameters that have built\-in support in OpenSSL. The macros \fBSSL_CTX_set_dh_auto()\fR and \fBSSL_set_dh_auto()\fR -configure OpenSSL to use the default built-in DH parameters for the \fBSSL_CTX\fR +configure OpenSSL to use the default built\-in DH parameters for the \fBSSL_CTX\fR and \fBSSL\fR objects respectively. Passing a value of 2 or 1 in the \fIonoff\fR parameter switches it on. If the \fIonoff\fR parameter is set to 2, it will force the DH key size to 1024 if the \fBSSL_CTX\fR or \fBSSL\fR security level 
@@ -126,13 +129,13 @@ the DH key size to 1024 if the \fBSSL_CTX\fR or \fBSSL\fR security level it off. The default setting is off. .PP If "auto" DH parameters are switched on then the parameters will be selected to -be consistent with the size of the key associated with the server's certificate. +be consistent with the size of the key associated with the server\*(Aqs certificate. If there is no certificate (e.g. for PSK ciphersuites), then it it will be consistent with the size of the negotiated symmetric cipher key. .PP -Applications may supply their own DH parameters instead of using the built-in +Applications may supply their own DH parameters instead of using the built\-in values. This approach is discouraged and applications should in preference use -the built-in parameter support described above. Applications wishing to supply +the built\-in parameter support described above. Applications wishing to supply their own DH parameters should call \fBSSL_CTX_set0_tmp_dh_pkey()\fR or \&\fBSSL_set0_tmp_dh_pkey()\fR to supply the parameters for the \fBSSL_CTX\fR or \fBSSL\fR respectively. The parameters should be supplied in the \fIdhpkey\fR argument as @@ -157,7 +160,7 @@ as appropriate. The callback will be invoked during a connection when DH parameters are required. The \fBSSL\fR object for the current connection is supplied as an argument. Previous versions of OpenSSL used the \fBis_export\fR and \fBkeylength\fR -arguments to control parameter generation for export and non-export +arguments to control parameter generation for export and non\-export cipher suites. Modern OpenSSL does not support export ciphersuites and so these arguments are unused and can be ignored by the callback. The callback should return the parameters to be used in a DH object. Ownership of the DH object is diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_ecdh.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_ecdh.3 index 2bec98784759..e4e5af419b20 100644 
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_ecdh.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_ecdh.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_TMP_ECDH 3ossl" -.TH SSL_CTX_SET_TMP_ECDH 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_TMP_ECDH 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3 index 52dea0e935f2..f65fd87806df 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_VERIFY 3ossl" -.TH SSL_CTX_SET_VERIFY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_SET_VERIFY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -125,8 +128,8 @@ verification that shall be allowed for \fBctx\fR. verification that shall be allowed for \fBssl\fR. .PP \&\fBSSL_CTX_set_post_handshake_auth()\fR and \fBSSL_set_post_handshake_auth()\fR enable the -Post-Handshake Authentication extension to be added to the ClientHello such that -post-handshake authentication can be requested by the server. If \fBval\fR is 0 +Post\-Handshake Authentication extension to be added to the ClientHello such that +post\-handshake authentication can be requested by the server. If \fBval\fR is 0 then the extension is not sent, otherwise it is. By default the extension is not sent. A certificate callback will need to be set via \&\fBSSL_CTX_set_client_cert_cb()\fR if no certificate is provided at initialization. @@ -137,7 +140,7 @@ be set; the SSL_VERIFY_POST_HANDSHAKE flag is optional. .SH NOTES .IX Header "NOTES" The verification of certificates can be controlled by a set of logically -or'ed \fBmode\fR flags: +or\*(Aqed \fBmode\fR flags: .IP SSL_VERIFY_NONE 4 .IX Item "SSL_VERIFY_NONE" \&\fBServer mode:\fR the server will not send a client certificate request to the @@ -175,7 +178,7 @@ This flag must be used together with SSL_VERIFY_PEER. .IX Item "SSL_VERIFY_CLIENT_ONCE" \&\fBServer mode:\fR only request a client certificate once during the connection. Do not ask for a client certificate again during -renegotiation or post-authentication if a certificate was requested +renegotiation or post\-authentication if a certificate was requested during the initial handshake. This flag must be used together with SSL_VERIFY_PEER. .Sp 
@@ -185,7 +188,7 @@ SSL_VERIFY_PEER. \&\fBServer mode:\fR the server will not send a client certificate request during the initial handshake, but will send the request via \&\fBSSL_verify_client_post_handshake()\fR. This allows the SSL_CTX or SSL -to be configured for post-handshake peer verification before the +to be configured for post\-handshake peer verification before the handshake occurs. This flag must be used together with SSL_VERIFY_PEER. TLSv1.3 only; no effect on pre\-TLSv1.3 connections. .Sp 
@@ -196,25 +199,25 @@ If the \fBmode\fR is SSL_VERIFY_NONE none of the other flags may be set. If verification flags are not modified explicitly by \f(CWSSL_CTX_set_verify()\fR or \f(CWSSL_set_verify()\fR, the default value will be SSL_VERIFY_NONE. .PP -The actual verification procedure is performed either using the built-in +The actual verification procedure is performed either using the built\-in verification procedure or using another application provided verification function set with \&\fBSSL_CTX_set_cert_verify_callback\fR\|(3). -The following descriptions apply in the case of the built-in procedure. An +The following descriptions apply in the case of the built\-in procedure. An application provided procedure also has access to the verify depth information and the \fBverify_callback()\fR function, but the way this information is used may be different. .PP \&\fBSSL_CTX_set_verify_depth()\fR and \fBSSL_set_verify_depth()\fR set a limit on the -number of certificates between the end-entity and trust-anchor certificates. +number of certificates between the end\-entity and trust\-anchor certificates. Neither the -end-entity nor the trust-anchor certificates count against \fBdepth\fR. If the +end\-entity nor the trust\-anchor certificates count against \fBdepth\fR. If the certificate chain needed to reach a trusted issuer is longer than \fBdepth+2\fR, X509_V_ERR_CERT_CHAIN_TOO_LONG will be issued. The depth count is "level 0:peer certificate", "level 1: CA certificate", "level 2: higher level CA certificate", and so on. Setting the maximum -depth to 2 allows the levels 0, 1, 2 and 3 (0 being the end-entity and 3 the -trust-anchor). +depth to 2 allows the levels 0, 1, 2 and 3 (0 being the end\-entity and 3 the +trust\-anchor). The default depth limit is 100, allowing for the peer certificate, at most 100 intermediate CA certificates and a final trust anchor certificate. 
@@ -227,7 +230,7 @@ the certificate in question was passed (preverify_ok=1) or not for the certificate chain verification. .PP The certificate chain is checked starting with the deepest nesting level -(the root CA certificate) and worked upward to the peer's certificate. +(the root CA certificate) and worked upward to the peer\*(Aqs certificate. At each level signatures and issuer attributes are checked. Whenever a verification error is found, the error number is stored in \fBx509_ctx\fR and \fBverify_callback\fR is called with \fBpreverify_ok\fR=0. By applying @@ -258,16 +261,16 @@ certificate or certificate callback to its configuration before it can successfully authenticate. This must be called before \fBSSL_connect()\fR. .PP \&\fBSSL_verify_client_post_handshake()\fR requires that verify flags have been -previously set, and that a client sent the post-handshake authentication +previously set, and that a client sent the post\-handshake authentication extension. When the client returns a certificate the verify callback will be invoked. A write operation must take place for the Certificate Request to be sent to the client, this can be done with \fBSSL_do_handshake()\fR or \fBSSL_write_ex()\fR. Only one certificate request may be outstanding at any time. .PP -When post-handshake authentication occurs, a refreshed NewSessionTicket +When post\-handshake authentication occurs, a refreshed NewSessionTicket message is sent to the client. .PP -Post-handshake authentication cannot be used with QUIC. +Post\-handshake authentication cannot be used with QUIC. \&\fBSSL_set_post_handshake_auth()\fR has no effect if called on a QUIC SSL object. .SH BUGS .IX Header "BUGS" diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_use_certificate.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_use_certificate.3 index ede541adb720..3df81a17c526 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_use_certificate.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_use_certificate.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_USE_CERTIFICATE 3ossl" -.TH SSL_CTX_USE_CERTIFICATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_USE_CERTIFICATE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -142,7 +145,7 @@ should be preferred. .PP \&\fBSSL_CTX_use_certificate_chain_file()\fR loads a certificate chain from \&\fBfile\fR into \fBctx\fR. The certificates must be in PEM format and must -be sorted starting with the subject's certificate (actual client or server +be sorted starting with the subject\*(Aqs certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA. \fBSSL_use_certificate_chain_file()\fR is similar except it loads the certificate chain into \fBssl\fR. diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_use_psk_identity_hint.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_use_psk_identity_hint.3 index 5b5d288bcc09..b145462691d5 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_use_psk_identity_hint.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_use_psk_identity_hint.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_USE_PSK_IDENTITY_HINT 3ossl" -.TH SSL_CTX_USE_PSK_IDENTITY_HINT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_USE_PSK_IDENTITY_HINT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -127,12 +130,12 @@ ServerKeyExchange message to the client. A server application wishing to use PSKs for TLSv1.2 and below must provide a callback function which is called when the server receives the ClientKeyExchange message from the client. The purpose of the callback function -is to validate the received PSK identity and to fetch the pre-shared key used +is to validate the received PSK identity and to fetch the pre\-shared key used during the connection setup phase. The callback is set using the functions \&\fBSSL_CTX_set_psk_server_callback()\fR or \fBSSL_set_psk_server_callback()\fR. The callback function is given the connection in parameter \fBssl\fR, \fBNUL\fR\-terminated PSK identity sent by the client in parameter \fBidentity\fR, and a buffer \fBpsk\fR of -length \fBmax_psk_len\fR bytes where the pre-shared key is to be stored. +length \fBmax_psk_len\fR bytes where the pre\-shared key is to be stored. .PP The callback for use in TLSv1.2 will also work in TLSv1.3 although it is recommended to use \fBSSL_CTX_set_psk_find_session_callback()\fR 
@@ -180,7 +183,7 @@ below) and TLSv1.3. However, the RFC has this note of caution: .PP "While there is no known way in which the same PSK might produce related output in both versions, only limited analysis has been done. Implementations can -ensure safety from cross-protocol related output by not reusing PSKs between +ensure safety from cross\-protocol related output by not reusing PSKs between TLS 1.3 and TLS 1.2." .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_use_serverinfo.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_use_serverinfo.3 index 839de1ff0a02..beccc7e45359 100644 --- a/secure/lib/libcrypto/man/man3/SSL_CTX_use_serverinfo.3 +++ b/secure/lib/libcrypto/man/man3/SSL_CTX_use_serverinfo.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CTX_USE_SERVERINFO 3ossl" -.TH SSL_CTX_USE_SERVERINFO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CTX_USE_SERVERINFO 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -95,7 +98,7 @@ length bytes of extension_data. The context and type values have the same meaning as for \fBSSL_CTX_add_custom_ext\fR\|(3). If serverinfo is being loaded for extensions to be added to a Certificate message, then the extension will only be added for the first certificate in the message (which is always the -end-entity certificate). +end\-entity certificate). .PP If \fBversion\fR is \fBSSL_SERVERINFOV1\fR then the extensions in the array must consist of a 2\-byte Extension Type, a 2\-byte length, and then length bytes of diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_free.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_free.3 index e13dc37a2114..3ade78fe8796 100644 --- a/secure/lib/libcrypto/man/man3/SSL_SESSION_free.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_free.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_FREE 3ossl" -.TH SSL_SESSION_FREE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_FREE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_cipher.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_cipher.3 index c6e9ce19f9e2..ee501b781b5c 100644 --- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_cipher.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_cipher.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_GET0_CIPHER 3ossl" -.TH SSL_SESSION_GET0_CIPHER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_GET0_CIPHER 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_hostname.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_hostname.3 index 2e4dc1ec2ee0..a8bc131a8f19 100644 --- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_hostname.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_hostname.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_GET0_HOSTNAME 3ossl" -.TH SSL_SESSION_GET0_HOSTNAME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_GET0_HOSTNAME 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -84,18 +87,18 @@ SSL_SESSION_set1_alpn_selected .IX Header "DESCRIPTION" \&\fBSSL_SESSION_get0_hostname()\fR retrieves the Server Name Indication (SNI) value that was sent by the client when the session was created if the server -acknowledged the client's SNI extension by including an empty SNI extension +acknowledged the client\*(Aqs SNI extension by including an empty SNI extension in response. Otherwise NULL is returned. .PP The value returned is a pointer to memory maintained within \fBs\fR and -should not be free'd. +should not be free\*(Aqd. .PP \&\fBSSL_SESSION_set1_hostname()\fR sets the SNI value for the hostname to a copy of the string provided in hostname. .PP \&\fBSSL_SESSION_get0_alpn_selected()\fR retrieves the selected ALPN protocol for this session and its associated length in bytes. The returned value of \fB*alpn\fR is a -pointer to memory maintained within \fBs\fR and should not be free'd. +pointer to memory maintained within \fBs\fR and should not be free\*(Aqd. .PP \&\fBSSL_SESSION_set1_alpn_selected()\fR sets the ALPN protocol for this session to the value in \fBalpn\fR which should be of length \fBlen\fR bytes. A copy of the input diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_id_context.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_id_context.3 index 22bf238b31a8..cbfdece3b306 100644 --- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_id_context.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_id_context.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_GET0_ID_CONTEXT 3ossl" -.TH SSL_SESSION_GET0_ID_CONTEXT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_GET0_ID_CONTEXT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_peer.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_peer.3 index 8a8640029ff7..6c0d1592fc02 100644 --- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_peer.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_peer.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,17 +52,20 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_GET0_PEER 3ossl" -.TH SSL_SESSION_GET0_PEER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_GET0_PEER 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH NAME SSL_SESSION_get0_peer -\&\- get details about peer's certificate for a session +\&\- get details about peer\*(Aqs certificate for a session .SH SYNOPSIS .IX Header "SYNOPSIS" .Vb 1 diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_compress_id.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_compress_id.3 index cd6bd4a5372e..e097e7547433 100644 
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_compress_id.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_compress_id.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_GET_COMPRESS_ID 3ossl" -.TH SSL_SESSION_GET_COMPRESS_ID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_GET_COMPRESS_ID 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -74,7 +77,7 @@ SSL_SESSION_get_compress_id .IX Header "DESCRIPTION" If compression has been negotiated for an ssl session then \&\fBSSL_SESSION_get_compress_id()\fR will return the id for the compression method or -0 otherwise. The only built-in supported compression method is zlib which has an +0 otherwise. The only built\-in supported compression method is zlib which has an id of 1. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_protocol_version.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_protocol_version.3 index e4d85938b5d0..d96f5b3c8535 100644 --- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_protocol_version.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_protocol_version.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_GET_PROTOCOL_VERSION 3ossl" -.TH SSL_SESSION_GET_PROTOCOL_VERSION 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_GET_PROTOCOL_VERSION 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_time.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_time.3 index 4ad3c22b4855..5d9323a58f28 100644 --- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_time.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_time.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_GET_TIME 3ossl" -.TH SSL_SESSION_GET_TIME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_GET_TIME 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_has_ticket.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_has_ticket.3 index 6237606756a0..d77eb95d1da1 100644 --- a/secure/lib/libcrypto/man/man3/SSL_SESSION_has_ticket.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_has_ticket.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_HAS_TICKET 3ossl" -.TH SSL_SESSION_HAS_TICKET 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_HAS_TICKET 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_is_resumable.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_is_resumable.3 index c8714b31baa9..4ef26cfa9682 100644 --- a/secure/lib/libcrypto/man/man3/SSL_SESSION_is_resumable.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_is_resumable.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_IS_RESUMABLE 3ossl" -.TH SSL_SESSION_IS_RESUMABLE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_IS_RESUMABLE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -74,7 +77,7 @@ SSL_SESSION_is_resumable .IX Header "DESCRIPTION" \&\fBSSL_SESSION_is_resumable()\fR determines whether an SSL_SESSION object can be used to resume a session or not. Returns 1 if it can or 0 if not. Note that -attempting to resume with a non-resumable session will result in a full +attempting to resume with a non\-resumable session will result in a full handshake. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_print.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_print.3 index 225f08b98a45..abb2eeaff545 100644 --- a/secure/lib/libcrypto/man/man3/SSL_SESSION_print.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_print.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_PRINT 3ossl" -.TH SSL_SESSION_PRINT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_PRINT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_set1_id.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_set1_id.3 index a812a723c4ec..001d15c95180 100644 --- a/secure/lib/libcrypto/man/man3/SSL_SESSION_set1_id.3 +++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_set1_id.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_SET1_ID 3ossl" -.TH SSL_SESSION_SET1_ID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_SET1_ID 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_accept.3 b/secure/lib/libcrypto/man/man3/SSL_accept.3 index 3080c7c6d42e..b763a42e1128 100644 --- a/secure/lib/libcrypto/man/man3/SSL_accept.3 +++ b/secure/lib/libcrypto/man/man3/SSL_accept.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_ACCEPT 3ossl" -.TH SSL_ACCEPT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_ACCEPT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_accept_stream.3 b/secure/lib/libcrypto/man/man3/SSL_accept_stream.3 index 4576233a4878..c7c8eab768f5 100644 --- a/secure/lib/libcrypto/man/man3/SSL_accept_stream.3 
+++ b/secure/lib/libcrypto/man/man3/SSL_accept_stream.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_ACCEPT_STREAM 3ossl" -.TH SSL_ACCEPT_STREAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_ACCEPT_STREAM 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_alert_type_string.3 b/secure/lib/libcrypto/man/man3/SSL_alert_type_string.3 index fb18de2df110..6ea69f95ab06 100644 --- a/secure/lib/libcrypto/man/man3/SSL_alert_type_string.3 +++ b/secure/lib/libcrypto/man/man3/SSL_alert_type_string.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_ALERT_TYPE_STRING 3ossl" -.TH SSL_ALERT_TYPE_STRING 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_ALERT_TYPE_STRING 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -93,9 +96,9 @@ a special situation, it sends an alert. The alert is sent as a special message and does not influence the normal data stream (unless its contents results in the communication being canceled). .PP -A warning alert is sent, when a non-fatal error condition occurs. The +A warning alert is sent, when a non\-fatal error condition occurs. The "close notify" alert is sent as a warning alert. Other examples for -non-fatal errors are certificate errors ("certificate expired", +non\-fatal errors are certificate errors ("certificate expired", "unsupported certificate"), for which a warning alert may be sent. (The sending party may however decide to send a fatal error.) The receiving side may cancel the connection on reception of a warning @@ -169,9 +172,9 @@ A field in the handshake was out of range or inconsistent with other fields. This is always fatal. .IP """DC""/""decryption failed""" 4 .IX Item """DC""/""decryption failed""" -A TLSCiphertext decrypted in an invalid way: either it wasn't an +A TLSCiphertext decrypted in an invalid way: either it wasn\*(Aqt an even multiple of the block length or its padding values, when -checked, weren't correct. This message is always fatal. +checked, weren\*(Aqt correct. This message is always fatal. .IP """RO""/""record overflow""" 4 .IX Item """RO""/""record overflow""" A TLSCiphertext record was received which had a length more than @@ -181,7 +184,7 @@ with more than 2^14+1024 bytes. This message is always fatal. .IX Item """CA""/""unknown CA""" A valid certificate chain or partial chain was received, but the certificate was not accepted because the CA certificate could not -be located or couldn't be matched with a known, trusted CA. This +be located or couldn\*(Aqt be matched with a known, trusted CA. This message is always fatal. .IP """AD""/""access denied""" 4 .IX Item """AD""/""access denied""" 
diff --git a/secure/lib/libcrypto/man/man3/SSL_alloc_buffers.3 b/secure/lib/libcrypto/man/man3/SSL_alloc_buffers.3 index cda8b5c6e24d..c8c9880b1a6d 100644 --- a/secure/lib/libcrypto/man/man3/SSL_alloc_buffers.3 +++ b/secure/lib/libcrypto/man/man3/SSL_alloc_buffers.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_ALLOC_BUFFERS 3ossl" -.TH SSL_ALLOC_BUFFERS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_ALLOC_BUFFERS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -85,7 +88,7 @@ can be used to make sure the buffers are preallocated. This can be used to avoid allocation during data processing or with \fBCRYPTO_set_mem_functions()\fR to control where and how buffers are allocated. .PP -These functions are no-ops when used with QUIC SSL objects. For QUIC, +These functions are no\-ops when used with QUIC SSL objects. For QUIC, \&\fBSSL_free_buffers()\fR always fails, and \fBSSL_alloc_buffers()\fR always succeeds. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/SSL_check_chain.3 b/secure/lib/libcrypto/man/man3/SSL_check_chain.3 index bf6bec255c18..2d62f054ce85 100644 --- a/secure/lib/libcrypto/man/man3/SSL_check_chain.3 +++ b/secure/lib/libcrypto/man/man3/SSL_check_chain.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CHECK_CHAIN 3ossl" -.TH SSL_CHECK_CHAIN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CHECK_CHAIN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_clear.3 b/secure/lib/libcrypto/man/man3/SSL_clear.3 index 18241a39e243..34efc9633ce9 100644 --- a/secure/lib/libcrypto/man/man3/SSL_clear.3 +++ b/secure/lib/libcrypto/man/man3/SSL_clear.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CLEAR 3ossl" -.TH SSL_CLEAR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CLEAR 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -90,7 +93,7 @@ session was a TLSv1 session, an SSL client object will use a TLSv1 client method for the next handshake and an SSL server object will use a TLSv1 server method, even if TLS_*_methods were chosen on startup. This will might lead to connection failures (see \fBSSL_new\fR\|(3)) -for a description of the method's properties. +for a description of the method\*(Aqs properties. .PP This function is not supported on QUIC SSL objects and returns failure if called on such an object. diff --git a/secure/lib/libcrypto/man/man3/SSL_connect.3 b/secure/lib/libcrypto/man/man3/SSL_connect.3 index bdedab3d755c..72b1875b1092 100644 --- a/secure/lib/libcrypto/man/man3/SSL_connect.3 +++ b/secure/lib/libcrypto/man/man3/SSL_connect.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_CONNECT 3ossl" -.TH SSL_CONNECT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_CONNECT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -93,7 +96,7 @@ nothing is to be done, but \fBselect()\fR can be used to check for the required condition. When using a buffering BIO, like a BIO pair, data must be written into or retrieved out of the BIO before being able to continue. .PP -Many systems implement Nagle's algorithm by default which means that it will +Many systems implement Nagle\*(Aqs algorithm by default which means that it will buffer outgoing TCP data if a TCP packet has already been sent for which no corresponding ACK has been received yet from the peer. This can have performance impacts after a successful TLSv1.3 handshake or a successful TLSv1.2 (or below) @@ -102,8 +105,8 @@ the client. If the client is also the first to send application data (as is typical for many protocols) then this data could be buffered until an ACK has been received for the final handshake message. .PP -The \fBTCP_NODELAY\fR socket option is often available to disable Nagle's -algorithm. If an application opts to disable Nagle's algorithm consideration +The \fBTCP_NODELAY\fR socket option is often available to disable Nagle\*(Aqs +algorithm. If an application opts to disable Nagle\*(Aqs algorithm consideration should be given to turning it back on again later if appropriate. The helper function \fBBIO_set_tcp_ndelay()\fR can be used to turn on or off the \fBTCP_NODELAY\fR option. diff --git a/secure/lib/libcrypto/man/man3/SSL_do_handshake.3 b/secure/lib/libcrypto/man/man3/SSL_do_handshake.3 index 854e479aeffd..501363051a07 100644 --- a/secure/lib/libcrypto/man/man3/SSL_do_handshake.3 +++ b/secure/lib/libcrypto/man/man3/SSL_do_handshake.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_DO_HANDSHAKE 3ossl" -.TH SSL_DO_HANDSHAKE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_DO_HANDSHAKE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_export_keying_material.3 b/secure/lib/libcrypto/man/man3/SSL_export_keying_material.3 index acef4594e2cd..4043fbcccd1a 100644 --- a/secure/lib/libcrypto/man/man3/SSL_export_keying_material.3 +++ b/secure/lib/libcrypto/man/man3/SSL_export_keying_material.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_EXPORT_KEYING_MATERIAL 3ossl" -.TH SSL_EXPORT_KEYING_MATERIAL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_EXPORT_KEYING_MATERIAL 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_extension_supported.3 b/secure/lib/libcrypto/man/man3/SSL_extension_supported.3 index f7c21fad7745..ce2cc7a20888 100644 --- a/secure/lib/libcrypto/man/man3/SSL_extension_supported.3 +++ b/secure/lib/libcrypto/man/man3/SSL_extension_supported.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_EXTENSION_SUPPORTED 3ossl" -.TH SSL_EXTENSION_SUPPORTED 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_EXTENSION_SUPPORTED 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -230,7 +233,7 @@ the callback returns. .IX Header "EXTENSION CONTEXTS" An extension context defines which messages and under which conditions an extension should be added or expected. The context is built up by performing -a bitwise OR of multiple pre-defined values together. The valid context values +a bitwise OR of multiple pre\-defined values together. The valid context values are: .IP SSL_EXT_TLS_ONLY 4 .IX Item "SSL_EXT_TLS_ONLY" diff --git a/secure/lib/libcrypto/man/man3/SSL_free.3 b/secure/lib/libcrypto/man/man3/SSL_free.3 index a9cdfae29089..55bcbcec64d6 100644 --- a/secure/lib/libcrypto/man/man3/SSL_free.3 +++ b/secure/lib/libcrypto/man/man3/SSL_free.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_FREE 3ossl" -.TH SSL_FREE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_FREE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -97,14 +100,14 @@ parts of the stream are reset unless those parts have already been concluded normally: .IP \(bu 4 If the stream has a sending part (in other words, if it is bidirectional or a -locally-initiated unidirectional stream) and that part has not been concluded +locally\-initiated unidirectional stream) and that part has not been concluded via a call to \fBSSL_stream_conclude\fR\|(3) or \fBSSL_stream_reset\fR\|(3) on the QUIC stream SSL object, a call to \fBSSL_free()\fR automatically resets the sending part of the stream as though \fBSSL_stream_reset\fR\|(3) were called with a QUIC application error code of 0. .IP \(bu 4 If the stream has a receiving part (in other words, if it is bidirectional or a -remotely-initiated unidirectional stream), and the peer has not yet concluded +remotely\-initiated unidirectional stream), and the peer has not yet concluded that part of the stream normally (such as via a call to \&\fBSSL_stream_conclude\fR\|(3) on its own end), a call to \fBSSL_free()\fR automatically requests the reset of the receiving part of the stream using a QUIC STOP_SENDING diff --git a/secure/lib/libcrypto/man/man3/SSL_get0_connection.3 b/secure/lib/libcrypto/man/man3/SSL_get0_connection.3 index 54737056af2d..829b007ec3f7 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get0_connection.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get0_connection.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET0_CONNECTION 3ossl" -.TH SSL_GET0_CONNECTION 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET0_CONNECTION 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -79,15 +82,15 @@ to. .PP When called on a QUIC connection SSL object, it returns the same object. .PP -When called on a non-QUIC object, it returns the same object it was passed. +When called on a non\-QUIC object, it returns the same object it was passed. .PP -\&\fBSSL_is_connection()\fR returns 1 for QUIC connection SSL objects and for non-QUIC +\&\fBSSL_is_connection()\fR returns 1 for QUIC connection SSL objects and for non\-QUIC SSL objects, but returns 0 for QUIC stream SSL objects. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBSSL_get0_connection()\fR returns the QUIC connection SSL object (for a QUIC stream SSL object) and otherwise returns the same SSL object passed. It always returns -non-NULL. +non\-NULL. .PP \&\fBSSL_is_connection()\fR returns 1 if the SSL object is not a QUIC stream SSL object and 0 otherwise. diff --git a/secure/lib/libcrypto/man/man3/SSL_get0_group_name.3 b/secure/lib/libcrypto/man/man3/SSL_get0_group_name.3 index 16cdf66dc09a..7c13c248f1c0 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get0_group_name.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get0_group_name.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET0_GROUP_NAME 3ossl" -.TH SSL_GET0_GROUP_NAME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET0_GROUP_NAME 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -76,7 +79,7 @@ agreement of the current TLS session establishment the key agreement of the current TLS session establishment. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -If non-NULL, \fBSSL_get0_group_name()\fR returns the name of the group that was used for +If non\-NULL, \fBSSL_get0_group_name()\fR returns the name of the group that was used for the key agreement of the current TLS session establishment. If \fBSSL_get0_group_name()\fR returns NULL, an error occurred; possibly no TLS session has been established. See also \fBSSL_get_negotiated_group\fR\|(3). diff --git a/secure/lib/libcrypto/man/man3/SSL_get0_peer_rpk.3 b/secure/lib/libcrypto/man/man3/SSL_get0_peer_rpk.3 index 6654705c9e0d..3e8c4a0fdbe4 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get0_peer_rpk.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get0_peer_rpk.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET0_PEER_RPK 3ossl" -.TH SSL_GET0_PEER_RPK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET0_PEER_RPK 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -80,17 +83,17 @@ SSL_SESSION_get0_peer_rpk \- raw public key (RFC7250) support .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBSSL_add_expected_rpk()\fR adds a DANE TLSA record matching public key \fBrpk\fR -to SSL \fBs\fR's DANE validation policy. +to SSL \fBs\fR\*(Aqs DANE validation policy. .PP -\&\fBSSL_get_negotiated_client_cert_type()\fR returns the connection's negotiated +\&\fBSSL_get_negotiated_client_cert_type()\fR returns the connection\*(Aqs negotiated client certificate type. .PP -\&\fBSSL_get_negotiated_server_cert_type()\fR returns the connection's negotiated +\&\fBSSL_get_negotiated_server_cert_type()\fR returns the connection\*(Aqs negotiated server certificate type. .PP -\&\fBSSL_get0_peer_rpk()\fR returns the peer's raw public key from SSL \fBs\fR. +\&\fBSSL_get0_peer_rpk()\fR returns the peer\*(Aqs raw public key from SSL \fBs\fR. .PP -\&\fBSSL_SESSION_get0_peer_rpk()\fR returns the peer's raw public key from +\&\fBSSL_SESSION_get0_peer_rpk()\fR returns the peer\*(Aqs raw public key from SSL_SESSION \fBss\fR. .SH NOTES .IX Header "NOTES" 
@@ -115,13 +118,13 @@ private key. The \fBSSL_add_expected_rpk()\fR function is a wrapper around \&\fBSSL_dane_tlsa_add\fR\|(3). When DANE is enabled via \fBSSL_dane_enable\fR\|(3), the configured TLSA records -will be used to validate the peer's public key or certificate. +will be used to validate the peer\*(Aqs public key or certificate. If DANE is not enabled, then no validation will occur. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBSSL_add_expected_rpk()\fR returns 1 on success and 0 on failure. .PP -\&\fBSSL_get0_peer_rpk()\fR and \fBSSL_SESSION_get0_peer_rpk()\fR return the peer's raw +\&\fBSSL_get0_peer_rpk()\fR and \fBSSL_SESSION_get0_peer_rpk()\fR return the peer\*(Aqs raw public key as an EVP_PKEY or NULL when the raw public key is not available. .PP \&\fBSSL_get_negotiated_client_cert_type()\fR and \fBSSL_get_negotiated_server_cert_type()\fR diff --git a/secure/lib/libcrypto/man/man3/SSL_get0_peer_scts.3 b/secure/lib/libcrypto/man/man3/SSL_get0_peer_scts.3 index 8a95e66edd15..42ae3097fe0e 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get0_peer_scts.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get0_peer_scts.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET0_PEER_SCTS 3ossl" -.TH SSL_GET0_PEER_SCTS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET0_PEER_SCTS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -74,7 +77,7 @@ SSL_get0_peer_scts \- get SCTs received \&\fBSSL_get0_peer_scts()\fR returns the signed certificate timestamps (SCTs) that have been received. If this is the first time that this function has been called for a given \fBSSL\fR instance, it will examine the TLS extensions, OCSP response and -the peer's certificate for SCTs. Future calls will return the same SCTs. +the peer\*(Aqs certificate for SCTs. Future calls will return the same SCTs. .SH RESTRICTIONS .IX Header "RESTRICTIONS" If no Certificate Transparency validation callback has been set (using diff --git a/secure/lib/libcrypto/man/man3/SSL_get1_builtin_sigalgs.3 b/secure/lib/libcrypto/man/man3/SSL_get1_builtin_sigalgs.3 index e45b2dab22ea..fc23f3ae15b0 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get1_builtin_sigalgs.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get1_builtin_sigalgs.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET1_BUILTIN_SIGALGS 3ossl" -.TH SSL_GET1_BUILTIN_SIGALGS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET1_BUILTIN_SIGALGS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -71,12 +74,12 @@ SSL_get1_builtin_sigalgs \- get list of built\-in signature algorithms .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -Return the colon-separated list of built-in and available TLS signature +Return the colon\-separated list of built\-in and available TLS signature algorithms. The string returned must be freed by the user using \fBOPENSSL_free\fR\|(3). .SH NOTES .IX Header "NOTES" -The string may be empty (strlen==0) if none of the built-in TLS signature +The string may be empty (strlen==0) if none of the built\-in TLS signature algorithms can be activated, e.g., if suitable providers are missing. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/SSL_get_SSL_CTX.3 b/secure/lib/libcrypto/man/man3/SSL_get_SSL_CTX.3 index c492534d2563..8b81abc53ae3 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_SSL_CTX.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_SSL_CTX.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_SSL_CTX 3ossl" -.TH SSL_GET_SSL_CTX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_SSL_CTX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_get_all_async_fds.3 b/secure/lib/libcrypto/man/man3/SSL_get_all_async_fds.3 index 5e910688f6a8..2d3f0922b9f9 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_all_async_fds.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_all_async_fds.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_ALL_ASYNC_FDS 3ossl" -.TH SSL_GET_ALL_ASYNC_FDS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_ALL_ASYNC_FDS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -119,7 +122,7 @@ On Windows platforms the \fI<openssl/async.h>\fR header is dependent on some of the types customarily made available by including \fI<windows.h>\fR. The application developer is likely to require control over when the latter is included, commonly as one of the first included headers. Therefore, -it is defined as an application developer's responsibility to include +it is defined as an application developer\*(Aqs responsibility to include \&\fI<windows.h>\fR prior to \fI<openssl/async.h>\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/SSL_get_certificate.3 b/secure/lib/libcrypto/man/man3/SSL_get_certificate.3 index 5f63cb3fa9bf..ebc12453a9c3 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_certificate.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_certificate.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_CERTIFICATE 3ossl" -.TH SSL_GET_CERTIFICATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_CERTIFICATE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -74,7 +77,7 @@ private key .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBSSL_get_certificate()\fR returns a pointer to an \fBX509\fR object representing a -certificate used as the local peer's identity. +certificate used as the local peer\*(Aqs identity. .PP Multiple certificates can be configured; for example, a server might have both RSA and ECDSA certificates. The certificate which is returned by @@ -94,8 +97,8 @@ selection occurs. .PP A specific use for \fBSSL_get_certificate()\fR is inside a callback set via a call to \&\fBSSL_CTX_set_tlsext_status_cb\fR\|(3). This callback occurs after certificate -selection, where it can be used to examine a server's chosen certificate, for -example for the purpose of identifying a certificate's OCSP responder URL so +selection, where it can be used to examine a server\*(Aqs chosen certificate, for +example for the purpose of identifying a certificate\*(Aqs OCSP responder URL so that an OCSP response can be obtained. .PP \&\fBSSL_get_privatekey()\fR returns a pointer to the \fBEVP_PKEY\fR object corresponding diff --git a/secure/lib/libcrypto/man/man3/SSL_get_ciphers.3 b/secure/lib/libcrypto/man/man3/SSL_get_ciphers.3 index 117273697827..9132f0018605 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_ciphers.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_ciphers.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_CIPHERS 3ossl" -.TH SSL_GET_CIPHERS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_CIPHERS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -110,10 +113,10 @@ list received from the client on \fBssl\fR. If \fBssl\fR is NULL, no ciphers are available, or \fBssl\fR is not operating in server mode, NULL is returned. .PP \&\fBSSL_bytes_to_cipher_list()\fR treats the supplied \fBlen\fR octets in \fBbytes\fR -as a wire-protocol cipher suite specification (in the three-octet-per-cipher -SSLv2 wire format if \fBisv2format\fR is nonzero; otherwise the two-octet +as a wire\-protocol cipher suite specification (in the three\-octet\-per\-cipher +SSLv2 wire format if \fBisv2format\fR is nonzero; otherwise the two\-octet SSLv3/TLS wire format), and parses the cipher suites supported by the library -into the returned stacks of SSL_CIPHER objects sk and Signalling Cipher-Suite +into the returned stacks of SSL_CIPHER objects sk and Signalling Cipher\-Suite Values scsvs. Unsupported cipher suites are ignored. Returns 1 on success and 0 on failure. .PP 
@@ -134,6 +137,8 @@ description of \fBSSL_get1_supported_ciphers()\fR above). This function will ret available shared ciphersuites whether or not they are enabled. This is a server side function only and must only be called after the completion of the initial handshake. +The function sets an empty string when \fBssl\fR fails the handshake due to the +absence of shared ciphers. .SH NOTES .IX Header "NOTES" The details of the ciphers obtained by \fBSSL_get_ciphers()\fR, \fBSSL_CTX_get_ciphers()\fR @@ -162,7 +167,7 @@ See DESCRIPTION \&\fBSSL_CIPHER_get_name\fR\|(3) .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man3/SSL_get_client_random.3 b/secure/lib/libcrypto/man/man3/SSL_get_client_random.3 index 266836d34feb..14f328f19071 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_client_random.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_client_random.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_CLIENT_RANDOM 3ossl" -.TH SSL_GET_CLIENT_RANDOM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_CLIENT_RANDOM 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -104,15 +107,15 @@ associated with \fBin\fR. The caller must ensure that the length of the key is suitable for the ciphersuite associated with the SSL_SESSION. .SH NOTES .IX Header "NOTES" -You probably shouldn't use these functions. +You probably shouldn\*(Aqt use these functions. .PP These functions expose internal values from the TLS handshake, for -use in low-level protocols. You probably should not use them, unless +use in low\-level protocols. You probably should not use them, unless you are implementing something that needs access to the internal protocol details. .PP Despite the names of \fBSSL_get_client_random()\fR and \fBSSL_get_server_random()\fR, they -ARE NOT random number generators. Instead, they return the mostly-random values that +ARE NOT random number generators. Instead, they return the mostly\-random values that were already generated and used in the TLS protocol. Using them in place of \fBRAND_bytes()\fR would be grossly foolish. .PP diff --git a/secure/lib/libcrypto/man/man3/SSL_get_conn_close_info.3 b/secure/lib/libcrypto/man/man3/SSL_get_conn_close_info.3 index 1d6693696ba1..dc9b8c2ac24b 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_conn_close_info.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_conn_close_info.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_CONN_CLOSE_INFO 3ossl" -.TH SSL_GET_CONN_CLOSE_INFO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_CONN_CLOSE_INFO 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -134,7 +137,7 @@ OSSL_QUIC_LOCAL_ERR_IDLE_TIMEOUT The \fBSSL_get_conn_close_info()\fR function provides information about why and how a QUIC connection was closed. .PP -Connection closure information is written to \fI*info\fR, which must be non-NULL. +Connection closure information is written to \fI*info\fR, which must be non\-NULL. \&\fIinfo_len\fR must be set to \f(CWsizeof(*info)\fR. .PP The following fields are set: @@ -152,9 +155,9 @@ frame type was specified as causing the connection to be closed. If \&\fBSSL_CONN_CLOSE_FLAG_TRANSPORT\fR is not set, this is set to 0. .IP \fIreason\fR 4 .IX Item "reason" -If non-NULL, this is intended to be a UTF\-8 textual string briefly describing +If non\-NULL, this is intended to be a UTF\-8 textual string briefly describing the reason for connection closure. The length of the reason string in bytes is -given in \fIreason_len\fR. While, if non-NULL, OpenSSL guarantees that this string +given in \fIreason_len\fR. While, if non\-NULL, OpenSSL guarantees that this string will be zero terminated, consider that this buffer may originate from the (untrusted) peer and thus may also contain zero bytes elsewhere. Therefore, use of \fIreason_len\fR is recommended. 
@@ -183,7 +186,7 @@ a TLS alert code into a QUIC transport error code by mapping it into the range reserved for such codes by RFC 9000. This range begins at \&\fBOSSL_QUIC_ERR_CRYPTO_ERR_BEGIN\fR and ends at \fBOSSL_QUIC_ERR_CRYPTO_ERR_END\fR inclusive. -.SH "NON-STANDARD TRANSPORT ERROR CODES" +.SH "NON\-STANDARD TRANSPORT ERROR CODES" .IX Header "NON-STANDARD TRANSPORT ERROR CODES" Some conditions which can cause QUIC connection termination are not signalled on the wire and therefore do not have standard error codes. OpenSSL indicates these @@ -197,7 +200,7 @@ The connection was terminated immediately due to the idle timeout expiring. .IX Header "RETURN VALUES" \&\fBSSL_get_conn_close_info()\fR returns 1 on success and 0 on failure. This function fails if called on a QUIC connection SSL object which has not yet been -terminated. It also fails if called on a QUIC stream SSL object or a non-QUIC +terminated. It also fails if called on a QUIC stream SSL object or a non\-QUIC SSL object. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/SSL_get_current_cipher.3 b/secure/lib/libcrypto/man/man3/SSL_get_current_cipher.3 index a153710a430c..f7e4578213ca 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_current_cipher.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_current_cipher.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_CURRENT_CIPHER 3ossl" -.TH SSL_GET_CURRENT_CIPHER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_CURRENT_CIPHER 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -98,7 +101,7 @@ This may be the case during handshake processing, when control flow can be returned to the application via any of several callback methods. The internal sequencing of handshake processing and callback invocation is not guaranteed to be stable from release to release, and at present only the callback set -by \fBSSL_CTX_set_alpn_select_cb()\fR is guaranteed to have a non-NULL return value. +by \fBSSL_CTX_set_alpn_select_cb()\fR is guaranteed to have a non\-NULL return value. Other callbacks may be added to this list over time. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/SSL_get_default_timeout.3 b/secure/lib/libcrypto/man/man3/SSL_get_default_timeout.3 index 78fd7e628ca3..7c143929110c 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_default_timeout.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_default_timeout.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_DEFAULT_TIMEOUT 3ossl" -.TH SSL_GET_DEFAULT_TIMEOUT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_DEFAULT_TIMEOUT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_get_error.3 b/secure/lib/libcrypto/man/man3/SSL_get_error.3 index 5d9a1b139cf2..35882750cd48 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_error.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_error.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_ERROR 3ossl" -.TH SSL_GET_ERROR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_ERROR 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -78,11 +81,12 @@ statement) for a preceding call to \fBSSL_connect()\fR, \fBSSL_accept()\fR, \fBS function must be passed to \fBSSL_get_error()\fR in parameter \fBret\fR. .PP In addition to \fBssl\fR and \fBret\fR, \fBSSL_get_error()\fR inspects the -current thread's OpenSSL error queue. Thus, \fBSSL_get_error()\fR must be +current thread\*(Aqs OpenSSL error queue. Thus, \fBSSL_get_error()\fR must be used in the same thread that performed the TLS/SSL I/O operation, and no other OpenSSL function calls should appear in between. The current -thread's error queue must be empty before the TLS/SSL I/O operation is -attempted, or \fBSSL_get_error()\fR will not work reliably. +thread\*(Aqs error queue must be empty before the TLS/SSL I/O operation is +attempted, or \fBSSL_get_error()\fR will not work reliably. Emptying the +current thread\*(Aqs error queue is done with \fBERR_clear_error\fR\|(3). .SH NOTES .IX Header "NOTES" Some TLS implementations do not send a close_notify alert on shutdown. @@ -114,7 +118,7 @@ is set. See \fBSSL_CTX_set_options\fR\|(3) for more details. .IX Item "SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE" The operation did not complete and can be retried later. .Sp -For non-QUIC SSL objects, \fBSSL_ERROR_WANT_READ\fR is returned when the last +For non\-QUIC SSL objects, \fBSSL_ERROR_WANT_READ\fR is returned when the last operation was a read operation from a nonblocking \fBBIO\fR. It means that not enough data was available at this time to complete the operation. 
@@ -126,7 +130,7 @@ still unprocessed data available at either the \fBSSL\fR or the \fBBIO\fR layer, for a blocking \fBBIO\fR. See \fBSSL_read\fR\|(3) for more information. .Sp -For non-QUIC SSL objects, \fBSSL_ERROR_WANT_WRITE\fR is returned when the last +For non\-QUIC SSL objects, \fBSSL_ERROR_WANT_WRITE\fR is returned when the last operation was a write to a nonblocking \fBBIO\fR and it was unable to send all data to the \fBBIO\fR. When the \fBBIO\fR is writable again, the same function can be called again. @@ -210,7 +214,7 @@ The TLS/SSL I/O function should be called again later. Details depend on the application. .IP SSL_ERROR_SYSCALL 4 .IX Item "SSL_ERROR_SYSCALL" -Some non-recoverable, fatal I/O error occurred. The OpenSSL error queue may +Some non\-recoverable, fatal I/O error occurred. The OpenSSL error queue may contain more information on the error. For socket I/O on Unix systems, consult \&\fBerrno\fR for details. If this error occurs then no further I/O operations should be performed on the connection and \fBSSL_shutdown()\fR must not be called. 
@@ -219,13 +223,17 @@ This value can also be returned for other errors, check the error queue for details. .IP SSL_ERROR_SSL 4 .IX Item "SSL_ERROR_SSL" -A non-recoverable, fatal error in the SSL library occurred, usually a protocol +A non\-recoverable, fatal error in the SSL library occurred, usually a protocol error. The OpenSSL error queue contains more information on the error. If this error occurs then no further I/O operations should be performed on the connection and \fBSSL_shutdown()\fR must not be called. +.PP +The OpenSSL error queue can be inspected with the \fBERR\fR family of functions, +such as \fBERR_print_errors\fR\|(3) and \fBERR_peek_last_error_all\fR\|(3). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fBssl\fR\|(7) +\&\fBssl\fR\|(7), +\&\fBERR_clear_error\fR\|(3), \fBERR_print_errors\fR\|(3), \fBERR_peek_last_error_all\fR\|(3) .SH HISTORY .IX Header "HISTORY" The SSL_ERROR_WANT_ASYNC error code was added in OpenSSL 1.1.0. diff --git a/secure/lib/libcrypto/man/man3/SSL_get_event_timeout.3 b/secure/lib/libcrypto/man/man3/SSL_get_event_timeout.3 index 6457e8c3dbb2..dfbde25cad21 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_event_timeout.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_event_timeout.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_EVENT_TIMEOUT 3ossl" -.TH SSL_GET_EVENT_TIMEOUT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_EVENT_TIMEOUT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -75,7 +78,7 @@ handled \&\fBSSL_get_event_timeout()\fR determines when the SSL object next needs to perform internal processing due to the passage of time. .PP -All arguments are required; \fItv\fR and \fIis_infinite\fR must be non-NULL. +All arguments are required; \fItv\fR and \fIis_infinite\fR must be non\-NULL. .PP Upon the successful return of \fBSSL_get_event_timeout()\fR, one of the following cases applies: diff --git a/secure/lib/libcrypto/man/man3/SSL_get_extms_support.3 b/secure/lib/libcrypto/man/man3/SSL_get_extms_support.3 index 86540ba0228c..96869929c9a8 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_extms_support.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_extms_support.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_EXTMS_SUPPORT 3ossl" -.TH SSL_GET_EXTMS_SUPPORT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_EXTMS_SUPPORT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_fd.3 b/secure/lib/libcrypto/man/man3/SSL_get_fd.3 index ca61e5a49abd..d3d7f105064f 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_fd.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_fd.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_FD 3ossl" -.TH SSL_GET_FD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_FD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_get_handshake_rtt.3 b/secure/lib/libcrypto/man/man3/SSL_get_handshake_rtt.3 index 53acd3f6a938..9c2bddd5fea0 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_handshake_rtt.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_handshake_rtt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_HANDSHAKE_RTT 3ossl" -.TH SSL_GET_HANDSHAKE_RTT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_HANDSHAKE_RTT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -72,7 +75,7 @@ SSL_get_handshake_rtt .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBSSL_get_handshake_rtt()\fR retrieves the round-trip time (RTT) for \fIssl\fR. +\&\fBSSL_get_handshake_rtt()\fR retrieves the round\-trip time (RTT) for \fIssl\fR. .PP This metric is represented in microseconds (us) as a uint64_t data type. .SH NOTES 
@@ -83,17 +86,17 @@ providing the difference between these two times. When acting as the server, one timestamp is taken when the server is finished writing to the client. This is during the ServerFinished in TLS 1.3 and ServerHelloDone in TLS 1.2. The other timestamp is taken when the server is -done reading the client's response. This is after the client has responded +done reading the client\*(Aqs response. This is after the client has responded with ClientFinished. .PP When acting as the client, one timestamp is taken when the client is finished writing the ClientHello and early data (if any). The other is taken when -client is done reading the server's response. This is after ServerFinished in +client is done reading the server\*(Aqs response. This is after ServerFinished in TLS 1.3 and after ServerHelloDone in TLS 1.2. .PP In addition to network propagation delay and network stack overhead, this metric includes processing time on both endpoints, as this is based on TLS -protocol-level messages and the TLS protocol is not designed to measure +protocol\-level messages and the TLS protocol is not designed to measure network timings. In some cases the processing time can be significant, especially when the processing includes asymmetric cryptographic operations. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/SSL_get_peer_cert_chain.3 b/secure/lib/libcrypto/man/man3/SSL_get_peer_cert_chain.3 index 660a9396f182..19fdf25df055 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_peer_cert_chain.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_peer_cert_chain.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_PEER_CERT_CHAIN 3ossl" -.TH SSL_GET_PEER_CERT_CHAIN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_PEER_CERT_CHAIN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -75,8 +78,8 @@ chain of the peer .IX Header "DESCRIPTION" \&\fBSSL_get_peer_cert_chain()\fR returns a pointer to STACK_OF(X509) certificates forming the certificate chain sent by the peer. If called on the client side, -the stack also contains the peer's certificate; if called on the server -side, the peer's certificate must be obtained separately using +the stack also contains the peer\*(Aqs certificate; if called on the server +side, the peer\*(Aqs certificate must be obtained separately using \&\fBSSL_get_peer_certificate\fR\|(3). If the peer did not present a certificate, NULL is returned. .PP @@ -85,7 +88,7 @@ only consists of certificates the peer has sent (in the order the peer has sent them) it is \fBnot\fR a verified chain. .PP \&\fBSSL_get0_verified_chain()\fR returns the \fBverified\fR certificate chain -of the peer including the peer's end entity certificate. It must be called +of the peer including the peer\*(Aqs end entity certificate. It must be called after a session has been successfully established. If peer verification was not successful (as indicated by \fBSSL_get_verify_result()\fR not returning X509_V_OK) the chain may be incomplete or invalid. diff --git a/secure/lib/libcrypto/man/man3/SSL_get_peer_certificate.3 b/secure/lib/libcrypto/man/man3/SSL_get_peer_certificate.3 index 323e5f9d6fe3..1a7575706094 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_peer_certificate.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_peer_certificate.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_PEER_CERTIFICATE 3ossl" -.TH SSL_GET_PEER_CERTIFICATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_PEER_CERTIFICATE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_get_peer_signature_nid.3 b/secure/lib/libcrypto/man/man3/SSL_get_peer_signature_nid.3 index b95d2775140e..95f852d3e520 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_peer_signature_nid.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_peer_signature_nid.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_PEER_SIGNATURE_NID 3ossl" -.TH SSL_GET_PEER_SIGNATURE_NID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_PEER_SIGNATURE_NID 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -93,8 +96,8 @@ by the peer to sign TLS messages. It is implemented as a macro. type used by the peer to sign TLS messages. Currently the signature type is the NID of the public key type used for signing except for PSS signing where it is \fBEVP_PKEY_RSA_PSS\fR. To differentiate between -\&\fBrsa_pss_rsae_*\fR and \fBrsa_pss_pss_*\fR signatures, it's necessary to check -the type of public key in the peer's certificate. +\&\fBrsa_pss_rsae_*\fR and \fBrsa_pss_pss_*\fR signatures, it\*(Aqs necessary to check +the type of public key in the peer\*(Aqs certificate. .PP \&\fBSSL_get0_signature_name()\fR, \fBSSL_get_signature_nid()\fR and \&\fBSSL_get_signature_type_nid()\fR return the equivalent information for the local diff --git a/secure/lib/libcrypto/man/man3/SSL_get_peer_tmp_key.3 b/secure/lib/libcrypto/man/man3/SSL_get_peer_tmp_key.3 index 35b5240e70ba..733d1f818cb7 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_peer_tmp_key.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_peer_tmp_key.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_PEER_TMP_KEY 3ossl" -.TH SSL_GET_PEER_TMP_KEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_PEER_TMP_KEY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -76,14 +79,14 @@ about temporary keys used during a handshake .IX Header "DESCRIPTION" \&\fBSSL_get_peer_tmp_key()\fR returns the temporary key provided by the peer and used during key exchange. For example, if ECDHE is in use, then this represents -the peer's public ECDHE key. On success a pointer to the key is stored in -\&\fB*key\fR. It is the caller's responsibility to free this key after use using +the peer\*(Aqs public ECDHE key. On success a pointer to the key is stored in +\&\fB*key\fR. It is the caller\*(Aqs responsibility to free this key after use using \&\fBEVP_PKEY_free\fR\|(3). .PP \&\fBSSL_get_server_tmp_key()\fR is a backwards compatibility alias for \&\fBSSL_get_peer_tmp_key()\fR. Under that name it worked just on the client side of the connection, its -behaviour on the server end is release-dependent. +behaviour on the server end is release\-dependent. .PP \&\fBSSL_get_tmp_key()\fR returns the equivalent information for the local end of the connection. diff --git a/secure/lib/libcrypto/man/man3/SSL_get_psk_identity.3 b/secure/lib/libcrypto/man/man3/SSL_get_psk_identity.3 index 504ac6e78fb9..0fa31a040c33 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_psk_identity.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_psk_identity.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_PSK_IDENTITY 3ossl" -.TH SSL_GET_PSK_IDENTITY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_PSK_IDENTITY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_get_rbio.3 b/secure/lib/libcrypto/man/man3/SSL_get_rbio.3 index ac5cfe180c62..26a30a72dfd8 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_rbio.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_rbio.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_RBIO 3ossl" -.TH SSL_GET_RBIO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_RBIO 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_get_rpoll_descriptor.3 b/secure/lib/libcrypto/man/man3/SSL_get_rpoll_descriptor.3 index e8de4b7c1c1a..1577d5bce902 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_rpoll_descriptor.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_rpoll_descriptor.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_RPOLL_DESCRIPTOR 3ossl" -.TH SSL_GET_RPOLL_DESCRIPTOR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_RPOLL_DESCRIPTOR 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -115,12 +118,12 @@ may change in response to any call to the SSL object other than \&\fBSSL_net_read_desired()\fR, \fBSSL_net_write_desired()\fR, \fBSSL_get_rpoll_descriptor()\fR, \&\fBSSL_get_wpoll_descriptor()\fR and \fBSSL_get_event_timeout()\fR. .PP -On non-QUIC SSL objects, calls to \fBSSL_get_rpoll_descriptor()\fR and +On non\-QUIC SSL objects, calls to \fBSSL_get_rpoll_descriptor()\fR and \&\fBSSL_get_wpoll_descriptor()\fR function the same as calls to \&\fBBIO_get_rpoll_descriptor()\fR and \fBBIO_get_wpoll_descriptor()\fR on the respective read and write BIOs configured on the SSL object. .PP -On non-QUIC SSL objects, calls to \fBSSL_net_read_desired()\fR and +On non\-QUIC SSL objects, calls to \fBSSL_net_read_desired()\fR and \&\fBSSL_net_write_desired()\fR function identically to calls to \fBSSL_want_read()\fR and \&\fBSSL_want_write()\fR respectively. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/SSL_get_session.3 b/secure/lib/libcrypto/man/man3/SSL_get_session.3 index b2d189fbb611..f55e69702d0c 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_session.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_session.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_SESSION 3ossl" -.TH SSL_GET_SESSION 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_SESSION 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -83,7 +86,7 @@ that the pointer can become invalid by other operations. count of the \fBSSL_SESSION\fR is incremented by one. .SH NOTES .IX Header "NOTES" -The ssl session contains all information required to re-establish the +The ssl session contains all information required to re\-establish the connection without a full handshake for SSL versions up to and including TLSv1.2. In TLSv1.3 the same is true, but sessions are established after the main handshake has occurred. The server will send the session information to the @@ -110,7 +113,7 @@ enables applications to obtain information about all sessions sent by the server. .PP A session will be automatically removed from the session cache and marked as -non-resumable if the connection is not closed down cleanly, e.g. if a fatal +non\-resumable if the connection is not closed down cleanly, e.g. if a fatal error occurs on the connection or \fBSSL_shutdown\fR\|(3) is not called prior to \&\fBSSL_free\fR\|(3). .PP 
@@ -132,7 +135,7 @@ but stays in memory. In order to remove the session to decrement the reference count again. .PP SSL_SESSION objects keep internal link information about the session cache -list, when being inserted into one SSL_CTX object's session cache. +list, when being inserted into one SSL_CTX object\*(Aqs session cache. One SSL_SESSION object, regardless of its reference count, must therefore only be used with one SSL_CTX object (and the SSL objects created from this SSL_CTX object). diff --git a/secure/lib/libcrypto/man/man3/SSL_get_shared_sigalgs.3 b/secure/lib/libcrypto/man/man3/SSL_get_shared_sigalgs.3 index 32600c67002c..c2591e8dab23 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_shared_sigalgs.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_shared_sigalgs.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_SHARED_SIGALGS 3ossl" -.TH SSL_GET_SHARED_SIGALGS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_SHARED_SIGALGS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -94,7 +97,7 @@ signature algorithms or \fB0\fR if the \fBidx\fR parameter is out of range. .SH NOTES .IX Header "NOTES" These functions are typically called for debugging purposes (to report -the peer's preferences) or where an application wants finer control over +the peer\*(Aqs preferences) or where an application wants finer control over certificate selection. Most applications will rely on internal handling and will not need to call them. .PP diff --git a/secure/lib/libcrypto/man/man3/SSL_get_stream_id.3 b/secure/lib/libcrypto/man/man3/SSL_get_stream_id.3 index 4532db6247d3..b24077ab70a8 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_stream_id.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_stream_id.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_STREAM_ID 3ossl" -.TH SSL_GET_STREAM_ID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_STREAM_ID 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -93,7 +96,7 @@ The SSL object is a QUIC connection SSL object without a default stream attached. .IP \fBSSL_STREAM_TYPE_BIDI\fR 4 .IX Item "SSL_STREAM_TYPE_BIDI" -The SSL object is a non-QUIC SSL object, or is a QUIC stream object (or QUIC +The SSL object is a non\-QUIC SSL object, or is a QUIC stream object (or QUIC connection SSL object with a default stream attached), and that stream is a bidirectional QUIC stream. .IP \fBSSL_STREAM_TYPE_READ\fR 4 
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_stream_read_state.3 b/secure/lib/libcrypto/man/man3/SSL_get_stream_read_state.3 index 4c9e5f147b02..784ed2c787a7 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_stream_read_state.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_stream_read_state.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_STREAM_READ_STATE 3ossl" -.TH SSL_GET_STREAM_READ_STATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_STREAM_READ_STATE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -94,7 +97,7 @@ overall state of the receiving and sending parts of a QUIC stream, respectively. They both return one of the following values: .IP \fBSSL_STREAM_STATE_NONE\fR 4 .IX Item "SSL_STREAM_STATE_NONE" -This value is returned if called on a non-QUIC SSL object, or on a QUIC +This value is returned if called on a non\-QUIC SSL object, or on a QUIC connection SSL object without a default stream attached. .IP \fBSSL_STREAM_STATE_OK\fR 4 .IX Item "SSL_STREAM_STATE_OK" 
@@ -103,9 +106,9 @@ healthy. .IP \fBSSL_STREAM_STATE_WRONG_DIR\fR 4 .IX Item "SSL_STREAM_STATE_WRONG_DIR" This value is returned if \fBSSL_get_stream_read_state()\fR is called on a -locally-initiated (and thus send-only) unidirectional stream, or, conversely, if -\&\fBSSL_get_stream_write_state()\fR is called on a remotely-initiated (and thus -receive-only) unidirectional stream. +locally\-initiated (and thus send\-only) unidirectional stream, or, conversely, if +\&\fBSSL_get_stream_write_state()\fR is called on a remotely\-initiated (and thus +receive\-only) unidirectional stream. .IP \fBSSL_STREAM_STATE_FINISHED\fR 4 .IX Item "SSL_STREAM_STATE_FINISHED" For \fBSSL_get_stream_read_state()\fR, this value is returned when the remote peer has @@ -128,7 +131,7 @@ read by calling \fBSSL_read\fR\|(3). .Sp For \fBSSL_get_stream_write_state()\fR, this means that the sending part of the stream was aborted, for example because the application called \fBSSL_stream_reset\fR\|(3), -or because a QUIC stream SSL object with an un-concluded sending part was freed +or because a QUIC stream SSL object with an un\-concluded sending part was freed using \fBSSL_free\fR\|(3). Calls to \fBSSL_write\fR\|(3) will fail. .Sp When this value is returned, the application error code which was signalled can @@ -161,7 +164,7 @@ will fail. \fBSSL_get_stream_read_state()\fR will return this state if and only \&\fBSSL_get_stream_write_state()\fR will also return this state. .PP \&\fBSSL_get_stream_read_error_code()\fR and \fBSSL_get_stream_write_error_code()\fR provide -the application error code which was signalled during non-normal termination of +the application error code which was signalled during non\-normal termination of the receiving or sending parts of a stream, respectively. On success, the application error code is written to \fI*app_error_code\fR. .SH NOTES 
@@ -176,7 +179,7 @@ with the connection closure using \fBSSL_get_conn_close_info\fR\|(3). .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBSSL_get_stream_read_state()\fR and \fBSSL_get_stream_write_state()\fR return one of the -\&\fBSSL_STREAM_STATE\fR values. If called on a non-QUIC SSL object, or a QUIC +\&\fBSSL_STREAM_STATE\fR values. If called on a non\-QUIC SSL object, or a QUIC connection SSL object without a default stream, \fBSSL_STREAM_STATE_NONE\fR is returned. .PP @@ -184,7 +187,7 @@ returned. on success and 0 if the stream was terminated normally. They return \-1 on error, for example if the stream is still healthy, was still healthy at the time of connection closure, if called on a stream for which the respective stream part -does not exist (e.g. on a unidirectional stream), or if called on a non-QUIC +does not exist (e.g. on a unidirectional stream), or if called on a non\-QUIC object or a QUIC connection SSL object without a default stream attached. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/SSL_get_value_uint.3 b/secure/lib/libcrypto/man/man3/SSL_get_value_uint.3 index 22bdf69e55b0..dc04f234f402 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_value_uint.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_value_uint.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_VALUE_UINT 3ossl" -.TH SSL_GET_VALUE_UINT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_VALUE_UINT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -154,17 +157,17 @@ within a given value class. The value classes are enumerated by Values in this class do not participate in the feature negotiation process. They may represent connection parameters which do not participate in explicit negotiation or provide connection statistics. Values in this class might be -read-write or read-only. +read\-write or read\-only. .Sp You can access values in this class using the convenience macros \&\fBSSL_get_generic_value_uint()\fR and \fBSSL_set_generic_value_uint()\fR for brevity. .IP \fBSSL_VALUE_CLASS_FEATURE_REQUEST\fR 4 .IX Item "SSL_VALUE_CLASS_FEATURE_REQUEST" -Values in this class are read-write, and represent what the local party is +Values in this class are read\-write, and represent what the local party is requesting during feature negotiation. Such a request will not necessarily be honoured; see \fBSSL_VALUE_CLASS_FEATURE_NEGOTIATED\fR. .Sp -A value in this class may become read-only in certain circumstances; for +A value in this class may become read\-only in certain circumstances; for example, after a connection has been established, for a value which cannot be renegotiated after connection establishment. Setting a value in this class after connection establishment represents a request for online renegotiation of the 
@@ -174,7 +177,7 @@ You can access values in this class using the convenience macros \&\fBSSL_get_feature_request_uint()\fR and \fBSSL_set_feature_request_uint()\fR for brevity. .IP \fBSSL_VALUE_CLASS_FEATURE_PEER_REQUEST\fR 4 .IX Item "SSL_VALUE_CLASS_FEATURE_PEER_REQUEST" -Values in this value class are read-only, and represent what was requested by a +Values in this value class are read\-only, and represent what was requested by a peer during feature negotiation. Such a request has not necessarily been honoured; see \fBSSL_VALUE_CLASS_FEATURE_NEGOTIATED\fR. .Sp @@ -182,7 +185,7 @@ You can access values in this class using the convenience macro \&\fBSSL_get_feature_peer_request_uint()\fR for brevity. .IP \fBSSL_VALUE_CLASS_FEATURE_NEGOTIATED\fR 4 .IX Item "SSL_VALUE_CLASS_FEATURE_NEGOTIATED" -Values in this value class are read-only, and represent the value which was +Values in this value class are read\-only, and represent the value which was actually negotiated based on both local and peer input during feature negotiation. This is the effective value in actual use. .Sp @@ -190,7 +193,7 @@ Attempting to read a value in this class will generally fail if the feature negotiation process has not yet completed and the value is therefore currently unknown, unless the nature of the feature in question causes a provisional value to be used prior to completion of feature negotiation, in which case that value -may be returned. If an online (post-handshake) renegotiation of a feature is +may be returned. If an online (post\-handshake) renegotiation of a feature is in progress, retrieving the negotiated value will continue to retrieve the previous negotiated value until that process is completed. See the documentation of specific values for full details of its behaviour. 
@@ -218,8 +221,8 @@ This release of OpenSSL uses a default value of 30 seconds. This default value may change between releases of OpenSSL. .IP "\fBSSL_VALUE_QUIC_STREAM_BIDI_LOCAL_AVAIL\fR (connection object)" 4 .IX Item "SSL_VALUE_QUIC_STREAM_BIDI_LOCAL_AVAIL (connection object)" -Generic read-only statistical value. The number of bidirectional, -locally-initiated streams available to be created (but not yet created). For +Generic read\-only statistical value. The number of bidirectional, +locally\-initiated streams available to be created (but not yet created). For example, a value of 100 would mean that \fBSSL_new_stream\fR\|(3) could be called 100 times to create 100 bidirectional streams before \fBSSL_new_stream\fR\|(3) would block or fail due to backpressure. @@ -228,14 +231,14 @@ Can be queried using the convenience macro \&\fBSSL_get_quic_stream_bidi_local_avail()\fR. .IP "\fBSSL_VALUE_QUIC_STREAM_UNI_LOCAL_AVAIL\fR (connection object)" 4 .IX Item "SSL_VALUE_QUIC_STREAM_UNI_LOCAL_AVAIL (connection object)" -As above, but provides the number of unidirectional, locally-initiated streams +As above, but provides the number of unidirectional, locally\-initiated streams available to be created (but not yet created). .Sp Can be queried using the convenience macro \&\fBSSL_get_quic_stream_uni_local_avail()\fR. .IP "\fBSSL_VALUE_QUIC_STREAM_BIDI_REMOTE_AVAIL\fR (connection object)" 4 .IX Item "SSL_VALUE_QUIC_STREAM_BIDI_REMOTE_AVAIL (connection object)" -As above, but provides the number of bidirectional, remotely-initiated streams +As above, but provides the number of bidirectional, remotely\-initiated streams available to be created (but not yet created) by the peer. This represents the number of streams the local endpoint has authorised the peer to create in terms of QUIC stream creation flow control. 
@@ -244,7 +247,7 @@ Can be queried using the convenience macro \&\fBSSL_get_quic_stream_bidi_remote_avail()\fR. .IP "\fBSSL_VALUE_QUIC_STREAM_UNI_REMOTE_AVAIL\fR (connection object)" 4 .IX Item "SSL_VALUE_QUIC_STREAM_UNI_REMOTE_AVAIL (connection object)" -As above, but provides the number of unidirectional, remotely-initiated streams +As above, but provides the number of unidirectional, remotely\-initiated streams available to be created (but not yet created). .Sp Can be queried using the convenience macro @@ -278,7 +281,7 @@ model, \fBnonblocking\fR calls to I/O functions such as \fBSSL_read_ex\fR\|(3) o new incoming network traffic is not handled; no new outgoing network traffic is generated, and pending timeout events are not processed. This allows an application to obtain greater control over the circumstances in which QUIC event -processing occurs. If this event handling model is used, it is the application's +processing occurs. If this event handling model is used, it is the application\*(Aqs responsibility to call \fBSSL_handle_events\fR\|(3) as and when called for by the QUIC implementation; see the \fBSSL_get_rpoll_descriptor\fR\|(3) man page for more information. @@ -312,7 +315,7 @@ also affect the state of any other object related to a connection. .RE .IP "\fBSSL_VALUE_STREAM_WRITE_BUF_SIZE\fR (stream object)" 4 .IX Item "SSL_VALUE_STREAM_WRITE_BUF_SIZE (stream object)" -Generic read-only statistical value. The size of the write buffer allocated to +Generic read\-only statistical value. The size of the write buffer allocated to hold data written to a stream with \fBSSL_write_ex\fR\|(3) until it is transmitted and subsequently acknowledged by the peer. This value may change at any time, as buffer sizes are optimised in response to network conditions to optimise 
@@ -321,7 +324,7 @@ throughput. Can be queried using the convenience macro \fBSSL_get_stream_write_buf_size()\fR. .IP "\fBSSL_VALUE_STREAM_WRITE_BUF_USED\fR (stream object)" 4 .IX Item "SSL_VALUE_STREAM_WRITE_BUF_USED (stream object)" -Generic read-only statistical value. The number of bytes currently consumed +Generic read\-only statistical value. The number of bytes currently consumed in the write buffer which have yet to be acknowledged by the peer. Successful calls to \fBSSL_write_ex\fR\|(3) which accept data cause this number to increase. This number will then decrease as data is acknowledged by the peer. @@ -329,7 +332,7 @@ This number will then decrease as data is acknowledged by the peer. Can be queried using the convenience macro \fBSSL_get_stream_write_buf_used()\fR. .IP "\fBSSL_VALUE_STREAM_WRITE_BUF_AVAIL\fR (stream object)" 4 .IX Item "SSL_VALUE_STREAM_WRITE_BUF_AVAIL (stream object)" -Generic read-only statistical value. The number of bytes available in the write +Generic read\-only statistical value. The number of bytes available in the write buffer which have yet to be consumed by calls to \fBSSL_write_ex\fR\|(3). Successful calls to \fBSSL_write_ex\fR\|(3) which accept data cause this number to decrease. This number will increase as data is acknowledged by the peer. It may also @@ -337,7 +340,7 @@ change if the buffer is resized automatically to optimise throughput. .Sp Can be queried using the convenience macro \fBSSL_get_stream_write_buf_avail()\fR. .PP -No configurable values are currently defined for non-QUIC SSL objects. +No configurable values are currently defined for non\-QUIC SSL objects. .SH "RETURN VALUES" .IX Header "RETURN VALUES" Returns 1 on success or 0 on failure. This function can fail for a number of diff --git a/secure/lib/libcrypto/man/man3/SSL_get_verify_result.3 b/secure/lib/libcrypto/man/man3/SSL_get_verify_result.3 index 070ce68bc46e..020d2a78c5c0 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_verify_result.3 
+++ b/secure/lib/libcrypto/man/man3/SSL_get_verify_result.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_VERIFY_RESULT 3ossl" -.TH SSL_GET_VERIFY_RESULT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_VERIFY_RESULT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_get_version.3 b/secure/lib/libcrypto/man/man3/SSL_get_version.3 index 8c128496340a..e143367ba108 100644 --- a/secure/lib/libcrypto/man/man3/SSL_get_version.3 +++ b/secure/lib/libcrypto/man/man3/SSL_get_version.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GET_VERSION 3ossl" -.TH SSL_GET_VERSION 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GET_VERSION 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -116,7 +119,7 @@ The connection uses the TLSv1.2 protocol. The connection uses the TLSv1.3 protocol. .IP DTLSv0.9 4 .IX Item "DTLSv0.9" -The connection uses an obsolete pre-standardisation DTLS protocol +The connection uses an obsolete pre\-standardisation DTLS protocol .IP DTLSv1 4 .IX Item "DTLSv1" The connection uses the DTLSv1 protocol @@ -150,7 +153,7 @@ The connection uses the TLSv1.3 protocol (never returned for \&\fBSSL_client_version()\fR). .IP DTLS1_BAD_VER 4 .IX Item "DTLS1_BAD_VER" -The connection uses an obsolete pre-standardisation DTLS protocol +The connection uses an obsolete pre\-standardisation DTLS protocol .IP DTLS1_VERSION 4 .IX Item "DTLS1_VERSION" The connection uses the DTLSv1 protocol diff --git a/secure/lib/libcrypto/man/man3/SSL_group_to_name.3 b/secure/lib/libcrypto/man/man3/SSL_group_to_name.3 index d4b480dbe520..db1c1201804e 100644 --- a/secure/lib/libcrypto/man/man3/SSL_group_to_name.3 +++ b/secure/lib/libcrypto/man/man3/SSL_group_to_name.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_GROUP_TO_NAME 3ossl" -.TH SSL_GROUP_TO_NAME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_GROUP_TO_NAME 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -72,13 +75,13 @@ SSL_group_to_name \- get name of group .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBSSL_group_to_name()\fR is used to retrieve the TLS group name -associated with a given TLS group ID, as registered via built-in +associated with a given TLS group ID, as registered via built\-in or external providers and as returned by a call to \fBSSL_get1_groups()\fR or \fBSSL_get_shared_group()\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -If non-NULL, \fBSSL_group_to_name()\fR returns the TLS group name -corresponding to the given \fIid\fR as a NUL-terminated string. +If non\-NULL, \fBSSL_group_to_name()\fR returns the TLS group name +corresponding to the given \fIid\fR as a NUL\-terminated string. If \fBSSL_group_to_name()\fR returns NULL, an error occurred; possibly no corresponding tlsname was registered during provider initialisation. .PP diff --git a/secure/lib/libcrypto/man/man3/SSL_handle_events.3 b/secure/lib/libcrypto/man/man3/SSL_handle_events.3 index 558ddb871608..294969397fc1 100644 --- a/secure/lib/libcrypto/man/man3/SSL_handle_events.3 +++ b/secure/lib/libcrypto/man/man3/SSL_handle_events.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_HANDLE_EVENTS 3ossl" -.TH SSL_HANDLE_EVENTS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_HANDLE_EVENTS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -119,11 +122,11 @@ will be made to the object for a substantial period of time. So long as at least one call to the SSL object is blocking, no such call is needed. However, \&\fBSSL_handle_events()\fR may optionally be used on a QUIC connection object if desired. .Sp -With the thread-assisted mode of operation \fBOSSL_QUIC_client_thread_method\fR\|(3) +With the thread\-assisted mode of operation \fBOSSL_QUIC_client_thread_method\fR\|(3) it is unnecessary to call \fBSSL_handle_events()\fR as the assist thread handles the QUIC connection events. .PP -Calling \fBSSL_handle_events()\fR on any other kind of SSL object is a no-op. This is +Calling \fBSSL_handle_events()\fR on any other kind of SSL object is a no\-op. This is considered a success case. .PP Note that \fBSSL_handle_events()\fR supersedes the older \fBDTLSv1_handle_timeout\fR\|(3) function diff --git a/secure/lib/libcrypto/man/man3/SSL_in_init.3 b/secure/lib/libcrypto/man/man3/SSL_in_init.3 index f74ddbce597c..24c1484c724e 100644 --- a/secure/lib/libcrypto/man/man3/SSL_in_init.3 +++ b/secure/lib/libcrypto/man/man3/SSL_in_init.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_IN_INIT 3ossl" -.TH SSL_IN_INIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_IN_INIT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/SSL_inject_net_dgram.3 b/secure/lib/libcrypto/man/man3/SSL_inject_net_dgram.3 index 778e263dba4e..23dd14e1454a 100644 --- a/secure/lib/libcrypto/man/man3/SSL_inject_net_dgram.3 +++ b/secure/lib/libcrypto/man/man3/SSL_inject_net_dgram.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_INJECT_NET_DGRAM 3ossl" -.TH SSL_INJECT_NET_DGRAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_INJECT_NET_DGRAM 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_key_update.3 b/secure/lib/libcrypto/man/man3/SSL_key_update.3 index 4019834e96d7..d7e0806dd56b 100644 --- a/secure/lib/libcrypto/man/man3/SSL_key_update.3 +++ b/secure/lib/libcrypto/man/man3/SSL_key_update.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_KEY_UPDATE 3ossl" -.TH SSL_KEY_UPDATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_KEY_UPDATE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_library_init.3 b/secure/lib/libcrypto/man/man3/SSL_library_init.3 index 5cfa9e77a146..77a65ed998f9 100644 --- a/secure/lib/libcrypto/man/man3/SSL_library_init.3 +++ b/secure/lib/libcrypto/man/man3/SSL_library_init.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_LIBRARY_INIT 3ossl" -.TH SSL_LIBRARY_INIT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_LIBRARY_INIT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_load_client_CA_file.3 b/secure/lib/libcrypto/man/man3/SSL_load_client_CA_file.3 index 8ab47c02bf4a..37f666addfb4 100644 --- a/secure/lib/libcrypto/man/man3/SSL_load_client_CA_file.3 +++ b/secure/lib/libcrypto/man/man3/SSL_load_client_CA_file.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_LOAD_CLIENT_CA_FILE 3ossl" -.TH SSL_LOAD_CLIENT_CA_FILE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_LOAD_CLIENT_CA_FILE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_new.3 b/secure/lib/libcrypto/man/man3/SSL_new.3 index 711da31b9e26..84d57de39658 100644 --- a/secure/lib/libcrypto/man/man3/SSL_new.3 +++ b/secure/lib/libcrypto/man/man3/SSL_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_NEW 3ossl" -.TH SSL_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_new_domain.3 b/secure/lib/libcrypto/man/man3/SSL_new_domain.3 index 29a46ebc718b..4d69d47fc8d7 100644 --- a/secure/lib/libcrypto/man/man3/SSL_new_domain.3 
+++ b/secure/lib/libcrypto/man/man3/SSL_new_domain.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_NEW_DOMAIN 3ossl" -.TH SSL_NEW_DOMAIN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_NEW_DOMAIN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_new_listener.3 b/secure/lib/libcrypto/man/man3/SSL_new_listener.3 index 4495a1e7ac76..3a68969d87b1 100644 --- a/secure/lib/libcrypto/man/man3/SSL_new_listener.3 +++ b/secure/lib/libcrypto/man/man3/SSL_new_listener.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_NEW_LISTENER 3ossl" -.TH SSL_NEW_LISTENER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_NEW_LISTENER 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -142,7 +145,7 @@ descended from a listener object (e.g. a connection obtained using \&\fBSSL_accept_connection()\fR) or indirectly from a listener object (e.g. a QUIC stream SSL object obtained using \fBSSL_accept_stream()\fR called on a connection obtained using \fBSSL_accept_connection()\fR) the return value is NULL. See NOTES -below for caveats related to pending SSL connections on a QUIC listener's accept +below for caveats related to pending SSL connections on a QUIC listener\*(Aqs accept queue. .PP The \fBSSL_listen()\fR function begins monitoring the listener \fIssl\fR for incoming @@ -154,7 +157,7 @@ called automatically on the first call to \fBSSL_accept_connection()\fR. However the listening process begins, or to ensure that no errors occur when starting to listen for connections. After a call to \fBSSL_listen()\fR (or \&\fBSSL_accept_connection()\fR) succeeds. The \fBSSL_listen()\fR function is idempotent, -subsequent calls on the same \fIssl\fR object are no-ops. This call is supported +subsequent calls on the same \fIssl\fR object are no\-ops. This call is supported only on listener SSL objects. .PP The \fBSSL_accept_connection()\fR call is supported only on a listener SSL object and 
@@ -176,21 +179,21 @@ The \fBSSL_ACCEPT_CONNECTION_NO_BLOCK\fR flag may be specified to listener SSL object is configured in blocking mode. .PP The \fBSSL_get_accept_connection_queue_len()\fR call returns the number of pending -connections on the \fIssl\fR listener's queue. \fBSSL_accept_connection()\fR returns the +connections on the \fIssl\fR listener\*(Aqs queue. \fBSSL_accept_connection()\fR returns the next pending connection, removing it from the queue. The returned connection -count is a point-in-time value, the actual number of connections that will +count is a point\-in\-time value, the actual number of connections that will ultimately be returned may be different. .PP Currently, listener SSL objects are only supported for QUIC server usage via -\&\fBOSSL_QUIC_server_method\fR\|(3), or QUIC client-only usage via +\&\fBOSSL_QUIC_server_method\fR\|(3), or QUIC client\-only usage via \&\fBOSSL_QUIC_client_method\fR\|(3) or \fBOSSL_QUIC_client_thread_method\fR\|(3) (see -"CLIENT-ONLY USAGE"). It is expected that the listener interface, which +"CLIENT\-ONLY USAGE"). It is expected that the listener interface, which provides an abstracted API for connection acceptance, will be expanded to support other protocols, such as TLS over TCP, plain TCP or DTLS in future. .PP \&\fBSSL_listen()\fR and \fBSSL_accept_connection()\fR are "I/O" functions, meaning that they update the value returned by \fBSSL_get_error\fR\|(3) if they fail. -.SH "CLIENT-ONLY USAGE" +.SH "CLIENT\-ONLY USAGE" .IX Header "CLIENT-ONLY USAGE" It is also possible to use the listener interface without accepting any connections and without listening for connections. This can be useful in diff --git a/secure/lib/libcrypto/man/man3/SSL_new_stream.3 b/secure/lib/libcrypto/man/man3/SSL_new_stream.3 index fa7d3cb80d3b..acafd954cbb4 100644 --- a/secure/lib/libcrypto/man/man3/SSL_new_stream.3 +++ b/secure/lib/libcrypto/man/man3/SSL_new_stream.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_NEW_STREAM 3ossl" -.TH SSL_NEW_STREAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_NEW_STREAM 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -76,7 +79,7 @@ SSL_STREAM_FLAG_ADVANCE \- create a new locally\-initiated QUIC stream .SH DESCRIPTION .IX Header "DESCRIPTION" The \fBSSL_new_stream()\fR function, when passed a QUIC connection SSL object, creates -a new locally-initiated bidirectional or unidirectional QUIC stream and returns +a new locally\-initiated bidirectional or unidirectional QUIC stream and returns the newly created QUIC stream SSL object. .PP If the \fBSSL_STREAM_FLAG_UNI\fR flag is passed, a unidirectional stream is @@ -85,7 +88,7 @@ created; else a bidirectional stream is created. To retrieve the stream ID of the newly created stream, use \&\fBSSL_get_stream_id\fR\|(3). .PP -It is the caller's responsibility to free the QUIC stream SSL object using +It is the caller\*(Aqs responsibility to free the QUIC stream SSL object using \&\fBSSL_free\fR\|(3). The lifetime of the QUIC connection SSL object must exceed that of the QUIC stream SSL object; in other words, the QUIC stream SSL object must be freed first. 
@@ -93,7 +96,7 @@ be freed first. Once a stream has been created using \fBSSL_new_stream()\fR, it may be used in the normal way using \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3). .PP -This function can only be used to create stream objects for locally-initiated +This function can only be used to create stream objects for locally\-initiated streams. To accept incoming streams initiated by a peer, use \&\fBSSL_accept_stream\fR\|(3). .PP @@ -124,7 +127,7 @@ remainder of the connection lifetime. .IX Header "RETURN VALUES" \&\fBSSL_new_stream()\fR returns a new stream object, or NULL on error. .PP -This function fails if called on a QUIC stream SSL object or on a non-QUIC SSL +This function fails if called on a QUIC stream SSL object or on a non\-QUIC SSL object. .PP \&\fBSSL_new_stream()\fR may also fail if the underlying connection has reached the diff --git a/secure/lib/libcrypto/man/man3/SSL_pending.3 b/secure/lib/libcrypto/man/man3/SSL_pending.3 index 5c571877c231..acd8bf1f24d8 100644 --- a/secure/lib/libcrypto/man/man3/SSL_pending.3 +++ b/secure/lib/libcrypto/man/man3/SSL_pending.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_PENDING 3ossl" -.TH SSL_PENDING 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_PENDING 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -80,7 +83,7 @@ read by the application via a call to \fBSSL_read_ex\fR\|(3) or \fBSSL_read\fR\| \&\fBSSL_pending()\fR returns the number of bytes which have been processed, buffered and are available inside \fBssl\fR for immediate read. .PP -If the \fBSSL\fR object's \fIread_ahead\fR flag is set (see +If the \fBSSL\fR object\*(Aqs \fIread_ahead\fR flag is set (see \&\fBSSL_CTX_set_read_ahead\fR\|(3)), additional protocol bytes (beyond the current record) may have been read containing more TLS/SSL records. This also applies to DTLS and pipelining (see \fBSSL_CTX_set_split_send_fragment\fR\|(3)). These diff --git a/secure/lib/libcrypto/man/man3/SSL_poll.3 b/secure/lib/libcrypto/man/man3/SSL_poll.3 index 95ba9d818ef9..6dda229bf65f 100644 --- a/secure/lib/libcrypto/man/man3/SSL_poll.3 +++ b/secure/lib/libcrypto/man/man3/SSL_poll.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_POLL 3ossl" -.TH SSL_POLL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_POLL 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -172,7 +175,7 @@ actually applicable to the resource described by \fIdesc\fR. As for \fIevents\fR it is a collection of zero or more \fBSSL_POLL_EVENT\fR flags. .Sp \&\fIrevents\fR need not be a subset of the events specified in \fIevents\fR, as some -event types are defined as always being enabled (non-maskable). See "EVENT +event types are defined as always being enabled (non\-maskable). See "EVENT TYPES" for more information. .PP To use \fBSSL_poll()\fR, call it with an array of \fBSSL_POLL_ITEM\fR structures. The @@ -186,11 +189,11 @@ to use \fBSSL_poll()\fR in blocking or nonblocking mode: If \fItimeout\fR is NULL, the function blocks indefinitely until at least one resource is ready. .IP \(bu 4 -If \fItimeout\fR is non-NULL, and it points to a \fBstruct timeval\fR which is set to +If \fItimeout\fR is non\-NULL, and it points to a \fBstruct timeval\fR which is set to zero, the function operates in nonblocking mode and returns immediately with readiness information. .IP \(bu 4 -If \fItimeout\fR is non-NULL, and it points to a \fBstruct timeval\fR which is set to +If \fItimeout\fR is non\-NULL, and it points to a \fBstruct timeval\fR which is set to a value other than zero, the function blocks for the specified interval or until at least one of the specified resources is ready, whichever comes first. .PP @@ -210,7 +213,7 @@ state machine processing is performed. If this flag is used in blocking mode (for example, with \fItimeout\fR set to NULL), event processing does not occur unless the function blocks. .PP -The \fIresult_count\fR argument is optional. If it is non-NULL, it is used to +The \fIresult_count\fR argument is optional. If it is non\-NULL, it is used to output the number of entries in the array which have nonzero \fIrevents\fR fields when the call to \fBSSL_poll()\fR returns; see "RETURN VALUES" for details. .SH "EVENT TYPES" 
@@ -228,7 +231,7 @@ repeated notifications and has not caused the underlying readiness condition \&\fBSSL_POLL_EVENT_R\fR is reported) to be deasserted. .PP Some event types do not make sense on a given kind of resource. In this case, -specifying that event type in \fIevents\fR is a no-op and will be ignored, and the +specifying that event type in \fIevents\fR is a no\-op and will be ignored, and the given event will never be reported in \fIrevents\fR. .PP Failure of the polling mechanism itself is considered distinct from an exception @@ -237,10 +240,10 @@ and "RETURN VALUES" for details. .PP In general, an application should always listen for the event types corresponding to exception conditions if it is listening to the corresponding -non-exception event types (e.g. \fBSSL_POLL_EVENT_EC\fR and \fBSSL_POLL_EVENT_ER\fR +non\-exception event types (e.g. \fBSSL_POLL_EVENT_EC\fR and \fBSSL_POLL_EVENT_ER\fR for \fBSSL_POLL_EVENT_R\fR), as not doing so is unlikely to be a sound design. .PP -Some event types are non-maskable and may be reported in \fIrevents\fR regardless +Some event types are non\-maskable and may be reported in \fIrevents\fR regardless of whether they were requested in \fIevents\fR. .PP The following event types are supported: @@ -306,7 +309,7 @@ Writable. This event is raised when a QUIC stream SSL object (or a QUIC connection SSL object with a default stream attached) could accept more application data using \fBSSL_write_ex\fR\|(3). .Sp -This event is never raised by a receive-only stream. +This event is never raised by a receive\-only stream. .Sp This event is never raised by a stream which has had its send part concluded normally (as with \fBSSL_stream_conclude\fR\|(3)) or locally reset (as with 
@@ -356,7 +359,7 @@ Unless the \fIitems\fR pointer itself is invalid, \fBSSL_poll()\fR will always i the \fIrevents\fR fields of all items in the input array upon returning, even if it returns failure. .PP -If \fIresult_count\fR is non-NULL, it is always written with the number of items in +If \fIresult_count\fR is non\-NULL, it is always written with the number of items in the array with nonzero \fIrevents\fR fields, even if the \fBSSL_poll()\fR call returns failure. .PP diff --git a/secure/lib/libcrypto/man/man3/SSL_read.3 b/secure/lib/libcrypto/man/man3/SSL_read.3 index d2e93e2991f7..86adff085dc0 100644 --- a/secure/lib/libcrypto/man/man3/SSL_read.3 +++ b/secure/lib/libcrypto/man/man3/SSL_read.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_READ 3ossl" -.TH SSL_READ 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_READ 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -91,7 +94,7 @@ In the paragraphs below a "read function" is defined as one of \fBSSL_read_ex()\ .PP If necessary, a read function will negotiate a TLS/SSL session, if not already explicitly performed by \fBSSL_connect\fR\|(3) or \fBSSL_accept\fR\|(3). If the -peer requests a re-negotiation, it will be performed transparently during +peer requests a re\-negotiation, it will be performed transparently during the read function operation. The behaviour of the read functions depends on the underlying BIO. .PP 
@@ -115,7 +118,7 @@ of the underlying transport (e.g. TCP), it may be necessary to read several packets from the transport layer before the record is complete and the read call can succeed. .PP -If \fBSSL_MODE_AUTO_RETRY\fR has been switched off and a non-application data +If \fBSSL_MODE_AUTO_RETRY\fR has been switched off and a non\-application data record has been processed, the read function can return and set the error to \&\fBSSL_ERROR_WANT_READ\fR. In this case there might still be unprocessed data available in the \fBBIO\fR. @@ -125,9 +128,9 @@ This behaviour can be controlled using the \fBSSL_CTX_set_mode\fR\|(3) call. .PP If the underlying BIO is \fBblocking\fR, a read function will only return once the read operation has been finished or an error occurred, except when a -non-application data record has been processed and \fBSSL_MODE_AUTO_RETRY\fR is +non\-application data record has been processed and \fBSSL_MODE_AUTO_RETRY\fR is not set. -Note that if \fBSSL_MODE_AUTO_RETRY\fR is set and only non-application data is +Note that if \fBSSL_MODE_AUTO_RETRY\fR is set and only non\-application data is available the call will hang. .PP If the underlying BIO is \fBnonblocking\fR, a read function will also return when @@ -136,7 +139,7 @@ operation. In this case a call to \fBSSL_get_error\fR\|(3) with the return value of the read function will yield \fBSSL_ERROR_WANT_READ\fR or \&\fBSSL_ERROR_WANT_WRITE\fR. -As at any time it's possible that non-application data needs to be sent, +As at any time it\*(Aqs possible that non\-application data needs to be sent, a read function can also cause write operations. The calling process then must repeat the call after taking appropriate action to satisfy the needs of the read function. 
@@ -165,7 +168,7 @@ Success means that 1 or more application data bytes have been read from the SSL connection. Failure means that no bytes could be read from the SSL connection. Failures can be retryable (e.g. we are waiting for more bytes to -be delivered by the network) or non-retryable (e.g. a fatal network error). +be delivered by the network) or non\-retryable (e.g. a fatal network error). In the event of a failure call \fBSSL_get_error\fR\|(3) to find out the reason which indicates whether the call is retryable or not. .PP @@ -183,7 +186,7 @@ Call \fBSSL_get_error\fR\|(3) with the return value \fBret\fR to find out the re .Sp Old documentation indicated a difference between 0 and \-1, and that \-1 was retryable. -You should instead call \fBSSL_get_error()\fR to find out if it's retryable. +You should instead call \fBSSL_get_error()\fR to find out if it\*(Aqs retryable. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBSSL_get_error\fR\|(3), \fBSSL_write_ex\fR\|(3), diff --git a/secure/lib/libcrypto/man/man3/SSL_read_early_data.3 b/secure/lib/libcrypto/man/man3/SSL_read_early_data.3 index 0f769aaff8b6..d8c7ed47c012 100644 --- a/secure/lib/libcrypto/man/man3/SSL_read_early_data.3 +++ b/secure/lib/libcrypto/man/man3/SSL_read_early_data.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_READ_EARLY_DATA 3ossl" -.TH SSL_READ_EARLY_DATA 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_READ_EARLY_DATA 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -118,7 +121,7 @@ These functions are used to send and receive early data where TLSv1.3 has been negotiated. Early data can be sent by the client immediately after its initial ClientHello without having to wait for the server to complete the handshake. Early data can be sent if a session has previously been established with the -server or when establishing a new session using an out-of-band PSK, and only +server or when establishing a new session using an out\-of\-band PSK, and only when the server is known to support it. Additionally these functions can be used to send data from the server to the client when the client has not yet completed the authentication stage of the handshake. @@ -131,7 +134,7 @@ data. For specific details, consult the TLS 1.3 specification. .PP When a server receives early data it may opt to immediately respond by sending application data back to the client. Data sent by the server at this stage is -done before the full handshake has been completed. Specifically the client's +done before the full handshake has been completed. Specifically the client\*(Aqs authentication messages have not yet been received, i.e. the client is unauthenticated at this point and care should be taken when using this capability. 
@@ -288,7 +291,7 @@ decision is made to accept or reject early data. The callback is provided with a pointer to the user data argument that was provided when the callback was first set. Returning 1 from the callback will allow early data and returning 0 will reject it. Note that the OpenSSL library may reject early data for other reasons -in which case this callback will not get called. Notably, the built-in replay +in which case this callback will not get called. Notably, the built\-in replay protection feature will still be used even if a callback is present unless it has been explicitly disabled using the SSL_OP_NO_ANTI_REPLAY option. See "REPLAY PROTECTION" below. @@ -302,10 +305,10 @@ These functions cannot currently be used with QUIC SSL objects. The whole purpose of early data is to enable a client to start sending data to the server before a full round trip of network traffic has occurred. Application developers should ensure they consider optimisation of the underlying TCP socket -to obtain a performant solution. For example Nagle's algorithm is commonly used +to obtain a performant solution. For example Nagle\*(Aqs algorithm is commonly used by operating systems in an attempt to avoid lots of small TCP packets. In many scenarios this is beneficial for performance, but it does not work well with the -early data solution as implemented in OpenSSL. In Nagle's algorithm the OS will +early data solution as implemented in OpenSSL. In Nagle\*(Aqs algorithm the OS will buffer outgoing TCP data if a TCP packet has already been sent which we have not yet received an ACK for from the peer. The buffered data will only be transmitted if enough data to fill an entire TCP packet is accumulated, or if 
@@ -320,7 +323,7 @@ sent until a complete round trip with the server has occurred which defeats the objective of early data. .PP In many operating systems the TCP_NODELAY socket option is available to disable -Nagle's algorithm. If an application opts to disable Nagle's algorithm +Nagle\*(Aqs algorithm. If an application opts to disable Nagle\*(Aqs algorithm consideration should be given to turning it back on again after the handshake is complete if appropriate. .PP @@ -359,7 +362,7 @@ does not exist then the resumption is not allowed and a full handshake will occur. .PP Note that some applications may maintain an external cache of sessions (see -\&\fBSSL_CTX_sess_set_new_cb\fR\|(3) and similar functions). It is the application's +\&\fBSSL_CTX_sess_set_new_cb\fR\|(3) and similar functions). It is the application\*(Aqs responsibility to ensure that any sessions in the external cache are also populated in the internal cache and that once removed from the internal cache they are similarly removed from the external cache. Failing to do this could @@ -376,7 +379,7 @@ The OpenSSL replay protection does not apply to external Pre Shared Keys (PSKs) should be applied when combining external PSKs with early data. .PP Some applications may mitigate the replay risks in other ways. For those -applications it is possible to turn off the built-in replay protection feature +applications it is possible to turn off the built\-in replay protection feature using the \fBSSL_OP_NO_ANTI_REPLAY\fR option. See \fBSSL_CTX_set_options\fR\|(3) for details. Applications can also set a callback to make decisions about accepting early data or not. See \fBSSL_CTX_set_allow_early_data_cb()\fR above for details. diff --git a/secure/lib/libcrypto/man/man3/SSL_rstate_string.3 b/secure/lib/libcrypto/man/man3/SSL_rstate_string.3 index 115806c881b5..c47614c74c58 100644 --- a/secure/lib/libcrypto/man/man3/SSL_rstate_string.3 +++ b/secure/lib/libcrypto/man/man3/SSL_rstate_string.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_RSTATE_STRING 3ossl" -.TH SSL_RSTATE_STRING 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_RSTATE_STRING 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_session_reused.3 b/secure/lib/libcrypto/man/man3/SSL_session_reused.3 index 58cec1f57e74..83cde4dbf107 100644 --- a/secure/lib/libcrypto/man/man3/SSL_session_reused.3 +++ b/secure/lib/libcrypto/man/man3/SSL_session_reused.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SESSION_REUSED 3ossl" -.TH SSL_SESSION_REUSED 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SESSION_REUSED 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_set1_host.3 b/secure/lib/libcrypto/man/man3/SSL_set1_host.3 index 005abe729f73..1e4b44dc6364 100644 
--- a/secure/lib/libcrypto/man/man3/SSL_set1_host.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set1_host.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET1_HOST 3ossl" -.TH SSL_SET1_HOST 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET1_HOST 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -90,7 +93,7 @@ the primary reference identifier of the peer, and should not call \&\fBSSL_set1_host()\fR. .PP \&\fBSSL_add1_host()\fR adds \fIhost\fR as an additional reference identifier -that can match the peer's certificate. Any previous hostnames +that can match the peer\*(Aqs certificate. Any previous hostnames set via \fBSSL_set1_host()\fR or \fBSSL_add1_host()\fR are retained. Adding an IP address is allowed only if no IP address has been set before. No change is made if \fIhost\fR is NULL or empty. 
@@ -115,7 +118,7 @@ identifiers. When wildcard matching is not disabled, the name matched in the peer certificate may be a wildcard name. When one of the reference identifiers configured via \fBSSL_set1_host()\fR or \&\fBSSL_add1_host()\fR starts with ".", which indicates a parent domain prefix -rather than a fixed name, the matched peer name may be a sub-domain +rather than a fixed name, the matched peer name may be a sub\-domain of the reference identifier. The returned string is allocated by the library and is no longer valid once the associated \fIssl\fR handle is cleared or freed, or a renegotiation takes place. Applications diff --git a/secure/lib/libcrypto/man/man3/SSL_set1_initial_peer_addr.3 b/secure/lib/libcrypto/man/man3/SSL_set1_initial_peer_addr.3 index 01ea3ffd736a..16aa3000bac1 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set1_initial_peer_addr.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set1_initial_peer_addr.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET1_INITIAL_PEER_ADDR 3ossl" -.TH SSL_SET1_INITIAL_PEER_ADDR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET1_INITIAL_PEER_ADDR 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_set1_server_cert_type.3 b/secure/lib/libcrypto/man/man3/SSL_set1_server_cert_type.3 index ffc2356523ac..06239cfaa2cf 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set1_server_cert_type.3 
+++ b/secure/lib/libcrypto/man/man3/SSL_set1_server_cert_type.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET1_SERVER_CERT_TYPE 3ossl" -.TH SSL_SET1_SERVER_CERT_TYPE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET1_SERVER_CERT_TYPE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -132,7 +135,7 @@ Which corresponds to an X.509 certificate normally used in TLS. .IX Item "TLSEXT_cert_type_rpk" Which corresponds to a raw public key. .PP -If \fBval\fR is set to a non-NULL value, then the extension is sent in the handshake. +If \fBval\fR is set to a non\-NULL value, then the extension is sent in the handshake. If b<val> is set to a NULL value (and \fBlen\fR is 0), then the extension is disabled. The default value is NULL, meaning the extension is not sent, and X.509 certificates are used in the handshake. diff --git a/secure/lib/libcrypto/man/man3/SSL_set_async_callback.3 b/secure/lib/libcrypto/man/man3/SSL_set_async_callback.3 index be474806f295..913044b975b3 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_async_callback.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_async_callback.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_ASYNC_CALLBACK 3ossl" -.TH SSL_SET_ASYNC_CALLBACK 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_ASYNC_CALLBACK 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -124,14 +127,14 @@ At a future point in time (probably via a polling mechanism or via an interrupt) the engine will become aware that the asynchronous request has finished processing. .IP 6. 4 -The engine will call the application's callback passing the callback data as +The engine will call the application\*(Aqs callback passing the callback data as a parameter. .IP 7. 4 The callback function should then run. Note: it is a requirement that the callback function is small and nonblocking as it will be run in the context of a polling mechanism or an interrupt. .IP 8. 4 -It is the application's responsibility via the callback function to schedule +It is the application\*(Aqs responsibility via the callback function to schedule recalling the OpenSSL asynchronous function and to continue processing. .IP 9. 4 The callback function has the option to check the status returned via diff --git a/secure/lib/libcrypto/man/man3/SSL_set_bio.3 b/secure/lib/libcrypto/man/man3/SSL_set_bio.3 index c72c90b43a05..591829d7a1d7 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_bio.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_bio.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_BIO 3ossl" -.TH SSL_SET_BIO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_BIO 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -139,7 +142,7 @@ use \fBSSL_set0_rbio()\fR and \fBSSL_set0_wbio()\fR instead. Where a new BIO is set on a QUIC connection SSL object, blocking mode will be disabled on that SSL object if the BIO cannot support blocking mode. If another BIO is subsequently set on the SSL object which can support blocking mode, -blocking mode will not be automatically re-enabled. For more information, see +blocking mode will not be automatically re\-enabled. For more information, see \&\fBSSL_set_blocking_mode\fR\|(3). .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/SSL_set_blocking_mode.3 b/secure/lib/libcrypto/man/man3/SSL_set_blocking_mode.3 index 405a4c97ac77..78ad8ca39673 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_blocking_mode.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_blocking_mode.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_BLOCKING_MODE 3ossl" -.TH SSL_SET_BLOCKING_MODE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_BLOCKING_MODE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -100,7 +103,7 @@ is responsible for ensuring that the SSL object is ticked regularly; see .PP Blocking mode is disabled automatically if the application provides a QUIC connection SSL object with a network BIO which cannot support blocking mode. To -re-enable blocking mode in this case, an application must set a network BIO +re\-enable blocking mode in this case, an application must set a network BIO which can support blocking mode and explicitly call \fBSSL_set_blocking_mode()\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/SSL_set_connect_state.3 b/secure/lib/libcrypto/man/man3/SSL_set_connect_state.3 index 4507bddf609c..c655548a2bc5 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_connect_state.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_connect_state.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_CONNECT_STATE 3ossl" -.TH SSL_SET_CONNECT_STATE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_CONNECT_STATE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_set_default_stream_mode.3 b/secure/lib/libcrypto/man/man3/SSL_set_default_stream_mode.3 index ce8c95d9297d..19a4de259f62 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_default_stream_mode.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_default_stream_mode.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_DEFAULT_STREAM_MODE 3ossl" -.TH SSL_SET_DEFAULT_STREAM_MODE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_DEFAULT_STREAM_MODE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -87,15 +90,15 @@ connection. When not disabled, a default stream is automatically created on an outgoing connection once \fBSSL_read\fR\|(3) or \fBSSL_write\fR\|(3) is called. .PP -A QUIC stream must be explicitly designated as client-initiated or -server-initiated up front. This broadly corresponds to whether an application +A QUIC stream must be explicitly designated as client\-initiated or +server\-initiated up front. This broadly corresponds to whether an application protocol involves the client transmitting first, or the server transmitting first. As such, if \fBSSL_read\fR\|(3) is called first (before any call to \&\fBSSL_write\fR\|(3)) after establishing a connection, OpenSSL will wait for the -server to open the first server-initiated stream, and then bind this as the +server to open the first server\-initiated stream, and then bind this as the default stream. Conversely, if \fBSSL_write\fR\|(3) is called before any call to \&\fBSSL_read\fR\|(3), OpenSSL assumes the client wishes to transmit first, creates a -client-initiated stream, and binds this as the default stream. +client\-initiated stream, and binds this as the default stream. .PP By default, the default stream created is bidirectional. If a unidirectional stream is desired, or if the application wishes to disable default stream 
@@ -119,7 +122,7 @@ after calling \fBSSL_new\fR\|(3), prior to initiating a connection. The argument .IP SSL_DEFAULT_STREAM_MODE_AUTO_BIDI 4 .IX Item "SSL_DEFAULT_STREAM_MODE_AUTO_BIDI" This is the default setting. If \fBSSL_write\fR\|(3) is called prior to any call to -\&\fBSSL_read\fR\|(3), a bidirectional client-initiated stream is created and bound as +\&\fBSSL_read\fR\|(3), a bidirectional client\-initiated stream is created and bound as the default stream. If \fBSSL_read\fR\|(3) is called prior to any call to \&\fBSSL_write\fR\|(3), OpenSSL waits for an incoming stream from the peer (causing \&\fBSSL_read\fR\|(3) to block if the connection is in blocking mode), and then binds @@ -131,7 +134,7 @@ determine the type of a stream after a call to \fBSSL_read\fR\|(3), use .IP SSL_DEFAULT_STREAM_MODE_AUTO_UNI 4 .IX Item "SSL_DEFAULT_STREAM_MODE_AUTO_UNI" In this mode, if \fBSSL_write\fR\|(3) is called prior to any call to \fBSSL_read\fR\|(3), -a unidirectional client-initiated stream is created and bound as the default +a unidirectional client\-initiated stream is created and bound as the default stream. The behaviour is otherwise identical to that of \&\fBSSL_DEFAULT_STREAM_MODE_AUTO_BIDI\fR. The behaviour when \fBSSL_read\fR\|(3) is called prior to any call to \fBSSL_write\fR\|(3) is unchanged. @@ -154,7 +157,7 @@ stream functionality. \&\fBSSL_set_default_stream_mode()\fR fails if it is called after a default stream has already been established. .PP -These functions fail if called on a QUIC stream SSL object or on a non-QUIC SSL +These functions fail if called on a QUIC stream SSL object or on a non\-QUIC SSL object. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/SSL_set_fd.3 b/secure/lib/libcrypto/man/man3/SSL_set_fd.3 index cfe006922785..e8fece739820 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_fd.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_fd.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_FD 3ossl" -.TH SSL_SET_FD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_FD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -102,7 +105,7 @@ The operation succeeded. .SH NOTES .IX Header "NOTES" On Windows, a socket handle is a 64\-bit data type (UINT_PTR), which leads to a -compiler warning (conversion from 'SOCKET' to 'int', possible loss of data) when +compiler warning (conversion from \*(AqSOCKET\*(Aq to \*(Aqint\*(Aq, possible loss of data) when passing the socket handle to SSL_set_*\fBfd()\fR. For the time being, this warning can safely be ignored, because although the Microsoft documentation claims that the upper limit is INVALID_SOCKET\-1 (2^64 \- 2), in practice the current \fBsocket()\fR diff --git a/secure/lib/libcrypto/man/man3/SSL_set_incoming_stream_policy.3 b/secure/lib/libcrypto/man/man3/SSL_set_incoming_stream_policy.3 index a8a845c6d2f6..f3700d69b27d 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_incoming_stream_policy.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_incoming_stream_policy.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_INCOMING_STREAM_POLICY 3ossl" -.TH SSL_SET_INCOMING_STREAM_POLICY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_INCOMING_STREAM_POLICY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -82,8 +85,8 @@ policy \&\fBSSL_set_incoming_stream_policy()\fR policy changes the incoming stream policy for a QUIC connection. Depending on the policy configured, OpenSSL QUIC may automatically reject incoming streams initiated by the peer. This is intended to -ensure that legacy applications using single-stream operation with a default -stream on a QUIC connection SSL object are not passed remotely-initiated streams +ensure that legacy applications using single\-stream operation with a default +stream on a QUIC connection SSL object are not passed remotely\-initiated streams by a peer which those applications are not prepared to handle. .PP \&\fIapp_error_code\fR is an application error code which will be used in any QUIC @@ -123,7 +126,7 @@ appropriate. .IX Header "RETURN VALUES" Returns 1 on success and 0 on failure. .PP -This function fails if called on a QUIC stream SSL object, or on a non-QUIC SSL +This function fails if called on a QUIC stream SSL object, or on a non\-QUIC SSL object. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/SSL_set_quic_tls_cbs.3 b/secure/lib/libcrypto/man/man3/SSL_set_quic_tls_cbs.3 index 509a3d617c09..99ca38523393 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_quic_tls_cbs.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_quic_tls_cbs.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_QUIC_TLS_CBS 3ossl" -.TH SSL_SET_QUIC_TLS_CBS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_QUIC_TLS_CBS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -129,6 +132,11 @@ given SSL object \fIs\fR, a set of callbacks are supplied in an \fBOSSL_DISPATCH table via \fIqtdis\fR. The \fIarg\fR parameter will be passed as an argument when the various callbacks are called. .PP +The above callbacks are invoked, as needed, by \fBSSL_do_handshake()\fR and \fBSSL_read()\fR (including +SSL_read_ex, SSL_peek, SSL_peek_ex). Once the SSL handshake is complete, the QUIC +stack must arrange to call one of the \fBSSL_read()\fR variants whenever a post\-handshake CRYPTO +frame is received. The number of bytes requested may be zero. +.PP An \fBOSSL_DISPATCH\fR table should consist of an array of \fBOSSL_DISPATCH\fR entries where each entry is a function id, and a function pointer. The array should be terminated with an empty entry (i.e. a 0 function id, and a NULL function diff --git a/secure/lib/libcrypto/man/man3/SSL_set_retry_verify.3 b/secure/lib/libcrypto/man/man3/SSL_set_retry_verify.3 index 9fb384e418f0..2db08d10bdfc 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_retry_verify.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_retry_verify.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_RETRY_VERIFY 3ossl" -.TH SSL_SET_RETRY_VERIFY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_RETRY_VERIFY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_set_session.3 b/secure/lib/libcrypto/man/man3/SSL_set_session.3 index 8467f0e4d481..6be172ec7234 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_session.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_session.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_SESSION 3ossl" -.TH SSL_SET_SESSION 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_SESSION 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -89,7 +92,7 @@ set the SSL_SENT_SHUTDOWN state). .SH NOTES .IX Header "NOTES" SSL_SESSION objects keep internal link information about the session cache -list, when being inserted into one SSL_CTX object's session cache. +list, when being inserted into one SSL_CTX object\*(Aqs session cache. One SSL_SESSION object, regardless of its reference count, must therefore only be used with one SSL_CTX object (and the SSL objects created from this SSL_CTX object). diff --git a/secure/lib/libcrypto/man/man3/SSL_set_session_secret_cb.3 b/secure/lib/libcrypto/man/man3/SSL_set_session_secret_cb.3 index c098d051d814..0f1ce29b45fa 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_session_secret_cb.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_session_secret_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_SESSION_SECRET_CB 3ossl" -.TH SSL_SET_SESSION_SECRET_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_SESSION_SECRET_CB 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -81,10 +84,10 @@ SSL_set_session_secret_cb, tls_session_secret_cb_fn \&\fBSSL_set_session_secret_cb()\fR sets the session secret callback to be used (\fIsession_secret_cb\fR), and an optional argument (\fIarg\fR) to be passed to that callback when it is called. This is only useful for an implementation of -EAP-FAST (RFC4851). The presence of the callback also modifies the internal +EAP\-FAST (RFC4851). The presence of the callback also modifies the internal OpenSSL TLS state machine to match the modified TLS behaviour as described in RFC4851. Therefore this callback should not be used except when implementing -EAP-FAST. +EAP\-FAST. .PP The callback is expected to set the master secret to be used by filling in the data pointed to by \fI*secret\fR. The size of the secret buffer is initially diff --git a/secure/lib/libcrypto/man/man3/SSL_set_shutdown.3 b/secure/lib/libcrypto/man/man3/SSL_set_shutdown.3 index d6b9c03375c8..2b99cbbc3bcd 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_shutdown.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_shutdown.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_SHUTDOWN 3ossl" -.TH SSL_SET_SHUTDOWN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_SHUTDOWN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -78,7 +81,7 @@ SSL_set_shutdown, SSL_get_shutdown \- manipulate shutdown state of an SSL connec \&\fBSSL_get_shutdown()\fR returns the shutdown mode of \fBssl\fR. .SH NOTES .IX Header "NOTES" -The shutdown state of an ssl connection is a bit-mask of: +The shutdown state of an ssl connection is a bit\-mask of: .IP 0 4 No shutdown setting, yet. .IP SSL_SENT_SHUTDOWN 4 @@ -98,7 +101,7 @@ the ssl session. If the session is still open, when it is considered bad and removed according to RFC2246. The actual condition for a correctly closed session is SSL_SENT_SHUTDOWN (according to the TLS RFC, it is acceptable to only send the close_notify -alert but to not wait for the peer's answer, when the underlying connection +alert but to not wait for the peer\*(Aqs answer, when the underlying connection is closed). \&\fBSSL_set_shutdown()\fR can be used to set this state without sending a close alert to the peer (see \fBSSL_shutdown\fR\|(3)). diff --git a/secure/lib/libcrypto/man/man3/SSL_set_verify_result.3 b/secure/lib/libcrypto/man/man3/SSL_set_verify_result.3 index 4982fcc96728..eac543e584e6 100644 --- a/secure/lib/libcrypto/man/man3/SSL_set_verify_result.3 +++ b/secure/lib/libcrypto/man/man3/SSL_set_verify_result.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SET_VERIFY_RESULT 3ossl" -.TH SSL_SET_VERIFY_RESULT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SET_VERIFY_RESULT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/SSL_shutdown.3 b/secure/lib/libcrypto/man/man3/SSL_shutdown.3 index 0ffd3780368f..57eb6d24608d 100644 --- a/secure/lib/libcrypto/man/man3/SSL_shutdown.3 +++ b/secure/lib/libcrypto/man/man3/SSL_shutdown.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_SHUTDOWN 3ossl" -.TH SSL_SHUTDOWN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_SHUTDOWN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -82,11 +85,11 @@ SSL_shutdown, SSL_shutdown_ex \- shut down a TLS/SSL or QUIC connection .IX Header "DESCRIPTION" \&\fBSSL_shutdown()\fR shuts down an active connection represented by an SSL object. \fIssl\fR \fBMUST NOT\fR be NULL. .PP -\&\fBSSL_shutdown_ex()\fR is an extended version of \fBSSL_shutdown()\fR. If non-NULL, \fIargs\fR +\&\fBSSL_shutdown_ex()\fR is an extended version of \fBSSL_shutdown()\fR. If non\-NULL, \fIargs\fR must point to a \fBSSL_SHUTDOWN_EX_ARGS\fR structure and \fIargs_len\fR must be set to \&\f(CWsizeof(SSL_SHUTDOWN_EX_ARGS)\fR. The \fBSSL_SHUTDOWN_EX_ARGS\fR structure must be -zero-initialized. If \fIargs\fR is NULL, the behaviour is the same as passing a -zero-initialised \fBSSL_SHUTDOWN_EX_ARGS\fR structure. Currently, all extended +zero\-initialized. If \fIargs\fR is NULL, the behaviour is the same as passing a +zero\-initialised \fBSSL_SHUTDOWN_EX_ARGS\fR structure. Currently, all extended arguments relate to usage with QUIC, therefore this call functions identically to \fBSSL_shutdown()\fR when not being used with QUIC. .PP @@ -104,7 +107,7 @@ information. \&\fBSSL_shutdown()\fR should not be called if a previous fatal error has occurred on a connection; i.e., if \fBSSL_get_error\fR\|(3) has returned \fBSSL_ERROR_SYSCALL\fR or \&\fBSSL_ERROR_SSL\fR. -.SH "TLS AND DTLS-SPECIFIC CONSIDERATIONS" +.SH "TLS AND DTLS\-SPECIFIC CONSIDERATIONS" .IX Header "TLS AND DTLS-SPECIFIC CONSIDERATIONS" Shutdown for SSL/TLS and DTLS is implemented in terms of the SSL/TLS/DTLS close_notify alert message. The shutdown process for SSL/TLS and DTLS 
@@ -116,7 +119,7 @@ A close_notify shutdown alert message is received from the peer. .PP These steps can occur in either order depending on whether the connection shutdown process was first initiated by the local application or by the peer. -.SS "Locally-Initiated Shutdown" +.SS "Locally\-Initiated Shutdown" .IX Subsection "Locally-Initiated Shutdown" Calling \fBSSL_shutdown()\fR on an SSL/TLS or DTLS SSL object initiates the shutdown process and causes OpenSSL to try to send a close_notify shutdown alert to the @@ -128,11 +131,11 @@ read direction is closed by the peer. Once \fBSSL_shutdown()\fR is called, \&\fBSSL_write\fR\|(3) can no longer be used, but \fBSSL_read\fR\|(3) may still be used until the peer decides to close the connection in turn. The peer might continue sending data for some period of time before handling the local -application's shutdown indication. +application\*(Aqs shutdown indication. .PP \&\fBSSL_shutdown()\fR does not affect an underlying network connection such as a TCP connection, which remains open. -.SS "Remotely-Initiated Shutdown" +.SS "Remotely\-Initiated Shutdown" .IX Subsection "Remotely-Initiated Shutdown" If the peer was the first to initiate the shutdown process by sending a close_notify alert message, an application will be notified of this as an EOF 
@@ -169,12 +172,12 @@ received). However, the preferred method of waiting for the shutdown to complete is to use \&\fBSSL_read\fR\|(3) until \fBSSL_get_error\fR\|(3) indicates EOF by returning \&\fBSSL_ERROR_ZERO_RETURN\fR. This ensures any data received immediately before the -peer's close_notify alert is still provided to the application. It also ensures -any final handshake-layer messages received are processed (for example, messages +peer\*(Aqs close_notify alert is still provided to the application. It also ensures +any final handshake\-layer messages received are processed (for example, messages issuing new session tickets). .PP If this approach is not used, the second call to \fBSSL_shutdown()\fR (to complete the -shutdown by confirming receipt of the peer's close_notify message) will fail if +shutdown by confirming receipt of the peer\*(Aqs close_notify message) will fail if it is called when the application has not read all pending application data sent by the peer using \fBSSL_read\fR\|(3). .PP @@ -188,7 +191,7 @@ may be checked using \fBSSL_get_shutdown\fR\|(3). .IX Subsection "Fast Shutdown" Alternatively, it is acceptable for an application to call \fBSSL_shutdown()\fR once (such that it returns 0) and then close the underlying connection without -waiting for the peer's response. This allows for a more rapid shutdown process +waiting for the peer\*(Aqs response. This allows for a more rapid shutdown process if the application does not wish to wait for the peer. .PP This alternative "fast shutdown" approach should only be done if it is known 
@@ -221,11 +224,11 @@ state without actually sending a close_notify alert message; see \&\fBSSL_CTX_set_quiet_shutdown\fR\|(3). When "quiet shutdown" is enabled, \&\fBSSL_shutdown()\fR will always succeed and return 1 immediately. .PP -This is not standards-compliant behaviour. It should only be done when the +This is not standards\-compliant behaviour. It should only be done when the application protocol in use enables the peer to ensure that all data has been -received, such that it doesn't need to wait for a close_notify alert, otherwise +received, such that it doesn\*(Aqt need to wait for a close_notify alert, otherwise application data may be truncated unexpectedly. -.SS "Non-Compliant Peers" +.SS "Non\-Compliant Peers" .IX Subsection "Non-Compliant Peers" There are SSL/TLS implementations that never send the required close_notify alert message but simply close the underlying transport (e.g. a TCP connection) @@ -256,13 +259,13 @@ to benefit from session resumption are advised to perform a complete shutdown procedure by calling \fBSSL_shutdown()\fR until it returns 1, as described above. This will ensure there is an opportunity for SSL/TLS session ticket messages to be received and processed by OpenSSL. -.SH "QUIC-SPECIFIC SHUTDOWN CONSIDERATIONS" +.SH "QUIC\-SPECIFIC SHUTDOWN CONSIDERATIONS" .IX Header "QUIC-SPECIFIC SHUTDOWN CONSIDERATIONS" When used with a QUIC connection SSL object, \fBSSL_shutdown()\fR initiates a QUIC immediate close using QUIC \fBCONNECTION_CLOSE\fR frames. .PP \&\fBSSL_shutdown()\fR cannot be used on QUIC stream SSL objects. To conclude a stream -normally, see \fBSSL_stream_conclude\fR\|(3); to perform a non-normal stream +normally, see \fBSSL_stream_conclude\fR\|(3); to perform a non\-normal stream termination, see \fBSSL_stream_reset\fR\|(3). .PP \&\fBSSL_shutdown_ex()\fR may be used instead of \fBSSL_shutdown()\fR by an application to 
@@ -275,10 +278,10 @@ must be in the range [0, 2**62\-1], else the call to \fBSSL_shutdown_ex()\fR fai not provided, an error code of 0 is used by default. .IP \fIquic_reason\fR 4 .IX Item "quic_reason" -An optional zero-terminated (UTF\-8) reason string to be signalled to the peer. +An optional zero\-terminated (UTF\-8) reason string to be signalled to the peer. The application is responsible for providing a valid UTF\-8 string and OpenSSL will not validate the string. If a reason is not provided, or \fBSSL_shutdown()\fR is -used, a zero-length string is used as the reason. If provided, the reason string +used, a zero\-length string is used as the reason. If provided, the reason string is copied and stored inside the QUIC connection SSL object and need not remain allocated after the call to \fBSSL_shutdown_ex()\fR returns. Reason strings are bounded by the path MTU and may be silently truncated if they are too long to 
@@ -320,15 +323,15 @@ application has been sent to the peer, and until the receipt of all such data is acknowledged by the peer. Only once this process is completed is the shutdown considered complete. .PP -An exception to this is streams which terminated in a non-normal fashion, for -example due to a stream reset; only streams which are non-terminated at the time +An exception to this is streams which terminated in a non\-normal fashion, for +example due to a stream reset; only streams which are non\-terminated at the time \&\fBSSL_shutdown()\fR is called, or which terminated in a normal fashion, have their pending send buffers flushed in this manner. .PP This behaviour of flushing streams during the shutdown process can be skipped by setting the \fBSSL_SHUTDOWN_FLAG_NO_STREAM_FLUSH\fR flag in a call to \&\fBSSL_shutdown_ex()\fR; in this case, data remaining in stream send buffers may not -be transmitted to the peer. This flag may be used when a non-normal application +be transmitted to the peer. This flag may be used when a non\-normal application condition has occurred and the delivery of data written to streams via \&\fBSSL_write\fR\|(3) is no longer relevant. .SS "Shutdown Mode" 
@@ -338,9 +341,9 @@ applications. Ordinarily, QUIC expects a connection to continue to be serviced for a substantial period of time after it is nominally closed. This is necessary to ensure that any connection closure notification sent to the peer was successfully received. However, a consequence of this is that a fully -RFC-compliant QUIC connection closure process could take of the order of -seconds. This may be unsuitable for some applications, such as short-lived -processes which need to exit immediately after completing an application-layer +RFC\-compliant QUIC connection closure process could take of the order of +seconds. This may be unsuitable for some applications, such as short\-lived +processes which need to exit immediately after completing an application\-layer transaction. .PP As such, there are two shutdown modes available to users of QUIC connection SSL @@ -368,12 +371,12 @@ yet been fully shut down (unless it has already done so, in which case it will return 1). .PP If \fBSSL_SHUTDOWN_FLAG_RAPID\fR is specified in \fIflags\fR, a rapid shutdown is -performed, otherwise an RFC-compliant shutdown is performed. +performed, otherwise an RFC\-compliant shutdown is performed. .PP If an application calls \fBSSL_shutdown_ex()\fR with \fBSSL_SHUTDOWN_FLAG_RAPID\fR, an application can subsequently change its mind about performing a rapid shutdown by making a subsequent call to \fBSSL_shutdown_ex()\fR without the flag set. -.SS "Peer-Initiated Shutdown" +.SS "Peer\-Initiated Shutdown" .IX Subsection "Peer-Initiated Shutdown" In some cases, an application may wish to wait for a shutdown initiated by the peer rather than triggered locally. To do this, call \fBSSL_shutdown_ex()\fR with 
@@ -414,7 +417,7 @@ even though no error occurred. .IX Item "1" The shutdown was successfully completed. .Sp -For TLS and DTLS, this means that a close_notify alert was sent and the peer's +For TLS and DTLS, this means that a close_notify alert was sent and the peer\*(Aqs close_notify alert was received. .Sp For QUIC connection SSL objects, this means that the connection closure process diff --git a/secure/lib/libcrypto/man/man3/SSL_state_string.3 b/secure/lib/libcrypto/man/man3/SSL_state_string.3 index be33cc662261..a7d654e470f4 100644 --- a/secure/lib/libcrypto/man/man3/SSL_state_string.3 +++ b/secure/lib/libcrypto/man/man3/SSL_state_string.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_STATE_STRING 3ossl" -.TH SSL_STATE_STRING 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_STATE_STRING 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -73,7 +76,7 @@ SSL_state_string, SSL_state_string_long \- get textual description of state of a .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBSSL_state_string()\fR returns an abbreviated string indicating the current state -of the SSL object \fBssl\fR. The returned NUL-terminated string contains 6 or fewer characters. +of the SSL object \fBssl\fR. The returned NUL\-terminated string contains 6 or fewer characters. .PP \&\fBSSL_state_string_long()\fR returns a descriptive string indicating the current state of the SSL object \fBssl\fR. 
diff --git a/secure/lib/libcrypto/man/man3/SSL_stream_conclude.3 b/secure/lib/libcrypto/man/man3/SSL_stream_conclude.3 index 1c6cee7b37c8..946830337533 100644 --- a/secure/lib/libcrypto/man/man3/SSL_stream_conclude.3 +++ b/secure/lib/libcrypto/man/man3/SSL_stream_conclude.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_STREAM_CONCLUDE 3ossl" -.TH SSL_STREAM_CONCLUDE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_STREAM_CONCLUDE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -71,14 +74,14 @@ SSL_stream_conclude \- conclude the sending part of a QUIC stream .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -\&\fBSSL_stream_conclude()\fR signals the normal end-of-stream condition for the send +\&\fBSSL_stream_conclude()\fR signals the normal end\-of\-stream condition for the send part of a QUIC stream. If called on a QUIC connection SSL object with an associated default stream, it signals the end of the single stream to the peer. .PP Any data already queued for transmission via a call to \fBSSL_write()\fR will still be -written in a reliable manner before the end-of-stream is signalled, assuming the +written in a reliable manner before the end\-of\-stream is signalled, assuming the connection remains healthy. This function can be thought of as appending a -logical end-of-stream marker after any data which has previously been written to +logical end\-of\-stream marker after any data which has previously been written to the stream via calls to \fBSSL_write()\fR. Further attempts to call \fBSSL_write()\fR after calling this function will fail. .PP @@ -89,7 +92,7 @@ of the stream. Thus, \fBSSL_read()\fR can still be used. \&\fIflags\fR is reserved and should be set to 0. .PP Only the first call to this function has any effect for a given stream; -subsequent calls are no-ops. This is considered a success case. +subsequent calls are no\-ops. This is considered a success case. .PP This function is not supported on an object other than a QUIC stream SSL object. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/SSL_stream_reset.3 b/secure/lib/libcrypto/man/man3/SSL_stream_reset.3 index 6e0b959ee66e..3d46aa51acbb 100644 --- a/secure/lib/libcrypto/man/man3/SSL_stream_reset.3 +++ b/secure/lib/libcrypto/man/man3/SSL_stream_reset.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_STREAM_RESET 3ossl" -.TH SSL_STREAM_RESET 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_STREAM_RESET 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -81,9 +84,9 @@ The \fBSSL_stream_reset()\fR function resets the send part of a QUIC stream when called on a QUIC stream SSL object, or on a QUIC connection SSL object with a default stream attached. .PP -If \fIargs\fR is non-NULL, \fIargs_len\fR must be set to \f(CWsizeof(*args)\fR. +If \fIargs\fR is non\-NULL, \fIargs_len\fR must be set to \f(CWsizeof(*args)\fR. .PP -\&\fIquic_error_code\fR is an application-specified error code, which must be in the +\&\fIquic_error_code\fR is an application\-specified error code, which must be in the range [0, 2**62\-1]. If \fIargs\fR is NULL, a value of 0 is used. .PP Resetting a stream indicates to an application that the sending part of the @@ -110,7 +113,7 @@ This function corresponds to the QUIC \fBRESET_STREAM\fR frame. Returns 1 on success and 0 on failure. .PP This function fails if called on a QUIC connection SSL object without a default -stream attached, or on a non-QUIC SSL object. +stream attached, or on a non\-QUIC SSL object. .PP After the first call to this function succeeds for a given stream, subsequent calls succeed but are ignored. The application error code 
diff --git a/secure/lib/libcrypto/man/man3/SSL_want.3 b/secure/lib/libcrypto/man/man3/SSL_want.3 index 6b2639aaa979..10b168b627b9 100644 --- a/secure/lib/libcrypto/man/man3/SSL_want.3 +++ b/secure/lib/libcrypto/man/man3/SSL_want.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_WANT 3ossl" -.TH SSL_WANT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_WANT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -143,7 +146,7 @@ A call to \fBSSL_get_error\fR\|(3) should return \fBSSL_ERROR_WANT_CLIENT_HELLO_ \&\fBSSL_want_x509_lookup()\fR, \fBSSL_want_retry_verify()\fR, \&\fBSSL_want_async()\fR, \fBSSL_want_async_job()\fR, and \fBSSL_want_client_hello_cb()\fR return 1 when the corresponding condition is true or 0 otherwise. -.SH "QUIC-SPECIFIC CONSIDERATIONS" +.SH "QUIC\-SPECIFIC CONSIDERATIONS" .IX Header "QUIC-SPECIFIC CONSIDERATIONS" For QUIC, these functions relate only to the TLS handshake layer. .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man3/SSL_write.3 b/secure/lib/libcrypto/man/man3/SSL_write.3 index 66c4ec2c2623..743223bbc275 100644 --- a/secure/lib/libcrypto/man/man3/SSL_write.3 +++ b/secure/lib/libcrypto/man/man3/SSL_write.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "SSL_WRITE 3ossl" -.TH SSL_WRITE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH SSL_WRITE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -89,7 +92,7 @@ optional flags which modify its behaviour. Calling \fBSSL_write_ex2()\fR with a .PP \&\fBSSL_sendfile()\fR writes \fBsize\fR bytes from offset \fBoffset\fR in the file descriptor \fBfd\fR to the specified SSL connection \fBs\fR. This function provides -efficient zero-copy semantics. \fBSSL_sendfile()\fR is available only when +efficient zero\-copy semantics. \fBSSL_sendfile()\fR is available only when Kernel TLS is enabled, which can be checked by calling \fBBIO_get_ktls_send()\fR. It is provided here to allow users to maintain the same interface. The meaning of \fBflags\fR is platform dependent. @@ -105,7 +108,7 @@ objects with a default stream attached). .Sp If this flag is set, and the call to \fBSSL_write_ex2()\fR succeeds, and all of the data passed to the call is written (meaning that \f(CW\*(C`*written == num\*(C'\fR), the -relevant QUIC stream's send part is concluded automatically as though +relevant QUIC stream\*(Aqs send part is concluded automatically as though \&\fBSSL_stream_conclude\fR\|(3) was called (causing transmission of a FIN for the stream). .Sp 
@@ -115,7 +118,7 @@ flag enables greater efficiency than making these two API calls separately, as it enables the written stream data and the FIN flag indicating the end of the stream to be scheduled as part of the same QUIC STREAM frame and QUIC packet. .Sp -Setting this flag does not cause a stream's send part to be concluded if not all +Setting this flag does not cause a stream\*(Aqs send part to be concluded if not all of the data passed to the call was consumed. .PP A call to \fBSSL_write_ex2()\fR fails if a flag is passed which is not supported or @@ -129,7 +132,7 @@ In the paragraphs below a "write function" is defined as one of either .PP If necessary, a write function will negotiate a TLS/SSL session, if not already explicitly performed by \fBSSL_connect\fR\|(3) or \fBSSL_accept\fR\|(3). If the peer -requests a re-negotiation, it will be performed transparently during +requests a re\-negotiation, it will be performed transparently during the write function operation. The behaviour of the write functions depends on the underlying BIO. .PP @@ -145,7 +148,7 @@ If the underlying BIO is \fBnonblocking\fR the write functions will also return when the underlying BIO could not satisfy the needs of the function to continue the operation. In this case a call to \fBSSL_get_error\fR\|(3) with the return value of the write function will yield \fBSSL_ERROR_WANT_READ\fR -or \fBSSL_ERROR_WANT_WRITE\fR. As at any time a re-negotiation is possible, a +or \fBSSL_ERROR_WANT_WRITE\fR. As at any time a re\-negotiation is possible, a call to a write function can also cause read operations! The calling process then must repeat the call after taking appropriate action to satisfy the needs of the write function. The action depends on the underlying BIO. When using a 
@@ -191,7 +194,7 @@ not all the requested bytes have been written yet (if SSL_MODE_ENABLE_PARTIAL_WRITE is not in use) or no bytes could be written to the SSL connection (if SSL_MODE_ENABLE_PARTIAL_WRITE is in use). Failures can be retryable (e.g. the network write buffer has temporarily filled up) or -non-retryable (e.g. a fatal network error). In the event of a failure call +non\-retryable (e.g. a fatal network error). In the event of a failure call \&\fBSSL_get_error\fR\|(3) to find out the reason which indicates whether the call is retryable or not. .PP @@ -208,7 +211,7 @@ Call \fBSSL_get_error()\fR with the return value \fBret\fR to find out the reaso .Sp Old documentation indicated a difference between 0 and \-1, and that \-1 was retryable. -You should instead call \fBSSL_get_error()\fR to find out if it's retryable. +You should instead call \fBSSL_get_error()\fR to find out if it\*(Aqs retryable. .PP For \fBSSL_sendfile()\fR, the following return values can occur: .IP ">= 0" 4 diff --git a/secure/lib/libcrypto/man/man3/TS_RESP_CTX_new.3 b/secure/lib/libcrypto/man/man3/TS_RESP_CTX_new.3 index b52d6c1e25fa..e96750953bb3 100644 --- a/secure/lib/libcrypto/man/man3/TS_RESP_CTX_new.3 +++ b/secure/lib/libcrypto/man/man3/TS_RESP_CTX_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "TS_RESP_CTX_NEW 3ossl" -.TH TS_RESP_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH TS_RESP_CTX_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/TS_VERIFY_CTX.3 b/secure/lib/libcrypto/man/man3/TS_VERIFY_CTX.3 index b8860d0d5577..679dc68adbce 100644 --- a/secure/lib/libcrypto/man/man3/TS_VERIFY_CTX.3 +++ b/secure/lib/libcrypto/man/man3/TS_VERIFY_CTX.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "TS_VERIFY_CTX 3ossl" -.TH TS_VERIFY_CTX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH TS_VERIFY_CTX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -106,15 +109,15 @@ The following function has been deprecated since OpenSSL 3.0: .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The Time-Stamp Protocol (TSP) is defined by RFC 3161. TSP is a protocol used to -provide long-term proof of the existence of certain data before a particular +The Time\-Stamp Protocol (TSP) is defined by RFC 3161. TSP is a protocol used to +provide long\-term proof of the existence of certain data before a particular time. TSP defines a Time Stamping Authority (TSA) and an entity that makes requests to the TSA. Usually, the TSA is referred to as the server side, and the requesting entity is referred to as the client. .PP In TSP, when a server sends a response to a client, the server normally needs to sign the response data \- the TimeStampToken (TST) \- with its private -key. Then the client verifies the received TST using the server's certificate +key. Then the client verifies the received TST using the server\*(Aqs certificate chain. .PP For all the following methods, unless noted otherwise, \fIctx\fR is the @@ -131,7 +134,7 @@ verification context to be freed. If \fIctx\fR is NULL, the call is ignored. the flags to be set. .PP \&\fBTS_VERIFY_CTX_add_flags()\fR adds flags to the verification context. \fIf\fR are the -flags to be added (OR'd). +flags to be added (OR\*(Aqd). .PP \&\fBTS_VERIFY_CTX_set0_data()\fR sets the data to be verified. \fIb\fR is the \fBBIO\fR with the data. A previously assigned \fBBIO\fR is freed. 
@@ -142,7 +145,7 @@ message imprint to be assigned. A previously assigned imprint is freed. \&\fBTS_VERIFY_CTX_set0_store()\fR sets the store for the verification context. \fIs\fR is the store to be assigned. A previously assigned store is freed. .PP -\&\fBTS_VERIFY_CTX_set0_certs()\fR is used to set the server's certificate chain when +\&\fBTS_VERIFY_CTX_set0_certs()\fR is used to set the server\*(Aqs certificate chain when verifying a TST. \fIcerts\fR is a stack of \fBX509\fR certificates. .PP \&\fBTS_VERIFY_CTX_cleanup()\fR frees all data associated with the given @@ -165,7 +168,7 @@ message imprint to assign. \&\fBTS_VERIFY_CTX_set_store()\fR is used to set the certificate store. A previously assigned store is \fBnot freed\fR by this call. \fIs\fR is the store to assign. .PP -\&\fBTS_VERIFY_CTX_set_certs()\fR is used to set the server's certificate chain. +\&\fBTS_VERIFY_CTX_set_certs()\fR is used to set the server\*(Aqs certificate chain. A previously assigned stack is \fBnot freed\fR by this call. \fIcerts\fR is a stack of \fBX509\fR certificates. .PP diff --git a/secure/lib/libcrypto/man/man3/UI_STRING.3 b/secure/lib/libcrypto/man/man3/UI_STRING.3 index e231a3b23de1..ffb3a2b64950 100644 --- a/secure/lib/libcrypto/man/man3/UI_STRING.3 +++ b/secure/lib/libcrypto/man/man3/UI_STRING.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "UI_STRING 3ossl" -.TH UI_STRING 3ossl 2025-09-30 3.5.4 OpenSSL +.TH UI_STRING 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -103,7 +106,7 @@ one of the functions \fBUI_add_input_string()\fR, \fBUI_dup_input_string()\fR, \&\fBUI_add_input_boolean()\fR, \fBUI_dup_input_boolean()\fR, \fBUI_add_info_string()\fR, \&\fBUI_dup_info_string()\fR, \fBUI_add_error_string()\fR or \fBUI_dup_error_string()\fR is called. -For a \fBUI_METHOD\fR user, there's no need to know more. +For a \fBUI_METHOD\fR user, there\*(Aqs no need to know more. For a \fBUI_METHOD\fR creator, it is of interest to fetch text from these \&\fBUI_STRING\fR objects as well as adding results to some of them. .PP @@ -146,7 +149,7 @@ For \fBUIT_BOOLEAN\fR type UI strings, this sets the first character of the result retrievable with \fBUI_get0_result_string()\fR to the first \&\fBok_char\fR given with \fBUI_add_input_boolean()\fR or \fBUI_dup_input_boolean()\fR if the \fBresult\fR matched any of them, or the first of the -\&\fBcancel_chars\fR if the \fBresult\fR matched any of them, otherwise it's +\&\fBcancel_chars\fR if the \fBresult\fR matched any of them, otherwise it\*(Aqs set to the NUL char \f(CW\*(C`\e0\*(C'\fR. See \fBUI_add_input_boolean\fR\|(3) for more information on \fBok_chars\fR and \&\fBcancel_chars\fR. 
@@ -170,7 +173,7 @@ string for \fBUIT_BOOLEAN\fR type UI strings, NULL for any other type. \&\fBUIT_PROMPT\fR and \fBUIT_VERIFY\fR type UI strings, NULL for any other type. .PP -\&\fBUI_get_result_string_length()\fR returns the UI string result buffer's +\&\fBUI_get_result_string_length()\fR returns the UI string result buffer\*(Aqs content length for \fBUIT_PROMPT\fR and \fBUIT_VERIFY\fR type UI strings, \&\-1 for any other type. .PP diff --git a/secure/lib/libcrypto/man/man3/UI_UTIL_read_pw.3 b/secure/lib/libcrypto/man/man3/UI_UTIL_read_pw.3 index eeae8beddf8e..8b349c80d16a 100644 --- a/secure/lib/libcrypto/man/man3/UI_UTIL_read_pw.3 +++ b/secure/lib/libcrypto/man/man3/UI_UTIL_read_pw.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "UI_UTIL_READ_PW 3ossl" -.TH UI_UTIL_READ_PW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH UI_UTIL_READ_PW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/UI_create_method.3 b/secure/lib/libcrypto/man/man3/UI_create_method.3 index 3a5c496e71a0..ce850aa41235 100644 --- a/secure/lib/libcrypto/man/man3/UI_create_method.3 +++ b/secure/lib/libcrypto/man/man3/UI_create_method.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "UI_CREATE_METHOD 3ossl" -.TH UI_CREATE_METHOD 3ossl 2025-09-30 3.5.4 OpenSSL +.TH UI_CREATE_METHOD 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -110,7 +113,7 @@ interface method creation and destruction .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -A method contains a few functions that implement the low-level of the +A method contains a few functions that implement the low\-level of the User Interface. These functions are: .IP "an opener" 4 
@@ -143,17 +146,17 @@ This function takes a reference to a UI, and closes the session, maybe by closing the channel to the tty, maybe by destroying a dialog box. .PP All of these functions are expected to return 0 on error, 1 on -success, or \-1 on out-off-band events, for example if some prompting -has been cancelled (by pressing Ctrl-C, for example). +success, or \-1 on out\-off\-band events, for example if some prompting +has been cancelled (by pressing Ctrl\-C, for example). Only the flusher or the reader are expected to return \-1. -If returned by another of the functions, it's treated as if 0 was +If returned by another of the functions, it\*(Aqs treated as if 0 was returned. .PP -Regarding the writer and the reader, don't assume the former should -only write and don't assume the latter should only read. +Regarding the writer and the reader, don\*(Aqt assume the former should +only write and don\*(Aqt assume the latter should only read. This depends on the needs of the method. .PP -For example, a typical tty reader wouldn't write the prompts in the +For example, a typical tty reader wouldn\*(Aqt write the prompts in the write, but would rather do so in the reader, because of the sequential nature of prompting on a tty. This is how the \fBUI_OpenSSL()\fR method does it. 
@@ -166,21 +169,21 @@ fetch those results. The central function that uses these method functions is \fBUI_process()\fR, and it does it in five steps: .IP 1. 4 -Open the session using the opener function if that one's defined. +Open the session using the opener function if that one\*(Aqs defined. If an error occurs, jump to 5. .IP 2. 4 For every UI String associated with the UI, call the writer function -if that one's defined. +if that one\*(Aqs defined. If an error occurs, jump to 5. .IP 3. 4 -Flush everything using the flusher function if that one's defined. +Flush everything using the flusher function if that one\*(Aqs defined. If an error occurs, jump to 5. .IP 4. 4 For every UI String associated with the UI, call the reader function -if that one's defined. +if that one\*(Aqs defined. If an error occurs, jump to 5. .IP 5. 4 -Close the session using the closer function if that one's defined. +Close the session using the closer function if that one\*(Aqs defined. .PP \&\fBUI_create_method()\fR creates a new UI method with a given \fBname\fR. .PP @@ -228,7 +231,7 @@ return 0 on success, \-1 if the given \fBmethod\fR is NULL. \&\fBUI_method_get_flusher()\fR, \fBUI_method_get_reader()\fR, \&\fBUI_method_get_closer()\fR, \fBUI_method_get_data_duplicator()\fR, \&\fBUI_method_get_data_destructor()\fR and \fBUI_method_get_prompt_constructor()\fR -return the requested function pointer if it's set in the method, +return the requested function pointer if it\*(Aqs set in the method, otherwise NULL. .PP \&\fBUI_method_get_ex_data()\fR returns a pointer to the application specific diff --git a/secure/lib/libcrypto/man/man3/UI_new.3 b/secure/lib/libcrypto/man/man3/UI_new.3 index fb040251d829..7a46a4d9cce9 100644 --- a/secure/lib/libcrypto/man/man3/UI_new.3 +++ b/secure/lib/libcrypto/man/man3/UI_new.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "UI_NEW 3ossl" -.TH UI_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH UI_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -127,7 +130,7 @@ UI_get_method, UI_set_method, UI_OpenSSL, UI_null \- user interface .SH DESCRIPTION .IX Header "DESCRIPTION" UI stands for User Interface, and is general purpose set of routines to -prompt the user for text-based information. Through user-written methods +prompt the user for text\-based information. Through user\-written methods (see \fBUI_create_method\fR\|(3)), prompting can be done in any way imaginable, be it plain text prompting, through dialog boxes or from a cell phone. 
@@ -139,9 +142,9 @@ carry out the actual prompting. .PP The first thing to do is to create a UI with \fBUI_new()\fR or \fBUI_new_method()\fR, then add information to it with the UI_add or UI_dup functions. Also, -user-defined random data can be passed down to the underlying method +user\-defined random data can be passed down to the underlying method through calls to \fBUI_add_user_data()\fR or \fBUI_dup_user_data()\fR. The default -UI method doesn't care about these data, but other methods might. Finally, +UI method doesn\*(Aqt care about these data, but other methods might. Finally, use \fBUI_process()\fR to actually perform the prompting and \fBUI_get0_result()\fR and \fBUI_get_result_length()\fR to find the result to the prompt and its length. .PP @@ -161,7 +164,7 @@ this UI, it should be freed using \fBUI_free()\fR. \&\fBUI_new_method()\fR creates a new UI using the given UI method. When done with this UI, it should be freed using \fBUI_free()\fR. .PP -\&\fBUI_OpenSSL()\fR returns the built-in UI method (note: not necessarily the +\&\fBUI_OpenSSL()\fR returns the built\-in UI method (note: not necessarily the default one, since the default can be changed. See further on). This method is the most machine/OS dependent part of OpenSSL and normally generates the most problems when porting. @@ -170,7 +173,7 @@ generates the most problems when porting. getting internal defaults for passed UI_METHOD pointers. .PP \&\fBUI_free()\fR removes a UI from memory, along with all other pieces of memory -that's connected to it, like duplicated input strings, results and others. +that\*(Aqs connected to it, like duplicated input strings, results and others. If \fBui\fR is NULL nothing is done. .PP \&\fBUI_add_input_string()\fR and \fBUI_add_verify_string()\fR add a prompt to the UI, 
@@ -180,9 +183,9 @@ information is used to prompt for information, for example a password, and to verify a password (i.e. having the user enter it twice and check that the same string was entered twice). \fBUI_add_verify_string()\fR takes and extra argument that should be a pointer to the result buffer of the -input string that it's supposed to verify, or verification will fail. +input string that it\*(Aqs supposed to verify, or verification will fail. .PP -\&\fBUI_add_input_boolean()\fR adds a prompt to the UI that's supposed to be answered +\&\fBUI_add_input_boolean()\fR adds a prompt to the UI that\*(Aqs supposed to be answered in a boolean way, with a single character for yes and a different character for no. A set of characters that can be used to cancel the prompt is given as well. The prompt itself is divided in two, one part being the @@ -191,8 +194,8 @@ the possible answers (given through the \fIaction_desc\fR argument). .PP \&\fBUI_add_info_string()\fR and \fBUI_add_error_string()\fR add strings that are shown at the same time as the prompt for extra information or to show an error string. -The difference between the two is only conceptual. With the built-in method, -there's no technical difference between them. Other methods may make a +The difference between the two is only conceptual. With the built\-in method, +there\*(Aqs no technical difference between them. Other methods may make a difference between them, however. .PP The flags currently supported are \fBUI_INPUT_FLAG_ECHO\fR, which is relevant for 
@@ -218,17 +221,20 @@ With the description "pass phrase" and the filename "foo.key", that becomes string and may include encodings that will be processed by the other method functions. .PP -\&\fBUI_add_user_data()\fR adds a user data pointer for the method to use at any -time. The built-in UI method doesn't care about this info. Note that several -calls to this function doesn't add data, it replaces the previous blob +\&\fBUI_add_user_data()\fR sets the user data pointer for the method to use at any +time. The built\-in UI method doesn\*(Aqt care about this info. Note that several +calls to this function doesn\*(Aqt add data, it replaces the previous pointer with the one given as argument. +The return value is the previously set user data pointer if it was set +using \fBUI_add_user_data()\fR and thus the caller owns it, otherwise NULL. .PP \&\fBUI_dup_user_data()\fR duplicates the user data and works as an alternative to \fBUI_add_user_data()\fR when the user data needs to be preserved for a longer duration, perhaps even the lifetime of the application. The UI object takes ownership of this duplicate and will free it whenever it gets replaced or the UI is destroyed. \fBUI_dup_user_data()\fR returns 0 on success, or \-1 on memory -allocation failure or if the method doesn't have a duplicator function. +allocation failure or if the method doesn\*(Aqt have a duplicator and a destructor +function. .PP \&\fBUI_get0_user_data()\fR retrieves the data that has last been given to the UI with \fBUI_add_user_data()\fR or UI_dup_user_data. 
@@ -240,7 +246,7 @@ the information indexed by \fIi\fR. the information indexed by \fIi\fR. .PP \&\fBUI_process()\fR goes through the information given so far, does all the printing -and prompting and returns the final status, which is \-2 on out-of-band events +and prompting and returns the final status, which is \-2 on out\-of\-band events (Interrupt, Cancel, ...), \-1 on error and 0 on success. .PP \&\fBUI_ctrl()\fR adds extra control for the application author. For now, it @@ -250,7 +256,7 @@ print the OpenSSL error stack as part of processing the UI, and be used again or not. .PP \&\fBUI_set_default_method()\fR changes the default UI method to the one given. -This function is not thread-safe and should not be called at the same time +This function is not thread\-safe and should not be called at the same time as other OpenSSL functions. .PP \&\fBUI_get_default_method()\fR returns a pointer to the current default UI method. @@ -266,7 +272,7 @@ Windows) code page. For applications having different demands, these strings need to be converted appropriately by the caller. For Windows, if the \fBOPENSSL_WIN32_UTF8\fR environment variable is set, -the built-in method \fBUI_OpenSSL()\fR will produce UTF\-8 encoded strings +the built\-in method \fBUI_OpenSSL()\fR will produce UTF\-8 encoded strings instead. .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -281,6 +287,9 @@ is less than or equal to 0 otherwise. .PP \&\fBUI_construct_prompt()\fR returns a string or NULL if an error occurred. .PP +\&\fBUI_add_user_data()\fR returns +the user data pointer previously set using this function, otherwise NULL. +.PP \&\fBUI_dup_user_data()\fR returns 0 on success or \-1 on error. .PP \&\fBUI_get0_result()\fR returns a string or NULL on error. 
@@ -300,7 +309,7 @@ respectively. The \fBUI_dup_user_data()\fR function was added in OpenSSL 1.1.1. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man3/X509V3_EXT_print.3 b/secure/lib/libcrypto/man/man3/X509V3_EXT_print.3 new file mode 100644 index 000000000000..f23dc989ae29 --- /dev/null +++ b/secure/lib/libcrypto/man/man3/X509V3_EXT_print.3 
@@ -0,0 +1,108 @@ +.\" -*- mode: troff; coding: utf-8 -*- +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>. +.ie n \{\ +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{\ +. if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +. \} +.\} +.rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l +.\" ======================================================================== +.\" +.IX Title "X509V3_EXT_PRINT 3ossl" +.TH X509V3_EXT_PRINT 3ossl 2026-04-07 3.5.6 OpenSSL +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. 
+.if n .ad l +.nh +.SH NAME +X509V3_EXT_print, X509V3_EXT_print_fp \- pretty print X509 certificate extensions +.SH SYNOPSIS +.IX Header "SYNOPSIS" +.Vb 1 +\& #include <openssl/x509v3.h> +\& +\& int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent); +\& int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent); +.Ve +.SH DESCRIPTION +.IX Header "DESCRIPTION" +\&\fBX509V3_EXT_print()\fR and \fBX509V3_EXT_print_fp()\fR parse and print the extension +info from \fIext\fR to \fIbio\fR or \fIout\fR with indentation set via \fIindent\fR. +\&\fIflag\fR determines the behaviour if an extension could not be parsed and can be +one of: +\&\fBX509V3_EXT_DEFAULT\fR (equivalent to 0): an unknown or unparsable extension +stops the parsing and the function returns a failure. +\&\fBX509V3_EXT_PARSE_UNKNOWN\fR: an unknown or unparsable extension is handled by +printing it through the \fBASN1_parse_dump()\fR function, and the function returns +success. +\&\fBX509V3_EXT_DUMP_UNKNOWN\fR: an unknown or unparsable extension is handled by +printing it through the \fBBIO_dump_indent()\fR function, and the function returns +success, +\&\fBX509V3_EXT_ERROR_UNKNOWN\fR: an unknown or unparsable extension is handled by +printing either "<Not Supported>" or "<Parse Error>", and the function returns +success. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fBX509V3_EXT_print()\fR and \fBX509V3_EXT_print_fp()\fR return 1 for success and 0 for +failure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fBBIO_dump_indent\fR\|(3), +\&\fBASN1_parse_dump\fR\|(3), +.SH COPYRIGHT +.IX Header "COPYRIGHT" +Copyright 2026 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +<https://www.openssl.org/source/license.html>. 
diff --git a/secure/lib/libcrypto/man/man3/X509V3_get_d2i.3 b/secure/lib/libcrypto/man/man3/X509V3_get_d2i.3 index bcc553028fed..9d1c8b9475ef 100644 --- a/secure/lib/libcrypto/man/man3/X509V3_get_d2i.3 +++ b/secure/lib/libcrypto/man/man3/X509V3_get_d2i.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509V3_GET_D2I 3ossl" -.TH X509V3_GET_D2I 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509V3_GET_D2I 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -280,7 +283,7 @@ The following extensions are used by certificate transparency, RFC6962 a pointer to an extension specific structure or NULL if an error occurs. .PP \&\fBX509V3_add1_i2d()\fR and its variants return 1 if the operation is successful -and 0 if it fails due to a non-fatal error (extension not found, already exists, +and 0 if it fails due to a non\-fatal error (extension not found, already exists, cannot be encoded) or \-1 due to a fatal error such as a memory allocation failure. .PP diff --git a/secure/lib/libcrypto/man/man3/X509V3_set_ctx.3 b/secure/lib/libcrypto/man/man3/X509V3_set_ctx.3 index 3808a5d63480..917bad54ba47 100644 --- a/secure/lib/libcrypto/man/man3/X509V3_set_ctx.3 +++ b/secure/lib/libcrypto/man/man3/X509V3_set_ctx.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509V3_SET_CTX 3ossl" -.TH X509V3_SET_CTX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509V3_SET_CTX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -78,7 +81,7 @@ X509V3_set_issuer_pkey \- X.509 v3 extension generation utilities providing details potentially needed by functions producing X509 v3 extensions. These may make use of fields of the certificate \fIsubject\fR, the certification request \fIreq\fR, or the certificate revocation list \fIcrl\fR. -At most one of these three parameters can be non-NULL. +At most one of these three parameters can be non\-NULL. When constructing the subject key identifier of a certificate by computing a hash value of its public key, the public key is taken from \fIsubject\fR or \fIreq\fR. Similarly, when constructing subject alternative names from any email addresses 
@@ -86,7 +89,7 @@ contained in a subject DN, the subject DN is taken from \fIsubject\fR or \fIreq\ If \fIsubject\fR or \fIcrl\fR is provided, \fIissuer\fR should point to its issuer, for instance as a reference for generating the authority key identifier extension. \&\fIissuer\fR may be the same pointer value as \fIsubject\fR (which usually is an -indication that the \fIsubject\fR certificate is self-issued or even self-signed). +indication that the \fIsubject\fR certificate is self\-issued or even self\-signed). In this case the fallback source for generating the authority key identifier extension will be taken from any value provided using \fBX509V3_set_issuer_pkey()\fR. \&\fIflags\fR may be 0 diff --git a/secure/lib/libcrypto/man/man3/X509_ACERT_add1_attr.3 b/secure/lib/libcrypto/man/man3/X509_ACERT_add1_attr.3 index d751cad5553b..29a563bd7735 100644 --- a/secure/lib/libcrypto/man/man3/X509_ACERT_add1_attr.3 +++ b/secure/lib/libcrypto/man/man3/X509_ACERT_add1_attr.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_ACERT_ADD1_ATTR 3ossl" -.TH X509_ACERT_ADD1_ATTR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_ACERT_ADD1_ATTR 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_ACERT_add_attr_nconf.3 b/secure/lib/libcrypto/man/man3/X509_ACERT_add_attr_nconf.3 index 2e3bbd8aa91c..5c8b5c6745bf 100644 
--- a/secure/lib/libcrypto/man/man3/X509_ACERT_add_attr_nconf.3 +++ b/secure/lib/libcrypto/man/man3/X509_ACERT_add_attr_nconf.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_ACERT_ADD_ATTR_NCONF 3ossl" -.TH X509_ACERT_ADD_ATTR_NCONF 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_ACERT_ADD_ATTR_NCONF 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_ACERT_get0_holder_baseCertId.3 b/secure/lib/libcrypto/man/man3/X509_ACERT_get0_holder_baseCertId.3 index 217895c8b927..00e537a8f26d 100644 --- a/secure/lib/libcrypto/man/man3/X509_ACERT_get0_holder_baseCertId.3 +++ b/secure/lib/libcrypto/man/man3/X509_ACERT_get0_holder_baseCertId.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_ACERT_GET0_HOLDER_BASECERTID 3ossl" -.TH X509_ACERT_GET0_HOLDER_BASECERTID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_ACERT_GET0_HOLDER_BASECERTID 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -124,7 +127,7 @@ attribute certificate \fIx\fR can be retrieved with \&\fBX509_ACERT_get0_holder_digest()\fR. .PP A \fBOSSL_ISSUER_SERIAL\fR object holds the subject name and UID of a certificate -issuer and a certificate's serial number. \fBOSSL_ISSUER_SERIAL_set1_issuer()\fR, +issuer and a certificate\*(Aqs serial number. \fBOSSL_ISSUER_SERIAL_set1_issuer()\fR, \&\fBOSSL_ISSUER_SERIAL_set1_issuerUID()\fR, and \fBOSSL_ISSUER_SERIAL_set1_serial()\fR respectively copy these values into the \fBOSSL_ISSUER_SERIAL\fR structure. The application is responsible for freeing its own copy of these values after @@ -149,7 +152,7 @@ Hash of another object. See NOTES below. .SH "RETURN VALUES" .IX Header "RETURN VALUES" All \fIset0\fR/\fIset1\fR routines return 1 for success and 0 for failure. -All \fIget0\fR functions return a pointer to the object's inner structure. These +All \fIget0\fR functions return a pointer to the object\*(Aqs inner structure. These pointers must not be freed after use. .SH NOTES .IX Header "NOTES" diff --git a/secure/lib/libcrypto/man/man3/X509_ACERT_get_attr.3 b/secure/lib/libcrypto/man/man3/X509_ACERT_get_attr.3 index 967203523bde..1dfeaca98b0c 100644 --- a/secure/lib/libcrypto/man/man3/X509_ACERT_get_attr.3 +++ b/secure/lib/libcrypto/man/man3/X509_ACERT_get_attr.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_ACERT_GET_ATTR 3ossl" -.TH X509_ACERT_GET_ATTR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_ACERT_GET_ATTR 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -87,7 +90,7 @@ of attributes in the \fBX509_ACERT\fR. attribute location matching \fInid\fR or \fIobj\fR after \fIlastpos\fR. \fIlastpos\fR should initially be set to \-1. If there are no more entries \-1 is returned. If \fInid\fR is invalid -(doesn't correspond to a valid OID) then \-2 is returned. +(doesn\*(Aqt correspond to a valid OID) then \-2 is returned. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBX509_ACERT_get0_attr()\fR return a \fBX509_ATTRIBUTE\fR from an attribute diff --git a/secure/lib/libcrypto/man/man3/X509_ACERT_print_ex.3 b/secure/lib/libcrypto/man/man3/X509_ACERT_print_ex.3 index a4d110b0ac74..8c1730d90df7 100644 --- a/secure/lib/libcrypto/man/man3/X509_ACERT_print_ex.3 +++ b/secure/lib/libcrypto/man/man3/X509_ACERT_print_ex.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_ACERT_PRINT_EX 3ossl" -.TH X509_ACERT_PRINT_EX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_ACERT_PRINT_EX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -101,7 +104,7 @@ holder issuer name is present, the first GENERAL_NAME returned by \fBX509_ACERT_get0_holder_entityName()\fR is printed. If the holder baseCertificateId is present, the issuer name (printed with X509_NAME_print_ex) and serial number of the -holder's certificate are displayed. (X509_FLAG_NO_SUBJECT) +holder\*(Aqs certificate are displayed. (X509_FLAG_NO_SUBJECT) .Sp = item * .Sp diff --git a/secure/lib/libcrypto/man/man3/X509_ALGOR_dup.3 b/secure/lib/libcrypto/man/man3/X509_ALGOR_dup.3 index 5ea460069195..dd215fb143c5 100644 --- a/secure/lib/libcrypto/man/man3/X509_ALGOR_dup.3 +++ b/secure/lib/libcrypto/man/man3/X509_ALGOR_dup.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_ALGOR_DUP 3ossl" -.TH X509_ALGOR_DUP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_ALGOR_DUP 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/X509_ATTRIBUTE.3 b/secure/lib/libcrypto/man/man3/X509_ATTRIBUTE.3 index 6327db7d44ff..c3b82f7822b9 100644 --- a/secure/lib/libcrypto/man/man3/X509_ATTRIBUTE.3 +++ b/secure/lib/libcrypto/man/man3/X509_ATTRIBUTE.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_ATTRIBUTE 3ossl" -.TH X509_ATTRIBUTE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_ATTRIBUTE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -143,7 +146,7 @@ in RFC 5280, i.e. \& AttributeValue ::= ANY \-\- DEFINED BY AttributeType .Ve .PP -For example CMS defines the signing-time attribute as: +For example CMS defines the signing\-time attribute as: .PP .Vb 2 \& id\-signingTime OBJECT IDENTIFIER ::= { iso(1) member\-body(2) diff --git a/secure/lib/libcrypto/man/man3/X509_CRL_get0_by_serial.3 b/secure/lib/libcrypto/man/man3/X509_CRL_get0_by_serial.3 index 902d932b81e7..f0a050da4959 100644 --- a/secure/lib/libcrypto/man/man3/X509_CRL_get0_by_serial.3 +++ b/secure/lib/libcrypto/man/man3/X509_CRL_get0_by_serial.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_CRL_GET0_BY_SERIAL 3ossl" -.TH X509_CRL_GET0_BY_SERIAL 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_CRL_GET0_BY_SERIAL 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_EXTENSION_set_object.3 b/secure/lib/libcrypto/man/man3/X509_EXTENSION_set_object.3 index b4ad2d8fd2ff..b826511cd1da 100644 --- a/secure/lib/libcrypto/man/man3/X509_EXTENSION_set_object.3 +++ b/secure/lib/libcrypto/man/man3/X509_EXTENSION_set_object.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_EXTENSION_SET_OBJECT 3ossl" -.TH X509_EXTENSION_SET_OBJECT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_EXTENSION_SET_OBJECT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -90,7 +93,7 @@ functions \&\fBobj\fR pointer is duplicated internally so \fBobj\fR should be freed up after use. .PP \&\fBX509_EXTENSION_set_critical()\fR sets the criticality of \fBex\fR to \fBcrit\fR. If -\&\fBcrit\fR is zero the extension in non-critical otherwise it is critical. +\&\fBcrit\fR is zero the extension in non\-critical otherwise it is critical. .PP \&\fBX509_EXTENSION_set_data()\fR sets the data in extension \fBex\fR to \fBdata\fR. The \&\fBdata\fR pointer is duplicated internally. @@ -109,7 +112,7 @@ except it creates and extension using \fBobj\fR instead of a NID. not be freed up. .PP \&\fBX509_EXTENSION_get_critical()\fR returns the criticality of extension \fBex\fR it -returns \fB1\fR for critical and \fB0\fR for non-critical. +returns \fB1\fR for critical and \fB0\fR for non\-critical. .PP \&\fBX509_EXTENSION_get_data()\fR returns the data of extension \fBex\fR. The returned pointer is an internal value which must not be freed up. @@ -132,7 +135,7 @@ an \fBX509_EXTENSION\fR pointer or \fBNULL\fR if an error occurs. .PP \&\fBX509_EXTENSION_get_object()\fR returns an \fBASN1_OBJECT\fR pointer. .PP -\&\fBX509_EXTENSION_get_critical()\fR returns \fB0\fR for non-critical and \fB1\fR for +\&\fBX509_EXTENSION_get_critical()\fR returns \fB0\fR for non\-critical and \fB1\fR for critical. .PP \&\fBX509_EXTENSION_get_data()\fR returns an \fBASN1_OCTET_STRING\fR pointer. diff --git a/secure/lib/libcrypto/man/man3/X509_LOOKUP.3 b/secure/lib/libcrypto/man/man3/X509_LOOKUP.3 index 7fe9bfac1042..1d7cbc7d23b2 100644 --- a/secure/lib/libcrypto/man/man3/X509_LOOKUP.3 +++ b/secure/lib/libcrypto/man/man3/X509_LOOKUP.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_LOOKUP 3ossl" -.TH X509_LOOKUP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_LOOKUP 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -182,7 +185,7 @@ certificates and CRLs are loaded on demand into the associated This can only be used with a lookup using the implementation \&\fBX509_LOOKUP_hash_dir\fR\|(3). .PP -\&\fBX509_LOOKUP_add_store_ex()\fR passes a URI for a directory-like structure +\&\fBX509_LOOKUP_add_store_ex()\fR passes a URI for a directory\-like structure from which containers with certificates and CRLs are loaded on demand into the associated \fBX509_STORE\fR. The library context \fIlibctx\fR and property query \fIpropq\fR are used when fetching algorithms from providers. @@ -247,9 +250,9 @@ or NULL on error. 0 on error. .PP \&\fBX509_LOOKUP_ctrl_ex()\fR and \fBX509_LOOKUP_ctrl()\fR -return \-1 if the \fBX509_LOOKUP\fR doesn't have an +return \-1 if the \fBX509_LOOKUP\fR doesn\*(Aqt have an associated \fBX509_LOOKUP_METHOD\fR, or 1 if the -doesn't have a control function. +doesn\*(Aqt have a control function. Otherwise, it returns what the control function in the \&\fBX509_LOOKUP_METHOD\fR returns, which is usually 1 on success and 0 on error but could also be \-1 on failure. 
@@ -268,7 +271,7 @@ but passes NULL for both the libctx and propq. .PP \&\fBX509_LOOKUP_by_issuer_serial()\fR, \fBX509_LOOKUP_by_fingerprint()\fR, and \&\fBX509_LOOKUP_by_alias()\fR all return 0 if there is no \fBX509_LOOKUP_METHOD\fR or that -method doesn't implement the corresponding function. +method doesn\*(Aqt implement the corresponding function. Otherwise, they return what the corresponding function in the \&\fBX509_LOOKUP_METHOD\fR returns, which is usually 1 on success and 0 in error. diff --git a/secure/lib/libcrypto/man/man3/X509_LOOKUP_hash_dir.3 b/secure/lib/libcrypto/man/man3/X509_LOOKUP_hash_dir.3 index 1a7bc5fa4210..4799603ec9ac 100644 --- a/secure/lib/libcrypto/man/man3/X509_LOOKUP_hash_dir.3 +++ b/secure/lib/libcrypto/man/man3/X509_LOOKUP_hash_dir.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_LOOKUP_HASH_DIR 3ossl" -.TH X509_LOOKUP_HASH_DIR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_LOOKUP_HASH_DIR 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -181,9 +184,9 @@ certificates or CRLs, but can also be references to catalogues of such objects (that behave like directories). .PP This method overlaps the "File Method" and "Hashed Directory Method" -because of the 'file:' scheme loader. +because of the \*(Aqfile:\*(Aq scheme loader. It does no caching of its own, but can use a caching \fBossl_store\fR\|(7) -loader, and therefore depends on the loader's capability. +loader, and therefore depends on the loader\*(Aqs capability. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBX509_LOOKUP_hash_dir()\fR, \fBX509_LOOKUP_file()\fR and \fBX509_LOOKUP_store()\fR diff --git a/secure/lib/libcrypto/man/man3/X509_LOOKUP_meth_new.3 b/secure/lib/libcrypto/man/man3/X509_LOOKUP_meth_new.3 index 7a3fa3b64ea1..e636bca6e2f7 100644 --- a/secure/lib/libcrypto/man/man3/X509_LOOKUP_meth_new.3 +++ b/secure/lib/libcrypto/man/man3/X509_LOOKUP_meth_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_LOOKUP_METH_NEW 3ossl" -.TH X509_LOOKUP_METH_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_LOOKUP_METH_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -165,7 +168,7 @@ of an X509_LOOKUP_METHOD can be associated to many instantiations of an \&\fBX509_LOOKUP\fR structure. .PP \&\fBX509_LOOKUP_meth_new()\fR creates a new \fBX509_LOOKUP_METHOD\fR structure. It should -be given a human-readable string containing a brief description of the lookup +be given a human\-readable string containing a brief description of the lookup method. .PP \&\fBX509_LOOKUP_meth_free()\fR destroys a \fBX509_LOOKUP_METHOD\fR structure. @@ -200,7 +203,7 @@ points to a location where any return data should be written to. How .PP \&\fBX509_LOOKUP_set_get_by_subject()\fR, \fBX509_LOOKUP_set_get_by_issuer_serial()\fR, \&\fBX509_LOOKUP_set_get_by_fingerprint()\fR, \fBX509_LOOKUP_set_get_by_alias()\fR set -the functions used to retrieve an X509 or X509_CRL object by the object's +the functions used to retrieve an X509 or X509_CRL object by the object\*(Aqs subject, issuer, fingerprint, and alias respectively. These functions are given the X509_LOOKUP context, the type of the X509_OBJECT being requested, parameters related to the lookup, and an X509_OBJECT that will receive the requested @@ -216,7 +219,7 @@ reference count again. .PP Implementations should also use either \fBX509_OBJECT_set1_X509()\fR or \&\fBX509_OBJECT_set1_X509_CRL()\fR to set the result. Note that this also -increments the result's reference count. +increments the result\*(Aqs reference count. .PP Any method data that was created as a result of the new_item function set by \fBX509_LOOKUP_meth_set_new_item()\fR can be accessed with diff --git a/secure/lib/libcrypto/man/man3/X509_NAME_ENTRY_get_object.3 b/secure/lib/libcrypto/man/man3/X509_NAME_ENTRY_get_object.3 index f6e116e01e4b..7b6ebdcad8fd 100644 --- a/secure/lib/libcrypto/man/man3/X509_NAME_ENTRY_get_object.3 +++ b/secure/lib/libcrypto/man/man3/X509_NAME_ENTRY_get_object.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_NAME_ENTRY_GET_OBJECT 3ossl" -.TH X509_NAME_ENTRY_GET_OBJECT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_NAME_ENTRY_GET_OBJECT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_NAME_add_entry_by_txt.3 b/secure/lib/libcrypto/man/man3/X509_NAME_add_entry_by_txt.3 index d11ad8bd3be4..98101f5c16e1 100644 --- a/secure/lib/libcrypto/man/man3/X509_NAME_add_entry_by_txt.3 +++ b/secure/lib/libcrypto/man/man3/X509_NAME_add_entry_by_txt.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_NAME_ADD_ENTRY_BY_TXT 3ossl" -.TH X509_NAME_ADD_ENTRY_BY_TXT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_NAME_ADD_ENTRY_BY_TXT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -129,8 +132,8 @@ If it is zero a new RDN is created. .PP If \fBset\fR is \-1 or 1 it is added as a new set member to the previous or next RDN structure, respectively. -This will then become part of a multi-valued RDN (containing a set of AVAs). -Since multi-valued RDNs are very rarely used \fBset\fR typically will be zero. +This will then become part of a multi\-valued RDN (containing a set of AVAs). +Since multi\-valued RDNs are very rarely used \fBset\fR typically will be zero. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBX509_NAME_add_entry_by_txt()\fR, \fBX509_NAME_add_entry_by_OBJ()\fR, diff --git a/secure/lib/libcrypto/man/man3/X509_NAME_get0_der.3 b/secure/lib/libcrypto/man/man3/X509_NAME_get0_der.3 index 673b17565d87..cb2df3d2714b 100644 --- a/secure/lib/libcrypto/man/man3/X509_NAME_get0_der.3 +++ b/secure/lib/libcrypto/man/man3/X509_NAME_get0_der.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_NAME_GET0_DER 3ossl" -.TH X509_NAME_GET0_DER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_NAME_GET0_DER 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_NAME_get_index_by_NID.3 b/secure/lib/libcrypto/man/man3/X509_NAME_get_index_by_NID.3 index 0cda14055ff3..cad49adf5cbc 100644 --- a/secure/lib/libcrypto/man/man3/X509_NAME_get_index_by_NID.3 +++ b/secure/lib/libcrypto/man/man3/X509_NAME_get_index_by_NID.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_NAME_GET_INDEX_BY_NID 3ossl" -.TH X509_NAME_GET_INDEX_BY_NID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_NAME_GET_INDEX_BY_NID 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -91,7 +94,7 @@ and issuer names. \&\fBX509_NAME_get_index_by_NID()\fR and \fBX509_NAME_get_index_by_OBJ()\fR retrieve the next index matching \fBnid\fR or \fBobj\fR after \fBlastpos\fR. \fBlastpos\fR should initially be set to \-1. If there are no more entries \-1 is returned. -If \fBnid\fR is invalid (doesn't correspond to a valid OID) then \-2 is returned. +If \fBnid\fR is invalid (doesn\*(Aqt correspond to a valid OID) then \-2 is returned. .PP \&\fBX509_NAME_entry_count()\fR returns the total number of entries in \fBname\fR. .PP diff --git a/secure/lib/libcrypto/man/man3/X509_NAME_print_ex.3 b/secure/lib/libcrypto/man/man3/X509_NAME_print_ex.3 index 3dd987e2cbab..01069d85c54f 100644 --- a/secure/lib/libcrypto/man/man3/X509_NAME_print_ex.3 +++ b/secure/lib/libcrypto/man/man3/X509_NAME_print_ex.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_NAME_PRINT_EX 3ossl" -.TH X509_NAME_PRINT_EX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_NAME_PRINT_EX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -85,19 +88,18 @@ output format can be extensively customised by use of the \fIflags\fR parameter. except the output is written to FILE pointer \fIfp\fR. .PP \&\fBX509_NAME_oneline()\fR prints an ASCII version of \fIa\fR to \fIbuf\fR. -This supports multi-valued RDNs and escapes \fB/\fR and \fB+\fR characters in values. +This supports multi\-valued RDNs and escapes \fB/\fR and \fB+\fR characters in values. If \fIbuf\fR is \fBNULL\fR then a buffer is dynamically allocated and returned, and \&\fIsize\fR is ignored. -Otherwise, at most \fIsize\fR bytes will be written, including the ending '\e0', +Otherwise, at most \fIsize\fR bytes will be written, including the ending \*(Aq\e0\*(Aq, and \fIbuf\fR is returned. .PP -\&\fBX509_NAME_print()\fR prints out \fIname\fR to \fIbp\fR indenting each line by \fIobase\fR -characters. Multiple lines are used if the output (including indent) exceeds -80 characters. +\&\fBX509_NAME_print()\fR prints out \fIname\fR to \fIbp\fR on a single line. +The \fIobase\fR parameter is ignored and retained only for API compatibility. .SH NOTES .IX Header "NOTES" The functions \fBX509_NAME_oneline()\fR and \fBX509_NAME_print()\fR -produce a non standard output form, they don't handle multi-character fields and +produce a non standard output form, they don\*(Aqt handle multi\-character fields and have various quirks and inconsistencies. Their use is strongly discouraged in new applications and they could be deprecated in a future release. 
@@ -116,8 +118,8 @@ The options \fBXN_FLAG_SEP_COMMA_PLUS\fR, \fBXN_FLAG_SEP_CPLUS_SPC\fR, \&\fBXN_FLAG_SEP_SPLUS_SPC\fR and \fBXN_FLAG_SEP_MULTILINE\fR determine the field separators to use. Two distinct separators are used between distinct RelativeDistinguishedName -components and separate values in the same RDN for a multi-valued RDN. -Multi-valued RDNs are currently very rare +components and separate values in the same RDN for a multi\-valued RDN. +Multi\-valued RDNs are currently very rare so the second separator will hardly ever be used. .PP \&\fBXN_FLAG_SEP_COMMA_PLUS\fR uses comma and plus as separators. @@ -134,7 +136,7 @@ use the short name (e.g. CN) the long name (e.g. commonName) always use OID numerical form (normally OIDs are only used if the field name is not recognised) and no field name respectively. .PP -If \fBXN_FLAG_SPC_EQ\fR is set then spaces will be placed around the '=' character +If \fBXN_FLAG_SPC_EQ\fR is set then spaces will be placed around the \*(Aq=\*(Aq character separating field names and values. .PP If \fBXN_FLAG_DUMP_UNKNOWN_FIELDS\fR is set then the encoding of unknown fields is @@ -177,7 +179,7 @@ Otherwise, it returns \-1 on error or other values on success. \&\fBASN1_STRING_print_ex\fR\|(3) .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2002\-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man3/X509_PUBKEY_new.3 b/secure/lib/libcrypto/man/man3/X509_PUBKEY_new.3 index c219dd763e28..e5454f4cac30 100644 --- a/secure/lib/libcrypto/man/man3/X509_PUBKEY_new.3 +++ b/secure/lib/libcrypto/man/man3/X509_PUBKEY_new.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_PUBKEY_NEW 3ossl" -.TH X509_PUBKEY_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_PUBKEY_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -155,18 +158,18 @@ similar to \fBd2i_PUBKEY()\fR and \fBi2d_PUBKEY()\fR except they decode or encod \&\fBd2i_PUBKEY_ex_bio()\fR and \fBd2i_PUBKEY_ex_fp()\fR are similar to \fBd2i_PUBKEY_ex()\fR except they decode using a \fBBIO\fR or \fBFILE\fR pointer. .PP -\&\fBX509_PUBKEY_set0_public_key()\fR sets the public-key encoding of \fIpub\fR +\&\fBX509_PUBKEY_set0_public_key()\fR sets the public\-key encoding of \fIpub\fR to the \fIpenclen\fR bytes contained in buffer \fIpenc\fR. -Any earlier public-key encoding in \fIpub\fR is freed. +Any earlier public\-key encoding in \fIpub\fR is freed. \&\fIpenc\fR may be NULL to indicate that there is no actual public key data. Ownership of the \fIpenc\fR argument is passed to \fIpub\fR. .PP -\&\fBX509_PUBKEY_set0_param()\fR sets the public-key parameters of \fIpub\fR. +\&\fBX509_PUBKEY_set0_param()\fR sets the public\-key parameters of \fIpub\fR. The OID associated with the algorithm is set to \fIaobj\fR. The type of the algorithm parameters is set to \fItype\fR using the structure \fIpval\fR. If \fIpenc\fR is not NULL the encoding of the public key itself is set to the \fIpenclen\fR bytes contained in buffer \fIpenc\fR and -any earlier public-key encoding in \fIpub\fR is freed. +any earlier public\-key encoding in \fIpub\fR is freed. On success ownership of all the supplied arguments is passed to \fIpub\fR so they must not be freed after the call. .PP diff --git a/secure/lib/libcrypto/man/man3/X509_REQ_get_attr.3 b/secure/lib/libcrypto/man/man3/X509_REQ_get_attr.3 index 38684e536f07..99ab9cd4099c 100644 --- a/secure/lib/libcrypto/man/man3/X509_REQ_get_attr.3 +++ b/secure/lib/libcrypto/man/man3/X509_REQ_get_attr.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_REQ_GET_ATTR 3ossl" -.TH X509_REQ_GET_ATTR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_REQ_GET_ATTR 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -110,13 +113,13 @@ See <openssl/obj_mac.h> for a list of NID_*. the \fIreq\fR objects list of attributes. An error occurs if \fIreq\fR is NULL. .PP \&\fBX509_REQ_add1_attr()\fR pushes a copy of the passed in \fBX509_ATTRIBUTE\fR \fRattr> -to the \fIreq\fR object's attribute list. An error will occur if either the +to the \fIreq\fR object\*(Aqs attribute list. An error will occur if either the attribute list is NULL or the attribute already exists. .PP \&\fBX509_REQ_add1_attr_by_OBJ()\fR creates a new \fBX509_ATTRIBUTE\fR using \&\fBX509_ATTRIBUTE_set1_object()\fR and \fBX509_ATTRIBUTE_set1_data()\fR to assign a new \&\fIobj\fR with type \fItype\fR and data \fIbytes\fR of length \fIlen\fR and then pushes it -to the \fIreq\fR object's attribute list. \fIreq\fR must be non NULL or an error +to the \fIreq\fR object\*(Aqs attribute list. \fIreq\fR must be non NULL or an error will occur. If \fIobj\fR already exists in the attribute list then an error occurs. .PP \&\fBX509_REQ_add1_attr_by_NID()\fR is similar to \fBX509_REQ_add1_attr_by_OBJ()\fR except 
@@ -133,7 +136,7 @@ Refer to \fBX509_ATTRIBUTE\fR\|(3) for information related to attributes. \&\fBX509_REQ_get_attr_count()\fR returns the number of attributes in the \fIreq\fR object attribute list or \-1 if the attribute list is NULL. .PP -\&\fBX509_REQ_get_attr_by_OBJ()\fR returns \-1 if either the \fIreq\fR object's attribute +\&\fBX509_REQ_get_attr_by_OBJ()\fR returns \-1 if either the \fIreq\fR object\*(Aqs attribute list is empty OR \fIobj\fR is not found, otherwise it returns the location of the \&\fIobj\fR in the attribute list. .PP diff --git a/secure/lib/libcrypto/man/man3/X509_REQ_get_extensions.3 b/secure/lib/libcrypto/man/man3/X509_REQ_get_extensions.3 index acaec721998a..271d154b94b0 100644 --- a/secure/lib/libcrypto/man/man3/X509_REQ_get_extensions.3 +++ b/secure/lib/libcrypto/man/man3/X509_REQ_get_extensions.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_REQ_GET_EXTENSIONS 3ossl" -.TH X509_REQ_GET_EXTENSIONS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_REQ_GET_EXTENSIONS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -86,7 +89,7 @@ using \fInid\fR to identify the extensions attribute. \&\fIreq\fR is unchanged if \fIexts\fR is NULL or an empty list. This function may be called more than once on the same \fIreq\fR and \fInid\fR. In such case any previous extensions are augmented, where an extension to be -added that has the same OID as a pre-existing one replaces this earlier one. +added that has the same OID as a pre\-existing one replaces this earlier one. .PP \&\fBX509_REQ_add_extensions()\fR is like \fBX509_REQ_add_extensions_nid()\fR except that the default \fBNID_ext_req\fR is used. diff --git a/secure/lib/libcrypto/man/man3/X509_SIG_get0.3 b/secure/lib/libcrypto/man/man3/X509_SIG_get0.3 index 5d3b63ab1b04..acdd21bb2e76 100644 --- a/secure/lib/libcrypto/man/man3/X509_SIG_get0.3 +++ b/secure/lib/libcrypto/man/man3/X509_SIG_get0.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_SIG_GET0 3ossl" -.TH X509_SIG_GET0 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_SIG_GET0 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_by_subject.3 b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_by_subject.3 index ff07ebdc5acf..67a256aff02d 100644 --- a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_by_subject.3 +++ b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_by_subject.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_STORE_CTX_GET_BY_SUBJECT 3ossl" -.TH X509_STORE_CTX_GET_BY_SUBJECT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_STORE_CTX_GET_BY_SUBJECT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_error.3 b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_error.3 index d05578b71283..0633f36ff4ae 100644 --- a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_error.3 +++ b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_error.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_STORE_CTX_GET_ERROR 3ossl" -.TH X509_STORE_CTX_GET_ERROR 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_STORE_CTX_GET_ERROR 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -167,17 +170,17 @@ Unspecified error; should not happen. .IX Item "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate" The issuer certificate of a locally looked up certificate could not be found. This normally means the list of trusted certificates is not complete. -To allow any certificate (not only a self-signed one) in the trust store +To allow any certificate (not only a self\-signed one) in the trust store to terminate the chain the \fBX509_V_FLAG_PARTIAL_CHAIN\fR flag may be set. .IP "\fBX509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL\fR" 4 .IX Item "X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL" The CRL of a certificate could not be found. -.IP "\fBX509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature\fR" 4 +.IP "\fBX509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate\*(Aqs signature\fR" 4 .IX Item "X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature" The certificate signature could not be decrypted. This means that the actual signature value could not be determined rather than it not matching the expected value, this is only meaningful for RSA keys. -.IP "\fBX509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature\fR" 4 +.IP "\fBX509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL\*(Aqs signature\fR" 4 .IX Item "X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature" The CRL signature could not be decrypted: this means that the actual signature value could not be determined rather than it not matching the expected value. 
@@ -206,29 +209,29 @@ The CRL is not yet valid. .IP "\fBX509_V_ERR_CRL_HAS_EXPIRED: CRL has expired\fR" 4 .IX Item "X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired" The CRL has expired. -.IP "\fBX509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field\fR" 4 +.IP "\fBX509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate\*(Aqs notBefore field\fR" 4 .IX Item "X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field" The certificate \f(CW\*(C`notBefore\*(C'\fR field contains an invalid time. -.IP "\fBX509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field\fR" 4 +.IP "\fBX509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate\*(Aqs notAfter field\fR" 4 .IX Item "X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field" The certificate \f(CW\*(C`notAfter\*(C'\fR field contains an invalid time. -.IP "\fBX509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field\fR" 4 +.IP "\fBX509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL\*(Aqs lastUpdate field\fR" 4 .IX Item "X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field" The CRL \fBlastUpdate\fR field contains an invalid time. -.IP "\fBX509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field\fR" 4 +.IP "\fBX509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL\*(Aqs nextUpdate field\fR" 4 .IX Item "X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field" The CRL \f(CW\*(C`nextUpdate\*(C'\fR field contains an invalid time. .IP "\fBX509_V_ERR_OUT_OF_MEM: out of memory\fR" 4 .IX Item "X509_V_ERR_OUT_OF_MEM: out of memory" An error occurred trying to allocate memory. 
-.IP "\fBX509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self-signed certificate\fR" 4 +.IP "\fBX509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self\-signed certificate\fR" 4 .IX Item "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self-signed certificate" -The passed certificate is self-signed and the same certificate cannot be found +The passed certificate is self\-signed and the same certificate cannot be found in the list of trusted certificates. -.IP "\fBX509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self-signed certificate in certificate chain\fR" 4 +.IP "\fBX509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self\-signed certificate in certificate chain\fR" 4 .IX Item "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self-signed certificate in certificate chain" The certificate chain could be built up using the untrusted certificates -but no suitable trust anchor (which typically is a self-signed root certificate) +but no suitable trust anchor (which typically is a self\-signed root certificate) could be found in the trust store. .IP "\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate\fR" 4 .IX Item "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate" 
@@ -237,19 +240,19 @@ of an untrusted certificate cannot be found. .IP "\fBX509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate\fR" 4 .IX Item "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate" No signatures could be verified because the chain contains only one certificate -and it is not self-signed and the \fBX509_V_FLAG_PARTIAL_CHAIN\fR flag is not set. +and it is not self\-signed and the \fBX509_V_FLAG_PARTIAL_CHAIN\fR flag is not set. .IP "\fBX509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long\fR" 4 .IX Item "X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long" The certificate chain length is greater than the supplied maximum depth. .IP "\fBX509_V_ERR_CERT_REVOKED: certificate revoked\fR" 4 .IX Item "X509_V_ERR_CERT_REVOKED: certificate revoked" The certificate has been revoked. -.IP "\fBX509_V_ERR_NO_ISSUER_PUBLIC_KEY: issuer certificate doesn't have a public key\fR" 4 +.IP "\fBX509_V_ERR_NO_ISSUER_PUBLIC_KEY: issuer certificate doesn\*(Aqt have a public key\fR" 4 .IX Item "X509_V_ERR_NO_ISSUER_PUBLIC_KEY: issuer certificate doesn't have a public key" The issuer certificate does not have a public key. .IP "\fBX509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded\fR" 4 .IX Item "X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded" -The basicConstraints path-length parameter has been exceeded. +The basicConstraints path\-length parameter has been exceeded. .IP "\fBX509_V_ERR_INVALID_PURPOSE: unsuitable certificate purpose\fR" 4 .IX Item "X509_V_ERR_INVALID_PURPOSE: unsuitable certificate purpose" The target certificate cannot be used for the specified purpose. 
@@ -289,9 +292,9 @@ Key usage does not include CRL signing. .IP "\fBX509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: unhandled critical CRL extension\fR" 4 .IX Item "X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: unhandled critical CRL extension" Unhandled critical CRL extension. -.IP "\fBX509_V_ERR_INVALID_NON_CA: invalid non-CA certificate (has CA markings)\fR" 4 +.IP "\fBX509_V_ERR_INVALID_NON_CA: invalid non\-CA certificate (has CA markings)\fR" 4 .IX Item "X509_V_ERR_INVALID_NON_CA: invalid non-CA certificate (has CA markings)" -Invalid non-CA certificate has CA markings. +Invalid non\-CA certificate has CA markings. .IP "\fBX509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: proxy path length constraint exceeded\fR" 4 .IX Item "X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: proxy path length constraint exceeded" Proxy path length constraint exceeded. @@ -322,7 +325,7 @@ The only CRLs that could be found did not match the scope of the certificate. .IP "\fBX509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: unsupported extension feature\fR" 4 .IX Item "X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: unsupported extension feature" Some feature of a certificate extension is not supported. Unused. -.IP "\fBX509_V_ERR_UNNESTED_RESOURCE: RFC 3779 resource not subset of parent's resources\fR" 4 +.IP "\fBX509_V_ERR_UNNESTED_RESOURCE: RFC 3779 resource not subset of parent\*(Aqs resources\fR" 4 .IX Item "X509_V_ERR_UNNESTED_RESOURCE: RFC 3779 resource not subset of parent's resources" See RFC 3779 for details. .IP "\fBX509_V_ERR_PERMITTED_VIOLATION: permitted subtree violation\fR" 4 
@@ -408,8 +411,8 @@ recognized by the OCSP responder. Cannot find certificate signature algorithm. .IP "\fBX509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH: subject signature algorithm and issuer public key algorithm mismatch\fR" 4 .IX Item "X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH: subject signature algorithm and issuer public key algorithm mismatch" -The issuer's public key is not of the type required by the signature in -the subject's certificate. +The issuer\*(Aqs public key is not of the type required by the signature in +the subject\*(Aqs certificate. .IP "\fBX509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY: cert info signature and signature algorithm mismatch\fR" 4 .IX Item "X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY: cert info signature and signature algorithm mismatch" The algorithm given in the certificate info is inconsistent diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_new.3 b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_new.3 index 17bedd104014..35d624b971fb 100644 --- a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_new.3 +++ b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_STORE_CTX_NEW 3ossl" -.TH X509_STORE_CTX_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_STORE_CTX_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -186,14 +189,14 @@ The target certificate is not copied (its reference count is not updated), and the caller must not free it before verification is complete. .PP \&\fBX509_STORE_CTX_set0_rpk()\fR sets the target raw public key to be verified in \fIctx\fR -to \fItarget\fR, a non-NULL raw public key preempts any target certificate, which +to \fItarget\fR, a non\-NULL raw public key preempts any target certificate, which is then ignored. The \fItarget\fR public key is not copied (its reference count is not updated), and the caller must not free it before verification is complete. .PP \&\fBX509_STORE_CTX_set0_verified_chain()\fR sets the validated chain to \fIchain\fR. Ownership of the chain is transferred to \fIctx\fR, -and so it should not be free'd by the caller. +and so it should not be free\*(Aqd by the caller. .PP \&\fBX509_STORE_CTX_get0_chain()\fR returns the internal pointer used by the \&\fIctx\fR that contains the constructed (output) chain. @@ -236,14 +239,14 @@ Details of the chain building and checking process are described in \&\fBX509_STORE_CTX_set0_verified_chain()\fR sets the validated chain used by \fIctx\fR to be \fIchain\fR. Ownership of the chain is transferred to \fIctx\fR, -and so it should not be free'd by the caller. +and so it should not be free\*(Aqd by the caller. .PP \&\fBX509_STORE_CTX_set_default()\fR looks up and sets the default verification method. This uses the function \fBX509_VERIFY_PARAM_lookup()\fR to find the set of parameters associated with the given verification method \fIname\fR. Among others, the parameters determine the trust model and verification purpose. More detail, including the list of currently predefined methods, -is described for the \fB\-verify_name\fR command-line option +is described for the \fB\-verify_name\fR command\-line option in "Verification Options" in \fBopenssl\-verification\-options\fR\|(1). .PP \&\fBX509_STORE_CTX_set_verify()\fR provides the capability for overriding the default 
@@ -279,7 +282,7 @@ custom "purpose" (see below) or supply a nondefault verification callback (\fBX509_STORE_set_verify_cb_func\fR\|(3)). .PP \&\fBX509_STORE_CTX_set_purpose()\fR sets the purpose for the target certificate being -verified in the \fIctx\fR. Built-in available values for the \fIpurpose\fR argument +verified in the \fIctx\fR. Built\-in available values for the \fIpurpose\fR argument are \fBX509_PURPOSE_SSL_CLIENT\fR, \fBX509_PURPOSE_SSL_SERVER\fR, \&\fBX509_PURPOSE_NS_SSL_SERVER\fR, \fBX509_PURPOSE_SMIME_SIGN\fR, \&\fBX509_PURPOSE_SMIME_ENCRYPT\fR, \fBX509_PURPOSE_CRL_SIGN\fR, \fBX509_PURPOSE_ANY\fR, @@ -297,7 +300,7 @@ to check whether it is consistent with the trust set by the system administrator for certificates in the chain. .PP \&\fBX509_STORE_CTX_set_trust()\fR sets the trust value for the target certificate -being verified in the \fIctx\fR. Built-in available values for the \fItrust\fR +being verified in the \fIctx\fR. Built\-in available values for the \fItrust\fR argument are \fBX509_TRUST_COMPAT\fR, \fBX509_TRUST_SSL_CLIENT\fR, \&\fBX509_TRUST_SSL_SERVER\fR, \fBX509_TRUST_EMAIL\fR, \fBX509_TRUST_OBJECT_SIGN\fR, \&\fBX509_TRUST_OCSP_SIGN\fR, \fBX509_TRUST_OCSP_REQUEST\fR and \fBX509_TRUST_TSA\fR. It is diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_set_verify_cb.3 b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_set_verify_cb.3 index 940fe076ffb5..5ed1e2596642 100644 --- a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_set_verify_cb.3 +++ b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_set_verify_cb.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_STORE_CTX_SET_VERIFY_CB 3ossl" -.TH X509_STORE_CTX_SET_VERIFY_CB 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_STORE_CTX_SET_VERIFY_CB 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -201,7 +204,7 @@ to continue after this error: \& } .Ve .PP -More complex example, we don't wish to continue after \fBany\fR certificate has +More complex example, we don\*(Aqt wish to continue after \fBany\fR certificate has expired just one specific case: .PP .Vb 4 diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_add_cert.3 b/secure/lib/libcrypto/man/man3/X509_STORE_add_cert.3 index 89a38feb6694..4d34a53a651d 100644 --- a/secure/lib/libcrypto/man/man3/X509_STORE_add_cert.3 +++ b/secure/lib/libcrypto/man/man3/X509_STORE_add_cert.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_STORE_ADD_CERT 3ossl" -.TH X509_STORE_ADD_CERT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_STORE_ADD_CERT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -125,10 +128,10 @@ via mechanisms such as \fBX509_STORE_add_lookup()\fR and \fBX509_LOOKUP_file()\f and many behaviors configured as desired. .PP Once the \fBX509_STORE\fR is suitably configured, \fBX509_STORE_CTX_new()\fR is -used to instantiate a single-use \fBX509_STORE_CTX\fR for each chain-building -and verification operation. That process includes providing the end-entity +used to instantiate a single\-use \fBX509_STORE_CTX\fR for each chain\-building +and verification operation. That process includes providing the end\-entity certificate to be verified and an additional set of untrusted certificates -that may be used in chain-building. As such, it is expected that the +that may be used in chain\-building. As such, it is expected that the certificates included in the \fBX509_STORE\fR are certificates that represent trusted entities such as root certificate authorities (CAs). OpenSSL represents these trusted certificates internally as \fBX509\fR objects @@ -138,8 +141,8 @@ The public interfaces that operate on such trusted certificates still operate on pointers to \fBX509\fR objects, though. .PP \&\fBX509_STORE_add_cert()\fR and \fBX509_STORE_add_crl()\fR add the respective object -to the \fBX509_STORE\fR's local storage. Untrusted objects should not be -added in this way. The added object's reference count is incremented by one, +to the \fBX509_STORE\fR\*(Aqs local storage. Untrusted objects should not be +added in this way. The added object\*(Aqs reference count is incremented by one, hence the caller retains ownership of the object and needs to free it when it is no longer needed. .PP diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_get0_param.3 b/secure/lib/libcrypto/man/man3/X509_STORE_get0_param.3 index 9c8b5c9b1a5e..ccec1ca3caba 100644 --- a/secure/lib/libcrypto/man/man3/X509_STORE_get0_param.3 +++ b/secure/lib/libcrypto/man/man3/X509_STORE_get0_param.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_STORE_GET0_PARAM 3ossl" -.TH X509_STORE_GET0_PARAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_STORE_GET0_PARAM 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -83,18 +86,20 @@ X509_STORE_get1_objects, X509_STORE_get0_objects, X509_STORE_get1_all_certs parameters for \fIxs\fR. The returned pointer must not be freed by the calling application .PP -\&\fBX509_STORE_get1_objects()\fR returns a snapshot of all objects in the store's X509 -cache. The cache contains \fBX509\fR and \fBX509_CRL\fR objects. The caller is -responsible for freeing the returned list. +\&\fBX509_STORE_get1_objects()\fR returns a snapshot of all objects in the store\*(Aqs X509 +cache. The cache contains \fBX509\fR and \fBX509_CRL\fR objects. The caller +is responsible for freeing the returned list, +using sk_X509_OBJECT_pop_free(sk, X509_OBJECT_free). .PP -\&\fBX509_STORE_get0_objects()\fR retrieves an internal pointer to the store's +\&\fBX509_STORE_get0_objects()\fR retrieves an internal pointer to the store\*(Aqs X509 object cache. The cache contains \fBX509\fR and \fBX509_CRL\fR objects. The returned pointer must not be freed by the calling application. If the store is shared across multiple threads, it is not safe to use the result of this function. Use \fBX509_STORE_get1_objects()\fR instead, which avoids this problem. .PP \&\fBX509_STORE_get1_all_certs()\fR returns a list of all certificates in the store. -The caller is responsible for freeing the returned list. +The caller is responsible for freeing the returned list +with \fBOSSL_STACK_OF_X509_free()\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBX509_STORE_get0_param()\fR returns a pointer to an @@ -111,6 +116,7 @@ objects on success, else NULL. certificates on success, else NULL. .SH "SEE ALSO" .IX Header "SEE ALSO" +\&\fBDEFINE_STACK_OF\fR\|(3), \&\fBX509_STORE_new\fR\|(3) .SH HISTORY .IX Header "HISTORY" diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_new.3 b/secure/lib/libcrypto/man/man3/X509_STORE_new.3 index 622418fd24dc..9cdb16ce6210 100644 --- a/secure/lib/libcrypto/man/man3/X509_STORE_new.3 +++ b/secure/lib/libcrypto/man/man3/X509_STORE_new.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_STORE_NEW 3ossl" -.TH X509_STORE_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_STORE_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_set_verify_cb_func.3 b/secure/lib/libcrypto/man/man3/X509_STORE_set_verify_cb_func.3 index 08f6a6503ec7..f7b41cacd4ca 100644 --- a/secure/lib/libcrypto/man/man3/X509_STORE_set_verify_cb_func.3 +++ b/secure/lib/libcrypto/man/man3/X509_STORE_set_verify_cb_func.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_STORE_SET_VERIFY_CB_FUNC 3ossl" -.TH X509_STORE_SET_VERIFY_CB_FUNC 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_STORE_SET_VERIFY_CB_FUNC 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -191,7 +194,7 @@ please see \fBX509_STORE_CTX_set_verify_cb\fR\|(3) for further information. \&\fIxs\fR to \fIverify\fR. Its purpose is to go through the chain of certificates and check that all signatures are valid and that the current time is within the -limits of each certificate's first and last validity time. +limits of each certificate\*(Aqs first and last validity time. The final chain verification functions must return 0 on failure and 1 on success. \&\fIIf no chain verification function is provided, the internal default @@ -207,7 +210,7 @@ Note that this search does not support backtracking. .PP \&\fBX509_STORE_set_get_issuer()\fR sets the function \fIget_issuer\fR that is used to get the "best" candidate issuer certificate of the given certificate \fIx\fR. -When such a certificate is found, \fIget_issuer\fR must up-ref and assign it +When such a certificate is found, \fIget_issuer\fR must up\-ref and assign it to \fI*issuer\fR and then return 1. Otherwise \fIget_issuer\fR must return 0 if not found and \-1 (or 0) on failure. If \fBX509_STORE_set_get_issuer()\fR is not used or \fIget_issuer\fR is NULL @@ -215,7 +218,7 @@ then \fBX509_STORE_CTX_get1_issuer()\fR is used as the default implementation. .PP \&\fBX509_STORE_set_check_issued()\fR sets the function to check that a given certificate \fIx\fR is issued by the issuer certificate \fIissuer\fR. -This function must return 0 on failure (among others if \fIx\fR hasn't +This function must return 0 on failure (among others if \fIx\fR hasn\*(Aqt been issued with \fIissuer\fR) and 1 on success. \&\fIIf no function to get the issuer is provided, the internal default function will be used instead.\fR 
@@ -264,7 +267,7 @@ function will be used instead.\fR .PP \&\fBX509_STORE_set_cleanup()\fR sets the final cleanup function, which is called when the context (\fBX509_STORE_CTX\fR) is being torn down. -This function doesn't return any value. +This function doesn\*(Aqt return any value. \&\fIIf no function to get the issuer is provided, the internal default function will be used instead.\fR .PP diff --git a/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3 b/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3 index 6b0b700431e0..e287b6d57073 100644 --- a/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3 +++ b/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_VERIFY_PARAM_SET_FLAGS 3ossl" -.TH X509_VERIFY_PARAM_SET_FLAGS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_VERIFY_PARAM_SET_FLAGS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -174,11 +177,11 @@ an existing policy set. That is the maximum number of intermediate CA certificates that can appear in a chain. A maximal depth chain contains 2 more certificates than the limit, since -neither the end-entity certificate nor the trust-anchor count against this +neither the end\-entity certificate nor the trust\-anchor count against this limit. -Thus a \fBdepth\fR limit of 0 only allows the end-entity certificate to be signed +Thus a \fBdepth\fR limit of 0 only allows the end\-entity certificate to be signed directly by the trust anchor, while with a \fBdepth\fR limit of 1 there can be one -intermediate CA certificate between the trust anchor and the end-entity +intermediate CA certificate between the trust anchor and the end\-entity certificate. .PP \&\fBX509_VERIFY_PARAM_set_auth_level()\fR sets the authentication security level to @@ -187,7 +190,7 @@ The authentication security level determines the acceptable signature and public key strength when verifying certificate chains. For a certificate chain to validate, the public keys of all the certificates must meet the specified security level. -The signature algorithm security level is not enforced for the chain's \fItrust +The signature algorithm security level is not enforced for the chain\*(Aqs \fItrust anchor\fR certificate, which is either directly trusted or validated by means other than its signature. See \fBSSL_CTX_set_security_level\fR\|(3) for the definitions of the available @@ -207,7 +210,7 @@ pointer is returned. \&\fBname\fR clearing any previously specified hostname. If \&\fBname\fR is NULL, or empty the list of hostnames is cleared, and name checks are not performed on the peer certificate. If \fBname\fR -is NUL-terminated, \fBnamelen\fR may be zero, otherwise \fBnamelen\fR +is NUL\-terminated, \fBnamelen\fR may be zero, otherwise \fBnamelen\fR must be set to the length of \fBname\fR. .PP When a hostname is specified, 
@@ -236,7 +239,7 @@ flag takes precedence over the \fBX509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT\fR flag. call to \fBX509_VERIFY_PARAM_set_hostflags()\fR. .PP \&\fBX509_VERIFY_PARAM_add1_host()\fR adds \fBname\fR as an additional reference -identifier that can match the peer's certificate. Any previous names +identifier that can match the peer\*(Aqs certificate. Any previous names set via \fBX509_VERIFY_PARAM_set1_host()\fR or \fBX509_VERIFY_PARAM_add1_host()\fR are retained, no change is made if \fBname\fR is NULL or empty. When multiple names are configured, the peer is considered verified when @@ -247,7 +250,7 @@ CommonName from the peer certificate that matched one of the reference identifiers. When wildcard matching is not disabled, or when a reference identifier specifies a parent domain (starts with ".") rather than a hostname, the peer name may be a wildcard name or a -sub-domain of the reference identifier respectively. The return +sub\-domain of the reference identifier respectively. The return string is allocated by the library and is no longer valid once the associated \fBparam\fR argument is freed. Applications must not free the return value. @@ -255,7 +258,7 @@ the return value. \&\fBX509_VERIFY_PARAM_get0_email()\fR returns the expected RFC822 email address. .PP \&\fBX509_VERIFY_PARAM_set1_email()\fR sets the expected RFC822 email address to -\&\fBemail\fR. If \fBemail\fR is NUL-terminated, \fBemaillen\fR may be zero, otherwise +\&\fBemail\fR. If \fBemail\fR is NUL\-terminated, \fBemaillen\fR may be zero, otherwise \&\fBemaillen\fR must be set to the length of \fBemail\fR. When an email address is specified, certificate verification automatically invokes \&\fBX509_check_email\fR\|(3). 
@@ -264,14 +267,14 @@ is specified, certificate verification automatically invokes The caller is responsible for freeing it. .PP \&\fBX509_VERIFY_PARAM_set1_ip()\fR sets the expected IP address to \fBip\fR. -The \fBip\fR argument is in binary format, in network byte-order and +The \fBip\fR argument is in binary format, in network byte\-order and \&\fBiplen\fR must be set to 4 for IPv4 and 16 for IPv6. When an IP address is specified, certificate verification automatically invokes \&\fBX509_check_ip\fR\|(3). .PP \&\fBX509_VERIFY_PARAM_set1_ip_asc()\fR sets the expected IP address to -\&\fBipasc\fR. The \fBipasc\fR argument is a NUL-terminal ASCII string: -dotted decimal quad for IPv4 and colon-separated hexadecimal for +\&\fBipasc\fR. The \fBipasc\fR argument is a NUL\-terminal ASCII string: +dotted decimal quad for IPv4 and colon\-separated hexadecimal for IPv6. The condensed "::" notation is supported for IPv6 addresses. .SH "RETURN VALUES" .IX Header "RETURN VALUES" 
@@ -350,12 +353,12 @@ If \fBX509_V_FLAG_USE_DELTAS\fR is set delta CRLs (if present) are used to determine certificate status. If not set deltas are ignored. .PP \&\fBX509_V_FLAG_CHECK_SS_SIGNATURE\fR requests checking the signature of -the last certificate in a chain if the certificate is supposedly self-signed. -This is prohibited and will result in an error if it is a non-conforming CA +the last certificate in a chain if the certificate is supposedly self\-signed. +This is prohibited and will result in an error if it is a non\-conforming CA certificate with key usage restrictions not including the \fIkeyCertSign\fR bit. -By default this check is disabled because it doesn't +By default this check is disabled because it doesn\*(Aqt add any additional security but in some cases applications might want to -check the signature anyway. A side effect of not checking the self-signature +check the signature anyway. A side effect of not checking the self\-signature of such a certificate is that disabled or unsupported message digests used for the signature are not treated as fatal errors. .PP 
@@ -378,15 +381,15 @@ found that is trusted. As of OpenSSL 1.1.0, with \fBX509_V_FLAG_TRUSTED_FIRST\fR always set, this option has no effect. .PP -The \fBX509_V_FLAG_PARTIAL_CHAIN\fR flag causes non-self-signed certificates in the -trust store to be treated as trust anchors, in the same way as self-signed +The \fBX509_V_FLAG_PARTIAL_CHAIN\fR flag causes non\-self\-signed certificates in the +trust store to be treated as trust anchors, in the same way as self\-signed root CA certificates. -This makes it possible to trust self-issued certificates as well as certificates +This makes it possible to trust self\-issued certificates as well as certificates issued by an intermediate CA without having to trust their ancestor root CA. With OpenSSL 1.1.0 and later and \fBX509_V_FLAG_PARTIAL_CHAIN\fR set, chain construction stops as soon as the first certificate contained in the trust store -is added to the chain, whether that certificate is a self-signed "root" -certificate or a not self-signed "intermediate" or self-issued certificate. +is added to the chain, whether that certificate is a self\-signed "root" +certificate or a not self\-signed "intermediate" or self\-issued certificate. Thus, when an intermediate certificate is found in the trust store, the verified chain passed to callbacks may be shorter than it otherwise would be without the \fBX509_V_FLAG_PARTIAL_CHAIN\fR flag. diff --git a/secure/lib/libcrypto/man/man3/X509_add_cert.3 b/secure/lib/libcrypto/man/man3/X509_add_cert.3 index 67d3fe572ff3..2673821f2b3e 100644 --- a/secure/lib/libcrypto/man/man3/X509_add_cert.3 +++ b/secure/lib/libcrypto/man/man3/X509_add_cert.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_ADD_CERT 3ossl" -.TH X509_ADD_CERT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_ADD_CERT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -98,7 +101,7 @@ In both cases the original order of the added certificates is preserved. If \fBX509_ADD_FLAG_NO_DUP\fR is set then certificates already contained in \fIsk\fR, which is determined using \fBX509_cmp\fR\|(3), are ignored. .PP -If \fBX509_ADD_FLAG_NO_SS\fR is set then certificates that are marked self-signed, +If \fBX509_ADD_FLAG_NO_SS\fR is set then certificates that are marked self\-signed, which is determined using \fBX509_self_signed\fR\|(3), are ignored. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/X509_check_ca.3 b/secure/lib/libcrypto/man/man3/X509_check_ca.3 index cf40df71f6af..efc04d467338 100644 --- a/secure/lib/libcrypto/man/man3/X509_check_ca.3 +++ b/secure/lib/libcrypto/man/man3/X509_check_ca.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_CHECK_CA 3ossl" -.TH X509_CHECK_CA 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_CHECK_CA 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -78,7 +81,7 @@ otherwise an error is returned. .IX Header "RETURN VALUES" Function return 0, if it is not CA certificate, 1 if it is proper X509v3 CA certificate with \fBbasicConstraints\fR extension CA:TRUE, -3, if it is self-signed X509 v1 certificate, 4, if it is certificate with +3, if it is self\-signed X509 v1 certificate, 4, if it is certificate with \&\fBkeyUsage\fR extension with bit \fBkeyCertSign\fR set, but without \&\fBbasicConstraints\fR, and 5 if it has outdated Netscape Certificate Type extension telling that it is CA certificate. diff --git a/secure/lib/libcrypto/man/man3/X509_check_host.3 b/secure/lib/libcrypto/man/man3/X509_check_host.3 index 15dcedbdf41d..230b139c95f3 100644 --- a/secure/lib/libcrypto/man/man3/X509_check_host.3 +++ b/secure/lib/libcrypto/man/man3/X509_check_host.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_CHECK_HOST 3ossl" -.TH X509_CHECK_HOST 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_CHECK_HOST 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -86,7 +89,7 @@ other means. Name (SAN) or Subject CommonName (CN) matches the specified hostname, which must be encoded in the preferred name syntax described in section 3.5 of RFC 1034. By default, wildcards are supported -and they match only in the left-most label; but they may match +and they match only in the left\-most label; but they may match part of that label with an explicit prefix or suffix. For example, by default, the host \fBname\fR "www.example.com" would match a certificate with a SAN or CN value of "*.example.com", "w*.example.com" @@ -97,7 +100,7 @@ domain names must be given in A\-label form. The \fBnamelen\fR argument must be the number of characters in the name string or zero in which case the length is calculated with strlen(\fBname\fR). When \fBname\fR starts with a dot (e.g. ".example.com"), it will be matched by a certificate -valid for any sub-domain of \fBname\fR, (see also +valid for any sub\-domain of \fBname\fR, (see also \&\fBX509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS\fR below). .PP When the certificate is matched, and \fBpeername\fR is not NULL, a 
@@ -124,7 +127,7 @@ explicitly marked addresses in the certificates are considered; IP addresses stored in DNS names and Common Names are ignored. There are currently no \fBflags\fR that would affect the behavior of this call. .PP -\&\fBX509_check_ip_asc()\fR is similar, except that the NUL-terminated +\&\fBX509_check_ip_asc()\fR is similar, except that the NUL\-terminated string \fBaddress\fR is first converted to the internal representation. .PP The \fBflags\fR argument is usually 0. It can be the bitwise OR of the @@ -172,8 +175,8 @@ to match more than one label in \fBname\fR; this flag only applies to \fBX509_check_host\fR. .PP If set, \fBX509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS\fR restricts \fBname\fR -values which start with ".", that would otherwise match any sub-domain -in the peer certificate, to only match direct child sub-domains. +values which start with ".", that would otherwise match any sub\-domain +in the peer certificate, to only match direct child sub\-domains. Thus, for instance, with this flag set a \fBname\fR of ".example.com" would match a peer certificate with a DNS name of "www.example.com", but would not match a peer certificate with a DNS name of diff --git a/secure/lib/libcrypto/man/man3/X509_check_issued.3 b/secure/lib/libcrypto/man/man3/X509_check_issued.3 index 0fb944ec85b8..768dd0d8b1d3 100644 --- a/secure/lib/libcrypto/man/man3/X509_check_issued.3 +++ b/secure/lib/libcrypto/man/man3/X509_check_issued.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_CHECK_ISSUED 3ossl" -.TH X509_CHECK_ISSUED 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_CHECK_ISSUED 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -75,7 +78,7 @@ certificate \&\fBX509_check_issued()\fR checks if certificate \fIsubject\fR was apparently issued using (CA) certificate \fIissuer\fR. This function takes into account not only matching of the issuer field of \fIsubject\fR with the subject field of \fIissuer\fR, -but also compares all sub-fields of the \fBauthorityKeyIdentifier\fR extension of +but also compares all sub\-fields of the \fBauthorityKeyIdentifier\fR extension of \&\fIsubject\fR, as far as present, with the respective \fBsubjectKeyIdentifier\fR, serial number, and issuer fields of \fIissuer\fR, as far as present. It also checks if the \fBkeyUsage\fR field (if present) of \fIissuer\fR allows certificate signing. diff --git a/secure/lib/libcrypto/man/man3/X509_check_private_key.3 b/secure/lib/libcrypto/man/man3/X509_check_private_key.3 index 1458f2a66eae..4b98ff3705c0 100644 --- a/secure/lib/libcrypto/man/man3/X509_check_private_key.3 +++ b/secure/lib/libcrypto/man/man3/X509_check_private_key.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_CHECK_PRIVATE_KEY 3ossl" -.TH X509_CHECK_PRIVATE_KEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_CHECK_PRIVATE_KEY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_check_purpose.3 b/secure/lib/libcrypto/man/man3/X509_check_purpose.3 index 193d5201d54e..63428a3a6b4e 100644 --- a/secure/lib/libcrypto/man/man3/X509_check_purpose.3 +++ b/secure/lib/libcrypto/man/man3/X509_check_purpose.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_CHECK_PURPOSE 3ossl" -.TH X509_CHECK_PURPOSE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_CHECK_PURPOSE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -101,11 +104,11 @@ X509_PURPOSE_set \- functions related to checking the purpose of a certificate .IX Header "DESCRIPTION" \&\fBX509_check_purpose()\fR checks if certificate \fIx\fR was created with the purpose represented by \fIid\fR. If \fIca\fR is nonzero, then certificate \fIx\fR is -checked to determine if it's a possible CA with various levels of certainty +checked to determine if it\*(Aqs a possible CA with various levels of certainty possibly returned. The certificate \fIx\fR must be a complete certificate otherwise the function returns an error. .PP -Below are the potential ID's that can be checked: +Below are the potential ID\*(Aqs that can be checked: .PP .Vb 10 \& # define X509_PURPOSE_SSL_CLIENT 1 @@ -144,7 +147,7 @@ the purpose (long) name \fIname\fR, the short name \fIsname\fR, the purpose chec function \fIck\fR of type \fBint (*) (const X509_PURPOSE *, const X509 *, int)\fR, and its user data \fIarg\fR which may be retrieved via the \fBX509_PURPOSE\fR pointer. .PP -\&\fBX509_PURPOSE_cleanup()\fR removes all purposes that are not pre-defined. +\&\fBX509_PURPOSE_cleanup()\fR removes all purposes that are not pre\-defined. .PP \&\fBX509_PURPOSE_get0()\fR returns an \fBX509_PURPOSE\fR pointer or NULL on error. .PP @@ -162,7 +165,7 @@ This resets to the any purpose if \fIpurpose\fR is \fBX509_PURPOSE_DEFAULT_ANY\f .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBX509_check_purpose()\fR returns the following values. -For non-CA checks +For non\-CA checks .IP "\-1 an error condition has occurred" 4 .IX Item "-1 an error condition has occurred" .PD 0 
@@ -217,7 +220,7 @@ int \fBX509_PURPOSE_add()\fR returns 1 on success, 0 on error. \&\fBX509_PURPOSE_set()\fR returns 1 on success, 0 on error. .SH BUGS .IX Header "BUGS" -The X509_PURPOSE implementation so far is not thread-safe. +The X509_PURPOSE implementation so far is not thread\-safe. There may be race conditions retrieving purpose information while \&\fBX509_PURPOSE_add()\fR or X509_PURPOSE_cleanup(void) is being called. .SH HISTORY diff --git a/secure/lib/libcrypto/man/man3/X509_cmp.3 b/secure/lib/libcrypto/man/man3/X509_cmp.3 index 70214dbad22f..f63052f57407 100644 --- a/secure/lib/libcrypto/man/man3/X509_cmp.3 +++ b/secure/lib/libcrypto/man/man3/X509_cmp.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_CMP 3ossl" -.TH X509_CMP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_CMP 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -94,7 +97,7 @@ canonical (DER) encoding values of the two objects using \fBi2d_X509_NAME\fR\|(3 This procedure adheres to the matching rules for Distinguished Names (DN) given in RFC 4517 section 4.2.15 and RFC 5280 section 7.1. In particular, the order of Relative Distinguished Names (RDNs) is relevant. -On the other hand, if an RDN is multi-valued, i.e., it contains a set of +On the other hand, if an RDN is multi\-valued, i.e., it contains a set of AttributeValueAssertions (AVAs), its members are effectively not ordered. .PP The \fBX509_issuer_and_serial_cmp()\fR function compares the serial number and issuer diff --git a/secure/lib/libcrypto/man/man3/X509_cmp_time.3 b/secure/lib/libcrypto/man/man3/X509_cmp_time.3 index e220223d2393..04d178e68482 100644 --- a/secure/lib/libcrypto/man/man3/X509_cmp_time.3 +++ b/secure/lib/libcrypto/man/man3/X509_cmp_time.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_CMP_TIME 3ossl" -.TH X509_CMP_TIME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_CMP_TIME 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_digest.3 b/secure/lib/libcrypto/man/man3/X509_digest.3 index 142f77fe84c7..dc69f9c59646 100644 --- a/secure/lib/libcrypto/man/man3/X509_digest.3 +++ b/secure/lib/libcrypto/man/man3/X509_digest.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_DIGEST 3ossl" -.TH X509_DIGEST 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_DIGEST 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_dup.3 b/secure/lib/libcrypto/man/man3/X509_dup.3 index 9f1ccb64aa78..8f4482b3c7ea 100644 --- a/secure/lib/libcrypto/man/man3/X509_dup.3 +++ b/secure/lib/libcrypto/man/man3/X509_dup.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_DUP 3ossl" -.TH X509_DUP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_DUP 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -534,7 +537,7 @@ see \fBopenssl_user_macros\fR\|(7): In the description below, \fR\f(BITYPE\fR\fB\fR is used as a placeholder for any of the OpenSSL datatypes, such as \fBX509\fR. .PP -The OpenSSL ASN1 parsing library templates are like a data-driven bytecode +The OpenSSL ASN1 parsing library templates are like a data\-driven bytecode interpreter. Every ASN1 object as a global variable, TYPE_it, that describes the item such as its fields. (On systems which cannot export variables from shared @@ -564,16 +567,16 @@ To avoid such situations, better use \fB\fR\f(BITYPE\fR\fB_up_ref\fR() if availa For the case of \fBX509\fR objects, an alternative to using \fBX509_up_ref\fR\|(3) may be to still call \fB\fR\f(BITYPE\fR\fB_dup\fR(), e.g., \fIcopied_cert = X509_dup(cert)\fR, followed by \fIX509_check_purpose(copied_cert, \-1, 0)\fR, -which re-builds the cached data. +which re\-builds the cached data. .PP -\&\fR\f(BITYPE\fR\fB_free\fR() releases the object and all pointers and sub-objects +\&\fR\f(BITYPE\fR\fB_free\fR() releases the object and all pointers and sub\-objects within it. If the argument is NULL, nothing is done. .PP \&\fR\f(BITYPE\fR\fB_print_ctx\fR() prints the object \fIa\fR on the specified BIO \fIout\fR. Each line will be prefixed with \fIindent\fR spaces. The \fIpctx\fR specifies the printing context and is for internal use; use NULL to get the default behavior. If a print function is -user-defined, then pass in any \fIpctx\fR down to any nested calls. +user\-defined, then pass in any \fIpctx\fR down to any nested calls. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fR\f(BITYPE\fR\fB_new\fR(), \fB\fR\f(BITYPE\fR\fB_new_ex\fR() and \fB\fR\f(BITYPE\fR\fB_dup\fR() return a pointer to diff --git a/secure/lib/libcrypto/man/man3/X509_get0_distinguishing_id.3 b/secure/lib/libcrypto/man/man3/X509_get0_distinguishing_id.3 index aa1c826af237..961e70add2a4 100644 --- a/secure/lib/libcrypto/man/man3/X509_get0_distinguishing_id.3 
+++ b/secure/lib/libcrypto/man/man3/X509_get0_distinguishing_id.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_GET0_DISTINGUISHING_ID 3ossl" -.TH X509_GET0_DISTINGUISHING_ID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_GET0_DISTINGUISHING_ID 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_get0_notBefore.3 b/secure/lib/libcrypto/man/man3/X509_get0_notBefore.3 index 9cbe8977fc3a..65004fb7d7f5 100644 --- a/secure/lib/libcrypto/man/man3/X509_get0_notBefore.3 +++ b/secure/lib/libcrypto/man/man3/X509_get0_notBefore.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_GET0_NOTBEFORE 3ossl" -.TH X509_GET0_NOTBEFORE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_GET0_NOTBEFORE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -102,7 +105,7 @@ the call. \fIx\fR \fBMUST NOT\fR be NULL. .PP \&\fBX509_getm_notBefore()\fR and \fBX509_getm_notAfter()\fR are similar to \&\fBX509_get0_notBefore()\fR and \fBX509_get0_notAfter()\fR except they return -non-constant mutable references to the associated date field of +non\-constant mutable references to the associated date field of the certificate. .PP \&\fBX509_set1_notBefore()\fR and \fBX509_set1_notAfter()\fR set the \fBnotBefore\fR diff --git a/secure/lib/libcrypto/man/man3/X509_get0_signature.3 b/secure/lib/libcrypto/man/man3/X509_get0_signature.3 index 222733a4dd60..a8dce441d9df 100644 --- a/secure/lib/libcrypto/man/man3/X509_get0_signature.3 +++ b/secure/lib/libcrypto/man/man3/X509_get0_signature.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_GET0_SIGNATURE 3ossl" -.TH X509_GET0_SIGNATURE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_GET0_SIGNATURE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_get0_uids.3 b/secure/lib/libcrypto/man/man3/X509_get0_uids.3 index 55bd709997f9..0233417bf631 100644 --- a/secure/lib/libcrypto/man/man3/X509_get0_uids.3 +++ b/secure/lib/libcrypto/man/man3/X509_get0_uids.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_GET0_UIDS 3ossl" -.TH X509_GET0_UIDS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_GET0_UIDS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_get_default_cert_file.3 b/secure/lib/libcrypto/man/man3/X509_get_default_cert_file.3 index 32740736cc47..32eaf57dc5b2 100644 --- a/secure/lib/libcrypto/man/man3/X509_get_default_cert_file.3 +++ b/secure/lib/libcrypto/man/man3/X509_get_default_cert_file.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_GET_DEFAULT_CERT_FILE 3ossl" -.TH X509_GET_DEFAULT_CERT_FILE 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_GET_DEFAULT_CERT_FILE 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -83,13 +86,13 @@ the default path when it is asked to load trusted CA certificates from a file and no other path is specified. If the file exists, CA certificates are loaded from the file. .PP -The \fBX509_get_default_cert_dir()\fR function returns a default delimeter-separated +The \fBX509_get_default_cert_dir()\fR function returns a default delimeter\-separated list of paths to a directories containing trusted CA certificates named in the hashed format. OpenSSL will use this as the default list of paths when it is asked to load trusted CA certificates from a directory and no other path is specified. If a given directory in the list exists, OpenSSL attempts to lookup CA certificates in this directory by calculating a filename based on a hash of -the certificate's subject name. +the certificate\*(Aqs subject name. .PP \&\fBX509_get_default_cert_file_env()\fR returns an environment variable name which is recommended to specify a nondefault value to be used instead of the value @@ -107,7 +110,7 @@ variable can also be a store URI (but see BUGS below). .IX Header "BUGS" By default (for example, when \fBX509_STORE_set_default_paths\fR\|(3) is used), the environment variable name returned by \fBX509_get_default_cert_dir_env()\fR is -interpreted both as a delimiter-separated list of paths, and as a store URI. +interpreted both as a delimiter\-separated list of paths, and as a store URI. This is ambiguous. For example, specifying a value of \fB"file:///etc/certs"\fR would cause instantiation of the "file" store provided as part of the default provider, but would also cause an \fBX509_LOOKUP_hash_dir\fR\|(3) instance to look diff --git a/secure/lib/libcrypto/man/man3/X509_get_extension_flags.3 b/secure/lib/libcrypto/man/man3/X509_get_extension_flags.3 index 566f23d0b7f7..f00653a3f04c 100644 --- a/secure/lib/libcrypto/man/man3/X509_get_extension_flags.3 +++ b/secure/lib/libcrypto/man/man3/X509_get_extension_flags.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_GET_EXTENSION_FLAGS 3ossl" -.TH X509_GET_EXTENSION_FLAGS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_GET_EXTENSION_FLAGS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -128,7 +131,7 @@ The certificate contains an unhandled critical extension. .IX Item "EXFLAG_INVALID" Some certificate extension values are invalid or inconsistent. The certificate should be rejected. -This bit may also be raised after an out-of-memory error while +This bit may also be raised after an out\-of\-memory error while processing the X509 object, so it may not be related to the processed ASN1 object itself. .IP \fBEXFLAG_NO_FINGERPRINT\fR 4 @@ -139,7 +142,7 @@ This may be due to malloc failure or because no SHA1 implementation was found. .IX Item "EXFLAG_INVALID_POLICY" The NID_certificate_policies certificate extension is invalid or inconsistent. The certificate should be rejected. -This bit may also be raised after an out-of-memory error while +This bit may also be raised after an out\-of\-memory error while processing the X509 object, so it may not be related to the processed ASN1 object itself. .IP \fBEXFLAG_KUSAGE\fR 4 
@@ -163,9 +166,9 @@ returned. extension. If extended key usage is present it will return zero or more of the flags: \fBXKU_SSL_SERVER\fR, \fBXKU_SSL_CLIENT\fR, \fBXKU_SMIME\fR, \fBXKU_CODE_SIGN\fR \&\fBXKU_OCSP_SIGN\fR, \fBXKU_TIMESTAMP\fR, \fBXKU_DVCS\fR or \fBXKU_ANYEKU\fR. These -correspond to the OIDs \fBid-kp-serverAuth\fR, \fBid-kp-clientAuth\fR, -\&\fBid-kp-emailProtection\fR, \fBid-kp-codeSigning\fR, \fBid-kp-OCSPSigning\fR, -\&\fBid-kp-timeStamping\fR, \fBid-kp-dvcs\fR and \fBanyExtendedKeyUsage\fR respectively. +correspond to the OIDs \fBid\-kp\-serverAuth\fR, \fBid\-kp\-clientAuth\fR, +\&\fBid\-kp\-emailProtection\fR, \fBid\-kp\-codeSigning\fR, \fBid\-kp\-OCSPSigning\fR, +\&\fBid\-kp\-timeStamping\fR, \fBid\-kp\-dvcs\fR and \fBanyExtendedKeyUsage\fR respectively. Additionally \fBXKU_SGC\fR is set if either Netscape or Microsoft SGC OIDs are present. .PP diff --git a/secure/lib/libcrypto/man/man3/X509_get_pubkey.3 b/secure/lib/libcrypto/man/man3/X509_get_pubkey.3 index c325bcb4f922..88f0277d6a59 100644 --- a/secure/lib/libcrypto/man/man3/X509_get_pubkey.3 +++ b/secure/lib/libcrypto/man/man3/X509_get_pubkey.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_GET_PUBKEY 3ossl" -.TH X509_GET_PUBKEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_GET_PUBKEY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man3/X509_get_serialNumber.3 b/secure/lib/libcrypto/man/man3/X509_get_serialNumber.3 index 28008de3666a..11a7d67a23ce 100644 --- a/secure/lib/libcrypto/man/man3/X509_get_serialNumber.3 +++ b/secure/lib/libcrypto/man/man3/X509_get_serialNumber.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_GET_SERIALNUMBER 3ossl" -.TH X509_GET_SERIALNUMBER 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_GET_SERIALNUMBER 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_get_subject_name.3 b/secure/lib/libcrypto/man/man3/X509_get_subject_name.3 index cd3f99cfc118..d12885e26d46 100644 --- a/secure/lib/libcrypto/man/man3/X509_get_subject_name.3 +++ b/secure/lib/libcrypto/man/man3/X509_get_subject_name.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_GET_SUBJECT_NAME 3ossl" -.TH X509_GET_SUBJECT_NAME 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_GET_SUBJECT_NAME 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_get_version.3 b/secure/lib/libcrypto/man/man3/X509_get_version.3 index 584fd8275680..e5d3a3c6af1b 100644 --- a/secure/lib/libcrypto/man/man3/X509_get_version.3 +++ b/secure/lib/libcrypto/man/man3/X509_get_version.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_GET_VERSION 3ossl" -.TH X509_GET_VERSION 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_GET_VERSION 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_load_http.3 b/secure/lib/libcrypto/man/man3/X509_load_http.3 index 8ab562a084bc..1087de72c036 100644 --- a/secure/lib/libcrypto/man/man3/X509_load_http.3 +++ b/secure/lib/libcrypto/man/man3/X509_load_http.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_LOAD_HTTP 3ossl" -.TH X509_LOAD_HTTP 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_LOAD_HTTP 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/X509_new.3 b/secure/lib/libcrypto/man/man3/X509_new.3 index 11e74bdf231a..f6a6f22a9193 100644 --- a/secure/lib/libcrypto/man/man3/X509_new.3 +++ b/secure/lib/libcrypto/man/man3/X509_new.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_NEW 3ossl" -.TH X509_NEW 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_NEW 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -112,7 +115,7 @@ The function \fBX509_up_ref()\fR if useful if a certificate structure is being used by several different operations each of which will free it up after use: this avoids the need to duplicate the entire certificate structure. .PP -The function \fBX509_chain_up_ref()\fR doesn't just up the reference count of +The function \fBX509_chain_up_ref()\fR doesn\*(Aqt just up the reference count of each certificate. It also returns a copy of the stack, using \fBsk_X509_dup()\fR, but it serves a similar purpose: the returned chain persists after the original has been freed. diff --git a/secure/lib/libcrypto/man/man3/X509_sign.3 b/secure/lib/libcrypto/man/man3/X509_sign.3 index ee2a2dd48f9e..a7cb3c2d7761 100644 --- a/secure/lib/libcrypto/man/man3/X509_sign.3 +++ b/secure/lib/libcrypto/man/man3/X509_sign.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_SIGN 3ossl" -.TH X509_SIGN 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_SIGN 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -101,7 +104,7 @@ sign certificate requests and CRLs, respectively. .IX Header "NOTES" \&\fBX509_sign_ctx()\fR is used where the default parameters for the corresponding public key and digest are not suitable. It can be used to sign keys using -RSA-PSS for example. +RSA\-PSS for example. .PP For efficiency reasons and to work around ASN.1 encoding issues the encoding of the signed portion of a certificate, certificate request and CRL is cached diff --git a/secure/lib/libcrypto/man/man3/X509_verify.3 b/secure/lib/libcrypto/man/man3/X509_verify.3 index 8997f77a53b0..4b9d527313cc 100644 --- a/secure/lib/libcrypto/man/man3/X509_verify.3 +++ b/secure/lib/libcrypto/man/man3/X509_verify.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_VERIFY 3ossl" -.TH X509_VERIFY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_VERIFY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -87,7 +90,7 @@ verify certificate, certificate request, or CRL signature \&\fIpkey\fR. Only the signature is checked: no other checks (such as certificate chain validity) are performed. .PP -\&\fBX509_self_signed()\fR checks whether certificate \fIcert\fR is self-signed. +\&\fBX509_self_signed()\fR checks whether certificate \fIcert\fR is self\-signed. For success the issuer and subject names must match, the components of the authority key identifier (if present) must match the subject key identifier etc. The signature itself is actually verified only if \fBverify_signature\fR is 1, as @@ -101,7 +104,7 @@ respectively. \&\fBX509_verify()\fR, \&\fBX509_REQ_verify_ex()\fR, \fBX509_REQ_verify()\fR and \fBX509_CRL_verify()\fR return 1 if the signature is valid and 0 if the signature check fails. -If the signature could not be checked at all because it was ill-formed, +If the signature could not be checked at all because it was ill\-formed, the certificate or the request was not complete or some other error occurred then \-1 is returned. .PP diff --git a/secure/lib/libcrypto/man/man3/X509_verify_cert.3 b/secure/lib/libcrypto/man/man3/X509_verify_cert.3 index 5c34f3c38627..108add8d20be 100644 --- a/secure/lib/libcrypto/man/man3/X509_verify_cert.3 +++ b/secure/lib/libcrypto/man/man3/X509_verify_cert.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509_VERIFY_CERT 3ossl" -.TH X509_VERIFY_CERT 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509_VERIFY_CERT 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -85,11 +88,11 @@ It internally uses a \fBX509_STORE_CTX\fR structure associated with the library context \fIlibctx\fR and property query string \fIpropq\fR, both of which may be NULL. In case there is more than one possibility for the chain, only one is taken. .PP -On success it returns a pointer to a new stack of (up_ref'ed) certificates +On success it returns a pointer to a new stack of (up_ref\*(Aqed) certificates starting with \fItarget\fR and followed by all available intermediate certificates. -A self-signed trust anchor is included only if \fItarget\fR is the trust anchor +A self\-signed trust anchor is included only if \fItarget\fR is the trust anchor of \fIwith_self_signed\fR is 1. -If a non-NULL stack is returned the caller is responsible for freeing it. +If a non\-NULL stack is returned the caller is responsible for freeing it. .PP The \fBX509_verify_cert()\fR function attempts to discover and validate a certificate chain based on parameters in \fIctx\fR. 
@@ -97,7 +100,7 @@ The verification context, of type \fBX509_STORE_CTX\fR, can be constructed using \fBX509_STORE_CTX_new\fR\|(3) and \fBX509_STORE_CTX_init\fR\|(3). It usually includes a target certificate to be verified, a set of certificates serving as trust anchors, -a list of non-trusted certificates that may be helpful for chain construction, +a list of non\-trusted certificates that may be helpful for chain construction, flags such as X509_V_FLAG_X509_STRICT, and various other optional components such as a callback function that allows customizing the verification outcome. A complete description of the certificate verification process is contained in diff --git a/secure/lib/libcrypto/man/man3/X509v3_get_ext_by_NID.3 b/secure/lib/libcrypto/man/man3/X509v3_get_ext_by_NID.3 index 962b32c7dd0f..21b8d992213d 100644 --- a/secure/lib/libcrypto/man/man3/X509v3_get_ext_by_NID.3 +++ b/secure/lib/libcrypto/man/man3/X509v3_get_ext_by_NID.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509V3_GET_EXT_BY_NID 3ossl" -.TH X509V3_GET_EXT_BY_NID 3ossl 2025-09-30 3.5.4 OpenSSL +.TH X509V3_GET_EXT_BY_NID 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -134,7 +137,7 @@ the extension is found, its index is returned, otherwise \-1 is returned. .PP \&\fBX509v3_get_ext_by_critical()\fR is similar to \fBX509v3_get_ext_by_NID()\fR except it looks for an extension of criticality \fIcrit\fR. A zero value for \fIcrit\fR -looks for a non-critical extension. A nonzero value looks for a critical +looks for a non\-critical extension. A nonzero value looks for a critical extension. .PP \&\fBX509v3_delete_ext()\fR deletes the extension with index \fIloc\fR from \fIx\fR. @@ -150,7 +153,7 @@ The passed extension \fIex\fR is duplicated so it must be freed after use. The STACK \fI*target\fR is returned unchanged if \fIexts\fR is NULL or an empty list. Otherwise a new stack is allocated if \fI*target\fR is NULL. An extension to be added -that has the same OID as a pre-existing one replaces this earlier one. +that has the same OID as a pre\-existing one replaces this earlier one. .PP \&\fBX509_get_ext_count()\fR, \fBX509_get_ext()\fR, \fBX509_get_ext_by_NID()\fR, \&\fBX509_get_ext_by_OBJ()\fR, \fBX509_get_ext_by_critical()\fR, \fBX509_delete_ext()\fR @@ -181,7 +184,7 @@ These search functions start from the extension \fBafter\fR the \fIlastpos\fR pa so it should initially be set to \-1. If it is set to zero, the initial extension will not be checked. .PP -\&\fBX509v3_delete_ext()\fR and its variants are a bit counter-intuitive +\&\fBX509v3_delete_ext()\fR and its variants are a bit counter\-intuitive because these functions do not free the extension they delete. They return an \fBX509_EXTENSION\fR object which must be explicitly freed using \fBX509_EXTENSION_free()\fR. diff --git a/secure/lib/libcrypto/man/man3/b2i_PVK_bio_ex.3 b/secure/lib/libcrypto/man/man3/b2i_PVK_bio_ex.3 index da15b9a4ab9f..81dad9d666c4 100644 --- a/secure/lib/libcrypto/man/man3/b2i_PVK_bio_ex.3 +++ b/secure/lib/libcrypto/man/man3/b2i_PVK_bio_ex.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "B2I_PVK_BIO_EX 3ossl" -.TH B2I_PVK_BIO_EX 3ossl 2025-09-30 3.5.4 OpenSSL +.TH B2I_PVK_BIO_EX 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/d2i_PKCS8PrivateKey_bio.3 b/secure/lib/libcrypto/man/man3/d2i_PKCS8PrivateKey_bio.3 index d90c45f3baba..8d10cb4a0155 100644 --- a/secure/lib/libcrypto/man/man3/d2i_PKCS8PrivateKey_bio.3 +++ b/secure/lib/libcrypto/man/man3/d2i_PKCS8PrivateKey_bio.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "D2I_PKCS8PRIVATEKEY_BIO 3ossl" -.TH D2I_PKCS8PRIVATEKEY_BIO 3ossl 2025-09-30 3.5.4 OpenSSL +.TH D2I_PKCS8PRIVATEKEY_BIO 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/d2i_PrivateKey.3 b/secure/lib/libcrypto/man/man3/d2i_PrivateKey.3 index 49072770717a..ae2a47b8d0ff 100644 
--- a/secure/lib/libcrypto/man/man3/d2i_PrivateKey.3 +++ b/secure/lib/libcrypto/man/man3/d2i_PrivateKey.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "D2I_PRIVATEKEY 3ossl" -.TH D2I_PRIVATEKEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH D2I_PRIVATEKEY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -109,7 +112,7 @@ i2d_PrivateKey_fp .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBd2i_PrivateKey_ex()\fR decodes a private key using algorithm \fItype\fR. It attempts -to use any key-specific format or PKCS#8 unencrypted PrivateKeyInfo format. +to use any key\-specific format or PKCS#8 unencrypted PrivateKeyInfo format. The \fItype\fR parameter should be a public key algorithm constant such as \&\fBEVP_PKEY_RSA\fR. An error occurs if the decoded key does not match \fItype\fR. Some private key decoding implementations may use cryptographic algorithms (for @@ -153,7 +156,7 @@ to encrypt or decrypt private keys should use other functions such as \&\fBd2i_PKCS8PrivateKey()\fR instead. .PP To decode a key with type \fBEVP_PKEY_EC\fR, \fBd2i_PublicKey()\fR requires \fI*a\fR to be -a non-NULL EVP_PKEY structure assigned an EC_KEY structure referencing the proper +a non\-NULL EVP_PKEY structure assigned an EC_KEY structure referencing the proper EC_GROUP. .SH "RETURN VALUES" .IX Header "RETURN VALUES" 
diff --git a/secure/lib/libcrypto/man/man3/d2i_RSAPrivateKey.3 b/secure/lib/libcrypto/man/man3/d2i_RSAPrivateKey.3 index e617d564606f..5c77a28bdb07 100644 --- a/secure/lib/libcrypto/man/man3/d2i_RSAPrivateKey.3 +++ b/secure/lib/libcrypto/man/man3/d2i_RSAPrivateKey.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "D2I_RSAPRIVATEKEY 3ossl" -.TH D2I_RSAPRIVATEKEY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH D2I_RSAPRIVATEKEY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -172,11 +175,11 @@ OpenSSL datatypes, such as \fBRSA\fR. The function parameters \fIppin\fR and \fIppout\fR are generally either both named \&\fIpp\fR in the headers, or \fIin\fR and \fIout\fR. .PP -All the functions here behave the way that's described in \fBd2i_X509\fR\|(3). +All the functions here behave the way that\*(Aqs described in \fBd2i_X509\fR\|(3). .PP Please note that not all functions in the synopsis are available for all key types. For example, there are no \fBd2i_RSAparams()\fR or \fBi2d_RSAparams()\fR, -because the PKCS#1 \fBRSA\fR structure doesn't include any key parameters. +because the PKCS#1 \fBRSA\fR structure doesn\*(Aqt include any key parameters. .PP \&\fBd2i_\fR\f(BITYPE\fR\fBPrivateKey\fR() and derivates thereof decode DER encoded \&\fR\f(BITYPE\fR\fB\fR private key data organized in a type specific structure. 
@@ -307,7 +310,7 @@ of the encoded structure. The ways that \fI*ppin\fR and \fI*ppout\fR are incremented after the operation can trap the unwary. See the \fBWARNINGS\fR section in \fBd2i_X509\fR\|(3) for some common errors. -The reason for this-auto increment behaviour is to reflect a typical +The reason for this\-auto increment behaviour is to reflect a typical usage of ASN1 functions: after one structure is encoded or decoded another will be processed after it. .PP @@ -317,7 +320,7 @@ The following points about the data types might be useful: Represents a DSA public key using a \fBSubjectPublicKeyInfo\fR structure. .IP "\fBDSAPublicKey\fR, \fBDSAPrivateKey\fR" 4 .IX Item "DSAPublicKey, DSAPrivateKey" -Use a non-standard OpenSSL format and should be avoided; use \fBDSA_PUBKEY\fR, +Use a non\-standard OpenSSL format and should be avoided; use \fBDSA_PUBKEY\fR, \&\fBPEM_write_PrivateKey\fR\|(3), or similar instead. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man3/d2i_SSL_SESSION.3 b/secure/lib/libcrypto/man/man3/d2i_SSL_SESSION.3 index ac0f4d3d861e..0cf8bcf6d2ab 100644 --- a/secure/lib/libcrypto/man/man3/d2i_SSL_SESSION.3 +++ b/secure/lib/libcrypto/man/man3/d2i_SSL_SESSION.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "D2I_SSL_SESSION 3ossl" -.TH D2I_SSL_SESSION 3ossl 2025-09-30 3.5.4 OpenSSL +.TH D2I_SSL_SESSION 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -80,7 +83,7 @@ These functions decode and encode an SSL_SESSION object. For encoding details see \fBd2i_X509\fR\|(3). .PP SSL_SESSION objects keep internal link information about the session cache -list, when being inserted into one SSL_CTX object's session cache. +list, when being inserted into one SSL_CTX object\*(Aqs session cache. One SSL_SESSION object, regardless of its reference count, must therefore only be used with one SSL_CTX object (and the SSL objects created from this SSL_CTX object). @@ -88,7 +91,7 @@ from this SSL_CTX object). .IX Header "RETURN VALUES" \&\fBd2i_SSL_SESSION()\fR and \fBd2i_SSL_SESSION_ex()\fR return a pointer to the newly allocated SSL_SESSION object. -In case of failure the NULL-pointer is returned and the error message +In case of failure the NULL\-pointer is returned and the error message can be retrieved from the error stack. .PP \&\fBi2d_SSL_SESSION()\fR returns the size of the ASN1 representation in bytes. diff --git a/secure/lib/libcrypto/man/man3/d2i_X509.3 b/secure/lib/libcrypto/man/man3/d2i_X509.3 index 37e64608b5e6..343f5af64d42 100644 --- a/secure/lib/libcrypto/man/man3/d2i_X509.3 +++ b/secure/lib/libcrypto/man/man3/d2i_X509.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "D2I_X509 3ossl" -.TH D2I_X509 3ossl 2025-09-30 3.5.4 OpenSSL +.TH D2I_X509 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -517,7 +520,7 @@ The function parameters \fIppin\fR and \fIppout\fR are generally either both named \fIpp\fR in the headers, or \fIin\fR and \fIout\fR. .PP These functions convert OpenSSL objects to and from their ASN.1/DER -encoding. Unlike the C structures which can have pointers to sub-objects +encoding. Unlike the C structures which can have pointers to sub\-objects within, the DER is a serialized encoding, suitable for sending over the network, writing to a file, and so on. .PP @@ -583,7 +586,7 @@ of the encoded structure. The ways that \fI*ppin\fR and \fI*ppout\fR are incremented after the operation can trap the unwary. See the \fBWARNINGS\fR section for some common errors. -The reason for this-auto increment behaviour is to reflect a typical +The reason for this\-auto increment behaviour is to reflect a typical usage of ASN1 functions: after one structure is encoded or decoded another will be processed after it. .PP @@ -627,6 +630,10 @@ value if an error occurs. \&\fBi2d_\fR\f(BITYPE\fR\fB_bio\fR() and \fBi2d_\fR\f(BITYPE\fR\fB_fp\fR(), as well as \fBi2d_ASN1_bio_stream()\fR, return 1 for success and 0 if an error occurs. +.PP +On error, these functions may record the error in the OpenSSL error queue. +That error queue can be inspected with the \fBERR\fR family of functions, such as +\&\fBERR_print_errors\fR\|(3) and \fBERR_peek_last_error_all\fR\|(3). .SH EXAMPLES .IX Header "EXAMPLES" Allocate and encode the DER encoding of an X509 structure: 
@@ -748,6 +755,9 @@ Any function which encodes a structure (\fBi2d_\fR\f(BITYPE\fR(), structure has been modified after deserialization or previous serialization. This is because some objects cache the encoding for efficiency reasons. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fBERR_print_errors\fR\|(3), \fBERR_peek_last_error_all\fR\|(3) .SH HISTORY .IX Header "HISTORY" \&\fBd2i_OSSL_ATTRIBUTES_SYNTAX()\fR, \fBd2i_OSSL_BASIC_ATTR_CONSTRAINTS()\fR, diff --git a/secure/lib/libcrypto/man/man3/i2d_CMS_bio_stream.3 b/secure/lib/libcrypto/man/man3/i2d_CMS_bio_stream.3 index d4d214ccfecb..98bae0bc622d 100644 --- a/secure/lib/libcrypto/man/man3/i2d_CMS_bio_stream.3 +++ b/secure/lib/libcrypto/man/man3/i2d_CMS_bio_stream.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "I2D_CMS_BIO_STREAM 3ossl" -.TH I2D_CMS_BIO_STREAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH I2D_CMS_BIO_STREAM 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/i2d_PKCS7_bio_stream.3 b/secure/lib/libcrypto/man/man3/i2d_PKCS7_bio_stream.3 index fe09c04fa3b5..28a0bdb38259 100644 --- a/secure/lib/libcrypto/man/man3/i2d_PKCS7_bio_stream.3 +++ b/secure/lib/libcrypto/man/man3/i2d_PKCS7_bio_stream.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "I2D_PKCS7_BIO_STREAM 3ossl" -.TH I2D_PKCS7_BIO_STREAM 3ossl 2025-09-30 3.5.4 OpenSSL +.TH I2D_PKCS7_BIO_STREAM 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/i2d_re_X509_tbs.3 b/secure/lib/libcrypto/man/man3/i2d_re_X509_tbs.3 index 2916ffd818f1..69fb66ed2d24 100644 --- a/secure/lib/libcrypto/man/man3/i2d_re_X509_tbs.3 +++ b/secure/lib/libcrypto/man/man3/i2d_re_X509_tbs.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "I2D_RE_X509_TBS 3ossl" -.TH I2D_RE_X509_TBS 3ossl 2025-09-30 3.5.4 OpenSSL +.TH I2D_RE_X509_TBS 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -88,21 +91,21 @@ This function should not be called on untrusted input. \&\fBi2d_X509_AUX()\fR is similar to \fBi2d_X509\fR\|(3), but the encoded output contains both the certificate and any auxiliary trust information. This is used by the PEM routines to write "TRUSTED CERTIFICATE" objects. -Note that this is a non-standard OpenSSL-specific data format. +Note that this is a non\-standard OpenSSL\-specific data format. .PP \&\fBi2d_re_X509_tbs()\fR is similar to \fBi2d_X509\fR\|(3) except it encodes only the TBSCertificate portion of the certificate. \fBi2d_re_X509_CRL_tbs()\fR and \fBi2d_re_X509_REQ_tbs()\fR are analogous for CRL and certificate request, -respectively. The "re" in \fBi2d_re_X509_tbs\fR stands for "re-encode", +respectively. The "re" in \fBi2d_re_X509_tbs\fR stands for "re\-encode", and ensures that a fresh encoding is generated in case the object has been modified after creation (see the BUGS section). .PP The encoding of the TBSCertificate portion of a certificate is cached in the \fBX509\fR structure internally to improve encoding performance and to ensure certificate signatures are verified correctly in some -certificates with broken (non-DER) encodings. +certificates with broken (non\-DER) encodings. .PP -If, after modification, the \fBX509\fR object is re-signed with \fBX509_sign()\fR, +If, after modification, the \fBX509\fR object is re\-signed with \fBX509_sign()\fR, the encoding is automatically renewed. Otherwise, the encoding of the TBSCertificate portion of the \fBX509\fR can be manually renewed by calling \&\fBi2d_re_X509_tbs()\fR. diff --git a/secure/lib/libcrypto/man/man3/o2i_SCT_LIST.3 b/secure/lib/libcrypto/man/man3/o2i_SCT_LIST.3 index b45deee66b1b..fe477830baaa 100644 --- a/secure/lib/libcrypto/man/man3/o2i_SCT_LIST.3 +++ b/secure/lib/libcrypto/man/man3/o2i_SCT_LIST.3 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "O2I_SCT_LIST 3ossl" -.TH O2I_SCT_LIST 3ossl 2025-09-30 3.5.4 OpenSSL +.TH O2I_SCT_LIST 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man3/s2i_ASN1_IA5STRING.3 b/secure/lib/libcrypto/man/man3/s2i_ASN1_IA5STRING.3 index 3d41751532a6..c937ea0fe37c 100644 --- a/secure/lib/libcrypto/man/man3/s2i_ASN1_IA5STRING.3 +++ b/secure/lib/libcrypto/man/man3/s2i_ASN1_IA5STRING.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "S2I_ASN1_IA5STRING 3ossl" -.TH S2I_ASN1_IA5STRING 3ossl 2025-09-30 3.5.4 OpenSSL +.TH S2I_ASN1_IA5STRING 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -105,7 +108,7 @@ The letters \fBi\fR and \fBs\fR in \fBi2s\fR and \fBs2i\fR stand for "internal" (that is, an internal C structure) and string respectively. So \fBi2s_ASN1_IA5STRING\fR() converts from internal to string. .PP -It is the caller's responsibility to free the returned string. +It is the caller\*(Aqs responsibility to free the returned string. In the \fBi2s_ASN1_IA5STRING\fR() function the string is copied and the ownership of the original string remains with the caller. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man5/config.5 b/secure/lib/libcrypto/man/man5/config.5 index 9815f4de5393..67c96360cc97 100644 --- a/secure/lib/libcrypto/man/man5/config.5 +++ b/secure/lib/libcrypto/man/man5/config.5 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CONFIG 5ossl" -.TH CONFIG 5ossl 2025-09-30 3.5.4 OpenSSL +.TH CONFIG 5ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -80,7 +83,7 @@ The syntax for defining ASN.1 values is described in A configuration file is a series of lines. Blank lines, and whitespace between the elements of a line, have no significance. A comment starts with a \fB#\fR character; the rest of the line is ignored. If the \fB#\fR -is the first non-space character in a line, the entire line is ignored. +is the first non\-space character in a line, the entire line is ignored. .SS Directives .IX Subsection "Directives" Two directives can be used to control the parsing of configuration files: @@ -100,7 +103,7 @@ If \fBpathname\fR is a simple filename, that file is included directly at that point. Included files can have \fB.include\fR statements that specify other files. If \fBpathname\fR is a directory, all files within that directory that have a \f(CW\*(C`.cnf\*(C'\fR or \f(CW\*(C`.conf\*(C'\fR extension will be included. (This is only -available on systems with POSIX IO support.) Any sub-directories found +available on systems with POSIX IO support.) Any sub\-directories found inside the \fBpathname\fR are \fBignored\fR. Similarly, if a file is opened while scanning a directory, and that file has an \fB.include\fR directive that specifies a directory, that is also ignored. @@ -135,7 +138,7 @@ done with the following directive: The default behavior, where the \fBvalue\fR is \fBfalse\fR or \fBoff\fR, is to treat the dollarsign as indicating a variable name; \f(CW\*(C`foo$bar\*(C'\fR is interpreted as \&\f(CW\*(C`foo\*(C'\fR followed by the expansion of the variable \f(CW\*(C`bar\*(C'\fR. If \fBvalue\fR is -\&\fBtrue\fR or \fBon\fR, then \f(CW\*(C`foo$bar\*(C'\fR is a single seven-character name and +\&\fBtrue\fR or \fBon\fR, then \f(CW\*(C`foo$bar\*(C'\fR is a single seven\-character name and variable expansions must be specified using braces or parentheses. .PP .Vb 1 
@@ -143,7 +146,7 @@ variable expansions must be specified using braces or parentheses. .Ve .PP If a relative pathname is specified in the \fB.include\fR directive, and -the \fBOPENSSL_CONF_INCLUDE\fR environment variable doesn't exist, then +the \fBOPENSSL_CONF_INCLUDE\fR environment variable doesn\*(Aqt exist, then the value of the \fBincludedir\fR pragma, if it exists, is prepended to the pathname. .SS Settings @@ -211,7 +214,7 @@ to the configuration file, but are not propagated to the environment. .PP It is an error if the value ends up longer than 64k. .PP -It is possible to escape certain characters by using a single \fB'\fR or +It is possible to escape certain characters by using a single \fB\*(Aq\fR or double \fB"\fR quote around the value, or using a backslash \fB\e\fR before the character, By making the last character of a line a \fB\e\fR @@ -281,10 +284,10 @@ is used to specify the individual sections. .SS "ASN.1 Object Identifier Configuration" .IX Subsection "ASN.1 Object Identifier Configuration" The name \fBoid_section\fR in the initialization section names the section -containing name/value pairs of OID's. +containing name/value pairs of OID\*(Aqs. The name is the short name; the value is an optional long name followed by a comma, and the numeric value. -While some OpenSSL commands have their own section for specifying OID's, +While some OpenSSL commands have their own section for specifying OID\*(Aqs, this section makes them available to all commands and applications. .PP .Vb 4 
@@ -313,7 +316,7 @@ showing that the OID "newoid1" has been added as "1.2.3.4.1". The name \fBproviders\fR in the initialization section names the section containing cryptographic provider configuration. The name/value assignments in this section each name a provider, and point to the configuration section -for that provider. The provider-specific section is used to specify how +for that provider. The provider\-specific section is used to specify how to load the module, activate it, and set other parameters. .PP Within a provider section, the following names have meaning: @@ -348,7 +351,7 @@ activate this setting, while a value of 0, no, false, or off (again in lower or uppercase) will disable this setting. Any other value will produce an error. Note this setting defaults to off if not provided .PP -All parameters in the section as well as sub-sections are made +All parameters in the section as well as sub\-sections are made available to the provider. .PP \fIDefault provider and its activation\fR @@ -403,7 +406,7 @@ section with the configuration for that name. For example: .PP The configuration name \fBsystem_default\fR has a special meaning. If it exists, it is applied whenever an \fBSSL_CTX\fR object is created. For example, -to impose system-wide minimum TLS and DTLS protocol versions: +to impose system\-wide minimum TLS and DTLS protocol versions: .PP .Vb 3 \& [tls_system_default] @@ -411,8 +414,8 @@ to impose system-wide minimum TLS and DTLS protocol versions: \& MinProtocol = DTLSv1.2 .Ve .PP -The minimum TLS protocol is applied to \fBSSL_CTX\fR objects that are TLS-based, -and the minimum DTLS protocol to those are DTLS-based. +The minimum TLS protocol is applied to \fBSSL_CTX\fR objects that are TLS\-based, +and the minimum DTLS protocol to those are DTLS\-based. The same applies also to maximum versions set with \fBMaxProtocol\fR. .PP Each configuration section consists of name/value pairs that are parsed 
@@ -433,7 +436,7 @@ The name \fBengines\fR in the initialization section names the section containing the list of ENGINE configurations. As with the providers, each name in this section identifies an engine with the configuration for that engine. -The engine-specific section is used to specify how to load the engine, +The engine\-specific section is used to specify how to load the engine, activate it, and set other parameters. .PP Within an engine section, the following names have meaning: @@ -503,25 +506,25 @@ For example: .Sp The available random bit generators are: .RS 4 -.IP \fBCTR-DRBG\fR 4 +.IP \fBCTR\-DRBG\fR 4 .IX Item "CTR-DRBG" .PD 0 -.IP \fBHASH-DRBG\fR 4 +.IP \fBHASH\-DRBG\fR 4 .IX Item "HASH-DRBG" -.IP \fBHMAC-DRBG\fR 4 +.IP \fBHMAC\-DRBG\fR 4 .IX Item "HMAC-DRBG" +.PD .RE .RS 4 .RE .IP \fBcipher\fR 4 .IX Item "cipher" -.PD -This specifies what cipher a \fBCTR-DRBG\fR random bit generator will use. +This specifies what cipher a \fBCTR\-DRBG\fR random bit generator will use. Other random bit generators ignore this name. The default value is \fBAES\-256\-CTR\fR. .IP \fBdigest\fR 4 .IX Item "digest" -This specifies what digest the \fBHASH-DRBG\fR or \fBHMAC-DRBG\fR random bit +This specifies what digest the \fBHASH\-DRBG\fR or \fBHMAC\-DRBG\fR random bit generators will use. Other random bit generators ignore this name. .IP \fBproperties\fR 4 .IX Item "properties" @@ -529,7 +532,7 @@ This sets the property query used when fetching the random bit generator and any underlying algorithms. .IP \fBseed\fR 4 .IX Item "seed" -This sets the randomness source that should be used. By default \fBSEED-SRC\fR +This sets the randomness source that should be used. By default \fBSEED\-SRC\fR will be used outside of the FIPS provider. The FIPS provider uses call backs to access the same randomness sources from outside the validated boundary. .IP \fBseed_properties\fR 4 
@@ -537,9 +540,9 @@ to access the same randomness sources from outside the validated boundary. This sets the property query used when fetching the randomness source. .IP \fBrandom_provider\fR 4 .IX Item "random_provider" -This sets the provider to use for the \fBRAND_bytes\fR\|(3) calls instead of the built-in +This sets the provider to use for the \fBRAND_bytes\fR\|(3) calls instead of the built\-in entropy sources. It defaults to "fips". If the named provider is not loaded, the -built-in entropy sources will be used. +built\-in entropy sources will be used. .SH EXAMPLES .IX Header "EXAMPLES" This example shows how to use quoting and escaping. @@ -596,15 +599,15 @@ This example shows how to enforce FIPS mode for the application .IP \fBOPENSSL_CONF\fR 4 .IX Item "OPENSSL_CONF" The path to the config file, or the empty string for none. -Ignored in set-user-ID and set-group-ID programs. +Ignored in set\-user\-ID and set\-group\-ID programs. .IP \fBOPENSSL_ENGINES\fR 4 .IX Item "OPENSSL_ENGINES" The path to the engines directory. -Ignored in set-user-ID and set-group-ID programs. +Ignored in set\-user\-ID and set\-group\-ID programs. .IP \fBOPENSSL_MODULES\fR 4 .IX Item "OPENSSL_MODULES" The path to the directory with OpenSSL modules, such as providers. -Ignored in set-user-ID and set-group-ID programs. +Ignored in set\-user\-ID and set\-group\-ID programs. .IP \fBOPENSSL_CONF_INCLUDE\fR 4 .IX Item "OPENSSL_CONF_INCLUDE" The optional path to prepend to all \fB.include\fR paths. 
@@ -613,8 +616,8 @@ The optional path to prepend to all \fB.include\fR paths. There is no way to include characters using the octal \fB\ennn\fR form. Strings are all null terminated so nulls cannot form part of the value. .PP -The escaping isn't quite right: if you want to use sequences like \fB\en\fR -you can't use any quote escaping on the same line. +The escaping isn\*(Aqt quite right: if you want to use sequences like \fB\en\fR +you can\*(Aqt use any quote escaping on the same line. .PP The limit that only one directory can be opened and read at a time can be considered a bug and should be fixed. @@ -624,8 +627,8 @@ An undocumented API, \fBNCONF_WIN32()\fR, used a slightly different set of parsing rules there were intended to be tailored to the Microsoft Windows platform. Specifically, the backslash character was not an escape character and -could be used in pathnames, only the double-quote character was recognized, -and comments began with a semi-colon. +could be used in pathnames, only the double\-quote character was recognized, +and comments began with a semi\-colon. This function was deprecated in OpenSSL 3.0; applications with configuration files using that syntax will have to be modified. .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man5/fips_config.5 b/secure/lib/libcrypto/man/man5/fips_config.5 index 7c05da10f535..dbedf8488306 100644 --- a/secure/lib/libcrypto/man/man5/fips_config.5 +++ b/secure/lib/libcrypto/man/man5/fips_config.5 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "FIPS_CONFIG 5ossl" -.TH FIPS_CONFIG 5ossl 2025-09-30 3.5.4 OpenSSL +.TH FIPS_CONFIG 5ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -66,14 +69,14 @@ fips_config \- OpenSSL FIPS configuration .IX Header "DESCRIPTION" A separate configuration file, using the OpenSSL \fBconfig\fR\|(5) syntax, is used to hold information about the FIPS module. This includes a digest -of the shared library file, and status about the self-testing. +of the shared library file, and status about the self\-testing. This data is used automatically by the module itself for two purposes: -.IP "\- Run the startup FIPS self-test known answer tests (KATS)." 4 +.IP "\- Run the startup FIPS self\-test known answer tests (KATS)." 4 .IX Item "- Run the startup FIPS self-test known answer tests (KATS)." This is normally done once, at installation time, but may also be set up to run each time the module is used. -.IP "\- Verify the module's checksum." 4 +.IP "\- Verify the module\*(Aqs checksum." 4 .IX Item "- Verify the module's checksum." This is done each time the module is used. .PP @@ -87,7 +90,7 @@ section, as described in "Provider Configuration Module" in \fBconfig\fR\|(5). .IX Item "activate" If present, the module is activated. The value assigned to this name is not significant. -.IP \fBconditional-errors\fR 4 +.IP \fBconditional\-errors\fR 4 .IX Item "conditional-errors" The FIPS module normally enters an internal error mode if any self test fails. Once this error mode is active, no services or cryptographic algorithms are 
@@ -99,45 +102,45 @@ continuous test fails. The default value of \f(CW1\fR will trigger the error mod Regardless of the value, the operation (e.g., key generation) that called the continuous test will return an error code if its continuous test fails. The operation may then be retried if the error mode has not been triggered. -.IP \fBmodule-mac\fR 4 +.IP \fBmodule\-mac\fR 4 .IX Item "module-mac" The calculated MAC of the FIPS provider file. -.IP \fBinstall-version\fR 4 +.IP \fBinstall\-version\fR 4 .IX Item "install-version" A version number for the fips install process. Should be 1. -.IP \fBinstall-status\fR 4 +.IP \fBinstall\-status\fR 4 .IX Item "install-status" This field is deprecated and is no longer used. -.IP \fBinstall-mac\fR 4 +.IP \fBinstall\-mac\fR 4 .IX Item "install-mac" This field is deprecated and is no longer used. .SS "FIPS indicator options" .IX Subsection "FIPS indicator options" -The following FIPS configuration options indicate if run-time checks related to +The following FIPS configuration options indicate if run\-time checks related to enforcement of FIPS security parameters such as minimum security strength of keys and approved curve names are used. -A value of '1' will perform the checks, otherwise if the value is '0' the checks +A value of \*(Aq1\*(Aq will perform the checks, otherwise if the value is \*(Aq0\*(Aq the checks are not performed and FIPS compliance must be done by procedures documented in the relevant Security Policy. .PP See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) for further information related to these options. 
-.IP \fBsecurity-checks\fR 4 +.IP \fBsecurity\-checks\fR 4 .IX Item "security-checks" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-no_security_checks\fR .IP \fBtls1\-prf\-ems\-check\fR 4 .IX Item "tls1-prf-ems-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-ems_check\fR -.IP \fBno-short-mac\fR 4 +.IP \fBno\-short\-mac\fR 4 .IX Item "no-short-mac" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-no_short_mac\fR -.IP \fBdrbg-no-trunc-md\fR 4 +.IP \fBdrbg\-no\-trunc\-md\fR 4 .IX Item "drbg-no-trunc-md" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-no_drbg_truncated_digests\fR -.IP \fBsignature-digest-check\fR 4 +.IP \fBsignature\-digest\-check\fR 4 .IX Item "signature-digest-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-signature_digest_check\fR -.IP \fBhkdf-digest-check\fR 4 +.IP \fBhkdf\-digest\-check\fR 4 .IX Item "hkdf-digest-check" This option is deprecated. .IP \fBtls13\-kdf\-digest\-check\fR 4 
@@ -146,34 +149,34 @@ See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-tls13_kdf_digest_check\fR .IP \fBtls1\-prf\-digest\-check\fR 4 .IX Item "tls1-prf-digest-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-tls1_prf_digest_check\fR -.IP \fBsshkdf-digest-check\fR 4 +.IP \fBsshkdf\-digest\-check\fR 4 .IX Item "sshkdf-digest-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-sshkdf_digest_check\fR -.IP \fBsskdf-digest-check\fR 4 +.IP \fBsskdf\-digest\-check\fR 4 .IX Item "sskdf-digest-check" This option is deprecated. .IP \fBx963kdf\-digest\-check\fR 4 .IX Item "x963kdf-digest-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-x963kdf_digest_check\fR -.IP \fBdsa-sign-disabled\fR 4 +.IP \fBdsa\-sign\-disabled\fR 4 .IX Item "dsa-sign-disabled" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-dsa_sign_disabled\fR -.IP \fBtdes-encrypt-disabled\fR 4 +.IP \fBtdes\-encrypt\-disabled\fR 4 .IX Item "tdes-encrypt-disabled" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-tdes_encrypt_disabled\fR .IP \fBrsa\-pkcs15\-pad\-disabled\fR 4 .IX Item "rsa-pkcs15-pad-disabled" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-rsa_pkcs15_pad_disabled\fR -.IP \fBrsa-pss-saltlen-check\fR 4 +.IP \fBrsa\-pss\-saltlen\-check\fR 4 .IX Item "rsa-pss-saltlen-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-rsa_pss_saltlen_check\fR .IP \fBrsa\-sign\-x931\-pad\-disabled\fR 4 .IX Item "rsa-sign-x931-pad-disabled" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-rsa_sign_x931_disabled\fR -.IP \fBhkdf-key-check\fR 4 +.IP \fBhkdf\-key\-check\fR 4 .IX Item "hkdf-key-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-hkdf_key_check\fR -.IP \fBkbkdf-key-check\fR 4 +.IP \fBkbkdf\-key\-check\fR 4 .IX Item "kbkdf-key-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-kbkdf_key_check\fR .IP \fBtls13\-kdf\-key\-check\fR 4 
@@ -182,10 +185,10 @@ See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-tls13_kdf_key_check\fR .IP \fBtls1\-prf\-key\-check\fR 4 .IX Item "tls1-prf-key-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-tls1_prf_key_check\fR -.IP \fBsshkdf-key-check\fR 4 +.IP \fBsshkdf\-key\-check\fR 4 .IX Item "sshkdf-key-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-sshkdf_key_check\fR -.IP \fBsskdf-key-check\fR 4 +.IP \fBsskdf\-key\-check\fR 4 .IX Item "sskdf-key-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-sskdf_key_check\fR .IP \fBx963kdf\-key\-check\fR 4 @@ -197,13 +200,13 @@ See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-x942kdf_key_check\fR .IP \fBpbkdf2\-lower\-bound\-check\fR 4 .IX Item "pbkdf2-lower-bound-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-no_pbkdf2_lower_bound_check\fR -.IP \fBecdh-cofactor-check\fR 4 +.IP \fBecdh\-cofactor\-check\fR 4 .IX Item "ecdh-cofactor-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-ecdh_cofactor_check\fR -.IP \fBhmac-key-check\fR 4 +.IP \fBhmac\-key\-check\fR 4 .IX Item "hmac-key-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-hmac_key_check\fR -.IP \fBkmac-key-check\fR 4 +.IP \fBkmac\-key\-check\fR 4 .IX Item "kmac-key-check" See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-kmac_key_check\fR .PP @@ -223,7 +226,7 @@ For example: .IX Header "NOTES" When using the FIPS provider, it is recommended that the \&\fBconfig_diagnostics\fR option is enabled to prevent accidental use of -non-FIPS validated algorithms via broken or mistaken configuration. +non\-FIPS validated algorithms via broken or mistaken configuration. See \fBconfig\fR\|(5). .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man5/x509v3_config.5 b/secure/lib/libcrypto/man/man5/x509v3_config.5 index afb14b4c5186..d33902feb602 100644 --- a/secure/lib/libcrypto/man/man5/x509v3_config.5 +++ b/secure/lib/libcrypto/man/man5/x509v3_config.5 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509V3_CONFIG 5ossl" -.TH X509V3_CONFIG 5ossl 2025-09-30 3.5.4 OpenSSL +.TH X509V3_CONFIG 5ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -87,7 +90,7 @@ If multiple entries are processed for the same extension name, later entries override earlier ones with the same name. .PP The format of \fBvalues\fR depends on the value of \fBname\fR, many have a -type-value pairing where the type and value are separated by a colon. +type\-value pairing where the type and value are separated by a colon. There are four main types of extension: .PP .Vb 4 @@ -102,8 +105,8 @@ Each is described in the following paragraphs. String extensions simply have a string which contains either the value itself or how it is obtained. .PP -Multi-valued extensions have a short form and a long form. The short form -is a comma-separated list of names and values: +Multi\-valued extensions have a short form and a long form. The short form +is a comma\-separated list of names and values: .PP .Vb 1 \& basicConstraints = critical, CA:true, pathlen:1 
@@ -122,7 +125,7 @@ The long form allows the values to be placed in a separate section: .PP Both forms are equivalent. .PP -If an extension is multi-value and a field value must contain a comma the long +If an extension is multi\-value and a field value must contain a comma the long form must be used otherwise the comma would be misinterpreted as a field separator. For example: .PP @@ -178,7 +181,7 @@ The following sections describe the syntax of each supported extension. They do not define the semantics of the extension. .SS "Basic Constraints" .IX Subsection "Basic Constraints" -This is a multi-valued extension which indicates whether a certificate is +This is a multi\-valued extension which indicates whether a certificate is a CA certificate. The first value is \fBCA\fR followed by \fBTRUE\fR or \&\fBFALSE\fR. If \fBCA\fR is \fBTRUE\fR then an optional \fBpathlen\fR name followed by a nonnegative value can be included. 
@@ -194,14 +197,14 @@ For example: .Ve .PP A CA certificate \fImust\fR include the \fBbasicConstraints\fR name with the \fBCA\fR -parameter set to \fBTRUE\fR. An end-user certificate must either have \fBCA:FALSE\fR +parameter set to \fBTRUE\fR. An end\-user certificate must either have \fBCA:FALSE\fR or omit the extension entirely. The \fBpathlen\fR parameter specifies the maximum number of CAs that can appear below this one in a chain. A \fBpathlen\fR of zero means the CA cannot sign -any sub-CA's, and can only sign end-entity certificates. +any sub\-CA\*(Aqs, and can only sign end\-entity certificates. .SS "Key Usage" .IX Subsection "Key Usage" -Key usage is a multi-valued extension consisting of a list of names of +Key usage is a multi\-valued extension consisting of a list of names of the permitted key usages. The defined values are: \f(CW\*(C`digitalSignature\*(C'\fR, \&\f(CW\*(C`nonRepudiation\*(C'\fR, \f(CW\*(C`keyEncipherment\*(C'\fR, \f(CW\*(C`dataEncipherment\*(C'\fR, \f(CW\*(C`keyAgreement\*(C'\fR, \&\f(CW\*(C`keyCertSign\*(C'\fR, \f(CW\*(C`cRLSign\*(C'\fR, \f(CW\*(C`encipherOnly\*(C'\fR, and \f(CW\*(C`decipherOnly\*(C'\fR. @@ -236,7 +239,7 @@ The following text names, and their intended meaning, are known: \& msEFS Microsoft Encrypted File System .Ve .PP -While IETF RFC 5280 says that \fBid-kp-serverAuth\fR and \fBid-kp-clientAuth\fR +While IETF RFC 5280 says that \fBid\-kp\-serverAuth\fR and \fBid\-kp\-clientAuth\fR are only for WWW use, in practice they are used for all kinds of TLS clients and servers, and this is what OpenSSL assumes as well. .PP 
@@ -279,14 +282,14 @@ Otherwise it may have the value \fBkeyid\fR or \fBissuer\fR or both of them, separated by \f(CW\*(C`,\*(C'\fR. Either or both can have the option \fBalways\fR, indicated by putting a colon \f(CW\*(C`:\*(C'\fR between the value and this option. -For self-signed certificates the AKID is suppressed unless \fBalways\fR is present. +For self\-signed certificates the AKID is suppressed unless \fBalways\fR is present. .PP By default the \fBx509\fR, \fBreq\fR, and \fBca\fR apps behave as if \fBnone\fR was given -for self-signed certificates and \fBkeyid\fR\f(CW\*(C`,\*(C'\fR \fBissuer\fR otherwise. +for self\-signed certificates and \fBkeyid\fR\f(CW\*(C`,\*(C'\fR \fBissuer\fR otherwise. .PP If \fBkeyid\fR is present, an attempt is made to copy the subject key identifier (SKID) from the issuer certificate except if -the issuer certificate is the same as the current one and it is not self-signed. +the issuer certificate is the same as the current one and it is not self\-signed. The hash of the public key related to the signing key is taken as fallback if the issuer certificate is the same as the current certificate. If \fBalways\fR is present but no value can be obtained, an error is returned. @@ -305,7 +308,7 @@ Examples: .Ve .SS "Subject Alternative Name" .IX Subsection "Subject Alternative Name" -This is a multi-valued extension that supports several types of name +This is a multi\-valued extension that supports several types of name identifier, including \&\fBemail\fR (an email address), \&\fBURI\fR (a uniform resource indicator), 
@@ -325,8 +328,8 @@ from the certificate subject name to the extension. The IP address used in the \fBIP\fR option can be in either IPv4 or IPv6 format. .PP The value of \fBdirName\fR is specifies the configuration section containing -the distinguished name to use, as a set of name-value pairs. -Multi-valued AVAs can be formed by prefacing the name with a \fB+\fR character. +the distinguished name to use, as a set of name\-value pairs. +Multi\-valued AVAs can be formed by prefacing the name with a \fB+\fR character. .PP The value of \fBotherName\fR can include arbitrary data associated with an OID; the value should be the OID followed by a semicolon and the content in specified @@ -355,7 +358,7 @@ Examples: \& CN = My Name .Ve .PP -Non-ASCII Email Address conforming the syntax defined in Section 3.3 of RFC 6531 +Non\-ASCII Email Address conforming the syntax defined in Section 3.3 of RFC 6531 are provided as otherName.SmtpUTF8Mailbox. According to RFC 8398, the email address should be provided as UTF8String. To enforce the valid representation in the certificate, the SmtpUTF8Mailbox should be provided as follows @@ -382,7 +385,7 @@ Example: This extension gives details about how to retrieve information that related to the certificate that the CA makes available. The syntax is \&\fBaccess_id;location\fR, where \fBaccess_id\fR is an object identifier -(although only a few values are well-known) and \fBlocation\fR has the same +(although only a few values are well\-known) and \fBlocation\fR has the same syntax as subject alternative name (except that \fBemail:copy\fR is not supported). .PP Possible values for access_id include \fBOCSP\fR (OCSP responder), 
@@ -400,11 +403,11 @@ Examples: .Ve .SS "CRL distribution points" .IX Subsection "CRL distribution points" -This is a multi-valued extension whose values can be either a name-value +This is a multi\-valued extension whose values can be either a name\-value pair using the same form as subject alternative name or a single value specifying the section name containing all the distribution point values. .PP -When a name-value pair is used, a DistributionPoint extension will +When a name\-value pair is used, a DistributionPoint extension will be set with the given value as the fullName field as the distributionPoint value, and the reasons and cRLIssuer fields will be omitted. .PP @@ -423,7 +426,7 @@ value of the nameRelativeToCRLIssuer field. The value must in the same format as the subject alternative name. .IP reasons 4 .IX Item "reasons" -A multi-value field that contains the reasons for revocation. The recognized +A multi\-value field that contains the reasons for revocation. The recognized values are: \f(CW\*(C`keyCompromise\*(C'\fR, \f(CW\*(C`CACompromise\*(C'\fR, \f(CW\*(C`affiliationChanged\*(C'\fR, \&\f(CW\*(C`superseded\*(C'\fR, \f(CW\*(C`cessationOfOperation\*(C'\fR, \f(CW\*(C`certificateHold\*(C'\fR, \&\f(CW\*(C`privilegeWithdrawn\*(C'\fR, and \f(CW\*(C`AACompromise\*(C'\fR. @@ -456,7 +459,7 @@ Full distribution point example: .Ve .SS "Issuing Distribution Point" .IX Subsection "Issuing Distribution Point" -This extension should only appear in CRLs. It is a multi-valued extension +This extension should only appear in CRLs. It is a multi\-valued extension whose syntax is similar to the "section" pointed to by the CRL distribution points extension. The following names have meaning: .IP fullname 4 
@@ -469,7 +472,7 @@ The value is taken as a distinguished name fragment that is set as the value of the nameRelativeToCRLIssuer field. .IP onlysomereasons 4 .IX Item "onlysomereasons" -A multi-value field that contains the reasons for revocation. The recognized +A multi\-value field that contains the reasons for revocation. The recognized values are: \f(CW\*(C`keyCompromise\*(C'\fR, \f(CW\*(C`CACompromise\*(C'\fR, \f(CW\*(C`affiliationChanged\*(C'\fR, \&\f(CW\*(C`superseded\*(C'\fR, \f(CW\*(C`cessationOfOperation\*(C'\fR, \f(CW\*(C`certificateHold\*(C'\fR, \&\f(CW\*(C`privilegeWithdrawn\*(C'\fR, and \f(CW\*(C`AACompromise\*(C'\fR. @@ -494,7 +497,7 @@ This is a \fIraw\fR extension that supports all of the defined fields of the certificate extension. .PP Policies without qualifiers are specified by giving the OID. -Multiple policies are comma-separated. For example: +Multiple policies are comma\-separated. For example: .PP .Vb 1 \& certificatePolicies = 1.2.4.5, 1.1.3.4 @@ -553,7 +556,7 @@ value with \fBUTF8\fR, \fBBMP\fR, or \fBVISIBLE\fR followed by colon. For exampl .Ve .SS "Policy Constraints" .IX Subsection "Policy Constraints" -This is a multi-valued extension which consisting of the names +This is a multi\-valued extension which consisting of the names \&\fBrequireExplicitPolicy\fR or \fBinhibitPolicyMapping\fR and a non negative integer value. At least one component must be present. .PP @@ -573,7 +576,7 @@ Example: .Ve .SS "Name Constraints" .IX Subsection "Name Constraints" -This is a multi-valued extension. The name should +This is a multi\-valued extension. The name should begin with the word \fBpermitted\fR or \fBexcluded\fR followed by a \fB;\fR. The rest of the name and the value follows the syntax of subjectAltName except \&\fBemail:copy\fR 
@@ -600,7 +603,7 @@ Example: .Ve .SS "TLS Feature (aka Must Staple)" .IX Subsection "TLS Feature (aka Must Staple)" -This is a multi-valued extension consisting of a list of TLS extension +This is a multi\-valued extension consisting of a list of TLS extension identifiers. Each identifier may be a number (0..65535) or a supported name. When a TLS client sends a listed extension, the TLS server is expected to include that extension in its reply. @@ -625,7 +628,7 @@ Other extensions of this type are: \fBnsBaseUrl\fR, and \fBnsSslServerName\fR. .SS "Netscape Certificate Type" .IX Subsection "Netscape Certificate Type" -This is a multi-valued extensions which consists of a list of flags to be +This is a multi\-valued extensions which consists of a list of flags to be included. It was used to indicate the purposes for which a certificate could be used. The basicConstraints, keyUsage and extended key usage extensions are now used instead. diff --git a/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-RSA.7 b/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-RSA.7 index 585c80700a75..36e5e2f8e2e9 100644 --- a/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-RSA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-RSA.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_ASYM_CIPHER-RSA 7ossl" -.TH EVP_ASYM_CIPHER-RSA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_ASYM_CIPHER-RSA 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -68,7 +71,7 @@ EVP_ASYM_CIPHER\-RSA Asymmetric Cipher support for the \fBRSA\fR key type. .SS "RSA Asymmetric Cipher parameters" .IX Subsection "RSA Asymmetric Cipher parameters" -.IP """pad-mode"" (\fBOSSL_ASYM_CIPHER_PARAM_PAD_MODE\fR) <UTF8 string>" 4 +.IP """pad\-mode"" (\fBOSSL_ASYM_CIPHER_PARAM_PAD_MODE\fR) <UTF8 string>" 4 .IX Item """pad-mode"" (OSSL_ASYM_CIPHER_PARAM_PAD_MODE) <UTF8 string>" The default provider understands these RSA padding modes in string form: .RS 4 @@ -89,10 +92,8 @@ See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-rsa_pkcs15_pad_disabled\fR .RE .RS 4 .RE -.PD 0 -.IP """pad-mode"" (\fBOSSL_ASYM_CIPHER_PARAM_PAD_MODE\fR) <integer>" 4 +.IP """pad\-mode"" (\fBOSSL_ASYM_CIPHER_PARAM_PAD_MODE\fR) <integer>" 4 .IX Item """pad-mode"" (OSSL_ASYM_CIPHER_PARAM_PAD_MODE) <integer>" -.PD The default provider understands these RSA padding modes in integer form: .RS 4 .IP "1 (\fBRSA_PKCS1_PADDING\fR)" 4 
@@ -107,38 +108,38 @@ agreement and key transport. .IX Item "4 (RSA_PKCS1_OAEP_PADDING)" .IP "5 (\fBRSA_X931_PADDING\fR)" 4 .IX Item "5 (RSA_X931_PADDING)" +.PD .RE .RS 4 -.PD .Sp See \fBEVP_PKEY_CTX_set_rsa_padding\fR\|(3) for further details. .RE .IP """digest"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST\fR) <UTF8 string>" 4 .IX Item """digest"" (OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST) <UTF8 string>" .PD 0 -.IP """digest-props"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS\fR) <UTF8 string>" 4 +.IP """digest\-props"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS\fR) <UTF8 string>" 4 .IX Item """digest-props"" (OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS) <UTF8 string>" .IP """mgf1\-digest"" (\fBOSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST\fR) <UTF8 string>" 4 .IX Item """mgf1-digest"" (OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST) <UTF8 string>" .IP """mgf1\-digest\-props"" (\fBOSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS\fR) <UTF8 string>" 4 .IX Item """mgf1-digest-props"" (OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS) <UTF8 string>" -.IP """oaep-label"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_LABEL\fR) <octet string>" 4 +.IP """oaep\-label"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_LABEL\fR) <octet string>" 4 .IX Item """oaep-label"" (OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL) <octet string>" -.IP """tls-client-version"" (\fBOSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\fR) <unsigned integer>" 4 +.IP """tls\-client\-version"" (\fBOSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\fR) <unsigned integer>" 4 .IX Item """tls-client-version"" (OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION) <unsigned integer>" .PD See \fBRSA_PKCS1_WITH_TLS_PADDING\fR on the page \fBEVP_PKEY_CTX_set_rsa_padding\fR\|(3). 
-.IP """tls-negotiated-version"" (\fBOSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\fR) <unsigned integer>" 4 +.IP """tls\-negotiated\-version"" (\fBOSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\fR) <unsigned integer>" 4 .IX Item """tls-negotiated-version"" (OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION) <unsigned integer>" See \fBRSA_PKCS1_WITH_TLS_PADDING\fR on the page \fBEVP_PKEY_CTX_set_rsa_padding\fR\|(3). .Sp See "Asymmetric Cipher Parameters" in \fBprovider\-asym_cipher\fR\|(7) for more information. .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR) <integer>" .PD 0 -.IP """key-check"" (\fBOSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK) <integer>" .PD See "Asymmetric Cipher Parameters" in \fBprovider\-asym_cipher\fR\|(7) for more information. @@ -147,8 +148,8 @@ See "Asymmetric Cipher Parameters" in \fBprovider\-asym_cipher\fR\|(7) for more The default value of 1 causes an error during encryption if the RSA padding mode is set to "pkcs1". Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-SM2.7 b/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-SM2.7 index 729701d9b34e..e2d2dafc5eae 100644 --- a/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-SM2.7 +++ b/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-SM2.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_ASYM_CIPHER-SM2 7ossl" -.TH EVP_ASYM_CIPHER-SM2 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_ASYM_CIPHER-SM2 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -71,7 +74,7 @@ Asymmetric Cipher support for the \fBSM2\fR key type. .IP """digest"" (\fBOSSL_ASYM_CIPHER_PARAM_DIGEST\fR) <UTF8 string>" 4 .IX Item """digest"" (OSSL_ASYM_CIPHER_PARAM_DIGEST) <UTF8 string>" .PD 0 -.IP """digest-props"" (\fBOSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS\fR) <UTF8 string>" 4 +.IP """digest\-props"" (\fBOSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS\fR) <UTF8 string>" 4 .IX Item """digest-props"" (OSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS) <UTF8 string>" .PD See "Asymmetric Cipher Parameters" in \fBprovider\-asym_cipher\fR\|(7). diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-AES.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-AES.7 index 8b18e070a770..d809139d1196 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-AES.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-AES.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-AES 7ossl" -.TH EVP_CIPHER-AES 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-AES 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -110,11 +113,11 @@ This implementation supports the parameters described in "PARAMETERS" in \fBEVP_EncryptInit\fR\|(3). .SH NOTES .IX Header "NOTES" -The AES-SIV and AES-WRAP mode implementations do not support streaming. That +The AES\-SIV and AES\-WRAP mode implementations do not support streaming. That means to obtain correct results there can be only one \fBEVP_EncryptUpdate\fR\|(3) or \fBEVP_DecryptUpdate\fR\|(3) call after the initialization of the context. .PP -The AES-XTS implementations allow streaming to be performed, but each +The AES\-XTS implementations allow streaming to be performed, but each \&\fBEVP_EncryptUpdate\fR\|(3) or \fBEVP_DecryptUpdate\fR\|(3) call requires each input to be a multiple of the blocksize. Only the final \fBEVP_EncryptUpdate()\fR or \&\fBEVP_DecryptUpdate()\fR call can optionally have an input that is not a multiple @@ -125,7 +128,7 @@ stealing (CTS) is used to fill the block. \&\fBprovider\-cipher\fR\|(7), \fBOSSL_PROVIDER\-FIPS\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7) .SH HISTORY .IX Header "HISTORY" -The GCM-SIV mode ciphers were added in OpenSSL version 3.2. +The GCM\-SIV mode ciphers were added in OpenSSL version 3.2. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2021\-2023 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-ARIA.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-ARIA.7 index 0d0dcf472c6d..ebc560903cdd 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-ARIA.7 
+++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-ARIA.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-ARIA 7ossl" -.TH EVP_CIPHER-ARIA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-ARIA 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-BLOWFISH.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-BLOWFISH.7 index 959c2e5c36f7..bf0807ce80bc 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-BLOWFISH.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-BLOWFISH.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-BLOWFISH 7ossl" -.TH EVP_CIPHER-BLOWFISH 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-BLOWFISH 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -68,14 +71,14 @@ Support for BLOWFISH symmetric encryption using the \fBEVP_CIPHER\fR API. .SS "Algorithm Names" .IX Subsection "Algorithm Names" The following algorithms are available in the legacy provider: -.IP """BF-ECB""" 4 +.IP """BF\-ECB""" 4 .IX Item """BF-ECB""" .PD 0 -.IP """BF-CBC""" 4 +.IP """BF\-CBC""" 4 .IX Item """BF-CBC""" -.IP """BF-OFB""" 4 +.IP """BF\-OFB""" 4 .IX Item """BF-OFB""" -.IP """BF-CFB""" 4 +.IP """BF\-CFB""" 4 .IX Item """BF-CFB""" .PD .SS Parameters diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAMELLIA.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAMELLIA.7 index e89cc8717be1..029a330b4858 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAMELLIA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAMELLIA.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-CAMELLIA 7ossl" -.TH EVP_CIPHER-CAMELLIA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-CAMELLIA 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAST.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAST.7 index 829abd1e2f7a..f3338f2e9d2d 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAST.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAST.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-CAST 7ossl" -.TH EVP_CIPHER-CAST 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-CAST 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-CHACHA.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-CHACHA.7 index 699f4cfa8cfd..3acd53c2b5c6 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-CHACHA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-CHACHA.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-CHACHA 7ossl" -.TH EVP_CIPHER-CHACHA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-CHACHA 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-DES.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-DES.7 index f19084a11e70..abd4e28577b2 100644 
--- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-DES.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-DES.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-DES 7ossl" -.TH EVP_CIPHER-DES 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-DES 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -81,35 +84,35 @@ FIPS provider: .IP """DES\-EDE3\-CFB8"" and ""DES\-EDE3\-CFB1""" 4 .IX Item """DES-EDE3-CFB8"" and ""DES-EDE3-CFB1""" .PD 0 -.IP """DES-EDE-ECB"" or ""DES-EDE""" 4 +.IP """DES\-EDE\-ECB"" or ""DES\-EDE""" 4 .IX Item """DES-EDE-ECB"" or ""DES-EDE""" -.IP """DES-EDE-CBC""" 4 +.IP """DES\-EDE\-CBC""" 4 .IX Item """DES-EDE-CBC""" -.IP """DES-EDE-OFB""" 4 +.IP """DES\-EDE\-OFB""" 4 .IX Item """DES-EDE-OFB""" -.IP """DES-EDE-CFB""" 4 +.IP """DES\-EDE\-CFB""" 4 .IX Item """DES-EDE-CFB""" .IP """DES3\-WRAP""" 4 .IX Item """DES3-WRAP""" .PD .PP The following algorithms are available in the legacy provider: -.IP """DES-ECB""" 4 +.IP """DES\-ECB""" 4 .IX Item """DES-ECB""" .PD 0 -.IP """DES-CBC""" 4 +.IP """DES\-CBC""" 4 .IX Item """DES-CBC""" -.IP """DES-OFB""" 4 +.IP """DES\-OFB""" 4 .IX Item """DES-OFB""" -.IP """DES-CFB"", ""DES\-CFB1"" and ""DES\-CFB8""" 4 +.IP """DES\-CFB"", ""DES\-CFB1"" and ""DES\-CFB8""" 4 .IX Item """DES-CFB"", ""DES-CFB1"" and ""DES-CFB8""" -.IP """DESX-CBC""" 4 +.IP """DESX\-CBC""" 4 .IX Item """DESX-CBC""" .PD .SS Parameters .IX Subsection "Parameters" This implementation supports the parameters described in -"PARAMETERS" in \fBEVP_EncryptInit\fR\|(3) including "encrypt-check" and "fips-indicator". +"PARAMETERS" in \fBEVP_EncryptInit\fR\|(3) including "encrypt\-check" and "fips\-indicator". .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBprovider\-cipher\fR\|(7), \fBOSSL_PROVIDER\-FIPS\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7), diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-IDEA.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-IDEA.7 index 2e4dd1ab6d58..fb6e748526b4 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-IDEA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-IDEA.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-IDEA 7ossl" -.TH EVP_CIPHER-IDEA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-IDEA 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -68,14 +71,14 @@ Support for IDEA symmetric encryption using the \fBEVP_CIPHER\fR API. .SS "Algorithm Names" .IX Subsection "Algorithm Names" The following algorithms are available in the legacy provider: -.IP """IDEA-ECB""" 4 +.IP """IDEA\-ECB""" 4 .IX Item """IDEA-ECB""" .PD 0 -.IP """IDEA-CBC""" 4 +.IP """IDEA\-CBC""" 4 .IX Item """IDEA-CBC""" -.IP """IDEA-OFB"" or ""IDEA\-OFB64""" 4 +.IP """IDEA\-OFB"" or ""IDEA\-OFB64""" 4 .IX Item """IDEA-OFB"" or ""IDEA-OFB64""" -.IP """IDEA-CFB"" or ""IDEA\-CFB64""" 4 +.IP """IDEA\-CFB"" or ""IDEA\-CFB64""" 4 .IX Item """IDEA-CFB"" or ""IDEA-CFB64""" .PD .SS Parameters diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-NULL.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-NULL.7 index dcfc26968524..0efd7731f0de 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-NULL.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-NULL.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-NULL 7ossl" -.TH EVP_CIPHER-NULL 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-NULL 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -88,7 +91,7 @@ See "Gettable EVP_CIPHER parameters" in \fBEVP_EncryptInit\fR\|(3) .PD 0 .IP """ivlen"" (\fBOSSL_CIPHER_PARAM_IVLEN\fR and <\fBOSSL_CIPHER_PARAM_AEAD_IVLEN\fR) <unsigned integer>" 4 .IX Item """ivlen"" (OSSL_CIPHER_PARAM_IVLEN and <OSSL_CIPHER_PARAM_AEAD_IVLEN) <unsigned integer>" -.IP """tls-mac"" (\fBOSSL_CIPHER_PARAM_TLS_MAC\fR) <octet ptr>" 4 +.IP """tls\-mac"" (\fBOSSL_CIPHER_PARAM_TLS_MAC\fR) <octet ptr>" 4 .IX Item """tls-mac"" (OSSL_CIPHER_PARAM_TLS_MAC) <octet ptr>" .PD .PP @@ -96,7 +99,7 @@ See "PARAMETERS" in \fBEVP_EncryptInit\fR\|(3) for further information. .PP \fISettable EVP_CIPHER_CTX parameters\fR .IX Subsection "Settable EVP_CIPHER_CTX parameters" -.IP """tls-mac-size"" (\fBOSSL_CIPHER_PARAM_TLS_MAC_SIZE\fR) <unsigned integer>" 4 +.IP """tls\-mac\-size"" (\fBOSSL_CIPHER_PARAM_TLS_MAC_SIZE\fR) <unsigned integer>" 4 .IX Item """tls-mac-size"" (OSSL_CIPHER_PARAM_TLS_MAC_SIZE) <unsigned integer>" .PP See "PARAMETERS" in \fBEVP_EncryptInit\fR\|(3) for further information. diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC2.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC2.7 index 9b8cc42d1dfd..a2c0ac5f4130 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC2.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC2.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-RC2 7ossl" -.TH EVP_CIPHER-RC2 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-RC2 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC4.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC4.7 index 1f5fb7f1ffcc..4cfeb8756e52 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC4.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC4.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-RC4 7ossl" -.TH EVP_CIPHER-RC4 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-RC4 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC5.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC5.7 index 6586d997099b..010b1169370f 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC5.7 
+++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC5.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-RC5 7ossl" -.TH EVP_CIPHER-RC5 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-RC5 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-SEED.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-SEED.7 index 6aaf4802764e..43d866db38eb 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-SEED.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-SEED.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-SEED 7ossl" -.TH EVP_CIPHER-SEED 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-SEED 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -68,14 +71,14 @@ Support for SEED symmetric encryption using the \fBEVP_CIPHER\fR API. .SS "Algorithm Names" .IX Subsection "Algorithm Names" The following algorithms are available in the legacy provider: -.IP """SEED-CBC"" or ""SEED""" 4 +.IP """SEED\-CBC"" or ""SEED""" 4 .IX Item """SEED-CBC"" or ""SEED""" .PD 0 -.IP """SEED-ECB""" 4 +.IP """SEED\-ECB""" 4 .IX Item """SEED-ECB""" -.IP """SEED-OFB"" or ""SEED\-OFB128""" 4 +.IP """SEED\-OFB"" or ""SEED\-OFB128""" 4 .IX Item """SEED-OFB"" or ""SEED-OFB128""" -.IP """SEED-CFB"" or ""SEED\-CFB128""" 4 +.IP """SEED\-CFB"" or ""SEED\-CFB128""" 4 .IX Item """SEED-CFB"" or ""SEED-CFB128""" .PD .SS Parameters diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-SM4.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-SM4.7 index 903f1624aa38..0189f892e1c7 100644 --- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-SM4.7 +++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-SM4.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_CIPHER-SM4 7ossl" -.TH EVP_CIPHER-SM4 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_CIPHER-SM4 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-ARGON2.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-ARGON2.7 index 78a02825abce..850fe892fc6c 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-ARGON2.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-ARGON2.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-ARGON2 7ossl" -.TH EVP_KDF-ARGON2 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-ARGON2 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -64,25 +67,25 @@ EVP_KDF\-ARGON2 \- The Argon2 EVP KDF implementation .SH DESCRIPTION .IX Header "DESCRIPTION" -Support for computing the \fBargon2\fR password-based KDF through the \fBEVP_KDF\fR +Support for computing the \fBargon2\fR password\-based KDF through the \fBEVP_KDF\fR API. .PP -The EVP_KDF\-ARGON2 algorithm implements the Argon2 password-based key -derivation function, as described in IETF RFC 9106. It is memory-hard in +The EVP_KDF\-ARGON2 algorithm implements the Argon2 password\-based key +derivation function, as described in IETF RFC 9106. It is memory\-hard in the sense that it deliberately requires a significant amount of RAM for efficient computation. The intention of this is to render brute forcing of passwords on systems that lack large amounts of main memory (such as GPUs or ASICs) computationally infeasible. .PP -Argon2d (Argon2i) uses data-dependent (data-independent) memory access and -primary seek to address trade-off (side-channel) attacks. +Argon2d (Argon2i) uses data\-dependent (data\-independent) memory access and +primary seek to address trade\-off (side\-channel) attacks. .PP Argon2id is a hybrid construction which, in the first two slices of the first -pass, generates reference addresses data-independently as in Argon2i, whereas -in later slices and next passes it generates them data-dependently as in +pass, generates reference addresses data\-independently as in Argon2i, whereas +in later slices and next passes it generates them data\-dependently as in Argon2d. .PP -Sbox-hardened version Argon2ds is not supported. +Sbox\-hardened version Argon2ds is not supported. .PP For more information, please refer to RFC 9106. .SS "Supported parameters" 
@@ -114,7 +117,7 @@ password. .IX Item """threads"" (OSSL_KDF_PARAM_THREADS) <unsigned integer>" The number of threads, bounded above by the number of lanes. .Sp -This can only be used with built-in thread support. Threading must be +This can only be used with built\-in thread support. Threading must be explicitly enabled. See EXAMPLES section for more information. .IP """ad"" (\fBOSSL_KDF_PARAM_ARGON2_AD\fR) <octet string>" 4 .IX Item """ad"" (OSSL_KDF_PARAM_ARGON2_AD) <octet string>" @@ -123,12 +126,12 @@ to a particular public key, without having to modify salt. .IP """lanes"" (\fBOSSL_KDF_PARAM_ARGON2_LANES\fR) <unsigned integer>" 4 .IX Item """lanes"" (OSSL_KDF_PARAM_ARGON2_LANES) <unsigned integer>" Argon2 splits the requested memory size into lanes, each of which is designed -to be processed in parallel. For example, on a system with p cores, it's +to be processed in parallel. For example, on a system with p cores, it\*(Aqs recommended to use p lanes. .Sp The number of lanes is used to derive the key. It is possible to specify more lanes than the number of available computational threads. This is -especially encouraged if multi-threading is disabled. +especially encouraged if multi\-threading is disabled. .IP """memcost"" (\fBOSSL_KDF_PARAM_ARGON2_MEMCOST\fR) <unsigned integer>" 4 .IX Item """memcost"" (OSSL_KDF_PARAM_ARGON2_MEMCOST) <unsigned integer>" Memory cost parameter (the number of 1k memory blocks used). diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-HKDF.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-HKDF.7 index aab786491abf..de2c3abbc06b 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-HKDF.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-HKDF.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-HKDF 7ossl" -.TH EVP_KDF-HKDF 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-HKDF 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -67,9 +70,9 @@ EVP_KDF\-HKDF \- The HKDF EVP_KDF implementation Support for computing the \fBHKDF\fR KDF through the \fBEVP_KDF\fR API. .PP The EVP_KDF\-HKDF algorithm implements the HKDF key derivation function. -HKDF follows the "extract-then-expand" paradigm, where the KDF logically +HKDF follows the "extract\-then\-expand" paradigm, where the KDF logically consists of two modules. The first stage takes the input keying material -and "extracts" from it a fixed-length pseudorandom key K. The second stage +and "extracts" from it a fixed\-length pseudorandom key K. The second stage "expands" the key K into several additional pseudorandom keys (the output of the KDF). .PP 
@@ -107,14 +110,14 @@ There are three modes that are currently defined: This is the default mode. Calling \fBEVP_KDF_derive\fR\|(3) on an EVP_KDF_CTX set up for HKDF will perform an extract followed by an expand operation in one go. The derived key returned will be the result after the expand operation. The -intermediate fixed-length pseudorandom key K is not returned. +intermediate fixed\-length pseudorandom key K is not returned. .Sp In this mode the digest, key, salt and info values must be set before a key is derived otherwise an error will occur. .IP """EXTRACT_ONLY"" or \fBEVP_KDF_HKDF_MODE_EXTRACT_ONLY\fR" 4 .IX Item """EXTRACT_ONLY"" or EVP_KDF_HKDF_MODE_EXTRACT_ONLY" In this mode calling \fBEVP_KDF_derive\fR\|(3) will just perform the extract -operation. The value returned will be the intermediate fixed-length pseudorandom +operation. The value returned will be the intermediate fixed\-length pseudorandom key K. The \fIkeylen\fR parameter must match the size of K, which can be looked up by calling \fBEVP_KDF_CTX_get_kdf_size()\fR after setting the mode and digest. .Sp @@ -123,7 +126,7 @@ an error will occur. .IP """EXPAND_ONLY"" or \fBEVP_KDF_HKDF_MODE_EXPAND_ONLY\fR" 4 .IX Item """EXPAND_ONLY"" or EVP_KDF_HKDF_MODE_EXPAND_ONLY" In this mode calling \fBEVP_KDF_derive\fR\|(3) will just perform the expand -operation. The input key should be set to the intermediate fixed-length +operation. The input key should be set to the intermediate fixed\-length pseudorandom key K returned from a previous extract operation. .Sp The digest, key and info values must be set before a key is derived otherwise 
@@ -133,19 +136,19 @@ an error will occur. .RE .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. -This may be used after calling EVP_KDF_derive. It returns 0 if "key-check" +This may be used after calling EVP_KDF_derive. It returns 0 if "key\-check" is set to 0 and the check fails. -.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the -length of used key-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 +length of used key\-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 bits. Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH NOTES .IX Header "NOTES" 
@@ -159,7 +162,7 @@ A context for HKDF can be obtained by calling: The output length of an HKDF expand operation is specified via the \fIkeylen\fR parameter to the \fBEVP_KDF_derive\fR\|(3) function. When using EVP_KDF_HKDF_MODE_EXTRACT_ONLY the \fIkeylen\fR parameter must equal the size of -the intermediate fixed-length pseudorandom key otherwise an error will occur. +the intermediate fixed\-length pseudorandom key otherwise an error will occur. For that mode, the fixed output size can be looked up by calling \fBEVP_KDF_CTX_get_kdf_size()\fR after setting the mode and digest on the \fBEVP_KDF_CTX\fR. .SH EXAMPLES diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-HMAC-DRBG.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-HMAC-DRBG.7 index 9f052e930e37..62b8951b82d8 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-HMAC-DRBG.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-HMAC-DRBG.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-HMAC-DRBG 7ossl" -.TH EVP_KDF-HMAC-DRBG 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-HMAC-DRBG 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -71,7 +74,7 @@ values. This is used to generate deterministic nonce value required by ECDSA and DSA (as defined in RFC 6979). .SS Identity .IX Subsection "Identity" -"HMAC-DRBG-KDF" is the name for this implementation; it can be used +"HMAC\-DRBG\-KDF" is the name for this implementation; it can be used with the \fBEVP_KDF_fetch()\fR function. .SS "Supported parameters" .IX Subsection "Supported parameters" @@ -85,10 +88,10 @@ The supported parameters are: These parameters work as described in "PARAMETERS" in \fBEVP_KDF\fR\|(3). .IP """entropy"" (\fBOSSL_KDF_PARAM_HMACDRBG_ENTROPY\fR) <octet string>" 4 .IX Item """entropy"" (OSSL_KDF_PARAM_HMACDRBG_ENTROPY) <octet string>" -Sets the entropy bytes supplied to the HMAC-DRBG. +Sets the entropy bytes supplied to the HMAC\-DRBG. .IP """nonce"" (\fBOSSL_KDF_PARAM_HMACDRBG_NONCE\fR) <octet string>" 4 .IX Item """nonce"" (OSSL_KDF_PARAM_HMACDRBG_NONCE) <octet string>" -Sets the nonce bytes supplied to the HMAC-DRBG. +Sets the nonce bytes supplied to the HMAC\-DRBG. .SH NOTES .IX Header "NOTES" A context for KDF HMAC DRBG can be obtained by calling: diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-KB.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-KB.7 index 738a06916bfb..0d174366cf99 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-KB.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-KB.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-KB 7ossl" -.TH EVP_KDF-KB 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-KB 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -64,7 +67,7 @@ EVP_KDF\-KB \- The Key\-Based EVP_KDF implementation .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP_KDF\-KB algorithm implements the Key-Based key derivation function +The EVP_KDF\-KB algorithm implements the Key\-Based key derivation function (KBKDF). KBKDF derives a key from repeated application of a keyed MAC to an input secret (and other optional values). .PP 
@@ -101,36 +104,36 @@ The value is either CMAC, HMAC, KMAC128 or KMAC256. .IX Item """seed"" (OSSL_KDF_PARAM_SEED) <octet string>" .PD The seed parameter is unused in counter mode. -.IP """use-l"" (\fBOSSL_KDF_PARAM_KBKDF_USE_L\fR) <integer>" 4 +.IP """use\-l"" (\fBOSSL_KDF_PARAM_KBKDF_USE_L\fR) <integer>" 4 .IX Item """use-l"" (OSSL_KDF_PARAM_KBKDF_USE_L) <integer>" -Set to \fB0\fR to disable use of the optional Fixed Input data 'L' (see SP800\-108). +Set to \fB0\fR to disable use of the optional Fixed Input data \*(AqL\*(Aq (see SP800\-108). The default value of \fB1\fR will be used if unspecified. -.IP """use-separator"" (\fBOSSL_KDF_PARAM_KBKDF_USE_SEPARATOR\fR) <integer>" 4 +.IP """use\-separator"" (\fBOSSL_KDF_PARAM_KBKDF_USE_SEPARATOR\fR) <integer>" 4 .IX Item """use-separator"" (OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR) <integer>" -Set to \fB0\fR to disable use of the optional Fixed Input data 'zero separator' +Set to \fB0\fR to disable use of the optional Fixed Input data \*(Aqzero separator\*(Aq (see SP800\-108) that is placed between the Label and Context. The default value of \fB1\fR will be used if unspecified. .IP """r"" (\fBOSSL_KDF_PARAM_KBKDF_R\fR) <integer>" 4 .IX Item """r"" (OSSL_KDF_PARAM_KBKDF_R) <integer>" -Set the fixed value 'r', indicating the length of the counter in bits. +Set the fixed value \*(Aqr\*(Aq, indicating the length of the counter in bits. .Sp Supported values are \fB8\fR, \fB16\fR, \fB24\fR, and \fB32\fR. The default value of \fB32\fR will be used if unspecified. .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. -This may be used after calling EVP_KDF_derive. 
It returns 0 if "key-check" +This may be used after calling EVP_KDF_derive. It returns 0 if "key\-check" is set to 0 and the check fails. -.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the -length of used key-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 +length of used key\-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 bits. Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .PP Depending on whether mac is CMAC or HMAC, either digest or cipher is required diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-KRB5KDF.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-KRB5KDF.7 index 0f1a7bd69150..db1f91a65ffc 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-KRB5KDF.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-KRB5KDF.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-KRB5KDF 7ossl" -.TH EVP_KDF-KRB5KDF 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-KRB5KDF 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -102,7 +105,7 @@ A context for KRB5KDF can be obtained by calling: The output length of the KRB5KDF derivation is specified via the \fIkeylen\fR parameter to the \fBEVP_KDF_derive\fR\|(3) function, and MUST match the key length for the chosen cipher or an error is returned. Moreover, the -constant's length must not exceed the block size of the cipher. +constant\*(Aqs length must not exceed the block size of the cipher. Since the KRB5KDF output length depends on the chosen cipher, calling \&\fBEVP_KDF_CTX_get_kdf_size\fR\|(3) to obtain the requisite length returns the correct length only after the cipher is set. Prior to that \fBEVP_MAX_KEY_LENGTH\fR is returned. diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF1.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF1.7 index 25f0db72ea71..219dbda592e5 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF1.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF1.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-PBKDF1 7ossl" -.TH EVP_KDF-PBKDF1 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-PBKDF1 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -64,10 +67,10 @@ EVP_KDF\-PBKDF1 \- The PBKDF1 EVP_KDF implementation .SH DESCRIPTION .IX Header "DESCRIPTION" -Support for computing the \fBPBKDF1\fR password-based KDF through the \fBEVP_KDF\fR +Support for computing the \fBPBKDF1\fR password\-based KDF through the \fBEVP_KDF\fR API. .PP -The EVP_KDF\-PBKDF1 algorithm implements the PBKDF1 password-based key +The EVP_KDF\-PBKDF1 algorithm implements the PBKDF1 password\-based key derivation function, as described in RFC 8018; it derives a key from a password using a salt and iteration count. .SS Identity diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF2.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF2.7 index 7607d24bab02..03b73479a246 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF2.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF2.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-PBKDF2 7ossl" -.TH EVP_KDF-PBKDF2 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-PBKDF2 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -64,10 +67,10 @@ EVP_KDF\-PBKDF2 \- The PBKDF2 EVP_KDF implementation .SH DESCRIPTION .IX Header "DESCRIPTION" -Support for computing the \fBPBKDF2\fR password-based KDF through the \fBEVP_KDF\fR +Support for computing the \fBPBKDF2\fR password\-based KDF through the \fBEVP_KDF\fR API. .PP -The EVP_KDF\-PBKDF2 algorithm implements the PBKDF2 password-based key +The EVP_KDF\-PBKDF2 algorithm implements the PBKDF2 password\-based key derivation function, as described in SP800\-132; it derives a key from a password using a salt and iteration count. .PP @@ -109,16 +112,16 @@ The checks performed are: .IX Item "- the salt length is at least 128 bits." .IP "\- the derived key length is at least 112 bits." 4 .IX Item "- the derived key length is at least 112 bits." +.PD .RE .RS 4 -.PD .Sp The default provider uses a default mode of 1 for backwards compatibility, and the FIPS provider uses a default mode of 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .RE -.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>" This option is used by the OpenSSL FIPS provider. .Sp diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-PKCS12KDF.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-PKCS12KDF.7 index 341f1d862e50..aa62ad84aaf0 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-PKCS12KDF.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-PKCS12KDF.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-PKCS12KDF 7ossl" -.TH EVP_KDF-PKCS12KDF 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-PKCS12KDF 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -64,10 +67,10 @@ EVP_KDF\-PKCS12KDF \- The PKCS#12 EVP_KDF implementation .SH DESCRIPTION .IX Header "DESCRIPTION" -Support for computing the \fBPKCS#12\fR password-based KDF through the \fBEVP_KDF\fR +Support for computing the \fBPKCS#12\fR password\-based KDF through the \fBEVP_KDF\fR API. .PP -The EVP_KDF\-PKCS12KDF algorithm implements the PKCS#12 password-based key +The EVP_KDF\-PKCS12KDF algorithm implements the PKCS#12 password\-based key derivation function, as described in appendix B of RFC 7292 (PKCS #12: Personal Information Exchange Syntax); it derives a key from a password using a salt, iteration count and the intended usage. diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-PVKKDF.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-PVKKDF.7 index 3e905f6b0e31..d1f0eafafb34 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-PVKKDF.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-PVKKDF.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-PVKKDF 7ossl" -.TH EVP_KDF-PVKKDF 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-PVKKDF 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -64,10 +67,10 @@ EVP_KDF\-PVKKDF \- The PVK EVP_KDF implementation .SH DESCRIPTION .IX Header "DESCRIPTION" -Support for computing the \fBPVK KDF\fR PIN-based KDF through the \fBEVP_KDF\fR +Support for computing the \fBPVK KDF\fR PIN\-based KDF through the \fBEVP_KDF\fR API. .PP -The EVP_KDF\-PVKKDF algorithm implements a PVK PIN-based key +The EVP_KDF\-PVKKDF algorithm implements a PVK PIN\-based key derivation function; it derives a key from a password using a salt. .SS Identity .IX Subsection "Identity" diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-SCRYPT.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-SCRYPT.7 index a08ad8fed8e8..d16ffd40ebec 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-SCRYPT.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-SCRYPT.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-SCRYPT 7ossl" -.TH EVP_KDF-SCRYPT 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-SCRYPT 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -64,11 +67,11 @@ EVP_KDF\-SCRYPT \- The scrypt EVP_KDF implementation .SH DESCRIPTION .IX Header "DESCRIPTION" -Support for computing the \fBscrypt\fR password-based KDF through the \fBEVP_KDF\fR +Support for computing the \fBscrypt\fR password\-based KDF through the \fBEVP_KDF\fR API. .PP -The EVP_KDF\-SCRYPT algorithm implements the scrypt password-based key -derivation function, as described in RFC 7914. It is memory-hard in the sense +The EVP_KDF\-SCRYPT algorithm implements the scrypt password\-based key +derivation function, as described in RFC 7914. It is memory\-hard in the sense that it deliberately requires a significant amount of RAM for efficient computation. The intention of this is to render brute forcing of passwords on systems that lack large amounts of main memory (such as GPUs or ASICs) @@ -82,7 +85,7 @@ greater than zero. The amount of RAM that scrypt requires for its computation is roughly (128 * N * r * p) bytes. .PP In the original paper of Colin Percival ("Stronger Key Derivation via -Sequential Memory-Hard Functions", 2009), the suggested values that give a +Sequential Memory\-Hard Functions", 2009), the suggested values that give a computation time of less than 5 seconds on a 2.5 GHz Intel Core 2 Duo are N = 2^20 = 1048576, r = 8, p = 1. Consequently, the required amount of memory for this computation is roughly 1 GiB. On a more recent CPU (Intel i7\-5930K at 3.5 
diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-SS.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-SS.7 index e10084e0fcea..c57662eaa454 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-SS.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-SS.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-SS 7ossl" -.TH EVP_KDF-SS 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-SS 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -67,7 +70,7 @@ EVP_KDF\-SS \- The Single Step / One Step EVP_KDF implementation The EVP_KDF\-SS algorithm implements the Single Step key derivation function (SSKDF). SSKDF derives a key using input such as a shared secret key (that was generated during the execution of a key establishment scheme) and fixedinfo. -SSKDF is also informally referred to as 'Concat KDF'. +SSKDF is also informally referred to as \*(AqConcat KDF\*(Aq. .PP The output is considered to be keying material. .SS "Auxiliary function" @@ -82,7 +85,7 @@ The implementation uses a selectable auxiliary function H, which can be one of: .IX Item "H(x) = KMACxxx(x, key=salt, custom=""KDF"", outlen=mac_size)" .PD .PP -Both the HMAC and KMAC implementations set the key using the 'salt' value. +Both the HMAC and KMAC implementations set the key using the \*(Aqsalt\*(Aq value. The hash and HMAC also require the digest to be set. .SS Identity .IX Subsection "Identity" 
@@ -115,19 +118,19 @@ This parameter set the shared secret that is used for key derivation. This parameter sets an optional value for fixedinfo, also known as otherinfo. .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. -This may be used after calling EVP_KDF_derive. It returns 0 if "key-check" +This may be used after calling EVP_KDF_derive. It returns 0 if "key\-check" is set to 0 and the check fails. -.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the -length of used key-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 +length of used key\-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 bits. Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH NOTES .IX Header "NOTES" diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-SSHKDF.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-SSHKDF.7 index c00d36a8a7ba..e5504744dde6 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-SSHKDF.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-SSHKDF.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-SSHKDF 7ossl" -.TH EVP_KDF-SSHKDF 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-SSHKDF 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -106,56 +109,56 @@ There are six supported types: .IP EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 4 .IX Item "EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV" The Initial IV from client to server. -A single char of value 65 (ASCII char 'A'). +A single char of value 65 (ASCII char \*(AqA\*(Aq). .IP EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 4 .IX Item "EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI" The Initial IV from server to client -A single char of value 66 (ASCII char 'B'). +A single char of value 66 (ASCII char \*(AqB\*(Aq). .IP EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 4 .IX Item "EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV" The Encryption Key from client to server -A single char of value 67 (ASCII char 'C'). +A single char of value 67 (ASCII char \*(AqC\*(Aq). .IP EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI 4 .IX Item "EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI" The Encryption Key from server to client -A single char of value 68 (ASCII char 'D'). +A single char of value 68 (ASCII char \*(AqD\*(Aq). .IP EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV 4 .IX Item "EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV" The Integrity Key from client to server -A single char of value 69 (ASCII char 'E'). +A single char of value 69 (ASCII char \*(AqE\*(Aq). .IP EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI 4 .IX Item "EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI" The Integrity Key from client to server -A single char of value 70 (ASCII char 'F'). +A single char of value 70 (ASCII char \*(AqF\*(Aq). .RE .RS 4 .RE .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling EVP_KDF_derive. 
It returns 0 if any "***\-check" related parameter is set to 0 and the check fails. -.IP """digest-check"" (\fBOSSL_KDF_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_KDF_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_KDF_PARAM_FIPS_DIGEST_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if used digest is not approved. Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .Sp According to SP 800\-135r1, the following are approved digest algorithms: SHA\-1, SHA2\-224, SHA2\-256, SHA2\-384, SHA2\-512. -.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the -length of used key-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 +length of used key\-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 bits. Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH NOTES .IX Header "NOTES" diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-TLS13_KDF.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-TLS13_KDF.7 index 225b2e0878a4..36565ceb551f 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-TLS13_KDF.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-TLS13_KDF.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-TLS13_KDF 7ossl" -.TH EVP_KDF-TLS13_KDF 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-TLS13_KDF 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -110,7 +113,7 @@ There are two modes that are currently defined: .IP """EXTRACT_ONLY"" or \fBEVP_KDF_HKDF_MODE_EXTRACT_ONLY\fR" 4 .IX Item """EXTRACT_ONLY"" or EVP_KDF_HKDF_MODE_EXTRACT_ONLY" In this mode calling \fBEVP_KDF_derive\fR\|(3) will just perform the extract -operation. The value returned will be the intermediate fixed-length pseudorandom +operation. The value returned will be the intermediate fixed\-length pseudorandom key K. The \fIkeylen\fR parameter must match the size of K, which can be looked up by calling \fBEVP_KDF_CTX_get_kdf_size()\fR after setting the mode and digest. .Sp @@ -119,7 +122,7 @@ an error will occur. .IP """EXPAND_ONLY"" or \fBEVP_KDF_HKDF_MODE_EXPAND_ONLY\fR" 4 .IX Item """EXPAND_ONLY"" or EVP_KDF_HKDF_MODE_EXPAND_ONLY" In this mode calling \fBEVP_KDF_derive\fR\|(3) will just perform the expand -operation. The input key should be set to the intermediate fixed-length +operation. The input key should be set to the intermediate fixed\-length pseudorandom key K returned from a previous extract operation. .Sp The digest, key and info values must be set before a key is derived otherwise 
@@ -129,30 +132,30 @@ an error will occur. .RE .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling EVP_KDF_derive. It returns 0 if any "***\-check" related parameter is set to 0 and the check fails. -.IP """digest-check"" (\fBOSSL_KDF_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_KDF_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_KDF_PARAM_FIPS_DIGEST_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if used digest is not approved. Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .Sp According to RFC 8446, the following are approved digest algorithms: SHA2\-256, SHA2\-384. -.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the -length of used key-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 +length of used key\-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 bits. Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. 
+This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH NOTES .IX Header "NOTES" @@ -173,7 +176,7 @@ A context for a TLS 1.3 KDF can be obtained by calling: The output length of a TLS 1.3 KDF expand operation is specified via the \&\fIkeylen\fR parameter to the \fBEVP_KDF_derive\fR\|(3) function. When using EVP_KDF_HKDF_MODE_EXTRACT_ONLY the \fIkeylen\fR parameter must equal the size of -the intermediate fixed-length pseudorandom key otherwise an error will occur. +the intermediate fixed\-length pseudorandom key otherwise an error will occur. For that mode, the fixed output size can be looked up by calling \&\fBEVP_KDF_CTX_get_kdf_size()\fR after setting the mode and digest on the \&\fBEVP_KDF_CTX\fR. diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-TLS1_PRF.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-TLS1_PRF.7 index 29310eeb6dce..de4b652691e9 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-TLS1_PRF.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-TLS1_PRF.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-TLS1_PRF 7ossl" -.TH EVP_KDF-TLS1_PRF 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-TLS1_PRF 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -100,7 +103,7 @@ The length of the context seed cannot exceed 1024 bytes; this should be more than enough for any normal use of the TLS PRF. .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling EVP_KDF_derive. It returns 0 if any "***\-check" 
@@ -109,28 +112,28 @@ related parameter is set to 0 and the check fails. .IX Item """ems_check"" (OSSL_KDF_PARAM_FIPS_EMS_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_derive()\fR if "master secret" is used instead of "extended master secret" Setting this to zero -will ignore the error and set the approved "fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +will ignore the error and set the approved "fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. -.IP """digest-check"" (\fBOSSL_KDF_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_KDF_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_KDF_PARAM_FIPS_DIGEST_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if used digest is not approved. Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .Sp According to SP 800\-135r1, the following are approved digest algorithms: SHA2\-256, SHA2\-384, SHA2\-512. -.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the -length of used key-derivation key (\fBOSSL_KDF_PARAM_SECRET\fR) is shorter than 112 +length of used key\-derivation key (\fBOSSL_KDF_PARAM_SECRET\fR) is shorter than 112 bits. Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. 
+This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH NOTES .IX Header "NOTES" diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-X942-ASN1.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-X942-ASN1.7 index ab6662cccdb5..db099158206f 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-X942-ASN1.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-X942-ASN1.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-X942-ASN1 7ossl" -.TH EVP_KDF-X942-ASN1 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-X942-ASN1 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -67,8 +70,8 @@ EVP_KDF\-X942\-ASN1 \- The X9.42\-2003 asn1 EVP_KDF implementation The EVP_KDF\-X942\-ASN1 algorithm implements the key derivation function X942KDF\-ASN1. It is used by DH KeyAgreement, to derive a key using input such as a shared secret key and other info. The other info is DER encoded data that -contains a 32 bit counter as well as optional fields for "partyu-info", -"partyv-info", "supp-pubinfo" and "supp-privinfo". +contains a 32 bit counter as well as optional fields for "partyu\-info", +"partyv\-info", "supp\-pubinfo" and "supp\-privinfo". This kdf is used by Cryptographic Message Syntax (CMS). .PP The output is considered to be keying material. 
@@ -89,34 +92,34 @@ These parameters work as described in "PARAMETERS" in \fBEVP_KDF\fR\|(3). .IP """secret"" (\fBOSSL_KDF_PARAM_SECRET\fR) <octet string>" 4 .IX Item """secret"" (OSSL_KDF_PARAM_SECRET) <octet string>" The shared secret used for key derivation. This parameter sets the secret. -.IP """acvp-info"" (\fBOSSL_KDF_PARAM_X942_ACVPINFO\fR) <octet string>" 4 +.IP """acvp\-info"" (\fBOSSL_KDF_PARAM_X942_ACVPINFO\fR) <octet string>" 4 .IX Item """acvp-info"" (OSSL_KDF_PARAM_X942_ACVPINFO) <octet string>" This value should not be used in production and should only be used for ACVP testing. It is an optional octet string containing a combined DER encoded blob -of any of the optional fields related to "partyu-info", "partyv-info", -"supp-pubinfo" and "supp-privinfo". If it is specified then none of these other +of any of the optional fields related to "partyu\-info", "partyv\-info", +"supp\-pubinfo" and "supp\-privinfo". If it is specified then none of these other fields should be used. -.IP """partyu-info"" (\fBOSSL_KDF_PARAM_X942_PARTYUINFO\fR) <octet string>" 4 +.IP """partyu\-info"" (\fBOSSL_KDF_PARAM_X942_PARTYUINFO\fR) <octet string>" 4 .IX Item """partyu-info"" (OSSL_KDF_PARAM_X942_PARTYUINFO) <octet string>" An optional octet string containing public info contributed by the initiator. .IP """ukm"" (\fBOSSL_KDF_PARAM_UKM\fR) <octet string>" 4 .IX Item """ukm"" (OSSL_KDF_PARAM_UKM) <octet string>" -An alias for "partyu-info". +An alias for "partyu\-info". In CMS this is the user keying material. -.IP """partyv-info"" (\fBOSSL_KDF_PARAM_X942_PARTYVINFO\fR) <octet string>" 4 +.IP """partyv\-info"" (\fBOSSL_KDF_PARAM_X942_PARTYVINFO\fR) <octet string>" 4 .IX Item """partyv-info"" (OSSL_KDF_PARAM_X942_PARTYVINFO) <octet string>" An optional octet string containing public info contributed by the responder. 
-.IP """supp-pubinfo"" (\fBOSSL_KDF_PARAM_X942_SUPP_PUBINFO\fR) <octet string>" 4 +.IP """supp\-pubinfo"" (\fBOSSL_KDF_PARAM_X942_SUPP_PUBINFO\fR) <octet string>" 4 .IX Item """supp-pubinfo"" (OSSL_KDF_PARAM_X942_SUPP_PUBINFO) <octet string>" -An optional octet string containing some additional, mutually-known public -information. Setting this value also sets "use-keybits" to 0. -.IP """use-keybits"" (\fBOSSL_KDF_PARAM_X942_USE_KEYBITS\fR) <integer>" 4 +An optional octet string containing some additional, mutually\-known public +information. Setting this value also sets "use\-keybits" to 0. +.IP """use\-keybits"" (\fBOSSL_KDF_PARAM_X942_USE_KEYBITS\fR) <integer>" 4 .IX Item """use-keybits"" (OSSL_KDF_PARAM_X942_USE_KEYBITS) <integer>" The default value of 1 will use the KEK key length (in bits) as the -"supp-pubinfo". A value of 0 disables setting the "supp-pubinfo". -.IP """supp-privinfo"" (\fBOSSL_KDF_PARAM_X942_SUPP_PRIVINFO\fR) <octet string>" 4 +"supp\-pubinfo". A value of 0 disables setting the "supp\-pubinfo". +.IP """supp\-privinfo"" (\fBOSSL_KDF_PARAM_X942_SUPP_PRIVINFO\fR) <octet string>" 4 .IX Item """supp-privinfo"" (OSSL_KDF_PARAM_X942_SUPP_PRIVINFO) <octet string>" -An optional octet string containing some additional, mutually-known private +An optional octet string containing some additional, mutually\-known private information. .IP """cekalg"" (\fBOSSL_KDF_PARAM_CEK_ALG\fR) <UTF8 string>" 4 .IX Item """cekalg"" (OSSL_KDF_PARAM_CEK_ALG) <UTF8 string>" 
@@ -124,19 +127,19 @@ This parameter sets the CEK wrapping algorithm name. Valid values are "AES\-128\-WRAP", "AES\-192\-WRAP", "AES\-256\-WRAP" and "DES3\-WRAP". .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. -This may be used after calling EVP_KDF_derive. It returns 0 if "key-check" +This may be used after calling EVP_KDF_derive. It returns 0 if "key\-check" parameter is set to 0 and the check fails. -.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the -length of used key-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 +length of used key\-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 bits. Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH NOTES .IX Header "NOTES" diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-X942-CONCAT.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-X942-CONCAT.7 index 801b89da4cac..50640e9fb46c 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-X942-CONCAT.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-X942-CONCAT.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-X942-CONCAT 7ossl" -.TH EVP_KDF-X942-CONCAT 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-X942-CONCAT 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-X963.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-X963.7 index c21382cdd60c..288ffbb5145f 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KDF-X963.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KDF-X963.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KDF-X963 7ossl" -.TH EVP_KDF-X963 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KDF-X963 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -92,31 +95,31 @@ This parameter sets the secret. This parameter specifies an optional value for shared info. .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling EVP_KDF_derive. It returns 0 if any "***\-check" related parameter is set to 0 and the check fails. -.IP """digest-check"" (\fBOSSL_KDF_PARAM_FIPS_DIGEST_CHECK\fR) <int>" 4 +.IP """digest\-check"" (\fBOSSL_KDF_PARAM_FIPS_DIGEST_CHECK\fR) <int>" 4 .IX Item """digest-check"" (OSSL_KDF_PARAM_FIPS_DIGEST_CHECK) <int>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if used digest is not approved. Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .Sp According to ANSI X9.63\-2001, the following are approved digest algorithms: SHA2\-224, SHA2\-256, SHA2\-384, SHA2\-512, SHA2\-512/224, SHA2\-512/256, SHA3\-224, SHA3\-256, SHA3\-384, SHA3\-512. -.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>" The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the -length of used key-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 +length of used key\-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112 bits. 
Setting this to zero will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH NOTES .IX Header "NOTES" diff --git a/secure/lib/libcrypto/man/man7/EVP_KEM-EC.7 b/secure/lib/libcrypto/man/man7/EVP_KEM-EC.7 index 8cae2016c1a4..47379e275305 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KEM-EC.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KEM-EC.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KEM-EC 7ossl" -.TH EVP_KEM-EC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KEM-EC 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_KEM-ML-KEM.7 b/secure/lib/libcrypto/man/man7/EVP_KEM-ML-KEM.7 index 80f1fd720b6b..effa1cfd35cf 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KEM-ML-KEM.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KEM-ML-KEM.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KEM-ML-KEM 7ossl" -.TH EVP_KEM-ML-KEM 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KEM-ML-KEM 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -65,14 +68,14 @@ EVP_KEM\-ML\-KEM\-512, EVP_KEM\-ML\-KEM\-768, EVP_KEM\-ML\-KEM\-1024, EVP_KEM\-M \&\- EVP_KEM ML\-KEM keytype and algorithm support .SH DESCRIPTION .IX Header "DESCRIPTION" -The \fBML-KEM\fR keytypes and parameters are described in \fBEVP_PKEY\-ML\-KEM\fR\|(7). +The \fBML\-KEM\fR keytypes and parameters are described in \fBEVP_PKEY\-ML\-KEM\fR\|(7). See \fBEVP_PKEY_encapsulate\fR\|(3) and \fBEVP_PKEY_decapsulate\fR\|(3) for more details about basic KEM operations. -.SS "ML-KEM KEM parameters" +.SS "ML\-KEM KEM parameters" .IX Subsection "ML-KEM KEM parameters" .IP """ikme"" (\fBOSSL_KEM_PARAM_IKME\fR) <octet string>" 4 .IX Item """ikme"" (OSSL_KEM_PARAM_IKME) <octet string>" -The OpenSSL ML-KEM encapsulation mechanism can only be modified by +The OpenSSL ML\-KEM encapsulation mechanism can only be modified by setting randomness during encapsulation, this enables testing, as per FIPS 203, section 6.2, algorithm 17. .Sp diff --git a/secure/lib/libcrypto/man/man7/EVP_KEM-RSA.7 b/secure/lib/libcrypto/man/man7/EVP_KEM-RSA.7 index 2465e98296fe..67087c53d90a 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KEM-RSA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KEM-RSA.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KEM-RSA 7ossl" -.TH EVP_KEM-RSA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KEM-RSA 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -84,10 +87,10 @@ The decapsulate function recovers the secret using the RSA private key. .Sp This can be set using \fBEVP_PKEY_CTX_set_kem_op()\fR. .RE -.IP """fips-indicator"" (\fBOSSL_KEM_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KEM_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KEM_PARAM_FIPS_APPROVED_INDICATOR) <integer>" .PD 0 -.IP """key-check"" (\fBOSSL_KEM_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_KEM_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_KEM_PARAM_FIPS_KEY_CHECK) <integer>" .PD These parameters are described in \fBprovider\-kem\fR\|(7). diff --git a/secure/lib/libcrypto/man/man7/EVP_KEM-X25519.7 b/secure/lib/libcrypto/man/man7/EVP_KEM-X25519.7 index 0cb4e209da7d..7a0ba8a0e5fd 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KEM-X25519.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KEM-X25519.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KEM-X25519 7ossl" -.TH EVP_KEM-X25519 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KEM-X25519 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-DH.7 b/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-DH.7 index b965e24e5b35..9f7037e8c129 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-DH.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-DH.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KEYEXCH-DH 7ossl" -.TH EVP_KEYEXCH-DH 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KEYEXCH-DH 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -85,22 +88,22 @@ filled with zeros where necessary to make the shared secret the same size as the largest possible secret size. The padding mode parameter is ignored (and padding implicitly enabled) when the KDF type is set to "X942KDF\-ASN1" (\fBOSSL_KDF_NAME_X942KDF_ASN1\fR). -.IP """kdf-type"" (\fBOSSL_EXCHANGE_PARAM_KDF_TYPE\fR) <UTF8 string>" 4 +.IP """kdf\-type"" (\fBOSSL_EXCHANGE_PARAM_KDF_TYPE\fR) <UTF8 string>" 4 .IX Item """kdf-type"" (OSSL_EXCHANGE_PARAM_KDF_TYPE) <UTF8 string>" .PD 0 -.IP """kdf-digest"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST\fR) <UTF8 string>" 4 +.IP """kdf\-digest"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST\fR) <UTF8 string>" 4 .IX Item """kdf-digest"" (OSSL_EXCHANGE_PARAM_KDF_DIGEST) <UTF8 string>" -.IP """kdf-digest-props"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS\fR) <UTF8 string>" 4 +.IP """kdf\-digest\-props"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS\fR) <UTF8 string>" 4 .IX Item """kdf-digest-props"" (OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS) <UTF8 string>" -.IP """kdf-outlen"" (\fBOSSL_EXCHANGE_PARAM_KDF_OUTLEN\fR) <unsigned integer>" 4 +.IP """kdf\-outlen"" (\fBOSSL_EXCHANGE_PARAM_KDF_OUTLEN\fR) <unsigned integer>" 4 .IX Item """kdf-outlen"" (OSSL_EXCHANGE_PARAM_KDF_OUTLEN) <unsigned integer>" -.IP """kdf-ukm"" (\fBOSSL_EXCHANGE_PARAM_KDF_UKM\fR) <octet string>" 4 +.IP """kdf\-ukm"" (\fBOSSL_EXCHANGE_PARAM_KDF_UKM\fR) <octet string>" 4 .IX Item """kdf-ukm"" (OSSL_EXCHANGE_PARAM_KDF_UKM) <octet string>" -.IP """fips-indicator"" (\fBOSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR) <integer>" -.IP """key-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK) <integer>" -.IP """digest-check"" 
(\fBOSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK) <integer>" .PD See "Common Key Exchange parameters" in \fBprovider\-keyexch\fR\|(7). @@ -113,7 +116,7 @@ The examples assume a host and peer both generate keys using the same named group (or domain parameters). See "Examples" in \fBEVP_PKEY\-DH\fR\|(7). Both the host and peer transfer their public key to each other. .PP -To convert the peer's generated key pair to a public key in DER format in order +To convert the peer\*(Aqs generated key pair to a public key in DER format in order to transfer to the host: .PP .Vb 3 @@ -126,7 +129,7 @@ to transfer to the host: \& OPENSSL_free(peer_pub_der); .Ve .PP -To convert the received peer's public key from DER format on the host: +To convert the received peer\*(Aqs public key from DER format on the host: .PP .Vb 4 \& const unsigned char *pd = peer_pub_der; @@ -135,7 +138,7 @@ To convert the received peer's public key from DER format on the host: \& EVP_PKEY_free(peer_pub_key); .Ve .PP -To derive a shared secret on the host using the host's key and the peer's public +To derive a shared secret on the host using the host\*(Aqs key and the peer\*(Aqs public key: .PP .Vb 8 @@ -169,7 +172,7 @@ key: .Ve .PP Very similar code can be used by the peer to derive the same shared secret -using the host's public key and the peer's generated key pair. +using the host\*(Aqs public key and the peer\*(Aqs generated key pair. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_PKEY\-DH\fR\|(7), diff --git a/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-ECDH.7 b/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-ECDH.7 index 660e3b333945..0f9f97085203 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-ECDH.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-ECDH.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KEYEXCH-ECDH 7ossl" -.TH EVP_KEYEXCH-ECDH 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KEYEXCH-ECDH 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -67,13 +70,13 @@ EVP_KEYEXCH\-ECDH \- ECDH Key Exchange algorithm support Key exchange support for the \fBECDH\fR key type. .SS "ECDH Key Exchange parameters" .IX Subsection "ECDH Key Exchange parameters" -.IP """ecdh-cofactor-mode"" (\fBOSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE\fR) <integer>" 4 +.IP """ecdh\-cofactor\-mode"" (\fBOSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE\fR) <integer>" 4 .IX Item """ecdh-cofactor-mode"" (OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE) <integer>" Sets or gets the ECDH mode of operation for the associated key exchange ctx. .Sp -In the context of an Elliptic Curve Diffie-Hellman key exchange, this parameter -can be used to select between the plain Diffie-Hellman (DH) or Cofactor -Diffie-Hellman (CDH) variants of the key exchange algorithm. +In the context of an Elliptic Curve Diffie\-Hellman key exchange, this parameter +can be used to select between the plain Diffie\-Hellman (DH) or Cofactor +Diffie\-Hellman (CDH) variants of the key exchange algorithm. .Sp When setting, the value should be 1, 0 or \-1, respectively forcing cofactor mode on, off, or resetting it to the default for the private key associated with the 
@@ -84,38 +87,38 @@ cofactor mode is on or off. .Sp See also \fBprovider\-keymgmt\fR\|(7) for the related \&\fBOSSL_PKEY_PARAM_USE_COFACTOR_ECDH\fR parameter that can be set on a -per-key basis. -.IP """kdf-type"" (\fBOSSL_EXCHANGE_PARAM_KDF_TYPE\fR) <UTF8 string>" 4 +per\-key basis. +.IP """kdf\-type"" (\fBOSSL_EXCHANGE_PARAM_KDF_TYPE\fR) <UTF8 string>" 4 .IX Item """kdf-type"" (OSSL_EXCHANGE_PARAM_KDF_TYPE) <UTF8 string>" .PD 0 -.IP """kdf-digest"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST\fR) <UTF8 string>" 4 +.IP """kdf\-digest"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST\fR) <UTF8 string>" 4 .IX Item """kdf-digest"" (OSSL_EXCHANGE_PARAM_KDF_DIGEST) <UTF8 string>" -.IP """kdf-digest-props"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS\fR) <UTF8 string>" 4 +.IP """kdf\-digest\-props"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS\fR) <UTF8 string>" 4 .IX Item """kdf-digest-props"" (OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS) <UTF8 string>" -.IP """kdf-outlen"" (\fBOSSL_EXCHANGE_PARAM_KDF_OUTLEN\fR) <unsigned integer>" 4 +.IP """kdf\-outlen"" (\fBOSSL_EXCHANGE_PARAM_KDF_OUTLEN\fR) <unsigned integer>" 4 .IX Item """kdf-outlen"" (OSSL_EXCHANGE_PARAM_KDF_OUTLEN) <unsigned integer>" -.IP """kdf-ukm"" (\fBOSSL_EXCHANGE_PARAM_KDF_UKM\fR) <octet string>" 4 +.IP """kdf\-ukm"" (\fBOSSL_EXCHANGE_PARAM_KDF_UKM\fR) <octet string>" 4 .IX Item """kdf-ukm"" (OSSL_EXCHANGE_PARAM_KDF_UKM) <octet string>" .PD .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR) <integer>" .PD 0 -.IP """key-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK) <integer>" -.IP """digest-check"" 
(\fBOSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK) <integer>" .PD See "Common Key Exchange parameters" in \fBprovider\-keyexch\fR\|(7). -.IP """ecdh-cofactor-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_ECDH_COFACTOR_CHECK\fR) <integer>" 4 +.IP """ecdh\-cofactor\-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_ECDH_COFACTOR_CHECK\fR) <integer>" 4 .IX Item """ecdh-cofactor-check"" (OSSL_EXCHANGE_PARAM_FIPS_ECDH_COFACTOR_CHECK) <integer>" If required this parameter should before \fBOSSL_FUNC_keyexch_derive()\fR. The default value of 1 causes an error during the OSSL_FUNC_keyexch_derive if the EC curve has a cofactor that is not 1, and the cofactor is not used. Setting this to 0 will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH EXAMPLES .IX Header "EXAMPLES" @@ -127,7 +130,7 @@ Keys for the host and peer must be generated as shown in The code to generate a shared secret for the normal case is identical to "Examples" in \fBEVP_KEYEXCH\-DH\fR\|(7). .PP -To derive a shared secret on the host using the host's key and the peer's public +To derive a shared secret on the host using the host\*(Aqs key and the peer\*(Aqs public key but also using X963KDF with a user key material: .PP .Vb 10 diff --git a/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-X25519.7 b/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-X25519.7 index 15c3c18d9f40..f4e85ca65ce7 100644 --- a/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-X25519.7 +++ b/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-X25519.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_KEYEXCH-X25519 7ossl" -.TH EVP_KEYEXCH-X25519 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_KEYEXCH-X25519 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -72,7 +75,7 @@ Key exchange support for the \fBX25519\fR and \fBX448\fR key types. .IP """pad"" (\fBOSSL_EXCHANGE_PARAM_PAD\fR) <unsigned integer>" 4 .IX Item """pad"" (OSSL_EXCHANGE_PARAM_PAD) <unsigned integer>" .PD 0 -.IP """fips-indicator"" (\fBOSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR) <integer>" .PD \&\fBX25519\fR and \fBX448\fR are not FIPS approved in FIPS 140\-3. diff --git a/secure/lib/libcrypto/man/man7/EVP_MAC-BLAKE2.7 b/secure/lib/libcrypto/man/man7/EVP_MAC-BLAKE2.7 index 08b3b920d191..33506a51238c 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MAC-BLAKE2.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MAC-BLAKE2.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MAC-BLAKE2 7ossl" -.TH EVP_MAC-BLAKE2 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MAC-BLAKE2 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -81,12 +84,12 @@ properties, to be used with \fBEVP_MAC_fetch()\fR: The general description of these parameters can be found in "PARAMETERS" in \fBEVP_MAC\fR\|(3). .PP -All these parameters (except for "block-size") can be set with +All these parameters (except for "block\-size") can be set with \&\fBEVP_MAC_CTX_set_params()\fR. Furthermore, the "size" parameter can be retrieved with \&\fBEVP_MAC_CTX_get_params()\fR, or with \fBEVP_MAC_CTX_get_mac_size()\fR. The length of the "size" parameter should not exceed that of a \fBsize_t\fR. -Likewise, the "block-size" parameter can be retrieved with +Likewise, the "block\-size" parameter can be retrieved with \&\fBEVP_MAC_CTX_get_params()\fR, or with \fBEVP_MAC_CTX_get_block_size()\fR. .IP """key"" (\fBOSSL_MAC_PARAM_KEY\fR) <octet string>" 4 .IX Item """key"" (OSSL_MAC_PARAM_KEY) <octet string>" @@ -110,7 +113,7 @@ Sets the MAC size. It can be any number between 1 and 32 for EVP_MAC_BLAKE2S or between 1 and 64 for EVP_MAC_BLAKE2B. It is 32 and 64 respectively by default. -.IP """block-size"" (\fBOSSL_MAC_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4 +.IP """block\-size"" (\fBOSSL_MAC_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4 .IX Item """block-size"" (OSSL_MAC_PARAM_BLOCK_SIZE) <unsigned integer>" Gets the MAC block size. It is 64 for EVP_MAC_BLAKE2S and 128 for EVP_MAC_BLAKE2B. diff --git a/secure/lib/libcrypto/man/man7/EVP_MAC-CMAC.7 b/secure/lib/libcrypto/man/man7/EVP_MAC-CMAC.7 index 9b21397475b5..4e2923f5e6ad 100644 
--- a/secure/lib/libcrypto/man/man7/EVP_MAC-CMAC.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MAC-CMAC.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MAC-CMAC 7ossl" -.TH EVP_MAC-CMAC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MAC-CMAC 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -93,16 +96,16 @@ must be CBC. Sets the properties to be queried when trying to fetch the underlying cipher. This must be given together with the cipher naming parameter to be considered valid. -.IP """encrypt-check"" (\fBOSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK\fR) <integer>" 4 +.IP """encrypt\-check"" (\fBOSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK\fR) <integer>" 4 .IX Item """encrypt-check"" (OSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK) <integer>" This option is used by the OpenSSL FIPS provider. If required this parameter should be set before \fBEVP_MAC_init()\fR .Sp -The default value of 1 causes an error when a unapproved Triple-DES encryption +The default value of 1 causes an error when a unapproved Triple\-DES encryption operation is triggered. Setting this to 0 will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .PP The following parameters can be retrieved with 
@@ -111,17 +114,17 @@ The following parameters can be retrieved with .IX Item """size"" (OSSL_MAC_PARAM_SIZE) <unsigned integer>" The "size" parameter can also be retrieved with with \fBEVP_MAC_CTX_get_mac_size()\fR. The length of the "size" parameter is equal to that of an \fBunsigned int\fR. -.IP """block-size"" (\fBOSSL_MAC_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4 +.IP """block\-size"" (\fBOSSL_MAC_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4 .IX Item """block-size"" (OSSL_MAC_PARAM_BLOCK_SIZE) <unsigned integer>" -Gets the MAC block size. The "block-size" parameter can also be retrieved with +Gets the MAC block size. The "block\-size" parameter can also be retrieved with \&\fBEVP_MAC_CTX_get_block_size()\fR. -.IP """fips-indicator"" (\fBOSSL_CIPHER_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_CIPHER_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_CIPHER_PARAM_FIPS_APPROVED_INDICATOR) <integer>" This option is used by the OpenSSL FIPS provider. .Sp A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling \fBEVP_MAC_final()\fR. -It may return 0 if the "encrypt-check" option is set to 0. +It may return 0 if the "encrypt\-check" option is set to 0. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_MAC_CTX_get_params\fR\|(3), \fBEVP_MAC_CTX_set_params\fR\|(3), diff --git a/secure/lib/libcrypto/man/man7/EVP_MAC-GMAC.7 b/secure/lib/libcrypto/man/man7/EVP_MAC-GMAC.7 index 38f9f01f8d9b..18383d4df7a7 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MAC-GMAC.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MAC-GMAC.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MAC-GMAC 7ossl" -.TH EVP_MAC-GMAC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MAC-GMAC 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MAC-HMAC.7 b/secure/lib/libcrypto/man/man7/EVP_MAC-HMAC.7 index d4839cb779c1..e9a930fbca63 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MAC-HMAC.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MAC-HMAC.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MAC-HMAC 7ossl" -.TH EVP_MAC-HMAC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MAC-HMAC 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -92,23 +95,23 @@ Sets the name of the underlying digest to be used. Sets the properties to be queried when trying to fetch the underlying digest. This must be given together with the digest naming parameter ("digest", or \&\fBOSSL_MAC_PARAM_DIGEST\fR) to be considered valid. -.IP """digest-noinit"" (\fBOSSL_MAC_PARAM_DIGEST_NOINIT\fR) <integer>" 4 +.IP """digest\-noinit"" (\fBOSSL_MAC_PARAM_DIGEST_NOINIT\fR) <integer>" 4 .IX Item """digest-noinit"" (OSSL_MAC_PARAM_DIGEST_NOINIT) <integer>" A flag to set the MAC digest to not initialise the implementation specific data. The value 0 or 1 is expected. This option is deprecated and will be removed in a future release. It may be set but is currently ignored -.IP """digest-oneshot"" (\fBOSSL_MAC_PARAM_DIGEST_ONESHOT\fR) <integer>" 4 +.IP """digest\-oneshot"" (\fBOSSL_MAC_PARAM_DIGEST_ONESHOT\fR) <integer>" 4 .IX Item """digest-oneshot"" (OSSL_MAC_PARAM_DIGEST_ONESHOT) <integer>" -A flag to set the MAC digest to be a one-shot operation. +A flag to set the MAC digest to be a one\-shot operation. The value 0 or 1 is expected. This option is deprecated and will be removed in a future release. It may be set but is currently ignored. -.IP """tls-data-size"" (\fBOSSL_MAC_PARAM_TLS_DATA_SIZE\fR) <unsigned integer>" 4 +.IP """tls\-data\-size"" (\fBOSSL_MAC_PARAM_TLS_DATA_SIZE\fR) <unsigned integer>" 4 .IX Item """tls-data-size"" (OSSL_MAC_PARAM_TLS_DATA_SIZE) <unsigned integer>" .PD 0 -.IP """key-check"" (\fBOSSL_MAC_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_MAC_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_MAC_PARAM_FIPS_KEY_CHECK) <integer>" .PD See "Mac Parameters" in \fBprovider\-mac\fR\|(7). 
@@ -118,11 +121,11 @@ The following parameters can be retrieved with \fBEVP_MAC_CTX_get_params()\fR: .IX Item """size"" (OSSL_MAC_PARAM_SIZE) <unsigned integer>" The "size" parameter can also be retrieved with \fBEVP_MAC_CTX_get_mac_size()\fR. The length of the "size" parameter is equal to that of an \fBunsigned int\fR. -.IP """block-size"" (\fBOSSL_MAC_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4 +.IP """block\-size"" (\fBOSSL_MAC_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4 .IX Item """block-size"" (OSSL_MAC_PARAM_BLOCK_SIZE) <unsigned integer>" -Gets the MAC block size. The "block-size" parameter can also be retrieved with +Gets the MAC block size. The "block\-size" parameter can also be retrieved with \&\fBEVP_MAC_CTX_get_block_size()\fR. -.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>" See "Mac Parameters" in \fBprovider\-mac\fR\|(7). .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man7/EVP_MAC-KMAC.7 b/secure/lib/libcrypto/man/man7/EVP_MAC-KMAC.7 index 2dca95a15233..8c5bb5e734f1 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MAC-KMAC.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MAC-KMAC.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MAC-KMAC 7ossl" -.TH EVP_MAC-KMAC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MAC-KMAC 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -81,12 +84,12 @@ properties, to be used with \fBEVP_MAC_fetch()\fR: The general description of these parameters can be found in "PARAMETERS" in \fBEVP_MAC\fR\|(3). .PP -All these parameters (except for "block-size") can be set with +All these parameters (except for "block\-size") can be set with \&\fBEVP_MAC_CTX_set_params()\fR. Furthermore, the "size" parameter can be retrieved with \&\fBEVP_MAC_CTX_get_params()\fR, or with \fBEVP_MAC_CTX_get_mac_size()\fR. The length of the "size" parameter should not exceed that of a \fBsize_t\fR. -Likewise, the "block-size" parameter can be retrieved with +Likewise, the "block\-size" parameter can be retrieved with \&\fBEVP_MAC_CTX_get_params()\fR, or with \fBEVP_MAC_CTX_get_block_size()\fR. .IP """key"" (\fBOSSL_MAC_PARAM_KEY\fR) <octet string>" 4 .IX Item """key"" (OSSL_MAC_PARAM_KEY) <octet string>" @@ -102,7 +105,7 @@ empty by default. .IX Item """size"" (OSSL_MAC_PARAM_SIZE) <unsigned integer>" Sets the MAC size. By default, it is 32 for \f(CW\*(C`KMAC\-128\*(C'\fR and 64 for \f(CW\*(C`KMAC\-256\*(C'\fR. -.IP """block-size"" (\fBOSSL_MAC_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4 +.IP """block\-size"" (\fBOSSL_MAC_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4 .IX Item """block-size"" (OSSL_MAC_PARAM_BLOCK_SIZE) <unsigned integer>" Gets the MAC block size. It is 168 for \f(CW\*(C`KMAC\-128\*(C'\fR and 136 for \f(CW\*(C`KMAC\-256\*(C'\fR. 
@@ -110,19 +113,19 @@ It is 168 for \f(CW\*(C`KMAC\-128\*(C'\fR and 136 for \f(CW\*(C`KMAC\-256\*(C'\f .IX Item """xof"" (OSSL_MAC_PARAM_XOF) <integer>" The "xof" parameter value is expected to be 1 or 0. Use 1 to enable XOF mode. The default value is 0. -.IP """fips-indicator"" (\fBOSSL_MAC_PARAM_FIPS_APPROVED_INDICATOR\fR) <int>" 4 +.IP """fips\-indicator"" (\fBOSSL_MAC_PARAM_FIPS_APPROVED_INDICATOR\fR) <int>" 4 .IX Item """fips-indicator"" (OSSL_MAC_PARAM_FIPS_APPROVED_INDICATOR) <int>" This settable parameter is described in \fBprovider\-mac\fR\|(7). -.IP """no-short-mac"" (\fBOSSL_MAC_PARAM_FIPS_NO_SHORT_MAC\fR) <integer>" 4 +.IP """no\-short\-mac"" (\fBOSSL_MAC_PARAM_FIPS_NO_SHORT_MAC\fR) <integer>" 4 .IX Item """no-short-mac"" (OSSL_MAC_PARAM_FIPS_NO_SHORT_MAC) <integer>" This settable parameter is described in \fBprovider\-mac\fR\|(7). It is used by the OpenSSL FIPS provider and the minimum length output for KMAC -is defined by NIST's SP 800\-185 8.4.2. -.IP """key-check"" (\fBOSSL_MAC_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +is defined by NIST\*(Aqs SP 800\-185 8.4.2. +.IP """key\-check"" (\fBOSSL_MAC_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_MAC_PARAM_FIPS_KEY_CHECK) <integer>" This settable parameter is described in \fBprovider\-mac\fR\|(7). .PP -The "custom" and "no-short-mac" parameters must be set as part of or before +The "custom" and "no\-short\-mac" parameters must be set as part of or before the \fBEVP_MAC_init()\fR call. The "xof" and "size" parameters can be set at any time before \fBEVP_MAC_final()\fR. The "key" parameter is set as part of the \fBEVP_MAC_init()\fR call, but can be diff --git a/secure/lib/libcrypto/man/man7/EVP_MAC-Poly1305.7 b/secure/lib/libcrypto/man/man7/EVP_MAC-Poly1305.7 index e8eb0fbff32c..58cda8bbefae 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MAC-Poly1305.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MAC-Poly1305.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MAC-POLY1305 7ossl" -.TH EVP_MAC-POLY1305 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MAC-POLY1305 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MAC-Siphash.7 b/secure/lib/libcrypto/man/man7/EVP_MAC-Siphash.7 index 03c4c51426fd..efab5d0cab2e 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MAC-Siphash.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MAC-Siphash.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MAC-SIPHASH 7ossl" -.TH EVP_MAC-SIPHASH 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MAC-SIPHASH 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-BLAKE2.7 b/secure/lib/libcrypto/man/man7/EVP_MD-BLAKE2.7 index a8b50f506e10..5f3ddcccede8 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-BLAKE2.7 
+++ b/secure/lib/libcrypto/man/man7/EVP_MD-BLAKE2.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-BLAKE2 7ossl" -.TH EVP_MD-BLAKE2 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-BLAKE2 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-KECCAK.7 b/secure/lib/libcrypto/man/man7/EVP_MD-KECCAK.7 index fde9613ea92b..58464ec1c1ce 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-KECCAK.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-KECCAK.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-KECCAK 7ossl" -.TH EVP_MD-KECCAK 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-KECCAK 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-MD2.7 b/secure/lib/libcrypto/man/man7/EVP_MD-MD2.7 index 9853422b2a74..767039d819ac 100644 
--- a/secure/lib/libcrypto/man/man7/EVP_MD-MD2.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-MD2.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-MD2 7ossl" -.TH EVP_MD-MD2 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-MD2 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-MD4.7 b/secure/lib/libcrypto/man/man7/EVP_MD-MD4.7 index 6b8bb7a6f3ba..abaa6767db86 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-MD4.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-MD4.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-MD4 7ossl" -.TH EVP_MD-MD4 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-MD4 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-MD5-SHA1.7 b/secure/lib/libcrypto/man/man7/EVP_MD-MD5-SHA1.7 index dc63de91a25f..aeb05ff88f65 100644 
--- a/secure/lib/libcrypto/man/man7/EVP_MD-MD5-SHA1.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-MD5-SHA1.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-MD5-SHA1 7ossl" -.TH EVP_MD-MD5-SHA1 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-MD5-SHA1 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -66,7 +69,7 @@ EVP_MD\-MD5\-SHA1 \- The MD5\-SHA1 EVP_MD implementation .IX Header "DESCRIPTION" Support for computing MD5\-SHA1 digests through the \fBEVP_MD\fR API. .PP -MD5\-SHA1 is a rather special digest that's used with SSLv3. +MD5\-SHA1 is a rather special digest that\*(Aqs used with SSLv3. .SS Identity .IX Subsection "Identity" This implementation is only available with the default provider, and is diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-MD5.7 b/secure/lib/libcrypto/man/man7/EVP_MD-MD5.7 index e9031ceaad2c..f56c89a2ba62 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-MD5.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-MD5.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-MD5 7ossl" -.TH EVP_MD-MD5 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-MD5 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-MDC2.7 b/secure/lib/libcrypto/man/man7/EVP_MD-MDC2.7 index a36a78c9fca8..b022e0e317e2 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-MDC2.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-MDC2.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-MDC2 7ossl" -.TH EVP_MD-MDC2 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-MDC2 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -77,7 +80,7 @@ in \fBEVP_MD\-common\fR\|(7). .IX Subsection "Settable Context Parameters" This implementation supports the following \fBOSSL_PARAM\fR\|(3) entries, settable for an \fBEVP_MD_CTX\fR with \fBEVP_MD_CTX_set_params\fR\|(3): -.IP """pad-type"" (\fBOSSL_DIGEST_PARAM_PAD_TYPE\fR) <unsigned integer>" 4 +.IP """pad\-type"" (\fBOSSL_DIGEST_PARAM_PAD_TYPE\fR) <unsigned integer>" 4 .IX Item """pad-type"" (OSSL_DIGEST_PARAM_PAD_TYPE) <unsigned integer>" Sets the padding type to be used. Normally the final MDC2 block is padded with zeros. diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-NULL.7 b/secure/lib/libcrypto/man/man7/EVP_MD-NULL.7 index 5cc0892c88e4..abbebad4ebab 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-NULL.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-NULL.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-NULL 7ossl" -.TH EVP_MD-NULL 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-NULL 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-RIPEMD160.7 b/secure/lib/libcrypto/man/man7/EVP_MD-RIPEMD160.7 index c8157af2e42d..131e1de102f2 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-RIPEMD160.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-RIPEMD160.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-RIPEMD160 7ossl" -.TH EVP_MD-RIPEMD160 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-RIPEMD160 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-SHA1.7 b/secure/lib/libcrypto/man/man7/EVP_MD-SHA1.7 index 54470345abe6..1030a357f90b 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-SHA1.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-SHA1.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-SHA1 7ossl" -.TH EVP_MD-SHA1 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-SHA1 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-SHA2.7 b/secure/lib/libcrypto/man/man7/EVP_MD-SHA2.7 index e42cf8d2a40c..c4e6219549f4 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-SHA2.7 
+++ b/secure/lib/libcrypto/man/man7/EVP_MD-SHA2.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-SHA2 7ossl" -.TH EVP_MD-SHA2 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-SHA2 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-SHA3.7 b/secure/lib/libcrypto/man/man7/EVP_MD-SHA3.7 index cfa809d5f380..52c3986732dc 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-SHA3.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-SHA3.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-SHA3 7ossl" -.TH EVP_MD-SHA3 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-SHA3 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-SHAKE.7 b/secure/lib/libcrypto/man/man7/EVP_MD-SHAKE.7 index b5b3bbc465d7..bd5d6886fb41 100644 
--- a/secure/lib/libcrypto/man/man7/EVP_MD-SHAKE.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-SHAKE.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-SHAKE 7ossl" -.TH EVP_MD-SHAKE 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-SHAKE 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -65,10 +68,10 @@ EVP_MD\-SHAKE, EVP_MD\-KECCAK\-KMAC \&\- The SHAKE / KECCAK family EVP_MD implementations .SH DESCRIPTION .IX Header "DESCRIPTION" -Support for computing SHAKE or KECCAK-KMAC digests through the +Support for computing SHAKE or KECCAK\-KMAC digests through the \&\fBEVP_MD\fR API. .PP -KECCAK-KMAC is an Extendable Output Function (XOF), with a definition +KECCAK\-KMAC is an Extendable Output Function (XOF), with a definition similar to SHAKE, used by the KMAC EVP_MAC implementation (see \&\fBEVP_MAC\-KMAC\fR\|(7)). .SS Identities diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-SM3.7 b/secure/lib/libcrypto/man/man7/EVP_MD-SM3.7 index fee09c3e8c7f..5ab91a1fa445 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-SM3.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-SM3.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-SM3 7ossl" -.TH EVP_MD-SM3 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-SM3 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-WHIRLPOOL.7 b/secure/lib/libcrypto/man/man7/EVP_MD-WHIRLPOOL.7 index 8cf939c6ac94..9c56dec708c2 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-WHIRLPOOL.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-WHIRLPOOL.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-WHIRLPOOL 7ossl" -.TH EVP_MD-WHIRLPOOL 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-WHIRLPOOL 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-common.7 b/secure/lib/libcrypto/man/man7/EVP_MD-common.7 index fa6c0970b233..70200b501ddc 100644 --- a/secure/lib/libcrypto/man/man7/EVP_MD-common.7 +++ b/secure/lib/libcrypto/man/man7/EVP_MD-common.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_MD-COMMON 7ossl" -.TH EVP_MD-COMMON 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_MD-COMMON 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-DH.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-DH.7 index 90555420683b..d86b089e0a8c 100644 --- a/secure/lib/libcrypto/man/man7/EVP_PKEY-DH.7 +++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-DH.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY-DH 7ossl" -.TH EVP_PKEY-DH 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY-DH 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -65,12 +68,12 @@ EVP_PKEY\-DH, EVP_PKEY\-DHX, EVP_KEYMGMT\-DH, EVP_KEYMGMT\-DHX \&\- EVP_PKEY DH and DHX keytype and algorithm support .SH DESCRIPTION .IX Header "DESCRIPTION" -For finite field Diffie-Hellman key agreement, two classes of domain +For finite field Diffie\-Hellman key agreement, two classes of domain parameters can be used: "safe" domain parameters that are associated with -approved named safe-prime groups, and a class of "FIPS186\-type" domain +approved named safe\-prime groups, and a class of "FIPS186\-type" domain parameters. FIPS186\-type domain parameters should only be used for backward compatibility with existing applications that cannot be upgraded to use the -approved safe-prime groups. +approved safe\-prime groups. .PP See \fBEVP_PKEY\-FFC\fR\|(7) for more information about FFC keys. .PP @@ -90,11 +93,11 @@ implementations support the following: Sets or gets a string that associates a \fBDH\fR or \fBDHX\fR named safe prime group with known values for \fIp\fR, \fIq\fR and \fIg\fR. .Sp -The following values can be used by the OpenSSL's default and FIPS providers: +The following values can be used by the OpenSSL\*(Aqs default and FIPS providers: "ffdhe2048", "ffdhe3072", "ffdhe4096", "ffdhe6144", "ffdhe8192", "modp_2048", "modp_3072", "modp_4096", "modp_6144", "modp_8192". .Sp -The following additional values can also be used by OpenSSL's default provider: +The following additional values can also be used by OpenSSL\*(Aqs default provider: "modp_1536", "dh_1024_160", "dh_2048_224", "dh_2048_256". .Sp DH/DHX named groups can be easily validated since the parameters are well known. 
@@ -102,14 +105,14 @@ For protocols that only transfer \fIp\fR and \fIg\fR the value of \fIq\fR can al retrieved. .SS "DH and DHX additional parameters" .IX Subsection "DH and DHX additional parameters" -.IP """encoded-pub-key"" (\fBOSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\fR) <octet string>" 4 +.IP """encoded\-pub\-key"" (\fBOSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\fR) <octet string>" 4 .IX Item """encoded-pub-key"" (OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY) <octet string>" Used for getting and setting the encoding of the DH public key used in a key exchange message for the TLS protocol. See \fBEVP_PKEY_set1_encoded_public_key()\fR and \fBEVP_PKEY_get1_encoded_public_key()\fR. .SS "DH additional domain parameters" .IX Subsection "DH additional domain parameters" -.IP """safeprime-generator"" (\fBOSSL_PKEY_PARAM_DH_GENERATOR\fR) <integer>" 4 +.IP """safeprime\-generator"" (\fBOSSL_PKEY_PARAM_DH_GENERATOR\fR) <integer>" 4 .IX Item """safeprime-generator"" (OSSL_PKEY_PARAM_DH_GENERATOR) <integer>" Used for DH generation of safe primes using the old safe prime generator code. The default value is 2. @@ -143,14 +146,14 @@ This specifies that a named safe prime name will be chosen using the "pbits" type. .IP """generator""" 4 .IX Item """generator""" -A safe prime generator. See the "safeprime-generator" type above. +A safe prime generator. See the "safeprime\-generator" type above. This is only valid for \fBDH\fR keys. .RE .RS 4 .RE .IP """pbits"" (\fBOSSL_PKEY_PARAM_FFC_PBITS\fR) <unsigned integer>" 4 .IX Item """pbits"" (OSSL_PKEY_PARAM_FFC_PBITS) <unsigned integer>" -Sets the size (in bits) of the prime 'p'. +Sets the size (in bits) of the prime \*(Aqp\*(Aq. .Sp For "fips186_4" this must be 2048. For "fips186_2" this must be 1024. 
@@ -177,7 +180,7 @@ With the OpenSSL FIPS provider, \fBEVP_PKEY_param_check\fR\|(3) and \&\fBEVP_PKEY_param_check_quick\fR\|(3) behave in the following way: the parameters are tested if they are either an approved safe prime group OR that the FFC parameters conform to FIPS186\-4 as defined in SP800\-56Ar3 \fIAssurances of -Domain-Parameter Validity\fR. +Domain\-Parameter Validity\fR. .PP The OpenSSL default provider uses simpler checks that allows there to be no \fIq\fR value for backwards compatibility, however the \fBEVP_PKEY_param_check\fR\|(3) will @@ -186,10 +189,10 @@ which can take significant time. The \fBEVP_PKEY_param_check_quick\fR\|(3) avoid the prime tests. .PP \&\fBEVP_PKEY_public_check\fR\|(3) conforms to SP800\-56Ar3 -\&\fIFFC Full Public-Key Validation\fR. +\&\fIFFC Full Public\-Key Validation\fR. .PP \&\fBEVP_PKEY_public_check_quick\fR\|(3) conforms to SP800\-56Ar3 -\&\fIFFC Partial Public-Key Validation\fR when the key is an approved named safe +\&\fIFFC Partial Public\-Key Validation\fR when the key is an approved named safe prime group, otherwise it is the same as \fBEVP_PKEY_public_check\fR\|(3). .PP \&\fBEVP_PKEY_private_check\fR\|(3) tests that the private key is in the correct range @@ -199,7 +202,7 @@ For backwards compatibility the OpenSSL default provider only requires \fIp\fR t be set. .PP \&\fBEVP_PKEY_pairwise_check\fR\|(3) conforms to SP800\-56Ar3 -\&\fIOwner Assurance of Pair-wise Consistency\fR. +\&\fIOwner Assurance of Pair\-wise Consistency\fR. .SH EXAMPLES .IX Header "EXAMPLES" An \fBEVP_PKEY\fR context can be obtained by calling: @@ -337,7 +340,7 @@ The following sections of SP800\-56Ar3: .IP "5.5.1.1 FFC Domain Parameter Selection/Generation" 4 .IX Item "5.5.1.1 FFC Domain Parameter Selection/Generation" .PD 0 -.IP "Appendix D: FFC Safe-prime Groups" 4 +.IP "Appendix D: FFC Safe\-prime Groups" 4 .IX Item "Appendix D: FFC Safe-prime Groups" .PD .PP 
diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-DSA.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-DSA.7 index a000dc5703f5..6f955bc51a44 100644 --- a/secure/lib/libcrypto/man/man7/EVP_PKEY-DSA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-DSA.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY-DSA 7ossl" -.TH EVP_PKEY-DSA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY-DSA 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -79,10 +82,10 @@ The \fBDSA\fR key type supports the FFC parameters (see "FFC parameters" in \fBEVP_PKEY\-FFC\fR\|(7)). .PP It also supports the following parameters: -.IP """sign-check"" (\fBOSSL_PKEY_PARAM_FIPS_SIGN_CHECK\fR) <integer" 4 +.IP """sign\-check"" (\fBOSSL_PKEY_PARAM_FIPS_SIGN_CHECK\fR) <integer" 4 .IX Item """sign-check"" (OSSL_PKEY_PARAM_FIPS_SIGN_CHECK) <integer" .PD 0 -.IP """fips-indicator"" (\fBOSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR) <integer>" .PD See "Common Information Parameters" in \fBprovider\-keymgmt\fR\|(7) for more information. diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-EC.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-EC.7 index b838ea84b660..c5d3f1a076f4 100644 --- a/secure/lib/libcrypto/man/man7/EVP_PKEY-EC.7 +++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-EC.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY-EC 7ossl" -.TH EVP_PKEY-EC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY-EC 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -66,24 +69,24 @@ EVP_KEYMGMT\-EC \&\- EVP_PKEY EC keytype and algorithm support .SH DESCRIPTION .IX Header "DESCRIPTION" -The \fBEC\fR keytype is implemented in OpenSSL's default provider. +The \fBEC\fR keytype is implemented in OpenSSL\*(Aqs default provider. .SS "Common EC parameters" .IX Subsection "Common EC parameters" The normal way of specifying domain parameters for an EC curve is via the curve name "group". For curves with no curve name, explicit parameters can be -used that specify "field-type", "p", "a", "b", "generator" and "order". +used that specify "field\-type", "p", "a", "b", "generator" and "order". Explicit parameters are supported for backwards compatibility reasons, but they are not compliant with multiple standards (including RFC5915) which only allow named curves. .PP The following Key generation/Gettable/Import/Export types are available for the -built-in EC algorithm: +built\-in EC algorithm: .IP """group"" (\fBOSSL_PKEY_PARAM_GROUP_NAME\fR) <UTF8 string>" 4 .IX Item """group"" (OSSL_PKEY_PARAM_GROUP_NAME) <UTF8 string>" The curve name. -.IP """field-type"" (\fBOSSL_PKEY_PARAM_EC_FIELD_TYPE\fR) <UTF8 string>" 4 +.IP """field\-type"" (\fBOSSL_PKEY_PARAM_EC_FIELD_TYPE\fR) <UTF8 string>" 4 .IX Item """field-type"" (OSSL_PKEY_PARAM_EC_FIELD_TYPE) <UTF8 string>" -The value should be either "prime-field" or "characteristic-two-field", +The value should be either "prime\-field" or "characteristic\-two\-field", which correspond to prime field Fp and binary field F2^m. .IP """p"" (\fBOSSL_PKEY_PARAM_EC_P\fR) <unsigned integer>" 4 .IX Item """p"" (OSSL_PKEY_PARAM_EC_P) <unsigned integer>" 
@@ -121,37 +124,37 @@ Integers used for point multiplications will be between 0 and \&\fIorder\fR \- 1. \&\fIcofactor\fR is an optional value. \&\fIorder\fR multiplied by the \fIcofactor\fR gives the number of points on the curve. -.IP """decoded-from-explicit"" (\fBOSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS\fR) <integer>" 4 +.IP """decoded\-from\-explicit"" (\fBOSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS\fR) <integer>" 4 .IX Item """decoded-from-explicit"" (OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS) <integer>" Gets a flag indicating whether the key or parameters were decoded from explicit curve parameters. Set to 1 if so or 0 if a named curve was used. -.IP """use-cofactor-flag"" (\fBOSSL_PKEY_PARAM_USE_COFACTOR_ECDH\fR) <integer>" 4 +.IP """use\-cofactor\-flag"" (\fBOSSL_PKEY_PARAM_USE_COFACTOR_ECDH\fR) <integer>" 4 .IX Item """use-cofactor-flag"" (OSSL_PKEY_PARAM_USE_COFACTOR_ECDH) <integer>" Enable Cofactor DH (ECC CDH) if this value is 1, otherwise it uses normal EC DH if the value is zero. The cofactor variant multiplies the shared secret by the -EC curve's cofactor (note for some curves the cofactor is 1). +EC curve\*(Aqs cofactor (note for some curves the cofactor is 1). .Sp See also \fBEVP_KEYEXCH\-ECDH\fR\|(7) for the related \&\fBOSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE\fR parameter that can be set on a -per-operation basis. +per\-operation basis. .IP """encoding"" (\fBOSSL_PKEY_PARAM_EC_ENCODING\fR) <UTF8 string>" 4 .IX Item """encoding"" (OSSL_PKEY_PARAM_EC_ENCODING) <UTF8 string>" Set the format used for serializing the EC group parameters. Valid values are "explicit" or "named_curve". The default value is "named_curve". 
-.IP """point-format"" (\fBOSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT\fR) <UTF8 string>" 4 +.IP """point\-format"" (\fBOSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT\fR) <UTF8 string>" 4 .IX Item """point-format"" (OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT) <UTF8 string>" Sets or gets the point_conversion_form for the \fIkey\fR. For a description of point_conversion_forms please see \fBEC_POINT_new\fR\|(3). Valid values are "uncompressed" or "compressed". The default value is "uncompressed". -.IP """group-check"" (\fBOSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE\fR) <UTF8 string>" 4 +.IP """group\-check"" (\fBOSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE\fR) <UTF8 string>" 4 .IX Item """group-check"" (OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE) <UTF8 string>" Sets or Gets the type of group check done when \fBEVP_PKEY_param_check()\fR is called. -Valid values are "default", "named" and "named-nist". +Valid values are "default", "named" and "named\-nist". The "named" type checks that the domain parameters match the inbuilt curve parameters, -"named-nist" is similar but also checks that the named curve is a nist curve. +"named\-nist" is similar but also checks that the named curve is a nist curve. The "default" type does domain parameter validation for the OpenSSL default provider, -but is equivalent to "named-nist" for the OpenSSL FIPS provider. -.IP """include-public"" (\fBOSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC\fR) <integer>" 4 +but is equivalent to "named\-nist" for the OpenSSL FIPS provider. +.IP """include\-public"" (\fBOSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC\fR) <integer>" 4 .IX Item """include-public"" (OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC) <integer>" Setting this value to 0 indicates that the public key should not be included when encoding the private key. The default value of 1 will include the public key. 
@@ -173,7 +176,7 @@ to uncompressed format. .IP """priv"" (\fBOSSL_PKEY_PARAM_PRIV_KEY\fR) <unsigned integer>" 4 .IX Item """priv"" (OSSL_PKEY_PARAM_PRIV_KEY) <unsigned integer>" The private key value. -.IP """encoded-pub-key"" (\fBOSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\fR) <octet string>" 4 +.IP """encoded\-pub\-key"" (\fBOSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\fR) <octet string>" 4 .IX Item """encoded-pub-key"" (OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY) <octet string>" Used for getting and setting the encoding of an EC public key. The public key is expected to be a point conforming to Sec. 2.3.4 of the SECG SEC 1 ("Elliptic @@ -184,11 +187,11 @@ Used for getting the EC public key X component. .IP """qy"" (\fBOSSL_PKEY_PARAM_EC_PUB_Y\fR) <unsigned integer>" 4 .IX Item """qy"" (OSSL_PKEY_PARAM_EC_PUB_Y) <unsigned integer>" Used for getting the EC public key Y component. -.IP """default-digest"" (\fBOSSL_PKEY_PARAM_DEFAULT_DIGEST\fR) <UTF8 string>" 4 +.IP """default\-digest"" (\fBOSSL_PKEY_PARAM_DEFAULT_DIGEST\fR) <UTF8 string>" 4 .IX Item """default-digest"" (OSSL_PKEY_PARAM_DEFAULT_DIGEST) <UTF8 string>" Getter that returns the default digest name. (Currently returns "SHA256" as of OpenSSL 3.0). -.IP """dhkem-ikm"" (\fBOSSL_PKEY_PARAM_DHKEM_IKM\fR) <octet string>" 4 +.IP """dhkem\-ikm"" (\fBOSSL_PKEY_PARAM_DHKEM_IKM\fR) <octet string>" 4 .IX Item """dhkem-ikm"" (OSSL_PKEY_PARAM_DHKEM_IKM) <octet string>" DHKEM requires the generation of a keypair using an input key material (seed). Use this to specify the key material used for generation of the private key. 
@@ -196,8 +199,8 @@ This value should not be reused for other purposes. It can only be used for the curves "P\-256", "P\-384" and "P\-521" and should have a length of at least the size of the encoded private key (i.e. 32, 48 and 66 for the listed curves). .PP -The following Gettable types are also available for the built-in EC algorithm: -.IP """basis-type"" (\fBOSSL_PKEY_PARAM_EC_CHAR2_TYPE\fR) <UTF8 string>" 4 +The following Gettable types are also available for the built\-in EC algorithm: +.IP """basis\-type"" (\fBOSSL_PKEY_PARAM_EC_CHAR2_TYPE\fR) <UTF8 string>" 4 .IX Item """basis-type"" (OSSL_PKEY_PARAM_EC_CHAR2_TYPE) <UTF8 string>" Supports the values "tpBasis" for a trinomial or "ppBasis" for a pentanomial. This field is only used for a binary field F2^m. @@ -223,14 +226,14 @@ range m > tp > 0. that m > k3 > k2 > k1 > 0 .PP The following key generation settable parameter is also available for the -OpenSSL FIPS provider's EC algorithm: -.IP """key-check"" (\fBOSSL_PKEY_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +OpenSSL FIPS provider\*(Aqs EC algorithm: +.IP """key\-check"" (\fBOSSL_PKEY_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_PKEY_PARAM_FIPS_KEY_CHECK) <integer>" See "Common Information Parameters" in \fBprovider\-keymgmt\fR\|(7) for further information. .PP The following key generation Gettable parameter is available for the OpenSSL -FIPS provider's EC algorithm: -.IP """fips-indicator"" (\fBOSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +FIPS provider\*(Aqs EC algorithm: +.IP """fips\-indicator"" (\fBOSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR) <integer>" See "Common Information Parameters" in \fBprovider\-keymgmt\fR\|(7) for further information. .SS "EC key validation" 
@@ -240,18 +243,18 @@ For the OpenSSL default provider it uses either \&\fBEC_GROUP_check\fR\|(3) or \fBEC_GROUP_check_named_curve\fR\|(3) depending on the flag EC_FLAG_CHECK_NAMED_GROUP. The OpenSSL FIPS provider uses \fBEC_GROUP_check_named_curve\fR\|(3) in order to -conform to SP800\-56Ar3 \fIAssurances of Domain-Parameter Validity\fR. +conform to SP800\-56Ar3 \fIAssurances of Domain\-Parameter Validity\fR. .PP For EC keys, \fBEVP_PKEY_param_check_quick\fR\|(3) is equivalent to \&\fBEVP_PKEY_param_check\fR\|(3). .PP For EC keys, \fBEVP_PKEY_public_check\fR\|(3) and \fBEVP_PKEY_public_check_quick\fR\|(3) -conform to SP800\-56Ar3 \fIECC Full Public-Key Validation\fR and -\&\fIECC Partial Public-Key Validation\fR respectively. +conform to SP800\-56Ar3 \fIECC Full Public\-Key Validation\fR and +\&\fIECC Partial Public\-Key Validation\fR respectively. .PP For EC Keys, \fBEVP_PKEY_private_check\fR\|(3) and \fBEVP_PKEY_pairwise_check\fR\|(3) conform to SP800\-56Ar3 \fIPrivate key validity\fR and -\&\fIOwner Assurance of Pair-wise Consistency\fR respectively. +\&\fIOwner Assurance of Pair\-wise Consistency\fR respectively. .SH EXAMPLES .IX Header "EXAMPLES" An \fBEVP_PKEY\fR context can be obtained by calling: @@ -291,7 +294,7 @@ or like this: \& EVP_PKEY_CTX_free(gctx); .Ve .PP -An \fBEVP_PKEY\fR EC CDH (Cofactor Diffie-Hellman) key can be generated with a +An \fBEVP_PKEY\fR EC CDH (Cofactor Diffie\-Hellman) key can be generated with a "K\-571" named group by calling: .PP .Vb 5 diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-FFC.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-FFC.7 index 4fc71c49a970..e8b390b11a8b 100644 --- a/secure/lib/libcrypto/man/man7/EVP_PKEY-FFC.7 +++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-FFC.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY-FFC 7ossl" -.TH EVP_PKEY-FFC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY-FFC 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -66,10 +69,10 @@ EVP_PKEY\-FFC \- EVP_PKEY DSA and DH/DHX shared FFC parameters. .IX Header "DESCRIPTION" Finite field cryptography (FFC) is a method of implementing discrete logarithm cryptography using finite field mathematics. DSA is an example of FFC and -Diffie-Hellman key establishment algorithms specified in SP800\-56A can also be +Diffie\-Hellman key establishment algorithms specified in SP800\-56A can also be implemented as FFC. .PP -The \fBDSA\fR, \fBDH\fR and \fBDHX\fR keytypes are implemented in OpenSSL's default and +The \fBDSA\fR, \fBDH\fR and \fBDHX\fR keytypes are implemented in OpenSSL\*(Aqs default and FIPS providers. The implementations support the basic DSA, DH and DHX keys, containing the public and private keys \fIpub\fR and \fIpriv\fR as well as the three main domain parameters 
@@ -84,8 +87,8 @@ For \fBDH\fR the \fIseed\fR and \fIpcounter\fR can be stored in ASN1 data (but the \fIgindex\fR is not). For \fBDSA\fR however, these fields are not stored in the ASN1 data so they need to be stored externally if validation is required. .PP -The \fBDH\fR key type uses PKCS#3 format which saves p and g, but not the 'q' value. -The \fBDHX\fR key type uses X9.42 format which saves the value of 'q' and this +The \fBDH\fR key type uses PKCS#3 format which saves p and g, but not the \*(Aqq\*(Aq value. +The \fBDHX\fR key type uses X9.42 format which saves the value of \*(Aqq\*(Aq and this must be used for FIPS186\-4. .SS "FFC parameters" .IX Subsection "FFC parameters" @@ -102,15 +105,15 @@ The private key value. .IX Subsection "FFC DSA, DH and DHX domain parameters" .IP """p"" (\fBOSSL_PKEY_PARAM_FFC_P\fR) <unsigned integer>" 4 .IX Item """p"" (OSSL_PKEY_PARAM_FFC_P) <unsigned integer>" -A DSA or Diffie-Hellman prime "p" value. +A DSA or Diffie\-Hellman prime "p" value. .IP """g"" (\fBOSSL_PKEY_PARAM_FFC_G\fR) <unsigned integer>" 4 .IX Item """g"" (OSSL_PKEY_PARAM_FFC_G) <unsigned integer>" -A DSA or Diffie-Hellman generator "g" value. +A DSA or Diffie\-Hellman generator "g" value. .SS "FFC DSA and DHX domain parameters" .IX Subsection "FFC DSA and DHX domain parameters" .IP """q"" (\fBOSSL_PKEY_PARAM_FFC_Q\fR) <unsigned integer>" 4 .IX Item """q"" (OSSL_PKEY_PARAM_FFC_Q) <unsigned integer>" -A DSA or Diffie-Hellman prime "q" value. +A DSA or Diffie\-Hellman prime "q" value. .IP """seed"" (\fBOSSL_PKEY_PARAM_FFC_SEED\fR) <octet string>" 4 .IX Item """seed"" (OSSL_PKEY_PARAM_FFC_SEED) <octet string>" An optional domain parameter \fIseed\fR value used during generation and validation 
@@ -136,18 +139,18 @@ satisfies g = h^j mod p (where g != 1 and "j" is the cofactor). .IP """j"" (\fBOSSL_PKEY_PARAM_FFC_COFACTOR\fR) <unsigned integer>" 4 .IX Item """j"" (OSSL_PKEY_PARAM_FFC_COFACTOR) <unsigned integer>" An optional informational cofactor parameter that should equal to (p \- 1) / q. -.IP """validate-pq"" (\fBOSSL_PKEY_PARAM_FFC_VALIDATE_PQ\fR) <unsigned integer>" 4 +.IP """validate\-pq"" (\fBOSSL_PKEY_PARAM_FFC_VALIDATE_PQ\fR) <unsigned integer>" 4 .IX Item """validate-pq"" (OSSL_PKEY_PARAM_FFC_VALIDATE_PQ) <unsigned integer>" .PD 0 -.IP """validate-g"" (\fBOSSL_PKEY_PARAM_FFC_VALIDATE_G\fR) <unsigned integer>" 4 +.IP """validate\-g"" (\fBOSSL_PKEY_PARAM_FFC_VALIDATE_G\fR) <unsigned integer>" 4 .IX Item """validate-g"" (OSSL_PKEY_PARAM_FFC_VALIDATE_G) <unsigned integer>" .PD These boolean values are used during FIPS186\-4 or FIPS186\-2 key validation checks (See \fBEVP_PKEY_param_check\fR\|(3)) to select validation options. By default -\&\fIvalidate-pq\fR and \fIvalidate-g\fR are both set to 1 to check that p,q and g are +\&\fIvalidate\-pq\fR and \fIvalidate\-g\fR are both set to 1 to check that p,q and g are valid. Either of these may be set to 0 to skip a test, which is mainly useful for testing purposes. -.IP """validate-legacy"" (\fBOSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY\fR) <unsigned integer>" 4 +.IP """validate\-legacy"" (\fBOSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY\fR) <unsigned integer>" 4 .IX Item """validate-legacy"" (OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY) <unsigned integer>" This boolean value is used during key validation checks (See \fBEVP_PKEY_param_check\fR\|(3)) to select the validation type. The default 
@@ -175,10 +178,10 @@ parameters set for parameter generation. .RE .IP """pbits"" (\fBOSSL_PKEY_PARAM_FFC_PBITS\fR) <unsigned integer>" 4 .IX Item """pbits"" (OSSL_PKEY_PARAM_FFC_PBITS) <unsigned integer>" -Sets the size (in bits) of the prime 'p'. +Sets the size (in bits) of the prime \*(Aqp\*(Aq. .IP """qbits"" (\fBOSSL_PKEY_PARAM_FFC_QBITS\fR) <unsigned integer>" 4 .IX Item """qbits"" (OSSL_PKEY_PARAM_FFC_QBITS) <unsigned integer>" -Sets the size (in bits) of the prime 'q'. +Sets the size (in bits) of the prime \*(Aqq\*(Aq. .Sp For "fips186_4" this can be either 224 or 256. For "fips186_2" this has a size of 160. diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-HMAC.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-HMAC.7 index ff85046b6364..2eb4ada4ab24 100644 --- a/secure/lib/libcrypto/man/man7/EVP_PKEY-HMAC.7 +++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-HMAC.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY-HMAC 7ossl" -.TH EVP_PKEY-HMAC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY-HMAC 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -66,7 +69,7 @@ EVP_PKEY\-Poly1305, EVP_KEYMGMT\-Poly1305, EVP_PKEY\-CMAC, EVP_KEYMGMT\-CMAC \&\- EVP_PKEY legacy MAC keytypes and algorithm support .SH DESCRIPTION .IX Header "DESCRIPTION" -The \fBHMAC\fR and \fBCMAC\fR key types are implemented in OpenSSL's default and FIPS +The \fBHMAC\fR and \fBCMAC\fR key types are implemented in OpenSSL\*(Aqs default and FIPS providers. Additionally the \fBSiphash\fR and \fBPoly1305\fR key types are implemented in the default provider. Performing MAC operations via an EVP_PKEY is considered legacy and are only available for backwards compatibility purposes diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-ML-DSA.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-ML-DSA.7 index 998eed41a047..e723fff2a823 100644 --- a/secure/lib/libcrypto/man/man7/EVP_PKEY-ML-DSA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-ML-DSA.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY-ML-DSA 7ossl" -.TH EVP_PKEY-ML-DSA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY-ML-DSA 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -66,16 +69,16 @@ EVP_PKEY\-ML\-DSA\-44, EVP_PKEY\-ML\-DSA\-65, EVP_PKEY\-ML\-DSA\-87 \&\- EVP_PKEY ML\-DSA keytype and algorithm support .SH DESCRIPTION .IX Header "DESCRIPTION" -ML-DSA implements the algorithms \fBML\-DSA\-44\fR, \fBML\-DSA\-65\fR and \fBML\-DSA\-87\fR. +ML\-DSA implements the algorithms \fBML\-DSA\-44\fR, \fBML\-DSA\-65\fR and \fBML\-DSA\-87\fR. The key types \fBEVP_PKEY_ML_DSA_44\fR, \fBEVP_PKEY_ML_DSA_65\fR and -\&\fBEVP_PKEY_ML_DSA_87\fR are implemented in OpenSSL's default and FIPS providers. +\&\fBEVP_PKEY_ML_DSA_87\fR are implemented in OpenSSL\*(Aqs default and FIPS providers. These implementations support the associated key, containing the public key \fIpub\fR and the private key \fIpriv\fR. .PP Each of the different key types has an associated security category. This value is one of 2, 3 or 5 for key types \fBML\-DSA\-44\fR, \fBML\-DSA\-65\fR and \fBML\-DSA\-87\fR respectively, which correspond to security strengths of -128, 192 and 256 repsectively. +128, 192 and 256 respectively. .SS "Keygen Parameters" .IX Subsection "Keygen Parameters" .IP """seed"" (\fBOSSL_PKEY_PARAM_ML_DSA_SEED\fR) <octet string>" 4 @@ -99,10 +102,10 @@ key files will contain only the private key in FIPS 204 \f(CW\*(C`sk\*(C'\fR for .IP """properties"" (\fBOSSL_PKEY_PARAM_PROPERTIES\fR) <UTF8 string>" 4 .IX Item """properties"" (OSSL_PKEY_PARAM_PROPERTIES) <UTF8 string>" Sets properties to be used when fetching algorithm implementations used for -ML-DSA hashing operations. +ML\-DSA hashing operations. .PP Use \fBEVP_PKEY_CTX_set_params\fR\|(3) after calling \fBEVP_PKEY_keygen_init\fR\|(3). -.SS "Common ML-DSA parameters" +.SS "Common ML\-DSA parameters" .IX Subsection "Common ML-DSA parameters" In addition to the common parameters that all keytypes should support (see "Common Information Parameters" in \fBprovider\-keymgmt\fR\|(7), the implementation of 
@@ -151,10 +154,10 @@ used instead. List of enabled private key input formats when parsing PKCS#8 objects. List elements are separated by commas, spaces or tabs. The list of enabled formats can be specified in the configuration file, as seen -in the "EXAMPLES" section below, or the via the \fB\-provparam\fR command-line +in the "EXAMPLES" section below, or the via the \fB\-provparam\fR command\-line option (see also \fBOSSL_PROVIDER_add_conf_parameter\fR\|(3)). .Sp -Values specified on the command-line override any configuration file settings. +Values specified on the command\-line override any configuration file settings. By default all the supported formats are enabled. The supported formats are: .RS 4 @@ -222,7 +225,7 @@ recognised on input. Ordered list of enabled private key output formats when writing \fBPKCS#8\fR files. List elements are separated by commas, spaces or tabs. The list of enabled formats can be specified in the configuration file, as seen -in the "EXAMPLES" section below, or the via the \fB\-provparam\fR command-line +in the "EXAMPLES" section below, or the via the \fB\-provparam\fR command\-line option. .Sp This supports the same set of formats as described under \f(CW\*(C`ml\-dsa.input_formats\*(C'\fR @@ -274,7 +277,7 @@ The key pair components can be extracted from a key by calling: \& pub, sizeof(pub), &pub_len)); .Ve .PP -An \fBML-DSA\fR private key in seed format can be converted to a key in the FIPS +An \fBML\-DSA\fR private key in seed format can be converted to a key in the FIPS 204 \fBsk\fR format by running: .PP .Vb 2 diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-ML-KEM.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-ML-KEM.7 index bb3e59e82f7f..dec22862aad5 100644 --- a/secure/lib/libcrypto/man/man7/EVP_PKEY-ML-KEM.7 +++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-ML-KEM.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY-ML-KEM 7ossl" -.TH EVP_PKEY-ML-KEM 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY-ML-KEM 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -73,7 +76,7 @@ EVP_KEYMGMT\-ML\-KEM\-1024 .SH DESCRIPTION .IX Header "DESCRIPTION" The \fBML\-KEM\-512\fR, \fBML\-KEM\-768\fR, and \fBML\-KEM\-1024\fR keytypes are implemented -in OpenSSL's default and FIPS providers. +in OpenSSL\*(Aqs default and FIPS providers. .SS "Keygen Parameters" .IX Subsection "Keygen Parameters" No mandatory parameters are required for generating a key pair. @@ -81,9 +84,9 @@ To set explicit parameters, use \fBEVP_PKEY_CTX_set_params()\fR after calling \&\fBEVP_PKEY_keygen_init()\fR. .IP """seed"" (\fBOSSL_PKEY_PARAM_ML_KEM_SEED\fR) <octet string>" 4 .IX Item """seed"" (OSSL_PKEY_PARAM_ML_KEM_SEED) <octet string>" -Internally, ML-KEM generates keys using a 64\-byte random value (seed), which is +Internally, ML\-KEM generates keys using a 64\-byte random value (seed), which is the concatenation of the 32\-byte \fId\fR and \fIz\fR parameters described in FIPS 203. -This optional parameter can be used to set a pre-determined seed prior to +This optional parameter can be used to set a pre\-determined seed prior to keypair generation. .Sp Generated keys default to retaining the seed used. 
@@ -100,13 +103,13 @@ key files will contain only the private key in FIPS 203 \f(CW\*(C`dk\*(C'\fR for .IP """properties"" (\fBOSSL_PKEY_PARAM_PROPERTIES\fR) <UTF8 string>" 4 .IX Item """properties"" (OSSL_PKEY_PARAM_PROPERTIES) <UTF8 string>" Sets properties to be used when fetching algorithm implementations used for -ML-KEM hashing operations. +ML\-KEM hashing operations. .Sp Use \fBEVP_PKEY_CTX_set_params\fR\|(3) after calling \fBEVP_PKEY_keygen_init\fR\|(3). .SS "Common parameters" .IX Subsection "Common parameters" In addition to the common parameters that all keytypes should support (see -"Common Information Parameters" in \fBprovider\-keymgmt\fR\|(7)), \fBML-KEM\fR keys +"Common Information Parameters" in \fBprovider\-keymgmt\fR\|(7)), \fBML\-KEM\fR keys keys support the parameters listed below. These are gettable using \&\fBEVP_PKEY_get_octet_string_param\fR\|(3) or \fBEVP_PKEY_get_params\fR\|(3). @@ -121,7 +124,7 @@ The public key value. This parameter is used when importing or exporting the public key value with the \fBEVP_PKEY_fromdata()\fR and \fBEVP_PKEY_todata()\fR functions. The key length and content is that of the FIPS 203 (Algorithm 16: -\&\fBML\-KEM.KeyGen_internal\fR) \fBek\fR public key for the given ML-KEM variant. +\&\fBML\-KEM.KeyGen_internal\fR) \fBek\fR public key for the given ML\-KEM variant. Initial import aside, this parameter is otherwise only gettable. .IP """priv"" (\fBOSSL_PKEY_PARAM_PRIV_KEY\fR) <octet string>" 4 .IX Item """priv"" (OSSL_PKEY_PARAM_PRIV_KEY) <octet string>" 
@@ -130,9 +133,9 @@ The private key value. This parameter is used when importing or exporting the private key value with the \fBEVP_PKEY_fromdata()\fR and \fBEVP_PKEY_todata()\fR functions. The key length and content is that of the FIPS 203 (Algorithm 16: -\&\fBML\-KEM.KeyGen_internal\fR) \fBdk\fR private key for the given ML-KEM variant. +\&\fBML\-KEM.KeyGen_internal\fR) \fBdk\fR private key for the given ML\-KEM variant. Initial import aside, this parameter is otherwise only gettable. -.IP """encoded-pub-key"" (\fBOSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\fR) <octet string>" 4 +.IP """encoded\-pub\-key"" (\fBOSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\fR) <octet string>" 4 .IX Item """encoded-pub-key"" (OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY) <octet string>" Used for getting and setting the encoding of a public key. The key format is that of \fBek\fR in FIPS 203, Algorithm 16: @@ -150,7 +153,7 @@ configuration options programmatically. .ie n .IP """ml\-kem.import_pct_type"" (\fBOSSL_PKEY_PARAM_ML_KEM_IMPORT_PCT_TYPE\fR) <UTF8 string>" 4 .el .IP "\f(CWml\-kem.import_pct_type\fR (\fBOSSL_PKEY_PARAM_ML_KEM_IMPORT_PCT_TYPE\fR) <UTF8 string>" 4 .IX Item "ml-kem.import_pct_type (OSSL_PKEY_PARAM_ML_KEM_IMPORT_PCT_TYPE) <UTF8 string>" -When an \fBML-KEM\fR key is imported as an explict FIPS 203 \fBdk\fR decapsulation +When an \fBML\-KEM\fR key is imported as an explicit FIPS 203 \fBdk\fR decapsulation key, rather than a seed, a pairwise consistency test (PCT) is optionally performed. By default, or when this parameter is set explicitly to \f(CW\*(C`random\*(C'\fR, the PCT 
@@ -182,10 +185,10 @@ used instead. List of enabled private key input formats when parsing PKCS#8 objects. List elements are separated by commas and/or spaces or tabs. The list of enabled formats can be specified in the configuration file, as seen -in the "EXAMPLES" section below, or the via the \fB\-provparam\fR command-line +in the "EXAMPLES" section below, or the via the \fB\-provparam\fR command\-line option (see also \fBOSSL_PROVIDER_add_conf_parameter\fR\|(3)). .Sp -Values specified on the command-line override any configuration file settings. +Values specified on the command\-line override any configuration file settings. By default all the supported formats are enabled. The supported formats are: .RS 4 @@ -253,7 +256,7 @@ recognised on input. Ordered list of enabled private key output formats when writing \fBPKCS#8\fR files. List elements are separated by commas, spaces or tabs. The list of enabled formats can be specified in the configuration file, as seen -in the "EXAMPLES" section below, or the via the \fB\-provparam\fR command-line +in the "EXAMPLES" section below, or the via the \fB\-provparam\fR command\-line option. .Sp This supports the same set of formats as described under \f(CW\*(C`ml\-kem.input_formats\*(C'\fR @@ -290,7 +293,7 @@ An \fBML\-KEM\-768\fR key can be generated like this: \& pkey = EVP_PKEY_Q_keygen(NULL, NULL, "ML\-KEM\-768"); .Ve .PP -An \fBML-KEM\fR private key in seed format can be converted to a key in the FIPS +An \fBML\-KEM\fR private key in seed format can be converted to a key in the FIPS 203 \fBdk\fR format by running: .PP .Vb 2 diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-RSA.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-RSA.7 index 15ef60e96c0f..ca7d1796f91d 100644 --- a/secure/lib/libcrypto/man/man7/EVP_PKEY-RSA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-RSA.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY-RSA 7ossl" -.TH EVP_PKEY-RSA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY-RSA 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -65,7 +68,7 @@ EVP_PKEY\-RSA, EVP_KEYMGMT\-RSA, RSA \&\- EVP_PKEY RSA keytype and algorithm support .SH DESCRIPTION .IX Header "DESCRIPTION" -The \fBRSA\fR keytype is implemented in OpenSSL's default and FIPS providers. +The \fBRSA\fR keytype is implemented in OpenSSL\*(Aqs default and FIPS providers. That implementation supports the basic RSA keys, containing the modulus \fIn\fR, the public exponent \fIe\fR, the private exponent \fId\fR, and a collection of prime factors, exponents and coefficient for CRT calculations, of which the first @@ -169,7 +172,7 @@ bits. .IP """primes"" (\fBOSSL_PKEY_PARAM_RSA_PRIMES\fR) <unsigned integer>" 4 .IX Item """primes"" (OSSL_PKEY_PARAM_RSA_PRIMES) <unsigned integer>" The value should be the number of primes for the generated \fBRSA\fR key. The -default is 2. It isn't permitted to specify a larger number of primes than +default is 2. It isn\*(Aqt permitted to specify a larger number of primes than 10. Additionally, the number of primes is limited by the length of the key being generated so the maximum number could be less. Some providers may only support a value of 2. 
@@ -178,7 +181,7 @@ Some providers may only support a value of 2. The RSA "e" value. The value may be any odd number greater than or equal to 65537. The default value is 65537. For legacy reasons a value of 3 is currently accepted but is deprecated. -.IP """rsa-derive-from-pq"" (\fBOSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ\fR) <unsigned integer>" 4 +.IP """rsa\-derive\-from\-pq"" (\fBOSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ\fR) <unsigned integer>" 4 .IX Item """rsa-derive-from-pq"" (OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ) <unsigned integer>" Indicate that missing parameters not passed in the parameter list should be derived if not provided. Setting a nonzero value will cause all @@ -245,14 +248,14 @@ For RSA keys, \fBEVP_PKEY_private_check\fR\|(3) conforms to the SP800\-56Br1 .PP For RSA keys, \fBEVP_PKEY_pairwise_check\fR\|(3) conforms to the SP800\-56Br1 \fIKeyPair Validation check\fR for the OpenSSL FIPS provider. The -OpenSSL default provider allows testing of the validity of multi-primes. +OpenSSL default provider allows testing of the validity of multi\-primes. .SH "CONFORMING TO" .IX Header "CONFORMING TO" .IP FIPS186\-4 4 .IX Item "FIPS186-4" Section B.3.6 Generation of Probable Primes with Conditions Based on Auxiliary Probable Primes -.IP "RFC 8017, excluding RSA-PSS and RSA-OAEP" 4 +.IP "RFC 8017, excluding RSA\-PSS and RSA\-OAEP" 4 .IX Item "RFC 8017, excluding RSA-PSS and RSA-OAEP" .SH EXAMPLES .IX Header "EXAMPLES" diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-SLH-DSA.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-SLH-DSA.7 index 2b3a66fe55c0..a3f693f2b287 100644 --- a/secure/lib/libcrypto/man/man7/EVP_PKEY-SLH-DSA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-SLH-DSA.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY-SLH-DSA 7ossl" -.TH EVP_PKEY-SLH-DSA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY-SLH-DSA 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -77,13 +80,13 @@ The \fBSLH\-DSA\-SHA2\-128s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHA2\-128f\fR, \&\fBSLH\-DSA\-SHAKE\-128s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHAKE\-128f\fR, \&\fBSLH\-DSA\-SHAKE\-192s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHAKE\-192f\fR, \&\fBSLH\-DSA\-SHAKE\-256s\fR and \fBEVP_PKEY\-SLH\-DSA\-SHAKE\-256f\fR key types are -implemented in OpenSSL's default and FIPS providers. These implementations +implemented in OpenSSL\*(Aqs default and FIPS providers. These implementations support the associated key, containing the public key \fIpub\fR and the private key \fIpriv\fR. .PP -SLH-DSA (Stateless Hash-based Digital Signature Standard) uses small keys, +SLH\-DSA (Stateless Hash\-based Digital Signature Standard) uses small keys, but has relatively large signatures and is relatively slow performing all -operations compared to \fBML-DSA\fR. It does however have proven security proofs, +operations compared to \fBML\-DSA\fR. It does however have proven security proofs, since it relies only on hash functions. .PP Each of the different key types has an associated security parameter \fBn\fR. 
@@ -123,10 +126,10 @@ purposes only. The length of the value supplied must be 3 * \fBn\fR. .IP """properties"" (\fBOSSL_PKEY_PARAM_PROPERTIES\fR) <utf8_string>" 4 .IX Item """properties"" (OSSL_PKEY_PARAM_PROPERTIES) <utf8_string>" Sets properties to be used when fetching algorithm implementations used for -SLH-DSA hashing operations. +SLH\-DSA hashing operations. .PP Use \fBEVP_PKEY_CTX_set_params()\fR after calling \fBEVP_PKEY_keygen_init()\fR. -.SS "Common SLH-DSA parameters" +.SS "Common SLH\-DSA parameters" .IX Subsection "Common SLH-DSA parameters" In addition to the common parameters that all keytypes should support (see "Common Information Parameters" in \fBprovider\-keymgmt\fR\|(7)), the implementation of @@ -144,7 +147,7 @@ as defined by FIPS 205 Figure 16. The private key has a size of 4 * \fBn\fR bytes, which includes the public key components. i.e. It consists of the concatenation of SK.seed, SK.prf, PK.seed and PF.root as defined by FIPS 205 Figure 15. -.IP """mandatory-digest"" (\fBOSSL_PKEY_PARAM_MANDATORY_DIGEST\fR) <UTF8 string>" 4 +.IP """mandatory\-digest"" (\fBOSSL_PKEY_PARAM_MANDATORY_DIGEST\fR) <UTF8 string>" 4 .IX Item """mandatory-digest"" (OSSL_PKEY_PARAM_MANDATORY_DIGEST) <UTF8 string>" The empty string, signifying that no digest may be specified. .SH "CONFORMING TO" @@ -160,7 +163,7 @@ An \fBEVP_PKEY\fR context can be obtained by calling: \& EVP_PKEY_CTX_new_from_name(NULL, "SLH\-DSA\-SHA2\-128f", NULL); .Ve .PP -An \fBSLH-DSA\fR key can be generated like this: +An \fBSLH\-DSA\fR key can be generated like this: .PP .Vb 1 \& pkey = EVP_PKEY_Q_keygen(NULL, NULL, "SLH\-DSA\-SHA2\-128f"); diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-SM2.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-SM2.7 index de2844379391..d705b01f676b 100644 --- a/secure/lib/libcrypto/man/man7/EVP_PKEY-SM2.7 +++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-SM2.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY-SM2 7ossl" -.TH EVP_PKEY-SM2 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY-SM2 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -85,9 +88,9 @@ Getter that returns the default digest name. (Currently returns "SM3" as of OpenSSL 3.0). .SH NOTES .IX Header "NOTES" -\&\fBSM2\fR signatures can be generated by using the 'DigestSign' series of APIs, for +\&\fBSM2\fR signatures can be generated by using the \*(AqDigestSign\*(Aq series of APIs, for instance, \fBEVP_DigestSignInit()\fR, \fBEVP_DigestSignUpdate()\fR and \fBEVP_DigestSignFinal()\fR. -Ditto for the verification process by calling the 'DigestVerify' series of APIs. +Ditto for the verification process by calling the \*(AqDigestVerify\*(Aq series of APIs. Note that the SM2 algorithm requires the presence of the public key for signatures, as such the \fBOSSL_PKEY_PARAM_PUB_KEY\fR option must be set on any key used in signature generation. diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-X25519.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-X25519.7 index 500e39400c79..97382a04f447 100644 --- a/secure/lib/libcrypto/man/man7/EVP_PKEY-X25519.7 +++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-X25519.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_PKEY-X25519 7ossl" -.TH EVP_PKEY-X25519 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_PKEY-X25519 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -67,19 +70,19 @@ EVP_KEYMGMT\-X25519, EVP_KEYMGMT\-X448, EVP_KEYMGMT\-ED25519, EVP_KEYMGMT\-ED448 .SH DESCRIPTION .IX Header "DESCRIPTION" The \fBX25519\fR, \fBX448\fR, \fBED25519\fR and \fBED448\fR keytypes are -implemented in OpenSSL's default and FIPS providers. These implementations +implemented in OpenSSL\*(Aqs default and FIPS providers. These implementations support the associated key, containing the public key \fIpub\fR and the private key \fIpriv\fR. .SS "Keygen Parameters" .IX Subsection "Keygen Parameters" -.IP """dhkem-ikm"" (\fBOSSL_PKEY_PARAM_DHKEM_IKM\fR) <octet string>" 4 +.IP """dhkem\-ikm"" (\fBOSSL_PKEY_PARAM_DHKEM_IKM\fR) <octet string>" 4 .IX Item """dhkem-ikm"" (OSSL_PKEY_PARAM_DHKEM_IKM) <octet string>" DHKEM requires the generation of a keypair using an input key material (seed). Use this to specify the key material used for generation of the private key. This value should not be reused for other purposes. It should have a length of at least 32 for X25519, and 56 for X448. This is only supported by X25519 and X448. -.IP """fips-indicator"" (\fBOSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR) <integer>" This getter is only supported by X25519 and X448 for the FIPS provider. Since X25519 and X448 are unapproved in FIPS 140\-3 this getter return 0. 
@@ -103,14 +106,14 @@ The public key value. .IP """priv"" (\fBOSSL_PKEY_PARAM_PRIV_KEY\fR) <octet string>" 4 .IX Item """priv"" (OSSL_PKEY_PARAM_PRIV_KEY) <octet string>" The private key value. -.IP """encoded-pub-key"" (\fBOSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\fR) <octet string>" 4 +.IP """encoded\-pub\-key"" (\fBOSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\fR) <octet string>" 4 .IX Item """encoded-pub-key"" (OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY) <octet string>" Used for getting and setting the encoding of a public key for the \fBX25519\fR and \&\fBX448\fR key types. Public keys are expected be encoded in a format as defined by RFC7748. .SS "ED25519 and ED448 parameters" .IX Subsection "ED25519 and ED448 parameters" -.IP """mandatory-digest"" (\fBOSSL_PKEY_PARAM_MANDATORY_DIGEST\fR) <UTF8 string>" 4 +.IP """mandatory\-digest"" (\fBOSSL_PKEY_PARAM_MANDATORY_DIGEST\fR) <UTF8 string>" 4 .IX Item """mandatory-digest"" (OSSL_PKEY_PARAM_MANDATORY_DIGEST) <UTF8 string>" The empty string, signifying that no digest may be specified. .SH "CONFORMING TO" diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND-CRNG-TEST.7 b/secure/lib/libcrypto/man/man7/EVP_RAND-CRNG-TEST.7 index 21832dbcad47..3807589ed44f 100644 --- a/secure/lib/libcrypto/man/man7/EVP_RAND-CRNG-TEST.7 +++ b/secure/lib/libcrypto/man/man7/EVP_RAND-CRNG-TEST.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RAND-CRNG-TEST 7ossl" -.TH EVP_RAND-CRNG-TEST 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RAND-CRNG-TEST 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -71,11 +74,11 @@ Tests". Most requests are forwarded to the entropy source, either via its parent reference or via the provider entropy upcalls. .SS Identity .IX Subsection "Identity" -"CRNG-TEST" is the name for this implementation; it can be used with the +"CRNG\-TEST" is the name for this implementation; it can be used with the \&\fBEVP_RAND_fetch()\fR function. .SS "Supported parameters" .IX Subsection "Supported parameters" -If a parent EVP_RAND is specified on context creation, the parent's +If a parent EVP_RAND is specified on context creation, the parent\*(Aqs parameters are supported because the request is forwarded to the parent seed source for processing. .PP @@ -90,7 +93,7 @@ are supported: .IX Item """max_request"" (OSSL_RAND_PARAM_MAX_REQUEST) <unsigned integer>" .PD These parameters work as described in "PARAMETERS" in \fBEVP_RAND\fR\|(3). -.IP """fips-indicator"" (\fBOSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR) <integer>" This parameter works as described in "PARAMETERS" in \fBprovider\-rand\fR\|(7). .SH NOTES diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND-CTR-DRBG.7 b/secure/lib/libcrypto/man/man7/EVP_RAND-CTR-DRBG.7 index 7818e16a2e56..c0529778081b 100644 --- a/secure/lib/libcrypto/man/man7/EVP_RAND-CTR-DRBG.7 +++ b/secure/lib/libcrypto/man/man7/EVP_RAND-CTR-DRBG.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RAND-CTR-DRBG 7ossl" -.TH EVP_RAND-CTR-DRBG 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RAND-CTR-DRBG 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -68,7 +71,7 @@ Support for the counter deterministic random bit generator through the \&\fBEVP_RAND\fR API. .SS Identity .IX Subsection "Identity" -"CTR-DRBG" is the name for this implementation; it can be used with the +"CTR\-DRBG" is the name for this implementation; it can be used with the \&\fBEVP_RAND_fetch()\fR function. .SS "Supported parameters" .IX Subsection "Supported parameters" @@ -118,7 +121,7 @@ A context for CTR DRBG can be obtained by calling: \& EVP_RAND_CTX *rctx = EVP_RAND_CTX_new(rand, NULL); .Ve .PP -The default CTR-DRBG implementation attempts to fetch the required internal +The default CTR\-DRBG implementation attempts to fetch the required internal algorithms from the provider they are built into (eg the default provider) regardless of the properties provided. Should the provider not implement the required algorithms then properties will be used to find a different diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND-HASH-DRBG.7 b/secure/lib/libcrypto/man/man7/EVP_RAND-HASH-DRBG.7 index 9972e152bca2..fc22202220a4 100644 --- a/secure/lib/libcrypto/man/man7/EVP_RAND-HASH-DRBG.7 +++ b/secure/lib/libcrypto/man/man7/EVP_RAND-HASH-DRBG.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RAND-HASH-DRBG 7ossl" -.TH EVP_RAND-HASH-DRBG 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RAND-HASH-DRBG 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -68,7 +71,7 @@ Support for the hash deterministic random bit generator through the \&\fBEVP_RAND\fR API. .SS Identity .IX Subsection "Identity" -"HASH-DRBG" is the name for this implementation; it can be used with the +"HASH\-DRBG" is the name for this implementation; it can be used with the \&\fBEVP_RAND_fetch()\fR function. .SS "Supported parameters" .IX Subsection "Supported parameters" @@ -104,10 +107,10 @@ The supported parameters are: .IX Item """digest"" (OSSL_DRBG_PARAM_DIGEST) <UTF8 string>" .PD These parameters work as described in "PARAMETERS" in \fBEVP_RAND\fR\|(3). -.IP """fips-indicator"" (\fBOSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR) <integer>" .PD 0 -.IP """digest-check"" (\fBOSSL_DRBG_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_DRBG_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_DRBG_PARAM_FIPS_DIGEST_CHECK) <integer>" .PD These parameters work as described in "PARAMETERS" in \fBprovider\-rand\fR\|(7). 
@@ -117,7 +120,7 @@ When the FIPS provider is installed using the \fB\-no_drbg_truncated_digests\fR option to fipsinstall, only these digests are permitted (as per FIPS 140\-3 IG D.R <https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf>): .PP -The default HASH-DRBG implementation attempts to fetch the required internal +The default HASH\-DRBG implementation attempts to fetch the required internal algorithms from the provider they are built into (eg the default provider) regardless of the properties provided. Should the provider not implement the required algorithms then properties will be used to find a different diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND-HMAC-DRBG.7 b/secure/lib/libcrypto/man/man7/EVP_RAND-HMAC-DRBG.7 index 7b929d257547..233450f2d418 100644 --- a/secure/lib/libcrypto/man/man7/EVP_RAND-HMAC-DRBG.7 +++ b/secure/lib/libcrypto/man/man7/EVP_RAND-HMAC-DRBG.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RAND-HMAC-DRBG 7ossl" -.TH EVP_RAND-HMAC-DRBG 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RAND-HMAC-DRBG 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -68,7 +71,7 @@ Support for the HMAC deterministic random bit generator through the \&\fBEVP_RAND\fR API. .SS Identity .IX Subsection "Identity" -"HMAC-DRBG" is the name for this implementation; it can be used with the +"HMAC\-DRBG" is the name for this implementation; it can be used with the \&\fBEVP_RAND_fetch()\fR function. .SS "Supported parameters" .IX Subsection "Supported parameters" @@ -106,10 +109,10 @@ The supported parameters are: .IX Item """digest"" (OSSL_DRBG_PARAM_DIGEST) <UTF8 string>" .PD These parameters work as described in "PARAMETERS" in \fBEVP_RAND\fR\|(3). -.IP """fips-indicator"" (\fBOSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR) <integer>" .PD 0 -.IP """digest-check"" (\fBOSSL_DRBG_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_DRBG_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_DRBG_PARAM_FIPS_DIGEST_CHECK) <integer>" .PD These parameters work as described in "PARAMETERS" in \fBprovider\-rand\fR\|(7). @@ -118,7 +121,7 @@ These parameters work as described in "PARAMETERS" in \fBprovider\-rand\fR\|(7). When using the FIPS provider, only these digests are permitted (as per FIPS 140\-3 IG D.R <https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf>): .PP -The default HMAC-DRBG implementation attempts to fetch the required internal +The default HMAC\-DRBG implementation attempts to fetch the required internal algorithms from the provider they are built into (eg the default provider) regardless of the properties provided. Should the provider not implement the required algorithms then properties will be used to find a different 
diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND-JITTER.7 b/secure/lib/libcrypto/man/man7/EVP_RAND-JITTER.7 index 562e653c0148..3c16c8aa3722 100644 --- a/secure/lib/libcrypto/man/man7/EVP_RAND-JITTER.7 +++ b/secure/lib/libcrypto/man/man7/EVP_RAND-JITTER.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RAND-JITTER 7ossl" -.TH EVP_RAND-JITTER 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RAND-JITTER 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -70,7 +73,7 @@ Support for deterministic random number generator seeding through the This software seed source produces randomness based on tiny CPU "jitter" fluctuations. .PP -It is available when OpenSSL is compiled with \fBenable-jitter\fR +It is available when OpenSSL is compiled with \fBenable\-jitter\fR option. When available it is listed in \fBopenssl list \&\-random\-generators\fR and \fBopenssl info \-seeds\fR. .SS Identity 
@@ -98,11 +101,11 @@ A context for the seed source can be obtained by calling: \& EVP_RAND_CTX *rctx = EVP_RAND_CTX_new(rand, NULL); .Ve .PP -The \fBenable-jitter\fR option was added in OpenSSL 3.4. +The \fBenable\-jitter\fR option was added in OpenSSL 3.4. .PP -By specifying the \fBenable-fips-jitter\fR configuration option, the FIPS +By specifying the \fBenable\-fips\-jitter\fR configuration option, the FIPS provider will use an internal jitter source for its entropy. Enabling -this option will cause the FIPS provider to operate in a non-compliant +this option will cause the FIPS provider to operate in a non\-compliant mode unless an entropy assessment ESV <https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations> and validation through the diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND-SEED-SRC.7 b/secure/lib/libcrypto/man/man7/EVP_RAND-SEED-SRC.7 index 34acbbbc7b73..771e0d79c4db 100644 --- a/secure/lib/libcrypto/man/man7/EVP_RAND-SEED-SRC.7 +++ b/secure/lib/libcrypto/man/man7/EVP_RAND-SEED-SRC.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RAND-SEED-SRC 7ossl" -.TH EVP_RAND-SEED-SRC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RAND-SEED-SRC 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -72,7 +75,7 @@ building using the \fB\-\-with\-rand\-seed=\fR option. By default, operating sy randomness sources are used. .SS Identity .IX Subsection "Identity" -"SEED-SRC" is the name for this implementation; it can be used with the +"SEED\-SRC" is the name for this implementation; it can be used with the \&\fBEVP_RAND_fetch()\fR function. .SS "Supported parameters" .IX Subsection "Supported parameters" diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND-TEST-RAND.7 b/secure/lib/libcrypto/man/man7/EVP_RAND-TEST-RAND.7 index 42c9fffdfad6..26cf6992a783 100644 --- a/secure/lib/libcrypto/man/man7/EVP_RAND-TEST-RAND.7 +++ b/secure/lib/libcrypto/man/man7/EVP_RAND-TEST-RAND.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RAND-TEST-RAND 7ossl" -.TH EVP_RAND-TEST-RAND 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RAND-TEST-RAND 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -68,7 +71,7 @@ Support for a test generator through the \fBEVP_RAND\fR API. This generator is for test purposes only, it does not generate random numbers. .SS Identity .IX Subsection "Identity" -"TEST-RAND" is the name for this implementation; it can be used with the +"TEST\-RAND" is the name for this implementation; it can be used with the \&\fBEVP_RAND_fetch()\fR function. .SS "Supported parameters" .IX Subsection "Supported parameters" 
@@ -76,7 +79,7 @@ The supported parameters are: .IP """state"" (\fBOSSL_RAND_PARAM_STATE\fR) <integer>" 4 .IX Item """state"" (OSSL_RAND_PARAM_STATE) <integer>" .PD 0 -.IP """fips-indicator"" (\fBOSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR) <integer>" .PD These parameter works as described in "PARAMETERS" in \fBEVP_RAND\fR\|(3). @@ -119,7 +122,7 @@ Each nonce request will return all of the bytes. .IX Item """generate"" (OSSL_RAND_PARAM_GENERATE) <integer>" If this parameter is zero, it will only emit the nonce and entropy data supplied via the aforementioned parameters. Otherwise, low quality -non-cryptographic pseudorandom output is produced. This parameter defaults +non\-cryptographic pseudorandom output is produced. This parameter defaults to zero. .SH NOTES .IX Header "NOTES" diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND.7 b/secure/lib/libcrypto/man/man7/EVP_RAND.7 index 8d7ad73ee30c..d12f823753b1 100644 --- a/secure/lib/libcrypto/man/man7/EVP_RAND.7 +++ b/secure/lib/libcrypto/man/man7/EVP_RAND.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RAND 7ossl" -.TH EVP_RAND 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RAND 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -71,14 +74,14 @@ EVP_RAND \- the random bit generator .SH DESCRIPTION .IX Header "DESCRIPTION" The default OpenSSL RAND method is based on the EVP_RAND classes to provide -non-deterministic inputs to other cryptographic algorithms. +non\-deterministic inputs to other cryptographic algorithms. .PP -While the RAND API is the 'frontend' which is intended to be used by +While the RAND API is the \*(Aqfrontend\*(Aq which is intended to be used by application developers for obtaining random bytes, the EVP_RAND API -serves as the 'backend', connecting the former with the operating -systems's entropy sources and providing access to deterministic random +serves as the \*(Aqbackend\*(Aq, connecting the former with the operating +systems\*(Aqs entropy sources and providing access to deterministic random bit generators (DRBG) and their configuration parameters. -A DRBG is a certain type of cryptographically-secure pseudo-random +A DRBG is a certain type of cryptographically\-secure pseudo\-random number generator (CSPRNG), which is described in [NIST SP 800\-90A Rev. 1]. .SS Disclaimer @@ -94,7 +97,7 @@ Typical examples for such special use cases are the following: You want to use your own private DRBG instances. Multiple DRBG instances which are accessed only by a single thread provide additional security (because their internal states are independent) and -better scalability in multithreaded applications (because they don't need +better scalability in multithreaded applications (because they don\*(Aqt need to be locked). .IP \(bu 2 You need to integrate a previously unsupported entropy source. 
@@ -121,10 +124,10 @@ a live entropy source may ignore and not use its parent. Currently, there are three shared DRBG instances, the <primary>, <public>, and <private> DRBG. While the <primary> DRBG is a single global instance, the <public> and <private> -DRBG are created per thread and accessed through thread-local storage. +DRBG are created per thread and accessed through thread\-local storage. .PP By default, the functions \fBRAND_bytes\fR\|(3) and \fBRAND_priv_bytes\fR\|(3) use -the thread-local <public> and <private> DRBG instance, respectively. +the thread\-local <public> and <private> DRBG instance, respectively. .SS "The <primary> DRBG instance" .IX Subsection "The <primary> DRBG instance" The <primary> DRBG is not used directly by the application, only for reseeding 
@@ -141,24 +144,24 @@ This instance is used per default by \fBRAND_priv_bytes\fR\|(3) .IX Header "LOCKING" The <primary> DRBG is intended to be accessed concurrently for reseeding by its child DRBG instances. The necessary locking is done internally. -It is \fInot\fR thread-safe to access the <primary> DRBG directly via the +It is \fInot\fR thread\-safe to access the <primary> DRBG directly via the EVP_RAND interface. -The <public> and <private> DRBG are thread-local, i.e. there is an +The <public> and <private> DRBG are thread\-local, i.e. there is an instance of each per thread. So they can safely be accessed without locking via the EVP_RAND interface. .PP Pointers to these DRBG instances can be obtained using \&\fBRAND_get0_primary()\fR, \fBRAND_get0_public()\fR and \fBRAND_get0_private()\fR, respectively. -Note that it is not allowed to store a pointer to one of the thread-local +Note that it is not allowed to store a pointer to one of the thread\-local DRBG instances in a variable or other memory location where it will be accessed and used by multiple threads. .PP -All other DRBG instances created by an application don't support locking, +All other DRBG instances created by an application don\*(Aqt support locking, because they are intended to be used by a single thread. Instead of accessing a single DRBG instance concurrently from different threads, it is recommended to instantiate a separate DRBG instance per thread. Using the <primary> DRBG as entropy source for multiple DRBG -instances on different threads is thread-safe, because the DRBG instance +instances on different threads is thread\-safe, because the DRBG instance will lock the <primary> DRBG automatically for obtaining random input. .SH "THE OVERALL PICTURE" .IX Header "THE OVERALL PICTURE" 
@@ -249,7 +252,7 @@ previous OpenSSL versions to call \fBRAND_add()\fR before calling \fBRAND_bytes( .SS "Entropy Input and Additional Data" .IX Subsection "Entropy Input and Additional Data" The DRBG distinguishes two different types of random input: \fIentropy\fR, -which comes from a trusted source, and \fIadditional input\fR', +which comes from a trusted source, and \fIadditional input\fR\*(Aq, which can optionally be added by the user and is considered untrusted. It is possible to add \fIadditional input\fR not only during reseeding, but also for every generate request. @@ -259,11 +262,11 @@ In most cases OpenSSL will automatically choose a suitable seed source for automatically seeding and reseeding its <primary> DRBG. The default seed source can be configured when OpenSSL is compiled by setting \fB\-DOPENSSL_DEFAULT_SEED_SRC=SEED\-SRC\fR. If not set then -"SEED-SRC" is used. One can specify a third-party provider seed-source, +"SEED\-SRC" is used. One can specify a third\-party provider seed\-source, or \fB\-DOPENSSL_DEFAULT_SEED_SRC=JITTER\fR if available. .PP In some cases however, it will be necessary to explicitly specify a -seed source used by "SEED-SRC" during configuration, using the +seed source used by "SEED\-SRC" during configuration, using the \&\-\-with\-rand\-seed option. For more information, see the INSTALL instructions. There are also operating systems where no seed source is available and automatic reseeding is disabled by default. diff --git a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-DSA.7 b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-DSA.7 index e77ed38d5a61..1e307d674934 100644 --- a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-DSA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-DSA.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SIGNATURE-DSA 7ossl" -.TH EVP_SIGNATURE-DSA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SIGNATURE-DSA 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -85,7 +88,7 @@ The base signature algorithm, supported explicitly fetched with EC keys) with \fBEVP_DigestSignInit\fR\|(3) and \&\fBEVP_DigestVerifyInit\fR\|(3). .Sp -It can't be used with \fBEVP_PKEY_sign_message_init\fR\|(3) +It can\*(Aqt be used with \fBEVP_PKEY_sign_message_init\fR\|(3) .IP """DSA\-SHA1"", ""DSA\-SHA\-1"", ""dsaWithSHA1"", ""1.2.840.10040.4.3""" 4 .IX Item """DSA-SHA1"", ""DSA-SHA-1"", ""dsaWithSHA1"", ""1.2.840.10040.4.3""" .PD 0 
@@ -123,28 +126,28 @@ using \fBEVP_PKEY_sign_init_ex()\fR or \fBEVP_PKEY_verify_init_ex()\fR. .PD These two are not supported with the DSA signature schemes that already include a message digest algorithm, See "Algorithm Names" above. -.IP """nonce-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4 +.IP """nonce\-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4 .IX Item """nonce-type"" (OSSL_SIGNATURE_PARAM_NONCE_TYPE) <unsigned integer>" .PD 0 -.IP """key-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK) <integer>" -.IP """digest-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK) <integer>" -.IP """sign-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK\fR) <int>" 4 +.IP """sign\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK\fR) <int>" 4 .IX Item """sign-check"" (OSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK) <int>" .PD The settable parameters are described in \fBprovider\-signature\fR\|(7). .PP The following signature parameters can be retrieved using \&\fBEVP_PKEY_CTX_get_params()\fR. 
-.IP """algorithm-id"" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string>" 4 +.IP """algorithm\-id"" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string>" 4 .IX Item """algorithm-id"" (OSSL_SIGNATURE_PARAM_ALGORITHM_ID) <octet string>" .PD 0 .IP """digest"" (\fBOSSL_SIGNATURE_PARAM_DIGEST\fR) <UTF8 string>" 4 .IX Item """digest"" (OSSL_SIGNATURE_PARAM_DIGEST) <UTF8 string>" -.IP """nonce-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4 +.IP """nonce\-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4 .IX Item """nonce-type"" (OSSL_SIGNATURE_PARAM_NONCE_TYPE) <unsigned integer>" -.IP """fips-indicator"" (\fBOSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR) <integer>" .PD The gettable parameters are described in \fBprovider\-signature\fR\|(7). @@ -160,7 +163,7 @@ DSA Key generation and signature generation are no longer FIPS approved in OpenSSL 3.4. See "FIPS indicators" in \fBfips_module\fR\|(7) for more information. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ECDSA.7 b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ECDSA.7 index 77afb3656577..0c5ce2a2af92 100644 --- a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ECDSA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ECDSA.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,16 +52,19 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SIGNATURE-ECDSA 7ossl" -.TH EVP_SIGNATURE-ECDSA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SIGNATURE-ECDSA 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH NAME -EVP_SIGNATURE\-ECDSA \- The EVP_PKEY ECDSA signature implementation. +EVP_SIGNATURE\-ECDSA \- The EVP_PKEY ECDSA signature implementation .SH DESCRIPTION .IX Header "DESCRIPTION" Support for computing ECDSA signatures. @@ -79,7 +82,7 @@ The base signature algorithm, supported explicitly fetched with EC keys) with \fBEVP_DigestSignInit\fR\|(3) and \&\fBEVP_DigestVerifyInit\fR\|(3). .Sp -It can't be used with \fBEVP_PKEY_sign_message_init\fR\|(3) +It can\*(Aqt be used with \fBEVP_PKEY_sign_message_init\fR\|(3) .IP """ECDSA\-SHA1"", ""ECDSA\-SHA\-1"", ""ecdsa\-with\-SHA1"", ""1.2.840.10045.4.1""" 4 .IX Item """ECDSA-SHA1"", ""ECDSA-SHA-1"", ""ecdsa-with-SHA1"", ""1.2.840.10045.4.1""" .PD 0 
@@ -116,28 +119,28 @@ and before calling \fBEVP_PKEY_sign()\fR or \fBEVP_PKEY_verify()\fR. .PD These two are not supported with the ECDSA signature schemes that already include a message digest algorithm, See "Algorithm Names" above. -.IP """nonce-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4 +.IP """nonce\-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4 .IX Item """nonce-type"" (OSSL_SIGNATURE_PARAM_NONCE_TYPE) <unsigned integer>" .PD 0 -.IP """key-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK) <integer>" -.IP """digest-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK) <integer>" .PD These parameters are described in \fBprovider\-signature\fR\|(7). .PP The following signature parameters can be retrieved using \&\fBEVP_PKEY_CTX_get_params()\fR. 
-.IP """algorithm-id"" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string>" 4 +.IP """algorithm\-id"" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string>" 4 .IX Item """algorithm-id"" (OSSL_SIGNATURE_PARAM_ALGORITHM_ID) <octet string>" .PD 0 .IP """digest"" (\fBOSSL_SIGNATURE_PARAM_DIGEST\fR) <UTF8 string>" 4 .IX Item """digest"" (OSSL_SIGNATURE_PARAM_DIGEST) <UTF8 string>" -.IP """nonce-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4 +.IP """nonce\-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4 .IX Item """nonce-type"" (OSSL_SIGNATURE_PARAM_NONCE_TYPE) <unsigned integer>" -.IP """fips-indicator"" (\fBOSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR) <integer>" -.IP """verify-message"" (\fBOSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE\fR <integer>" 4 +.IP """verify\-message"" (\fBOSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE\fR <integer>" 4 .IX Item """verify-message"" (OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE <integer>" .PD The parameters are described in \fBprovider\-signature\fR\|(7). @@ -149,7 +152,7 @@ The parameters are described in \fBprovider\-signature\fR\|(7). \&\fBprovider\-signature\fR\|(7), .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ED25519.7 b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ED25519.7 index 2cd9a4e16e1d..c3d81ddd22d5 100644 --- a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ED25519.7 +++ b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ED25519.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SIGNATURE-ED25519 7ossl" -.TH EVP_SIGNATURE-ED25519 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SIGNATURE-ED25519 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -65,11 +68,11 @@ EVP_SIGNATURE\-ED25519, EVP_SIGNATURE\-ED448, Ed25519, Ed448 -\&\- EVP_PKEY Ed25519 and Ed448 support +\&\- The EVP_PKEY Ed25519 and Ed448 signature implementations .SH DESCRIPTION .IX Header "DESCRIPTION" The \fBEd25519\fR and \fBEd448\fR EVP_PKEY implementation supports key -generation, one-shot digest-sign and digest-verify using the EdDSA +generation, one\-shot digest\-sign and digest\-verify using the EdDSA signature schemes described in RFC 8032. It has associated private and public key formats compatible with RFC 8410. .SS "EdDSA Instances" 
@@ -89,9 +92,9 @@ Ed448ph, the hash function is SHAKE256 with an output length of 512 bits. .PP The instances Ed25519ctx, Ed25519ph, Ed448, Ed448ph accept an optional -\&\fBcontext-string\fR as input to sign and verify operations (and for -Ed25519ctx, the context-string must be nonempty). For the Ed25519 -instance, a nonempty context-string is not permitted. +\&\fBcontext\-string\fR as input to sign and verify operations (and for +Ed25519ctx, the context\-string must be nonempty). For the Ed25519 +instance, a nonempty context\-string is not permitted. .PP These instances can be specified as signature parameters when using \&\fBEVP_DigestSignInit\fR\|(3) and \fBEVP_DigestVerifyInit\fR\|(3), see @@ -104,7 +107,7 @@ These instances are also explicitly fetchable as algorithms using .SS "ED25519 and ED448 Signature Parameters" .IX Subsection "ED25519 and ED448 Signature Parameters" Two parameters can be set during signing or verification: the EdDSA -\&\fBinstance name\fR and the \fBcontext-string value\fR. They can be set by +\&\fBinstance name\fR and the \fBcontext\-string value\fR. They can be set by passing an OSSL_PARAM array to \fBEVP_DigestSignInit_ex()\fR. .IP \(bu 4 "instance" (\fBOSSL_SIGNATURE_PARAM_INSTANCE\fR) <utf8 string> @@ -115,7 +118,7 @@ One of the five strings "Ed25519", "Ed25519ctx", "Ed25519ph", "Ed448", "Ed448ph" .Sp "Ed448", "Ed448ph" are valid only for an Ed448 EVP_PKEY. .IP \(bu 4 -"context-string" (\fBOSSL_SIGNATURE_PARAM_CONTEXT_STRING\fR) <octet string> +"context\-string" (\fBOSSL_SIGNATURE_PARAM_CONTEXT_STRING\fR) <octet string> .Sp A string of octets with length at most 255. .PP 
@@ -134,7 +137,7 @@ When using \fBEVP_PKEY_sign_init_ex2\fR\|(3), \fBEVP_PKEY_verify_init_ex2\fR\|(3 instance is the explicit signature algorithm name, and may not be changed (trying to give one with the "instance" parameter is therefore an error). .PP -If a context-string is not specified, then an empty context-string is +If a context\-string is not specified, then an empty context\-string is used. .PP See \fBEVP_PKEY\-X25519\fR\|(7) for information related to \fBX25519\fR and \fBX448\fR keys. @@ -142,22 +145,22 @@ See \fBEVP_PKEY\-X25519\fR\|(7) for information related to \fBX25519\fR and \fBX The following signature parameters can be retrieved using \&\fBEVP_PKEY_CTX_get_params()\fR. .IP \(bu 4 -"algorithm-id" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string> +"algorithm\-id" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string> .IP \(bu 4 "instance" (\fBOSSL_SIGNATURE_PARAM_INSTANCE\fR) <utf8 string> .IP \(bu 4 -"context-string" (\fBOSSL_SIGNATURE_PARAM_CONTEXT_STRING\fR) <octet string> +"context\-string" (\fBOSSL_SIGNATURE_PARAM_CONTEXT_STRING\fR) <octet string> .PP The parameters are described in \fBprovider\-signature\fR\|(7). .SH NOTES .IX Header "NOTES" The PureEdDSA instances do not support the streaming mechanism of other signature algorithms using, for example, \fBEVP_DigestUpdate()\fR. -The message to sign or verify must be passed using the one-shot +The message to sign or verify must be passed using the one\-shot \&\fBEVP_DigestSign()\fR and \fBEVP_DigestVerify()\fR functions. .PP The HashEdDSA instances do not yet support the streaming mechanisms -(so the one-shot functions must be used with HashEdDSA as well). +(so the one\-shot functions must be used with HashEdDSA as well). .PP When calling \fBEVP_DigestSignInit()\fR or \fBEVP_DigestVerifyInit()\fR, the digest \fItype\fR parameter \fBMUST\fR be set to NULL. 
@@ -180,6 +183,9 @@ Ed25519 and Ed448 can be tested with the \fBopenssl\-speed\fR\|(1) application since version 1.1.1. Valid algorithm names are \fBed25519\fR, \fBed448\fR and \fBeddsa\fR. If \fBeddsa\fR is specified, then both Ed25519 and Ed448 are benchmarked. +.PP +Since Ed25519ctx is not included in FIPS 186\-5, it is not present +in the FIPS provider. .SH EXAMPLES .IX Header "EXAMPLES" To sign a message using an ED25519 EVP_PKEY structure: @@ -218,7 +224,7 @@ To sign a message using an ED25519 EVP_PKEY structure: \&\fBEVP_DigestVerifyInit\fR\|(3), .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2017\-2024 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-HMAC.7 b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-HMAC.7 index d9d85ab8b502..763ca7bf7efe 100644 --- a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-HMAC.7 +++ b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-HMAC.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SIGNATURE-HMAC 7ossl" -.TH EVP_SIGNATURE-HMAC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SIGNATURE-HMAC 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -97,7 +100,7 @@ be set via \fBEVP_MAC_CTX_set_params()\fR for the underlying EVP_MAC. See \&\fBprovider\-signature\fR\|(7), .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ML-DSA.7 b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ML-DSA.7 index 51b46b446b59..58afdab0470a 100644 --- a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ML-DSA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ML-DSA.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,22 +52,25 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SIGNATURE-ML-DSA 7ossl" -.TH EVP_SIGNATURE-ML-DSA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SIGNATURE-ML-DSA 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH NAME EVP_SIGNATURE\-ML\-DSA, -EVP_SIGNATURE\-ML\-DSA\-44, EVP_SIGNATURE\-ML\-DSA\-65, EVP_SIGNATURE\-ML\-DSA\-87, -\&\- EVP_SIGNATURE ML\-DSA support +EVP_SIGNATURE\-ML\-DSA\-44, EVP_SIGNATURE\-ML\-DSA\-65, EVP_SIGNATURE\-ML\-DSA\-87 +\&\- The EVP_PKEY ML\-DSA signature implementations .SH DESCRIPTION .IX Header "DESCRIPTION" The \fBML\-DSA\-44\fR, \fBML\-DSA\-65\fR and \fBML\-DSA\-87\fR EVP_PKEY implementations -support key generation, and one-shot sign and verify using the ML-DSA +support key generation, and one\-shot sign and verify using the ML\-DSA signature schemes described in FIPS 204 <https://csrc.nist.gov/pubs/fips/204/final>. .PP The different algorithms names correspond to the parameter sets defined in 
@@ -75,39 +78,39 @@ FIPS 204 <https://csrc.nist.gov/pubs/fips/204/final> Section 4 Table 1. (The signatures range in size from ~2.5K to ~4.5K depending on the type chosen). There are 3 different security categories also depending on the type. .PP -\&\fBEVP_SIGNATURE_fetch\fR\|(3) can be used to explicitely fetch one of the 3 +\&\fBEVP_SIGNATURE_fetch\fR\|(3) can be used to explicitly fetch one of the 3 algorithms which can then be used with \fBEVP_PKEY_sign_message_init\fR\|(3), \&\fBEVP_PKEY_sign\fR\|(3), \fBEVP_PKEY_verify_message_init\fR\|(3), and -\&\fBEVP_PKEY_verify\fR\|(3) to perform one-shot message signing or signature verification. +\&\fBEVP_PKEY_verify\fR\|(3) to perform one\-shot message signing or signature verification. .PP -The normal signing process (called Pure ML-DSA Signature Generation) +The normal signing process (called Pure ML\-DSA Signature Generation) encodes the message internally as 0x00 || len(ctx) || ctx || message. where \fBctx\fR is some optional value of size 0x00..0xFF. This process is defined in FIPS 204 <https://csrc.nist.gov/pubs/fips/204/final> Algorithm 2 step 10 and Algorithm 3 step 5. OpenSSL also allows the message to not be encoded which is required for -testing. OpenSSL does not support Pre Hash ML-DSA Signature Generation, but this +testing. OpenSSL does not support Pre Hash ML\-DSA Signature Generation, but this may be done by the user by doing Pre hash encoding externally and then choosing the option to not encode the message. -.SS "ML-DSA Signature Parameters" +.SS "ML\-DSA Signature Parameters" .IX Subsection "ML-DSA Signature Parameters" The following parameter can be used for both signing and verification. 
it may be set by passing an OSSL_PARAM array to \fBEVP_PKEY_sign_message_init\fR\|(3) or \fBEVP_PKEY_verify_message_init\fR\|(3) -.IP """context-string"" (\fBOSSL_SIGNATURE_PARAM_CONTEXT_STRING\fR) <octet string>" 4 +.IP """context\-string"" (\fBOSSL_SIGNATURE_PARAM_CONTEXT_STRING\fR) <octet string>" 4 .IX Item """context-string"" (OSSL_SIGNATURE_PARAM_CONTEXT_STRING) <octet string>" A string of octets with length at most 255. By default it is the empty string. .PP The following parameters can be used when signing: They can be set by passing an OSSL_PARAM array to \fBEVP_PKEY_sign_init_ex2\fR\|(3). -.IP """message-encoding"" (\fBOSSL_SIGNATURE_PARAM_MESSAGE_ENCODING\fR) <integer>" 4 +.IP """message\-encoding"" (\fBOSSL_SIGNATURE_PARAM_MESSAGE_ENCODING\fR) <integer>" 4 .IX Item """message-encoding"" (OSSL_SIGNATURE_PARAM_MESSAGE_ENCODING) <integer>" -The default value of 1 uses 'Pure ML-DSA Signature Generation' as described +The default value of 1 uses \*(AqPure ML\-DSA Signature Generation\*(Aq as described above. Setting it to 0 does not encode the message, which is used for testing. The message encoding steps are defined in FIPS 204 <https://csrc.nist.gov/pubs/fips/204/final> Algorithm 2 step 10 and Algorithm 3 step 5. -.IP """test-entropy"" (\fBOSSL_SIGNATURE_PARAM_TEST_ENTROPY\fR) <octet string>" 4 +.IP """test\-entropy"" (\fBOSSL_SIGNATURE_PARAM_TEST_ENTROPY\fR) <octet string>" 4 .IX Item """test-entropy"" (OSSL_SIGNATURE_PARAM_TEST_ENTROPY) <octet string>" Used for testing to pass an optional deterministic per message random value. If set the size must be 32 bytes. 
@@ -115,7 +118,7 @@ If set the size must be 32 bytes. .IX Item """deterministic"" (OSSL_SIGNATURE_PARAM_DETERMINISTIC) <integer>" The default value of 0 causes the per message randomness to be randomly generated using a DRBG. Setting this to 1 causes the per message randomness -to be set to 32 bytes of zeros. This value is ignored if "test-entropy" is set. +to be set to 32 bytes of zeros. This value is ignored if "test\-entropy" is set. .IP """mu"" (\fBOSSL_SIGNATURE_PARAM_MU\fR) <integer>" 4 .IX Item """mu"" (OSSL_SIGNATURE_PARAM_MU) <integer>" The default value of 0 causes sign and verify operations to process a raw message. @@ -127,15 +130,15 @@ Note that the message encoding steps from FIPS 204 <https://csrc.nist.gov/pubs/fips/204/final> Algorithm 2 step 10 and Algorithm 3 step 5 are omitted when this setting is 1. .PP -See \fBEVP_PKEY\-ML\-DSA\fR\|(7) for information related to \fBML-DSA\fR keys. +See \fBEVP_PKEY\-ML\-DSA\fR\|(7) for information related to \fBML\-DSA\fR keys. .SH NOTES .IX Header "NOTES" -For backwards compatability reasons \fBEVP_DigestSignInit_ex()\fR, \fBEVP_DigestSign()\fR, +For backwards compatibility reasons \fBEVP_DigestSignInit_ex()\fR, \fBEVP_DigestSign()\fR, \&\fBEVP_DigestVerifyInit_ex()\fR and \fBEVP_DigestVerify()\fR may also be used, but the digest passed in \fImdname\fR must be NULL. .SH EXAMPLES .IX Header "EXAMPLES" -To sign a message using an ML-DSA EVP_PKEY structure: +To sign a message using an ML\-DSA EVP_PKEY structure: .PP .Vb 10 \& void do_sign(EVP_PKEY *key, unsigned char *msg, size_t msg_len) 
@@ -172,7 +175,7 @@ FIPS 204 <https://csrc.nist.gov/pubs/fips/204/final> This functionality was added in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2025 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2025\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-RSA.7 b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-RSA.7 index c4b8a85899e4..c455837e9c34 100644 --- a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-RSA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-RSA.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SIGNATURE-RSA 7ossl" -.TH EVP_SIGNATURE-RSA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SIGNATURE-RSA 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -80,7 +83,7 @@ The base signature algorithm, supported explicitly fetched with RSA keys) with \fBEVP_DigestSignInit\fR\|(3) and \&\fBEVP_DigestVerifyInit\fR\|(3). .Sp -It can't be used with \fBEVP_PKEY_sign_message_init\fR\|(3) +It can\*(Aqt be used with \fBEVP_PKEY_sign_message_init\fR\|(3) .IP """RSA\-RIPEMD160"", ""ripemd160WithRSA"", ""1.3.36.3.3.1.2""" 4 .IX Item """RSA-RIPEMD160"", ""ripemd160WithRSA"", ""1.3.36.3.3.1.2""" .PD 0 
@@ -110,7 +113,7 @@ It can't be used with \fBEVP_PKEY_sign_message_init\fR\|(3) PKCS#1 v1.5 RSA signature schemes with diverse message digest algorithms. They are all supported explicitly fetched with \fBEVP_PKEY_sign_init_ex2\fR\|(3) and \&\fBEVP_PKEY_sign_message_init\fR\|(3). -They are all pre-set to use the pad mode "pkcs1". This cannot be changed. +They are all pre\-set to use the pad mode "pkcs1". This cannot be changed. .SS "Signature Parameters" .IX Subsection "Signature Parameters" The following signature parameters can be set using \fBEVP_PKEY_CTX_set_params()\fR. @@ -127,7 +130,7 @@ These are not supported with the RSA signature schemes that already include a message digest algorithm, See "Algorithm Names" above. .Sp These common parameters are described in \fBprovider\-signature\fR\|(7). -.IP """pad-mode"" (\fBOSSL_SIGNATURE_PARAM_PAD_MODE\fR) <UTF8 string>" 4 +.IP """pad\-mode"" (\fBOSSL_SIGNATURE_PARAM_PAD_MODE\fR) <UTF8 string>" 4 .IX Item """pad-mode"" (OSSL_SIGNATURE_PARAM_PAD_MODE) <UTF8 string>" The type of padding to be used. Its value can be one of the following: .RS 4 @@ -147,10 +150,8 @@ generation, but may be used for signature verification for legacy use cases. .RE .RS 4 .RE -.PD 0 .IP """mgf1\-digest"" (\fBOSSL_SIGNATURE_PARAM_MGF1_DIGEST\fR) <UTF8 string>" 4 .IX Item """mgf1-digest"" (OSSL_SIGNATURE_PARAM_MGF1_DIGEST) <UTF8 string>" -.PD The digest algorithm name to use for the maskGenAlgorithm used by "pss" mode. .IP """mgf1\-properties"" (\fBOSSL_SIGNATURE_PARAM_MGF1_PROPERTIES\fR) <UTF8 string>" 4 .IX Item """mgf1-properties"" (OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES) <UTF8 string>" 
@@ -170,7 +171,7 @@ Use the maximum salt length. .IP """auto"" (\fBOSSL_PKEY_RSA_PSS_SALT_LEN_AUTO\fR)" 4 .IX Item """auto"" (OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO)" Auto detect the salt length. -.IP """auto-digestmax"" (\fBOSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX\fR)" 4 +.IP """auto\-digestmax"" (\fBOSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX\fR)" 4 .IX Item """auto-digestmax"" (OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX)" Auto detect the salt length when verifying. Maximize the salt length up to the digest size when signing to comply with FIPS 186\-4 section 5.5. 
@@ -179,40 +180,40 @@ digest size when signing to comply with FIPS 186\-4 section 5.5. .RE .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """key-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK) <integer>" .PD 0 -.IP """digest-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK) <integer>" .IP """sign\-x931\-pad\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK\fR) <integer>" 4 .IX Item """sign-x931-pad-check"" (OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK) <integer>" .PD These parameters are described in \fBprovider\-signature\fR\|(7). -.IP """rsa-pss-saltlen-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK\fR) <integer>" 4 +.IP """rsa\-pss\-saltlen\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK\fR) <integer>" 4 .IX Item """rsa-pss-saltlen-check"" (OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK) <integer>" The default value of 1 causes an error during signature generation or verification if salt length (\fBOSSL_SIGNATURE_PARAM_PSS_SALTLEN\fR) is not between zero and the output block size of the digest function (inclusive). -Setting this to zero will ignore the error and set the approved "fips-indicator" +Setting this to zero will ignore the error and set the approved "fips\-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .PP The following signature parameters can be retrieved using \&\fBEVP_PKEY_CTX_get_params()\fR. 
-.IP """algorithm-id"" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string>" 4 +.IP """algorithm\-id"" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string>" 4 .IX Item """algorithm-id"" (OSSL_SIGNATURE_PARAM_ALGORITHM_ID) <octet string>" .PD 0 -.IP """fips-indicator"" (\fBOSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR) <integer>" -.IP """verify-message"" (\fBOSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE\fR <integer>" 4 +.IP """verify\-message"" (\fBOSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE\fR <integer>" 4 .IX Item """verify-message"" (OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE <integer>" .PD These common parameter are described in \fBprovider\-signature\fR\|(7). .IP """digest"" (\fBOSSL_SIGNATURE_PARAM_DIGEST\fR) <UTF8 string>" 4 .IX Item """digest"" (OSSL_SIGNATURE_PARAM_DIGEST) <UTF8 string>" .PD 0 -.IP """pad-mode"" (\fBOSSL_SIGNATURE_PARAM_PAD_MODE\fR) <UTF8 string>" 4 +.IP """pad\-mode"" (\fBOSSL_SIGNATURE_PARAM_PAD_MODE\fR) <UTF8 string>" 4 .IX Item """pad-mode"" (OSSL_SIGNATURE_PARAM_PAD_MODE) <UTF8 string>" .IP """mgf1\-digest"" (\fBOSSL_SIGNATURE_PARAM_MGF1_DIGEST\fR) <UTF8 string>" 4 .IX Item """mgf1-digest"" (OSSL_SIGNATURE_PARAM_MGF1_DIGEST) <UTF8 string>" @@ -228,7 +229,7 @@ These parameters are as described above. \&\fBprovider\-signature\fR\|(7), .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-SLH-DSA.7 b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-SLH-DSA.7 index 79d43741e1a2..caed88a4329e 100644 
--- a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-SLH-DSA.7 +++ b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-SLH-DSA.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_SIGNATURE-SLH-DSA 7ossl" -.TH EVP_SIGNATURE-SLH-DSA 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_SIGNATURE-SLH-DSA 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -68,7 +71,7 @@ EVP_SIGNATURE\-SLH\-DSA\-SHA2\-256s, EVP_SIGNATURE\-SLH\-DSA\-SHA2\-256f, EVP_SIGNATURE\-SLH\-DSA\-SHAKE\-128s, EVP_SIGNATURE\-SLH\-DSA\-SHAKE\-128f, EVP_SIGNATURE\-SLH\-DSA\-SHAKE\-192s, EVP_SIGNATURE\-SLH\-DSA\-SHAKE\-192f, EVP_SIGNATURE\-SLH\-DSA\-SHAKE\-256s, EVP_SIGNATURE\-SLH\-DSA\-SHAKE\-256f -\&\- EVP_PKEY SLH\-DSA support +\&\- The EVP_PKEY SLH\-DSA signature implementations .SH DESCRIPTION .IX Header "DESCRIPTION" The \fBSLH\-DSA\-SHA2\-128s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHA2\-128f\fR, 
@@ -77,7 +80,7 @@ The \fBSLH\-DSA\-SHA2\-128s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHA2\-128f\fR, \&\fBSLH\-DSA\-SHAKE\-128s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHAKE\-128f\fR, \&\fBSLH\-DSA\-SHAKE\-192s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHAKE\-192f\fR, \&\fBSLH\-DSA\-SHAKE\-256s\fR and \fBEVP_PKEY\-SLH\-DSA\-SHAKE\-256f\fR EVP_PKEY implementations -supports key generation, one-shot sign and verify using the SLH-DSA +supports key generation, one\-shot sign and verify using the SLH\-DSA signature schemes described in FIPS 205. .PP The different algorithms names correspond to the parameter sets defined in 
@@ -86,45 +89,45 @@ FIPS 205 Section 11 Table 2. (The signatures range from ~8K to ~50K depending on the type chosen). There are 3 different security categories also depending on the type. .PP -\&\fBEVP_SIGNATURE_fetch\fR\|(3) can be used to explicitely fetch one of the 12 +\&\fBEVP_SIGNATURE_fetch\fR\|(3) can be used to explicitly fetch one of the 12 algorithms which can then be used with \fBEVP_PKEY_sign_message_init\fR\|(3), \&\fBEVP_PKEY_sign\fR\|(3), \fBEVP_PKEY_verify_message_init\fR\|(3), and -\&\fBEVP_PKEY_verify\fR\|(3) to perform one-shot message signing or verification. +\&\fBEVP_PKEY_verify\fR\|(3) to perform one\-shot message signing or verification. .PP -The normal signing process (called Pure SLH-DSA Signature Generation) +The normal signing process (called Pure SLH\-DSA Signature Generation) encodes the message internally as 0x00 || len(ctx) || ctx || message. where \fBctx\fR is some optional value of size 0x00..0xFF. OpenSSL also allows the message to not be encoded which is required for -testing. OpenSSL does not support Pre Hash SLH-DSA Signature Generation, but this -may be done by the user by doing Pre hash encoding externally and then chosing +testing. OpenSSL does not support Pre Hash SLH\-DSA Signature Generation, but this +may be done by the user by doing Pre hash encoding externally and then choosing the option to not encode the message. -.SS "SLH-DSA Signature Parameters" +.SS "SLH\-DSA Signature Parameters" .IX Subsection "SLH-DSA Signature Parameters" The \f(CW\*(C`context\-string\*(C'\fR parameter, described below, can be used for both signing and verification. 
It may be set by passing an OSSL_PARAM array to \fBEVP_PKEY_sign_init_ex2\fR\|(3) or \&\fBEVP_PKEY_verify_init_ex2\fR\|(3) -.IP """context-string"" (\fBOSSL_SIGNATURE_PARAM_CONTEXT_STRING\fR) <octet string>" 4 +.IP """context\-string"" (\fBOSSL_SIGNATURE_PARAM_CONTEXT_STRING\fR) <octet string>" 4 .IX Item """context-string"" (OSSL_SIGNATURE_PARAM_CONTEXT_STRING) <octet string>" A string of octets with length at most 255. By default it is the empty string. .PP The following parameters can be used when signing: They can be set by passing an OSSL_PARAM array to \fBEVP_PKEY_sign_init_ex2\fR\|(3). -.IP """message-encoding"" (\fBOSSL_SIGNATURE_PARAM_MESSAGE_ENCODING\fR) <integer>" 4 +.IP """message\-encoding"" (\fBOSSL_SIGNATURE_PARAM_MESSAGE_ENCODING\fR) <integer>" 4 .IX Item """message-encoding"" (OSSL_SIGNATURE_PARAM_MESSAGE_ENCODING) <integer>" -The default value of 1 uses 'Pure SLH-DSA Signature Generation' as described +The default value of 1 uses \*(AqPure SLH\-DSA Signature Generation\*(Aq as described above. Setting it to 0 does not encode the message, which is used for testing, -but can also be used for 'Pre Hash SLH-DSA Signature Generation'. -.IP """test-entropy"" (\fBOSSL_SIGNATURE_PARAM_TEST_ENTROPY <octet string\fR" 4 +but can also be used for \*(AqPre Hash SLH\-DSA Signature Generation\*(Aq. +.IP """test\-entropy"" (\fBOSSL_SIGNATURE_PARAM_TEST_ENTROPY <octet string\fR" 4 .IX Item """test-entropy"" (OSSL_SIGNATURE_PARAM_TEST_ENTROPY <octet string" Used for testing to pass a optional random value. .IP """deterministic"" (\fBOSSL_SIGNATURE_PARAM_DETERMINISTIC\fR) <integer>" 4 .IX Item """deterministic"" (OSSL_SIGNATURE_PARAM_DETERMINISTIC) <integer>" The default value of 0 generates a random value (using a DRBG) this is used when processing the message. Setting this to 1 causes the private key seed to be used -instead. This value is ignored if "test-entropy" is set. +instead. This value is ignored if "test\-entropy" is set. 
.PP -See \fBEVP_PKEY\-SLH\-DSA\fR\|(7) for information related to \fBSLH-DSA\fR keys. +See \fBEVP_PKEY\-SLH\-DSA\fR\|(7) for information related to \fBSLH\-DSA\fR keys. .SH NOTES .IX Header "NOTES" For backwards compatibility reasons \fBEVP_DigestSignInit_ex()\fR, \fBEVP_DigestSign()\fR, @@ -132,7 +135,7 @@ For backwards compatibility reasons \fBEVP_DigestSignInit_ex()\fR, \fBEVP_Digest passed in \fImdname\fR must be NULL. .SH EXAMPLES .IX Header "EXAMPLES" -To sign a message using an SLH-DSA EVP_PKEY structure: +To sign a message using an SLH\-DSA EVP_PKEY structure: .PP .Vb 10 \& void do_sign(EVP_PKEY *key, unsigned char *msg, size_t msg_len) @@ -168,7 +171,7 @@ To sign a message using an SLH-DSA EVP_PKEY structure: This functionality was added in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2024\-2025 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2024\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-FIPS.7 b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-FIPS.7 index 2ec89d2a6f38..34e83f28b28a 100644 --- a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-FIPS.7 +++ b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-FIPS.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PROVIDER-FIPS 7ossl" -.TH OSSL_PROVIDER-FIPS 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PROVIDER-FIPS 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -65,7 +68,7 @@ OSSL_PROVIDER\-FIPS \- OpenSSL FIPS provider .SH DESCRIPTION .IX Header "DESCRIPTION" The OpenSSL FIPS provider is a special provider that conforms to the Federal -Information Processing Standards (FIPS) specified in FIPS 140\-3. This 'module' +Information Processing Standards (FIPS) specified in FIPS 140\-3. This \*(Aqmodule\*(Aq contains an approved set of cryptographic algorithms that is validated by an accredited testing laboratory. .SS Properties @@ -87,7 +90,7 @@ functions that take a property query string, such as To be FIPS compliant, it is mandatory to include \f(CW\*(C`fips=yes\*(C'\fR as part of all property queries. This ensures that only FIPS approved implementations are used for cryptographic operations. The \f(CW\*(C`fips=yes\*(C'\fR -query may also include other non-crypto support operations that +query may also include other non\-crypto support operations that are not in the FIPS provider, such as asymmetric key encoders, see "Asymmetric Key Management" in \fBOSSL_PROVIDER\-default\fR\|(7). .PP @@ -117,7 +120,7 @@ The OpenSSL FIPS provider supports these operations and algorithms: .IX Item "SHA2, see EVP_MD-SHA2" .IP "SHA3, see \fBEVP_MD\-SHA3\fR\|(7)" 4 .IX Item "SHA3, see EVP_MD-SHA3" -.IP "KECCAK-KMAC, see \fBEVP_MD\-KECCAK\-KMAC\fR\|(7)" 4 +.IP "KECCAK\-KMAC, see \fBEVP_MD\-KECCAK\-KMAC\fR\|(7)" 4 .IX Item "KECCAK-KMAC, see EVP_MD-KECCAK-KMAC" .IP "SHAKE, see \fBEVP_MD\-SHAKE\fR\|(7)" 4 .IX Item "SHAKE, see EVP_MD-SHAKE" 
@@ -177,7 +180,7 @@ The OpenSSL FIPS provider supports these operations and algorithms: .IX Item "X25519, see EVP_KEYEXCH-X25519" .IP "X448, see \fBEVP_KEYEXCH\-X448\fR\|(7)" 4 .IX Item "X448, see EVP_KEYEXCH-X448" -.IP "ML-KEM, see \fBEVP_KEM\-ML\-KEM\fR\|(7)" 4 +.IP "ML\-KEM, see \fBEVP_KEM\-ML\-KEM\fR\|(7)" 4 .IX Item "ML-KEM, see EVP_KEM-ML-KEM" .IP TLS1\-PRF 4 .IX Item "TLS1-PRF" @@ -206,7 +209,7 @@ for signature generation, but may be used for verification for legacy use cases. .IX Item "ML-DSA-65, see EVP_SIGNATURE-ML-DSA" .IP "ML\-DSA\-87, see \fBEVP_SIGNATURE\-ML\-DSA\fR\|(7)" 4 .IX Item "ML-DSA-87, see EVP_SIGNATURE-ML-DSA" -.IP "SLH-DSA, see \fBEVP_SIGNATURE\-SLH\-DSA\fR\|(7)" 4 +.IP "SLH\-DSA, see \fBEVP_SIGNATURE\-SLH\-DSA\fR\|(7)" 4 .IX Item "SLH-DSA, see EVP_SIGNATURE-SLH-DSA" .IP "HMAC, see \fBEVP_SIGNATURE\-HMAC\fR\|(7)" 4 .IX Item "HMAC, see EVP_SIGNATURE-HMAC" @@ -219,10 +222,8 @@ for signature generation, but may be used for verification for legacy use cases. .IX Item "RSA, see EVP_ASYM_CIPHER-RSA" .SS "Asymmetric Key Encapsulation" .IX Subsection "Asymmetric Key Encapsulation" -.PD 0 .IP "RSA, see \fBEVP_KEM\-RSA\fR\|(7)" 4 .IX Item "RSA, see EVP_KEM-RSA" -.PD .SS "Asymmetric Key Management" .IX Subsection "Asymmetric Key Management" .IP "DH, see \fBEVP_KEYMGMT\-DH\fR\|(7)" 4 @@ -234,7 +235,7 @@ for signature generation, but may be used for verification for legacy use cases. .IX Item "DSA, see EVP_KEYMGMT-DSA" .IP "RSA, see \fBEVP_KEYMGMT\-RSA\fR\|(7)" 4 .IX Item "RSA, see EVP_KEYMGMT-RSA" -.IP RSA-PSS 4 +.IP RSA\-PSS 4 .IX Item "RSA-PSS" .IP "EC, see \fBEVP_KEYMGMT\-EC\fR\|(7)" 4 .IX Item "EC, see EVP_KEYMGMT-EC" 
@@ -295,19 +296,19 @@ included in SP 800\-56Arev3 are not approved for key agreement". .PD .SS "Random Number Generation" .IX Subsection "Random Number Generation" -.IP "CRNG-TEST, see \fBEVP_RAND\-CRNG\-TEST\fR\|(7)" 4 +.IP "CRNG\-TEST, see \fBEVP_RAND\-CRNG\-TEST\fR\|(7)" 4 .IX Item "CRNG-TEST, see EVP_RAND-CRNG-TEST" .PD 0 -.IP "CTR-DRBG, see \fBEVP_RAND\-CTR\-DRBG\fR\|(7)" 4 +.IP "CTR\-DRBG, see \fBEVP_RAND\-CTR\-DRBG\fR\|(7)" 4 .IX Item "CTR-DRBG, see EVP_RAND-CTR-DRBG" -.IP "HASH-DRBG, see \fBEVP_RAND\-HASH\-DRBG\fR\|(7)" 4 +.IP "HASH\-DRBG, see \fBEVP_RAND\-HASH\-DRBG\fR\|(7)" 4 .IX Item "HASH-DRBG, see EVP_RAND-HASH-DRBG" -.IP "HMAC-DRBG, see \fBEVP_RAND\-HMAC\-DRBG\fR\|(7)" 4 +.IP "HMAC\-DRBG, see \fBEVP_RAND\-HMAC\-DRBG\fR\|(7)" 4 .IX Item "HMAC-DRBG, see EVP_RAND-HMAC-DRBG" -.IP "TEST-RAND, see \fBEVP_RAND\-TEST\-RAND\fR\|(7)" 4 +.IP "TEST\-RAND, see \fBEVP_RAND\-TEST\-RAND\fR\|(7)" 4 .IX Item "TEST-RAND, see EVP_RAND-TEST-RAND" .PD -TEST-RAND is an unapproved algorithm. +TEST\-RAND is an unapproved algorithm. .SH "SELF TESTING" .IX Header "SELF TESTING" A requirement of FIPS modules is to run cryptographic algorithm self tests. 
@@ -400,11 +401,11 @@ The FIPS module passes the following descriptions(s) to \fBOSSL_SELF_TEST_onbegi .IX Item """EDDSA"" (OSSL_SELF_TEST_DESC_PCT_EDDSA)" .IP """DSA"" (\fBOSSL_SELF_TEST_DESC_PCT_DSA\fR)" 4 .IX Item """DSA"" (OSSL_SELF_TEST_DESC_PCT_DSA)" -.IP """ML-DSA"" (\fBOSSL_SELF_TEST_DESC_PCT_ML_DSA\fR)" 4 +.IP """ML\-DSA"" (\fBOSSL_SELF_TEST_DESC_PCT_ML_DSA\fR)" 4 .IX Item """ML-DSA"" (OSSL_SELF_TEST_DESC_PCT_ML_DSA)" -.IP """ML-KEM"" (\fBOSSL_SELF_TEST_DESC_PCT_ML_KEM\fR)" 4 +.IP """ML\-KEM"" (\fBOSSL_SELF_TEST_DESC_PCT_ML_KEM\fR)" 4 .IX Item """ML-KEM"" (OSSL_SELF_TEST_DESC_PCT_ML_KEM)" -.IP """SLH-DSA"" (\fBOSSL_SELF_TEST_DESC_PCT_SLH_DSA\fR)" 4 +.IP """SLH\-DSA"" (\fBOSSL_SELF_TEST_DESC_PCT_SLH_DSA\fR)" 4 .IX Item """SLH-DSA"" (OSSL_SELF_TEST_DESC_PCT_SLH_DSA)" .PD Key generation tests used with the "Pairwise_Consistency_Test" type. @@ -415,12 +416,12 @@ Key generation tests used with the "Pairwise_Consistency_Test" type. .IX Item """RSA_Decrypt"" (OSSL_SELF_TEST_DESC_ASYM_RSA_DEC)" .PD "KAT_AsymmetricCipher" uses this to indicate an encrypt or decrypt KAT. -.IP """ML-DSA"" (\fBOSSL_SELF_TEST_DESC_KEYGEN_ML_DSA\fR)" 4 +.IP """ML\-DSA"" (\fBOSSL_SELF_TEST_DESC_KEYGEN_ML_DSA\fR)" 4 .IX Item """ML-DSA"" (OSSL_SELF_TEST_DESC_KEYGEN_ML_DSA)" .PD 0 -.IP """ML-KEM"" (\fBOSSL_SELF_TEST_DESC_KEYGEN_ML_KEM\fR)" 4 +.IP """ML\-KEM"" (\fBOSSL_SELF_TEST_DESC_KEYGEN_ML_KEM\fR)" 4 .IX Item """ML-KEM"" (OSSL_SELF_TEST_DESC_KEYGEN_ML_KEM)" -.IP """SLH-DSA"" (\fBOSSL_SELF_TEST_DESC_KEYGEN_SLH_DSA\fR)" 4 +.IP """SLH\-DSA"" (\fBOSSL_SELF_TEST_DESC_KEYGEN_SLH_DSA\fR)" 4 .IX Item """SLH-DSA"" (OSSL_SELF_TEST_DESC_KEYGEN_SLH_DSA)" .PD "KAT_AsymmetricKeyGeneration" uses this to indicate a key generation KAT. 
@@ -451,9 +452,9 @@ Digest tests used with the "KAT_Digest" type. .IX Item """ECDSA"" (OSSL_SELF_TEST_DESC_SIGN_ECDSA)" .IP """EDDSA"" (\fBOSSL_SELF_TEST_DESC_SIGN_EDDSA\fR)" 4 .IX Item """EDDSA"" (OSSL_SELF_TEST_DESC_SIGN_EDDSA)" -.IP """ML-DSA"" (\fBOSSL_SELF_TEST_DESC_SIGN_ML_DSA\fR)" 4 +.IP """ML\-DSA"" (\fBOSSL_SELF_TEST_DESC_SIGN_ML_DSA\fR)" 4 .IX Item """ML-DSA"" (OSSL_SELF_TEST_DESC_SIGN_ML_DSA)" -.IP """SLH-DSA"" (\fBOSSL_SELF_TEST_DESC_SIGN_SLH_DSA\fR)" 4 +.IP """SLH\-DSA"" (\fBOSSL_SELF_TEST_DESC_SIGN_SLH_DSA\fR)" 4 .IX Item """SLH-DSA"" (OSSL_SELF_TEST_DESC_SIGN_SLH_DSA)" .PD Signature tests used with the "KAT_Signature" type. @@ -562,7 +563,7 @@ Some released versions of OpenSSL do not include a validated FIPS provider. To determine which versions have undergone the validation process, please refer to the OpenSSL Downloads page <https://www.openssl.org/source/>. If you -require FIPS-approved functionality, it is essential to build your FIPS +require FIPS\-approved functionality, it is essential to build your FIPS provider using one of the validated versions listed there. Normally, it is possible to utilize a FIPS provider constructed from one of the validated versions alongside \fIlibcrypto\fR and \fIlibssl\fR compiled from any diff --git a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-base.7 b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-base.7 index 0d978cc170ec..631e64fcf491 100644 --- a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-base.7 +++ b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-base.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PROVIDER-BASE 7ossl" -.TH OSSL_PROVIDER-BASE 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PROVIDER-BASE 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -64,7 +67,7 @@ OSSL_PROVIDER\-base \- OpenSSL base provider .SH DESCRIPTION .IX Header "DESCRIPTION" -The OpenSSL base provider supplies the encoding for OpenSSL's +The OpenSSL base provider supplies the encoding for OpenSSL\*(Aqs asymmetric cryptography. .SS Properties .IX Subsection "Properties" @@ -75,7 +78,7 @@ defined: .PP It may be used in a property query string with fetching functions. .PP -It isn't mandatory to query for this property, except to make sure to get +It isn\*(Aqt mandatory to query for this property, except to make sure to get implementations of this provider and none other. .IP """type=parameters""" 4 .IX Item """type=parameters""" @@ -106,21 +109,21 @@ currently permitted. The OpenSSL base provider supports these operations and algorithms: .SS "Random Number Generation" .IX Subsection "Random Number Generation" -.IP "SEED-SRC, see \fBEVP_RAND\-SEED\-SRC\fR\|(7)" 4 +.IP "SEED\-SRC, see \fBEVP_RAND\-SEED\-SRC\fR\|(7)" 4 .IX Item "SEED-SRC, see EVP_RAND-SEED-SRC" .PD 0 .IP "JITTER, see \fBEVP_RAND\-JITTER\fR\|(7)" 4 .IX Item "JITTER, see EVP_RAND-JITTER" .PD .PP -In addition to this provider, the "SEED-SRC" and "JITTER" algorithms +In addition to this provider, the "SEED\-SRC" and "JITTER" algorithms are also available in the default provider. .SS "Asymmetric Key Encoder" .IX Subsection "Asymmetric Key Encoder" .IP RSA 4 .IX Item "RSA" .PD 0 -.IP RSA-PSS 4 +.IP RSA\-PSS 4 .IX Item "RSA-PSS" .IP DH 4 .IX Item "DH" 
@@ -186,7 +189,7 @@ combination with the FIPS provider. .IP RSA 4 .IX Item "RSA" .PD 0 -.IP RSA-PSS 4 +.IP RSA\-PSS 4 .IX Item "RSA-PSS" .IP DH 4 .IX Item "DH" @@ -268,7 +271,7 @@ available in the default provider. .IX Header "HISTORY" This functionality was added in OpenSSL 3.0. .PP -Support for \fBML-DSA\fR and <ML\-KEM> was added in OpenSSL 3.5. +Support for \fBML\-DSA\fR and <ML\-KEM> was added in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2020\-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-default.7 b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-default.7 index 6d3ee808f7db..66f561576b91 100644 --- a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-default.7 +++ b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-default.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PROVIDER-DEFAULT 7ossl" -.TH OSSL_PROVIDER-DEFAULT 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PROVIDER-DEFAULT 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -64,15 +67,15 @@ OSSL_PROVIDER\-default \- OpenSSL default provider .SH DESCRIPTION .IX Header "DESCRIPTION" -The OpenSSL default provider supplies the majority of OpenSSL's diverse -algorithm implementations. If an application doesn't specify anything else +The OpenSSL default provider supplies the majority of OpenSSL\*(Aqs diverse +algorithm implementations. If an application doesn\*(Aqt specify anything else explicitly (e.g. in the application or via config), then this is the provider that will be used as fallback: It is loaded automatically the first time that an algorithm is fetched from a provider or a function acting on providers is called and no other provider has been loaded yet. .PP If an attempt to load a provider has already been made (whether successful -or not) then the default provider won't be loaded automatically. Therefore +or not) then the default provider won\*(Aqt be loaded automatically. Therefore if the default provider is to be used in conjunction with other providers then it must be loaded explicitly. Automatic loading of the default provider only occurs a maximum of once; if the default provider is @@ -90,7 +93,7 @@ It may be used in a property query string with fetching functions such as functions that take a property query string, such as \&\fBEVP_PKEY_CTX_new_from_name\fR\|(3). .PP -It isn't mandatory to query for this property, except to make sure to get +It isn\*(Aqt mandatory to query for this property, except to make sure to get implementations of this provider and none other. .PP Some implementations may define additional properties. Exact information is 
@@ -109,7 +112,7 @@ The OpenSSL default provider supports these operations and algorithms: .IX Item "SHA3, see EVP_MD-SHA3" .IP "KECCAK, see \fBEVP_MD\-KECCAK\fR\|(7)" 4 .IX Item "KECCAK, see EVP_MD-KECCAK" -.IP "KECCAK-KMAC, see \fBEVP_MD\-KECCAK\-KMAC\fR\|(7)" 4 +.IP "KECCAK\-KMAC, see \fBEVP_MD\-KECCAK\-KMAC\fR\|(7)" 4 .IX Item "KECCAK-KMAC, see EVP_MD-KECCAK-KMAC" .IP "SHAKE, see \fBEVP_MD\-SHAKE\fR\|(7)" 4 .IX Item "SHAKE, see EVP_MD-SHAKE" @@ -193,7 +196,7 @@ The OpenSSL default provider supports these operations and algorithms: .IX Item "SCRYPT, see EVP_KDF-SCRYPT" .IP "KRB5KDF, see \fBEVP_KDF\-KRB5KDF\fR\|(7)" 4 .IX Item "KRB5KDF, see EVP_KDF-KRB5KDF" -.IP "HMAC-DRBG, see \fBEVP_KDF\-HMAC\-DRBG\fR\|(7)" 4 +.IP "HMAC\-DRBG, see \fBEVP_KDF\-HMAC\-DRBG\fR\|(7)" 4 .IX Item "HMAC-DRBG, see EVP_KDF-HMAC-DRBG" .IP "ARGON2, see \fBEVP_KDF\-ARGON2\fR\|(7)" 4 .IX Item "ARGON2, see EVP_KDF-ARGON2" @@ -309,7 +312,7 @@ The OpenSSL default provider supports these operations and algorithms: .PD 0 .IP "RSA, see \fBEVP_KEYMGMT\-RSA\fR\|(7)" 4 .IX Item "RSA, see EVP_KEYMGMT-RSA" -.IP RSA-PSS 4 +.IP RSA\-PSS 4 .IX Item "RSA-PSS" .IP "EC, see \fBEVP_KEYMGMT\-EC\fR\|(7)" 4 .IX Item "EC, see EVP_KEYMGMT-EC" 
@@ -380,29 +383,29 @@ The OpenSSL default provider supports these operations and algorithms: .PD .SS "Random Number Generation" .IX Subsection "Random Number Generation" -.IP "CTR-DRBG, see \fBEVP_RAND\-CTR\-DRBG\fR\|(7)" 4 +.IP "CTR\-DRBG, see \fBEVP_RAND\-CTR\-DRBG\fR\|(7)" 4 .IX Item "CTR-DRBG, see EVP_RAND-CTR-DRBG" .PD 0 -.IP "HASH-DRBG, see \fBEVP_RAND\-HASH\-DRBG\fR\|(7)" 4 +.IP "HASH\-DRBG, see \fBEVP_RAND\-HASH\-DRBG\fR\|(7)" 4 .IX Item "HASH-DRBG, see EVP_RAND-HASH-DRBG" -.IP "HMAC-DRBG, see \fBEVP_RAND\-HMAC\-DRBG\fR\|(7)" 4 +.IP "HMAC\-DRBG, see \fBEVP_RAND\-HMAC\-DRBG\fR\|(7)" 4 .IX Item "HMAC-DRBG, see EVP_RAND-HMAC-DRBG" -.IP "SEED-SRC, see \fBEVP_RAND\-SEED\-SRC\fR\|(7)" 4 +.IP "SEED\-SRC, see \fBEVP_RAND\-SEED\-SRC\fR\|(7)" 4 .IX Item "SEED-SRC, see EVP_RAND-SEED-SRC" .IP "JITTER, see \fBEVP_RAND\-JITTER\fR\|(7)" 4 .IX Item "JITTER, see EVP_RAND-JITTER" -.IP "TEST-RAND, see \fBEVP_RAND\-TEST\-RAND\fR\|(7)" 4 +.IP "TEST\-RAND, see \fBEVP_RAND\-TEST\-RAND\fR\|(7)" 4 .IX Item "TEST-RAND, see EVP_RAND-TEST-RAND" .PD .PP -In addition to this provider, the "SEED-SRC" and "JITTER" algorithms +In addition to this provider, the "SEED\-SRC" and "JITTER" algorithms are also available in the base provider. .SS "Asymmetric Key Encoder" .IX Subsection "Asymmetric Key Encoder" .IP RSA 4 .IX Item "RSA" .PD 0 -.IP RSA-PSS 4 +.IP RSA\-PSS 4 .IX Item "RSA-PSS" .IP DH 4 .IX Item "DH" @@ -468,7 +471,7 @@ combination with the FIPS provider. .IP RSA 4 .IX Item "RSA" .PD 0 -.IP RSA-PSS 4 +.IP RSA\-PSS 4 .IX Item "RSA-PSS" .IP DH 4 .IX Item "DH" diff --git a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-legacy.7 b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-legacy.7 index 6626df7f56ed..8779903eb138 100644 --- a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-legacy.7 +++ b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-legacy.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PROVIDER-LEGACY 7ossl" -.TH OSSL_PROVIDER-LEGACY 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PROVIDER-LEGACY 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -82,7 +85,7 @@ It may be used in a property query string with fetching functions such as functions that take a property query string, such as \&\fBEVP_PKEY_CTX_new_from_name\fR\|(3). .PP -It isn't mandatory to query for any of these properties, except to +It isn\*(Aqt mandatory to query for any of these properties, except to make sure to get implementations of this provider and none other. .SH "OPERATIONS AND ALGORITHMS" .IX Header "OPERATIONS AND ALGORITHMS" @@ -130,9 +133,9 @@ Disabled by default. Use \fIenable\-rc5\fR config option to enable. .IX Item "SEED, see EVP_CIPHER-SEED" .SS "Key Derivation Function (KDF)" .IX Subsection "Key Derivation Function (KDF)" -.PD 0 .IP PBKDF1 4 .IX Item "PBKDF1" +.PD 0 .IP PVKKDF 4 .IX Item "PVKKDF" .PD diff --git a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-null.7 b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-null.7 index bfff452070ee..e6c9a530123d 100644 --- a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-null.7 +++ b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-null.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_PROVIDER-NULL 7ossl" -.TH OSSL_PROVIDER-NULL 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_PROVIDER-NULL 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/OSSL_STORE-winstore.7 b/secure/lib/libcrypto/man/man7/OSSL_STORE-winstore.7 index 9a7f3d2bb580..d6c82aa5e2dd 100644 --- a/secure/lib/libcrypto/man/man7/OSSL_STORE-winstore.7 +++ b/secure/lib/libcrypto/man/man7/OSSL_STORE-winstore.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_STORE-WINSTORE 7ossl" -.TH OSSL_STORE-WINSTORE 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_STORE-WINSTORE 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -64,7 +67,7 @@ OSSL_STORE\-winstore \- OpenSSL built in OSSL_STORE for Windows .SH DESCRIPTION .IX Header "DESCRIPTION" -The OSSL_STORE implementation for Windows provides access to Windows' system +The OSSL_STORE implementation for Windows provides access to Windows\*(Aq system \&\f(CW\*(C`ROOT\*(C'\fR certificate store through URIs, using the URI scheme \&\f(CW\*(C`org.openssl.winstore\*(C'\fR. .SS "Supported URIs" @@ -111,7 +114,7 @@ The winstore (\f(CW\*(C`org.openssl.winstore\*(C'\fR) implementation was added i .SH NOTES .IX Header "NOTES" OpenSSL uses \fBOSSL_DECODER\fR\|(3) implementations under the hood. -To influence what \fBOSSL_DECODER\fR\|(3) implementations are used, it's advisable +To influence what \fBOSSL_DECODER\fR\|(3) implementations are used, it\*(Aqs advisable to use \fBOSSL_STORE_open_ex\fR\|(3) and set the \fIpropq\fR argument. .SH COPYRIGHT .IX Header "COPYRIGHT" diff --git a/secure/lib/libcrypto/man/man7/RAND.7 b/secure/lib/libcrypto/man/man7/RAND.7 index 07f4e2f7cdf3..9640d3890a6f 100644 --- a/secure/lib/libcrypto/man/man7/RAND.7 +++ b/secure/lib/libcrypto/man/man7/RAND.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RAND 7ossl" -.TH RAND 7ossl 2025-09-30 3.5.4 OpenSSL +.TH RAND 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -67,8 +70,8 @@ RAND .IX Header "DESCRIPTION" Random numbers are a vital part of cryptography, they are needed to provide unpredictability for tasks like key generation, creating salts, and many more. -Software-based generators must be seeded with external randomness before they -can be used as a cryptographically-secure pseudo-random number generator +Software\-based generators must be seeded with external randomness before they +can be used as a cryptographically\-secure pseudo\-random number generator (CSPRNG). The availability of common hardware with special instructions and modern operating systems, which may use items such as interrupt jitter @@ -78,7 +81,7 @@ OpenSSL comes with a default implementation of the RAND API which is based on the deterministic random bit generator (DRBG) model as described in [NIST SP 800\-90A Rev. 1]. The default random generator will initialize automatically on first use and will be fully functional without having -to be initialized ('seeded') explicitly. +to be initialized (\*(Aqseeded\*(Aq) explicitly. It seeds and reseeds itself automatically using trusted random sources provided by the operating system. .PP @@ -95,7 +98,7 @@ For more details on reseeding and error recovery, see \fBEVP_RAND\fR\|(7). .PP For values that should remain secret, you can use \fBRAND_priv_bytes\fR\|(3) instead. -This method does not provide 'better' randomness, it uses the same type of +This method does not provide \*(Aqbetter\*(Aq randomness, it uses the same type of CSPRNG. The intention behind using a dedicated CSPRNG exclusively for private values is that none of its output should be visible to an attacker (e.g., 
@@ -122,7 +125,7 @@ family of functions. .IX Header "DEFAULT SETUP" The default OpenSSL RAND method is based on the EVP_RAND deterministic random bit generator (DRBG) classes. -A DRBG is a certain type of cryptographically-secure pseudo-random +A DRBG is a certain type of cryptographically\-secure pseudo\-random number generator (CSPRNG), which is described in [NIST SP 800\-90A Rev. 1]. .SH "SEE ALSO" .IX Header "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man7/RSA-PSS.7 b/secure/lib/libcrypto/man/man7/RSA-PSS.7 index 6258e5a5a791..97c1c45d3117 100644 --- a/secure/lib/libcrypto/man/man7/RSA-PSS.7 +++ b/secure/lib/libcrypto/man/man7/RSA-PSS.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "RSA-PSS 7ossl" -.TH RSA-PSS 7ossl 2025-09-30 3.5.4 OpenSSL +.TH RSA-PSS 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -64,7 +67,7 @@ RSA\-PSS \- EVP_PKEY RSA\-PSS algorithm support .SH DESCRIPTION .IX Header "DESCRIPTION" -The \fBRSA-PSS\fR EVP_PKEY implementation is a restricted version of the RSA +The \fBRSA\-PSS\fR EVP_PKEY implementation is a restricted version of the RSA algorithm which only supports signing, verification and key generation using PSS padding modes with optional parameter restrictions. .PP 
@@ -87,8 +90,8 @@ By default no parameter restrictions are placed on the generated key. .IX Header "NOTES" The public key format is documented in RFC4055. .PP -The PKCS#8 private key format used for RSA-PSS keys is similar to the RSA -format except it uses the \fBid-RSASSA-PSS\fR OID and the parameters field, if +The PKCS#8 private key format used for RSA\-PSS keys is similar to the RSA +format except it uses the \fBid\-RSASSA\-PSS\fR OID and the parameters field, if present, restricts the key parameters in the same way as the public key. .SH "CONFORMING TO" .IX Header "CONFORMING TO" diff --git a/secure/lib/libcrypto/man/man7/X25519.7 b/secure/lib/libcrypto/man/man7/X25519.7 index 9e8e6265b4d0..60d2d86a2bfb 100644 --- a/secure/lib/libcrypto/man/man7/X25519.7 +++ b/secure/lib/libcrypto/man/man7/X25519.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X25519 7ossl" -.TH X25519 7ossl 2025-09-30 3.5.4 OpenSSL +.TH X25519 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/bio.7 b/secure/lib/libcrypto/man/man7/bio.7 index 22aed27ce473..3a5cc7dacc7d 100644 --- a/secure/lib/libcrypto/man/man7/bio.7 +++ b/secure/lib/libcrypto/man/man7/bio.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "BIO 7ossl" -.TH BIO 7ossl 2025-09-30 3.5.4 OpenSSL +.TH BIO 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -123,7 +126,7 @@ FreeBSD 12.0 and later, supports both client and server TFO. macOS 10.14 and later. .PP Each operating system has a slightly different API for TFO. Please -refer to the operating systems' API documentation when using +refer to the operating systems\*(Aq API documentation when using sockets directly. .SH EXAMPLES .IX Header "EXAMPLES" diff --git a/secure/lib/libcrypto/man/man7/ct.7 b/secure/lib/libcrypto/man/man7/ct.7 index 6f0f30e36b67..29d541dfef34 100644 --- a/secure/lib/libcrypto/man/man7/ct.7 +++ b/secure/lib/libcrypto/man/man7/ct.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "CT 7ossl" -.TH CT 7ossl 2025-09-30 3.5.4 OpenSSL +.TH CT 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/des_modes.7 b/secure/lib/libcrypto/man/man7/des_modes.7 index a04287e3429e..215b021a861f 100644 --- a/secure/lib/libcrypto/man/man7/des_modes.7 +++ b/secure/lib/libcrypto/man/man7/des_modes.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "DES_MODES 7ossl" -.TH DES_MODES 7ossl 2025-09-30 3.5.4 OpenSSL +.TH DES_MODES 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -78,7 +81,7 @@ Normally, this is found as the function \fIalgorithm\fR\fB_ecb_encrypt()\fR. The order of the blocks can be rearranged without detection. .IP \(bu 2 The same plaintext block always produces the same ciphertext block -(for the same key) making it vulnerable to a 'dictionary attack'. +(for the same key) making it vulnerable to a \*(Aqdictionary attack\*(Aq. .IP \(bu 2 An error will only affect one ciphertext block. .SS "Cipher Block Chaining Mode (CBC)" 
@@ -154,15 +157,15 @@ OFB mode of operation does not extend ciphertext errors in the resultant plaintext output. Every bit error in the ciphertext causes only one bit to be in error in the deciphered plaintext. .IP \(bu 2 -OFB mode is not self-synchronizing. If the two operation of +OFB mode is not self\-synchronizing. If the two operation of encipherment and decipherment get out of synchronism, the system needs -to be re-initialized. +to be re\-initialized. .IP \(bu 2 -Each re-initialization should use a value of the start variable +Each re\-initialization should use a value of the start variable different from the start variable values used before with the same key. The reason for this is that an identical bit stream would be produced each time from the same parameters. This would be -susceptible to a 'known plaintext' attack. +susceptible to a \*(Aqknown plaintext\*(Aq attack. .SS "Triple ECB Mode" .IX Subsection "Triple ECB Mode" Normally, this is found as the function \fIalgorithm\fR\fB_ecb3_encrypt()\fR. diff --git a/secure/lib/libcrypto/man/man7/evp.7 b/secure/lib/libcrypto/man/man7/evp.7 index 6e7b80004630..a44d076f6985 100644 --- a/secure/lib/libcrypto/man/man7/evp.7 +++ b/secure/lib/libcrypto/man/man7/evp.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP 7ossl" -.TH EVP 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -69,7 +72,7 @@ evp \- high\-level cryptographic functions .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The EVP library provides a high-level interface to cryptographic +The EVP library provides a high\-level interface to cryptographic functions. .PP The \fBEVP_Seal\fR\fIXXX\fR and \fBEVP_Open\fR\fIXXX\fR @@ -84,7 +87,7 @@ functions. Symmetric encryption is available with the \fBEVP_Encrypt\fR\fIXXX\fR functions. The \fBEVP_Digest\fR\fIXXX\fR functions provide message digests. .PP -The \fBEVP_PKEY\fR\fIXXX\fR functions provide a high-level interface to +The \fBEVP_PKEY\fR\fIXXX\fR functions provide a high\-level interface to asymmetric algorithms. To create a new EVP_PKEY see \&\fBEVP_PKEY_new\fR\|(3). EVP_PKEYs can be associated with a private key of a particular algorithm by using the functions @@ -120,12 +123,12 @@ as defaults, then the various EVP functions will automatically use those implementations automatically in preference to built in software implementations. For more information, consult the \fBengine\fR\|(3) man page. .PP -Although low-level algorithm specific functions exist for many algorithms +Although low\-level algorithm specific functions exist for many algorithms their use is discouraged. They cannot be used with an ENGINE and ENGINE -versions of new algorithms cannot be accessed using the low-level functions. +versions of new algorithms cannot be accessed using the low\-level functions. Also makes code harder to adapt to new algorithms and some options are not -cleanly supported at the low-level and some operations are more efficient -using the high-level interface. +cleanly supported at the low\-level and some operations are more efficient +using the high\-level interface. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_DigestInit\fR\|(3), diff --git a/secure/lib/libcrypto/man/man7/fips_module.7 b/secure/lib/libcrypto/man/man7/fips_module.7 index 69bcfe3c9958..0c08560074ee 100644 --- a/secure/lib/libcrypto/man/man7/fips_module.7 
+++ b/secure/lib/libcrypto/man/man7/fips_module.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "FIPS_MODULE 7ossl" -.TH FIPS_MODULE 7ossl 2025-09-30 3.5.4 OpenSSL +.TH FIPS_MODULE 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -152,7 +155,7 @@ FIPS module config file that you installed earlier. See <https://github.com/openssl/openssl/blob/master/README\-FIPS.md>. .PP For FIPS usage, it is recommended that the \fBconfig_diagnostics\fR option is -enabled to prevent accidental use of non-FIPS validated algorithms via broken +enabled to prevent accidental use of non\-FIPS validated algorithms via broken or mistaken configuration. See \fBconfig\fR\|(5). .PP Any applications that use OpenSSL 3.0 and are started after these changes are @@ -193,7 +196,7 @@ application basis. The default OpenSSL config file depends on the compiled in value for \fBOPENSSLDIR\fR as described in the section above. However it is also possible to override the config file to be used via the \fBOPENSSL_CONF\fR environment variable. For example the following, on Unix, will cause the -application to be executed with a non-standard config file location: +application to be executed with a non\-standard config file location: .PP .Vb 1 \& $ OPENSSL_CONF=/my/nondefault/openssl.cnf myapplication 
@@ -260,7 +263,7 @@ have not explicitly specified via a property query (see below) which one should be used. .PP Also note that in this example we have additionally loaded the "base" provider. -This loads a sub-set of algorithms that are also available in the default +This loads a sub\-set of algorithms that are also available in the default provider \- specifically non cryptographic ones which may be used in conjunction with the FIPS provider. For example this contains algorithms for encoding and decoding keys. If you decide not to load the default provider then you @@ -312,14 +315,14 @@ default property query is defined then the two queries are merged together and both apply. The local property query overrides the default properties if the same property name is specified in both. .PP -There are two important built-in properties that you should be aware of: +There are two important built\-in properties that you should be aware of: .PP The "provider" property enables you to specify which provider you want an implementation to be fetched from, e.g. \f(CW\*(C`provider=default\*(C'\fR or \f(CW\*(C`provider=fips\*(C'\fR. All algorithms implemented in a provider have this property set on them. .PP There is also the \f(CW\*(C`fips\*(C'\fR property. All FIPS algorithms match against the -property query \f(CW\*(C`fips=yes\*(C'\fR. There are also some non-cryptographic algorithms +property query \f(CW\*(C`fips=yes\*(C'\fR. There are also some non\-cryptographic algorithms available in the default and base providers that also have the \f(CW\*(C`fips=yes\*(C'\fR property defined for them. These are the encoder and decoder algorithms that can (for example) be used to write out a key generated in the FIPS provider to a 
@@ -437,7 +440,7 @@ library contexts then the default library context will be automatically used. This could be the case for your own existing applications as well as certain parts of OpenSSL itself. Not all parts of OpenSSL are library context aware. If this happens then you could "accidentally" use the wrong library context for a -particular operation. To be sure this doesn't happen you can load the "null" +particular operation. To be sure this doesn\*(Aqt happen you can load the "null" provider into the default library context. Because a provider has been explicitly loaded, the default provider will not automatically load. This means code using the default context by accident will fail because no algorithms will @@ -455,7 +458,7 @@ you need a decoder to read previously saved keys and parameters. In most cases this will be invisible to you if you are using APIs that existed in OpenSSL 1.1.1 or earlier such as \fBi2d_PrivateKey\fR\|(3). However the appropriate encoder/decoder will need to be available in the library context associated with -the key or parameter object. The built-in OpenSSL encoders and decoders are +the key or parameter object. The built\-in OpenSSL encoders and decoders are implemented in both the default and base providers and are not in the FIPS module boundary. However since they are not cryptographic algorithms themselves it is still possible to use them in conjunction with the FIPS module, and 
@@ -534,11 +537,11 @@ setter. Overriding the check means that the algorithm is not FIPS compliant. \&\fBOSSL_INDICATOR_set_callback\fR\|(3) can be called to register a callback to log unapproved algorithms. At the end of any algorithm operation the approved status can be queried using an algorithm context getter to retrieve the indicator -(e.g. "fips-indicator"). -An example of an algorithm context setter is "key-check" +(e.g. "fips\-indicator"). +An example of an algorithm context setter is "key\-check" in "Supported parameters" in \fBEVP_KDF\-HKDF\fR\|(7). .PP -The following algorithms use "fips-indicator" to query if the algorithm +The following algorithms use "fips\-indicator" to query if the algorithm is approved: .IP "DSA Key generation" 4 .IX Item "DSA Key generation" @@ -569,7 +572,7 @@ See "Supported parameters" in \fBEVP_RAND\-HASH\-DRBG\fR\|(7) and \&\fBEVP_RAND\-HMAC\-DRBG\fR\|(7)/Supported parameters> .IP DES 4 .IX Item "DES" -Triple-DES is not longer approved for encryption. +Triple\-DES is not longer approved for encryption. See "Parameters" in \fBEVP_CIPHER\-DES\fR\|(7) .IP DH 4 .IX Item "DH" @@ -585,8 +588,8 @@ See relevant KDF documentation e.g. "Supported parameters" in \fBEVP_KDF\-HKDF\f See "Supported parameters" in \fBEVP_MAC\-CMAC\fR\|(7) and "Supported parameters" in \fBEVP_MAC\-KMAC\fR\|(7) .PP -The following FIPS algorithms are unapproved and use the "fips-indicator". -.IP RAND-TEST-RAND 4 +The following FIPS algorithms are unapproved and use the "fips\-indicator". +.IP RAND\-TEST\-RAND 4 .IX Item "RAND-TEST-RAND" See "Supported parameters" in \fBEVP_RAND\-TEST\-RAND\fR\|(7) The indicator callback is NOT triggered for this algorithm since it is used 
@@ -599,10 +602,10 @@ The unapproved (non FIPS validated) algorithms have a property query value of .PP The following algorithms use a unique indicator and do not trigger the indicator callback. -.IP "AES-GCM ciphers support the indicator ""iv-generated""" 4 +.IP "AES\-GCM ciphers support the indicator ""iv\-generated""" 4 .IX Item "AES-GCM ciphers support the indicator ""iv-generated""" See "PARAMETERS" in \fBEVP_EncryptInit\fR\|(3) for further information. -.IP "ECDSA and RSA Signatures support the indicator ""verify-message""." 4 +.IP "ECDSA and RSA Signatures support the indicator ""verify\-message""." 4 .IX Item "ECDSA and RSA Signatures support the indicator ""verify-message""." See "ECDSA Signature Parameters" in \fBEVP_SIGNATURE\-ECDSA\fR\|(7) and "Signature Parameters" in \fBEVP_SIGNATURE\-RSA\fR\|(7) /for further information. @@ -612,14 +615,14 @@ Some released versions of OpenSSL do not include a validated FIPS provider. To determine which versions have undergone the validation process, please refer to the OpenSSL Downloads page <https://www.openssl.org/source/>. If you -require FIPS-approved functionality, it is essential to build your FIPS +require FIPS\-approved functionality, it is essential to build your FIPS provider using one of the validated versions listed there. Normally, it is possible to utilize a FIPS provider constructed from one of the validated versions alongside \fIlibcrypto\fR and \fIlibssl\fR compiled from any release within the same major release series. This flexibility enables you to address bug fixes and CVEs that fall outside the FIPS boundary. .PP -As the FIPS provider still supports non-FIPS validated algorithms, +As the FIPS provider still supports non\-FIPS validated algorithms, The property query \f(CW\*(C`fips=yes\*(C'\fR is mandatory for applications that want to operate in a FIPS approved manner. .SH "SEE ALSO" 
diff --git a/secure/lib/libcrypto/man/man7/life_cycle-cipher.7 b/secure/lib/libcrypto/man/man7/life_cycle-cipher.7 index 8ac8518659ef..192fabbbf9f4 100644 --- a/secure/lib/libcrypto/man/man7/life_cycle-cipher.7 +++ b/secure/lib/libcrypto/man/man7/life_cycle-cipher.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "LIFE_CYCLE-CIPHER 7ossl" -.TH LIFE_CYCLE-CIPHER 7ossl 2025-09-30 3.5.4 OpenSSL +.TH LIFE_CYCLE-CIPHER 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -65,11 +68,11 @@ life_cycle\-cipher \- The cipher algorithm life\-cycle .SH DESCRIPTION .IX Header "DESCRIPTION" All symmetric ciphers (CIPHERs) go through a number of stages in their -life-cycle: +life\-cycle: .IP start 4 .IX Item "start" This state represents the CIPHER before it has been allocated. It is the -starting state for any life-cycle transitions. +starting state for any life\-cycle transitions. .IP newed 4 .IX Item "newed" This state represents the CIPHER after it has been allocated. 
@@ -85,12 +88,12 @@ input. There are three possible initialised states: .IX Item "initialised for decryption using EVP_DecryptInit" .IP "initialised for encryption using EVP_EncryptInit" 4 .IX Item "initialised for encryption using EVP_EncryptInit" +.PD .RE .RS 4 .RE .IP updated 4 .IX Item "updated" -.PD These states represent the CIPHER when it is set up and capable of processing additional input or generating output. The three possible states directly correspond to those for initialised above. The three different streams should @@ -101,18 +104,18 @@ This state represents the CIPHER when it has generated output. .IP freed 4 .IX Item "freed" This state is entered when the CIPHER is freed. It is the terminal state -for all life-cycle transitions. +for all life\-cycle transitions. .SS "State Transition Diagram" .IX Subsection "State Transition Diagram" -The usual life-cycle of a CIPHER is illustrated: +The usual life\-cycle of a CIPHER is illustrated: +---------------------------+ | | | start | | | +---------------------------+ + - - - - - - - - - - - - - + - | ' any of the initialised ' - | EVP_CIPHER_CTX_new ' updated or finaled states ' - v ' ' + | \*(Aq any of the initialised \*(Aq + | EVP_CIPHER_CTX_new \*(Aq updated or finaled states \*(Aq + v \*(Aq \*(Aq +---------------------------+ + - - - - - - - - - - - - - + | | | | newed | | EVP_CIPHER_CTX_reset diff --git a/secure/lib/libcrypto/man/man7/life_cycle-digest.7 b/secure/lib/libcrypto/man/man7/life_cycle-digest.7 index 783c078c9b6b..d480dcaabb9b 100644 --- a/secure/lib/libcrypto/man/man7/life_cycle-digest.7 +++ b/secure/lib/libcrypto/man/man7/life_cycle-digest.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "LIFE_CYCLE-DIGEST 7ossl" -.TH LIFE_CYCLE-DIGEST 7ossl 2025-09-30 3.5.4 OpenSSL +.TH LIFE_CYCLE-DIGEST 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -64,11 +67,11 @@ life_cycle\-digest \- The digest algorithm life\-cycle .SH DESCRIPTION .IX Header "DESCRIPTION" -All message digests (MDs) go through a number of stages in their life-cycle: +All message digests (MDs) go through a number of stages in their life\-cycle: .IP start 4 .IX Item "start" This state represents the MD before it has been allocated. It is the -starting state for any life-cycle transitions. +starting state for any life\-cycle transitions. .IP newed 4 .IX Item "newed" This state represents the MD after it has been allocated. @@ -84,7 +87,7 @@ additional input or generating output. .IX Item "finaled" This state represents the MD when it has generated output. For an XOF digest, this state represents the MD when it has generated a -single-shot output. +single\-shot output. .IP squeezed 4 .IX Item "squeezed" For an XOF digest, this state represents the MD when it has generated output. @@ -93,10 +96,10 @@ variable for each call. .IP freed 4 .IX Item "freed" This state is entered when the MD is freed. It is the terminal state -for all life-cycle transitions. +for all life\-cycle transitions. .SS "State Transition Diagram" .IX Subsection "State Transition Diagram" -The usual life-cycle of a MD is illustrated: +The usual life\-cycle of a MD is illustrated: +--------------------+ | start | +--------------------+ 
@@ -104,13 +107,13 @@ The usual life-cycle of a MD is illustrated: | EVP_MD_CTX_new +-------------------------------------------------+ v v | EVP_MD_CTX_reset + - - - - - - - - - - - - - - - - - - - - - - + EVP_MD_CTX_reset | - +-------------------> ' newed ' <--------------------+ | + +-------------------> \*(Aq newed \*(Aq <--------------------+ | | + - - - - - - - - - - - - - - - - - - - - - - + | | | | | | | | EVP_DigestInit | | | v | | | EVP_DigestInit + - - - - - - - - - - - - - - - - - - - - - - + | | - +----+-------------------> ' initialised ' <+ EVP_DigestInit | | + +----+-------------------> \*(Aq initialised \*(Aq <+ EVP_DigestInit | | | | + - - - - - - - - - - - - - - - - - - - - - - + | | | | | | ^ | | | | | | EVP_DigestUpdate | EVP_DigestInit | | | diff --git a/secure/lib/libcrypto/man/man7/life_cycle-kdf.7 b/secure/lib/libcrypto/man/man7/life_cycle-kdf.7 index 29b2b74abfb4..298026602cb5 100644 --- a/secure/lib/libcrypto/man/man7/life_cycle-kdf.7 +++ b/secure/lib/libcrypto/man/man7/life_cycle-kdf.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "LIFE_CYCLE-KDF 7ossl" -.TH LIFE_CYCLE-KDF 7ossl 2025-09-30 3.5.4 OpenSSL +.TH LIFE_CYCLE-KDF 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -65,11 +68,11 @@ life_cycle\-kdf \- The KDF algorithm life\-cycle .SH DESCRIPTION .IX Header "DESCRIPTION" All key derivation functions (KDFs) and pseudo random functions (PRFs) -go through a number of stages in their life-cycle: +go through a number of stages in their life\-cycle: .IP start 4 .IX Item "start" This state represents the KDF/PRF before it has been allocated. It is the -starting state for any life-cycle transitions. +starting state for any life\-cycle transitions. .IP newed 4 .IX Item "newed" This state represents the KDF/PRF after it has been allocated. @@ -80,10 +83,10 @@ output. .IP freed 4 .IX Item "freed" This state is entered when the KDF/PRF is freed. It is the terminal state -for all life-cycle transitions. +for all life\-cycle transitions. .SS "State Transition Diagram" .IX Subsection "State Transition Diagram" -The usual life-cycle of a KDF/PRF is illustrated: +The usual life\-cycle of a KDF/PRF is illustrated: +-------------------+ | start | +-------------------+ @@ -98,7 +101,7 @@ The usual life-cycle of a KDF/PRF is illustrated: v | EVP_KDF_CTX_reset EVP_KDF_derive +-------------------+ | + - - - - - - - - | | | - ' | deriving | | + \*(Aq | deriving | | + - - - - - - - -> | | -+ +-------------------+ | diff --git a/secure/lib/libcrypto/man/man7/life_cycle-mac.7 b/secure/lib/libcrypto/man/man7/life_cycle-mac.7 index 31de698f3133..24cec0265394 100644 --- a/secure/lib/libcrypto/man/man7/life_cycle-mac.7 +++ b/secure/lib/libcrypto/man/man7/life_cycle-mac.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "LIFE_CYCLE-MAC 7ossl" -.TH LIFE_CYCLE-MAC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH LIFE_CYCLE-MAC 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -65,11 +68,11 @@ life_cycle\-mac \- The MAC algorithm life\-cycle .SH DESCRIPTION .IX Header "DESCRIPTION" All message authentication codes (MACs) -go through a number of stages in their life-cycle: +go through a number of stages in their life\-cycle: .IP start 4 .IX Item "start" This state represents the MAC before it has been allocated. It is the -starting state for any life-cycle transitions. +starting state for any life\-cycle transitions. .IP newed 4 .IX Item "newed" This state represents the MAC after it has been allocated. @@ -87,10 +90,10 @@ This state represents the MAC when it has generated output. .IP freed 4 .IX Item "freed" This state is entered when the MAC is freed. It is the terminal state -for all life-cycle transitions. +for all life\-cycle transitions. .SS "State Transition Diagram" .IX Subsection "State Transition Diagram" -The usual life-cycle of a MAC is illustrated: +The usual life\-cycle of a MAC is illustrated: +-------------------+ | start | +-------------------+ diff --git a/secure/lib/libcrypto/man/man7/life_cycle-pkey.7 b/secure/lib/libcrypto/man/man7/life_cycle-pkey.7 index 53d6c5b85ef1..8403f2aaa31d 100644 --- a/secure/lib/libcrypto/man/man7/life_cycle-pkey.7 +++ b/secure/lib/libcrypto/man/man7/life_cycle-pkey.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "LIFE_CYCLE-PKEY 7ossl" -.TH LIFE_CYCLE-PKEY 7ossl 2025-09-30 3.5.4 OpenSSL +.TH LIFE_CYCLE-PKEY 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -64,11 +67,11 @@ life_cycle\-pkey \- The PKEY algorithm life\-cycle .SH DESCRIPTION .IX Header "DESCRIPTION" -All public keys (PKEYs) go through a number of stages in their life-cycle: +All public keys (PKEYs) go through a number of stages in their life\-cycle: .IP start 4 .IX Item "start" This state represents the PKEY before it has been allocated. It is the -starting state for any life-cycle transitions. +starting state for any life\-cycle transitions. .IP newed 4 .IX Item "newed" This state represents the PKEY after it has been allocated. @@ -108,10 +111,10 @@ This state represents the PKEY when it is ready to recover a public key signatur .IP freed 4 .IX Item "freed" This state is entered when the PKEY is freed. It is the terminal state -for all life-cycle transitions. +for all life\-cycle transitions. .SS "State Transition Diagram" .IX Subsection "State Transition Diagram" -The usual life-cycle of a PKEY object is illustrated: +The usual life\-cycle of a PKEY object is illustrated: +-------------+ | | | start | 
@@ -166,9 +169,9 @@ The usual life-cycle of a PKEY object is illustrated: + - - - - - + +-----------+ - ' ' EVP_PKEY_CTX_free | | - ' any state '------------------->| freed | - ' ' | | + \*(Aq \*(Aq EVP_PKEY_CTX_free | | + \*(Aq any state \*(Aq------------------->| freed | + \*(Aq \*(Aq | | + - - - - - + +-----------+ .SS "Formal State Transitions" .IX Subsection "Formal State Transitions" diff --git a/secure/lib/libcrypto/man/man7/life_cycle-rand.7 b/secure/lib/libcrypto/man/man7/life_cycle-rand.7 index c4a887294dbe..2d5de896cff6 100644 --- a/secure/lib/libcrypto/man/man7/life_cycle-rand.7 +++ b/secure/lib/libcrypto/man/man7/life_cycle-rand.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "LIFE_CYCLE-RAND 7ossl" -.TH LIFE_CYCLE-RAND 7ossl 2025-09-30 3.5.4 OpenSSL +.TH LIFE_CYCLE-RAND 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -65,11 +68,11 @@ life_cycle\-rand \- The RAND algorithm life\-cycle .SH DESCRIPTION .IX Header "DESCRIPTION" All random number generator (RANDs) -go through a number of stages in their life-cycle: +go through a number of stages in their life\-cycle: .IP start 4 .IX Item "start" This state represents the RAND before it has been allocated. It is the -starting state for any life-cycle transitions. +starting state for any life\-cycle transitions. .IP newed 4 .IX Item "newed" This state represents the RAND after it has been allocated but unable to 
@@ -85,10 +88,10 @@ capable of generating output. .IP freed 4 .IX Item "freed" This state is entered when the RAND is freed. It is the terminal state -for all life-cycle transitions. +for all life\-cycle transitions. .SS "State Transition Diagram" .IX Subsection "State Transition Diagram" -The usual life-cycle of a RAND is illustrated: +The usual life\-cycle of a RAND is illustrated: +-------------------------+ | start | +-------------------------+ @@ -105,11 +108,11 @@ The usual life-cycle of a RAND is illustrated: +-------------------- | | | | instantiated | +-------------------> | | <+ - +-------------------------+ ' - | ' - | EVP_RAND_uninstantiate ' EVP_RAND_instantiate - v ' - +-------------------------+ ' + +-------------------------+ \*(Aq + | \*(Aq + | EVP_RAND_uninstantiate \*(Aq EVP_RAND_instantiate + v \*(Aq + +-------------------------+ \*(Aq | uninstantiated | -+ +-------------------------+ | diff --git a/secure/lib/libcrypto/man/man7/openssl-core.h.7 b/secure/lib/libcrypto/man/man7/openssl-core.h.7 index 177a73608ee1..d9da43e839b1 100644 --- a/secure/lib/libcrypto/man/man7/openssl-core.h.7 +++ b/secure/lib/libcrypto/man/man7/openssl-core.h.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-CORE.H 7ossl" -.TH OPENSSL-CORE.H 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-CORE.H 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
diff --git a/secure/lib/libcrypto/man/man7/openssl-core_dispatch.h.7 b/secure/lib/libcrypto/man/man7/openssl-core_dispatch.h.7 index 608f0019359f..13fe8d6e02c2 100644 --- a/secure/lib/libcrypto/man/man7/openssl-core_dispatch.h.7 +++ b/secure/lib/libcrypto/man/man7/openssl-core_dispatch.h.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-CORE_DISPATCH.H 7ossl" -.TH OPENSSL-CORE_DISPATCH.H 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-CORE_DISPATCH.H 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libcrypto/man/man7/openssl-core_names.h.7 b/secure/lib/libcrypto/man/man7/openssl-core_names.h.7 index d3a121360a14..8db1935c160e 100644 --- a/secure/lib/libcrypto/man/man7/openssl-core_names.h.7 +++ b/secure/lib/libcrypto/man/man7/openssl-core_names.h.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-CORE_NAMES.H 7ossl" -.TH OPENSSL-CORE_NAMES.H 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-CORE_NAMES.H 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -71,9 +74,9 @@ openssl/core_names.h \- OpenSSL provider parameter names .IX Header "DESCRIPTION" The \fI<openssl/core_names.h>\fR header defines a multitude of macros for \fBOSSL_PARAM\fR\|(3) names, algorithm names and other known names used -with OpenSSL's providers, made available for practical purposes only. +with OpenSSL\*(Aqs providers, made available for practical purposes only. .PP -Existing names are further described in the manuals for OpenSSL's +Existing names are further described in the manuals for OpenSSL\*(Aqs providers (see "SEE ALSO") and the manuals for each algorithm they provide (listed in those provider manuals). .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man7/openssl-env.7 b/secure/lib/libcrypto/man/man7/openssl-env.7 index 1b1163c8c9f4..6a4f1ae42520 100644 --- a/secure/lib/libcrypto/man/man7/openssl-env.7 +++ b/secure/lib/libcrypto/man/man7/openssl-env.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-ENV 7ossl" -.TH OPENSSL-ENV 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-ENV 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -65,9 +68,9 @@ openssl\-env \- OpenSSL environment variables .SH DESCRIPTION .IX Header "DESCRIPTION" The OpenSSL libraries use environment variables to override the -compiled-in default paths for various data. +compiled\-in default paths for various data. To avoid security risks, the environment is usually not consulted when -the executable is set-user-ID or set-group-ID. +the executable is set\-user\-ID or set\-group\-ID. .IP \fBCTLOG_FILE\fR 4 .IX Item "CTLOG_FILE" Specifies the path to a certificate transparency log list. @@ -98,7 +101,7 @@ See \fBOPENSSL_malloc\fR\|(3). .IP \fBOPENSSL_MODULES\fR 4 .IX Item "OPENSSL_MODULES" Specifies the directory from which cryptographic providers are loaded. -Equivalently, the generic \fB\-provider\-path\fR command-line option may be used. +Equivalently, the generic \fB\-provider\-path\fR command\-line option may be used. .IP \fBOPENSSL_TRACE\fR 4 .IX Item "OPENSSL_TRACE" By default the OpenSSL trace feature is disabled statically. 
@@ -109,8 +112,14 @@ Unless OpenSSL tracing support is generally disabled, enable trace output of specific parts of OpenSSL libraries, by name. This output usually makes sense only if you know OpenSSL internals well. .Sp -The value of this environment varialble is a comma-separated list of names, +The value of this environment variable is a comma\-separated list of names, with the following available: +.IP \fBOPENSSL_RUNNING_UNIT_TESTS\fR 4 +.IX Item "OPENSSL_RUNNING_UNIT_TESTS" +This environment variable is used to flag the fact that unit tests are being run +(i.e. \`make test\`). It is used to detect when the OpenSSL should behave in a special +manner during unit tests (i.e. when unit tests are being run on fuzzing builds). It should +generally not be set by users. .RS 4 .IP \fBTRACE\fR 4 .IX Item "TRACE" @@ -177,7 +186,7 @@ Traces the HTTP client and server, such as messages being sent and received. .IX Item "OPENSSL_WIN32_UTF8" If set, then \fBUI_OpenSSL\fR\|(3) returns UTF\-8 encoded strings, rather than ones encoded in the current code page, and -the \fBopenssl\fR\|(1) program also transcodes the command-line parameters +the \fBopenssl\fR\|(1) program also transcodes the command\-line parameters from the current code page to UTF\-8. This environment variable is only checked on Microsoft Windows platforms. .IP \fBRANDFILE\fR 4 
@@ -198,7 +207,8 @@ OpenSSL supports a number of different algorithm implementations for various machines and, by default, it determines which to use based on the processor capabilities and run time feature enquiry. These environment variables can be used to exert more control over this selection process. -See \fBOPENSSL_ia32cap\fR\|(3), \fBOPENSSL_s390xcap\fR\|(3) and \fBOPENSSL_riscvcap\fR\|(3). +See \fBOPENSSL_ia32cap\fR\|(3), \fBOPENSSL_ppccap\fR\|(3), \fBOPENSSL_riscvcap\fR\|(3), +and \fBOPENSSL_s390xcap\fR\|(3). .IP "\fBNO_PROXY\fR, \fBHTTPS_PROXY\fR, \fBHTTP_PROXY\fR" 4 .IX Item "NO_PROXY, HTTPS_PROXY, HTTP_PROXY" Specify a proxy hostname. @@ -214,7 +224,7 @@ Used to set a QUIC qlog filter specification. See \fBopenssl\-qlog\fR\|(7). Used to produce the standard format output file for SSL key logging. Optionally set this variable to a filename to log all secrets produced by SSL connections. Note, use of the environment variable is predicated on configuring OpenSSL at -build time with the enable-sslkeylog feature. The file format standard can be +build time with the enable\-sslkeylog feature. The file format standard can be found at <https://datatracker.ietf.org/doc/draft\-ietf\-tls\-keylogfile/>. Note: the use of \fBSSLKEYLOGFILE\fR poses an explicit security risk. By recording the exchanged keys during an SSL session, it allows any available party with @@ -222,7 +232,7 @@ read access to the file to decrypt application traffic sent over that session. Use of this feature should be restricted to test and debug environments only. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2019\-2024 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/secure/lib/libcrypto/man/man7/openssl-glossary.7 b/secure/lib/libcrypto/man/man7/openssl-glossary.7 index e0a24a3529f6..995e59dcafc2 100644 --- a/secure/lib/libcrypto/man/man7/openssl-glossary.7 +++ b/secure/lib/libcrypto/man/man7/openssl-glossary.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-GLOSSARY 7ossl" -.TH OPENSSL-GLOSSARY 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-GLOSSARY 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -74,7 +77,7 @@ implementation for any given algorithm available for use. .IP "ASN.1, ASN1" 4 .IX Item "ASN.1, ASN1" ASN.1 ("Abstract Syntax Notation One") is a notation for describing abstract -types and values. It is defined in the ITU-T documents X.680 to X.683: +types and values. It is defined in the ITU\-T documents X.680 to X.683: .Sp <https://www.itu.int/rec/T\-REC\-X.680>, <https://www.itu.int/rec/T\-REC\-X.681>, @@ -107,7 +110,7 @@ DER is a binary encoding of data, structured according to an ASN.1 specification. This is a common encoding used for cryptographic objects such as private and public keys, certificates, CRLs, ... .Sp -It is defined in ITU-T document X.690: +It is defined in ITU\-T document X.690: .Sp <https://www.itu.int/rec/T\-REC\-X.690> .IP Encoder 4 diff --git a/secure/lib/libcrypto/man/man7/openssl-qlog.7 b/secure/lib/libcrypto/man/man7/openssl-qlog.7 index 0330f3bcf375..1dfcebc18bc0 100644 
--- a/secure/lib/libcrypto/man/man7/openssl-qlog.7 +++ b/secure/lib/libcrypto/man/man7/openssl-qlog.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-QLOG 7ossl" -.TH OPENSSL-QLOG 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-QLOG 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -72,7 +75,7 @@ contained within them, as well as loss detection and other events. The qlog output generated by OpenSSL can be used to obtain diagnostic visualisations of a given QUIC connection using tools such as \fBqvis\fR. .PP -\&\fBWARNING:\fR The output of OpenSSL's qlog functionality uses an unstable format +\&\fBWARNING:\fR The output of OpenSSL\*(Aqs qlog functionality uses an unstable format based on a draft specification. qlog output is not subject to any format stability or compatibility guarantees at this time, and \fBwill\fR change in incompatible ways in future versions of OpenSSL. See \fBFORMAT STABILITY\fR below 
@@ -84,7 +87,7 @@ the standard \fBQLOGDIR\fR environment variable to point to a directory where ql files should be written. Once set, any QUIC connection established by OpenSSL will have a qlog file written automatically to the specified directory. .PP -Log files are generated in the \fI.sqlog\fR format based on JSON-SEQ (RFC 7464). +Log files are generated in the \fI.sqlog\fR format based on JSON\-SEQ (RFC 7464). .PP The filenames of generated log files under the specified \fBQLOGDIR\fR use the following structure: @@ -94,13 +97,13 @@ following structure: .Ve .PP where \fB{connection_odcid}\fR is the lowercase hexadecimal encoding of a QUIC -connection's Original Destination Connection ID, which is the Destination +connection\*(Aqs Original Destination Connection ID, which is the Destination Connection ID used in the header of the first Initial packet sent as part of the connection process, and \fB{vantage_point_type}\fR is either \f(CW\*(C`client\*(C'\fR or \&\f(CW\*(C`server\*(C'\fR, reflecting the perspective of the endpoint producing the qlog output. .PP The qlog functionality can be disabled at OpenSSL build time using the -\&\fIno-unstable-qlog\fR configure flag. +\&\fIno\-unstable\-qlog\fR configure flag. .SH "SUPPORTED EVENT TYPES" .IX Header "SUPPORTED EVENT TYPES" The following event types are currently supported: @@ -125,7 +128,7 @@ The following event types are currently supported: By default, all supported event types are logged. The \fBOSSL_QFILTER\fR environment variable can be used to configure a filter specification which determines which event types are to be logged. Each event type can be turned on -and off individually. The filter specification is a space-separated list of +and off individually. The filter specification is a space\-separated list of terms listing event types to enable or disable. The terms are applied in order, thus the effects of later terms override the effects of earlier terms. .SS Examples 
@@ -219,7 +222,7 @@ the qlog format. The OpenSSL qlog functionality will transition to producing output in this format in the future once standardisation is complete. .PP Because of this, the qlog output of OpenSSL \fBwill\fR change in incompatible and -breaking ways in the future, including in non-major releases of OpenSSL. The +breaking ways in the future, including in non\-major releases of OpenSSL. The qlog output of OpenSSL is considered unstable and not subject to any format stability or compatibility guarantees at this time. .PP @@ -240,7 +243,7 @@ a disparity between the current draft and what qvis supports, the OpenSSL qlog functionality will generally aim for qvis compatibility over compliance with the latest draft. .PP -As such, OpenSSL's qlog functionality currently implements qlog version 0.3 as +As such, OpenSSL\*(Aqs qlog functionality currently implements qlog version 0.3 as defined in \fBdraft\-ietf\-quic\-qlog\-main\-schema\-05\fR and \&\fBdraft\-ietf\-quic\-qlog\-quic\-events\-04\fR. These revisions are intentionally used instead of more recent revisions due to their qvis compatibility. @@ -250,7 +253,7 @@ The OpenSSL implementation of qlog currently has the following limitations: .IP \(bu 4 Not all event types defined by the draft specification are implemented. .IP \(bu 4 -Only the JSON-SEQ (\fB.sqlog\fR) output format is supported. +Only the JSON\-SEQ (\fB.sqlog\fR) output format is supported. .IP \(bu 4 Only the \fBQLOGDIR\fR environment variable is supported for configuring the qlog output directory. The standard \fBQLOGFILE\fR environment variable is not diff --git a/secure/lib/libcrypto/man/man7/openssl-quic-concurrency.7 b/secure/lib/libcrypto/man/man7/openssl-quic-concurrency.7 index 94019da3c1fd..96e4d0530668 100644 --- a/secure/lib/libcrypto/man/man7/openssl-quic-concurrency.7 +++ b/secure/lib/libcrypto/man/man7/openssl-quic-concurrency.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-QUIC-CONCURRENCY 7ossl" -.TH OPENSSL-QUIC-CONCURRENCY 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-QUIC-CONCURRENCY 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -100,18 +103,18 @@ a wide variety of usage scenarios. .PP The available concurrency models are as follows: .IP \(bu 4 -The \fBSingle-Threaded Concurrency Model (SCM)\fR, which supports only -application-synchronised single-threaded usage. +The \fBSingle\-Threaded Concurrency Model (SCM)\fR, which supports only +application\-synchronised single\-threaded usage. .IP \(bu 4 -The \fBContentive Concurrency Model (CCM)\fR, which supports multi-threaded usage. +The \fBContentive Concurrency Model (CCM)\fR, which supports multi\-threaded usage. .IP \(bu 4 -The \fBThread-Assisted Concurrency Model (TACM)\fR, which also supports -multi-threaded usage and provides assistance to an application for handling QUIC +The \fBThread\-Assisted Concurrency Model (TACM)\fR, which also supports +multi\-threaded usage and provides assistance to an application for handling QUIC timer events. .PP The merits of these models are as follows: .IP \(bu 4 -The \fBSingle-Threaded Concurrency Model (SCM)\fR performs no locking or +The \fBSingle\-Threaded Concurrency Model (SCM)\fR performs no locking or synchronisation. It is entirely up to the application to synchronise access to the QUIC domain and its subsidiary SSL objects. .Sp 
@@ -120,13 +123,13 @@ OpenSSL QUIC implementation as a pure state machine. .IP \(bu 4 The \fBContentive Concurrency Model (CCM)\fR performs automatic locking when making API calls to SSL objects in a QUIC domain. This provides automatic -synchronisation for multi-threaded usage of QUIC objects. For example, different +synchronisation for multi\-threaded usage of QUIC objects. For example, different QUIC stream SSL objects in the same QUIC connection can be safely accessed from different threads. .Sp -This concurrency model adds the overhead of locking over the Single-Threaded -Concurrency Model in order to support multi-threaded usage, but provides limited -performance in highly contended multi-threaded usage due to its simple approach. +This concurrency model adds the overhead of locking over the Single\-Threaded +Concurrency Model in order to support multi\-threaded usage, but provides limited +performance in highly contended multi\-threaded usage due to its simple approach. However, it may still prove a good solution for a broad class of applications which spend the majority of their time in application logic and not in QUIC I/O processing. 
@@ -134,11 +137,11 @@ processing. An advantage of this model relative to the more sophisticated concurrency models below is that it does not create any OS threads. .IP \(bu 4 -The \fBThread-Assisted Concurrency Model (TACM)\fR is identical to the Contentive +The \fBThread\-Assisted Concurrency Model (TACM)\fR is identical to the Contentive Concurrency Model except that a thread is spun up in the background to ensure that QUIC timer events are handled in a timely fashion. This ensures that QUIC timeout events are handled even if an application does not periodically call -into the QUIC domain to ensure that any outstanding QUIC-related timer or +into the QUIC domain to ensure that any outstanding QUIC\-related timer or network I/O events are handled. The assist thread contends for the same resources like any other thread. However, handshake layer events (TLS) are never processed by the assist thread. @@ -152,11 +155,11 @@ Additional concurrency models may be offered in future releases of OpenSSL. .SH "BLOCKING I/O CAPABILITIES" .IX Header "BLOCKING I/O CAPABILITIES" All of the supported concurrency models are capable of supporting blocking I/O -calls, where application-level I/O calls (for example, to \fBSSL_read_ex\fR\|(3) or +calls, where application\-level I/O calls (for example, to \fBSSL_read_ex\fR\|(3) or \&\fBSSL_write_ex\fR\|(3) on a QUIC stream SSL object) block until the request can be serviced. This includes the use of \fBSSL_poll\fR\|(3) in a blocking fashion. .PP -Supporting blocking API calls reliably with multi-threaded usage requires the +Supporting blocking API calls reliably with multi\-threaded usage requires the creation of additional OS resources such as internal file descriptors to allow threads to be woken when necessary. This creation of internal OS resources is optional and may need to be explicitly requested by an application depending on 
@@ -167,23 +170,23 @@ notwithstanding the following section. .SS "Legacy Blocking Support Compatibility" .IX Subsection "Legacy Blocking Support Compatibility" OpenSSL 3.2 and 3.3 contained a buggy implementation of blocking QUIC I/O calls -which is only reliable under single-threaded usage. This functionality is always -available in the Single-Threaded Concurrency Model (SCM), where it works +which is only reliable under single\-threaded usage. This functionality is always +available in the Single\-Threaded Concurrency Model (SCM), where it works reliably. .PP For compatibility reasons, this functionality is also available under the default concurrency model if the application does not explicitly specify a concurrency model or disable it. This is known as Legacy Blocking Compatibility -Mode, and its usage is not recommended for multi-threaded applications. +Mode, and its usage is not recommended for multi\-threaded applications. .SH "RECOMMENDED USAGE" .IX Header "RECOMMENDED USAGE" New applications are advised to choose a concurrency model as follows: .IP \(bu 4 -A purely single-threaded application, or an application which wishes to use +A purely single\-threaded application, or an application which wishes to use OpenSSL QUIC as a state machine and manage synchronisation itself, should explicitly select the SCM concurrency model. .IP \(bu 4 -An application which wants to engage in multi-threaded usage of different QUIC +An application which wants to engage in multi\-threaded usage of different QUIC connections or streams in the same QUIC domain should a) select the CCM or TACM concurrency model and b) explicitly opt in or out of blocking I/O support (depending on whether the application wishes to make blocking I/O calls), 
@@ -203,14 +206,14 @@ If using an explicit QUIC domain, a concurrency model is chosen when calling \&\fBSSL_new_domain\fR\|(3) by specifying zero or more of the following flags: .IP \fBSSL_DOMAIN_FLAG_SINGLE_THREAD\fR 4 .IX Item "SSL_DOMAIN_FLAG_SINGLE_THREAD" -Specifying this flag configures the Single-Threaded Concurrency Model (SCM). +Specifying this flag configures the Single\-Threaded Concurrency Model (SCM). .IP \fBSSL_DOMAIN_FLAG_MULTI_THREAD\fR 4 .IX Item "SSL_DOMAIN_FLAG_MULTI_THREAD" -Speciyfing this flag configures the Contentive Concurrency Model (CCM) (unless +Specifying this flag configures the Contentive Concurrency Model (CCM) (unless \&\fBSSL_DOMAIN_FLAG_THREAD_ASSISTED\fR is also specified). .IP \fBSSL_DOMAIN_FLAG_THREAD_ASSISTED\fR 4 .IX Item "SSL_DOMAIN_FLAG_THREAD_ASSISTED" -Specifying this flag configures the Thread-Assisted Concurrency Model (TACM). +Specifying this flag configures the Thread\-Assisted Concurrency Model (TACM). It implies \fBSSL_DOMAIN_FLAG_MULTI_THREAD\fR. .IP \fBSSL_DOMAIN_FLAG_BLOCKING\fR 4 .IX Item "SSL_DOMAIN_FLAG_BLOCKING" @@ -244,10 +247,10 @@ The default concurrency model set on a newly created \fBSSL_CTX\fR is determined follows: .IP \(bu 4 If an \fBSSL_METHOD\fR of \fBOSSL_QUIC_client_thread_method\fR\|(3) is used, the -Thread-Assisted Concurrency Model (TACM) is used with the +Thread\-Assisted Concurrency Model (TACM) is used with the \&\fBSSL_DOMAIN_FLAG_BLOCKING\fR flag. This provides reliable blocking functionality. .IP \(bu 4 -Otherwise, if OpenSSL was built without threading support, the Single-Threaded +Otherwise, if OpenSSL was built without threading support, the Single\-Threaded Concurrency Model (SCM) is used, with the \fBSSL_DOMAIN_FLAG_LEGACY_BLOCKING\fR flag. .IP \(bu 4 
@@ -269,12 +272,12 @@ an implicit QUIC domain is created when calling \fBSSL_new_listener\fR\|(3) or .SH "CONSUMPTION OF OS RESOURCES" .IX Header "CONSUMPTION OF OS RESOURCES" If full blocking I/O support is selected using \fBSSL_DOMAIN_FLAG_BLOCKING\fR, at -least one socket, socket-like OS handle or file descriptor must be allocated to +least one socket, socket\-like OS handle or file descriptor must be allocated to allow one thread to wake other threads which may be blocking in calls to OS socket polling interfaces such as \fBselect\fR\|(2) or \fBpoll\fR\|(2). This is allocated automatically internally by OpenSSL. .PP -If the Thread-Assisted Concurrency Model (TACM) is selected, a background thread +If the Thread\-Assisted Concurrency Model (TACM) is selected, a background thread is spawned. This also implies \fBSSL_DOMAIN_FLAG_BLOCKING\fR and the above. .PP The internal consumption by OpenSSL of mutexes, condition variables, spin locks @@ -282,11 +285,11 @@ or other similar thread synchronisation primitives is unspecified under all concurrency models. .PP The internal consumption by OpenSSL of threads is unspecified under the -Thread-Assisted Concurrency Model. +Thread\-Assisted Concurrency Model. .PP -The internal consumption by OpenSSL of sockets, socket-like OS handles or file -descriptors, or other resources as needed to support inter-thread notification, -is unspecified under the Thread-Assisted Concurrency Model or when using +The internal consumption by OpenSSL of sockets, socket\-like OS handles or file +descriptors, or other resources as needed to support inter\-thread notification, +is unspecified under the Thread\-Assisted Concurrency Model or when using \&\fBSSL_DOMAIN_FLAG_BLOCKING\fR. .SH "BEHAVIOUR OF SSL OBJECTS" .IX Header "BEHAVIOUR OF SSL OBJECTS" diff --git a/secure/lib/libcrypto/man/man7/openssl-quic.7 b/secure/lib/libcrypto/man/man7/openssl-quic.7 index d50b06cd1b87..ce5014ca0328 100644 --- a/secure/lib/libcrypto/man/man7/openssl-quic.7 
+++ b/secure/lib/libcrypto/man/man7/openssl-quic.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-QUIC 7ossl" -.TH OPENSSL-QUIC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-QUIC 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -65,7 +68,7 @@ openssl\-quic \- OpenSSL QUIC .SH DESCRIPTION .IX Header "DESCRIPTION" OpenSSL 3.2 and later features support for the QUIC transport protocol. -You can use OpenSSL's QUIC capabilities for both client and server applications. +You can use OpenSSL\*(Aqs QUIC capabilities for both client and server applications. This man page describes how to let applications use the QUIC protocol using the libssl API. .PP @@ -79,9 +82,9 @@ option: SSL method \fBOSSL_QUIC_server_method\fR\|(3) with \fBSSL_CTX_new\fR\|(3 .PP The remainder of this man page discusses, in order: .IP \(bu 4 -Default stream mode versus multi-stream mode for clients; +Default stream mode versus multi\-stream mode for clients; .IP \(bu 4 -The changes to existing libssl APIs which are driven by QUIC-related +The changes to existing libssl APIs which are driven by QUIC\-related implementation requirements, which existing applications should bear in mind; .IP \(bu 4 Aspects which must be considered by existing applications when adopting QUIC, 
@@ -89,25 +92,25 @@ including potential changes which may be needed. .IP \(bu 4 Recommended usage approaches for new applications. .IP \(bu 4 -New, QUIC-specific APIs. +New, QUIC\-specific APIs. .SH "CLIENT MODES OF OPERATION" .IX Header "CLIENT MODES OF OPERATION" When a client creates a QUIC connection, by default, it operates in default -stream mode, which is intended to provide compatibility with existing non-QUIC +stream mode, which is intended to provide compatibility with existing non\-QUIC application usage patterns. In this mode, the connection has a single stream associated with it. Calls to \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3) on the QUIC connection SSL object read and write from that stream. Whether the stream is -client-initiated or server-initiated from a QUIC perspective depends on whether +client\-initiated or server\-initiated from a QUIC perspective depends on whether \&\fBSSL_read\fR\|(3) or \fBSSL_write\fR\|(3) is called first. .PP Default stream mode is primarily for compatibility with existing applications. -For new applications utilizing QUIC, it's recommended to disable this mode and -instead adopt the multi-stream API. See the RECOMMENDATIONS FOR NEW APPLICATIONS +For new applications utilizing QUIC, it\*(Aqs recommended to disable this mode and +instead adopt the multi\-stream API. See the RECOMMENDATIONS FOR NEW APPLICATIONS section for more details. .SS "Default Stream Mode" .IX Subsection "Default Stream Mode" A QUIC client connection can be used in either default stream mode or -multi-stream mode. By default, a newly created QUIC connection SSL object uses +multi\-stream mode. By default, a newly created QUIC connection SSL object uses default stream mode. .PP In default stream mode, a stream is implicitly created and bound to the QUIC 
@@ -119,45 +122,45 @@ stream SSL object can also be called on a QUIC connection SSL object, in which case it affects the default stream bound to the connection. .PP The identity of a QUIC stream, including its stream ID, varies depending on -whether a stream is client-initiated or server-initiated. In default stream +whether a stream is client\-initiated or server\-initiated. In default stream mode, if a client application calls \fBSSL_read\fR\|(3) first before any call to \&\fBSSL_write\fR\|(3) on the connection, it is assumed that the application protocol -is using a server-initiated stream, and the \fBSSL_read\fR\|(3) call will not +is using a server\-initiated stream, and the \fBSSL_read\fR\|(3) call will not complete (either blocking, or failing appropriately if nonblocking mode is configured) until the server initiates a stream. Conversely, if the client application calls \fBSSL_write\fR\|(3) before any call to \fBSSL_read\fR\|(3) on the -connection, it is assumed that a client-initiated stream is to be used +connection, it is assumed that a client\-initiated stream is to be used and such a stream is created automatically. .PP Default stream mode is intended to aid compatibility with legacy applications. -New applications adopting QUIC should use multi-stream mode, described below, +New applications adopting QUIC should use multi\-stream mode, described below, and avoid use of the default stream functionality. .PP It is possible to use additional streams in default stream mode using \&\fBSSL_new_stream\fR\|(3) and \fBSSL_accept_stream\fR\|(3); note that the default incoming stream policy will need to be changed using \fBSSL_set_incoming_stream_policy\fR\|(3) in order to use \fBSSL_accept_stream\fR\|(3) in this case. However, applications -using additional streams are strongly recommended to use multi-stream mode +using additional streams are strongly recommended to use multi\-stream mode instead. 
.PP Calling \fBSSL_new_stream\fR\|(3) or \fBSSL_accept_stream\fR\|(3) before a default stream has been associated with the QUIC connection SSL object will inhibit future creation of a default stream. -.SS "Multi-Stream Mode" +.SS "Multi\-Stream Mode" .IX Subsection "Multi-Stream Mode" -The recommended usage mode for new applications adopting QUIC is multi-stream +The recommended usage mode for new applications adopting QUIC is multi\-stream mode, in which no default stream is attached to the QUIC connection SSL object and attempts to call \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3) on the QUIC connection SSL object fail. Instead, an application calls \fBSSL_new_stream\fR\|(3) or \&\fBSSL_accept_stream\fR\|(3) to create individual stream SSL objects for sending and receiving application data using \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3). .PP -To use multi-stream mode, call \fBSSL_set_default_stream_mode\fR\|(3) with an +To use multi\-stream mode, call \fBSSL_set_default_stream_mode\fR\|(3) with an argument of \fBSSL_DEFAULT_STREAM_MODE_NONE\fR; this function must be called prior to initiating the connection. The default stream mode cannot be changed after initiating a connection. .PP -When multi-stream mode is used, meaning that no default stream is associated +When multi\-stream mode is used, meaning that no default stream is associated with the connection, calls to API functions which are defined as operating on a QUIC stream fail if called on the QUIC connection SSL object. For example, calls such as \fBSSL_write\fR\|(3) or \fBSSL_get_stream_id\fR\|(3) will fail. 
@@ -176,11 +179,11 @@ BIO: \&\fBBIO_s_datagram\fR\|(3), recommended for most applications, replaces \&\fBBIO_s_socket\fR\|(3) and provides a UDP socket. .IP \(bu 4 -\&\fBBIO_s_dgram_pair\fR\|(3) provides BIO pair-like functionality but with datagram +\&\fBBIO_s_dgram_pair\fR\|(3) provides BIO pair\-like functionality but with datagram semantics, and is recommended for existing applications which use a BIO pair or -memory BIO to manage libssl's communication with the network. +memory BIO to manage libssl\*(Aqs communication with the network. .IP \(bu 4 -\&\fBBIO_s_dgram_mem\fR\|(3) provides a simple memory BIO-like interface but with +\&\fBBIO_s_dgram_mem\fR\|(3) provides a simple memory BIO\-like interface but with datagram semantics. Unlike \fBBIO_s_dgram_pair\fR\|(3), it is unidirectional. .IP \(bu 4 An application may also choose to implement a custom BIO. The new 
@@ -194,18 +197,18 @@ instantiate a \fBBIO_s_socket\fR\|(3). For QUIC, these functions instead instant a \fBBIO_s_datagram\fR\|(3). This is equivalent to instantiating a \&\fBBIO_s_datagram\fR\|(3) and using \fBSSL_set0_rbio\fR\|(3) and \fBSSL_set0_wbio\fR\|(3). .IP \(bu 4 -Traditionally, whether the application-level I/O APIs (such as \fBSSL_read\fR\|(3) +Traditionally, whether the application\-level I/O APIs (such as \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3) operated in a blocking fashion was directly correlated with whether the underlying network socket was configured in a blocking fashion. This is no longer the case; applications must explicitly configure the desired -application-level blocking mode using \fBSSL_set_blocking_mode\fR\|(3). See +application\-level blocking mode using \fBSSL_set_blocking_mode\fR\|(3). See \&\fBSSL_set_blocking_mode\fR\|(3) for details. .IP \(bu 4 -Network-level I/O must always be performed in a nonblocking manner. The -application can still enjoy blocking semantics for calls to application-level +Network\-level I/O must always be performed in a nonblocking manner. The +application can still enjoy blocking semantics for calls to application\-level I/O functions such as \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3), but the underlying network BIO provided to QUIC (such as a \fBBIO_s_datagram\fR\|(3)) must be configured -in nonblocking mode. For application-level blocking functionality, see +in nonblocking mode. For application\-level blocking functionality, see \&\fBSSL_set_blocking_mode\fR\|(3). .IP \(bu 4 \&\fBBIO_new_ssl_connect\fR\|(3) has been changed to automatically use a 
@@ -217,8 +220,8 @@ change to use \fBBIO_new_ssl_connect\fR\|(3) instead. .IP \(bu 4 \&\fBSSL_shutdown\fR\|(3) has significant changes in relation to how QUIC connections must be shut down. In particular, applications should be advised that the full -RFC-conformant QUIC shutdown process may take an extended amount of time. This -may not be suitable for short-lived processes which should exit immediately +RFC\-conformant QUIC shutdown process may take an extended amount of time. This +may not be suitable for short\-lived processes which should exit immediately after their usage of a QUIC connection is completed. A rapid shutdown mode is available for such applications. For details, see \fBSSL_shutdown\fR\|(3). .IP \(bu 4 @@ -229,7 +232,7 @@ object. .Sp When used in nonblocking mode, \fBSSL_ERROR_WANT_READ\fR indicates that the receive part of a QUIC stream does not currently have any more data available to -be read, and \fBSSL_ERROR_WANT_WRITE\fR indicates that the stream's internal buffer +be read, and \fBSSL_ERROR_WANT_WRITE\fR indicates that the stream\*(Aqs internal buffer is full. .Sp To determine if the QUIC implementation currently wishes to be informed of @@ -237,7 +240,7 @@ incoming network datagrams, use the new function \fBSSL_net_read_desired\fR\|(3) likewise, to determine if the QUIC implementation currently wishes to be informed when it is possible to transmit network datagrams, use the new function \&\fBSSL_net_write_desired\fR\|(3). Only applications which wish to manage their own event -loops need to use these functions; see \fBAPPLICATION-DRIVEN EVENT LOOPS\fR for +loops need to use these functions; see \fBAPPLICATION\-DRIVEN EVENT LOOPS\fR for further discussion. .IP \(bu 4 The use of ALPN is mandatory when using QUIC. Attempts to connect without 
@@ -273,7 +276,7 @@ TLSv1.3 Early Data TLS Next Protocol Negotiation cannot be used and is superseded by ALPN, which must be used instead. The use of ALPN is mandatory with QUIC. .IP \(bu 4 -Post-Handshake Client Authentication is not available as QUIC prohibits its use. +Post\-Handshake Client Authentication is not available as QUIC prohibits its use. .IP \(bu 4 QUIC requires the use of TLSv1.3 or later, therefore functionality only relevant to older TLS versions is not available. @@ -287,7 +290,7 @@ CCM mode is not currently supported. .RS 4 .Sp The following libssl functionality is also not available when used with QUIC, -but calls to the relevant functions are treated as no-ops: +but calls to the relevant functions are treated as no\-ops: .IP \(bu 4 Readahead (\fBSSL_set_read_ahead\fR\|(3), etc.) .RE @@ -316,7 +319,7 @@ the SSL object to provide it with network access. Changes needed: Change your application to use \fBBIO_s_datagram\fR\|(3) instead when using QUIC. The socket must be configured in nonblocking mode. You may or may not need to use \fBSSL_set1_initial_peer_addr\fR\|(3) to set the initial peer -address; see the \fBQUIC-SPECIFIC APIS\fR section for details. +address; see the \fBQUIC\-SPECIFIC APIS\fR section for details. .IP \(bu 4 Your application uses \fBBIO_new_ssl_connect\fR\|(3) to construct a BIO which is passed to the SSL object to provide it with network @@ -345,7 +348,7 @@ instance. Your application uses a custom BIO method to provide the SSL object with network access. .Sp -Changes needed: The custom BIO must be re-architected to have datagram +Changes needed: The custom BIO must be re\-architected to have datagram semantics. \fBBIO_sendmmsg\fR\|(3) and \fBBIO_recvmmsg\fR\|(3) must be implemented. These calls must operate in a nonblocking fashion. Optionally, implement the \&\fBBIO_get_rpoll_descriptor\fR\|(3) and \fBBIO_get_wpoll_descriptor\fR\|(3) methods if 
@@ -395,10 +398,10 @@ APIS\fR. In particular, you should use these APIs to determine the ability of a QUIC stream to receive or provide application data, not to to determine if network I/O is required. .IP \(bu 4 -Evaluate your application's use of \fBSSL_shutdown\fR\|(3) in light of the changes +Evaluate your application\*(Aqs use of \fBSSL_shutdown\fR\|(3) in light of the changes discussed in \fBCHANGES TO EXISTING APIS\fR. Depending on whether your application wishes to prioritise RFC conformance or rapid shutdown, consider using the new -\&\fBSSL_shutdown_ex\fR\|(3) API instead. See \fBQUIC-SPECIFIC APIS\fR for details. +\&\fBSSL_shutdown_ex\fR\|(3) API instead. See \fBQUIC\-SPECIFIC APIS\fR for details. .SH "RECOMMENDED USAGE IN NEW APPLICATIONS" .IX Header "RECOMMENDED USAGE IN NEW APPLICATIONS" The recommended usage in new applications varies depending on three independent @@ -408,7 +411,7 @@ Whether the application will use blocking or nonblocking I/O at the application level (configured using \fBSSL_set_blocking_mode\fR\|(3)). .Sp If the application does nonblocking I/O at the application level it can choose -to manage its own polling and event loop; see \fBAPPLICATION-DRIVEN EVENT LOOPS\fR. +to manage its own polling and event loop; see \fBAPPLICATION\-DRIVEN EVENT LOOPS\fR. .IP \(bu 4 Whether the application intends to give the QUIC implementation direct access to a network socket (e.g. via \fBBIO_s_datagram\fR\|(3)) or whether it intends to buffer 
@@ -423,17 +426,17 @@ Whether thread assisted mode will be used (see \fBTHREAD ASSISTED MODE\fR). Simple demos for QUIC usage under these various scenarios can be found at <https://github.com/openssl/openssl/tree/master/doc/designs/ddd>. .PP -Applications which wish to implement QUIC-specific protocols should be aware of -the APIs listed under \fBQUIC-SPECIFIC APIS\fR which provide access to -QUIC-specific functionality. For example, \fBSSL_stream_conclude\fR\|(3) can be used +Applications which wish to implement QUIC\-specific protocols should be aware of +the APIs listed under \fBQUIC\-SPECIFIC APIS\fR which provide access to +QUIC\-specific functionality. For example, \fBSSL_stream_conclude\fR\|(3) can be used to indicate the end of the sending part of a stream, and \fBSSL_shutdown_ex\fR\|(3) can be used to provide a QUIC application error code when closing a connection. .PP Regardless of the design decisions chosen above, it is recommended that new -applications avoid use of the default stream mode and use the multi-stream API +applications avoid use of the default stream mode and use the multi\-stream API by calling \fBSSL_set_default_stream_mode\fR\|(3); see the MODES OF OPERATION section for details. -.SH "QUIC-SPECIFIC APIS" +.SH "QUIC\-SPECIFIC APIS" .IX Header "QUIC-SPECIFIC APIS" This section details new APIs which are directly or indirectly related to QUIC. For details on the operation of each API, see the referenced man pages. 
@@ -449,7 +452,7 @@ This can also be used with DTLS and supersedes \fBDTLSv1_get_timeout\fR\|(3) for usage. .IP \fBSSL_handle_events\fR\|(3) 4 .IX Item "SSL_handle_events" -This is a non-specific I/O operation which makes a best effort attempt to +This is a non\-specific I/O operation which makes a best effort attempt to perform any pending I/O or timeout processing. It can be used to advance the QUIC state machine by processing incoming network traffic, generating outgoing network traffic and handling any expired timeout events. Most other I/O @@ -465,10 +468,10 @@ The following SSL APIs are specific to QUIC: .IX Item "SSL_new_listener" Creates a listener SSL object, which differs from an ordinary SSL object in that it is used to provide an abstraction for the acceptance of network connections -in a protocol-agnostic manner. +in a protocol\-agnostic manner. .Sp Currently, listener SSL objects are only supported for QUIC server usage or -client-only usage. The listener interface may expand to support additional +client\-only usage. The listener interface may expand to support additional protocols in the future. .IP \fBSSL_new_listener_from\fR\|(3) 4 .IX Item "SSL_new_listener_from" @@ -489,7 +492,7 @@ to call this because it will be called automatically on the first call to \&\fBSSL_accept_connection\fR\|(3). .IP \fBSSL_accept_connection\fR\|(3) 4 .IX Item "SSL_accept_connection" -Accepts a new incoming connection for a listner SSL object. A new SSL object +Accepts a new incoming connection for a listener SSL object. A new SSL object representing the accepted connection is created and returned on success. If no incoming connection is available and the listener SSL object is configured in nonblocking mode, NULL is returned. 
@@ -558,7 +561,7 @@ QUIC stream. This corresponds to the FIN flag in the QUIC RFC. The receiving part of a stream remains usable. .IP \fBSSL_stream_reset\fR\|(3) 4 .IX Item "SSL_stream_reset" -This allows an application to indicate the non-normal termination of the sending +This allows an application to indicate the non\-normal termination of the sending part of a stream. This corresponds to the RESET_STREAM frame in the QUIC RFC. .IP "\fBSSL_get_stream_write_state\fR\|(3) and \fBSSL_get_stream_read_state\fR\|(3)" 4 .IX Item "SSL_get_stream_write_state and SSL_get_stream_read_state" @@ -567,7 +570,7 @@ sending and receiving parts of a stream respectively. .IP "\fBSSL_get_stream_write_error_code\fR\|(3) and \fBSSL_get_stream_read_error_code\fR\|(3)" 4 .IX Item "SSL_get_stream_write_error_code and SSL_get_stream_read_error_code" This allows an application to determine the application error code which was -signalled by a peer which has performed a non-normal stream termination of the +signalled by a peer which has performed a non\-normal stream termination of the respective sending or receiving part of a stream, if any. .IP \fBSSL_get_conn_close_info\fR\|(3) 4 .IX Item "SSL_get_conn_close_info" 
@@ -589,19 +592,19 @@ Returns the QUIC stream ID which the QUIC protocol has associated with a QUIC stream. .IP \fBSSL_new_stream\fR\|(3) 4 .IX Item "SSL_new_stream" -Creates a new QUIC stream SSL object representing a new, locally-initiated QUIC +Creates a new QUIC stream SSL object representing a new, locally\-initiated QUIC stream. .IP \fBSSL_accept_stream\fR\|(3) 4 .IX Item "SSL_accept_stream" Potentially yields a new QUIC stream SSL object representing a new -remotely-initiated QUIC stream, blocking until one is available if the +remotely\-initiated QUIC stream, blocking until one is available if the connection is configured to do so. .IP \fBSSL_get_accept_stream_queue_len\fR\|(3) 4 .IX Item "SSL_get_accept_stream_queue_len" -Provides information on the number of pending remotely-initiated streams. +Provides information on the number of pending remotely\-initiated streams. .IP \fBSSL_set_incoming_stream_policy\fR\|(3) 4 .IX Item "SSL_set_incoming_stream_policy" -Configures how incoming, remotely-initiated streams are handled. The incoming +Configures how incoming, remotely\-initiated streams are handled. The incoming stream policy can be used to automatically reject streams created by the peer, or allow them to be handled using \fBSSL_accept_stream\fR\|(3). .IP \fBSSL_set_default_stream_mode\fR\|(3) 4 @@ -610,7 +613,7 @@ Used to configure or disable default stream mode; see the MODES OF OPERATION section for details. .PP The following BIO APIs are not specific to QUIC but have been added to -facilitate QUIC-specific requirements and are closely associated with its use: +facilitate QUIC\-specific requirements and are closely associated with its use: .IP \fBBIO_s_dgram_pair\fR\|(3) 4 .IX Item "BIO_s_dgram_pair" This is a new BIO method which is similar to a conventional BIO pair but 
@@ -670,13 +673,13 @@ does provide the simplest mode of usage for an application. .PP The implementation may or may not use a common thread or thread pool to service multiple SSL objects in the same \fBSSL_CTX\fR. -.SH "APPLICATION-DRIVEN EVENT LOOPS" +.SH "APPLICATION\-DRIVEN EVENT LOOPS" .IX Header "APPLICATION-DRIVEN EVENT LOOPS" -OpenSSL's QUIC implementation is designed to facilitate applications which wish +OpenSSL\*(Aqs QUIC implementation is designed to facilitate applications which wish to use the SSL APIs in a blocking fashion, but is also designed to facilitate applications which wish to use the SSL APIs in a nonblocking fashion and manage their own event loops and polling directly. This is useful when it is desirable -to host OpenSSL's QUIC implementation on top of an application's existing +to host OpenSSL\*(Aqs QUIC implementation on top of an application\*(Aqs existing nonblocking I/O infrastructure. .PP This is supported via the concept of poll descriptors; see 
@@ -751,6 +754,19 @@ The application must call \fBSSL_get_event_timeout\fR\|(3) after every call to \&\fBSSL_handle_events\fR\|(3) (or another I/O function on the SSL object), and ensure that a call to \fBSSL_handle_events\fR\|(3) is performed after the specified timeout (if any). +.SH "WINDOWS APPLICATION NOTES" +.IX Header "WINDOWS APPLICATION NOTES" +QUIC protocol uses UDP sockets. The \fBrecvfrom()\fR function on Windows may fail +with \f(CW\*(C`WSAECONNRESET\*(C'\fR error causing OpenSSL QUIC stack to enter permanent +error, which prevents further communication over QUIC protocol. Applications +should disable SIO_UDP_CONNRESET and SIO_UDP_NETRESET error notification +on UDP sockets they pass to OpenSSL QUIC stack. More details can be found here: +https://learn.microsoft.com/en\-us/windows/win32/winsock/winsock\-ioctls#sio_udp_connreset\-opcode\-setting\-i\-t3 +.PP +OpenSSL attempts to always disable SIO_UDP_CONNRESET and SIO_UDP_NETRESET +on UDP sockets it receives from application, but no error is reported back +if the respective \f(CWWSAIoctl()\fR calls fail. Robust application should set those +options itself so it can handle error notifications from \f(CWWSAIoctl()\fR properly. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBSSL_handle_events\fR\|(3), \fBSSL_get_event_timeout\fR\|(3), @@ -769,7 +785,7 @@ that a call to \fBSSL_handle_events\fR\|(3) is performed after the specified tim \&\fBSSL_is_domain\fR\|(3), \fBSSL_get0_domain\fR\|(3) .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2022\-2025 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2022\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man7/openssl-threads.7 b/secure/lib/libcrypto/man/man7/openssl-threads.7 index 252b195da2b7..e65f6532188d 100644 --- a/secure/lib/libcrypto/man/man7/openssl-threads.7 
+++ b/secure/lib/libcrypto/man/man7/openssl-threads.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL-THREADS 7ossl" -.TH OPENSSL-THREADS 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL-THREADS 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -64,22 +67,22 @@ openssl\-threads \- Overview of thread safety in OpenSSL .SH DESCRIPTION .IX Header "DESCRIPTION" -In this man page, we use the term \fBthread-safe\fR to indicate that an +In this man page, we use the term \fBthread\-safe\fR to indicate that an object or function can be used by multiple threads at the same time. .PP OpenSSL can be built with or without threads support. The most important use of this support is so that OpenSSL itself can use a single consistent API, as shown in "EXAMPLES" in \fBCRYPTO_THREAD_run_once\fR\|(3). -Multi-platform applications can also use this API. +Multi\-platform applications can also use this API. .PP In particular, being configured for threads support does not imply that -all OpenSSL objects are thread-safe. +all OpenSSL objects are thread\-safe. To emphasize: \fImost objects are not safe for simultaneous use\fR. Exceptions to this should be documented on the specific manual pages, and -some general high-level guidance is given here. +some general high\-level guidance is given here. .PP One major use of the OpenSSL thread API is to implement reference counting. -Many objects within OpenSSL are reference-counted, so resources are not +Many objects within OpenSSL are reference\-counted, so resources are not released, until the last reference is removed. References are often increased automatically (such as when an \fBX509\fR certificate object is added into an \fBX509_STORE\fR trust store). 
@@ -89,24 +92,24 @@ Failure to match \fB\fR\f(BIobject\fR\fB_up_ref\fR() calls with the right number \&\fB\fR\f(BIobject\fR\fB_free\fR() calls is a common source of memory leaks when a program exits. .PP -Many objects have set and get API's to set attributes in the object. +Many objects have set and get API\*(Aqs to set attributes in the object. A \f(CW\*(C`set0\*(C'\fR passes ownership from the caller to the object and a \&\f(CW\*(C`get0\*(C'\fR returns a pointer but the attribute ownership remains with the object and a reference to it is returned. A \f(CW\*(C`set1\*(C'\fR or \f(CW\*(C`get1\*(C'\fR function does not change the ownership, but instead -updates the attribute's reference count so that the object is shared +updates the attribute\*(Aqs reference count so that the object is shared between the caller and the object; the caller must free the returned attribute when finished. Functions that involve attributes that have reference counts themselves, but are named with just \f(CW\*(C`set\*(C'\fR or \f(CW\*(C`get\*(C'\fR are historical; and the documentation must state how the references are handled. -Get methods are often thread-safe as long as the ownership requirements are +Get methods are often thread\-safe as long as the ownership requirements are met and shared objects are not modified. -Set methods, or modifying shared objects, are generally not thread-safe +Set methods, or modifying shared objects, are generally not thread\-safe as discussed below. .PP -Objects are thread-safe -as long as the API's being invoked don't modify the object; in this +Objects are thread\-safe +as long as the API\*(Aqs being invoked don\*(Aqt modify the object; in this case the parameter is usually marked in the API as \f(CW\*(C`const\*(C'\fR. Not all parameters are marked this way. Note that a \f(CW\*(C`const\*(C'\fR declaration does not mean immutable; for example 
@@ -114,30 +117,30 @@ Note that a \f(CW\*(C`const\*(C'\fR declaration does not mean immutable; for exa uses a C cast to remove that so it can lock objects, generate and cache a DER encoding, and so on. .PP -Another instance of thread-safety is when updates to an object's +Another instance of thread\-safety is when updates to an object\*(Aqs internal state, such as cached values, are done with locks. -One example of this is the reference counting API's described above. +One example of this is the reference counting API\*(Aqs described above. .PP In all cases, however, it is generally not safe for one thread to mutate an object, such as setting elements of a private or public key, while another thread is using that object, such as verifying a signature. .PP -The same API's can usually be used simultaneously on different objects +The same API\*(Aqs can usually be used simultaneously on different objects without interference. For example, two threads can calculate a signature using two different \&\fBEVP_PKEY_CTX\fR objects. .PP -For implicit global state or singletons, thread-safety depends on the facility. -The \fBCRYPTO_secure_malloc\fR\|(3) and related API's have their own lock, +For implicit global state or singletons, thread\-safety depends on the facility. +The \fBCRYPTO_secure_malloc\fR\|(3) and related API\*(Aqs have their own lock, while \fBCRYPTO_malloc\fR\|(3) assumes the underlying platform allocation will do any necessary locking. -Some API's, such as \fBNCONF_load\fR\|(3) and related do no locking at all; +Some API\*(Aqs, such as \fBNCONF_load\fR\|(3) and related do no locking at all; this can be considered a bug. .PP A separate, although related, issue is modifying "factory" objects when other objects have been created from that. For example, an \fBSSL_CTX\fR object created by \fBSSL_CTX_new\fR\|(3) is used -to create per-connection \fBSSL\fR objects by calling \fBSSL_new\fR\|(3). 
+to create per\-connection \fBSSL\fR objects by calling \fBSSL_new\fR\|(3). In this specific case, and probably for factory methods in general, it is not safe to modify the factory object after it has been used to create other objects. diff --git a/secure/lib/libcrypto/man/man7/openssl_user_macros.7 b/secure/lib/libcrypto/man/man7/openssl_user_macros.7 index c668a30b28fc..0f685f8ecb93 100644 --- a/secure/lib/libcrypto/man/man7/openssl_user_macros.7 +++ b/secure/lib/libcrypto/man/man7/openssl_user_macros.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OPENSSL_USER_MACROS 7ossl" -.TH OPENSSL_USER_MACROS 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OPENSSL_USER_MACROS 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -87,7 +90,7 @@ The value is a version number, given in one of the following two forms: This is the form supported for all versions up to 1.1.x, where \f(CW\*(C`M\*(C'\fR represents the major number, \f(CW\*(C`NN\*(C'\fR represents the minor number, and \&\f(CW\*(C`FF\*(C'\fR represents the fix number, as a hexadecimal number. For version -1.1.0, that's \f(CW\*(C`0x10100000L\*(C'\fR. +1.1.0, that\*(Aqs \f(CW\*(C`0x10100000L\*(C'\fR. .Sp Any version number may be given, but these numbers are the current known major deprecation points, making them the most 
@@ -103,9 +106,9 @@ meaningful: .ie n .IP """0x10100000L"" (version 1.1.0)" 4 .el .IP "\f(CW0x10100000L\fR (version 1.1.0)" 4 .IX Item "0x10100000L (version 1.1.0)" +.PD .RE .RS 4 -.PD .Sp For convenience, higher numbers are accepted as well, as long as feasible. For example, \f(CW\*(C`0x60000000L\*(C'\fR will work as expected. @@ -128,12 +131,12 @@ minor and patch components of the version number. For example: .IX Item "10002 corresponds to version 1.0.2" .IP "420101 corresponds to version 42.1.1" 4 .IX Item "420101 corresponds to version 42.1.1" +.PD .RE .RS 4 .RE .RE .RS 4 -.PD .Sp If \fBOPENSSL_API_COMPAT\fR is undefined, this default value is used in its place: @@ -143,7 +146,7 @@ place: .IX Item "OPENSSL_NO_DEPRECATED" If this macro is defined, all deprecated public symbols in all OpenSSL versions up to and including the version given by \fBOPENSSL_API_COMPAT\fR -(or the default value given above, when \fBOPENSSL_API_COMPAT\fR isn't defined) +(or the default value given above, when \fBOPENSSL_API_COMPAT\fR isn\*(Aqt defined) will be hidden. .SH COPYRIGHT .IX Header "COPYRIGHT" diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-introduction.7 b/secure/lib/libcrypto/man/man7/ossl-guide-introduction.7 index af30d4713b20..3f7e65179714 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-introduction.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-introduction.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-INTRODUCTION 7ossl" -.TH OSSL-GUIDE-INTRODUCTION 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-INTRODUCTION 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -65,7 +68,7 @@ ossl\-guide\-introduction \&\- OpenSSL Guide: An introduction to OpenSSL .SH "WHAT IS OPENSSL?" .IX Header "WHAT IS OPENSSL?" -OpenSSL is a robust, commercial-grade, full-featured toolkit for general-purpose +OpenSSL is a robust, commercial\-grade, full\-featured toolkit for general\-purpose cryptography and secure communication. Its features are made available via a command line application that enables users to perform various cryptography related functions such as generating keys and certificates. Additionally it @@ -82,8 +85,8 @@ The OpenSSL Project develops and distributes the source code for OpenSSL. You can obtain that source code via the OpenSSL website (<https://www.openssl.org/source>). .PP -Many Operating Systems (notably Linux distributions) supply pre-built OpenSSL -binaries either pre-installed or available via the package management system in +Many Operating Systems (notably Linux distributions) supply pre\-built OpenSSL +binaries either pre\-installed or available via the package management system in use for that OS. It is worth checking whether this applies to you before attempting to build OpenSSL from the source code. .PP 
@@ -105,17 +108,17 @@ provides information about setting up Perl for use by the OpenSSL build system across multiple platforms. .PP Sometimes you may want to build and install OpenSSL from source on a system -which already has a pre-built version of OpenSSL installed on it via the +which already has a pre\-built version of OpenSSL installed on it via the Operating System package management system (for example if you want to use a newer version of OpenSSL than the one supplied by your Operating System). In this case it is strongly recommended to install OpenSSL to a different location -than where the pre-built version is installed. You should \fBnever\fR replace the -pre-built version with a different version as this may break your system. +than where the pre\-built version is installed. You should \fBnever\fR replace the +pre\-built version with a different version as this may break your system. .SH "CONTENTS OF THE OPENSSL GUIDE" .IX Header "CONTENTS OF THE OPENSSL GUIDE" The OpenSSL Guide is a series of documentation pages (starting with this one) that introduce some of the main concepts in OpenSSL. The guide can either be -read end-to-end in order, or alternatively you can simply skip to the parts most +read end\-to\-end in order, or alternatively you can simply skip to the parts most applicable to your use case. Note however that later pages may depend on and assume knowledge from earlier pages. .PP 
@@ -141,7 +144,7 @@ The pages in the guide are as follows: .IX Item "ossl-guide-quic-client-block: Writing a simple blocking QUIC client" .IP "\fBossl\-guide\-quic\-server\-block\fR\|(7): Writing a simple blocking QUIC server" 4 .IX Item "ossl-guide-quic-server-block: Writing a simple blocking QUIC server" -.IP "\fBossl\-guide\-quic\-multi\-stream\fR\|(7): Writing a simple multi-stream QUIC client" 4 +.IP "\fBossl\-guide\-quic\-multi\-stream\fR\|(7): Writing a simple multi\-stream QUIC client" 4 .IX Item "ossl-guide-quic-multi-stream: Writing a simple multi-stream QUIC client" .IP "\fBossl\-guide\-quic\-server\-non\-block\fR\|(7): Writing a simple nonblocking QUIC server" 4 .IX Item "ossl-guide-quic-server-non-block: Writing a simple nonblocking QUIC server" diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-libcrypto-introduction.7 b/secure/lib/libcrypto/man/man7/ossl-guide-libcrypto-introduction.7 index 67414659de75..f11336cffb77 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-libcrypto-introduction.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-libcrypto-introduction.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-LIBCRYPTO-INTRODUCTION 7ossl" -.TH OSSL-GUIDE-LIBCRYPTO-INTRODUCTION 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-LIBCRYPTO-INTRODUCTION 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -73,7 +76,7 @@ and protocols. .PP The functionality includes symmetric encryption, public key cryptography, key agreement, certificate handling, cryptographic hash functions, cryptographic -pseudo-random number generators, message authentication codes (MACs), key +pseudo\-random number generators, message authentication codes (MACs), key derivation functions (KDFs), and various utilities. .SS Algorithms .IX Subsection "Algorithms" diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-libraries-introduction.7 b/secure/lib/libcrypto/man/man7/ossl-guide-libraries-introduction.7 index 3e224034aa32..a4073d8fce84 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-libraries-introduction.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-libraries-introduction.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-LIBRARIES-INTRODUCTION 7ossl" -.TH OSSL-GUIDE-LIBRARIES-INTRODUCTION 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-LIBRARIES-INTRODUCTION 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -98,14 +101,14 @@ algorithm AES). In order to use an algorithm you must have at least one provider loaded that contains an implementation of it. OpenSSL comes with a number of providers and they may also be obtained from third parties. .PP -Providers may either be "built-in" or in the form of a separate loadable module +Providers may either be "built\-in" or in the form of a separate loadable module file (typically one ending in ".so" or ".dll" dependent on the platform). A -built-in provider is one that is either already present in \f(CW\*(C`libcrypto\*(C'\fR or one +built\-in provider is one that is either already present in \f(CW\*(C`libcrypto\*(C'\fR or one that the application has supplied itself directly. Third parties can also supply providers in the form of loadable modules. .PP -If you don't load a provider explicitly (either in program code or via config) -then the OpenSSL built-in "default" provider will be automatically loaded. +If you don\*(Aqt load a provider explicitly (either in program code or via config) +then the OpenSSL built\-in "default" provider will be automatically loaded. .PP See "OPENSSL PROVIDERS" below for a description of the providers that OpenSSL itself supplies. @@ -135,7 +138,7 @@ initialise OpenSSL for use. Unlike in earlier versions of OpenSSL (prior to 1.1.0) no explicit initialisation steps need to be taken. .PP Similarly when the application exits, the default library context is -automatically destroyed. No explicit de-initialisation steps need to be taken. +automatically destroyed. No explicit de\-initialisation steps need to be taken. .PP See \fBOSSL_LIB_CTX\fR\|(3) for more information about library contexts. See also "ALGORITHM FETCHING" in \fBossl\-guide\-libcrypto\-introduction\fR\|(7). 
@@ -163,12 +166,12 @@ there is a conflict. See "ALGORITHM FETCHING" in \fBossl\-guide\-libcrypto\-introduction\fR\|(7) for more information about fetching. See \fBproperty\fR\|(7) for more information about properties. -.SH "MULTI-THREADED APPLICATIONS" +.SH "MULTI\-THREADED APPLICATIONS" .IX Header "MULTI-THREADED APPLICATIONS" As long as OpenSSL has been built with support for threads (the default case -on most platforms) then most OpenSSL \fIfunctions\fR are thread-safe in the sense +on most platforms) then most OpenSSL \fIfunctions\fR are thread\-safe in the sense that it is safe to call the same function from multiple threads at the same -time. However most OpenSSL \fIdata structures\fR are not thread-safe. For example +time. However most OpenSSL \fIdata structures\fR are not thread\-safe. For example the \fBBIO_write\fR\|(3) and \fBBIO_read\fR\|(3) functions are thread safe. However it would not be thread safe to call \fBBIO_write()\fR from one thread while calling \&\fBBIO_read()\fR in another where both functions are passed the same \fBBIO\fR object 
@@ -232,14 +235,14 @@ As well as the OpenSSL providers third parties can also implement providers. For information on writing a provider see \fBprovider\fR\|(7). .SS "Default provider" .IX Subsection "Default provider" -The default provider is built-in as part of the \fIlibcrypto\fR library and +The default provider is built\-in as part of the \fIlibcrypto\fR library and contains all of the most commonly used algorithm implementations. Should it be needed (if other providers are loaded and offer implementations of the same algorithms), the property query string "provider=default" can be used as a search criterion for these implementations. The default provider includes all of the functionality in the base provider below. .PP -If you don't load any providers at all then the "default" provider will be +If you don\*(Aqt load any providers at all then the "default" provider will be automatically loaded. If you explicitly load any provider then the "default" provider would also need to be explicitly loaded if it is required. .PP @@ -267,7 +270,7 @@ providers are loaded and offer implementations of the same algorithms), the property query string "provider=fips" can be used as a search criterion for these implementations. All approved algorithm implementations in the FIPS provider can also be selected with the property "fips=yes". The FIPS provider -may also contain non-approved algorithm implementations and these can be +may also contain non\-approved algorithm implementations and these can be selected with the property "fips=no". .PP Typically the "Base provider" will also need to be loaded because the FIPS 
@@ -347,7 +350,7 @@ examples of how to use the various API functions. To look at them download the OpenSSL source code from the OpenSSL website (<https://www.openssl.org/source/>). Extract the downloaded \fB.tar.gz\fR file for the version of OpenSSL that you are using and look at the various files in the -\&\fBdemos\fR sub-directory. +\&\fBdemos\fR sub\-directory. .PP The Makefiles in the subdirectories give instructions on how to build and run the demo applications. diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-libssl-introduction.7 b/secure/lib/libcrypto/man/man7/ossl-guide-libssl-introduction.7 index ff205b48d623..f675b1baf2a8 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-libssl-introduction.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-libssl-introduction.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-LIBSSL-INTRODUCTION 7ossl" -.TH OSSL-GUIDE-LIBSSL-INTRODUCTION 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-LIBSSL-INTRODUCTION 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -91,15 +94,15 @@ used for exchanging data with the peer. .PP Both TLS and QUIC support the concept of a "stream" of data. Data sent via a stream is guaranteed to be delivered in order without any data loss. A stream -can be uni\- or bi-directional. +can be uni\- or bi\-directional. .PP SSL/TLS only supports one stream of data per connection and it is always -bi-directional. In this case the \fBSSL\fR object used for the connection also +bi\-directional. In this case the \fBSSL\fR object used for the connection also represents that stream. See \fBossl\-guide\-tls\-introduction\fR\|(7) for more information. .PP The QUIC protocol can support multiple streams per connection and they can be -uni\- or bi-directional. In this case an \fBSSL\fR object can represent the +uni\- or bi\-directional. In this case an \fBSSL\fR object can represent the underlying connection, or a stream, or both. Where multiple streams are in use a separate \fBSSL\fR object is used for each one. See \&\fBossl\-guide\-quic\-introduction\fR\|(7) for more information. diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-migration.7 b/secure/lib/libcrypto/man/man7/ossl-guide-migration.7 index 9cc9ad751edb..a79f80329c7c 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-migration.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-migration.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-MIGRATION 7ossl" -.TH OSSL-GUIDE-MIGRATION 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-MIGRATION 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -77,7 +80,7 @@ For an overview of some of the key concepts introduced in OpenSSL 3.0 see .IX Header "OPENSSL 3.1" .SS "Main Changes from OpenSSL 3.0" .IX Subsection "Main Changes from OpenSSL 3.0" -The FIPS provider in OpenSSL 3.1 includes some non-FIPS validated algorithms, +The FIPS provider in OpenSSL 3.1 includes some non\-FIPS validated algorithms, consequently the property query \f(CW\*(C`fips=yes\*(C'\fR is mandatory for applications that want to operate in a FIPS approved manner. The algorithms are: .IP "Triple DES ECB" 4 
@@ -209,19 +212,19 @@ will still work. However, their applicability will be limited. .PP New algorithms provided via engines will still work. .PP -Engine-backed keys can be loaded via custom \fBOSSL_STORE\fR implementation. +Engine\-backed keys can be loaded via custom \fBOSSL_STORE\fR implementation. In this case the \fBEVP_PKEY\fR objects created via \fBENGINE_load_private_key\fR\|(3) will be considered legacy and will continue to work. .PP To ensure the future compatibility, the engines should be turned to providers. -To prefer the provider-based hardware offload, you can specify the default +To prefer the provider\-based hardware offload, you can specify the default properties to prefer your provider. .PP -Setting engine-based or application-based default low-level crypto method such +Setting engine\-based or application\-based default low\-level crypto method such as \fBRSA_METHOD\fR or \fBEC_KEY_METHOD\fR is still possible and keys inside the -default provider will use the engine-based implementation for the crypto +default provider will use the engine\-based implementation for the crypto operations. However \fBEVP_PKEY\fRs created by decoding by using \fBOSSL_DECODER\fR, -\&\fBPEM_\fR or \fBd2i_\fR APIs will be provider-based. To create a fully legacy +\&\fBPEM_\fR or \fBd2i_\fR APIs will be provider\-based. To create a fully legacy \&\fBEVP_PKEY\fRs \fBEVP_PKEY_set1_RSA\fR\|(3), \fBEVP_PKEY_set1_EC_KEY\fR\|(3) or similar functions must be used. .PP 
@@ -245,10 +248,10 @@ For more information, see \fBOpenSSL_version\fR\|(3). \fIOther major new features\fR .IX Subsection "Other major new features" .PP -Certificate Management Protocol (CMP, RFC 4210) -.IX Subsection "Certificate Management Protocol (CMP, RFC 4210)" +Certificate Management Protocol (CMP, RFC 9810) +.IX Subsection "Certificate Management Protocol (CMP, RFC 9810)" .PP -This also covers CRMF (RFC 4211) and HTTP transfer (RFC 6712) +This also covers CRMF (RFC 4211) and HTTP transfer (RFC 9811) See \fBopenssl\-cmp\fR\|(1) and \fBOSSL_CMP_exec_certreq\fR\|(3) as starting points. .PP HTTP(S) client @@ -262,7 +265,7 @@ Key Derivation Function API (EVP_KDF) .PP This simplifies the process of adding new KDF and PRF implementations. .PP -Previously KDF algorithms had been shoe-horned into using the EVP_PKEY object +Previously KDF algorithms had been shoe\-horned into using the EVP_PKEY object which was not a logical mapping. Existing applications that use KDF algorithms using EVP_PKEY (scrypt, TLS1 PRF and HKDF) may be slower as they use an EVP_KDF bridge @@ -316,7 +319,7 @@ KEM Algorithm "RSASVE" .Sp See \fBEVP_KEM\-RSA\fR\|(7). .IP \(bu 4 -Cipher Algorithm "AES-SIV" +Cipher Algorithm "AES\-SIV" .Sp See "SIV Mode" in \fBEVP_EncryptInit\fR\|(3). .IP \(bu 4 
@@ -336,13 +339,13 @@ CS1, CS2 and CS3 variants are supported. CMS and PKCS#7 updates .IX Subsection "CMS and PKCS#7 updates" .IP \(bu 4 -Added CAdES-BES signature verification support. +Added CAdES\-BES signature verification support. .IP \(bu 4 -Added CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API. +Added CAdES\-BES signature scheme and attributes support (RFC 5126) to CMS API. .IP \(bu 4 Added AuthEnvelopedData content type structure (RFC 5083) using AES_GCM .Sp -This uses the AES-GCM parameter (RFC 5084) for the Cryptographic Message Syntax. +This uses the AES\-GCM parameter (RFC 5084) for the Cryptographic Message Syntax. Its purpose is to support encryption and decryption of a digital envelope that is both authenticated and encrypted using AES GCM mode. .IP \(bu 4 @@ -354,7 +357,7 @@ PKCS#12 API updates The default algorithms for pkcs12 creation with the \fBPKCS12_create()\fR function were changed to more modern PBKDF2 and AES based algorithms. The default MAC iteration count was changed to PKCS12_DEFAULT_ITER to make it equal -with the password-based encryption iteration count. The default digest +with the password\-based encryption iteration count. The default digest algorithm for the MAC computation was changed to SHA\-256. The pkcs12 application now supports \-legacy option that restores the previous default algorithms to support interoperability with legacy systems. @@ -425,7 +428,7 @@ This code is now always set to zero. Related functions are deprecated. STACK and HASH macros have been cleaned up .IX Subsection "STACK and HASH macros have been cleaned up" .PP -The type-safe wrappers are declared everywhere and implemented once. +The type\-safe wrappers are declared everywhere and implemented once. See \fBDEFINE_STACK_OF\fR\|(3) and \fBDEFINE_LHASH_OF_EX\fR\|(3). .PP The RAND_DRBG subsystem has been removed 
@@ -446,7 +449,7 @@ model. Applications should instead use Key generation is slower .IX Subsection "Key generation is slower" .PP -The Miller-Rabin test now uses 64 rounds, which is used for all prime generation, +The Miller\-Rabin test now uses 64 rounds, which is used for all prime generation, including RSA key generation. This affects the time for larger keys sizes. .PP The default key generation method for the regular 2\-prime RSA keys was changed @@ -502,7 +505,7 @@ Functions that return an internal key should be treated as read only .IX Subsection "Functions that return an internal key should be treated as read only" .PP Functions such as \fBEVP_PKEY_get0_RSA\fR\|(3) behave slightly differently in -OpenSSL 3.0. Previously they returned a pointer to the low-level key used +OpenSSL 3.0. Previously they returned a pointer to the low\-level key used internally by libcrypto. From OpenSSL 3.0 this key may now be held in a provider. Calling these functions will only return a handle on the internal key where the EVP_PKEY was constructed using this key in the first place, for 
@@ -515,15 +518,15 @@ the cached copy. Similarly any changes made to the cached copy by application code will not be reflected back in the internal provider key. .PP For the above reasons the keys returned from these functions should typically be -treated as read-only. To emphasise this the value returned from +treated as read\-only. To emphasise this the value returned from \&\fBEVP_PKEY_get0_RSA\fR\|(3), \fBEVP_PKEY_get0_DSA\fR\|(3), \fBEVP_PKEY_get0_EC_KEY\fR\|(3) and \&\fBEVP_PKEY_get0_DH\fR\|(3) have been made const. This may break some existing code. Applications broken by this change should be modified. The preferred solution is to refactor the code to avoid the use of these deprecated functions. Failing this the code should be modified to use a const pointer instead. The \fBEVP_PKEY_get1_RSA\fR\|(3), \fBEVP_PKEY_get1_DSA\fR\|(3), \fBEVP_PKEY_get1_EC_KEY\fR\|(3) -and \fBEVP_PKEY_get1_DH\fR\|(3) functions continue to return a non-const pointer to -enable them to be "freed". However they should also be treated as read-only. +and \fBEVP_PKEY_get1_DH\fR\|(3) functions continue to return a non\-const pointer to +enable them to be "freed". However they should also be treated as read\-only. .PP The public key check has moved from \fBEVP_PKEY_derive()\fR to \fBEVP_PKEY_derive_set_peer()\fR .IX Subsection "The public key check has moved from EVP_PKEY_derive() to EVP_PKEY_derive_set_peer()" 
@@ -619,9 +622,9 @@ As OpenSSL 3.0 provides a brand new Encoder/Decoder mechanism for working with widely used file formats, application code that checks for particular error reason codes on key loading failures might need an update. .PP -Password-protected keys may deserve special attention. If only some errors +Password\-protected keys may deserve special attention. If only some errors are treated as an indicator that the user should be asked about the password again, -it's worth testing these scenarios and processing the newly relevant codes. +it\*(Aqs worth testing these scenarios and processing the newly relevant codes. .PP There may be more cases to treat specially, depending on the calling application code. .SS "Upgrading from OpenSSL 1.0.2" @@ -690,7 +693,7 @@ See \fBfips_module\fR\|(7) and \fBOSSL_PROVIDER\-FIPS\fR\|(7) for details. .IX Subsection "Completing the installation of the FIPS Module" The FIPS Module will be built and installed automatically if FIPS support has been configured. The current documentation can be found in the -README-FIPS <https://github.com/openssl/openssl/blob/master/README-FIPS.md> file. +README\-FIPS <https://github.com/openssl/openssl/blob/master/README-FIPS.md> file. .SS Programming .IX Subsection "Programming" Applications written to work with OpenSSL 1.1.1 will mostly just work with @@ -937,7 +940,7 @@ This section describes some common categories of deprecations. See "Deprecated function mappings" for the list of deprecated functions that refer to these categories. .PP -Providers are a replacement for engines and low-level method overrides +Providers are a replacement for engines and low\-level method overrides .IX Subsection "Providers are a replacement for engines and low-level method overrides" .PP Any accessor that uses an ENGINE is deprecated (such as \fBEVP_PKEY_set1_engine()\fR). 
@@ -947,26 +950,26 @@ Before providers were added algorithms were overridden by changing the methods used by algorithms. All these methods such as \fBRSA_new_method()\fR and \fBRSA_meth_new()\fR are now deprecated and can be replaced by using providers instead. .PP -Deprecated i2d and d2i functions for low-level key types +Deprecated i2d and d2i functions for low\-level key types .IX Subsection "Deprecated i2d and d2i functions for low-level key types" .PP -Any i2d and d2i functions such as \fBd2i_DHparams()\fR that take a low-level key type +Any i2d and d2i functions such as \fBd2i_DHparams()\fR that take a low\-level key type have been deprecated. Applications should instead use the \fBOSSL_DECODER\fR\|(3) and \&\fBOSSL_ENCODER\fR\|(3) APIs to read and write files. See "Migration" in \fBd2i_RSAPrivateKey\fR\|(3) for further details. .PP -Deprecated low-level key object getters and setters +Deprecated low\-level key object getters and setters .IX Subsection "Deprecated low-level key object getters and setters" .PP -Applications that set or get low-level key objects (such as \fBEVP_PKEY_set1_DH()\fR +Applications that set or get low\-level key objects (such as \fBEVP_PKEY_set1_DH()\fR or \fBEVP_PKEY_get0()\fR) should instead use the OSSL_ENCODER (See \fBOSSL_ENCODER_to_bio\fR\|(3)) or OSSL_DECODER (See \fBOSSL_DECODER_from_bio\fR\|(3)) APIs, or alternatively use \fBEVP_PKEY_fromdata\fR\|(3) or \fBEVP_PKEY_todata\fR\|(3). .PP -Deprecated low-level key parameter getters +Deprecated low\-level key parameter getters .IX Subsection "Deprecated low-level key parameter getters" .PP -Functions that access low-level objects directly such as \fBRSA_get0_n\fR\|(3) are now +Functions that access low\-level objects directly such as \fBRSA_get0_n\fR\|(3) are now deprecated. Applications should use one of: \&\fBEVP_PKEY_get_bn_param\fR\|(3), \&\fBEVP_PKEY_get_int_param\fR\|(3), 
@@ -987,116 +990,116 @@ and "Common parameters" in \fBEVP_PKEY\-ML\-KEM\fR\|(7). Applications may also use \fBEVP_PKEY_todata\fR\|(3) to return all fields. .PP -Deprecated low-level key parameter setters +Deprecated low\-level key parameter setters .IX Subsection "Deprecated low-level key parameter setters" .PP -Functions that access low-level objects directly such as \fBRSA_set0_crt_params\fR\|(3) +Functions that access low\-level objects directly such as \fBRSA_set0_crt_params\fR\|(3) are now deprecated. Applications should use \fBEVP_PKEY_fromdata\fR\|(3) to create new keys from user provided key data. Keys should be immutable once they are created, so if required the user may use \fBEVP_PKEY_todata\fR\|(3), \fBOSSL_PARAM_merge\fR\|(3), and \fBEVP_PKEY_fromdata\fR\|(3) to create a modified key. See "Examples" in \fBEVP_PKEY\-DH\fR\|(7) for more information. -See "Deprecated low-level key generation functions" for information on +See "Deprecated low\-level key generation functions" for information on generating a key using parameters. .PP -Deprecated low-level object creation +Deprecated low\-level object creation .IX Subsection "Deprecated low-level object creation" .PP -Low-level objects were created using methods such as \fBRSA_new\fR\|(3), +Low\-level objects were created using methods such as \fBRSA_new\fR\|(3), \&\fBRSA_up_ref\fR\|(3) and \fBRSA_free\fR\|(3). Applications should instead use the -high-level EVP_PKEY APIs, e.g. \fBEVP_PKEY_new\fR\|(3), \fBEVP_PKEY_up_ref\fR\|(3) and +high\-level EVP_PKEY APIs, e.g. \fBEVP_PKEY_new\fR\|(3), \fBEVP_PKEY_up_ref\fR\|(3) and \&\fBEVP_PKEY_free\fR\|(3). See also \fBEVP_PKEY_CTX_new_from_name\fR\|(3) and \fBEVP_PKEY_CTX_new_from_pkey\fR\|(3). .PP EVP_PKEYs may be created in a variety of ways: -See also "Deprecated low-level key generation functions", -"Deprecated low-level key reading and writing functions" and -"Deprecated low-level key parameter setters". 
+See also "Deprecated low\-level key generation functions", +"Deprecated low\-level key reading and writing functions" and +"Deprecated low\-level key parameter setters". .PP -Deprecated low-level encryption functions +Deprecated low\-level encryption functions .IX Subsection "Deprecated low-level encryption functions" .PP -Low-level encryption functions such as \fBAES_encrypt\fR\|(3) and \fBAES_decrypt\fR\|(3) +Low\-level encryption functions such as \fBAES_encrypt\fR\|(3) and \fBAES_decrypt\fR\|(3) have been informally discouraged from use for a long time. Applications should instead use the high level EVP APIs \fBEVP_EncryptInit_ex\fR\|(3), \&\fBEVP_EncryptUpdate\fR\|(3), and \fBEVP_EncryptFinal_ex\fR\|(3) or \&\fBEVP_DecryptInit_ex\fR\|(3), \fBEVP_DecryptUpdate\fR\|(3) and \fBEVP_DecryptFinal_ex\fR\|(3). .PP -Deprecated low-level digest functions +Deprecated low\-level digest functions .IX Subsection "Deprecated low-level digest functions" .PP -Use of low-level digest functions such as \fBSHA1_Init\fR\|(3) have been +Use of low\-level digest functions such as \fBSHA1_Init\fR\|(3) have been informally discouraged from use for a long time. Applications should instead use the high level EVP APIs \fBEVP_DigestInit_ex\fR\|(3), \fBEVP_DigestUpdate\fR\|(3) -and \fBEVP_DigestFinal_ex\fR\|(3), or the quick one-shot \fBEVP_Q_digest\fR\|(3). +and \fBEVP_DigestFinal_ex\fR\|(3), or the quick one\-shot \fBEVP_Q_digest\fR\|(3). .PP Note that the functions \fBSHA1\fR\|(3), \fBSHA224\fR\|(3), \fBSHA256\fR\|(3), \fBSHA384\fR\|(3) and \fBSHA512\fR\|(3) have changed to macros that use \fBEVP_Q_digest\fR\|(3). .PP -Deprecated low-level signing functions +Deprecated low\-level signing functions .IX Subsection "Deprecated low-level signing functions" .PP -Use of low-level signing functions such as \fBDSA_sign\fR\|(3) have been +Use of low\-level signing functions such as \fBDSA_sign\fR\|(3) have been informally discouraged for a long time. 
Instead applications should use \&\fBEVP_DigestSign\fR\|(3) and \fBEVP_DigestVerify\fR\|(3). See also \fBEVP_SIGNATURE\-RSA\fR\|(7), \fBEVP_SIGNATURE\-DSA\fR\|(7), \&\fBEVP_SIGNATURE\-ECDSA\fR\|(7) and \fBEVP_SIGNATURE\-ED25519\fR\|(7). .PP -Deprecated low-level MAC functions +Deprecated low\-level MAC functions .IX Subsection "Deprecated low-level MAC functions" .PP -Low-level mac functions such as \fBCMAC_Init\fR\|(3) are deprecated. +Low\-level mac functions such as \fBCMAC_Init\fR\|(3) are deprecated. Applications should instead use the new \fBEVP_MAC\fR\|(3) interface, using \&\fBEVP_MAC_CTX_new\fR\|(3), \fBEVP_MAC_CTX_free\fR\|(3), \fBEVP_MAC_init\fR\|(3), -\&\fBEVP_MAC_update\fR\|(3) and \fBEVP_MAC_final\fR\|(3) or the single-shot MAC function +\&\fBEVP_MAC_update\fR\|(3) and \fBEVP_MAC_final\fR\|(3) or the single\-shot MAC function \&\fBEVP_Q_mac\fR\|(3). See \fBEVP_MAC\fR\|(3), \fBEVP_MAC\-HMAC\fR\|(7), \fBEVP_MAC\-CMAC\fR\|(7), \fBEVP_MAC\-GMAC\fR\|(7), \&\fBEVP_MAC\-KMAC\fR\|(7), \fBEVP_MAC\-BLAKE2\fR\|(7), \fBEVP_MAC\-Poly1305\fR\|(7) and \&\fBEVP_MAC\-Siphash\fR\|(7) for additional information. .PP -Note that the one-shot method \fBHMAC()\fR is still available for compatibility purposes, +Note that the one\-shot method \fBHMAC()\fR is still available for compatibility purposes, but this can also be replaced by using EVP_Q_MAC if a library context is required. .PP -Deprecated low-level validation functions +Deprecated low\-level validation functions .IX Subsection "Deprecated low-level validation functions" .PP -Low-level validation functions such as \fBDH_check\fR\|(3) have been informally -discouraged from use for a long time. Applications should instead use the high-level +Low\-level validation functions such as \fBDH_check\fR\|(3) have been informally +discouraged from use for a long time. 
Applications should instead use the high\-level EVP_PKEY APIs such as \fBEVP_PKEY_check\fR\|(3), \fBEVP_PKEY_param_check\fR\|(3), \&\fBEVP_PKEY_param_check_quick\fR\|(3), \fBEVP_PKEY_public_check\fR\|(3), \&\fBEVP_PKEY_public_check_quick\fR\|(3), \fBEVP_PKEY_private_check\fR\|(3), and \fBEVP_PKEY_pairwise_check\fR\|(3). .PP -Deprecated low-level key exchange functions +Deprecated low\-level key exchange functions .IX Subsection "Deprecated low-level key exchange functions" .PP -Many low-level functions have been informally discouraged from use for a long +Many low\-level functions have been informally discouraged from use for a long time. Applications should instead use \fBEVP_PKEY_derive\fR\|(3). See \fBEVP_KEYEXCH\-DH\fR\|(7), \fBEVP_KEYEXCH\-ECDH\fR\|(7) and \fBEVP_KEYEXCH\-X25519\fR\|(7). .PP -Deprecated low-level key generation functions +Deprecated low\-level key generation functions .IX Subsection "Deprecated low-level key generation functions" .PP -Many low-level functions have been informally discouraged from use for a long +Many low\-level functions have been informally discouraged from use for a long time. Applications should instead use \fBEVP_PKEY_keygen_init\fR\|(3) and \&\fBEVP_PKEY_generate\fR\|(3) as described in \fBEVP_PKEY\-DSA\fR\|(7), \fBEVP_PKEY\-DH\fR\|(7), \&\fBEVP_PKEY\-RSA\fR\|(7), \fBEVP_PKEY\-EC\fR\|(7) and \fBEVP_PKEY\-X25519\fR\|(7). -The 'quick' one-shot function \fBEVP_PKEY_Q_keygen\fR\|(3) and macros for the most +The \*(Aqquick\*(Aq one\-shot function \fBEVP_PKEY_Q_keygen\fR\|(3) and macros for the most common cases: <\fBEVP_RSA_gen\fR\|(3)> and \fBEVP_EC_gen\fR\|(3) may also be used. .PP -Deprecated low-level key reading and writing functions +Deprecated low\-level key reading and writing functions .IX Subsection "Deprecated low-level key reading and writing functions" .PP -Use of low-level objects (such as DSA) has been informally discouraged from use -for a long time. 
Functions to read and write these low-level objects (such as +Use of low\-level objects (such as DSA) has been informally discouraged from use +for a long time. Functions to read and write these low\-level objects (such as \&\fBPEM_read_DSA_PUBKEY()\fR) should be replaced. Applications should instead use \&\fBOSSL_ENCODER_to_bio\fR\|(3) and \fBOSSL_DECODER_from_bio\fR\|(3). .PP -Deprecated low-level key printing functions +Deprecated low\-level key printing functions .IX Subsection "Deprecated low-level key printing functions" .PP -Use of low-level objects (such as DSA) has been informally discouraged from use -for a long time. Functions to print these low-level objects such as +Use of low\-level objects (such as DSA) has been informally discouraged from use +for a long time. Functions to print these low\-level objects such as \&\fBDSA_print()\fR should be replaced with the equivalent EVP_PKEY functions. Application should use one of \fBEVP_PKEY_print_public\fR\|(3), \&\fBEVP_PKEY_print_private\fR\|(3), \fBEVP_PKEY_print_params\fR\|(3), @@ -1114,7 +1117,7 @@ The following functions have been deprecated in 3.0. There is no replacement for the IGE functions. New code should not use these modes. These undocumented functions were never integrated into the EVP layer. They implemented the AES Infinite Garble Extension (IGE) mode and AES -Bi-directional IGE mode. These modes were never formally standardised and +Bi\-directional IGE mode. These modes were never formally standardised and usage of these functions is believed to be very small. In particular \&\fBAES_bi_ige_encrypt()\fR has a known bug. It accepts 2 AES keys, but only one is ever used. The security implications are believed to be minimal, but 
@@ -1126,7 +1129,7 @@ this issue was never fixed for backwards compatibility reasons. .IP \(bu 4 \&\fBAES_unwrap_key()\fR, \fBAES_wrap_key()\fR .Sp -See "Deprecated low-level encryption functions" +See "Deprecated low\-level encryption functions" .IP \(bu 4 \&\fBAES_options()\fR .Sp @@ -1146,7 +1149,7 @@ previously passed in pointer. \&\fBBF_encrypt()\fR, \fBBF_decrypt()\fR, \fBBF_set_key()\fR, \fBBF_cbc_encrypt()\fR, \fBBF_cfb64_encrypt()\fR, \&\fBBF_ecb_encrypt()\fR, \fBBF_ofb64_encrypt()\fR .Sp -See "Deprecated low-level encryption functions". +See "Deprecated low\-level encryption functions". The Blowfish algorithm has been moved to the Legacy Provider. .IP \(bu 4 \&\fBBF_options()\fR @@ -1155,12 +1158,12 @@ There is no replacement. This option returned a constant string. .IP \(bu 4 \&\fBBIO_get_callback()\fR, \fBBIO_set_callback()\fR, \fBBIO_debug_callback()\fR .Sp -Use the respective non-deprecated \fB_ex()\fR functions. +Use the respective non\-deprecated \fB_ex()\fR functions. .IP \(bu 4 \&\fBBN_is_prime_ex()\fR, \fBBN_is_prime_fasttest_ex()\fR .Sp Use \fBBN_check_prime\fR\|(3) which avoids possible misuse and always uses at least -64 rounds of the Miller-Rabin primality test. +64 rounds of the Miller\-Rabin primality test. .IP \(bu 4 \&\fBBN_pseudo_rand()\fR, \fBBN_pseudo_rand_range()\fR .Sp @@ -1168,7 +1171,7 @@ Use \fBBN_rand\fR\|(3) and \fBBN_rand_range\fR\|(3). .IP \(bu 4 \&\fBBN_X931_derive_prime_ex()\fR, \fBBN_X931_generate_prime_ex()\fR, \fBBN_X931_generate_Xpq()\fR .Sp -There are no replacements for these low-level functions. They were used internally +There are no replacements for these low\-level functions. They were used internally by \fBRSA_X931_derive_ex()\fR and \fBRSA_X931_generate_key_ex()\fR which are also deprecated. Use \fBEVP_PKEY_keygen\fR\|(3) instead. .IP \(bu 4 
@@ -1177,29 +1180,29 @@ Use \fBEVP_PKEY_keygen\fR\|(3) instead. \&\fBCamellia_cfb8_encrypt()\fR, \fBCamellia_ctr128_encrypt()\fR, \fBCamellia_ecb_encrypt()\fR, \&\fBCamellia_ofb128_encrypt()\fR .Sp -See "Deprecated low-level encryption functions". +See "Deprecated low\-level encryption functions". .IP \(bu 4 \&\fBCAST_encrypt()\fR, \fBCAST_decrypt()\fR, \fBCAST_set_key()\fR, \fBCAST_cbc_encrypt()\fR, \&\fBCAST_cfb64_encrypt()\fR, \fBCAST_ecb_encrypt()\fR, \fBCAST_ofb64_encrypt()\fR .Sp -See "Deprecated low-level encryption functions". +See "Deprecated low\-level encryption functions". The CAST algorithm has been moved to the Legacy Provider. .IP \(bu 4 \&\fBCMAC_CTX_new()\fR, \fBCMAC_CTX_cleanup()\fR, \fBCMAC_CTX_copy()\fR, \fBCMAC_CTX_free()\fR, \&\fBCMAC_CTX_get0_cipher_ctx()\fR .Sp -See "Deprecated low-level MAC functions". +See "Deprecated low\-level MAC functions". .IP \(bu 4 \&\fBCMAC_Init()\fR, \fBCMAC_Update()\fR, \fBCMAC_Final()\fR, \fBCMAC_resume()\fR .Sp -See "Deprecated low-level MAC functions". +See "Deprecated low\-level MAC functions". .IP \(bu 4 \&\fBCRYPTO_mem_ctrl()\fR, \fBCRYPTO_mem_debug_free()\fR, \fBCRYPTO_mem_debug_malloc()\fR, \&\fBCRYPTO_mem_debug_pop()\fR, \fBCRYPTO_mem_debug_push()\fR, \fBCRYPTO_mem_debug_realloc()\fR, \&\fBCRYPTO_mem_leaks()\fR, \fBCRYPTO_mem_leaks_cb()\fR, \fBCRYPTO_mem_leaks_fp()\fR, \&\fBCRYPTO_set_mem_debug()\fR .Sp -Memory-leak checking has been deprecated in favor of more modern development +Memory\-leak checking has been deprecated in favor of more modern development tools, such as compiler memory and leak sanitizers or Valgrind. .IP \(bu 4 \&\fBCRYPTO_cts128_encrypt_block()\fR, \fBCRYPTO_cts128_encrypt()\fR, 
@@ -1223,12 +1226,12 @@ See "EXAMPLES" in \fBEVP_EncryptInit\fR\|(3) for a AES\-256\-CBC\-CTS example. \&\fBd2i_RSA_PUBKEY_bio()\fR, \fBd2i_RSA_PUBKEY_fp()\fR, \fBd2i_RSAPublicKey()\fR, \&\fBd2i_RSAPublicKey_bio()\fR, \fBd2i_RSAPublicKey_fp()\fR .Sp -See "Deprecated i2d and d2i functions for low-level key types" +See "Deprecated i2d and d2i functions for low\-level key types" .IP \(bu 4 \&\fBo2i_ECPublicKey()\fR .Sp Use \fBEVP_PKEY_set1_encoded_public_key\fR\|(3). -See "Deprecated low-level key parameter setters" +See "Deprecated low\-level key parameter setters" .IP \(bu 4 \&\fBDES_crypt()\fR, \fBDES_fcrypt()\fR, \fBDES_encrypt1()\fR, \fBDES_encrypt2()\fR, \fBDES_encrypt3()\fR, \&\fBDES_decrypt3()\fR, \fBDES_ede3_cbc_encrypt()\fR, \fBDES_ede3_cfb64_encrypt()\fR, @@ -1240,8 +1243,8 @@ DES_cfb64_encrypt \fBDES_cfb_encrypt()\fR, \fBDES_cbc_encrypt()\fR, \fBDES_ncbc_ \&\fBDES_random_key()\fR, \fBDES_set_key()\fR, \fBDES_set_key_checked()\fR, \fBDES_set_key_unchecked()\fR, \&\fBDES_set_odd_parity()\fR, \fBDES_string_to_2keys()\fR, \fBDES_string_to_key()\fR .Sp -See "Deprecated low-level encryption functions". -Algorithms for "DESX-CBC", "DES-ECB", "DES-CBC", "DES-OFB", "DES-CFB", +See "Deprecated low\-level encryption functions". +Algorithms for "DESX\-CBC", "DES\-ECB", "DES\-CBC", "DES\-OFB", "DES\-CFB", "DES\-CFB1" and "DES\-CFB8" have been moved to the Legacy Provider. .IP \(bu 4 \&\fBDH_bits()\fR, \fBDH_security_bits()\fR, \fBDH_size()\fR @@ -1252,7 +1255,7 @@ Use \fBEVP_PKEY_get_bits\fR\|(3), \fBEVP_PKEY_get_security_bits\fR\|(3) and \&\fBDH_check()\fR, \fBDH_check_ex()\fR, \fBDH_check_params()\fR, \fBDH_check_params_ex()\fR, \&\fBDH_check_pub_key()\fR, \fBDH_check_pub_key_ex()\fR .Sp -See "Deprecated low-level validation functions" +See "Deprecated low\-level validation functions" .IP \(bu 4 \&\fBDH_clear_flags()\fR, \fBDH_test_flags()\fR, \fBDH_set_flags()\fR .Sp 
@@ -1263,20 +1266,20 @@ There is no replacement for setting these flags. .IP \(bu 4 \&\fBDH_compute_key()\fR \fBDH_compute_key_padded()\fR .Sp -See "Deprecated low-level key exchange functions". +See "Deprecated low\-level key exchange functions". .IP \(bu 4 \&\fBDH_new()\fR, \fBDH_new_by_nid()\fR, \fBDH_free()\fR, \fBDH_up_ref()\fR .Sp -See "Deprecated low-level object creation" +See "Deprecated low\-level object creation" .IP \(bu 4 \&\fBDH_generate_key()\fR, \fBDH_generate_parameters_ex()\fR .Sp -See "Deprecated low-level key generation functions". +See "Deprecated low\-level key generation functions". .IP \(bu 4 \&\fBDH_get0_pqg()\fR, \fBDH_get0_p()\fR, \fBDH_get0_q()\fR, \fBDH_get0_g()\fR, \fBDH_get0_key()\fR, \&\fBDH_get0_priv_key()\fR, \fBDH_get0_pub_key()\fR, \fBDH_get_length()\fR, \fBDH_get_nid()\fR .Sp -See "Deprecated low-level key parameter getters" +See "Deprecated low\-level key parameter getters" .IP \(bu 4 \&\fBDH_get_1024_160()\fR, \fBDH_get_2048_224()\fR, \fBDH_get_2048_256()\fR .Sp @@ -1292,15 +1295,15 @@ Applications should use \fBEVP_PKEY_CTX_set_dh_kdf_type\fR\|(3) instead. \&\fBDH_OpenSSL()\fR, \fBDH_get_ex_data()\fR, \fBDH_set_default_method()\fR, \fBDH_set_method()\fR, \&\fBDH_set_ex_data()\fR .Sp -See "Providers are a replacement for engines and low-level method overrides" +See "Providers are a replacement for engines and low\-level method overrides" .IP \(bu 4 \&\fBDHparams_print()\fR, \fBDHparams_print_fp()\fR .Sp -See "Deprecated low-level key printing functions" +See "Deprecated low\-level key printing functions" .IP \(bu 4 \&\fBDH_set0_key()\fR, \fBDH_set0_pqg()\fR, \fBDH_set_length()\fR .Sp -See "Deprecated low-level key parameter setters" +See "Deprecated low\-level key parameter setters" .IP \(bu 4 \&\fBDSA_bits()\fR, \fBDSA_security_bits()\fR, \fBDSA_size()\fR .Sp 
@@ -1314,22 +1317,22 @@ and \fBEVP_PKEY_dup\fR\|(3) instead. .IP \(bu 4 \&\fBDSA_generate_key()\fR, \fBDSA_generate_parameters_ex()\fR .Sp -See "Deprecated low-level key generation functions". +See "Deprecated low\-level key generation functions". .IP \(bu 4 \&\fBDSA_get0_engine()\fR, \fBDSA_get_default_method()\fR, \fBDSA_get_ex_data()\fR, \&\fBDSA_get_method()\fR, DSA_meth_*(), \fBDSA_new_method()\fR, \fBDSA_OpenSSL()\fR, \&\fBDSA_set_default_method()\fR, \fBDSA_set_ex_data()\fR, \fBDSA_set_method()\fR .Sp -See "Providers are a replacement for engines and low-level method overrides". +See "Providers are a replacement for engines and low\-level method overrides". .IP \(bu 4 \&\fBDSA_get0_p()\fR, \fBDSA_get0_q()\fR, \fBDSA_get0_g()\fR, \fBDSA_get0_pqg()\fR, \fBDSA_get0_key()\fR, \&\fBDSA_get0_priv_key()\fR, \fBDSA_get0_pub_key()\fR .Sp -See "Deprecated low-level key parameter getters". +See "Deprecated low\-level key parameter getters". .IP \(bu 4 \&\fBDSA_new()\fR, \fBDSA_free()\fR, \fBDSA_up_ref()\fR .Sp -See "Deprecated low-level object creation" +See "Deprecated low\-level object creation" .IP \(bu 4 \&\fBDSAparams_dup()\fR .Sp @@ -1338,11 +1341,11 @@ and \fBEVP_PKEY_dup\fR\|(3) instead. .IP \(bu 4 \&\fBDSAparams_print()\fR, \fBDSAparams_print_fp()\fR, \fBDSA_print()\fR, \fBDSA_print_fp()\fR .Sp -See "Deprecated low-level key printing functions" +See "Deprecated low\-level key printing functions" .IP \(bu 4 \&\fBDSA_set0_key()\fR, \fBDSA_set0_pqg()\fR .Sp -See "Deprecated low-level key parameter setters" +See "Deprecated low\-level key parameter setters" .IP \(bu 4 \&\fBDSA_set_flags()\fR, \fBDSA_clear_flags()\fR, \fBDSA_test_flags()\fR .Sp 
@@ -1350,22 +1353,22 @@ The \fBDSA_FLAG_CACHE_MONT_P\fR flag has been deprecated without replacement. .IP \(bu 4 \&\fBDSA_sign()\fR, \fBDSA_do_sign()\fR, \fBDSA_sign_setup()\fR, \fBDSA_verify()\fR, \fBDSA_do_verify()\fR .Sp -See "Deprecated low-level signing functions". +See "Deprecated low\-level signing functions". .IP \(bu 4 \&\fBECDH_compute_key()\fR .Sp -See "Deprecated low-level key exchange functions". +See "Deprecated low\-level key exchange functions". .IP \(bu 4 \&\fBECDH_KDF_X9_62()\fR .Sp Applications may either set this using the helper function \&\fBEVP_PKEY_CTX_set_ecdh_kdf_type\fR\|(3) or by setting an \fBOSSL_PARAM\fR\|(3) using the -"kdf-type" as shown in "EXAMPLES" in \fBEVP_KEYEXCH\-ECDH\fR\|(7) +"kdf\-type" as shown in "EXAMPLES" in \fBEVP_KEYEXCH\-ECDH\fR\|(7) .IP \(bu 4 \&\fBECDSA_sign()\fR, \fBECDSA_sign_ex()\fR, \fBECDSA_sign_setup()\fR, \fBECDSA_do_sign()\fR, \&\fBECDSA_do_sign_ex()\fR, \fBECDSA_verify()\fR, \fBECDSA_do_verify()\fR .Sp -See "Deprecated low-level signing functions". +See "Deprecated low\-level signing functions". .IP \(bu 4 \&\fBECDSA_size()\fR .Sp @@ -1396,7 +1399,7 @@ named curves which OpenSSL has hardcoded lookup tables for. .IP \(bu 4 \&\fBEC_GROUP_new()\fR, \fBEC_GROUP_method_of()\fR, \fBEC_POINT_method_of()\fR .Sp -EC_METHOD is now an internal-only concept and a suitable EC_METHOD is assigned +EC_METHOD is now an internal\-only concept and a suitable EC_METHOD is assigned internally without application intervention. Users of \fBEC_GROUP_new()\fR should switch to a different suitable constructor. .IP \(bu 4 @@ -1406,7 +1409,7 @@ Applications should use \fBEVP_PKEY_can_sign\fR\|(3) instead. .IP \(bu 4 \&\fBEC_KEY_check_key()\fR .Sp -See "Deprecated low-level validation functions" +See "Deprecated low\-level validation functions" .IP \(bu 4 \&\fBEC_KEY_set_flags()\fR, \fBEC_KEY_get_flags()\fR, \fBEC_KEY_clear_flags()\fR .Sp 
@@ -1428,24 +1431,24 @@ There is no replacement. .IP \(bu 4 \&\fBEC_KEY_generate_key()\fR .Sp -See "Deprecated low-level key generation functions". +See "Deprecated low\-level key generation functions". .IP \(bu 4 \&\fBEC_KEY_get0_group()\fR, \fBEC_KEY_get0_private_key()\fR, \fBEC_KEY_get0_public_key()\fR, \&\fBEC_KEY_get_conv_form()\fR, \fBEC_KEY_get_enc_flags()\fR .Sp -See "Deprecated low-level key parameter getters". +See "Deprecated low\-level key parameter getters". .IP \(bu 4 \&\fBEC_KEY_get0_engine()\fR, \fBEC_KEY_get_default_method()\fR, \fBEC_KEY_get_method()\fR, \&\fBEC_KEY_new_method()\fR, \fBEC_KEY_get_ex_data()\fR, \fBEC_KEY_OpenSSL()\fR, \&\fBEC_KEY_set_ex_data()\fR, \fBEC_KEY_set_default_method()\fR, EC_KEY_METHOD_*(), \&\fBEC_KEY_set_method()\fR .Sp -See "Providers are a replacement for engines and low-level method overrides" +See "Providers are a replacement for engines and low\-level method overrides" .IP \(bu 4 \&\fBEC_METHOD_get_field_type()\fR .Sp Use \fBEC_GROUP_get_field_type\fR\|(3) instead. -See "Providers are a replacement for engines and low-level method overrides" +See "Providers are a replacement for engines and low\-level method overrides" .IP \(bu 4 \&\fBEC_KEY_key2buf()\fR, \fBEC_KEY_oct2key()\fR, \fBEC_KEY_oct2priv()\fR, \fBEC_KEY_priv2buf()\fR, \&\fBEC_KEY_priv2oct()\fR 
@@ -1454,30 +1457,30 @@ There are no replacements for these. .IP \(bu 4 \&\fBEC_KEY_new()\fR, \fBEC_KEY_new_by_curve_name()\fR, \fBEC_KEY_free()\fR, \fBEC_KEY_up_ref()\fR .Sp -See "Deprecated low-level object creation" +See "Deprecated low\-level object creation" .IP \(bu 4 \&\fBEC_KEY_print()\fR, \fBEC_KEY_print_fp()\fR .Sp -See "Deprecated low-level key printing functions" +See "Deprecated low\-level key printing functions" .IP \(bu 4 \&\fBEC_KEY_set_asn1_flag()\fR, \fBEC_KEY_set_conv_form()\fR, \fBEC_KEY_set_enc_flags()\fR .Sp -See "Deprecated low-level key parameter setters". +See "Deprecated low\-level key parameter setters". .IP \(bu 4 \&\fBEC_KEY_set_group()\fR, \fBEC_KEY_set_private_key()\fR, \fBEC_KEY_set_public_key()\fR, \&\fBEC_KEY_set_public_key_affine_coordinates()\fR .Sp -See "Deprecated low-level key parameter setters". +See "Deprecated low\-level key parameter setters". .IP \(bu 4 \&\fBECParameters_print()\fR, \fBECParameters_print_fp()\fR, \fBECPKParameters_print()\fR, \&\fBECPKParameters_print_fp()\fR .Sp -See "Deprecated low-level key printing functions" +See "Deprecated low\-level key printing functions" .IP \(bu 4 \&\fBEC_POINT_bn2point()\fR, \fBEC_POINT_point2bn()\fR .Sp These functions were not particularly useful, since EC point serialization -formats are not individual big-endian integers. +formats are not individual big\-endian integers. .IP \(bu 4 \&\fBEC_POINT_get_affine_coordinates_GF2m()\fR, \fBEC_POINT_get_affine_coordinates_GFp()\fR, \&\fBEC_POINT_set_affine_coordinates_GF2m()\fR, \fBEC_POINT_set_affine_coordinates_GFp()\fR 
@@ -1508,7 +1511,7 @@ This function is not widely used. Applications should instead use the \&\fBENGINE_*()\fR .Sp All engine functions are deprecated. An engine should be rewritten as a provider. -See "Providers are a replacement for engines and low-level method overrides". +See "Providers are a replacement for engines and low\-level method overrides". .IP \(bu 4 \&\fBERR_load_*()\fR, \fBERR_func_error_string()\fR, \fBERR_get_error_line()\fR, \&\fBERR_get_error_line_data()\fR, \fBERR_get_state()\fR @@ -1534,7 +1537,7 @@ See \fBEVP_CIPHER_CTX_get_original_iv\fR\|(3) for further information. \&\fBEVP_CIPHER_meth_*()\fR, \fBEVP_MD_CTX_set_update_fn()\fR, \fBEVP_MD_CTX_update_fn()\fR, \&\fBEVP_MD_meth_*()\fR .Sp -See "Providers are a replacement for engines and low-level method overrides". +See "Providers are a replacement for engines and low\-level method overrides". .IP \(bu 4 \&\fBEVP_PKEY_CTRL_PKCS7_ENCRYPT()\fR, \fBEVP_PKEY_CTRL_PKCS7_DECRYPT()\fR, \&\fBEVP_PKEY_CTRL_PKCS7_SIGN()\fR, \fBEVP_PKEY_CTRL_CMS_ENCRYPT()\fR, @@ -1546,7 +1549,7 @@ when the operation is initialized. .IP \(bu 4 \&\fBEVP_PKEY_CTX_get0_dh_kdf_ukm()\fR, \fBEVP_PKEY_CTX_get0_ecdh_kdf_ukm()\fR .Sp -See the "kdf-ukm" item in "DH key exchange parameters" in \fBEVP_KEYEXCH\-DH\fR\|(7) and +See the "kdf\-ukm" item in "DH key exchange parameters" in \fBEVP_KEYEXCH\-DH\fR\|(7) and "ECDH Key Exchange parameters" in \fBEVP_KEYEXCH\-ECDH\fR\|(7). These functions are obsolete and should not be required. .IP \(bu 4 
@@ -1576,16 +1579,16 @@ See "Functions that return an internal key should be treated as read only". .IP \(bu 4 \&\fBEVP_PKEY_meth_*()\fR .Sp -See "Providers are a replacement for engines and low-level method overrides". +See "Providers are a replacement for engines and low\-level method overrides". .IP \(bu 4 \&\fBEVP_PKEY_new_CMAC_key()\fR .Sp -See "Deprecated low-level MAC functions". +See "Deprecated low\-level MAC functions". .IP \(bu 4 \&\fBEVP_PKEY_assign()\fR, \fBEVP_PKEY_set1_DH()\fR, \fBEVP_PKEY_set1_DSA()\fR, \&\fBEVP_PKEY_set1_EC_KEY()\fR, \fBEVP_PKEY_set1_RSA()\fR .Sp -See "Deprecated low-level key object getters and setters" +See "Deprecated low\-level key object getters and setters" .IP \(bu 4 \&\fBEVP_PKEY_set1_tls_encodedpoint()\fR \fBEVP_PKEY_get1_tls_encodedpoint()\fR .Sp @@ -1598,7 +1601,7 @@ new functions. .IP \(bu 4 \&\fBEVP_PKEY_set1_engine()\fR, \fBEVP_PKEY_get0_engine()\fR .Sp -See "Providers are a replacement for engines and low-level method overrides". +See "Providers are a replacement for engines and low\-level method overrides". .IP \(bu 4 \&\fBEVP_PKEY_set_alias_type()\fR .Sp 
@@ -1607,49 +1610,49 @@ See "\fBEVP_PKEY_set_alias_type()\fR method has been removed" .IP \(bu 4 \&\fBHMAC_Init_ex()\fR, \fBHMAC_Update()\fR, \fBHMAC_Final()\fR, \fBHMAC_size()\fR .Sp -See "Deprecated low-level MAC functions". +See "Deprecated low\-level MAC functions". .IP \(bu 4 \&\fBHMAC_CTX_new()\fR, \fBHMAC_CTX_free()\fR, \fBHMAC_CTX_copy()\fR, \fBHMAC_CTX_reset()\fR, \&\fBHMAC_CTX_set_flags()\fR, \fBHMAC_CTX_get_md()\fR .Sp -See "Deprecated low-level MAC functions". +See "Deprecated low\-level MAC functions". .IP \(bu 4 \&\fBi2d_DHparams()\fR, \fBi2d_DHxparams()\fR .Sp -See "Deprecated low-level key reading and writing functions" +See "Deprecated low\-level key reading and writing functions" and "Migration" in \fBd2i_RSAPrivateKey\fR\|(3) .IP \(bu 4 \&\fBi2d_DSAparams()\fR, \fBi2d_DSAPrivateKey()\fR, \fBi2d_DSAPrivateKey_bio()\fR, \&\fBi2d_DSAPrivateKey_fp()\fR, \fBi2d_DSA_PUBKEY()\fR, \fBi2d_DSA_PUBKEY_bio()\fR, \&\fBi2d_DSA_PUBKEY_fp()\fR, \fBi2d_DSAPublicKey()\fR .Sp -See "Deprecated low-level key reading and writing functions" +See "Deprecated low\-level key reading and writing functions" and "Migration" in \fBd2i_RSAPrivateKey\fR\|(3) .IP \(bu 4 \&\fBi2d_ECParameters()\fR, \fBi2d_ECPrivateKey()\fR, \fBi2d_ECPrivateKey_bio()\fR, \&\fBi2d_ECPrivateKey_fp()\fR, \fBi2d_EC_PUBKEY()\fR, \fBi2d_EC_PUBKEY_bio()\fR, \&\fBi2d_EC_PUBKEY_fp()\fR .Sp -See "Deprecated low-level key reading and writing functions" +See "Deprecated low\-level key reading and writing functions" and "Migration" in \fBd2i_RSAPrivateKey\fR\|(3) .IP \(bu 4 \&\fBi2o_ECPublicKey()\fR .Sp Use \fBEVP_PKEY_get1_encoded_public_key\fR\|(3). 
-See "Deprecated low-level key parameter getters" +See "Deprecated low\-level key parameter getters" .IP \(bu 4 \&\fBi2d_RSAPrivateKey()\fR, \fBi2d_RSAPrivateKey_bio()\fR, \fBi2d_RSAPrivateKey_fp()\fR, \&\fBi2d_RSA_PUBKEY()\fR, \fBi2d_RSA_PUBKEY_bio()\fR, \fBi2d_RSA_PUBKEY_fp()\fR, \&\fBi2d_RSAPublicKey()\fR, \fBi2d_RSAPublicKey_bio()\fR, \fBi2d_RSAPublicKey_fp()\fR .Sp -See "Deprecated low-level key reading and writing functions" +See "Deprecated low\-level key reading and writing functions" and "Migration" in \fBd2i_RSAPrivateKey\fR\|(3) .IP \(bu 4 \&\fBIDEA_encrypt()\fR, \fBIDEA_set_decrypt_key()\fR, \fBIDEA_set_encrypt_key()\fR, \&\fBIDEA_cbc_encrypt()\fR, \fBIDEA_cfb64_encrypt()\fR, \fBIDEA_ecb_encrypt()\fR, \&\fBIDEA_ofb64_encrypt()\fR .Sp -See "Deprecated low-level encryption functions". +See "Deprecated low\-level encryption functions". IDEA has been moved to the Legacy Provider. .IP \(bu 4 \&\fBIDEA_options()\fR @@ -1658,7 +1661,7 @@ There is no replacement. This function returned a constant string. .IP \(bu 4 \&\fBMD2()\fR, \fBMD2_Init()\fR, \fBMD2_Update()\fR, \fBMD2_Final()\fR .Sp -See "Deprecated low-level encryption functions". +See "Deprecated low\-level encryption functions". MD2 has been moved to the Legacy Provider. .IP \(bu 4 \&\fBMD2_options()\fR 
@@ -1667,17 +1670,17 @@ There is no replacement. This function returned a constant string. .IP \(bu 4 \&\fBMD4()\fR, \fBMD4_Init()\fR, \fBMD4_Update()\fR, \fBMD4_Final()\fR, \fBMD4_Transform()\fR .Sp -See "Deprecated low-level encryption functions". +See "Deprecated low\-level encryption functions". MD4 has been moved to the Legacy Provider. .IP \(bu 4 \&\fBMDC2()\fR, \fBMDC2_Init()\fR, \fBMDC2_Update()\fR, \fBMDC2_Final()\fR .Sp -See "Deprecated low-level encryption functions". +See "Deprecated low\-level encryption functions". MDC2 has been moved to the Legacy Provider. .IP \(bu 4 \&\fBMD5()\fR, \fBMD5_Init()\fR, \fBMD5_Update()\fR, \fBMD5_Final()\fR, \fBMD5_Transform()\fR .Sp -See "Deprecated low-level encryption functions". +See "Deprecated low\-level encryption functions". .IP \(bu 4 \&\fBNCONF_WIN32()\fR .Sp @@ -1732,11 +1735,11 @@ PEM_read_bio_DSAPrivateKey and \fBPEM_read_bio_DSA_PUBKEY()\fR, \&\fBPEM_write_bio_RSAPrivateKey()\fR, \fBPEM_write_bio_RSA_PUBKEY()\fR, \&\fBPEM_write_bio_RSAPublicKey()\fR, .Sp -See "Deprecated low-level key reading and writing functions" +See "Deprecated low\-level key reading and writing functions" .IP \(bu 4 \&\fBPKCS1_MGF1()\fR .Sp -See "Deprecated low-level encryption functions". +See "Deprecated low\-level encryption functions". .IP \(bu 4 \&\fBRAND_get_rand_method()\fR, \fBRAND_set_rand_method()\fR, \fBRAND_OpenSSL()\fR, \&\fBRAND_set_rand_engine()\fR 
@@ -1751,13 +1754,13 @@ See \fBRAND_set_rand_method\fR\|(3) for more details. \&\fBRC5_32_encrypt()\fR, \fBRC5_32_set_key()\fR, \fBRC5_32_decrypt()\fR, \fBRC5_32_cbc_encrypt()\fR, \&\fBRC5_32_cfb64_encrypt()\fR, \fBRC5_32_ecb_encrypt()\fR, \fBRC5_32_ofb64_encrypt()\fR .Sp -See "Deprecated low-level encryption functions". +See "Deprecated low\-level encryption functions". The Algorithms "RC2", "RC4" and "RC5" have been moved to the Legacy Provider. .IP \(bu 4 \&\fBRIPEMD160()\fR, \fBRIPEMD160_Init()\fR, \fBRIPEMD160_Update()\fR, \fBRIPEMD160_Final()\fR, \&\fBRIPEMD160_Transform()\fR .Sp -See "Deprecated low-level digest functions". +See "Deprecated low\-level digest functions". The RIPE algorithm has been moved to the Legacy Provider. .IP \(bu 4 \&\fBRSA_bits()\fR, \fBRSA_security_bits()\fR, \fBRSA_size()\fR @@ -1767,7 +1770,7 @@ Use \fBEVP_PKEY_get_bits\fR\|(3), \fBEVP_PKEY_get_security_bits\fR\|(3) and .IP \(bu 4 \&\fBRSA_check_key()\fR, \fBRSA_check_key_ex()\fR .Sp -See "Deprecated low-level validation functions" +See "Deprecated low\-level validation functions" .IP \(bu 4 \&\fBRSA_clear_flags()\fR, \fBRSA_flags()\fR, \fBRSA_set_flags()\fR, \fBRSA_test_flags()\fR, \&\fBRSA_setup_blinding()\fR, \fBRSA_blinding_off()\fR, \fBRSA_blinding_on()\fR @@ -1780,11 +1783,11 @@ All of these RSA flags have been deprecated without replacement: .IP \(bu 4 \&\fBRSA_generate_key_ex()\fR, \fBRSA_generate_multi_prime_key()\fR .Sp -See "Deprecated low-level key generation functions". +See "Deprecated low\-level key generation functions". .IP \(bu 4 \&\fBRSA_get0_engine()\fR .Sp -See "Providers are a replacement for engines and low-level method overrides" +See "Providers are a replacement for engines and low\-level method overrides" .IP \(bu 4 \&\fBRSA_get0_crt_params()\fR, \fBRSA_get0_d()\fR, \fBRSA_get0_dmp1()\fR, \fBRSA_get0_dmq1()\fR, \&\fBRSA_get0_e()\fR, \fBRSA_get0_factors()\fR, \fBRSA_get0_iqmp()\fR, \fBRSA_get0_key()\fR, 
@@ -1792,15 +1795,15 @@ See "Providers are a replacement for engines and low-level method overrides" \&\fBRSA_get0_p()\fR, \fBRSA_get0_pss_params()\fR, \fBRSA_get0_q()\fR, \&\fBRSA_get_multi_prime_extra_count()\fR .Sp -See "Deprecated low-level key parameter getters" +See "Deprecated low\-level key parameter getters" .IP \(bu 4 \&\fBRSA_new()\fR, \fBRSA_free()\fR, \fBRSA_up_ref()\fR .Sp -See "Deprecated low-level object creation". +See "Deprecated low\-level object creation". .IP \(bu 4 \&\fBRSA_get_default_method()\fR, RSA_get_ex_data and \fBRSA_get_method()\fR .Sp -See "Providers are a replacement for engines and low-level method overrides". +See "Providers are a replacement for engines and low\-level method overrides". .IP \(bu 4 \&\fBRSA_get_version()\fR .Sp 
@@ -1808,25 +1811,25 @@ There is no replacement. .IP \(bu 4 \&\fBRSA_meth_*()\fR, \fBRSA_new_method()\fR, RSA_null_method and \fBRSA_PKCS1_OpenSSL()\fR .Sp -See "Providers are a replacement for engines and low-level method overrides". +See "Providers are a replacement for engines and low\-level method overrides". .IP \(bu 4 \&\fBRSA_padding_add_*()\fR, \fBRSA_padding_check_*()\fR .Sp -See "Deprecated low-level signing functions" and -"Deprecated low-level encryption functions". +See "Deprecated low\-level signing functions" and +"Deprecated low\-level encryption functions". .IP \(bu 4 \&\fBRSA_print()\fR, \fBRSA_print_fp()\fR .Sp -See "Deprecated low-level key printing functions" +See "Deprecated low\-level key printing functions" .IP \(bu 4 \&\fBRSA_public_encrypt()\fR, \fBRSA_private_decrypt()\fR .Sp -See "Deprecated low-level encryption functions" +See "Deprecated low\-level encryption functions" .IP \(bu 4 \&\fBRSA_private_encrypt()\fR, \fBRSA_public_decrypt()\fR .Sp This is equivalent to doing sign and verify recover operations (with a padding -mode of none). See "Deprecated low-level signing functions". +mode of none). See "Deprecated low\-level signing functions". .IP \(bu 4 \&\fBRSAPrivateKey_dup()\fR, \fBRSAPublicKey_dup()\fR .Sp 
@@ -1834,22 +1837,22 @@ There is no direct replacement. Applications may use \fBEVP_PKEY_dup\fR\|(3). .IP \(bu 4 \&\fBRSAPublicKey_it()\fR, \fBRSAPrivateKey_it()\fR .Sp -See "Deprecated low-level key reading and writing functions" +See "Deprecated low\-level key reading and writing functions" .IP \(bu 4 \&\fBRSA_set0_crt_params()\fR, \fBRSA_set0_factors()\fR, \fBRSA_set0_key()\fR, \&\fBRSA_set0_multi_prime_params()\fR .Sp -See "Deprecated low-level key parameter setters". +See "Deprecated low\-level key parameter setters". .IP \(bu 4 \&\fBRSA_set_default_method()\fR, \fBRSA_set_method()\fR, \fBRSA_set_ex_data()\fR .Sp -See "Providers are a replacement for engines and low-level method overrides" +See "Providers are a replacement for engines and low\-level method overrides" .IP \(bu 4 \&\fBRSA_sign()\fR, \fBRSA_sign_ASN1_OCTET_STRING()\fR, \fBRSA_verify()\fR, \&\fBRSA_verify_ASN1_OCTET_STRING()\fR, \fBRSA_verify_PKCS1_PSS()\fR, \&\fBRSA_verify_PKCS1_PSS_mgf1()\fR .Sp -See "Deprecated low-level signing functions". +See "Deprecated low\-level signing functions". .IP \(bu 4 \&\fBRSA_X931_derive_ex()\fR, \fBRSA_X931_generate_key_ex()\fR, \fBRSA_X931_hash_id()\fR .Sp @@ -1860,7 +1863,7 @@ See \fBOSSL_SIGNATURE_PARAM_PAD_MODE\fR. \&\fBSEED_encrypt()\fR, \fBSEED_decrypt()\fR, \fBSEED_set_key()\fR, \fBSEED_cbc_encrypt()\fR, \&\fBSEED_cfb128_encrypt()\fR, \fBSEED_ecb_encrypt()\fR, \fBSEED_ofb128_encrypt()\fR .Sp -See "Deprecated low-level encryption functions". +See "Deprecated low\-level encryption functions". The SEED algorithm has been moved to the Legacy Provider. .IP \(bu 4 \&\fBSHA1_Init()\fR, \fBSHA1_Update()\fR, \fBSHA1_Final()\fR, \fBSHA1_Transform()\fR, 
@@ -1869,7 +1872,7 @@ The SEED algorithm has been moved to the Legacy Provider. \&\fBSHA384_Init()\fR, \fBSHA384_Update()\fR, \fBSHA384_Final()\fR, \&\fBSHA512_Init()\fR, \fBSHA512_Update()\fR, \fBSHA512_Final()\fR, \fBSHA512_Transform()\fR .Sp -See "Deprecated low-level digest functions". +See "Deprecated low\-level digest functions". .IP \(bu 4 \&\fBSRP_Calc_A()\fR, \fBSRP_Calc_B()\fR, \fBSRP_Calc_client_key()\fR, \fBSRP_Calc_server_key()\fR, \&\fBSRP_Calc_u()\fR, \fBSRP_Calc_x()\fR, \fBSRP_check_known_gN_param()\fR, \fBSRP_create_verifier()\fR, @@ -1883,14 +1886,14 @@ There are no replacements for the SRP functions. \&\fBSSL_CTX_set_tmp_dh_callback()\fR, \fBSSL_set_tmp_dh_callback()\fR, \&\fBSSL_CTX_set_tmp_dh()\fR, \fBSSL_set_tmp_dh()\fR .Sp -These are used to set the Diffie-Hellman (DH) parameters that are to be used by +These are used to set the Diffie\-Hellman (DH) parameters that are to be used by servers requiring ephemeral DH keys. Instead applications should consider using -the built-in DH parameters that are available by calling \fBSSL_CTX_set_dh_auto\fR\|(3) +the built\-in DH parameters that are available by calling \fBSSL_CTX_set_dh_auto\fR\|(3) or \fBSSL_set_dh_auto\fR\|(3). If custom parameters are necessary then applications can use the alternative functions \fBSSL_CTX_set0_tmp_dh_pkey\fR\|(3) and \&\fBSSL_set0_tmp_dh_pkey\fR\|(3). There is no direct replacement for the "callback" functions. The callback was originally useful in order to have different -parameters for export and non-export ciphersuites. Export ciphersuites are no +parameters for export and non\-export ciphersuites. Export ciphersuites are no longer supported by OpenSSL. Use of the callback functions should be replaced by one of the other methods described above. .IP \(bu 4 
@@ -1901,7 +1904,7 @@ Use the new \fBSSL_CTX_set_tlsext_ticket_key_evp_cb\fR\|(3) function instead. \&\fBWHIRLPOOL()\fR, \fBWHIRLPOOL_Init()\fR, \fBWHIRLPOOL_Update()\fR, \fBWHIRLPOOL_Final()\fR, \&\fBWHIRLPOOL_BitUpdate()\fR .Sp -See "Deprecated low-level digest functions". +See "Deprecated low\-level digest functions". The Whirlpool algorithm has been moved to the Legacy Provider. .IP \(bu 4 \&\fBX509_certificate_type()\fR @@ -1944,8 +1947,8 @@ See \fBfips_module\fR\|(7) and \fBOSSL_PROVIDER\-FIPS\fR\|(7) for details. .IX Subsection "Added options" .PP \&\fB\-provider_path\fR and \fB\-provider\fR are available to all apps and can be used -multiple times to load any providers, such as the 'legacy' provider or third -party providers. If used then the 'default' provider would also need to be +multiple times to load any providers, such as the \*(Aqlegacy\*(Aq provider or third +party providers. If used then the \*(Aqdefault\*(Aq provider would also need to be specified if required. The \fB\-provider_path\fR must be specified before the \&\fB\-provider\fR option. .PP 
@@ -1970,16 +1973,16 @@ The \fB\-c\fR option used by \fBopenssl x509\fR, \fBopenssl dhparam\fR, The output of Command line applications may have minor changes. These are primarily changes in capitalisation and white space. However, in some cases, there are additional differences. -For example, the DH parameters output from \fBopenssl dhparam\fR now lists 'P', -\&'Q', 'G' and 'pcounter' instead of 'prime', 'generator', 'subgroup order' and -\&'counter' respectively. +For example, the DH parameters output from \fBopenssl dhparam\fR now lists \*(AqP\*(Aq, +\&\*(AqQ\*(Aq, \*(AqG\*(Aq and \*(Aqpcounter\*(Aq instead of \*(Aqprime\*(Aq, \*(Aqgenerator\*(Aq, \*(Aqsubgroup order\*(Aq and +\&\*(Aqcounter\*(Aq respectively. .PP The \fBopenssl\fR commands that read keys, certificates, and CRLs now automatically detect the PEM or DER format of the input files so it is not necessary to explicitly specify the input format anymore. However if the input format option is used the specified format will be required. .PP -\&\fBopenssl speed\fR no longer uses low-level API calls. +\&\fBopenssl speed\fR no longer uses low\-level API calls. This implies some of the performance numbers might not be comparable with the previous releases due to higher overhead. This applies particularly to measuring performance on smaller data chunks. @@ -2036,7 +2039,7 @@ internal buffers after delivering them to the application. Note, the application is still responsible for cleansing other copies (e.g.: data received by \fBSSL_read\fR\|(3)). .IP \(bu 4 -Client-initiated renegotiation is disabled by default. +Client\-initiated renegotiation is disabled by default. .Sp To allow it, use the \fB\-client_renegotiation\fR option, the \fBSSL_OP_ALLOW_CLIENT_RENEGOTIATION\fR flag, or the \f(CW\*(C`ClientRenegotiation\*(C'\fR 
@@ -2050,12 +2053,12 @@ to connect to legacy peers will need to explicitly set SSL_OP_LEGACY_SERVER_CONNECT. Accordingly, SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL. .IP \(bu 4 -Combining the Configure options no-ec and no-dh no longer disables TLSv1.3 +Combining the Configure options no\-ec and no\-dh no longer disables TLSv1.3 .Sp Typically if OpenSSL has no EC or DH algorithms then it cannot support connections with TLSv1.3. However OpenSSL now supports "pluggable" groups through providers. Therefore third party providers may supply group -implementations even where there are no built-in ones. Attempting to create +implementations even where there are no built\-in ones. Attempting to create TLS connections in such a build without also disabling TLSv1.3 at run time or using third party provider groups may result in handshake failures. TLSv1.3 can be disabled at compile time using the "no\-tls1_3" Configure option. diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-quic-client-block.7 b/secure/lib/libcrypto/man/man7/ossl-guide-quic-client-block.7 index 0a58176e335f..94e889552870 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-quic-client-block.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-quic-client-block.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-QUIC-CLIENT-BLOCK 7ossl" -.TH OSSL-GUIDE-QUIC-CLIENT-BLOCK 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-QUIC-CLIENT-BLOCK 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -68,7 +71,7 @@ ossl\-guide\-quic\-client\-block This page will present various source code samples demonstrating how to write a simple blocking QUIC client application which connects to a server, sends an HTTP/1.0 request to it, and reads back the response. Note that HTTP/1.0 over -QUIC is non-standard and will not be supported by real world servers. This is +QUIC is non\-standard and will not be supported by real world servers. This is for demonstration purposes only. .PP We assume that you already have OpenSSL installed on your system; that you @@ -84,7 +87,7 @@ this one will be discussed so we also assume that you have run through and understand that tutorial. .PP For this tutorial our client will be using a single QUIC stream. A subsequent -tutorial will discuss how to write a multi-stream client (see +tutorial will discuss how to write a multi\-stream client (see \&\fBossl\-guide\-quic\-multi\-stream\fR\|(7)). .PP The complete source code for this example blocking QUIC client is available in 
@@ -240,14 +243,14 @@ Note the use of \fBBIO_s_datagram\fR\|(3) here as opposed to \fBBIO_s_socket\fR\ we used for our TLS client. This is again due to the fact that QUIC uses UDP instead of TCP for its transport layer. See \fBBIO_new\fR\|(3), \fBBIO_s_datagram\fR\|(3) and \fBBIO_set_fd\fR\|(3) for further information on these functions. -.SS "Setting the server's hostname" +.SS "Setting the server\*(Aqs hostname" .IX Subsection "Setting the server's hostname" -As in the TLS tutorial we need to set the server's hostname both for SNI (Server +As in the TLS tutorial we need to set the server\*(Aqs hostname both for SNI (Server Name Indication) and for certificate validation purposes. The steps for this are -identical to the TLS tutorial and won't be repeated here. +identical to the TLS tutorial and won\*(Aqt be repeated here. .SS "Setting the ALPN" .IX Subsection "Setting the ALPN" -ALPN (Application-Layer Protocol Negotiation) is a feature of TLS that enables +ALPN (Application\-Layer Protocol Negotiation) is a feature of TLS that enables the application to negotiate which protocol will be used over the connection. For example, if you intend to use HTTP/3 over the connection then the ALPN value for that is "h3" (see @@ -297,7 +300,7 @@ Note that we will need to free the \fBpeer_addr\fR value that we allocated via .IX Subsection "The handshake and application data transfer" Once initial setup of the \fBSSL\fR object is complete then we perform the handshake via \fBSSL_connect\fR\|(3) in exactly the same way as we did for the TLS -client, so we won't repeat it here. +client, so we won\*(Aqt repeat it here. .PP We can also perform data transfer using a default QUIC stream that is automatically associated with the \fBSSL\fR object for us. We can transmit data diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-quic-client-non-block.7 b/secure/lib/libcrypto/man/man7/ossl-guide-quic-client-non-block.7 index 12675ed4e025..5b0c7d92dac3 100644 
--- a/secure/lib/libcrypto/man/man7/ossl-guide-quic-client-non-block.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-quic-client-non-block.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-QUIC-CLIENT-NON-BLOCK 7ossl" -.TH OSSL-GUIDE-QUIC-CLIENT-NON-BLOCK 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-QUIC-CLIENT-NON-BLOCK 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -90,7 +93,7 @@ operations on some other connection or stream. .PP We will see later in this tutorial how to change the \fBSSL\fR object so that it has nonblocking behaviour. With a nonblocking \fBSSL\fR object, functions such as -\&\fBSSL_read_ex\fR\|(3) or \fBSSL_write_ex\fR\|(3) will return immediately with a non-fatal +\&\fBSSL_read_ex\fR\|(3) or \fBSSL_write_ex\fR\|(3) will return immediately with a non\-fatal error if they are currently unable to read or write respectively. .PP Since this page is building on the example developed on the 
@@ -219,7 +222,7 @@ A QUIC application that has been configured for nonblocking behaviour will need to be prepared to handle errors returned from OpenSSL I/O functions such as \&\fBSSL_read_ex\fR\|(3) or \fBSSL_write_ex\fR\|(3). Errors may be fatal for the stream (for example because the stream has been reset or because the underlying connection -has failed), or non-fatal (for example because we are trying to read from the +has failed), or non\-fatal (for example because we are trying to read from the stream but no data has not yet arrived from the peer for that stream). .PP \&\fBSSL_read_ex\fR\|(3) and \fBSSL_write_ex\fR\|(3) will return 0 to indicate an error and 
@@ -227,15 +230,15 @@ stream but no data has not yet arrived from the peer for that stream). an error. \fBSSL_shutdown\fR\|(3) will return a negative value to incidate an error. .PP In the event of an error an application should call \fBSSL_get_error\fR\|(3) to find -out what type of error has occurred. If the error is non-fatal and can be +out what type of error has occurred. If the error is non\-fatal and can be retried then \fBSSL_get_error\fR\|(3) will return \fBSSL_ERROR_WANT_READ\fR or \&\fBSSL_ERROR_WANT_WRITE\fR depending on whether OpenSSL wanted to read to or write from the stream but was unable to. Note that a call to \fBSSL_read_ex\fR\|(3) or \&\fBSSL_read\fR\|(3) can still generate \fBSSL_ERROR_WANT_WRITE\fR. Similarly calls to \&\fBSSL_write_ex\fR\|(3) or \fBSSL_write\fR\|(3) might generate \fBSSL_ERROR_WANT_READ\fR. .PP -Another type of non-fatal error that may occur is \fBSSL_ERROR_ZERO_RETURN\fR. This -indicates an EOF (End-Of-File) which can occur if you attempt to read data from +Another type of non\-fatal error that may occur is \fBSSL_ERROR_ZERO_RETURN\fR. This +indicates an EOF (End\-Of\-File) which can occur if you attempt to read data from an \fBSSL\fR object but the peer has indicated that it will not send any more data on the stream. In this case you may still want to write data to the stream but you will not receive any more data. 
@@ -313,15 +316,15 @@ OpenSSL I/O functions: .PP This function takes as arguments the \fBSSL\fR object that represents the connection, as well as the return code from the I/O function that failed. In -the event of a non-fatal failure, it waits until a retry of the I/O operation +the event of a non\-fatal failure, it waits until a retry of the I/O operation might succeed (by using the \f(CWwait_for_activity()\fR function that we developed -in the previous section). It returns 1 in the event of a non-fatal error +in the previous section). It returns 1 in the event of a non\-fatal error (except EOF), 0 in the event of EOF, or \-1 if a fatal error occurred. .SS "Creating the SSL_CTX and SSL objects" .IX Subsection "Creating the SSL_CTX and SSL objects" In order to connect to a server we must create \fBSSL_CTX\fR and \fBSSL\fR objects for this. Most of the steps to do this are the same as for a blocking client and are -explained on the \fBossl\-guide\-quic\-client\-block\fR\|(7) page. We won't repeat that +explained on the \fBossl\-guide\-quic\-client\-block\fR\|(7) page. We won\*(Aqt repeat that information here. .PP One key difference is that we must put the \fBSSL\fR object into nonblocking mode @@ -366,7 +369,7 @@ this we must use \fBOSSL_QUIC_client_thread_method\fR\|(3) when we construct the As in the demo for a blocking QUIC client we use the \fBSSL_connect\fR\|(3) function to perform the handshake with the server. Since we are using a nonblocking \&\fBSSL\fR object it is very likely that calls to this function will fail with a -non-fatal error while we are waiting for the server to respond to our handshake +non\-fatal error while we are waiting for the server to respond to our handshake messages. In such a case we must retry the same \fBSSL_connect\fR\|(3) call at a later time. In this demo we do this in a loop: .PP 
@@ -388,7 +391,7 @@ this stage, so such a response is treated in the same way as a fatal error. .IX Subsection "Sending and receiving data" As with the blocking QUIC client demo we use the \fBSSL_write_ex\fR\|(3) function to send data to the server. As with \fBSSL_connect\fR\|(3) above, because we are using -a nonblocking \fBSSL\fR object, this call could fail with a non-fatal error. In +a nonblocking \fBSSL\fR object, this call could fail with a non\-fatal error. In that case we should retry exactly the same \fBSSL_write_ex\fR\|(3) call again. Note that the parameters must be \fIexactly\fR the same, i.e. the same pointer to the buffer to write with the same length. You must not attempt to send different @@ -471,7 +474,7 @@ The main difference this time is that it is valid for us to receive an EOF response when trying to read data from the server. This will occur when the server closes down the connection after sending all the data in its response. .PP -In this demo we just print out all the data we've received back in the response +In this demo we just print out all the data we\*(Aqve received back in the response from the server. We continue going around the loop until we either encounter a fatal error, or we receive an EOF (indicating a graceful finish). .SS "Shutting down the connection" 
@@ -507,12 +510,12 @@ this: .IX Subsection "Final clean up" As with the blocking QUIC client example, once our connection is finished with we must free it. The steps to do this for this example are the same as for the -blocking example, so we won't repeat it here. +blocking example, so we won\*(Aqt repeat it here. .SH "FURTHER READING" .IX Header "FURTHER READING" See \fBossl\-guide\-quic\-client\-block\fR\|(7) to read a tutorial on how to write a blocking QUIC client. See \fBossl\-guide\-quic\-multi\-stream\fR\|(7) to see how to write -a multi-stream QUIC client. +a multi\-stream QUIC client. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBossl\-guide\-introduction\fR\|(7), \fBossl\-guide\-libraries\-introduction\fR\|(7), diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-quic-introduction.7 b/secure/lib/libcrypto/man/man7/ossl-guide-quic-introduction.7 index 42debcd957f4..365c5fff348a 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-quic-introduction.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-quic-introduction.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-QUIC-INTRODUCTION 7ossl" -.TH OSSL-GUIDE-QUIC-INTRODUCTION 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-QUIC-INTRODUCTION 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -87,19 +90,19 @@ allowing application protocols built on QUIC to create arbitrarily many bytestreams for communication between a client and server. This allows an application protocol to avoid problems where one packet of data is held up waiting on another packet being delivered (commonly referred to as -"head-of-line blocking"). It also enables an application to open additional -logical streams without requiring a round-trip exchange of packets between the +"head\-of\-line blocking"). It also enables an application to open additional +logical streams without requiring a round\-trip exchange of packets between the client and server as is required when opening an additional TLS/TCP connection. .IP HTTP/3 4 .IX Item "HTTP/3" Since QUIC is the basis of HTTP/3, support for QUIC also enables applications -to use HTTP/3 using a suitable third-party library. +to use HTTP/3 using a suitable third\-party library. .IP "Fast connection initiation" 4 .IX Item "Fast connection initiation" Future versions of OpenSSL will offer support for 0\-RTT connection initiation, allowing a connection to be initiated to a server and application data to be -transmitted without any waiting time. This is similar to TLS 1.3's 0\-RTT +transmitted without any waiting time. This is similar to TLS 1.3\*(Aqs 0\-RTT functionality but also avoids the round trip needed to open a TCP socket; thus, it is similar to a combination of TLS 1.3 0\-RTT and TCP Fast Open. .IP "Connection migration" 4 
@@ -109,10 +112,10 @@ connections to seamlessly survive IP address changes. .IP "Datagram based use cases" 4 .IX Item "Datagram based use cases" Future versions of OpenSSL will offer support for the QUIC datagram extension, -allowing support for both TLS and DTLS-style use cases on a single connection. +allowing support for both TLS and DTLS\-style use cases on a single connection. .IP "Implemented as application library" 4 .IX Item "Implemented as application library" -Because most QUIC implementations, including OpenSSL's implementation, are +Because most QUIC implementations, including OpenSSL\*(Aqs implementation, are implemented as an application library rather than by an operating system, an application can gain the benefit of QUIC without needing to wait for an OS update to be deployed. Future evolutions and enhancements to the QUIC protocol @@ -120,8 +123,8 @@ can be delivered as quickly as an application can be updated without dependency on an OS update cadence. .IP "Multiplexing over a single UDP socket" 4 .IX Item "Multiplexing over a single UDP socket" -Because QUIC is UDP-based, it is possible to multiplex a QUIC connection on the -same UDP socket as some other UDP-based protocols, such as RTP. +Because QUIC is UDP\-based, it is possible to multiplex a QUIC connection on the +same UDP socket as some other UDP\-based protocols, such as RTP. .SH "QUIC TIME BASED EVENTS" .IX Header "QUIC TIME BASED EVENTS" A key difference between the TLS implementation and the QUIC implementation in 
@@ -169,8 +172,8 @@ QUIC introduces the concept of "streams". A stream provides a reliable mechanism for sending and receiving application data between the endpoints. The bytes transmitted are guaranteed to be received in the same order they were sent without any loss of data or reordering of the bytes. A TLS application -effectively has one bi-directional stream available to it per TLS connection. A -QUIC application can have multiple uni-directional or bi-directional streams +effectively has one bi\-directional stream available to it per TLS connection. A +QUIC application can have multiple uni\-directional or bi\-directional streams available to it for each connection. .PP In OpenSSL an \fBSSL\fR object is used to represent both connections and streams. @@ -192,7 +195,7 @@ TLS assumes "stream" type semantics for its underlying transport layer protocol by using UDP. An OpenSSL application using QUIC is responsible for creating a BIO to represent the underlying transport layer. This BIO must support datagrams and is typically \fBBIO_s_datagram\fR\|(3), but other \fBBIO\fR choices are available. -See \fBbio\fR\|(7) for an introduction to OpenSSL's \fBBIO\fR concept. +See \fBbio\fR\|(7) for an introduction to OpenSSL\*(Aqs \fBBIO\fR concept. .PP A significant difference between OpenSSL TLS applications and OpenSSL QUIC applications is the way that blocking is implemented. In TLS if your application 
@@ -202,7 +205,7 @@ underlying socket is configured to be nonblocking. .PP With an OpenSSL QUIC application the underlying socket must always be configured to be nonblocking. Howevever the \fBSSL\fR object will, by default, still operate -in blocking mode. So, from an application's perspective, calls to functions such +in blocking mode. So, from an application\*(Aqs perspective, calls to functions such as \fBSSL_read_ex\fR\|(3), \fBSSL_write_ex\fR\|(3) and other I/O functions will still block. OpenSSL itself provides that blocking capability for QUIC instead of the socket. If nonblocking behaviour is desired then the application must call diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-quic-multi-stream.7 b/secure/lib/libcrypto/man/man7/ossl-guide-quic-multi-stream.7 index bd22fe37d47c..538719fdad87 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-quic-multi-stream.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-quic-multi-stream.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-QUIC-MULTI-STREAM 7ossl" -.TH OSSL-GUIDE-QUIC-MULTI-STREAM 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-QUIC-MULTI-STREAM 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -66,12 +69,12 @@ ossl\-guide\-quic\-multi\-stream .SH INTRODUCTION .IX Header "INTRODUCTION" This page will introduce some important concepts required to write a simple -QUIC multi-stream application. It assumes a basic understanding of QUIC and how +QUIC multi\-stream application. It assumes a basic understanding of QUIC and how it is used in OpenSSL. See \fBossl\-guide\-quic\-introduction\fR\|(7) and \&\fBossl\-guide\-quic\-client\-block\fR\|(7). .SH "QUIC STREAMS" .IX Header "QUIC STREAMS" -In a QUIC multi-stream application we separate out the concepts of a QUIC +In a QUIC multi\-stream application we separate out the concepts of a QUIC "connection" and a QUIC "stream". A connection object represents the overarching details of the connection between a client and a server including all its negotiated and configured parameters. We use the \fBSSL\fR object for that in an 
@@ -110,15 +113,15 @@ created and associated with the \fBSSL\fR object when the application calls passes the connection \fBSSL\fR object as a parameter. .PP If a client application calls \fBSSL_write_ex\fR\|(3) or \fBSSL_write\fR\|(3) first then -(by default) the default stream will be a client-initiated bi-directional +(by default) the default stream will be a client\-initiated bi\-directional stream. If a client application calls \fBSSL_read_ex\fR\|(3) or \fBSSL_read\fR\|(3) first then the first stream initiated by the server will be used as the default -stream (whether it is bi-directional or uni-directional). +stream (whether it is bi\-directional or uni\-directional). .PP This behaviour can be controlled via the default stream mode. See \&\fBSSL_set_default_stream_mode\fR\|(3) for further details. .PP -It is recommended that new multi-stream applications should not use a default +It is recommended that new multi\-stream applications should not use a default stream at all and instead should use a separate stream \fBSSL\fR object for each stream that is used. This requires calling \fBSSL_set_default_stream_mode\fR\|(3) and setting the mode to \fBSSL_DEFAULT_STREAM_MODE_NONE\fR. @@ -127,7 +130,7 @@ and setting the mode to \fBSSL_DEFAULT_STREAM_MODE_NONE\fR. An endpoint can create a new stream by calling \fBSSL_new_stream\fR\|(3). This creates a locally initiated stream. In order to do so you must pass the QUIC connection \fBSSL\fR object as a parameter. You can also specify whether you want a -bi-directional or a uni-directional stream. +bi\-directional or a uni\-directional stream. .PP The function returns a new QUIC stream \fBSSL\fR object for sending and receiving data on that stream. 
@@ -147,8 +150,8 @@ accepted. To override this behaviour you must call is not relevant if the default stream has been disabled as described in "THE DEFAULT STREAM" above. .PP -Any stream may be bi-directional or uni-directional. If it is uni-directional -then the initiator can write to it but not read from it, and vice-versa for the +Any stream may be bi\-directional or uni\-directional. If it is uni\-directional +then the initiator can write to it but not read from it, and vice\-versa for the peer. You can determine what type of stream an \fBSSL\fR object represents by calling \fBSSL_get_stream_type\fR\|(3). See the man page for further details. .SH "USING A STREAM TO SEND AND RECEIVE DATA" @@ -185,14 +188,14 @@ will automatically signal STOP_SENDING to the peer. .SH "STREAMS AND CONNECTIONS" .IX Header "STREAMS AND CONNECTIONS" Given a stream object it is possible to get the \fBSSL\fR object corresponding to -the connection via a call to \fBSSL_get0_connection\fR\|(3). Multi-threaded +the connection via a call to \fBSSL_get0_connection\fR\|(3). Multi\-threaded restrictions apply so care should be taken when using the returned connection object. Specifically, if you are handling each of your stream objects in a different thread and call \fBSSL_get0_connection\fR\|(3) from within that thread then you must be careful to not to call any function that uses the connection object at the same time as one of the other threads is also using that connection object (with the exception of \fBSSL_accept_stream\fR\|(3) and -\&\fBSSL_get_accept_stream_queue_len\fR\|(3) which are thread-safe). +\&\fBSSL_get_accept_stream_queue_len\fR\|(3) which are thread\-safe). .PP A stream object does not inherit all its settings and values from its parent \&\fBSSL\fR connection object. Therefore certain function calls that are relevant to 
@@ -200,30 +203,30 @@ the connection as a whole will not work on a stream. For example the function \&\fBSSL_get_certificate\fR\|(3) can be used to obtain a handle on the peer certificate when called with a connection \fBSSL\fR object. When called with a stream \fBSSL\fR object it will return NULL. -.SH "SIMPLE MULTI-STREAM QUIC CLIENT EXAMPLE" +.SH "SIMPLE MULTI\-STREAM QUIC CLIENT EXAMPLE" .IX Header "SIMPLE MULTI-STREAM QUIC CLIENT EXAMPLE" This section will present various source code samples demonstrating how to write -a simple multi-stream QUIC client application which connects to a server, send +a simple multi\-stream QUIC client application which connects to a server, send some HTTP/1.0 requests to it, and read back the responses. Note that HTTP/1.0 -over QUIC is non-standard and will not be supported by real world servers. This +over QUIC is non\-standard and will not be supported by real world servers. This is for demonstration purposes only. .PP We will build on the example code for the simple blocking QUIC client that is covered on the \fBossl\-guide\-quic\-client\-block\fR\|(7) page and we assume that you are familiar with it. We will only describe the differences between the simple -blocking QUIC client and the multi-stream QUIC client. Although the example code +blocking QUIC client and the multi\-stream QUIC client. Although the example code uses blocking \fBSSL\fR objects, you can equally use nonblocking \fBSSL\fR objects. See \fBossl\-guide\-quic\-client\-non\-block\fR\|(7) for more information about writing a nonblocking QUIC client. .PP -The complete source code for this example multi-stream QUIC client is available +The complete source code for this example multi\-stream QUIC client is available in the \f(CW\*(C`demos/guide\*(C'\fR directory of the OpenSSL source distribution in the file \&\f(CW\*(C`quic\-multi\-stream.c\*(C'\fR. It is also available online at <https://github.com/openssl/openssl/blob/master/demos/guide/quic\-multi\-stream.c>. 
.SS "Disabling the default stream" .IX Subsection "Disabling the default stream" As discussed above in "THE DEFAULT STREAM" we will follow the recommendation -to disable the default stream for our multi-stream client. To do this we call +to disable the default stream for our multi\-stream client. To do this we call the \fBSSL_set_default_stream_mode\fR\|(3) function and pass in our connection \fBSSL\fR object and the value \fBSSL_DEFAULT_STREAM_MODE_NONE\fR. .PP @@ -241,8 +244,8 @@ object and the value \fBSSL_DEFAULT_STREAM_MODE_NONE\fR. .IX Subsection "Creating the request streams" For the purposes of this example we will create two different streams to send two different HTTP requests to the server. For the purposes of demonstration the -first of these will be a bi-directional stream and the second one will be a -uni-directional one: +first of these will be a bi\-directional stream and the second one will be a +uni\-directional one: .PP .Vb 10 \& /* @@ -305,7 +308,7 @@ the requests to each stream simultaneously. .Ve .SS "Reading data from a stream" .IX Subsection "Reading data from a stream" -In this example \fBstream1\fR is a bi-directional stream so, once we have sent the +In this example \fBstream1\fR is a bi\-directional stream so, once we have sent the request on it, we can attempt to read the response from the server back. Here we just repeatedly call \fBSSL_read_ex\fR\|(3) until that function fails (indicating either that there has been a problem, or that the peer has signalled the stream 
@@ -392,7 +395,7 @@ these different cases. .Ve .SS "Accepting an incoming stream" .IX Subsection "Accepting an incoming stream" -Our \fBstream2\fR object that we created above was a uni-directional stream so it +Our \fBstream2\fR object that we created above was a uni\-directional stream so it cannot be used to receive data from the server. In this hypothetical example we assume that the server initiates a new stream to send us back the data that we requested. To do that we call \fBSSL_accept_stream\fR\|(3). Since this is a @@ -420,13 +423,13 @@ return \fBNULL\fR. .Ve .PP We can now read data from the stream in the same way that we did for \fBstream1\fR -above. We won't repeat that here. +above. We won\*(Aqt repeat that here. .SS "Cleaning up the streams" .IX Subsection "Cleaning up the streams" Once we have finished using our streams we can simply free them by calling \&\fBSSL_free\fR\|(3). Optionally we could call \fBSSL_stream_conclude\fR\|(3) on them if -we want to indicate to the peer that we won't be sending them any more data, but -we don't do that in this example because we assume that the HTTP application +we want to indicate to the peer that we won\*(Aqt be sending them any more data, but +we don\*(Aqt do that in this example because we assume that the HTTP application protocol supplies sufficient information for the peer to know when we have finished sending request data. .PP diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-quic-server-block.7 b/secure/lib/libcrypto/man/man7/ossl-guide-quic-server-block.7 index 080671daef73..19355c19c1f5 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-quic-server-block.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-quic-server-block.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-QUIC-SERVER-BLOCK 7ossl" -.TH OSSL-GUIDE-QUIC-SERVER-BLOCK 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-QUIC-SERVER-BLOCK 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -66,11 +69,11 @@ ossl\-guide\-quic\-server\-block .SH "SIMPLE BLOCKING QUIC SERVER EXAMPLE" .IX Header "SIMPLE BLOCKING QUIC SERVER EXAMPLE" This page will present various source code samples demonstrating how to write a -simple, non-concurrent, QUIC "echo" server application which accepts one client +simple, non\-concurrent, QUIC "echo" server application which accepts one client connection at a time, echoing input from the client back to the same client. Once the current client disconnects, the next client connection is accepted. .PP -The server only accepts HTTP/1.0 requests, which is non-standard and will not +The server only accepts HTTP/1.0 requests, which is non\-standard and will not be supported by real world servers. This is for demonstration purposes only. .PP Both the accepting socket and client connections are "blocking". A more typical 
@@ -107,7 +110,7 @@ whenever you are writing a QUIC server. .Ve .PP Servers need a private key and certificate. Intermediate issuer CA -certificates are often required, and both the server (end-entity or EE) +certificates are often required, and both the server (end\-entity or EE) certificate and the issuer ("chain") certificates are most easily configured in a single "chain file". Below we load such a chain file (the EE certificate must appear first), and then load the corresponding private key, checking that @@ -178,7 +181,7 @@ the default handling. \& SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); .Ve .PP -QUIC also dictates using Application-Layer Protocol Negotiation (ALPN) to select +QUIC also dictates using Application\-Layer Protocol Negotiation (ALPN) to select an application protocol. We use \fBSSL_CTX_set_alpn_select_cb\fR\|(3) for this purpose. We can pass a callback which will be called for each connection to select an ALPN the server considers acceptable. @@ -188,7 +191,7 @@ select an ALPN the server considers acceptable. \& SSL_CTX_set_alpn_select_cb(ctx, select_alpn, NULL); .Ve .PP -In this case, we only accept "http/1.0" and "hq-interop". +In this case, we only accept "http/1.0" and "hq\-interop". .PP .Vb 8 \& /* diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-quic-server-non-block.7 b/secure/lib/libcrypto/man/man7/ossl-guide-quic-server-non-block.7 index 81dbaadbb609..c48a6113044e 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-quic-server-non-block.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-quic-server-non-block.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-QUIC-SERVER-NON-BLOCK 7ossl" -.TH OSSL-GUIDE-QUIC-SERVER-NON-BLOCK 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-QUIC-SERVER-NON-BLOCK 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -66,12 +69,12 @@ ossl\-guide\-quic\-server\-non\-block .SH "SIMPLE NONBLOCKING QUIC SERVER EXAMPLE" .IX Header "SIMPLE NONBLOCKING QUIC SERVER EXAMPLE" This page presents various source code samples demonstrating how to write a -simple, non-concurrent, QUIC "echo" server application which accepts one client +simple, non\-concurrent, QUIC "echo" server application which accepts one client connection at a time, echoing input from the client back to the same client. Once the current client disconnects, the next client connection is accepted. .PP -The server only accepts \f(CW\*(C`http/1.0\*(C'\fR and \f(CW\*(C`hq\-interop\*(C'\fR ALPN's and doesn't actually -implement HTTP but only does a simple echo. This is non-standard and will not +The server only accepts \f(CW\*(C`http/1.0\*(C'\fR and \f(CW\*(C`hq\-interop\*(C'\fR ALPN\*(Aqs and doesn\*(Aqt actually +implement HTTP but only does a simple echo. This is non\-standard and will not be supported by real world servers. This is for demonstration purposes only. .PP There are various methods to test this server: \fBquic\-client\-block.c\fR and 
@@ -116,7 +119,7 @@ whenever you are writing a QUIC server. .Ve .PP Servers need a private key and certificate. Intermediate issuer CA -certificates are often required, and both the server (end-entity or EE) +certificates are often required, and both the server (end\-entity or EE) certificate and the issuer ("chain") certificates are most easily configured in a single "chain file". Below we load such a chain file (the EE certificate must appear first), and then load the corresponding private key, checking that @@ -187,7 +190,7 @@ the default handling. \& SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); .Ve .PP -QUIC also dictates using Application-Layer Protocol Negotiation (ALPN) to select +QUIC also dictates using Application\-Layer Protocol Negotiation (ALPN) to select an application protocol. We use \fBSSL_CTX_set_alpn_select_cb\fR\|(3) for this purpose. We can pass a callback which will be called for each connection to select an ALPN the server considers acceptable. @@ -197,7 +200,7 @@ select an ALPN the server considers acceptable. \& SSL_CTX_set_alpn_select_cb(ctx, select_alpn, NULL); .Ve .PP -In this case, we only accept "http/1.0" and "hq-interop". +In this case, we only accept "http/1.0" and "hq\-interop". .PP .Vb 8 \& /* @@ -307,7 +310,7 @@ block until a connection is established. .PP The helper function wait_for_activity uses \fBselect()\fR to block until the file descriptor belonging to the passed SSL object is readable. As mentioned earlier, -a more real-world application would likely use this time to perform other tasks. +a more real\-world application would likely use this time to perform other tasks. .PP .Vb 3 \& /* Initialize the fd_set structure */ diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-block.7 b/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-block.7 index e69bde78c771..edbf9552c28c 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-block.7 
+++ b/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-block.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-TLS-CLIENT-BLOCK 7ossl" -.TH OSSL-GUIDE-TLS-CLIENT-BLOCK 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-TLS-CLIENT-BLOCK 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -73,7 +76,7 @@ We use a blocking socket for the purposes of this example. This means that attempting to read data from a socket that has no data available on it to read will block (and the function will not return), until data becomes available. For example, this can happen if we have sent our request, but we are still -waiting for the server's response. Similarly any attempts to write to a socket +waiting for the server\*(Aqs response. Similarly any attempts to write to a socket that is not able to write at the moment will block until writing is possible. .PP This blocking behaviour simplifies the implementation of a client because you do @@ -116,7 +119,7 @@ client and the server. \& } .Ve .PP -Since we are writing a client we must ensure that we verify the server's +Since we are writing a client we must ensure that we verify the server\*(Aqs certificate. We do this by calling the \fBSSL_CTX_set_verify\fR\|(3) function and pass the \fBSSL_VERIFY_PEER\fR value to it. The final argument to this function is a callback that you can optionally supply to override the default handling 
@@ -183,7 +186,7 @@ function and passing the \fBSSL_CTX\fR we created as an argument. .SS "Creating the socket and BIO" .IX Subsection "Creating the socket and BIO" TLS data is transmitted over an underlying transport layer. Normally a TCP -socket. It is the application's responsibility for ensuring that the socket is +socket. It is the application\*(Aqs responsibility for ensuring that the socket is created and associated with an SSL object (via a BIO). .PP Socket creation for use by a client is typically a 2 step process, i.e. @@ -320,13 +323,13 @@ freed. So, once \fBSSL_set_bio\fR\|(3) has been been called, you should not call .Vb 1 \& SSL_set_bio(ssl, bio, bio); .Ve -.SS "Setting the server's hostname" +.SS "Setting the server\*(Aqs hostname" .IX Subsection "Setting the server's hostname" We have already connected our underlying socket to the server, but the client -still needs to know the server's hostname. It uses this information for 2 key +still needs to know the server\*(Aqs hostname. It uses this information for 2 key purposes and we need to set the hostname for each one. .PP -Firstly, the server's hostname is included in the initial ClientHello message +Firstly, the server\*(Aqs hostname is included in the initial ClientHello message sent by the client. This is known as the Server Name Indication (SNI). This is important because it is common for multiple hostnames to be fronted by a single server that handles requests for all of them. In other words a single server may 
@@ -401,7 +404,7 @@ to concern ourselves with whether the call was successful or not. Anything else indicates that we have failed to connect to the server. .PP A common cause of failures at this stage is due to a problem verifying the -server's certificate. For example if the certificate has expired, or it is not +server\*(Aqs certificate. For example if the certificate has expired, or it is not signed by a CA in our trusted certificate store. We can use the \&\fBSSL_get_verify_result\fR\|(3) function to find out more information about the verification failure. A return value of \fBX509_V_OK\fR indicates that the @@ -470,7 +473,7 @@ server. \& printf("\en"); .Ve .PP -We use the \fBSSL_read_ex\fR\|(3) function to read the response. We don't know +We use the \fBSSL_read_ex\fR\|(3) function to read the response. We don\*(Aqt know exactly how much data we are going to receive back so we enter a loop reading blocks of data from the server and printing each block that we receive to the screen. The loop ends as soon as \fBSSL_read_ex\fR\|(3) returns 0 \- meaning that it 
@@ -603,15 +606,15 @@ See the page \fBossl\-guide\-tls\-introduction\fR\|(7) and check that your trust certificate store is correctly configured .IP "Unrecognised CA" 4 .IX Item "Unrecognised CA" -If the CA used by the server's certificate is not in the trusted certificate +If the CA used by the server\*(Aqs certificate is not in the trusted certificate store for the client then this will cause a verification failure during -connection. Often this can occur if the server is using a self-signed +connection. Often this can occur if the server is using a self\-signed certificate (i.e. a test certificate that has not been signed by a CA at all). .IP "Missing intermediate CAs" 4 .IX Item "Missing intermediate CAs" This is a server misconfiguration where the client has the relevant root CA in its trust store, but the server has not supplied all of the intermediate CA -certificates between that root CA and the server's own certificate. Therefore +certificates between that root CA and the server\*(Aqs own certificate. Therefore a trust chain cannot be established. .IP "Mismatched hostname" 4 .IX Item "Mismatched hostname" @@ -620,10 +623,10 @@ not match the hostname in the certificate then this will cause verification to fail. .IP "Expired certificate" 4 .IX Item "Expired certificate" -The date that the server's certificate is valid to has passed. +The date that the server\*(Aqs certificate is valid to has passed. .PP The "unable to get local issuer certificate" we saw in the example above means -that we have been unable to find the issuer of the server's certificate (or one +that we have been unable to find the issuer of the server\*(Aqs certificate (or one of its intermediate CA certificates) in our trusted certificate store (e.g. because the trusted certificate store is misconfigured, or there are missing intermediate CAs, or the issuer is simply unrecognised). 
diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-non-block.7 b/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-non-block.7 index 93b5453d6af6..d3160ba0d5e1 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-non-block.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-non-block.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-TLS-CLIENT-NON-BLOCK 7ossl" -.TH OSSL-GUIDE-TLS-CLIENT-NON-BLOCK 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-TLS-CLIENT-NON-BLOCK 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -86,7 +89,7 @@ to go and do other tasks whilst the socket is unable to read/write, for example updating a GUI or performing operations on some other socket. .PP With a nonblocking socket attempting to read or write to a socket that is -currently unable to read or write will return immediately with a non-fatal +currently unable to read or write will return immediately with a non\-fatal error. Although OpenSSL does the reading/writing to the socket this nonblocking behaviour is propagated up to the application so that OpenSSL I/O functions such as \fBSSL_read_ex\fR\|(3) or \fBSSL_write_ex\fR\|(3) will not block. 
@@ -109,7 +112,7 @@ Fortunately OpenSSL offers a portable function that will do this for you: \& } .Ve .PP -You do not have to use OpenSSL's function for this. You can of course directly +You do not have to use OpenSSL\*(Aqs function for this. You can of course directly call whatever functions that your Operating System provides for this purpose on your platform. .SS "Performing work while waiting for the socket" @@ -121,7 +124,7 @@ application the opportunity to do something else. Whatever it is that the application has to do, it must also be prepared to come back and retry the operation that it previously attempted periodically to see if it can now complete. Ideally it would only do this in the event that the state of the -underlying socket has actually changed (e.g. become readable where it wasn't +underlying socket has actually changed (e.g. become readable where it wasn\*(Aqt before), but this does not have to be the case. It can retry at any time. .PP Note that it is important that you retry exactly the same operation that you @@ -135,7 +138,7 @@ other work. In fact, for the sake of simplicity, it will do nothing except wait for the state of the socket to change. .PP We call our function \f(CWwait_for_activity()\fR because all it does is wait until -the underlying socket has become readable or writeable when it wasn't before. +the underlying socket has become readable or writeable when it wasn\*(Aqt before. .PP .Vb 4 \& static void wait_for_activity(SSL *ssl, int write) 
@@ -180,14 +183,14 @@ other similar function to do the same thing. \f(CW\*(C`select\*(C'\fR waits for the underlying socket(s) to become readable/writeable before returning. It also supports a "timeout" (as do most other similar functions) so in your own applications you can make use of this to periodically wake up and perform work -while waiting for the socket state to change. But we don't use that timeout +while waiting for the socket state to change. But we don\*(Aqt use that timeout capability in this example for the sake of simplicity. .SS "Handling errors from OpenSSL I/O functions" .IX Subsection "Handling errors from OpenSSL I/O functions" An application that uses a nonblocking socket will need to be prepared to handle errors returned from OpenSSL I/O functions such as \fBSSL_read_ex\fR\|(3) or \&\fBSSL_write_ex\fR\|(3). Errors may be fatal (for example because the underlying -connection has failed), or non-fatal (for example because we are trying to read +connection has failed), or non\-fatal (for example because we are trying to read from the underlying socket but the data has not yet arrived from the peer). .PP \&\fBSSL_read_ex\fR\|(3) and \fBSSL_write_ex\fR\|(3) will return 0 to indicate an error and @@ -195,7 +198,7 @@ from the underlying socket but the data has not yet arrived from the peer). an error. \fBSSL_shutdown\fR\|(3) will return a negative value to incidate an error. .PP In the event of an error an application should call \fBSSL_get_error\fR\|(3) to find -out what type of error has occurred. If the error is non-fatal and can be +out what type of error has occurred. If the error is non\-fatal and can be retried then \fBSSL_get_error\fR\|(3) will return \fBSSL_ERROR_WANT_READ\fR or \&\fBSSL_ERROR_WANT_WRITE\fR depending on whether OpenSSL wanted to read to or write from the socket but was unable to. Note that a call to \fBSSL_read_ex\fR\|(3) or 
@@ -204,8 +207,8 @@ may need to write protocol messages (such as to update cryptographic keys) even if the application is only trying to read data. Similarly calls to \&\fBSSL_write_ex\fR\|(3) or \fBSSL_write\fR\|(3) might generate \fBSSL_ERROR_WANT_READ\fR. .PP -Another type of non-fatal error that may occur is \fBSSL_ERROR_ZERO_RETURN\fR. This -indicates an EOF (End-Of-File) which can occur if you attempt to read data from +Another type of non\-fatal error that may occur is \fBSSL_ERROR_ZERO_RETURN\fR. This +indicates an EOF (End\-Of\-File) which can occur if you attempt to read data from an \fBSSL\fR object but the peer has indicated that it will not send any more data on it. In this case you may still want to write data to the connection but you will not receive any more data. 
@@ -260,21 +263,21 @@ OpenSSL I/O functions: .PP This function takes as arguments the \fBSSL\fR object that represents the connection, as well as the return code from the I/O function that failed. In -the event of a non-fatal failure, it waits until a retry of the I/O operation +the event of a non\-fatal failure, it waits until a retry of the I/O operation might succeed (by using the \f(CWwait_for_activity()\fR function that we developed -in the previous section). It returns 1 in the event of a non-fatal error +in the previous section). It returns 1 in the event of a non\-fatal error (except EOF), 0 in the event of EOF, or \-1 if a fatal error occurred. .SS "Creating the SSL_CTX and SSL objects" .IX Subsection "Creating the SSL_CTX and SSL objects" In order to connect to a server we must create \fBSSL_CTX\fR and \fBSSL\fR objects for this. The steps do this are the same as for a blocking client and are explained -on the \fBossl\-guide\-tls\-client\-block\fR\|(7) page. We won't repeat that information +on the \fBossl\-guide\-tls\-client\-block\fR\|(7) page. We won\*(Aqt repeat that information here. .SS "Performing the handshake" .IX Subsection "Performing the handshake" As in the demo for a blocking TLS client we use the \fBSSL_connect\fR\|(3) function to perform the TLS handshake with the server. Since we are using a nonblocking -socket it is very likely that calls to this function will fail with a non-fatal +socket it is very likely that calls to this function will fail with a non\-fatal error while we are waiting for the server to respond to our handshake messages. In such a case we must retry the same \fBSSL_connect\fR\|(3) call at a later time. In this demo we this in a loop: 
@@ -297,7 +300,7 @@ this stage, so such a response is treated in the same way as a fatal error. .IX Subsection "Sending and receiving data" As with the blocking TLS client demo we use the \fBSSL_write_ex\fR\|(3) function to send data to the server. As with \fBSSL_connect\fR\|(3) above, because we are using -a nonblocking socket, this call could fail with a non-fatal error. In that case +a nonblocking socket, this call could fail with a non\-fatal error. In that case we should retry exactly the same \fBSSL_write_ex\fR\|(3) call again. Note that the parameters must be \fIexactly\fR the same, i.e. the same pointer to the buffer to write with the same length. You must not attempt to send different data on a @@ -373,7 +376,7 @@ The main difference this time is that it is valid for us to receive an EOF response when trying to read data from the server. This will occur when the server closes down the connection after sending all the data in its response. .PP -In this demo we just print out all the data we've received back in the response +In this demo we just print out all the data we\*(Aqve received back in the response from the server. We continue going around the loop until we either encounter a fatal error, or we receive an EOF (indicating a graceful finish). .SS "Shutting down the connection" 
@@ -384,7 +387,7 @@ finished with it. If our application was initiating the shutdown then we would expect to see \&\fBSSL_shutdown\fR\|(3) give a return value of 0, and then we would continue to call it until we received a return value of 1 (meaning we have successfully completed -the shutdown). In this particular example we don't expect \fBSSL_shutdown()\fR to +the shutdown). In this particular example we don\*(Aqt expect \fBSSL_shutdown()\fR to return 0 because we have already received EOF from the server indicating that it has shutdown already. So we just keep calling it until \fBSSL_shutdown()\fR returns 1. Since we are using a nonblocking socket we might expect to have to retry this @@ -414,7 +417,7 @@ must call \fBSSL_get_error\fR\|(3) to work out what to do next. We use our .IX Subsection "Final clean up" As with the blocking TLS client example, once our connection is finished with we must free it. The steps to do this for this example are the same as for the -blocking example, so we won't repeat it here. +blocking example, so we won\*(Aqt repeat it here. .SH "FURTHER READING" .IX Header "FURTHER READING" See \fBossl\-guide\-tls\-client\-block\fR\|(7) to read a tutorial on how to write a diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-tls-introduction.7 b/secure/lib/libcrypto/man/man7/ossl-guide-tls-introduction.7 index 3c3000ea0020..67057790a36d 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-tls-introduction.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-tls-introduction.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-TLS-INTRODUCTION 7ossl" -.TH OSSL-GUIDE-TLS-INTRODUCTION 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-TLS-INTRODUCTION 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -78,7 +81,7 @@ the information exchanged to prevent an attacker from changing it. Finally it provides authentication so that one or both parties can be sure that they are talking to who they think they are talking to and not some imposter. .PP -Sometimes TLS is referred to by its predecessor's name SSL (Secure Sockets +Sometimes TLS is referred to by its predecessor\*(Aqs name SSL (Secure Sockets Layer). OpenSSL dates from a time when the SSL name was still in common use and hence many of the functions and names used by OpenSSL contain the "SSL" abbreviation. Nonetheless OpenSSL contains a fully fledged TLS implementation. @@ -120,7 +123,7 @@ susceptible to security problems. OpenSSL does not support SSLv2 (it was removed in OpenSSL 1.1.0). Support for SSLv3 is available as a compile time option \- but it is not built by default. Support for TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3 are all available by default -in a standard build of OpenSSL. However special run-time configuration is +in a standard build of OpenSSL. However special run\-time configuration is required in order to make TLSv1.0 and TLSv1.1 work successfully. .PP OpenSSL will always try to negotiate the highest protocol version that it has 
@@ -134,7 +137,7 @@ the server that it claims to be and not some imposter. In order to do this the server will send to the client a digital certificate (also commonly referred to as an X.509 certificate). The certificate contains various information about the server including its full DNS hostname. Also within the certificate is the -server's public key. The server operator will have a private key which is +server\*(Aqs public key. The server operator will have a private key which is linked to the public key and must not be published. .PP Along with the certificate the server will also send to the client proof that it @@ -146,13 +149,13 @@ possession of the correct private key. .PP The certificate that the server sends will also be signed by a Certificate Authority. The Certificate Authority (commonly known as a CA) is a third party -organisation that is responsible for verifying the information in the server's +organisation that is responsible for verifying the information in the server\*(Aqs certificate (including its DNS hostname). The CA should only sign the certificate if it has been able to confirm that the server operator does indeed have control of the server associated with its DNS hostname and that the server operator has control of the private key. .PP -In this way, if the client trusts the CA that has signed the server's +In this way, if the client trusts the CA that has signed the server\*(Aqs certificate and it can verify that the server has the right private key then it can trust that the server truly does represent the DNS hostname given in the certificate. The client must also verify that the hostname given in the 
@@ -165,7 +168,7 @@ of CAs that the client trusts as well as the DNS hostname for the server that this client is trying to connect to. .PP Note that it is common for certificates to be built up into a chain. For example -a server's certificate may be signed by a key owned by a an intermediate CA. +a server\*(Aqs certificate may be signed by a key owned by a an intermediate CA. That intermediate CA also has a certificate containing its public key which is in turn signed by a key owned by a root CA. The client may only trust the root CA, but if the server sends both its own certificate and the certificate for the @@ -221,7 +224,7 @@ directly in \fBOPENSSLDIR\fR. For example if \fBOPENSSLDIR\fR is "/usr/local/ssl then save it as "/usr/local/ssl/cert.pem". .PP You can also use environment variables to override the default location that -OpenSSL will look for its trusted certificate store. Set the \fBSSL_CERT_PATH\fR +OpenSSL will look for its trusted certificate store. Set the \fBSSL_CERT_DIR\fR environment variable to give the directory where OpenSSL should looks for its certificates or the \fBSSL_CERT_FILE\fR environment variable to give the name of a single file containing all of the certificates. See \fBopenssl\-env\fR\|(7) for @@ -326,7 +329,7 @@ server always sends its Finished message before the client. The client later responds with its Finished message. At this point the client has completed the handshake because it has both sent and received a Finished message. The server has sent its Finished message but the Finished message from the client may still -be in-flight, so the server is still in the handshake phase. It is even possible +be in\-flight, so the server is still in the handshake phase. It is even possible that the server will fail to complete the handshake (if it considers there is some problem with the messages sent from the client), even though the client may have already progressed to sending application data. In TLSv1.2 this can happen 
@@ -336,7 +339,7 @@ second. Once the handshake is complete the application data transfer phase begins. Strictly speaking there are some situations where the client can start sending application data even earlier (using the TLSv1.3 "early data" capability) \- but -we're going to skip over that for this basic introduction. +we\*(Aqre going to skip over that for this basic introduction. .PP During application data transfer the client and server can read and write data to the connection freely. The details of this are typically left to some higher @@ -368,7 +371,7 @@ See \fBossl\-guide\-quic\-introduction\fR\|(7) for an introduction to QUIC in Op \&\fBossl\-guide\-tls\-server\-block\fR\|(7), \fBossl\-guide\-quic\-introduction\fR\|(7) .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2023\-2025 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2023\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-tls-server-block.7 b/secure/lib/libcrypto/man/man7/ossl-guide-tls-server-block.7 index 37b35edf6209..a2db3e76f143 100644 --- a/secure/lib/libcrypto/man/man7/ossl-guide-tls-server-block.7 +++ b/secure/lib/libcrypto/man/man7/ossl-guide-tls-server-block.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL-GUIDE-TLS-SERVER-BLOCK 7ossl" -.TH OSSL-GUIDE-TLS-SERVER-BLOCK 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL-GUIDE-TLS-SERVER-BLOCK 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -66,7 +69,7 @@ ossl\-guide\-tls\-server\-block .SH "SIMPLE BLOCKING TLS SERVER EXAMPLE" .IX Header "SIMPLE BLOCKING TLS SERVER EXAMPLE" This page will present various source code samples demonstrating how to write a -simple, non-concurrent, TLS "echo" server application which accepts one client +simple, non\-concurrent, TLS "echo" server application which accepts one client connection at a time, echoing input from the client back to the same client. Once the current client disconnects, the next client connection is accepted. .PP @@ -156,7 +159,7 @@ Next we configure some option flags, see \fBSSL_CTX_set_options\fR\|(3) for deta Servers need a private key and certificate. Though anonymous ciphers (no server certificate) are possible in TLS 1.2, they are rarely applicable, and are not currently defined for TLS 1.3. Additional intermediate issuer CA -certificates are often also required, and both the server (end-entity or EE) +certificates are often also required, and both the server (end\-entity or EE) certificate and the issuer ("chain") certificates are most easily configured in a single "chain file". Below we load such a chain file (the EE certificate must appear first), and then load the corresponding private key, checking that 
@@ -339,7 +342,7 @@ ownership of the BIO or BIOs involved (our \fBclient_bio\fR) to the SSL handle. \& SSL_set_bio(ssl, client_bio, client_bio); .Ve .PP -And now we're ready to attempt the SSL handshake. With a blocking socket +And now we\*(Aqre ready to attempt the SSL handshake. With a blocking socket OpenSSL will perform all the read and write operations required to complete the handshake (or detect and report a failure) before returning. .PP diff --git a/secure/lib/libcrypto/man/man7/ossl_store-file.7 b/secure/lib/libcrypto/man/man7/ossl_store-file.7 index e552a97f65dc..eb3473b34015 100644 --- a/secure/lib/libcrypto/man/man7/ossl_store-file.7 +++ b/secure/lib/libcrypto/man/man7/ossl_store-file.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,52 +52,55 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_STORE-FILE 7ossl" -.TH OSSL_STORE-FILE 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_STORE-FILE 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH NAME -ossl_store\-file \- The store 'file' scheme loader +ossl_store\-file \- The store \*(Aqfile\*(Aq scheme loader .SH SYNOPSIS .IX Header "SYNOPSIS" #include <openssl/store.h> .SH DESCRIPTION .IX Header "DESCRIPTION" -Support for the 'file' scheme is built into \f(CW\*(C`libcrypto\*(C'\fR. -Since files come in all kinds of formats and content types, the 'file' +Support for the \*(Aqfile\*(Aq scheme is built into \f(CW\*(C`libcrypto\*(C'\fR. +Since files come in all kinds of formats and content types, the \*(Aqfile\*(Aq scheme has its own layer of functionality called "file handlers", which are used to try to decode diverse types of file contents. .PP In case a file is formatted as PEM, each called file handler receives -the PEM name (everything following any '\f(CW\*(C`\-\-\-\-\-BEGIN \*(C'\fR') as well as +the PEM name (everything following any \*(Aq\f(CW\*(C`\-\-\-\-\-BEGIN \*(C'\fR\*(Aq) as well as possible PEM headers, together with the decoded PEM body. Since PEM formatted files can contain more than one object, the file handlers are called upon for each such object. .PP -If the file isn't determined to be formatted as PEM, the content is +If the file isn\*(Aqt determined to be formatted as PEM, the content is loaded in raw form in its entirety and passed to the available file handlers as is, with no PEM name or headers. .PP -Each file handler is expected to handle PEM and non-PEM content as -appropriate. 
Some may refuse non-PEM content for the sake of +Each file handler is expected to handle PEM and non\-PEM content as +appropriate. Some may refuse non\-PEM content for the sake of determinism (for example, there are keys out in the wild that are -represented as an ASN.1 OCTET STRING. In raw form, it's not easily +represented as an ASN.1 OCTET STRING. In raw form, it\*(Aqs not easily possible to distinguish those from any other data coming as an ASN.1 OCTET STRING, so such keys would naturally be accepted as PEM files only). .SH NOTES .IX Header "NOTES" -When needed, the 'file' scheme loader will require a pass phrase by +When needed, the \*(Aqfile\*(Aq scheme loader will require a pass phrase by using the \fBUI_METHOD\fR that was passed via \fBOSSL_STORE_open()\fR. This pass phrase is expected to be UTF\-8 encoded, anything else will give an undefined result. The files made accessible through this loader are expected to be standard compliant with regards to pass phrase encoding. -Files that aren't should be re-generated with a correctly encoded pass +Files that aren\*(Aqt should be re\-generated with a correctly encoded pass phrase. See \fBpassphrase\-encoding\fR\|(7) for more information. .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man7/ossl_store.7 b/secure/lib/libcrypto/man/man7/ossl_store.7 index c93274bb5e7f..aec1dad5f783 100644 --- a/secure/lib/libcrypto/man/man7/ossl_store.7 +++ b/secure/lib/libcrypto/man/man7/ossl_store.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "OSSL_STORE 7ossl" -.TH OSSL_STORE 7ossl 2025-09-30 3.5.4 OpenSSL +.TH OSSL_STORE 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -84,7 +87,7 @@ from which an OpenSSL type can be retrieved. Support for a URI scheme is called a STORE "loader", and can be added dynamically from the calling application or from a loadable engine. .PP -Support for the 'file' scheme is built into \f(CW\*(C`libcrypto\*(C'\fR. +Support for the \*(Aqfile\*(Aq scheme is built into \f(CW\*(C`libcrypto\*(C'\fR. See \fBossl_store\-file\fR\|(7) for more information. .SS "UI_METHOD and pass phrases" .IX Subsection "UI_METHOD and pass phrases" diff --git a/secure/lib/libcrypto/man/man7/passphrase-encoding.7 b/secure/lib/libcrypto/man/man7/passphrase-encoding.7 index 118da77d0c6d..9fd6dca2aa4d 100644 --- a/secure/lib/libcrypto/man/man7/passphrase-encoding.7 +++ b/secure/lib/libcrypto/man/man7/passphrase-encoding.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PASSPHRASE-ENCODING 7ossl" -.TH PASSPHRASE-ENCODING 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PASSPHRASE-ENCODING 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -71,7 +74,7 @@ This manual page attempts to give an overview over how this problem is currently addressed in different parts of the OpenSSL library. .SS "The general case" .IX Subsection "The general case" -The OpenSSL library doesn't treat pass phrases in any special way as a general +The OpenSSL library doesn\*(Aqt treat pass phrases in any special way as a general rule, and trusts the application or user to choose a suitable character set and stick to that throughout the lifetime of affected objects. This means that for an object that was encrypted using a pass phrase encoded in @@ -87,7 +90,7 @@ encoded in big endian (UCS\-2 BE). .PP OpenSSL tries to adapt to this requirements in one of the following manners: .IP 1. 4 -Treats the received pass phrase as UTF\-8 encoded and tries to re-encode it to +Treats the received pass phrase as UTF\-8 encoded and tries to re\-encode it to UTF\-16 (which is the same as UCS\-2 for characters U+0000 to U+D7FF and U+E000 to U+FFFF, but becomes an expansion for any other character), or failing that, proceeds with step 2. 
@@ -105,13 +108,13 @@ characters in the 0x80\-0x9F range). OpenSSL versions older than 1.1.0 do variant 2 only, and that is the reason why OpenSSL still does this, to be able to read files produced with older versions. .PP -It should be noted that this approach isn't entirely fault free. +It should be noted that this approach isn\*(Aqt entirely fault free. .PP A pass phrase encoded in ISO\-8859\-2 could very well have a sequence such as 0xC3 0xAF (which is the two characters "LATIN CAPITAL LETTER A WITH BREVE" and "LATIN CAPITAL LETTER Z WITH DOT ABOVE" in ISO\-8859\-2 encoding), but would be misinterpreted as the perfectly valid UTF\-8 encoded code point U+00EF (LATIN -SMALL LETTER I WITH DIAERESIS) \fIif the pass phrase doesn't contain anything that +SMALL LETTER I WITH DIAERESIS) \fIif the pass phrase doesn\*(Aqt contain anything that would be invalid UTF\-8\fR. A pass phrase that contains this kind of byte sequence will give a different outcome in OpenSSL 1.1.0 and newer than in OpenSSL older than 1.1.0. @@ -129,7 +132,7 @@ than 1.1.0 was misinterpreted as ISO\-8859\-1 sequences. potentially protected with a pass phrase, a PIN or something else. This API stipulates that pass phrases should be UTF\-8 encoded, and that any other pass phrase encoding may give undefined results. -This API relies on the application to ensure UTF\-8 encoding, and doesn't check +This API relies on the application to ensure UTF\-8 encoding, and doesn\*(Aqt check that this is the case, so what it gets, it will also pass to the underlying loader. .SH RECOMMENDATIONS 
@@ -139,19 +142,19 @@ but that it may have been encoded in a different character encoding than the one used by your current input method. For example, the pass phrase may have been used at a time when your default encoding was ISO\-8859\-1 (i.e. "naïve" resulting in the byte sequence 0x6E 0x61 -0xEF 0x76 0x65), and you're now in an environment where your default encoding +0xEF 0x76 0x65), and you\*(Aqre now in an environment where your default encoding is UTF\-8 (i.e. "naïve" resulting in the byte sequence 0x6E 0x61 0xC3 0xAF 0x76 0x65). -Whenever it's mentioned that you should use a certain character encoding, it +Whenever it\*(Aqs mentioned that you should use a certain character encoding, it should be understood that you either change the input method to use the mentioned encoding when you type in your pass phrase, or use some suitable tool to convert your pass phrase from your default encoding to the target encoding. .PP -Also note that the sub-sections below discuss human readable pass phrases. +Also note that the sub\-sections below discuss human readable pass phrases. This is particularly relevant for PKCS#12 objects, where human readable pass phrases are assumed. -For other objects, it's as legitimate to use any byte sequence (such as a -sequence of bytes from \fI/dev/urandom\fR that's been saved away), which makes any +For other objects, it\*(Aqs as legitimate to use any byte sequence (such as a +sequence of bytes from \fI/dev/urandom\fR that\*(Aqs been saved away), which makes any character encoding discussion irrelevant; in such cases, simply use the same byte sequence as it is. .SS "Creating new objects" 
@@ -175,7 +178,7 @@ following: .IP 1. 4 Try the pass phrase that you have as it is in the character encoding of your environment. -It's possible that its byte sequence is exactly right. +It\*(Aqs possible that its byte sequence is exactly right. .IP 2. 4 Convert the pass phrase to UTF\-8 and try with the result. Specifically with PKCS#12, this should open up any object that was created @@ -189,7 +192,7 @@ U+0000 to U+00FF, which other non\-UTF\-8 character sets do not. This also takes care of the case when a UTF\-8 encoded string was used with OpenSSL older than 1.1.0. (for example, \f(CW\*(C`ï\*(C'\fR, which is 0xC3 0xAF when encoded in UTF\-8, would become 0xC3 -0x83 0xC2 0xAF when re-encoded in the naïve manner. +0x83 0xC2 0xAF when re\-encoded in the naïve manner. The conversion to BMPString would then yield 0x00 0xC3 0x00 0xA4 0x00 0x00, the erroneous/non\-compliant encoding used by OpenSSL older than 1.1.0) .SH "SEE ALSO" diff --git a/secure/lib/libcrypto/man/man7/property.7 b/secure/lib/libcrypto/man/man7/property.7 index 5627e529d43b..98f9f0cf021b 100644 --- a/secure/lib/libcrypto/man/man7/property.7 +++ b/secure/lib/libcrypto/man/man7/property.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROPERTY 7ossl" -.TH PROPERTY 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROPERTY 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -81,13 +84,13 @@ A \fIreserved\fR property name consists of a single C\-style identifier (except for leading underscores not being permitted), which begins with a letter and can be followed by any number of letters, numbers and underscores. -Property names are case-insensitive, but OpenSSL will only use lowercase +Property names are case\-insensitive, but OpenSSL will only use lowercase letters. .PP A \fIuser defined\fR property name is similar, but it \fBmust\fR consist of two or more C\-style identifiers, separated by periods. -The last identifier in the name can be considered the 'true' property -name, which is prefixed by some sort of 'namespace'. +The last identifier in the name can be considered the \*(Aqtrue\*(Aq property +name, which is prefixed by some sort of \*(Aqnamespace\*(Aq. Providers for example could include their name in the prefix and use property names like .PP @@ -112,7 +115,7 @@ Each implementation of an algorithm can define any number of properties. For example, the default provider defines the property \fIprovider=default\fR for all of its algorithms. -Likewise, OpenSSL's FIPS provider defines \fIprovider=fips\fR and the legacy +Likewise, OpenSSL\*(Aqs FIPS provider defines \fIprovider=fips\fR and the legacy provider defines \fIprovider=legacy\fR for all of their algorithms. .SS Queries .IX Subsection "Queries" @@ -142,7 +145,7 @@ following property name should be ignored. \&\fB"..."\fR is a quoted string. The quotes are not included in the body of the string. .IP \(bu 4 -\&\fB'...'\fR is a quoted string. +\&\fB\*(Aq...\*(Aq\fR is a quoted string. The quotes are not included in the body of the string. .SS Lookups .IX Subsection "Lookups" 
@@ -168,7 +171,7 @@ Where both the context and local queries include a clause with the same name, the local clause overrides the context clause. .PP It is possible for a local property query to remove a clause in the context -property query by preceding the property name with a '\-'. +property query by preceding the property name with a \*(Aq\-\*(Aq. For example, a context property query that contains "fips=yes" would normally result in implementations that have "fips=yes". .PP 
@@ -178,6 +181,31 @@ clause "\-fips". Note that the local property query could not use "fips=no" because that would disallow any implementations with "fips=yes" rather than not caring about the setting. +.SH "PREDEFINED NAMES" +.IX Header "PREDEFINED NAMES" +Currently known predefined names are: +.ie n .IP """provider""" 4 +.el .IP \f(CWprovider\fR 4 +.IX Item "provider" +The conventional property value is the provider\*(Aqs name. This may be different from the name returned by \fBOSSL_PROVIDER_get0_name\fR\|(3). +.Sp +It is a convention among OpenSSL provider implementations to define a property with this name. It is not mandatory to do this. +.ie n .IP """version""" 4 +.el .IP \f(CWversion\fR 4 +.IX Item "version" +The conventional property value is the provider\*(Aqs version. +.Sp +OpenSSL provider implementations do not define a property with this name. +.ie n .IP """fips""" 4 +.el .IP \f(CWfips\fR 4 +.IX Item "fips" +The conventional property value is boolean (\f(CW"yes"\fR or \f(CW"no"\fR), indication whether the implementation conforms to FIPS standards or not. +.Sp +It is a convention among OpenSSL provider implementations to define a property with this name where applicable. It is not mandatory to do this, but is strongly recommended. +.ie n .IP """output"", ""input"", ""structure""" 4 +.el .IP "\f(CWoutput\fR, \f(CWinput\fR, \f(CWstructure\fR" 4 +.IX Item "output, input, structure" +Properties with these names are used by encoders (see \fBprovider\-encoder\fR\|(7)) and decoders (see \fBprovider\-decoder\fR\|(7)). .SH SYNTAX .IX Header "SYNTAX" The lexical syntax in EBNF is given by: 
@@ -203,7 +231,7 @@ The flavour of EBNF being used is defined by: Properties were added in OpenSSL 3.0 .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man7/provider-asym_cipher.7 b/secure/lib/libcrypto/man/man7/provider-asym_cipher.7 index ff64f79c714f..538f95564186 100644 --- a/secure/lib/libcrypto/man/man7/provider-asym_cipher.7 +++ b/secure/lib/libcrypto/man/man7/provider-asym_cipher.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-ASYM_CIPHER 7ossl" -.TH PROVIDER-ASYM_CIPHER 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-ASYM_CIPHER 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -112,7 +115,7 @@ other related functions). .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP 
@@ -236,11 +239,11 @@ with the given provider side asymmetric cipher context \fIctx\fR to \fIparams\fR Any parameter settings are additional to any that were previously set. Passing NULL for \fIparams\fR should return true. .PP -Parameters currently recognised by built-in asymmetric cipher algorithms are as +Parameters currently recognised by built\-in asymmetric cipher algorithms are as follows. Not all parameters are relevant to, or are understood by all asymmetric cipher algorithms: -.IP """pad-mode"" (\fBOSSL_ASYM_CIPHER_PARAM_PAD_MODE\fR) <UTF8 string> OR <integer>" 4 +.IP """pad\-mode"" (\fBOSSL_ASYM_CIPHER_PARAM_PAD_MODE\fR) <UTF8 string> OR <integer>" 4 .IX Item """pad-mode"" (OSSL_ASYM_CIPHER_PARAM_PAD_MODE) <UTF8 string> OR <integer>" The type of padding to be used. The interpretation of this value will depend on the algorithm in use. @@ -252,10 +255,10 @@ use. .IX Item """digest"" (OSSL_ASYM_CIPHER_PARAM_DIGEST) <UTF8 string>" Gets or sets the name of the digest algorithm used by the algorithm (where applicable). -.IP """digest-props"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS\fR) <UTF8 string>" 4 +.IP """digest\-props"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS\fR) <UTF8 string>" 4 .IX Item """digest-props"" (OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS) <UTF8 string>" Gets or sets the properties to use when fetching the OAEP digest algorithm. -.IP """digest-props"" (\fBOSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS\fR) <UTF8 string>" 4 +.IP """digest\-props"" (\fBOSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS\fR) <UTF8 string>" 4 .IX Item """digest-props"" (OSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS) <UTF8 string>" Gets or sets the properties to use when fetching the cipher digest algorithm. .IP """mgf1\-digest"" (\fBOSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST\fR) <UTF8 string>" 4 
@@ -265,41 +268,41 @@ is in use. .IP """mgf1\-digest\-props"" (\fBOSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS\fR) <UTF8 string>" 4 .IX Item """mgf1-digest-props"" (OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS) <UTF8 string>" Gets or sets the properties to use when fetching the MGF1 digest algorithm. -.IP """oaep-label"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_LABEL\fR) <octet string ptr>" 4 +.IP """oaep\-label"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_LABEL\fR) <octet string ptr>" 4 .IX Item """oaep-label"" (OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL) <octet string ptr>" Gets the OAEP label used when OAEP padding is in use. -.IP """oaep-label"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_LABEL\fR) <octet string>" 4 +.IP """oaep\-label"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_LABEL\fR) <octet string>" 4 .IX Item """oaep-label"" (OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL) <octet string>" Sets the OAEP label used when OAEP padding is in use. -.IP """tls-client-version"" (\fBOSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\fR) <unsigned integer>" 4 +.IP """tls\-client\-version"" (\fBOSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\fR) <unsigned integer>" 4 .IX Item """tls-client-version"" (OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION) <unsigned integer>" The TLS protocol version first requested by the client. -.IP """tls-negotiated-version"" (\fBOSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\fR) <unsigned integer>" 4 +.IP """tls\-negotiated\-version"" (\fBOSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\fR) <unsigned integer>" 4 .IX Item """tls-negotiated-version"" (OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION) <unsigned integer>" The negotiated TLS protocol version. -.IP """implicit-rejection"" (\fBOSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION\fR) <unsigned integer>" 4 +.IP """implicit\-rejection"" (\fBOSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION\fR) <unsigned integer>" 4 .IX Item """implicit-rejection"" (OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION) <unsigned integer>" Gets or sets the use of the implicit rejection mechanism for RSA PKCS#1 v1.5 decryption. 
When set (non zero value), the decryption API will return a deterministically random value if the PKCS#1 v1.5 padding check fails. This makes exploitation of the Bleichenbacher significantly harder, even -if the code using the RSA decryption API is not implemented in side-channel +if the code using the RSA decryption API is not implemented in side\-channel free manner. Set by default in OpenSSL providers. .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling either \fBOSSL_FUNC_asym_cipher_encrypt()\fR or -\&\fBOSSL_FUNC_asym_cipher_decrypt()\fR. It may return 0 if "key-check" is set to 0. -.IP """key-check"" (\fBOSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +\&\fBOSSL_FUNC_asym_cipher_decrypt()\fR. It may return 0 if "key\-check" is set to 0. +.IP """key\-check"" (\fBOSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK) <integer>" If required this parameter should be set using either \&\fBOSSL_FUNC_asym_cipher_encrypt_init()\fR or \fBOSSL_FUNC_asym_cipher_decrypt_init()\fR. The default value of 1 causes an error during the init if the key is not FIPS approved (e.g. The key has a security strength of less than 112 bits). Setting -this to 0 will ignore the error and set the approved "fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +this to 0 will ignore the error and set the approved "fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. 
.PP \&\fBOSSL_FUNC_asym_cipher_gettable_ctx_params()\fR and \fBOSSL_FUNC_asym_cipher_settable_ctx_params()\fR @@ -318,7 +321,7 @@ All other functions should return 1 for success or 0 on error. .SH HISTORY .IX Header "HISTORY" The provider ASYM_CIPHER interface was introduced in OpenSSL 3.0. -The Asymmetric Cipher Parameters "fips-indicator" and "key-check" +The Asymmetric Cipher Parameters "fips\-indicator" and "key\-check" were added in OpenSSL 3.4. .SH COPYRIGHT .IX Header "COPYRIGHT" diff --git a/secure/lib/libcrypto/man/man7/provider-base.7 b/secure/lib/libcrypto/man/man7/provider-base.7 index f62620469128..a1a2fee21492 100644 --- a/secure/lib/libcrypto/man/man7/provider-base.7 +++ b/secure/lib/libcrypto/man/man7/provider-base.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-BASE 7ossl" -.TH PROVIDER-BASE 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-BASE 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -202,7 +205,8 @@ For example, the "function" \fBcore_gettable_params()\fR has these: \& OSSL_FUNC_core_gettable_params(const OSSL_DISPATCH *opf); .Ve .PP -\&\fBOSSL_DISPATCH\fR\|(3) arrays are indexed by numbers that are provided as +\&\fBOSSL_DISPATCH\fR\|(3) array entries contain a \fIfunction_id\fR field that +identifies the function. The \fIfunction_id\fR numbers are provided as macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows: .PP For \fIin\fR (the \fBOSSL_DISPATCH\fR\|(3) array passed from \fIlibcrypto\fR to the @@ -296,9 +300,9 @@ freeing thread local variables. .PP \&\fBcore_get_libctx()\fR retrieves the core context in which the library object for the current provider is stored, accessible through the \fIhandle\fR. -This function is useful only for built-in providers such as the default +This function is useful only for built\-in providers such as the default provider. Never cast this to OSSL_LIB_CTX in a provider that is not -built-in as the OSSL_LIB_CTX of the library loading the provider might be +built\-in as the OSSL_LIB_CTX of the library loading the provider might be a completely different structure than the OSSL_LIB_CTX of the library the provider is linked to. Use \fBOSSL_LIB_CTX_new_child\fR\|(3) instead to obtain a proper library context that is linked to the application library context. @@ -323,7 +327,7 @@ This corresponds to the OpenSSL function \fBERR_set_debug\fR\|(3). .IX Item "core_vset_error()" sets the \fIreason\fR for the error, along with any addition data. The \fIreason\fR is a number defined by the provider and used to index -the reason strings table that's returned by +the reason strings table that\*(Aqs returned by \&\fBprovider_get_reason_strings()\fR. The additional data is given as a format string \fIfmt\fR and a set of arguments \fIargs\fR, which are treated in the same manner as with 
@@ -433,22 +437,22 @@ is passed in \fBbuf\fR and its length in \fBlen\fR. is passed in \fBbuf\fR and its length in \fBlen\fR. .PP \&\fBprovider_register_child_cb()\fR registers callbacks for being informed about the -loading and unloading of providers in the application's library context. -\&\fIhandle\fR is this provider's handle and \fIcbdata\fR is this provider's data +loading and unloading of providers in the application\*(Aqs library context. +\&\fIhandle\fR is this provider\*(Aqs handle and \fIcbdata\fR is this provider\*(Aqs data that will be passed back to the callbacks. It returns 1 on success or 0 otherwise. These callbacks may be called while holding locks in libcrypto. In order to avoid deadlocks the callback implementation must not be long running and must not call other OpenSSL API functions or upcalls. .PP \&\fIcreate_cb\fR is a callback that will be called when a new provider is loaded -into the application's library context. It is also called for any providers that +into the application\*(Aqs library context. It is also called for any providers that are already loaded at the point that this callback is registered. The callback is passed the handle being used for the new provider being loadded and this -provider's data in \fIcbdata\fR. It should return 1 on success or 0 on failure. +provider\*(Aqs data in \fIcbdata\fR. It should return 1 on success or 0 on failure. .PP \&\fIremove_cb\fR is a callback that will be called when a new provider is unloaded -from the application's library context. It is passed the handle being used for -the provider being unloaded and this provider's data in \fIcbdata\fR. It should +from the application\*(Aqs library context. It is passed the handle being used for +the provider being unloaded and this provider\*(Aqs data in \fIcbdata\fR. It should return 1 on success or 0 on failure. .PP \&\fIglobal_props_cb\fR is a callback that will be called when the global properties 
@@ -458,7 +462,7 @@ or 0 on failure. \&\fBprovider_deregister_child_cb()\fR unregisters callbacks previously registered via \&\fBprovider_register_child_cb()\fR. If \fBprovider_register_child_cb()\fR has been called then \fBprovider_deregister_child_cb()\fR should be called at or before the point that -this provider's teardown function is called. +this provider\*(Aqs teardown function is called. .PP \&\fBprovider_name()\fR returns a string giving the name of the provider identified by \&\fIhandle\fR. @@ -479,7 +483,7 @@ already loaded. It returns 1 on success or 0 on failure. .SS "Provider functions" .IX Subsection "Provider functions" \&\fBprovider_teardown()\fR is called when a provider is shut down and removed -from the core's provider store. +from the core\*(Aqs provider store. It must free the passed \fIprovctx\fR. .PP \&\fBprovider_gettable_params()\fR should return a constant array of @@ -531,12 +535,12 @@ This points to a string that should give a unique name for the provider. .IP """version"" (\fBOSSL_PROV_PARAM_VERSION\fR) <UTF8 ptr>" 4 .IX Item """version"" (OSSL_PROV_PARAM_VERSION) <UTF8 ptr>" This points to a string that is a version number associated with this provider. -OpenSSL in-built providers use OPENSSL_VERSION_STR, but this may be different +OpenSSL in\-built providers use OPENSSL_VERSION_STR, but this may be different for any third party provider. This string is for informational purposes only. .IP """buildinfo"" (\fBOSSL_PROV_PARAM_BUILDINFO\fR) <UTF8 ptr>" 4 .IX Item """buildinfo"" (OSSL_PROV_PARAM_BUILDINFO) <UTF8 ptr>" This points to a string that is a build information associated with this provider. -OpenSSL in-built providers use OPENSSL_FULL_VERSION_STR, but this may be +OpenSSL in\-built providers use OPENSSL_FULL_VERSION_STR, but this may be different for any third party provider. .IP """status"" (\fBOSSL_PROV_PARAM_STATUS\fR) <unsigned integer>" 4 .IX Item """status"" (OSSL_PROV_PARAM_STATUS) <unsigned integer>" 
@@ -547,14 +551,14 @@ This returns 0 if the provider has entered an error state, otherwise it returns .SS "Core parameters" .IX Subsection "Core parameters" \&\fBcore_get_params()\fR can retrieve the following core parameters for each provider: -.IP """openssl-version"" (\fBOSSL_PROV_PARAM_CORE_VERSION\fR) <UTF8 string ptr>" 4 +.IP """openssl\-version"" (\fBOSSL_PROV_PARAM_CORE_VERSION\fR) <UTF8 string ptr>" 4 .IX Item """openssl-version"" (OSSL_PROV_PARAM_CORE_VERSION) <UTF8 string ptr>" -This points to the OpenSSL libraries' full version string, i.e. the string +This points to the OpenSSL libraries\*(Aq full version string, i.e. the string expanded from the macro \fBOPENSSL_VERSION_STR\fR. -.IP """provider-name"" (\fBOSSL_PROV_PARAM_CORE_PROV_NAME\fR) <UTF8 string ptr>" 4 +.IP """provider\-name"" (\fBOSSL_PROV_PARAM_CORE_PROV_NAME\fR) <UTF8 string ptr>" 4 .IX Item """provider-name"" (OSSL_PROV_PARAM_CORE_PROV_NAME) <UTF8 string ptr>" -This points to the OpenSSL libraries' idea of what the calling provider is named. -.IP """module-filename"" (\fBOSSL_PROV_PARAM_CORE_MODULE_FILENAME\fR) <UTF8 string ptr>" 4 +This points to the OpenSSL libraries\*(Aq idea of what the calling provider is named. +.IP """module\-filename"" (\fBOSSL_PROV_PARAM_CORE_MODULE_FILENAME\fR) <UTF8 string ptr>" 4 .IX Item """module-filename"" (OSSL_PROV_PARAM_CORE_MODULE_FILENAME) <UTF8 string ptr>" This points to a string containing the full filename of the providers module file. @@ -564,7 +568,7 @@ config file are available, in dotted name form. The dotted name form is a concatenation of section names and final config command name separated by periods. .PP -For example, let's say we have the following config example: +For example, let\*(Aqs say we have the following config example: .PP .Vb 2 \& config_diagnostics = 1 
@@ -607,10 +611,10 @@ For more information on handling parameters, see \fBOSSL_PARAM\fR\|(3) as Capabilities describe some of the services that a provider can offer. Applications can query the capabilities to discover those services. .PP -\fI"TLS-GROUP" Capability\fR +\fI"TLS\-GROUP" Capability\fR .IX Subsection """TLS-GROUP"" Capability" .PP -The "TLS-GROUP" capability can be queried by libssl to discover the list of +The "TLS\-GROUP" capability can be queried by libssl to discover the list of TLS groups that a provider can support. Each group supported can be used for \&\fIkey exchange\fR (KEX) or \fIkey encapsulation method\fR (KEM) during a TLS handshake. 
@@ -623,15 +627,15 @@ Each TLS group that a provider supports should be described via the callback passed in through the provider_get_capabilities function. Each group should have the following details supplied (all are mandatory, except \&\fBOSSL_CAPABILITY_TLS_GROUP_IS_KEM\fR): -.IP """tls-group-name"" (\fBOSSL_CAPABILITY_TLS_GROUP_NAME\fR) <UTF8 string>" 4 +.IP """tls\-group\-name"" (\fBOSSL_CAPABILITY_TLS_GROUP_NAME\fR) <UTF8 string>" 4 .IX Item """tls-group-name"" (OSSL_CAPABILITY_TLS_GROUP_NAME) <UTF8 string>" The name of the group as given in the IANA TLS Supported Groups registry <https://www.iana.org/assignments/tls\-parameters/tls\-parameters.xhtml#tls\-parameters\-8>. -.IP """tls-group-name-internal"" (\fBOSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL\fR) <UTF8 string>" 4 +.IP """tls\-group\-name\-internal"" (\fBOSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL\fR) <UTF8 string>" 4 .IX Item """tls-group-name-internal"" (OSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL) <UTF8 string>" The name of the group as known by the provider. This could be the same as the -"tls-group-name", but does not have to be. -.IP """tls-group-id"" (\fBOSSL_CAPABILITY_TLS_GROUP_ID\fR) <unsigned integer>" 4 +"tls\-group\-name", but does not have to be. +.IP """tls\-group\-id"" (\fBOSSL_CAPABILITY_TLS_GROUP_ID\fR) <unsigned integer>" 4 .IX Item """tls-group-id"" (OSSL_CAPABILITY_TLS_GROUP_ID) <unsigned integer>" The TLS group id value as given in the IANA TLS Supported Groups registry. .Sp 
@@ -639,7 +643,7 @@ It is possible to register the same group id from within different providers. Users should note that if no property query is specified, or more than one implementation matches the property query then it is unspecified which implementation for a particular group id will be used. -.IP """tls-group-alg"" (\fBOSSL_CAPABILITY_TLS_GROUP_ALG\fR) <UTF8 string>" 4 +.IP """tls\-group\-alg"" (\fBOSSL_CAPABILITY_TLS_GROUP_ALG\fR) <UTF8 string>" 4 .IX Item """tls-group-alg"" (OSSL_CAPABILITY_TLS_GROUP_ALG) <UTF8 string>" The name of a Key Management algorithm that the provider offers and that should be used with this group. Keys created should be able to support \fIkey exchange\fR 
@@ -647,14 +651,14 @@ or \fIkey encapsulation method\fR (KEM), as implied by the optional \&\fBOSSL_CAPABILITY_TLS_GROUP_IS_KEM\fR flag. The algorithm must support key and parameter generation as well as the key/parameter generation parameter, \fBOSSL_PKEY_PARAM_GROUP_NAME\fR. The group -name given via "tls-group-name-internal" above will be passed via +name given via "tls\-group\-name\-internal" above will be passed via \&\fBOSSL_PKEY_PARAM_GROUP_NAME\fR when libssl wishes to generate keys/parameters. -.IP """tls-group-sec-bits"" (\fBOSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS\fR) <unsigned integer>" 4 +.IP """tls\-group\-sec\-bits"" (\fBOSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS\fR) <unsigned integer>" 4 .IX Item """tls-group-sec-bits"" (OSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS) <unsigned integer>" The number of bits of security offered by keys in this group. The number of bits should be comparable with the ones given in table 2 and 3 of the NIST SP800\-57 document. -.IP """tls-group-is-kem"" (\fBOSSL_CAPABILITY_TLS_GROUP_IS_KEM\fR) <unsigned integer>" 4 +.IP """tls\-group\-is\-kem"" (\fBOSSL_CAPABILITY_TLS_GROUP_IS_KEM\fR) <unsigned integer>" 4 .IX Item """tls-group-is-kem"" (OSSL_CAPABILITY_TLS_GROUP_IS_KEM) <unsigned integer>" Boolean flag to describe if the group should be used in \fIkey exchange\fR (KEX) mode (0, default) or in \fIkey encapsulation method\fR (KEM) mode (1). 
@@ -662,42 +666,42 @@ mode (0, default) or in \fIkey encapsulation method\fR (KEM) mode (1). This parameter is optional: if not specified, KEX mode is assumed as the default mode for the group. .Sp -In KEX mode, in a typical Diffie-Hellman fashion, both sides execute \fIkeygen\fR +In KEX mode, in a typical Diffie\-Hellman fashion, both sides execute \fIkeygen\fR then \fIderive\fR against the peer public key. To operate in KEX mode, the group implementation must support the provider functions as described in \&\fBprovider\-keyexch\fR\|(7). .Sp In KEM mode, the client executes \fIkeygen\fR and sends its public key, the server -executes \fIencapsulate\fR using the client's public key and sends back the +executes \fIencapsulate\fR using the client\*(Aqs public key and sends back the resulting \fIciphertext\fR, finally the client executes \fIdecapsulate\fR to retrieve -the same \fIshared secret\fR generated by the server's \fIencapsulate\fR. To operate +the same \fIshared secret\fR generated by the server\*(Aqs \fIencapsulate\fR. To operate in KEM mode, the group implementation must support the provider functions as described in \fBprovider\-kem\fR\|(7). .Sp Both in KEX and KEM mode, the resulting \fIshared secret\fR is then used according to the protocol specification. 
-.IP """tls-min-tls"" (\fBOSSL_CAPABILITY_TLS_GROUP_MIN_TLS\fR) <integer>" 4 +.IP """tls\-min\-tls"" (\fBOSSL_CAPABILITY_TLS_GROUP_MIN_TLS\fR) <integer>" 4 .IX Item """tls-min-tls"" (OSSL_CAPABILITY_TLS_GROUP_MIN_TLS) <integer>" .PD 0 -.IP """tls-max-tls"" (\fBOSSL_CAPABILITY_TLS_GROUP_MAX_TLS\fR) <integer>" 4 +.IP """tls\-max\-tls"" (\fBOSSL_CAPABILITY_TLS_GROUP_MAX_TLS\fR) <integer>" 4 .IX Item """tls-max-tls"" (OSSL_CAPABILITY_TLS_GROUP_MAX_TLS) <integer>" -.IP """tls-min-dtls"" (\fBOSSL_CAPABILITY_TLS_GROUP_MIN_DTLS\fR) <integer>" 4 +.IP """tls\-min\-dtls"" (\fBOSSL_CAPABILITY_TLS_GROUP_MIN_DTLS\fR) <integer>" 4 .IX Item """tls-min-dtls"" (OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS) <integer>" -.IP """tls-max-dtls"" (\fBOSSL_CAPABILITY_TLS_GROUP_MAX_DTLS\fR) <integer>" 4 +.IP """tls\-max\-dtls"" (\fBOSSL_CAPABILITY_TLS_GROUP_MAX_DTLS\fR) <integer>" 4 .IX Item """tls-max-dtls"" (OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS) <integer>" .PD These parameters can be used to describe the minimum and maximum TLS and DTLS -versions supported by the group. The values equate to the on-the-wire encoding +versions supported by the group. The values equate to the on\-the\-wire encoding of the various TLS versions. For example TLSv1.3 is 0x0304 (772 decimal), and TLSv1.2 is 0x0303 (771 decimal). A 0 indicates that there is no defined minimum or maximum. A \-1 indicates that the group should not be used in that protocol. .PP -\fI"TLS-SIGALG" Capability\fR +\fI"TLS\-SIGALG" Capability\fR .IX Subsection """TLS-SIGALG"" Capability" .PP -The "TLS-SIGALG" capability can be queried by libssl to discover the list of +The "TLS\-SIGALG" capability can be queried by libssl to discover the list of TLS signature algorithms that a provider can support. Each signature supported -can be used for client\- or server-authentication in addition to the built-in +can be used for client\- or server\-authentication in addition to the built\-in signature algorithms. 
TLS1.3 clients can advertise the list of TLS signature algorithms they support in the signature_algorithms extension, and TLS servers can select an algorithm @@ -708,13 +712,13 @@ additional ones. Each TLS signature algorithm that a provider supports should be described via the callback passed in through the provider_get_capabilities function. Each algorithm can have the following details supplied: -.IP """iana-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_IANA_NAME\fR) <UTF8 string>" 4 +.IP """iana\-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_IANA_NAME\fR) <UTF8 string>" 4 .IX Item """iana-name"" (OSSL_CAPABILITY_TLS_SIGALG_IANA_NAME) <UTF8 string>" The name of the signature algorithm as given in the IANA TLS Signature Scheme registry as "Description": <https://www.iana.org/assignments/tls\-parameters/tls\-parameters.xhtml#tls\-signaturescheme>. This value must be supplied. -.IP """iana-code-point"" (\fBOSSL_CAPABILITY_TLS_SIGALG_CODE_POINT\fR) <unsigned integer>" 4 +.IP """iana\-code\-point"" (\fBOSSL_CAPABILITY_TLS_SIGALG_CODE_POINT\fR) <unsigned integer>" 4 .IX Item """iana-code-point"" (OSSL_CAPABILITY_TLS_SIGALG_CODE_POINT) <unsigned integer>" The TLS algorithm ID value as given in the IANA TLS SignatureScheme registry. This value must be supplied. 
@@ -723,66 +727,66 @@ It is possible to register the same code point from within different providers. Users should note that if no property query is specified, or more than one implementation matches the property query then it is unspecified which implementation for a particular code point will be used. -.IP """sigalg-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_NAME\fR) <UTF8 string>" 4 +.IP """sigalg\-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_NAME\fR) <UTF8 string>" 4 .IX Item """sigalg-name"" (OSSL_CAPABILITY_TLS_SIGALG_NAME) <UTF8 string>" -A name for the full (possibly composite hash-and-signature) signature +A name for the full (possibly composite hash\-and\-signature) signature algorithm. The provider may, but is not obligated to, provide a signature implementation -with this name; if it doesn't, this is assumed to be a composite of a pure +with this name; if it doesn\*(Aqt, this is assumed to be a composite of a pure signature algorithm and a hash algorithm, which must be given with the -parameters "sig-name" and "hash-name". +parameters "sig\-name" and "hash\-name". This value must be supplied. -.IP """sigalg-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_OID\fR) <UTF8 string>" 4 +.IP """sigalg\-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_OID\fR) <UTF8 string>" 4 .IX Item """sigalg-oid"" (OSSL_CAPABILITY_TLS_SIGALG_OID) <UTF8 string>" -The OID of the "sigalg-name" algorithm in canonical numeric text form. If +The OID of the "sigalg\-name" algorithm in canonical numeric text form. If this parameter is given, \fBOBJ_create()\fR will be used to create an OBJ and -a NID for this OID, using the "sigalg-name" parameter for its (short) name. -Otherwise, it's assumed to already exist in the object database, possibly +a NID for this OID, using the "sigalg\-name" parameter for its (short) name. +Otherwise, it\*(Aqs assumed to already exist in the object database, possibly done by the provider with the \fBcore_obj_create()\fR upcall. This value is optional. 
-.IP """sig-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_SIG_NAME\fR) <UTF8 string>" 4 +.IP """sig\-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_SIG_NAME\fR) <UTF8 string>" 4 .IX Item """sig-name"" (OSSL_CAPABILITY_TLS_SIGALG_SIG_NAME) <UTF8 string>" The name of the pure signature algorithm that is part of a composite -"sigalg-name". If "sigalg-name" is implemented by the provider, this +"sigalg\-name". If "sigalg\-name" is implemented by the provider, this parameter is redundant and must not be given. This value is optional. -.IP """sig-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_SIG_OID\fR) <UTF8 string>" 4 +.IP """sig\-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_SIG_OID\fR) <UTF8 string>" 4 .IX Item """sig-oid"" (OSSL_CAPABILITY_TLS_SIGALG_SIG_OID) <UTF8 string>" -The OID of the "sig-name" algorithm in canonical numeric text form. If +The OID of the "sig\-name" algorithm in canonical numeric text form. If this parameter is given, \fBOBJ_create()\fR will be used to create an OBJ and -a NID for this OID, using the "sig-name" parameter for its (short) name. +a NID for this OID, using the "sig\-name" parameter for its (short) name. Otherwise, it is assumed to already exist in the object database. This can be done by the provider using the \fBcore_obj_create()\fR upcall. This value is optional. -.IP """hash-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_HASH_NAME\fR) <UTF8 string>" 4 +.IP """hash\-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_HASH_NAME\fR) <UTF8 string>" 4 .IX Item """hash-name"" (OSSL_CAPABILITY_TLS_SIGALG_HASH_NAME) <UTF8 string>" -The name of the hash algorithm that is part of a composite "sigalg-name". -If "sigalg-name" is implemented by the provider, this parameter is redundant +The name of the hash algorithm that is part of a composite "sigalg\-name". +If "sigalg\-name" is implemented by the provider, this parameter is redundant and must not be given. This value is optional. 
-.IP """hash-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_HASH_OID\fR) <UTF8 string>" 4 +.IP """hash\-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_HASH_OID\fR) <UTF8 string>" 4 .IX Item """hash-oid"" (OSSL_CAPABILITY_TLS_SIGALG_HASH_OID) <UTF8 string>" -The OID of the "hash-name" algorithm in canonical numeric text form. If +The OID of the "hash\-name" algorithm in canonical numeric text form. If this parameter is given, \fBOBJ_create()\fR will be used to create an OBJ and -a NID for this OID, using the "hash-name" parameter for its (short) name. -Otherwise, it's assumed to already exist in the object database, possibly +a NID for this OID, using the "hash\-name" parameter for its (short) name. +Otherwise, it\*(Aqs assumed to already exist in the object database, possibly done by the provider with the \fBcore_obj_create()\fR upcall. This value is optional. -.IP """key-type"" (\fBOSSL_CAPABILITY_TLS_SIGALG_KEYTYPE\fR) <UTF8 string>" 4 +.IP """key\-type"" (\fBOSSL_CAPABILITY_TLS_SIGALG_KEYTYPE\fR) <UTF8 string>" 4 .IX Item """key-type"" (OSSL_CAPABILITY_TLS_SIGALG_KEYTYPE) <UTF8 string>" The key type of the public key of applicable certificates. If this parameter -isn't present, it's assumed to be the same as "sig-name" if that's present, -otherwise "sigalg-name". +isn\*(Aqt present, it\*(Aqs assumed to be the same as "sig\-name" if that\*(Aqs present, +otherwise "sigalg\-name". This value is optional. -.IP """key-type-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_KEYTYPE_OID\fR) <UTF8 string>" 4 +.IP """key\-type\-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_KEYTYPE_OID\fR) <UTF8 string>" 4 .IX Item """key-type-oid"" (OSSL_CAPABILITY_TLS_SIGALG_KEYTYPE_OID) <UTF8 string>" -The OID of the "key-type" in canonical numeric text form. If +The OID of the "key\-type" in canonical numeric text form. If this parameter is given, \fBOBJ_create()\fR will be used to create an OBJ and -a NID for this OID, using the "key-type" parameter for its (short) name. 
-Otherwise, it's assumed to already exist in the object database, possibly +a NID for this OID, using the "key\-type" parameter for its (short) name. +Otherwise, it\*(Aqs assumed to already exist in the object database, possibly done by the provider with the \fBcore_obj_create()\fR upcall. This value is optional. -.IP """sec-bits"" (\fBOSSL_CAPABILITY_TLS_SIGALG_SECURITY_BITS\fR) <unsigned integer>" 4 +.IP """sec\-bits"" (\fBOSSL_CAPABILITY_TLS_SIGALG_SECURITY_BITS\fR) <unsigned integer>" 4 .IX Item """sec-bits"" (OSSL_CAPABILITY_TLS_SIGALG_SECURITY_BITS) <unsigned integer>" The number of bits of security offered by keys of this algorithm. The number of bits should be comparable with the ones given in table 2 and 3 of the NIST 
@@ -792,24 +796,24 @@ defines the security strength. If the signature algorithm implements its own digest internally, this value needs to be set to properly reflect the overall security strength. This value must be supplied. -.IP """tls-min-tls"" (\fBOSSL_CAPABILITY_TLS_SIGALG_MIN_TLS\fR) <integer>" 4 +.IP """tls\-min\-tls"" (\fBOSSL_CAPABILITY_TLS_SIGALG_MIN_TLS\fR) <integer>" 4 .IX Item """tls-min-tls"" (OSSL_CAPABILITY_TLS_SIGALG_MIN_TLS) <integer>" .PD 0 -.IP """tls-max-tls"" (\fBOSSL_CAPABILITY_TLS_SIGALG_MAX_TLS\fR) <integer>" 4 +.IP """tls\-max\-tls"" (\fBOSSL_CAPABILITY_TLS_SIGALG_MAX_TLS\fR) <integer>" 4 .IX Item """tls-max-tls"" (OSSL_CAPABILITY_TLS_SIGALG_MAX_TLS) <integer>" -.IP """tls-min-dtls"" (\fBOSSL_CAPABILITY_TLS_SIGALG_MIN_DTLS\fR) <integer>" 4 +.IP """tls\-min\-dtls"" (\fBOSSL_CAPABILITY_TLS_SIGALG_MIN_DTLS\fR) <integer>" 4 .IX Item """tls-min-dtls"" (OSSL_CAPABILITY_TLS_SIGALG_MIN_DTLS) <integer>" -.IP """tls-max-dtls"" (\fBOSSL_CAPABILITY_TLS_SIGALG_MAX_DTLS\fR) <integer>" 4 +.IP """tls\-max\-dtls"" (\fBOSSL_CAPABILITY_TLS_SIGALG_MAX_DTLS\fR) <integer>" 4 .IX Item """tls-max-dtls"" (OSSL_CAPABILITY_TLS_SIGALG_MAX_DTLS) <integer>" .PD These parameters can be used to describe the minimum and maximum TLS and DTLS versions supported by the signature algorithm. The values equate to the -on-the-wire encoding of the various TLS versions. For example TLSv1.3 is +on\-the\-wire encoding of the various TLS versions. For example TLSv1.3 is 0x0304 (772 decimal), and TLSv1.2 is 0x0303 (771 decimal). A 0 indicates that there is no defined minimum or maximum. A \-1 in either the min or max field indicates that the signature algorithm should not be used in that protocol. Presently, provider signature algorithms are used only with TLS 1.3, if -that's enclosed in the specified range. +that\*(Aqs enclosed in the specified range. .SH NOTES .IX Header "NOTES" The \fBcore_obj_create()\fR and \fBcore_obj_add_sigid()\fR functions were not thread safe 
@@ -1021,7 +1025,7 @@ and were added in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019\-2026 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/man7/provider-cipher.7 b/secure/lib/libcrypto/man/man7/provider-cipher.7 index 8e5253ee389e..38d233f0255b 100644 --- a/secure/lib/libcrypto/man/man7/provider-cipher.7 +++ b/secure/lib/libcrypto/man/man7/provider-cipher.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-CIPHER 7ossl" -.TH PROVIDER-CIPHER 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-CIPHER 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -144,7 +147,7 @@ equivalents and other related functions). .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP 
@@ -228,7 +231,7 @@ except that it initialises the context for a decryption operation. \&\fBOSSL_FUNC_cipher_encrypt_skey_init()\fR and \&\fBOSSL_FUNC_cipher_decrypt_skey_init()\fR are variants of \&\fBOSSL_FUNC_cipher_encrypt_init()\fR and \fBOSSL_FUNC_cipher_decrypt_init()\fR for working with -opaque objects containing provider-specific key handles instead of raw bytes. +opaque objects containing provider\-specific key handles instead of raw bytes. .PP \&\fBOSSL_FUNC_cipher_update()\fR is called to supply data to be encrypted/decrypted as part of a previously initialised cipher operation. @@ -244,7 +247,7 @@ that are not multiples of the block length. In such cases a cipher implementation will typically cache partial blocks of input data until a complete block is obtained. The pointers \fIout\fR and \fIin\fR may point to the same location, in which -case the encryption must be done in-place. If \fIout\fR and \fIin\fR point to different +case the encryption must be done in\-place. If \fIout\fR and \fIin\fR point to different locations, the requirements of \fBEVP_EncryptUpdate\fR\|(3) and \fBEVP_DecryptUpdate\fR\|(3) guarantee that the two buffers are disjoint. Similarly, the requirements of \fBEVP_EncryptUpdate\fR\|(3) and \fBEVP_DecryptUpdate\fR\|(3) 
@@ -276,11 +279,11 @@ amount of data stored should be put in \fI*outl\fR which should be no more than .PP \&\fBOSSL_FUNC_cipher_pipeline_encrypt_init()\fR, \fBOSSL_FUNC_cipher_pipeline_decrypt_init()\fR \&\fBOSSL_FUNC_cipher_pipeline_update()\fR, and \fBOSSL_FUNC_cipher_pipeline_final()\fR are similar to -the non-pipeline variants, but are used when the application is using cipher pipelining. +the non\-pipeline variants, but are used when the application is using cipher pipelining. The \fInumpipes\fR parameter is the number of pipes in the pipeline. The \fIiv\fR parameter is an array of buffers with IVs, each \fIivlen\fR bytes long. The \fIin\fR and \fIout\fR are arrays of buffer pointers. The \fIinl\fR and \fIoutl\fR, \fIoutsize\fR are arrays of size_t -representing corresponding buffer length as similar to the non-pipeline variants. +representing corresponding buffer length as similar to the non\-pipeline variants. All arrays are of length \fInumpipes\fR. See \fBEVP_CipherPipelineEncryptInit\fR\|(3) for more information. .SS "Cipher Parameters" @@ -310,7 +313,7 @@ with the provider side context \fIcctx\fR in its current state if it is not NULL. Otherwise, they return the parameters associated with the provider side algorithm \fIprovctx\fR. .PP -Parameters currently recognised by built-in ciphers are listed in +Parameters currently recognised by built\-in ciphers are listed in "PARAMETERS" in \fBEVP_EncryptInit\fR\|(3). Not all parameters are relevant to, or are understood by all ciphers. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man7/provider-decoder.7 b/secure/lib/libcrypto/man/man7/provider-decoder.7 index b388f23a52e3..adea234d34d0 100644 --- a/secure/lib/libcrypto/man/man7/provider-decoder.7 +++ b/secure/lib/libcrypto/man/man7/provider-decoder.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-DECODER 7ossl" -.TH PROVIDER-DECODER 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-DECODER 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -104,30 +107,30 @@ provider\-decoder \- The OSSL_DECODER library <\-> provider functions not limited to deserialization as individual decoders can also do decoding into intermediate data formats.\fR .PP -The DECODER operation is a generic method to create a provider-native +The DECODER operation is a generic method to create a provider\-native object reference or intermediate decoded data from an encoded form read from the given \fBOSSL_CORE_BIO\fR. If the caller wants to decode data from memory, it should provide a \fBBIO_s_mem\fR\|(3) \fBBIO\fR. The decoded data or object reference is passed along with eventual metadata to the \fImetadata_cb\fR as \fBOSSL_PARAM\fR\|(3) parameters. .PP -The decoder doesn't need to know more about the \fBOSSL_CORE_BIO\fR +The decoder doesn\*(Aqt need to know more about the \fBOSSL_CORE_BIO\fR pointer than being able to pass it to the appropriate BIO upcalls (see "Core functions" in \fBprovider\-base\fR\|(7)). .PP The DECODER implementation may be part of a chain, where data is passed from one to the next. For example, there may be an implementation to decode an object from PEM to DER, and another one -that decodes DER to a provider-native object. +that decodes DER to a provider\-native object. .PP The last decoding step in the decoding chain is usually supposed to create -a provider-native object referenced by an object reference. To import +a provider\-native object referenced by an object reference. To import that object into a different provider the \fBOSSL_FUNC_decoder_export_object()\fR can be called as the final step of the decoding process. 
.PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP @@ -206,9 +209,9 @@ expected to have. .Sp This property is \fIoptional\fR. .Sp -Structures currently recognised by built-in decoders: +Structures currently recognised by built\-in decoders: .RS 4 -.IP """type-specific""" 4 +.IP """type\-specific""" 4 .IX Item """type-specific""" Type specific structure. .IP """pkcs8""" 4 @@ -222,15 +225,15 @@ Encoding of public keys according to the Subject Public Key Info of RFC 5280. .RE .PP The possible values of both these properties is open ended. A provider may -very well specify input types and structures that libcrypto doesn't know +very well specify input types and structures that libcrypto doesn\*(Aqt know anything about. .SS "Subset selections" .IX Subsection "Subset selections" Sometimes, an object has more than one subset of data that is interesting to -treat separately or together. It's possible to specify what subsets are to +treat separately or together. It\*(Aqs possible to specify what subsets are to be decoded, with a set of bits \fIselection\fR that are passed in an \fBint\fR. .PP -This set of bits depend entirely on what kind of provider-side object is +This set of bits depend entirely on what kind of provider\-side object is to be decoded. For example, those bits are assumed to be the same as those used with \fBprovider\-keymgmt\fR\|(7) (see "Key Objects" in \fBprovider\-keymgmt\fR\|(7)) when the object is an asymmetric keypair \- e.g., \fBOSSL_KEYMGMT_SELECT_PRIVATE_KEY\fR 
@@ -259,7 +262,7 @@ See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure used b \&\fBOSSL_FUNC_decoder_set_ctx_params()\fR and \fBOSSL_FUNC_decoder_settable_ctx_params()\fR. .SS "Export function" .IX Subsection "Export function" -When a provider-native object is created by a decoder it would be unsuitable +When a provider\-native object is created by a decoder it would be unsuitable for direct use with a foreign provider. The export function allows for exporting the object into that foreign provider if the foreign provider supports the type of the object and provides an import function. 
@@ -279,21 +282,21 @@ The decoding functions also take an \fBOSSL_PASSPHRASE_CALLBACK\fR\|(3) function pointer along with a pointer to application data \fIcbarg\fR, which should be used when a pass phrase prompt is needed. .PP -It's important to understand that the return value from this function is +It\*(Aqs important to understand that the return value from this function is interpreted as follows: .IP "True (1)" 4 .IX Item "True (1)" This means "carry on the decoding process", and is meaningful even though -this function couldn't decode the input into anything, because there may be +this function couldn\*(Aqt decode the input into anything, because there may be another decoder implementation that can decode it into something. .Sp -The \fIdata_cb\fR callback should never be called when this function can't +The \fIdata_cb\fR callback should never be called when this function can\*(Aqt decode the input into anything. .IP "False (0)" 4 .IX Item "False (0)" This means "stop the decoding process", and is meaningful when the input could be decoded into some sort of object that this function understands, -but further treatment of that object results into errors that won't be +but further treatment of that object results into errors that won\*(Aqt be possible for some other decoder implementation to get a different result. .PP The conditions to stop the decoding process are at the discretion of the 
@@ -301,14 +304,14 @@ implementation. .SS "Decoder operation parameters" .IX Subsection "Decoder operation parameters" There are currently no operation parameters currently recognised by the -built-in decoders. +built\-in decoders. .PP -Parameters currently recognised by the built-in pass phrase callback: +Parameters currently recognised by the built\-in pass phrase callback: .IP """info"" (\fBOSSL_PASSPHRASE_PARAM_INFO\fR) <UTF8 string>" 4 .IX Item """info"" (OSSL_PASSPHRASE_PARAM_INFO) <UTF8 string>" A string of information that will become part of the pass phrase prompt. This could be used to give the user information on what kind -of object it's being prompted for. +of object it\*(Aqs being prompted for. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_FUNC_decoder_newctx()\fR returns a pointer to a context, or NULL on diff --git a/secure/lib/libcrypto/man/man7/provider-digest.7 b/secure/lib/libcrypto/man/man7/provider-digest.7 index 586eda8964fb..aad836801e21 100644 --- a/secure/lib/libcrypto/man/man7/provider-digest.7 +++ b/secure/lib/libcrypto/man/man7/provider-digest.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-DIGEST 7ossl" -.TH PROVIDER-DIGEST 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-DIGEST 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -114,7 +117,7 @@ them available to applications via the API functions \fBEVP_DigestInit_ex\fR\|(3 .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP @@ -239,7 +242,7 @@ can handle, respectively. The array is based on the current state of the provider side context if \fIdctx\fR is not NULL and on the provider side algorithm \fIprovctx\fR otherwise. .PP -Parameters currently recognised by built-in digests with this function +Parameters currently recognised by built\-in digests with this function are as follows. Not all parameters are relevant to, or are understood by all digests: .IP """blocksize"" (\fBOSSL_DIGEST_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4 @@ -259,7 +262,7 @@ Diverse flags that describe exceptional behaviour for the digest: This digest method can only handle one block of input. .IP \fBEVP_MD_FLAG_XOF\fR 4 .IX Item "EVP_MD_FLAG_XOF" -This digest method is an extensible-output function (XOF). +This digest method is an extensible\-output function (XOF). .IP \fBEVP_MD_FLAG_DIGALGID_NULL\fR 4 .IX Item "EVP_MD_FLAG_DIGALGID_NULL" When setting up a DigestAlgorithmIdentifier, this flag will have the diff --git a/secure/lib/libcrypto/man/man7/provider-encoder.7 b/secure/lib/libcrypto/man/man7/provider-encoder.7 index 436f37f155ef..29aba8b62aa6 100644 --- a/secure/lib/libcrypto/man/man7/provider-encoder.7 +++ b/secure/lib/libcrypto/man/man7/provider-encoder.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-ENCODER 7ossl" -.TH PROVIDER-ENCODER 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-ENCODER 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -104,25 +107,25 @@ provider\-encoder \- The OSSL_ENCODER library <\-> provider functions \&\fIWe use the wide term "encode" in this manual. This includes but is not limited to serialization.\fR .PP -The ENCODER operation is a generic method to encode a provider-native +The ENCODER operation is a generic method to encode a provider\-native object (\fIobj_raw\fR) or an object abstraction (\fIobject_abstract\fR, see \&\fBprovider\-object\fR\|(7)) into an encoded form, and write the result to the given OSSL_CORE_BIO. If the caller wants to get the encoded stream to memory, it should provide a \fBBIO_s_mem\fR\|(3) \fBBIO\fR. .PP -The encoder doesn't need to know more about the \fBOSSL_CORE_BIO\fR +The encoder doesn\*(Aqt need to know more about the \fBOSSL_CORE_BIO\fR pointer than being able to pass it to the appropriate BIO upcalls (see "Core functions" in \fBprovider\-base\fR\|(7)). .PP The ENCODER implementation may be part of a chain, where data is passed from one to the next. For example, there may be an implementation to encode an object to DER (that object is assumed to -be provider-native and thereby passed via \fIobj_raw\fR), and another one +be provider\-native and thereby passed via \fIobj_raw\fR), and another one that encodes DER to PEM (that one would receive the DER encoding via \&\fIobj_abstract\fR). .PP The encoding using the \fBOSSL_PARAM\fR\|(3) array form allows a -encoder to be used for data that's been exported from another +encoder to be used for data that\*(Aqs been exported from another provider, and thereby allow them to exist independently of each other. .PP 
@@ -132,7 +135,7 @@ with the KEYMGMT provider. .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP @@ -220,22 +223,22 @@ PKCS#8 structure as part of the encoding. This property is \fIoptional\fR. .PP The possible values of both these properties is open ended. A provider may -very well specify output types and structures that libcrypto doesn't know +very well specify output types and structures that libcrypto doesn\*(Aqt know anything about. .SS "Subset selections" .IX Subsection "Subset selections" Sometimes, an object has more than one subset of data that is interesting to -treat separately or together. It's possible to specify what subsets are to +treat separately or together. It\*(Aqs possible to specify what subsets are to be encoded, with a set of bits \fIselection\fR that are passed in an \fBint\fR. .PP -This set of bits depend entirely on what kind of provider-side object is +This set of bits depend entirely on what kind of provider\-side object is passed. For example, those bits are assumed to be the same as those used with \fBprovider\-keymgmt\fR\|(7) (see "Key Objects" in \fBprovider\-keymgmt\fR\|(7)) when the object is an asymmetric keypair. .PP ENCODER implementations are free to regard the \fIselection\fR as a set of hints, but must do so with care. In the end, the output must make sense, -and if there's a corresponding decoder, the resulting decoded object must +and if there\*(Aqs a corresponding decoder, the resulting decoded object must match the original object that was encoded. .PP \&\fBOSSL_FUNC_encoder_does_selection()\fR should tell if a particular implementation 
@@ -261,22 +264,22 @@ See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure used b \&\fBOSSL_FUNC_encoder_set_ctx_params()\fR and \fBOSSL_FUNC_encoder_settable_ctx_params()\fR. .SS "Import functions" .IX Subsection "Import functions" -A provider-native object may be associated with a foreign provider, and may +A provider\-native object may be associated with a foreign provider, and may therefore be unsuitable for direct use with a given ENCODER implementation. -Provided that the foreign provider's implementation to handle the object has +Provided that the foreign provider\*(Aqs implementation to handle the object has a function to export that object in \fBOSSL_PARAM\fR\|(3) array form, the ENCODER implementation should be able to import that array and create a suitable -object to be passed to \fBOSSL_FUNC_encoder_encode()\fR's \fIobj_raw\fR. +object to be passed to \fBOSSL_FUNC_encoder_encode()\fR\*(Aqs \fIobj_raw\fR. .PP \&\fBOSSL_FUNC_encoder_import_object()\fR should import the subset of \fIparams\fR -given with \fIselection\fR to create a provider-native object that can be +given with \fIselection\fR to create a provider\-native object that can be passed as \fIobj_raw\fR to \fBOSSL_FUNC_encoder_encode()\fR. .PP \&\fBOSSL_FUNC_encoder_free_object()\fR should free the object that was created with \&\fBOSSL_FUNC_encoder_import_object()\fR. .SS "Encoding functions" .IX Subsection "Encoding functions" -\&\fBOSSL_FUNC_encoder_encode()\fR should take a provider-native object (in +\&\fBOSSL_FUNC_encoder_encode()\fR should take a provider\-native object (in \&\fIobj_raw\fR) or an object abstraction (in \fIobj_abstract\fR), and should output the object in encoded form to the \fBOSSL_CORE_BIO\fR. The \fIselection\fR bits, if relevant, should determine in greater detail what will be output. 
@@ -285,7 +288,7 @@ pointer along with a pointer to application data \fIcbarg\fR, which should be used when a pass phrase prompt is needed. .SS "Encoder operation parameters" .IX Subsection "Encoder operation parameters" -Operation parameters currently recognised by built-in encoders are as +Operation parameters currently recognised by built\-in encoders are as follows: .IP """cipher"" (\fBOSSL_ENCODER_PARAM_CIPHER\fR) <UTF8 string>" 4 .IX Item """cipher"" (OSSL_ENCODER_PARAM_CIPHER) <UTF8 string>" @@ -304,21 +307,21 @@ with the "cipher" parameter. This must be given together with the "cipher" parameter to be considered valid. .Sp -The encoding implementation isn't obligated to use this value. +The encoding implementation isn\*(Aqt obligated to use this value. However, it is recommended that implementations that do not handle property strings return an error on receiving this parameter unless its value NULL or the empty string. -.IP """save-parameters"" (\fBOSSL_ENCODER_PARAM_SAVE_PARAMETERS\fR) <integer>" 4 +.IP """save\-parameters"" (\fBOSSL_ENCODER_PARAM_SAVE_PARAMETERS\fR) <integer>" 4 .IX Item """save-parameters"" (OSSL_ENCODER_PARAM_SAVE_PARAMETERS) <integer>" If set to 0 disables saving of key domain parameters. Default is 1. It currently has an effect only on DSA keys. .PP -Parameters currently recognised by the built-in pass phrase callback: +Parameters currently recognised by the built\-in pass phrase callback: .IP """info"" (\fBOSSL_PASSPHRASE_PARAM_INFO\fR) <UTF8 string>" 4 .IX Item """info"" (OSSL_PASSPHRASE_PARAM_INFO) <UTF8 string>" A string of information that will become part of the pass phrase prompt. This could be used to give the user information on what kind -of object it's being prompted for. +of object it\*(Aqs being prompted for. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_FUNC_encoder_newctx()\fR returns a pointer to a context, or NULL on 
diff --git a/secure/lib/libcrypto/man/man7/provider-kdf.7 b/secure/lib/libcrypto/man/man7/provider-kdf.7 index b541d2fd392b..bf1444f82358 100644 --- a/secure/lib/libcrypto/man/man7/provider-kdf.7 +++ b/secure/lib/libcrypto/man/man7/provider-kdf.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-KDF 7ossl" -.TH PROVIDER-KDF 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-KDF 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -105,7 +108,7 @@ and \fBEVP_KDF_derive\fR\|(3). .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP @@ -201,7 +204,7 @@ with the provider side context \fIkctx\fR in its current state if it is not NULL. Otherwise, they return the parameters associated with the provider side algorithm \fIprovctx\fR. .PP -Parameters currently recognised by built-in KDFs are as follows. Not all +Parameters currently recognised by built\-in KDFs are as follows. Not all parameters are relevant to, or are understood by all KDFs: .IP """size"" (\fBOSSL_KDF_PARAM_SIZE\fR) <unsigned integer>" 4 .IX Item """size"" (OSSL_KDF_PARAM_SIZE) <unsigned integer>" 
@@ -228,7 +231,7 @@ Sets the password in the associated KDF ctx. .IX Item """mac"" (OSSL_KDF_PARAM_MAC) <UTF8 string>" .PD Sets the name of the underlying cipher, digest or MAC to be used. -It must name a suitable algorithm for the KDF that's being used. +It must name a suitable algorithm for the KDF that\*(Aqs being used. .IP """maclen"" (\fBOSSL_KDF_PARAM_MAC_SIZE\fR) <octet string>" 4 .IX Item """maclen"" (OSSL_KDF_PARAM_MAC_SIZE) <octet string>" Sets the length of the MAC in the associated KDF ctx. @@ -257,12 +260,12 @@ The checks performed are: .IX Item "- the salt length is at least 128 bits." .IP "\- the derived key length is at least 112 bits." 4 .IX Item "- the derived key length is at least 112 bits." +.PD .RE .RS 4 .RE .IP """ukm"" (\fBOSSL_KDF_PARAM_UKM\fR) <octet string>" 4 .IX Item """ukm"" (OSSL_KDF_PARAM_UKM) <octet string>" -.PD Sets an optional random string that is provided by the sender called "partyAInfo". In CMS this is the user keying material. .IP """cekalg"" (\fBOSSL_KDF_PARAM_CEK_ALG\fR) <UTF8 string>" 4 
@@ -312,27 +315,27 @@ There are six supported types: .IP EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 4 .IX Item "EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV" The Initial IV from client to server. -A single char of value 65 (ASCII char 'A'). +A single char of value 65 (ASCII char \*(AqA\*(Aq). .IP EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 4 .IX Item "EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI" The Initial IV from server to client -A single char of value 66 (ASCII char 'B'). +A single char of value 66 (ASCII char \*(AqB\*(Aq). .IP EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 4 .IX Item "EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV" The Encryption Key from client to server -A single char of value 67 (ASCII char 'C'). +A single char of value 67 (ASCII char \*(AqC\*(Aq). .IP EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI 4 .IX Item "EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI" The Encryption Key from server to client -A single char of value 68 (ASCII char 'D'). +A single char of value 68 (ASCII char \*(AqD\*(Aq). .IP EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV 4 .IX Item "EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV" The Integrity Key from client to server -A single char of value 69 (ASCII char 'E'). +A single char of value 69 (ASCII char \*(AqE\*(Aq). .IP EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI 4 .IX Item "EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI" The Integrity Key from client to server -A single char of value 70 (ASCII char 'F'). +A single char of value 70 (ASCII char \*(AqF\*(Aq). .RE .RS 4 .RE @@ -357,7 +360,7 @@ success or 0 on error. array, or NULL if none is offered. .SH NOTES .IX Header "NOTES" -The KDF life-cycle is described in \fBlife_cycle\-kdf\fR\|(7). Providers should +The KDF life\-cycle is described in \fBlife_cycle\-kdf\fR\|(7). Providers should ensure that the various transitions listed there are supported. At some point the EVP layer will begin enforcing the listed transitions. .SH "SEE ALSO" 
diff --git a/secure/lib/libcrypto/man/man7/provider-kem.7 b/secure/lib/libcrypto/man/man7/provider-kem.7 index 3fd72509341b..279670248810 100644 --- a/secure/lib/libcrypto/man/man7/provider-kem.7 +++ b/secure/lib/libcrypto/man/man7/provider-kem.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-KEM 7ossl" -.TH PROVIDER-KEM 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-KEM 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -114,7 +117,7 @@ via the API functions \fBEVP_PKEY_encapsulate\fR\|(3), .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP 
@@ -244,19 +247,19 @@ the \fBOSSL_FUNC_kem_get_ctx_params()\fR and \fBOSSL_FUNC_kem_set_ctx_params()\f functions. .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_KEM_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_KEM_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_KEM_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling either \fBOSSL_FUNC_kem_encapsulate()\fR or -\&\fBOSSL_FUNC_kem_decapsulate()\fR. It may return 0 if the "key-check" is set to 0. -.IP """key-check"" (\fBOSSL_KEM_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +\&\fBOSSL_FUNC_kem_decapsulate()\fR. It may return 0 if the "key\-check" is set to 0. +.IP """key\-check"" (\fBOSSL_KEM_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_KEM_PARAM_FIPS_KEY_CHECK) <integer>" If required this parameter should be set using \fBOSSL_FUNC_kem_encapsulate_init()\fR or \fBOSSL_FUNC_kem_decapsulate_init()\fR. The default value of 1 causes an error during the init if the key is not FIPS approved (e.g. The key has a security strength of less than 112 bits). Setting -this to 0 will ignore the error and set the approved "fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +this to 0 will ignore the error and set the approved "fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SS "Asymmetric Key Encapsulation Parameter Functions" .IX Subsection "Asymmetric Key Encapsulation Parameter Functions" 
@@ -270,7 +273,7 @@ with the given provider side asymmetric kem context \fIctx\fR to \fIparams\fR. Any parameter settings are additional to any that were previously set. Passing NULL for \fIparams\fR should return true. .PP -No parameters are currently recognised by built-in asymmetric kem algorithms. +No parameters are currently recognised by built\-in asymmetric kem algorithms. .PP \&\fBOSSL_FUNC_kem_gettable_ctx_params()\fR and \fBOSSL_FUNC_kem_settable_ctx_params()\fR get a constant \fBOSSL_PARAM\fR\|(3) array that describes the gettable and settable @@ -292,7 +295,7 @@ The provider KEM interface was introduced in OpenSSL 3.0. \&\fBOSSL_FUNC_kem_auth_encapsulate_init()\fR and \fBOSSL_FUNC_kem_auth_decapsulate_init()\fR were added in OpenSSL 3.2. .PP -The Asymmetric Key Encapsulation Parameters "fips-indicator" and "key-check" +The Asymmetric Key Encapsulation Parameters "fips\-indicator" and "key\-check" were added in OpenSSL 3.4. .SH COPYRIGHT .IX Header "COPYRIGHT" diff --git a/secure/lib/libcrypto/man/man7/provider-keyexch.7 b/secure/lib/libcrypto/man/man7/provider-keyexch.7 index 665fb75ba0df..b04c2f87cec3 100644 --- a/secure/lib/libcrypto/man/man7/provider-keyexch.7 +++ b/secure/lib/libcrypto/man/man7/provider-keyexch.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-KEYEXCH 7ossl" -.TH PROVIDER-KEYEXCH 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-KEYEXCH 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -106,7 +109,7 @@ other related functions). .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP @@ -174,7 +177,7 @@ The key object should have been previously generated, loaded or imported into the provider using the key management (OSSL_OP_KEYMGMT) operation (see \fBprovider\-keymgmt\fR\|(7)>. .PP -\&\fBOSSL_FUNC_keyexch_set_peer()\fR is called to supply the peer's public key (in the +\&\fBOSSL_FUNC_keyexch_set_peer()\fR is called to supply the peer\*(Aqs public key (in the \&\fIprovkey\fR parameter) to be used when deriving the shared secret. It is also passed a previously initialised key exchange context in the \fIctx\fR parameter. 
@@ -221,31 +224,31 @@ Notice that not all settable parameters are also gettable, and vice versa. See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure used by the \fBOSSL_FUNC_keyexch_set_ctx_params()\fR and \fBOSSL_FUNC_keyexch_get_ctx_params()\fR functions. .PP -Common parameters currently recognised by built-in key exchange algorithms are +Common parameters currently recognised by built\-in key exchange algorithms are as follows. -.IP """kdf-type"" (\fBOSSL_EXCHANGE_PARAM_KDF_TYPE\fR) <UTF8 string>" 4 +.IP """kdf\-type"" (\fBOSSL_EXCHANGE_PARAM_KDF_TYPE\fR) <UTF8 string>" 4 .IX Item """kdf-type"" (OSSL_EXCHANGE_PARAM_KDF_TYPE) <UTF8 string>" Sets or gets the Key Derivation Function type to apply within the associated key exchange ctx. -.IP """kdf-digest"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST\fR) <UTF8 string>" 4 +.IP """kdf\-digest"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST\fR) <UTF8 string>" 4 .IX Item """kdf-digest"" (OSSL_EXCHANGE_PARAM_KDF_DIGEST) <UTF8 string>" Sets or gets the Digest algorithm to be used as part of the Key Derivation Function associated with the given key exchange ctx. -.IP """kdf-digest-props"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS\fR) <UTF8 string>" 4 +.IP """kdf\-digest\-props"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS\fR) <UTF8 string>" 4 .IX Item """kdf-digest-props"" (OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS) <UTF8 string>" Sets properties to be used upon look up of the implementation for the selected Digest algorithm for the Key Derivation Function associated with the given key exchange ctx. -.IP """kdf-outlen"" (\fBOSSL_EXCHANGE_PARAM_KDF_OUTLEN\fR) <unsigned integer>" 4 +.IP """kdf\-outlen"" (\fBOSSL_EXCHANGE_PARAM_KDF_OUTLEN\fR) <unsigned integer>" 4 .IX Item """kdf-outlen"" (OSSL_EXCHANGE_PARAM_KDF_OUTLEN) <unsigned integer>" Sets or gets the desired size for the output of the chosen Key Derivation Function associated with the given key exchange ctx. 
-The length of the "kdf-outlen" parameter should not exceed that of a \fBsize_t\fR. -.IP """kdf-ukm"" (\fBOSSL_EXCHANGE_PARAM_KDF_UKM\fR) <octet string>" 4 +The length of the "kdf\-outlen" parameter should not exceed that of a \fBsize_t\fR. +.IP """kdf\-ukm"" (\fBOSSL_EXCHANGE_PARAM_KDF_UKM\fR) <octet string>" 4 .IX Item """kdf-ukm"" (OSSL_EXCHANGE_PARAM_KDF_UKM) <octet string>" Sets the User Key Material to be used as part of the selected Key Derivation Function associated with the given key exchange ctx. -.IP """kdf-ukm"" (\fBOSSL_EXCHANGE_PARAM_KDF_UKM\fR) <octet string ptr>" 4 +.IP """kdf\-ukm"" (\fBOSSL_EXCHANGE_PARAM_KDF_UKM\fR) <octet string ptr>" 4 .IX Item """kdf-ukm"" (OSSL_EXCHANGE_PARAM_KDF_UKM) <octet string ptr>" Gets a pointer to the User Key Material to be used as part of the selected Key Derivation Function associated with the given key exchange ctx. Providers 
@@ -254,26 +257,26 @@ is to support functionality of the deprecated \fBEVP_PKEY_CTX_get0_ecdh_kdf_ukm( and \fBEVP_PKEY_CTX_get0_dh_kdf_ukm()\fR functions. .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling \fBOSSL_FUNC_keyexch_derive()\fR. It may -return 0 if either the "digest-check" or the "key-check" are set to 0. -.IP """key-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +return 0 if either the "digest\-check" or the "key\-check" are set to 0. +.IP """key\-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK) <integer>" If required this parameter should be set using \fBOSSL_FUNC_keyexch_init()\fR. The default value of 1 causes an error during the init if the key is not FIPS approved (e.g. The key has a security strength of less than 112 bits). Setting -this to 0 will ignore the error and set the approved "fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +this to 0 will ignore the error and set the approved "fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. -.IP """digest-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK) <integer>" If required this parameter should be set before any optional digest is set. The default value of 1 causes an error when the digest is set if the digest is not FIPS approved. 
Setting this to 0 will ignore the error and set the -approved "fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +approved "fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -293,7 +296,7 @@ always return a constant \fBOSSL_PARAM\fR\|(3) array. .IX Header "HISTORY" The provider KEYEXCH interface was introduced in OpenSSL 3.0. .PP -The Key Exchange Parameters "fips-indicator", "key-check" and "digest-check" +The Key Exchange Parameters "fips\-indicator", "key\-check" and "digest\-check" were added in OpenSSL 3.4. .SH COPYRIGHT .IX Header "COPYRIGHT" diff --git a/secure/lib/libcrypto/man/man7/provider-keymgmt.7 b/secure/lib/libcrypto/man/man7/provider-keymgmt.7 index 655da73d2284..0791275da775 100644 --- a/secure/lib/libcrypto/man/man7/provider-keymgmt.7 +++ b/secure/lib/libcrypto/man/man7/provider-keymgmt.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-KEYMGMT 7ossl" -.TH PROVIDER-KEYMGMT 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-KEYMGMT 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -124,8 +127,8 @@ provider\-keymgmt \- The KEYMGMT library <\-> provider functions .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The KEYMGMT operation doesn't have much public visibility in OpenSSL -libraries, it's rather an internal operation that's designed to work +The KEYMGMT operation doesn\*(Aqt have much public visibility in OpenSSL +libraries, it\*(Aqs rather an internal operation that\*(Aqs designed to work in tandem with operations that use private/public key pairs. .PP Because the KEYMGMT operation shares knowledge with the operations it @@ -137,7 +140,7 @@ provider side key data for the OpenSSL library EVP_PKEY structure. .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP @@ -204,7 +207,7 @@ interface that we document here can be passed as is to other provider operations, such as \fBOP_signature_sign_init()\fR (see \&\fBprovider\-signature\fR\|(7)). .PP -With some of the KEYMGMT functions, it's possible to select a specific +With some of the KEYMGMT functions, it\*(Aqs possible to select a specific subset of data to handle, governed by the bits in a \fIselection\fR indicator. The bits are: .IP \fBOSSL_KEYMGMT_SELECT_PRIVATE_KEY\fR 4 @@ -224,7 +227,7 @@ considered. Indicating that other parameters in a key object should be considered. .Sp -Other parameters are key parameters that don't fit any other +Other parameters are key parameters that don\*(Aqt fit any other classification. In other words, this particular selector bit works as a last resort bit bucket selector. .PP 
@@ -250,7 +253,7 @@ Indicating that everything in a key object should be considered. The exact interpretation of those bits or how they combine is left to each function where you can specify a selector. .PP -It's left to the provider implementation to decide what is reasonable +It\*(Aqs left to the provider implementation to decide what is reasonable to do with regards to received selector bits and how to do it. Among others, an implementation of \fBOSSL_FUNC_keymgmt_match()\fR might opt to not compare the private half if it has compared the public half, @@ -341,7 +344,7 @@ must also be present, and vice versa. supported algorithm for the operation \fIoperation_id\fR. This is similar to \fBprovider_query_operation()\fR (see \fBprovider\-base\fR\|(7)), but only works as an advisory. If this function is not present, or -returns NULL, the caller is free to assume that there's an algorithm +returns NULL, the caller is free to assume that there\*(Aqs an algorithm from the same provider, of the same name as the one used to fetch the keymgmt and try to use that. .PP 
@@ -410,14 +413,14 @@ provider side key object with the data. .IX Subsection "Common Information Parameters" See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure. .PP -Common information parameters currently recognised by all built-in +Common information parameters currently recognised by all built\-in keymgmt algorithms are as follows: .IP """bits"" (\fBOSSL_PKEY_PARAM_BITS\fR) <integer>" 4 .IX Item """bits"" (OSSL_PKEY_PARAM_BITS) <integer>" The value should be the cryptographic length of the cryptosystem to which the key belongs, in bits. The definition of cryptographic length is specific to the key cryptosystem. -.IP """max-size"" (\fBOSSL_PKEY_PARAM_MAX_SIZE\fR) <integer>" 4 +.IP """max\-size"" (\fBOSSL_PKEY_PARAM_MAX_SIZE\fR) <integer>" 4 .IX Item """max-size"" (OSSL_PKEY_PARAM_MAX_SIZE) <integer>" The value should be the maximum size that a caller should allocate to safely store a signature (called \fIsig\fR in \fBprovider\-signature\fR\|(7)), 
@@ -432,28 +435,28 @@ Because an EVP_KEYMGMT method is always tightly bound to another method (signature, asymmetric cipher, key exchange, ...) and must be of the same provider, this number only needs to be synchronised with the dimensions handled in the rest of the same provider. -.IP """security-bits"" (\fBOSSL_PKEY_PARAM_SECURITY_BITS\fR) <integer>" 4 +.IP """security\-bits"" (\fBOSSL_PKEY_PARAM_SECURITY_BITS\fR) <integer>" 4 .IX Item """security-bits"" (OSSL_PKEY_PARAM_SECURITY_BITS) <integer>" The value should be the number of security bits of the given key. Bits of security is defined in SP800\-57. -.IP """mandatory-digest"" (\fBOSSL_PKEY_PARAM_MANDATORY_DIGEST\fR) <UTF8 string>" 4 +.IP """mandatory\-digest"" (\fBOSSL_PKEY_PARAM_MANDATORY_DIGEST\fR) <UTF8 string>" 4 .IX Item """mandatory-digest"" (OSSL_PKEY_PARAM_MANDATORY_DIGEST) <UTF8 string>" If there is a mandatory digest for performing a signature operation with keys from this keymgmt, this parameter should get its name as value. .Sp -When \fBEVP_PKEY_get_default_digest_name()\fR queries this parameter and it's +When \fBEVP_PKEY_get_default_digest_name()\fR queries this parameter and it\*(Aqs filled in by the implementation, its return value will be 2. .Sp If the keymgmt implementation fills in the value \f(CW""\fR or \f(CW"UNDEF"\fR, \&\fBEVP_PKEY_get_default_digest_name\fR\|(3) will place the string \f(CW"UNDEF"\fR into its argument \fImdname\fR. This signifies that no digest should be specified with the corresponding signature operation. -.IP """default-digest"" (\fBOSSL_PKEY_PARAM_DEFAULT_DIGEST\fR) <UTF8 string>" 4 +.IP """default\-digest"" (\fBOSSL_PKEY_PARAM_DEFAULT_DIGEST\fR) <UTF8 string>" 4 .IX Item """default-digest"" (OSSL_PKEY_PARAM_DEFAULT_DIGEST) <UTF8 string>" If there is a default digest for performing a signature operation with keys from this keymgmt, this parameter should get its name as value. 
.Sp -When \fBEVP_PKEY_get_default_digest_name\fR\|(3) queries this parameter and it's +When \fBEVP_PKEY_get_default_digest_name\fR\|(3) queries this parameter and it\*(Aqs filled in by the implementation, its return value will be 1. Note that if \&\fBOSSL_PKEY_PARAM_MANDATORY_DIGEST\fR is responded to as well, \&\fBEVP_PKEY_get_default_digest_name\fR\|(3) ignores the response to this 
@@ -466,28 +469,28 @@ with the corresponding signature operation, but may be specified as an option. .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling \fBOSSL_FUNC_keymgmt_gen()\fR function. It may -return 0 if either the "key-check", or "sign-check" are set to 0. -.IP """key-check"" (\fBOSSL_PKEY_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +return 0 if either the "key\-check", or "sign\-check" are set to 0. +.IP """key\-check"" (\fBOSSL_PKEY_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_PKEY_PARAM_FIPS_KEY_CHECK) <integer>" If required this parameter should be set using \fBOSSL_FUNC_keymgmt_gen_set_params()\fR or \fBOSSL_FUNC_keymgmt_gen_init()\fR. The default value of 1 causes an error during the init if the key is not FIPS approved (e.g. The key has a security strength of less than 112 bits). Setting -this to 0 will ignore the error and set the approved "fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +this to 0 will ignore the error and set the approved "fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. -.IP """sign-check"" (\fBOSSL_PKEY_PARAM_FIPS_SIGN_CHECK\fR) <integer>" 4 +.IP """sign\-check"" (\fBOSSL_PKEY_PARAM_FIPS_SIGN_CHECK\fR) <integer>" 4 .IX Item """sign-check"" (OSSL_PKEY_PARAM_FIPS_SIGN_CHECK) <integer>" If required this parameter should be set before the \fBOSSL_FUNC_keymgmt_gen()\fR function. This value is not supported by all keygen algorithms. 
The default value of 1 will cause an error if the generated key is not allowed to be used for signing. -Setting this to 0 will ignore the error and set the approved "fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +Setting this to 0 will ignore the error and set the approved "fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -539,9 +542,9 @@ were added with OpenSSL 3.2. The functions \fBOSSL_FUNC_keymgmt_gen_get_params()\fR and \&\fBOSSL_FUNC_keymgmt_gen_gettable_params()\fR were added in OpenSSL 3.4. .PP -The parameters "sign-check" and "fips-indicator" were added in OpenSSL 3.4. +The parameters "sign\-check" and "fips\-indicator" were added in OpenSSL 3.4. .PP -Support for the \fBML-DSA\fR, \fBML-KEM\fR and \fBSLH-DSA\fR algorithms was added in OpenSSL 3.5. +Support for the \fBML\-DSA\fR, \fBML\-KEM\fR and \fBSLH\-DSA\fR algorithms was added in OpenSSL 3.5. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man7/provider-mac.7 b/secure/lib/libcrypto/man/man7/provider-mac.7 index b6f824409c6a..339a336daea8 100644 --- a/secure/lib/libcrypto/man/man7/provider-mac.7 +++ b/secure/lib/libcrypto/man/man7/provider-mac.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-MAC 7ossl" -.TH PROVIDER-MAC 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-MAC 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -107,7 +110,7 @@ them available to applications via the API functions \fBEVP_MAC_init\fR\|(3), .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP @@ -174,7 +177,7 @@ This function should free any resources associated with that context. side mac context in the \fImctx\fR parameter. The \fIparams\fR are set before setting the MAC \fIkey\fR of \fIkeylen\fR bytes. .PP -\&\fBOSSL_FUNC_mac_init_skey()\fR is similar but uses an opaque provider-specific object +\&\fBOSSL_FUNC_mac_init_skey()\fR is similar but uses an opaque provider\-specific object to initialize the MAC context. .PP \&\fBOSSL_FUNC_mac_update()\fR is called to supply data for MAC computation of a previously 
@@ -253,30 +256,30 @@ Can be used to get the MAC block size (if supported by the algorithm). .RE .PP The OpenSSL FIPS provider may support the following parameters: -.IP """fips-indicator"" (\fBOSSL_MAC_PARAM_FIPS_APPROVED_INDICATOR\fR) <int>" 4 +.IP """fips\-indicator"" (\fBOSSL_MAC_PARAM_FIPS_APPROVED_INDICATOR\fR) <int>" 4 .IX Item """fips-indicator"" (OSSL_MAC_PARAM_FIPS_APPROVED_INDICATOR) <int>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling the final function. It may return 0 if -either "no-short-mac" or "key-check" are set to 0. -.IP """no-short-mac"" (\fBOSSL_MAC_PARAM_FIPS_NO_SHORT_MAC\fR) <integer>" 4 +either "no\-short\-mac" or "key\-check" are set to 0. +.IP """no\-short\-mac"" (\fBOSSL_MAC_PARAM_FIPS_NO_SHORT_MAC\fR) <integer>" 4 .IX Item """no-short-mac"" (OSSL_MAC_PARAM_FIPS_NO_SHORT_MAC) <integer>" If required this parameter should be set early via an init function. The default value of 1 causes an error when too short MAC output is asked for. Setting this to 0 will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. -.IP """key-check"" (\fBOSSL_MAC_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_MAC_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_MAC_PARAM_FIPS_KEY_CHECK) <integer>" If required this parameter should be set before OSSL_FUNC_mac_init. The default value of 1 causes an error when small key sizes are asked for. Setting this to 0 will ignore the error and set the approved -"fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +"fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. 
.SH NOTES .IX Header "NOTES" -The MAC life-cycle is described in \fBlife_cycle\-rand\fR\|(7). Providers should +The MAC life\-cycle is described in \fBlife_cycle\-rand\fR\|(7). Providers should ensure that the various transitions listed there are supported. At some point the EVP layer will begin enforcing the listed transitions. .SH "RETURN VALUES" @@ -302,7 +305,7 @@ array, or NULL if none is offered. .SH HISTORY .IX Header "HISTORY" The provider MAC interface was introduced in OpenSSL 3.0. -The parameters "no-short-mac" and "fips-indicator" were added in OpenSSL 3.4. +The parameters "no\-short\-mac" and "fips\-indicator" were added in OpenSSL 3.4. .PP The function \fBOSSL_FUNC_mac_init_skey()\fR was introduced in OpenSSL 3.5. .SH COPYRIGHT diff --git a/secure/lib/libcrypto/man/man7/provider-object.7 b/secure/lib/libcrypto/man/man7/provider-object.7 index 82beed8d146e..34fce209c877 100644 --- a/secure/lib/libcrypto/man/man7/provider-object.7 +++ b/secure/lib/libcrypto/man/man7/provider-object.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-OBJECT 7ossl" -.TH PROVIDER-OBJECT 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-OBJECT 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -70,12 +73,12 @@ provider\-object \- A specification for a provider\-native object abstraction .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The provider-native object abstraction is a set of \fBOSSL_PARAM\fR\|(3) keys and -values that can be used to pass provider-native objects to OpenSSL library +The provider\-native object abstraction is a set of \fBOSSL_PARAM\fR\|(3) keys and +values that can be used to pass provider\-native objects to OpenSSL library code or between different provider operation implementations with the help of OpenSSL library code. .PP -The intention is that certain provider-native operations can pass any sort +The intention is that certain provider\-native operations can pass any sort of object that belong with other operations, or with OpenSSL library code. .PP An object may be passed in the following manners: 
@@ -84,24 +87,24 @@ An object may be passed in the following manners: .Sp This means that the \fIobject data\fR is passed as an octet string or an UTF8 string, which can be handled in diverse ways by other provided implementations. -The encoding of the object depends on the context it's used in; for example, +The encoding of the object depends on the context it\*(Aqs used in; for example, \&\fBOSSL_DECODER\fR\|(3) allows multiple encodings, depending on existing decoders. If central OpenSSL library functionality is to handle the data directly, it \&\fBmust\fR be encoded in DER for all object types except for \fBOSSL_OBJECT_NAME\fR -(see "Parameter reference" below), where it's assumed to a plain UTF8 string. +(see "Parameter reference" below), where it\*(Aqs assumed to a plain UTF8 string. .IP 2. 4 \&\fIBy reference\fR .Sp -This means that the \fIobject data\fR isn't passed directly, an \fIobject -reference\fR is passed instead. It's an octet string that only the correct +This means that the \fIobject data\fR isn\*(Aqt passed directly, an \fIobject +reference\fR is passed instead. It\*(Aqs an octet string that only the correct provider understands correctly. .PP Objects \fIby value\fR can be used by anything that handles DER encoded objects. .PP Objects \fIby reference\fR need a higher level of cooperation from the -implementation where the object originated (let's call it X) and its target -implementation (let's call it Y): +implementation where the object originated (let\*(Aqs call it X) and its target +implementation (let\*(Aqs call it Y): .IP 1. 4 \&\fIAn object loading function in the target implementation\fR .Sp 
@@ -120,13 +123,13 @@ using the \fIobject data type\fR as its key type (the second argument in .Sp The originating implementation (X) may have an exporter function. This exporter function can be used to export the object in \fBOSSL_PARAM\fR\|(3) form, -that can then be imported by the target implementation's imported function. +that can then be imported by the target implementation\*(Aqs imported function. .Sp -This can be used when it's not possible to fetch the target implementation +This can be used when it\*(Aqs not possible to fetch the target implementation (Y) from the same provider. .SS "Parameter reference" .IX Subsection "Parameter reference" -A provider-native object abstraction is an \fBOSSL_PARAM\fR\|(3) with a selection +A provider\-native object abstraction is an \fBOSSL_PARAM\fR\|(3) with a selection of the following parameters: .IP """data"" (\fBOSSL_OBJECT_PARAM_DATA\fR) <octet string> or <UTF8 string>" 4 .IX Item """data"" (OSSL_OBJECT_PARAM_DATA) <octet string> or <UTF8 string>" @@ -148,14 +151,14 @@ This is useful for \fBprovider\-storemgmt\fR\|(7) when a URI load results in new URIs. .IP \fBOSSL_OBJECT_PKEY\fR 4 .IX Item "OSSL_OBJECT_PKEY" -The object data is suitable as provider-native \fBEVP_PKEY\fR key data. The +The object data is suitable as provider\-native \fBEVP_PKEY\fR key data. The object data may be \fIpassed by value\fR or \fIpassed by reference\fR. .IP \fBOSSL_OBJECT_CERT\fR 4 .IX Item "OSSL_OBJECT_CERT" The object data is suitable as \fBX509\fR data. The object data for this object type can only be \fIpassed by value\fR, and should be an octet string. .Sp -Since there's no provider-native X.509 object, OpenSSL libraries that +Since there\*(Aqs no provider\-native X.509 object, OpenSSL libraries that receive this object abstraction are expected to convert the data to a \&\fBX509\fR object with \fBd2i_X509()\fR. .IP \fBOSSL_OBJECT_CRL\fR 4 
@@ -163,19 +166,19 @@ receive this object abstraction are expected to convert the data to a The object data is suitable as \fBX509_CRL\fR data. The object data can only be \fIpassed by value\fR, and should be an octet string. .Sp -Since there's no provider-native X.509 CRL object, OpenSSL libraries that +Since there\*(Aqs no provider\-native X.509 CRL object, OpenSSL libraries that receive this object abstraction are expected to convert the data to a \&\fBX509_CRL\fR object with \fBd2i_X509_CRL()\fR. .RE .RS 4 .RE -.IP """data-type"" (\fBOSSL_OBJECT_PARAM_DATA_TYPE\fR) <UTF8 string>" 4 +.IP """data\-type"" (\fBOSSL_OBJECT_PARAM_DATA_TYPE\fR) <UTF8 string>" 4 .IX Item """data-type"" (OSSL_OBJECT_PARAM_DATA_TYPE) <UTF8 string>" The specific type of the object content. Legitimate values depend on the object type; if it is \fBOSSL_OBJECT_PKEY\fR, the data type is expected to be a key type suitable for fetching a \fBprovider\-keymgmt\fR\|(7) that can handle the data. -.IP """data-structure"" (\fBOSSL_OBJECT_PARAM_DATA_STRUCTURE\fR) <UTF8 string>" 4 +.IP """data\-structure"" (\fBOSSL_OBJECT_PARAM_DATA_STRUCTURE\fR) <UTF8 string>" 4 .IX Item """data-structure"" (OSSL_OBJECT_PARAM_DATA_STRUCTURE) <UTF8 string>" The outermost structure of the object content. Legitimate values depend on the object type. @@ -183,7 +186,7 @@ the object type. .IX Item """desc"" (OSSL_OBJECT_PARAM_DESC) <UTF8 string>" A human readable text that describes extra details on the object. .PP -When a provider-native object abstraction is used, it \fImust\fR contain object +When a provider\-native object abstraction is used, it \fImust\fR contain object data in at least one form (object data \fIpassed by value\fR, i.e. the "data" item, or object data \fIpassed by reference\fR, i.e. the "reference" item). Both may be present at once, in which case the OpenSSL library code that 
diff --git a/secure/lib/libcrypto/man/man7/provider-rand.7 b/secure/lib/libcrypto/man/man7/provider-rand.7 index cdde7ab4b46b..f7574edff290 100644 --- a/secure/lib/libcrypto/man/man7/provider-rand.7 +++ b/secure/lib/libcrypto/man/man7/provider-rand.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-RAND 7ossl" -.TH PROVIDER-RAND 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-RAND 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -229,7 +232,7 @@ associated with the provider side context \fIctx\fR in its current state if it is not NULL. Otherwise, they return the parameters associated with the provider side algorithm \fIprovctx\fR. .PP -Parameters currently recognised by built-in rands are as follows. Not all +Parameters currently recognised by built\-in rands are as follows. Not all parameters are relevant to, or are understood by all rands: .IP """state"" (\fBOSSL_RAND_PARAM_STATE\fR) <integer>" 4 .IX Item """state"" (OSSL_RAND_PARAM_STATE) <integer>" 
@@ -237,7 +240,7 @@ Returns the state of the random number generator. .IP """strength"" (\fBOSSL_RAND_PARAM_STRENGTH\fR) <unsigned integer>" 4 .IX Item """strength"" (OSSL_RAND_PARAM_STRENGTH) <unsigned integer>" Returns the bit strength of the random number generator. -.IP """fips-indicator"" (\fBOSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This option is used by the OpenSSL FIPS provider and is not supported @@ -294,7 +297,7 @@ Specifies the number of times the DRBG has been seeded or reseeded. .IX Item """mac"" (OSSL_DRBG_PARAM_MAC) <UTF8 string>" .PD Sets the name of the underlying cipher, digest or MAC to be used. -It must name a suitable algorithm for the DRBG that's being used. +It must name a suitable algorithm for the DRBG that\*(Aqs being used. .IP """properties"" (\fBOSSL_DRBG_PARAM_PROPERTIES\fR) <UTF8 string>" 4 .IX Item """properties"" (OSSL_DRBG_PARAM_PROPERTIES) <UTF8 string>" Sets the properties to be queried when trying to fetch an underlying algorithm. 
@@ -302,18 +305,18 @@ This must be given together with the algorithm naming parameter to be considered valid. .PP The OpenSSL FIPS provider also supports the following parameters: -.IP """fips-indicator"" (\fBOSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling \fBOSSL_FUNC_rand_generate()\fR. It may -return 0 if the "digest-check" is set to 0. -.IP """digest-check"" (\fBOSSL_DRBG_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +return 0 if the "digest\-check" is set to 0. +.IP """digest\-check"" (\fBOSSL_DRBG_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_DRBG_PARAM_FIPS_DIGEST_CHECK) <integer>" If required this parameter should be set before the digest is set. The default value of 1 causes an error when the digest is set if the digest is not FIPS approved (e.g. truncated digests). Setting this to 0 will ignore -the error and set the approved "fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +the error and set the approved "fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -332,7 +335,7 @@ error. All of the remaining functions should return 1 for success or 0 on error. .SH NOTES .IX Header "NOTES" -The RAND life-cycle is described in \fBlife_cycle\-rand\fR\|(7). Providers should +The RAND life\-cycle is described in \fBlife_cycle\-rand\fR\|(7). Providers should ensure that the various transitions listed there are supported. At some point the EVP layer will begin enforcing the listed transitions. .SH "SEE ALSO" 
@@ -345,7 +348,7 @@ the EVP layer will begin enforcing the listed transitions. .SH HISTORY .IX Header "HISTORY" The provider RAND interface was introduced in OpenSSL 3.0. -The Rand Parameters "fips-indicator" and "digest-check" were added in +The Rand Parameters "fips\-indicator" and "digest\-check" were added in OpenSSL 3.4. .SH COPYRIGHT .IX Header "COPYRIGHT" diff --git a/secure/lib/libcrypto/man/man7/provider-signature.7 b/secure/lib/libcrypto/man/man7/provider-signature.7 index acdd3bf1967e..b5521c30350d 100644 --- a/secure/lib/libcrypto/man/man7/provider-signature.7 +++ b/secure/lib/libcrypto/man/man7/provider-signature.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-SIGNATURE 7ossl" -.TH PROVIDER-SIGNATURE 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-SIGNATURE 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -168,7 +171,7 @@ and \fBEVP_PKEY_verify_recover\fR\|(3) (as well as other related functions). .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP 
@@ -236,28 +239,66 @@ context functions (OSSL_FUNC_signature_newctx and OSSL_FUNC_signature_freectx) a set of "signature" functions, i.e. at least one of: .IP "OSSL_FUNC_signature_sign_init and OSSL_FUNC_signature_sign" 4 .IX Item "OSSL_FUNC_signature_sign_init and OSSL_FUNC_signature_sign" -.PD 0 +Used via \fBEVP_PKEY_sign_init\fR\|(3) and \fBEVP_PKEY_sign\fR\|(3). +These functions operate on pre\-digested data (the "to be signed" or TBS value). .IP "OSSL_FUNC_signature_sign_message_init and OSSL_FUNC_signature_sign" 4 .IX Item "OSSL_FUNC_signature_sign_message_init and OSSL_FUNC_signature_sign" +Used via \fBEVP_PKEY_sign_message_init\fR\|(3) and \fBEVP_PKEY_sign\fR\|(3) when signing a complete message. +The implementation internally handles message digesting. .IP "OSSL_FUNC_signature_sign_message_init, OSSL_FUNC_signature_sign_message_update and OSSL_FUNC_signature_sign_message_final" 4 .IX Item "OSSL_FUNC_signature_sign_message_init, OSSL_FUNC_signature_sign_message_update and OSSL_FUNC_signature_sign_message_final" +Streaming variant of message signing, used via \fBEVP_PKEY_sign_message_init\fR\|(3), +\&\fBEVP_PKEY_sign_message_update\fR\|(3), and \fBEVP_PKEY_sign_message_final\fR\|(3). .IP "OSSL_FUNC_signature_verify_init and OSSL_FUNC_signature_verify" 4 .IX Item "OSSL_FUNC_signature_verify_init and OSSL_FUNC_signature_verify" +Used via \fBEVP_PKEY_verify_init\fR\|(3) and \fBEVP_PKEY_verify\fR\|(3). +These functions operate on pre\-digested data. .IP "OSSL_FUNC_signature_verify_message_init and OSSL_FUNC_signature_verify" 4 .IX Item "OSSL_FUNC_signature_verify_message_init and OSSL_FUNC_signature_verify" +Used via \fBEVP_PKEY_verify_message_init\fR\|(3) and \fBEVP_PKEY_verify\fR\|(3) when verifying a complete message. +The implementation internally handles message digesting. 
.IP "OSSL_FUNC_signature_verify_message_init, OSSL_FUNC_signature_verify_message_update and OSSL_FUNC_signature_verify_message_final" 4 .IX Item "OSSL_FUNC_signature_verify_message_init, OSSL_FUNC_signature_verify_message_update and OSSL_FUNC_signature_verify_message_final" +Streaming variant of message verification, used via \fBEVP_PKEY_verify_message_init\fR\|(3), +\&\fBEVP_PKEY_verify_message_update\fR\|(3), and \fBEVP_PKEY_verify_message_final\fR\|(3). .IP "OSSL_FUNC_signature_verify_recover_init and OSSL_FUNC_signature_verify_recover" 4 .IX Item "OSSL_FUNC_signature_verify_recover_init and OSSL_FUNC_signature_verify_recover" +Used via \fBEVP_PKEY_verify_recover_init\fR\|(3) and \fBEVP_PKEY_verify_recover\fR\|(3). +Applicable only to signature schemes that support signature recovery (such as RSA). .IP "OSSL_FUNC_signature_digest_sign_init, OSSL_FUNC_signature_digest_sign_update and OSSL_FUNC_signature_digest_sign_final" 4 .IX Item "OSSL_FUNC_signature_digest_sign_init, OSSL_FUNC_signature_digest_sign_update and OSSL_FUNC_signature_digest_sign_final" +Streaming digest\-sign variant, used via \fBEVP_DigestSignInit\fR\|(3), +\&\fBEVP_DigestSignUpdate\fR\|(3), and \fBEVP_DigestSignFinal\fR\|(3). .IP "OSSL_FUNC_signature_digest_verify_init, OSSL_FUNC_signature_digest_verify_update and OSSL_FUNC_signature_digest_verify_final" 4 .IX Item "OSSL_FUNC_signature_digest_verify_init, OSSL_FUNC_signature_digest_verify_update and OSSL_FUNC_signature_digest_verify_final" +Streaming digest\-verify variant, used via \fBEVP_DigestVerifyInit\fR\|(3), +\&\fBEVP_DigestVerifyUpdate\fR\|(3), and \fBEVP_DigestVerifyFinal\fR\|(3). .IP "OSSL_FUNC_signature_digest_sign_init and OSSL_FUNC_signature_digest_sign" 4 .IX Item "OSSL_FUNC_signature_digest_sign_init and OSSL_FUNC_signature_digest_sign" +One\-shot digest\-sign variant, used via \fBEVP_DigestSign\fR\|(3). 
.IP "OSSL_FUNC_signature_digest_verify_init and OSSL_FUNC_signature_digest_verify" 4 .IX Item "OSSL_FUNC_signature_digest_verify_init and OSSL_FUNC_signature_digest_verify" -.PD +One\-shot digest\-verify variant, used via \fBEVP_DigestVerify\fR\|(3). +.PP +\&\fBImportant Note for TLS Support:\fR For a provider signature implementation to +be usable within \fIlibssl\fR for TLS connections, it \fBmust\fR implement the +digest\-sign and digest\-verify functions +(OSSL_FUNC_signature_digest_sign_init/update/final or the one\-shot variant, and +OSSL_FUNC_signature_digest_verify_init/update/final or the one\-shot variant). +The TLS handshake code in \fIlibssl\fR specifically requires these digest functions +and will not use implementations that only provide the basic sign/verify functions +(OSSL_FUNC_signature_sign_init/sign or OSSL_FUNC_signature_verify_init/verify). +.PP +The choice of which function set to implement depends on your use case: +.IP \(bu 4 +For general\-purpose signature operations and TLS support: implement the +digest\-sign and digest\-verify functions. +.IP \(bu 4 +For operations on pre\-digested data only: implement the basic sign and verify +functions. +.IP \(bu 4 +For signature schemes with recovery capability: additionally implement the +verify\-recover functions. .PP The \fBOSSL_FUNC_signature_set_ctx_params()\fR and \&\fBOSSL_FUNC_signature_settable_ctx_params()\fR functions are optional, @@ -270,7 +311,7 @@ The \fBOSSL_FUNC_signature_dupctx()\fR function is optional. It is not yet used by OpenSSL. .PP The \fBOSSL_FUNC_signature_query_key_types()\fR function is optional. -When present, it should return a NULL-terminated array of strings +When present, it should return a NULL\-terminated array of strings indicating the key types supported by the provider for signature operations. Otherwise the signature algorithm name must match the given key or match the default signature algorithm name of the key, 
@@ -338,7 +379,7 @@ the provider using the key management (OSSL_OP_KEYMGMT) operation (see \&\fBOSSL_FUNC_signature_sign_message_final()\fR performs the actual signing on the data that was gathered with \fBOSSL_FUNC_signature_sign_message_update()\fR. .PP -\&\fBOSSL_FUNC_signature_sign()\fR can be used for one-shot signature calls. In that +\&\fBOSSL_FUNC_signature_sign()\fR can be used for one\-shot signature calls. In that case, \fItbs\fR is expected to be the whole message to be signed, \fItbslen\fR bytes long. .PP @@ -389,7 +430,7 @@ The signature itself must have been passed through the "signature" (\fBOSSL_SIGNATURE_PARAM_SIGNATURE\fR) Signature parameter before this function is called. .PP -\&\fBOSSL_FUNC_signature_verify()\fR can be used for one-shot verification calls. In +\&\fBOSSL_FUNC_signature_verify()\fR can be used for one\-shot verification calls. In that case, \fItbs\fR is expected to be the whole message to be verified on, \&\fItbslen\fR bytes long. .SS "Verify Recover Functions" @@ -492,12 +533,12 @@ given provider side signature context \fIctx\fR to \fIparams\fR. Any parameter settings are additional to any that were previously set. Passing NULL for \fIparams\fR should return true. .PP -Common parameters currently recognised by built-in signature algorithms are as +Common parameters currently recognised by built\-in signature algorithms are as follows. .IP """digest"" (\fBOSSL_SIGNATURE_PARAM_DIGEST\fR) <UTF8 string>" 4 .IX Item """digest"" (OSSL_SIGNATURE_PARAM_DIGEST) <UTF8 string>" Get or sets the name of the digest algorithm used for the input to the -signature functions. It is required in order to calculate the "algorithm-id". +signature functions. It is required in order to calculate the "algorithm\-id". .IP """properties"" (\fBOSSL_SIGNATURE_PARAM_PROPERTIES\fR) <UTF8 string>" 4 .IX Item """properties"" (OSSL_SIGNATURE_PARAM_PROPERTIES) <UTF8 string>" Sets the name of the property query associated with the "digest" algorithm. 
@@ -505,29 +546,29 @@ NULL is used if this optional value is not set. .PP Note that when implementing a signature algorithm that gathers a full message, like RSA\-SHA256, the "digest" and "properties" parameters should not be used. -For such implementations, it's acceptable to simply ignore them if they happen +For such implementations, it\*(Aqs acceptable to simply ignore them if they happen to be passed in a call to \fBOSSL_FUNC_signature_set_ctx_params()\fR. For such implementations, however, it is not acceptable to have them in the \fBOSSL_PARAM\fR -array that's returned by \fBOSSL_FUNC_signature_settable_ctx_params()\fR. +array that\*(Aqs returned by \fBOSSL_FUNC_signature_settable_ctx_params()\fR. .IP """signature"" (\fBOSSL_SIGNATURE_PARAM_SIGNATURE\fR) <octet string>" 4 .IX Item """signature"" (OSSL_SIGNATURE_PARAM_SIGNATURE) <octet string>" Sets the signature to verify, specifically when \&\fBOSSL_FUNC_signature_verify_message_final()\fR is used. -.IP """digest-size"" (\fBOSSL_SIGNATURE_PARAM_DIGEST_SIZE\fR) <unsigned integer>" 4 +.IP """digest\-size"" (\fBOSSL_SIGNATURE_PARAM_DIGEST_SIZE\fR) <unsigned integer>" 4 .IX Item """digest-size"" (OSSL_SIGNATURE_PARAM_DIGEST_SIZE) <unsigned integer>" Gets or sets the output size of the digest algorithm used for the input to the signature functions. -The length of the "digest-size" parameter should not exceed that of a \fBsize_t\fR. -.IP """algorithm-id"" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string>" 4 +The length of the "digest\-size" parameter should not exceed that of a \fBsize_t\fR. +.IP """algorithm\-id"" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string>" 4 .IX Item """algorithm-id"" (OSSL_SIGNATURE_PARAM_ALGORITHM_ID) <octet string>" -Gets the DER-encoded AlgorithmIdentifier for the signature operation. +Gets the DER\-encoded AlgorithmIdentifier for the signature operation. 
This typically corresponds to the combination of a digest algorithm with a purely asymmetric signature algorithm, such as SHA256WithECDSA. .Sp The \fBASN1_item_sign_ctx\fR\|(3) function relies on this operation and is used by many other functions that sign ASN.1 structures such as X.509 certificates, certificate requests, and CRLs, as well as OCSP, CMP, and CMS messages. -.IP """nonce-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4 +.IP """nonce\-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4 .IX Item """nonce-type"" (OSSL_SIGNATURE_PARAM_NONCE_TYPE) <unsigned integer>" Set this to 1 to use deterministic digital signature generation with ECDSA or DSA, as defined in RFC 6979 (see Section 3.2 "Generation of @@ -535,7 +576,7 @@ k"). In this case, the "digest" parameter must be explicitly set (otherwise, deterministic nonce generation will fail). Before using deterministic digital signature generation, please read RFC 6979 Section 4 "Security Considerations". The default value for -"nonce-type" is 0 and results in a random value being used for the +"nonce\-type" is 0 and results in a random value being used for the nonce \fBk\fR as defined in FIPS 186\-4 Section 6.3 "Secret Number Generation". .Sp 
@@ -554,51 +595,51 @@ Known answer tests can be performed if the random generator is overridden to supply known values that either pass or fail. .PP The following parameters are used by the OpenSSL FIPS provider: -.IP """fips-indicator"" (\fBOSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 +.IP """fips\-indicator"" (\fBOSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4 .IX Item """fips-indicator"" (OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR) <integer>" A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling either the sign or verify final functions. It may -return 0 if either the "digest-check", "key-check", or "sign-check" are set to 0. -.IP """verify-message"" (\fBOSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE\fR <integer>" 4 +return 0 if either the "digest\-check", "key\-check", or "sign\-check" are set to 0. +.IP """verify\-message"" (\fBOSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE\fR <integer>" 4 .IX Item """verify-message"" (OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE <integer>" A getter that returns 1 if a signature verification operation acted on a raw message, or 0 if it verified a predigested message. A value of 0 -indicates likely non-approved usage of the FIPS provider. This flag is +indicates likely non\-approved usage of the FIPS provider. This flag is set when any signature verification initialisation function is called. It is also set to 1 when any signing operation is performed to signify compliance. See FIPS 140\-3 IG 2.4.B for further information. -.IP """key-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 +.IP """key\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4 .IX Item """key-check"" (OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK) <integer>" If required this parameter should be set early via an init function (e.g. \fBOSSL_FUNC_signature_sign_init()\fR or \fBOSSL_FUNC_signature_verify_init()\fR). 
The default value of 1 causes an error during the init if the key is not FIPS approved (e.g. The key has a security strength of less than 112 bits). Setting this to 0 will ignore the error and set the approved "indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. -.IP """digest-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 +.IP """digest\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4 .IX Item """digest-check"" (OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK) <integer>" If required this parameter should be set before the signature digest is set. The default value of 1 causes an error when the digest is set if the digest is not FIPS approved (e.g. SHA1 is used for signing). Setting this to 0 will ignore -the error and set the approved "fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +the error and set the approved "fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. -.IP """sign-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK\fR) <integer>" 4 +.IP """sign\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK\fR) <integer>" 4 .IX Item """sign-check"" (OSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK) <integer>" If required this parameter should be set early via an init function. The default value of 1 causes an error when a signing algorithm is used. (This is triggered by deprecated signing algorithms). -Setting this to 0 will ignore the error and set the approved "fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" to +Setting this to 0 will ignore the error and set the approved "fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. 
.IP """sign\-x931\-pad\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK\fR) <integer>" 4 .IX Item """sign-x931-pad-check"" (OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK) <integer>" If required this parameter should be set before the padding mode is set. The default value of 1 causes an error if the padding mode is set to X9.31 padding for a RSA signing operation. Setting this to 0 will ignore the error and set the -approved "fips-indicator" to 0. -This option breaks FIPS compliance if it causes the approved "fips-indicator" +approved "fips\-indicator" to 0. +This option breaks FIPS compliance if it causes the approved "fips\-indicator" to return 0. .PP \&\fBOSSL_FUNC_signature_gettable_ctx_params()\fR and \fBOSSL_FUNC_signature_settable_ctx_params()\fR get a @@ -620,8 +661,8 @@ given provider side digest signature context \fIctx\fR to \fIparams\fR. Any parameter settings are additional to any that were previously set. Passing NULL for \fIparams\fR should return true. .PP -Parameters currently recognised by built-in signature algorithms are the same -as those for built-in digest algorithms. See +Parameters currently recognised by built\-in signature algorithms are the same +as those for built\-in digest algorithms. See "Digest Parameters" in \fBprovider\-digest\fR\|(7) for further information. .PP \&\fBOSSL_FUNC_signature_gettable_md_ctx_params()\fR and \fBOSSL_FUNC_signature_settable_md_ctx_params()\fR 
@@ -638,10 +679,10 @@ provider side signature context, or NULL on failure. \&\fBOSSL_FUNC_signature_gettable_md_ctx_params()\fR and \fBOSSL_FUNC_signature_settable_md_ctx_params()\fR, return the gettable or settable parameters in a constant \fBOSSL_PARAM\fR\|(3) array. .PP -\&\fBOSSL_FUNC_signature_query_key_types()\fR should return a NULL-terminated array of strings. +\&\fBOSSL_FUNC_signature_query_key_types()\fR should return a NULL\-terminated array of strings. .PP All verification functions should return 1 for success, -0 for a non-matching signature, and a negative value for operation failure. +0 for a non\-matching signature, and a negative value for operation failure. .PP All other functions should return 1 for success and 0 or a negative value for failure. @@ -654,8 +695,17 @@ and 0 or a negative value for failure. .SH HISTORY .IX Header "HISTORY" The provider SIGNATURE interface was introduced in OpenSSL 3.0. -The Signature Parameters "fips-indicator", "key-check" and "digest-check" -were added in OpenSSL 3.4. +.PP +The \fBOSSL_FUNC_signature_sign_message_init()\fR, \fBOSSL_FUNC_signature_sign_message_update()\fR, +\&\fBOSSL_FUNC_signature_sign_message_final()\fR, \fBOSSL_FUNC_signature_verify_message_init()\fR, +\&\fBOSSL_FUNC_signature_verify_message_update()\fR and \fBOSSL_FUNC_signature_verify_message_final()\fR +functions were added in OpenSSL 3.4. +.PP +The Signature Parameters "fips\-indicator", "key\-check" and "digest\-check" were added in +OpenSSL 3.4. +.PP +Deterministic digital signature generation for ECDSA was added to the FIPS provider in OpenSSL +3.6. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/man7/provider-skeymgmt.7 b/secure/lib/libcrypto/man/man7/provider-skeymgmt.7 index f2898076e9c1..0c980448ab5e 100644 --- a/secure/lib/libcrypto/man/man7/provider-skeymgmt.7 +++ b/secure/lib/libcrypto/man/man7/provider-skeymgmt.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-SKEYMGMT 7ossl" -.TH PROVIDER-SKEYMGMT 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-SKEYMGMT 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -89,7 +92,7 @@ provider\-skeymgmt \- The SKEYMGMT library <\-> provider functions .Ve .SH DESCRIPTION .IX Header "DESCRIPTION" -The SKEYMGMT operation doesn't have much public visibility in the OpenSSL +The SKEYMGMT operation doesn\*(Aqt have much public visibility in the OpenSSL libraries, rather it is an internal operation that is designed to work with operations that use opaque symmetric keys objects. .PP @@ -102,7 +105,7 @@ provider side key data for the OpenSSL library EVP_SKEY structure. .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP 
@@ -141,7 +144,7 @@ interface can be passed as is to other algorithms from the same provider operations, such as \fBOSSL_FUNC_mac_init_opaque()\fR (see \&\fBprovider\-mac\fR\|(7)). .PP -With the export SKEYMGMT function, it's possible to select a specific +With the export SKEYMGMT function, it\*(Aqs possible to select a specific subset of data to handle, governed by the bits in a \fIselection\fR indicator. The bits are: .IP \fBOSSL_SKEYMGMT_SELECT_SECRET_KEY\fR 4 
@@ -186,22 +189,22 @@ object. be provided to the \fBOSSL_FUNC_skeymgmt_generate()\fR function. .SS "Key Object Information functions" .IX Subsection "Key Object Information functions" -\&\fBOSSL_FUNC_skeymgmt_get_key_id()\fR returns a NUL-terminated string identifying the +\&\fBOSSL_FUNC_skeymgmt_get_key_id()\fR returns a NUL\-terminated string identifying the particular key. The returned string will be freed by a call to \fBEVP_SKEY_free()\fR so callers need to copy it themselves if they want to preserve the value past the key lifetime. The purpose of this function is providing a printable string that can help users to access the specific key. The content of this string is -provider-specific. +provider\-specific. .SS "Common Import and Export Parameters" .IX Subsection "Common Import and Export Parameters" See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure. .PP -Common information parameters currently recognised by built-in +Common information parameters currently recognised by built\-in skeymgmt algorithms are as follows: -.IP """raw-bytes"" (\fBSKEY_PARAM_RAW_BYTES\fR) <octet string>" 4 +.IP """raw\-bytes"" (\fBSKEY_PARAM_RAW_BYTES\fR) <octet string>" 4 .IX Item """raw-bytes"" (SKEY_PARAM_RAW_BYTES) <octet string>" The value represents symmetric key as a byte array. -.IP """key-length"" (\fBSKEY_PARAM_KEY_LENGTH\fR) <integer>" 4 +.IP """key\-length"" (\fBSKEY_PARAM_KEY_LENGTH\fR) <integer>" 4 .IX Item """key-length"" (SKEY_PARAM_KEY_LENGTH) <integer>" The value is the byte length of the given key. .SH "RETURN VALUES" diff --git a/secure/lib/libcrypto/man/man7/provider-storemgmt.7 b/secure/lib/libcrypto/man/man7/provider-storemgmt.7 index 07fd9502430e..b3c02a5bce0f 100644 --- a/secure/lib/libcrypto/man/man7/provider-storemgmt.7 +++ b/secure/lib/libcrypto/man/man7/provider-storemgmt.7 
@@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER-STOREMGMT 7ossl" -.TH PROVIDER-STOREMGMT 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER-STOREMGMT 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -101,7 +104,7 @@ The STORE operation is the provider side of the \fBossl_store\fR\|(7) API. .PP The primary responsibility of the STORE operation is to load all sorts of objects from a container indicated by URI. These objects are given -to the OpenSSL library in provider-native object abstraction form (see +to the OpenSSL library in provider\-native object abstraction form (see \&\fBprovider\-object\fR\|(7)). The OpenSSL library is then responsible for passing on that abstraction to suitable provided functions. .PP @@ -112,7 +115,7 @@ form). .PP All "functions" mentioned here are passed as function pointers between \&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via -\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's +\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider\*(Aqs \&\fBprovider_query_operation()\fR function (see "Provider Functions" in \fBprovider\-base\fR\|(7)). .PP 
@@ -160,7 +163,7 @@ can handle. \&\fBOSSL_FUNC_store_set_ctx_params()\fR should set additional parameters, such as what kind of data to expect, search criteria, and so on. More on those below, in "Load Parameters". Whether unrecognised parameters are an error or simply -ignored is at the implementation's discretion. +ignored is at the implementation\*(Aqs discretion. Passing NULL for \fIparams\fR should return true. .PP \&\fBOSSL_FUNC_store_load()\fR loads the next object from the URI opened by @@ -172,12 +175,12 @@ case a passphrase needs to be prompted to unlock an object, \fIpw_cb\fR should be called. .PP \&\fBOSSL_FUNC_store_eof()\fR indicates if the end of the set of objects from the -URI has been reached. When that happens, there's no point trying to do any +URI has been reached. When that happens, there\*(Aqs no point trying to do any further loading. .PP \&\fBOSSL_FUNC_store_close()\fR frees the provider side context \fIctx\fR. .PP -When a provider-native object is created by a store manager it would be unsuitable +When a provider\-native object is created by a store manager it would be unsuitable for direct use with a foreign provider. The export function allows for exporting the object to that foreign provider if the foreign provider supports the type of the object and provides an import function. @@ -243,7 +246,7 @@ alias (some call it a "friendly name"). .IX Item """properties"" (OSSL_STORE_PARAM_PROPERTIES) <utf8 string>" Property string to use when querying for algorithms such as the \fBOSSL_DECODER\fR decoder implementations. -.IP """input-type"" (\fBOSSL_STORE_PARAM_INPUT_TYPE\fR) <utf8 string>" 4 +.IP """input\-type"" (\fBOSSL_STORE_PARAM_INPUT_TYPE\fR) <utf8 string>" 4 .IX Item """input-type"" (OSSL_STORE_PARAM_INPUT_TYPE) <utf8 string>" Type of the input format as a hint to use when decoding the objects in the store. 
diff --git a/secure/lib/libcrypto/man/man7/provider.7 b/secure/lib/libcrypto/man/man7/provider.7 index 579aaa05c2c4..9ed1de4f14d0 100644 --- a/secure/lib/libcrypto/man/man7/provider.7 +++ b/secure/lib/libcrypto/man/man7/provider.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROVIDER 7ossl" -.TH PROVIDER 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROVIDER 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -90,11 +93,11 @@ See \fBcrypto\fR\|(7) for further details. A \fIprovider\fR offers an initialization function, as a set of base functions in the form of an \fBOSSL_DISPATCH\fR\|(3) array, and by extension, a set of \fBOSSL_ALGORITHM\fR\|(3)s (see \fBopenssl\-core.h\fR\|(7)). -It may be a dynamically loadable module, or may be built-in, in +It may be a dynamically loadable module, or may be built\-in, in OpenSSL libraries or in the application. -If it's a dynamically loadable module, the initialization function +If it\*(Aqs a dynamically loadable module, the initialization function must be named \f(CW\*(C`OSSL_provider_init\*(C'\fR and must be exported. -If it's built-in, the initialization function may have any name. +If it\*(Aqs built\-in, the initialization function may have any name. .PP The initialization function must have the following signature: .PP 
diff --git a/secure/lib/libcrypto/man/man7/proxy-certificates.7 b/secure/lib/libcrypto/man/man7/proxy-certificates.7 index 630d0d475fb2..b279bea268c4 100644 --- a/secure/lib/libcrypto/man/man7/proxy-certificates.7 +++ b/secure/lib/libcrypto/man/man7/proxy-certificates.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PROXY-CERTIFICATES 7ossl" -.TH PROXY-CERTIFICATES 7ossl 2025-09-30 3.5.4 OpenSSL +.TH PROXY-CERTIFICATES 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -113,7 +116,7 @@ command, with some extra extensions: \& proxyCertInfo = critical,language:id\-ppl\-anyLanguage,pathlen:1,policy:text:AB .Ve .PP -It's also possible to specify the proxy extension in a separate section: +It\*(Aqs also possible to specify the proxy extension in a separate section: .PP .Vb 1 \& proxyCertInfo = critical,@proxy_ext diff --git a/secure/lib/libcrypto/man/man7/x509.7 b/secure/lib/libcrypto/man/man7/x509.7 index 42e20227ed5a..d0f9f82ff08a 100644 --- a/secure/lib/libcrypto/man/man7/x509.7 +++ b/secure/lib/libcrypto/man/man7/x509.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "X509 7ossl" -.TH X509 7ossl 2025-09-30 3.5.4 OpenSSL +.TH X509 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -73,7 +76,7 @@ An X.509 certificate is a structured grouping of information about an individual, a device, or anything one can imagine. An X.509 CRL (certificate revocation list) is a tool to help determine if a certificate is still valid. The exact definition of those can be -found in the X.509 document from ITU-T, or in RFC3280 from PKIX. +found in the X.509 document from ITU\-T, or in RFC3280 from PKIX. In OpenSSL, the type X509 is used to express such a certificate, and the type X509_CRL is used to express a CRL. .PP @@ -86,7 +89,7 @@ X509_NAME (to express a certificate name), X509_ATTRIBUTE (to express a certificate attribute), X509_EXTENSION (to express a certificate extension) and a few more. .PP -Finally, there's the supertype X509_INFO, which can contain a CRL, a +Finally, there\*(Aqs the supertype X509_INFO, which can contain a CRL, a certificate and a corresponding private key. .PP \&\fBX509_\fR\fIXXX\fR, \fBd2i_X509_\fR\fIXXX\fR, and \fBi2d_X509_\fR\fIXXX\fR functions |
