From dd9cd70237ff2143d3b63ea58050afcfbc5c80e5 Mon Sep 17 00:00:00 2001 
From: Lauri Tirkkonen Date: Sun, 1 Jul 2018 20:59:50 +0300 Subject: [PATCH] update libressl to v2.7.4 --- bin/nc/nc.1 | 26 +- bin/nc/netcat.c | 89 +- bin/openssl/apps.c | 83 +- bin/openssl/apps.h | 5 +- bin/openssl/apps_posix.c | 43 +- bin/openssl/asn1pars.c | 11 +- bin/openssl/ca.c | 24 +- bin/openssl/certhash.c | 16 +- bin/openssl/ciphers.c | 6 +- bin/openssl/crl.c | 6 +- bin/openssl/crl2p7.c | 6 +- bin/openssl/dgst.c | 4 +- bin/openssl/dh.c | 10 +- bin/openssl/dhparam.c | 13 +- bin/openssl/dsa.c | 10 +- bin/openssl/dsaparam.c | 10 +- bin/openssl/ec.c | 10 +- bin/openssl/ecparam.c | 4 +- bin/openssl/enc.c | 7 +- bin/openssl/gendh.c | 10 +- bin/openssl/gendsa.c | 12 +- bin/openssl/genpkey.c | 311 +- bin/openssl/genrsa.c | 16 +- bin/openssl/nseq.c | 4 +- bin/openssl/ocsp.c | 41 +- bin/openssl/openssl.1 | 17 +- bin/openssl/openssl.c | 8 +- bin/openssl/passwd.c | 6 +- bin/openssl/pkcs12.c | 8 +- bin/openssl/pkcs7.c | 4 +- bin/openssl/pkcs8.c | 4 +- bin/openssl/pkey.c | 6 +- bin/openssl/pkeyparam.c | 4 +- bin/openssl/pkeyutl.c | 11 +- bin/openssl/prime.c | 4 +- bin/openssl/rand.c | 7 +- bin/openssl/req.c | 20 +- bin/openssl/rsa.c | 4 +- bin/openssl/rsautl.c | 4 +- bin/openssl/s_cb.c | 10 +- bin/openssl/s_client.c | 25 +- bin/openssl/s_server.c | 50 +- bin/openssl/s_socket.c | 10 +- bin/openssl/s_time.c | 22 +- bin/openssl/sess_id.c | 6 +- bin/openssl/smime.c | 15 +- bin/openssl/speed.c | 13 +- bin/openssl/spkac.c | 4 +- bin/openssl/ts.c | 30 +- bin/openssl/verify.c | 6 +- bin/openssl/x509.c | 15 +- lib/libcrypto/Makefile | 9 +- lib/libcrypto/Symbols.list | 150 + lib/libcrypto/aes/asm/aes-armv4.pl | 14 +- lib/libcrypto/aes/asm/aes-x86_64.pl | 10 +- lib/libcrypto/arc4random/getentropy_linux.c | 8 +- lib/libcrypto/arm_arch.h | 6 +- lib/libcrypto/asn1/asn1.h | 5 +- lib/libcrypto/asn1/asn1_lib.c | 8 +- lib/libcrypto/asn1/evp_asn1.c | 159 +- lib/libcrypto/asn1/x_crl.c | 42 +- lib/libcrypto/asn1/x_name.c | 15 +- lib/libcrypto/asn1/x_pubkey.c | 22 +- 
lib/libcrypto/asn1/x_req.c | 18 +- lib/libcrypto/asn1/x_x509.c | 18 +- lib/libcrypto/bio/b_posix.c | 4 +- lib/libcrypto/bio/b_sock.c | 25 +- lib/libcrypto/bio/bio.h | 37 +- lib/libcrypto/bio/bio_lib.c | 53 +- lib/libcrypto/bio/bio_meth.c | 147 + lib/libcrypto/bn/bn.h | 15 +- lib/libcrypto/bn/bn_const.c | 50 +- lib/libcrypto/bn/bn_lib.c | 27 +- lib/libcrypto/camellia/asm/cmll-x86_64.pl | 4 +- lib/libcrypto/cert.pem | 4156 +++++++++++++++++--- lib/libcrypto/comp/c_zlib.c | 4 +- lib/libcrypto/compat/include/sys/time.h | 28 + lib/libcrypto/compat/include/sys/types.h | 5 + lib/libcrypto/compat/include/time.h | 53 + lib/libcrypto/conf/conf_sap.c | 59 +- lib/libcrypto/crypto.h | 44 +- lib/libcrypto/crypto_init.c | 63 + lib/libcrypto/cversion.c | 28 +- lib/libcrypto/dh/dh.h | 14 +- lib/libcrypto/dh/dh_key.c | 7 +- lib/libcrypto/dh/dh_lib.c | 100 +- lib/libcrypto/dsa/dsa.h | 21 +- lib/libcrypto/dsa/dsa_asn1.c | 25 +- lib/libcrypto/dsa/dsa_lib.c | 87 +- lib/libcrypto/dsa/dsa_meth.c | 78 + lib/libcrypto/dsa/dsa_ossl.c | 7 +- lib/libcrypto/ec/ec_ameth.c | 14 +- lib/libcrypto/ec/ec_asn1.c | 28 +- lib/libcrypto/ec/ec_curve.c | 4 +- lib/libcrypto/ecdsa/ecdsa.h | 16 +- lib/libcrypto/ecdsa/ecs_asn1.c | 24 +- lib/libcrypto/ecdsa/ecs_ossl.c | 4 +- lib/libcrypto/engine/eng_all.c | 20 +- lib/libcrypto/engine/eng_lib.c | 5 +- lib/libcrypto/err/err.c | 32 +- lib/libcrypto/err/err_all.c | 18 +- lib/libcrypto/evp/c_all.c | 23 +- lib/libcrypto/evp/digest.c | 59 +- lib/libcrypto/evp/evp.h | 22 +- lib/libcrypto/evp/evp_enc.c | 48 +- lib/libcrypto/evp/names.c | 20 +- lib/libcrypto/evp/p_lib.c | 99 +- lib/libcrypto/ex_data.c | 5 +- lib/libcrypto/format-pem.pl | 8 +- lib/libcrypto/hmac/hmac.c | 56 +- lib/libcrypto/hmac/hmac.h | 7 +- lib/libcrypto/man/ACCESS_DESCRIPTION_new.3 | 12 +- lib/libcrypto/man/ASN1_OBJECT_new.3 | 7 +- lib/libcrypto/man/ASN1_STRING_TABLE_add.3 | 11 +- lib/libcrypto/man/ASN1_STRING_length.3 | 173 +- lib/libcrypto/man/ASN1_STRING_new.3 | 57 +- 
lib/libcrypto/man/ASN1_STRING_print_ex.3 | 33 +- lib/libcrypto/man/ASN1_TIME_set.3 | 43 +- lib/libcrypto/man/ASN1_TYPE_get.3 | 20 +- lib/libcrypto/man/ASN1_generate_nconf.3 | 7 +- lib/libcrypto/man/ASN1_item_d2i.3 | 25 +- lib/libcrypto/man/ASN1_item_new.3 | 23 +- lib/libcrypto/man/ASN1_time_parse.3 | 16 +- lib/libcrypto/man/AUTHORITY_KEYID_new.3 | 10 +- lib/libcrypto/man/BASIC_CONSTRAINTS_new.3 | 10 +- lib/libcrypto/man/BF_set_key.3 | 10 +- lib/libcrypto/man/BIO_ctrl.3 | 39 +- lib/libcrypto/man/BIO_f_base64.3 | 8 +- lib/libcrypto/man/BIO_f_buffer.3 | 16 +- lib/libcrypto/man/BIO_f_cipher.3 | 15 +- lib/libcrypto/man/BIO_f_md.3 | 12 +- lib/libcrypto/man/BIO_f_null.3 | 8 +- lib/libcrypto/man/BIO_find_type.3 | 14 +- .../man/{ASN1_OBJECT_new.3 => BIO_get_data.3} | 162 +- lib/libcrypto/man/BIO_get_ex_new_index.3 | 49 +- lib/libcrypto/man/BIO_meth_new.3 | 367 ++ lib/libcrypto/man/BIO_new.3 | 89 +- lib/libcrypto/man/BIO_printf.3 | 15 +- lib/libcrypto/man/BIO_push.3 | 10 +- lib/libcrypto/man/BIO_read.3 | 13 +- lib/libcrypto/man/BIO_s_accept.3 | 23 +- lib/libcrypto/man/BIO_s_bio.3 | 26 +- lib/libcrypto/man/BIO_s_connect.3 | 23 +- lib/libcrypto/man/BIO_s_fd.3 | 8 +- lib/libcrypto/man/BIO_s_file.3 | 23 +- lib/libcrypto/man/BIO_s_mem.3 | 41 +- lib/libcrypto/man/BIO_s_null.3 | 8 +- lib/libcrypto/man/BIO_s_socket.3 | 10 +- lib/libcrypto/man/BIO_set_callback.3 | 94 +- lib/libcrypto/man/BIO_should_retry.3 | 12 +- lib/libcrypto/man/BN_BLINDING_new.3 | 24 +- lib/libcrypto/man/BN_CTX_new.3 | 11 +- lib/libcrypto/man/BN_CTX_start.3 | 7 +- lib/libcrypto/man/BN_add.3 | 21 +- lib/libcrypto/man/BN_add_word.3 | 12 +- lib/libcrypto/man/BN_bn2bin.3 | 19 +- lib/libcrypto/man/BN_cmp.3 | 12 +- lib/libcrypto/man/BN_copy.3 | 11 +- lib/libcrypto/man/BN_generate_prime.3 | 87 +- lib/libcrypto/man/BN_get0_nist_prime_521.3 | 8 +- lib/libcrypto/man/BN_mod_inverse.3 | 12 +- lib/libcrypto/man/BN_mod_mul_montgomery.3 | 12 +- lib/libcrypto/man/BN_mod_mul_reciprocal.3 | 17 +- lib/libcrypto/man/BN_new.3 | 18 +- 
lib/libcrypto/man/BN_num_bytes.3 | 11 +- lib/libcrypto/man/BN_rand.3 | 19 +- lib/libcrypto/man/BN_set_bit.3 | 7 +- lib/libcrypto/man/BN_set_flags.3 | 10 +- lib/libcrypto/man/BN_set_negative.3 | 10 +- lib/libcrypto/man/BN_swap.3 | 8 +- lib/libcrypto/man/BN_zero.3 | 51 +- lib/libcrypto/man/BUF_MEM_new.3 | 20 +- lib/libcrypto/man/CONF_modules_free.3 | 11 +- lib/libcrypto/man/CONF_modules_load_file.3 | 10 +- lib/libcrypto/man/CRYPTO_get_mem_functions.3 | 8 +- lib/libcrypto/man/CRYPTO_set_ex_data.3 | 21 +- lib/libcrypto/man/CRYPTO_set_locking_callback.3 | 49 +- lib/libcrypto/man/DES_set_key.3 | 113 +- lib/libcrypto/man/DH_generate_key.3 | 8 +- lib/libcrypto/man/DH_generate_parameters.3 | 15 +- lib/libcrypto/man/DH_get0_pqg.3 | 258 ++ lib/libcrypto/man/DH_get_ex_new_index.3 | 8 +- lib/libcrypto/man/DH_new.3 | 11 +- lib/libcrypto/man/DH_set_method.3 | 7 +- lib/libcrypto/man/DH_size.3 | 36 +- lib/libcrypto/man/DIST_POINT_new.3 | 20 +- lib/libcrypto/man/DSA_SIG_new.3 | 66 +- lib/libcrypto/man/DSA_do_sign.3 | 9 +- lib/libcrypto/man/DSA_dup_DH.3 | 8 +- lib/libcrypto/man/DSA_generate_key.3 | 8 +- lib/libcrypto/man/DSA_generate_parameters.3 | 17 +- lib/libcrypto/man/DSA_get0_pqg.3 | 252 ++ lib/libcrypto/man/DSA_get_ex_new_index.3 | 7 +- .../man/{X509_REVOKED_new.3 => DSA_meth_new.3} | 176 +- lib/libcrypto/man/DSA_new.3 | 10 +- lib/libcrypto/man/DSA_set_method.3 | 8 +- lib/libcrypto/man/DSA_sign.3 | 11 +- lib/libcrypto/man/DSA_size.3 | 8 +- lib/libcrypto/man/ECDSA_SIG_new.3 | 69 +- lib/libcrypto/man/EC_GFp_simple_method.3 | 24 +- lib/libcrypto/man/EC_GROUP_copy.3 | 35 +- lib/libcrypto/man/EC_GROUP_new.3 | 23 +- lib/libcrypto/man/EC_KEY_new.3 | 43 +- lib/libcrypto/man/EC_POINT_add.3 | 23 +- lib/libcrypto/man/EC_POINT_new.3 | 33 +- lib/libcrypto/man/ERR_GET_LIB.3 | 10 +- lib/libcrypto/man/ERR_clear_error.3 | 7 +- lib/libcrypto/man/ERR_error_string.3 | 17 +- lib/libcrypto/man/ERR_get_error.3 | 14 +- lib/libcrypto/man/ERR_load_crypto_strings.3 | 12 +- 
lib/libcrypto/man/ERR_load_strings.3 | 12 +- lib/libcrypto/man/ERR_print_errors.3 | 11 +- lib/libcrypto/man/ERR_put_error.3 | 14 +- lib/libcrypto/man/ERR_remove_state.3 | 12 +- lib/libcrypto/man/ERR_set_mark.3 | 7 +- lib/libcrypto/man/ESS_SIGNING_CERT_new.3 | 8 +- lib/libcrypto/man/EVP_BytesToKey.3 | 8 +- lib/libcrypto/man/EVP_DigestInit.3 | 283 +- lib/libcrypto/man/EVP_DigestSignInit.3 | 10 +- lib/libcrypto/man/EVP_DigestVerifyInit.3 | 10 +- lib/libcrypto/man/EVP_EncodeInit.3 | 8 +- lib/libcrypto/man/EVP_EncryptInit.3 | 314 +- lib/libcrypto/man/EVP_OpenInit.3 | 11 +- lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3 | 9 +- lib/libcrypto/man/EVP_PKEY_CTX_new.3 | 9 +- lib/libcrypto/man/EVP_PKEY_asn1_get_count.3 | 163 + lib/libcrypto/man/EVP_PKEY_asn1_new.3 | 459 +++ lib/libcrypto/man/EVP_PKEY_cmp.3 | 18 +- lib/libcrypto/man/EVP_PKEY_decrypt.3 | 25 +- lib/libcrypto/man/EVP_PKEY_derive.3 | 22 +- lib/libcrypto/man/EVP_PKEY_encrypt.3 | 11 +- .../man/EVP_PKEY_get_default_digest_nid.3 | 9 +- lib/libcrypto/man/EVP_PKEY_keygen.3 | 22 +- lib/libcrypto/man/EVP_PKEY_meth_get0_info.3 | 8 +- lib/libcrypto/man/EVP_PKEY_meth_new.3 | 551 +++ lib/libcrypto/man/EVP_PKEY_new.3 | 33 +- lib/libcrypto/man/EVP_PKEY_print_private.3 | 9 +- lib/libcrypto/man/EVP_PKEY_set1_RSA.3 | 89 +- lib/libcrypto/man/EVP_PKEY_sign.3 | 11 +- lib/libcrypto/man/EVP_PKEY_verify.3 | 28 +- lib/libcrypto/man/EVP_PKEY_verify_recover.3 | 23 +- lib/libcrypto/man/EVP_SealInit.3 | 11 +- lib/libcrypto/man/EVP_SignInit.3 | 14 +- lib/libcrypto/man/EVP_VerifyInit.3 | 10 +- lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3 | 10 +- lib/libcrypto/man/GENERAL_NAME_new.3 | 24 +- lib/libcrypto/man/HMAC.3 | 237 +- lib/libcrypto/man/MD5.3 | 83 +- lib/libcrypto/man/Makefile | 19 +- lib/libcrypto/man/NAME_CONSTRAINTS_new.3 | 12 +- lib/libcrypto/man/OBJ_nid2obj.3 | 30 +- lib/libcrypto/man/OCSP_CRLID_new.3 | 11 +- lib/libcrypto/man/OCSP_REQUEST_new.3 | 8 +- lib/libcrypto/man/OCSP_SERVICELOC_new.3 | 11 +- lib/libcrypto/man/OCSP_cert_to_id.3 | 8 +- 
lib/libcrypto/man/OCSP_request_add1_nonce.3 | 8 +- lib/libcrypto/man/OCSP_resp_find_status.3 | 38 +- lib/libcrypto/man/OCSP_response_status.3 | 51 +- lib/libcrypto/man/OCSP_sendreq_new.3 | 21 +- lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3 | 209 +- lib/libcrypto/man/OPENSSL_cleanse.3 | 8 +- .../man/{ASN1_OBJECT_new.3 => OPENSSL_config.3} | 131 +- lib/libcrypto/man/OPENSSL_init_crypto.3 | 87 + lib/libcrypto/man/OPENSSL_load_builtin_modules.3 | 8 +- lib/libcrypto/man/OPENSSL_malloc.3 | 24 +- lib/libcrypto/man/OPENSSL_sk_new.3 | 604 +++ lib/libcrypto/man/OpenSSL_add_all_algorithms.3 | 60 +- lib/libcrypto/man/PEM_bytes_read_bio.3 | 8 +- lib/libcrypto/man/PEM_read.3 | 8 +- lib/libcrypto/man/PEM_read_bio_PrivateKey.3 | 106 +- lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3 | 7 +- lib/libcrypto/man/PKCS12_SAFEBAG_new.3 | 12 +- lib/libcrypto/man/PKCS12_create.3 | 18 +- lib/libcrypto/man/PKCS12_new.3 | 12 +- lib/libcrypto/man/PKCS12_newpass.3 | 8 +- lib/libcrypto/man/PKCS12_parse.3 | 8 +- lib/libcrypto/man/PKCS5_PBKDF2_HMAC.3 | 12 +- lib/libcrypto/man/PKCS7_decrypt.3 | 7 +- lib/libcrypto/man/PKCS7_encrypt.3 | 10 +- lib/libcrypto/man/PKCS7_new.3 | 8 +- lib/libcrypto/man/PKCS7_sign.3 | 7 +- lib/libcrypto/man/PKCS7_sign_add_signer.3 | 7 +- lib/libcrypto/man/PKCS7_verify.3 | 12 +- lib/libcrypto/man/PKCS8_PRIV_KEY_INFO_new.3 | 10 +- lib/libcrypto/man/PKEY_USAGE_PERIOD_new.3 | 10 +- lib/libcrypto/man/POLICYINFO_new.3 | 26 +- lib/libcrypto/man/PROXY_POLICY_new.3 | 8 +- lib/libcrypto/man/RAND_add.3 | 28 +- lib/libcrypto/man/RAND_bytes.3 | 15 +- lib/libcrypto/man/RAND_load_file.3 | 7 +- lib/libcrypto/man/RAND_set_rand_method.3 | 7 +- lib/libcrypto/man/RC4.3 | 7 +- lib/libcrypto/man/RIPEMD160.3 | 15 +- lib/libcrypto/man/RSA_PSS_PARAMS_new.3 | 10 +- lib/libcrypto/man/RSA_blinding_on.3 | 7 +- lib/libcrypto/man/RSA_check_key.3 | 8 +- lib/libcrypto/man/RSA_generate_key.3 | 16 +- lib/libcrypto/man/RSA_get0_key.3 | 290 ++ lib/libcrypto/man/RSA_get_ex_new_index.3 | 19 +- 
.../man/{X509_REVOKED_new.3 => RSA_meth_new.3} | 182 +- lib/libcrypto/man/RSA_new.3 | 9 +- lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 | 10 +- lib/libcrypto/man/RSA_print.3 | 13 +- lib/libcrypto/man/RSA_private_encrypt.3 | 11 +- lib/libcrypto/man/RSA_public_encrypt.3 | 11 +- lib/libcrypto/man/RSA_set_method.3 | 50 +- lib/libcrypto/man/RSA_sign.3 | 7 +- lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3 | 7 +- lib/libcrypto/man/RSA_size.3 | 39 +- lib/libcrypto/man/SHA1.3 | 11 +- lib/libcrypto/man/SMIME_read_PKCS7.3 | 7 +- lib/libcrypto/man/SMIME_write_PKCS7.3 | 7 +- lib/libcrypto/man/STACK_OF.3 | 188 + lib/libcrypto/man/SXNET_new.3 | 8 +- lib/libcrypto/man/TS_REQ_new.3 | 8 +- lib/libcrypto/man/UI_UTIL_read_pw.3 | 18 +- lib/libcrypto/man/UI_create_method.3 | 26 +- lib/libcrypto/man/UI_get_string_type.3 | 8 +- lib/libcrypto/man/UI_new.3 | 89 +- lib/libcrypto/man/X509V3_get_d2i.3 | 80 +- lib/libcrypto/man/X509_ALGOR_dup.3 | 29 +- lib/libcrypto/man/X509_ATTRIBUTE_new.3 | 10 +- lib/libcrypto/man/X509_CINF_new.3 | 18 +- lib/libcrypto/man/X509_CRL_get0_by_serial.3 | 20 +- lib/libcrypto/man/X509_CRL_new.3 | 47 +- lib/libcrypto/man/X509_EXTENSION_set_object.3 | 7 +- lib/libcrypto/man/X509_LOOKUP_hash_dir.3 | 40 +- lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 | 56 +- lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 | 17 +- lib/libcrypto/man/X509_NAME_get_index_by_NID.3 | 7 +- lib/libcrypto/man/X509_NAME_new.3 | 10 +- lib/libcrypto/man/X509_NAME_print_ex.3 | 39 +- lib/libcrypto/man/X509_OBJECT_get0_X509.3 | 236 ++ lib/libcrypto/man/X509_PUBKEY_new.3 | 54 +- lib/libcrypto/man/X509_REQ_new.3 | 12 +- lib/libcrypto/man/X509_REVOKED_new.3 | 66 +- lib/libcrypto/man/X509_SIG_new.3 | 10 +- lib/libcrypto/man/X509_STORE_CTX_get_error.3 | 68 +- .../man/X509_STORE_CTX_get_ex_new_index.3 | 7 +- lib/libcrypto/man/X509_STORE_CTX_new.3 | 120 +- lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3 | 7 +- lib/libcrypto/man/X509_STORE_load_locations.3 | 11 +- .../man/{ASN1_OBJECT_new.3 => 
X509_STORE_new.3} | 122 +- lib/libcrypto/man/X509_STORE_set1_param.3 | 289 +- lib/libcrypto/man/X509_STORE_set_verify_cb_func.3 | 13 +- lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 | 425 +- lib/libcrypto/man/X509_check_ca.3 | 8 +- lib/libcrypto/man/X509_check_host.3 | 8 +- lib/libcrypto/man/X509_check_issued.3 | 8 +- lib/libcrypto/man/X509_check_private_key.3 | 12 +- lib/libcrypto/man/X509_cmp_time.3 | 18 +- lib/libcrypto/man/X509_digest.3 | 21 +- lib/libcrypto/man/X509_get0_notBefore.3 | 158 + ...09_get_subject_name.3 => X509_get0_signature.3} | 186 +- lib/libcrypto/man/X509_get_pubkey.3 | 30 +- lib/libcrypto/man/X509_get_serialNumber.3 | 7 +- lib/libcrypto/man/X509_get_subject_name.3 | 22 +- lib/libcrypto/man/X509_get_version.3 | 20 +- lib/libcrypto/man/X509_new.3 | 48 +- lib/libcrypto/man/X509_sign.3 | 15 +- lib/libcrypto/man/X509_verify_cert.3 | 7 +- lib/libcrypto/man/X509v3_get_ext_by_NID.3 | 8 +- lib/libcrypto/man/crypto.3 | 9 +- lib/libcrypto/man/d2i_ASN1_NULL.3 | 10 +- lib/libcrypto/man/d2i_ASN1_OBJECT.3 | 10 +- lib/libcrypto/man/d2i_ASN1_OCTET_STRING.3 | 60 +- lib/libcrypto/man/d2i_ASN1_SEQUENCE_ANY.3 | 12 +- lib/libcrypto/man/d2i_AUTHORITY_KEYID.3 | 10 +- lib/libcrypto/man/d2i_BASIC_CONSTRAINTS.3 | 16 +- lib/libcrypto/man/d2i_DHparams.3 | 26 +- lib/libcrypto/man/d2i_DIST_POINT.3 | 28 +- lib/libcrypto/man/d2i_DSAPublicKey.3 | 35 +- lib/libcrypto/man/d2i_ECPKParameters.3 | 35 +- lib/libcrypto/man/d2i_ESS_SIGNING_CERT.3 | 8 +- lib/libcrypto/man/d2i_GENERAL_NAME.3 | 24 +- lib/libcrypto/man/d2i_OCSP_REQUEST.3 | 8 +- lib/libcrypto/man/d2i_OCSP_RESPONSE.3 | 8 +- lib/libcrypto/man/d2i_PKCS12.3 | 20 +- lib/libcrypto/man/d2i_PKCS7.3 | 32 +- lib/libcrypto/man/d2i_PKCS8PrivateKey_bio.3 | 28 +- lib/libcrypto/man/d2i_PKCS8_PRIV_KEY_INFO.3 | 17 +- lib/libcrypto/man/d2i_PKEY_USAGE_PERIOD.3 | 10 +- lib/libcrypto/man/d2i_POLICYINFO.3 | 8 +- lib/libcrypto/man/d2i_PROXY_POLICY.3 | 8 +- lib/libcrypto/man/d2i_PrivateKey.3 | 23 +- lib/libcrypto/man/d2i_RSAPublicKey.3 | 38 +- 
lib/libcrypto/man/d2i_TS_REQ.3 | 8 +- lib/libcrypto/man/d2i_X509.3 | 21 +- lib/libcrypto/man/d2i_X509_ALGOR.3 | 10 +- lib/libcrypto/man/d2i_X509_ATTRIBUTE.3 | 10 +- lib/libcrypto/man/d2i_X509_CRL.3 | 18 +- lib/libcrypto/man/d2i_X509_EXTENSION.3 | 16 +- lib/libcrypto/man/d2i_X509_NAME.3 | 48 +- lib/libcrypto/man/d2i_X509_REQ.3 | 16 +- lib/libcrypto/man/d2i_X509_SIG.3 | 18 +- lib/libcrypto/man/des_read_pw.3 | 8 +- lib/libcrypto/man/engine.3 | 237 +- lib/libcrypto/man/get_rfc3526_prime_8192.3 | 50 +- lib/libcrypto/man/i2d_PKCS7_bio_stream.3 | 7 +- lib/libcrypto/man/openssl.cnf.5 | 12 +- lib/libcrypto/man/x509v3.cnf.5 | 10 +- lib/libcrypto/modes/asm/ghash-armv4.pl | 2 +- lib/libcrypto/modes/gcm128.c | 16 +- lib/libcrypto/objects/obj_mac.num | 9 + lib/libcrypto/objects/objects.txt | 14 + lib/libcrypto/ocsp/ocsp.h | 3 +- lib/libcrypto/ocsp/ocsp_cl.c | 8 +- lib/libcrypto/opensslv.h | 7 +- lib/libcrypto/perlasm/x86_64-xlate.pl | 2 +- lib/libcrypto/rsa/rsa.h | 24 +- lib/libcrypto/rsa/rsa_crpt.c | 8 +- lib/libcrypto/rsa/rsa_lib.c | 116 +- lib/libcrypto/rsa/rsa_meth.c | 86 + lib/libcrypto/sha/asm/sha1-armv4-large.pl | 2 +- lib/libcrypto/sha/asm/sha256-armv4.pl | 4 +- lib/libcrypto/sha/asm/sha512-armv4.pl | 6 +- lib/libcrypto/shlib_version | 4 +- lib/libcrypto/x509/x509.h | 46 +- lib/libcrypto/x509/x509_cmp.c | 30 +- lib/libcrypto/x509/x509_lu.c | 56 +- lib/libcrypto/x509/x509_set.c | 60 +- lib/libcrypto/x509/x509_vfy.c | 44 +- lib/libcrypto/x509/x509_vfy.h | 42 +- lib/libcrypto/x509/x509_vpm.c | 6 +- lib/libcrypto/x509/x509cset.c | 39 +- lib/libcrypto/x509/x509name.c | 8 +- lib/libcrypto/x509v3/v3_utl.c | 10 +- lib/libssl/Makefile | 4 +- lib/libssl/Symbols.list | 34 +- lib/libssl/bs_cbb.c | 2 +- lib/libssl/bytestring.h | 2 +- lib/libssl/d1_both.c | 41 +- bin/openssl/apps_posix.c => lib/libssl/d1_clnt.c | 257 +- lib/libssl/d1_meth.c | 6 +- bin/openssl/apps_posix.c => lib/libssl/d1_srvr.c | 237 +- lib/libssl/man/BIO_f_ssl.3 | 61 +- lib/libssl/man/DTLSv1_listen.3 | 7 +- 
lib/libssl/man/Makefile | 8 +- lib/libssl/man/OPENSSL_init_ssl.3 | 61 + lib/libssl/man/PEM_read_SSL_SESSION.3 | 12 +- lib/libssl/man/SSL_CIPHER_get_name.3 | 203 +- lib/libssl/man/SSL_COMP_add_compression_method.3 | 12 +- lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 | 12 +- lib/libssl/man/SSL_CTX_add_session.3 | 10 +- lib/libssl/man/SSL_CTX_ctrl.3 | 16 +- lib/libssl/man/SSL_CTX_flush_sessions.3 | 8 +- lib/libssl/man/SSL_CTX_free.3 | 8 +- .../man/{SSL_dup.3 => SSL_CTX_get0_certificate.3} | 65 +- lib/libssl/man/SSL_CTX_get_ex_new_index.3 | 11 +- lib/libssl/man/SSL_CTX_get_verify_mode.3 | 18 +- lib/libssl/man/SSL_CTX_load_verify_locations.3 | 10 +- lib/libssl/man/SSL_CTX_new.3 | 89 +- lib/libssl/man/SSL_CTX_sess_number.3 | 23 +- lib/libssl/man/SSL_CTX_sess_set_cache_size.3 | 10 +- lib/libssl/man/SSL_CTX_sess_set_get_cb.3 | 7 +- lib/libssl/man/SSL_CTX_sessions.3 | 8 +- lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 | 16 +- lib/libssl/man/SSL_CTX_set_cert_store.3 | 13 +- lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 | 8 +- lib/libssl/man/SSL_CTX_set_cipher_list.3 | 10 +- lib/libssl/man/SSL_CTX_set_client_CA_list.3 | 12 +- lib/libssl/man/SSL_CTX_set_client_cert_cb.3 | 10 +- lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 | 12 +- lib/libssl/man/SSL_CTX_set_generate_session_id.3 | 7 +- lib/libssl/man/SSL_CTX_set_info_callback.3 | 7 +- lib/libssl/man/SSL_CTX_set_max_cert_list.3 | 9 +- lib/libssl/man/SSL_CTX_set_min_proto_version.3 | 62 +- lib/libssl/man/SSL_CTX_set_mode.3 | 12 +- lib/libssl/man/SSL_CTX_set_msg_callback.3 | 7 +- lib/libssl/man/SSL_CTX_set_options.3 | 104 +- lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 | 7 +- lib/libssl/man/SSL_CTX_set_read_ahead.3 | 17 +- lib/libssl/man/SSL_CTX_set_session_cache_mode.3 | 10 +- lib/libssl/man/SSL_CTX_set_session_id_context.3 | 11 +- lib/libssl/man/SSL_CTX_set_ssl_version.3 | 11 +- lib/libssl/man/SSL_CTX_set_timeout.3 | 10 +- .../man/SSL_CTX_set_tlsext_servername_callback.3 | 8 +- lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3 | 
51 +- lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 | 8 +- lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3 | 192 + lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 | 16 +- lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 | 22 +- lib/libssl/man/SSL_CTX_set_verify.3 | 24 +- lib/libssl/man/SSL_CTX_use_certificate.3 | 36 +- lib/libssl/man/SSL_SESSION_free.3 | 43 +- lib/libssl/man/SSL_SESSION_get0_peer.3 | 8 +- lib/libssl/man/SSL_SESSION_get_compress_id.3 | 10 +- lib/libssl/man/SSL_SESSION_get_ex_new_index.3 | 11 +- lib/libssl/man/SSL_SESSION_get_id.3 | 54 +- ...get_id.3 => SSL_SESSION_get_protocol_version.3} | 44 +- lib/libssl/man/SSL_SESSION_get_time.3 | 20 +- .../{SSL_set1_param.3 => SSL_SESSION_has_ticket.3} | 59 +- lib/libssl/man/SSL_SESSION_new.3 | 11 +- lib/libssl/man/SSL_SESSION_print.3 | 10 +- lib/libssl/man/SSL_SESSION_set1_id_context.3 | 38 +- lib/libssl/man/SSL_accept.3 | 8 +- lib/libssl/man/SSL_alert_type_string.3 | 7 +- lib/libssl/man/SSL_clear.3 | 8 +- lib/libssl/man/SSL_connect.3 | 8 +- lib/libssl/man/SSL_copy_session_id.3 | 7 +- lib/libssl/man/SSL_do_handshake.3 | 8 +- lib/libssl/man/SSL_dup.3 | 7 +- lib/libssl/man/SSL_dup_CA_list.3 | 7 +- lib/libssl/man/SSL_export_keying_material.3 | 8 +- lib/libssl/man/SSL_free.3 | 8 +- lib/libssl/man/SSL_get_SSL_CTX.3 | 8 +- lib/libssl/man/SSL_get_certificate.3 | 7 +- lib/libssl/man/SSL_get_ciphers.3 | 40 +- lib/libssl/man/SSL_get_client_CA_list.3 | 10 +- lib/libssl/man/SSL_get_client_random.3 | 150 + lib/libssl/man/SSL_get_current_cipher.3 | 7 +- lib/libssl/man/SSL_get_default_timeout.3 | 8 +- lib/libssl/man/SSL_get_error.3 | 7 +- .../man/SSL_get_ex_data_X509_STORE_CTX_idx.3 | 8 +- lib/libssl/man/SSL_get_ex_new_index.3 | 11 +- lib/libssl/man/SSL_get_fd.3 | 14 +- lib/libssl/man/SSL_get_peer_cert_chain.3 | 8 +- lib/libssl/man/SSL_get_peer_certificate.3 | 8 +- lib/libssl/man/SSL_get_rbio.3 | 10 +- lib/libssl/man/SSL_get_server_tmp_key.3 | 8 +- lib/libssl/man/SSL_get_session.3 | 18 +- lib/libssl/man/SSL_get_shared_ciphers.3 | 
7 +- lib/libssl/man/SSL_get_state.3 | 17 +- lib/libssl/man/SSL_get_verify_result.3 | 8 +- lib/libssl/man/SSL_get_version.3 | 7 +- lib/libssl/man/SSL_library_init.3 | 16 +- lib/libssl/man/SSL_load_client_CA_file.3 | 11 +- lib/libssl/man/SSL_new.3 | 33 +- lib/libssl/man/SSL_num_renegotiations.3 | 8 +- lib/libssl/man/SSL_pending.3 | 8 +- lib/libssl/man/SSL_read.3 | 10 +- lib/libssl/man/SSL_renegotiate.3 | 15 +- lib/libssl/man/SSL_rstate_string.3 | 10 +- lib/libssl/man/SSL_session_reused.3 | 8 +- lib/libssl/man/SSL_set1_param.3 | 58 +- lib/libssl/man/SSL_set_bio.3 | 8 +- lib/libssl/man/SSL_set_connect_state.3 | 53 +- lib/libssl/man/SSL_set_fd.3 | 7 +- lib/libssl/man/SSL_set_max_send_fragment.3 | 10 +- lib/libssl/man/SSL_set_session.3 | 8 +- lib/libssl/man/SSL_set_shutdown.3 | 10 +- lib/libssl/man/SSL_set_tmp_ecdh.3 | 18 +- lib/libssl/man/SSL_set_verify_result.3 | 8 +- lib/libssl/man/SSL_shutdown.3 | 8 +- lib/libssl/man/SSL_state_string.3 | 10 +- lib/libssl/man/SSL_want.3 | 7 +- lib/libssl/man/SSL_write.3 | 8 +- lib/libssl/man/d2i_SSL_SESSION.3 | 10 +- lib/libssl/man/ssl.3 | 12 +- lib/libssl/s3_lib.c | 71 +- lib/libssl/shlib_version | 2 +- lib/libssl/ssl.h | 79 +- lib/libssl/ssl_asn1.c | 4 +- lib/libssl/ssl_both.c | 37 +- lib/libssl/ssl_ciph.c | 100 +- lib/libssl/ssl_clnt.c | 262 +- lib/libssl/ssl_err.c | 3 +- lib/libssl/ssl_init.c | 50 + lib/libssl/ssl_lib.c | 201 +- lib/libssl/ssl_locl.h | 41 +- lib/libssl/ssl_sess.c | 80 +- lib/libssl/ssl_srvr.c | 250 +- lib/libssl/ssl_tlsext.c | 194 +- lib/libssl/ssl_tlsext.h | 8 +- lib/libssl/t1_lib.c | 190 +- lib/libssl/tls1.h | 8 +- lib/libtls/Makefile | 3 +- lib/libtls/Symbols.list | 2 + lib/libtls/man/tls_config_set_session_id.3 | 42 +- lib/libtls/man/tls_conn_version.3 | 34 +- lib/libtls/man/tls_init.3 | 9 +- lib/libtls/man/tls_load_file.3 | 12 +- lib/libtls/shlib_version | 2 +- lib/libtls/tls.c | 54 +- lib/libtls/tls.h | 6 +- lib/libtls/tls_client.c | 131 +- lib/libtls/tls_config.c | 231 +- lib/libtls/tls_conninfo.c | 39 +- 
lib/libtls/tls_internal.h | 30 +- lib/libtls/tls_keypair.c | 178 + lib/libtls/tls_ocsp.c | 41 +- lib/libtls/tls_server.c | 42 +- lib/libtls/tls_util.c | 68 +- lib/libtls/tls_verify.c | 14 +- usr/src/pkg/manifests/library-libressl.mf | 63 +- 585 files changed, 20698 insertions(+), 4983 deletions(-) create mode 100644 lib/libcrypto/bio/bio_meth.c create mode 100644 lib/libcrypto/compat/include/sys/time.h create mode 100644 lib/libcrypto/compat/include/time.h create mode 100644 lib/libcrypto/crypto_init.c create mode 100644 lib/libcrypto/dsa/dsa_meth.c copy lib/libcrypto/man/{ASN1_OBJECT_new.3 => BIO_get_data.3} (58%) create mode 100644 lib/libcrypto/man/BIO_meth_new.3 create mode 100644 lib/libcrypto/man/DH_get0_pqg.3 create mode 100644 lib/libcrypto/man/DSA_get0_pqg.3 copy lib/libcrypto/man/{X509_REVOKED_new.3 => DSA_meth_new.3} (57%) create mode 100644 lib/libcrypto/man/EVP_PKEY_asn1_get_count.3 create mode 100644 lib/libcrypto/man/EVP_PKEY_asn1_new.3 create mode 100644 lib/libcrypto/man/EVP_PKEY_meth_new.3 copy lib/libcrypto/man/{ASN1_OBJECT_new.3 => OPENSSL_config.3} (63%) create mode 100644 lib/libcrypto/man/OPENSSL_init_crypto.3 create mode 100644 lib/libcrypto/man/OPENSSL_sk_new.3 create mode 100644 lib/libcrypto/man/RSA_get0_key.3 copy lib/libcrypto/man/{X509_REVOKED_new.3 => RSA_meth_new.3} (55%) create mode 100644 lib/libcrypto/man/STACK_OF.3 create mode 100644 lib/libcrypto/man/X509_OBJECT_get0_X509.3 copy lib/libcrypto/man/{ASN1_OBJECT_new.3 => X509_STORE_new.3} (64%) rewrite lib/libcrypto/man/X509_STORE_set1_param.3 (91%) create mode 100644 lib/libcrypto/man/X509_get0_notBefore.3 copy lib/libcrypto/man/{X509_get_subject_name.3 => X509_get0_signature.3} (53%) create mode 100644 lib/libcrypto/rsa/rsa_meth.c copy bin/openssl/apps_posix.c => lib/libssl/d1_clnt.c (63%) copy bin/openssl/apps_posix.c => lib/libssl/d1_srvr.c (65%) create mode 100644 lib/libssl/man/OPENSSL_init_ssl.3 copy lib/libssl/man/{SSL_dup.3 => SSL_CTX_get0_certificate.3} (50%) create mode 
100644 lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3 copy lib/libssl/man/{SSL_SESSION_get_id.3 => SSL_SESSION_get_protocol_version.3} (72%) copy lib/libssl/man/{SSL_set1_param.3 => SSL_SESSION_has_ticket.3} (70%) create mode 100644 lib/libssl/man/SSL_get_client_random.3 create mode 100644 lib/libssl/ssl_init.c create mode 100644 lib/libtls/tls_keypair.c diff --git a/bin/nc/nc.1 b/bin/nc/nc.1 index bb3a8f7cf5..e10d385a14 100644 --- a/bin/nc/nc.1 +++ b/bin/nc/nc.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: nc.1,v 1.87 2017/07/15 18:11:47 jmc Exp $ +.\" $OpenBSD: nc.1,v 1.88 2017/11/28 16:59:10 jsing Exp $ .\" .\" Copyright (c) 1996 David Sacerdote .\" All rights reserved. @@ -25,7 +25,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 15 2017 $ +.Dd $Mdocdate: November 28 2017 $ .Dt NC 1 .Os .Sh NAME @@ -233,10 +233,6 @@ Change IPv4 TOS value or TLS options. For TLS options .Ar keyword may be one of: -.Ar tlsall , -which allows the use of all supported TLS protocols and ciphers; -.Ar tlscompat , -which allows the use of all supported TLS protocols and "compat" ciphers; .Ar noverify , which disables certificate verification; .Ar noname , @@ -246,6 +242,15 @@ which requires a client certificate on incoming connections; or .Ar muststaple , which requires the peer to provide a valid stapled OCSP response with the handshake. +The following TLS options specify a value in the form of a key=value pair: +.Ar ciphers , +which allows the supported TLS ciphers to be specified (see +.Xr tls_config_set_ciphers 3 +for further details); +.Ar protocols , +which allows the supported TLS protocols to be specified (see +.Xr tls_config_parse_protocols 3 +for further details). It is illegal to specify TLS options if not using TLS. .Pp For IPv4 TOS value 
@@ -497,10 +502,15 @@ the source port, with a timeout of 5 seconds: .Pp .Dl $ nc -p 31337 -w 5 host.example.com 42 .Pp +Open a TCP connection to port 443 of www.example.com, and negotiate TLS with +any supported TLS protocol version and "compat" ciphers: +.Pp +.Dl $ nc -cv -T protocols=all -T ciphers=compat www.example.com 443 +.Pp Open a TCP connection to port 443 of www.google.ca, and negotiate TLS. -Check for a different name in the certificate for validation. +Check for a different name in the certificate for validation: .Pp -.Dl $ nc -v -c -e adsf.au.doubleclick.net www.google.ca 443 +.Dl $ nc -cv -e adsf.au.doubleclick.net www.google.ca 443 .Pp Open a UDP connection to port 53 of host.example.com: .Pp diff --git a/bin/nc/netcat.c b/bin/nc/netcat.c index 72278e62fe..51c846ba05 100644 --- a/bin/nc/netcat.c +++ b/bin/nc/netcat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: netcat.c,v 1.187 2017/07/15 17:27:39 jsing Exp $ */ +/* $OpenBSD: netcat.c,v 1.190 2018/03/19 16:35:29 jsing Exp $ */ /* * Copyright (c) 2001 Eric Jackson * Copyright (c) 2015 Bob Beck. All rights reserved. @@ -68,12 +68,10 @@ #define BUFSIZE 16384 #define DEFAULT_CA_FILE "/etc/ssl/cert.pem" -#define TLS_ALL (1 << 1) -#define TLS_NOVERIFY (1 << 2) -#define TLS_NONAME (1 << 3) -#define TLS_CCERT (1 << 4) -#define TLS_MUSTSTAPLE (1 << 5) -#define TLS_COMPAT (1 << 6) +#define TLS_NOVERIFY (1 << 1) +#define TLS_NONAME (1 << 2) +#define TLS_CCERT (1 << 3) +#define TLS_MUSTSTAPLE (1 << 4) /* Command Line Options */ int dflag; /* detached, no stdin */ @@ -112,6 +110,8 @@ int tls_cachanged; /* Using non-default CA file */ int TLSopt; /* TLS options */ char *tls_expectname; /* required name in peer cert */ char *tls_expecthash; /* required hash of peer cert */ +char *tls_ciphers; /* TLS ciphers */ +char *tls_protocols; /* TLS protocols */ FILE *Zflag; /* file to save peer cert */ int recvcount, recvlimit; 
@@ -139,8 +139,8 @@ int unix_bind(char *, int); int unix_connect(char *); int unix_listen(char *); void set_common_sockopts(int, int); -int map_tos(char *, int *); -int map_tls(char *, int *); +int process_tos_opt(char *, int *); +int process_tls_opt(char *, int *); void save_peer_cert(struct tls *_tls_ctx, FILE *_fp); void report_connect(const struct sockaddr *, socklen_t, char *); void report_tls(struct tls *tls_ctx, char * host); @@ -165,6 +165,7 @@ main(int argc, char *argv[]) char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE]; struct tls_config *tls_cfg = NULL; struct tls *tls_ctx = NULL; + uint32_t protocols; ret = 1; socksv = 5; @@ -332,9 +333,9 @@ main(int argc, char *argv[]) case 'T': errstr = NULL; errno = 0; - if (map_tos(optarg, &Tflag)) + if (process_tls_opt(optarg, &TLSopt)) break; - if (map_tls(optarg, &TLSopt)) + if (process_tos_opt(optarg, &Tflag)) break; if (strlen(optarg) > 1 && optarg[0] == '0' && optarg[1] == 'x') @@ -412,8 +413,6 @@ main(int argc, char *argv[]) errx(1, "cannot use -c and -F"); if (TLSopt && !usetls) errx(1, "you must specify -c to use TLS options"); - if ((TLSopt & (TLS_ALL|TLS_COMPAT)) == (TLS_ALL|TLS_COMPAT)) - errx(1, "cannot use -T tlsall and -T tlscompat"); if (Cflag && !usetls) errx(1, "you must specify -c to use -C"); if (Kflag && !usetls) @@ -495,8 +494,6 @@ main(int argc, char *argv[]) } if (usetls) { - if (tls_init() == -1) - errx(1, "unable to initialize TLS"); if ((tls_cfg = tls_config_new()) == NULL) errx(1, "unable to allocate TLS config"); if (Rflag && tls_config_set_ca_file(tls_cfg, Rflag) == -1) 
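Review bot: The `if (TLSopt && !usetls)` guard left as context in the `-412,8` hunk no longer catches every TLS option given without `-c`. As `process_tls_opt` is written later in this patch, `-T ciphers=...` and `-T protocols=...` only store into `tls_ciphers`/`tls_protocols` and leave `TLSopt` untouched, so those two options are silently ignored on a non-TLS connection even though nc.1 says TLS options are illegal without TLS. Extending the guard to `if ((TLSopt || tls_ciphers != NULL || tls_protocols != NULL) && !usetls)` would keep the error. main() starts and ends outside these hunks.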
@@ -507,14 +504,12 @@ main(int argc, char *argv[]) errx(1, "%s", tls_config_error(tls_cfg)); if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == -1) errx(1, "%s", tls_config_error(tls_cfg)); - if (TLSopt & (TLS_ALL|TLS_COMPAT)) { - if (tls_config_set_protocols(tls_cfg, - TLS_PROTOCOLS_ALL) != 0) - errx(1, "%s", tls_config_error(tls_cfg)); - if (tls_config_set_ciphers(tls_cfg, - (TLSopt & TLS_ALL) ? "all" : "compat") != 0) - errx(1, "%s", tls_config_error(tls_cfg)); - } + if (tls_config_parse_protocols(&protocols, tls_protocols) == -1) + errx(1, "invalid TLS protocols `%s'", tls_protocols); + if (tls_config_set_protocols(tls_cfg, protocols) == -1) + errx(1, "%s", tls_config_error(tls_cfg)); + if (tls_config_set_ciphers(tls_cfg, tls_ciphers) == -1) + errx(1, "%s", tls_config_error(tls_cfg)); if (!lflag && (TLSopt & TLS_CCERT)) errx(1, "clientcert is only valid with -l"); if (TLSopt & TLS_NONAME) @@ -573,13 +568,12 @@ main(int argc, char *argv[]) * initially to wait for a caller, then use * the regular functions to talk to the caller. */ - int rv, plen; - char buf[16384]; + int rv; + char buf[2048]; struct sockaddr_storage z; len = sizeof(z); - plen = 2048; - rv = recvfrom(s, buf, plen, MSG_PEEK, + rv = recvfrom(s, buf, sizeof(buf), MSG_PEEK, (struct sockaddr *)&z, &len); if (rv < 0) err(1, "recvfrom"); @@ -1536,7 +1530,7 @@ set_common_sockopts(int s, int af) } int -map_tos(char *s, int *val) +process_tos_opt(char *s, int *val) { /* DiffServ Codepoints and other TOS mappings */ const struct toskeywords { 
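Review bot: In the `-507,14` hunk `tls_protocols` and `tls_ciphers` are passed to `tls_config_parse_protocols()` and `tls_config_set_ciphers()` unconditionally, and both stay NULL unless the user gave `-T protocols=` or `-T ciphers=`. The calls therefore depend on libtls treating a NULL string as "use the defaults"; that handling is not visible in this hunk, so it should be confirmed against the tls_config.c shipped with this update. A comment such as `/* NULL tls_protocols/tls_ciphers select the libtls defaults */` above the calls would record the dependency, which also matters for anyone building nc against an older libtls. The enclosing `if (usetls)` block continues outside the hunk.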
@@ -1584,24 +1578,41 @@ map_tos(char *s, int *val) } int -map_tls(char *s, int *val) +process_tls_opt(char *s, int *flags) { + size_t len; + char *v; + const struct tlskeywords { const char *keyword; - int val; + int flag; + char **value; } *t, tlskeywords[] = { - { "tlsall", TLS_ALL }, - { "noverify", TLS_NOVERIFY }, - { "noname", TLS_NONAME }, - { "clientcert", TLS_CCERT}, - { "muststaple", TLS_MUSTSTAPLE}, - { "tlscompat", TLS_COMPAT }, - { NULL, -1 }, + { "ciphers", -1, &tls_ciphers }, + { "clientcert", TLS_CCERT, NULL }, + { "muststaple", TLS_MUSTSTAPLE, NULL }, + { "noverify", TLS_NOVERIFY, NULL }, + { "noname", TLS_NONAME, NULL }, + { "protocols", -1, &tls_protocols }, + { NULL, -1, NULL }, }; + len = strlen(s); + if ((v = strchr(s, '=')) != NULL) { + len = v - s; + v++; + } + for (t = tlskeywords; t->keyword != NULL; t++) { - if (strcmp(s, t->keyword) == 0) { - *val |= t->val; + if (strlen(t->keyword) == len && + strncmp(s, t->keyword, len) == 0) { + if (t->value != NULL) { + if (v == NULL) + errx(1, "invalid tls value `%s'", s); + *t->value = v; + } else { + *flags |= t->flag; + } return 1; } } diff --git a/bin/openssl/apps.c b/bin/openssl/apps.c index a63bbf9c13..90baf65a9f 100644 --- a/bin/openssl/apps.c +++ b/bin/openssl/apps.c @@ -1,4 +1,4 @@ -/* $OpenBSD: apps.c,v 1.44 2017/08/12 21:04:33 jsing Exp $ */ +/* $OpenBSD: apps.c,v 1.47 2018/02/07 08:57:25 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -583,9 +583,8 @@ load_pkcs12(BIO *err, BIO *in, const char *desc, pem_password_cb *pem_cb, } ret = PKCS12_parse(p12, pass, pkey, cert, ca); -die: - if (p12) - PKCS12_free(p12); + die: + PKCS12_free(p12); return ret; } @@ -643,7 +642,7 @@ load_cert(BIO *err, const char *file, int format, const char *pass, goto end; } -end: + end: if (x == NULL) { BIO_printf(err, "unable to load certificate\n"); ERR_print_errors(err); 
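Review bot: In the `process_tls_opt` hunk, a flag keyword followed by `=value` is accepted and the value silently dropped, because the `else` branch that ORs in `t->flag` never looks at `v`; `-T noverify=anything` therefore behaves exactly like `-T noverify`. Since these flags relax certificate and name checking, a malformed argument should be rejected the same way a missing value already is, by adding ``if (v != NULL) errx(1, "invalid tls value `%s'", s);`` before `*flags |= t->flag;`. An empty value such as `-T ciphers=` also passes this parser and is only rejected, if at all, once the string reaches the libtls setters. The tail of the function lies outside the hunk.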
@@ -706,7 +705,7 @@ load_key(BIO *err, const char *file, int format, int maybe_stdin, BIO_printf(err, "bad input format specified for key file\n"); goto end; } -end: + end: BIO_free(key); if (pkey == NULL) { BIO_printf(err, "unable to load %s\n", key_descrip); @@ -783,7 +782,7 @@ load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, goto end; } -end: + end: BIO_free(key); if (pkey == NULL) BIO_printf(err, "unable to load %s\n", key_descrip); @@ -828,7 +827,7 @@ load_netscape_key(BIO *err, BIO *key, const char *file, EVP_PKEY_set1_RSA(pkey, rsa); return pkey; -error: + error: BUF_MEM_free(buf); EVP_PKEY_free(pkey); return NULL; @@ -899,9 +898,8 @@ load_certs_crls(BIO *err, const char *file, int format, const char *pass, if (pcrls && sk_X509_CRL_num(*pcrls) > 0) rv = 1; -end: - if (xis) - sk_X509_INFO_pop_free(xis, X509_INFO_free); + end: + sk_X509_INFO_pop_free(xis, X509_INFO_free); if (rv == 0) { if (pcerts) { @@ -1066,7 +1064,7 @@ copy_extensions(X509 *x, X509_REQ *req, int copy_type) ret = 1; -end: + end: sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); return ret; @@ -1181,7 +1179,7 @@ setup_verify(BIO *bp, char *CAfile, char *CApath) ERR_clear_error(); return store; -end: + end: X509_STORE_free(store); return NULL; } @@ -1310,11 +1308,9 @@ load_serial(char *serialfile, int create, ASN1_INTEGER **retai) ai = NULL; } -err: - if (in != NULL) - BIO_free(in); - if (ai != NULL) - ASN1_INTEGER_free(ai); + err: + BIO_free(in); + ASN1_INTEGER_free(ai); return (ret); } @@ -1358,11 +1354,9 @@ save_serial(char *serialfile, char *suffix, BIGNUM *serial, ai = NULL; } -err: - if (out != NULL) - BIO_free_all(out); - if (ai != NULL) - ASN1_INTEGER_free(ai); + err: + BIO_free_all(out); + ASN1_INTEGER_free(ai); return (ret); } @@ -1405,7 +1399,7 @@ rotate_serial(char *serialfile, char *new_suffix, char *old_suffix) } return 1; -err: + err: return 0; } 
@@ -1430,8 +1424,8 @@ rand_serial(BIGNUM *b, ASN1_INTEGER *ai) ret = 1; -error: - if (!b) + error: + if (b != btmp) BN_free(btmp); return ret; @@ -1496,13 +1490,10 @@ load_index(char *dbfile, DB_ATTR *db_attr) } } -err: - if (dbattr_conf) - NCONF_free(dbattr_conf); - if (tmpdb) - TXT_DB_free(tmpdb); - if (in) - BIO_free_all(in); + err: + NCONF_free(dbattr_conf); + TXT_DB_free(tmpdb); + BIO_free_all(in); return retdb; } @@ -1572,7 +1563,7 @@ save_index(const char *file, const char *suffix, CA_DB *db) return 1; -err: + err: return 0; } @@ -1667,7 +1658,7 @@ rotate_index(const char *dbfile, const char *new_suffix, const char *old_suffix) } return 1; -err: + err: return 0; } @@ -1675,8 +1666,7 @@ void free_index(CA_DB *db) { if (db) { - if (db->db) - TXT_DB_free(db->db); + TXT_DB_free(db->db); free(db); } } @@ -1831,11 +1821,11 @@ parse_name(char *subject, long chtype, int multirdn) } goto done; -error: + error: X509_NAME_free(name); name = NULL; -done: + done: free(ne_values); free(ne_types); free(mval); @@ -1945,8 +1935,7 @@ args_verify(char ***pargs, int *pargc, int *badarg, BIO *err, return 0; if (*badarg) { - if (*pm) - X509_VERIFY_PARAM_free(*pm); + X509_VERIFY_PARAM_free(*pm); *pm = NULL; goto end; } @@ -1970,7 +1959,7 @@ args_verify(char ***pargs, int *pargc, int *badarg, BIO *err, if (at_time) X509_VERIFY_PARAM_set_time(*pm, at_time); -end: + end: (*pargs)++; if (pargc) @@ -2075,8 +2064,8 @@ policies_print(BIO *out, X509_STORE_CTX *ctx) nodes_print(out, "Authority", X509_policy_tree_get0_policies(tree)); nodes_print(out, "User", X509_policy_tree_get0_user_policies(tree)); - if (free_out) - BIO_free(out); + + BIO_free(out); } /* @@ -2316,17 +2305,17 @@ options_parse(int argc, char **argv, struct option *opts, char **unnamed, } } -done: + done: if (argsused != NULL) *argsused = i; return (0); -toomany: + toomany: fprintf(stderr, "too many arguments\n"); return (1); -unknown: + unknown: fprintf(stderr, "unknown option '%s'\n", arg); return (1); } 
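Review bot: The `policies_print` hunk drops the `if (free_out)` guard and now calls `BIO_free(out)` unconditionally, which is a different kind of change from the NULL-guard removals around it, because `free_out` is a flag and not a NULL test on `out`. The function starts outside the hunk, but the flag's name suggests `out` is only allocated locally when the caller passes none; if so, a caller-supplied BIO is now freed here, and any later use or free by the caller becomes a use-after-free or double free. The guard should stay as it was: `if (free_out)` followed by `BIO_free(out);`.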
diff --git a/bin/openssl/apps.h b/bin/openssl/apps.h index 4276e533f7..d02169b8aa 100644 --- a/bin/openssl/apps.h +++ b/bin/openssl/apps.h @@ -1,4 +1,4 @@ -/* $OpenBSD: apps.h,v 1.19 2016/08/30 14:34:59 deraadt Exp $ */ +/* $OpenBSD: apps.h,v 1.20 2017/12/05 15:02:06 jca Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -279,7 +279,8 @@ int app_isdir(const char *); #define TM_START 0 #define TM_STOP 1 -double app_tminterval (int stop, int usertime); +double app_timer_real(int stop); +double app_timer_user(int stop); #define OPENSSL_NO_SSL_INTERN diff --git a/bin/openssl/apps_posix.c b/bin/openssl/apps_posix.c index 67cd465088..502919c0a2 100644 --- a/bin/openssl/apps_posix.c +++ b/bin/openssl/apps_posix.c @@ -116,31 +116,42 @@ * Functions that need to be overridden by non-POSIX operating systems. */ -#include +#include +#include -#include +#include #include "apps.h" double -app_tminterval(int stop, int usertime) +app_timer_real(int stop) { - double ret = 0; - struct tms rus; - clock_t now = times(&rus); - static clock_t tmstart; + static struct timespec start; + struct timespec elapsed, now; - if (usertime) - now = rus.tms_utime; - - if (stop == TM_START) - tmstart = now; - else { - long int tck = sysconf(_SC_CLK_TCK); - ret = (now - tmstart) / (double) tck; + clock_gettime(CLOCK_MONOTONIC, &now); + if (stop) { + timespecsub(&now, &start, &elapsed); + return elapsed.tv_sec + elapsed.tv_nsec / 1000000000.0; } + start = now; + return 0.0; +} + +double +app_timer_user(int stop) +{ + static struct timeval start; + struct timeval elapsed; + struct rusage now; - return (ret); + getrusage(RUSAGE_SELF, &now); + if (stop) { + timersub(&now.ru_utime, &start, &elapsed); + return elapsed.tv_sec + elapsed.tv_usec / 1000000.0; + } + start = now.ru_utime; + return 0.0; } int diff --git a/bin/openssl/asn1pars.c b/bin/openssl/asn1pars.c index fe66b35937..a17584e8a3 100644 --- a/bin/openssl/asn1pars.c +++ b/bin/openssl/asn1pars.c 
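Review bot: In the bin/openssl/apps_posix.c hunk, `app_timer_real` and `app_timer_user` ignore the return values of `clock_gettime()` and `getrusage()`, so on failure `now` is read uninitialised and the reported interval is garbage. A check such as `if (clock_gettime(CLOCK_MONOTONIC, &now) == -1) return 0.0;`, and the equivalent for `getrusage`, keeps the result defined. Both functions keep the start time in a function-local `static`, so a one-line comment saying that a `TM_STOP` call is only meaningful after a `TM_START` call, and that the two timers each hold a single shared start point, would help callers.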
@@ -1,4 +1,4 @@ -/* $OpenBSD: asn1pars.c,v 1.7 2017/01/20 08:57:11 deraadt Exp $ */ +/* $OpenBSD: asn1pars.c,v 1.9 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -408,7 +408,7 @@ asn1parse_main(int argc, char **argv) goto end; } ret = 0; -end: + end: BIO_free(derout); BIO_free(in); BIO_free_all(out); @@ -416,8 +416,7 @@ end: if (ret != 0) ERR_print_errors(bio_err); BUF_MEM_free(buf); - if (at != NULL) - ASN1_TYPE_free(at); + ASN1_TYPE_free(at); sk_OPENSSL_STRING_free(asn1pars_config.osk); OBJ_cleanup(); @@ -465,7 +464,7 @@ do_generate(BIO * bio, char *genstr, char *genconf, BUF_MEM * buf) ASN1_TYPE_free(atyp); return len; -conferr: + conferr: if (errline > 0) BIO_printf(bio, "Error on line %ld of config file '%s'\n", @@ -473,7 +472,7 @@ conferr: else BIO_printf(bio, "Error loading config file '%s'\n", genconf); -err: + err: NCONF_free(cnf); ASN1_TYPE_free(atyp); diff --git a/bin/openssl/ca.c b/bin/openssl/ca.c index 5414a921d4..2e79849572 100644 --- a/bin/openssl/ca.c +++ b/bin/openssl/ca.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ca.c,v 1.25 2017/05/08 21:12:36 beck Exp $ */ +/* $OpenBSD: ca.c,v 1.26 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -497,7 +497,7 @@ ca_main(int argc, char **argv) rev_type = REV_CA_COMPROMISE; } else { -bad: + bad: if (errstr) BIO_printf(bio_err, "invalid argument %s: %s\n", *argv, errstr); @@ -1310,7 +1310,7 @@ bad: /*****************************************************************/ ret = 0; -err: + err: free(tofree); BIO_free_all(Cout); @@ -1407,7 +1407,7 @@ certify(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509, verbose, req, ext_sect, lconf, certopt, nameopt, default_op, ext_copy, selfsign); -err: + err: if (req != NULL) X509_REQ_free(req); if (in != NULL) 
@@ -1464,7 +1464,7 @@ certify_cert(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509, verbose, rreq, ext_sect, lconf, certopt, nameopt, default_op, ext_copy, 0); -err: + err: if (rreq != NULL) X509_REQ_free(rreq); if (req != NULL) @@ -1969,7 +1969,7 @@ again2: goto err; } ok = 1; -err: + err: for (i = 0; i < DB_NUMBER; i++) free(row[i]); @@ -2126,7 +2126,7 @@ certify_spkac(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509, verbose, req, ext_sect, lconf, certopt, nameopt, default_op, ext_copy, 0); -err: + err: if (req != NULL) X509_REQ_free(req); if (parms != NULL) @@ -2248,7 +2248,7 @@ do_revoke(X509 * x509, CA_DB * db, int type, char *value) } ok = 1; -err: + err: for (i = 0; i < DB_NUMBER; i++) free(row[i]); @@ -2320,7 +2320,7 @@ get_certificate_status(const char *serial, CA_DB * db) ok = -1; } -err: + err: for (i = 0; i < DB_NUMBER; i++) free(row[i]); @@ -2383,7 +2383,7 @@ do_updatedb(CA_DB * db) } } -err: + err: ASN1_UTCTIME_free(a_tm); free(a_tm_s); @@ -2534,7 +2534,7 @@ make_revoked(X509_REVOKED * rev, const char *str) else ret = 1; -err: + err: free(tmp); ASN1_OBJECT_free(hold); @@ -2681,7 +2681,7 @@ unpack_revinfo(ASN1_TIME ** prevtm, int *preason, ASN1_OBJECT ** phold, ret = 1; -err: + err: free(tmp); if (!phold) diff --git a/bin/openssl/certhash.c b/bin/openssl/certhash.c index fdd719ea48..5838f0209b 100644 --- a/bin/openssl/certhash.c +++ b/bin/openssl/certhash.c @@ -285,11 +285,11 @@ hashinfo_from_linkname(const char *linkname, const char *target) goto done; -err: + err: hashinfo_free(hi); hi = NULL; -done: + done: free(l); return (hi); @@ -318,7 +318,7 @@ certhash_cert(BIO *bio, const char *filename) hi = hashinfo(filename, hash, fingerprint); -err: + err: X509_free(cert); return (hi); @@ -347,7 +347,7 @@ certhash_crl(BIO *bio, const char *filename) hi = hashinfo(filename, hash, fingerprint); -err: + err: X509_CRL_free(crl); return (hi); 
@@ -371,7 +371,7 @@ certhash_addlink(struct hashinfo **links, struct hashinfo *hi) return (0); -err: + err: hashinfo_free(link); return (-1); } @@ -545,7 +545,7 @@ certhash_file(struct dirent *dep, struct hashinfo **certs, ret = 0; -err: + err: BIO_free(bio); return (ret); @@ -622,10 +622,10 @@ certhash_directory(const char *path) goto done; -err: + err: ret = 1; -done: + done: hashinfo_chain_free(certs); hashinfo_chain_free(crls); hashinfo_chain_free(links); diff --git a/bin/openssl/ciphers.c b/bin/openssl/ciphers.c index 72e12a3aae..2b8ad5ba85 100644 --- a/bin/openssl/ciphers.c +++ b/bin/openssl/ciphers.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ciphers.c,v 1.8 2015/10/17 15:00:11 doug Exp $ */ +/* $OpenBSD: ciphers.c,v 1.9 2018/02/07 05:47:55 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -140,11 +140,11 @@ ciphers_main(int argc, char **argv) goto done; -err: + err: ERR_print_errors_fp(stderr); rv = 1; -done: + done: SSL_CTX_free(ssl_ctx); SSL_free(ssl); diff --git a/bin/openssl/crl.c b/bin/openssl/crl.c index bb7ff62775..645b16ea54 100644 --- a/bin/openssl/crl.c +++ b/bin/openssl/crl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: crl.c,v 1.10 2017/01/20 08:57:11 deraadt Exp $ */ +/* $OpenBSD: crl.c,v 1.11 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -424,7 +424,7 @@ crl_main(int argc, char **argv) } ret = 0; -end: + end: BIO_free_all(out); BIO_free_all(bio_out); bio_out = NULL; @@ -471,7 +471,7 @@ load_crl(char *infile, int format) goto end; } -end: + end: BIO_free(in); return (x); } diff --git a/bin/openssl/crl2p7.c b/bin/openssl/crl2p7.c index 9fceee8098..a9c48a3da0 100644 --- a/bin/openssl/crl2p7.c +++ b/bin/openssl/crl2p7.c @@ -1,4 +1,4 @@ -/* $OpenBSD: crl2p7.c,v 1.7 2017/01/20 08:57:11 deraadt Exp $ */ +/* $OpenBSD: crl2p7.c,v 1.8 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -277,7 +277,7 @@ crl2pkcs7_main(int argc, char **argv) } ret = 0; -end: + end: if (in != NULL) BIO_free(in); if (out != NULL) @@ -323,7 +323,7 @@ add_certs_from_file(STACK_OF(X509) *stack, char *certfile) ret = count; -end: + end: /* never need to free x */ if (in != NULL) BIO_free(in); diff --git a/bin/openssl/dgst.c b/bin/openssl/dgst.c index bcc9f1c761..0bd8d66fc8 100644 --- a/bin/openssl/dgst.c +++ b/bin/openssl/dgst.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dgst.c,v 1.11 2017/04/18 02:15:50 deraadt Exp $ */ +/* $OpenBSD: dgst.c,v 1.12 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -447,7 +447,7 @@ mac_end: } } -end: + end: freezero(buf, BUFSIZE); if (in != NULL) BIO_free(in); diff --git a/bin/openssl/dh.c b/bin/openssl/dh.c index eb51b4b12f..827ca9c7ea 100644 --- a/bin/openssl/dh.c +++ b/bin/openssl/dh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.c,v 1.9 2017/01/20 08:57:11 deraadt Exp $ */ +/* $OpenBSD: dh.c,v 1.11 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -288,12 +288,10 @@ dh_main(int argc, char **argv) } ret = 0; -end: + end: BIO_free(in); - if (out != NULL) - BIO_free_all(out); - if (dh != NULL) - DH_free(dh); + BIO_free_all(out); + DH_free(dh); return (ret); } diff --git a/bin/openssl/dhparam.c b/bin/openssl/dhparam.c index 7c3bfb44c8..f27a5c9e81 100644 --- a/bin/openssl/dhparam.c +++ b/bin/openssl/dhparam.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dhparam.c,v 1.9 2017/01/20 08:57:11 deraadt Exp $ */ +/* $OpenBSD: dhparam.c,v 1.11 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -292,8 +292,7 @@ dhparam_main(int argc, char **argv) BIO_printf(bio_err, "Generating DSA parameters, %d bit long prime\n", num); if (!dsa || !DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL, &cb)) { - if (dsa) - DSA_free(dsa); + DSA_free(dsa); ERR_print_errors(bio_err); goto end; } @@ -467,12 +466,10 @@ dhparam_main(int argc, char **argv) } ret = 0; -end: + end: BIO_free(in); - if (out != NULL) - BIO_free_all(out); - if (dh != NULL) - DH_free(dh); + BIO_free_all(out); + DH_free(dh); return (ret); } diff --git a/bin/openssl/dsa.c b/bin/openssl/dsa.c index 5e0301c734..0b99dedca6 100644 --- a/bin/openssl/dsa.c +++ b/bin/openssl/dsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa.c,v 1.9 2017/01/20 08:57:11 deraadt Exp $ */ +/* $OpenBSD: dsa.c,v 1.11 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -360,12 +360,10 @@ dsa_main(int argc, char **argv) ERR_print_errors(bio_err); } else ret = 0; -end: + end: BIO_free(in); - if (out != NULL) - BIO_free_all(out); - if (dsa != NULL) - DSA_free(dsa); + BIO_free_all(out); + DSA_free(dsa); free(passin); free(passout); diff --git a/bin/openssl/dsaparam.c b/bin/openssl/dsaparam.c index 46efd5d453..8b189cf559 100644 --- a/bin/openssl/dsaparam.c +++ b/bin/openssl/dsaparam.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsaparam.c,v 1.8 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: dsaparam.c,v 1.10 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -338,12 +338,10 @@ dsaparam_main(int argc, char **argv) } ret = 0; -end: + end: BIO_free(in); - if (out != NULL) - BIO_free_all(out); - if (dsa != NULL) - DSA_free(dsa); + BIO_free_all(out); + DSA_free(dsa); return (ret); } diff --git a/bin/openssl/ec.c b/bin/openssl/ec.c index e557990cb9..f2dad6dfef 100644 --- a/bin/openssl/ec.c +++ b/bin/openssl/ec.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ec.c,v 1.9 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: ec.c,v 1.11 2018/02/07 05:47:55 jsing Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ @@ -392,12 +392,10 @@ ec_main(int argc, char **argv) ERR_print_errors(bio_err); } else ret = 0; -end: + end: BIO_free(in); - if (out) - BIO_free_all(out); - if (eckey) - EC_KEY_free(eckey); + BIO_free_all(out); + EC_KEY_free(eckey); free(passin); free(passout); diff --git a/bin/openssl/ecparam.c b/bin/openssl/ecparam.c index 6c497bd355..b1e52fadaf 100644 --- a/bin/openssl/ecparam.c +++ b/bin/openssl/ecparam.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecparam.c,v 1.16 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: ecparam.c,v 1.17 2018/02/07 05:47:55 jsing Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ @@ -572,7 +572,7 @@ ecparam_main(int argc, char **argv) } ret = 0; -end: + end: BN_free(ec_p); BN_free(ec_a); BN_free(ec_b); diff --git a/bin/openssl/enc.c b/bin/openssl/enc.c index 195dc2fc44..3908160170 100644 --- a/bin/openssl/enc.c +++ b/bin/openssl/enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: enc.c,v 1.12 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: enc.c,v 1.14 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -717,13 +717,12 @@ enc_main(int argc, char **argv) BIO_printf(bio_err, "bytes read :%8ld\n", BIO_number_read(in)); BIO_printf(bio_err, "bytes written:%8ld\n", BIO_number_written(out)); } -end: + end: ERR_print_errors(bio_err); free(strbuf); free(buff); BIO_free(in); - if (out != NULL) - BIO_free_all(out); + BIO_free_all(out); BIO_free(benc); BIO_free(b64); #ifdef ZLIB diff --git a/bin/openssl/gendh.c b/bin/openssl/gendh.c index 7c037f44e1..18ff504e44 100644 --- a/bin/openssl/gendh.c +++ b/bin/openssl/gendh.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: gendh.c,v 1.8 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: gendh.c,v 1.10 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -186,13 +186,11 @@ gendh_main(int argc, char **argv) if (!PEM_write_bio_DHparams(out, dh)) goto end; ret = 0; -end: + end: if (ret != 0) ERR_print_errors(bio_err); - if (out != NULL) - BIO_free_all(out); - if (dh != NULL) - DH_free(dh); + BIO_free_all(out); + DH_free(dh); return (ret); } diff --git a/bin/openssl/gendsa.c b/bin/openssl/gendsa.c index 5aeb294e7f..3197e7be7c 100644 --- a/bin/openssl/gendsa.c +++ b/bin/openssl/gendsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gendsa.c,v 1.8 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: gendsa.c,v 1.10 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -143,7 +143,7 @@ gendsa_main(int argc, char **argv) } if (dsaparams == NULL) { -bad: + bad: BIO_printf(bio_err, "usage: gendsa [args] dsaparam-file\n"); BIO_printf(bio_err, " -out file - output the key to 'file'\n"); #ifndef OPENSSL_NO_DES @@ -202,14 +202,12 @@ bad: if (!PEM_write_bio_DSAPrivateKey(out, dsa, enc, NULL, 0, NULL, passout)) goto end; ret = 0; -end: + end: if (ret != 0) ERR_print_errors(bio_err); BIO_free(in); - if (out != NULL) - BIO_free_all(out); - if (dsa != NULL) - DSA_free(dsa); + BIO_free_all(out); + DSA_free(dsa); free(passout); return (ret); diff --git a/bin/openssl/genpkey.c b/bin/openssl/genpkey.c index cae7eacd4e..ef16a5e0da 100644 --- a/bin/openssl/genpkey.c +++ b/bin/openssl/genpkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: genpkey.c,v 1.9 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: genpkey.c,v 1.12 2018/02/08 11:17:44 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006 */ 
@@ -65,27 +65,165 @@ #include #include -static int -init_keygen_file(BIO * err, EVP_PKEY_CTX ** pctx, const char *file); +static int init_keygen_file(BIO * err, EVP_PKEY_CTX **pctx, const char *file); static int genpkey_cb(EVP_PKEY_CTX * ctx); +struct { + const EVP_CIPHER *cipher; + EVP_PKEY_CTX **ctx; + int do_param; + char *outfile; + int outformat; + char *passarg; + int text; +} genpkey_config; + +static int +genpkey_opt_algorithm(char *arg) +{ + if (!init_gen_str(bio_err, genpkey_config.ctx, arg, + genpkey_config.do_param)) + return (1); + + return (0); +} + +static int +genpkey_opt_cipher(int argc, char **argv, int *argsused) +{ + char *name = argv[0]; + + if (*name++ != '-') + return (1); + + if (genpkey_config.do_param == 1) + return (1); + + if (strcmp(name, "none") == 0) { + genpkey_config.cipher = NULL; + *argsused = 1; + return (0); + } + + if ((genpkey_config.cipher = EVP_get_cipherbyname(name)) != NULL) { + *argsused = 1; + return (0); + } + + return (1); +} + +static int +genpkey_opt_paramfile(char *arg) +{ + if (genpkey_config.do_param == 1) + return (1); + if (!init_keygen_file(bio_err, genpkey_config.ctx, arg)) + return (1); + + return (0); +} + +static int +genpkey_opt_pkeyopt(char *arg) +{ + if (*genpkey_config.ctx == NULL) { + BIO_puts(bio_err, "No keytype specified\n"); + return (1); + } + + if (pkey_ctrl_string(*genpkey_config.ctx, arg) <= 0) { + BIO_puts(bio_err, "parameter setting error\n"); + ERR_print_errors(bio_err); + return (1); + } + + return (0); +} + +struct option genpkey_options[] = { + { + .name = "algorithm", + .argname = "name", + .desc = "Public key algorithm to use (must precede -pkeyopt)", + .type = OPTION_ARG_FUNC, + .opt.argfunc = genpkey_opt_algorithm, + }, + { + .name = "genparam", + .desc = "Generate a set of parameters instead of a private key", + .type = OPTION_FLAG, + .opt.flag = &genpkey_config.do_param, + }, + { + .name = "out", + .argname = "file", + .desc = "Output file to write to (default stdout)", + .type = 
OPTION_ARG, + .opt.arg = &genpkey_config.outfile, + }, + { + .name = "outform", + .argname = "format", + .desc = "Output format (DER or PEM)", + .type = OPTION_ARG_FORMAT, + .opt.value = &genpkey_config.outformat, + }, + { + .name = "paramfile", + .argname = "file", + .desc = "File to load public key algorithm parameters from\n" + "(must precede -pkeyopt)", + .type = OPTION_ARG_FUNC, + .opt.argfunc = genpkey_opt_paramfile, + }, + { + .name = "pass", + .argname = "arg", + .desc = "Output file password source", + .type = OPTION_ARG, + .opt.arg = &genpkey_config.passarg, + }, + { + .name = "pkeyopt", + .argname = "opt:value", + .desc = "Set public key algorithm option to the given value", + .type = OPTION_ARG_FUNC, + .opt.argfunc = genpkey_opt_pkeyopt, + }, + { + .name = "text", + .desc = "Print the private/public key in human readable form", + .type = OPTION_FLAG, + .opt.flag = &genpkey_config.text, + }, + { + .name = NULL, + .type = OPTION_ARGV_FUNC, + .opt.argvfunc = genpkey_opt_cipher, + }, + {NULL}, +}; + +static void +genpkey_usage() +{ + fprintf(stderr, + "usage: genpkey [-algorithm alg] [cipher] [-genparam] [-out file]\n" + " [-outform der | pem] [-paramfile file] [-pass arg]\n" + " [-pkeyopt opt:value] [-text]\n\n"); + options_usage(genpkey_options); +} + int genpkey_main(int argc, char **argv) { - char **args, *outfile = NULL; - char *passarg = NULL; BIO *in = NULL, *out = NULL; - const EVP_CIPHER *cipher = NULL; - int outformat; - int text = 0; - EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *ctx = NULL; + EVP_PKEY *pkey = NULL; char *pass = NULL; - int badarg = 0; int ret = 1, rv; - int do_param = 0; - if (single_execution) { if (pledge("stdio cpath wpath rpath tty", NULL) == -1) { perror("pledge"); 
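Review bot: `-genparam` is now a plain `OPTION_FLAG` in `genpkey_options`, so the old parser's rejection of `-genparam` once a context existed (`if (ctx) goto bad;`, removed in the following hunk) is lost. `genpkey_opt_algorithm` and `genpkey_opt_paramfile` read `genpkey_config.do_param` at the moment they run, so with `-algorithm X -genparam` the context is presumably initialised for key generation and `genpkey_main` later takes the parameter-generation path on it, failing at run time instead of at parse time. Handling `-genparam` through a callback that returns 1 when `*genpkey_config.ctx != NULL` would restore the check. As style points, `genpkey_config` and `genpkey_options` are file-local and could be `static`, and `genpkey_usage()` should be declared `genpkey_usage(void)`. `genpkey_main` continues outside this hunk.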
@@ -93,98 +231,29 @@ genpkey_main(int argc, char **argv) } } - outformat = FORMAT_PEM; - - args = argv + 1; - while (!badarg && *args && *args[0] == '-') { - if (!strcmp(*args, "-outform")) { - if (args[1]) { - args++; - outformat = str2fmt(*args); - } else - badarg = 1; - } else if (!strcmp(*args, "-pass")) { - if (!args[1]) - goto bad; - passarg = *(++args); - } - else if (!strcmp(*args, "-paramfile")) { - if (!args[1]) - goto bad; - args++; - if (do_param == 1) - goto bad; - if (!init_keygen_file(bio_err, &ctx, *args)) - goto end; - } else if (!strcmp(*args, "-out")) { - if (args[1]) { - args++; - outfile = *args; - } else - badarg = 1; - } else if (strcmp(*args, "-algorithm") == 0) { - if (!args[1]) - goto bad; - if (!init_gen_str(bio_err, &ctx, *(++args), do_param)) - goto end; - } else if (strcmp(*args, "-pkeyopt") == 0) { - if (!args[1]) - goto bad; - if (!ctx) { - BIO_puts(bio_err, "No keytype specified\n"); - goto bad; - } else if (pkey_ctrl_string(ctx, *(++args)) <= 0) { - BIO_puts(bio_err, "parameter setting error\n"); - ERR_print_errors(bio_err); - goto end; - } - } else if (strcmp(*args, "-genparam") == 0) { - if (ctx) - goto bad; - do_param = 1; - } else if (strcmp(*args, "-text") == 0) - text = 1; - else { - cipher = EVP_get_cipherbyname(*args + 1); - if (!cipher) { - BIO_printf(bio_err, "Unknown cipher %s\n", - *args + 1); - badarg = 1; - } - if (do_param == 1) - badarg = 1; - } - args++; + memset(&genpkey_config, 0, sizeof(genpkey_config)); + genpkey_config.ctx = &ctx; + genpkey_config.outformat = FORMAT_PEM; + + if (options_parse(argc, argv, genpkey_options, NULL, NULL) != 0) { + genpkey_usage(); + goto end; } - if (!ctx) - badarg = 1; - - if (badarg) { -bad: - BIO_printf(bio_err, "Usage: genpkey [options]\n"); - BIO_printf(bio_err, "where options may be\n"); - BIO_printf(bio_err, "-out file output file\n"); - BIO_printf(bio_err, "-outform X output format (DER or PEM)\n"); - BIO_printf(bio_err, "-pass arg output file pass phrase source\n"); - 
BIO_printf(bio_err, "- use cipher to encrypt the key\n"); - BIO_printf(bio_err, "-paramfile file parameters file\n"); - BIO_printf(bio_err, "-algorithm alg the public key algorithm\n"); - BIO_printf(bio_err, "-pkeyopt opt:value set the public key algorithm option \n" - " to value \n"); - BIO_printf(bio_err, "-genparam generate parameters, not key\n"); - BIO_printf(bio_err, "-text print the in text\n"); - BIO_printf(bio_err, "NB: options order may be important! See the manual page.\n"); + if (ctx == NULL) { + genpkey_usage(); goto end; } - if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) { + + if (!app_passwd(bio_err, genpkey_config.passarg, NULL, &pass, NULL)) { BIO_puts(bio_err, "Error getting password\n"); goto end; } - if (outfile) { - if (!(out = BIO_new_file(outfile, "wb"))) { - BIO_printf(bio_err, - "Can't open output file %s\n", outfile); + if (genpkey_config.outfile != NULL) { + if ((out = BIO_new_file(genpkey_config.outfile, "wb")) == + NULL) { + BIO_printf(bio_err, "Can't open output file %s\n", + genpkey_config.outfile); goto end; } } else { @@ -194,7 +263,7 @@ bad: EVP_PKEY_CTX_set_cb(ctx, genpkey_cb); EVP_PKEY_CTX_set_app_data(ctx, bio_err); - if (do_param) { + if (genpkey_config.do_param) { if (EVP_PKEY_paramgen(ctx, &pkey) <= 0) { BIO_puts(bio_err, "Error generating parameters\n"); ERR_print_errors(bio_err); @@ -208,12 +277,12 @@ bad: } } - if (do_param) + if (genpkey_config.do_param) rv = PEM_write_bio_Parameters(out, pkey); - else if (outformat == FORMAT_PEM) - rv = PEM_write_bio_PrivateKey(out, pkey, cipher, NULL, 0, - NULL, pass); - else if (outformat == FORMAT_ASN1) + else if (genpkey_config.outformat == FORMAT_PEM) + rv = PEM_write_bio_PrivateKey(out, pkey, genpkey_config.cipher, + NULL, 0, NULL, pass); + else if (genpkey_config.outformat == FORMAT_ASN1) rv = i2d_PrivateKey_bio(out, pkey); else { BIO_printf(bio_err, "Bad format specified for key\n"); 
@@ -224,8 +293,8 @@ bad: BIO_puts(bio_err, "Error writing key\n"); ERR_print_errors(bio_err); } - if (text) { - if (do_param) + if (genpkey_config.text) { + if (genpkey_config.do_param) rv = EVP_PKEY_print_params(out, pkey, 0, NULL); else rv = EVP_PKEY_print_private(out, pkey, 0, NULL); @@ -237,13 +306,10 @@ bad: } ret = 0; -end: - if (pkey) - EVP_PKEY_free(pkey); - if (ctx) - EVP_PKEY_CTX_free(ctx); - if (out) - BIO_free_all(out); + end: + EVP_PKEY_free(pkey); + EVP_PKEY_CTX_free(ctx); + BIO_free_all(out); BIO_free(in); free(pass); @@ -251,8 +317,7 @@ end: } static int -init_keygen_file(BIO * err, EVP_PKEY_CTX ** pctx, - const char *file) +init_keygen_file(BIO * err, EVP_PKEY_CTX ** pctx, const char *file) { BIO *pbio; EVP_PKEY *pkey = NULL; @@ -282,23 +347,20 @@ init_keygen_file(BIO * err, EVP_PKEY_CTX ** pctx, *pctx = ctx; return 1; -err: + err: BIO_puts(err, "Error initializing context\n"); ERR_print_errors(err); - if (ctx) - EVP_PKEY_CTX_free(ctx); - if (pkey) - EVP_PKEY_free(pkey); + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); return 0; } int -init_gen_str(BIO * err, EVP_PKEY_CTX ** pctx, - const char *algname, int do_param) +init_gen_str(BIO * err, EVP_PKEY_CTX ** pctx, const char *algname, int do_param) { - EVP_PKEY_CTX *ctx = NULL; const EVP_PKEY_ASN1_METHOD *ameth; + EVP_PKEY_CTX *ctx = NULL; int pkey_id; if (*pctx) { @@ -329,11 +391,10 @@ init_gen_str(BIO * err, EVP_PKEY_CTX ** pctx, *pctx = ctx; return 1; -err: + err: BIO_printf(err, "Error initializing %s context\n", algname); ERR_print_errors(err); - if (ctx) - EVP_PKEY_CTX_free(ctx); + EVP_PKEY_CTX_free(ctx); return 0; } diff --git a/bin/openssl/genrsa.c b/bin/openssl/genrsa.c index 4fa5747b28..fdcd0c1105 100644 --- a/bin/openssl/genrsa.c +++ b/bin/openssl/genrsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: genrsa.c,v 1.9 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: genrsa.c,v 1.11 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -165,7 +165,7 @@ genrsa_main(int argc, char **argv) argc--; } if ((argc >= 1) && ((sscanf(*argv, "%d", &num) == 0) || (num < 0))) { -bad: + bad: BIO_printf(bio_err, "usage: genrsa [args] [numbits]\n"); BIO_printf(bio_err, " -des encrypt the generated key with DES in cbc mode\n"); BIO_printf(bio_err, " -des3 encrypt the generated key with DES in ede cbc mode (168 bit key)\n"); @@ -233,14 +233,12 @@ bad: } ret = 0; -err: - if (bn) - BN_free(bn); - if (rsa) - RSA_free(rsa); - if (out) - BIO_free_all(out); + err: + BN_free(bn); + RSA_free(rsa); + BIO_free_all(out); free(passout); + if (ret != 0) ERR_print_errors(bio_err); diff --git a/bin/openssl/nseq.c b/bin/openssl/nseq.c index 4669147416..d50bace12f 100644 --- a/bin/openssl/nseq.c +++ b/bin/openssl/nseq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: nseq.c,v 1.7 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: nseq.c,v 1.8 2018/02/07 05:47:55 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -167,7 +167,7 @@ nseq_main(int argc, char **argv) PEM_write_bio_X509(out, x509); } ret = 0; -end: + end: BIO_free(in); BIO_free_all(out); NETSCAPE_CERT_SEQUENCE_free(seq); diff --git a/bin/openssl/ocsp.c b/bin/openssl/ocsp.c index 64eeef8e5c..04a719bf40 100644 --- a/bin/openssl/ocsp.c +++ b/bin/openssl/ocsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp.c,v 1.12 2017/01/21 09:29:09 deraadt Exp $ */ +/* $OpenBSD: ocsp.c,v 1.15 2018/02/07 05:49:36 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -106,7 +106,7 @@ int ocsp_main(int argc, char **argv) { char **args; - char *host = NULL, *port = NULL, *path = "/"; + char *host = NULL, *port = NULL, *path = NULL; char *reqin = NULL, *respin = NULL; char *reqout = NULL, *respout = NULL; char *signfile = NULL, *keyfile = NULL; 
@@ -177,7 +177,8 @@ ocsp_main(int argc, char **argv) } else badarg = 1; } else if (!strcmp(*args, "-url")) { - if (args[1]) { + if (args[1] && host == NULL && port == NULL && + path == NULL) { args++; if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl)) { BIO_printf(bio_err, "Error parsing URL\n"); @@ -186,13 +187,13 @@ ocsp_main(int argc, char **argv) } else badarg = 1; } else if (!strcmp(*args, "-host")) { - if (args[1]) { + if (args[1] && use_ssl == -1) { args++; host = *args; } else badarg = 1; } else if (!strcmp(*args, "-port")) { - if (args[1]) { + if (args[1] && use_ssl == -1) { args++; port = *args; } else @@ -331,7 +332,7 @@ ocsp_main(int argc, char **argv) } else badarg = 1; } else if (!strcmp(*args, "-path")) { - if (args[1]) { + if (args[1] && use_ssl == -1) { args++; path = *args; } else @@ -629,7 +630,7 @@ redo_accept: if (cbio) send_ocsp_response(cbio, resp); } else if (host) { - resp = process_responder(bio_err, req, host, path, + resp = process_responder(bio_err, req, host, path ? path : "/", port, use_ssl, headers, req_timeout); if (!resp) goto end; @@ -731,7 +732,7 @@ done_resp: ret = 0; -end: + end: ERR_print_errors(bio_err); X509_free(signer); X509_STORE_free(store); @@ -782,7 +783,7 @@ add_ocsp_cert(OCSP_REQUEST ** req, X509 * cert, const EVP_MD * cert_id_md, X509 goto err; return 1; -err: + err: BIO_printf(bio_err, "Error Creating OCSP request\n"); return 0; } @@ -818,7 +819,7 @@ add_ocsp_serial(OCSP_REQUEST ** req, char *serial, const EVP_MD * cert_id_md, X5 goto err; return 1; -err: + err: BIO_printf(bio_err, "Error Creating OCSP request\n"); return 0; } @@ -925,8 +926,7 @@ make_ocsp_response(OCSP_RESPONSE ** resp, OCSP_REQUEST * req, CA_DB * db, NULL); goto end; } - if (ca_id) - OCSP_CERTID_free(ca_id); + OCSP_CERTID_free(ca_id); ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca); /* Is this request about our CA? */ 
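Review bot: The new mutual-exclusion rule between `-url` and `-host`/`-port`/`-path` is enforced with two different sentinels and no explanation: `-url` tests `host == NULL && port == NULL && path == NULL`, while `-host` and `-port` here (and `-path` in the `@@ -331,7 +332,7 @@` hunk) test `use_ssl == -1`. That only holds if `use_ssl` starts at -1 and OCSP_parse_url() always overwrites it on success, neither of which is visible in this hunk, so a comment such as `/* use_ssl != -1 means -url was already parsed; do not mix its host/port/path with argv values */` belongs above the first test. A rejected combination also falls into `badarg = 1` exactly like a missing argument, so the user gets the usage text with no hint of the conflict; a dedicated message, e.g. `BIO_printf(bio_err, "-url cannot be combined with -host, -port or -path\n");`, would make the failure diagnosable. ocsp_main continues outside the hunk.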
@@ -976,7 +976,7 @@ make_ocsp_response(OCSP_RESPONSE ** resp, OCSP_REQUEST * req, CA_DB * db, *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs); -end: + end: ASN1_TIME_free(thisupd); ASN1_TIME_free(nextupd); OCSP_CERTID_free(ca_id); @@ -1029,7 +1029,7 @@ init_responder(char *port) } return acbio; -err: + err: BIO_free_all(acbio); BIO_free(bufbio); return NULL; @@ -1172,9 +1172,8 @@ query_responder(BIO * err, BIO * cbio, char *path, break; } } -err: - if (ctx) - OCSP_REQ_CTX_free(ctx); + err: + OCSP_REQ_CTX_free(ctx); return rsp; } @@ -1209,11 +1208,9 @@ process_responder(BIO * err, OCSP_REQUEST * req, resp = query_responder(err, cbio, path, headers, req, req_timeout); if (!resp) BIO_printf(bio_err, "Error querying OCSP responder\n"); -end: - if (cbio) - BIO_free_all(cbio); - if (ctx) - SSL_CTX_free(ctx); + end: + BIO_free_all(cbio); + SSL_CTX_free(ctx); return resp; } diff --git a/bin/openssl/openssl.1 b/bin/openssl/openssl.1 index 58f88d021f..ce01e06a84 100644 --- a/bin/openssl/openssl.1 +++ b/bin/openssl/openssl.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: openssl.1,v 1.86 2017/08/28 17:50:58 jsing Exp $ +.\" $OpenBSD: openssl.1,v 1.89 2018/03/22 19:24:18 jmc Exp $ .\" ==================================================================== .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. .\" @@ -112,7 +112,7 @@ .\" .\" OPENSSL .\" -.Dd $Mdocdate: August 28 2017 $ +.Dd $Mdocdate: March 22 2018 $ .Dt OPENSSL 1 .Os .Sh NAME @@ -360,8 +360,8 @@ Specify an alternative configuration file. The number of days to certify the certificate for. .It Fl enddate Ar date Set the expiry date. -The format of the date is YYMMDDHHMMSSZ -.Pq the same as an ASN.1 UTCTime structure . +The format of the date is [YY]YYMMDDHHMMSSZ, +with all four year digits required for dates from 2050 onwards. .It Fl extensions Ar section The section of the configuration file containing certificate extensions to be added when a certificate is issued (defaults to 
@@ -492,8 +492,8 @@ then it can be preceded by a number and a A single self-signed certificate to be signed by the CA. .It Fl startdate Ar date Set the start date. -The format of the date is YYMMDDHHMMSSZ -.Pq the same as an ASN.1 UTCTime structure . +The format of the date is [YY]YYMMDDHHMMSSZ, +with all four year digits required for dates from 2050 onwards. .It Fl status Ar serial Show the status of the certificate with serial number .Ar serial . @@ -3404,7 +3404,7 @@ These are compiled into .Nm openssl and include the usual values such as .Cm commonName , countryName , localityName , organizationName , -.Cm organizationUnitName , stateOrProvinceName . +.Cm organizationalUnitName , stateOrProvinceName . Additionally, .Cm emailAddress is included as well as @@ -3578,6 +3578,7 @@ Verify the input data and output the recovered data. .Op Fl crlf .Op Fl debug .Op Fl extended_crl +.Op Fl groups .Op Fl ign_eof .Op Fl ignore_critical .Op Fl issuer_checks @@ -3691,6 +3692,8 @@ Translate a line feed from the terminal into CR+LF, as required by some servers. .It Fl debug Print extensive debugging information, including a hex dump of all traffic. +.It Fl groups Ar ecgroups +Specify a colon-separated list of permitted EC curve groups. .It Fl ign_eof Inhibit shutting down the connection when end of file is reached in the input. .It Fl key Ar keyfile diff --git a/bin/openssl/openssl.c b/bin/openssl/openssl.c index 346b1d83c7..b3e85d63ba 100644 --- a/bin/openssl/openssl.c +++ b/bin/openssl/openssl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: openssl.c,v 1.25 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: openssl.c,v 1.26 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -385,7 +385,7 @@ lock_dbg_cb(int mode, int type, const char *file, int line) goto err; } -err: + err: if (errstr) { /* we cannot use bio_err here */ fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n", 
@@ -560,7 +560,7 @@ main(int argc, char **argv) BIO_printf(bio_err, "bad exit\n"); ret = 1; -end: + end: free(to_free); if (config != NULL) { @@ -707,7 +707,7 @@ do_cmd(LHASH_OF(FUNCTION) * prog, int argc, char *argv[]) BIO_printf(bio_err, "\n\n"); ret = 0; } -end: + end: return (ret); } diff --git a/bin/openssl/passwd.c b/bin/openssl/passwd.c index af5360448c..428f75a7ca 100644 --- a/bin/openssl/passwd.c +++ b/bin/openssl/passwd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: passwd.c,v 1.8 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: passwd.c,v 1.9 2018/02/07 05:47:55 jsing Exp $ */ #if defined OPENSSL_NO_MD5 #define NO_MD5CRYPT_1 @@ -273,7 +273,7 @@ passwd_main(int argc, char **argv) } ret = 0; -err: + err: ERR_print_errors(bio_err); free(salt_malloc); @@ -477,7 +477,7 @@ do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p, BIO_printf(out, "%s\n", hash); return 1; -err: + err: return 0; } #else diff --git a/bin/openssl/pkcs12.c b/bin/openssl/pkcs12.c index 69d2d0a950..2e852cebc7 100644 --- a/bin/openssl/pkcs12.c +++ b/bin/openssl/pkcs12.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pkcs12.c,v 1.9 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: pkcs12.c,v 1.10 2018/02/07 05:47:55 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -584,7 +584,7 @@ export_end: goto end; } ret = 0; -end: + end: if (p12) PKCS12_free(p12); BIO_free(in); @@ -637,7 +637,7 @@ dump_certs_keys_p12(BIO * out, PKCS12 * p12, char *pass, } ret = 1; -err: + err: if (asafes) sk_PKCS7_pop_free(asafes, PKCS7_free); @@ -768,7 +768,7 @@ get_cert_chain(X509 * cert, X509_STORE * store, STACK_OF(X509) ** chain) goto err; } else chn = X509_STORE_CTX_get1_chain(&store_ctx); -err: + err: X509_STORE_CTX_cleanup(&store_ctx); *chain = chn; diff --git a/bin/openssl/pkcs7.c b/bin/openssl/pkcs7.c index 32d1682ff1..f1edc9e489 100644 --- a/bin/openssl/pkcs7.c +++ b/bin/openssl/pkcs7.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: pkcs7.c,v 1.9 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: pkcs7.c,v 1.10 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -277,7 +277,7 @@ pkcs7_main(int argc, char **argv) } } ret = 0; -end: + end: if (p7 != NULL) PKCS7_free(p7); if (in != NULL) diff --git a/bin/openssl/pkcs8.c b/bin/openssl/pkcs8.c index 5d1c2023af..a0dac88772 100644 --- a/bin/openssl/pkcs8.c +++ b/bin/openssl/pkcs8.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pkcs8.c,v 1.10 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: pkcs8.c,v 1.11 2018/02/07 05:47:55 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999-2004. */ @@ -406,7 +406,7 @@ pkcs8_main(int argc, char **argv) } ret = 0; -end: + end: X509_SIG_free(p8); PKCS8_PRIV_KEY_INFO_free(p8inf); EVP_PKEY_free(pkey); diff --git a/bin/openssl/pkey.c b/bin/openssl/pkey.c index e91bc79090..49782317ee 100644 --- a/bin/openssl/pkey.c +++ b/bin/openssl/pkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pkey.c,v 1.9 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: pkey.c,v 1.10 2018/02/07 05:47:55 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006 */ @@ -149,7 +149,7 @@ pkey_main(int argc, char **argv) } if (badarg) { -bad: + bad: BIO_printf(bio_err, "Usage pkey [options]\n"); BIO_printf(bio_err, "where options are\n"); BIO_printf(bio_err, "-in file input file\n"); @@ -209,7 +209,7 @@ bad: } ret = 0; -end: + end: EVP_PKEY_free(pkey); BIO_free_all(out); BIO_free(in); diff --git a/bin/openssl/pkeyparam.c b/bin/openssl/pkeyparam.c index 698c105141..51ea2b55fb 100644 --- a/bin/openssl/pkeyparam.c +++ b/bin/openssl/pkeyparam.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pkeyparam.c,v 1.10 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: pkeyparam.c,v 1.11 2018/02/07 05:47:55 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006 */ 
@@ -165,7 +165,7 @@ pkeyparam_main(int argc, char **argv) ret = 0; -end: + end: EVP_PKEY_free(pkey); BIO_free_all(out); BIO_free(in); diff --git a/bin/openssl/pkeyutl.c b/bin/openssl/pkeyutl.c index 4752b4c79a..87a9eeb6f5 100644 --- a/bin/openssl/pkeyutl.c +++ b/bin/openssl/pkeyutl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pkeyutl.c,v 1.11 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: pkeyutl.c,v 1.14 2018/02/07 05:47:55 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -95,7 +95,7 @@ pkeyutl_main(int argc, char **argv) int keysize = -1; unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL; - size_t buf_outlen; + size_t buf_outlen = 0; int buf_inlen = 0, siglen = -1; int ret = 1, rv = -1; @@ -309,9 +309,8 @@ pkeyutl_main(int argc, char **argv) else BIO_write(out, buf_out, buf_outlen); -end: - if (ctx) - EVP_PKEY_CTX_free(ctx); + end: + EVP_PKEY_CTX_free(ctx); BIO_free(in); BIO_free_all(out); free(buf_in); @@ -428,7 +427,7 @@ init_ctx(int *pkeysize, EVP_PKEY_CTX_free(ctx); ctx = NULL; } -end: + end: free(passin); diff --git a/bin/openssl/prime.c b/bin/openssl/prime.c index c9bf33bff9..280ccef5fc 100644 --- a/bin/openssl/prime.c +++ b/bin/openssl/prime.c @@ -1,4 +1,4 @@ -/* $OpenBSD: prime.c,v 1.10 2015/10/17 15:00:11 doug Exp $ */ +/* $OpenBSD: prime.c,v 1.11 2018/02/07 05:47:55 jsing Exp $ */ /* ==================================================================== * Copyright (c) 2004 The OpenSSL Project. All rights reserved. * @@ -191,7 +191,7 @@ prime_main(int argc, char **argv) ret = 0; -end: + end: BN_free(bn); BIO_free_all(bio_out); diff --git a/bin/openssl/rand.c b/bin/openssl/rand.c index 04105bc46e..0f91dde8b4 100644 --- a/bin/openssl/rand.c +++ b/bin/openssl/rand.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: rand.c,v 1.11 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: rand.c,v 1.13 2018/02/07 05:47:55 jsing Exp $ */ /* ==================================================================== * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * @@ -176,10 +176,9 @@ rand_main(int argc, char **argv) ret = 0; -err: + err: ERR_print_errors(bio_err); - if (out) - BIO_free_all(out); + BIO_free_all(out); return (ret); } diff --git a/bin/openssl/req.c b/bin/openssl/req.c index 352e38b226..c5cae4df89 100644 --- a/bin/openssl/req.c +++ b/bin/openssl/req.c @@ -1,4 +1,4 @@ -/* $OpenBSD: req.c,v 1.14 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: req.c,v 1.15 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -340,7 +340,7 @@ req_main(int argc, char **argv) } if (badops) { -bad: + bad: BIO_printf(bio_err, "%s [options] outfile\n", prog); BIO_printf(bio_err, "where options are\n"); BIO_printf(bio_err, " -inform arg input format - DER or PEM\n"); @@ -591,7 +591,7 @@ bad: cipher = NULL; i = 0; -loop: + loop: if (!PEM_write_bio_PrivateKey(out, pkey, cipher, NULL, 0, NULL, passout)) { if ((ERR_GET_REASON(ERR_peek_error()) == @@ -858,7 +858,7 @@ loop: } } ex = 0; -end: + end: if (ex) { ERR_print_errors(bio_err); } @@ -943,7 +943,7 @@ make_REQ(X509_REQ * req, EVP_PKEY * pkey, char *subj, int multirdn, goto err; ret = 1; -err: + err: return (ret); } @@ -996,7 +996,7 @@ prompt_info(X509_REQ * req, } if (sk_CONF_VALUE_num(dn_sk)) { i = -1; -start: for (;;) { + start: for (;;) { int ret; i++; if (sk_CONF_VALUE_num(dn_sk) <= i) @@ -1214,7 +1214,7 @@ add_DN_object(X509_NAME * n, char *text, const char *def, char *value, { int i, ret = 0; char buf[1024]; -start: + start: if (!batch) BIO_printf(bio_err, "%s [%s]:", text, def); (void) BIO_flush(bio_err); @@ -1255,7 +1255,7 @@ start: (unsigned char *) buf, -1, -1, mval)) goto err; ret = 1; -err: + err: return (ret); } 
@@ -1267,7 +1267,7 @@ add_attribute_object(X509_REQ * req, char *text, const char *def, int i; static char buf[1024]; -start: + start: if (!batch) BIO_printf(bio_err, "%s [%s]:", text, def); (void) BIO_flush(bio_err); @@ -1312,7 +1312,7 @@ start: goto err; } return (1); -err: + err: return (0); } diff --git a/bin/openssl/rsa.c b/bin/openssl/rsa.c index 7ad1da13b2..09fe8ef0d6 100644 --- a/bin/openssl/rsa.c +++ b/bin/openssl/rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa.c,v 1.9 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: rsa.c,v 1.10 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -439,7 +439,7 @@ rsa_main(int argc, char **argv) } else ret = 0; -end: + end: BIO_free_all(out); RSA_free(rsa); free(passin); diff --git a/bin/openssl/rsautl.c b/bin/openssl/rsautl.c index 1c22e5df0f..1e420b391d 100644 --- a/bin/openssl/rsautl.c +++ b/bin/openssl/rsautl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsautl.c,v 1.12 2017/08/28 17:50:58 jsing Exp $ */ +/* $OpenBSD: rsautl.c,v 1.13 2018/02/07 05:47:55 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -297,7 +297,7 @@ rsautl_main(int argc, char **argv) else BIO_write(out, rsa_out, rsa_outlen); -end: + end: RSA_free(rsa); BIO_free(in); BIO_free_all(out); diff --git a/bin/openssl/s_cb.c b/bin/openssl/s_cb.c index 73c4953c62..b25118c030 100644 --- a/bin/openssl/s_cb.c +++ b/bin/openssl/s_cb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s_cb.c,v 1.8 2017/08/12 21:04:33 jsing Exp $ */ +/* $OpenBSD: s_cb.c,v 1.9 2018/01/15 11:02:07 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -732,6 +732,14 @@ tlsext_cb(SSL * s, int client_server, int type, unsigned char *data, int len, extname = "renegotiation info"; break; + case TLSEXT_TYPE_application_layer_protocol_negotiation: + extname = "application layer protocol negotiation"; + break; + + case TLSEXT_TYPE_padding: + extname = "TLS padding"; + break; + default: extname = "unknown"; break; diff --git a/bin/openssl/s_client.c b/bin/openssl/s_client.c index f81d1a61bb..b66997ee50 100644 --- a/bin/openssl/s_client.c +++ b/bin/openssl/s_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s_client.c,v 1.33 2017/08/12 21:04:33 jsing Exp $ */ +/* $OpenBSD: s_client.c,v 1.36 2018/02/11 20:03:10 jmc Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -592,7 +592,7 @@ s_client_main(int argc, char **argv) goto bad; } if (badop) { -bad: + bad: if (errstr) BIO_printf(bio_err, "invalid argument %s: %s\n", *argv, errstr); @@ -859,7 +859,7 @@ re_start: BIO_free(fbio); if (!foundit) BIO_printf(bio_err, - "didn't found starttls in server response," + "didn't find starttls in server response," " try anyway...\n"); BIO_printf(sbio, "STARTTLS\r\n"); BIO_read(sbio, sbuf, BUFSIZZ); @@ -1200,27 +1200,23 @@ re_start: } ret = 0; -shut: + shut: if (in_init) print_stuff(bio_c_out, con, full_log); SSL_shutdown(con); shutdown(SSL_get_fd(con), SHUT_RD); close(SSL_get_fd(con)); -end: + end: if (con != NULL) { if (prexit != 0) print_stuff(bio_c_out, con, 1); SSL_free(con); } - if (ctx != NULL) - SSL_CTX_free(ctx); - if (cert) - X509_free(cert); - if (key) - EVP_PKEY_free(key); + SSL_CTX_free(ctx); + X509_free(cert); + EVP_PKEY_free(key); free(pass); - if (vpm) - X509_VERIFY_PARAM_free(vpm); + X509_VERIFY_PARAM_free(vpm); freezero(cbuf, BUFSIZZ); freezero(sbuf, BUFSIZZ); freezero(mbuf, BUFSIZZ); 
@@ -1405,8 +1401,7 @@ print_stuff(BIO * bio, SSL * s, int full) } } BIO_printf(bio, "---\n"); - if (peer != NULL) - X509_free(peer); + X509_free(peer); /* flush, or debugging output gets mixed with http response */ (void) BIO_flush(bio); } diff --git a/bin/openssl/s_server.c b/bin/openssl/s_server.c index 7254109fba..4bdafaf682 100644 --- a/bin/openssl/s_server.c +++ b/bin/openssl/s_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s_server.c,v 1.27 2017/08/12 21:04:33 jsing Exp $ */ +/* $OpenBSD: s_server.c,v 1.30 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -404,7 +404,7 @@ cert_status_cb(SSL * s, void *arg) { tlsextstatusctx *srctx = arg; BIO *err = srctx->err; - char *host, *port, *path; + char *host = NULL, *port = NULL, *path = NULL; int use_ssl; unsigned char *rspder = NULL; int rspderlen; @@ -487,7 +487,7 @@ cert_status_cb(SSL * s, void *arg) OCSP_RESPONSE_print(err, resp, 2); } ret = SSL_TLSEXT_ERR_OK; -done: + done: if (ret != SSL_TLSEXT_ERR_OK) ERR_print_errors(err); if (aia) { @@ -503,7 +503,7 @@ done: if (resp) OCSP_RESPONSE_free(resp); return ret; -err: + err: ret = SSL_TLSEXT_ERR_ALERT_FATAL; goto done; } @@ -858,7 +858,7 @@ s_server_main(int argc, char *argv[]) argv++; } if (badop) { -bad: + bad: if (errstr) BIO_printf(bio_err, "invalid argument %s: %s\n", *argv, errstr); 
@@ -1198,30 +1198,21 @@ bad: do_server(port, socket_type, &accept_socket, sv_body, context); print_stats(bio_s_out, ctx); ret = 0; -end: - if (ctx != NULL) - SSL_CTX_free(ctx); - if (s_cert) - X509_free(s_cert); - if (s_dcert) - X509_free(s_dcert); - if (s_key) - EVP_PKEY_free(s_key); - if (s_dkey) - EVP_PKEY_free(s_dkey); + end: + SSL_CTX_free(ctx); + X509_free(s_cert); + X509_free(s_dcert); + EVP_PKEY_free(s_key); + EVP_PKEY_free(s_dkey); free(pass); free(dpass); - if (vpm) - X509_VERIFY_PARAM_free(vpm); + X509_VERIFY_PARAM_free(vpm); free(tlscstatp.host); free(tlscstatp.port); free(tlscstatp.path); - if (ctx2 != NULL) - SSL_CTX_free(ctx2); - if (s_cert2) - X509_free(s_cert2); - if (s_key2) - EVP_PKEY_free(s_key2); + SSL_CTX_free(ctx2); + X509_free(s_cert2); + EVP_PKEY_free(s_key2); free(alpn_ctx.data); if (bio_s_out != NULL) { BIO_free(bio_s_out); @@ -1549,7 +1540,7 @@ sv_body(char *hostname, int s, unsigned char *context) } } } -err: + err: if (con != NULL) { BIO_printf(bio_s_out, "shutting down SSL\n"); SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); @@ -1664,7 +1655,7 @@ load_dh_param(const char *dhfile) if ((bio = BIO_new_file(dhfile, "r")) == NULL) goto err; ret = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); -err: + err: BIO_free(bio); return (ret); } @@ -1949,18 +1940,17 @@ www_body(char *hostname, int s, unsigned char *context) } else break; } -end: + end: /* make sure we re-use sessions */ SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); -err: + err: if (ret >= 0) BIO_printf(bio_s_out, "ACCEPT\n"); free(buf); - if (io != NULL) - BIO_free_all(io); + BIO_free_all(io); /* if (ssl_bio != NULL) BIO_free(ssl_bio);*/ return (ret); } diff --git a/bin/openssl/s_socket.c b/bin/openssl/s_socket.c index 869211de73..d3aff1b3bb 100644 --- a/bin/openssl/s_socket.c +++ b/bin/openssl/s_socket.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: s_socket.c,v 1.8 2015/09/10 02:23:29 lteo Exp $ */ +/* $OpenBSD: s_socket.c,v 1.9 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -122,7 +122,7 @@ init_client(int *sock, char *host, char *port, int type, int af) } perror("connect"); -out: + out: if (s != -1) close(s); freeaddrinfo(ai_top); @@ -210,7 +210,7 @@ init_server_long(int *sock, int port, char *ip, int type) goto err; *sock = s; ret = 1; -err: + err: if ((ret == 0) && (s != -1)) { shutdown(s, SHUT_RD); close(s); @@ -233,7 +233,7 @@ do_accept(int acc_sock, int *sock, char **host) socklen_t len; /* struct linger ling; */ -redoit: + redoit: memset((char *) &from, 0, sizeof(from)); len = sizeof(from); @@ -285,7 +285,7 @@ redoit: } } -end: + end: *sock = ret; return (1); } diff --git a/bin/openssl/s_time.c b/bin/openssl/s_time.c index 3644e108f8..ed89160b23 100644 --- a/bin/openssl/s_time.c +++ b/bin/openssl/s_time.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s_time.c,v 1.17 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: s_time.c,v 1.23 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -88,7 +88,6 @@ #define SECONDS 30 extern int verify_depth; -extern int verify_error; static void s_time_usage(void); static SSL *doConnection(SSL * scon); @@ -233,9 +232,9 @@ s_time_usage(void) #define STOP 1 static double -tm_Time_F(int s) +tm_Time_F(int op) { - return app_tminterval(s, 1); + return app_timer_user(op); } /*********************************************************************** @@ -254,7 +253,7 @@ s_time_main(int argc, char **argv) int ver; if (single_execution) { - if (pledge("stdio rpath inet", NULL) == -1) { + if (pledge("stdio rpath inet dns", NULL) == -1) { perror("pledge"); exit(1); } 
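Review bot: The promise string in s_time_main grows from `"stdio rpath inet"` to `"stdio rpath inet dns"` with no comment saying which code path needs name resolution, which makes the widened sandbox harder to audit later. Presumably it is for resolving the target host when it is given as a name, but that call is outside this hunk; a one-line comment above the `pledge()` call, e.g. `/* dns: the target host may be a name that has to be resolved */`, would record the reason. Note that the call is made only when `single_execution` is set, so the restriction does not cover the other path.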
@@ -354,8 +353,6 @@ s_time_main(int argc, char **argv) SSL_RECEIVED_SHUTDOWN); else SSL_shutdown(scon); - shutdown(SSL_get_fd(scon), SHUT_RDWR); - close(SSL_get_fd(scon)); nConn += 1; if (SSL_session_reused(scon)) @@ -391,7 +388,7 @@ s_time_main(int argc, char **argv) * over */ -next: + next: if (!(s_time_config.perform & 2)) goto end; printf("\n\nNow timing with session id reuse.\n"); @@ -416,8 +413,6 @@ next: SSL_RECEIVED_SHUTDOWN); else SSL_shutdown(scon); - shutdown(SSL_get_fd(scon), SHUT_RDWR); - close(SSL_get_fd(scon)); nConn = 0; totalTime = 0.0; @@ -450,8 +445,6 @@ next: SSL_RECEIVED_SHUTDOWN); else SSL_shutdown(scon); - shutdown(SSL_get_fd(scon), SHUT_RDWR); - close(SSL_get_fd(scon)); nConn += 1; if (SSL_session_reused(scon)) @@ -479,9 +472,8 @@ next: bytes_read / nConn); ret = 0; -end: - if (scon != NULL) - SSL_free(scon); + end: + SSL_free(scon); if (tm_ctx != NULL) { SSL_CTX_free(tm_ctx); diff --git a/bin/openssl/sess_id.c b/bin/openssl/sess_id.c index 3670f5404f..e739d99d94 100644 --- a/bin/openssl/sess_id.c +++ b/bin/openssl/sess_id.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sess_id.c,v 1.8 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: sess_id.c,v 1.9 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -249,7 +249,7 @@ sess_id_main(int argc, char **argv) } ret = 0; -end: + end: BIO_free_all(out); SSL_SESSION_free(x); @@ -289,7 +289,7 @@ load_sess_id(char *infile, int format) ERR_print_errors(bio_err); goto end; } -end: + end: BIO_free(in); return (x); } diff --git a/bin/openssl/smime.c b/bin/openssl/smime.c index 847ee133b6..e8f5201e1b 100644 --- a/bin/openssl/smime.c +++ b/bin/openssl/smime.c @@ -1,4 +1,4 @@ -/* $OpenBSD: smime.c,v 1.8 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: smime.c,v 1.10 2018/02/07 05:47:55 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ 
@@ -342,7 +342,7 @@ smime_main(int argc, char **argv) badarg = 1; if (badarg) { -argerr: + argerr: BIO_printf(bio_err, "Usage smime [options] cert.pem ...\n"); BIO_printf(bio_err, "where options are\n"); BIO_printf(bio_err, "-encrypt encrypt message\n"); @@ -620,17 +620,14 @@ argerr: } } ret = 0; -end: + end: if (ret) ERR_print_errors(bio_err); sk_X509_pop_free(encerts, X509_free); sk_X509_pop_free(other, X509_free); - if (vpm) - X509_VERIFY_PARAM_free(vpm); - if (sksigners) - sk_OPENSSL_STRING_free(sksigners); - if (skkeys) - sk_OPENSSL_STRING_free(skkeys); + X509_VERIFY_PARAM_free(vpm); + sk_OPENSSL_STRING_free(sksigners); + sk_OPENSSL_STRING_free(skkeys); X509_STORE_free(store); X509_free(cert); X509_free(recip); diff --git a/bin/openssl/speed.c b/bin/openssl/speed.c index 0ca87687bd..a21f67b5cf 100644 --- a/bin/openssl/speed.c +++ b/bin/openssl/speed.c @@ -1,4 +1,4 @@ -/* $OpenBSD: speed.c,v 1.19 2016/08/22 04:33:07 deraadt Exp $ */ +/* $OpenBSD: speed.c,v 1.22 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -202,7 +202,10 @@ sig_done(int sig) static double Time_F(int s) { - return app_tminterval(s, usertime); + if (usertime) + return app_timer_user(s); + else + return app_timer_real(s); } @@ -538,7 +541,7 @@ speed_main(int argc, char **argv) doit[D_EVP] = 1; } else if (argc > 0 && !strcmp(*argv, "-decrypt")) { decrypt = 1; - j--; /* Otherwise, -elapsed gets confused with an + j--; /* Otherwise, -decrypt gets confused with an * algorithm. */ } else if ((argc > 0) && (strcmp(*argv, "-multi") == 0)) { @@ -553,7 +556,7 @@ speed_main(int argc, char **argv) BIO_printf(bio_err, "bad multi count: %s", errstr); goto end; } - j--; /* Otherwise, -mr gets confused with an + j--; /* Otherwise, -multi gets confused with an * algorithm. */ } else if (argc > 0 && !strcmp(*argv, "-mr")) { @@ -1894,7 +1897,7 @@ show_res: mret = 0; -end: + end: ERR_print_errors(bio_err); free(buf); free(buf2); 
diff --git a/bin/openssl/spkac.c b/bin/openssl/spkac.c index 77f3e3479c..549a220589 100644 --- a/bin/openssl/spkac.c +++ b/bin/openssl/spkac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: spkac.c,v 1.9 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: spkac.c,v 1.10 2018/02/07 05:47:55 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. Based on an original idea by Massimiliano Pala * (madwolf@openca.org). @@ -301,7 +301,7 @@ spkac_main(int argc, char **argv) ret = 0; -end: + end: NCONF_free(conf); NETSCAPE_SPKI_free(spki); BIO_free(in); diff --git a/bin/openssl/ts.c b/bin/openssl/ts.c index 28462430a2..cac10d0d3f 100644 --- a/bin/openssl/ts.c +++ b/bin/openssl/ts.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ts.c,v 1.14 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: ts.c,v 1.15 2018/02/07 05:47:55 jsing Exp $ */ /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL * project 2002. */ @@ -301,7 +301,7 @@ ts_main(int argc, char **argv) goto cleanup; -usage: + usage: BIO_printf(bio_err, "usage:\n" "ts -query [-config configfile] " "[-data file_to_hash] [-digest digest_bytes]" @@ -322,7 +322,7 @@ usage: "-CApath ca_path -CAfile ca_file.pem " "-untrusted cert_file.pem\n"); -cleanup: + cleanup: /* Clean up. */ NCONF_free(conf); free(password); @@ -435,7 +435,7 @@ query_command(const char *data, char *digest, const EVP_MD * md, ret = 1; -end: + end: ERR_print_errors(bio_err); /* Clean up. */ @@ -521,7 +521,7 @@ create_query(BIO * data_bio, char *digest, const EVP_MD * md, ret = 1; -err: + err: if (!ret) { TS_REQ_free(ts_req); ts_req = NULL; @@ -574,7 +574,7 @@ create_digest(BIO * input, char *digest, const EVP_MD * md, } return md_value_len; -err: + err: return 0; } @@ -605,7 +605,7 @@ create_nonce(int bits) return nonce; -err: + err: BIO_printf(bio_err, "could not create nonce\n"); ASN1_INTEGER_free(nonce); return NULL; 
@@ -680,7 +680,7 @@ reply_command(CONF * conf, char *section, char *queryfile, ret = 1; -end: + end: ERR_print_errors(bio_err); /* Clean up. */ @@ -728,7 +728,7 @@ read_PKCS7(BIO * in_bio) tst_info = NULL; /* Ownership is lost. */ ret = 1; -end: + end: PKCS7_free(token); TS_TST_INFO_free(tst_info); if (!ret) { @@ -813,7 +813,7 @@ create_response(CONF * conf, const char *section, goto end; ret = 1; -end: + end: if (!ret) { TS_RESP_free(response); response = NULL; @@ -876,7 +876,7 @@ next_serial(const char *serialfile) goto err; } ret = 1; -err: + err: if (!ret) { ASN1_INTEGER_free(serial); serial = NULL; @@ -899,7 +899,7 @@ save_ts_serial(const char *serialfile, ASN1_INTEGER * serial) if (BIO_puts(out, "\n") <= 0) goto err; ret = 1; -err: + err: if (!ret) BIO_printf(bio_err, "could not save serial number to %s\n", serialfile); @@ -941,7 +941,7 @@ verify_command(char *data, char *digest, char *queryfile, char *in, TS_RESP_verify_token(verify_ctx, token) : TS_RESP_verify_response(verify_ctx, response); -end: + end: printf("Verification: "); if (ret) printf("OK\n"); @@ -1012,7 +1012,7 @@ create_verify_ctx(char *data, char *digest, char *queryfile, char *ca_path, goto err; ret = 1; -err: + err: if (!ret) { TS_VERIFY_CTX_free(ctx); ctx = NULL; @@ -1064,7 +1064,7 @@ create_cert_store(char *ca_path, char *ca_file) } } return cert_ctx; -err: + err: X509_STORE_free(cert_ctx); return NULL; } diff --git a/bin/openssl/verify.c b/bin/openssl/verify.c index d9b5ef9795..f616e3c440 100644 --- a/bin/openssl/verify.c +++ b/bin/openssl/verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: verify.c,v 1.6 2015/10/17 15:00:11 doug Exp $ */ +/* $OpenBSD: verify.c,v 1.7 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -201,7 +201,7 @@ verify_main(int argc, char **argv) ret = -1; } -end: + end: if (ret == 1) { BIO_printf(bio_err, "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]"); BIO_printf(bio_err, " [-attime timestamp]"); @@ -259,7 +259,7 @@ check(X509_STORE * ctx, char *file, STACK_OF(X509) * uchain, ret = 0; -end: + end: if (i > 0) { fprintf(stdout, "OK\n"); ret = 1; diff --git a/bin/openssl/x509.c b/bin/openssl/x509.c index f43b015684..84aeed3c07 100644 --- a/bin/openssl/x509.c +++ b/bin/openssl/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.14 2017/01/20 08:57:12 deraadt Exp $ */ +/* $OpenBSD: x509.c,v 1.16 2018/02/07 05:47:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -429,7 +429,7 @@ x509_main(int argc, char **argv) } if (badops) { -bad: + bad: for (pp = x509_usage; (*pp != NULL); pp++) BIO_printf(bio_err, "%s", *pp); goto end; @@ -905,7 +905,7 @@ bad: } ret = 0; -end: + end: OBJ_cleanup(); NCONF_free(extconf); BIO_free_all(out); @@ -916,8 +916,7 @@ end: X509_free(xca); EVP_PKEY_free(Upkey); EVP_PKEY_free(CApkey); - if (sigopts) - sk_OPENSSL_STRING_free(sigopts); + sk_OPENSSL_STRING_free(sigopts); X509_REQ_free(rq); ASN1_INTEGER_free(sno); sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); @@ -964,7 +963,7 @@ x509_load_serial(char *CAfile, char *serialfile, int create) if (!save_serial(buf, NULL, serial, &bs)) goto end; -end: + end: free(buf); BN_free(serial); @@ -1037,7 +1036,7 @@ x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x, if (!do_X509_sign(bio_err, x, pkey, digest, sigopts)) goto end; ret = 1; -end: + end: X509_STORE_CTX_cleanup(&xsc); if (!ret) ERR_print_errors(bio_err); @@ -1123,7 +1122,7 @@ sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest, goto err; return 1; -err: + err: ERR_print_errors(bio_err); return 0; } diff --git a/lib/libcrypto/Makefile b/lib/libcrypto/Makefile index cf4a1aed04..c46687f294 100644 
--- a/lib/libcrypto/Makefile +++ b/lib/libcrypto/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.23 2017/08/28 17:41:59 jsing Exp $ +# $OpenBSD: Makefile,v 1.27 2018/03/17 16:20:01 beck Exp $ LIB= crypto LIBREBUILD=y @@ -33,7 +33,7 @@ SYMBOL_LIST= ${.CURDIR}/Symbols.list # crypto/ SRCS+= cryptlib.c malloc-wrapper.c mem_dbg.c cversion.c ex_data.c cpt_err.c SRCS+= o_time.c o_str.c o_init.c -SRCS+= mem_clr.c +SRCS+= mem_clr.c crypto_init.c # aes/ SRCS+= aes_misc.c aes_ecb.c aes_cfb.c aes_ofb.c @@ -60,7 +60,7 @@ SRCS+= a_time_tm.c SRCS+= bf_skey.c bf_ecb.c bf_cfb64.c bf_ofb64.c # bio/ -SRCS+= bio_lib.c bio_cb.c bio_err.c +SRCS+= bio_lib.c bio_cb.c bio_err.c bio_meth.c SRCS+= bss_mem.c bss_null.c bss_fd.c SRCS+= bss_file.c bss_sock.c bss_conn.c SRCS+= bf_null.c bf_buff.c b_print.c b_dump.c @@ -113,6 +113,7 @@ SRCS+= dh_ameth.c dh_pmeth.c dh_prn.c # dsa/ SRCS+= dsa_gen.c dsa_key.c dsa_lib.c dsa_asn1.c dsa_vrf.c dsa_sign.c SRCS+= dsa_err.c dsa_ossl.c dsa_depr.c dsa_ameth.c dsa_pmeth.c dsa_prn.c +SRCS+= dsa_meth.c # dso/ SRCS+= dso_dlfcn.c dso_err.c dso_lib.c dso_null.c @@ -223,7 +224,7 @@ SRCS+= rmd_dgst.c rmd_one.c SRCS+= rsa_eay.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_saos.c rsa_err.c SRCS+= rsa_pk1.c rsa_none.c rsa_oaep.c rsa_chk.c SRCS+= rsa_pss.c rsa_x931.c rsa_asn1.c rsa_depr.c rsa_ameth.c rsa_prn.c -SRCS+= rsa_pmeth.c rsa_crpt.c +SRCS+= rsa_pmeth.c rsa_crpt.c rsa_meth.c # sha/ SRCS+= sha1dgst.c sha1_one.c sha256.c sha512.c diff --git a/lib/libcrypto/Symbols.list b/lib/libcrypto/Symbols.list index d8e38c8f04..eb22f62278 100644 --- a/lib/libcrypto/Symbols.list +++ b/lib/libcrypto/Symbols.list @@ -104,6 +104,7 @@ ASN1_STRING_copy ASN1_STRING_data ASN1_STRING_dup ASN1_STRING_free +ASN1_STRING_get0_data ASN1_STRING_get_default_mask ASN1_STRING_length ASN1_STRING_length_set 
@@ -275,16 +276,37 @@ BIO_free_all BIO_get_accept_socket BIO_get_callback BIO_get_callback_arg +BIO_get_data BIO_get_ex_data BIO_get_ex_new_index BIO_get_host_ip +BIO_get_new_index BIO_get_port BIO_get_retry_BIO BIO_get_retry_reason +BIO_get_shutdown BIO_gethostbyname BIO_gets BIO_indent BIO_int_ctrl +BIO_meth_free +BIO_meth_get_callback_ctrl +BIO_meth_get_create +BIO_meth_get_ctrl +BIO_meth_get_destroy +BIO_meth_get_gets +BIO_meth_get_puts +BIO_meth_get_read +BIO_meth_get_write +BIO_meth_new +BIO_meth_set_callback_ctrl +BIO_meth_set_create +BIO_meth_set_ctrl +BIO_meth_set_destroy +BIO_meth_set_gets +BIO_meth_set_puts +BIO_meth_set_read +BIO_meth_set_write BIO_method_name BIO_method_type BIO_new @@ -326,8 +348,11 @@ BIO_set BIO_set_callback BIO_set_callback_arg BIO_set_cipher +BIO_set_data BIO_set_ex_data BIO_set_flags +BIO_set_init +BIO_set_shutdown BIO_set_tcp_ndelay BIO_snprintf BIO_sock_cleanup @@ -338,6 +363,7 @@ BIO_sock_should_retry BIO_socket_ioctl BIO_socket_nbio BIO_test_flags +BIO_up_ref BIO_vfree BIO_vprintf BIO_vsnprintf @@ -362,6 +388,9 @@ BN_CTX_init BN_CTX_new BN_CTX_start BN_GENCB_call +BN_GENCB_free +BN_GENCB_get_arg +BN_GENCB_new BN_GF2m_add BN_GF2m_arr2poly BN_GF2m_mod @@ -425,6 +454,14 @@ BN_get0_nist_prime_256 BN_get0_nist_prime_384 BN_get0_nist_prime_521 BN_get_params +BN_get_rfc2409_prime_1024 +BN_get_rfc2409_prime_768 +BN_get_rfc3526_prime_1536 +BN_get_rfc3526_prime_2048 +BN_get_rfc3526_prime_3072 +BN_get_rfc3526_prime_4096 +BN_get_rfc3526_prime_6144 +BN_get_rfc3526_prime_8192 BN_get_word BN_hex2bn BN_init 
@@ -728,22 +765,32 @@ DES_string_to_2keys DES_string_to_key DES_xcbc_encrypt DH_OpenSSL +DH_bits DH_check DH_check_pub_key +DH_clear_flags DH_compute_key DH_free DH_generate_key DH_generate_parameters DH_generate_parameters_ex +DH_get0_engine +DH_get0_key +DH_get0_pqg DH_get_default_method DH_get_ex_data DH_get_ex_new_index DH_new DH_new_method +DH_set0_key +DH_set0_pqg DH_set_default_method DH_set_ex_data +DH_set_flags +DH_set_length DH_set_method DH_size +DH_test_flags DH_up_ref DHparams_dup DHparams_it @@ -766,8 +813,11 @@ DSAPrivateKey_it DSAPublicKey_it DSA_OpenSSL DSA_SIG_free +DSA_SIG_get0 DSA_SIG_it DSA_SIG_new +DSA_SIG_set0 +DSA_clear_flags DSA_do_sign DSA_do_verify DSA_dup_DH @@ -775,19 +825,31 @@ DSA_free DSA_generate_key DSA_generate_parameters DSA_generate_parameters_ex +DSA_get0_engine +DSA_get0_key +DSA_get0_pqg DSA_get_default_method DSA_get_ex_data DSA_get_ex_new_index +DSA_meth_dup +DSA_meth_free +DSA_meth_new +DSA_meth_set_finish +DSA_meth_set_sign DSA_new DSA_new_method DSA_print DSA_print_fp +DSA_set0_key +DSA_set0_pqg DSA_set_default_method DSA_set_ex_data +DSA_set_flags DSA_set_method DSA_sign DSA_sign_setup DSA_size +DSA_test_flags DSA_up_ref DSA_verify DSAparams_dup @@ -829,8 +891,10 @@ ECDH_set_method ECDH_size ECDSA_OpenSSL ECDSA_SIG_free +ECDSA_SIG_get0 ECDSA_SIG_it ECDSA_SIG_new +ECDSA_SIG_set0 ECDSA_do_sign ECDSA_do_sign_ex ECDSA_do_verify @@ -1203,6 +1267,7 @@ EVP_CIPHER_CTX_key_length EVP_CIPHER_CTX_new EVP_CIPHER_CTX_nid EVP_CIPHER_CTX_rand_key +EVP_CIPHER_CTX_reset EVP_CIPHER_CTX_set_app_data EVP_CIPHER_CTX_set_flags EVP_CIPHER_CTX_set_key_length @@ -1261,8 +1326,11 @@ EVP_MD_CTX_copy_ex EVP_MD_CTX_create EVP_MD_CTX_ctrl EVP_MD_CTX_destroy +EVP_MD_CTX_free EVP_MD_CTX_init EVP_MD_CTX_md +EVP_MD_CTX_new +EVP_MD_CTX_reset EVP_MD_CTX_set_flags EVP_MD_CTX_test_flags EVP_MD_block_size 
@@ -1336,6 +1404,10 @@ EVP_PKEY_encrypt_init EVP_PKEY_encrypt_old EVP_PKEY_free EVP_PKEY_get0 +EVP_PKEY_get0_DH +EVP_PKEY_get0_DSA +EVP_PKEY_get0_EC_KEY +EVP_PKEY_get0_RSA EVP_PKEY_get0_asn1 EVP_PKEY_get1_DH EVP_PKEY_get1_DSA @@ -1388,6 +1460,7 @@ EVP_PKEY_sign EVP_PKEY_sign_init EVP_PKEY_size EVP_PKEY_type +EVP_PKEY_up_ref EVP_PKEY_verify EVP_PKEY_verify_init EVP_PKEY_verify_recover @@ -1587,7 +1660,11 @@ HKDF_extract HMAC HMAC_CTX_cleanup HMAC_CTX_copy +HMAC_CTX_free +HMAC_CTX_get_md HMAC_CTX_init +HMAC_CTX_new +HMAC_CTX_reset HMAC_CTX_set_flags HMAC_Final HMAC_Init @@ -1761,6 +1838,7 @@ OCSP_SINGLERESP_add1_ext_i2d OCSP_SINGLERESP_add_ext OCSP_SINGLERESP_delete_ext OCSP_SINGLERESP_free +OCSP_SINGLERESP_get0_id OCSP_SINGLERESP_get1_ext_d2i OCSP_SINGLERESP_get_ext OCSP_SINGLERESP_get_ext_by_NID @@ -1820,6 +1898,7 @@ OPENSSL_cpu_caps OPENSSL_cpuid_setup OPENSSL_ia32cap_P OPENSSL_init +OPENSSL_init_crypto OPENSSL_load_builtin_modules OPENSSL_no_config OPENSSL_strcasecmp @@ -1832,6 +1911,8 @@ OTHERNAME_new OpenSSLDie OpenSSL_add_all_ciphers OpenSSL_add_all_digests +OpenSSL_version +OpenSSL_version_num PBE2PARAM_free PBE2PARAM_it PBE2PARAM_new @@ -2174,17 +2255,28 @@ RSA_PSS_PARAMS_free RSA_PSS_PARAMS_it RSA_PSS_PARAMS_new RSA_X931_hash_id +RSA_bits RSA_blinding_off RSA_blinding_on RSA_check_key +RSA_clear_flags RSA_flags RSA_free RSA_generate_key RSA_generate_key_ex +RSA_get0_crt_params +RSA_get0_factors +RSA_get0_key RSA_get_default_method RSA_get_ex_data RSA_get_ex_new_index RSA_get_method +RSA_meth_dup +RSA_meth_free +RSA_meth_new +RSA_meth_set_finish +RSA_meth_set_priv_dec +RSA_meth_set_priv_enc RSA_new RSA_new_method RSA_padding_add_PKCS1_OAEP 
@@ -2205,13 +2297,18 @@ RSA_private_decrypt RSA_private_encrypt RSA_public_decrypt RSA_public_encrypt +RSA_set0_crt_params +RSA_set0_factors +RSA_set0_key RSA_set_default_method RSA_set_ex_data +RSA_set_flags RSA_set_method RSA_setup_blinding RSA_sign RSA_sign_ASN1_OCTET_STRING RSA_size +RSA_test_flags RSA_up_ref RSA_verify RSA_verify_ASN1_OCTET_STRING @@ -2570,6 +2667,10 @@ X509_CRL_dup X509_CRL_free X509_CRL_get0_by_cert X509_CRL_get0_by_serial +X509_CRL_get0_extensions +X509_CRL_get0_lastUpdate +X509_CRL_get0_nextUpdate +X509_CRL_get0_signature X509_CRL_get_ext X509_CRL_get_ext_by_NID X509_CRL_get_ext_by_OBJ @@ -2577,11 +2678,14 @@ X509_CRL_get_ext_by_critical X509_CRL_get_ext_count X509_CRL_get_ext_d2i X509_CRL_get_meth_data +X509_CRL_get_signature_nid X509_CRL_it X509_CRL_match X509_CRL_new X509_CRL_print X509_CRL_print_fp +X509_CRL_set1_lastUpdate +X509_CRL_set1_nextUpdate X509_CRL_set_default_method X509_CRL_set_issuer_name X509_CRL_set_lastUpdate @@ -2591,6 +2695,7 @@ X509_CRL_set_version X509_CRL_sign X509_CRL_sign_ctx X509_CRL_sort +X509_CRL_up_ref X509_CRL_verify X509_EXTENSIONS_it X509_EXTENSION_create_by_NID @@ -2629,6 +2734,7 @@ X509_NAME_ENTRY_get_data X509_NAME_ENTRY_get_object X509_NAME_ENTRY_it X509_NAME_ENTRY_new +X509_NAME_ENTRY_set X509_NAME_ENTRY_set_data X509_NAME_ENTRY_set_object X509_NAME_INTERNAL_it @@ -2642,6 +2748,7 @@ X509_NAME_digest X509_NAME_dup X509_NAME_entry_count X509_NAME_free +X509_NAME_get0_der X509_NAME_get_entry X509_NAME_get_index_by_NID X509_NAME_get_index_by_OBJ @@ -2657,6 +2764,9 @@ X509_NAME_print_ex X509_NAME_print_ex_fp X509_NAME_set X509_OBJECT_free_contents +X509_OBJECT_get0_X509 +X509_OBJECT_get0_X509_CRL +X509_OBJECT_get_type X509_OBJECT_idx_by_subject X509_OBJECT_retrieve_by_subject X509_OBJECT_retrieve_match @@ -2666,6 +2776,7 @@ X509_PKEY_new X509_POLICY_NODE_print X509_PUBKEY_free X509_PUBKEY_get +X509_PUBKEY_get0 X509_PUBKEY_get0_param X509_PUBKEY_it X509_PUBKEY_new 
@@ -2697,6 +2808,7 @@ X509_REQ_digest X509_REQ_dup X509_REQ_extension_nid X509_REQ_free +X509_REQ_get0_signature X509_REQ_get1_email X509_REQ_get_attr X509_REQ_get_attr_by_NID @@ -2705,6 +2817,7 @@ X509_REQ_get_attr_count X509_REQ_get_extension_nids X509_REQ_get_extensions X509_REQ_get_pubkey +X509_REQ_get_signature_nid X509_REQ_it X509_REQ_new X509_REQ_print @@ -2721,7 +2834,11 @@ X509_REQ_verify X509_REVOKED_add1_ext_i2d X509_REVOKED_add_ext X509_REVOKED_delete_ext +X509_REVOKED_dup X509_REVOKED_free +X509_REVOKED_get0_extensions +X509_REVOKED_get0_revocationDate +X509_REVOKED_get0_serialNumber X509_REVOKED_get_ext X509_REVOKED_get_ext_by_NID X509_REVOKED_get_ext_by_OBJ @@ -2737,11 +2854,15 @@ X509_SIG_it X509_SIG_new X509_STORE_CTX_cleanup X509_STORE_CTX_free +X509_STORE_CTX_get0_cert +X509_STORE_CTX_get0_chain X509_STORE_CTX_get0_current_crl X509_STORE_CTX_get0_current_issuer X509_STORE_CTX_get0_param X509_STORE_CTX_get0_parent_ctx X509_STORE_CTX_get0_policy_tree +X509_STORE_CTX_get0_store +X509_STORE_CTX_get0_untrusted X509_STORE_CTX_get1_chain X509_STORE_CTX_get1_issuer X509_STORE_CTX_get_chain @@ -2756,6 +2877,8 @@ X509_STORE_CTX_new X509_STORE_CTX_purpose_inherit X509_STORE_CTX_set0_crls X509_STORE_CTX_set0_param +X509_STORE_CTX_set0_trusted_stack +X509_STORE_CTX_set0_untrusted X509_STORE_CTX_set_cert X509_STORE_CTX_set_chain X509_STORE_CTX_set_default @@ -2772,19 +2895,24 @@ X509_STORE_add_cert X509_STORE_add_crl X509_STORE_add_lookup X509_STORE_free +X509_STORE_get0_objects +X509_STORE_get0_param X509_STORE_get1_certs X509_STORE_get1_crls X509_STORE_get_by_subject +X509_STORE_get_ex_data X509_STORE_load_locations X509_STORE_load_mem X509_STORE_new X509_STORE_set1_param X509_STORE_set_default_paths X509_STORE_set_depth +X509_STORE_set_ex_data X509_STORE_set_flags X509_STORE_set_purpose X509_STORE_set_trust X509_STORE_set_verify_cb +X509_STORE_up_ref X509_TRUST_add X509_TRUST_cleanup X509_TRUST_get0 
@@ -2800,18 +2928,28 @@ X509_VAL_it X509_VAL_new X509_VERIFY_PARAM_add0_policy X509_VERIFY_PARAM_add0_table +X509_VERIFY_PARAM_add1_host X509_VERIFY_PARAM_clear_flags X509_VERIFY_PARAM_free +X509_VERIFY_PARAM_get0 +X509_VERIFY_PARAM_get0_name +X509_VERIFY_PARAM_get0_peername +X509_VERIFY_PARAM_get_count X509_VERIFY_PARAM_get_depth X509_VERIFY_PARAM_get_flags X509_VERIFY_PARAM_inherit X509_VERIFY_PARAM_lookup X509_VERIFY_PARAM_new X509_VERIFY_PARAM_set1 +X509_VERIFY_PARAM_set1_email +X509_VERIFY_PARAM_set1_host +X509_VERIFY_PARAM_set1_ip +X509_VERIFY_PARAM_set1_ip_asc X509_VERIFY_PARAM_set1_name X509_VERIFY_PARAM_set1_policies X509_VERIFY_PARAM_set_depth X509_VERIFY_PARAM_set_flags +X509_VERIFY_PARAM_set_hostflags X509_VERIFY_PARAM_set_purpose X509_VERIFY_PARAM_set_time X509_VERIFY_PARAM_set_trust @@ -2823,6 +2961,7 @@ X509_add_ext X509_alias_get0 X509_alias_set1 X509_certificate_type +X509_chain_up_ref X509_check_akid X509_check_ca X509_check_email @@ -2843,7 +2982,13 @@ X509_email_free X509_find_by_issuer_and_serial X509_find_by_subject X509_free +X509_get0_extensions +X509_get0_notAfter +X509_get0_notBefore +X509_get0_pubkey X509_get0_pubkey_bitstr +X509_get0_signature +X509_get0_tbs_sigalg X509_get1_email X509_get1_ocsp X509_get_default_cert_area @@ -2864,7 +3009,10 @@ X509_get_issuer_name X509_get_pubkey X509_get_pubkey_parameters X509_get_serialNumber +X509_get_signature_nid X509_get_subject_name +X509_getm_notAfter +X509_getm_notBefore X509_gmtime_adj X509_issuer_and_serial_cmp X509_issuer_and_serial_hash @@ -2896,6 +3044,8 @@ X509_print_ex_fp X509_print_fp X509_pubkey_digest X509_reject_clear +X509_set1_notAfter +X509_set1_notBefore X509_set_ex_data X509_set_issuer_name X509_set_notAfter diff --git a/lib/libcrypto/aes/asm/aes-armv4.pl b/lib/libcrypto/aes/asm/aes-armv4.pl index 717cc1ed7f..1cb9586d4b 100644 --- a/lib/libcrypto/aes/asm/aes-armv4.pl +++ b/lib/libcrypto/aes/asm/aes-armv4.pl 
@@ -172,7 +172,7 @@ AES_encrypt: mov $rounds,r0 @ inp mov $key,r2 sub $tbl,r3,#AES_encrypt-AES_Te @ Te -#if __ARM_ARCH__<7 +#if __ARM_ARCH__<7 || defined(__STRICT_ALIGNMENT) ldrb $s0,[$rounds,#3] @ load input data in endian-neutral ldrb $t1,[$rounds,#2] @ manner... ldrb $t2,[$rounds,#1] @@ -216,7 +216,7 @@ AES_encrypt: bl _armv4_AES_encrypt ldr $rounds,[sp],#4 @ pop out -#if __ARM_ARCH__>=7 +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) #ifdef __ARMEL__ rev $s0,$s0 rev $s1,$s1 @@ -432,7 +432,7 @@ _armv4_AES_set_encrypt_key: mov lr,r1 @ bits mov $key,r2 @ key -#if __ARM_ARCH__<7 +#if __ARM_ARCH__<7 || defined(__STRICT_ALIGNMENT) ldrb $s0,[$rounds,#3] @ load input data in endian-neutral ldrb $t1,[$rounds,#2] @ manner... ldrb $t2,[$rounds,#1] @@ -517,7 +517,7 @@ _armv4_AES_set_encrypt_key: b .Ldone .Lnot128: -#if __ARM_ARCH__<7 +#if __ARM_ARCH__<7 || defined(__STRICT_ALIGNMENT) ldrb $i2,[$rounds,#19] ldrb $t1,[$rounds,#18] ldrb $t2,[$rounds,#17] @@ -588,7 +588,7 @@ _armv4_AES_set_encrypt_key: b .L192_loop .Lnot192: -#if __ARM_ARCH__<7 +#if __ARM_ARCH__<7 || defined(__STRICT_ALIGNMENT) ldrb $i2,[$rounds,#27] ldrb $t1,[$rounds,#26] ldrb $t2,[$rounds,#25] @@ -888,7 +888,7 @@ AES_decrypt: mov $rounds,r0 @ inp mov $key,r2 sub $tbl,r3,#AES_decrypt-AES_Td @ Td -#if __ARM_ARCH__<7 +#if __ARM_ARCH__<7 || defined(__STRICT_ALIGNMENT) ldrb $s0,[$rounds,#3] @ load input data in endian-neutral ldrb $t1,[$rounds,#2] @ manner... ldrb $t2,[$rounds,#1] @@ -932,7 +932,7 @@ AES_decrypt: bl _armv4_AES_decrypt ldr $rounds,[sp],#4 @ pop out -#if __ARM_ARCH__>=7 +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) #ifdef __ARMEL__ rev $s0,$s0 rev $s1,$s1 diff --git a/lib/libcrypto/aes/asm/aes-x86_64.pl b/lib/libcrypto/aes/asm/aes-x86_64.pl index c37fd55648..9072f603a9 100755 --- a/lib/libcrypto/aes/asm/aes-x86_64.pl +++ b/lib/libcrypto/aes/asm/aes-x86_64.pl @@ -352,7 +352,7 @@ ___ ___ } $code.=<<___; - .byte 0xf3,0xc3 # rep ret + retq .size _x86_64_AES_encrypt,.-_x86_64_AES_encrypt ___ 
@@ -580,7 +580,7 @@ $code.=<<___; xor 4($key),$s1 xor 8($key),$s2 xor 12($key),$s3 - .byte 0xf3,0xc3 # rep ret + retq .size _x86_64_AES_encrypt_compact,.-_x86_64_AES_encrypt_compact ___ @@ -925,7 +925,7 @@ ___ ___ } $code.=<<___; - .byte 0xf3,0xc3 # rep ret + retq .size _x86_64_AES_decrypt,.-_x86_64_AES_decrypt ___ @@ -1179,7 +1179,7 @@ $code.=<<___; xor 4($key),$s1 xor 8($key),$s2 xor 12($key),$s3 - .byte 0xf3,0xc3 # rep ret + retq .size _x86_64_AES_decrypt_compact,.-_x86_64_AES_decrypt_compact ___ @@ -1496,7 +1496,7 @@ $code.=<<___; .Lbadpointer: mov \$-1,%rax .Lexit: - .byte 0xf3,0xc3 # rep ret + retq .size _x86_64_AES_set_encrypt_key,.-_x86_64_AES_set_encrypt_key ___ diff --git a/lib/libcrypto/arc4random/getentropy_linux.c b/lib/libcrypto/arc4random/getentropy_linux.c index a845239eb3..408d7fda34 100644 --- a/lib/libcrypto/arc4random/getentropy_linux.c +++ b/lib/libcrypto/arc4random/getentropy_linux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: getentropy_linux.c,v 1.44 2017/04/29 18:43:31 beck Exp $ */ +/* $OpenBSD: getentropy_linux.c,v 1.45 2018/03/13 22:53:28 bcook Exp $ */ /* * Copyright (c) 2014 Theo de Raadt @@ -74,7 +74,7 @@ int getentropy(void *buf, size_t len); static int gotdata(char *buf, size_t len); -#ifdef SYS_getrandom +#if defined(SYS_getrandom) && defined(GRND_NONBLOCK) static int getentropy_getrandom(void *buf, size_t len); #endif static int getentropy_urandom(void *buf, size_t len); @@ -94,7 +94,7 @@ getentropy(void *buf, size_t len) return (-1); } -#ifdef SYS_getrandom +#if defined(SYS_getrandom) && defined(GRND_NONBLOCK) /* * Try descriptor-less getrandom(), in non-blocking mode. * @@ -193,7 +193,7 @@ gotdata(char *buf, size_t len) return (0); } -#ifdef SYS_getrandom +#if defined(SYS_getrandom) && defined(GRND_NONBLOCK) static int getentropy_getrandom(void *buf, size_t len) { diff --git a/lib/libcrypto/arm_arch.h b/lib/libcrypto/arm_arch.h index 3304be81ab..8b8a05b5f7 100644 --- a/lib/libcrypto/arm_arch.h +++ b/lib/libcrypto/arm_arch.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: arm_arch.h,v 1.7 2015/06/29 06:40:06 jsg Exp $ */ +/* $OpenBSD: arm_arch.h,v 1.8 2018/01/07 12:35:52 kettenis Exp $ */ #ifndef __ARM_ARCH_H__ #define __ARM_ARCH_H__ @@ -44,4 +44,8 @@ extern unsigned int OPENSSL_armcap_P; #define ARMV7_NEON (1<<0) #endif +#if defined(__OpenBSD__) +#define __STRICT_ALIGNMENT +#endif + #endif diff --git a/lib/libcrypto/asn1/asn1.h b/lib/libcrypto/asn1/asn1.h index da16d5c529..6fc4cd7527 100644 --- a/lib/libcrypto/asn1/asn1.h +++ b/lib/libcrypto/asn1/asn1.h @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1.h,v 1.43 2017/05/06 17:12:59 beck Exp $ */ +/* $OpenBSD: asn1.h,v 1.44 2018/02/14 16:46:04 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -784,7 +784,8 @@ void ASN1_STRING_set0(ASN1_STRING *str, void *data, int len); int ASN1_STRING_length(const ASN1_STRING *x); void ASN1_STRING_length_set(ASN1_STRING *x, int n); int ASN1_STRING_type(ASN1_STRING *x); -unsigned char * ASN1_STRING_data(ASN1_STRING *x); +unsigned char *ASN1_STRING_data(ASN1_STRING *x); +const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x); ASN1_BIT_STRING *ASN1_BIT_STRING_new(void); void ASN1_BIT_STRING_free(ASN1_BIT_STRING *a); diff --git a/lib/libcrypto/asn1/asn1_lib.c b/lib/libcrypto/asn1/asn1_lib.c index 852644a781..970102c213 100644 --- a/lib/libcrypto/asn1/asn1_lib.c +++ b/lib/libcrypto/asn1/asn1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1_lib.c,v 1.39 2017/05/02 03:59:44 deraadt Exp $ */ +/* $OpenBSD: asn1_lib.c,v 1.40 2018/02/14 16:46:04 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -484,3 +484,9 @@ ASN1_STRING_data(ASN1_STRING *x) { return (x->data); } + +const unsigned char * +ASN1_STRING_get0_data(const ASN1_STRING *x) +{ + return (x->data); +} diff --git a/lib/libcrypto/asn1/evp_asn1.c b/lib/libcrypto/asn1/evp_asn1.c index 83228bb5d2..5f74da1546 100644 --- a/lib/libcrypto/asn1/evp_asn1.c +++ b/lib/libcrypto/asn1/evp_asn1.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: evp_asn1.c,v 1.19 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: evp_asn1.c,v 1.20 2017/11/28 16:51:21 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -60,7 +60,7 @@ #include #include -#include +#include #include int @@ -78,7 +78,6 @@ ASN1_TYPE_set_octetstring(ASN1_TYPE *a, unsigned char *data, int len) return (1); } -/* int max_len: for returned value */ int ASN1_TYPE_get_octetstring(ASN1_TYPE *a, unsigned char *data, int max_len) { 
@@ -100,101 +99,99 @@ ASN1_TYPE_get_octetstring(ASN1_TYPE *a, unsigned char *data, int max_len) return (ret); } +typedef struct { + ASN1_INTEGER *num; + ASN1_OCTET_STRING *value; +} ASN1_int_octetstring; + +static const ASN1_TEMPLATE ASN1_INT_OCTETSTRING_seq_tt[] = { + { + .offset = offsetof(ASN1_int_octetstring, num), + .field_name = "num", + .item = &ASN1_INTEGER_it, + }, + { + .offset = offsetof(ASN1_int_octetstring, value), + .field_name = "value", + .item = &ASN1_OCTET_STRING_it, + }, +}; + +const ASN1_ITEM ASN1_INT_OCTETSTRING_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = ASN1_INT_OCTETSTRING_seq_tt, + .tcount = sizeof(ASN1_INT_OCTETSTRING_seq_tt) / sizeof(ASN1_TEMPLATE), + .size = sizeof(ASN1_int_octetstring), + .sname = "ASN1_INT_OCTETSTRING", +}; + int -ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, unsigned char *data, +ASN1_TYPE_set_int_octetstring(ASN1_TYPE *at, long num, unsigned char *data, int len) { - int n, size; - ASN1_OCTET_STRING os, *osp; - ASN1_INTEGER in; - unsigned char *p; - unsigned char buf[32]; /* when they have 256bit longs, - * I'll be in trouble */ - in.data = buf; - in.length = 32; - os.data = data; - os.type = V_ASN1_OCTET_STRING; - os.length = len; - ASN1_INTEGER_set(&in, num); - n = i2d_ASN1_INTEGER(&in, NULL); - n += i2d_ASN1_bytes((ASN1_STRING *)&os, NULL, V_ASN1_OCTET_STRING, - V_ASN1_UNIVERSAL); - - size = ASN1_object_size(1, n, V_ASN1_SEQUENCE); - - if ((osp = ASN1_STRING_new()) == NULL) - return (0); - /* Grow the 'string' */ - if (!ASN1_STRING_set(osp, NULL, size)) { - ASN1_STRING_free(osp); - return (0); - } + ASN1_int_octetstring *ios; + ASN1_STRING *sp = NULL; + int ret = 0; - ASN1_STRING_length_set(osp, size); - p = ASN1_STRING_data(osp); + if ((ios = (ASN1_int_octetstring *)ASN1_item_new( + &ASN1_INT_OCTETSTRING_it)) == NULL) + goto err; + if ((ios->num = ASN1_INTEGER_new()) == NULL) + goto err; + if (!ASN1_INTEGER_set(ios->num, num)) + goto err; + if ((ios->value = 
ASN1_OCTET_STRING_new()) == NULL) + goto err; + if (!ASN1_OCTET_STRING_set(ios->value, data, len)) + goto err; - ASN1_put_object(&p, 1,n, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL); - i2d_ASN1_INTEGER(&in, &p); - i2d_ASN1_bytes((ASN1_STRING *)&os, &p, V_ASN1_OCTET_STRING, - V_ASN1_UNIVERSAL); + if ((sp = ASN1_item_pack(ios, &ASN1_INT_OCTETSTRING_it, NULL)) == NULL) + goto err; - ASN1_TYPE_set(a, V_ASN1_SEQUENCE, osp); - return (1); + ASN1_TYPE_set(at, V_ASN1_SEQUENCE, sp); + sp = NULL; + + ret = 1; + + err: + ASN1_item_free((ASN1_VALUE *)ios, &ASN1_INT_OCTETSTRING_it); + ASN1_STRING_free(sp); + + return ret; } -/* we return the actual length..., num may be missing, in which - * case, set it to zero */ -/* int max_len: for returned value */ int -ASN1_TYPE_get_int_octetstring(ASN1_TYPE *a, long *num, unsigned char *data, +ASN1_TYPE_get_int_octetstring(ASN1_TYPE *at, long *num, unsigned char *data, int max_len) { - int ret = -1, n; - ASN1_INTEGER *ai = NULL; - ASN1_OCTET_STRING *os = NULL; - const unsigned char *p; - long length; - ASN1_const_CTX c; - - if ((a->type != V_ASN1_SEQUENCE) || (a->value.sequence == NULL)) { - goto err; - } - p = ASN1_STRING_data(a->value.sequence); - length = ASN1_STRING_length(a->value.sequence); + ASN1_STRING *sp = at->value.sequence; + ASN1_int_octetstring *ios = NULL; + int ret = -1; + int len; - c.pp = &p; - c.p = p; - c.max = p + length; - c.error = ASN1_R_DATA_IS_WRONG; - - M_ASN1_D2I_start_sequence(); - c.q = c.p; - if ((ai = d2i_ASN1_INTEGER(NULL, &c.p, c.slen)) == NULL) - goto err; - c.slen -= (c.p - c.q); - c.q = c.p; - if ((os = d2i_ASN1_OCTET_STRING(NULL, &c.p, c.slen)) == NULL) + if (at->type != V_ASN1_SEQUENCE || sp == NULL) goto err; - c.slen -= (c.p - c.q); - if (!M_ASN1_D2I_end_sequence()) + + if ((ios = ASN1_item_unpack(sp, &ASN1_INT_OCTETSTRING_it)) == NULL) goto err; if (num != NULL) - *num = ASN1_INTEGER_get(ai); + *num = ASN1_INTEGER_get(ios->num); + if (data != NULL) { + len = ASN1_STRING_length(ios->value); + if (len > 
max_len) + len = max_len; + memcpy(data, ASN1_STRING_data(ios->value), len); + } - ret = ASN1_STRING_length(os); - if (max_len > ret) - n = ret; - else - n = max_len; + ret = ASN1_STRING_length(ios->value); + + err: + ASN1_item_free((ASN1_VALUE *)ios, &ASN1_INT_OCTETSTRING_it); - if (data != NULL) - memcpy(data, ASN1_STRING_data(os), n); - if (0) { -err: + if (ret == -1) ASN1error(ASN1_R_DATA_IS_WRONG); - } - ASN1_OCTET_STRING_free(os); - ASN1_INTEGER_free(ai); - return (ret); + + return ret; } diff --git a/lib/libcrypto/asn1/x_crl.c b/lib/libcrypto/asn1/x_crl.c index d8f24ca10b..e0e6cc8863 100644 --- a/lib/libcrypto/asn1/x_crl.c +++ b/lib/libcrypto/asn1/x_crl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_crl.c,v 1.27 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: x_crl.c,v 1.30 2018/03/17 14:33:20 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -462,6 +462,12 @@ X509_REVOKED_free(X509_REVOKED *a) ASN1_item_free((ASN1_VALUE *)a, &X509_REVOKED_it); } +X509_REVOKED * +X509_REVOKED_dup(X509_REVOKED *a) +{ + return ASN1_item_dup(&X509_REVOKED_it, a); +} + X509_CRL_INFO * d2i_X509_CRL_INFO(X509_CRL_INFO **a, const unsigned char **in, long len) { @@ -685,3 +691,37 @@ X509_CRL_get_meth_data(X509_CRL *crl) { return crl->meth_data; } + +int +X509_CRL_get_signature_nid(const X509_CRL *crl) +{ + return OBJ_obj2nid(crl->sig_alg->algorithm); +} + +const STACK_OF(X509_EXTENSION) * +X509_CRL_get0_extensions(const X509_CRL *crl) +{ + return crl->crl->extensions; +} + +const ASN1_TIME * +X509_CRL_get0_lastUpdate(const X509_CRL *crl) +{ + return crl->crl->lastUpdate; +} + +const ASN1_TIME * +X509_CRL_get0_nextUpdate(const X509_CRL *crl) +{ + return crl->crl->nextUpdate; +} + +void +X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig, + const X509_ALGOR **palg) +{ + if (psig != NULL) + *psig = crl->signature; + if (palg != NULL) + *palg = crl->sig_alg; +} 
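Review bot: In the rewritten ASN1_TYPE_get_int_octetstring(), `len` is clamped to `max_len` and then passed straight to memcpy(), so a negative `max_len` from a caller would be converted to a very large size_t. The removed code had the same gap, so this rewrite is a natural place to close it by guarding the copy: `if (len > 0) memcpy(data, ASN1_STRING_data(ios->value), len);`. Separately, ASN1_TYPE_set_int_octetstring() assigns fresh objects to `ios->num` and `ios->value` right after ASN1_item_new(). If the template allocator already populates those non-optional members (not visible in this hunk), the originals would leak, which is worth confirming.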
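Review bot: The get0 accessors added at the end of x_crl.c (X509_CRL_get0_extensions, X509_CRL_get0_lastUpdate, X509_CRL_get0_nextUpdate, X509_CRL_get0_signature) hand out pointers to members of `crl` with no comment on ownership. A comment above them such as `/* get0: the returned pointers reference crl's own members; do not free them, and do not use them after crl is freed. */` would keep callers from freeing or outliving them. X509_CRL_get_signature_nid() also dereferences `crl->sig_alg->algorithm` unconditionally, so the comment should say that a fully populated CRL is expected. The same applies to X509_REQ_get0_signature / X509_REQ_get_signature_nid in x_req.c and to X509_get0_signature / X509_get_signature_nid in x_x509.c.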
diff --git a/lib/libcrypto/asn1/x_name.c b/lib/libcrypto/asn1/x_name.c index 30fef39fb7..4bf184252f 100644 --- a/lib/libcrypto/asn1/x_name.c +++ b/lib/libcrypto/asn1/x_name.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_name.c,v 1.33 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: x_name.c,v 1.34 2018/02/20 17:09:20 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -640,3 +640,16 @@ X509_NAME_set(X509_NAME **xn, X509_NAME *name) } return (*xn != NULL); } + +int +X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder, size_t *pderlen) +{ + /* Make sure encoding is valid. */ + if (i2d_X509_NAME(nm, NULL) <= 0) + return 0; + if (pder != NULL) + *pder = (unsigned char *)nm->bytes->data; + if (pderlen != NULL) + *pderlen = nm->bytes->length; + return 1; +} diff --git a/lib/libcrypto/asn1/x_pubkey.c b/lib/libcrypto/asn1/x_pubkey.c index 738507bbb6..ea67419cb2 100644 --- a/lib/libcrypto/asn1/x_pubkey.c +++ b/lib/libcrypto/asn1/x_pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_pubkey.c,v 1.26 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: x_pubkey.c,v 1.27 2018/03/17 14:55:39 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -175,17 +175,15 @@ error: } EVP_PKEY * -X509_PUBKEY_get(X509_PUBKEY *key) +X509_PUBKEY_get0(X509_PUBKEY *key) { EVP_PKEY *ret = NULL; if (key == NULL) goto error; - if (key->pkey != NULL) { - CRYPTO_add(&key->pkey->references, 1, CRYPTO_LOCK_EVP_PKEY); + if (key->pkey != NULL) return key->pkey; - } if (key->public_key == NULL) goto error; @@ -220,7 +218,6 @@ X509_PUBKEY_get(X509_PUBKEY *key) key->pkey = ret; CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); } - CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY); return ret; 
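Review bot: In X509_NAME_get0_der() the assignment `*pder = (unsigned char *)nm->bytes->data;` casts to a non-const pointer although `pder` is `const unsigned char **`; casting to the destination type, `*pder = (const unsigned char *)nm->bytes->data;`, states what is meant. The returned buffer is `nm->bytes`, so it belongs to `nm`, and a short comment that the caller must not free it would help. Whether the buffer can be replaced when the name is re-encoded is not visible in this hunk and would be worth stating as well if it is the case.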
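Review bot: X509_PUBKEY_get0() now returns `key->pkey` without the CRYPTO_add() on `references` that X509_PUBKEY_get() used to perform, but nothing at the definition records that change of ownership. I would add `/* Returns the EVP_PKEY cached in key without taking a reference; the caller must not free it. */` above the function, so that call sites converted from X509_PUBKEY_get() also drop their EVP_PKEY_free(). The function body continues outside these two hunks.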
@@ -229,6 +226,19 @@ error: return (NULL); } +EVP_PKEY * +X509_PUBKEY_get(X509_PUBKEY *key) +{ + EVP_PKEY *pkey; + + if ((pkey = X509_PUBKEY_get0(key)) == NULL) + return (NULL); + + CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY); + + return pkey; +} + /* Now two pseudo ASN1 routines that take an EVP_PKEY structure * and encode or decode as X509_PUBKEY */ diff --git a/lib/libcrypto/asn1/x_req.c b/lib/libcrypto/asn1/x_req.c index 5ffa11e2dd..eb5210aef6 100644 --- a/lib/libcrypto/asn1/x_req.c +++ b/lib/libcrypto/asn1/x_req.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_req.c,v 1.15 2015/02/11 04:00:39 jsing Exp $ */ +/* $OpenBSD: x_req.c,v 1.17 2018/02/22 16:50:30 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -225,3 +225,19 @@ X509_REQ_dup(X509_REQ *x) { return ASN1_item_dup(&X509_REQ_it, x); } + +int +X509_REQ_get_signature_nid(const X509_REQ *req) +{ + return OBJ_obj2nid(req->sig_alg->algorithm); +} + +void +X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig, + const X509_ALGOR **palg) +{ + if (psig != NULL) + *psig = req->signature; + if (palg != NULL) + *palg = req->sig_alg; +} diff --git a/lib/libcrypto/asn1/x_x509.c b/lib/libcrypto/asn1/x_x509.c index 168c2c0fcd..6a56a795c0 100644 --- a/lib/libcrypto/asn1/x_x509.c +++ b/lib/libcrypto/asn1/x_x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_x509.c,v 1.24 2015/03/19 14:00:22 tedu Exp $ */ +/* $OpenBSD: x_x509.c,v 1.26 2018/02/17 15:50:42 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -344,3 +344,19 @@ i2d_X509_AUX(X509 *a, unsigned char **pp) length += i2d_X509_CERT_AUX(a->aux, pp); return length; } + +void +X509_get0_signature(const ASN1_BIT_STRING **psig, const X509_ALGOR **palg, + const X509 *x) +{ + if (psig != NULL) + *psig = x->signature; + if (palg != NULL) + *palg = x->sig_alg; +} + +int +X509_get_signature_nid(const X509 *x) +{ + return OBJ_obj2nid(x->sig_alg->algorithm); +} 
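Review bot: X509_get0_signature() takes its object last (`psig, palg, x`), while X509_CRL_get0_signature() and X509_REQ_get0_signature(), added by the same patch, take it first. If the order is deliberate, presumably to match the OpenSSL 1.1 prototype, a comment such as `/* Argument order differs from the CRL/REQ variants for OpenSSL API compatibility. */` would stop a later cleanup from swapping it.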
diff --git a/lib/libcrypto/bio/b_posix.c b/lib/libcrypto/bio/b_posix.c index a850bc6aea..aed51bd717 100644 --- a/lib/libcrypto/bio/b_posix.c +++ b/lib/libcrypto/bio/b_posix.c @@ -1,4 +1,4 @@ -/* $OpenBSD: b_posix.c,v 1.1 2014/12/03 22:14:38 bcook Exp $ */ +/* $OpenBSD: b_posix.c,v 1.2 2018/03/17 16:20:01 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -68,6 +68,8 @@ int BIO_sock_init(void) { + if (!OPENSSL_init_crypto(0, NULL)) /* XXX do we need this? */ + return (0); return (1); } diff --git a/lib/libcrypto/bio/b_sock.c b/lib/libcrypto/bio/b_sock.c index 48f39838b3..152b080902 100644 --- a/lib/libcrypto/bio/b_sock.c +++ b/lib/libcrypto/bio/b_sock.c @@ -1,4 +1,4 @@ -/* $OpenBSD: b_sock.c,v 1.67 2017/04/30 17:54:11 beck Exp $ */ +/* $OpenBSD: b_sock.c,v 1.69 2018/02/07 00:52:05 bluhm Exp $ */ /* * Copyright (c) 2017 Bob Beck * @@ -134,16 +134,18 @@ BIO_get_accept_socket(char *host, int bind_mode) p = NULL; h = str; if ((p = strrchr(str, ':')) == NULL) { - BIOerror(BIO_R_NO_PORT_SPECIFIED); - goto err; - } - *p++ = '\0'; - if (*p == '\0') { - BIOerror(BIO_R_NO_PORT_SPECIFIED); - goto err; - } - if (*h == '\0' || strcmp(h, "*") == 0) + /* A string without a colon is treated as a port. */ + p = str; h = NULL; + } else { + *p++ = '\0'; + if (*p == '\0') { + BIOerror(BIO_R_NO_PORT_SPECIFIED); + goto err; + } + if (*h == '\0' || strcmp(h, "*") == 0) + h = NULL; + } if ((error = getaddrinfo(h, p, &hints, &res)) != 0) { ERR_asprintf_error_data("getaddrinfo: '%s:%s': %s'", h, p, @@ -184,7 +186,8 @@ BIO_get_accept_socket(char *host, int bind_mode) err: free(str); - freeaddrinfo(res); + if (res != NULL) + freeaddrinfo(res); if ((ret == 0) && (s != -1)) { close(s); s = -1; diff --git a/lib/libcrypto/bio/bio.h b/lib/libcrypto/bio/bio.h index faca125544..d0e2f3550c 100644 --- a/lib/libcrypto/bio/bio.h +++ b/lib/libcrypto/bio/bio.h 
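Review bot: On the new no-colon path in BIO_get_accept_socket() `h` is set to NULL, and the getaddrinfo() failure branch just below still passes it to a `%s` conversion in `ERR_asprintf_error_data("getaddrinfo: '%s:%s': %s'", h, p, ...)`. A null pointer for `%s` is undefined behaviour in printf-style formatting (assuming ERR_asprintf_error_data formats like asprintf), and a port-only string now makes that a common case rather than only the `*` or empty-host case. Substituting a printable host in that call, e.g. `h != NULL ? h : "*"`, avoids it. The function starts and ends outside this hunk.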
@@ -1,4 +1,4 @@ -/* $OpenBSD: bio.h,v 1.30 2017/04/06 18:25:38 deraadt Exp $ */ +/* $OpenBSD: bio.h,v 1.40 2018/03/17 15:05:55 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -103,6 +103,12 @@ extern "C" { #define BIO_TYPE_FILTER 0x0200 #define BIO_TYPE_SOURCE_SINK 0x0400 +/* + * BIO_TYPE_START is the first user-allocated BIO type. No pre-defined type, + * flag bits aside, may exceed this value. + */ +#define BIO_TYPE_START 128 + /* BIO_FILENAME_READ|BIO_CLOSE to open or close on free. * BIO_set_fp(in,stdin,BIO_NOCLOSE); */ #define BIO_NOCLOSE 0x00 @@ -264,6 +270,7 @@ const char * BIO_method_name(const BIO *b); int BIO_method_type(const BIO *b); typedef void bio_info_cb(struct bio_st *, int, const char *, int, long, long); +typedef int BIO_info_cb(BIO *, int, int); typedef struct bio_method_st { int type; 
@@ -327,6 +334,27 @@ typedef struct bio_f_buffer_ctx_struct { /* Prefix and suffix callback in ASN1 BIO */ typedef int asn1_ps_func(BIO *b, unsigned char **pbuf, int *plen, void *parg); +/* BIO_METHOD accessors */ +BIO_METHOD *BIO_meth_new(int type, const char *name); +void BIO_meth_free(BIO_METHOD *biom); +int (*BIO_meth_get_write(BIO_METHOD *biom))(BIO *, const char *, int); +int BIO_meth_set_write(BIO_METHOD *biom, + int (*write)(BIO *, const char *, int)); +int (*BIO_meth_get_read(BIO_METHOD *biom))(BIO *, char *, int); +int BIO_meth_set_read(BIO_METHOD *biom, int (*read)(BIO *, char *, int)); +int (*BIO_meth_get_puts(BIO_METHOD *biom))(BIO *, const char *); +int BIO_meth_set_puts(BIO_METHOD *biom, int (*puts)(BIO *, const char *)); +int (*BIO_meth_get_gets(BIO_METHOD *biom))(BIO *, char *, int); +int BIO_meth_set_gets(BIO_METHOD *biom, int (*gets)(BIO *, char *, int)); +long (*BIO_meth_get_ctrl(BIO_METHOD *biom))(BIO *, int, long, void *); +int BIO_meth_set_ctrl(BIO_METHOD *biom, long (*ctrl)(BIO *, int, long, void *)); +int (*BIO_meth_get_create(BIO_METHOD *biom))(BIO *); +int BIO_meth_set_create(BIO_METHOD *biom, int (*create)(BIO *)); +int (*BIO_meth_get_destroy(BIO_METHOD *biom))(BIO *); +int BIO_meth_set_destroy(BIO_METHOD *biom, int (*destroy)(BIO *)); +long (*BIO_meth_get_callback_ctrl(BIO_METHOD *biom))(BIO *, int, BIO_info_cb *); +int BIO_meth_set_callback_ctrl(BIO_METHOD *biom, + long (*callback_ctrl)(BIO *, int, BIO_info_cb *)); /* connect BIO stuff */ #define BIO_CONN_S_BEFORE 1 @@ -568,6 +596,7 @@ int BIO_asn1_get_suffix(BIO *b, asn1_ps_func **psuffix, asn1_ps_func **psuffix_free); +int BIO_get_new_index(void); BIO_METHOD *BIO_s_file(void ); BIO *BIO_new_file(const char *filename, const char *mode); BIO *BIO_new_fp(FILE *stream, int close_flag); 
@@ -575,6 +604,12 @@ BIO *BIO_new_fp(FILE *stream, int close_flag); BIO * BIO_new(BIO_METHOD *type); int BIO_set(BIO *a, BIO_METHOD *type); int BIO_free(BIO *a); +int BIO_up_ref(BIO *bio); +void *BIO_get_data(BIO *a); +void BIO_set_data(BIO *a, void *ptr); +void BIO_set_init(BIO *a, int init); +int BIO_get_shutdown(BIO *a); +void BIO_set_shutdown(BIO *a, int shut); void BIO_vfree(BIO *a); int BIO_read(BIO *b, void *data, int len) __attribute__((__bounded__(__buffer__,2,3))); diff --git a/lib/libcrypto/bio/bio_lib.c b/lib/libcrypto/bio/bio_lib.c index 86ccbdc202..ddab542881 100644 --- a/lib/libcrypto/bio/bio_lib.c +++ b/lib/libcrypto/bio/bio_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bio_lib.c,v 1.23 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: bio_lib.c,v 1.27 2018/02/22 16:38:43 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -64,6 +64,20 @@ #include #include +int +BIO_get_new_index(void) +{ + static int bio_type_index = BIO_TYPE_START; + int index; + + /* The index will collide with the BIO flag bits if it exceeds 255. */ + index = CRYPTO_add(&bio_type_index, 1, CRYPTO_LOCK_BIO); + if (index > 255) + return -1; + + return index; +} + BIO * BIO_new(BIO_METHOD *method) { @@ -137,6 +151,43 @@ BIO_vfree(BIO *a) BIO_free(a); } +int +BIO_up_ref(BIO *bio) +{ + int refs = CRYPTO_add(&bio->references, 1, CRYPTO_LOCK_BIO); + return (refs > 1) ? 1 : 0; +} + +void * +BIO_get_data(BIO *a) +{ + return (a->ptr); +} + +void +BIO_set_data(BIO *a, void *ptr) +{ + a->ptr = ptr; +} + +void +BIO_set_init(BIO *a, int init) +{ + a->init = init; +} + +int +BIO_get_shutdown(BIO *a) +{ + return (a->shutdown); +} + +void +BIO_set_shutdown(BIO *a, int shut) +{ + a->shutdown = shut; +} + void BIO_clear_flags(BIO *b, int flags) { diff --git a/lib/libcrypto/bio/bio_meth.c b/lib/libcrypto/bio/bio_meth.c new file mode 100644 index 0000000000..c795c3f231 --- /dev/null +++ b/lib/libcrypto/bio/bio_meth.c 
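Review bot: BIO_get_new_index() returns -1 once the counter passes 255, but neither the definition in bio_lib.c nor the prototype added to bio.h says so. A caller that ORs the result with BIO_TYPE_FILTER or BIO_TYPE_SOURCE_SINK without checking would turn -1 into a type with every bit set, so I would document it at the definition: `/* Returns a new BIO type index, or -1 when no index below 256 is left; check the result before OR-ing in BIO_TYPE_* flags. */`. The static counter is also still incremented on the failing calls.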
@@ -0,0 +1,147 @@ +/* $OpenBSD: bio_meth.c,v 1.5 2018/02/20 18:51:35 tb Exp $ */ +/* + * Copyright (c) 2018 Theo Buehler + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include + +BIO_METHOD * +BIO_meth_new(int type, const char *name) +{ + BIO_METHOD *biom; + + if ((biom = calloc(1, sizeof(*biom))) == NULL) + return NULL; + + biom->type = type; + biom->name = name; + + return biom; +} + +void +BIO_meth_free(BIO_METHOD *biom) +{ + free(biom); +} + +int +(*BIO_meth_get_write(BIO_METHOD *biom))(BIO *, const char *, int) +{ + return biom->bwrite; +} + +int +BIO_meth_set_write(BIO_METHOD *biom, int (*write)(BIO *, const char *, int)) +{ + biom->bwrite = write; + return 1; +} + +int +(*BIO_meth_get_read(BIO_METHOD *biom))(BIO *, char *, int) +{ + return biom->bread; +} + +int +BIO_meth_set_read(BIO_METHOD *biom, int (*read)(BIO *, char *, int)) +{ + biom->bread = read; + return 1; +} + +int +(*BIO_meth_get_puts(BIO_METHOD *biom))(BIO *, const char *) +{ + return biom->bputs; +} + +int +BIO_meth_set_puts(BIO_METHOD *biom, int (*puts)(BIO *, const char *)) +{ + biom->bputs = puts; + return 1; +} + +int +(*BIO_meth_get_gets(BIO_METHOD *biom))(BIO *, char *, int) +{ + return biom->bgets; +} + +int +BIO_meth_set_gets(BIO_METHOD *biom, int (*gets)(BIO *, char *, int)) +{ + 
biom->bgets = gets; + return 1; +} + +long +(*BIO_meth_get_ctrl(BIO_METHOD *biom))(BIO *, int, long, void *) +{ + return biom->ctrl; +} + +int +BIO_meth_set_ctrl(BIO_METHOD *biom, long (*ctrl)(BIO *, int, long, void *)) +{ + biom->ctrl = ctrl; + return 1; +} + +int +(*BIO_meth_get_create(BIO_METHOD *biom))(BIO *) +{ + return biom->create; +} + +int +BIO_meth_set_create(BIO_METHOD *biom, int (*create)(BIO *)) +{ + biom->create = create; + return 1; +} + +int +(*BIO_meth_get_destroy(BIO_METHOD *biom))(BIO *) +{ + return biom->destroy; +} + +int +BIO_meth_set_destroy(BIO_METHOD *biom, int (*destroy)(BIO *)) +{ + biom->destroy = destroy; + return 1; +} + +long +(*BIO_meth_get_callback_ctrl(BIO_METHOD *biom))(BIO *, int, BIO_info_cb *) +{ + return + (long (*)(BIO *, int, BIO_info_cb *))biom->callback_ctrl; /* XXX */ +} + +int +BIO_meth_set_callback_ctrl(BIO_METHOD *biom, + long (*callback_ctrl)(BIO *, int, BIO_info_cb *)) +{ + biom->callback_ctrl = + (long (*)(BIO *, int, bio_info_cb *))callback_ctrl; /* XXX */ + return 1; +} diff --git a/lib/libcrypto/bn/bn.h b/lib/libcrypto/bn/bn.h index 0dde08a368..cd94e39345 100644 --- a/lib/libcrypto/bn/bn.h +++ b/lib/libcrypto/bn/bn.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bn.h,v 1.36 2017/01/25 06:15:44 beck Exp $ */ +/* $OpenBSD: bn.h,v 1.38 2018/02/20 17:13:14 jsing Exp $ */ /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -285,6 +285,11 @@ struct bn_gencb_st { int (*cb_2)(int, int, BN_GENCB *); } cb; }; + +BN_GENCB *BN_GENCB_new(void); +void BN_GENCB_free(BN_GENCB *cb); +void *BN_GENCB_get_arg(BN_GENCB *cb); + /* Wrapper function to make using BN_GENCB easier, */ int BN_GENCB_call(BN_GENCB *cb, int a, int b); /* Macro to populate a BN_GENCB structure with an "old"-style callback */ 
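Review bot: `BIO_meth_new()` in the new file bio_meth.c stores the caller's `name` pointer as-is (`biom->name = name;`), so the string has to outlive the BIO_METHOD, and nothing in the file says so. Either document it with `/* name is not copied and must remain valid until BIO_meth_free(). */`, or copy it with `strdup()` and release the copy in `BIO_meth_free()`. The getters and setters also dereference `biom` without a NULL check, which matters for a caller that passes on an unchecked `BIO_meth_new()` result after allocation failure. The two `/* XXX */` casts around `callback_ctrl` convert between function-pointer types taking `BIO_info_cb *` and `bio_info_cb *`. Whether those types are compatible is not visible in this hunk, so the marker should become a comment saying why the cast is safe.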
@@ -628,6 +633,8 @@ const BIGNUM *BN_get0_nist_prime_521(void); /* Primes from RFC 2409 */ BIGNUM *get_rfc2409_prime_768(BIGNUM *bn); BIGNUM *get_rfc2409_prime_1024(BIGNUM *bn); +BIGNUM *BN_get_rfc2409_prime_768(BIGNUM *bn); +BIGNUM *BN_get_rfc2409_prime_1024(BIGNUM *bn); /* Primes from RFC 3526 */ BIGNUM *get_rfc3526_prime_1536(BIGNUM *bn); @@ -636,6 +643,12 @@ BIGNUM *get_rfc3526_prime_3072(BIGNUM *bn); BIGNUM *get_rfc3526_prime_4096(BIGNUM *bn); BIGNUM *get_rfc3526_prime_6144(BIGNUM *bn); BIGNUM *get_rfc3526_prime_8192(BIGNUM *bn); +BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *bn); +BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM *bn); +BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM *bn); +BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *bn); +BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn); +BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *bn); /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes diff --git a/lib/libcrypto/bn/bn_const.c b/lib/libcrypto/bn/bn_const.c index 4be9f4f791..0ceff9160d 100644 --- a/lib/libcrypto/bn/bn_const.c +++ b/lib/libcrypto/bn/bn_const.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_const.c,v 1.4 2014/06/12 15:49:28 deraadt Exp $ */ +/* $OpenBSD: bn_const.c,v 1.5 2018/02/20 17:02:30 jsing Exp $ */ /* Insert boilerplate */ #include @@ -27,6 +27,12 @@ get_rfc2409_prime_768(BIGNUM *bn) return BN_bin2bn(RFC2409_PRIME_768, sizeof(RFC2409_PRIME_768), bn); } +BIGNUM * +BN_get_rfc2409_prime_768(BIGNUM *bn) +{ + return get_rfc2409_prime_768(bn); +} + /* "Second Oakley Default Group" from RFC2409, section 6.2. * * The prime is: 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }. @@ -54,6 +60,12 @@ get_rfc2409_prime_1024(BIGNUM *bn) return BN_bin2bn(RFC2409_PRIME_1024, sizeof(RFC2409_PRIME_1024), bn); } +BIGNUM * +BN_get_rfc2409_prime_1024(BIGNUM *bn) +{ + return get_rfc2409_prime_1024(bn); +} + /* "1536-bit MODP Group" from RFC3526, Section 2. * * The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 } 
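Review bot: The new public aliases `BN_get_rfc2409_prime_768()` and `BN_get_rfc2409_prime_1024()` are added without any comment on group strength. They are in the bn_const.c hunks at `@@ -27,6 +27,12 @@` and `@@ -54,6 +60,12 @@` and are declared in the bn.h hunk at `@@ -628,6 +633,8 @@`. MODP groups of 768 and 1024 bits are generally regarded as too small for new Diffie-Hellman deployments, so exposing them under the current naming scheme invites use in new code. I would put a line above each, for example `/* Compatibility accessor: this group is too small for new DH use; prefer the RFC 3526 groups of 2048 bits or more. */`. Each wrapper only forwards to the existing `get_rfc2409_prime_*` function, so this is a documentation change only.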
@@ -86,6 +98,12 @@ get_rfc3526_prime_1536(BIGNUM *bn) return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), bn); } +BIGNUM * +BN_get_rfc3526_prime_1536(BIGNUM *bn) +{ + return get_rfc3526_prime_1536(bn); +} + /* "2048-bit MODP Group" from RFC3526, Section 3. * * The prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 } @@ -123,6 +141,12 @@ get_rfc3526_prime_2048(BIGNUM *bn) return BN_bin2bn(RFC3526_PRIME_2048, sizeof(RFC3526_PRIME_2048), bn); } +BIGNUM * +BN_get_rfc3526_prime_2048(BIGNUM *bn) +{ + return get_rfc3526_prime_2048(bn); +} + /* "3072-bit MODP Group" from RFC3526, Section 4. * * The prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 } @@ -170,6 +194,12 @@ get_rfc3526_prime_3072(BIGNUM *bn) return BN_bin2bn(RFC3526_PRIME_3072, sizeof(RFC3526_PRIME_3072), bn); } +BIGNUM * +BN_get_rfc3526_prime_3072(BIGNUM *bn) +{ + return get_rfc3526_prime_3072(bn); +} + /* "4096-bit MODP Group" from RFC3526, Section 5. * * The prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 } @@ -228,6 +258,12 @@ get_rfc3526_prime_4096(BIGNUM *bn) return BN_bin2bn(RFC3526_PRIME_4096, sizeof(RFC3526_PRIME_4096), bn); } +BIGNUM * +BN_get_rfc3526_prime_4096(BIGNUM *bn) +{ + return get_rfc3526_prime_4096(bn); +} + /* "6144-bit MODP Group" from RFC3526, Section 6. * * The prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 } @@ -307,6 +343,12 @@ get_rfc3526_prime_6144(BIGNUM *bn) return BN_bin2bn(RFC3526_PRIME_6144, sizeof(RFC3526_PRIME_6144), bn); } +BIGNUM * +BN_get_rfc3526_prime_6144(BIGNUM *bn) +{ + return get_rfc3526_prime_6144(bn); +} + /* "8192-bit MODP Group" from RFC3526, Section 7. * * The prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 } @@ -407,3 +449,9 @@ get_rfc3526_prime_8192(BIGNUM *bn) }; return BN_bin2bn(RFC3526_PRIME_8192, sizeof(RFC3526_PRIME_8192), bn); } + +BIGNUM * +BN_get_rfc3526_prime_8192(BIGNUM *bn) +{ + return get_rfc3526_prime_8192(bn); +} 
diff --git a/lib/libcrypto/bn/bn_lib.c b/lib/libcrypto/bn/bn_lib.c index 8aeeb5304f..ffb5ee7c2e 100644 --- a/lib/libcrypto/bn/bn_lib.c +++ b/lib/libcrypto/bn/bn_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_lib.c,v 1.38 2017/05/02 03:59:44 deraadt Exp $ */ +/* $OpenBSD: bn_lib.c,v 1.39 2018/02/20 17:13:14 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -888,3 +888,28 @@ BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords) } #undef BN_CONSTTIME_SWAP } + +BN_GENCB * +BN_GENCB_new(void) +{ + BN_GENCB *cb; + + if ((cb = calloc(1, sizeof(*cb))) == NULL) + return NULL; + + return cb; +} + +void +BN_GENCB_free(BN_GENCB *cb) +{ + if (cb == NULL) + return; + free(cb); +} + +void * +BN_GENCB_get_arg(BN_GENCB *cb) +{ + return cb->arg; +} diff --git a/lib/libcrypto/camellia/asm/cmll-x86_64.pl b/lib/libcrypto/camellia/asm/cmll-x86_64.pl index a171c654b2..df6bf11a28 100644 --- a/lib/libcrypto/camellia/asm/cmll-x86_64.pl +++ b/lib/libcrypto/camellia/asm/cmll-x86_64.pl @@ -218,7 +218,7 @@ $code.=<<___; mov $t2,@S[2] mov $t3,@S[3] - .byte 0xf3,0xc3 # rep ret + retq .size _x86_64_Camellia_encrypt,.-_x86_64_Camellia_encrypt # V1.x API @@ -329,7 +329,7 @@ $code.=<<___; mov $t0,@S[2] mov $t1,@S[3] - .byte 0xf3,0xc3 # rep ret + retq .size _x86_64_Camellia_decrypt,.-_x86_64_Camellia_decrypt ___ diff --git a/lib/libcrypto/cert.pem b/lib/libcrypto/cert.pem index ff33c4125e..301fc8dc35 100644 --- a/lib/libcrypto/cert.pem +++ b/lib/libcrypto/cert.pem 
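Review bot: `BN_GENCB_get_arg()` in the bn_lib.c hunk at `@@ -888,3 +888,28 @@` reads `cb->arg` with no NULL check, while `BN_GENCB_free()` directly above it accepts NULL, so the new functions disagree on whether a NULL `BN_GENCB` is a valid argument. If NULL is allowed, `return cb != NULL ? cb->arg : NULL;` would make them consistent; otherwise a comment stating the precondition is enough. As a style point, the `if (cb == NULL) return;` guard before `free(cb)` is redundant because `free(NULL)` is a no-op. `BN_GENCB_new()` can also be reduced to `return calloc(1, sizeof(BN_GENCB));`.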
@@ -1,4 +1,352 @@ -# $OpenBSD: cert.pem,v 1.15 2017/02/24 10:42:00 sthen Exp $ +# $OpenBSD: cert.pem,v 1.16 2018/03/21 15:26:09 sthen Exp $ +### /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 + +=== /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6047274297262753887 (0x53ec3beefbb2485f) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: May 20 08:38:15 2009 GMT + Not After : Dec 31 08:38:15 2030 GMT + Subject: C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:1 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 65:CD:EB:AB:35:1E:00:3E:7E:D5:74:C0:1C:B4:73:47:0E:1A:64:2F + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + CPS: http://www.firmaprofesional.com/cps + User Notice: + Explicit Text: + +SHA1 Fingerprint=AE:C5:FB:3F:C8:E1:BF:C4:E5:4F:03:07:5A:9A:E8:00:B7:F7:B6:FA +SHA256 Fingerprint=04:04:80:28:BF:1F:28:64:D4:8F:9A:D4:D8:32:94:36:6A:82:88:56:55:3F:3B:14:30:3F:90:14:7F:5D:40:EF +-----BEGIN CERTIFICATE----- +MIIGFDCCA/ygAwIBAgIIU+w77vuySF8wDQYJKoZIhvcNAQEFBQAwUTELMAkGA1UE +BhMCRVMxQjBABgNVBAMMOUF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uIEZpcm1h +cHJvZmVzaW9uYWwgQ0lGIEE2MjYzNDA2ODAeFw0wOTA1MjAwODM4MTVaFw0zMDEy +MzEwODM4MTVaMFExCzAJBgNVBAYTAkVTMUIwQAYDVQQDDDlBdXRvcmlkYWQgZGUg +Q2VydGlmaWNhY2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBBNjI2MzQwNjgwggIi +MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDKlmuO6vj78aI14H9M2uDDUtd9 +thDIAl6zQyrET2qyyhxdKJp4ERppWVevtSBC5IsP5t9bpgOSL/UR5GLXMnE42QQM +cas9UX4PB99jBVzpv5RvwSmCwLTaUbDBPLutN0pcyvFLNg4kq7/DhHf9qFD0sefG +L9ItWY16Ck6WaVICqjaY7Pz6FIMMNx/Jkjd/14Et5cS54D40/mf0PmbR0/RAz15i +NA9wBj4gGFrO93IbJWyTdBSTo3OxDqqHECNZXyAFGUftaI6SEspd/NYrspI8IM/h +X68gvqB2f3bl7BqGYTM+53u0P6APjqK5am+5hyZvQWyIplD9amML9ZMWGxmPsu2b +m8mQ9QEM3xk9Dz44I8kvjwzRAv4bVdZO0I08r0+k8/6vKtMFnXkIoctXMbScyJCy 
+Z/QYFpM6/EfY0XiWMR+6KwxfXZmtY4laJCB22N/9q06mIqqdXuYnin1oKaPnirja +EbsXLZmdEyRG98Xi2J+Of8ePdG1asuhy9azuJBCtLxTa/y2aRnFHvkLfuwHb9H/T +KI8xWVvTyQKmtFLKbpf7Q8UIJm+K9Lv9nyiqDdVF8xM6HdjAeI9BZzwelGSuewvF +6NkBiDkal4ZkQdU7hwxu+g/GvUgUvzlN1J5Bto+WHWOWk9mVBngxaJ43BjuAiUVh +OSPHG0SjFeUc+JIwuwIDAQABo4HvMIHsMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYD +VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRlzeurNR4APn7VdMActHNHDhpkLzCBpgYD +VR0gBIGeMIGbMIGYBgRVHSAAMIGPMC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3LmZp +cm1hcHJvZmVzaW9uYWwuY29tL2NwczBcBggrBgEFBQcCAjBQHk4AUABhAHMAZQBv +ACAAZABlACAAbABhACAAQgBvAG4AYQBuAG8AdgBhACAANAA3ACAAQgBhAHIAYwBl +AGwAbwBuAGEAIAAwADgAMAAxADcwDQYJKoZIhvcNAQEFBQADggIBABd9oPm03cXF +661LJLWhAqvdpYhKsg9VSytXjDvlMd3+xDLx51tkljYyGOylMnfX40S2wBEqgLk9 +am58m9Ot/MPWo+ZkKXzR4Tgegiv/J2Wv+xYVxC5xhOW1//qkR71kMrv2JYSiJ0L1 +ILDCExARzRAVukKQKtJE4ZYm6zFIEv0q2skGz3QeqUvVhyj5eTSSPi5E6PaPT481 +PyWzOdxjKpBrIF/EUhJOlywqrJ2X3kjyo2bbwtKDlaZmp54lD+kLM5FlClrD2VQS +3a/DTg4fJl4N3LON7NWBcN7STyQF82xO9UxJZo3R/9ILJUFI/lGExkKvgATP0H5k +SeTy36LssUzAKh3ntLFlosS88Zj0qnAHY7S42jtM+kAiMFsRpvAFDsYCA0irhpuF +3dvd6qJ2gHN99ZwExEWN57kci57q13XRcrHedUTnQn3iV2t93Jm8PYMo6oCTjcVM +ZcFwgbg4/EMxsvYDNEeyrPsiBsse3RdHHF9mudMaotoRsaS8I8nkvof/uZS2+F0g +StRf571oe2XyFR7SOqkt6dhrJKyXWERHrVkY8SFlcN7ONGCoQPHzPKTDKCOM/icz +Q0CgFzzr6juwcqajuUpLXhZI9LK8yIySxZ2frHI2vDSANGupi5LAuBft7HZT9SQB +jLMi6Et8Vcad+qMUu2WFbm5PEn4KPJ2V +-----END CERTIFICATE----- + +### AC Camerfirma S.A. 
+ +=== /C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Chambers of Commerce Root - 2008 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 11806822484801597146 (0xa3da427ea4b1aeda) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Aug 1 12:29:50 2008 GMT + Not After : Jul 31 12:29:50 2038 GMT + Subject: C=EU, L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287, O=AC Camerfirma S.A., CN=Chambers of Commerce Root - 2008 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:12 + X509v3 Subject Key Identifier: + F9:24:AC:0F:B2:B5:F8:79:C0:FA:60:88:1B:C4:D9:4D:02:9E:17:19 + X509v3 Authority Key Identifier: + keyid:F9:24:AC:0F:B2:B5:F8:79:C0:FA:60:88:1B:C4:D9:4D:02:9E:17:19 + DirName:/C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Chambers of Commerce Root - 2008 + serial:A3:DA:42:7E:A4:B1:AE:DA + + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + CPS: http://policy.camerfirma.com + +SHA1 Fingerprint=78:6A:74:AC:76:AB:14:7F:9C:6A:30:50:BA:9E:A8:7E:FE:9A:CE:3C +SHA256 Fingerprint=06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0 +-----BEGIN CERTIFICATE----- +MIIHTzCCBTegAwIBAgIJAKPaQn6ksa7aMA0GCSqGSIb3DQEBBQUAMIGuMQswCQYD +VQQGEwJFVTFDMEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBhZGRyZXNzIGF0 +IHd3dy5jYW1lcmZpcm1hLmNvbS9hZGRyZXNzKTESMBAGA1UEBRMJQTgyNzQzMjg3 +MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMuQS4xKTAnBgNVBAMTIENoYW1iZXJz +IG9mIENvbW1lcmNlIFJvb3QgLSAyMDA4MB4XDTA4MDgwMTEyMjk1MFoXDTM4MDcz +MTEyMjk1MFowga4xCzAJBgNVBAYTAkVVMUMwQQYDVQQHEzpNYWRyaWQgKHNlZSBj +dXJyZW50IGFkZHJlc3MgYXQgd3d3LmNhbWVyZmlybWEuY29tL2FkZHJlc3MpMRIw +EAYDVQQFEwlBODI3NDMyODcxGzAZBgNVBAoTEkFDIENhbWVyZmlybWEgUy5BLjEp +MCcGA1UEAxMgQ2hhbWJlcnMgb2YgQ29tbWVyY2UgUm9vdCAtIDIwMDgwggIiMA0G 
+CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCvAMtwNyuAWko6bHiUfaN/Gh/2NdW9 +28sNRHI+JrKQUrpjOyhYb6WzbZSm891kDFX29ufyIiKAXuFixrYp4YFs8r/lfTJq +VKAyGVn+H4vXPWCGhSRv4xGzdz4gljUha7MI2XAuZPeEklPWDrCQiorjh40G072Q +DuKZoRuGDtqaCrsLYVAGUvGef3bsyw/QHg3PmTA9HMRFEFis1tPo1+XqxQEHd9ZR +5gN/ikilTWh1uem8nk4ZcfUyS5xtYBkL+8ydddy/Js2Pk3g5eXNeJQ7KXOt3EgfL +ZEFHcpOrUMPrCXZkNNI5t3YRCQ12RcSprj1qr7V9ZS+UWBDsXHyvfuK2GNnQm05a +Sd+pZgvMPMZ4fKecHePOjlO+Bd5gD2vlGts/4+EhySnB8esHnFIbAURRPHsl18Tl +UlRdJQfKFiC4reRB7noI/plvg6aRArBsNlVq5331lubKgdaX8ZSD6e2wsWsSaR6s ++12pxZjptFtYer49okQ6Y1nUCyXeG0+95QGezdIp1Z8XGQpvvwyQ0wlf2eOKNcx5 +Wk0ZN5K3xMGtr/R5JJqyAQuxr1yW84Ay+1w9mPGgP0revq+ULtlVmhduYJ1jbLhj +ya6BXBg14JC7vjxPNyK5fuvPnnchpj04gftI2jE9K+OJ9dC1vX7gUMQSibMjmhAx +hduub+84Mxh2EQIDAQABo4IBbDCCAWgwEgYDVR0TAQH/BAgwBgEB/wIBDDAdBgNV +HQ4EFgQU+SSsD7K1+HnA+mCIG8TZTQKeFxkwgeMGA1UdIwSB2zCB2IAU+SSsD7K1 ++HnA+mCIG8TZTQKeFxmhgbSkgbEwga4xCzAJBgNVBAYTAkVVMUMwQQYDVQQHEzpN +YWRyaWQgKHNlZSBjdXJyZW50IGFkZHJlc3MgYXQgd3d3LmNhbWVyZmlybWEuY29t +L2FkZHJlc3MpMRIwEAYDVQQFEwlBODI3NDMyODcxGzAZBgNVBAoTEkFDIENhbWVy +ZmlybWEgUy5BLjEpMCcGA1UEAxMgQ2hhbWJlcnMgb2YgQ29tbWVyY2UgUm9vdCAt +IDIwMDiCCQCj2kJ+pLGu2jAOBgNVHQ8BAf8EBAMCAQYwPQYDVR0gBDYwNDAyBgRV +HSAAMCowKAYIKwYBBQUHAgEWHGh0dHA6Ly9wb2xpY3kuY2FtZXJmaXJtYS5jb20w +DQYJKoZIhvcNAQEFBQADggIBAJASryI1wqM58C7e6bXpeHxIvj99RZJe6dqxGfwW +PJ+0W2aeaufDuV2I6A+tzyMP3iU6XsxPpcG1Lawk0lgH3qLPaYRgM+gQDROpI9CF +5Y57pp49chNyM/WqfcZjHwj0/gF/JM8rLFQJ3uIrbZLGOU8W6jx+ekbURWpGqOt1 +glanq6B8aBMz9p0w8G8nOSQjKpD9kCk18pPfNKXG9/jvjA9iSnyu0/VU+I22mlaH +FoI6M6taIgj3grrqLuBHmrS1RaMFO9ncLkVAO+rcf+g769HsJtg1pDDFOqxXnrN2 +pSB7+R5KBWIBpih1YJeSDW4+TTdDDZIVnBgizVGZoCkaPF+KMjNbMMeJL0eYD6MD +xvbxrN8y8NmBGuScvfaAFPDRLLmF9dijscilIeUcE5fuDr3fKanvNFNb0+RqE4QG +tjICxFKuItLcsiFCGtpA8CnJ7AoMXOLQusxI0zcKzBIKinmwPQN/aUv0NCB9szTq +jktk9T79syNnFQ0EuPAtwQlRPLJsFfClI9eDdOTlLsn+mCdCxqvGnrDQWzilm1De +fhiYtUU79nm06PcaewaD+9CL2rvHvRirCG88gGtAPxkZumWK5r7VXNM21+9AUiRg +OGcEMeyP84LG3rlV8zsxkVrctQgVrXYlCg17LofiDKYGvCYQbTed7N14jHyAxfDZ +d0jQ +-----END 
CERTIFICATE----- +=== /C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Global Chambersign Root - 2008 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 14541511773111788494 (0xc9cdd3e9d57d23ce) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Aug 1 12:31:40 2008 GMT + Not After : Jul 31 12:31:40 2038 GMT + Subject: C=EU, L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287, O=AC Camerfirma S.A., CN=Global Chambersign Root - 2008 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:12 + X509v3 Subject Key Identifier: + B9:09:CA:9C:1E:DB:D3:6C:3A:6B:AE:ED:54:F1:5B:93:06:35:2E:5E + X509v3 Authority Key Identifier: + keyid:B9:09:CA:9C:1E:DB:D3:6C:3A:6B:AE:ED:54:F1:5B:93:06:35:2E:5E + DirName:/C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Global Chambersign Root - 2008 + serial:C9:CD:D3:E9:D5:7D:23:CE + + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + CPS: http://policy.camerfirma.com + +SHA1 Fingerprint=4A:BD:EE:EC:95:0D:35:9C:89:AE:C7:52:A1:2C:5B:29:F6:D6:AA:0C +SHA256 Fingerprint=13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA +-----BEGIN CERTIFICATE----- +MIIHSTCCBTGgAwIBAgIJAMnN0+nVfSPOMA0GCSqGSIb3DQEBBQUAMIGsMQswCQYD +VQQGEwJFVTFDMEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBhZGRyZXNzIGF0 +IHd3dy5jYW1lcmZpcm1hLmNvbS9hZGRyZXNzKTESMBAGA1UEBRMJQTgyNzQzMjg3 +MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMuQS4xJzAlBgNVBAMTHkdsb2JhbCBD +aGFtYmVyc2lnbiBSb290IC0gMjAwODAeFw0wODA4MDExMjMxNDBaFw0zODA3MzEx +MjMxNDBaMIGsMQswCQYDVQQGEwJFVTFDMEEGA1UEBxM6TWFkcmlkIChzZWUgY3Vy +cmVudCBhZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNvbS9hZGRyZXNzKTESMBAG +A1UEBRMJQTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMuQS4xJzAl +BgNVBAMTHkdsb2JhbCBDaGFtYmVyc2lnbiBSb290IC0gMjAwODCCAiIwDQYJKoZI 
+hvcNAQEBBQADggIPADCCAgoCggIBAMDfVtPkOpt2RbQT2//BthmLN0EYlVJH6xed +KYiONWwGMi5HYvNJBL99RDaxccy9Wglz1dmFRP+RVyXfXjaOcNFccUMd2drvXNL7 +G706tcuto8xEpw2uIRU/uXpbknXYpBI4iRmKt4DS4jJvVpyR1ogQC7N0ZJJ0YPP2 +zxhPYLIj0Mc7zmFLmY/CDNBAspjcDahOo7kKrmCgrUVSY7pmvWjg+b4aqIG7HkF4 +ddPB/gBVsIdU6CeQNR1MM62X/JcumIS/LMmjv9GYERTtY/jKmIhYF5ntRQOXfjyG +HoiMvvKRhI9lNNgATH23MRdaKXoKGCQwoze1eqkBfSbW+Q6OWfH9GzO1KTsXO0G2 +Id3UwD2ln58fQ1DJu7xsepeY7s2MH/ucUa6LcL0nn3HAa6x9kGbo1106DbDVwo3V +yJ2dwW3Q0L9R5OP4wzg2rtandeavhENdk5IMagfeOx2YItaswTXbo6Al/3K1dh3e +beksZixShNBFks4c5eUzHdwHU1SjqoI7mjcv3N2gZOnm3b2u/GSFHTynyQbehP9r +6GsaPMWis0L7iwk+XwhSx2LE1AVxv8Rk5Pihg+g+EpuoHtQ2TS9x9o0o9oOpE9Jh +wZG7SMA0j0GMS0zbaRL/UJScIINZc+18ofLx/d33SdNDWKBWY8o9PeU1VlnpDsog +zCtLkykPAgMBAAGjggFqMIIBZjASBgNVHRMBAf8ECDAGAQH/AgEMMB0GA1UdDgQW +BBS5CcqcHtvTbDprru1U8VuTBjUuXjCB4QYDVR0jBIHZMIHWgBS5CcqcHtvTbDpr +ru1U8VuTBjUuXqGBsqSBrzCBrDELMAkGA1UEBhMCRVUxQzBBBgNVBAcTOk1hZHJp +ZCAoc2VlIGN1cnJlbnQgYWRkcmVzcyBhdCB3d3cuY2FtZXJmaXJtYS5jb20vYWRk +cmVzcykxEjAQBgNVBAUTCUE4Mjc0MzI4NzEbMBkGA1UEChMSQUMgQ2FtZXJmaXJt +YSBTLkEuMScwJQYDVQQDEx5HbG9iYWwgQ2hhbWJlcnNpZ24gUm9vdCAtIDIwMDiC +CQDJzdPp1X0jzjAOBgNVHQ8BAf8EBAMCAQYwPQYDVR0gBDYwNDAyBgRVHSAAMCow +KAYIKwYBBQUHAgEWHGh0dHA6Ly9wb2xpY3kuY2FtZXJmaXJtYS5jb20wDQYJKoZI +hvcNAQEFBQADggIBAICIf3DekijZBZRG/5BXqfEv3xoNa/p8DhxJJHkn2EaqbylZ +UohwEurdPfWbU1Rv4WCiqAm57OtZfMY18dwY6fFn5a+6ReAJ3spED8IXDneRRXoz +X1+WLGiLwUePmJs9wOzL9dWCkoQ10b42OFZyMVtHLaoXpGNR6woBrX/sdZ7LoR/x +fxKxueRkf2fWIyr0uDldmOghp+G9PUIadJpwr2hsUF1Jz//7Dl3mLEfXgTpZALVz +a2Mg9jFFCDkO9HB+QHBaP9BrQql0PSgvAm11cpUJjUhjxsYjV5KTXjXBjfkK9yyd +Yhz2rXzdpjEetrHHfoUm+qRqtdpjMNHvkzeyZi99Bffnt0uYlDXA2TopwZ2yUDMd +SqlapskD7+3056huirRXhOukP9DuqqqHW2Pok+JrqNS4cnhrG+055F3Lm6qH1U9O +AP7Zap88MQ8oAgF9mOinsKJknnn4SPIVqczmyETrP3iZ8ntxPjzxmKfFGBI/5rso +M0LpRQp8bfKGeS/Fghl9CYl8slR2iK7ewfPM4W7bMdaTrpmg7yVqc5iJWzouE4ge +v8CSlDQb4ye3ix5vQv/n6TebUB0tovkC7stYWDpxvGjjqsGvHCgfotwjZT+B6q6Z +09gwzxMNTxXJhLynSC34MCN32EZLeW32jO06f2ARePTpm67VVMB0gNELQp/B +-----END 
CERTIFICATE----- + +### ACCV + +=== /CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6828503384748696800 (0x5ec3b7a6437fa4e0) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: May 5 09:37:37 2011 GMT + Not After : Dec 31 09:37:37 2030 GMT + Subject: CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES + X509v3 extensions: + Authority Information Access: + CA Issuers - URI:http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt + OCSP - URI:http://ocsp.accv.es + + X509v3 Subject Key Identifier: + D2:87:B4:E3:DF:37:27:93:55:F6:56:EA:81:E5:36:CC:8C:1E:3F:BD + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Authority Key Identifier: + keyid:D2:87:B4:E3:DF:37:27:93:55:F6:56:EA:81:E5:36:CC:8C:1E:3F:BD + + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + User Notice: + Explicit Text: + CPS: http://www.accv.es/legislacion_c.htm + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl + + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Alternative Name: + email:accv@accv.es +SHA1 Fingerprint=93:05:7A:88:15:C6:4F:CE:88:2F:FA:91:16:52:28:78:BC:53:64:17 +SHA256 Fingerprint=9A:6E:C0:12:E1:A7:DA:9D:BE:34:19:4D:47:8A:D7:C0:DB:18:22:FB:07:1D:F1:29:81:49:6E:D1:04:38:41:13 +-----BEGIN CERTIFICATE----- +MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcNAQEFBQAwQjESMBAGA1UE +AwwJQUNDVlJBSVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQKDARBQ0NWMQsw +CQYDVQQGEwJFUzAeFw0xMTA1MDUwOTM3MzdaFw0zMDEyMzEwOTM3MzdaMEIxEjAQ +BgNVBAMMCUFDQ1ZSQUlaMTEQMA4GA1UECwwHUEtJQUNDVjENMAsGA1UECgwEQUND +VjELMAkGA1UEBhMCRVMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCb +qau/YUqXry+XZpp0X9DZlv3P4uRm7x8fRzPCRKPfmt4ftVTdFXxpNRFvu8gMjmoY +HtiP2Ra8EEg2XPBjs5BaXCQ316PWywlxufEBcoSwfdtNgM3802/J+Nq2DoLSRYWo +G2ioPej0RGy9ocLLA76MPhMAhN9KSMDjIgro6TenGEyxCQ0jVn8ETdkXhBilyNpA +lHPrzg5XPAOBOp0KoVdDaaxXbXmQeOW1tDvYvEyNKKGno6e6Ak4l0Squ7a4DIrhr 
+IA8wKFSVf+DuzgpmndFALW4ir50awQUZ0m/A8p/4e7MCQvtQqR0tkw8jq8bBD5L/ +0KIV9VMJcRz/RROE5iZe+OCIHAr8Fraocwa48GOEAqDGWuzndN9wrqODJerWx5eH +k6fGioozl2A3ED6XPm4pFdahD9GILBKfb6qkxkLrQaLjlUPTAYVtjrs78yM2x/47 +4KElB0iryYl0/wiPgL/AlmXz7uxLaL2diMMxs0Dx6M/2OLuc5NF/1OVYm3z61PMO +m3WR5LpSLhl+0fXNWhn8ugb2+1KoS5kE3fj5tItQo05iifCHJPqDQsGH+tUtKSpa +cXpkatcnYGMN285J9Y0fkIkyF/hzQ7jSWpOGYdbhdQrqeWZ2iE9x6wQl1gpaepPl +uUsXQA+xtrn13k/c4LOsOxFwYIRKQ26ZIMApcQrAZQIDAQABo4ICyzCCAscwfQYI +KwYBBQUHAQEEcTBvMEwGCCsGAQUFBzAChkBodHRwOi8vd3d3LmFjY3YuZXMvZmls +ZWFkbWluL0FyY2hpdm9zL2NlcnRpZmljYWRvcy9yYWl6YWNjdjEuY3J0MB8GCCsG +AQUFBzABhhNodHRwOi8vb2NzcC5hY2N2LmVzMB0GA1UdDgQWBBTSh7Tj3zcnk1X2 +VuqB5TbMjB4/vTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNKHtOPfNyeT +VfZW6oHlNsyMHj+9MIIBcwYDVR0gBIIBajCCAWYwggFiBgRVHSAAMIIBWDCCASIG +CCsGAQUFBwICMIIBFB6CARAAQQB1AHQAbwByAGkAZABhAGQAIABkAGUAIABDAGUA +cgB0AGkAZgBpAGMAYQBjAGkA8wBuACAAUgBhAO0AegAgAGQAZQAgAGwAYQAgAEEA +QwBDAFYAIAAoAEEAZwBlAG4AYwBpAGEAIABkAGUAIABUAGUAYwBuAG8AbABvAGcA +7QBhACAAeQAgAEMAZQByAHQAaQBmAGkAYwBhAGMAaQDzAG4AIABFAGwAZQBjAHQA +cgDzAG4AaQBjAGEALAAgAEMASQBGACAAUQA0ADYAMAAxADEANQA2AEUAKQAuACAA +QwBQAFMAIABlAG4AIABoAHQAdABwADoALwAvAHcAdwB3AC4AYQBjAGMAdgAuAGUA +czAwBggrBgEFBQcCARYkaHR0cDovL3d3dy5hY2N2LmVzL2xlZ2lzbGFjaW9uX2Mu +aHRtMFUGA1UdHwROMEwwSqBIoEaGRGh0dHA6Ly93d3cuYWNjdi5lcy9maWxlYWRt +aW4vQXJjaGl2b3MvY2VydGlmaWNhZG9zL3JhaXphY2N2MV9kZXIuY3JsMA4GA1Ud +DwEB/wQEAwIBBjAXBgNVHREEEDAOgQxhY2N2QGFjY3YuZXMwDQYJKoZIhvcNAQEF +BQADggIBAJcxAp/n/UNnSEQU5CmH7UwoZtCPNdpNYbdKl02125DgBS4OxnnQ8pdp +D70ER9m+27Up2pvZrqmZ1dM8MJP1jaGo/AaNRPTKFpV8M9xii6g3+CfYCS0b78gU +JyCpZET/LtZ1qmxNYEAZSUNUY9rizLpm5U9EelvZaoErQNV/+QEnWCzI7UiRfD+m +AM/EKXMRNt6GGT6d7hmKG9Ww7Y49nCrADdg9ZuM8Db3VlFzi4qc1GwQA9j9ajepD +vV+JHanBsMyZ4k0ACtrJJ1vnE5Bc5PUzolVt3OAJTS+xJlsndQAJxGJ3KQhfnlms +tn6tn1QwIgPBHnFk/vk4CpYY3QIUrCPLBhwepH2NDd4nQeit2hW3sCPdK6jT2iWH +7ehVRE2I9DZ+hJp4rPcOVkkO1jMl1oRQQmwgEh0q1b688nCBpHBgvgW1m54ERL5h +I6zppSSMEYCUWqKiuUnSwdzRp+0xESyeGabu4VXhwOrPDYTkF7eifKXeVSUG7szA 
+h1xA2syVP1XgNce4hL60Xc16gwFy7ofmXx2utYXGJt/mwZrpHgJHnyqobalbz+xF +d3+YJ5oyXSrjhO7FmGYvliAd3djDJ9ew+f7Zfc3Qn48LFFhRny+Lwzgt3uiP1o2H +pPVWQxaZLPSkVrQ0uGE3ycJYgBugl6H8WY3pEfbRD0tVNEYqi4Y7 +-----END CERTIFICATE----- + +### Actalis S.p.A./03358520967 + +=== /C=IT/L=Milan/O=Actalis S.p.A./03358520967/CN=Actalis Authentication Root CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6271844772424770508 (0x570a119742c4e3cc) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Sep 22 11:22:02 2011 GMT + Not After : Sep 22 11:22:02 2030 GMT + Subject: C=IT, L=Milan, O=Actalis S.p.A./03358520967, CN=Actalis Authentication Root CA + X509v3 extensions: + X509v3 Subject Key Identifier: + 52:D8:88:3A:C8:9F:78:66:ED:89:F3:7B:38:70:94:C9:02:02:36:D0 + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Authority Key Identifier: + keyid:52:D8:88:3A:C8:9F:78:66:ED:89:F3:7B:38:70:94:C9:02:02:36:D0 + + X509v3 Key Usage: critical + Certificate Sign, CRL Sign +SHA1 Fingerprint=F3:73:B3:87:06:5A:28:84:8A:F2:F3:4A:CE:19:2B:DD:C7:8E:9C:AC +SHA256 Fingerprint=55:92:60:84:EC:96:3A:64:B9:6E:2A:BE:01:CE:0B:A8:6A:64:FB:FE:BC:C7:AA:B5:AF:C1:55:B3:7F:D7:60:66 +-----BEGIN CERTIFICATE----- +MIIFuzCCA6OgAwIBAgIIVwoRl0LE48wwDQYJKoZIhvcNAQELBQAwazELMAkGA1UE +BhMCSVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8w +MzM1ODUyMDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290 +IENBMB4XDTExMDkyMjExMjIwMloXDTMwMDkyMjExMjIwMlowazELMAkGA1UEBhMC +SVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8wMzM1 +ODUyMDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290IENB +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp8bEpSmkLO/lGMWwUKNv +UTufClrJwkg4CsIcoBh/kbWHuUA/3R1oHwiD1S0eiKD4j1aPbZkCkpAW1V8IbInX +4ay8IMKx4INRimlNAJZaby/ARH6jDuSRzVju3PvHHkVH3Se5CAGfpiEd9UEtL0z9 +KK3giq0itFZljoZUj5NDKd45RnijMCO6zfB9E1fAXdKDa0hMxKufgFpbOr3JpyI/ +gCczWw63igxdBzcIy2zSekciRDXFzMwujt0q7bd9Zg1fYVEiVRvjRuPjPdA1Yprb +rxTIW6HMiRvhMCb8oJsfgadHHwTrozmSBp+Z07/T6k9QnBn+locePGX2oxgkg4YQ 
+51Q+qDp2JE+BIcXjDwL4k5RHILv+1A7TaLndxHqEguNTVHnd25zS8gebLra8Pu2F +be8lEfKXGkJh90qX6IuxEAf6ZYGyojnP9zz/GPvG8VqLWeICrHuS0E4UT1lF9gxe +KF+w6D9Fz8+vm2/7hNN3WpVvrJSEnu68wEqPSpP4RCHiMUVhUE4Q2OM1fEwZtN4F +v6MGn8i1zeQf1xcGDXqVdFUNaBr8EBtiZJ1t4JWgw5QHVw0U5r0F+7if5t+L4sbn +fpb2U8WANFAoWPASUHEXMLrmeGO89LKtmyuy/uE5jF66CyCU3nuDuP/jVo23Eek7 +jPKxwV2dpAtMK9myGPW1n0sCAwEAAaNjMGEwHQYDVR0OBBYEFFLYiDrIn3hm7Ynz +ezhwlMkCAjbQMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUUtiIOsifeGbt +ifN7OHCUyQICNtAwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAL +e3KHwGCmSUyIWOYdiPcUZEim2FgKDk8TNd81HdTtBjHIgT5q1d07GjLukD0R0i70 +jsNjLiNmsGe+b7bAEzlgqqI0JZN1Ut6nna0Oh4lScWoWPBkdg/iaKWW+9D+a2fDz +WochcYBNy+A4mz+7+uAwTc+G02UQGRjRlwKxK3JCaKygvU5a2hi/a5iB0P2avl4V +SM0RFbnAKVy06Ij3Pjaut2L9HmLecHgQHEhb2rykOLpn7VU+Xlff1ANATIGk0k9j +pwlCCRT8AKnCgHNPLsBA2RF7SOp6AsDT6ygBJlh0wcBzIm2Tlf05fbsq4/aC4yyX +X04fkZT6/iyj2HYauE2yOE+b+h1IYHkm4vP9qdCa6HCPSXrW5b0KDtst842/6+Ok +fcvHlXHo2qN8xcL4dJIEG4aspCJTQLas/kx2z/uUMsA1n3Y/buWQbqCmJqK4LL7R +K4X9p2jIugErsWx0Hbhzlefut8cl8ABMALJ+tguLHPPAUJ4lueAI3jZm/zel0btU +ZCzJJ7VLkn5l/9Mt4blOvH+kQSGQQXemOR/qnuOf0GZvBeyqdn6/axag67XH/JJU +LysRJyU3eExRarDzzFhdFPFqSBX/wge2sY0PjlxQRrM9vwGYT7JZVEc+NHt4bVaT +LnPqZih4zR0Uv6CPLy64Lo7yFIrM6bV8+2ydDKXhlg== +-----END CERTIFICATE----- ### AddTrust AB 
@@ -51,150 +399,487 @@ Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ= -----END CERTIFICATE----- -=== /C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Class 1 CA Root + +### AffirmTrust + +=== /C=US/O=AffirmTrust/CN=AffirmTrust Commercial Certificate: Data: Version: 3 (0x2) - Serial Number: 1 (0x1) + Serial Number: 8608355977964138876 (0x7777062726a9b17c) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jan 29 14:06:06 2010 GMT + Not After : Dec 31 14:06:06 2030 GMT + Subject: C=US, O=AffirmTrust, CN=AffirmTrust Commercial + X509v3 extensions: + X509v3 Subject Key Identifier: + 9D:93:C6:53:8B:5E:CA:AF:3F:9F:1E:0F:E5:99:95:BC:24:F6:94:8F + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign +SHA1 Fingerprint=F9:B5:B6:32:45:5F:9C:BE:EC:57:5F:80:DC:E9:6E:2C:C7:B2:78:B7 +SHA256 Fingerprint=03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7 +-----BEGIN CERTIFICATE----- +MIIDTDCCAjSgAwIBAgIId3cGJyapsXwwDQYJKoZIhvcNAQELBQAwRDELMAkGA1UE +BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVz +dCBDb21tZXJjaWFsMB4XDTEwMDEyOTE0MDYwNloXDTMwMTIzMTE0MDYwNlowRDEL +MAkGA1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZp +cm1UcnVzdCBDb21tZXJjaWFsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEA9htPZwcroRX1BiLLHwGy43NFBkRJLLtJJRTWzsO3qyxPxkEylFf6EqdbDuKP +Hx6GGaeqtS25Xw2Kwq+FNXkyLbscYjfysVtKPcrNcV/pQr6U6Mje+SJIZMblq8Yr +ba0F8PrVC8+a5fBQpIs7R6UjW3p6+DM/uO+Zl+MgwdYoic+U+7lF7eNAFxHUdPAL +MeIrJmqbTFeurCA+ukV6BfO9m2kVrn1OIGPENXY6BwLJN/3HR+7o8XYdcxXyl6S1 +yHp52UKqK39c/s4mT6NmgTWvRLpUHhwwMmWd5jyTXlBOeuM61G7MGvv50jeuJCqr +VwMiKA1JdX+3KNp1v47j3A55MQIDAQABo0IwQDAdBgNVHQ4EFgQUnZPGU4teyq8/ +nx4P5ZmVvCT2lI8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJ +KoZIhvcNAQELBQADggEBAFis9AQOzcAN/wr91LoWXym9e2iZWEnStB03TX8nfUYG 
+XUPGhi4+c7ImfU+TqbbEKpqrIZcUsd6M06uJFdhrJNTxFq7YpFzUf1GO7RgBsZNj +vbz4YYCanrHOQnDiqX0GJX0nof5v7LMeJNrjS1UaADs1tDvZ110w/YETifLCBivt +Z8SOyUOyXGsViQK8YvxO8rUzqrJv0wqiUOP2O+guRMLbZjipM1ZI8W0bM40NjD9g +N53Tym1+NH4Nn3J2ixufcv1SNUFFApYvHLKac0khsUlHRUe072o0EclNmsxZt9YC +nlpOZbWUrhvfKbAW8b8Angc6F2S1BLUjIZkKlTuXfO8= +-----END CERTIFICATE----- +=== /C=US/O=AffirmTrust/CN=AffirmTrust Networking +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8957382827206547757 (0x7c4f04391cd4992d) Signature Algorithm: sha1WithRSAEncryption Validity - Not Before: May 30 10:38:31 2000 GMT - Not After : May 30 10:38:31 2020 GMT - Subject: C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Class 1 CA Root + Not Before: Jan 29 14:08:24 2010 GMT + Not After : Dec 31 14:08:24 2030 GMT + Subject: C=US, O=AffirmTrust, CN=AffirmTrust Networking X509v3 extensions: X509v3 Subject Key Identifier: - 95:B1:B4:F0:94:B6:BD:C7:DA:D1:11:09:21:BE:C1:AF:49:FD:10:7B - X509v3 Key Usage: + 07:1F:D2:E7:9C:DA:C2:6E:A2:40:B4:B0:7A:50:10:50:74:C4:C8:BD + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical Certificate Sign, CRL Sign +SHA1 Fingerprint=29:36:21:02:8B:20:ED:02:F5:66:C5:32:D1:D6:ED:90:9F:45:00:2F +SHA256 Fingerprint=0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0:B4:1B +-----BEGIN CERTIFICATE----- +MIIDTDCCAjSgAwIBAgIIfE8EORzUmS0wDQYJKoZIhvcNAQEFBQAwRDELMAkGA1UE +BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVz +dCBOZXR3b3JraW5nMB4XDTEwMDEyOTE0MDgyNFoXDTMwMTIzMTE0MDgyNFowRDEL +MAkGA1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZp +cm1UcnVzdCBOZXR3b3JraW5nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAtITMMxcua5Rsa2FSoOujz3mUTOWUgJnLVWREZY9nZOIG41w3SfYvm4SEHi3y +YJ0wTsyEheIszx6e/jarM3c1RNg1lho9Nuh6DtjVR6FqaYvZ/Ls6rnla1fTWcbua +kCNrmreIdIcMHl+5ni36q1Mr3Lt2PpNMCAiMHqIjHNRqrSK6mQEubWXLviRmVSRL +QESxG9fhwoXA3hA/Pe24/PHxI1Pcv2WXb9n5QHGNfb2V1M6+oF4nI979ptAmDgAp 
+6zxG8D1gvz9Q0twmQVGeFDdCBKNwV6gbh+0t+nvujArjqWaJGctB+d1ENmHP4ndG +yH329JKBNv3bNPFyfvMMFr20FQIDAQABo0IwQDAdBgNVHQ4EFgQUBx/S55zawm6i +QLSwelAQUHTEyL0wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJ +KoZIhvcNAQEFBQADggEBAIlXshZ6qML91tmbmzTCnLQyFE2npN/svqe++EPbkTfO +tDIuUFUaNU52Q3Eg75N3ThVwLofDwR1t3Mu1J9QsVtFSUzpE0nPIxBsFZVpikpzu +QY0x2+c06lkh1QF612S4ZDnNye2v7UsDSKegmQGA3GWjNq5lWUhPgkvIZfFXHeVZ +Lgo/bNjR9eUJtGxUAArgFU2HdW23WJZa3W3SAKD0m0i+wzekujbgfIeFlxoVot4u +olu9rxj5kFDNcFn4J2dHy8egBzp90SxdbBk6ZrV9/ZFvgrG+CJPbFEfxojfHRZ48 +x3evZKiT3/Zpg4Jg8klCNO1aAFSFHBY2kgxc+qatv9s= +-----END CERTIFICATE----- +=== /C=US/O=AffirmTrust/CN=AffirmTrust Premium +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7893706540734352110 (0x6d8c1446b1a60aee) + Signature Algorithm: sha384WithRSAEncryption + Validity + Not Before: Jan 29 14:10:36 2010 GMT + Not After : Dec 31 14:10:36 2040 GMT + Subject: C=US, O=AffirmTrust, CN=AffirmTrust Premium + X509v3 extensions: + X509v3 Subject Key Identifier: + 9D:C0:67:A6:0C:22:D9:26:F5:45:AB:A6:65:52:11:27:D8:45:AC:63 X509v3 Basic Constraints: critical CA:TRUE - X509v3 Authority Key Identifier: - keyid:95:B1:B4:F0:94:B6:BD:C7:DA:D1:11:09:21:BE:C1:AF:49:FD:10:7B - DirName:/C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Class 1 CA Root - serial:01 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign +SHA1 Fingerprint=D8:A6:33:2C:E0:03:6F:B1:85:F6:63:4F:7D:6A:06:65:26:32:28:27 +SHA256 Fingerprint=70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A +-----BEGIN CERTIFICATE----- +MIIFRjCCAy6gAwIBAgIIbYwURrGmCu4wDQYJKoZIhvcNAQEMBQAwQTELMAkGA1UE +BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MRwwGgYDVQQDDBNBZmZpcm1UcnVz +dCBQcmVtaXVtMB4XDTEwMDEyOTE0MTAzNloXDTQwMTIzMTE0MTAzNlowQTELMAkG +A1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MRwwGgYDVQQDDBNBZmZpcm1U +cnVzdCBQcmVtaXVtMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxBLf +qV/+Qd3d9Z+K4/as4Tx4mrzY8H96oDMq3I0gW64tb+eT2TZwamjPjlGjhVtnBKAQ 
+JG9dKILBl1fYSCkTtuG+kU3fhQxTGJoeJKJPj/CihQvL9Cl/0qRY7iZNyaqoe5rZ ++jjeRFcV5fiMyNlI4g0WJx0eyIOFJbe6qlVBzAMiSy2RjYvmia9mx+n/K+k8rNrS +s8PhaJyJ+HoAVt70VZVs+7pk3WKL3wt3MutizCaam7uqYoNMtAZ6MMgpv+0GTZe5 +HMQxK9VfvFMSF5yZVylmd2EhMQcuJUmdGPLu8ytxjLW6OQdJd/zvLpKQBY0tL3d7 +70O/Nbua2Plzpyzy0FfuKE4mX4+QaAkvuPjcBukumj5Rp9EixAqnOEhss/n/fauG +V+O61oV4d7pD6kh/9ti+I20ev9E2bFhc8e6kGVQa9QPSdubhjL08s9NIS+LI+H+S +qHZGnEJlPqQewQcDWkYtuJfzt9WyVSHvutxMAJf7FJUnM7/oQ0dG0giZFmA7mn7S +5u046uwBHjxIVkkJx0w3AJ6IDsBz4W9m6XJHMD4Q5QsDyZpCAGzFlH5hxIrff4Ia +C1nEWTJ3s7xgaVY5/bQGeyzWZDbZvUjthB9+pSKPKrhC9IK31FOQeE4tGv2Bb0TX +OwF0lkLgAOIua+rF7nKsu7/+6qqo+Nz2snmKtmcCAwEAAaNCMEAwHQYDVR0OBBYE +FJ3AZ6YMItkm9UWrpmVSESfYRaxjMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/ +BAQDAgEGMA0GCSqGSIb3DQEBDAUAA4ICAQCzV00QYk465KzquByvMiPIs0laUZx2 +KI15qldGF9X1Uva3ROgIRL8YhNILgM3FEv0AVQVhh0HctSSePMTYyPtwni94loMg +Nt58D2kTiKV1NpgIpsbfrM7jWNa3Pt668+s0QNiigfV4Py/VpfzZotReBA4Xrf5B +8OWycvpEgjNC6C1Y91aMYj+6QrCcDFx+LmUmXFNPALJ4fqENmS2NuB2OosSw/WDQ +MKSOyARiqcTtNd56l+0OOF6SL5Nwpamcb6d9Ex1+xghIsV5n61EIJenmJWtSKZGc +0jlzCFfemQa0W50QBuHCAKi4HEoCChTQwUHK+4w1IX2COPKpVJEZNZOUbWo6xbLQ +u4mGk+ibyQ86p3q4ofB4Rvr8Ny/lioTz3/4E2aFooC8k4gmVBtWVyuEklut89pMF +u+1z6S3RdTnX5yTb2E5fQ4+e0BQ5v1VwSJlXMbSc7kqYA5YwH2AG7hsj/oFgIxpH +YoWlzBk0gG+zrBrjn/B7SK3VAdlntqlyk+otZrWyuOQ9PLLvTIzq6we/qzWaVYa8 +GKa1qF60g2xraUDTn9zxw2lrueFtCfTxqlB2Cnp9ehehVZZCmTEJ3WARjQUwfuaO +RtGdFNrHF+QFlozEJLUbzxQHskD4o55BhrwE0GuWyCqANP2/7waj3VjFhT0+j/6e +KeC2uAloGRwYQw== +-----END CERTIFICATE----- +=== /C=US/O=AffirmTrust/CN=AffirmTrust Premium ECC +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8401224907861490260 (0x7497258ac73f7a54) + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Jan 29 14:20:24 2010 GMT + Not After : Dec 31 14:20:24 2040 GMT + Subject: C=US, O=AffirmTrust, CN=AffirmTrust Premium ECC + X509v3 extensions: + X509v3 Subject Key Identifier: + 9A:AF:29:7A:C0:11:35:35:26:51:30:00:C3:6A:FE:40:D5:AE:D6:3C + X509v3 Basic Constraints: critical + CA:TRUE 
+ X509v3 Key Usage: critical + Certificate Sign, CRL Sign +SHA1 Fingerprint=B8:23:6B:00:2F:1D:16:86:53:01:55:6C:11:A4:37:CA:EB:FF:C3:BB +SHA256 Fingerprint=BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23 +-----BEGIN CERTIFICATE----- +MIIB/jCCAYWgAwIBAgIIdJclisc/elQwCgYIKoZIzj0EAwMwRTELMAkGA1UEBhMC +VVMxFDASBgNVBAoMC0FmZmlybVRydXN0MSAwHgYDVQQDDBdBZmZpcm1UcnVzdCBQ +cmVtaXVtIEVDQzAeFw0xMDAxMjkxNDIwMjRaFw00MDEyMzExNDIwMjRaMEUxCzAJ +BgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEgMB4GA1UEAwwXQWZmaXJt +VHJ1c3QgUHJlbWl1bSBFQ0MwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNMF4bFZ0D +0KF5Nbc6PJJ6yhUczWLznCZcBz3lVPqj1swS6vQUX+iOGasvLkjmrBhDeKzQN8O9 +ss0s5kfiGuZjuD0uL3jET9v0D6RoTFVya5UdThhClXjMNzyR4ptlKymjQjBAMB0G +A1UdDgQWBBSaryl6wBE1NSZRMADDav5A1a7WPDAPBgNVHRMBAf8EBTADAQH/MA4G +A1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNnADBkAjAXCfOHiFBar8jAQr9HX/Vs +aobgxCd05DhT1wV/GzTjxi+zygk8N53X57hG8f2h4nECMEJZh0PUUd+60wkyWs6I +flc9nF9Ca/UHLbXwgpP5WW+uZPpY5Yse42O+tYHNbwKMeQ== +-----END CERTIFICATE----- -SHA1 Fingerprint=CC:AB:0E:A0:4C:23:01:D6:69:7B:DD:37:9F:CD:12:EB:24:E3:94:9D -SHA256 Fingerprint=8C:72:09:27:9A:C0:4E:27:5E:16:D0:7F:D3:B7:75:E8:01:54:B5:96:80:46:E3:1F:52:DD:25:76:63:24:E9:A7 ------BEGIN CERTIFICATE----- -MIIEGDCCAwCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBlMQswCQYDVQQGEwJTRTEU -MBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3 -b3JrMSEwHwYDVQQDExhBZGRUcnVzdCBDbGFzcyAxIENBIFJvb3QwHhcNMDAwNTMw -MTAzODMxWhcNMjAwNTMwMTAzODMxWjBlMQswCQYDVQQGEwJTRTEUMBIGA1UEChML -QWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3b3JrMSEwHwYD -VQQDExhBZGRUcnVzdCBDbGFzcyAxIENBIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUA -A4IBDwAwggEKAoIBAQCWltQhSWDia+hBBwzexODcEyPNwTXH+9ZOEQpnXvUGW2ul -CDtbKRY654eyNAbFvAWlA3yCyykQruGIgb3WntP+LVbBFc7jJp0VLhD7Bo8wBN6n -tGO0/7Gcrjyvd7ZWxbWroulpOj0OM3kyP3CCkplhbY0wCI9xP6ZIVxn4JdxLZlyl -dI+Yrsj5wAYi56xz36Uu+1LcsRVlIPo1Zmne3yzxbrww2ywkEtvrNTVokMsAsJch -PXQhI2U0K7t4WaPW4XY5mqRJjox0r26kmqPZm9I4XJuiGMx1I4S+6+JNM3GOGvDC 
-+Mcdoq0Dlyz4zyXG9rgkMbFjXZJ/Y/AlyVMuH79NAgMBAAGjgdIwgc8wHQYDVR0O -BBYEFJWxtPCUtr3H2tERCSG+wa9J/RB7MAsGA1UdDwQEAwIBBjAPBgNVHRMBAf8E -BTADAQH/MIGPBgNVHSMEgYcwgYSAFJWxtPCUtr3H2tERCSG+wa9J/RB7oWmkZzBl -MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFk -ZFRydXN0IFRUUCBOZXR3b3JrMSEwHwYDVQQDExhBZGRUcnVzdCBDbGFzcyAxIENB -IFJvb3SCAQEwDQYJKoZIhvcNAQEFBQADggEBACxtZBsfzQ3duQH6lmM0MkhHma6X -7f1yFqZzR1r0693p9db7RcwpiURdv0Y5PejuvE1Uhh4dbOMXJ0PhiVYrqW9yTkkz -43J8KiOavD7/KCrto/8cI7pDVwlnTUtiBi34/2ydYB7YHEt9tTEv2dB8Xfjea4MY -eDdXL+gzB2ffHsdrKpV2ro9Xo/D0UrSpUwjP4E/TelOL/bscVjby/rK25Xa71SJl -pz/+0WatC7xrmYbvP33zGDLKe8bjq2RGlfgmadlVg3sslgf/WSxEo8bl6ancoWOA -WiFeIc9TVPC6b4nbqKqVz4vjccweGyBECMB6tkD9xOQ14R0WHNC8K47Wcdk= ------END CERTIFICATE----- -=== /C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Public CA Root +### Agencia Catalana de Certificacio (NIF Q-0801176-I) + +=== /C=ES/O=Agencia Catalana de Certificacio (NIF Q-0801176-I)/OU=Serveis Publics de Certificacio/OU=Vegeu https://www.catcert.net/verarrel (c)03/OU=Jerarquia Entitats de Certificacio Catalanes/CN=EC-ACC Certificate: Data: Version: 3 (0x2) - Serial Number: 1 (0x1) + Serial Number: + (Negative)11:d4:c2:14:2b:de:21:eb:57:9d:53:fb:0c:22:3b:ff Signature Algorithm: sha1WithRSAEncryption Validity - Not Before: May 30 10:41:50 2000 GMT - Not After : May 30 10:41:50 2020 GMT - Subject: C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Public CA Root + Not Before: Jan 7 23:00:00 2003 GMT + Not After : Jan 7 22:59:59 2031 GMT + Subject: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC X509v3 extensions: - X509v3 Subject Key Identifier: - 81:3E:37:D8:92:B0:1F:77:9F:5C:B4:AB:73:AA:E7:F6:34:60:2F:FA - X509v3 Key Usage: + X509v3 Subject Alternative Name: + email:ec_acc@catcert.net + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: 
critical Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + A0:C3:8B:44:AA:37:A5:45:BF:97:80:5A:D1:F1:78:A2:9B:E9:5D:8D + X509v3 Certificate Policies: + Policy: 1.3.6.1.4.1.15096.1.3.1.10 + CPS: https://www.catcert.net/verarrel + User Notice: + Explicit Text: Vegeu https://www.catcert.net/verarrel + +SHA1 Fingerprint=28:90:3A:63:5B:52:80:FA:E6:77:4C:0B:6D:A7:D6:BA:A6:4A:F2:E8 +SHA256 Fingerprint=88:49:7F:01:60:2F:31:54:24:6A:E2:8C:4D:5A:EF:10:F1:D8:7E:BB:76:62:6F:4A:E0:B7:F9:5B:A7:96:87:99 +-----BEGIN CERTIFICATE----- +MIIFVjCCBD6gAwIBAgIQ7is969Qh3hSoYqwE893EATANBgkqhkiG9w0BAQUFADCB +8zELMAkGA1UEBhMCRVMxOzA5BgNVBAoTMkFnZW5jaWEgQ2F0YWxhbmEgZGUgQ2Vy +dGlmaWNhY2lvIChOSUYgUS0wODAxMTc2LUkpMSgwJgYDVQQLEx9TZXJ2ZWlzIFB1 +YmxpY3MgZGUgQ2VydGlmaWNhY2lvMTUwMwYDVQQLEyxWZWdldSBodHRwczovL3d3 +dy5jYXRjZXJ0Lm5ldC92ZXJhcnJlbCAoYykwMzE1MDMGA1UECxMsSmVyYXJxdWlh +IEVudGl0YXRzIGRlIENlcnRpZmljYWNpbyBDYXRhbGFuZXMxDzANBgNVBAMTBkVD +LUFDQzAeFw0wMzAxMDcyMzAwMDBaFw0zMTAxMDcyMjU5NTlaMIHzMQswCQYDVQQG +EwJFUzE7MDkGA1UEChMyQWdlbmNpYSBDYXRhbGFuYSBkZSBDZXJ0aWZpY2FjaW8g +KE5JRiBRLTA4MDExNzYtSSkxKDAmBgNVBAsTH1NlcnZlaXMgUHVibGljcyBkZSBD +ZXJ0aWZpY2FjaW8xNTAzBgNVBAsTLFZlZ2V1IGh0dHBzOi8vd3d3LmNhdGNlcnQu +bmV0L3ZlcmFycmVsIChjKTAzMTUwMwYDVQQLEyxKZXJhcnF1aWEgRW50aXRhdHMg +ZGUgQ2VydGlmaWNhY2lvIENhdGFsYW5lczEPMA0GA1UEAxMGRUMtQUNDMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsyLHT+KXQpWIR4NA9h0X84NzJB5R +85iKw5K4/0CQBXCHYMkAqbWUZRkiFRfCQ2xmRJoNBD45b6VLeqpjt4pEndljkYRm +4CgPukLjbo73FCeTae6RDqNfDrHrZqJyTxIThmV6PttPB/SnCWDaOkKZx7J/sxaV +HMf5NLWUhdWZXqBIoH7nF2W4onW4HvPlQn2v7fOKSGRdghST2MDk/7NQcvJ29rNd +QlB50JQ+awwAvthrDk4q7D7SzIKiGGUzE3eeml0aE9jD2z3Il3rucO2n5nzbcc8t +lGLfbdb1OL4/pYUKGbio2Al1QnDE6u/LDsg0qBIimAy4E5S2S+zw0JDnJwIDAQAB +o4HjMIHgMB0GA1UdEQQWMBSBEmVjX2FjY0BjYXRjZXJ0Lm5ldDAPBgNVHRMBAf8E +BTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUoMOLRKo3pUW/l4Ba0fF4 +opvpXY0wfwYDVR0gBHgwdjB0BgsrBgEEAfV4AQMBCjBlMCwGCCsGAQUFBwIBFiBo +dHRwczovL3d3dy5jYXRjZXJ0Lm5ldC92ZXJhcnJlbDA1BggrBgEFBQcCAjApGidW 
+ZWdldSBodHRwczovL3d3dy5jYXRjZXJ0Lm5ldC92ZXJhcnJlbCAwDQYJKoZIhvcN +AQEFBQADggEBAKBIW4IB9k1IuDlVNZyAelOZ1Vr/sXE7zDkJlF7W2u++AVtd0x7Y +/X1PzaBB4DSTv8vihpw3kpBWHNzrKQXlxJ7HNd+KDM3FIUPpqojlNcAZQmNaAl6k +SBg6hW/cnbw/nZzBh7h6YQjpdwt/cKt63dmXLGQehb+8dJahw3oS7AwaboMMPOhy +Rp/7SNVel+axofjk70YllJyJ22k4vuxcDlbHZVHlUIiIv0LVKz3l+bqeLrPK9HOS +Agu+TGbrIP65y7WZf+a2E/rKS03Z7lNGBjvGTq2TWoF+bCpLagVFjPIhpDGQh2xl +nJ2lYJU6Un/10asIbvPuW/mIPX64b24D5EI= +-----END CERTIFICATE----- + +### Amazon + +=== /C=US/O=Amazon/CN=Amazon Root CA 1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 06:6c:9f:cf:99:bf:8c:0a:39:e2:f0:78:8a:43:e6:96:36:5b:ca + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: May 26 00:00:00 2015 GMT + Not After : Jan 17 00:00:00 2038 GMT + Subject: C=US, O=Amazon, CN=Amazon Root CA 1 + X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE - X509v3 Authority Key Identifier: - keyid:81:3E:37:D8:92:B0:1F:77:9F:5C:B4:AB:73:AA:E7:F6:34:60:2F:FA - DirName:/C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Public CA Root - serial:01 + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 84:18:CC:85:34:EC:BC:0C:94:94:2E:08:59:9C:C7:B2:10:4E:0A:08 +SHA1 Fingerprint=8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16 +SHA256 Fingerprint=8E:CD:E6:88:4F:3D:87:B1:12:5B:A3:1A:C3:FC:B1:3D:70:16:DE:7F:57:CC:90:4F:E1:CB:97:C6:AE:98:19:6E +-----BEGIN CERTIFICATE----- +MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF +ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6 +b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL +MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv +b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj +ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM +9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw +IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6 
+VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L +93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm +jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA +A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI +U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs +N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv +o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU +5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy +rqXRfboQnoZsG4q5WTP468SQvvG5 +-----END CERTIFICATE----- +=== /C=US/O=Amazon/CN=Amazon Root CA 2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 06:6c:9f:d2:96:35:86:9f:0a:0f:e5:86:78:f8:5b:26:bb:8a:37 + Signature Algorithm: sha384WithRSAEncryption + Validity + Not Before: May 26 00:00:00 2015 GMT + Not After : May 26 00:00:00 2040 GMT + Subject: C=US, O=Amazon, CN=Amazon Root CA 2 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + B0:0C:F0:4C:30:F4:05:58:02:48:FD:33:E5:52:AF:4B:84:E3:66:52 +SHA1 Fingerprint=5A:8C:EF:45:D7:A6:98:59:76:7A:8C:8B:44:96:B5:78:CF:47:4B:1A +SHA256 Fingerprint=1B:A5:B2:AA:8C:65:40:1A:82:96:01:18:F8:0B:EC:4F:62:30:4D:83:CE:C4:71:3A:19:C3:9C:01:1E:A4:6D:B4 +-----BEGIN CERTIFICATE----- +MIIFQTCCAymgAwIBAgITBmyf0pY1hp8KD+WGePhbJruKNzANBgkqhkiG9w0BAQwF +ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6 +b24gUm9vdCBDQSAyMB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTEL +MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv +b3QgQ0EgMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK2Wny2cSkxK +gXlRmeyKy2tgURO8TW0G/LAIjd0ZEGrHJgw12MBvIITplLGbhQPDW9tK6Mj4kHbZ +W0/jTOgGNk3Mmqw9DJArktQGGWCsN0R5hYGCrVo34A3MnaZMUnbqQ523BNFQ9lXg +1dKmSYXpN+nKfq5clU1Imj+uIFptiJXZNLhSGkOQsL9sBbm2eLfq0OQ6PBJTYv9K 
+8nu+NQWpEjTj82R0Yiw9AElaKP4yRLuH3WUnAnE72kr3H9rN9yFVkE8P7K6C4Z9r +2UXTu/Bfh+08LDmG2j/e7HJV63mjrdvdfLC6HM783k81ds8P+HgfajZRRidhW+me +z/CiVX18JYpvL7TFz4QuK/0NURBs+18bvBt+xa47mAExkv8LV/SasrlX6avvDXbR +8O70zoan4G7ptGmh32n2M8ZpLpcTnqWHsFcQgTfJU7O7f/aS0ZzQGPSSbtqDT6Zj +mUyl+17vIWR6IF9sZIUVyzfpYgwLKhbcAS4y2j5L9Z469hdAlO+ekQiG+r5jqFoz +7Mt0Q5X5bGlSNscpb/xVA1wf+5+9R+vnSUeVC06JIglJ4PVhHvG/LopyboBZ/1c6 ++XUyo05f7O0oYtlNc/LMgRdg7c3r3NunysV+Ar3yVAhU/bQtCSwXVEqY0VThUWcI +0u1ufm8/0i2BWSlmy5A5lREedCf+3euvAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMB +Af8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBSwDPBMMPQFWAJI/TPlUq9LhONm +UjANBgkqhkiG9w0BAQwFAAOCAgEAqqiAjw54o+Ci1M3m9Zh6O+oAA7CXDpO8Wqj2 +LIxyh6mx/H9z/WNxeKWHWc8w4Q0QshNabYL1auaAn6AFC2jkR2vHat+2/XcycuUY ++gn0oJMsXdKMdYV2ZZAMA3m3MSNjrXiDCYZohMr/+c8mmpJ5581LxedhpxfL86kS +k5Nrp+gvU5LEYFiwzAJRGFuFjWJZY7attN6a+yb3ACfAXVU3dJnJUH/jWS5E4ywl +7uxMMne0nxrpS10gxdr9HIcWxkPo1LsmmkVwXqkLN1PiRnsn/eBG8om3zEK2yygm +btmlyTrIQRNg91CMFa6ybRoVGld45pIq2WWQgj9sAq+uEjonljYE1x2igGOpm/Hl +urR8FLBOybEfdF849lHqm/osohHUqS0nGkWxr7JOcQ3AWEbWaQbLU8uz/mtBzUF+ +fUwPfHJ5elnNXkoOrJupmHN5fLT0zLm4BwyydFy4x2+IoZCn9Kr5v2c69BoVYh63 +n749sSmvZ6ES8lgQGVMDMBu4Gon2nL2XA46jCfMdiyHxtN/kHNGfZQIG6lzWE7OE +76KlXIx3KadowGuuQNKotOrN8I1LOJwZmhsoVLiJkO/KdYE+HvJkJMcYr07/R54H +9jVlpNMKVv/1F2Rs76giJUmTtt8AF9pYfl3uxRuw0dFfIRDH+fO6AgonB8Xx1sfT +4PsJYGw= +-----END CERTIFICATE----- +=== /C=US/O=Amazon/CN=Amazon Root CA 3 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 06:6c:9f:d5:74:97:36:66:3f:3b:0b:9a:d9:e8:9e:76:03:f2:4a + Signature Algorithm: ecdsa-with-SHA256 + Validity + Not Before: May 26 00:00:00 2015 GMT + Not After : May 26 00:00:00 2040 GMT + Subject: C=US, O=Amazon, CN=Amazon Root CA 3 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + AB:B6:DB:D7:06:9E:37:AC:30:86:07:91:70:C7:9C:C4:19:B1:78:C0 +SHA1 
Fingerprint=0D:44:DD:8C:3C:8C:1A:1A:58:75:64:81:E9:0F:2E:2A:FF:B3:D2:6E +SHA256 Fingerprint=18:CE:6C:FE:7B:F1:4E:60:B2:E3:47:B8:DF:E8:68:CB:31:D0:2E:BB:3A:DA:27:15:69:F5:03:43:B4:6D:B3:A4 +-----BEGIN CERTIFICATE----- +MIIBtjCCAVugAwIBAgITBmyf1XSXNmY/Owua2eiedgPySjAKBggqhkjOPQQDAjA5 +MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24g +Um9vdCBDQSAzMB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkG +A1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3Qg +Q0EgMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCmXp8ZBf8ANm+gBG1bG8lKl +ui2yEujSLtf6ycXYqm0fc4E7O5hrOXwzpcVOho6AF2hiRVd9RFgdszflZwjrZt6j +QjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBSr +ttvXBp43rDCGB5Fwx5zEGbF4wDAKBggqhkjOPQQDAgNJADBGAiEA4IWSoxe3jfkr +BqWTrBqYaGFy+uGh0PsceGCmQ5nFuMQCIQCcAu/xlJyzlvnrxir4tiz+OpAUFteM +YyRIHN8wfdVoOw== +-----END CERTIFICATE----- +=== /C=US/O=Amazon/CN=Amazon Root CA 4 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 06:6c:9f:d7:c1:bb:10:4c:29:43:e5:71:7b:7b:2c:c8:1a:c1:0e + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: May 26 00:00:00 2015 GMT + Not After : May 26 00:00:00 2040 GMT + Subject: C=US, O=Amazon, CN=Amazon Root CA 4 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + D3:EC:C7:3A:65:6E:CC:E1:DA:76:9A:56:FB:9C:F3:86:6D:57:E5:81 +SHA1 Fingerprint=F6:10:84:07:D6:F8:BB:67:98:0C:C2:E2:44:C2:EB:AE:1C:EF:63:BE +SHA256 Fingerprint=E3:5D:28:41:9E:D0:20:25:CF:A6:90:38:CD:62:39:62:45:8D:A5:C6:95:FB:DE:A3:C2:2B:0B:FB:25:89:70:92 +-----BEGIN CERTIFICATE----- +MIIB8jCCAXigAwIBAgITBmyf18G7EEwpQ+Vxe3ssyBrBDjAKBggqhkjOPQQDAzA5 +MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24g +Um9vdCBDQSA0MB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkG +A1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3Qg +Q0EgNDB2MBAGByqGSM49AgEGBSuBBAAiA2IABNKrijdPo1MN/sGKe0uoe0ZLY7Bi 
+9i0b2whxIdIA6GO9mif78DluXeo9pcmBqqNbIJhFXRbb/egQbeOc4OO9X4Ri83Bk +M6DLJC9wuoihKqB1+IGuYgbEgds5bimwHvouXKNCMEAwDwYDVR0TAQH/BAUwAwEB +/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFNPsxzplbszh2naaVvuc84ZtV+WB +MAoGCCqGSM49BAMDA2gAMGUCMDqLIfG9fhGt0O9Yli/W651+kI0rz2ZVwyzjKKlw +CkcO8DdZEv8tmZQoTipPNU0zWgIxAOp1AE47xDqUEpHJWEadIRNyp4iciuRMStuW +1KyLa2tJElMzrdfkviT8tQp21KW8EA== +-----END CERTIFICATE----- + +### AS Sertifitseerimiskeskus -SHA1 Fingerprint=2A:B6:28:48:5E:78:FB:F3:AD:9E:79:10:DD:6B:DF:99:72:2C:96:E5 -SHA256 Fingerprint=07:91:CA:07:49:B2:07:82:AA:D3:C7:D7:BD:0C:DF:C9:48:58:35:84:3E:B2:D7:99:60:09:CE:43:AB:6C:69:27 ------BEGIN CERTIFICATE----- -MIIEFTCCAv2gAwIBAgIBATANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJTRTEU -MBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3 -b3JrMSAwHgYDVQQDExdBZGRUcnVzdCBQdWJsaWMgQ0EgUm9vdDAeFw0wMDA1MzAx -MDQxNTBaFw0yMDA1MzAxMDQxNTBaMGQxCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtB -ZGRUcnVzdCBBQjEdMBsGA1UECxMUQWRkVHJ1c3QgVFRQIE5ldHdvcmsxIDAeBgNV -BAMTF0FkZFRydXN0IFB1YmxpYyBDQSBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEA6Rowj4OIFMEg2Dybjxt+A3S72mnTRqX4jsIMEZBRpS9mVEBV -6tsfSlbunyNu9DnLoblv8n75XYcmYZ4c+OLspoH4IcUkzBEMP9smcnrHAZcHF/nX -GCwwfQ56HmIexkvA/X1id9NEHif2P0tEs7c42TkfYNVRknMDtABp4/MUTu7R3AnP -dzRGULD4EfL+OHn3Bzn+UZKXC1sIXzSGAa2Il+tmzV7R/9x98oTaunet3IAIx6eH -1lWfl2royBFkuucZKT8Rs3iQhCBSWxHveNCD9tVIkNAwHM+A+WD+eeSI8t0A65RF -62WUaUC6wNW0uLp9BBGo6zEFlpROWCGOn9Bg/QIDAQABo4HRMIHOMB0GA1UdDgQW -BBSBPjfYkrAfd59ctKtzquf2NGAv+jALBgNVHQ8EBAMCAQYwDwYDVR0TAQH/BAUw -AwEB/zCBjgYDVR0jBIGGMIGDgBSBPjfYkrAfd59ctKtzquf2NGAv+qFopGYwZDEL -MAkGA1UEBhMCU0UxFDASBgNVBAoTC0FkZFRydXN0IEFCMR0wGwYDVQQLExRBZGRU -cnVzdCBUVFAgTmV0d29yazEgMB4GA1UEAxMXQWRkVHJ1c3QgUHVibGljIENBIFJv -b3SCAQEwDQYJKoZIhvcNAQEFBQADggEBAAP3FUr4JNojVhaTdt02KLmuG7jD8WS6 -IBh4lSknVwW8fCr0uVFV2ocC3g8WFzH4qnkuCRO7r7IgGRLlk/lL+YPoRNWyQSW/ -iHVv/xD8SlTQX/D67zZzfRs2RcYhbbQVuE7PnFylPVoAjgbjPGsye/Kf8Lb93/Ao -GEjwxrzQvzSAlsJKsW2Ox5BF3i9nrEUEo3rcVZLJR2bYGozH7ZxOmuASu7VqTITh 
-4SINhwBk/ox9Yjllpu9CtoAlEmEBqCQTcAARJl/6NVDFSMwGR+gn2HCNX2TmoUQm -XiLsks3/QppEIW1cxeMiHV9HEufOX1362KqxMy3ZdvJOOjMMK7MtkAY= ------END CERTIFICATE----- -=== /C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Qualified CA Root +=== /C=EE/O=AS Sertifitseerimiskeskus/CN=EE Certification Centre Root CA/emailAddress=pki@sk.ee Certificate: Data: Version: 3 (0x2) - Serial Number: 1 (0x1) + Serial Number: + 54:80:f9:a0:73:ed:3f:00:4c:ca:89:d8:e3:71:e6:4a Signature Algorithm: sha1WithRSAEncryption Validity - Not Before: May 30 10:44:50 2000 GMT - Not After : May 30 10:44:50 2020 GMT - Subject: C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Qualified CA Root + Not Before: Oct 30 10:10:30 2010 GMT + Not After : Dec 17 23:59:59 2030 GMT + Subject: C=EE, O=AS Sertifitseerimiskeskus, CN=EE Certification Centre Root CA/emailAddress=pki@sk.ee X509v3 extensions: - X509v3 Subject Key Identifier: - 39:95:8B:62:8B:5C:C9:D4:80:BA:58:0F:97:3F:15:08:43:CC:98:A7 - X509v3 Key Usage: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 12:F2:5A:3E:EA:56:1C:BF:CD:06:AC:F1:F1:25:C9:A9:4B:D4:14:99 + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication, Code Signing, E-mail Protection, Time Stamping, OCSP Signing +SHA1 Fingerprint=C9:A8:B9:E7:55:80:5E:58:E3:53:77:A7:25:EB:AF:C3:7B:27:CC:D7 +SHA256 Fingerprint=3E:84:BA:43:42:90:85:16:E7:75:73:C0:99:2F:09:79:CA:08:4E:46:85:68:1F:F1:95:CC:BA:8A:22:9B:8A:76 +-----BEGIN CERTIFICATE----- +MIIEAzCCAuugAwIBAgIQVID5oHPtPwBMyonY43HmSjANBgkqhkiG9w0BAQUFADB1 +MQswCQYDVQQGEwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1 +czEoMCYGA1UEAwwfRUUgQ2VydGlmaWNhdGlvbiBDZW50cmUgUm9vdCBDQTEYMBYG +CSqGSIb3DQEJARYJcGtpQHNrLmVlMCIYDzIwMTAxMDMwMTAxMDMwWhgPMjAzMDEy +MTcyMzU5NTlaMHUxCzAJBgNVBAYTAkVFMSIwIAYDVQQKDBlBUyBTZXJ0aWZpdHNl +ZXJpbWlza2Vza3VzMSgwJgYDVQQDDB9FRSBDZXJ0aWZpY2F0aW9uIENlbnRyZSBS 
+b290IENBMRgwFgYJKoZIhvcNAQkBFglwa2lAc2suZWUwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDIIMDs4MVLqwd4lfNE7vsLDP90jmG7sWLqI9iroWUy +euuOF0+W2Ap7kaJjbMeMTC55v6kF/GlclY1i+blw7cNRfdCT5mzrMEvhvH2/UpvO +bntl8jixwKIy72KyaOBhU8E2lf/slLo2rpwcpzIP5Xy0xm90/XsY6KxX7QYgSzIw +WFv9zajmofxwvI6Sc9uXp3whrj3B9UiHbCe9nyV0gVWw93X2PaRka9ZP585ArQ/d +MtO8ihJTmMmJ+xAdTX7Nfh9WDSFwhfYggx/2uh8Ej+p3iDXE/+pOoYtNP2MbRMNE +1CV2yreN1x5KZmTNXMWcg+HCCIia7E6j8T4cLNlsHaFLAgMBAAGjgYowgYcwDwYD +VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBLyWj7qVhy/ +zQas8fElyalL1BSZMEUGA1UdJQQ+MDwGCCsGAQUFBwMCBggrBgEFBQcDAQYIKwYB +BQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkwDQYJKoZIhvcNAQEF +BQADggEBAHv25MANqhlHt01Xo/6tu7Fq1Q+e2+RjxY6hUFaTlrg4wCQiZrxTFGGV +v9DHKpY5P30osxBAIWrEr7BSdxjhlthWXePdNl4dp1BUoMUq5KqMlIpPnTX/dqQG +E5Gion0ARD9V04I8GtVbvFZMIi5GQ4okQC3zErg7cBqklrkar4dBGmoYDQZPxz5u +uSlNDUmJEYcyW+ZLBMjkXOZ0c5RdFpgTlf7727FE5TpwrDdr5rMzcijJs1eg9gIW +iAYLtqZLICjU3j2LrTcFU3T+bsy8QxdxXvnFzBqpYe73dgzzcvRyrc9yAjYHR8/v +GVCJYMzpJJUPwssd8m92kMfMdcGWxZ0= +-----END CERTIFICATE----- + +### Atos + +=== /CN=Atos TrustedRoot 2011/O=Atos/C=DE +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6643877497813316402 (0x5c33cb622c5fb332) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jul 7 14:58:30 2011 GMT + Not After : Dec 31 23:59:59 2030 GMT + Subject: CN=Atos TrustedRoot 2011, O=Atos, C=DE + X509v3 extensions: + X509v3 Subject Key Identifier: + A7:A5:06:B1:2C:A6:09:60:EE:D1:97:E9:70:AE:BC:3B:19:6C:DB:21 X509v3 Basic Constraints: critical CA:TRUE X509v3 Authority Key Identifier: - keyid:39:95:8B:62:8B:5C:C9:D4:80:BA:58:0F:97:3F:15:08:43:CC:98:A7 - DirName:/C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Qualified CA Root - serial:01 + keyid:A7:A5:06:B1:2C:A6:09:60:EE:D1:97:E9:70:AE:BC:3B:19:6C:DB:21 + + X509v3 Certificate Policies: + Policy: 1.3.6.1.4.1.6189.3.4.1.1 -SHA1 Fingerprint=4D:23:78:EC:91:95:39:B5:00:7F:75:8F:03:3B:21:1E:C5:4D:8B:CF -SHA256 
Fingerprint=80:95:21:08:05:DB:4B:BC:35:5E:44:28:D8:FD:6E:C2:CD:E3:AB:5F:B9:7A:99:42:98:8E:B8:F4:DC:D0:60:16 ------BEGIN CERTIFICATE----- -MIIEHjCCAwagAwIBAgIBATANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJTRTEU -MBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3 -b3JrMSMwIQYDVQQDExpBZGRUcnVzdCBRdWFsaWZpZWQgQ0EgUm9vdDAeFw0wMDA1 -MzAxMDQ0NTBaFw0yMDA1MzAxMDQ0NTBaMGcxCzAJBgNVBAYTAlNFMRQwEgYDVQQK -EwtBZGRUcnVzdCBBQjEdMBsGA1UECxMUQWRkVHJ1c3QgVFRQIE5ldHdvcmsxIzAh -BgNVBAMTGkFkZFRydXN0IFF1YWxpZmllZCBDQSBSb290MIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEA5B6a/twJWoekn0e+EV+vhDTbYjx5eLfpMLXsDBwq -xBb/4Oxx64r1EW7tTw2R0hIYLUkVAcKkIhPHEWT/IhKauY5cLwjPcWqzZwFZ8V1G -87B4pfYOQnrjfxvM0PC3KP0q6p6zsLkEqv32x7SxuCqg+1jxGaBvcCV+PmlKfw8i -2O+tCBGaKZnhqkRFmhJePp1tUvznoD1oL/BLcHwTOK28FSXx1s6rosAx1i+f4P8U -WfyEk9mHfExUE+uf0S0R+Bg6Ot4l2ffTQO2kBhLEO+GRwVY18BTcZTYJbqukB8c1 -0cIDMzZbdSZtQvESa0NvS3GU+jQd7RNuyoB/mC9suWXY6QIDAQABo4HUMIHRMB0G -A1UdDgQWBBQ5lYtii1zJ1IC6WA+XPxUIQ8yYpzALBgNVHQ8EBAMCAQYwDwYDVR0T -AQH/BAUwAwEB/zCBkQYDVR0jBIGJMIGGgBQ5lYtii1zJ1IC6WA+XPxUIQ8yYp6Fr -pGkwZzELMAkGA1UEBhMCU0UxFDASBgNVBAoTC0FkZFRydXN0IEFCMR0wGwYDVQQL -ExRBZGRUcnVzdCBUVFAgTmV0d29yazEjMCEGA1UEAxMaQWRkVHJ1c3QgUXVhbGlm -aWVkIENBIFJvb3SCAQEwDQYJKoZIhvcNAQEFBQADggEBABmrder4i2VhlRO6aQTv -hsoToMeqT2QbPxj2qC0sVY8FtzDqQmodwCVRLae/DLPt7wh/bDxGGuoYQ992zPlm -hpwsaPXpF/gxsxjE1kh9I0xowX67ARRvxdlu3rsEQmr49lx95dr6h+sNNVJn0J6X -dgWTP5XHAeZpVTh/EGGZyeNfpso+gmNIquIISD6q8rKFYqa0p9m9N5xotS1WfbC3 -P6CxB9bpT9zeRXEwMn8bLgn5v1Kh7sKAPgZcLlVAwRv1cEWw3F369nJad9Jjzc9Y -iQBCYz95OdBEsIJuQRno3eDBiFrRHnGTHyQwdOUeqN48Jzd/g66ed8/wMLH/S5no -xqE= + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +SHA1 Fingerprint=2B:B1:F5:3E:55:0C:1D:C5:F1:D4:E6:B7:6A:46:4B:55:06:02:AC:21 +SHA256 Fingerprint=F3:56:BE:A2:44:B7:A9:1E:B3:5D:53:CA:9A:D7:86:4A:CE:01:8E:2D:35:D5:F8:F9:6D:DF:68:A6:F4:1A:A4:74 +-----BEGIN CERTIFICATE----- +MIIDdzCCAl+gAwIBAgIIXDPLYixfszIwDQYJKoZIhvcNAQELBQAwPDEeMBwGA1UE 
+AwwVQXRvcyBUcnVzdGVkUm9vdCAyMDExMQ0wCwYDVQQKDARBdG9zMQswCQYDVQQG +EwJERTAeFw0xMTA3MDcxNDU4MzBaFw0zMDEyMzEyMzU5NTlaMDwxHjAcBgNVBAMM +FUF0b3MgVHJ1c3RlZFJvb3QgMjAxMTENMAsGA1UECgwEQXRvczELMAkGA1UEBhMC +REUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCVhTuXbyo7LjvPpvMp +Nb7PGKw+qtn4TaA+Gke5vJrf8v7MPkfoepbCJI419KkM/IL9bcFyYie96mvr54rM +VD6QUM+A1JX76LWC1BTFtqlVJVfbsVD2sGBkWXppzwO3bw2+yj5vdHLqqjAqc2K+ +SZFhyBH+DgMq92og3AIVDV4VavzjgsG1xZ1kCWyjWZgHJ8cblithdHFsQ/H3NYkQ +4J7sVaE3IqKHBAUsR320HLliKWYoyrfhk/WklAOZuXCFteZI6o1Q/NnezG8HDt0L +cp2AMBYHlT8oDv3FdU9T1nSatCQujgKRz3bFmx5VdJx4IbHwLfELn8LVlhgf8FQi +eowHAgMBAAGjfTB7MB0GA1UdDgQWBBSnpQaxLKYJYO7Rl+lwrrw7GWzbITAPBgNV +HRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFKelBrEspglg7tGX6XCuvDsZbNshMBgG +A1UdIAQRMA8wDQYLKwYBBAGwLQMEAQEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3 +DQEBCwUAA4IBAQAmdzTblEiGKkGdLD4GkGDEjKwLVLgfuXvTBznk+j57sj1O7Z8j +vZfza1zv7v1Apt+hk6EKhqzvINB5Ab149xnYJDE0BAGmuhWawyfc2E8PzBhj/5kP +DpFrdRbhIfzYJsdHt6bPWHJxfrrhTZVHO8mvbaG0weyJ9rQPOLXiZNwlz6bb65pc +maHFCN795trV1lpFDMS3wrUU77QR/w4VtfX128a961qn8FYiqTxlVMYVqL2Gns2D +lmh6cYGJ4Qvh6hEbaAjMaZ7snkGeRDImeuKHCnE96+RapNLbxc3G3mB/ufNPRJLv +KrcYPqcZ2Qt9sTdBQrC6YB3y/gkRsPCHe6ed -----END CERTIFICATE----- ### Baltimore 
@@ -240,6 +925,166 @@ ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp -----END CERTIFICATE----- +### Buypass AS-983163327 + +=== /C=NO/O=Buypass AS-983163327/CN=Buypass Class 2 Root CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Oct 26 08:38:03 2010 GMT + Not After : Oct 26 08:38:03 2040 GMT + Subject: C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 Root CA + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + C9:80:77:E0:62:92:82:F5:46:9C:F3:BA:F7:4C:C3:DE:B8:A3:AD:39 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign +SHA1 Fingerprint=49:0A:75:74:DE:87:0A:47:FE:58:EE:F6:C7:6B:EB:C6:0B:12:40:99 +SHA256 Fingerprint=9A:11:40:25:19:7C:5B:B9:5D:94:E6:3D:55:CD:43:79:08:47:B6:46:B2:3C:DF:11:AD:A4:A0:0E:FF:15:FB:48 +-----BEGIN CERTIFICATE----- +MIIFWTCCA0GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEd +MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3Mg +Q2xhc3MgMiBSb290IENBMB4XDTEwMTAyNjA4MzgwM1oXDTQwMTAyNjA4MzgwM1ow +TjELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MSAw +HgYDVQQDDBdCdXlwYXNzIENsYXNzIDIgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEB +BQADggIPADCCAgoCggIBANfHXvfBB9R3+0Mh9PT1aeTuMgHbo4Yf5FkNuud1g1Lr +6hxhFUi7HQfKjK6w3Jad6sNgkoaCKHOcVgb/S2TwDCo3SbXlzwx87vFKu3MwZfPV +L4O2fuPn9Z6rYPnT8Z2SdIrkHJasW4DptfQxh6NR/Md+oW+OU3fUl8FVM5I+GC91 +1K2GScuVr1QGbNgGE41b/+EmGVnAJLqBcXmQRFBoJJRfuLMR8SlBYaNByyM21cHx +MlAQTn/0hpPshNOOvEu/XAFOBz3cFIqUCqTqc/sLUegTBxj6DvEr0VQVfTzh97QZ +QmdiXnfgolXsttlpF9U6r0TtSsWe5HonfOV116rLJeffawrbD02TTqigzXsu8lkB +arcNuAeBfos4GzjmCleZPe4h6KP1DBbdi+w0jpwqHAAVF41og9JwnxgIzRFo1clr +Us3ERo/ctfPYV3Me6ZQ5BL/T3jjetFPsaRyifsSP5BtwrfKi+fv3FmRmaZ9JUaLi +FRhnBkp/1Wy1TbMz4GHrXb7pmA8y1x1LPC5aAVKRCfLf6o3YBkBjqhHk/sM3nhRS +P/TizPJhk9H9Z2vXUq6/aKtAQ6BXNVN48FP4YUIHZMbXb5tMOA1jrGKvNouicwoN 
+9SG9dKpN6nIDSdvHXx1iY8f93ZHsM+71bbRuMGjeyNYmsHVee7QHIJihdjK4TWxP +AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMmAd+BikoL1Rpzz +uvdMw964o605MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAU18h +9bqwOlI5LJKwbADJ784g7wbylp7ppHR/ehb8t/W2+xUbP6umwHJdELFx7rxP462s +A20ucS6vxOOto70MEae0/0qyexAQH6dXQbLArvQsWdZHEIjzIVEpMMpghq9Gqx3t +OluwlN5E40EIosHsHdb9T7bWR9AUC8rmyrV7d35BH16Dx7aMOZawP5aBQW9gkOLo ++fsicdl9sz1Gv7SEr5AcD48Saq/v7h56rgJKihcrdv6sVIkkLE8/trKnToyokZf7 +KcZ7XC25y2a2t6hbElGFtQl+Ynhw/qlqYLYdDnkM/crqJIByw5c/8nerQyIKx+u2 +DISCLIBrQYoIwOula9+ZEsuK1V6ADJHgJgg2SMX6OBE1/yWDLfJ6v9r9jv6ly0Us +H8SIU653DtmadsWOLB2jutXsMq7Aqqz30XpN69QH4kj3Io6wpJ9qzo6ysmD0oyLQ +I+uUWnpp3Q+/QFesa1lQ2aOZ4W7+jQF5JyMV3pKdewlNWudLSDBaGOYKbeaP4NK7 +5t98biGCwWg5TbSYWGZizEqQXsP6JwSxeRV0mcy+rSDeJmAc61ZRpqPq5KM/p/9h +3PFaTWwyI0PurKju7koSCTxdccK+efrCh2gdC/1cacwG0Jp9VJkqyTkaGa9LKkPz +Y11aWOIv4x3kqdbQCtCev9eBCfHJxyYNrJgWVqA= +-----END CERTIFICATE----- +=== /C=NO/O=Buypass AS-983163327/CN=Buypass Class 3 Root CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Oct 26 08:28:58 2010 GMT + Not After : Oct 26 08:28:58 2040 GMT + Subject: C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 Root CA + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 47:B8:CD:FF:E5:6F:EE:F8:B2:EC:2F:4E:0E:F9:25:B0:8E:3C:6B:C3 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign +SHA1 Fingerprint=DA:FA:F7:FA:66:84:EC:06:8F:14:50:BD:C7:C2:81:A5:BC:A9:64:57 +SHA256 Fingerprint=ED:F7:EB:BC:A2:7A:2A:38:4D:38:7B:7D:40:10:C6:66:E2:ED:B4:84:3E:4C:29:B4:AE:1D:5B:93:32:E6:B2:4D +-----BEGIN CERTIFICATE----- +MIIFWTCCA0GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEd +MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3Mg +Q2xhc3MgMyBSb290IENBMB4XDTEwMTAyNjA4Mjg1OFoXDTQwMTAyNjA4Mjg1OFow +TjELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MSAw 
+HgYDVQQDDBdCdXlwYXNzIENsYXNzIDMgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEB +BQADggIPADCCAgoCggIBAKXaCpUWUOOV8l6ddjEGMnqb8RB2uACatVI2zSRHsJ8Y +ZLya9vrVediQYkwiL944PdbgqOkcLNt4EemOaFEVcsfzM4fkoF0LXOBXByow9c3E +N3coTRiR5r/VUv1xLXA+58bEiuPwKAv0dpihi4dVsjoT/Lc+JzeOIuOoTyrvYLs9 +tznDDgFHmV0ST9tD+leh7fmdvhFHJlsTmKtdFoqwNxxXnUX/iJY2v7vKB3tvh2PX +0DJq1l1sDPGzbjniazEuOQAnFN44wOwZZoYS6J1yFhNkUsepNxz9gjDthBgd9K5c +/3ATAOux9TN6S9ZV+AWNS2mw9bMoNlwUxFFzTWsL8TQH2xc519woe2v1n/MuwU8X +KhDzzMro6/1rqy6any2CbgTUUgGTLT2G/H783+9CHaZr77kgxve9oKeV/afmiSTY +zIw0bOIjL9kSGiG5VZFvC5F5GQytQIgLcOJ60g7YaEi7ghM5EFjp2CoHxhLbWNvS +O1UQRwUVZ2J+GGOmRj8JDlQyXr8NYnon74Do29lLBlo3WiXQCBJ31G8JUJc9yB3D +34xFMFbG02SrZvPAXpacw8Tvw3xrizp5f7NJzz3iiZ+gMEuFuZyUJHmPfWupRWgP +K9Dx2hzLabjKSWJtyNBjYt1gD1iqj6G8BaVmos8bdrKEZLFMOVLAMLrwjEsCsLa3 +AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEe4zf/lb+74suwv +Tg75JbCOPGvDMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAACAj +QTUEkMJAYmDv4jVM1z+s4jSQuKFvdvoWFqRINyzpkMLyPPgKn9iB5btb2iUspKdV +cSQy9sgL8rxq+JOssgfCX5/bzMiKqr5qb+FJEMwx14C7u8jYog5kV+qi9cKpMRXS +IGrs/CIBKM+GuIAeqcwRpTzyFrNHnfzSgCHEy9BHcEGhyoMZCCxt8l13nIoUE9Q2 +HJLw5QY33KbmkJs4j1xrG0aGQ0JfPgEHU1RdZX33inOhmlRaHylDFCfChQ+1iHsa +O5S3HWCntZznKWlXWpuTekMwGwPXYshApqr8ZORK15FTAaggiG6cX0S5y2CBNOxv +033aSF/rtJC8LakcC6wc1aJoIIAE1vyxjy+7SjENSoYc6+I2KSb12tjE8nVhz36u +dmNKekBlk4f4HoCMhuWG1o8O/FMsYOgWYRqiPkN7zTlgVGr18okmAWiDSKIz6MkE +kbIRNBE+6tBDGR8Dk5AM/1E9V/RBbuHLoL7ryWPNbczk+DaqaJ3tvV2XcEQNtg41 +3OEMXbugUZTLfhbrES+jkkXITHHZvMmZUldGL1DPvTVp9D0VzgalLA8+9oG6lLvD +u79leNKGef9JOxqDDPDeeOzI8k1MGt6CKfjBWtrt7uYnXuhF0J0cUahoq0Tj0Itq +4/g7u9xN12TyUb7mqqta6THuBrxzvxNiCp/HuZc= +-----END CERTIFICATE----- + +### Certinomis + +=== /C=FR/O=Certinomis/OU=0002 433998903/CN=Certinomis - Root CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Oct 21 09:17:18 2013 GMT + Not After : Oct 21 09:17:18 2033 GMT + Subject: C=FR, O=Certinomis, OU=0002 433998903, 
CN=Certinomis - Root CA + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + EF:91:4C:F5:A5:C3:30:E8:2F:08:EA:D3:71:22:A4:92:68:78:74:D9 + X509v3 Authority Key Identifier: + keyid:EF:91:4C:F5:A5:C3:30:E8:2F:08:EA:D3:71:22:A4:92:68:78:74:D9 + +SHA1 Fingerprint=9D:70:BB:01:A5:A4:A0:18:11:2E:F7:1C:01:B9:32:C5:34:E7:88:A8 +SHA256 Fingerprint=2A:99:F5:BC:11:74:B7:3C:BB:1D:62:08:84:E0:1C:34:E5:1C:CB:39:78:DA:12:5F:0E:33:26:88:83:BF:41:58 +-----BEGIN CERTIFICATE----- +MIIFkjCCA3qgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJGUjET +MBEGA1UEChMKQ2VydGlub21pczEXMBUGA1UECxMOMDAwMiA0MzM5OTg5MDMxHTAb +BgNVBAMTFENlcnRpbm9taXMgLSBSb290IENBMB4XDTEzMTAyMTA5MTcxOFoXDTMz +MTAyMTA5MTcxOFowWjELMAkGA1UEBhMCRlIxEzARBgNVBAoTCkNlcnRpbm9taXMx +FzAVBgNVBAsTDjAwMDIgNDMzOTk4OTAzMR0wGwYDVQQDExRDZXJ0aW5vbWlzIC0g +Um9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANTMCQosP5L2 +fxSeC5yaah1AMGT9qt8OHgZbn1CF6s2Nq0Nn3rD6foCWnoR4kkjW4znuzuRZWJfl +LieY6pOod5tK8O90gC3rMB+12ceAnGInkYjwSond3IjmFPnVAy//ldu9n+ws+hQV +WZUKxkd8aRi5pwP5ynapz8dvtF4F/u7BUrJ1Mofs7SlmO/NKFoL21prbcpjp3vDF +TKWrteoB4owuZH9kb/2jJZOLyKIOSY008B/sWEUuNKqEUL3nskoTuLAPrjhdsKkb +5nPJWqHZZkCqqU2mNAKthH6yI8H7KsZn9DS2sJVqM09xRLWtwHkziOC/7aOgFLSc +CbAK42C++PhmiM1b8XcF4LVzbsF9Ri6OSyemzTUK/eVNfaoqoynHWmgE6OXWk6Ri +wsXm9E/G+Z8ajYJJGYrKWUM66A0ywfRMEwNvbqY/kXPLynNvEiCL7sCCeN5LLsJJ +wx3tFvYk9CcbXFcx3FXuqB5vbKziRcxXV4p1VxngtViZSTYxPDMBbRZKzbgqg4SG +m/lg0h9tkQPTYKbVPZrdd5A9NaSfD171UkRpucC63M9933zZxKyGIjK8e2uR73r4 +F2iw4lNVYC2vPsKD2NkJK/DAZNuHi5HMkesE/Xa0lZrmFAYb1TQdvtj/dBxThZng +WVJKYe2InmtJiUZ+IFrZ50rlau7SZRFDAgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIB +BjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTvkUz1pcMw6C8I6tNxIqSSaHh0 +2TAfBgNVHSMEGDAWgBTvkUz1pcMw6C8I6tNxIqSSaHh02TANBgkqhkiG9w0BAQsF +AAOCAgEAfj1U2iJdGlg+O1QnurrMyOMaauo++RLrVl89UM7g6kgmJs95Vn6RHJk/ +0KGRHCwPT5iVWVO90CLYiF2cN/z7ZMF4jIuaYAnq1fohX9B0ZedQxb8uuQsLrbWw 
+F6YSjNRieOpWauwK0kDDPAUwPk2Ut59KA9N9J0u2/kTO+hkzGm2kQtHdzMjI1xZS +g081lLMSVX3l4kLr5JyTCcBMWwerx20RoFAXlCOotQqSD7J6wWAsOMwaplv/8gzj +qh8c3LigkyfeY+N/IZ865Z764BNqdeuWXGKRlI5nU7aJ+BIJy29SWwNyhlCVCNSN +h4YVH5Uk2KRvms6knZtt0rJ2BobGVgjF6wnaNsIbW0G+YSrjcOa4pvi2WsS9Iff/ +ql+hbHY5ZtbqTFXhADObE5hjyW/QASAJN1LnDE8+zbz1X5YnpyACleAu6AdBBR8V +btaw5BngDwKTACdyxYvRVB9dSsNAl35VpnzBMwQUAR1JIGkLGZOdblgi90AMRgwj +Y/M50n92Uaf0yKHxDHYiI0ZSKS3io0EHVmmY0gUJvGnHWmHNj4FgFU2A3ZDifcRQ +8ow7bkrHxuaAKzyBvBGAFhAn1/DNP3nMcyrDflOR1m749fPH0FFNjkulW+YZFzvW +gQncItzujrnEj1PhZ7szuIgVRs/taTX/dQ1G885x4cVrhkIGuUE= +-----END CERTIFICATE----- + ### Certplus === /C=FR/O=Certplus/CN=Certplus Root CA G1 
@@ -370,176 +1215,173 @@ ltAS+DXSCHh6tlJw/W/uz7kRy1134ezpfgSN1sxvc0NXYKwzCkTsA18cgCSR5aiR VhKC9+Ar9NuuYS6JEI1rbLqzAr3VNsVINyPi8Fo3UjMXEuLRYE2+L0ER4/YXJQyL kcAbmXuZVg2v7tK8R1fjeUl7NIknJITesezpWE7+Tt9avkGtrAjFGA7v0lPubNCd EgETjdyAYveVqUSISnFOYFWe2yMZeVYHDD9jC1yw4r5+FfyUM1hBOHTE4Y+L3yas -H7WLO7dDWWuwJKZtkIvEcupdM5i3y95ee++U8Rs+yskhwcWYAqqi9lt3m/V+llU0 -HGdpwPFC40es/CgcZlUCAwEAAaOBjDCBiTAPBgNVHRMECDAGAQH/AgEKMAsGA1Ud -DwQEAwIBBjAdBgNVHQ4EFgQU43Mt38sOKAze3bOkynm4jrvoMIkwEQYJYIZIAYb4 -QgEBBAQDAgEGMDcGA1UdHwQwMC4wLKAqoCiGJmh0dHA6Ly93d3cuY2VydHBsdXMu -Y29tL0NSTC9jbGFzczIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCnVM+IRBnL39R/ -AN9WM2K191EBkOvDP9GIROkkXe/nFL0gt5o8AP5tn9uQ3Nf0YtaLcF3n5QRIqWh8 -yfFC82x/xXp8HVGIutIKPidd3i1RTtMTZGnkLuPT55sJmabglZvOGtd/vjzOUrMR -FcEPF80Du5wlFbqidon8BvEY0JNLDnyCt6X09l/+7UCmnYR0ObncHoUW2ikbhiMA -ybuJfm6AiB4vFLQDJKgybwOaRywwvlbGp0ICcBvqQNi6BQNwB6SW//1IMwrh3KWB -kJtN3X3n57LNXMhqlfil9o3EXXgIvnsG1knPGTZQIy4I5p4FTUcY1Rbpsda2ENW7 -l7+ijrRU ------END CERTIFICATE----- - -### Comodo CA Limited - -=== /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1 (0x1) - Signature Algorithm: sha1WithRSAEncryption - Validity - Not Before: Jan 1 00:00:00 2004 GMT - Not After : Dec 31 23:59:59 2028 GMT - Subject: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services - X509v3 extensions: - X509v3 Subject Key Identifier: - A0:11:0A:23:3E:96:F1:07:EC:E2:AF:29:EF:82:A5:7F:D0:30:A4:B4 - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 CRL Distribution Points: - - Full Name: - URI:http://crl.comodoca.com/AAACertificateServices.crl - - Full Name: - URI:http://crl.comodo.net/AAACertificateServices.crl - -SHA1 Fingerprint=D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49 -SHA256 Fingerprint=D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4 
------BEGIN CERTIFICATE----- -MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb -MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow -GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj -YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL -MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE -BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM -GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP -ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua -BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe -3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4 -YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR -rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm -ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU -oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF -MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v -QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t -b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF -AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q -GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz -Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2 -G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi -l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3 -smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg== +H7WLO7dDWWuwJKZtkIvEcupdM5i3y95ee++U8Rs+yskhwcWYAqqi9lt3m/V+llU0 +HGdpwPFC40es/CgcZlUCAwEAAaOBjDCBiTAPBgNVHRMECDAGAQH/AgEKMAsGA1Ud +DwQEAwIBBjAdBgNVHQ4EFgQU43Mt38sOKAze3bOkynm4jrvoMIkwEQYJYIZIAYb4 +QgEBBAQDAgEGMDcGA1UdHwQwMC4wLKAqoCiGJmh0dHA6Ly93d3cuY2VydHBsdXMu +Y29tL0NSTC9jbGFzczIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCnVM+IRBnL39R/ +AN9WM2K191EBkOvDP9GIROkkXe/nFL0gt5o8AP5tn9uQ3Nf0YtaLcF3n5QRIqWh8 +yfFC82x/xXp8HVGIutIKPidd3i1RTtMTZGnkLuPT55sJmabglZvOGtd/vjzOUrMR 
+FcEPF80Du5wlFbqidon8BvEY0JNLDnyCt6X09l/+7UCmnYR0ObncHoUW2ikbhiMA +ybuJfm6AiB4vFLQDJKgybwOaRywwvlbGp0ICcBvqQNi6BQNwB6SW//1IMwrh3KWB +kJtN3X3n57LNXMhqlfil9o3EXXgIvnsG1knPGTZQIy4I5p4FTUcY1Rbpsda2ENW7 +l7+ijrRU -----END CERTIFICATE----- -=== /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=Secure Certificate Services + +### certSIGN + +=== /C=RO/O=certSIGN/OU=certSIGN ROOT CA Certificate: Data: Version: 3 (0x2) - Serial Number: 1 (0x1) + Serial Number: 35210227249154 (0x200605167002) Signature Algorithm: sha1WithRSAEncryption Validity - Not Before: Jan 1 00:00:00 2004 GMT - Not After : Dec 31 23:59:59 2028 GMT - Subject: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=Secure Certificate Services + Not Before: Jul 4 17:20:04 2006 GMT + Not After : Jul 4 17:20:04 2031 GMT + Subject: C=RO, O=certSIGN, OU=certSIGN ROOT CA X509v3 extensions: - X509v3 Subject Key Identifier: - 3C:D8:93:88:C2:C0:82:09:CC:01:99:06:93:20:E9:9E:70:09:63:4F - X509v3 Key Usage: critical - Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE - X509v3 CRL Distribution Points: + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + E0:8C:9B:DB:25:49:B3:F1:7C:86:D6:B2:42:87:0B:D0:6B:A0:D9:E4 +SHA1 Fingerprint=FA:B7:EE:36:97:26:62:FB:2D:B0:2A:F6:BF:03:FD:E8:7C:4B:2F:9B +SHA256 Fingerprint=EA:A9:62:C4:FA:4A:6B:AF:EB:E4:15:19:6D:35:1C:CD:88:8D:4F:53:F3:FA:8A:E6:D7:C4:66:A9:4E:60:42:BB +-----BEGIN CERTIFICATE----- +MIIDODCCAiCgAwIBAgIGIAYFFnACMA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNVBAYT +AlJPMREwDwYDVQQKEwhjZXJ0U0lHTjEZMBcGA1UECxMQY2VydFNJR04gUk9PVCBD +QTAeFw0wNjA3MDQxNzIwMDRaFw0zMTA3MDQxNzIwMDRaMDsxCzAJBgNVBAYTAlJP +MREwDwYDVQQKEwhjZXJ0U0lHTjEZMBcGA1UECxMQY2VydFNJR04gUk9PVCBDQTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALczuX7IJUqOtdu0KBuqV5Do +0SLTZLrTk+jUrIZhQGpgV2hUhE28alQCBf/fm5oqrl0Hj0rDKH/v+yv6efHHrfAQ +UySQi2bJqIirr1qjAOm+ukbuW3N7LBeCgV5iLKECZbO9xSsAfsT8AzNXDe3i+s5d 
+RdY4zTW2ssHQnIFKquSyAVwdj1+ZxLGt24gh65AIgoDzMKND5pCCrlUoSe1b16kQ +OA7+j0xbm0bqQfWwCHTD0IgztnzXdN/chNFDDnU5oSVAKOp4yw4sLjmdjItuFhwv +JoIQ4uNllAoEwF73XVv4EOLQunpL+943AAAaWyjj0pxzPjKHmKHJUS/X3qwzs08C +AwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0O +BBYEFOCMm9slSbPxfIbWskKHC9BroNnkMA0GCSqGSIb3DQEBBQUAA4IBAQA+0hyJ +LjX8+HXd5n9liPRyTMks1zJO890ZeUe9jjtbkw9QSSQTaxQGcu8J06Gh40CEyecY +MnQ8SG4Pn0vU9x7Tk4ZkVJdjclDVVc/6IJMCopvDI5NOFlV2oHB5bc0hH88vLbwZ +44gx+FkagQnIl6Z0x2DEW8xXjrJ1/RsCCdtZb3KTafcxQdaIOL+Hsr0Wefmq5L6I +Jd1hJyMctTEHBDa0GpC9oHRxUIltvBTjD4au8as+x6AJzKNI0eDbZOeStc+vckNw +i/nDhDwTqn6Sm1dTk/pwwpEOMfmbZ13pljheX7NzTogVZ96edhBiIL5VaZVDADlN +9u6wWk5JRFRYX0KD +-----END CERTIFICATE----- - Full Name: - URI:http://crl.comodoca.com/SecureCertificateServices.crl +### China Financial Certification Authority - Full Name: - URI:http://crl.comodo.net/SecureCertificateServices.crl +=== /C=CN/O=China Financial Certification Authority/CN=CFCA EV ROOT +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 407555286 (0x184accd6) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Aug 8 03:07:01 2012 GMT + Not After : Dec 31 03:07:01 2029 GMT + Subject: C=CN, O=China Financial Certification Authority, CN=CFCA EV ROOT + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:E3:FE:2D:FD:28:D0:0B:B5:BA:B6:A2:C4:BF:06:AA:05:8C:93:FB:2F -SHA1 Fingerprint=4A:65:D5:F4:1D:EF:39:B8:B8:90:4A:4A:D3:64:81:33:CF:C7:A1:D1 -SHA256 Fingerprint=BD:81:CE:3B:4F:65:91:D1:1A:67:B5:FC:7A:47:FD:EF:25:52:1B:F9:AA:4E:18:B9:E3:DF:2E:34:A7:80:3B:E8 + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + E3:FE:2D:FD:28:D0:0B:B5:BA:B6:A2:C4:BF:06:AA:05:8C:93:FB:2F +SHA1 Fingerprint=E2:B8:29:4B:55:84:AB:6B:58:C2:90:46:6C:AC:3F:B8:39:8F:84:83 +SHA256 Fingerprint=5C:C3:D7:8E:4E:1D:5E:45:54:7A:04:E6:87:3E:64:F9:0C:F9:53:6D:1C:CC:2E:F8:00:F3:55:C4:C5:FD:70:FD -----BEGIN CERTIFICATE----- 
-MIIEPzCCAyegAwIBAgIBATANBgkqhkiG9w0BAQUFADB+MQswCQYDVQQGEwJHQjEb -MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow -GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEkMCIGA1UEAwwbU2VjdXJlIENlcnRp -ZmljYXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVow -fjELMAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G -A1UEBwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxJDAiBgNV -BAMMG1NlY3VyZSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAMBxM4KK0HDrc4eCQNUd5MvJDkKQ+d40uaG6EfQlhfPM -cm3ye5drswfxdySRXyWP9nQ95IDC+DwN879A6vfIUtFyb+/Iq0G4bi4XKpVpDM3S -HpR7LZQdqnXXs5jLrLxkU0C8j6ysNstcrbvd4JQX7NFc0L/vpZXJkMWwrPsbQ996 -CF23uPJAGysnnlDOXmWCiIxe004MeuoIkbY2qitC++rCoznl2yY4rYsK7hljxxwk -3wN42ubqwUcaCwtGCd0C/N7Lh1/XMGNooa7cMqG6vv5Eq2i2pRcV/b3Vp6ea5EQz -6YiO/O1R65NxTq0B50SOqy3LqP4BSUjwwN3HaNiS/j0CAwEAAaOBxzCBxDAdBgNV -HQ4EFgQUPNiTiMLAggnMAZkGkyDpnnAJY08wDgYDVR0PAQH/BAQDAgEGMA8GA1Ud -EwEB/wQFMAMBAf8wgYEGA1UdHwR6MHgwO6A5oDeGNWh0dHA6Ly9jcmwuY29tb2Rv -Y2EuY29tL1NlY3VyZUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDmgN6A1hjNodHRw -Oi8vY3JsLmNvbW9kby5uZXQvU2VjdXJlQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmww -DQYJKoZIhvcNAQEFBQADggEBAIcBbSMdflsXfcFhMs+P5/OKlFlm4J4oqF7Tt/Q0 -5qo5spcWxYJvMqTpjOev/e/C6LlLqqP05tqNZSH7uoDrJiiFGv45jN5bBAS0VPmj -Z55B+glSzAVIqMk/IQQezkhr/IXownuvf7fM+F86/TXGDe+X3EyrEeFryzHRbPtI -gKvcnDe4IRRLDXE97IMzbtFuMhbsmMcWi1mmNKsFVy2T96oTy9IT4rcuO81rUBcJ -aD61JlfutuC23bkpgHl9j6PwpCikFcSF9CfUa7/lXORlAnZUtOM3ZiTTGWHIUhDl -izeauan5Hb/qmZJhlv8BzaFfDbxxvA6sCx1HRR3B7Hzs/Sk= ------END CERTIFICATE----- -=== /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=Trusted Certificate Services +MIIFjTCCA3WgAwIBAgIEGErM1jANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJD +TjEwMC4GA1UECgwnQ2hpbmEgRmluYW5jaWFsIENlcnRpZmljYXRpb24gQXV0aG9y +aXR5MRUwEwYDVQQDDAxDRkNBIEVWIFJPT1QwHhcNMTIwODA4MDMwNzAxWhcNMjkx +MjMxMDMwNzAxWjBWMQswCQYDVQQGEwJDTjEwMC4GA1UECgwnQ2hpbmEgRmluYW5j +aWFsIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRUwEwYDVQQDDAxDRkNBIEVWIFJP 
+T1QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDXXWvNED8fBVnVBU03 +sQ7smCuOFR36k0sXgiFxEFLXUWRwFsJVaU2OFW2fvwwbwuCjZ9YMrM8irq93VCpL +TIpTUnrD7i7es3ElweldPe6hL6P3KjzJIx1qqx2hp/Hz7KDVRM8Vz3IvHWOX6Jn5 +/ZOkVIBMUtRSqy5J35DNuF++P96hyk0g1CXohClTt7GIH//62pCfCqktQT+x8Rgp +7hZZLDRJGqgG16iI0gNyejLi6mhNbiyWZXvKWfry4t3uMCz7zEasxGPrb382KzRz +EpR/38wmnvFyXVBlWY9ps4deMm/DGIq1lY+wejfeWkU7xzbh72fROdOXW3NiGUgt +hxwG+3SYIElz8AXSG7Ggo7cbcNOIabla1jj0Ytwli3i/+Oh+uFzJlU9fpy25IGvP +a931DfSCt/SyZi4QKPaXWnuWFo8BGS1sbn85WAZkgwGDg8NNkt0yxoekN+kWzqot +aK8KgWU6cMGbrU1tVMoqLUuFG7OA5nBFDWteNfB/O7ic5ARwiRIlk9oKmSJgamNg +TnYGmE69g60dWIolhdLHZR4tjsbftsbhf4oEIRUpdPA+nJCdDC7xij5aqgwJHsfV +PKPtl8MeNPo4+QgO48BdK4PRVmrJtqhUUy54Mmc9gn900PvhtgVguXDbjgv5E1hv +cWAQUhC5wUEJ73IfZzF4/5YFjQIDAQABo2MwYTAfBgNVHSMEGDAWgBTj/i39KNAL +tbq2osS/BqoFjJP7LzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAd +BgNVHQ4EFgQU4/4t/SjQC7W6tqLEvwaqBYyT+y8wDQYJKoZIhvcNAQELBQADggIB +ACXGumvrh8vegjmWPfBEp2uEcwPenStPuiB/vHiyz5ewG5zz13ku9Ui20vsXiObT +ej/tUxPQ4i9qecsAIyjmHjdXNYmEwnZPNDatZ8POQQaIxffu2Bq41gt/UP+TqhdL +jOztUmCypAbqTuv0axn96/Ua4CUqmtzHQTb3yHQFhDmVOdYLO6Qn+gjYXB74BGBS +ESgoA//vU2YApUo0FmZ8/Qmkrp5nGm9BC2sGE5uPhnEFtC+NiWYzKXZUmhH4J/qy +P5Hgzg0b8zAarb8iXRvTvyUFTeGSGn+ZnzxEk8rUQElsgIfXBDrDMlI1Dlb4pd19 +xIsNER9Tyx6yF7Zod1rg1MvIB671Oi6ON7fQAUtDKXeMOZePglr4UeWJoBjnaH9d +Ci77o0cOPaYjesYBx4/IXr9tgFa+iiS6M+qf4TIRnvHST4D2G0CvOJ4RUHlzEhLN +5mydLIhyPDCBBpEi6lmt2hkuIsKNuYyH4Ga8cyNfIWRjgEj1oDwYPZTISEEdQLpe +/v5WOaHIz16eGWRGENoXkbcFgKyLmZJ956LYBws2J+dIeWCKw9cTXPhyQN9Ky8+Z +AAoACxGV2lZFA4gKn2fQ1XmxqI1AbQ3CekD6819kR5LLU7m7Wc5P/dAVUwHY3+vZ +5nbv0CO7O6l5s9UCKc2Jo5YPSjXnTkLAdc0Hz+Ys63su +-----END CERTIFICATE----- + +### Chunghwa Telecom Co., Ltd. 
+ +=== /C=TW/O=Chunghwa Telecom Co., Ltd./OU=ePKI Root Certification Authority Certificate: Data: Version: 3 (0x2) - Serial Number: 1 (0x1) + Serial Number: + 15:c8:bd:65:47:5c:af:b8:97:00:5e:e4:06:d2:bc:9d Signature Algorithm: sha1WithRSAEncryption Validity - Not Before: Jan 1 00:00:00 2004 GMT - Not After : Dec 31 23:59:59 2028 GMT - Subject: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=Trusted Certificate Services + Not Before: Dec 20 02:31:27 2004 GMT + Not After : Dec 20 02:31:27 2034 GMT + Subject: C=TW, O=Chunghwa Telecom Co., Ltd., OU=ePKI Root Certification Authority X509v3 extensions: X509v3 Subject Key Identifier: - C5:7B:58:BD:ED:DA:25:69:D2:F7:59:16:A8:B3:32:C0:7B:27:5B:F4 - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Basic Constraints: critical + 1E:0C:F7:B6:67:F2:E1:92:26:09:45:C0:55:39:2E:77:3F:42:4A:A2 + X509v3 Basic Constraints: CA:TRUE - X509v3 CRL Distribution Points: - - Full Name: - URI:http://crl.comodoca.com/TrustedCertificateServices.crl - - Full Name: - URI:http://crl.comodo.net/TrustedCertificateServices.crl - -SHA1 Fingerprint=E1:9F:E3:0E:8B:84:60:9E:80:9B:17:0D:72:A8:C5:BA:6E:14:09:BD -SHA256 Fingerprint=3F:06:E5:56:81:D4:96:F5:BE:16:9E:B5:38:9F:9F:2B:8F:F6:1E:17:08:DF:68:81:72:48:49:CD:5D:27:CB:69 + setCext-hashedRoot: + 0/0-...0...+......0...g*.....E... +V|.[x....S..... 
+SHA1 Fingerprint=67:65:0D:F1:7E:8E:7E:5B:82:40:A4:F4:56:4B:CF:E2:3D:69:C6:F0 +SHA256 Fingerprint=C0:A6:F4:DC:63:A2:4B:FD:CF:54:EF:2A:6A:08:2A:0A:72:DE:35:80:3E:2F:F5:FF:52:7A:E5:D8:72:06:DF:D5 -----BEGIN CERTIFICATE----- -MIIEQzCCAyugAwIBAgIBATANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJHQjEb -MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow -GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDElMCMGA1UEAwwcVHJ1c3RlZCBDZXJ0 -aWZpY2F0ZSBTZXJ2aWNlczAeFw0wNDAxMDEwMDAwMDBaFw0yODEyMzEyMzU5NTla -MH8xCzAJBgNVBAYTAkdCMRswGQYDVQQIDBJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO -BgNVBAcMB1NhbGZvcmQxGjAYBgNVBAoMEUNvbW9kbyBDQSBMaW1pdGVkMSUwIwYD -VQQDDBxUcnVzdGVkIENlcnRpZmljYXRlIFNlcnZpY2VzMIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEA33FvNlhTWvI2VFeAxHQIIO0Yfyod5jWaHiWsnOWW -fnJSoBVC21ndZHoa0Lh73TkVvFVIxO06AOoxEbrycXQaZ7jPM8yoMa+j49d/vzMt -TGo87IvDktJTdyR0nAducPy9C1t2ul/y/9c3S0pgePfw+spwtOpZqqPOSC+pw7IL -fhdyFgymBwwbOM/JYrc/oJOlh0Hyt3BAd9i+FHzjqMB6juljatEPmsbS9Is6FARW -1O24zG71++IsWL1/T2sr92AkWCTOJu80kTrV44HQsvAEAtdbtz6SrGsSivnkBbA7 -kUlcsutT6vifR4buv5XAwAaf0lteERv0xwQ1KdJVXOTt6wIDAQABo4HJMIHGMB0G -A1UdDgQWBBTFe1i97doladL3WRaoszLAeydb9DAOBgNVHQ8BAf8EBAMCAQYwDwYD -VR0TAQH/BAUwAwEB/zCBgwYDVR0fBHwwejA8oDqgOIY2aHR0cDovL2NybC5jb21v -ZG9jYS5jb20vVHJ1c3RlZENlcnRpZmljYXRlU2VydmljZXMuY3JsMDqgOKA2hjRo -dHRwOi8vY3JsLmNvbW9kby5uZXQvVHJ1c3RlZENlcnRpZmljYXRlU2VydmljZXMu -Y3JsMA0GCSqGSIb3DQEBBQUAA4IBAQDIk4E7ibSvuIQSTI3S8NtwuleGFTQQuS9/ -HrCoiWChisJ3DFBKmwCL2Iv0QeLQg4pKHBQGsKNoBXAxMKdTmw7pSqBYaWcOrp32 -pSxBvzwGa+RZzG0Q8ZZvH9/0BAKkn0U+yNj6NkZEUD+Cl5EfKNsYEYwq5GWDVxIS -jBc/lDb+XbDABHcTuPQV1T84zJQ6VdCsmPW6AF/ghhmBeC8owH7TzEIK9a5QoNE+ -xqFx7D+gIIxmOom0jtTYsU0lR+4viMi14QVFwL4Ucd56/Y57fU0IlqUSc/Atyjcn -dBInTMu2l+nZrghtWjlA3QVHdWpaIbOjGM9O9y5Xt5hwXsjEeLBi +MIIFsDCCA5igAwIBAgIQFci9ZUdcr7iXAF7kBtK8nTANBgkqhkiG9w0BAQUFADBe +MQswCQYDVQQGEwJUVzEjMCEGA1UECgwaQ2h1bmdod2EgVGVsZWNvbSBDby4sIEx0 +ZC4xKjAoBgNVBAsMIWVQS0kgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe +Fw0wNDEyMjAwMjMxMjdaFw0zNDEyMjAwMjMxMjdaMF4xCzAJBgNVBAYTAlRXMSMw 
+IQYDVQQKDBpDaHVuZ2h3YSBUZWxlY29tIENvLiwgTHRkLjEqMCgGA1UECwwhZVBL +SSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkqhkiG9w0BAQEF +AAOCAg8AMIICCgKCAgEA4SUP7o3biDN1Z82tH306Tm2d0y8U82N0ywEhajfqhFAH +SyZbCUNsIZ5qyNUD9WBpj8zwIuQf5/dqIjG3LBXy4P4AakP/h2XGtRrBp0xtInAh +ijHyl3SJCRImHJ7K2RKilTza6We/CKBk49ZCt0Xvl/T29de1ShUCWH2YWEtgvM3X +DZoTM1PRYfl61dd4s5oz9wCGzh1NlDivqOx4UXCKXBCDUSH3ET00hl7lSM2XgYI1 +TBnsZfZrxQWh7kcT1rMhJ5QQCtkkO7q+RBNGMD+XPNjX12ruOzjjK9SXDrkb5wdJ +fzcq+Xd4z1TtW0ado4AOkUPB1ltfFLqfpo0kR0BZv3I4sjZsN/+Z0V0OWQqraffA +sgRFelQArr5T9rXn4fg8ozHSqf4hUmTFpmfwdQcGlBSBVcYn5AGPF8Fqcde+S/uU +WH1+ETOxQvdibBjWzwloPn9s9h6PYq2lY9sJpx8iQkEeb5mKPtf5P0B6ebClAZLS +nT0IFaUQAS2zMnaolQ2zepr7BxB4EW/hj8e6DyUadCrlHJhBmd8hh+iVBmoKs2pH +dmX2Os+PYhcZewoozRrSgx4hxyy/vv9haLdnG7t4TY3OZ+XkwY63I2binZB1NJip +NiuKmpS5nezMirH4JYlcWrYvjB9teSSnUmjDhDXiZo1jDiVN1Rmy5nk3pyKdVDEC +AwEAAaNqMGgwHQYDVR0OBBYEFB4M97Zn8uGSJglFwFU5Lnc/QkqiMAwGA1UdEwQF +MAMBAf8wOQYEZyoHAAQxMC8wLQIBADAJBgUrDgMCGgUAMAcGBWcqAwAABBRFsMLH +ClZ87lt4DJX5GFPBphzYEDANBgkqhkiG9w0BAQUFAAOCAgEACbODU1kBPpVJufGB +uvl2ICO1J2B01GqZNF5sAFPZn/KmsSQHRGoqxqWOeBLoR9lYGxMqXnmbnwoqZ6Yl +PwZpVnPDimZI+ymBV3QGypzqKOg4ZyYr8dW1P2WT+DZdjo2NQCCHGervJ8A9tDkP +JXtoUHRVnAxZfVo9QZQlUgjgRywVMRnVvwdVxrsStZf0X4OFunHB2WyBEXYKCrC/ +gpf36j36+uwtqSiUO1bd0lEursC9CBWMd1I0ltabrNMdjmEPNXubrjlpC2JgQCA2 +j6/7Nu4tCEoduL+bXPjqpRugc6bY+G7gMwRfaKonh+3ZwZCc7b3jajWvY9+rGNm6 +5ulK6lCKD2GTHuItGeIwlDWSXQ62B68ZgI9HkFFLLk3dheLSClIKF5r8GrBQAuUB +o2M3IUxExJtRmREOc5wGj1QupyheRDmHVi03vYVElOEMSyycw5KFNGHLD7ibSkNS +/jQ6fbjpKdx2qcgw+BRxgMYeNkh0IkFch4LoGHGLQYlE535YW6i4jRPpp2zDR+2z +Gp1iro2C6pSe3VkQw63d4k3jMdXH7OjysP6SHhYKGvzZ8/gntsm+HbRsZJB/9OTE +W9c3rkIO3aQab3yIVMUWbuF6aC74Or8NpDyJO3inTmODBCEIZ43ygknQW/2xzQ+D +hNQ+IIX3Sj0rnP0qCglN6oH4EZw= -----END CERTIFICATE----- ### COMODO CA Limited 
@@ -685,6 +1527,221 @@ QOhTsiedSrnAdyGN/4fy3ryM7xfft0kL0fJuMAsaDk527RH89elWsn2/x20Kk4yl NVOFBkpdn627G190 -----END CERTIFICATE----- +### Comodo CA Limited + +=== /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Jan 1 00:00:00 2004 GMT + Not After : Dec 31 23:59:59 2028 GMT + Subject: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services + X509v3 extensions: + X509v3 Subject Key Identifier: + A0:11:0A:23:3E:96:F1:07:EC:E2:AF:29:EF:82:A5:7F:D0:30:A4:B4 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 CRL Distribution Points: + + Full Name: + URI:http://crl.comodoca.com/AAACertificateServices.crl + + Full Name: + URI:http://crl.comodo.net/AAACertificateServices.crl + +SHA1 Fingerprint=D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49 +SHA256 Fingerprint=D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4 +-----BEGIN CERTIFICATE----- +MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb +MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow +GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj +YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL +MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE +BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM +GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua +BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe +3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4 +YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR +rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm 
+ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU +oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF +MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v +QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t +b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF +AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q +GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz +Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2 +G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi +l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3 +smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg== +-----END CERTIFICATE----- + +### Cybertrust, Inc + +=== /O=Cybertrust, Inc/CN=Cybertrust Global Root +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 04:00:00:00:00:01:0f:85:aa:2d:48 + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Dec 15 08:00:00 2006 GMT + Not After : Dec 15 08:00:00 2021 GMT + Subject: O=Cybertrust, Inc, CN=Cybertrust Global Root + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + B6:08:7B:0D:7A:CC:AC:20:4C:86:56:32:5E:CF:AB:6E:85:2D:70:57 + X509v3 CRL Distribution Points: + + Full Name: + URI:http://www2.public-trust.com/crl/ct/ctroot.crl + + X509v3 Authority Key Identifier: + keyid:B6:08:7B:0D:7A:CC:AC:20:4C:86:56:32:5E:CF:AB:6E:85:2D:70:57 + +SHA1 Fingerprint=5F:43:E5:B1:BF:F8:78:8C:AC:1C:C7:CA:4A:9A:C6:22:2B:CC:34:C6 +SHA256 Fingerprint=96:0A:DF:00:63:E9:63:56:75:0C:29:65:DD:0A:08:67:DA:0B:9C:BD:6E:77:71:4A:EA:FB:23:49:AB:39:3D:A3 +-----BEGIN CERTIFICATE----- +MIIDoTCCAomgAwIBAgILBAAAAAABD4WqLUgwDQYJKoZIhvcNAQEFBQAwOzEYMBYG +A1UEChMPQ3liZXJ0cnVzdCwgSW5jMR8wHQYDVQQDExZDeWJlcnRydXN0IEdsb2Jh +bCBSb290MB4XDTA2MTIxNTA4MDAwMFoXDTIxMTIxNTA4MDAwMFowOzEYMBYGA1UE +ChMPQ3liZXJ0cnVzdCwgSW5jMR8wHQYDVQQDExZDeWJlcnRydXN0IEdsb2JhbCBS 
+b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+Mi8vRRQZhP/8NN5 +7CPytxrHjoXxEnOmGaoQ25yiZXRadz5RfVb23CO21O1fWLE3TdVJDm71aofW0ozS +J8bi/zafmGWgE07GKmSb1ZASzxQG9Dvj1Ci+6A74q05IlG2OlTEQXO2iLb3VOm2y +HLtgwEZLAfVJrn5GitB0jaEMAs7u/OePuGtm839EAL9mJRQr3RAwHQeWP032a7iP +t3sMpTjr3kfb1V05/Iin89cqdPHoWqI7n1C6poxFNcJQZZXcY4Lv3b93TZxiyWNz +FtApD0mpSPCzqrdsxacwOUBdrsTiXSZT8M4cIwhhqJQZugRiQOwfOHB3EgZxpzAY +XSUnpQIDAQABo4GlMIGiMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/ +MB0GA1UdDgQWBBS2CHsNesysIEyGVjJez6tuhS1wVzA/BgNVHR8EODA2MDSgMqAw +hi5odHRwOi8vd3d3Mi5wdWJsaWMtdHJ1c3QuY29tL2NybC9jdC9jdHJvb3QuY3Js +MB8GA1UdIwQYMBaAFLYIew16zKwgTIZWMl7Pq26FLXBXMA0GCSqGSIb3DQEBBQUA +A4IBAQBW7wojoFROlZfJ+InaRcHUowAl9B8Tq7ejhVhpwjCt2BWKLePJzYFa+HMj +Wqd8BfP9IjsO0QbE2zZMcwSO5bAi5MXzLqXZI+O4Tkogp24CJJ8iYGd7ix1yCcUx +XOl5n4BHPa2hCwcUPUf/A2kaDAtE52Mlp3+yybh2hO0j9n0Hq0V+09+zv+mKts2o +omcrUtW3ZfA5TGOgkXmTUg9U3YO7n9GPp1Nzw8v/MOx8BLjYRB+TX3EJIrduPuoc +A06dGiBh+4E37F78CkWr1+cXVdCg6mCbpvbjjFspwgZgFJ0tl0ypkxWdYcQBX0jW +WL1WMRJOEcgh4LMRkWXbtKaIOM5V +-----END CERTIFICATE----- + +### D-Trust GmbH + +=== /C=DE/O=D-Trust GmbH/CN=D-TRUST Root Class 3 CA 2 2009 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 623603 (0x983f3) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Nov 5 08:35:58 2009 GMT + Not After : Nov 5 08:35:58 2029 GMT + Subject: C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 2009 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + FD:DA:14:C4:9F:30:DE:21:BD:1E:42:39:FC:AB:63:23:49:E0:F1:84 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 CRL Distribution Points: + + Full Name: + URI:ldap://directory.d-trust.net/CN=D-TRUST%20Root%20Class%203%20CA%202%202009,O=D-Trust%20GmbH,C=DE?certificaterevocationlist + + Full Name: + URI:http://www.d-trust.net/crl/d-trust_root_class_3_ca_2_2009.crl + +SHA1 Fingerprint=58:E8:AB:B0:36:15:33:FB:80:F7:9B:1B:6D:29:D3:FF:8D:5F:00:F0 +SHA256 
Fingerprint=49:E7:A4:42:AC:F0:EA:62:87:05:00:54:B5:25:64:B6:50:E4:F4:9E:42:E3:48:D6:AA:38:E0:39:E9:57:B1:C1 +-----BEGIN CERTIFICATE----- +MIIEMzCCAxugAwIBAgIDCYPzMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNVBAYTAkRF +MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxJzAlBgNVBAMMHkQtVFJVU1QgUm9vdCBD +bGFzcyAzIENBIDIgMjAwOTAeFw0wOTExMDUwODM1NThaFw0yOTExMDUwODM1NTha +ME0xCzAJBgNVBAYTAkRFMRUwEwYDVQQKDAxELVRydXN0IEdtYkgxJzAlBgNVBAMM +HkQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgMjAwOTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBANOySs96R+91myP6Oi/WUEWJNTrGa9v+2wBoqOADER03 +UAifTUpolDWzU9GUY6cgVq/eUXjsKj3zSEhQPgrfRlWLJ23DEE0NkVJD2IfgXU42 +tSHKXzlABF9bfsyjxiupQB7ZNoTWSPOSHjRGICTBpFGOShrvUD9pXRl/RcPHAY9R +ySPocq60vFYJfxLLHLGvKZAKyVXMD9O0Gu1HNVpK7ZxzBCHQqr0ME7UAyiZsxGsM +lFqVlNpQmvH/pStmMaTJOKDfHR+4CS7zp+hnUquVH+BGPtikw8paxTGA6Eian5Rp +/hnd2HN8gcqW3o7tszIFZYQ05ub9VxC1X3a/L7AQDcUCAwEAAaOCARowggEWMA8G +A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFP3aFMSfMN4hvR5COfyrYyNJ4PGEMA4G +A1UdDwEB/wQEAwIBBjCB0wYDVR0fBIHLMIHIMIGAoH6gfIZ6bGRhcDovL2RpcmVj +dG9yeS5kLXRydXN0Lm5ldC9DTj1ELVRSVVNUJTIwUm9vdCUyMENsYXNzJTIwMyUy +MENBJTIwMiUyMDIwMDksTz1ELVRydXN0JTIwR21iSCxDPURFP2NlcnRpZmljYXRl +cmV2b2NhdGlvbmxpc3QwQ6BBoD+GPWh0dHA6Ly93d3cuZC10cnVzdC5uZXQvY3Js +L2QtdHJ1c3Rfcm9vdF9jbGFzc18zX2NhXzJfMjAwOS5jcmwwDQYJKoZIhvcNAQEL +BQADggEBAH+X2zDI36ScfSF6gHDOFBJpiBSVYEQBrLLpME+bUMJm2H6NMLVwMeni +acfzcNsgFYbQDfC+rAF1hM5+n02/t2A7nPPKHeJeaNijnZflQGDSNiH+0LS4F9p0 +o3/U37CYAqxva2ssJSRyoWXuJVrl5jLn8t+rSfrzkGkj2wTZ51xY/GXUl77M/C4K +zCUqNQT4YJEVdT1B/yMfGchs64JTBKbkTCJNjYy6zltz7GRUUG3RnFX7acM2w4y8 +PIWmawomDeCTmGCufsYkl4phX5GOZpIJhzbNi5stPvZR1FDUWSi9g/LMKHtThm3Y +Johw1+qRzT65ysCQblrGXnRl11z+o+I= +-----END CERTIFICATE----- +=== /C=DE/O=D-Trust GmbH/CN=D-TRUST Root Class 3 CA 2 EV 2009 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 623604 (0x983f4) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Nov 5 08:50:46 2009 GMT + Not After : Nov 5 08:50:46 2029 GMT + Subject: C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 EV 2009 + 
X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + D3:94:8A:4C:62:13:2A:19:2E:CC:AF:72:8A:7D:36:D7:9A:1C:DC:67 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 CRL Distribution Points: + + Full Name: + URI:ldap://directory.d-trust.net/CN=D-TRUST%20Root%20Class%203%20CA%202%20EV%202009,O=D-Trust%20GmbH,C=DE?certificaterevocationlist + + Full Name: + URI:http://www.d-trust.net/crl/d-trust_root_class_3_ca_2_ev_2009.crl + +SHA1 Fingerprint=96:C9:1B:0B:95:B4:10:98:42:FA:D0:D8:22:79:FE:60:FA:B9:16:83 +SHA256 Fingerprint=EE:C5:49:6B:98:8C:E9:86:25:B9:34:09:2E:EC:29:08:BE:D0:B0:F3:16:C2:D4:73:0C:84:EA:F1:F3:D3:48:81 +-----BEGIN CERTIFICATE----- +MIIEQzCCAyugAwIBAgIDCYP0MA0GCSqGSIb3DQEBCwUAMFAxCzAJBgNVBAYTAkRF +MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNVBAMMIUQtVFJVU1QgUm9vdCBD +bGFzcyAzIENBIDIgRVYgMjAwOTAeFw0wOTExMDUwODUwNDZaFw0yOTExMDUwODUw +NDZaMFAxCzAJBgNVBAYTAkRFMRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNV +BAMMIUQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgRVYgMjAwOTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAJnxhDRwui+3MKCOvXwEz75ivJn9gpfSegpn +ljgJ9hBOlSJzmY3aFS3nBfwZcyK3jpgAvDw9rKFs+9Z5JUut8Mxk2og+KbgPCdM0 +3TP1YtHhzRnp7hhPTFiu4h7WDFsVWtg6uMQYZB7jM7K1iXdODL/ZlGsTl28So/6Z +qQTMFexgaDbtCHu39b+T7WYxg4zGcTSHThfqr4uRjRxWQa4iN1438h3Z0S0NL2lR +p75mpoo6Kr3HGrHhFPC+Oh25z1uxav60sUYgovseO3Dvk5h9jHOW8sXvhXCtKSb8 +HgQ+HKDYD8tSg2J87otTlZCpV6LqYQXY+U3EJ/pure3511H3a6UCAwEAAaOCASQw +ggEgMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNOUikxiEyoZLsyvcop9Ntea +HNxnMA4GA1UdDwEB/wQEAwIBBjCB3QYDVR0fBIHVMIHSMIGHoIGEoIGBhn9sZGFw +Oi8vZGlyZWN0b3J5LmQtdHJ1c3QubmV0L0NOPUQtVFJVU1QlMjBSb290JTIwQ2xh +c3MlMjAzJTIwQ0ElMjAyJTIwRVYlMjAyMDA5LE89RC1UcnVzdCUyMEdtYkgsQz1E +RT9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0MEagRKBChkBodHRwOi8vd3d3LmQt +dHJ1c3QubmV0L2NybC9kLXRydXN0X3Jvb3RfY2xhc3NfM19jYV8yX2V2XzIwMDku +Y3JsMA0GCSqGSIb3DQEBCwUAA4IBAQA07XtaPKSUiO8aEXUHL7P+PPoeUSbrh/Yp +3uDx1MYkCenBz1UbtDDZzhr+BlGmFaQt77JLvyAoJUnRpjZ3NOhk31KxEcdzes05 
+nsKtjHEh8lprr988TlWvsoRlFIm5d8sqMb7Po23Pb0iUMkZv53GMoKaEGTcH8gNF +CSuGdXzfX2lXANtu2KZyIktQ1HWYVt+3GP9DQ1CuekR78HlR10M9p9OB0/DJT7na +xpeG0ILD5EJt/rDiZE4OJudANCa1CInXCGNjOCd1HjPqbqjdn5lPdE2BiYBL3ZqX +KVwvvoFBuYz/6n1gBp7N1z3TLqMVvKjmJuVvw9y4AyHqnxbxLFS1 +-----END CERTIFICATE----- + ### Deutsche Telekom AG === /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2 
@@ -729,6 +1786,57 @@ xbrYNuSD7Odlt79jWvNGr4GUN9RBjNYj1h7P9WgbRGOiWrqnNVmh5XAFmw4jV5mU Cm26OWMohpLzGITY+9HPBVZkVw== -----END CERTIFICATE----- +### Dhimyotis + +=== /C=FR/O=Dhimyotis/CN=Certigna +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 18364802974209362175 (0xfedce3010fc948ff) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Jun 29 15:13:05 2007 GMT + Not After : Jun 29 15:13:05 2027 GMT + Subject: C=FR, O=Dhimyotis, CN=Certigna + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 1A:ED:FE:41:39:90:B4:24:59:BE:01:F2:52:D5:45:F6:5A:39:DC:11 + X509v3 Authority Key Identifier: + keyid:1A:ED:FE:41:39:90:B4:24:59:BE:01:F2:52:D5:45:F6:5A:39:DC:11 + DirName:/C=FR/O=Dhimyotis/CN=Certigna + serial:FE:DC:E3:01:0F:C9:48:FF + + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + Netscape Cert Type: + SSL CA, S/MIME CA, Object Signing CA +SHA1 Fingerprint=B1:2E:13:63:45:86:A4:6F:1A:B2:60:68:37:58:2D:C4:AC:FD:94:97 +SHA256 Fingerprint=E3:B6:A2:DB:2E:D7:CE:48:84:2F:7A:C5:32:41:C7:B7:1D:54:14:4B:FB:40:C1:1F:3F:1D:0B:42:F5:EE:A1:2D +-----BEGIN CERTIFICATE----- +MIIDqDCCApCgAwIBAgIJAP7c4wEPyUj/MA0GCSqGSIb3DQEBBQUAMDQxCzAJBgNV +BAYTAkZSMRIwEAYDVQQKDAlEaGlteW90aXMxETAPBgNVBAMMCENlcnRpZ25hMB4X +DTA3MDYyOTE1MTMwNVoXDTI3MDYyOTE1MTMwNVowNDELMAkGA1UEBhMCRlIxEjAQ +BgNVBAoMCURoaW15b3RpczERMA8GA1UEAwwIQ2VydGlnbmEwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDIaPHJ1tazNHUmgh7stL7qXOEm7RFHYeGifBZ4 +QCHkYJ5ayGPhxLGWkv8YbWkj4Sti993iNi+RB7lIzw7sebYs5zRLcAglozyHGxny +gQcPOJAZ0xH+hrTy0V4eHpbNgGzOOzGTtvKg0KmVEn2lmsxryIRWijOp5yIVUxbw +zBfsV1/pogqYCd7jX5xv3EjjhQsVWqa6n6xI4wmy9/Qy3l40vhx4XUJbzg4ij02Q +130yGLMLLGq/jj8UEYkgDncUtT2UCIf3JR7VsmAA7G8qKCVuKj4YYxclPz5EIBb2 +JsglrgVKtOdjLPOMFlN+XPsRGgjBRmKfIrjxwo1p3Po6WAbfAgMBAAGjgbwwgbkw +DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUGu3+QTmQtCRZvgHyUtVF9lo53BEw +ZAYDVR0jBF0wW4AUGu3+QTmQtCRZvgHyUtVF9lo53BGhOKQ2MDQxCzAJBgNVBAYT 
+AkZSMRIwEAYDVQQKDAlEaGlteW90aXMxETAPBgNVBAMMCENlcnRpZ25hggkA/tzj +AQ/JSP8wDgYDVR0PAQH/BAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIABzANBgkqhkiG +9w0BAQUFAAOCAQEAhQMeknH2Qq/ho2Ge6/PAD/Kl1NqV5ta+aDY9fm4fTIrv0Q8h +bV6lUmPOEvjvKtpv6zf+EwLHyzs+ImvaYS5/1HI93TDhHkxAGYwP15zRgzB7mFnc +fca5DClMoTOi62c6ZYTTluLtdkVwj7Ur3vkj1kluPBS1xp81HlDQwY9qcEQCYsuu +HWhBp6pX6FOqB9IG9tUUBguRA3UsbHK1YZWaDYu5Def131TN3ubY1gkIl2PlwS6w +t0QmwCbAr1UwnjvVNioZBPRcHv/PLLf/0P2HQBHVESO7SMAhqaQoLf0V+LBOK/Qw +WyH8EZE0vkHve52Xdf+XlcCWWC/qu0bXu+TZLg== +-----END CERTIFICATE----- + ### DigiCert Inc === /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA 
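Review bot: Nothing in this hunk ties the printed dump or the `SHA256 Fingerprint=` line to the base64 block below it. A PEM loader normally skips everything outside the BEGIN/END markers, so only the base64 becomes the trust anchor and the text above it is commentary. This applies to the Certigna entry added here and equally to the Disig, E-Tugra and FNMT-RCM entries added in the following hunks. Before merging, each fingerprint should be recomputed from the PEM block itself and compared with the upstream release or the CA's published value, rather than read off the text. The commit description gives only the version, so I would add a line such as `CA bundle taken unmodified from the libressl v2.7.4 release; fingerprints recomputed from the PEM blocks`.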
@@ -1074,100 +2182,161 @@ r/OSmbaz5mEP0oUA51Aa5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1 gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+ -----END CERTIFICATE----- -### Digital Signature Trust +### Digital Signature Trust Co. -=== /C=US/O=Digital Signature Trust/OU=DST ACES/CN=DST ACES CA X6 +=== /O=Digital Signature Trust Co./CN=DST Root CA X3 Certificate: Data: Version: 3 (0x2) Serial Number: - 0d:5e:99:0a:d6:9d:b7:78:ec:d8:07:56:3b:86:15:d9 + 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b Signature Algorithm: sha1WithRSAEncryption Validity - Not Before: Nov 20 21:19:58 2003 GMT - Not After : Nov 20 21:19:58 2017 GMT - Subject: C=US, O=Digital Signature Trust, OU=DST ACES, CN=DST ACES CA X6 + Not Before: Sep 30 21:12:19 2000 GMT + Not After : Sep 30 14:01:15 2021 GMT + Subject: O=Digital Signature Trust Co., CN=DST Root CA X3 X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical - Digital Signature, Non Repudiation, Certificate Sign, CRL Sign - X509v3 Subject Alternative Name: - email:pki-ops@trustdst.com - X509v3 Certificate Policies: - Policy: 2.16.840.1.101.3.2.1.1.1 - CPS: http://www.trustdst.com/certificates/policy/ACES-index.html - - X509v3 Subject Key Identifier: - 09:72:06:4E:18:43:0F:E5:D6:CC:C3:6A:8B:31:7B:78:8F:A8:83:B8 -SHA1 Fingerprint=40:54:DA:6F:1C:3F:40:74:AC:ED:0F:EC:CD:DB:79:D1:53:FB:90:1D -SHA256 Fingerprint=76:7C:95:5A:76:41:2C:89:AF:68:8E:90:A1:C7:0F:55:6C:FD:6B:60:25:DB:EA:10:41:6D:7E:B6:83:1F:8C:40 ------BEGIN CERTIFICATE----- -MIIECTCCAvGgAwIBAgIQDV6ZCtadt3js2AdWO4YV2TANBgkqhkiG9w0BAQUFADBb -MQswCQYDVQQGEwJVUzEgMB4GA1UEChMXRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3Qx -ETAPBgNVBAsTCERTVCBBQ0VTMRcwFQYDVQQDEw5EU1QgQUNFUyBDQSBYNjAeFw0w -MzExMjAyMTE5NThaFw0xNzExMjAyMTE5NThaMFsxCzAJBgNVBAYTAlVTMSAwHgYD -VQQKExdEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdDERMA8GA1UECxMIRFNUIEFDRVMx -FzAVBgNVBAMTDkRTVCBBQ0VTIENBIFg2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A -MIIBCgKCAQEAuT31LMmU3HWKlV1j6IR3dma5WZFcRt2SPp/5DgO0PWGSvSMmtWPu 
-ktKe1jzIDZBfZIGxqAgNTNj50wUoUrQBJcWVHAx+PhCEdc/BGZFjz+iokYi5Q1K7 -gLFViYsx+tC3dr5BPTCapCIlF3PoHuLTrCq9Wzgh1SpL11V94zpVvddtawJXa+ZH -fAjIgrrep4c9oW24MFbCswKBXy314powGCi4ZtPLAZZv6opFVdbgnf9nKxcCpk4a -ahELfrd755jWjHZvwTvbUJN+5dCOHze4vbrGn2zpfDPyMjwmR/onJALJfh1biEIT -ajV8fTXpLmaRcpPVMibEdPVTo7NdmvYJywIDAQABo4HIMIHFMA8GA1UdEwEB/wQF -MAMBAf8wDgYDVR0PAQH/BAQDAgHGMB8GA1UdEQQYMBaBFHBraS1vcHNAdHJ1c3Rk -c3QuY29tMGIGA1UdIARbMFkwVwYKYIZIAWUDAgEBATBJMEcGCCsGAQUFBwIBFjto -dHRwOi8vd3d3LnRydXN0ZHN0LmNvbS9jZXJ0aWZpY2F0ZXMvcG9saWN5L0FDRVMt -aW5kZXguaHRtbDAdBgNVHQ4EFgQUCXIGThhDD+XWzMNqizF7eI+og7gwDQYJKoZI -hvcNAQEFBQADggEBAKPYjtay284F5zLNAdMEA+V25FYrnJmQ6AgwbN99Pe7lv7Uk -QIRJ4dEorsTCOlMwiPH1d25Ryvr/ma8kXxug/fKshMrfqfBfBC6tFr8hlxCBPeP/ -h40y3JTlR4peahPJlJU90u7INJXQgNStMgiAVDzgvVJT11J8smk/f3rPanTK+gQq -nExaBqXpIK1FZg9p8d2/6eMyi/rgwYZNcjwu2JN4Cir42NInPRmJX1p7ijvMDNpR -rscL9yuwNwXsvFcj4jjSm2jzVhKIT0J8uDHEtdvkyCE06UgRNe76x5JXxZ805Mf2 -9w4LTJxoeHtxMcfrHuBnQfO3oKfN5XozNmr6mis= + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10 +SHA1 Fingerprint=DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13 +SHA256 Fingerprint=06:87:26:03:31:A7:24:03:D9:09:F1:05:E6:9B:CF:0D:32:E1:BD:24:93:FF:C6:D9:20:6D:11:BC:D6:77:07:39 +-----BEGIN CERTIFICATE----- +MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ +MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow +PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD +Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O +rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq +OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b +xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw +7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD 
+aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV +HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG +SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 +ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr +AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz +R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 +JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo +Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ -----END CERTIFICATE----- -### Digital Signature Trust Co. +### Disig a.s. -=== /O=Digital Signature Trust Co./CN=DST Root CA X3 +=== /C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig Root R2 Certificate: Data: Version: 3 (0x2) - Serial Number: - 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b - Signature Algorithm: sha1WithRSAEncryption + Serial Number: 10572350602393338211 (0x92b888dbb08ac163) + Signature Algorithm: sha256WithRSAEncryption Validity - Not Before: Sep 30 21:12:19 2000 GMT - Not After : Sep 30 14:01:15 2021 GMT - Subject: O=Digital Signature Trust Co., CN=DST Root CA X3 + Not Before: Jul 19 09:15:30 2012 GMT + Not After : Jul 19 09:15:30 2042 GMT + Subject: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R2 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + B5:99:F8:AF:B0:94:F5:E3:20:D6:0A:AD:CE:4E:56:A4:2E:6E:42:ED +SHA1 Fingerprint=B5:61:EB:EA:A4:DE:E4:25:4B:69:1A:98:A5:57:47:C2:34:C7:D9:71 +SHA256 Fingerprint=E2:3D:4A:03:6D:7B:70:E9:F5:95:B1:42:20:79:D2:B9:1E:DF:BB:1F:B6:51:A0:63:3E:AA:8A:9D:C5:F8:07:03 +-----BEGIN CERTIFICATE----- +MIIFaTCCA1GgAwIBAgIJAJK4iNuwisFjMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNV +BAYTAlNLMRMwEQYDVQQHEwpCcmF0aXNsYXZhMRMwEQYDVQQKEwpEaXNpZyBhLnMu +MRkwFwYDVQQDExBDQSBEaXNpZyBSb290IFIyMB4XDTEyMDcxOTA5MTUzMFoXDTQy +MDcxOTA5MTUzMFowUjELMAkGA1UEBhMCU0sxEzARBgNVBAcTCkJyYXRpc2xhdmEx 
+EzARBgNVBAoTCkRpc2lnIGEucy4xGTAXBgNVBAMTEENBIERpc2lnIFJvb3QgUjIw +ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCio8QACdaFXS1tFPbCw3Oe +NcJxVX6B+6tGUODBfEl45qt5WDza/3wcn9iXAng+a0EE6UG9vgMsRfYvZNSrXaNH +PWSb6WiaxswbP7q+sos0Ai6YVRn8jG+qX9pMzk0DIaPY0jSTVpbLTAwAFjxfGs3I +x2ymrdMxp7zo5eFm1tL7A7RBZckQrg4FY8aAamkw/dLukO8NJ9+flXP04SXabBbe +QTg06ov80egEFGEtQX6sx3dOy1FU+16SGBsEWmjGycT6txOgmLcRK7fWV8x8nhfR +yyX+hk4kLlYMeE2eARKmK6cBZW58Yh2EhN/qwGu1pSqVg8NTEQxzHQuyRpDRQjrO +QG6Vrf/GlK1ul4SOfW+eioANSW1z4nuSHsPzwfPrLgVv2RvPN3YEyLRa5Beny912 +H9AZdugsBbPWnDTYltxhh5EF5EQIM8HauQhl1K6yNg3ruji6DOWbnuuNZt2Zz9aJ +QfYEkoopKW1rOhzndX0CcQ7zwOe9yxndnWCywmZgtrEE7snmhrmaZkCo5xHtgUUD +i/ZnWejBBhG93c+AAk9lQHhcR1DIm+YfgXvkRKhbhZri3lrVx/k6RGZL5DJUfORs +nLMOPReisjQS1n6yqEm70XooQL6iFh/f5DcfEXP7kAplQ6INfPgGAVUzfbANuPT1 +rqVCV3w2EYx7XsQDnYx5nQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud +DwEB/wQEAwIBBjAdBgNVHQ4EFgQUtZn4r7CU9eMg1gqtzk5WpC5uQu0wDQYJKoZI +hvcNAQELBQADggIBACYGXnDnZTPIgm7ZnBc6G3pmsgH2eDtpXi/q/075KMOYKmFM +tCQSin1tERT3nLXK5ryeJ45MGcipvXrA1zYObYVybqjGom32+nNjf7xueQgcnYqf +GopTpti72TVVsRHFqQOzVju5hJMiXn7B9hJSi+osZ7z+Nkz1uM/Rs0mSO9MpDpkb +lvdhuDvEK7Z4bLQjb/D907JedR+Zlais9trhxTF7+9FGs9K8Z7RiVLoJ92Owk6Ka ++elSLotgEqv89WBW7xBci8QaQtyDW2QOy7W81k/BfDxujRNt+3vrMNDcTa/F1bal +TFtxyegxvug4BkihGuLq0t4SOVga/4AOgnXmt8kHbA7v/zjxmHHEt38OFdAlab0i +nSvtBfZGR6ztwPDUO+Ls7pZbkBNOHlY667DvlruWIxG68kOGdGSVyCh13x01utI3 +gzhTODY7z2zp+WsO0PsE6E9312UBeIYMej4hYvF/Y3EMyZ9E26gnonW+boE+18Dr +G5gPcFw0sorMwIUY6256s/daoQe/qUKS82Ail+QUoQebTnbAjn39pCXHR+3/H3Os +zMOl6W8KjptlwlCFtaOgUxLMVYdh84GuEEZhvUQhuMI9dM9+JDX6HAcOmz0iyu8x +L4ysEr3vQCj8KWefshNPZiTEUxnpHikV7+ZtsH8tZ/3zbBt1RqPlShfppNcL +-----END CERTIFICATE----- + +### E-Tu\U011Fra EBG Bili\U015Fim Teknolojileri ve Hizmetleri A.\U015E. 
+ +=== /C=TR/L=Ankara/O=E-Tu\xC4\x9Fra EBG Bili\xC5\x9Fim Teknolojileri ve Hizmetleri A.\xC5\x9E./OU=E-Tugra Sertifikasyon Merkezi/CN=E-Tugra Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7667447206703254355 (0x6a683e9c519bcb53) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Mar 5 12:09:48 2013 GMT + Not After : Mar 3 12:09:48 2023 GMT + Subject: C=TR, L=Ankara, O=E-Tu\xC4\x9Fra EBG Bili\xC5\x9Fim Teknolojileri ve Hizmetleri A.\xC5\x9E., OU=E-Tugra Sertifikasyon Merkezi, CN=E-Tugra Certification Authority X509v3 extensions: + X509v3 Subject Key Identifier: + 2E:E3:DB:B2:49:D0:9C:54:79:5C:FA:27:2A:FE:CC:4E:D2:E8:4E:54 X509v3 Basic Constraints: critical CA:TRUE + X509v3 Authority Key Identifier: + keyid:2E:E3:DB:B2:49:D0:9C:54:79:5C:FA:27:2A:FE:CC:4E:D2:E8:4E:54 + X509v3 Key Usage: critical Certificate Sign, CRL Sign - X509v3 Subject Key Identifier: - C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10 -SHA1 Fingerprint=DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13 -SHA256 Fingerprint=06:87:26:03:31:A7:24:03:D9:09:F1:05:E6:9B:CF:0D:32:E1:BD:24:93:FF:C6:D9:20:6D:11:BC:D6:77:07:39 +SHA1 Fingerprint=51:C6:E7:08:49:06:6E:F3:92:D4:5C:A0:0D:6D:A3:62:8F:C3:52:39 +SHA256 Fingerprint=B0:BF:D5:2B:B0:D7:D9:BD:92:BF:5D:4D:C1:3D:A2:55:C0:2C:54:2F:37:83:65:EA:89:39:11:F5:5E:55:F2:3C -----BEGIN CERTIFICATE----- -MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ -MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT -DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow -PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD -Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O -rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq -OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b -xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw 
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD -aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV -HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG -SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 -ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr -AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz -R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 -JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo -Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ +MIIGSzCCBDOgAwIBAgIIamg+nFGby1MwDQYJKoZIhvcNAQELBQAwgbIxCzAJBgNV +BAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+BgNVBAoMN0UtVHXEn3JhIEVCRyBC +aWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhpem1ldGxlcmkgQS7Fni4xJjAkBgNV +BAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBNZXJrZXppMSgwJgYDVQQDDB9FLVR1 +Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTEzMDMwNTEyMDk0OFoXDTIz +MDMwMzEyMDk0OFowgbIxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+ +BgNVBAoMN0UtVHXEn3JhIEVCRyBCaWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhp +em1ldGxlcmkgQS7Fni4xJjAkBgNVBAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBN +ZXJrZXppMSgwJgYDVQQDDB9FLVR1Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5 +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4vU/kwVRHoViVF56C/UY +B4Oufq9899SKa6VjQzm5S/fDxmSJPZQuVIBSOTkHS0vdhQd2h8y/L5VMzH2nPbxH +D5hw+IyFHnSOkm0bQNGZDbt1bsipa5rAhDGvykPL6ys06I+XawGb1Q5KCKpbknSF +Q9OArqGIW66z6l7LFpp3RMih9lRozt6Plyu6W0ACDGQXwLWTzeHxE2bODHnv0ZEo +q1+gElIwcxmOj+GMB6LDu0rw6h8VqO4lzKRG+Bsi77MOQ7osJLjFLFzUHPhdZL3D +k14opz8n8Y4e0ypQBaNV2cvnOVPAmJ6MVGKLJrD3fY185MaeZkJVgkfnsliNZvcH +fC425lAcP9tDJMW/hkd5s3kc91r0E+xs+D/iWR+V7kI+ua2oMoVJl0b+SzGPWsut +dEcf6ZG33ygEIqDUD13ieU/qbIWGvaimzuT6w+Gzrt48Ue7LE3wBf4QOXVGUnhMM +ti6lTPk5cDZvlsouDERVxcr6XQKj39ZkjFqzAQqptQpHF//vkUAqjqFGOjGY5RH8 +zLtJVor8udBhmm9lbObDyz51Sf6Pp+KJxWfXnUYTTjF2OySznhFlhqt/7x3U+Lzn +rFpct1pHXFXOVbQicVtbC/DP3KBhZOqp12gKY6fgDT+gr9Oq0n7vUaDmUStVkhUX +U8u3Zg5mTPj5dUyQ5xJwx0UCAwEAAaNjMGEwHQYDVR0OBBYEFC7j27JJ0JxUeVz6 
+Jyr+zE7S6E5UMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAULuPbsknQnFR5 +XPonKv7MTtLoTlQwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAF +Nzr0TbdF4kV1JI+2d1LoHNgQk2Xz8lkGpD4eKexd0dCrfOAKkEh47U6YA5n+KGCR +HTAduGN8qOY1tfrTYXbm1gdLymmasoR6d5NFFxWfJNCYExL/u6Au/U5Mh/jOXKqY +GwXgAEZKgoClM4so3O0409/lPun++1ndYYRP0lSWE2ETPo+Aab6TR7U1Q9Jauz1c +77NCR807VRMGsAnb/WP2OogKmW9+4c4bU2pEZiNRCHu8W1Ki/QY3OEBhj0qWuJA3 ++GbHeJAAFS6LrVE1Uweoa2iu+U48BybNCAVwzDk/dr2l02cmAYamU9JgO3xDf1WK +vJUawSg5TB9D0pH0clmKuVb8P7Sd2nCcdlqMQ1DujjByTd//SffGqWfZbawCEeI6 +FiWnWAjLb1NBnEg4R2gz0dfHj9R0IdTDBZB6/86WiLEVKV0jq9BgoRJP3vQXzTLl +yb/IQ639Lo7xr+L0mPoSHyDYwKcMhcWQ9DstliaxLL5Mq+ux0orJ23gTDx4JnW2P +AJ8C2sH6H3p6CcRK5ogql5+Ji/03X186zjhZhkuvcQu02PJwT58yE+Owp1fl2tpD +y4Q08ijE6m30Ku/Ba3ba+367hTzSU8JNvnHhRdH9I2cNE3X7z2VnIp2usAnRCf8d +NL/+I5c30jn6PQ0GC7TbO6Orb1wdtn7os4I07QZcJA== -----END CERTIFICATE----- ### Entrust, Inc. 
@@ -1355,6 +2524,65 @@ bYQLCIt+jerXmCHG8+c8eS9enNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/Er fF6adulZkMV8gzURZVE= -----END CERTIFICATE----- +### FNMT-RCM + +=== /C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 5d:93:8d:30:67:36:c8:06:1d:1a:c7:54:84:69:07 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Oct 29 15:59:56 2008 GMT + Not After : Jan 1 00:00:00 2030 GMT + Subject: C=ES, O=FNMT-RCM, OU=AC RAIZ FNMT-RCM + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + F7:7D:C5:FD:C4:E8:9A:1B:77:64:A7:F5:1D:A0:CC:BF:87:60:9A:6D + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + CPS: http://www.cert.fnmt.es/dpcs/ + +SHA1 Fingerprint=EC:50:35:07:B2:15:C4:95:62:19:E2:A8:9A:5B:42:99:2C:4C:2C:20 +SHA256 Fingerprint=EB:C5:57:0C:29:01:8C:4D:67:B1:AA:12:7B:AF:12:F7:03:B4:61:1E:BC:17:B7:DA:B5:57:38:94:17:9B:93:FA +-----BEGIN CERTIFICATE----- +MIIFgzCCA2ugAwIBAgIPXZONMGc2yAYdGsdUhGkHMA0GCSqGSIb3DQEBCwUAMDsx +CzAJBgNVBAYTAkVTMREwDwYDVQQKDAhGTk1ULVJDTTEZMBcGA1UECwwQQUMgUkFJ +WiBGTk1ULVJDTTAeFw0wODEwMjkxNTU5NTZaFw0zMDAxMDEwMDAwMDBaMDsxCzAJ +BgNVBAYTAkVTMREwDwYDVQQKDAhGTk1ULVJDTTEZMBcGA1UECwwQQUMgUkFJWiBG +Tk1ULVJDTTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALpxgHpMhm5/ +yBNtwMZ9HACXjywMI7sQmkCpGreHiPibVmr75nuOi5KOpyVdWRHbNi63URcfqQgf +BBckWKo3Shjf5TnUV/3XwSyRAZHiItQDwFj8d0fsjz50Q7qsNI1NOHZnjrDIbzAz +WHFctPVrbtQBULgTfmxKo0nRIBnuvMApGGWn3v7v3QqQIecaZ5JCEJhfTzC8PhxF +tBDXaEAUwED653cXeuYLj2VbPNmaUtu1vZ5Gzz3rkQUCwJaydkxNEJY7kvqcfw+Z +374jNUUeAlz+taibmSXaXvMiwzn15Cou08YfxGyqxRxqAQVKL9LFwag0Jl1mpdIC +IfkYtwb1TplvqKtMUejPUBjFd8g5CSxJkjKZqLsXF3mwWsXmo8RZZUc1g16p6DUL +mbvkzSDGm0oGObVo/CK67lWMK07q87Hj/LaZmtVC+nFNCM+HHmpxffnTtOmlcYF7 +wk5HlqX2doWjKI/pgG6BU6VtX7hI+cL5NqYuSf+4lsKMB7ObiFj86xsc3i1w4peS +MKGJ47xVqCfWS+2QrYv6YyVZLag13cqXM7zlzced0ezvXg5KkAYmY6252TUtB7p2 
+ZSysV4999AeU14ECll2jB0nVetBX+RvnU0Z1qrB5QstocQjpYL05ac70r8NWQMet +UqIJ5G+GR4of6ygnXYMgrwTJbFaai0b1AgMBAAGjgYMwgYAwDwYDVR0TAQH/BAUw +AwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPd9xf3E6Jobd2Sn9R2gzL+H +YJptMD4GA1UdIAQ3MDUwMwYEVR0gADArMCkGCCsGAQUFBwIBFh1odHRwOi8vd3d3 +LmNlcnQuZm5tdC5lcy9kcGNzLzANBgkqhkiG9w0BAQsFAAOCAgEAB5BK3/MjTvDD +nFFlm5wioooMhfNzKWtN/gHiqQxjAb8EZ6WdmF/9ARP67Jpi6Yb+tmLSbkyU+8B1 +RXxlDPiyN8+sD8+Nb/kZ94/sHvJwnvDKuO+3/3Y3dlv2bojzr2IyIpMNOmqOFGYM +LVN0V2Ue1bLdI4E7pWYjJ2cJj+F3qkPNZVEI7VFY/uY5+ctHhKQV8Xa7pO6kO8Rf +77IzlhEYt8llvhjho6Tc+hj507wTmzl6NLrTQfv6MooqtyuGC2mDOL7Nii4LcK2N +JpLuHvUBKwrZ1pebbuCoGRw6IYsMHkCtA+fdZn71uSANA+iW+YJF1DngoABd15jm +fZ5nc8OaKveri6E6FO80vFIOiZiaBECEHX5FaZNXzuvO+FB8TxxuBEOb+dY7Ixjp +6o7RTUaN8Tvkasq6+yO3m/qZASlaWFot4/nUbQ4mrcFuNLwy+AwF+mWj2zs3gyLp +1txyM/1d8iC9djwj2ij3+RvrWWTV3F9yfiD8zYm1kGdNYno/Tq0dwzn+evQoFt9B +9kiABdcPUXmsEKvU7ANm5mqwujGSQkBqvjrTcuFqN1W8rB2Vt2lh8kORdOag0wok +RqEIr9baRRmW1FMdW4R58MD3R++Lj8UGrp1MYp3/RgT408m2ECVAdf4WqslKYIYv +uu8wd+RU4riEmViAqhOLUTpPSPaLtrM= +-----END CERTIFICATE----- + ### GeoTrust Inc. === /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA 
@@ -1397,49 +2625,6 @@ PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un hw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV 5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw== -----END CERTIFICATE----- -=== /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA 2 -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1 (0x1) - Signature Algorithm: sha1WithRSAEncryption - Validity - Not Before: Mar 4 05:00:00 2004 GMT - Not After : Mar 4 05:00:00 2019 GMT - Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA 2 - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Subject Key Identifier: - 71:38:36:F2:02:31:53:47:2B:6E:BA:65:46:A9:10:15:58:20:05:09 - X509v3 Authority Key Identifier: - keyid:71:38:36:F2:02:31:53:47:2B:6E:BA:65:46:A9:10:15:58:20:05:09 - - X509v3 Key Usage: critical - Digital Signature, Certificate Sign, CRL Sign -SHA1 Fingerprint=A9:E9:78:08:14:37:58:88:F2:05:19:B0:6D:2B:0D:2B:60:16:90:7D -SHA256 Fingerprint=CA:2D:82:A0:86:77:07:2F:8A:B6:76:4F:F0:35:67:6C:FE:3E:5E:32:5E:01:21:72:DF:3F:92:09:6D:B7:9B:85 ------BEGIN CERTIFICATE----- -MIIDZjCCAk6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBEMQswCQYDVQQGEwJVUzEW -MBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UEAxMUR2VvVHJ1c3QgR2xvYmFs -IENBIDIwHhcNMDQwMzA0MDUwMDAwWhcNMTkwMzA0MDUwMDAwWjBEMQswCQYDVQQG -EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UEAxMUR2VvVHJ1c3Qg -R2xvYmFsIENBIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvPE1A -PRDfO1MA4Wf+lGAVPoWI8YkNkMgoI5kF6CsgncbzYEbYwbLVjDHZ3CB5JIG/NTL8 -Y2nbsSpr7iFY8gjpeMtvy/wWUsiRxP89c96xPqfCfWbB9X5SJBri1WeR0IIQ13hL -TytCOb1kLUCgsBDTOEhGiKEMuzozKmKY+wCdE1l/bztyqu6mD4b5BWHqZ38MN5aL -5mkWRxHCJ1kDs6ZgwiFAVvqgx306E+PsV8ez1q6diYD3Aecs9pYrEw15LNnA5IZ7 -S4wMcoKK+xfNAGw6EzywhIdLFnopsk/bHdQL82Y3vdj2V7teJHq4PIu5+pIaGoSe -2HSPqht/XvT+RSIhAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE -FHE4NvICMVNHK266ZUapEBVYIAUJMB8GA1UdIwQYMBaAFHE4NvICMVNHK266ZUap -EBVYIAUJMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQUFAAOCAQEAA/e1K6td 
-EPx7srJerJsOflN4WT5CBP51o62sgU7XAotexC3IUnbHLB/8gTKY0UvGkpMzNTEv -/NgdRN3ggX+d6YvhZJFiCzkIjKx0nVnZellSlxG5FntvRdOW2TF9AjYPnDtuzywN -A0ZF66D0f0hExghAzN4bcLUprbqLOzRldRtxIR0sFAqwlpW41uryZfspuk/qkZN0 -abby/+Ea0AzRdoXLiiW9l14sbxWZJue2Kf8i7MkCx1YAzUm5s2x7UwQa4qjJqhIF -I8LO57sEAszAR6LkxCkvW0VXiVHuPOtSCP8HNR6fNWpHSlaY0VqFH4z1Ir+rzoPz -4iIprn2DQKi6bA== ------END CERTIFICATE----- === /C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority Certificate: Data: 
@@ -1919,6 +3104,408 @@ LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI 4uJEvlz36hz1 -----END CERTIFICATE----- +### Government Root Certification Authority + +=== /C=TW/O=Government Root Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6 + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Dec 5 13:23:33 2002 GMT + Not After : Dec 5 13:23:33 2032 GMT + Subject: C=TW, O=Government Root Certification Authority + X509v3 extensions: + X509v3 Subject Key Identifier: + CC:CC:EF:CC:29:60:A4:3B:B1:92:B6:3C:FA:32:62:8F:AC:25:15:3B + X509v3 Basic Constraints: + CA:TRUE + setCext-hashedRoot: + 0/0-...0...+......0...g*........"...(6....2.1:.Qe +SHA1 Fingerprint=F4:8B:11:BF:DE:AB:BE:94:54:20:71:E6:41:DE:6B:BE:88:2B:40:B9 +SHA256 Fingerprint=76:00:29:5E:EF:E8:5B:9E:1F:D6:24:DB:76:06:2A:AA:AE:59:81:8A:54:D2:77:4C:D4:C0:B2:C0:11:31:E1:B3 +-----BEGIN CERTIFICATE----- +MIIFcjCCA1qgAwIBAgIQH51ZWtcvwgZEpYAIaeNe9jANBgkqhkiG9w0BAQUFADA/ +MQswCQYDVQQGEwJUVzEwMC4GA1UECgwnR292ZXJubWVudCBSb290IENlcnRpZmlj +YXRpb24gQXV0aG9yaXR5MB4XDTAyMTIwNTEzMjMzM1oXDTMyMTIwNTEzMjMzM1ow +PzELMAkGA1UEBhMCVFcxMDAuBgNVBAoMJ0dvdmVybm1lbnQgUm9vdCBDZXJ0aWZp +Y2F0aW9uIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB +AJoluOzMonWoe/fOW1mKydGGEghU7Jzy50b2iPN86aXfTEc2pBsBHH8eV4qNw8XR +IePaJD9IK/ufLqGU5ywck9G/GwGHU5nOp/UKIXZ3/6m3xnOUT0b3EEk3+qhZSV1q +gQdW8or5BtD3cCJNtLdBuTK4sfCxw5w/cP1T3YGq2GN49thTbqGsaoQkclSGxtKy +yhwOeYHWtXBiCAEuTk8O1RGvqa/lmr/czIdtJuTJV6L7lvnM4T9TjGxMfptTCAts +F/tnyMKtsc2AtJfcdgEWFelq16TheEfOhtX7MfP6Mb40qij7cEwdScevLJ1tZqa2 +jWR+tSBqnTuBto9AAGdLiYa4zGX+FVPpBMHWXx1E1wovJ5pGfaENda1UhhXcSTvx +ls4Pm6Dso3pdvtUqdULle96ltqqvKKyskKw4t9VoNSZ63Pc78/1Fm9G7Q3hub/FC +VGqY8A2tl+lSXunVanLeavcbYBT0peS2cWeqH+riTcFCQP5nRhc4L0c/cZyu5SHK +YS1tB6iEfC3uUSXxY5Ce/eFXiGvviiNtsea9P63RPZYLhY3Naye7twWb7LuRqQoH +EgKXTiCQ8P8NHuJBO9NAOueNXdpm5AKwB1KYXA6OM5zCppX7VRluTI6uSw+9wThN 
+Xo+EHWbNxWCWtFJaBYmOlXqYwZE8lSOyDvR5tMl8wUohAgMBAAGjajBoMB0GA1Ud +DgQWBBTMzO/MKWCkO7GStjz6MmKPrCUVOzAMBgNVHRMEBTADAQH/MDkGBGcqBwAE +MTAvMC0CAQAwCQYFKw4DAhoFADAHBgVnKgMAAAQUA5vwIhP/lSg209yewDL7MTqK +UWUwDQYJKoZIhvcNAQEFBQADggIBAECASvomyc5eMN1PhnR2WPWus4MzeKR6dBcZ +TulStbngCnRiqmjKeKBMmo4sIy7VahIkv9Ro04rQ2JyftB8M3jh+Vzj8jeJPXgyf +qzvS/3WXy6TjZwj/5cAWtUgBfen5Cv8b5Wppv3ghqMKnI6mGq3ZW6A4M9hPdKmaK +ZEk9GhiHkASfQlK3T8v+R0F2Ne//AHY2RTKbxkaFXeIksB7jSJaYV0eUVXoPQbFE +JPPB/hprv4j9wabak2BegUqZIJxIZhm1AHlUD7gsL0u8qV1bYH+Mh6XgUmMqvtg7 +hUAV/h62ZT/FS9p+tXo1KaMuephgIqP0fSdOLeq0dDzpD6QzDxARvBMB1uUO07+1 +EqLhRSPAzAhuYbeJq4PjJB7mXQfnHyA+z2fI56wwbSdLaG5LKlwCCDTb+HbkZ6Mm +nD+iMsJKxYEYMRBWqoTvLQr/uB930r+lWKBi5NdLkXWNiYCYfm3LU05er/ayl4WX +udpVBrkk7tfGOB5jGxI7leFYrPLfhNVfmS8NVVvmONsuP3LpSIXLuykTjx44Vbnz +ssQwmSNOXfJIoRIM3BKQCZBUkQM8R+XVyWXgt0t97EfTsws+rZ7QdAAO671RrcDe +LMDDav7v3Aun+kbfYNucpllQdSNpc5Oy+fwC00fmcc4QAu4njIT/rEUNE1yDMuAl +pYYsfPQS +-----END CERTIFICATE----- + +### GUANG DONG CERTIFICATE AUTHORITY CO.,LTD. 
+ +=== /C=CN/O=GUANG DONG CERTIFICATE AUTHORITY CO.,LTD./CN=GDCA TrustAUTH R5 ROOT +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 9009899650740120186 (0x7d0997fef047ea7a) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Nov 26 05:13:15 2014 GMT + Not After : Dec 31 15:59:59 2040 GMT + Subject: C=CN, O=GUANG DONG CERTIFICATE AUTHORITY CO.,LTD., CN=GDCA TrustAUTH R5 ROOT + X509v3 extensions: + X509v3 Subject Key Identifier: + E2:C9:40:9F:4D:CE:E8:9A:A1:7C:CF:0E:3F:65:C5:29:88:6A:19:51 + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +SHA1 Fingerprint=0F:36:38:5B:81:1A:25:C3:9B:31:4E:83:CA:E9:34:66:70:CC:74:B4 +SHA256 Fingerprint=BF:FF:8F:D0:44:33:48:7D:6A:8A:A6:0C:1A:29:76:7A:9F:C2:BB:B0:5E:42:0F:71:3A:13:B9:92:89:1D:38:93 +-----BEGIN CERTIFICATE----- +MIIFiDCCA3CgAwIBAgIIfQmX/vBH6nowDQYJKoZIhvcNAQELBQAwYjELMAkGA1UE +BhMCQ04xMjAwBgNVBAoMKUdVQU5HIERPTkcgQ0VSVElGSUNBVEUgQVVUSE9SSVRZ +IENPLixMVEQuMR8wHQYDVQQDDBZHRENBIFRydXN0QVVUSCBSNSBST09UMB4XDTE0 +MTEyNjA1MTMxNVoXDTQwMTIzMTE1NTk1OVowYjELMAkGA1UEBhMCQ04xMjAwBgNV +BAoMKUdVQU5HIERPTkcgQ0VSVElGSUNBVEUgQVVUSE9SSVRZIENPLixMVEQuMR8w +HQYDVQQDDBZHRENBIFRydXN0QVVUSCBSNSBST09UMIICIjANBgkqhkiG9w0BAQEF +AAOCAg8AMIICCgKCAgEA2aMW8Mh0dHeb7zMNOwZ+Vfy1YI92hhJCfVZmPoiC7XJj +Dp6L3TQsAlFRwxn9WVSEyfFrs0yw6ehGXTjGoqcuEVe6ghWinI9tsJlKCvLriXBj +TnnEt1u9ol2x8kECK62pOqPseQrsXzrj/e+APK00mxqriCZ7VqKChh/rNYmDf1+u +KU49tm7srsHwJ5uu4/Ts765/94Y9cnrrpftZTqfrlYwiOXnhLQiPzLyRuEH3FMEj +qcOtmkVEs7LXLM3GKeJQEK5cy4KOFxg2fZfmiJqwTTQJ9Cy5WmYqsBebnh52nUpm +MUHfP/vFBu8btn4aRjb3ZGM74zkYI+dndRTVdVeSN72+ahsmUPI2JgaQxXABZG12 +ZuGR224HwGGALrIuL4xwp9E7PLOR5G62xDtw8mySlwnNR30YwPO7ng/Wi64HtloP +zgsMR6flPri9fcebNaBhlzpBdRfMK5Z3KpIhHtmVdiBnaM8Nvd/WHwlqmuLMc3Gk +L30SgLdTMEZeS1SZD2fJpcjyIMGC7J0R38IC+xo70e0gmu9lZJIQDSri3nDxGGeC +jGHeuLzRL5z7D9Ar7Rt2ueQ5Vfj4oR24qoAATILnsn8JuLwwoC8N9VKejveSswoA +HQBUlwbgsQfZxw9cZX08bVlX5O2ljelAU58VS6Bx9hoh49pwBiFYFIeFd3mqgnkC 
+AwEAAaNCMEAwHQYDVR0OBBYEFOLJQJ9NzuiaoXzPDj9lxSmIahlRMA8GA1UdEwEB +/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQDRSVfg +p8xoWLoBDysZzY2wYUWsEe1jUGn4H3++Fo/9nesLqjJHdtJnJO29fDMylyrHBYZm +DRd9FBUb1Ov9H5r2XpdptxolpAqzkT9fNqyL7FeoPueBihhXOYV0GkLH6VsTX4/5 +COmSdI31R9KrO9b7eGZONn356ZLpBN79SWP8bfsUcZNnL0dKt7n/HipzcEYwv1ry +L3ml4Y0M2fmyYzeMN2WFcGpcWwlyua1jPLHd+PwyvzeG5LuOmCd+uh8W4XAR8gPf +JWIyJyYYMoSf/wA6E7qaTfRPuBRwIrHKK5DOKcFw9C+df/KQHtZa37dG/OaG+svg +IHZ6uqbL9XzeYqWxi+7egmaKTjowHz+Ay60nugxe19CxVsp3cbK1daFQqUBDF8Io +2c9Si1vIY9RCPqAzekYu9wogRlR+ak8x8YF+QnQ4ZXMn7sZ8uI7XpTrXmKGcjBBV +09tL7ECQ8s1uV9JiDnxXk7Gnbc2dg7sq5+W2O3FYrf3RRbxake5TFW/TRQl1brqQ +XR4EzzffHqhmsYzmIGrv/EhOdJhCrylvLmrH+33RZjEizIYAfmaDDEL0vTSSwxrq +T8p+ck0LcIymSLumoRT2+1hEmRSuqguTaaApJUqlyyvdimYHFngVV3Eb7PVHhPOe +MTd61X8kreS8/f3MboPoDKi3QWwH3b08hpcv0g== +-----END CERTIFICATE----- + +### Hellenic Academic and Research Institutions Cert. Authority + +=== /C=GR/L=Athens/O=Hellenic Academic and Research Institutions Cert. Authority/CN=Hellenic Academic and Research Institutions ECC RootCA 2015 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: ecdsa-with-SHA256 + Validity + Not Before: Jul 7 10:37:12 2015 GMT + Not After : Jun 30 10:37:12 2040 GMT + Subject: C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. 
Authority, CN=Hellenic Academic and Research Institutions ECC RootCA 2015 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + B4:22:0B:82:99:24:01:0E:9C:BB:E4:0E:FD:BF:FB:97:20:93:99:2A +SHA1 Fingerprint=9F:F1:71:8D:92:D5:9A:F3:7D:74:97:B4:BC:6F:84:68:0B:BA:B6:66 +SHA256 Fingerprint=44:B5:45:AA:8A:25:E6:5A:73:CA:15:DC:27:FC:36:D2:4C:1C:B9:95:3A:06:65:39:B1:15:82:DC:48:7B:48:33 +-----BEGIN CERTIFICATE----- +MIICwzCCAkqgAwIBAgIBADAKBggqhkjOPQQDAjCBqjELMAkGA1UEBhMCR1IxDzAN +BgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJl +c2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkxRDBCBgNVBAMTO0hl +bGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgRUNDIFJv +b3RDQSAyMDE1MB4XDTE1MDcwNzEwMzcxMloXDTQwMDYzMDEwMzcxMlowgaoxCzAJ +BgNVBAYTAkdSMQ8wDQYDVQQHEwZBdGhlbnMxRDBCBgNVBAoTO0hlbGxlbmljIEFj +YWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgQ2VydC4gQXV0aG9yaXR5 +MUQwQgYDVQQDEztIZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0 +dXRpb25zIEVDQyBSb290Q0EgMjAxNTB2MBAGByqGSM49AgEGBSuBBAAiA2IABJKg +QehLgoRc4vgxEZmGZE4JJS+dQS8KrjVPdJWyUWRrjWvmP3CV8AVER6ZyOFB2lQJa +jq4onvktTpnvLEhvTCUp6NFxW98dwXU3tNf6e3pCnGoKVlp8aQuqgAkkbH7BRqNC +MEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFLQi +C4KZJAEOnLvkDv2/+5cgk5kqMAoGCCqGSM49BAMCA2cAMGQCMGfOFmI4oqxiRaep +lSTAGiecMjvAwNW6qef4BENThe5SId6d9SWDPp5YSy/XZxMOIQIwBeF1Ad5o7Sof +TUwJCA3sS61kFyjndc5FZXIhF8siQQ6ME5g4mlRtm8rifOoCWCKR +-----END CERTIFICATE----- +=== /C=GR/L=Athens/O=Hellenic Academic and Research Institutions Cert. Authority/CN=Hellenic Academic and Research Institutions RootCA 2015 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jul 7 10:11:21 2015 GMT + Not After : Jun 30 10:11:21 2040 GMT + Subject: C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. 
Authority, CN=Hellenic Academic and Research Institutions RootCA 2015 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 71:15:67:C8:C8:C9:BD:75:5D:72:D0:38:18:6A:9D:F3:71:24:54:0B +SHA1 Fingerprint=01:0C:06:95:A6:98:19:14:FF:BF:5F:C6:B0:B6:95:EA:29:E9:12:A6 +SHA256 Fingerprint=A0:40:92:9A:02:CE:53:B4:AC:F4:F2:FF:C6:98:1C:E4:49:6F:75:5E:6D:45:FE:0B:2A:69:2B:CD:52:52:3F:36 +-----BEGIN CERTIFICATE----- +MIIGCzCCA/OgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBpjELMAkGA1UEBhMCR1Ix +DzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNhZGVtaWMgYW5k +IFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkxQDA+BgNVBAMT +N0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgUm9v +dENBIDIwMTUwHhcNMTUwNzA3MTAxMTIxWhcNNDAwNjMwMTAxMTIxWjCBpjELMAkG +A1UEBhMCR1IxDzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNh +ZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkx +QDA+BgNVBAMTN0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1 +dGlvbnMgUm9vdENBIDIwMTUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC +AQDC+Kk/G4n8PDwEXT2QNrCROnk8ZlrvbTkBSRq0t89/TSNTt5AA4xMqKKYx8ZEA +4yjsriFBzh/a/X0SWwGDD7mwX5nh8hKDgE0GPt+sr+ehiGsxr/CL0BgzuNtFajT0 +AoAkKAoCFZVedioNmToUW/bLy1O8E00BiDeUJRtCvCLYjqOWXjrZMts+6PAQZe10 +4S+nfK8nNLspfZu2zwnI5dMK/IhlZXQK3HMcXM1AsRzUtoSMTFDPaI6oWa7CJ06C +ojXdFPQf/7J31Ycvqm59JCfnxssm5uX+Zwdj2EUN3TpZZTlYepKZcj2chF6IIbjV +9Cz82XBST3i4vTwri5WY9bPRaM8gFH5MXF/ni+X1NYEZN9cRCLdmvtNKzoNXADrD +gfgXy5I2XdGj2HUb4Ysn6npIQf1FGQatJ5lOwXBH3bWfgVMS5bGMSF0xQxfjjMZ6 +Y5ZLKTBOhE5iGV48zpeQpX8B653g+IuJ3SWYPZK2fu/Z8VFRfS0myGlZYeCsargq +NhEEelC9MoS+L9xy1dcdFkfkR2YgP/SWxa+OAXqlD3pk9Q0Yh9muiNX6hME6wGko +LfINaFGq46V3xqSQDqE3izEjR8EJCOtu93ib14L8hCCZSRm2Ekax+0VVFqmjZayc +Bw/qa9wfLgZy7IaIEuQt218FL+TwA9MmM+eAws1CoRc0CwIDAQABo0IwQDAPBgNV +HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUcRVnyMjJvXVd +ctA4GGqd83EkVAswDQYJKoZIhvcNAQELBQADggIBAHW7bVRLqhBYRjTyYtcWNl0I 
+XtVsyIe9tC5G8jH4fOpCtZMWVdyhDBKg2mF+D1hYc2Ryx+hFjtyp8iY/xnmMsVMI +M4GwVhO+5lFc2JsKT0ucVlMC6U/2DWDqTUJV6HwbISHTGzrMd/K4kPFox/la/vot +9L/J9UUbzjgQKjeKeaO04wlshYaT/4mWJ3iBj2fjRnRUjtkNaeJK9E10A/+yd+2V +Z5fkscWrv2oj6NSU4kQoYsRL4vDY4ilrGnB+JGGTe08DMiUNRSQrlrRGar9KC/ea +j8GsGsVn82800vpzY4zvFrCopEYq+OsS7HK07/grfoxSwIuEVPkvPuNVqNxmsdnh +X9izjFk0WaSrT2y7HxjbdavYy5LNlDhhDgcGH0tGEPEVvo2FXDtKK4F5D7Rpn0lQ +l033DlZdwJVqwjbDG2jJ9SrcR5q+ss7FJej6A7na+RZukYT1HCjI/CbM1xyQVqdf +bzoEvM14iQuODy+jqk+iGxI9FghAD/FGTNeqewjBCvVtJ94Cj8rDtSvK6evIIVM4 +pcw72Hc3MKJP2W/R8kCtQXoXxdZKNYm3QdV8hn9VTYNKpXMgwDqvkPGaJI7ZjnHK +e7iG2rKPmT4dEw0SEe7Uq/DpFXYC5ODfqiAeW2GFZECpkJcNrVPSWh2HagCXZWK0 +vm9qp/UsQu0yrbYhnr68 +-----END CERTIFICATE----- +=== /C=GR/O=Hellenic Academic and Research Institutions Cert. Authority/CN=Hellenic Academic and Research Institutions RootCA 2011 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Dec 6 13:49:52 2011 GMT + Not After : Dec 1 13:49:52 2031 GMT + Subject: C=GR, O=Hellenic Academic and Research Institutions Cert. 
Authority, CN=Hellenic Academic and Research Institutions RootCA 2011 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + A6:91:42:FD:13:61:4A:23:9E:08:A4:29:E5:D8:13:04:23:EE:41:25 + X509v3 Name Constraints: + Permitted: + DNS:.gr + DNS:.eu + DNS:.edu + DNS:.org + email:.gr + email:.eu + email:.edu + email:.org + +SHA1 Fingerprint=FE:45:65:9B:79:03:5B:98:A1:61:B5:51:2E:AC:DA:58:09:48:22:4D +SHA256 Fingerprint=BC:10:4F:15:A4:8B:E7:09:DC:A5:42:A7:E1:D4:B9:DF:6F:05:45:27:E8:02:EA:A9:2D:59:54:44:25:8A:FE:71 +-----BEGIN CERTIFICATE----- +MIIEMTCCAxmgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBlTELMAkGA1UEBhMCR1Ix +RDBCBgNVBAoTO0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1 +dGlvbnMgQ2VydC4gQXV0aG9yaXR5MUAwPgYDVQQDEzdIZWxsZW5pYyBBY2FkZW1p +YyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRpb25zIFJvb3RDQSAyMDExMB4XDTExMTIw +NjEzNDk1MloXDTMxMTIwMTEzNDk1MlowgZUxCzAJBgNVBAYTAkdSMUQwQgYDVQQK +EztIZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRpb25zIENl +cnQuIEF1dGhvcml0eTFAMD4GA1UEAxM3SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJl +c2VhcmNoIEluc3RpdHV0aW9ucyBSb290Q0EgMjAxMTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAKlTAOMupvaO+mDYLZU++CwqVE7NuYRhlFhPjz2L5EPz +dYmNUeTDN9KKiE15HrcS3UN4SoqS5tdI1Q+kOilENbgH9mgdVc04UfCMJDGFr4PJ +fel3r+0ae50X+bOdOFAPplp5kYCvN66m0zH7tSYJnTxa71HFK9+WXesyHgLacEns +bgzImjeN9/E2YEsmLIKe0HjzDQ9jpFEw4fkrJxIH2Oq9GGKYsFk3fb7u8yBRQlqD +75O6aRXxYp2fmTmCobd0LovUxQt7L/DICto9eQqakxylKHJzkUOap9FNhYS5qXSP +FEDH3N6sQWRstBmbAmNtJGSPRLIl6s5ddAxjMlyNh+UCAwEAAaOBiTCBhjAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUppFC/RNhSiOeCKQp +5dgTBCPuQSUwRwYDVR0eBEAwPqA8MAWCAy5ncjAFggMuZXUwBoIELmVkdTAGggQu +b3JnMAWBAy5ncjAFgQMuZXUwBoEELmVkdTAGgQQub3JnMA0GCSqGSIb3DQEBBQUA +A4IBAQAf73lB4XtuP7KMhjdCSk4cNx6NZrokgclPEg8hwAOXhiVtXdMiKahsog2p +6z0GW5k6x8zDmjR/qw7IThzh+uTczQ2+vyT+bOdrwg3IBp5OjWEopmr95fZi6hg8 +TqBTnbI6nOulnJEWtk2C4AwFSKls9cz4y51JtPACpf1wA+2KIaWuE4ZJwzNzvoc7 
+dIsXRSZMFpGD/md9zU1jZ/rzAxKWeAaNsWftjj++n08C9bMJL/NMh98qy5V8Acys +Nnq/onN694/BtZqhFLKPM58N7yLcZnuEvUUXBj08yrl3NI/K6s8/MT7jiOOASSXI +l7WdmplNsDz4SgCbZN2fOUvRJ9e4 +-----END CERTIFICATE----- + +### Hongkong Post + +=== /C=HK/O=Hongkong Post/CN=Hongkong Post Root CA 1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1000 (0x3e8) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: May 15 05:13:14 2003 GMT + Not After : May 15 04:52:29 2023 GMT + Subject: C=HK, O=Hongkong Post, CN=Hongkong Post Root CA 1 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:3 + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Certificate Sign, CRL Sign +SHA1 Fingerprint=D6:DA:A8:20:8D:09:D2:15:4D:24:B5:2F:CB:34:6E:B2:58:B2:8A:58 +SHA256 Fingerprint=F9:E6:7D:33:6C:51:00:2A:C0:54:C6:32:02:2D:66:DD:A2:E7:E3:FF:F1:0A:D0:61:ED:31:D8:BB:B4:10:CF:B2 +-----BEGIN CERTIFICATE----- +MIIDMDCCAhigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCSEsx +FjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdrb25nIFBvc3Qg +Um9vdCBDQSAxMB4XDTAzMDUxNTA1MTMxNFoXDTIzMDUxNTA0NTIyOVowRzELMAkG +A1UEBhMCSEsxFjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdr +b25nIFBvc3QgUm9vdCBDQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEArP84tulmAknjorThkPlAj3n54r15/gK97iSSHSL22oVyaf7XPwnU3ZG1ApzQ +jVrhVcNQhrkpJsLj2aDxaQMoIIBFIi1WpztUlVYiWR8o3x8gPW2iNr4joLFutbEn +PzlTCeqrauh0ssJlXI6/fMN4hM2eFvz1Lk8gKgifd/PFHsSaUmYeSF7jEAaPIpjh +ZY4bXSNmO7ilMlHIhqqhqZ5/dpTCpmy3QfDVyAY45tQM4vM7TG1QjMSDJ8EThFk9 +nnV0ttgCXjqQesBCNnLsak3c78QA3xMYV18meMjWCnl3v/evt3a5pQuEF10Q6m/h +q5URX208o1xNg1vysxmKgIsLhwIDAQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgED +MA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0BAQUFAAOCAQEADkbVPK7ih9legYsC +mEEIjEy82tvuJxuC52pF7BaLT4Wg87JwvVqWuspube5Gi27nKi6Wsxkz67SfqLI3 +7piol7Yutmcn1KZJ/RyTZXaeQi/cImyaT/JaFTmxcdcrUehtHJjA2Sr0oYJ71clB +oiMBdDhViw+5LmeiIAQ32pwL0xch4I+XeTRvhEgCIDMb5jREn5Fw9IBehEPCKdJs +EhTkYY2sEJCehFC78JZvRZ+K88psT/oROhUVRsPNH4NbLUES7VBnQRM9IauUiqpO 
+fMGx+6fWtScvl6tu4B3i0RwsH0Ti/L6RoZz71ilTc4afU9hDDl3WY4JxHYB0yvbi +AmvZWg== +-----END CERTIFICATE----- + +### IdenTrust + +=== /C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0a:01:42:80:00:00:01:45:23:c8:44:b5:00:00:00:02 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jan 16 18:12:23 2014 GMT + Not After : Jan 16 18:12:23 2034 GMT + Subject: C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + ED:44:19:C0:D3:F0:06:8B:EE:A4:7B:BE:42:E7:26:54:C8:8E:36:76 +SHA1 Fingerprint=DF:71:7E:AA:4A:D9:4E:C9:55:84:99:60:2D:48:DE:5F:BC:F0:3A:25 +SHA256 Fingerprint=5D:56:49:9B:E4:D2:E0:8B:CF:CA:D0:8A:3E:38:72:3D:50:50:3B:DE:70:69:48:E4:2F:55:60:30:19:E5:28:AE +-----BEGIN CERTIFICATE----- +MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK +MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVu +VHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQw +MTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScw +JQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqG +SIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT +3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU ++ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gp +S0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1 +bVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORi +T0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCL +vYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjK +Vsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZK +dHzVWYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHT +c+XvvqDtMwt0viAgxGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hv +l7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5N 
+iGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB +/zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcNAQELBQAD +ggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH +6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwt +LRvM7Kqas6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93 +nAbowacYXVKV7cndJZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3 ++wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRK +W2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pT +AwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/rokTLq +l1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG +4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZ +mUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A +7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6H +-----END CERTIFICATE----- +=== /C=US/O=IdenTrust/CN=IdenTrust Public Sector Root CA 1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0a:01:42:80:00:00:01:45:23:cf:46:7c:00:00:00:02 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jan 16 17:53:32 2014 GMT + Not After : Jan 16 17:53:32 2034 GMT + Subject: C=US, O=IdenTrust, CN=IdenTrust Public Sector Root CA 1 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + E3:71:E0:9E:D8:A7:42:D9:DB:71:91:6B:94:93:EB:C3:A3:D1:14:A3 +SHA1 Fingerprint=BA:29:41:60:77:98:3F:F4:F3:EF:F2:31:05:3B:2E:EA:6D:4D:45:FD +SHA256 Fingerprint=30:D0:89:5A:9A:44:8A:26:20:91:63:55:22:D1:F5:20:10:B5:86:7A:CA:E1:2C:78:EF:95:8F:D4:F4:38:9F:2F +-----BEGIN CERTIFICATE----- +MIIFZjCCA06gAwIBAgIQCgFCgAAAAUUjz0Z8AAAAAjANBgkqhkiG9w0BAQsFADBN +MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MSowKAYDVQQDEyFJZGVu +VHJ1c3QgUHVibGljIFNlY3RvciBSb290IENBIDEwHhcNMTQwMTE2MTc1MzMyWhcN +MzQwMTE2MTc1MzMyWjBNMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0 
+MSowKAYDVQQDEyFJZGVuVHJ1c3QgUHVibGljIFNlY3RvciBSb290IENBIDEwggIi +MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC2IpT8pEiv6EdrCvsnduTyP4o7 +ekosMSqMjbCpwzFrqHd2hCa2rIFCDQjrVVi7evi8ZX3yoG2LqEfpYnYeEe4IFNGy +RBb06tD6Hi9e28tzQa68ALBKK0CyrOE7S8ItneShm+waOh7wCLPQ5CQ1B5+ctMlS +bdsHyo+1W/CD80/HLaXIrcuVIKQxKFdYWuSNG5qrng0M8gozOSI5Cpcu81N3uURF +/YTLNiCBWS2ab21ISGHKTN9T0a9SvESfqy9rg3LvdYDaBjMbXcjaY8ZNzaxmMc3R +3j6HEDbhuaR672BQssvKplbgN6+rNBM5Jeg5ZuSYeqoSmJxZZoY+rfGwyj4GD3vw +EUs3oERte8uojHH01bWRNszwFcYr3lEXsZdMUD2xlVl8BX0tIdUAvwFnol57plzy +9yLxkA2T26pEUWbMfXYD62qoKjgZl3YNa4ph+bz27nb9cCvdKTz4Ch5bQhyLVi9V +GxyhLrXHFub4qjySjmm2AcG1hp2JDws4lFTo6tyePSW8Uybt1as5qsVATFSrsrTZ +2fjXctscvG29ZV/viDUqZi/u9rNl8DONfJhBaUYPQxxp+pu10GFqzcpL2UyQRqsV +WaFHVCkugyhfHMKiq3IXAAaOReyL4jM9f9oZRORicsPfIsbyVtTdX5Vy7W1f90gD +W/3FKqD2cyOEEBsB5wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/ +BAUwAwEB/zAdBgNVHQ4EFgQU43HgntinQtnbcZFrlJPrw6PRFKMwDQYJKoZIhvcN +AQELBQADggIBAEf63QqwEZE4rU1d9+UOl1QZgkiHVIyqZJnYWv6IAcVYpZmxI1Qj +t2odIFflAWJBF9MJ23XLblSQdf4an4EKwt3X9wnQW3IV5B4Jaj0z8yGa5hV+rVHV +DRDtfULAj+7AmgjVQdZcDiFpboBhDhXAuM/FSRJSzL46zNQuOAXeNf0fb7iAaJg9 +TaDKQGXSc3z1i9kKlT/YPyNtGtEqJBnZhbMX73huqVjRI9PHE+1yJX9dsXNw0H8G +lwmEKYBhHfpe/3OsoOOJuBxxFcbeMX8S3OFtm6/n6J91eEyrRjuazr8FGF1NFTwW +mhlQBJqymm9li1JfPFgEKCXAZmExfrngdbkaqIHWchezxQMxNRF4eKLg6TCMf4Df +WN88uieW4oA0beOY02QnrEh+KHdcxiVhJfiFDGX6xDIvpZgF5PgLZxYWxoK4Mhn5 ++bl53B/N66+rDt0b20XkeucC4pVd/GnwU2lhlXV5C15V5jgclKlZM57IcXR5f1GJ +tshquDDIajjDbp7hNxbqBWJMWxJH7ae0s1hWx0nzfxJoCTFx8G34Tkf71oXuxVhA +GaQdp/lLQzfcaFpPz+vCZHTetBXZ9FRUGi8c15dxVJCO2SCdUyt/q4/i6jC8UDfv +8Ue1fXwsBOxonbRJRBD0ckscZOf85muQ3Wl9af0AVqW3rLatt8o+Ae+c +-----END CERTIFICATE----- + ### Internet Security Research Group === /C=US/O=Internet Security Research Group/CN=ISRG Root X1 
@@ -1973,6 +3560,266 @@ mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= -----END CERTIFICATE----- +### IZENPE S.A. + +=== /C=ES/O=IZENPE S.A./CN=Izenpe.com +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + b0:b7:5a:16:48:5f:bf:e1:cb:f5:8b:d7:19:e6:7d + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Dec 13 13:08:28 2007 GMT + Not After : Dec 13 08:27:25 2037 GMT + Subject: C=ES, O=IZENPE S.A., CN=Izenpe.com + X509v3 extensions: + X509v3 Subject Alternative Name: + email:info@izenpe.com, DirName:/O=IZENPE S.A. - CIF A01337260-RMerc.Vitoria-Gasteiz T1055 F62 S8/street=Avda del Mediterraneo Etorbidea 14 - 01010 Vitoria-Gasteiz + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 1D:1C:65:0E:A8:F2:25:7B:B4:91:CF:E4:B1:B1:E6:BD:55:74:6C:05 +SHA1 Fingerprint=2F:78:3D:25:52:18:A7:4A:65:39:71:B5:2C:A2:9C:45:15:6F:E9:19 +SHA256 Fingerprint=25:30:CC:8E:98:32:15:02:BA:D9:6F:9B:1F:BA:1B:09:9E:2D:29:9E:0F:45:48:BB:91:4F:36:3B:C0:D4:53:1F +-----BEGIN CERTIFICATE----- +MIIF8TCCA9mgAwIBAgIQALC3WhZIX7/hy/WL1xnmfTANBgkqhkiG9w0BAQsFADA4 +MQswCQYDVQQGEwJFUzEUMBIGA1UECgwLSVpFTlBFIFMuQS4xEzARBgNVBAMMCkl6 +ZW5wZS5jb20wHhcNMDcxMjEzMTMwODI4WhcNMzcxMjEzMDgyNzI1WjA4MQswCQYD +VQQGEwJFUzEUMBIGA1UECgwLSVpFTlBFIFMuQS4xEzARBgNVBAMMCkl6ZW5wZS5j +b20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDJ03rKDx6sp4boFmVq +scIbRTJxldn+EFvMr+eleQGPicPK8lVx93e+d5TzcqQsRNiekpsUOqHnJJAKClaO +xdgmlOHZSOEtPtoKct2jmRXagaKH9HtuJneJWK3W6wyyQXpzbm3benhB6QiIEn6H +LmYRY2xU+zydcsC8Lv/Ct90NduM61/e0aL6i9eOBbsFGb12N4E3GVFWJGjMxCrFX +uaOKmMPsOzTFlUFpfnXCPCDFYbpRR6AgkJOhkEvzTnyFRVSa0QUmQbC1TR0zvsQD +yCV8wXDbO/QJLVQnSKwv4cSsPsjLkkxTOTcj7NMB+eAJRE1NZMDhDVqHIrytG6P+ +JrUV86f8hBnp7KGItERphIPzidF0BqnMC9bC3ieFUCbKF7jJeodWLBoBHmy+E60Q +rLUk9TiRodZL2vG70t5HtfG8gfZZa88ZU+mNFctKy6lvROUbQc/hhqfK0GqfvEyN 
+BjNaooXlkDWgYlwWTvDjovoDGrQscbNYLN57C9saD+veIR8GdwYDsMnvmfzAuU8L +hij+0rnq49qlw0dpEuDb8PYZi+17cNcC1u2HGCgsBCRMd+RIihrGO5rUD8r6ddIB +QFqNeb+Lz0vPqhbBleStTIo+F5HUsWLlguWABKQDfo2/2n+iD5dPDNMN+9fR5XJ+ +HMh3/1uaD7euBUbl8agW7EekFwIDAQABo4H2MIHzMIGwBgNVHREEgagwgaWBD2lu +Zm9AaXplbnBlLmNvbaSBkTCBjjFHMEUGA1UECgw+SVpFTlBFIFMuQS4gLSBDSUYg +QTAxMzM3MjYwLVJNZXJjLlZpdG9yaWEtR2FzdGVpeiBUMTA1NSBGNjIgUzgxQzBB +BgNVBAkMOkF2ZGEgZGVsIE1lZGl0ZXJyYW5lbyBFdG9yYmlkZWEgMTQgLSAwMTAx +MCBWaXRvcmlhLUdhc3RlaXowDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +AQYwHQYDVR0OBBYEFB0cZQ6o8iV7tJHP5LGx5r1VdGwFMA0GCSqGSIb3DQEBCwUA +A4ICAQB4pgwWSp9MiDrAyw6lFn2fuUhfGI8NYjb2zRlrrKvV9pF9rnHzP7MOeIWb +laQnIUdCSnxIOvVFfLMMjlF4rJUT3sb9fbgakEyrkgPH7UIBzg/YsfqikuFgba56 +awmqxinuaElnMIAkejEWOVt+8Rwu3WwJrfIxwYJOubv5vr8qhT/AQKM6WfxZSzwo +JNu0FXWuDYi6LnPAvViH5ULy617uHjAimcs30cQhbIHsvm0m5hzkQiCeR7Csg1lw +LDXWrzY0tM07+DKo7+N4ifuNRSzanLh+QBxh5z6ikixL8s36mLYp//Pye6kfLqCT +VyvehQP5aTfLnnhqBbTFMXiJ7HqnheG5ezzevh55hM6fcA5ZwjUukCox2eRFekGk +LhObNA5me0mrZJfQRsN5nXJQY6aYWwa9SG3YOYNw6DXwBdGqvOPbyALqfP2C2sJb +UjWumDqtujWTI6cfSN01RpiyEGjkpTHCClguGYEQyVB1/OpaFs4R1+7vUIgtYf8/ +QnMFlEPVjjxOAToZpR9GTnfQXeWBIiGH/pR9hNiTrdZoQ0iy2+tzJOeRf1SktoA+ +naM8THLCV8Sg1Mw4J87VBp6iSNnpn86CcDaTmjvfliHjWbcM2pE38P1ZWrOZyGls +QyYBNWNgVYkDOnXYukrZVP/u3oDYLdE41V4tC5h9Pmzb/CaIxw== +-----END CERTIFICATE----- + +### Japan Certification Services, Inc. 
+ +=== /C=JP/O=Japan Certification Services, Inc./CN=SecureSign RootCA11 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Apr 8 04:56:47 2009 GMT + Not After : Apr 8 04:56:47 2029 GMT + Subject: C=JP, O=Japan Certification Services, Inc., CN=SecureSign RootCA11 + X509v3 extensions: + X509v3 Subject Key Identifier: + 5B:F8:4D:4F:B2:A5:86:D4:3A:D2:F1:63:9A:A0:BE:09:F6:57:B7:DE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=3B:C4:9F:48:F8:F3:73:A0:9C:1E:BD:F8:5B:B1:C3:65:C7:D8:11:B3 +SHA256 Fingerprint=BF:0F:EE:FB:9E:3A:58:1A:D5:F9:E9:DB:75:89:98:57:43:D2:61:08:5C:4D:31:4F:6F:5D:72:59:AA:42:16:12 +-----BEGIN CERTIFICATE----- +MIIDbTCCAlWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJKUDEr +MCkGA1UEChMiSmFwYW4gQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcywgSW5jLjEcMBoG +A1UEAxMTU2VjdXJlU2lnbiBSb290Q0ExMTAeFw0wOTA0MDgwNDU2NDdaFw0yOTA0 +MDgwNDU2NDdaMFgxCzAJBgNVBAYTAkpQMSswKQYDVQQKEyJKYXBhbiBDZXJ0aWZp +Y2F0aW9uIFNlcnZpY2VzLCBJbmMuMRwwGgYDVQQDExNTZWN1cmVTaWduIFJvb3RD +QTExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/XeqpRyQBTvLTJsz +i1oURaTnkBbR31fSIRCkF/3frNYfp+TbfPfs37gD2pRY/V1yfIw/XwFndBWW4wI8 +h9uuywGOwvNmxoVF9ALGOrVisq/6nL+k5tSAMJjzDbaTj6nU2DbysPyKyiyhFTOV +MdrAG/LuYpmGYz+/3ZMqg6h2uRMft85OQoWPIucuGvKVCbIFtUROd6EgvanyTgp9 +UK31BQ1FT0Zx/Sg+U/sE2C3XZR1KG/rPO7AxmjVuyIsG0wCR8pQIZUyxNAYAeoni +8McDWc/V1uinMrPmmECGxc0nEovMe863ETxiYAcjPitAbpSACW22s293bzUIUPsC +h8U+iQIDAQABo0IwQDAdBgNVHQ4EFgQUW/hNT7KlhtQ60vFjmqC+CfZXt94wDgYD +VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB +AKChOBZmLqdWHyGcBvod7bkixTgm2E5P7KN/ed5GIaGHd48HCJqypMWvDzKYC3xm +KbabfSVSSUOrTC4rbnpwrxYO4wJs+0LmGJ1F2FXI6Dvd5+H0LgscNFxsWEr7jIhQ +X5Ucv+2rIrVls4W6ng+4reV6G4pQOh29Dbx7VFALuUKvVaAYga1lme++5Jy/xIWr +QbJUb9wlze144o4MjQlJ3WN7WmmWAiGovVJZ6X01y8hSyn+B/tlr0/cR7SXf+Of5 +pPpyl4RTDaXQMhhRdlkUbA/r7F+AjHVDg8OFmP9Mni0N5HeDk061lgeLKBObjBmN 
+QSdJQO7e5iNEOdyhIta6A/I= +-----END CERTIFICATE----- + +### Krajowa Izba Rozliczeniowa S.A. + +=== /C=PL/O=Krajowa Izba Rozliczeniowa S.A./CN=SZAFIR ROOT CA2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3e:8a:5d:07:ec:55:d2:32:d5:b7:e3:b6:5f:01:eb:2d:dc:e4:d6:e4 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Oct 19 07:43:30 2015 GMT + Not After : Oct 19 07:43:30 2035 GMT + Subject: C=PL, O=Krajowa Izba Rozliczeniowa S.A., CN=SZAFIR ROOT CA2 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 2E:16:A9:4A:18:B5:CB:CC:F5:6F:50:F3:23:5F:F8:5D:E7:AC:F0:C8 +SHA1 Fingerprint=E2:52:FA:95:3F:ED:DB:24:60:BD:6E:28:F3:9C:CC:CF:5E:B3:3F:DE +SHA256 Fingerprint=A1:33:9D:33:28:1A:0B:56:E5:57:D3:D3:2B:1C:E7:F9:36:7E:B0:94:BD:5F:A7:2A:7E:50:04:C8:DE:D7:CA:FE +-----BEGIN CERTIFICATE----- +MIIDcjCCAlqgAwIBAgIUPopdB+xV0jLVt+O2XwHrLdzk1uQwDQYJKoZIhvcNAQEL +BQAwUTELMAkGA1UEBhMCUEwxKDAmBgNVBAoMH0tyYWpvd2EgSXpiYSBSb3psaWN6 +ZW5pb3dhIFMuQS4xGDAWBgNVBAMMD1NaQUZJUiBST09UIENBMjAeFw0xNTEwMTkw +NzQzMzBaFw0zNTEwMTkwNzQzMzBaMFExCzAJBgNVBAYTAlBMMSgwJgYDVQQKDB9L +cmFqb3dhIEl6YmEgUm96bGljemVuaW93YSBTLkEuMRgwFgYDVQQDDA9TWkFGSVIg +Uk9PVCBDQTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3vD5QqEvN +QLXOYeeWyrSh2gwisPq1e3YAd4wLz32ohswmUeQgPYUM1ljj5/QqGJ3a0a4m7utT +3PSQ1hNKDJA8w/Ta0o4NkjrcsbH/ON7Dui1fgLkCvUqdGw+0w8LBZwPd3BucPbOw +3gAeqDRHu5rr/gsUvTaE2g0gv/pby6kWIK05YO4vdbbnl5z5Pv1+TW9NL++IDWr6 +3fE9biCloBK0TXC5ztdyO4mTp4CEHCdJckm1/zuVnsHMyAHs6A6KCpbns6aH5db5 +BSsNl0BwPLqsdVqc1U2dAgrSS5tmS0YHF2Wtn2yIANwiieDhZNRnvDF5YTy7ykHN +XGoAyDw4jlivAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD +AgEGMB0GA1UdDgQWBBQuFqlKGLXLzPVvUPMjX/hd56zwyDANBgkqhkiG9w0BAQsF +AAOCAQEAtXP4A9xZWx126aMqe5Aosk3AM0+qmrHUuOQn/6mWmc5G4G18TKI4pAZw +8PRBEew/R40/cof5O/2kbytTAOD/OblqBw7rHRz2onKQy4I9EYKL0rufKq8h5mOG +nXkZ7/e7DDWQw4rtTw/1zBLZpD67oPwglV9PJi8RI4NOdQcPv5vRtB3pEAT+ymCP 
+oky4rc/hkA/NrgrHXXu3UNLUYfrVFdvXn4dRVOul4+vJhaAlIDf7js4MNIThPIGy +d05DpYhfhmehPea0XGG2Ptv+tyjFogeutcrKjSoS75ftwjCkySp6+/NNIxuZMzSg +LvWpCz/UXeHPhJ/iGcJfitYgHuNztw== +-----END CERTIFICATE----- + +### LuxTrust S.A. + +=== /C=LU/O=LuxTrust S.A./CN=LuxTrust Global Root 2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0a:7e:a6:df:4b:44:9e:da:6a:24:85:9e:e6:b8:15:d3:16:7f:bb:b1 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Mar 5 13:21:57 2015 GMT + Not After : Mar 5 13:21:57 2035 GMT + Subject: C=LU, O=LuxTrust S.A., CN=LuxTrust Global Root 2 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Certificate Policies: + Policy: 1.3.171.1.1.1.10 + CPS: https://repository.luxtrust.lu + + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Authority Key Identifier: + keyid:FF:18:28:76:F9:48:05:2C:A1:AE:F1:2B:1B:2B:B2:53:F8:4B:7C:B3 + + X509v3 Subject Key Identifier: + FF:18:28:76:F9:48:05:2C:A1:AE:F1:2B:1B:2B:B2:53:F8:4B:7C:B3 +SHA1 Fingerprint=1E:0E:56:19:0A:D1:8B:25:98:B2:04:44:FF:66:8A:04:17:99:5F:3F +SHA256 Fingerprint=54:45:5F:71:29:C2:0B:14:47:C4:18:F9:97:16:8F:24:C5:8F:C5:02:3B:F5:DA:5B:E2:EB:6E:1D:D8:90:2E:D5 +-----BEGIN CERTIFICATE----- +MIIFwzCCA6ugAwIBAgIUCn6m30tEntpqJIWe5rgV0xZ/u7EwDQYJKoZIhvcNAQEL +BQAwRjELMAkGA1UEBhMCTFUxFjAUBgNVBAoMDUx1eFRydXN0IFMuQS4xHzAdBgNV +BAMMFkx1eFRydXN0IEdsb2JhbCBSb290IDIwHhcNMTUwMzA1MTMyMTU3WhcNMzUw +MzA1MTMyMTU3WjBGMQswCQYDVQQGEwJMVTEWMBQGA1UECgwNTHV4VHJ1c3QgUy5B +LjEfMB0GA1UEAwwWTHV4VHJ1c3QgR2xvYmFsIFJvb3QgMjCCAiIwDQYJKoZIhvcN +AQEBBQADggIPADCCAgoCggIBANeFl78RmOnwYoNMPIf5U2o3C/IPPIfOb9wmKb3F +ibrJgz337spbxm1Jc7TJRqMbNBM/wYlFV/TZsfs2ZUv7COJIcRHIbjuend+JZTem +hfY7RBi2xjcwYkSSl2l9QjAk5A0MiWtj3sXh306pFGxT4GHO9hcvHTy95iJMHZP1 +EMShduxq3sVs35a0VkBCwGKSMKEtFZSg0iAGCW5qbeXrt77U8PEVfIvmTroTzEsn +Xpk8F12PgX8zPU/TPxvsXD/wPEx1bvKm1Z3aLQdjAsZy6ZS8TEmVT4hSyNvoaYL4 +zDRbIvCGp4m9SAptZoFtyMhk+wHh9OHe2Z7d21vUKpkmFRseTJIpgp7VkoGSQXAZ 
+96Tlk0u8d2cx3Rz9MXANF5kM+Qw5GSoXtTBxVdUPrljhPS80m8+f9niFwpN6cj5m +j5wWEWCPnolvZ77gR1o7DJpni89Gxq44o/KnvObWhWszJHAiS8sIm7vI+AIpHb4g +DEa/a4ebsypmQjVGbKq6rfmYe+lQVRQxv7HaLe2ArWgk+2mr2HETMOZns4dA/Yl+ +8kPREd8vZS9kzl8UubG/Mb2HeFpZZYiq/FkySIbWTLkpS5XTdvN3JW1CHDiDTf2j +X5t/Lax5Gw5CMZdjpPuKadUiDTSQMC6otOBttpSsvItO13D8xTiOZCXhTTmQzsmH +hFhxAgMBAAGjgagwgaUwDwYDVR0TAQH/BAUwAwEB/zBCBgNVHSAEOzA5MDcGByuB +KwEBAQowLDAqBggrBgEFBQcCARYeaHR0cHM6Ly9yZXBvc2l0b3J5Lmx1eHRydXN0 +Lmx1MA4GA1UdDwEB/wQEAwIBBjAfBgNVHSMEGDAWgBT/GCh2+UgFLKGu8SsbK7JT ++Et8szAdBgNVHQ4EFgQU/xgodvlIBSyhrvErGyuyU/hLfLMwDQYJKoZIhvcNAQEL +BQADggIBAGoZFO1uecEsh9QNcH7X9njJCwROxLHOk3D+sFTAMs2ZMGQXvw/l4jP9 +BzZAcg4atmpZ1gDlaCDdLnINH2pkMSCEfUmmWjfrRcmF9dTHF5kH5ptV5AzoqbTO +jFu1EVzPig4N1qx3gf4ynCSecs5U89BvolbW7MM3LGVYvlcAGvI1+ut7MV3CwRI9 +loGIlonBWVx65n9wNOeD4rHh4bhY79SV5GCc8JaXcozrhAIuZY+kt9J/Z93I055c +qqmkoCUUBpvsT34tC38ddfEz2O3OuHVtPlu5mB0xDVbYQw8wkbIEa91WvpWAVWe+ +2M2D2RjuLg+GLZKecBPs3lHJQ3gCpU3I+V/EkVhGFndadKpAvAefMLmx9xIX3eP/ +JEAdemrRTxgKqpAd60Ae36EeRJIQmvKN4dFLRp7oRUKX6kWZ8+xm1QL68qZKJKre +zrnK+T+Tb/mjuuqlPpmt/f97mfVl7vBZKGfXkJWkE4SphMHozs51k2MavDzq1WQf +LSoSOcbDWjLtR5EWDrw4wVDej8oqkDQc7kGUnF4ZLvhFSZl0kbAEb+MEWrGrKqv+ +x9CWttrhSmQGbmBNvUJO/3jaJMobtNeWOWyu8Q6qp31IiyBMz2TWuJdGsE7RKlY6 +oJO9r4Ak4Ap+58rVyuiFVdw2KuGUaJPHZnJED4AhMmwlxyOAgwrr +-----END CERTIFICATE----- + +### Microsec Ltd. 
+ +=== /C=HU/L=Budapest/O=Microsec Ltd./CN=Microsec e-Szigno Root CA 2009/emailAddress=info@e-szigno.hu +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 14014712776195784473 (0xc27e43044e473f19) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jun 16 11:30:18 2009 GMT + Not After : Dec 30 11:30:18 2029 GMT + Subject: C=HU, L=Budapest, O=Microsec Ltd., CN=Microsec e-Szigno Root CA 2009/emailAddress=info@e-szigno.hu + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + CB:0F:C6:DF:42:43:CC:3D:CB:B5:48:23:A1:1A:7A:A6:2A:BB:34:68 + X509v3 Authority Key Identifier: + keyid:CB:0F:C6:DF:42:43:CC:3D:CB:B5:48:23:A1:1A:7A:A6:2A:BB:34:68 + + X509v3 Subject Alternative Name: + email:info@e-szigno.hu +SHA1 Fingerprint=89:DF:74:FE:5C:F4:0F:4A:80:F9:E3:37:7D:54:DA:91:E1:01:31:8E +SHA256 Fingerprint=3C:5F:81:FE:A5:FA:B8:2C:64:BF:A2:EA:EC:AF:CD:E8:E0:77:FC:86:20:A7:CA:E5:37:16:3D:F3:6E:DB:F3:78 +-----BEGIN CERTIFICATE----- +MIIECjCCAvKgAwIBAgIJAMJ+QwRORz8ZMA0GCSqGSIb3DQEBCwUAMIGCMQswCQYD +VQQGEwJIVTERMA8GA1UEBwwIQnVkYXBlc3QxFjAUBgNVBAoMDU1pY3Jvc2VjIEx0 +ZC4xJzAlBgNVBAMMHk1pY3Jvc2VjIGUtU3ppZ25vIFJvb3QgQ0EgMjAwOTEfMB0G +CSqGSIb3DQEJARYQaW5mb0BlLXN6aWduby5odTAeFw0wOTA2MTYxMTMwMThaFw0y +OTEyMzAxMTMwMThaMIGCMQswCQYDVQQGEwJIVTERMA8GA1UEBwwIQnVkYXBlc3Qx +FjAUBgNVBAoMDU1pY3Jvc2VjIEx0ZC4xJzAlBgNVBAMMHk1pY3Jvc2VjIGUtU3pp +Z25vIFJvb3QgQ0EgMjAwOTEfMB0GCSqGSIb3DQEJARYQaW5mb0BlLXN6aWduby5o +dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOn4j/NjrdqG2KfgQvvP +kd6mJviZpWNwrZuuyjNAfW2WbqEORO7hE52UQlKavXWFdCyoDh2Tthi3jCyoz/tc +cbna7P7ofo/kLx2yqHWH2Leh5TvPmUpG0IMZfcChEhyVbUr02MelTTMuhTlAdX4U +fIASmFDHQWe4oIBhVKZsTh/gnQ4H6cm6M+f+wFUoLAKApxn1ntxVUwOXewdI/5n7 +N4okxFnMUBBjjqqpGrCEGob5X7uxUG6k0QrM1XF+H6cbfPVTbiJfyyvm1HxdrtbC +xkzlBQHZ7Vf8wSN5/PrIJIOV87VqUQHQd9bpEqH5GoP7ghu5sJf0dgYzQ0mg/wu1 ++rUCAwEAAaOBgDB+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0G 
+A1UdDgQWBBTLD8bfQkPMPcu1SCOhGnqmKrs0aDAfBgNVHSMEGDAWgBTLD8bfQkPM +Pcu1SCOhGnqmKrs0aDAbBgNVHREEFDASgRBpbmZvQGUtc3ppZ25vLmh1MA0GCSqG +SIb3DQEBCwUAA4IBAQDJ0Q5eLtXMs3w+y/w9/w0olZMEyL/azXm4Q5DwpL7v8u8h +mLzU1F0G9u5C7DBsoKqpyvGvivo/C3NqPuouQH4frlRheesuCDfXI/OMn74dseGk +ddug4lQUsbocKaQY9hK6ohQU4zE1yED/t+AFdlfBHFny+L/k7SViXITwfn4fs775 +tyERzAMBVnCnEJIeGzSBHq2cGsMEPO0CYdYeBvNfOofyK/FFh+U9rNHHV4S9a67c +2Pm2G2JwCz02yULyMtd6YebS2z3PyKnJm9zbWETXbzivf3jTo60adbocwTZ8jx5t +HMN1Rq41Bab2XD0h7lbwyYIiLXpUq3DDfSJlgnCW +-----END CERTIFICATE----- + ### NetLock Kft. === /C=HU/L=Budapest/O=NetLock Kft./OU=Tan\xC3\xBAs\xC3\xADtv\xC3\xA1nykiad\xC3\xB3k (Certification Services)/CN=NetLock Arany (Class Gold) F\xC5\x91tan\xC3\xBAs\xC3\xADtv\xC3\xA1ny 
@@ -2070,6 +3917,156 @@ wKeI8lN3s2Berq4o2jUsbzRF0ybh3uxbTydrFny9RAQYgrOJeRcQcT16ohZO9QHN pGxlaKFJdlxDydi8NmdspZS11My5vWo1ViHe2MPr+8ukYEywVaCge1ey -----END CERTIFICATE----- +### OpenTrust + +=== /C=FR/O=OpenTrust/CN=OpenTrust Root CA G1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 11:20:b3:90:55:39:7d:7f:36:6d:64:c2:a7:9f:6b:63:8e:67 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: May 26 08:45:50 2014 GMT + Not After : Jan 15 00:00:00 2038 GMT + Subject: C=FR, O=OpenTrust, CN=OpenTrust Root CA G1 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 97:46:21:57:21:35:DA:36:55:C7:F3:F1:37:70:E5:08:F6:93:29:B6 + X509v3 Authority Key Identifier: + keyid:97:46:21:57:21:35:DA:36:55:C7:F3:F1:37:70:E5:08:F6:93:29:B6 + +SHA1 Fingerprint=79:91:E8:34:F7:E2:EE:DD:08:95:01:52:E9:55:2D:14:E9:58:D5:7E +SHA256 Fingerprint=56:C7:71:28:D9:8C:18:D9:1B:4C:FD:FF:BC:25:EE:91:03:D4:75:8E:A2:AB:AD:82:6A:90:F3:45:7D:46:0E:B4 +-----BEGIN CERTIFICATE----- +MIIFbzCCA1egAwIBAgISESCzkFU5fX82bWTCp59rY45nMA0GCSqGSIb3DQEBCwUA +MEAxCzAJBgNVBAYTAkZSMRIwEAYDVQQKDAlPcGVuVHJ1c3QxHTAbBgNVBAMMFE9w +ZW5UcnVzdCBSb290IENBIEcxMB4XDTE0MDUyNjA4NDU1MFoXDTM4MDExNTAwMDAw +MFowQDELMAkGA1UEBhMCRlIxEjAQBgNVBAoMCU9wZW5UcnVzdDEdMBsGA1UEAwwU +T3BlblRydXN0IFJvb3QgQ0EgRzEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK +AoICAQD4eUbalsUwXopxAy1wpLuwxQjczeY1wICkES3d5oeuXT2R0odsN7faYp6b +wiTXj/HbpqbfRm9RpnHLPhsxZ2L3EVs0J9V5ToybWL0iEA1cJwzdMOWo010hOHQX +/uMftk87ay3bfWAfjH1MBcLrARYVmBSO0ZB3Ij/swjm4eTrwSSTilZHcYTSSjFR0 +77F9jAHiOH3BX2pfJLKOYheteSCtqx234LSWSE9mQxAGFiQD4eCcjsZGT44ameGP +uY4zbGneWK2gDqdkVBFpRGZPTBKnjix9xNRbxQA0MMHZmf4yzgeEtE7NCv82TWLx +p2NX5Ntqp66/K7nJ5rInieV+mhxNaMbBGN4zK1FGSxyO9z0M+Yo0FMT7MzUj8czx +Kselu7Cizv5Ta01BG2Yospb6p64KTrk5M0ScdMGTHPjgniQlQ/GbI4Kq3ywgsNw2 +TgOzfALU5nsaqocTvz6hdLubDuHAk5/XpGbKuxs74zD0M1mKB3IDVedzagMxbm+W 
+G+Oin6+Sx+31QrclTDsTBM8clq8cIqPQqwWyTBIjUtz9GVsnnB47ev1CI9sjgBPw +vFEVVJSmdz7QdFG9URQIOTfLHzSpMJ1ShC5VkLG631UAC9hWLbFJSXKAqWLXwPYY +EQRVzXR7z2FwefR7LFxckvzluFqrTJOVoSfupb7PcSNCupt2LQIDAQABo2MwYTAO +BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUl0YhVyE1 +2jZVx/PxN3DlCPaTKbYwHwYDVR0jBBgwFoAUl0YhVyE12jZVx/PxN3DlCPaTKbYw +DQYJKoZIhvcNAQELBQADggIBAB3dAmB84DWn5ph76kTOZ0BP8pNuZtQ5iSas000E +PLuHIT839HEl2ku6q5aCgZG27dmxpGWX4m9kWaSW7mDKHyP7Rbr/jyTwyqkxf3kf +gLMtMrpkZ2CvuVnN35pJ06iCsfmYlIrM4LvgBBuZYLFGZdwIorJGnkSI6pN+VxbS +FXJfLkur1J1juONI5f6ELlgKn0Md/rcYkoZDSw6cMoYsYPXpSOqV7XAp8dUv/TW0 +V8/bhUiZucJvbI/NeJWsZCj9VrDDb8O+WVLhX4SPgPL0DTatdrOjteFkdjpY3H1P +XlZs5VVZV6Xf8YpmMIzUUmI4d7S+KNfKNsSbBfD4Fdvb8e80nR14SohWZ25g/4/I +i+GOvUKpMwpZQhISKvqxnUOOBZuZ2mKtVzazHbYNeS2WuOvyDEsMpZTGMKcmGS3t +TAZQMPH9WD25SxdfGbRqhFS0OE85og2WaMMolP3tLR9Ka0OWLpABEPs4poEL0L91 +09S5zvE/bw4cHjdx5RiHdRk/ULlepEU0rbDK5uUTdg8xFKmOLZTW1YVNcxVPS/Ky +Pu1svf0OnWZzsD2097+o4BGkxK51CUpjAEggpsadCwmKtODmzj7HPiY46SvepghJ +AwSQiumPv+i2tCqjI40cHLI5kqiPAlxAOXXUc0ECd97N4EOH1uS6SsNsEn/+KuYj +1oxx +-----END CERTIFICATE----- +=== /C=FR/O=OpenTrust/CN=OpenTrust Root CA G2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 11:20:a1:69:1b:bf:bd:b9:bd:52:96:8f:23:e8:48:bf:26:11 + Signature Algorithm: sha512WithRSAEncryption + Validity + Not Before: May 26 00:00:00 2014 GMT + Not After : Jan 15 00:00:00 2038 GMT + Subject: C=FR, O=OpenTrust, CN=OpenTrust Root CA G2 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 6A:39:FA:42:22:F7:E6:89:00:4D:5E:7D:33:83:CB:B8:6E:77:86:AF + X509v3 Authority Key Identifier: + keyid:6A:39:FA:42:22:F7:E6:89:00:4D:5E:7D:33:83:CB:B8:6E:77:86:AF + +SHA1 Fingerprint=79:5F:88:60:C5:AB:7C:3D:92:E6:CB:F4:8D:E1:45:CD:11:EF:60:0B +SHA256 Fingerprint=27:99:58:29:FE:6A:75:15:C1:BF:E8:48:F9:C4:76:1D:B1:6C:22:59:29:25:7B:F4:0D:08:94:F2:9E:A8:BA:F2 +-----BEGIN CERTIFICATE----- 
+MIIFbzCCA1egAwIBAgISESChaRu/vbm9UpaPI+hIvyYRMA0GCSqGSIb3DQEBDQUA +MEAxCzAJBgNVBAYTAkZSMRIwEAYDVQQKDAlPcGVuVHJ1c3QxHTAbBgNVBAMMFE9w +ZW5UcnVzdCBSb290IENBIEcyMB4XDTE0MDUyNjAwMDAwMFoXDTM4MDExNTAwMDAw +MFowQDELMAkGA1UEBhMCRlIxEjAQBgNVBAoMCU9wZW5UcnVzdDEdMBsGA1UEAwwU +T3BlblRydXN0IFJvb3QgQ0EgRzIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK +AoICAQDMtlelM5QQgTJT32F+D3Y5z1zCU3UdSXqWON2ic2rxb95eolq5cSG+Ntmh +/LzubKh8NBpxGuga2F8ORAbtp+Dz0mEL4DKiltE48MLaARf85KxP6O6JHnSrT78e +CbY2albz4e6WiWYkBuTNQjpK3eCasMSCRbP+yatcfD7J6xcvDH1urqWPyKwlCm/6 +1UWY0jUJ9gNDlP7ZvyCVeYCYitmJNbtRG6Q3ffyZO6v/v6wNj0OxmXsWEH4db0fE +FY8ElggGQgT4hNYdvJGmQr5J1WqIP7wtUdGejeBSzFfdNTVY27SPJIjki9/ca1TS +gSuyzpJLHB9G+h3Ykst2Z7UJmQnlrBcUVXDGPKBWCgOz3GIZ38i1MH/1PCZ1Eb3X +G7OHngevZXHloM8apwkQHZOJZlvoPGIytbU6bumFAYueQ4xncyhZW+vj3CzMpSZy +YhK05pyDRPZRpOLAeiRXyg6lPzq1O4vldu5w5pLeFlwoW5cZJ5L+epJUzpM5ChaH +vGOz9bGTXOBut9Dq+WIyiET7vycotjCVXRIouZW+j1MY5aIYFuJWpLIsEPUdN6b4 +t/bQWVyJ98LVtZR00dX+G7bw5tYee9I8y6jj9RjzIR9u701oBnstXW5DiabA+aC/ +gh7PU3+06yzbXfZqfUAkBXKJOAGTy3HCOV0GEfZvePg3DTmEJwIDAQABo2MwYTAO +BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUajn6QiL3 +5okATV59M4PLuG53hq8wHwYDVR0jBBgwFoAUajn6QiL35okATV59M4PLuG53hq8w +DQYJKoZIhvcNAQENBQADggIBAJjLq0A85TMCl38th6aP1F5Kr7ge57tx+4BkJamz +Gj5oXScmp7oq4fBXgwpkTx4idBvpkF/wrM//T2h6OKQQbA2xx6R3gBi2oihEdqc0 +nXGEL8pZ0keImUEiyTCYYW49qKgFbdEfwFFEVn8nNQLdXpgKQuswv42hm1GqO+qT +RmTFAHneIWv2V6CG1wZy7HBGS4tz3aAhdT7cHcCP009zHIXZ/n9iyJVvttN7jLpT +wm+bREx50B1ws9efAvSyB7DH5fitIw6mVskpEndI2S9G/Tvw/HRwkqWOOAgfZDC2 +t0v7NqwQjqBSM2OdAzVWxWm9xiNaJ5T2pBL4LTM8oValX9YZ6e18CL13zSdkzJTa +TkZQh+D5wVOAHrut+0dSixv9ovneDiK3PTNZbNTe9ZUGMg1RGUFcPk8G97krgCf2 +o6p6fAbhQ8MTOWIaNr3gKC6UAuQpLmBVrkA9sHSSXvAgZJY/X0VdiLWK2gKgW0VU +3jg9CcCoSmVGFvyqv1ROTVu+OEO3KMqLM6oaJbolXCkvW0pujOotnCr2BXbgd5eA +iN1nE28daCSLT7d0geX0YJ96Vdc+N9oWaz53rK4YcJUIeSkDiv7BO7M/Gg+kO14f +WKGVyasvc0rQLW6aWQ9VGHgtPFGml4vmu7JwqkwR3v98KzfUetF3NI/n+UL3PIEM +S1IK +-----END CERTIFICATE----- +=== /C=FR/O=OpenTrust/CN=OpenTrust Root CA G3 
+Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 11:20:e6:f8:4c:fc:24:b0:be:05:40:ac:da:83:1b:34:60:3f + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: May 26 00:00:00 2014 GMT + Not After : Jan 15 00:00:00 2038 GMT + Subject: C=FR, O=OpenTrust, CN=OpenTrust Root CA G3 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 47:77:C3:14:8B:62:39:0C:C9:6F:E1:50:4D:D0:10:58:DC:95:88:6D + X509v3 Authority Key Identifier: + keyid:47:77:C3:14:8B:62:39:0C:C9:6F:E1:50:4D:D0:10:58:DC:95:88:6D + +SHA1 Fingerprint=6E:26:64:F3:56:BF:34:55:BF:D1:93:3F:7C:01:DE:D8:13:DA:8A:A6 +SHA256 Fingerprint=B7:C3:62:31:70:6E:81:07:8C:36:7C:B8:96:19:8F:1E:32:08:DD:92:69:49:DD:8F:57:09:A4:10:F7:5B:62:92 +-----BEGIN CERTIFICATE----- +MIICITCCAaagAwIBAgISESDm+Ez8JLC+BUCs2oMbNGA/MAoGCCqGSM49BAMDMEAx +CzAJBgNVBAYTAkZSMRIwEAYDVQQKDAlPcGVuVHJ1c3QxHTAbBgNVBAMMFE9wZW5U +cnVzdCBSb290IENBIEczMB4XDTE0MDUyNjAwMDAwMFoXDTM4MDExNTAwMDAwMFow +QDELMAkGA1UEBhMCRlIxEjAQBgNVBAoMCU9wZW5UcnVzdDEdMBsGA1UEAwwUT3Bl +blRydXN0IFJvb3QgQ0EgRzMwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARK7liuTcpm +3gY6oxH84Bjwbhy6LTAMidnW7ptzg6kjFYwvWYpa3RTqnVkrQ7cG7DK2uu5Bta1d +oYXM6h0UZqNnfkbilPPntlahFVmhTzeXuSIevRHr9LIfXsMUmuXZl5mjYzBhMA4G +A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRHd8MUi2I5 +DMlv4VBN0BBY3JWIbTAfBgNVHSMEGDAWgBRHd8MUi2I5DMlv4VBN0BBY3JWIbTAK +BggqhkjOPQQDAwNpADBmAjEAj6jcnboMBBf6Fek9LykBl7+BFjNAk2z8+e2AcG+q +j9uEwov1NcoG3GRvaBbhj5G5AjEA2Euly8LQCGzpGPta3U1fJAuwACEl74+nBCZx +4nxp5V2a+EEfOzmTk51V6s2N8fvB +-----END CERTIFICATE----- + ### QuoVadis Limited === /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 1 G3 
@@ -2420,46 +4417,6 @@ SnQ2+Q== ### SECOM Trust Systems CO.,LTD. -=== /C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication EV RootCA1 -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 0 (0x0) - Signature Algorithm: sha1WithRSAEncryption - Validity - Not Before: Jun 6 02:12:32 2007 GMT - Not After : Jun 6 02:12:32 2037 GMT - Subject: C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication EV RootCA1 - X509v3 extensions: - X509v3 Subject Key Identifier: - 35:4A:F5:4D:AF:3F:D7:82:38:AC:AB:71:65:17:75:8C:9D:55:93:E6 - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Basic Constraints: critical - CA:TRUE -SHA1 Fingerprint=FE:B8:C4:32:DC:F9:76:9A:CE:AE:3D:D8:90:8F:FD:28:86:65:64:7D -SHA256 Fingerprint=A2:2D:BA:68:1E:97:37:6E:2D:39:7D:72:8A:AE:3A:9B:62:96:B9:FD:BA:60:BC:2E:11:F6:47:F2:C6:75:FB:37 ------BEGIN CERTIFICATE----- -MIIDfTCCAmWgAwIBAgIBADANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJKUDEl -MCMGA1UEChMcU0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEqMCgGA1UECxMh -U2VjdXJpdHkgQ29tbXVuaWNhdGlvbiBFViBSb290Q0ExMB4XDTA3MDYwNjAyMTIz -MloXDTM3MDYwNjAyMTIzMlowYDELMAkGA1UEBhMCSlAxJTAjBgNVBAoTHFNFQ09N -IFRydXN0IFN5c3RlbXMgQ08uLExURC4xKjAoBgNVBAsTIVNlY3VyaXR5IENvbW11 -bmljYXRpb24gRVYgUm9vdENBMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC -ggEBALx/7FebJOD+nLpCeamIivqA4PUHKUPqjgo0No0c+qe1OXj/l3X3L+SqawSE -RMqm4miO/VVQYg+kcQ7OBzgtQoVQrTyWb4vVog7P3kmJPdZkLjjlHmy1V4qe70gO -zXppFodEtZDkBp2uoQSXWHnvIEqCa4wiv+wfD+mEce3xDuS4GBPMVjZd0ZoeUWs5 -bmB2iDQL87PRsJ3KYeJkHcFGB7hj3R4zZbOOCVVSPbW9/wfrrWFVGCypaZhKqkDF -MxRldAD5kd6vA0jFQFTcD4SQaCDFkpbcLuUCRarAX1T4bepJz11sS6/vmsJWXMY1 -VkJqMF/Cq/biPT+zyRGPMUzXn0kCAwEAAaNCMEAwHQYDVR0OBBYEFDVK9U2vP9eC -OKyrcWUXdYydVZPmMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0G -CSqGSIb3DQEBBQUAA4IBAQCoh+ns+EBnXcPBZsdAS5f8hxOQWsTvoMpfi7ent/HW -tWS3irO4G8za+6xmiEHO6Pzk2x6Ipu0nUBsCMCRGef4Eh3CXQHPRwMFXGZpppSeZ -q51ihPZRwSzJIxXYKLerJRO1RuGGAv8mjMSIkh1W/hln8lXkgKNrnKt34VFxDSDb -EJrbvXZ5B3eZKK2aXtqxT0QsNY6llsf9g/BYxnnWmHyojf6GPgcWkuF75x3sM3Z+ 
-Qi5KhfmRiWiEA4Glm5q+4zfFVKtWOxgtQaQM+ELbmaDgcm+7XeEWT1MKZPlO9L9O -VL14bIjqv5wTJMJwaaJ/D8g8rQjJsJhAoyrniIPtd490 ------END CERTIFICATE----- === /C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication RootCA2 Certificate: Data: 
@@ -2510,37 +4467,535 @@ Certificate: Serial Number: 0 (0x0) Signature Algorithm: sha1WithRSAEncryption Validity - Not Before: Sep 30 04:20:49 2003 GMT - Not After : Sep 30 04:20:49 2023 GMT - Subject: C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1 + Not Before: Sep 30 04:20:49 2003 GMT + Not After : Sep 30 04:20:49 2023 GMT + Subject: C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1 + X509v3 extensions: + X509v3 Subject Key Identifier: + A0:73:49:99:68:DC:85:5B:65:E3:9B:28:2F:57:9F:BD:33:BC:07:48 + X509v3 Key Usage: + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=36:B1:2B:49:F9:81:9E:D7:4C:9E:BC:38:0F:C6:56:8F:5D:AC:B2:F7 +SHA256 Fingerprint=E7:5E:72:ED:9F:56:0E:EC:6E:B4:80:00:73:A4:3F:C3:AD:19:19:5A:39:22:82:01:78:95:97:4A:99:02:6B:6C +-----BEGIN CERTIFICATE----- +MIIDWjCCAkKgAwIBAgIBADANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJKUDEY +MBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYDVQQLEx5TZWN1cml0eSBDb21t +dW5pY2F0aW9uIFJvb3RDQTEwHhcNMDMwOTMwMDQyMDQ5WhcNMjMwOTMwMDQyMDQ5 +WjBQMQswCQYDVQQGEwJKUDEYMBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYD +VQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTEwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCzs/5/022x7xZ8V6UMbXaKL0u/ZPtM7orw8yl8 +9f/uKuDp6bpbZCKamm8sOiZpUQWZJtzVHGpxxpp9Hp3dfGzGjGdnSj74cbAZJ6kJ +DKaVv0uMDPpVmDvY6CKhS3E4eayXkmmziX7qIWgGmBSWh9JhNrxtJ1aeV+7AwFb9 +Ms+k2Y7CI9eNqPPYJayX5HA49LY6tJ07lyZDo6G8SVlyTCMwhwFY9k6+HGhWZq/N +QV3Is00qVUarH9oe4kA92819uZKAnDfdDJZkndwi92SL32HeFZRSFaB9UslLqCHJ +xrHty8OVYNEP8Ktw+N/LTX7s1vqr2b1/VPKl6Xn62dZ2JChzAgMBAAGjPzA9MB0G +A1UdDgQWBBSgc0mZaNyFW2XjmygvV5+9M7wHSDALBgNVHQ8EBAMCAQYwDwYDVR0T +AQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAaECpqLvkT115swW1F7NgE+vG +kl3g0dNq/vu+m22/xwVtWSDEHPC32oRYAmP6SBbvT6UL90qY8j+eG61Ha2POCEfr +Uj94nK9NrvjVT8+amCoQQTlSxN3Zmw7vkwGusi7KaEIkQmywszo+zenaSMQVy+n5 +Bw+SUEmK3TGXX8npN6o7WWWXlDLJs58+OmJYxUmtYg5xpTKqL8aJdkNAExNnPaJU +JRDL8Try2frbSVa7pv6nQTXD4IhhyYjH3zYQIphZ6rBK+1YWc26sTfcioU+tHXot 
+RSflMMFe8toTyyVCUZVHA4xsIcx0Qu1T/zOLjw9XARYvz6buyXAiFL39vmwLAw== +-----END CERTIFICATE----- + +### SecureTrust Corporation + +=== /C=US/O=SecureTrust Corporation/CN=Secure Global CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 07:56:22:a4:e8:d4:8a:89:4d:f4:13:c8:f0:f8:ea:a5 + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Nov 7 19:42:28 2006 GMT + Not After : Dec 31 19:52:06 2029 GMT + Subject: C=US, O=SecureTrust Corporation, CN=Secure Global CA + X509v3 extensions: + 1.3.6.1.4.1.311.20.2: + ...C.A + X509v3 Key Usage: + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + AF:44:04:C2:41:7E:48:83:DB:4E:39:02:EC:EC:84:7A:E6:CE:C9:A4 + X509v3 CRL Distribution Points: + + Full Name: + URI:http://crl.securetrust.com/SGCA.crl + + 1.3.6.1.4.1.311.21.1: + ... +SHA1 Fingerprint=3A:44:73:5A:E5:81:90:1F:24:86:61:46:1E:3B:9C:C4:5F:F5:3A:1B +SHA256 Fingerprint=42:00:F5:04:3A:C8:59:0E:BB:52:7D:20:9E:D1:50:30:29:FB:CB:D4:1C:A1:B5:06:EC:27:F1:5A:DE:7D:AC:69 +-----BEGIN CERTIFICATE----- +MIIDvDCCAqSgAwIBAgIQB1YipOjUiolN9BPI8PjqpTANBgkqhkiG9w0BAQUFADBK +MQswCQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24x +GTAXBgNVBAMTEFNlY3VyZSBHbG9iYWwgQ0EwHhcNMDYxMTA3MTk0MjI4WhcNMjkx +MjMxMTk1MjA2WjBKMQswCQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3Qg +Q29ycG9yYXRpb24xGTAXBgNVBAMTEFNlY3VyZSBHbG9iYWwgQ0EwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvNS7YrGxVaQZx5RNoJLNP2MwhR/jxYDiJ +iQPpvepeRlMJ3Fz1Wuj3RSoC6zFh1ykzTM7HfAo3fg+6MpjhHZevj8fcyTiW89sa +/FHtaMbQbqR8JNGuQsiWUGMu4P51/pinX0kuleM5M2SOHqRfkNJnPLLZ/kG5VacJ +jnIFHovdRIWCQtBJwB1g8NEXLJXr9qXBkqPFwqcIYA1gBBCWeZ4WNOaptvolRTnI +HmX5k/Wq8VLcmZg9pYYaDDUz+kulBAYVHDGA76oYa8J719rO+TMg1fW9ajMtgQT7 +sFzUnKPiXB3jqUJ1XnvUd+85VLrJChgbEplJL4hL/VBi0XPnj3pDAgMBAAGjgZ0w +gZowEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQF +MAMBAf8wHQYDVR0OBBYEFK9EBMJBfkiD2045AuzshHrmzsmkMDQGA1UdHwQtMCsw 
+KaAnoCWGI2h0dHA6Ly9jcmwuc2VjdXJldHJ1c3QuY29tL1NHQ0EuY3JsMBAGCSsG +AQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBBQUAA4IBAQBjGghAfaReUw132HquHw0L +URYD7xh8yOOvaliTFGCRsoTciE6+OYo68+aCiV0BN7OrJKQVDpI1WkpEXk5X+nXO +H0jOZvQ8QCaSmGwb7iRGDBezUqXbpZGRzzfTb+cnCDpOGR86p1hcF895P4vkp9Mm +I50mD1hp/Ed+stCNi5O/KU9DaXR2Z0vPB4zmAve14bRDtUstFJ/53CYNv6ZHdAbY +iNE6KTCEztI5gGIbqMdXSbxqVVFnFUq+NQfk1XWYN3kwFNspnWzFacxHVaIw98xc +f8LDmBxrThaA63p4ZUWiABqvDA1VZDRIuJK58bRQKfJPIx/abKwfROHdI3hRW8cW +-----END CERTIFICATE----- +=== /C=US/O=SecureTrust Corporation/CN=SecureTrust CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0c:f0:8e:5c:08:16:a5:ad:42:7f:f0:eb:27:18:59:d0 + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Nov 7 19:31:18 2006 GMT + Not After : Dec 31 19:40:55 2029 GMT + Subject: C=US, O=SecureTrust Corporation, CN=SecureTrust CA + X509v3 extensions: + 1.3.6.1.4.1.311.20.2: + ...C.A + X509v3 Key Usage: + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 42:32:B6:16:FA:04:FD:FE:5D:4B:7A:C3:FD:F7:4C:40:1D:5A:43:AF + X509v3 CRL Distribution Points: + + Full Name: + URI:http://crl.securetrust.com/STCA.crl + + 1.3.6.1.4.1.311.21.1: + ... 
+SHA1 Fingerprint=87:82:C6:C3:04:35:3B:CF:D2:96:92:D2:59:3E:7D:44:D9:34:FF:11 +SHA256 Fingerprint=F1:C1:B5:0A:E5:A2:0D:D8:03:0E:C9:F6:BC:24:82:3D:D3:67:B5:25:57:59:B4:E7:1B:61:FC:E9:F7:37:5D:73 +-----BEGIN CERTIFICATE----- +MIIDuDCCAqCgAwIBAgIQDPCOXAgWpa1Cf/DrJxhZ0DANBgkqhkiG9w0BAQUFADBI +MQswCQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24x +FzAVBgNVBAMTDlNlY3VyZVRydXN0IENBMB4XDTA2MTEwNzE5MzExOFoXDTI5MTIz +MTE5NDA1NVowSDELMAkGA1UEBhMCVVMxIDAeBgNVBAoTF1NlY3VyZVRydXN0IENv +cnBvcmF0aW9uMRcwFQYDVQQDEw5TZWN1cmVUcnVzdCBDQTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAKukgeWVzfX2FI7CT8rU4niVWJxB4Q2ZQCQXOZEz +Zum+4YOvYlyJ0fwkW2Gz4BERQRwdbvC4u/jep4G6pkjGnx29vo6pQT64lO0pGtSO +0gMdA+9tDWccV9cGrcrI9f4Or2YlSASWC12juhbDCE/RRvgUXPLIXgGZbf2IzIao +wW8xQmxSPmjL8xk037uHGFaAJsTQ3MBv396gwpEWoGQRS0S8Hvbn+mPeZqx2pHGj +7DaUaHp3pLHnDi+BeuK1cobvomuL8A/b01k/unK8RCSc43Oz969XL0Imnal0ugBS +8kvNU3xHCzaFDmapCJcWNFfBZveA4+1wVMeT4C4oFVmHursCAwEAAaOBnTCBmjAT +BgkrBgEEAYI3FAIEBh4EAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB +/zAdBgNVHQ4EFgQUQjK2FvoE/f5dS3rD/fdMQB1aQ68wNAYDVR0fBC0wKzApoCeg +JYYjaHR0cDovL2NybC5zZWN1cmV0cnVzdC5jb20vU1RDQS5jcmwwEAYJKwYBBAGC +NxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBADDtT0rhWDpSclu1pqNlGKa7UTt3 +6Z3q059c4EVlew3KW+JwULKUBRSuSceNQQcSc5R+DCMh/bwQf2AQWnL1mA6s7Ll/ +3XpvXdMc9P+IBWlCqQVxyLesJugutIxq/3HcuLHfmbx8IVQr5Fiiu1cprp6poxkm +D5kuCLDv/WnPmRoJjeOnnyvJNjR7JLN4TJUXpAYmHrZkUjZfYGfZnMUFdAvnZyPS +CPyI6a6Lf+Ew9Dd+/cYy2i2eRDAwbO4H3tI0/NL/QPZL9GZGBlSm8jIKYyYwa5vR +3ItHuuG51WLQoqD0ZwV4KWMabwTW+MZMo5qxN7SN5ShLHZ4swrhovO0C7jE= +-----END CERTIFICATE----- + +### Sonera + +=== /C=FI/O=Sonera/CN=Sonera Class2 CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 29 (0x1d) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Apr 6 07:29:40 2001 GMT + Not After : Apr 6 07:29:40 2021 GMT + Subject: C=FI, O=Sonera, CN=Sonera Class2 CA + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 4A:A0:AA:58:84:D3:5E:3C + 
X509v3 Key Usage: + Certificate Sign, CRL Sign +SHA1 Fingerprint=37:F7:6D:E6:07:7C:90:C5:B1:3E:93:1A:B7:41:10:B4:F2:E4:9A:27 +SHA256 Fingerprint=79:08:B4:03:14:C1:38:10:0B:51:8D:07:35:80:7F:FB:FC:F8:51:8A:00:95:33:71:05:BA:38:6B:15:3D:D9:27 +-----BEGIN CERTIFICATE----- +MIIDIDCCAgigAwIBAgIBHTANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGSTEP +MA0GA1UEChMGU29uZXJhMRkwFwYDVQQDExBTb25lcmEgQ2xhc3MyIENBMB4XDTAx +MDQwNjA3Mjk0MFoXDTIxMDQwNjA3Mjk0MFowOTELMAkGA1UEBhMCRkkxDzANBgNV +BAoTBlNvbmVyYTEZMBcGA1UEAxMQU29uZXJhIENsYXNzMiBDQTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAJAXSjWdyvANlsdE+hY3/Ei9vX+ALTU74W+o +Z6m/AxxNjG8yR9VBaKQTBME1DJqEQ/xcHf+Js+gXGM2RX/uJ4+q/Tl18GybTdXnt +5oTjV+WtKcT0OijnpXuENmmz/V52vaMtmdOQTiMofRhj8VQ7Jp12W5dCsv+u8E7s +3TmVToMGf+dJQMjFAbJUWmYdPfz56TwKnoG4cPABi+QjVHzIrviQHgCWctRUz2Ej +vOr7nQKV0ba5cTppCD8PtOFCx4j1P5iop7oc4HFx71hXgVB6XGt0Rg6DA5jDjqhu +8nYybieDwnPz3BjotJPqdURrBGAgcVeHnfO+oJAjPYok4doh28MCAwEAAaMzMDEw +DwYDVR0TAQH/BAUwAwEB/zARBgNVHQ4ECgQISqCqWITTXjwwCwYDVR0PBAQDAgEG +MA0GCSqGSIb3DQEBBQUAA4IBAQBazof5FnIVV0sd2ZvnoiYw7JNn39Yt0jSv9zil +zqsWuasvfDXLrNAPtEwr/IDva4yRXzZ299uzGxnq9LIR/WFxRL8oszodv7ND6J+/ +3DEIcbCdjdY0RzKQxmUk96BKfARzjzlvF4xytb1LyHr4e4PDKE6cCepnP7JnBBvD +FNr450kkkdAdavphOe9r5yF1BgfYErQhIHBCcYHaPJo2vqZbDWpsmh+Re/n570K6 +Tk6ezAyNlNzZRZxe7EJQY670XcSxEtzKO6gunRRaBXW37Ndj4ro1tgQIkejanZz2 +ZrUYrAqmVCY0M9IbwdR/GjqOC6oybtv8TyWf2TLHllpwrN9M +-----END CERTIFICATE----- + +### SSL Corporation + +=== /C=US/ST=Texas/L=Houston/O=SSL Corporation/CN=SSL.com EV Root Certification Authority ECC +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3182246526754555285 (0x2c299c5b16ed0595) + Signature Algorithm: ecdsa-with-SHA256 + Validity + Not Before: Feb 12 18:15:23 2016 GMT + Not After : Feb 12 18:15:23 2041 GMT + Subject: C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com EV Root Certification Authority ECC + X509v3 extensions: + X509v3 Subject Key Identifier: + 5B:CA:5E:E5:DE:D2:81:AA:CD:A8:2D:64:51:B6:D9:72:9B:97:E6:4F + X509v3 Basic Constraints: 
critical + CA:TRUE + X509v3 Authority Key Identifier: + keyid:5B:CA:5E:E5:DE:D2:81:AA:CD:A8:2D:64:51:B6:D9:72:9B:97:E6:4F + + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +SHA1 Fingerprint=4C:DD:51:A3:D1:F5:20:32:14:B0:C6:C5:32:23:03:91:C7:46:42:6D +SHA256 Fingerprint=22:A2:C1:F7:BD:ED:70:4C:C1:E7:01:B5:F4:08:C3:10:88:0F:E9:56:B5:DE:2A:4A:44:F9:9C:87:3A:25:A7:C8 +-----BEGIN CERTIFICATE----- +MIIClDCCAhqgAwIBAgIILCmcWxbtBZUwCgYIKoZIzj0EAwIwfzELMAkGA1UEBhMC +VVMxDjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9T +U0wgQ29ycG9yYXRpb24xNDAyBgNVBAMMK1NTTC5jb20gRVYgUm9vdCBDZXJ0aWZp +Y2F0aW9uIEF1dGhvcml0eSBFQ0MwHhcNMTYwMjEyMTgxNTIzWhcNNDEwMjEyMTgx +NTIzWjB/MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hv +dXN0b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjE0MDIGA1UEAwwrU1NMLmNv +bSBFViBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IEVDQzB2MBAGByqGSM49 +AgEGBSuBBAAiA2IABKoSR5CYG/vvw0AHgyBO8TCCogbR8pKGYfL2IWjKAMTH6kMA +VIbc/R/fALhBYlzccBYy3h+Z1MzFB8gIH2EWB1E9fVwHU+M1OIzfzZ/ZLg1Kthku +WnBaBu2+8KGwytAJKaNjMGEwHQYDVR0OBBYEFFvKXuXe0oGqzagtZFG22XKbl+ZP +MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUW8pe5d7SgarNqC1kUbbZcpuX +5k8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA2gAMGUCMQCK5kCJN+vp1RPZ +ytRrJPOwPYdGWBrssd9v+1a6cGvHOMzosYxPD/fxZ3YOg9AeUY8CMD32IygmTMZg +h5Mmm7I1HrrW9zzRHM76JTymGoEVW/MSD2zuZYrJh6j5B+BimoxcSg== +-----END CERTIFICATE----- +=== /C=US/ST=Texas/L=Houston/O=SSL Corporation/CN=SSL.com EV Root Certification Authority RSA R2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6248227494352943350 (0x56b629cd34bc78f6) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: May 31 18:14:37 2017 GMT + Not After : May 30 18:14:37 2042 GMT + Subject: C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com EV Root Certification Authority RSA R2 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Authority Key Identifier: + keyid:F9:60:BB:D4:E3:D5:34:F6:B8:F5:06:80:25:A7:73:DB:46:69:A8:9E + + X509v3 Subject 
Key Identifier: + F9:60:BB:D4:E3:D5:34:F6:B8:F5:06:80:25:A7:73:DB:46:69:A8:9E + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +SHA1 Fingerprint=74:3A:F0:52:9B:D0:32:A0:F4:4A:83:CD:D4:BA:A9:7B:7C:2E:C4:9A +SHA256 Fingerprint=2E:7B:F1:6C:C2:24:85:A7:BB:E2:AA:86:96:75:07:61:B0:AE:39:BE:3B:2F:E9:D0:CC:6D:4E:F7:34:91:42:5C +-----BEGIN CERTIFICATE----- +MIIF6zCCA9OgAwIBAgIIVrYpzTS8ePYwDQYJKoZIhvcNAQELBQAwgYIxCzAJBgNV +BAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEQMA4GA1UEBwwHSG91c3RvbjEYMBYGA1UE +CgwPU1NMIENvcnBvcmF0aW9uMTcwNQYDVQQDDC5TU0wuY29tIEVWIFJvb3QgQ2Vy +dGlmaWNhdGlvbiBBdXRob3JpdHkgUlNBIFIyMB4XDTE3MDUzMTE4MTQzN1oXDTQy +MDUzMDE4MTQzN1owgYIxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEQMA4G +A1UEBwwHSG91c3RvbjEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9uMTcwNQYDVQQD +DC5TU0wuY29tIEVWIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgUlNBIFIy +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjzZlQOHWTcDXtOlG2mvq +M0fNTPl9fb69LT3w23jhhqXZuglXaO1XPqDQCEGD5yhBJB/jchXQARr7XnAjssuf +OePPxU7Gkm0mxnu7s9onnQqG6YE3Bf7wcXHswxzpY6IXFJ3vG2fThVUCAtZJycxa +4bH3bzKfydQ7iEGonL3Lq9ttewkfokxykNorCPzPPFTOZw+oz12WGQvE43LrrdF9 +HSfvkusQv1vrO6/PgN3B0pYEW3p+pKk8OHakYo6gOV7qd89dAFmPZiw+B6KjBSYR +aZfqhbcPlgtLyEDhULouisv3D5oi53+aNxPN8k0TayHRwMwi8qFG9kRpnMphNQcA +b9ZhCBHqurj26bNg5U257J8UZslXWNvNh2n4ioYSA0e/ZhN2rHd9NCSFg83XqpyQ +Gp8hLH94t2S42Oim9HizVcuE0jLEeK6jj2HdzghTreyI/BXkmg3mnxp3zkyPuBQV +PWKchjgGAGYS5Fl2WlPAApiiECtoRHuOec4zSnaqW4EWG7WK2NAAe15itAnWhmMO +pgWVSbooi4iTsjQc2KRVbrcc0N6ZVTsj9CLg+SlmJuwgUHfbSguPvuUCYHBBXtSu +UDkiFCbLsjtzdFVHB3mBOagwE0TlBIqulhMlQg+5U8Sb/M3kHN48+qvWBkofZ6aY +MBzdLNvcGJVXZsb/XItW9XcCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAfBgNV +HSMEGDAWgBT5YLvU49U09rj1BoAlp3PbRmmonjAdBgNVHQ4EFgQU+WC71OPVNPa4 +9QaAJadz20ZpqJ4wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQBW +s47LCp1Jjr+kxJG7ZhcFUZh1++VQLHqe8RT6q9OKPv+RKY9ji9i0qVQBDb6Thi/5 +Sm3HXvVX+cpVHBK+Rw82xd9qt9t1wkclf7nxY/hoLVUE0fKNsKTPvDxeH3jnpaAg +cLAExbf3cqfeIg29MyVGjGSSJuM+LmOW2puMPfgYCdcDzH2GguDKBAdRUNf/ktUM 
+79qGn5nX67evaOI5JpS6aLe/g9Pqemc9YmeuJeVy6OLk7K4S9ksrPJ/psEDzOFSz +/bdoyNrGj1E8svuR3Bznm53htw1yj+KkxKl4+esUrMZDBcJlOSgYAsOCsp0FvmXt +ll9ldDz7CTUue5wT/RsPXcdtgTpWD8w74a8CLyKsRspGPKAcTNZEtF4uXBVmCeEm +Kf7GUmG6sXP/wwyc5WxqlD8UykAWlYTzWamsX0xhk23RO8yilQwipmdnRC652dKK +QbNmC1r7fSOl8hqw/96bg5Qu0T/fkreRrwU7ZcegbLHNYhLDkBvjJc40vG93drEQ +w/cFGsDWr3RiSBd3kmmQYRzelYB0VI8YHMPzA9C/pEN1hlMYegouCRw2n5H9gooi +S9EOUCXdywMMF8mDAAhONU2Ki+3wApRmLER/y5UnlhetCTCstnEXbosX9hwJ1C07 +mKVx01QT2WDz9UtmT/rx7iASjbSsV7FFY6GsdqnC+w== +-----END CERTIFICATE----- +=== /C=US/ST=Texas/L=Houston/O=SSL Corporation/CN=SSL.com Root Certification Authority ECC +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8495723813297216424 (0x75e6dfcbc1685ba8) + Signature Algorithm: ecdsa-with-SHA256 + Validity + Not Before: Feb 12 18:14:03 2016 GMT + Not After : Feb 12 18:14:03 2041 GMT + Subject: C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com Root Certification Authority ECC + X509v3 extensions: + X509v3 Subject Key Identifier: + 82:D1:85:73:30:E7:35:04:D3:8E:02:92:FB:E5:A4:D1:C4:21:E8:CD + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Authority Key Identifier: + keyid:82:D1:85:73:30:E7:35:04:D3:8E:02:92:FB:E5:A4:D1:C4:21:E8:CD + + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +SHA1 Fingerprint=C3:19:7C:39:24:E6:54:AF:1B:C4:AB:20:95:7A:E2:C3:0E:13:02:6A +SHA256 Fingerprint=34:17:BB:06:CC:60:07:DA:1B:96:1C:92:0B:8A:B4:CE:3F:AD:82:0E:4A:A3:0B:9A:CB:C4:A7:4E:BD:CE:BC:65 +-----BEGIN CERTIFICATE----- +MIICjTCCAhSgAwIBAgIIdebfy8FoW6gwCgYIKoZIzj0EAwIwfDELMAkGA1UEBhMC +VVMxDjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9T +U0wgQ29ycG9yYXRpb24xMTAvBgNVBAMMKFNTTC5jb20gUm9vdCBDZXJ0aWZpY2F0 +aW9uIEF1dGhvcml0eSBFQ0MwHhcNMTYwMjEyMTgxNDAzWhcNNDEwMjEyMTgxNDAz +WjB8MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hvdXN0 +b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjExMC8GA1UEAwwoU1NMLmNvbSBS +b290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IEVDQzB2MBAGByqGSM49AgEGBSuB 
+BAAiA2IABEVuqVDEpiM2nl8ojRfLliJkP9x6jh3MCLOicSS6jkm5BBtHllirLZXI +7Z4INcgn64mMU1jrYor+8FsPazFSY0E7ic3s7LaNGdM0B9y7xgZ/wkWV7Mt/qCPg +CemB+vNH06NjMGEwHQYDVR0OBBYEFILRhXMw5zUE044CkvvlpNHEIejNMA8GA1Ud +EwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUgtGFczDnNQTTjgKS++Wk0cQh6M0wDgYD +VR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA2cAMGQCMG/n61kRpGDPYbCWe+0F+S8T +kdzt5fxQaxFGRrMcIQBiu77D5+jNB5n5DQtdcj7EqgIwH7y6C+IwJPt8bYBVCpk+ +gA0z5Wajs6O7pdWLjwkspl1+4vAHCGht0nxpbl/f5Wpl +-----END CERTIFICATE----- +=== /C=US/ST=Texas/L=Houston/O=SSL Corporation/CN=SSL.com Root Certification Authority RSA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8875640296558310041 (0x7b2c9bd316803299) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Feb 12 17:39:39 2016 GMT + Not After : Feb 12 17:39:39 2041 GMT + Subject: C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com Root Certification Authority RSA + X509v3 extensions: + X509v3 Subject Key Identifier: + DD:04:09:07:A2:F5:7A:7D:52:53:12:92:95:EE:38:80:25:0D:A6:59 + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Authority Key Identifier: + keyid:DD:04:09:07:A2:F5:7A:7D:52:53:12:92:95:EE:38:80:25:0D:A6:59 + + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +SHA1 Fingerprint=B7:AB:33:08:D1:EA:44:77:BA:14:80:12:5A:6F:BD:A9:36:49:0C:BB +SHA256 Fingerprint=85:66:6A:56:2E:E0:BE:5C:E9:25:C1:D8:89:0A:6F:76:A8:7E:C1:6D:4D:7D:5F:29:EA:74:19:CF:20:12:3B:69 +-----BEGIN CERTIFICATE----- +MIIF3TCCA8WgAwIBAgIIeyyb0xaAMpkwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCVVMxDjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQK +DA9TU0wgQ29ycG9yYXRpb24xMTAvBgNVBAMMKFNTTC5jb20gUm9vdCBDZXJ0aWZp +Y2F0aW9uIEF1dGhvcml0eSBSU0EwHhcNMTYwMjEyMTczOTM5WhcNNDEwMjEyMTcz +OTM5WjB8MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hv +dXN0b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjExMC8GA1UEAwwoU1NMLmNv +bSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IFJTQTCCAiIwDQYJKoZIhvcN +AQEBBQADggIPADCCAgoCggIBAPkP3aMrfcvQKv7sZ4Wm5y4bunfh4/WvpOz6Sl2R 
+xFdHaxh3a3by/ZPkPQ/CFp4LZsNWlJ4Xg4XOVu/yFv0AYvUiCVToZRdOQbngT0aX +qhvIuG5iXmmxX9sqAn78bMrzQdjt0Oj8P2FI7bADFB0QDksZ4LtO7IZl/zbzXmcC +C52GVWH9ejjt/uIZALdvoVBidXQ8oPrIJZK0bnoix/geoeOy3ZExqysdBP+lSgQ3 +6YWkMyv94tZVNHwZpEpox7Ko07fKoZOI68GXvIz5HdkihCR0xwQ9aqkpk8zruFvh +/l8lqjRYyMEjVJ0bmBHDOJx+PYZspQ9AhnwC9FwCTyjLrnGfDzrIM/4RJTXq/LrF +YD3ZfBjVsqnTdXgDciLKOsMf7yzlLqn6niy2UUb9rwPW6mBo6oUWNmuF6R7As93E +JNyAKoFBbZQ+yODJgUEAnl6/f8UImKIYLEJAs/lvOCdLToD0PYFH4Ih86hzOtXVc +US4cK38acijnALXRdMbX5J+tB5O2UzU1/Dfkw/ZdFr4hc96SCvigY2q8lpJqPvi8 +ZVWb3vUNiSYE/CUapiVpy8JtynziWV+XrOvvLsi81xtZPCvM8hnIk2snYxnP/Okm ++Mpxm3+T/jRnhE6Z6/yzeAkzcLpmpnbtG3PrGqUNxCITIJRWCk4sbE6x/c+cCbqi +M+2HAgMBAAGjYzBhMB0GA1UdDgQWBBTdBAkHovV6fVJTEpKV7jiAJQ2mWTAPBgNV +HRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFN0ECQei9Xp9UlMSkpXuOIAlDaZZMA4G +A1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAIBgRlCn7Jp0cHh5wYfGV +cpNxJK1ok1iOMq8bs3AD/CUrdIWQPXhq9LmLpZc7tRiRux6n+UBbkflVma8eEdBc +Hadm47GUBwwyOabqG7B52B2ccETjit3E+ZUfijhDPwGFpUenPUayvOUiaPd7nNgs +PgohyC0zrL/FgZkxdMF1ccW+sfAjRfSda/wZY52jvATGGAslu1OJD7OAUN5F7kR/ +q5R4ZJjT9ijdh9hwZXT7DrkT66cPYakylszeu+1jTBi7qUD3oFRuIIhxdRjqerQ0 +cuAjJ3dctpDqhiVAq+8zD8ufgr6iIPv2tS0a5sKFsXQP+8hlAqRSAUfdSSLBv9jr +a6x+3uxjMxW3IwiPxg+NQVrdjsW5j+VFP3jbutIbQLH+cU0/4IGiul607BXgk90I +H37hVZkLId6Tngr75qNJvTYw/ud3sqB1l7UtgYgXZSD32pAAn8lSzDLKNXz1PQ/Y +K9f1JmzJBjSWFupwWRoyeXkLtoh/D1JIPb9s2KJELtFOt3JY04kTlf5Eq/jXixtu +nLwsoFvVagCvXzfh1foQC5ichucmj87w7G6KVwuA406ywKBjYZC6VWg3dGq2ktuf +oYYitmUnDuy2n0Jg5GfCtdpBC8TTi2EbvPofkSvXRAdeuims2cXp71NIWuuA8ShY +Ic2wBlX7Jz9TkHCpBB5XJ7k= +-----END CERTIFICATE----- + +### Staat der Nederlanden + +=== /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden EV Root CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 10000013 (0x98968d) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Dec 8 11:19:29 2010 GMT + Not After : Dec 8 11:10:28 2022 GMT + Subject: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden EV Root CA + X509v3 extensions: + X509v3 Basic 
Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + FE:AB:00:90:98:9E:24:FC:A9:CC:1A:8A:FB:27:B8:BF:30:6E:A8:3B +SHA1 Fingerprint=76:E2:7E:C1:4F:DB:82:C1:C0:A6:75:B5:05:BE:3D:29:B4:ED:DB:BB +SHA256 Fingerprint=4D:24:91:41:4C:FE:95:67:46:EC:4C:EF:A6:CF:6F:72:E2:8A:13:29:43:2F:9D:8A:90:7A:C4:CB:5D:AD:C1:5A +-----BEGIN CERTIFICATE----- +MIIFcDCCA1igAwIBAgIEAJiWjTANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJO +TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSkwJwYDVQQDDCBTdGFh +dCBkZXIgTmVkZXJsYW5kZW4gRVYgUm9vdCBDQTAeFw0xMDEyMDgxMTE5MjlaFw0y +MjEyMDgxMTEwMjhaMFgxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIg +TmVkZXJsYW5kZW4xKTAnBgNVBAMMIFN0YWF0IGRlciBOZWRlcmxhbmRlbiBFViBS +b290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA48d+ifkkSzrS +M4M1LGns3Amk41GoJSt5uAg94JG6hIXGhaTK5skuU6TJJB79VWZxXSzFYGgEt9nC +UiY4iKTWO0Cmws0/zZiTs1QUWJZV1VD+hq2kY39ch/aO5ieSZxeSAgMs3NZmdO3d +Z//BYY1jTw+bbRcwJu+r0h8QoPnFfxZpgQNH7R5ojXKhTbImxrpsX23Wr9GxE46p +rfNeaXUmGD5BKyF/7otdBwadQ8QpCiv8Kj6GyzyDOvnJDdrFmeK8eEEzduG/L13l +pJhQDBXd4Pqcfzho0LKmeqfRMb1+ilgnQ7O6M5HTp5gVXJrm0w912fxBmJc+qiXb +j5IusHsMX/FjqTf5m3VpTCgmJdrV8hJwRVXj33NeN/UhbJCONVrJ0yPr08C+eKxC +KFhmpUZtcALXEPlLVPxdhkqHz3/KRawRWrUgUY0viEeXOcDPusBCAUCZSCELa6fS +/ZbV0b5GnUngC6agIk440ME8MLxwjyx1zNDFjFE7PZQIZCZhfbnDZY8UnCHQqv0X +cgOPvZuM5l5Tnrmd74K74bzickFbIZTTRTeU0d8JOV3nI6qaHcptqAqGhYqCvkIH +1vI4gnPah1vlPNOePqc7nvQDs/nxfRN0Av+7oeX6AHkcpmZBiFxgV6YuCcS6/ZrP +px9Aw7vMWgpVSzs4dlG4Y4uElBbmVvMCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB +/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFP6rAJCYniT8qcwaivsnuL8wbqg7 +MA0GCSqGSIb3DQEBCwUAA4ICAQDPdyxuVr5Os7aEAJSrR8kN0nbHhp8dB9O2tLsI +eK9p0gtJ3jPFrK3CiAJ9Brc1AsFgyb/E6JTe1NOpEyVa/m6irn0F3H3zbPB+po3u +2dfOWBfoqSmuc0iH55vKbimhZF8ZE/euBhD/UcabTVUlT5OZEAFTdfETzsemQUHS +v4ilf0X8rLiltTMMgsT7B/Zq5SWEXwbKwYY5EdtYzXc7LMJMD16a4/CrPmEbUCTC +wPTxGfARKbalGAKb12NMcIxHowNDXLldRqANb/9Zjr7dn3LDWyvfjFvO5QxGbJKy +CqNMVEIYFRIYvdr8unRu/8G2oGTYqV9Vrp9canaW2HNnh/tNf1zuacpzEPuKqf2e 
+vTY4SUmH9A4U8OmHuD+nT3pajnnUk+S7aFKErGzp85hwVXIy+TSrK0m1zSBi5Dp6 +Z2Orltxtrpfs/J92VoguZs9btsmksNcFuuEnL5O7Jiqik7Ab846+HUCjuTaPPoIa +Gl6I6lD4WeKDRikL40Rc4ZW2aZCaFG+XroHPaO+Zmr615+F/+PoTRxZMzG0IQOeL +eG9QgkRQP2YGiqtDhFZKDyAthg710tvSeopLzaXoTvFeJiUBWSOgftL2fiFX1ye8 +FVdMpEbB4IMeDExNH08GGeL5qPQ6gqGyeUN51q1veieQA6TqJIc/2b3Z6fJfUEkc +7uzXLg== +-----END CERTIFICATE----- +=== /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA - G2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 10000012 (0x98968c) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Mar 26 11:18:17 2008 GMT + Not After : Mar 25 11:03:10 2020 GMT + Subject: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G2 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + CPS: http://www.pkioverheid.nl/policies/root-policy-G2 + + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 91:68:32:87:15:1D:89:E2:B5:F1:AC:36:28:34:8D:0B:7C:62:88:EB +SHA1 Fingerprint=59:AF:82:79:91:86:C7:B4:75:07:CB:CF:03:57:46:EB:04:DD:B7:16 +SHA256 Fingerprint=66:8C:83:94:7D:A6:3B:72:4B:EC:E1:74:3C:31:A0:E6:AE:D0:DB:8E:C5:B3:1B:E3:77:BB:78:4F:91:B6:71:6F +-----BEGIN CERTIFICATE----- +MIIFyjCCA7KgAwIBAgIEAJiWjDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJO +TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSswKQYDVQQDDCJTdGFh +dCBkZXIgTmVkZXJsYW5kZW4gUm9vdCBDQSAtIEcyMB4XDTA4MDMyNjExMTgxN1oX +DTIwMDMyNTExMDMxMFowWjELMAkGA1UEBhMCTkwxHjAcBgNVBAoMFVN0YWF0IGRl +ciBOZWRlcmxhbmRlbjErMCkGA1UEAwwiU3RhYXQgZGVyIE5lZGVybGFuZGVuIFJv +b3QgQ0EgLSBHMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMVZ5291 +qj5LnLW4rJ4L5PnZyqtdj7U5EILXr1HgO+EASGrP2uEGQxGZqhQlEq0i6ABtQ8Sp +uOUfiUtnvWFI7/3S4GCI5bkYYCjDdyutsDeqN95kWSpGV+RLufg3fNU254DBtvPU +Z5uW6M7XxgpT0GtJlvOjCwV3SPcl5XCsMBQgJeN/dVrlSPhOewMHBPqCYYdu8DvE +pMfQ9XQ+pV0aCPKbJdL2rAQmPlU6Yiile7Iwr/g3wtG61jj99O9JMDeZJiFIhQGp 
+5Rbn3JBV3w/oOM2ZNyFPXfUib2rFEhZgF1XyZWampzCROME4HYYEhLoaJXhena/M +UGDWE4dS7WMfbWV9whUYdMrhfmQpjHLYFhN9C0lK8SgbIHRrxT3dsKpICT0ugpTN +GmXZK4iambwYfp/ufWZ8Pr2UuIHOzZgweMFvZ9C+X+Bo7d7iscksWXiSqt8rYGPy +5V6548r6f1CGPqI0GAwJaCgRHOThuVw+R7oyPxjMW4T182t0xHJ04eOLoEq9jWYv +6q012iDTiIJh8BIitrzQ1aTsr1SIJSQ8p22xcik/Plemf1WvbibG/ufMQFxRRIEK +eN5KzlW/HdXZt1bv8Hb/C3m1r737qWmRRpdogBQ2HbN/uymYNqUg+oJgYjOk7Na6 +B6duxc8UpufWkjTYgfX8HV2qXB72o007uPc5AgMBAAGjgZcwgZQwDwYDVR0TAQH/ +BAUwAwEB/zBSBgNVHSAESzBJMEcGBFUdIAAwPzA9BggrBgEFBQcCARYxaHR0cDov +L3d3dy5wa2lvdmVyaGVpZC5ubC9wb2xpY2llcy9yb290LXBvbGljeS1HMjAOBgNV +HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJFoMocVHYnitfGsNig0jQt8YojrMA0GCSqG +SIb3DQEBCwUAA4ICAQCoQUpnKpKBglBu4dfYszk78wIVCVBR7y29JHuIhjv5tLyS +CZa59sCrI2AGeYwRTlHSeYAz+51IvuxBQ4EffkdAHOV6CMqqi3WtFMTC6GY8ggen +5ieCWxjmD27ZUD6KQhgpxrRW/FYQoAUXvQwjf/ST7ZwaUb7dRUG/kSS0H4zpX897 +IZmflZ85OkYcbPnNe5yQzSipx6lVu6xiNGI1E0sUOlWDuYaNkqbG9AclVMwWVxJK +gnjIFNkXgiYtXSAfea7+1HAWFpWD2DU5/1JddRwWxRNVz0fMdWVSSt7wsKfkCpYL ++63C4iWEst3kvX5ZbJvw8NjnyvLplzh+ib7M+zkXYT9y2zqR2GUBGR2tUKRXCnxL +vJxxcypFURmFzI79R6d0lR2o0a9OF7FpJsKqeFdbxU2n5Z4FF5TKsl+gSRiNNOkm +bEgeqmiSBeGCc1qb3AdbCG19ndeNIdn8FCCqwkXfP+cAslHkwvgFuXkajDTznlvk +N1trSt8sV4pAWja63XVECDdCcAz+3F4hoKOKwJCcaNpQ5kUQR3i2TtJlycM33+FC +Y7BXN0Ute4qcvwXqZVUz9zkQxSgqIXobisQk+T8VyJoVIPVVYpbtbZNQvOSqeK3Z +ywplh6ZmwcSBo3c6WB4L7oOLnR7SUqTMHW+wmG2UMbX4cQrcufx9MmDm66+KAQ== +-----END CERTIFICATE----- +=== /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA - G3 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 10003001 (0x98a239) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Nov 14 11:28:42 2013 GMT + Not After : Nov 13 23:00:00 2028 GMT + Subject: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G3 X509v3 extensions: - X509v3 Subject Key Identifier: - A0:73:49:99:68:DC:85:5B:65:E3:9B:28:2F:57:9F:BD:33:BC:07:48 - X509v3 Key Usage: - Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE -SHA1 
Fingerprint=36:B1:2B:49:F9:81:9E:D7:4C:9E:BC:38:0F:C6:56:8F:5D:AC:B2:F7 -SHA256 Fingerprint=E7:5E:72:ED:9F:56:0E:EC:6E:B4:80:00:73:A4:3F:C3:AD:19:19:5A:39:22:82:01:78:95:97:4A:99:02:6B:6C + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 54:AD:FA:C7:92:57:AE:CA:35:9C:2E:12:FB:E4:BA:5D:20:DC:94:57 +SHA1 Fingerprint=D8:EB:6B:41:51:92:59:E0:F3:E7:85:00:C0:3D:B6:88:97:C9:EE:FC +SHA256 Fingerprint=3C:4F:B0:B9:5A:B8:B3:00:32:F4:32:B8:6F:53:5F:E1:72:C1:85:D0:FD:39:86:58:37:CF:36:18:7F:A6:F4:28 -----BEGIN CERTIFICATE----- -MIIDWjCCAkKgAwIBAgIBADANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJKUDEY -MBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYDVQQLEx5TZWN1cml0eSBDb21t -dW5pY2F0aW9uIFJvb3RDQTEwHhcNMDMwOTMwMDQyMDQ5WhcNMjMwOTMwMDQyMDQ5 -WjBQMQswCQYDVQQGEwJKUDEYMBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYD -VQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTEwggEiMA0GCSqGSIb3 -DQEBAQUAA4IBDwAwggEKAoIBAQCzs/5/022x7xZ8V6UMbXaKL0u/ZPtM7orw8yl8 -9f/uKuDp6bpbZCKamm8sOiZpUQWZJtzVHGpxxpp9Hp3dfGzGjGdnSj74cbAZJ6kJ -DKaVv0uMDPpVmDvY6CKhS3E4eayXkmmziX7qIWgGmBSWh9JhNrxtJ1aeV+7AwFb9 -Ms+k2Y7CI9eNqPPYJayX5HA49LY6tJ07lyZDo6G8SVlyTCMwhwFY9k6+HGhWZq/N -QV3Is00qVUarH9oe4kA92819uZKAnDfdDJZkndwi92SL32HeFZRSFaB9UslLqCHJ -xrHty8OVYNEP8Ktw+N/LTX7s1vqr2b1/VPKl6Xn62dZ2JChzAgMBAAGjPzA9MB0G -A1UdDgQWBBSgc0mZaNyFW2XjmygvV5+9M7wHSDALBgNVHQ8EBAMCAQYwDwYDVR0T -AQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAaECpqLvkT115swW1F7NgE+vG -kl3g0dNq/vu+m22/xwVtWSDEHPC32oRYAmP6SBbvT6UL90qY8j+eG61Ha2POCEfr -Uj94nK9NrvjVT8+amCoQQTlSxN3Zmw7vkwGusi7KaEIkQmywszo+zenaSMQVy+n5 -Bw+SUEmK3TGXX8npN6o7WWWXlDLJs58+OmJYxUmtYg5xpTKqL8aJdkNAExNnPaJU -JRDL8Try2frbSVa7pv6nQTXD4IhhyYjH3zYQIphZ6rBK+1YWc26sTfcioU+tHXot -RSflMMFe8toTyyVCUZVHA4xsIcx0Qu1T/zOLjw9XARYvz6buyXAiFL39vmwLAw== +MIIFdDCCA1ygAwIBAgIEAJiiOTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJO +TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSswKQYDVQQDDCJTdGFh +dCBkZXIgTmVkZXJsYW5kZW4gUm9vdCBDQSAtIEczMB4XDTEzMTExNDExMjg0MloX 
+DTI4MTExMzIzMDAwMFowWjELMAkGA1UEBhMCTkwxHjAcBgNVBAoMFVN0YWF0IGRl +ciBOZWRlcmxhbmRlbjErMCkGA1UEAwwiU3RhYXQgZGVyIE5lZGVybGFuZGVuIFJv +b3QgQ0EgLSBHMzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL4yolQP +cPssXFnrbMSkUeiFKrPMSjTysF/zDsccPVMeiAho2G89rcKezIJnByeHaHE6n3WW +IkYFsO2tx1ueKt6c/DrGlaf1F2cY5y9JCAxcz+bMNO14+1Cx3Gsy8KL+tjzk7FqX +xz8ecAgwoNzFs21v0IJyEavSgWhZghe3eJJg+szeP4TrjTgzkApyI/o1zCZxMdFy +KJLZWyNtZrVtB0LrpjPOktvA9mxjeM3KTj215VKb8b475lRgsGYeCasH/lSJEULR +9yS6YHgamPfJEf0WwTUaVHXvQ9Plrk7O53vDxk5hUUurmkVLoR9BvUhTFXFkC4az +5S6+zqQbwSmEorXLCCN2QyIkHxcE1G6cxvx/K2Ya7Irl1s9N9WMJtxU51nus6+N8 +6U78dULI7ViVDAZCopz35HCz33JvWjdAidiFpNfxC95DGdRKWCyMijmev4SH8RY7 +Ngzp07TKbBlBUgmhHbBqv4LvcFEhMtwFdozL92TkA1CvjJFnq8Xy7ljY3r735zHP +bMk7ccHViLVlvMDoFxcHErVc0qsgk7TmgoNwNsXNo42ti+yjwUOH5kPiNL6VizXt +BznaqB16nzaeErAMZRKQFWDZJkBE41ZgpRDUajz9QdwOWke275dhdU/Z/seyHdTt +XUmzqWrLZoQT1Vyg3N9udwbRcXXIV2+vD3dbAgMBAAGjQjBAMA8GA1UdEwEB/wQF +MAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRUrfrHkleuyjWcLhL75Lpd +INyUVzANBgkqhkiG9w0BAQsFAAOCAgEAMJmdBTLIXg47mAE6iqTnB/d6+Oea31BD +U5cqPco8R5gu4RV78ZLzYdqQJRZlwJ9UXQ4DO1t3ApyEtg2YXzTdO2PCwyiBwpwp +LiniyMMB8jPqKqrMCQj3ZWfGzd/TtiunvczRDnBfuCPRy5FOCvTIeuXZYzbB1N/8 +Ipf3YF3qKS9Ysr1YvY2WTxB1v0h7PVGHoTx0IsL8B3+A3MSs/mrBcDCw6Y5p4ixp +gZQJut3+TcCDjJRYwEYgr5wfAvg1VUkvRtTA8KCWAg8zxXHzniN9lLf9OtMJgwYh +/WA9rjLA0u6NpvDntIJ8CsxwyXmA+P5M9zWEGYox+wrZ13+b8KKaa8MFSu1BYBQw +0aoRQm7TIwIEC8Zl3d1Sd9qBa7Ko+gE4uZbqKmxnl4mUnrzhVNXkanjvSr0rmj1A +fsbAddJu+2gw7OyLnflJNZoaLNmzlTnVHpL3prllL+U9bTpITAjc5CgSKL59NVzq +4BZ+Extq1z7XnvwtdbLBFNUjA9tbbws+eC8N3jONFrdI54OagQ97wUNNVQQXOEpR +1VmiiXTTn74eS9fGbbeIJG9gkaSChVtWQbzQRKtqE77RLFi3EjNYsjdj3BP1lB0/ +QFH1T/U67cjF68IeHRaVesd+QnGTbksVtzDfqu1XhUisHWrdOWnk4Xl4vs4Fv6EM +94B7IWcnMFk= -----END CERTIFICATE----- ### Starfield Technologies, Inc. 
@@ -2677,137 +5132,6 @@ iEDPfUYd/x7H4c7/I9vG+o1VTqkC50cRRj70/b17KSa7qWFiNyi2LSr2EIZkyXCn sSi6 -----END CERTIFICATE----- -### StartCom Ltd. - -=== /C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2 -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 59 (0x3b) - Signature Algorithm: sha256WithRSAEncryption - Validity - Not Before: Jan 1 01:00:01 2010 GMT - Not After : Dec 31 23:59:01 2039 GMT - Subject: C=IL, O=StartCom Ltd., CN=StartCom Certification Authority G2 - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Subject Key Identifier: - 4B:C5:B4:40:6B:AD:1C:B3:A5:1C:65:6E:46:36:89:87:05:0C:0E:B6 -SHA1 Fingerprint=31:F1:FD:68:22:63:20:EE:C6:3B:3F:9D:EA:4A:3E:53:7C:7C:39:17 -SHA256 Fingerprint=C7:BA:65:67:DE:93:A7:98:AE:1F:AA:79:1E:71:2D:37:8F:AE:1F:93:C4:39:7F:EA:44:1B:B7:CB:E6:FD:59:95 ------BEGIN CERTIFICATE----- -MIIFYzCCA0ugAwIBAgIBOzANBgkqhkiG9w0BAQsFADBTMQswCQYDVQQGEwJJTDEW -MBQGA1UEChMNU3RhcnRDb20gTHRkLjEsMCoGA1UEAxMjU3RhcnRDb20gQ2VydGlm -aWNhdGlvbiBBdXRob3JpdHkgRzIwHhcNMTAwMTAxMDEwMDAxWhcNMzkxMjMxMjM1 -OTAxWjBTMQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjEsMCoG -A1UEAxMjU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgRzIwggIiMA0G -CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC2iTZbB7cgNr2Cu+EWIAOVeq8Oo1XJ -JZlKxdBWQYeQTSFgpBSHO839sj60ZwNq7eEPS8CRhXBF4EKe3ikj1AENoBB5uNsD -vfOpL9HG4A/LnooUCri99lZi8cVytjIl2bLzvWXFDSxu1ZJvGIsAQRSCb0AgJnoo -D/Uefyf3lLE3PbfHkffiAez9lInhzG7TNtYKGXmu1zSCZf98Qru23QumNK9LYP5/ -Q0kGi4xDuFby2X8hQxfqp0iVAXV16iulQ5XqFYSdCI0mblWbq9zSOdIxHWDirMxW -RST1HFSr7obdljKF+ExP6JV2tgXdNiNnvP8V4so75qbsO+wmETRIjfaAKxojAuuK -HDp2KntWFhxyKrOq42ClAJ8Em+JvHhRYW6Vsi1g8w7pOOlz34ZYrPu8HvKTlXcxN -nw3h3Kq74W4a7I/htkxNeXJdFzULHdfBR9qWJODQcqhaX2YtENwvKhOuJv4KHBnM -0D4LnMgJLvlblnpHnOl68wVQdJVznjAJ85eCXuaPOQgeWeU1FEIT/wCc976qUM/i -UUjXuG+v+E5+M5iSFGI6dWPPe/regjupuznixL0sAA7IF6wT700ljtizkC+p2il9 -Ha90OrInwMEePnWjFqmveiJdnxMaz6eg6+OGCtP95paV1yPIN93EfKo2rJgaErHg 
-TuixO/XWb/Ew1wIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE -AwIBBjAdBgNVHQ4EFgQUS8W0QGutHLOlHGVuRjaJhwUMDrYwDQYJKoZIhvcNAQEL -BQADggIBAHNXPyzVlTJ+N9uWkusZXn5T50HsEbZH77Xe7XRcxfGOSeD8bpkTzZ+K -2s06Ctg6Wgk/XzTQLwPSZh0avZyQN8gMjgdalEVGKua+etqhqaRpEpKwfTbURIfX -UfEpY9Z1zRbkJ4kd+MIySP3bmdCPX1R0zKxnNBFi2QwKN4fRoxdIjtIXHfbX/dtl -6/2o1PXWT6RbdejF0mCy2wl+JYt7ulKSnj7oxXehPOBKc2thz4bcQ///If4jXSRK -9dNtD2IEBVeC2m6kMyV5Sy5UGYvMLD0w6dEG/+gyRr61M3Z3qAFdlsHB1b6uJcDJ -HgoJIIihDsnzb02CVAAgp9KP5DlUFy6NHrgbuxu9mk47EDTcnIhT76IxW1hPkWLI -wpqazRVdOKnWvvgTtZ8SafJQYqz7Fzf07rh1Z2AQ+4NQ+US1dZxAF7L+/XldblhY -XzD8AK6vM8EOTmy6p6ahfzLbOOCxchcKK5HsamMm7YnUeMx0HgX4a/6ManY5Ka5l -IxKVCCIcl85bBu4M4ru8H0ST9tg4RQUh7eStqxK2A6RCLi3ECToDZ2mEmuFZkIoo -hdVddLHRDiBYmxOlsGOm7XtH/UVVMKTumtTm4ofvmMkyghEpIrwACjFeLQ/Ajulr -so8uBtjRkcfGEvRM/TAXw8HaOFvjqermobp573PYtlNXLfbQ4ddI ------END CERTIFICATE----- -=== /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 45 (0x2d) - Signature Algorithm: sha256WithRSAEncryption - Validity - Not Before: Sep 17 19:46:37 2006 GMT - Not After : Sep 17 19:46:36 2036 GMT - Subject: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Subject Key Identifier: - 4E:0B:EF:1A:A4:40:5B:A5:17:69:87:30:CA:34:68:43:D0:41:AE:F2 - X509v3 Authority Key Identifier: - keyid:4E:0B:EF:1A:A4:40:5B:A5:17:69:87:30:CA:34:68:43:D0:41:AE:F2 - - X509v3 Certificate Policies: - Policy: 1.3.6.1.4.1.23223.1.1.1 - CPS: http://www.startssl.com/policy.pdf - CPS: http://www.startssl.com/intermediate.pdf - User Notice: - Organization: Start Commercial (StartCom) Ltd. 
- Number: 1 - Explicit Text: Limited Liability, read the section *Legal Limitations* of the StartCom Certification Authority Policy available at http://www.startssl.com/policy.pdf - - Netscape Cert Type: - SSL CA, S/MIME CA, Object Signing CA - Netscape Comment: - StartCom Free SSL Certification Authority -SHA1 Fingerprint=A3:F1:33:3F:E2:42:BF:CF:C5:D1:4E:8F:39:42:98:40:68:10:D1:A0 -SHA256 Fingerprint=E1:78:90:EE:09:A3:FB:F4:F4:8B:9C:41:4A:17:D6:37:B7:A5:06:47:E9:BC:75:23:22:72:7F:CC:17:42:A9:11 ------BEGIN CERTIFICATE----- -MIIHhzCCBW+gAwIBAgIBLTANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQGEwJJTDEW -MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg -Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh -dGlvbiBBdXRob3JpdHkwHhcNMDYwOTE3MTk0NjM3WhcNMzYwOTE3MTk0NjM2WjB9 -MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMi -U2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3Rh -cnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUA -A4ICDwAwggIKAoICAQDBiNsJvGxGfHiflXu1M5DycmLWwTYgIiRezul38kMKogZk -pMyONvg45iPwbm2xPN1yo4UcodM9tDMr0y+v/uqwQVlntsQGfQqedIXWeUyAN3rf -OQVSWff0G0ZDpNKFhdLDcfN1YjS6LIp/Ho/u7TTQEceWzVI9ujPW3U3eCztKS5/C -Ji/6tRYccjV3yjxd5srhJosaNnZcAdt0FCX+7bWgiA/deMotHweXMAEtcnn6RtYT -Kqi5pquDSR3l8u/d5AGOGAqPY1MWhWKpDhk6zLVmpsJrdAfkK+F2PrRt2PZE4XNi -HzvEvqBTViVsUQn3qqvKv3b9bZvzndu/PWa8DFaqr5hIlTpL36dYUNk4dalb6kMM -Av+Z6+hsTXBbKWWc3apdzK8BMewM69KN6Oqce+Zu9ydmDBpI125C4z/eIT574Q1w -+2OqqGwaVLRcJXrJosmLFqa7LH4XXgVNWG4SHQHuEhANxjJ/GP/89PrNbpHoNkm+ -Gkhpi8KWTRoSsmkXwQqQ1vp5Iki/untp+HDH+no32NgN0nZPV/+Qt+OR0t3vwmC3 -Zzrd/qqc8NSLf3Iizsafl7b4r4qgEKjZ+xjGtrVcUjyJthkqcwEKDwOzEmDyei+B -26Nu/yYwl/WL3YlXtq09s68rxbd2AvCl1iuahhQqcvbjM4xdCUsT37uMdBNSSwID -AQABo4ICEDCCAgwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD -VR0OBBYEFE4L7xqkQFulF2mHMMo0aEPQQa7yMB8GA1UdIwQYMBaAFE4L7xqkQFul -F2mHMMo0aEPQQa7yMIIBWgYDVR0gBIIBUTCCAU0wggFJBgsrBgEEAYG1NwEBATCC -ATgwLgYIKwYBBQUHAgEWImh0dHA6Ly93d3cuc3RhcnRzc2wuY29tL3BvbGljeS5w 
-ZGYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cuc3RhcnRzc2wuY29tL2ludGVybWVk -aWF0ZS5wZGYwgc8GCCsGAQUFBwICMIHCMCcWIFN0YXJ0IENvbW1lcmNpYWwgKFN0 -YXJ0Q29tKSBMdGQuMAMCAQEagZZMaW1pdGVkIExpYWJpbGl0eSwgcmVhZCB0aGUg -c2VjdGlvbiAqTGVnYWwgTGltaXRhdGlvbnMqIG9mIHRoZSBTdGFydENvbSBDZXJ0 -aWZpY2F0aW9uIEF1dGhvcml0eSBQb2xpY3kgYXZhaWxhYmxlIGF0IGh0dHA6Ly93 -d3cuc3RhcnRzc2wuY29tL3BvbGljeS5wZGYwEQYJYIZIAYb4QgEBBAQDAgAHMDgG -CWCGSAGG+EIBDQQrFilTdGFydENvbSBGcmVlIFNTTCBDZXJ0aWZpY2F0aW9uIEF1 -dGhvcml0eTANBgkqhkiG9w0BAQsFAAOCAgEAjo/n3JR5fPGFf59Jb2vKXfuM/gTF -wWLRfUKKvFO3lANmMD+x5wqnUCBVJX92ehQN6wQOQOY+2IirByeDqXWmN3PH/UvS -Ta0XQMhGvjt/UfzDtgUx3M2FIk5xt/JxXrAaxrqTi3iSSoX4eA+D/i+tLPfkpLst -0OcNOrg+zvZ49q5HJMqjNTbOx8aHmNrs++myziebiMMEofYLWWivydsQD032ZGNc -pRJvkrKTlMeIFw6Ttn5ii5B/q06f/ON1FE8qMt9bDeD1e5MNq6HPh+GlBEXoPBKl -CcWw0bdT82AUuoVpaiF8H3VhFyAXe2w7QSlc4axa0c2Mm+tgHRns9+Ww2vl5GKVF -P0lDV9LdJNUso/2RjSe15esUBppMeyG7Oq0wBhjA2MFrLH9ZXF2RsXAiV+uKa0hK -1Q8p7MZAwC+ITGgBF3f0JBlPvfrhsiAhS90a2Cl9qrjeVOwhVYBsHvUwyKMQ5bLm -KhQxw4UtjJixhlpPiVktucf3HMiKf8CdBUrmQk9io20ppB+Fq9vlgcitKj1MXVuE -JnHEhV5xJMqlG2zYYdMa4FTbzrqpMrUi9nNBCV24F10OD5mQ1kfabwo6YigUZ4LZ -8dCAWZvLMdibD4x3TrVoivJs9iQOLWxwxXPR3hTQcY+203sC9uO41Alua551hDnm -fyWl8kgAwKQB2j8= ------END CERTIFICATE----- - ### SwissSign AG === /C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2 
@@ -3016,6 +5340,197 @@ e9eiPZaGzPImNC1qkp2aGtAw4l1OBLBfiyB+d8E9lYLRRpo7PHi4b6HQDWSieB4p TpPDpFQUWw== -----END CERTIFICATE----- +### T\DCRKTRUST Bilgi \U0130leti\U015Fim ve Bili\U015Fim G\FCvenli\U011Fi Hizmetleri A.\U015E. + +=== /C=TR/L=Ankara/O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E./CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 H5 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 156233699172481 (0x8e17fe242081) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Apr 30 08:07:01 2013 GMT + Not After : Apr 28 08:07:01 2023 GMT + Subject: C=TR, L=Ankara, O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E., CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 H5 + X509v3 extensions: + X509v3 Subject Key Identifier: + 56:99:07:1E:D3:AC:0C:69:64:B4:0C:50:47:DE:43:2C:BE:20:C0:FB + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=C4:18:F6:4D:46:D1:DF:00:3D:27:30:13:72:43:A9:12:11:C6:75:FB +SHA256 Fingerprint=49:35:1B:90:34:44:C1:85:CC:DC:5C:69:3D:24:D8:55:5C:B2:08:D6:A8:14:13:07:69:9F:4A:F0:63:19:9D:78 +-----BEGIN CERTIFICATE----- +MIIEJzCCAw+gAwIBAgIHAI4X/iQggTANBgkqhkiG9w0BAQsFADCBsTELMAkGA1UE +BhMCVFIxDzANBgNVBAcMBkFua2FyYTFNMEsGA1UECgxEVMOcUktUUlVTVCBCaWxn +aSDEsGxldGnFn2ltIHZlIEJpbGnFn2ltIEfDvHZlbmxpxJ9pIEhpem1ldGxlcmkg +QS7Fni4xQjBABgNVBAMMOVTDnFJLVFJVU1QgRWxla3Ryb25payBTZXJ0aWZpa2Eg +SGl6bWV0IFNhxJ9sYXnEsWPEsXPEsSBINTAeFw0xMzA0MzAwODA3MDFaFw0yMzA0 +MjgwODA3MDFaMIGxMQswCQYDVQQGEwJUUjEPMA0GA1UEBwwGQW5rYXJhMU0wSwYD +VQQKDERUw5xSS1RSVVNUIEJpbGdpIMSwbGV0acWfaW0gdmUgQmlsacWfaW0gR8O8 +dmVubGnEn2kgSGl6bWV0bGVyaSBBLsWeLjFCMEAGA1UEAww5VMOcUktUUlVTVCBF +bGVrdHJvbmlrIFNlcnRpZmlrYSBIaXptZXQgU2HEn2xhecSxY8Sxc8SxIEg1MIIB 
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApCUZ4WWe60ghUEoI5RHwWrom +/4NZzkQqL/7hzmAD/I0Dpe3/a6i6zDQGn1k19uwsu537jVJp45wnEFPzpALFp/kR +Gml1bsMdi9GYjZOHp3GXDSHHmflS0yxjXVW86B8BSLlg/kJK9siArs1mep5Fimh3 +4khon6La8eHBEJ/rPCmBp+EyCNSgBbGM+42WAA4+Jd9ThiI7/PS98wl+d+yG6w8z +5UNP9FR1bSmZLmZaQ9/LXMrI5Tjxfjs1nQ/0xVqhzPMggCTTV+wVunUlm+hkS7M0 +hO8EuPbJbKoCPrZV4jI3X/xml1/N1p7HIL9Nxqw/dV8c7TKcfGkAaZHjIxhT6QID +AQABo0IwQDAdBgNVHQ4EFgQUVpkHHtOsDGlktAxQR95DLL4gwPswDgYDVR0PAQH/ +BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJ5FdnsX +SDLyOIspve6WSk6BGLFRRyDN0GSxDsnZAdkJzsiZ3GglE9Rc8qPoBP5yCccLqh0l +VX6Wmle3usURehnmp349hQ71+S4pL+f5bFgWV1Al9j4uPqrtd3GqqpmWRgqujuwq +URawXs3qZwQcWDD1YIq9pr1N5Za0/EKJAWv2cMhQOQwt1WbZyNKzMrcbGW3LM/nf +peYVhDfwwvJllpKQd/Ct9JDpEXjXk4nAPQu6KfTomZ1yju2dL+6SfaHx/126M2CF +Yv4HAqGEVka+lgqaE9chTLd8B59OTj+RdPsnnRHM3eaxynFNExc5JsUpISuTKWqW ++qtB4Uu2NQvAmxU= +-----END CERTIFICATE----- + +### TAIWAN-CA + +=== /C=TW/O=TAIWAN-CA/OU=Root CA/CN=TWCA Global Root CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3262 (0xcbe) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jun 27 06:28:33 2012 GMT + Not After : Dec 31 15:59:59 2030 GMT + Subject: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Global Root CA + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=9C:BB:48:53:F6:A4:F6:D3:52:A4:E8:32:52:55:60:13:F5:AD:AF:65 +SHA256 Fingerprint=59:76:90:07:F7:68:5D:0F:CD:50:87:2F:9F:95:D5:75:5A:5B:2B:45:7D:81:F3:69:2B:61:0A:98:67:2F:0E:1B +-----BEGIN CERTIFICATE----- +MIIFQTCCAymgAwIBAgICDL4wDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVFcx +EjAQBgNVBAoTCVRBSVdBTi1DQTEQMA4GA1UECxMHUm9vdCBDQTEcMBoGA1UEAxMT +VFdDQSBHbG9iYWwgUm9vdCBDQTAeFw0xMjA2MjcwNjI4MzNaFw0zMDEyMzExNTU5 +NTlaMFExCzAJBgNVBAYTAlRXMRIwEAYDVQQKEwlUQUlXQU4tQ0ExEDAOBgNVBAsT +B1Jvb3QgQ0ExHDAaBgNVBAMTE1RXQ0EgR2xvYmFsIFJvb3QgQ0EwggIiMA0GCSqG +SIb3DQEBAQUAA4ICDwAwggIKAoICAQCwBdvI64zEbooh745NnHEKH1Jw7W2CnJfF 
+10xORUnLQEK1EjRsGcJ0pDFfhQKX7EMzClPSnIyOt7h52yvVavKOZsTuKwEHktSz +0ALfUPZVr2YOy+BHYC8rMjk1Ujoog/h7FsYYuGLWRyWRzvAZEk2tY/XTP3VfKfCh +MBwqoJimFb3u/Rk28OKRQ4/6ytYQJ0lM793B8YVwm8rqqFpD/G2Gb3PpN0Wp8DbH +zIh1HrtsBv+baz4X7GGqcXzGHaL3SekVtTzWoWH1EfcFbx39Eb7QMAfCKbAJTibc +46KokWofwpFFiFzlmLhxpRUZyXx1EcxwdE8tmx2RRP1WKKD+u4ZqyPpcC1jcxkt2 +yKsi2XMPpfRaAok/T54igu6idFMqPVMnaR1sjjIsZAAmY2E2TqNGtz99sy2sbZCi +laLOz9qC5wc0GZbpuCGqKX6mOL6OKUohZnkfs8O1CWfe1tQHRvMq2uYiN2DLgbYP +oA/pyJV/v1WRBXrPPRXAb94JlAGD1zQbzECl8LibZ9WYkTunhHiVJqRaCPgrdLQA +BDzfuBSO6N+pjWxnkjMdwLfS7JLIvgm/LCkFbwJrnu+8vyq8W8BQj0FwcYeyTbcE +qYSjMq+u7msXi7Kx/mzhkIyIqJdIzshNy/MGz19qCkKxHh53L46g5pIOBvwFItIm +4TFRfTLcDwIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB +/zANBgkqhkiG9w0BAQsFAAOCAgEAXzSBdu+WHdXltdkCY4QWwa6gcFGn90xHNcgL +1yg9iXHZqjNB6hQbbCEAwGxCGX6faVsgQt+i0trEfJdLjbDorMjupWkEmQqSpqsn +LhpNgb+E1HAerUf+/UqdM+DyucRFCCEK2mlpc3INvjT+lIutwx4116KD7+U4x6WF +H6vPNOw/KP4M8VeGTslV9xzU2KV9Bnpv1d8Q34FOIWWxtuEXeZVFBs5fzNxGiWNo +RI2T9GRwoD2dKAXDOXC4Ynsg/eTb6QihuJ49CcdP+yz4k3ZB3lLg4VfSnQO8d57+ +nile98FRYB/e2guyLXW3Q0iT5/Z5xoRdgFlglPx4mI88k1HtQJAH32RjJMtOcQWh +15QaiDLxInQirqWm2BJpTGCjAu4r7NRjkgtevi92a6O2JryPA9gK8kxkRr05YuWW +6zRjESjMlfGt7+/cgFhI6Uu46mWs6fyAtbXIRfmswZ/ZuepiiI7E8UuDEq3mi4TW +nsLrgxifarsbJGAzcMzs9zLzXNl5fe+epP7JI8Mk7hWSsT2RTyaGvWZzJBPqpK5j +wa19hAM8EHiGG3njxPPyBJUgriOCxLM6AGK/5jYk4Ve6xx6QddVfP5VhK8E7zeWz +aGHQRiapIVJpLesux+t3zqY6tQMzT3bR51xUAV3LePTJDL/PEo4XLSNolOer/qmy +KwbQBM0= +-----END CERTIFICATE----- +=== /C=TW/O=TAIWAN-CA/OU=Root CA/CN=TWCA Root Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Aug 28 07:24:33 2008 GMT + Not After : Dec 31 15:59:59 2030 GMT + Subject: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 
6A:38:5B:26:8D:DE:8B:5A:F2:4F:7A:54:83:19:18:E3:08:35:A6:BA +SHA1 Fingerprint=CF:9E:87:6D:D3:EB:FC:42:26:97:A3:B5:A3:7A:A0:76:A9:06:23:48 +SHA256 Fingerprint=BF:D8:8F:E1:10:1C:41:AE:3E:80:1B:F8:BE:56:35:0E:E9:BA:D1:A6:B9:BD:51:5E:DC:5C:6D:5B:87:11:AC:44 +-----BEGIN CERTIFICATE----- +MIIDezCCAmOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJUVzES +MBAGA1UECgwJVEFJV0FOLUNBMRAwDgYDVQQLDAdSb290IENBMSowKAYDVQQDDCFU +V0NBIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDgwODI4MDcyNDMz +WhcNMzAxMjMxMTU1OTU5WjBfMQswCQYDVQQGEwJUVzESMBAGA1UECgwJVEFJV0FO +LUNBMRAwDgYDVQQLDAdSb290IENBMSowKAYDVQQDDCFUV0NBIFJvb3QgQ2VydGlm +aWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQCwfnK4pAOU5qfeCTiRShFAh6d8WWQUe7UREN3+v9XAu1bihSX0NXIP+FPQQeFE +AcK0HMMxQhZHhTMidrIKbw/lJVBPhYa+v5guEGcevhEFhgWQxFnQfHgQsIBct+HH +K3XLfJ+utdGdIzdjp9xCoi2SBBtQwXu4PhvJVgSLL1KbralW6cH/ralYhzC2gfeX +RfwZVzsrb+RH9JlF/h3x+JejiB03HFyP4HYlmlD4oFT/RJB2I9IyxsOrBr/8+7/z +rX2SYgJbKdM1o5OaQ2RgXbL6Mv87BK9NQGr5x+PvI/1ry+UPizgN7gr8/g+YnzAx +3WxSZfmLgb4i4RxYA7qRG4kHAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV +HRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqOFsmjd6LWvJPelSDGRjjCDWmujANBgkq +hkiG9w0BAQUFAAOCAQEAPNV3PdrfibqHDAhUaiBQkr6wQT25JmSDCi/oQMCXKCeC +MErJk/9q56YAf4lCmtYR5VPOL8zy2gXE/uJQxDqGfczafhAJO5I1KlOy/usrBdls +XebQ79NqZp4VKIV66IIArB6nCWlWQtNoURi+VJq/REG6Sb4gumlc7rh3zc5sH62D +lhh9DrUUOYTxKOkto557HnpyWoOzeW/vtPzQCqVYT0bf+215WfKEIlKuD8z7fDvn +aspHYcN6+NOSBB+4IIThNlQWx0DeO4pz3N/GCUzf7Nr/1FNCocnyYh0igzyXxfkZ +YiesZSLX0zzG5Y6yU8xJzrww/nsOM5D77dIUkR8Hrw== +-----END CERTIFICATE----- + +### TeliaSonera + +=== /O=TeliaSonera/CN=TeliaSonera Root CA v1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 95:be:16:a0:f7:2e:46:f1:7b:39:82:72:fa:8b:cd:96 + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Oct 18 12:00:50 2007 GMT + Not After : Oct 18 12:00:50 2032 GMT + Subject: O=TeliaSonera, CN=TeliaSonera Root CA v1 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: + 
Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + F0:8F:59:38:00:B3:F5:8F:9A:96:0C:D5:EB:FA:7B:AA:17:E8:13:12 +SHA1 Fingerprint=43:13:BB:96:F1:D5:86:9B:C1:4E:6A:92:F6:CF:F6:34:69:87:82:37 +SHA256 Fingerprint=DD:69:36:FE:21:F8:F0:77:C1:23:A1:A5:21:C1:22:24:F7:22:55:B7:3E:03:A7:26:06:93:E8:A2:4B:0F:A3:89 +-----BEGIN CERTIFICATE----- +MIIFODCCAyCgAwIBAgIRAJW+FqD3LkbxezmCcvqLzZYwDQYJKoZIhvcNAQEFBQAw +NzEUMBIGA1UECgwLVGVsaWFTb25lcmExHzAdBgNVBAMMFlRlbGlhU29uZXJhIFJv +b3QgQ0EgdjEwHhcNMDcxMDE4MTIwMDUwWhcNMzIxMDE4MTIwMDUwWjA3MRQwEgYD +VQQKDAtUZWxpYVNvbmVyYTEfMB0GA1UEAwwWVGVsaWFTb25lcmEgUm9vdCBDQSB2 +MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMK+6yfwIaPzaSZVfp3F +VRaRXP3vIb9TgHot0pGMYzHw7CTww6XScnwQbfQ3t+XmfHnqjLWCi65ItqwA3GV1 +7CpNX8GH9SBlK4GoRz6JI5UwFpB/6FcHSOcZrr9FZ7E3GwYq/t75rH2D+1665I+X +Z75Ljo1kB1c4VWk0Nj0TSO9P4tNmHqTPGrdeNjPUtAa9GAH9d4RQAEX1jF3oI7x+ +/jXh7VB7qTCNGdMJjmhnXb88lxhTuylixcpecsHHltTbLaC0H2kD7OriUPEMPPCs +81Mt8Bz17Ww5OXOAFshSsCPN4D7c3TxHoLs1iuKYaIu+5b9y7tL6pe0S7fyYGKkm +dtwoSxAgHNN/Fnct7W+A90m7UwW7XWjH1Mh1Fj+JWov3F0fUTPHSiXk+TT2YqGHe +Oh7S+F4D4MHJHIzTjU3TlTazN19jY5szFPAtJmtTfImMMsJu7D0hADnJoWjiUIMu +sDor8zagrC/kb2HCUQk5PotTubtn2txTuXZZNp1D5SDgPTJghSJRt8czu90VL6R4 +pgd7gUY2BIbdeTXHlSw7sKMXNeVzH7RcWe/a6hBle3rQf5+ztCo3O3CLm1u5K7fs +slESl1MpWtTwEhDcTwK7EpIvYtQ/aUN8Ddb8WHUBiJ1YFkveupD/RwGJBmr2X7KQ +arMCpgKIv7NHfirZ1fpoeDVNAgMBAAGjPzA9MA8GA1UdEwEB/wQFMAMBAf8wCwYD +VR0PBAQDAgEGMB0GA1UdDgQWBBTwj1k4ALP1j5qWDNXr+nuqF+gTEjANBgkqhkiG +9w0BAQUFAAOCAgEAvuRcYk4k9AwI//DTDGjkk0kiP0Qnb7tt3oNmzqjMDfz1mgbl +dxSR651Be5kqhOX//CHBXfDkH1e3damhXwIm/9fH907eT/j3HEbAek9ALCI18Bmx +0GtnLLCo4MBANzX2hFxc469CeP6nyQ1Q6g2EdvZR74NTxnr/DlZJLo961gzmJ1Tj +TQpgcmLNkQfWpb/ImWvtxBnmq0wROMVvMeJuScg/doAmAyYp4Db29iBT4xdwNBed +Y2gea+zDTYa4EzAvXUYNR0PVG6pZDrlcjQZIrXSHX8f8MVRBE+LHIQ6e4B4N4cB7 +Q4WQxYpYxmUKeFfyxiMPAdkgS94P+5KFdSpcc41teyWRyu5FrgZLAMzTsVlQ2jqI +OylDRl6XK1TOU2+NSueW+r9xDkKLfP0ooNBIytrEgUy7onOTJsjrDNYmiLbAJM+7 +vVvrdX3pCI6GMyx5dwlppYn8s3CQh3aP0yK7Qs69cwsgJirQmz1wHiRszYd2qReW 
+t88NkvuOGKmYSdGe/mBEciG5Ge3C9THxOUiIkCR1VBatzvT4aRRkOfujuLpwQMcn +HL/EVlP6Y2XQ8xwOFvVrhlhNGNTkDY6lnVuR3HYkUD/GKvvZt5y11ubQ2egZixVx +SK236thZiNSQvxaz2emsWWFUyBy6ysHK4bkgTI86k4mloMy/0/Z1pHWWbVY= +-----END CERTIFICATE----- + ### thawte, Inc. === /C=US/O=thawte, Inc./OU=(c) 2007 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G2 
@@ -3286,95 +5801,253 @@ VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG jjxDah2nGN59PRbxYvnKkKj9 -----END CERTIFICATE----- -=== /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware + +### TrustCor Systems S. de R.L. + +=== /C=PA/ST=Panama/L=Panama City/O=TrustCor Systems S. de R.L./OU=TrustCor Certificate Authority/CN=TrustCor ECA-1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 9548242946988625984 (0x84822c5f1c62d040) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Feb 4 12:32:33 2016 GMT + Not After : Dec 31 17:28:07 2029 GMT + Subject: C=PA, ST=Panama, L=Panama City, O=TrustCor Systems S. de R.L., OU=TrustCor Certificate Authority, CN=TrustCor ECA-1 + X509v3 extensions: + X509v3 Subject Key Identifier: + 44:9E:48:F5:CC:6D:48:D4:A0:4B:7F:FE:59:24:2F:83:97:99:9A:86 + X509v3 Authority Key Identifier: + keyid:44:9E:48:F5:CC:6D:48:D4:A0:4B:7F:FE:59:24:2F:83:97:99:9A:86 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +SHA1 Fingerprint=58:D1:DF:95:95:67:6B:63:C0:F0:5B:1C:17:4D:8B:84:0B:C8:78:BD +SHA256 Fingerprint=5A:88:5D:B1:9C:01:D9:12:C5:75:93:88:93:8C:AF:BB:DF:03:1A:B2:D4:8E:91:EE:15:58:9B:42:97:1D:03:9C +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIJAISCLF8cYtBAMA0GCSqGSIb3DQEBCwUAMIGcMQswCQYD +VQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEk +MCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5U +cnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFzAVBgNVBAMMDlRydXN0Q29y +IEVDQS0xMB4XDTE2MDIwNDEyMzIzM1oXDTI5MTIzMTE3MjgwN1owgZwxCzAJBgNV +BAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQw +IgYDVQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRy +dXN0Q29yIENlcnRpZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAwwOVHJ1c3RDb3Ig +RUNBLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPj+ARtZ+odnbb 
+3w9U73NjKYKtR8aja+3+XzP4Q1HpGjORMRegdMTUpwHmspI+ap3tDvl0mEDTPwOA +BoJA6LHip1GnHYMma6ve+heRK9jGrB6xnhkB1Zem6g23xFUfJ3zSCNV2HykVh0A5 +3ThFEXXQmqc04L/NyFIduUd+Dbi7xgz2c1cWWn5DkR9VOsZtRASqnKmcp0yJF4Ou +owReUoCLHhIlERnXDH19MURB6tuvsBzvgdAsxZohmz3tQjtQJvLsznFhBmIhVE5/ +wZ0+fyCMgMsq2JdiyIMzkX2woloPV+g7zPIlstR8L+xNxqE6FXrntl019fZISjZF +ZtS6mFjBAgMBAAGjYzBhMB0GA1UdDgQWBBREnkj1zG1I1KBLf/5ZJC+Dl5mahjAf +BgNVHSMEGDAWgBREnkj1zG1I1KBLf/5ZJC+Dl5mahjAPBgNVHRMBAf8EBTADAQH/ +MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAQEABT41XBVwm8nHc2Fv +civUwo/yQ10CzsSUuZQRg2dd4mdsdXa/uwyqNsatR5Nj3B5+1t4u/ukZMjgDfxT2 +AHMsWbEhBuH7rBiVDKP/mZb3Kyeb1STMHd3BOuCYRLDE5D53sXOpZCz2HAF8P11F +hcCF5yWPldwX8zyfGm6wyuMdKulMY/okYWLW2n62HGz1Ah3UKt1VkOsqEUc8Ll50 +soIipX1TH0XsJ5F95yIW6MBoNtjG8U+ARDL54dHRHareqKucBK+tIA5kmE2la8BI +WJZpTdwHjFGTot+fDz2LYLSCjaoITmJF4PkL0uDgPFveXHEnJcLmA4GLEFPjx1Wi +tJ/X5g== +-----END CERTIFICATE----- +=== /C=PA/ST=Panama/L=Panama City/O=TrustCor Systems S. de R.L./OU=TrustCor Certificate Authority/CN=TrustCor RootCert CA-1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 15752444095811006489 (0xda9bec71f303b019) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Feb 4 12:32:16 2016 GMT + Not After : Dec 31 17:23:16 2029 GMT + Subject: C=PA, ST=Panama, L=Panama City, O=TrustCor Systems S. 
de R.L., OU=TrustCor Certificate Authority, CN=TrustCor RootCert CA-1 + X509v3 extensions: + X509v3 Subject Key Identifier: + EE:6B:49:3C:7A:3F:0D:E3:B1:09:B7:8A:C8:AB:19:9F:73:33:50:E7 + X509v3 Authority Key Identifier: + keyid:EE:6B:49:3C:7A:3F:0D:E3:B1:09:B7:8A:C8:AB:19:9F:73:33:50:E7 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +SHA1 Fingerprint=FF:BD:CD:E7:82:C8:43:5E:3C:6F:26:86:5C:CA:A8:3A:45:5B:C3:0A +SHA256 Fingerprint=D4:0E:9C:86:CD:8F:E4:68:C1:77:69:59:F4:9E:A7:74:FA:54:86:84:B6:C4:06:F3:90:92:61:F4:DC:E2:57:5C +-----BEGIN CERTIFICATE----- +MIIEMDCCAxigAwIBAgIJANqb7HHzA7AZMA0GCSqGSIb3DQEBCwUAMIGkMQswCQYD +VQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEk +MCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5U +cnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFlRydXN0Q29y +IFJvb3RDZXJ0IENBLTEwHhcNMTYwMjA0MTIzMjE2WhcNMjkxMjMxMTcyMzE2WjCB +pDELMAkGA1UEBhMCUEExDzANBgNVBAgMBlBhbmFtYTEUMBIGA1UEBwwLUGFuYW1h +IENpdHkxJDAiBgNVBAoMG1RydXN0Q29yIFN5c3RlbXMgUy4gZGUgUi5MLjEnMCUG +A1UECwweVHJ1c3RDb3IgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MR8wHQYDVQQDDBZU +cnVzdENvciBSb290Q2VydCBDQS0xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAv463leLCJhJrMxnHQFgKq1mqjQCj/IDHUHuO1CAmujIS2CNUSSUQIpid +RtLByZ5OGy4sDjjzGiVoHKZaBeYei0i/mJZ0PmnK6bV4pQa81QBeCQryJ3pS/C3V +seq0iWEk8xoT26nPUu0MJLq5nux+AHT6k61sKZKuUbS701e/s/OojZz0JEsq1pme +9J7+wH5COucLlVPat2gOkEz7cD+PSiyU8ybdY2mplNgQTsVHCJCZGxdNuWxu72CV +EY4hgLW9oHPY0LJ3xEXqWib7ZnZ2+AYfYW0PVcWDtxBWcgYHpfOxGgMFZA6dWorW +hnAbJN7+KIor0Gqw/Hqi3LJ5DotlDwIDAQABo2MwYTAdBgNVHQ4EFgQU7mtJPHo/ +DeOxCbeKyKsZn3MzUOcwHwYDVR0jBBgwFoAU7mtJPHo/DeOxCbeKyKsZn3MzUOcw +DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQAD +ggEBACUY1JGPE+6PHh0RU9otRCkZoB5rMZ5NDp6tPVxBb5UrJKF5mDo4Nvu7Zp5I +/5CQ7z3UuJu0h3U/IJvOcs+hVcFNZKIZBqEHMwwLKeXx6quj7LUKdJDHfXLy11yf +ke+Ri7fc7Waiz45mO7yfOgLgJ90WmMCV1Aqk5IGadZQ1nJBfiDcGrVmVCrDRZ9MZ 
+yonnMlo2HD6CqFqTvsbQZJG2z9m2GM/bftJlo6bEjhcxwft+dtvTheNYsnd6djts +L1Ac59v2Z3kf9YKVmgenFK+P3CghZwnS1k1aHBkcjndcw5QkPTJrS37UeJSDvjdN +zl/HHk484IkzlQsPpTLWPFp5LBk= +-----END CERTIFICATE----- +=== /C=PA/ST=Panama/L=Panama City/O=TrustCor Systems S. de R.L./OU=TrustCor Certificate Authority/CN=TrustCor RootCert CA-2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2711694510199101698 (0x25a1dfca33cb5902) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Feb 4 12:32:23 2016 GMT + Not After : Dec 31 17:26:39 2034 GMT + Subject: C=PA, ST=Panama, L=Panama City, O=TrustCor Systems S. de R.L., OU=TrustCor Certificate Authority, CN=TrustCor RootCert CA-2 + X509v3 extensions: + X509v3 Subject Key Identifier: + D9:FE:21:40:6E:94:9E:BC:9B:3D:9C:7D:98:20:19:E5:8C:30:62:B2 + X509v3 Authority Key Identifier: + keyid:D9:FE:21:40:6E:94:9E:BC:9B:3D:9C:7D:98:20:19:E5:8C:30:62:B2 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +SHA1 Fingerprint=B8:BE:6D:CB:56:F1:55:B9:63:D4:12:CA:4E:06:34:C7:94:B2:1C:C0 +SHA256 Fingerprint=07:53:E9:40:37:8C:1B:D5:E3:83:6E:39:5D:AE:A5:CB:83:9E:50:46:F1:BD:0E:AE:19:51:CF:10:FE:C7:C9:65 +-----BEGIN CERTIFICATE----- +MIIGLzCCBBegAwIBAgIIJaHfyjPLWQIwDQYJKoZIhvcNAQELBQAwgaQxCzAJBgNV +BAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQw +IgYDVQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRy +dXN0Q29yIENlcnRpZmljYXRlIEF1dGhvcml0eTEfMB0GA1UEAwwWVHJ1c3RDb3Ig +Um9vdENlcnQgQ0EtMjAeFw0xNjAyMDQxMjMyMjNaFw0zNDEyMzExNzI2MzlaMIGk +MQswCQYDVQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEg +Q2l0eTEkMCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYD +VQQLDB5UcnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFlRy +dXN0Q29yIFJvb3RDZXJ0IENBLTIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK +AoICAQCnIG7CKqJiJJWQdsg4foDSq8GbZQWU9MEKENUCrO2fk8eHyLAnK0IMPQo+ +QVqedd2NyuCb7GgypGmSaIwLgQ5WoD4a3SwlFIIvl9NkRvRUqdw6VC0xK5mC8tkq 
+1+9xALgxpL56JAfDQiDyitSSBBtlVkxs1Pu2YVpHI7TYabS3OtB0PAx1oYxOdqHp +2yqlO/rOsP9+aij9JxzIsekp8VduZLTQwRVtDr4uDkbIXvRR/u8OYzo7cbrPb1nK +DOObXUm4TOJXsZiKQlecdu/vvdFoqNL0Cbt3Nb4lggjEFixEIFapRBF37120Hape +az6LMvYHL1cEksr1/p3C6eizjkxLAjHZ5DxIgif3GIJ2SDpxsROhOdUuxTTCHWKF +3wP+TfSvPd9cW436cOGlfifHhi5qjxLGhF5DUVCcGZt45vz27Ud+ez1m7xMTiF88 +oWP7+ayHNZ/zgp6kPwqcMWmLmaSISo5uZk3vFsQPeSghYA2FFn3XVDjxklb9tTNM +g9zXEJ9L/cb4Qr26fHMC4P99zVvh1Kxhe1fVSntb1IVYJ12/+CtgrKAmrhQhJ8Z3 +mjOAPF5GP/fDsaOGM8boXg25NSyqRsGFAnWAoOsk+xWq5Gd/bnc/9ASKL3x74xdh +8N0JqSDIvgmk0H5Ew7IwSjiqqewYmgeCK9u4nBit2uBGF6zPXQIDAQABo2MwYTAd +BgNVHQ4EFgQU2f4hQG6UnrybPZx9mCAZ5YwwYrIwHwYDVR0jBBgwFoAU2f4hQG6U +nrybPZx9mCAZ5YwwYrIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYw +DQYJKoZIhvcNAQELBQADggIBAJ5Fngw7tu/hOsh80QA9z+LqBrWyOrsGS2h60COX +dKcs8AjYeVrXWoSK2BKaG9l9XE1wxaX5q+WjiYndAfrs3fnpkpfbsEZC89NiqpX+ +MWcUaViQCqoL7jcjx1BRtPV+nuN79+TMQjItSQzL/0kMmx40/W5ulop5A7Zv2wnL +/V9lFDfhOPXzYRZY5LVtDQsEGz9QLX+zx3oaFoBg+Iof6Rsqxvm6ARppv9JYx1RX +CI/hOWB3S6xZhBqI8d3LT3jX5+EzLfzuQfogsL7L9ziUwOHQhQ+77Sxzq+3+knYa +ZH9bDTMJBzN7Bj8RpFxwPIXAz+OQqIN3+tvmxYxoZxBnpVIt8MSZj3+/0WvitUfW +2dCFmU2Umw9Lje4AWkcdEQOsQRivh7dvDDqPys/cA8GiCcjl/YBeyGBCARsaU1q7 +N6a3vLqE6R5sGtRk2tRD/pOLS/IseRYQ1JMLiI+h2IYURpFHmygk71dSTlxCnKr3 +Sewn6EAes6aJInKc9Q0ztFijMDvd1GpUk74aTfOTlPf8hAs/hCBcNANExdqtvArB +As8e5ZTZ845b2EzwnexhF7sUMlQMAimTHpKG9n/v55IFDlndmQguLvqcAFLTxWYp +5KeXRKQOKIETNcX2b2TmQcTVL8w0RSXPQQCWPUouwpaYT05KnJe32x+SMsj/D1Fu +1uwJ +-----END CERTIFICATE----- + +### Trustis Limited + +=== /C=GB/O=Trustis Limited/OU=Trustis FPS Root CA Certificate: Data: Version: 3 (0x2) Serial Number: - 44:be:0c:8b:50:00:24:b4:11:d3:36:2a:fe:65:0a:fd + 1b:1f:ad:b6:20:f9:24:d3:36:6b:f7:c7:f1:8c:a0:59 Signature Algorithm: sha1WithRSAEncryption Validity - Not Before: Jul 9 18:10:42 1999 GMT - Not After : Jul 9 18:19:22 2019 GMT - Subject: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware + Not Before: Dec 23 12:14:06 2003 
GMT + Not After : Jan 21 11:36:54 2024 GMT + Subject: C=GB, O=Trustis Limited, OU=Trustis FPS Root CA X509v3 extensions: - X509v3 Key Usage: - Digital Signature, Non Repudiation, Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE + X509v3 Authority Key Identifier: + keyid:BA:FA:71:25:79:8B:57:41:25:21:86:0B:71:EB:B2:64:0E:8B:21:67 + X509v3 Subject Key Identifier: - A1:72:5F:26:1B:28:98:43:95:5D:07:37:D5:85:96:9D:4B:D2:C3:45 - X509v3 CRL Distribution Points: + BA:FA:71:25:79:8B:57:41:25:21:86:0B:71:EB:B2:64:0E:8B:21:67 +SHA1 Fingerprint=3B:C0:38:0B:33:C3:F6:A6:0C:86:15:22:93:D9:DF:F5:4B:81:C0:04 +SHA256 Fingerprint=C1:B4:82:99:AB:A5:20:8F:E9:63:0A:CE:55:CA:68:A0:3E:DA:5A:51:9C:88:02:A0:D3:A6:73:BE:8F:8E:55:7D +-----BEGIN CERTIFICATE----- +MIIDZzCCAk+gAwIBAgIQGx+ttiD5JNM2a/fH8YygWTANBgkqhkiG9w0BAQUFADBF +MQswCQYDVQQGEwJHQjEYMBYGA1UEChMPVHJ1c3RpcyBMaW1pdGVkMRwwGgYDVQQL +ExNUcnVzdGlzIEZQUyBSb290IENBMB4XDTAzMTIyMzEyMTQwNloXDTI0MDEyMTEx +MzY1NFowRTELMAkGA1UEBhMCR0IxGDAWBgNVBAoTD1RydXN0aXMgTGltaXRlZDEc +MBoGA1UECxMTVHJ1c3RpcyBGUFMgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAMVQe547NdDfxIzNjpvto8A2mfRC6qc+gIMPpqdZh8mQRUN+ +AOqGeSoDvT03mYlmt+WKVoaTnGhLaASMk5MCPjDSNzoiYYkchU59j9WvezX2fihH +iTHcDnlkH5nSW7r+f2C/revnPDgpai/lkQtV/+xvWNUtyd5MZnGPDNcE2gfmHhjj +vSkCqPoc4Vu5g6hBSLwacY3nYuUtsuvffM/bq1rKMfFMIvMFE/eC+XN5DL7XSxzA +0RU8k0Fk0ea+IxciAIleH2ulrG6nS4zto3Lmr2NNL4XSFDWaLk6M6jKYKIahkQlB +OrTh4/L68MkKokHdqeMDx4gVOxzUGpTXn2RZEm0CAwEAAaNTMFEwDwYDVR0TAQH/ +BAUwAwEB/zAfBgNVHSMEGDAWgBS6+nEleYtXQSUhhgtx67JkDoshZzAdBgNVHQ4E +FgQUuvpxJXmLV0ElIYYLceuyZA6LIWcwDQYJKoZIhvcNAQEFBQADggEBAH5Y//01 +GX2cGE+esCu8jowU/yyg2kdbw++BLa8F6nRIW/M+TgfHbcWzk88iNVy2P3UnXwmW +zaD+vkAMXBJV+JOCyinpXj9WV4s4NvdFGkwozZ5BuO1WTISkQMi4sKUraXAEasP4 +1BIy+Q7DsdwyhEQsb8tGD+pmQQ9P8Vilpg0ND2HepZ5dfWWhPBfnqFVO76DH7cZE +f1T1o+CP8HxVIo8ptoGj4W1OLBuAZ+ytIJ8MYmHVl/9D7S3B2l0pKoU/rGXuhg8F +jZBf3+6f9L/uHfuY5H+QK4R4EA5sSVPvFVtlRkpdr7r7OnIdzfYliB6XzCGcKQEN +ZetX2fNXlrtIzYE= +-----END CERTIFICATE----- 
- Full Name: - URI:http://crl.usertrust.com/UTN-USERFirst-Hardware.crl +### Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK - X509v3 Extended Key Usage: - TLS Web Server Authentication, IPSec End System, IPSec Tunnel, IPSec User -SHA1 Fingerprint=04:83:ED:33:99:AC:36:08:05:87:22:ED:BC:5E:46:00:E3:BE:F9:D7 -SHA256 Fingerprint=6E:A5:47:41:D0:04:66:7E:ED:1B:48:16:63:4A:A3:A7:9E:6E:4B:96:95:0F:82:79:DA:FC:8D:9B:D8:81:21:37 ------BEGIN CERTIFICATE----- -MIIEdDCCA1ygAwIBAgIQRL4Mi1AAJLQR0zYq/mUK/TANBgkqhkiG9w0BAQUFADCB -lzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug -Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho -dHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xHzAdBgNVBAMTFlVUTi1VU0VSRmlyc3Qt -SGFyZHdhcmUwHhcNOTkwNzA5MTgxMDQyWhcNMTkwNzA5MTgxOTIyWjCBlzELMAkG -A1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2UgQ2l0eTEe -MBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExhodHRwOi8v -d3d3LnVzZXJ0cnVzdC5jb20xHzAdBgNVBAMTFlVUTi1VU0VSRmlyc3QtSGFyZHdh -cmUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCx98M4P7Sof885glFn -0G2f0v9Y8+efK+wNiVSZuTiZFvfgIXlIwrthdBKWHTxqctU8EGc6Oe0rE81m65UJ -M6Rsl7HoxuzBdXmcRl6Nq9Bq/bkqVRcQVLMZ8Jr28bFdtqdt++BxF2uiiPsA3/4a -MXcMmgF6sTLjKwEHOG7DpV4jvEWbe1DByTCP2+UretNb+zNAHqDVmBe8i4fDidNd -oI6yqqr2jmmIBsX6iSHzCJ1pLgkzmykNRg+MzEk0sGlRvfkGzWitZky8PqxhvQqI -DsjfPe58BEydCl5rkdbux+0ojatNh4lz0G6k0B4WixThdkQDf2Os5M1JnMWS9Ksy -oUhbAgMBAAGjgbkwgbYwCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wHQYD -VR0OBBYEFKFyXyYbKJhDlV0HN9WFlp1L0sNFMEQGA1UdHwQ9MDswOaA3oDWGM2h0 -dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9VVE4tVVNFUkZpcnN0LUhhcmR3YXJlLmNy -bDAxBgNVHSUEKjAoBggrBgEFBQcDAQYIKwYBBQUHAwUGCCsGAQUFBwMGBggrBgEF -BQcDBzANBgkqhkiG9w0BAQUFAAOCAQEARxkP3nTGmZev/K0oXnWO6y1n7k57K9cM -//bey1WiCuFMVGWTYGufEpytXoMs61quwOQt9ABjHbjAbPLPSbtNk28Gpgoiskli -CE7/yMgUsogWXecB5BKV5UU0s4tpvc+0hY91UZ59Ojg6FEgSxvunOxqNDYJAB+gE -CJChicsZUN/KHAG8HQQZexB2lzvukJDKxA4fFm517zP4029bHpbj4HR3dHuKom4t -3XbWOTCC8KucUvIqx69JXn7HaOWCgchqJ/kniCrVWFCVH/A7HFe7fRQ5YiuayZSS 
-KqMiDP+JJn1fIytH1xUdqWqeUQ0qUZ6B+dQ7XnASfxAynB67nfhmqA== ------END CERTIFICATE----- - -### Unizeto Sp. z o.o. - -=== /C=PL/O=Unizeto Sp. z o.o./CN=Certum CA -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 65568 (0x10020) - Signature Algorithm: sha1WithRSAEncryption +=== /C=TR/L=Gebze - Kocaeli/O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK/OU=Kamu Sertifikasyon Merkezi - Kamu SM/CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption Validity - Not Before: Jun 11 10:46:39 2002 GMT - Not After : Jun 11 10:46:39 2027 GMT - Subject: C=PL, O=Unizeto Sp. z o.o., CN=Certum CA + Not Before: Nov 25 08:25:55 2013 GMT + Not After : Oct 25 08:25:55 2043 GMT + Subject: C=TR, L=Gebze - Kocaeli, O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK, OU=Kamu Sertifikasyon Merkezi - Kamu SM, CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 X509v3 extensions: + X509v3 Subject Key Identifier: + 65:3F:C7:8A:86:C6:3C:DD:3C:54:5C:35:F8:3A:ED:52:0C:47:57:C8 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE -SHA1 Fingerprint=62:52:DC:40:F7:11:43:A2:2F:DE:9E:F7:34:8E:06:42:51:B1:81:18 -SHA256 Fingerprint=D8:E0:FE:BC:1D:B2:E3:8D:00:94:0F:37:D2:7D:41:34:4D:99:3E:73:4B:99:D5:65:6D:97:78:D4:D8:14:36:24 +SHA1 Fingerprint=31:43:64:9B:EC:CE:27:EC:ED:3A:3F:0B:8F:0D:E4:E8:91:DD:EE:CA +SHA256 Fingerprint=46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16 -----BEGIN CERTIFICATE----- -MIIDDDCCAfSgAwIBAgIDAQAgMA0GCSqGSIb3DQEBBQUAMD4xCzAJBgNVBAYTAlBM -MRswGQYDVQQKExJVbml6ZXRvIFNwLiB6IG8uby4xEjAQBgNVBAMTCUNlcnR1bSBD -QTAeFw0wMjA2MTExMDQ2MzlaFw0yNzA2MTExMDQ2MzlaMD4xCzAJBgNVBAYTAlBM -MRswGQYDVQQKExJVbml6ZXRvIFNwLiB6IG8uby4xEjAQBgNVBAMTCUNlcnR1bSBD -QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM6xwS7TT3zNJc4YPk/E -jG+AanPIW1H4m9LcuwBcsaD8dQPugfCI7iNS6eYVM42sLQnFdvkrOYCJ5JdLkKWo 
-ePhzQ3ukYbDYWMzhbGZ+nPMJXlVjhNWo7/OxLjBos8Q82KxujZlakE403Daaj4GI -ULdtlkIJ89eVgw1BS7Bqa/j8D35in2fE7SZfECYPCE/wpFcozo+47UX2bu4lXapu -Ob7kky/ZR6By6/qmW6/KUz/iDsaWVhFu9+lmqSbYf5VT7QqFiLpPKaVCjF62/IUg -AKpoC6EahQGcxEZjgoi2IrHu/qpGWX7PNSzVttpd90gzFFS269lvzs2I1qsb2pY7 -HVkCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEA -uI3O7+cUus/usESSbLQ5PqKEbq24IXfS1HeCh+YgQYHu4vgRt2PRFze+GXYkHAQa -TOs9qmdvLdTN/mUxcMUbpgIKumB7bVjCmkn+YzILa+M6wKyrO7Do0wlRjBCDxjTg -xSvgGrZgFCdsMneMvLJymM/NzD+5yCRCFNZX/OYmQ6kd5YCQzgNUKD73P9P4Te1q -CjqTE5s7FCMTY5w/0YcneeVMUeMBrYVdGjux1XMQpNPyvG5k9VpWkKjHDkx0Dy5x -O/fIR/RpbxXyEV6DHpx8Uq79AtoSqFlnGNu8cN2bsWntgM6JQEhqDjXKKWYVIZQs -6GAqm4VKQPNriiTsBhYscw== +MIIEYzCCA0ugAwIBAgIBATANBgkqhkiG9w0BAQsFADCB0jELMAkGA1UEBhMCVFIx +GDAWBgNVBAcTD0dlYnplIC0gS29jYWVsaTFCMEAGA1UEChM5VHVya2l5ZSBCaWxp +bXNlbCB2ZSBUZWtub2xvamlrIEFyYXN0aXJtYSBLdXJ1bXUgLSBUVUJJVEFLMS0w +KwYDVQQLEyRLYW11IFNlcnRpZmlrYXN5b24gTWVya2V6aSAtIEthbXUgU00xNjA0 +BgNVBAMTLVRVQklUQUsgS2FtdSBTTSBTU0wgS29rIFNlcnRpZmlrYXNpIC0gU3Vy +dW0gMTAeFw0xMzExMjUwODI1NTVaFw00MzEwMjUwODI1NTVaMIHSMQswCQYDVQQG +EwJUUjEYMBYGA1UEBxMPR2ViemUgLSBLb2NhZWxpMUIwQAYDVQQKEzlUdXJraXll +IEJpbGltc2VsIHZlIFRla25vbG9qaWsgQXJhc3Rpcm1hIEt1cnVtdSAtIFRVQklU +QUsxLTArBgNVBAsTJEthbXUgU2VydGlmaWthc3lvbiBNZXJrZXppIC0gS2FtdSBT +TTE2MDQGA1UEAxMtVFVCSVRBSyBLYW11IFNNIFNTTCBLb2sgU2VydGlmaWthc2kg +LSBTdXJ1bSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr3UwM6q7 +a9OZLBI3hNmNe5eA027n/5tQlT6QlVZC1xl8JoSNkvoBHToP4mQ4t4y86Ij5iySr +LqP1N+RAjhgleYN1Hzv/bKjFxlb4tO2KRKOrbEz8HdDc72i9z+SqzvBV96I01INr +N3wcwv61A+xXzry0tcXtAA9TNypN9E8Mg/uGz8v+jE69h/mniyFXnHrfA2eJLJ2X +YacQuFWQfw4tJzh03+f92k4S400VIgLI4OD8D62K18lUUMw7D8oWgITQUVbDjlZ/ +iSIzL+aFCr2lqBs23tPcLG07xxO9WSMs5uWk99gL7eqQQESolbuT1dCANLZGeA4f +AJNG4e7p+exPFwIDAQABo0IwQDAdBgNVHQ4EFgQUZT/HiobGPN08VFw1+DrtUgxH +V8gwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL +BQADggEBACo/4fEyjq7hmFxLXs9rHmoJ0iKpEsdeV31zVmSAhHqT5Am5EM2fKifh 
+AHe+SMg1qIGf5LgsyX8OsNJLN13qudULXjS99HMpw+0mFZx+CFOKWI3QSyjfwbPf +IPP54+M638yclNhOT8NrF7f3cuitZjO1JVOr4PhMqZ398g26rrnZqsZr+ZO7rqu4 +lzwDGrpDxpa5RXI4s6ehlj2Re37AIVNMh+3yC1SVUZPVIqUNivGTDj5UDrDYyU7c +8jEyVupk+eq1nRZmQnLzf9OxMUP8pI4X8W0jq5Rm+K37DwhuJi1/FwcJsoz7UMCf +lo3Ptv0AnVoUmr8CRPXBwp8iXqIPoeM= -----END CERTIFICATE----- ### Unizeto Technologies S.A. 
@@ -3657,3 +6330,198 @@ BxHw1dvd5Yzw1TKwg+ZX4o+/vqGqvz0dtdQ46tewXDpPaj+PwGZsY6rp2aQW9IHR lRQOfc2VNNnSj3BzgXucfr2YYdhFh5iQxeuGMMY1v/D/w1WIg0vvBZIGcfK4mJO3 7M2CYfE45k+XmCpajQ== -----END CERTIFICATE----- + +### VISA + +=== /C=US/O=VISA/OU=Visa International Service Association/CN=Visa eCommerce Root +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62 + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Jun 26 02:18:36 2002 GMT + Not After : Jun 24 00:16:12 2022 GMT + Subject: C=US, O=VISA, OU=Visa International Service Association, CN=Visa eCommerce Root + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 15:38:83:0F:3F:2C:3F:70:33:1E:CD:46:FE:07:8C:20:E0:D7:C3:B7 +SHA1 Fingerprint=70:17:9B:86:8C:00:A4:FA:60:91:52:22:3F:9F:3E:32:BD:E0:05:62 +SHA256 Fingerprint=69:FA:C9:BD:55:FB:0A:C7:8D:53:BB:EE:5C:F1:D5:97:98:9F:D0:AA:AB:20:A2:51:51:BD:F1:73:3E:E7:D1:22 +-----BEGIN CERTIFICATE----- +MIIDojCCAoqgAwIBAgIQE4Y1TR0/BvLB+WUF1ZAcYjANBgkqhkiG9w0BAQUFADBr +MQswCQYDVQQGEwJVUzENMAsGA1UEChMEVklTQTEvMC0GA1UECxMmVmlzYSBJbnRl +cm5hdGlvbmFsIFNlcnZpY2UgQXNzb2NpYXRpb24xHDAaBgNVBAMTE1Zpc2EgZUNv +bW1lcmNlIFJvb3QwHhcNMDIwNjI2MDIxODM2WhcNMjIwNjI0MDAxNjEyWjBrMQsw +CQYDVQQGEwJVUzENMAsGA1UEChMEVklTQTEvMC0GA1UECxMmVmlzYSBJbnRlcm5h +dGlvbmFsIFNlcnZpY2UgQXNzb2NpYXRpb24xHDAaBgNVBAMTE1Zpc2EgZUNvbW1l +cmNlIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvV95WHm6h +2mCxlCfLF9sHP4CFT8icttD0b0/Pmdjh28JIXDqsOTPHH2qLJj0rNfVIsZHBAk4E +lpF7sDPwsRROEW+1QK8bRaVK7362rPKgH1g/EkZgPI2h4H3PVz4zHvtH8aoVlwdV +ZqW1LS7YgFmypw23RuwhY/81q6UCzyr0TP579ZRdhE2o8mCP2w4lPJ9zcc+U30rq +299yOIzzlr3xF7zSujtFWsan9sYXiwGd/BmoKoMWuDpI/k4+oKsGGelT84ATB+0t +vz8KPFUgOSwsAGl0lUq8ILKpeeUYiZGo3BxN77t+Nwtd/jmliFKMAGzsGHxBvfaL +dXe6YJ2E5/4tAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD +AgEGMB0GA1UdDgQWBBQVOIMPPyw/cDMezUb+B4wg4NfDtzANBgkqhkiG9w0BAQUF 
+AAOCAQEAX/FBfXxcCLkr4NWSR/pnXKUTwwMhmytMiUbPWU3J/qVAtmPN3XEolWcR +zCSs00Rsca4BIGsDoo8Ytyk6feUWYFN4PMCvFYP3j1IzJL1kk5fui/fbGKhtcbP3 +LBfQdCVp9/5rPJS+TUtBjE7ic9DjkCJzQ83z7+pzzkWKsKZJ/0x9nXGIxHYdkFsd +7v3M9+79YKWxehZx0RbQfBI8bGmX265fOZpwLwU8GUYEmSA20GBuYQa7FkKMcPcw +++DbZqMAAb3mLNqRX6BGi01qnD093QVG/na/oAo85ADmJ7f/hC3euiInlhBx6yLt +398znM/jra6O1I7mT1GvFpLgXPYHDw== +-----END CERTIFICATE----- + +### WISeKey + +=== /C=CH/O=WISeKey/OU=Copyright (c) 2005/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GA CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 41:3d:72:c7:f4:6b:1f:81:43:7d:f1:d2:28:54:df:9a + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Dec 11 16:03:44 2005 GMT + Not After : Dec 11 16:09:51 2037 GMT + Subject: C=CH, O=WISeKey, OU=Copyright (c) 2005, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GA CA + X509v3 extensions: + X509v3 Key Usage: + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + B3:03:7E:AE:36:BC:B0:79:D1:DC:94:26:B6:11:BE:21:B2:69:86:94 + 1.3.6.1.4.1.311.21.1: + ... 
+SHA1 Fingerprint=59:22:A1:E1:5A:EA:16:35:21:F8:98:39:6A:46:46:B0:44:1B:0F:A9 +SHA256 Fingerprint=41:C9:23:86:6A:B4:CA:D6:B7:AD:57:80:81:58:2E:02:07:97:A6:CB:DF:4F:FF:78:CE:83:96:B3:89:37:D7:F5 +-----BEGIN CERTIFICATE----- +MIID8TCCAtmgAwIBAgIQQT1yx/RrH4FDffHSKFTfmjANBgkqhkiG9w0BAQUFADCB +ijELMAkGA1UEBhMCQ0gxEDAOBgNVBAoTB1dJU2VLZXkxGzAZBgNVBAsTEkNvcHly +aWdodCAoYykgMjAwNTEiMCAGA1UECxMZT0lTVEUgRm91bmRhdGlvbiBFbmRvcnNl +ZDEoMCYGA1UEAxMfT0lTVEUgV0lTZUtleSBHbG9iYWwgUm9vdCBHQSBDQTAeFw0w +NTEyMTExNjAzNDRaFw0zNzEyMTExNjA5NTFaMIGKMQswCQYDVQQGEwJDSDEQMA4G +A1UEChMHV0lTZUtleTEbMBkGA1UECxMSQ29weXJpZ2h0IChjKSAyMDA1MSIwIAYD +VQQLExlPSVNURSBGb3VuZGF0aW9uIEVuZG9yc2VkMSgwJgYDVQQDEx9PSVNURSBX +SVNlS2V5IEdsb2JhbCBSb290IEdBIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAy0+zAJs9Nt350UlqaxBJH+zYK7LG+DKBKUOVTJoZIyEVRd7jyBxR +VVuuk+g3/ytr6dTqvirdqFEr12bDYVxgAsj1znJ7O7jyTmUIms2kahnBAbtzptf2 +w93NvKSLtZlhuAGio9RN1AU9ka34tAhxZK9w8RxrfvbDd50kc3vkDIzh2TbhmYsF +mQvtRTEJysIA2/dyoJaqlYfQjse2YXMNdmaM3Bu0Y6Kff5MTMPGhJ9vZ/yxViJGg +4E8HsChWjBgbl0SOid3gF27nKu+POQoxhILYQBRJLnpB5Kf+42TMwVlxSywhp1t9 +4B3RLoGbw9ho972WG6xwsRYUC9tguSYBBQIDAQABo1EwTzALBgNVHQ8EBAMCAYYw +DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUswN+rja8sHnR3JQmthG+IbJphpQw +EAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBAEuh/wuHbrP5wUOx +SPMowB0uyQlB+pQAHKSkq0lPjz0e701vvbyk9vImMMkQyh2I+3QZH4VFvbBsUfk2 +ftv1TDI6QU9bR8/oCy22xBmddMVHxjtqD6wU2zz0c5ypBd8A3HR4+vg1YFkCExh8 +vPtNsCBtQ7tgMHpnM1zFmdH4LTlSc/uMqpclXHLZCB6rTjzjgTGfA6b7wP4piFXa +hNVQA7bihKOmNqoROgHhGEvWRGizPflTdISzRpFGlgC3gCy24eMQ4tui5yiPAZZi +Fj4A4xylNoEYokxSdsARo27mHbrjWr42U8U+dY+GaSlYU7Wcu2+fXMUY7N0v4ZjJ +/L7fCg0= +-----END CERTIFICATE----- +=== /C=CH/O=WISeKey/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GB CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 76:b1:20:52:74:f0:85:87:46:b3:f8:23:1a:f6:c2:c0 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Dec 1 15:00:32 2014 GMT + Not After : Dec 1 15:10:31 2039 GMT + Subject: C=CH, 
O=WISeKey, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GB CA + X509v3 extensions: + X509v3 Key Usage: + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 35:0F:C8:36:63:5E:E2:A3:EC:F9:3B:66:15:CE:51:52:E3:91:9A:3D + 1.3.6.1.4.1.311.21.1: + ... +SHA1 Fingerprint=0F:F9:40:76:18:D3:D7:6A:4B:98:F0:A8:35:9E:0C:FD:27:AC:CC:ED +SHA256 Fingerprint=6B:9C:08:E8:6E:B0:F7:67:CF:AD:65:CD:98:B6:21:49:E5:49:4A:67:F5:84:5E:7B:D1:ED:01:9F:27:B8:6B:D6 +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIQdrEgUnTwhYdGs/gjGvbCwDANBgkqhkiG9w0BAQsFADBt +MQswCQYDVQQGEwJDSDEQMA4GA1UEChMHV0lTZUtleTEiMCAGA1UECxMZT0lTVEUg +Rm91bmRhdGlvbiBFbmRvcnNlZDEoMCYGA1UEAxMfT0lTVEUgV0lTZUtleSBHbG9i +YWwgUm9vdCBHQiBDQTAeFw0xNDEyMDExNTAwMzJaFw0zOTEyMDExNTEwMzFaMG0x +CzAJBgNVBAYTAkNIMRAwDgYDVQQKEwdXSVNlS2V5MSIwIAYDVQQLExlPSVNURSBG +b3VuZGF0aW9uIEVuZG9yc2VkMSgwJgYDVQQDEx9PSVNURSBXSVNlS2V5IEdsb2Jh +bCBSb290IEdCIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2Be3 +HEokKtaXscriHvt9OO+Y9bI5mE4nuBFde9IllIiCFSZqGzG7qFshISvYD06fWvGx +WuR51jIjK+FTzJlFXHtPrby/h0oLS5daqPZI7H17Dc0hBt+eFf1Biki3IPShehtX +1F1Q/7pn2COZH8g/497/b1t3sWtuuMlk9+HKQUYOKXHQuSP8yYFfTvdv37+ErXNk +u7dCjmn21HYdfp2nuFeKUWdy19SouJVUQHMD9ur06/4oQnc/nSMbsrY9gBQHTC5P +99UKFg29ZkM3fiNDecNAhvVMKdqOmq0NpQSHiB6F4+lT1ZvIiwNjeOvgGUpuuy9r +M2RYk61pv48b74JIxwIDAQABo1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUw +AwEB/zAdBgNVHQ4EFgQUNQ/INmNe4qPs+TtmFc5RUuORmj0wEAYJKwYBBAGCNxUB +BAMCAQAwDQYJKoZIhvcNAQELBQADggEBAEBM+4eymYGQfp3FsLAmzYh7KzKNbrgh +cViXfa43FK8+5/ea4n32cZiZBKpDdHij40lhPnOMTZTg+XHEthYOU3gf1qKHLwI5 +gSk8rxWYITD+KJAAjNHhy/peyP34EEY7onhCkRd0VQreUGdNZtGn//3ZwLWoo4rO +ZvUPQ82nK1d7Y0Zqqi5S2PTt4W2tKZB4SLrhI6qjiey1q5bAtEuiHZeeevJuQHHf +aPFlTc58Bd9TZaml8LGXBHAVRgOY1NK/VLSgWH1Sb9pWJmLU2NuJMW8c8CLC02Ic +Nc1MaRVUGpCY3useX8p3x8uOPUNpnJpY0CQ73xtAln41rYHHTnG6iBM= +-----END CERTIFICATE----- + +### XRamp Security Services Inc + +=== /C=US/OU=www.xrampsecurity.com/O=XRamp Security Services 
Inc/CN=XRamp Global Certification Authority +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad + Signature Algorithm: sha1WithRSAEncryption + Validity + Not Before: Nov 1 17:14:04 2004 GMT + Not After : Jan 1 05:37:19 2035 GMT + Subject: C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority + X509v3 extensions: + 1.3.6.1.4.1.311.20.2: + ...C.A + X509v3 Key Usage: + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + C6:4F:A2:3D:06:63:84:09:9C:CE:62:E4:04:AC:8D:5C:B5:E9:B6:1B + X509v3 CRL Distribution Points: + + Full Name: + URI:http://crl.xrampsecurity.com/XGCA.crl + + 1.3.6.1.4.1.311.21.1: + ... +SHA1 Fingerprint=B8:01:86:D1:EB:9C:86:A5:41:04:CF:30:54:F3:4C:52:B7:E5:58:C6 +SHA256 Fingerprint=CE:CD:DC:90:50:99:D8:DA:DF:C5:B1:D2:09:B7:37:CB:E2:C1:8C:FB:2C:10:C0:FF:0B:CF:0D:32:86:FC:1A:A2 +-----BEGIN CERTIFICATE----- +MIIEMDCCAxigAwIBAgIQUJRs7Bjq1ZxN1ZfvdY+grTANBgkqhkiG9w0BAQUFADCB +gjELMAkGA1UEBhMCVVMxHjAcBgNVBAsTFXd3dy54cmFtcHNlY3VyaXR5LmNvbTEk +MCIGA1UEChMbWFJhbXAgU2VjdXJpdHkgU2VydmljZXMgSW5jMS0wKwYDVQQDEyRY +UmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQxMTAxMTcx +NDA0WhcNMzUwMTAxMDUzNzE5WjCBgjELMAkGA1UEBhMCVVMxHjAcBgNVBAsTFXd3 +dy54cmFtcHNlY3VyaXR5LmNvbTEkMCIGA1UEChMbWFJhbXAgU2VjdXJpdHkgU2Vy +dmljZXMgSW5jMS0wKwYDVQQDEyRYUmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBB +dXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCYJB69FbS6 +38eMpSe2OAtp87ZOqCwuIR1cRN8hXX4jdP5efrRKt6atH67gBhbim1vZZ3RrXYCP +KZ2GG9mcDZhtdhAoWORlsH9KmHmf4MMxfoArtYzAQDsRhtDLooY2YKTVMIJt2W7Q +DxIEM5dfT2Fa8OT5kavnHTu86M/0ay00fOJIYRyO82FEzG+gSqmUsE3a56k0enI4 +qEHMPJQRfevIpoy3hsvKMzvZPTeL+3o+hiznc9cKV6xkmxnr9A8ECIqsAxcZZPRa +JSKNNCyy9mgdEm3Tih4U2sSPpuIjhdV6Db1q4Ons7Be7QhtnqiXtRYMh/MHJfNVi +PvryxS3T/dRlAgMBAAGjgZ8wgZwwEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0P +BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMZPoj0GY4QJnM5i5ASs 
+jVy16bYbMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwueHJhbXBzZWN1cml0 +eS5jb20vWEdDQS5jcmwwEAYJKwYBBAGCNxUBBAMCAQEwDQYJKoZIhvcNAQEFBQAD +ggEBAJEVOQMBG2f7Shz5CmBbodpNl2L5JFMn14JkTpAuw0kbK5rc/Kh4ZzXxHfAR +vbdI4xD2Dd8/0sm2qlWkSLoC295ZLhVbO50WfUfXN+pfTXYSNrsf16GBBEYgoyxt +qZ4Bfj8pzgCT3/3JknOJiWSe5yvkHJEs0rnOfc5vMZnT5r7SHpDwCRR5XCOrTdLa +IR9NmXmd4c8nnxCbHIgNsIpkQTG4DmyQJKSbXHGPurt+HBvbaoAPIbzp26a3QPSy +i6mx5O+aGtA9aZnuqCij4Tyz8LIRnM98QObd50N9otg6tamN8jSZxNQQ4Qb9CYQQ +O+7ETPTsJ3xCwnR8gooJybQDJbw= +-----END CERTIFICATE----- diff --git a/lib/libcrypto/comp/c_zlib.c b/lib/libcrypto/comp/c_zlib.c index 1802cffd99..0cdbb205a4 100644 --- a/lib/libcrypto/comp/c_zlib.c +++ b/lib/libcrypto/comp/c_zlib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: c_zlib.c,v 1.19 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: c_zlib.c,v 1.20 2018/03/17 16:20:01 beck Exp $ */ #include #include #include @@ -191,6 +191,8 @@ COMP_zlib(void) if (zlib_stateful_ex_idx == -1) goto err; } + if (!OPENSSL_init_crypto(0, NULL)) + goto err; meth = &zlib_stateful_method; } diff --git a/lib/libcrypto/compat/include/sys/time.h b/lib/libcrypto/compat/include/sys/time.h new file mode 100644 index 0000000000..76428c190d --- /dev/null +++ b/lib/libcrypto/compat/include/sys/time.h @@ -0,0 +1,28 @@ +/* + * Public domain + * sys/time.h compatibility shim + */ + +#ifndef LIBCRYPTOCOMPAT_SYS_TIME_H +#define LIBCRYPTOCOMPAT_SYS_TIME_H + +#ifdef _MSC_VER +#include +int gettimeofday(struct timeval *tp, void *tzp); +#else +#include_next +#endif + +#ifndef timersub +#define timersub(tvp, uvp, vvp) \ + do { \ + (vvp)->tv_sec = (tvp)->tv_sec - (uvp)->tv_sec; \ + (vvp)->tv_usec = (tvp)->tv_usec - (uvp)->tv_usec; \ + if ((vvp)->tv_usec < 0) { \ + (vvp)->tv_sec--; \ + (vvp)->tv_usec += 1000000; \ + } \ + } while (0) +#endif + +#endif diff --git a/lib/libcrypto/compat/include/sys/types.h b/lib/libcrypto/compat/include/sys/types.h index dcd8067ee1..2107119b56 100644 --- a/lib/libcrypto/compat/include/sys/types.h 
+++ b/lib/libcrypto/compat/include/sys/types.h @@ -20,12 +20,17 @@ #ifdef __MINGW32__ #include <_bsd_types.h> +typedef uint32_t in_addr_t; +typedef uint32_t uid_t; #endif #ifdef _MSC_VER typedef unsigned char u_char; typedef unsigned short u_short; typedef unsigned int u_int; +typedef uint32_t in_addr_t; +typedef uint32_t mode_t; +typedef uint32_t uid_t; #include typedef SSIZE_T ssize_t; diff --git a/lib/libcrypto/compat/include/time.h b/lib/libcrypto/compat/include/time.h new file mode 100644 index 0000000000..dc460ef04e --- /dev/null +++ b/lib/libcrypto/compat/include/time.h @@ -0,0 +1,53 @@ +/* + * Public domain + * sys/time.h compatibility shim + */ + +#ifdef _MSC_VER +#if _MSC_VER >= 1900 +#include <../ucrt/time.h> +#else +#include <../include/time.h> +#endif +#else +#include_next +#endif + +#ifndef LIBCRYPTOCOMPAT_TIME_H +#define LIBCRYPTOCOMPAT_TIME_H + +#ifdef _WIN32 +struct tm *__gmtime_r(const time_t * t, struct tm * tm); +#define gmtime_r(tp, tm) __gmtime_r(tp, tm) +#endif + +#ifndef HAVE_TIMEGM +time_t timegm(struct tm *tm); +#endif + +#ifndef CLOCK_MONOTONIC +#define CLOCK_MONOTONIC CLOCK_REALTIME +#endif + +#ifndef CLOCK_REALTIME +#define CLOCK_REALTIME 0 +#endif + +#ifndef HAVE_CLOCK_GETTIME +typedef int clockid_t; +int clock_gettime(clockid_t clock_id, struct timespec *tp); +#endif + +#ifndef timespecsub +#define timespecsub(tsp, usp, vsp) \ + do { \ + (vsp)->tv_sec = (tsp)->tv_sec - (usp)->tv_sec; \ + (vsp)->tv_nsec = (tsp)->tv_nsec - (usp)->tv_nsec; \ + if ((vsp)->tv_nsec < 0) { \ + (vsp)->tv_sec--; \ + (vsp)->tv_nsec += 1000000000L; \ + } \ + } while (0) +#endif + +#endif diff --git a/lib/libcrypto/conf/conf_sap.c b/lib/libcrypto/conf/conf_sap.c index a29acea7c1..827cf96e74 100644 --- a/lib/libcrypto/conf/conf_sap.c +++ b/lib/libcrypto/conf/conf_sap.c 
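Review bot: The header comment of the new compat `time.h` still reads `sys/time.h compatibility shim`, apparently copied from the sibling shim added in the same commit, and should say `time.h compatibility shim`. The fallback `#define CLOCK_MONOTONIC CLOCK_REALTIME` also needs a comment, because on a platform that takes this branch every interval measured through it follows wall-clock adjustments. Something like `/* no monotonic clock here: intervals follow wall-clock steps */` above the define would tell callers that timeouts computed with `timespecsub` are only as steady as the system time.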
@@ -1,4 +1,4 @@ -/* $OpenBSD: conf_sap.c,v 1.11 2015/02/11 03:19:37 doug Exp $ */ +/* $OpenBSD: conf_sap.c,v 1.14 2018/03/19 03:56:08 beck Exp $ */ /* Written by Stephen Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -56,6 +56,7 @@ * */ +#include #include #include @@ -75,14 +76,13 @@ * unless this is overridden by calling OPENSSL_no_config() */ -static int openssl_configured = 0; +static pthread_once_t openssl_configured = PTHREAD_ONCE_INIT; -void -OPENSSL_config(const char *config_name) -{ - if (openssl_configured) - return; +static const char *openssl_config_name; +static void +OPENSSL_config_internal(void) +{ OPENSSL_load_builtin_modules(); #ifndef OPENSSL_NO_ENGINE /* Need to load ENGINEs */ @@ -91,7 +91,7 @@ OPENSSL_config(const char *config_name) /* Add others here? */ ERR_clear_error(); - if (CONF_modules_load_file(NULL, config_name, + if (CONF_modules_load_file(NULL, openssl_config_name, CONF_MFLAGS_DEFAULT_SECTION|CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) { BIO *bio_err; ERR_load_crypto_strings(); @@ -106,8 +106,49 @@ OPENSSL_config(const char *config_name) return; } +int +OpenSSL_config(const char *config_name) +{ + /* Don't override if NULL */ + /* + * Note - multiple threads calling this with *different* config names + * is probably not advisable. One thread will win, but you don't know + * if it will be the same thread as wins the pthread_once. + */ + if (config_name != NULL) + openssl_config_name = config_name; + + if (OPENSSL_init_crypto(0, NULL) == 0) + return 0; + + if (pthread_once(&openssl_configured, OPENSSL_config_internal) != 0) + return 0; + + return 1; +} + +void +OPENSSL_config(const char *config_name) +{ + (void) OpenSSL_config(config_name); +} + +static void +OPENSSL_no_config_internal(void) +{ +} + +int +OpenSSL_no_config(void) +{ + if (pthread_once(&openssl_configured, OPENSSL_no_config_internal) != 0) + return 0; + + return 1; +} + void OPENSSL_no_config(void) { - openssl_configured = 1; + (void) OpenSSL_no_config(); } 
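Review bot: A return value of 1 from `OpenSSL_config()` does not mean that the named file was loaded, because `OpenSSL_config()` and `OpenSSL_no_config()` share the one `openssl_configured` control and whichever call reaches `pthread_once()` first decides the outcome for the process. That contract is not documented anywhere in the hunk; I would add `/* Returns 1 once configuration has been decided, whether or not config_name was the file used. */` above the function. The plain store to `openssl_config_name` before `pthread_once()` is an unsynchronised write to shared state and keeps the caller's pointer without copying it; the existing comment covers the race but not the lifetime requirement. `OPENSSL_config()` and `OPENSSL_no_config()` discard the result with `(void)`, so callers of the legacy entry points cannot see a failed `OPENSSL_init_crypto()` or `pthread_once()`.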
diff --git a/lib/libcrypto/crypto.h b/lib/libcrypto/crypto.h index 068415f693..67e06a1509 100644 --- a/lib/libcrypto/crypto.h +++ b/lib/libcrypto/crypto.h @@ -1,4 +1,4 @@ -/* $OpenBSD: crypto.h,v 1.41 2017/04/29 21:48:43 jsing Exp $ */ +/* $OpenBSD: crypto.h,v 1.45 2018/03/19 03:35:38 beck Exp $ */ /* ==================================================================== * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * @@ -330,6 +330,14 @@ int CRYPTO_is_mem_check_on(void); CRYPTO_malloc_locked((int)num,__FILE__,__LINE__) #define OPENSSL_free_locked(addr) CRYPTO_free_locked(addr) +const char *OpenSSL_version(int type); +#define OPENSSL_VERSION 0 +#define OPENSSL_CFLAGS 1 +#define OPENSSL_BUILT_ON 2 +#define OPENSSL_PLATFORM 3 +#define OPENSSL_DIR 4 +#define OPENSSL_ENGINES_DIR 5 +unsigned long OpenSSL_version_num(void); const char *SSLeay_version(int type); unsigned long SSLeay(void); 
@@ -534,6 +542,40 @@ void ERR_load_CRYPTO_strings(void); #define CRYPTO_R_FIPS_MODE_NOT_SUPPORTED 101 #define CRYPTO_R_NO_DYNLOCK_CREATE_CALLBACK 100 +/* + * OpenSSL compatible OPENSSL_INIT options. + */ + +#define OPENSSL_INIT_NO_LOAD_CONFIG 0x00000001L +#define OPENSSL_INIT_LOAD_CONFIG 0x00000002L + +/* LibreSSL specific */ +#define _OPENSSL_INIT_FLAG_NOOP 0x80000000L + +/* + * These are provided for compatibiliy, but have no effect + * on how LibreSSL is initialized. + */ +#define OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS _OPENSSL_INIT_FLAG_NOOP +#define OPENSSL_INIT_LOAD_CRYPTO_STRINGS _OPENSSL_INIT_FLAG_NOOP +#define OPENSSL_INIT_ADD_ALL_CIPHERS _OPENSSL_INIT_FLAG_NOOP +#define OPENSSL_INIT_ADD_ALL_DIGESTS _OPENSSL_INIT_FLAG_NOOP +#define OPENSSL_INIT_NO_ADD_ALL_CIPHERS _OPENSSL_INIT_FLAG_NOOP +#define OPENSSL_INIT_NO_ADD_ALL_DIGESTS _OPENSSL_INIT_FLAG_NOOP +#define OPENSSL_INIT_ASYNC _OPENSSL_INIT_FLAG_NOOP +#define OPENSSL_INIT_ENGINE_RDRAND _OPENSSL_INIT_FLAG_NOOP +#define OPENSSL_INIT_ENGINE_DYNAMIC _OPENSSL_INIT_FLAG_NOOP +#define OPENSSL_INIT_ENGINE_OPENSSL _OPENSSL_INIT_FLAG_NOOP +#define OPENSSL_INIT_ENGINE_CRYPTODEV _OPENSSL_INIT_FLAG_NOOP +#define OPENSSL_INIT_ENGINE_CAPI _OPENSSL_INIT_FLAG_NOOP +#define OPENSSL_INIT_ENGINE_PADLOCK _OPENSSL_INIT_FLAG_NOOP +#define OPENSSL_INIT_ENGINE_AFALG _OPENSSL_INIT_FLAG_NOOP +#define OPENSSL_INIT_reserved_internal _OPENSSL_INIT_FLAG_NOOP +#define OPENSSL_INIT_ATFORK _OPENSSL_INIT_FLAG_NOOP +#define OPENSSL_INIT_ENGINE_ALL_BUILTIN _OPENSSL_INIT_FLAG_NOOP + +int OPENSSL_init_crypto(uint64_t opts, const void *settings); + #ifdef __cplusplus } #endif diff --git a/lib/libcrypto/crypto_init.c b/lib/libcrypto/crypto_init.c new file mode 100644 index 0000000000..08fb55ffd5 --- /dev/null +++ b/lib/libcrypto/crypto_init.c 
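Review bot: `_OPENSSL_INIT_FLAG_NOOP` starts with an underscore followed by an upper-case letter, which is a spelling reserved for the implementation, and it is defined in a public header where it lands in every consumer's namespace. A prefix without the leading underscore would avoid that. The comment above the no-op block has a typo, `compatibiliy`, which should read `compatibility`. The new prototype `int OPENSSL_init_crypto(uint64_t opts, const void *settings);` needs `<stdint.h>` to be visible to every includer; the header's include list is outside this hunk, so that is worth confirming.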
@@ -0,0 +1,63 @@ +/* + * Copyright (c) 2018 Bob Beck + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* OpenSSL style init */ + +#include +#include + +#include +#include +#include +#include +#include "cryptlib.h" + +int OpenSSL_config(const char *); +int OpenSSL_no_config(void); + +static pthread_t crypto_init_thread; + +static void +OPENSSL_init_crypto_internal(void) +{ + crypto_init_thread = pthread_self(); + OPENSSL_cpuid_setup(); + ERR_load_crypto_strings(); + OpenSSL_add_all_ciphers(); + OpenSSL_add_all_digests(); +} + +int +OPENSSL_init_crypto(uint64_t opts, const void *settings) +{ + static pthread_once_t once = PTHREAD_ONCE_INIT; + + if (pthread_equal(pthread_self(), crypto_init_thread)) + return 1; /* don't recurse */ + + if (pthread_once(&once, OPENSSL_init_crypto_internal) != 0) + return 0; + + if ((opts & OPENSSL_INIT_NO_LOAD_CONFIG) && + (OpenSSL_no_config() == 0)) + return 0; + + if ((opts & OPENSSL_INIT_LOAD_CONFIG) && + (OpenSSL_config(NULL) == 0)) + return 0; + + return 1; +} diff --git a/lib/libcrypto/cversion.c b/lib/libcrypto/cversion.c index 7ffa80ec26..2d4460d10d 100644 --- a/lib/libcrypto/cversion.c +++ b/lib/libcrypto/cversion.c 
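Review bot: The recursion guard in `OPENSSL_init_crypto()` compares against `crypto_init_thread`, which `OPENSSL_init_crypto_internal()` sets and nothing ever clears, so every later call from the thread that ran the one-time initialisation returns 1 before `opts` is looked at. A program whose first call from that thread passes `opts == 0` and which later asks for `OPENSSL_INIT_LOAD_CONFIG` or `OPENSSL_INIT_NO_LOAD_CONFIG` from the same thread gets success although neither `OpenSSL_config()` nor `OpenSSL_no_config()` was reached. The guard is also evaluated before `pthread_once()`, on the first call while the `pthread_t` still holds its zero-initialised value, which `pthread_equal()` is not specified to accept. Restricting the guard to the time the once routine is running keeps the no-recursion property without skipping option handling; the flag below is a plain `int` like the existing thread id, and an atomic would be stricter.

```c
static pthread_t crypto_init_thread;
static int crypto_init_running;	/* nonzero only while the once routine executes */

static void
OPENSSL_init_crypto_internal(void)
{
	crypto_init_thread = pthread_self();
	crypto_init_running = 1;
	/* ... unchanged: cpuid setup, error strings, cipher and digest tables ... */
	crypto_init_running = 0;
}

/* ... unchanged: OPENSSL_init_crypto() signature and once control ... */
	if (crypto_init_running &&
	    pthread_equal(pthread_self(), crypto_init_thread))
		return 1; /* don't recurse */
```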
@@ -1,4 +1,4 @@ -/* $OpenBSD: cversion.c,v 1.15 2014/07/11 11:42:28 jsing Exp $ */ +/* $OpenBSD: cversion.c,v 1.17 2018/02/17 06:56:12 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -84,3 +84,29 @@ SSLeay(void) { return (SSLEAY_VERSION_NUMBER); } + +const char * +OpenSSL_version(int t) +{ + switch (t) { + case OPENSSL_VERSION: + return OPENSSL_VERSION_TEXT; + case OPENSSL_BUILT_ON: + return("built on: date not available"); + case OPENSSL_CFLAGS: + return("compiler: information not available"); + case OPENSSL_PLATFORM: + return("platform: information not available"); + case OPENSSL_DIR: + return "OPENSSLDIR: \"" OPENSSLDIR "\""; + case OPENSSL_ENGINES_DIR: + return "ENGINESDIR: N/A"; + } + return("not available"); +} + +unsigned long +OpenSSL_version_num(void) +{ + return SSLeay(); +} diff --git a/lib/libcrypto/dh/dh.h b/lib/libcrypto/dh/dh.h index 920af3b92d..082b50254d 100644 --- a/lib/libcrypto/dh/dh.h +++ b/lib/libcrypto/dh/dh.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.h,v 1.18 2016/11/04 18:35:30 jsing Exp $ */ +/* $OpenBSD: dh.h,v 1.25 2018/02/22 16:41:04 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -183,11 +183,23 @@ DH * DH_new(void); void DH_free(DH *dh); int DH_up_ref(DH *dh); int DH_size(const DH *dh); +int DH_bits(const DH *dh); int DH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); int DH_set_ex_data(DH *d, int idx, void *arg); void *DH_get_ex_data(DH *d, int idx); +ENGINE *DH_get0_engine(DH *d); +void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, + const BIGNUM **g); +int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); +void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key); +int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key); +void DH_clear_flags(DH *dh, int flags); +int DH_test_flags(const DH *dh, int flags); +void DH_set_flags(DH *dh, int flags); +int DH_set_length(DH *dh, long length); + /* Deprecated version */ #ifndef OPENSSL_NO_DEPRECATED DH * DH_generate_parameters(int prime_len,int generator, diff --git a/lib/libcrypto/dh/dh_key.c b/lib/libcrypto/dh/dh_key.c index 63d38771c3..d79e98e785 100644 --- a/lib/libcrypto/dh/dh_key.c +++ b/lib/libcrypto/dh/dh_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh_key.c,v 1.27 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: dh_key.c,v 1.27.2.1 2018/06/13 15:13:30 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -108,6 +108,11 @@ generate_key(DH *dh) BN_MONT_CTX *mont = NULL; BIGNUM *pub_key = NULL, *priv_key = NULL; + if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { + DHerror(DH_R_MODULUS_TOO_LARGE); + return 0; + } + ctx = BN_CTX_new(); if (ctx == NULL) goto err; diff --git a/lib/libcrypto/dh/dh_lib.c b/lib/libcrypto/dh/dh_lib.c index d45dc17168..2153b42a3b 100644 --- a/lib/libcrypto/dh/dh_lib.c +++ b/lib/libcrypto/dh/dh_lib.c 
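Review bot: The new size check in `generate_key()` calls `BN_num_bits(dh->p)` before anything in the hunk has established that `dh->p` is set, so whether a `DH` without parameters fails cleanly here depends on `BN_num_bits()` tolerating NULL, which is not shown. If it does not, the guard should test `dh->p == NULL` first and report a separate error for it. A one-line comment such as `/* reject oversized moduli before allocating any state */` would also record why the check sits ahead of `BN_CTX_new()` and returns directly instead of going through `err`. The rest of `generate_key()` lies outside the hunk.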
@@ -1,4 +1,4 @@ -/* $OpenBSD: dh_lib.c,v 1.22 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: dh_lib.c,v 1.30.2.1 2018/05/02 16:57:35 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,6 +56,7 @@ * [including the GNU Public Licence.] */ +#include #include #include @@ -239,3 +240,100 @@ DH_size(const DH *dh) { return BN_num_bytes(dh->p); } + +int +DH_bits(const DH *dh) +{ + return BN_num_bits(dh->p); +} + +ENGINE * +DH_get0_engine(DH *dh) +{ + return dh->engine; +} + +void +DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) +{ + if (p != NULL) + *p = dh->p; + if (q != NULL) + *q = dh->q; + if (g != NULL) + *g = dh->g; +} + +int +DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) +{ + if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL)) + return 0; + + if (p != NULL) { + BN_free(dh->p); + dh->p = p; + } + if (q != NULL) { + BN_free(dh->q); + dh->q = q; + } + if (g != NULL) { + BN_free(dh->g); + dh->g = g; + } + + return 1; +} + +void +DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) +{ + if (pub_key != NULL) + *pub_key = dh->pub_key; + if (priv_key != NULL) + *priv_key = dh->priv_key; +} + +int +DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) +{ + if (pub_key != NULL) { + BN_free(dh->pub_key); + dh->pub_key = pub_key; + } + if (priv_key != NULL) { + BN_free(dh->priv_key); + dh->priv_key = priv_key; + } + + return 1; +} + +void +DH_clear_flags(DH *dh, int flags) +{ + dh->flags &= ~flags; +} + +int +DH_test_flags(const DH *dh, int flags) +{ + return dh->flags & flags; +} + +void +DH_set_flags(DH *dh, int flags) +{ + dh->flags |= flags; +} + +int +DH_set_length(DH *dh, long length) +{ + if (length < 0 || length > INT_MAX) + return 0; + + dh->length = length; + return 1; +} diff --git a/lib/libcrypto/dsa/dsa.h b/lib/libcrypto/dsa/dsa.h index 6ddd4c35d5..61bfc2b466 100644 --- a/lib/libcrypto/dsa/dsa.h +++ b/lib/libcrypto/dsa/dsa.h 
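Review bot: `DH_set0_key()` releases the previous private key with `BN_free(dh->priv_key)`, while `DSA_SIG_set0()` in dsa_asn1.c uses `BN_clear_free()` for the values it replaces. Unless `BN_free()` already zeroes in this tree, the old secret stays readable in freed memory, and `BN_clear_free(dh->priv_key);` would be the consistent choice; `DSA_set0_key()` in dsa_lib.c has the same line. Both `set0` families also free the old value before storing the new one without checking for identity, so passing back a pointer obtained from `DH_get0_pqg()` or `DH_get0_key()` leaves the struct pointing at freed memory. A comment stating that the function takes ownership and that the arguments must not alias the current members, or an identity check before each `BN_free()`, would make that contract explicit.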
@@ -1,4 +1,4 @@ -/* $OpenBSD: dsa.h,v 1.22 2016/11/04 18:35:30 jsing Exp $ */ +/* $OpenBSD: dsa.h,v 1.30 2018/03/17 15:19:12 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -183,6 +183,8 @@ DSA_SIG * DSA_SIG_new(void); void DSA_SIG_free(DSA_SIG *a); int i2d_DSA_SIG(const DSA_SIG *a, unsigned char **pp); DSA_SIG * d2i_DSA_SIG(DSA_SIG **v, const unsigned char **pp, long length); +void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); +int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s); DSA_SIG * DSA_do_sign(const unsigned char *dgst,int dlen,DSA *dsa); int DSA_do_verify(const unsigned char *dgst,int dgst_len, @@ -257,6 +259,23 @@ int DSA_print_fp(FILE *bp, const DSA *x, int off); DH *DSA_dup_DH(const DSA *r); #endif +void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, + const BIGNUM **g); +int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g); +void DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key); +int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key); +void DSA_clear_flags(DSA *d, int flags); +int DSA_test_flags(const DSA *d, int flags); +void DSA_set_flags(DSA *d, int flags); +ENGINE *DSA_get0_engine(DSA *d); + +DSA_METHOD *DSA_meth_new(const char *name, int flags); +void DSA_meth_free(DSA_METHOD *meth); +DSA_METHOD *DSA_meth_dup(const DSA_METHOD *meth); +int DSA_meth_set_sign(DSA_METHOD *meth, + DSA_SIG *(*sign)(const unsigned char *, int, DSA *)); +int DSA_meth_set_finish(DSA_METHOD *meth, int (*finish)(DSA *)); + #define EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, nbits) \ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, \ EVP_PKEY_CTRL_DSA_PARAMGEN_BITS, nbits, NULL) diff --git a/lib/libcrypto/dsa/dsa_asn1.c b/lib/libcrypto/dsa/dsa_asn1.c index f7dfaf1d9c..aac67dbd03 100644 --- a/lib/libcrypto/dsa/dsa_asn1.c +++ b/lib/libcrypto/dsa/dsa_asn1.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_asn1.c,v 1.20 2017/05/02 03:59:44 deraadt Exp $ */ +/* $OpenBSD: dsa_asn1.c,v 1.21 2018/02/20 17:48:35 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -133,6 +133,29 @@ i2d_DSA_SIG(const DSA_SIG *a, unsigned char **out) return ASN1_item_i2d((ASN1_VALUE *)a, out, &DSA_SIG_it); } +void +DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) +{ + if (pr != NULL) + *pr = sig->r; + if (ps != NULL) + *ps = sig->s; +} + +int +DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) +{ + if (r == NULL || s == NULL) + return 0; + + BN_clear_free(sig->r); + sig->r = r; + BN_clear_free(sig->s); + sig->s = s; + + return 1; +} + /* Override the default free and new methods */ static int dsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) diff --git a/lib/libcrypto/dsa/dsa_lib.c b/lib/libcrypto/dsa/dsa_lib.c index 58af74889c..8190d07348 100644 --- a/lib/libcrypto/dsa/dsa_lib.c +++ b/lib/libcrypto/dsa/dsa_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_lib.c,v 1.23 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: dsa_lib.c,v 1.28 2018/02/20 17:52:27 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -303,3 +303,88 @@ err: return NULL; } #endif + +void +DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) +{ + if (p != NULL) + *p = d->p; + if (q != NULL) + *q = d->q; + if (g != NULL) + *g = d->g; +} + +int +DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g) +{ + if ((d->p == NULL && p == NULL) || (d->q == NULL && q == NULL) || + (d->g == NULL && g == NULL)) + return 0; + + if (p != NULL) { + BN_free(d->p); + d->p = p; + } + if (q != NULL) { + BN_free(d->q); + d->q = q; + } + if (g != NULL) { + BN_free(d->g); + d->g = g; + } + + return 1; +} + +void +DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key) +{ + if (pub_key != NULL) + *pub_key = d->pub_key; + if (priv_key != NULL) + *priv_key = d->priv_key; +} + +int +DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key) +{ + if (d->pub_key == NULL && pub_key == NULL) + return 0; + + if (pub_key != NULL) { + BN_free(d->pub_key); + d->pub_key = pub_key; + } + if (priv_key != NULL) { + BN_free(d->priv_key); + d->priv_key = priv_key; + } + + return 1; +} + +void +DSA_clear_flags(DSA *d, int flags) +{ + d->flags &= ~flags; +} + +int +DSA_test_flags(const DSA *d, int flags) +{ + return d->flags & flags; +} + +void +DSA_set_flags(DSA *d, int flags) +{ + d->flags |= flags; +} + +ENGINE * +DSA_get0_engine(DSA *d) +{ + return d->engine; +} diff --git a/lib/libcrypto/dsa/dsa_meth.c b/lib/libcrypto/dsa/dsa_meth.c new file mode 100644 index 0000000000..e6f043f830 --- /dev/null +++ b/lib/libcrypto/dsa/dsa_meth.c 
@@ -0,0 +1,78 @@ +/* $OpenBSD: dsa_meth.c,v 1.1 2018/03/17 15:19:12 tb Exp $ */ +/* + * Copyright (c) 2018 Theo Buehler + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include + +#include +#include + +DSA_METHOD * +DSA_meth_new(const char *name, int flags) +{ + DSA_METHOD *meth; + + if ((meth = calloc(1, sizeof(*meth))) == NULL) + return NULL; + if ((meth->name = strdup(name)) == NULL) { + free(meth); + return NULL; + } + meth->flags = flags; + + return meth; +} + +void +DSA_meth_free(DSA_METHOD *meth) +{ + if (meth != NULL) { + free((char *)meth->name); + free(meth); + } +} + +DSA_METHOD * +DSA_meth_dup(const DSA_METHOD *meth) +{ + DSA_METHOD *copy; + + if ((copy = calloc(1, sizeof(*copy))) == NULL) + return NULL; + memcpy(copy, meth, sizeof(*copy)); + if ((copy->name = strdup(meth->name)) == NULL) { + free(copy); + return NULL; + } + + return copy; +} + +int +DSA_meth_set_sign(DSA_METHOD *meth, + DSA_SIG *(*sign)(const unsigned char *, int, DSA *)) +{ + meth->dsa_do_sign = sign; + return 1; +} + +int +DSA_meth_set_finish(DSA_METHOD *meth, int (*finish)(DSA *)) +{ + meth->finish = finish; + return 1; +} diff --git a/lib/libcrypto/dsa/dsa_ossl.c b/lib/libcrypto/dsa/dsa_ossl.c index f1013fe547..4e75512df8 100644 --- a/lib/libcrypto/dsa/dsa_ossl.c 
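Review bot: `DSA_meth_new()` passes `name` straight to `strdup()`, and `DSA_meth_dup()` reads `meth` through `memcpy()` and `strdup(meth->name)` without a check, so a NULL argument crashes where the allocation failures next to it return NULL. Since these are new public entry points, either add `if (name == NULL) return NULL;` (and the equivalent test on `meth`) or document that the arguments must be non-NULL. In `DSA_meth_dup()`, between the `memcpy()` and the `strdup()`, `copy->name` aliases the source's string; that is harmless only because the failure path calls `free(copy)` and not `DSA_meth_free(copy)`, and a comment saying so would protect the line from a well-meant cleanup. `DSA_meth_set_sign()` and `DSA_meth_set_finish()` dereference `meth` unchecked as well.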
+++ b/lib/libcrypto/dsa/dsa_ossl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_ossl.c,v 1.30 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: dsa_ossl.c,v 1.30.2.1 2018/06/13 15:08:08 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -142,11 +142,8 @@ redo: /* Compute s = inv(k) (m + xr) mod q */ if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx)) /* s = xr */ goto err; - if (!BN_add(s, &xr, &m)) /* s = m + xr */ + if (!BN_mod_add(s, &xr, &m, dsa->q, ctx)) /* s = m + xr */ goto err; - if (BN_cmp(s, dsa->q) > 0) - if (!BN_sub(s, s, dsa->q)) - goto err; if (!BN_mod_mul(s, s, kinv, dsa->q, ctx)) goto err; diff --git a/lib/libcrypto/ec/ec_ameth.c b/lib/libcrypto/ec/ec_ameth.c index 8d0cdb733b..0932f1e3c9 100644 --- a/lib/libcrypto/ec/ec_ameth.c +++ b/lib/libcrypto/ec/ec_ameth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_ameth.c,v 1.18 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ec_ameth.c,v 1.19 2018/03/12 13:14:21 inoguchi Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -433,13 +433,15 @@ do_EC_KEY_print(BIO * bp, const EC_KEY * x, int off, int ktype) } if (ktype > 0) { public_key = EC_KEY_get0_public_key(x); - if ((pub_key = EC_POINT_point2bn(group, public_key, + if (public_key != NULL) { + if ((pub_key = EC_POINT_point2bn(group, public_key, EC_KEY_get_conv_form(x), NULL, ctx)) == NULL) { - reason = ERR_R_EC_LIB; - goto err; + reason = ERR_R_EC_LIB; + goto err; + } + if (pub_key) + buf_len = (size_t) BN_num_bytes(pub_key); } - if (pub_key) - buf_len = (size_t) BN_num_bytes(pub_key); } if (ktype == 2) { priv_key = EC_KEY_get0_private_key(x); diff --git a/lib/libcrypto/ec/ec_asn1.c b/lib/libcrypto/ec/ec_asn1.c index b64b7e14d3..381addfcf6 100644 --- a/lib/libcrypto/ec/ec_asn1.c +++ b/lib/libcrypto/ec/ec_asn1.c 
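Review bot: The comment on the rewritten line still says `/* s = m + xr */` although `BN_mod_add()` now reduces the sum, so it should read `/* s = (m + xr) mod q */`. It would also help to record why the removed lines were not equivalent: they subtracted `q` only when `BN_cmp(s, dsa->q) > 0`, which left `s == q` unreduced and made a branch depend on a value derived from `dsa->priv_key`. The enclosing signing function starts and ends outside the hunk.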
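Review bot: In `do_EC_KEY_print()` the test `if (pub_key)` inside the new `if (public_key != NULL)` block can never be false, because the statement before it jumps to `err` when `EC_POINT_point2bn()` returns NULL; the assignment can be unconditional, `buf_len = (size_t) BN_num_bytes(pub_key);`. More importantly, `pub_key` now stays NULL for a key without a public point while `ktype > 0`, so the printing code after this hunk has to tolerate a NULL `pub_key`. That code is outside the hunk and should be checked against this new case.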
@@ -1,4 +1,4 @@ -/* $OpenBSD: ec_asn1.c,v 1.24 2017/05/26 16:32:14 jsing Exp $ */ +/* $OpenBSD: ec_asn1.c,v 1.25 2018/03/12 13:14:21 inoguchi Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ @@ -1380,17 +1380,18 @@ d2i_ECPrivateKey(EC_KEY ** a, const unsigned char **in, long len) goto err; } + if (ret->pub_key) + EC_POINT_clear_free(ret->pub_key); + ret->pub_key = EC_POINT_new(ret->group); + if (ret->pub_key == NULL) { + ECerror(ERR_R_EC_LIB); + goto err; + } + if (priv_key->publicKey) { const unsigned char *pub_oct; size_t pub_oct_len; - EC_POINT_clear_free(ret->pub_key); - ret->pub_key = EC_POINT_new(ret->group); - if (ret->pub_key == NULL) { - ECerror(ERR_R_EC_LIB); - goto err; - } - pub_oct = ASN1_STRING_data(priv_key->publicKey); pub_oct_len = ASN1_STRING_length(priv_key->publicKey); if (pub_oct == NULL || pub_oct_len <= 0) { @@ -1405,6 +1406,14 @@ d2i_ECPrivateKey(EC_KEY ** a, const unsigned char **in, long len) ECerror(ERR_R_EC_LIB); goto err; } + } else { + if (!EC_POINT_mul(ret->group, ret->pub_key, ret->priv_key, + NULL, NULL, NULL)) { + ECerror(ERR_R_EC_LIB); + goto err; + } + /* Remember the original private-key-only encoding. */ + ret->enc_flag |= EC_PKEY_NO_PUBKEY; } EC_PRIVATEKEY_free(priv_key); @@ -1429,7 +1438,8 @@ i2d_ECPrivateKey(EC_KEY * a, unsigned char **out) size_t buf_len = 0, tmp_len; EC_PRIVATEKEY *priv_key = NULL; - if (a == NULL || a->group == NULL || a->priv_key == NULL) { + if (a == NULL || a->group == NULL || a->priv_key == NULL || + (!(a->enc_flag & EC_PKEY_NO_PUBKEY) && a->pub_key == NULL)) { ECerror(ERR_R_PASSED_NULL_PARAMETER); goto err; } diff --git a/lib/libcrypto/ec/ec_curve.c b/lib/libcrypto/ec/ec_curve.c index 1ee2a7c8e8..d4f6c28d1e 100644 --- a/lib/libcrypto/ec/ec_curve.c +++ b/lib/libcrypto/ec/ec_curve.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_curve.c,v 1.15 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ec_curve.c,v 1.16 2018/03/16 12:31:09 mpi Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ 
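Review bot: The new `else` branch in the `@@ -1405,6 +1406,14 @@` hunk sets `EC_PKEY_NO_PUBKEY` in `ret->enc_flag`, but the `if (priv_key->publicKey)` branch never clears it. If `ret` can be a caller-supplied key that is being reused (the allocation of `ret` is outside the hunk), a key first decoded without a public key and then decoded again with one would keep the flag, which `i2d_ECPrivateKey` consults in the next hunk. Clearing it in the first branch, `ret->enc_flag &= ~EC_PKEY_NO_PUBKEY;`, would make the flag reflect the last encoding seen. The `if (ret->pub_key)` guard added in the previous hunk also looks redundant, since the removed code called `EC_POINT_clear_free(ret->pub_key)` unconditionally.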
@@ -2135,7 +2135,7 @@ static const struct { } }; -/* IPSec curves */ +/* IPsec curves */ /* NOTE: The of curves over a extension field of non prime degree * is not recommended (Weil-descent). * As the group order is not a prime this curve is not suitable diff --git a/lib/libcrypto/ecdsa/ecdsa.h b/lib/libcrypto/ecdsa/ecdsa.h index 530ab265bb..9c53230a88 100644 --- a/lib/libcrypto/ecdsa/ecdsa.h +++ b/lib/libcrypto/ecdsa/ecdsa.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ecdsa.h,v 1.4 2015/02/08 13:35:06 jsing Exp $ */ +/* $OpenBSD: ecdsa.h,v 1.5 2018/03/17 15:24:44 tb Exp $ */ /** * \file crypto/ecdsa/ecdsa.h Include file for the OpenSSL ECDSA functions * \author Written by Nils Larsch for the OpenSSL project @@ -133,6 +133,20 @@ int i2d_ECDSA_SIG(const ECDSA_SIG *sig, unsigned char **pp); */ ECDSA_SIG *d2i_ECDSA_SIG(ECDSA_SIG **sig, const unsigned char **pp, long len); +/** Accessor for r and s fields of ECDSA_SIG + * \param sig pointer to ECDSA_SIG pointer + * \param pr pointer to BIGNUM pointer for r (may be NULL) + * \param ps pointer to BIGNUM pointer for s (may be NULL) + */ +void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); + +/** Setter for r and s fields of ECDSA_SIG + * \param sig pointer to ECDSA_SIG pointer + * \param r pointer to BIGNUM for r (may be NULL) + * \param s pointer to BIGNUM for s (may be NULL) + */ +int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); + /** Computes the ECDSA signature of the given hash value using * the supplied private key and returns the created signature. * \param dgst pointer to the hash value diff --git a/lib/libcrypto/ecdsa/ecs_asn1.c b/lib/libcrypto/ecdsa/ecs_asn1.c index 725fe44a36..e463858669 100644 --- a/lib/libcrypto/ecdsa/ecs_asn1.c +++ b/lib/libcrypto/ecdsa/ecs_asn1.c 
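Review bot: The doc comment added for `ECDSA_SIG_set0` in ecdsa.h says `r` and `s` "may be NULL", but the implementation added in ecs_asn1.c returns 0 when either is NULL. Both comments also describe `sig` as a "pointer to ECDSA_SIG pointer" although it is a plain `ECDSA_SIG *`, and neither states the return value or ownership. Suggested wording for the setter: `\param r new r value, must not be NULL; owned by sig on success` (likewise for `s`) and `\return 1 on success, 0 if r or s is NULL`. For the getter a line such as `the returned pointers stay owned by sig and must not be freed` would help callers avoid a double free.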
@@ -1,4 +1,4 @@ -/* $OpenBSD: ecs_asn1.c,v 1.8 2015/10/16 15:15:39 jsing Exp $ */ +/* $OpenBSD: ecs_asn1.c,v 1.9 2018/03/17 15:24:44 tb Exp $ */ /* ==================================================================== * Copyright (c) 2000-2002 The OpenSSL Project. All rights reserved. * @@ -113,3 +113,25 @@ ECDSA_SIG_free(ECDSA_SIG *a) { ASN1_item_free((ASN1_VALUE *)a, &ECDSA_SIG_it); } + +void +ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) +{ + if (pr != NULL) + *pr = sig->r; + if (ps != NULL) + *ps = sig->s; +} + +int +ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) +{ + if (r == NULL || s == NULL) + return 0; + + BN_clear_free(sig->r); + BN_clear_free(sig->s); + sig->r = r; + sig->s = s; + return 1; +} diff --git a/lib/libcrypto/ecdsa/ecs_ossl.c b/lib/libcrypto/ecdsa/ecs_ossl.c index c7f4bcbe03..09f3bf8416 100644 --- a/lib/libcrypto/ecdsa/ecs_ossl.c +++ b/lib/libcrypto/ecdsa/ecs_ossl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecs_ossl.c,v 1.9 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ecs_ossl.c,v 1.9.2.1 2018/06/13 15:08:08 jsing Exp $ */ /* * Written by Nils Larsch for the OpenSSL project */ @@ -273,7 +273,7 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, ECDSAerror(ERR_R_BN_LIB); goto err; } - if (!BN_mod_add_quick(s, tmp, m, order)) { + if (!BN_mod_add(s, tmp, m, order, ctx)) { ECDSAerror(ERR_R_BN_LIB); goto err; } diff --git a/lib/libcrypto/engine/eng_all.c b/lib/libcrypto/engine/eng_all.c index 7640cf7fcd..403ca6865d 100644 --- a/lib/libcrypto/engine/eng_all.c +++ b/lib/libcrypto/engine/eng_all.c @@ -1,4 +1,4 @@ -/* $OpenBSD: eng_all.c,v 1.29 2015/07/19 22:34:27 doug Exp $ */ +/* $OpenBSD: eng_all.c,v 1.30 2018/03/17 16:20:01 beck Exp $ */ /* Written by Richard Levitte for the OpenSSL * project 2000. */ 
@@ -56,17 +56,16 @@ * */ +#include + #include #include "cryptlib.h" #include "eng_int.h" void -ENGINE_load_builtin_engines(void) +ENGINE_load_builtin_engines_internal(void) { - /* Some ENGINEs need this */ - OPENSSL_cpuid_setup(); - #ifndef OPENSSL_NO_STATIC_ENGINE #ifndef OPENSSL_NO_HW #ifndef OPENSSL_NO_HW_PADLOCK @@ -76,3 +75,14 @@ ENGINE_load_builtin_engines(void) #endif ENGINE_register_all_complete(); } + +void +ENGINE_load_builtin_engines(void) +{ + static pthread_once_t once = PTHREAD_ONCE_INIT; + + /* Prayer and clean living lets you ignore errors, OpenSSL style */ + (void) OPENSSL_init_crypto(0, NULL); + + (void) pthread_once(&once, ENGINE_load_builtin_engines_internal); +} diff --git a/lib/libcrypto/engine/eng_lib.c b/lib/libcrypto/engine/eng_lib.c index d2da29fe69..11ad771109 100644 --- a/lib/libcrypto/engine/eng_lib.c +++ b/lib/libcrypto/engine/eng_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: eng_lib.c,v 1.12 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: eng_lib.c,v 1.13 2018/03/17 16:20:01 beck Exp $ */ /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL * project 2000. */ @@ -70,6 +70,9 @@ ENGINE_new(void) { ENGINE *ret; + if (!OPENSSL_init_crypto(0, NULL)) + return NULL; + ret = malloc(sizeof(ENGINE)); if (ret == NULL) { ENGINEerror(ERR_R_MALLOC_FAILURE); diff --git a/lib/libcrypto/err/err.c b/lib/libcrypto/err/err.c index ffe25bf465..320078da66 100644 --- a/lib/libcrypto/err/err.c +++ b/lib/libcrypto/err/err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: err.c,v 1.45 2017/02/20 23:21:19 beck Exp $ */ +/* $OpenBSD: err.c,v 1.46 2018/03/17 16:20:01 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -109,6 +109,7 @@ * */ +#include #include #include #include 
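Review bot: `ENGINE_load_builtin_engines` discards the result of `OPENSSL_init_crypto(0, NULL)` and then runs the engine registration regardless, and the comment on that line does not say why that is safe. The removed `OPENSSL_cpuid_setup()` call carried the remark "Some ENGINEs need this"; if that setup now happens inside `OPENSSL_init_crypto` (not visible here), a failed init would leave engines registered without it. Either return early, `if (!OPENSSL_init_crypto(0, NULL)) return;`, or replace the comment with the actual reason the error can be ignored. The same comment-and-discard pattern is repeated in err.c (`ERR_load_ERR_strings`, `ERR_unload_strings`, `ERR_free_strings`) and names.c (`EVP_CIPHER_do_all`, `EVP_MD_do_all` and their `_sorted` variants).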
@@ -282,6 +283,8 @@ static LHASH_OF(ERR_STATE) *int_thread_hash = NULL; static int int_thread_hash_references = 0; static int int_err_library_number = ERR_LIB_USER; +static pthread_t err_init_thread; + /* Internal function that checks whether "err_fns" is set and if not, sets it to * the defaults. */ static void @@ -650,8 +653,9 @@ ERR_STATE_free(ERR_STATE *s) } void -ERR_load_ERR_strings(void) +ERR_load_ERR_strings_internal(void) { + err_init_thread = pthread_self(); err_fns_check(); #ifndef OPENSSL_NO_ERR err_load_strings(0, ERR_str_libraries); @@ -662,6 +666,21 @@ ERR_load_ERR_strings(void) #endif } + +void +ERR_load_ERR_strings(void) +{ + static pthread_once_t once = PTHREAD_ONCE_INIT; + + if (pthread_equal(pthread_self(), err_init_thread)) + return; /* don't recurse */ + + /* Prayer and clean living lets you ignore errors, OpenSSL style */ + (void) OPENSSL_init_crypto(0, NULL); + + (void) pthread_once(&once, ERR_load_ERR_strings_internal); +} + static void err_load_strings(int lib, ERR_STRING_DATA *str) { @@ -683,6 +702,9 @@ ERR_load_strings(int lib, ERR_STRING_DATA *str) void ERR_unload_strings(int lib, ERR_STRING_DATA *str) { + /* Prayer and clean living lets you ignore errors, OpenSSL style */ + (void) OPENSSL_init_crypto(0, NULL); + while (str->error) { if (lib) str->error |= ERR_PACK(lib, 0, 0); @@ -694,6 +716,9 @@ ERR_unload_strings(int lib, ERR_STRING_DATA *str) void ERR_free_strings(void) { + /* Prayer and clean living lets you ignore errors, OpenSSL style */ + (void) OPENSSL_init_crypto(0, NULL); + err_fns_check(); ERRFN(err_del)(); } @@ -953,6 +978,9 @@ ERR_lib_error_string(unsigned long e) ERR_STRING_DATA d, *p; unsigned long l; + if (!OPENSSL_init_crypto(0, NULL)) + return NULL; + err_fns_check(); l = ERR_GET_LIB(e); d.error = ERR_PACK(l, 0, 0); diff --git a/lib/libcrypto/err/err_all.c b/lib/libcrypto/err/err_all.c index 40009cbe88..24de3c9c15 100644 --- a/lib/libcrypto/err/err_all.c +++ b/lib/libcrypto/err/err_all.c 
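Review bot: The recursion guard in the new `ERR_load_ERR_strings` compares `pthread_self()` with `err_init_thread` before that variable has ever been assigned, and reads it with no synchronisation against the write in `ERR_load_ERR_strings_internal`. `pthread_equal` is only specified for valid thread IDs, so comparing against a zero-initialised `pthread_t` relies on platform behaviour, and the unsynchronised read is formally a data race. A separate flag that is set only while the internal loader runs, or at least a comment next to `static pthread_t err_init_thread;` stating what a stale or never-written value is assumed to compare as, would make the assumption reviewable. After initialisation the initialising thread also returns early on every later call and so never reaches `OPENSSL_init_crypto` from here.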
@@ -1,4 +1,4 @@ -/* $OpenBSD: err_all.c,v 1.23 2016/10/19 16:49:11 jsing Exp $ */ +/* $OpenBSD: err_all.c,v 1.24 2018/03/17 16:20:01 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,6 +56,7 @@ * [including the GNU Public Licence.] */ +#include #include #include @@ -103,11 +104,13 @@ #include #endif -void -ERR_load_crypto_strings(void) +void ERR_load_ERR_strings_internal(void); + +static void +ERR_load_crypto_strings_internal(void) { #ifndef OPENSSL_NO_ERR - ERR_load_ERR_strings(); /* include error strings for SYSerr */ + ERR_load_ERR_strings_internal(); /* include error strings for SYSerr */ ERR_load_BN_strings(); #ifndef OPENSSL_NO_RSA ERR_load_RSA_strings(); @@ -153,3 +156,10 @@ ERR_load_crypto_strings(void) #endif #endif } + +void +ERR_load_crypto_strings(void) +{ + static pthread_once_t loaded = PTHREAD_ONCE_INIT; + (void) pthread_once(&loaded, ERR_load_crypto_strings_internal); +} diff --git a/lib/libcrypto/evp/c_all.c b/lib/libcrypto/evp/c_all.c index 8ab93fece8..87657eded3 100644 --- a/lib/libcrypto/evp/c_all.c +++ b/lib/libcrypto/evp/c_all.c @@ -1,4 +1,4 @@ -/* $OpenBSD: c_all.c,v 1.21 2017/03/01 13:53:58 jsing Exp $ */ +/* $OpenBSD: c_all.c,v 1.22 2018/03/17 16:20:01 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -57,6 +57,7 @@ */ #include +#include #include @@ -66,8 +67,8 @@ #include "cryptlib.h" -void -OpenSSL_add_all_ciphers(void) +static void +OpenSSL_add_all_ciphers_internal(void) { #ifndef OPENSSL_NO_DES EVP_add_cipher(EVP_des_cfb()); @@ -226,7 +227,14 @@ OpenSSL_add_all_ciphers(void) } void -OpenSSL_add_all_digests(void) +OpenSSL_add_all_ciphers(void) +{ + static pthread_once_t add_all_ciphers_once = PTHREAD_ONCE_INIT; + (void) pthread_once(&add_all_ciphers_once, OpenSSL_add_all_ciphers_internal); +} + +static void +OpenSSL_add_all_digests_internal(void) { #ifndef OPENSSL_NO_MD4 EVP_add_digest(EVP_md4()); 
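Review bot: `ERR_load_crypto_strings_internal` in err_all.c calls `ERR_load_ERR_strings_internal()` directly, so that loader can run once from here and once more through the `pthread_once` in err.c's `ERR_load_ERR_strings`, each guarded by a different once-control. That is only safe if `err_load_strings` tolerates being run twice, possibly from two threads at once, which is not visible in this diff; each run also overwrites `err_init_thread`, which the recursion guard in err.c reads. The prototype is declared ad hoc in this file, `void ERR_load_ERR_strings_internal(void);`; moving it to a shared internal header would let the compiler catch a signature drift.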
@@ -284,6 +292,13 @@ OpenSSL_add_all_digests(void) } void +OpenSSL_add_all_digests(void) +{ + static pthread_once_t add_all_digests_once = PTHREAD_ONCE_INIT; + (void) pthread_once(&add_all_digests_once, OpenSSL_add_all_digests_internal); +} + +void OPENSSL_add_all_algorithms_noconf(void) { OPENSSL_cpuid_setup(); diff --git a/lib/libcrypto/evp/digest.c b/lib/libcrypto/evp/digest.c index 7471c1e822..b69a928ab8 100644 --- a/lib/libcrypto/evp/digest.c +++ b/lib/libcrypto/evp/digest.c @@ -1,4 +1,4 @@ -/* $OpenBSD: digest.c,v 1.28 2017/05/02 03:59:44 deraadt Exp $ */ +/* $OpenBSD: digest.c,v 1.29 2018/02/17 14:55:31 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -122,18 +122,6 @@ #include #endif -void -EVP_MD_CTX_init(EVP_MD_CTX *ctx) -{ - memset(ctx, 0, sizeof *ctx); -} - -EVP_MD_CTX * -EVP_MD_CTX_create(void) -{ - return calloc(1, sizeof(EVP_MD_CTX)); -} - int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type) { @@ -339,20 +327,53 @@ EVP_Digest(const void *data, size_t count, return ret; } +EVP_MD_CTX * +EVP_MD_CTX_new(void) +{ + return calloc(1, sizeof(EVP_MD_CTX)); +} + +void +EVP_MD_CTX_free(EVP_MD_CTX *ctx) +{ + if (ctx == NULL) + return; + + EVP_MD_CTX_cleanup(ctx); + + free(ctx); +} + +void +EVP_MD_CTX_init(EVP_MD_CTX *ctx) +{ + memset(ctx, 0, sizeof(*ctx)); +} + +int +EVP_MD_CTX_reset(EVP_MD_CTX *ctx) +{ + return EVP_MD_CTX_cleanup(ctx); +} + +EVP_MD_CTX * +EVP_MD_CTX_create(void) +{ + return EVP_MD_CTX_new(); +} + void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) { - if (ctx) { - EVP_MD_CTX_cleanup(ctx); - free(ctx); - } + EVP_MD_CTX_free(ctx); } /* This call frees resources associated with the context */ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) { - /* Don't assume ctx->md_data was cleaned in EVP_Digest_Final, + /* + * Don't assume ctx->md_data was cleaned in EVP_Digest_Final, * because sometimes only copies of the context are ever finalised. */ if (ctx->digest && ctx->digest->cleanup && 
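Review bot: The wipe that the new `EVP_MD_CTX_free` in digest.c relies on can be optimised away: it calls `EVP_MD_CTX_cleanup(ctx)` immediately before `free(ctx)`, and cleanup ends (next hunk) with a plain `memset(ctx, 0, sizeof(*ctx))`. When cleanup is inlined in the same translation unit a compiler may treat that store as dead. `HMAC_CTX_cleanup` in hmac.c uses `explicit_bzero(ctx, sizeof(*ctx));` for the same job, and using it here would keep the wipe; how sensitive the remaining `EVP_MD_CTX` fields are is not visible in this hunk. `EVP_MD_CTX_reset` also reaches `ctx->digest` through cleanup without the NULL check that `EVP_MD_CTX_free` has.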
@@ -368,7 +389,7 @@ EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) * functional reference we held for this reason. */ ENGINE_finish(ctx->engine); #endif - memset(ctx, 0, sizeof *ctx); + memset(ctx, 0, sizeof(*ctx)); return 1; } diff --git a/lib/libcrypto/evp/evp.h b/lib/libcrypto/evp/evp.h index 853abe6b8e..e12e771cc5 100644 --- a/lib/libcrypto/evp/evp.h +++ b/lib/libcrypto/evp/evp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: evp.h,v 1.53 2017/08/28 17:48:02 jsing Exp $ */ +/* $OpenBSD: evp.h,v 1.58 2018/02/20 18:05:28 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -535,15 +535,19 @@ int EVP_Cipher(EVP_CIPHER_CTX *c, unsigned char *out, const unsigned char *in, #define EVP_delete_digest_alias(alias) \ OBJ_NAME_remove(alias,OBJ_NAME_TYPE_MD_METH|OBJ_NAME_ALIAS); +EVP_MD_CTX *EVP_MD_CTX_new(void); +void EVP_MD_CTX_free(EVP_MD_CTX *ctx); void EVP_MD_CTX_init(EVP_MD_CTX *ctx); -int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx); +int EVP_MD_CTX_reset(EVP_MD_CTX *ctx); EVP_MD_CTX *EVP_MD_CTX_create(void); void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx); +int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx); int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in); void EVP_MD_CTX_set_flags(EVP_MD_CTX *ctx, int flags); void EVP_MD_CTX_clear_flags(EVP_MD_CTX *ctx, int flags); int EVP_MD_CTX_ctrl(EVP_MD_CTX *ctx, int type, int arg, void *ptr); int EVP_MD_CTX_test_flags(const EVP_MD_CTX *ctx, int flags); + int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl); int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt); int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s); 
@@ -640,6 +644,7 @@ void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a); int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a); EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void); void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *a); +int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *a); int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen); int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *c, int pad); int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr); @@ -870,23 +875,27 @@ void *EVP_PKEY_get0(EVP_PKEY *pkey); #ifndef OPENSSL_NO_RSA struct rsa_st; -int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, struct rsa_st *key); +struct rsa_st *EVP_PKEY_get0_RSA(EVP_PKEY *pkey); struct rsa_st *EVP_PKEY_get1_RSA(EVP_PKEY *pkey); +int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, struct rsa_st *key); #endif #ifndef OPENSSL_NO_DSA struct dsa_st; -int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, struct dsa_st *key); +struct dsa_st *EVP_PKEY_get0_DSA(EVP_PKEY *pkey); struct dsa_st *EVP_PKEY_get1_DSA(EVP_PKEY *pkey); +int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, struct dsa_st *key); #endif #ifndef OPENSSL_NO_DH struct dh_st; -int EVP_PKEY_set1_DH(EVP_PKEY *pkey, struct dh_st *key); +struct dh_st *EVP_PKEY_get0_DH(EVP_PKEY *pkey); struct dh_st *EVP_PKEY_get1_DH(EVP_PKEY *pkey); +int EVP_PKEY_set1_DH(EVP_PKEY *pkey, struct dh_st *key); #endif #ifndef OPENSSL_NO_EC struct ec_key_st; -int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, struct ec_key_st *key); +struct ec_key_st *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey); struct ec_key_st *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey); +int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, struct ec_key_st *key); #endif #ifndef OPENSSL_NO_GOST struct gost_key_st; @@ -894,6 +903,7 @@ struct gost_key_st; EVP_PKEY *EVP_PKEY_new(void); void EVP_PKEY_free(EVP_PKEY *pkey); +int EVP_PKEY_up_ref(EVP_PKEY *pkey); EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp, long length); diff --git a/lib/libcrypto/evp/evp_enc.c b/lib/libcrypto/evp/evp_enc.c index d0a5eb2d5f..de7c690ca7 100644 
--- a/lib/libcrypto/evp/evp_enc.c +++ b/lib/libcrypto/evp/evp_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_enc.c,v 1.36 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: evp_enc.c,v 1.38 2018/02/17 16:54:08 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -75,18 +75,6 @@ #define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl) -void -EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx) -{ - memset(ctx, 0, sizeof(EVP_CIPHER_CTX)); -} - -EVP_CIPHER_CTX * -EVP_CIPHER_CTX_new(void) -{ - return calloc(1, sizeof(EVP_CIPHER_CTX)); -} - int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, const unsigned char *key, const unsigned char *iv, int enc) @@ -258,7 +246,7 @@ EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) } __warn_references(EVP_CipherFinal, - "warning: EVP_CipherFinal is often misused, please use EVP_CipherFinal_ex and EVP_CIPHER_CTX_cleanup"); + "EVP_CipherFinal is often misused, please use EVP_CipherFinal_ex and EVP_CIPHER_CTX_cleanup"); int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) @@ -368,7 +356,7 @@ EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, } __warn_references(EVP_EncryptFinal, - "warning: EVP_EncryptFinal is often misused, please use EVP_EncryptFinal_ex and EVP_CIPHER_CTX_cleanup"); + "EVP_EncryptFinal is often misused, please use EVP_EncryptFinal_ex and EVP_CIPHER_CTX_cleanup"); int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) @@ -483,7 +471,7 @@ EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, } __warn_references(EVP_DecryptFinal, - "warning: EVP_DecryptFinal is often misused, please use EVP_DecryptFinal_ex and EVP_CIPHER_CTX_cleanup"); + "EVP_DecryptFinal is often misused, please use EVP_DecryptFinal_ex and EVP_CIPHER_CTX_cleanup"); int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) 
@@ -548,13 +536,33 @@ EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) return (1); } +EVP_CIPHER_CTX * +EVP_CIPHER_CTX_new(void) +{ + return calloc(1, sizeof(EVP_CIPHER_CTX)); +} + void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) { - if (ctx) { - EVP_CIPHER_CTX_cleanup(ctx); - free(ctx); - } + if (ctx == NULL) + return; + + EVP_CIPHER_CTX_cleanup(ctx); + + free(ctx); +} + +void +EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx) +{ + memset(ctx, 0, sizeof(EVP_CIPHER_CTX)); +} + +int +EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *a) +{ + return EVP_CIPHER_CTX_cleanup(a); } int diff --git a/lib/libcrypto/evp/names.c b/lib/libcrypto/evp/names.c index ebaa3a2f6f..dfcf9ee225 100644 --- a/lib/libcrypto/evp/names.c +++ b/lib/libcrypto/evp/names.c @@ -1,4 +1,4 @@ -/* $OpenBSD: names.c,v 1.13 2017/04/29 21:48:44 jsing Exp $ */ +/* $OpenBSD: names.c,v 1.14 2018/03/17 16:20:01 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -113,6 +113,9 @@ EVP_get_cipherbyname(const char *name) { const EVP_CIPHER *cp; + if (!OPENSSL_init_crypto(0, NULL)) + return NULL; + cp = (const EVP_CIPHER *)OBJ_NAME_get(name, OBJ_NAME_TYPE_CIPHER_METH); return (cp); } @@ -122,6 +125,9 @@ EVP_get_digestbyname(const char *name) { const EVP_MD *cp; + if (!OPENSSL_init_crypto(0, NULL)) + return NULL; + cp = (const EVP_MD *)OBJ_NAME_get(name, OBJ_NAME_TYPE_MD_METH); return (cp); } @@ -167,6 +173,9 @@ EVP_CIPHER_do_all(void (*fn)(const EVP_CIPHER *ciph, const char *from, { struct doall_cipher dc; + /* Prayer and clean living lets you ignore errors, OpenSSL style */ + (void) OPENSSL_init_crypto(0, NULL); + dc.fn = fn; dc.arg = arg; OBJ_NAME_do_all(OBJ_NAME_TYPE_CIPHER_METH, do_all_cipher_fn, &dc); 
@@ -178,6 +187,9 @@ EVP_CIPHER_do_all_sorted(void (*fn)(const EVP_CIPHER *ciph, const char *from, { struct doall_cipher dc; + /* Prayer and clean living lets you ignore errors, OpenSSL style */ + (void) OPENSSL_init_crypto(0, NULL); + dc.fn = fn; dc.arg = arg; OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH, @@ -207,6 +219,9 @@ EVP_MD_do_all(void (*fn)(const EVP_MD *md, const char *from, const char *to, { struct doall_md dc; + /* Prayer and clean living lets you ignore errors, OpenSSL style */ + (void) OPENSSL_init_crypto(0, NULL); + dc.fn = fn; dc.arg = arg; OBJ_NAME_do_all(OBJ_NAME_TYPE_MD_METH, do_all_md_fn, &dc); @@ -218,6 +233,9 @@ EVP_MD_do_all_sorted(void (*fn)(const EVP_MD *md, { struct doall_md dc; + /* Prayer and clean living lets you ignore errors, OpenSSL style */ + (void) OPENSSL_init_crypto(0, NULL); + dc.fn = fn; dc.arg = arg; OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_MD_METH, do_all_md_fn, &dc); diff --git a/lib/libcrypto/evp/p_lib.c b/lib/libcrypto/evp/p_lib.c index 0d4cd26d45..811fe0c86d 100644 --- a/lib/libcrypto/evp/p_lib.c +++ b/lib/libcrypto/evp/p_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p_lib.c,v 1.17 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: p_lib.c,v 1.20 2018/02/20 18:05:28 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -204,6 +204,13 @@ EVP_PKEY_new(void) return (ret); } +int +EVP_PKEY_up_ref(EVP_PKEY *pkey) +{ + int refs = CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY); + return ((refs > 1) ? 1 : 0); +} + /* Setup a public key ASN1 method and ENGINE from a NID or a string. * If pkey is NULL just return 1 or 0 if the algorithm exists. */ 
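Review bot: `EVP_PKEY_up_ref` in p_lib.c leaves the counter incremented even when it reports failure: `CRYPTO_add` runs first and the `refs > 1` test only decides the return value. A 0 return therefore means the count was not positive beforehand, presumably an object already being torn down, yet it now holds a reference nobody owns. A short comment such as `/* returns 1 if pkey was live; after a 0 return pkey must not be used */` would document the contract. `pkey` is also dereferenced without a NULL check.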
@@ -279,13 +286,14 @@ EVP_PKEY_get0(EVP_PKEY *pkey) } #ifndef OPENSSL_NO_RSA -int -EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key) +RSA * +EVP_PKEY_get0_RSA(EVP_PKEY *pkey) { - int ret = EVP_PKEY_assign_RSA(pkey, key); - if (ret) - RSA_up_ref(key); - return ret; + if (pkey->type != EVP_PKEY_RSA) { + EVPerror(EVP_R_EXPECTING_AN_RSA_KEY); + return NULL; + } + return pkey->pkey.rsa; } RSA * @@ -298,17 +306,27 @@ EVP_PKEY_get1_RSA(EVP_PKEY *pkey) RSA_up_ref(pkey->pkey.rsa); return pkey->pkey.rsa; } -#endif -#ifndef OPENSSL_NO_DSA int -EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key) +EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key) { - int ret = EVP_PKEY_assign_DSA(pkey, key); - if (ret) - DSA_up_ref(key); + int ret = EVP_PKEY_assign_RSA(pkey, key); + if (ret != 0) + RSA_up_ref(key); return ret; } +#endif + +#ifndef OPENSSL_NO_DSA +DSA * +EVP_PKEY_get0_DSA(EVP_PKEY *pkey) +{ + if (pkey->type != EVP_PKEY_DSA) { + EVPerror(EVP_R_EXPECTING_A_DSA_KEY); + return NULL; + } + return pkey->pkey.dsa; +} DSA * EVP_PKEY_get1_DSA(EVP_PKEY *pkey) @@ -320,18 +338,27 @@ EVP_PKEY_get1_DSA(EVP_PKEY *pkey) DSA_up_ref(pkey->pkey.dsa); return pkey->pkey.dsa; } -#endif - -#ifndef OPENSSL_NO_EC int -EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key) +EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key) { - int ret = EVP_PKEY_assign_EC_KEY(pkey, key); - if (ret) - EC_KEY_up_ref(key); + int ret = EVP_PKEY_assign_DSA(pkey, key); + if (ret != 0) + DSA_up_ref(key); return ret; } +#endif + +#ifndef OPENSSL_NO_EC +EC_KEY * +EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey) +{ + if (pkey->type != EVP_PKEY_EC) { + EVPerror(EVP_R_EXPECTING_A_EC_KEY); + return NULL; + } + return pkey->pkey.ec; +} EC_KEY * EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey) 
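Review bot: `EVP_PKEY_get0_RSA` returns `pkey->pkey.rsa` without taking a reference, unlike `EVP_PKEY_get1_RSA` just below it, and neither the code nor the evp.h declaration says so. Add a comment, e.g. `/* Borrowed pointer: valid only while pkey is alive; do not RSA_free() it. */`, so callers do not free it or keep it past `EVP_PKEY_free`. The same applies to `EVP_PKEY_get0_DSA`, `EVP_PKEY_get0_EC_KEY` and `EVP_PKEY_get0_DH` in the following hunks. All four read `pkey->type` without a NULL check on `pkey`.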
@@ -343,18 +370,27 @@ EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey) EC_KEY_up_ref(pkey->pkey.ec); return pkey->pkey.ec; } + +int +EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key) +{ + int ret = EVP_PKEY_assign_EC_KEY(pkey, key); + if (ret != 0) + EC_KEY_up_ref(key); + return ret; +} #endif #ifndef OPENSSL_NO_DH - -int -EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key) +DH * +EVP_PKEY_get0_DH(EVP_PKEY *pkey) { - int ret = EVP_PKEY_assign_DH(pkey, key); - if (ret) - DH_up_ref(key); - return ret; + if (pkey->type != EVP_PKEY_DH) { + EVPerror(EVP_R_EXPECTING_A_DH_KEY); + return NULL; + } + return pkey->pkey.dh; } DH * @@ -367,6 +403,15 @@ EVP_PKEY_get1_DH(EVP_PKEY *pkey) DH_up_ref(pkey->pkey.dh); return pkey->pkey.dh; } + +int +EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key) +{ + int ret = EVP_PKEY_assign_DH(pkey, key); + if (ret != 0) + DH_up_ref(key); + return ret; +} #endif int diff --git a/lib/libcrypto/ex_data.c b/lib/libcrypto/ex_data.c index 63885af3af..b1e3913662 100644 --- a/lib/libcrypto/ex_data.c +++ b/lib/libcrypto/ex_data.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ex_data.c,v 1.19 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: ex_data.c,v 1.20 2018/03/17 16:20:01 beck Exp $ */ /* * Overhaul notes; @@ -312,6 +312,8 @@ def_get_class(int class_index) EX_CLASS_ITEM d, *p, *gen; EX_DATA_CHECK(return NULL;) d.class_index = class_index; + if (!OPENSSL_init_crypto(0, NULL)) + return NULL; CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA); p = lh_EX_CLASS_ITEM_retrieve(ex_data, &d); if (!p) { @@ -500,6 +502,7 @@ int_free_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad) EX_CLASS_ITEM *item; void *ptr; CRYPTO_EX_DATA_FUNCS **storage = NULL; + if ((item = def_get_class(class_index)) == NULL) return; CRYPTO_r_lock(CRYPTO_LOCK_EX_DATA); diff --git a/lib/libcrypto/format-pem.pl b/lib/libcrypto/format-pem.pl index 6c689d4978..556178eb30 100644 --- a/lib/libcrypto/format-pem.pl +++ b/lib/libcrypto/format-pem.pl 
@@ -1,5 +1,5 @@ #!/usr/bin/perl -# $OpenBSD: format-pem.pl,v 1.1 2016/12/15 10:23:21 sthen Exp $ +# $OpenBSD: format-pem.pl,v 1.2 2018/03/21 15:23:53 sthen Exp $ # # Copyright (c) 2016 Stuart Henderson # @@ -50,7 +50,11 @@ while(<>) { if ($issuer ne $subj); my $o = `openssl x509 -in $t -noout -nameopt sep_multiline,use_quote,esc_msb -subject`; - $o =~ s/.*O=([^\n]*).*/$1/sm; + if ($o =~ /O=/) { + $o =~ s/.*O=([^\n]*).*/$1/sm; + } else { + $o = $subj; + } if (eval {require Date::Parse;1;}) { my $startdate = `openssl x509 -in $t -startdate -noout`; diff --git a/lib/libcrypto/hmac/hmac.c b/lib/libcrypto/hmac/hmac.c index 84917662ca..7bf17eed96 100644 --- a/lib/libcrypto/hmac/hmac.c +++ b/lib/libcrypto/hmac/hmac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: hmac.c,v 1.24 2017/03/03 10:39:07 inoguchi Exp $ */ +/* $OpenBSD: hmac.c,v 1.25 2018/02/17 14:53:58 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -171,6 +171,38 @@ err: return 0; } +HMAC_CTX * +HMAC_CTX_new(void) +{ + HMAC_CTX *ctx; + + if ((ctx = calloc(1, sizeof(*ctx))) == NULL) + return NULL; + + HMAC_CTX_init(ctx); + + return ctx; +} + +void +HMAC_CTX_free(HMAC_CTX *ctx) +{ + if (ctx == NULL) + return; + + HMAC_CTX_cleanup(ctx); + + free(ctx); +} + +int +HMAC_CTX_reset(HMAC_CTX *ctx) +{ + HMAC_CTX_cleanup(ctx); + HMAC_CTX_init(ctx); + return 1; +} + void HMAC_CTX_init(HMAC_CTX *ctx) { @@ -206,6 +238,20 @@ HMAC_CTX_cleanup(HMAC_CTX *ctx) explicit_bzero(ctx, sizeof(*ctx)); } +void +HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags) +{ + EVP_MD_CTX_set_flags(&ctx->i_ctx, flags); + EVP_MD_CTX_set_flags(&ctx->o_ctx, flags); + EVP_MD_CTX_set_flags(&ctx->md_ctx, flags); +} + +const EVP_MD * +HMAC_CTX_get_md(const HMAC_CTX *ctx) +{ + return ctx->md; +} + unsigned char * HMAC(const EVP_MD *evp_md, const void *key, int key_len, const unsigned char *d, size_t n, unsigned char *md, unsigned int *md_len) 
@@ -228,11 +274,3 @@ err: HMAC_CTX_cleanup(&c); return NULL; } - -void -HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags) -{ - EVP_MD_CTX_set_flags(&ctx->i_ctx, flags); - EVP_MD_CTX_set_flags(&ctx->o_ctx, flags); - EVP_MD_CTX_set_flags(&ctx->md_ctx, flags); -} diff --git a/lib/libcrypto/hmac/hmac.h b/lib/libcrypto/hmac/hmac.h index f3418b3cb7..e787c62ac8 100644 --- a/lib/libcrypto/hmac/hmac.h +++ b/lib/libcrypto/hmac/hmac.h @@ -1,4 +1,4 @@ -/* $OpenBSD: hmac.h,v 1.12 2014/06/21 13:39:46 jsing Exp $ */ +/* $OpenBSD: hmac.h,v 1.13 2018/02/17 14:53:59 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -83,8 +83,10 @@ typedef struct hmac_ctx_st { #define HMAC_size(e) (EVP_MD_size((e)->md)) - +HMAC_CTX *HMAC_CTX_new(void); +void HMAC_CTX_free(HMAC_CTX *ctx); void HMAC_CTX_init(HMAC_CTX *ctx); +int HMAC_CTX_reset(HMAC_CTX *ctx); void HMAC_CTX_cleanup(HMAC_CTX *ctx); #define HMAC_cleanup(ctx) HMAC_CTX_cleanup(ctx) /* deprecated */ @@ -100,6 +102,7 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len, int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx); void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags); +const EVP_MD *HMAC_CTX_get_md(const HMAC_CTX *ctx); #ifdef __cplusplus } diff --git a/lib/libcrypto/man/ACCESS_DESCRIPTION_new.3 b/lib/libcrypto/man/ACCESS_DESCRIPTION_new.3 index a7d894ae49..2c0a67134c 100644 --- a/lib/libcrypto/man/ACCESS_DESCRIPTION_new.3 +++ b/lib/libcrypto/man/ACCESS_DESCRIPTION_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ACCESS_DESCRIPTION_new.3,v 1.3 2016/12/28 18:31:33 jmc Exp $ +.\" $OpenBSD: ACCESS_DESCRIPTION_new.3,v 1.4 2018/03/22 16:06:33 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 28 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt ACCESS_DESCRIPTION_NEW 3 .Os .Sh NAME 
@@ -140,3 +140,11 @@ RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol .Pp RFC 3161: Internet X.509 Public Key Infrastructure Time-Stamp Protocol +.Sh HISTORY +.Fn ACCESS_DESCRIPTION_new , +.Fn ACCESS_DESCRIPTION_free , +.Fn AUTHORITY_INFO_ACCESS_new , +and +.Fn AUTHORITY_INFO_ACCESS_free +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . diff --git a/lib/libcrypto/man/ASN1_OBJECT_new.3 b/lib/libcrypto/man/ASN1_OBJECT_new.3 index e7c3540b3a..489bbaf5e1 100644 --- a/lib/libcrypto/man/ASN1_OBJECT_new.3 +++ b/lib/libcrypto/man/ASN1_OBJECT_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ASN1_OBJECT_new.3,v 1.8 2017/01/04 05:14:51 schwarze Exp $ +.\" $OpenBSD: ASN1_OBJECT_new.3,v 1.9 2018/03/20 18:35:13 schwarze Exp $ .\" OpenSSL 99d63d4 Mar 19 12:28:58 2016 -0400 .\" .\" This file is a derived work. @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 4 2017 $ +.Dd $Mdocdate: March 20 2018 $ .Dt ASN1_OBJECT_NEW 3 .Os .Sh NAME @@ -137,4 +137,5 @@ Otherwise it returns a pointer to the new object. .Fn ASN1_OBJECT_new and .Fn ASN1_OBJECT_free -are available in all versions of SSLeay and OpenSSL. +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/ASN1_STRING_TABLE_add.3 b/lib/libcrypto/man/ASN1_STRING_TABLE_add.3 index 964f7204d0..cf5741e987 100644 --- a/lib/libcrypto/man/ASN1_STRING_TABLE_add.3 +++ b/lib/libcrypto/man/ASN1_STRING_TABLE_add.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ASN1_STRING_TABLE_add.3,v 1.2 2017/08/20 18:06:42 jmc Exp $ +.\" $OpenBSD: ASN1_STRING_TABLE_add.3,v 1.3 2018/03/22 16:06:33 schwarze Exp $ .\" OpenSSL ASN1_STRING_TABLE_add.pod 7b608d08 Jul 27 01:18:50 2017 +0800 .\" .\" Copyright (c) 2017 Ingo Schwarze 
@@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: August 20 2017 $ +.Dd $Mdocdate: March 22 2018 $ .Dt ASN1_STRING_TABLE_ADD 3 .Os .Sh NAME @@ -88,5 +88,12 @@ if nothing is found. .Xr ASN1_OBJECT_new 3 , .Xr ERR_get_error 3 , .Xr OBJ_nid2obj 3 +.Sh HISTORY +.Fn ASN1_STRING_TABLE_add , +.Fn ASN1_STRING_TABLE_get , +and +.Fn ASN1_STRING_TABLE_cleanup +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . .Sh BUGS Most aspects of the semantics considerably differ from OpenSSL. diff --git a/lib/libcrypto/man/ASN1_STRING_length.3 b/lib/libcrypto/man/ASN1_STRING_length.3 index 2c797481d7..7e10d131fd 100644 --- a/lib/libcrypto/man/ASN1_STRING_length.3 +++ b/lib/libcrypto/man/ASN1_STRING_length.3 
@@ -1,8 +1,25 @@
-.\" $OpenBSD: ASN1_STRING_length.3,v 1.6 2016/12/25 22:15:10 schwarze Exp $
-.\" OpenSSL 99d63d46 Tue Jun 21 07:03:34 2016 -0400
+.\" $OpenBSD: ASN1_STRING_length.3,v 1.13 2018/03/23 23:18:17 schwarze Exp $
+.\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
-.\" This file was written by Dr. Stephen Henson.
-.\" Copyright (c) 2002, 2006, 2013, 2015, 2016 The OpenSSL Project.
+.\" This file is a derived work.
+.\" The changes are covered by the following Copyright and license:
+.\"
+.\" Copyright (c) 2018 Ingo Schwarze
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The original file was written by Dr. Stephen Henson.
+.\" Copyright (c) 2002, 2006, 2013, 2015, 2016, 2017 The OpenSSL Project.
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -49,13 +66,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 25 2016 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt ASN1_STRING_LENGTH 3
 .Os
 .Sh NAME
 .Nm ASN1_STRING_cmp ,
 .Nm ASN1_STRING_data ,
 .Nm ASN1_STRING_dup ,
+.Nm ASN1_STRING_get0_data ,
 .Nm ASN1_STRING_length ,
 .Nm ASN1_STRING_length_set ,
 .Nm ASN1_STRING_set ,
@@ -77,6 +95,10 @@ .Fo ASN1_STRING_dup .Fa "ASN1_STRING *a" .Fc +.Ft const unsigned char * +.Fo ASN1_STRING_get0_data +.Fa "const ASN1_STRING *x" +.Fc .Ft int .Fo ASN1_STRING_length .Fa "ASN1_STRING *x" @@ -107,27 +129,33 @@ These functions manipulate structures. .Pp .Fn ASN1_STRING_cmp -compares +compares the type, the length, and the content of .Fa a and -.Fa b -and returns 0 if the two are identical. -The string types and the content are compared. +.Fa b . .Pp .Fn ASN1_STRING_data -returns an internal pointer to the data of -.Fa x . -Since this is an internal pointer, it should -.Em not -be freed or modified in any way. +is similar to +.Fn ASN1_STRING_get0_data +except that the returned value is not constant. +This function is deprecated. +Applications should use +.Fn ASN1_STRING_get0_data +instead. .Pp .Fn ASN1_STRING_dup -returns a copy of the structure +copies .Fa a . .Pp -.Fn ASN1_STRING_length -returns the length of the content of +.Fn ASN1_STRING_get0_data +returns an internal pointer to the data of .Fa x . +It should not be freed or modified in any way. +.Pp +.Fn ASN1_STRING_length +returns the length attribute of +.Fa x , +measured in bytes. .Pp .Fn ASN1_STRING_length_set sets the length attribute of 
@@ -139,39 +167,46 @@ It may put into an inconsistent internal state. .Pp .Fn ASN1_STRING_set -sets the data of the string +sets the length attribute of .Fa str -to the buffer +to +.Fa len +and copies that number of bytes from .Fa data -of length +into +.Fa str . +If +.Fa len +is -1, then +.Fn strlen data +is used instead of .Fa len . -The supplied data is copied. If +.Fa data +is +.Dv NULL , +the content of +.Fa str +remains uninitialized; that is not considered an error unless .Fa len -is -1 then the length is determined by -.Fn strlen data . +is negative. .Pp .Fn ASN1_STRING_to_UTF8 converts the string .Fa in -to UTF8 format. +to UTF-8 format. The converted data is copied into a newly allocated buffer -.Fa out . -The length of -.Fa out -is returned or a negative error code. +.Pf * Fa out . The buffer -.Fa out +.Pf * Fa out should be freed using .Xr free 3 . .Pp .Fn ASN1_STRING_type returns the type of -.Fa x , -using standard constants such as -.Dv V_ASN1_OCTET_STRING . +.Fa x . .Pp -Almost all ASN.1 types in OpenSSL are represented as +Almost all ASN.1 types are represented as .Vt ASN1_STRING structures. Other types such as 
@@ -198,19 +233,83 @@ types: the relevant INTEGER or ENUMERATED utility functions should be used instead. .Pp In general it cannot be assumed that the data returned by +.Fn ASN1_STRING_get0_data +and .Fn ASN1_STRING_data is NUL terminated, and it may contain embedded NUL characters. -The actual format of the data will depend on the actual string type itself: +The format of the data depends on the string type: for example for an .Vt IA5String -the data will be ASCII, for a +the data contains ASCII characters, a .Vt BMPString two bytes per character in big endian format, and a .Vt UTF8String -will be in UTF8 format. +UTF-8 characters. .Pp -Similar care should be take to ensure the data is in the correct format +Similar care should be taken to ensure the data is in the correct format when calling .Fn ASN1_STRING_set . +.Sh RETURN VALUES +.Fn ASN1_STRING_cmp +returns 0 if the type, the length, and the content of +.Fa a +and +.Fa b +agree, or a non-zero value otherwise. +In contrast to +.Xr strcmp 3 , +the sign of the return value does not indicate lexicographical ordering. +.Pp +.Fn ASN1_STRING_data +and +.Fn ASN1_STRING_get0_data +return an internal pointer to the data of +.Fa x . +.Pp +.Fn ASN1_STRING_dup +returns a pointer to a newly allocated +.Vt ASN1_STRING +structure or +.Dv NULL +if an error occurred. +.Pp +.Fn ASN1_STRING_length +returns a number of bytes. +.Pp +.Fn ASN1_STRING_set +returns 1 on success or 0 on failure. +.Pp +.Fn ASN1_STRING_to_UTF8 +returns the number of bytes in the output buffer +.Pf * Fa out , +or a negative number if an error occurred. +.Pp +.Fn ASN1_STRING_type +returns an integer constant, for example +.Dv V_ASN1_OCTET_STRING . .Sh SEE ALSO .Xr ERR_get_error 3 +.Sh HISTORY +.Fn ASN1_STRING_cmp , +.Fn ASN1_STRING_data , +.Fn ASN1_STRING_dup , +.Fn ASN1_STRING_set , +and +.Fn ASN1_STRING_type +appeared in SSLeay 0.8.1b or earlier. +.Fn ASN1_STRING_length +first appeared in SSLeay 0.9.0. 
+All these functions have been available since
+.Ox 2.4 .
+.Pp
+.Fn ASN1_STRING_length_set
+first appeared in OpenSSL 0.9.5 and has been available since
+.Ox 2.7 .
+.Pp
+.Fn ASN1_STRING_to_UTF8
+first appeared in OpenSSL 0.9.6 and has been available since
+.Ox 2.9 .
+.Pp
+.Fn ASN1_STRING_get0_data
+first appeared in OpenSSL 1.1.0 and has been available since
+.Ox 6.3 .
diff --git a/lib/libcrypto/man/ASN1_STRING_new.3 b/lib/libcrypto/man/ASN1_STRING_new.3
index 589fbb120d..2072622706 100644
--- a/lib/libcrypto/man/ASN1_STRING_new.3
+++ b/lib/libcrypto/man/ASN1_STRING_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_STRING_new.3,v 1.10 2017/01/07 23:15:37 schwarze Exp $
+.\" $OpenBSD: ASN1_STRING_new.3,v 1.14 2018/03/21 17:57:48 schwarze Exp $
 .\" OpenSSL 99d63d46 Tue Mar 24 07:52:24 2015 -0400
 .\"
 .\" Copyright (c) 2017 Ingo Schwarze
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 7 2017 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt ASN1_STRING_NEW 3
 .Os
 .Sh NAME
@@ -206,6 +206,59 @@ if an error occurs.
 .Xr ASN1_TIME_set 3 ,
 .Xr d2i_ASN1_OCTET_STRING 3 ,
 .Xr ERR_get_error 3
+.Sh HISTORY
+.Fn ASN1_STRING_new ,
+.Fn ASN1_STRING_type_new ,
+.Fn ASN1_STRING_free ,
+.Fn ASN1_OCTET_STRING_new ,
+.Fn ASN1_OCTET_STRING_free ,
+.Fn ASN1_BIT_STRING_new ,
+.Fn ASN1_BIT_STRING_free ,
+.Fn ASN1_INTEGER_new ,
+.Fn ASN1_INTEGER_free ,
+.Fn ASN1_IA5STRING_new ,
+.Fn ASN1_IA5STRING_free ,
+.Fn ASN1_UNIVERSALSTRING_new ,
+.Fn ASN1_UNIVERSALSTRING_free ,
+.Fn ASN1_GENERALSTRING_new ,
+.Fn ASN1_GENERALSTRING_free ,
+.Fn ASN1_T61STRING_new ,
+.Fn ASN1_T61STRING_free ,
+.Fn ASN1_PRINTABLESTRING_new ,
+.Fn ASN1_PRINTABLESTRING_free ,
+.Fn ASN1_PRINTABLE_new ,
+.Fn ASN1_PRINTABLE_free ,
+.Fn ASN1_UTCTIME_new ,
+and
+.Fn ASN1_UTCTIME_free
+appeared in SSLeay 0.8.1b or earlier.
+.Fn ASN1_BMPSTRING_new ,
+.Fn ASN1_BMPSTRING_free ,
+.Fn ASN1_GENERALIZEDTIME_new ,
+and
+.Fn ASN1_GENERALIZEDTIME_free
+first appeared in SSLeay 0.9.0.
+All these functions have been available since
+.Ox 2.4 .
+.Pp
+.Fn ASN1_ENUMERATED_new ,
+.Fn ASN1_ENUMERATED_free ,
+.Fn ASN1_TIME_new ,
+and
+.Fn ASN1_TIME_free
+first appeared in OpenSSL 0.9.2b.
+.Fn ASN1_UTF8STRING_new ,
+.Fn ASN1_UTF8STRING_free ,
+.Fn ASN1_VISIBLESTRING_new ,
+.Fn ASN1_VISIBLESTRING_free ,
+.Fn DIRECTORYSTRING_new ,
+.Fn DIRECTORYSTRING_free ,
+.Fn DISPLAYTEXT_new ,
+and
+.Fn DISPLAYTEXT_free
+first appeared in OpenSSL 0.9.3.
+These functions have been available since
+.Ox 2.6 .
 .Sh BUGS
 .Vt ASN1_OCTET_STRING ,
 .Vt ASN1_BIT_STRING ,
diff --git a/lib/libcrypto/man/ASN1_STRING_print_ex.3 b/lib/libcrypto/man/ASN1_STRING_print_ex.3
index 74ddc9703c..a246bbb93b 100644
--- a/lib/libcrypto/man/ASN1_STRING_print_ex.3
+++ b/lib/libcrypto/man/ASN1_STRING_print_ex.3
@@ -1,6 +1,6 @@
-.\" $OpenBSD: ASN1_STRING_print_ex.3,v 1.8 2017/08/20 15:44:22 schwarze Exp $
-.\" OpenSSL ASN1_STRING_print_ex.pod a95d7574 Jul 2 12:16:38 2017 -0400
-.\" OpenSSL ASN1_STRING_print_ex.pod bb9ad09e Jun 6 00:43:05 2016 -0400
+.\" $OpenBSD: ASN1_STRING_print_ex.3,v 1.12 2018/03/22 17:11:04 schwarze Exp $
+.\" full merge up to: OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
+.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
 .\" This file was written by Dr. Stephen Henson.
 .\" Copyright (c) 2002, 2004, 2007, 2013, 2016, 2017 The OpenSSL Project.
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 20 2017 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt ASN1_STRING_PRINT_EX 3
 .Os
 .Sh NAME
@@ -208,5 +208,30 @@ It is equivalent to
 .Dv ASN1_STRFLGS_UTF8_CONVERT |
 .Dv ASN1_STRFLGS_DUMP_UNKNOWN |
 .Dv ASN1_STRFLGS_DUMP_DER .
+.Sh RETURN VALUES
+.Fn ASN1_STRING_print_ex
+and
+.Fn ASN1_STRING_print_ex_fp
+return the number of characters written or \-1 if an error occurred.
+.Pp
+.Fn ASN1_STRING_print
+returns 1 on success or 0 on error.
+.Pp
+.Fn ASN1_tag2str
+returns a static string.
 .Sh SEE ALSO
 .Xr X509_NAME_print_ex 3
+.Sh HISTORY
+.Fn ASN1_STRING_print
+appeared in SSLeay 0.8.1b or earlier and has been available since
+.Ox 2.4 .
+.Pp
+.Fn ASN1_tag2str
+first appeared in OpenSSL 0.9.5 and has been available since
+.Ox 2.7 .
+.Pp
+.Fn ASN1_STRING_print_ex
+and
+.Fn ASN1_STRING_print_ex_fp
+first appeared in OpenSSL 0.9.6 and have been available since
+.Ox 2.9 .
diff --git a/lib/libcrypto/man/ASN1_TIME_set.3 b/lib/libcrypto/man/ASN1_TIME_set.3
index 5fc6edb3db..3d218745b3 100644
--- a/lib/libcrypto/man/ASN1_TIME_set.3
+++ b/lib/libcrypto/man/ASN1_TIME_set.3
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ASN1_TIME_set.3,v 1.3 2017/08/20 17:16:40 schwarze Exp $ +.\" $OpenBSD: ASN1_TIME_set.3,v 1.10 2018/03/23 23:18:17 schwarze Exp $ .\" OpenSSL ASN1_TIME_set.pod cf37aaa3 Aug 4 11:24:03 2017 +1000 .\" OpenSSL ASN1_TIME_set.pod e9b77246 Jan 20 19:58:49 2017 +0100 .\" @@ -50,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 20 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt ASN1_TIME_SET 3 .Os .Sh NAME @@ -396,8 +396,43 @@ ASN1_STRING_free(tm); BIO_free(b); .Ed .Sh HISTORY -.Fn ASN1_TIME_cmp_time_t -first appeared in OpenSSL 1.1.1. +.Fn ASN1_UTCTIME_set , +.Fn ASN1_UTCTIME_check , +and +.Fn ASN1_UTCTIME_print +appeared in SSLeay 0.8.1b or earlier. +.Fn ASN1_UTCTIME_set_string +first appeared in SSLeay 0.9.0. +All these functions have been available since +.Ox 2.4 . +.Pp +.Fn ASN1_TIME_set , +.Fn ASN1_GENERALIZEDTIME_set , +.Fn ASN1_GENERALIZEDTIME_set_string , +.Fn ASN1_GENERALIZEDTIME_check , +.Fn ASN1_TIME_print , +and +.Fn ASN1_GENERALIZEDTIME_print +first appeared in OpenSSL 0.9.2b and have been available since +.Ox 2.6 . +.Pp +.Fn ASN1_UTCTIME_cmp_time_t +first appeared in OpenSSL 0.9.6 and has been available since +.Ox 2.9 . +.Pp +.Fn ASN1_TIME_check +and +.Fn ASN1_TIME_to_generalizedtime +first appeared in OpenSSL 0.9.7 and have been available since +.Ox 3.2 . +.Pp +.Fn ASN1_TIME_adj , +.Fn ASN1_UTCTIME_adj , +.Fn ASN1_GENERALIZEDTIME_adj , +and +.Fn ASN1_TIME_set_string +first appeared in OpenSSL 1.0.0 and have been available since +.Ox 4.9 . .Sh CAVEATS Some applications add offset times directly to a .Vt time_t diff --git a/lib/libcrypto/man/ASN1_TYPE_get.3 b/lib/libcrypto/man/ASN1_TYPE_get.3 index 47ea1cdfc6..aae3bc8ee4 100644 --- a/lib/libcrypto/man/ASN1_TYPE_get.3 +++ b/lib/libcrypto/man/ASN1_TYPE_get.3 
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_TYPE_get.3,v 1.3 2017/01/03 20:15:47 schwarze Exp $
+.\" $OpenBSD: ASN1_TYPE_get.3,v 1.6 2018/03/23 02:20:16 schwarze Exp $
 .\" OpenSSL 99d63d46 Mon Jun 6 00:43:05 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 3 2017 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt ASN1_TYPE_GET 3
 .Os
 .Sh NAME
@@ -278,3 +278,19 @@ returns 0 for a match or non-zero for a mismatch.
 .Xr ASN1_STRING_dup 3 ,
 .Xr d2i_ASN1_TYPE 3 ,
 .Xr OBJ_dup 3
+.Sh HISTORY
+.Fn ASN1_TYPE_new ,
+.Fn ASN1_TYPE_free ,
+.Fn ASN1_TYPE_get ,
+and
+.Fn ASN1_TYPE_set
+appeared in SSLeay 0.8.1b or earlier and have been available since
+.Ox 2.4 .
+.Pp
+.Fn ASN1_TYPE_set1
+first appeared in OpenSSL 0.9.8h and has been available since
+.Ox 4.5 .
+.Pp
+.Fn ASN1_TYPE_cmp
+first appeared in OpenSSL 0.9.8zd and has been available since
+.Ox 4.9 .
diff --git a/lib/libcrypto/man/ASN1_generate_nconf.3 b/lib/libcrypto/man/ASN1_generate_nconf.3
index 5e1ba0a817..cc0e6fc060 100644
--- a/lib/libcrypto/man/ASN1_generate_nconf.3
+++ b/lib/libcrypto/man/ASN1_generate_nconf.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_generate_nconf.3,v 1.9 2016/12/25 22:15:10 schwarze Exp $
+.\" $OpenBSD: ASN1_generate_nconf.3,v 1.10 2018/03/23 00:09:11 schwarze Exp $
 .\" OpenSSL 05ea606a Fri May 20 20:52:46 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 25 2016 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt ASN1_GENERATE_NCONF 3
 .Os
 .Sh NAME
@@ -389,4 +389,5 @@ e=INTEGER:0x010001
 .Fn ASN1_generate_nconf
 and
 .Fn ASN1_generate_v3
-were added to OpenSSL 0.9.8.
+first appeared in OpenSSL 0.9.8 and have been available since
+.Ox 4.5 .
diff --git a/lib/libcrypto/man/ASN1_item_d2i.3 b/lib/libcrypto/man/ASN1_item_d2i.3
index 4bdaf4bad4..1dce2d23c2 100644
--- a/lib/libcrypto/man/ASN1_item_d2i.3
+++ b/lib/libcrypto/man/ASN1_item_d2i.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_item_d2i.3,v 1.4 2017/01/03 23:56:50 schwarze Exp $
+.\" $OpenBSD: ASN1_item_d2i.3,v 1.7 2018/03/23 04:34:23 schwarze Exp $
 .\" OpenSSL doc/man3/d2i_X509.pod b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 3 2017 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt ASN1_ITEM_D2I 3
 .Os
 .Sh NAME
@@ -363,6 +363,27 @@ if (d2i_X509(&x, &p, len) == NULL)
 .Sh SEE ALSO
 .Xr ASN1_item_new 3 ,
 .Xr ASN1_TYPE_new 3
+.Sh HISTORY
+.Fn d2i_ASN1_TYPE
+and
+.Fn i2d_ASN1_TYPE
+appeared in SSLeay 0.8.1b or earlier and have been available since
+.Ox 2.4 .
+.Pp
+.Fn ASN1_item_d2i ,
+.Fn ASN1_item_d2i_bio ,
+.Fn ASN1_item_d2i_fp ,
+.Fn ASN1_item_i2d ,
+.Fn ASN1_item_i2d_bio ,
+.Fn ASN1_item_i2d_fp ,
+and
+.Fn ASN1_item_dup
+first appeared in OpenSSL 0.9.7 and have been available since
+.Ox 3.2 .
+.Pp
+.Fn ASN1_item_print
+first appeared in OpenSSL 1.0.0 and has been available since
+.Ox 4.9 .
 .Sh CAVEATS
 If the type described by
 .Fa it
diff --git a/lib/libcrypto/man/ASN1_item_new.3 b/lib/libcrypto/man/ASN1_item_new.3
index e679815751..259deaca56 100644
--- a/lib/libcrypto/man/ASN1_item_new.3
+++ b/lib/libcrypto/man/ASN1_item_new.3
@@ -1,6 +1,6 @@
-.\" $OpenBSD: ASN1_item_new.3,v 1.2 2017/01/03 20:15:47 schwarze Exp $
+.\" $OpenBSD: ASN1_item_new.3,v 1.4 2018/03/22 21:08:22 schwarze Exp $
 .\"
-.\" Copyright (c) 2016 Ingo Schwarze
+.\" Copyright (c) 2016, 2018 Ingo Schwarze
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: January 3 2017 $ +.Dd $Mdocdate: March 22 2018 $ .Dt ASN1_ITEM_NEW 3 .Os .Sh NAME @@ -38,8 +38,17 @@ allocates and initializes an empty ASN.1 value of the type described by the global static object .Fa it . .Pp +If the item type described by +.Fa it +is reference counted, +.Fn ASN1_item_free +decrements the reference count of +.Fa val_in . +Otherwise, or if the reference count reaches 0, .Fn ASN1_item_free -frees an ASN.1 value of the type described by +frees +.Fa val_in , +assuming that it is of the type described by .Fa it . If the true type of .Fa val_in @@ -98,6 +107,12 @@ if an error occurs. .Xr ASN1_TYPE_new 3 , .Xr d2i_ASN1_NULL 3 , .Xr OBJ_nid2obj 3 +.Sh HISTORY +.Fn ASN1_item_new +and +.Fn ASN1_item_free +first appeared in OpenSSL 0.9.7 and have been available since +.Ox 3.2 . .Sh BUGS The .Vt ASN1_VALUE diff --git a/lib/libcrypto/man/ASN1_time_parse.3 b/lib/libcrypto/man/ASN1_time_parse.3 index 9109cbd748..8604e18123 100644 --- a/lib/libcrypto/man/ASN1_time_parse.3 +++ b/lib/libcrypto/man/ASN1_time_parse.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ASN1_time_parse.3,v 1.5 2017/05/06 18:07:46 jmc Exp $ +.\" $OpenBSD: ASN1_time_parse.3,v 1.7 2018/03/23 23:18:17 schwarze Exp $ .\" .\" Copyright (c) 2016 Bob Beck .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: May 6 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt ASN1_TIME_PARSE 3 .Os .Sh NAME @@ -73,7 +73,7 @@ sets the structure .Fa s to the time represented by the -.Vt strict tm +.Vt struct tm value pointed to by .Fa tm . If 
@@ -125,3 +125,13 @@ returns a pointer to an structure or .Dv NULL if an error occurred. +.Sh HISTORY +.Fn ASN1_time_parse +and +.Fn ASN1_time_tm_cmp +first appeared in +.Ox 6.1 +and +.Fn ASN1_TIME_set_tm +in +.Ox 6.2 . diff --git a/lib/libcrypto/man/AUTHORITY_KEYID_new.3 b/lib/libcrypto/man/AUTHORITY_KEYID_new.3 index 94d6e14abb..846be074ec 100644 --- a/lib/libcrypto/man/AUTHORITY_KEYID_new.3 +++ b/lib/libcrypto/man/AUTHORITY_KEYID_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: AUTHORITY_KEYID_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: AUTHORITY_KEYID_new.3,v 1.3 2018/03/21 16:09:51 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt AUTHORITY_KEYID_NEW 3 .Os .Sh NAME @@ -64,3 +64,9 @@ section 4.2.1.1: Certificate Extensions: Authority Key Identifier .It section 5.2.1: CRL Extensions: Authority Key Identifier .El +.Sh HISTORY +.Fn AUTHORITY_KEYID_new +and +.Fn AUTHORITY_KEYID_free +first appeared in OpenSSL 0.9.2b and have been available since +.Ox 2.6 . diff --git a/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3 b/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3 index c133bb1c35..edc3f54484 100644 --- a/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3 +++ b/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BASIC_CONSTRAINTS_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: BASIC_CONSTRAINTS_new.3,v 1.3 2018/03/21 16:09:51 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt BASIC_CONSTRAINTS_NEW 3 .Os .Sh NAME 
@@ -78,3 +78,9 @@ section 4.2.1.9: Basic Constraints .It section 6.1: Basic Path Validation .El +.Sh HISTORY +.Fn BASIC_CONSTRAINTS_new +and +.Fn BASIC_CONSTRAINTS_free +first appeared in OpenSSL 0.9.2b and have been available since +.Ox 2.6 . diff --git a/lib/libcrypto/man/BF_set_key.3 b/lib/libcrypto/man/BF_set_key.3 index ef5c7764b8..7c75a17c69 100644 --- a/lib/libcrypto/man/BF_set_key.3 +++ b/lib/libcrypto/man/BF_set_key.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BF_set_key.3,v 1.5 2016/11/11 01:20:53 schwarze Exp $ +.\" $OpenBSD: BF_set_key.3,v 1.7 2018/03/21 05:49:43 schwarze Exp $ .\" OpenSSL 99d63d46 Jul 19 09:27:53 2016 -0400 .\" .\" This file was written by Richard Levitte . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 11 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt BF_SET_KEY 3 .Os .Sh NAME @@ -258,4 +258,8 @@ Be aware that these functions take each 32-bit chunk in host-byte order, which is little-endian on little-endian platforms and big-endian on big-endian ones. .Sh HISTORY -The Blowfish functions are available in all versions of SSLeay and OpenSSL. +This Blowfish implementation first appeared in SSLeay 0.6.6. +.Fn BF_decrypt +first appeared in SSLeay 0.9.0. +All these functions have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/BIO_ctrl.3 b/lib/libcrypto/man/BIO_ctrl.3 index 7d1c5da600..a32ed80da7 100644 --- a/lib/libcrypto/man/BIO_ctrl.3 +++ b/lib/libcrypto/man/BIO_ctrl.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BIO_ctrl.3,v 1.7 2017/08/01 14:57:03 schwarze Exp $ +.\" $OpenBSD: BIO_ctrl.3,v 1.13 2018/03/22 16:06:33 schwarze Exp $ .\" OpenSSL b055fceb Thu Oct 20 09:56:18 2016 +0100 .\" .\" This file was written by Dr. Stephen Henson . 
@@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 1 2017 $ +.Dd $Mdocdate: March 22 2018 $ .Dt BIO_CTRL 3 .Os .Sh NAME @@ -308,7 +308,42 @@ Source/sink BIOs return an 0 if they do not recognize the .Fn BIO_ctrl operation. .Sh SEE ALSO +.Xr BIO_meth_new 3 , .Xr BIO_new 3 +.Sh HISTORY +.Fn BIO_ctrl , +.Fn BIO_reset , +.Fn BIO_flush , +.Fn BIO_eof , +.Fn BIO_set_close , +.Fn BIO_get_close , +.Fn BIO_pending , +and +.Fn BIO_wpending +appeared in SSLeay 0.8.1b or earlier. +.Fn BIO_ptr_ctrl , +.Fn BIO_int_ctrl , +.Fn BIO_get_info_callback +and +.Fn BIO_set_info_callback +first appeared in SSLeay 0.9.0. +All these functions have been available since +.Ox 2.4 . +.Pp +.Fn BIO_seek +and +.Fn BIO_tell +first appeared in SSLeay 0.9.1. +.Fn BIO_ctrl_pending +and +.Fn BIO_ctrl_wpending +first appeared in OpenSSL 0.9.4. +These functions have been available since +.Ox 2.6 . +.Pp +.Fn BIO_callback_ctrl +first appeared in OpenSSL 0.9.5 and has been available since +.Ox 2.7 . .Sh BUGS Some of the return values are ambiguous and care should be taken. In particular a return value of 0 can be returned if an operation diff --git a/lib/libcrypto/man/BIO_f_base64.3 b/lib/libcrypto/man/BIO_f_base64.3 index a3bf74c4fe..f2c489e04b 100644 --- a/lib/libcrypto/man/BIO_f_base64.3 +++ b/lib/libcrypto/man/BIO_f_base64.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BIO_f_base64.3,v 1.7 2017/01/06 03:45:57 schwarze Exp $ +.\" $OpenBSD: BIO_f_base64.3,v 1.8 2018/03/20 23:56:07 schwarze Exp $ .\" OpenSSL fc1d88f0 Wed Jul 2 22:42:40 2014 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 6 2017 $ +.Dd $Mdocdate: March 20 2018 $ .Dt BIO_F_BASE64 3 .Os .Sh NAME 
@@ -122,6 +122,10 @@ BIO_free_all(b64); .Ed .Sh SEE ALSO .Xr BIO_new 3 +.Sh HISTORY +.Fn BIO_f_base64 +appeared in SSLeay 0.8.1b or earlier and has been available since +.Ox 2.4 . .Sh BUGS The ambiguity of EOF in base64-encoded data can cause additional data following the base64-encoded block to be misinterpreted. diff --git a/lib/libcrypto/man/BIO_f_buffer.3 b/lib/libcrypto/man/BIO_f_buffer.3 index a51aafd804..d21089250c 100644 --- a/lib/libcrypto/man/BIO_f_buffer.3 +++ b/lib/libcrypto/man/BIO_f_buffer.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BIO_f_buffer.3,v 1.6 2016/12/06 12:24:33 schwarze Exp $ +.\" $OpenBSD: BIO_f_buffer.3,v 1.8 2018/03/21 06:09:37 schwarze Exp $ .\" OpenSSL 9b86974e Mar 19 12:32:14 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 6 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt BIO_F_BUFFER 3 .Os .Sh NAME @@ -180,3 +180,15 @@ returns 1 if the data was set correctly or 0 if there was an error. .Xr BIO_new 3 , .Xr BIO_pop 3 , .Xr BIO_reset 3 +.Sh HISTORY +.Fn BIO_f_buffer , +.Fn BIO_get_buffer_num_lines , +.Fn BIO_set_read_buffer_size , +.Fn BIO_set_write_buffer_size , +and +.Fn BIO_set_buffer_size +appeared in SSLeay 0.8.1b or earlier. +.Fn BIO_set_buffer_read_data +first appeared in SSLeay 0.9.0. +All these functions have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/BIO_f_cipher.3 b/lib/libcrypto/man/BIO_f_cipher.3 index c2f3972845..5e1ad82122 100644 --- a/lib/libcrypto/man/BIO_f_cipher.3 +++ b/lib/libcrypto/man/BIO_f_cipher.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BIO_f_cipher.3,v 1.6 2016/12/06 14:45:08 schwarze Exp $ +.\" $OpenBSD: BIO_f_cipher.3,v 1.8 2018/03/21 09:03:49 schwarze Exp $ .\" OpenSSL 186bb907 Apr 13 11:05:13 2015 -0700 .\" .\" This file was written by Dr. Stephen Henson . 
@@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 6 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt BIO_F_CIPHER 3 .Os .Sh NAME @@ -162,3 +162,14 @@ returns 1 for a successful decrypt and 0 for failure. currently always returns 1. .Sh SEE ALSO .Xr BIO_new 3 +.Sh HISTORY +.Fn BIO_f_cipher , +.Fn BIO_set_cipher , +and +.Fn BIO_get_cipher_status +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . +.Pp +.Fn BIO_get_cipher_ctx +first appeared in SSLeay 0.9.1 and has been available since +.Ox 2.6 . diff --git a/lib/libcrypto/man/BIO_f_md.3 b/lib/libcrypto/man/BIO_f_md.3 index e522381862..80f9cf434d 100644 --- a/lib/libcrypto/man/BIO_f_md.3 +++ b/lib/libcrypto/man/BIO_f_md.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BIO_f_md.3,v 1.7 2017/01/07 08:46:13 jmc Exp $ +.\" $OpenBSD: BIO_f_md.3,v 1.8 2018/03/20 23:56:07 schwarze Exp $ .\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 7 2017 $ +.Dd $Mdocdate: March 20 2018 $ .Dt BIO_F_MD 3 .Os .Sh NAME @@ -246,6 +246,14 @@ BIO_free_all(bio); .Sh SEE ALSO .Xr BIO_new 3 .Sh HISTORY +.Fn BIO_f_md , +.Fn BIO_set_md , +.Fn BIO_get_md , +and +.Fn BIO_get_md_ctx +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . +.Pp Before OpenSSL 1.0.0, the call to .Fn BIO_get_md_ctx would only work if the diff --git a/lib/libcrypto/man/BIO_f_null.3 b/lib/libcrypto/man/BIO_f_null.3 index f66e2acc2c..9b4ca7276b 100644 --- a/lib/libcrypto/man/BIO_f_null.3 +++ b/lib/libcrypto/man/BIO_f_null.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: BIO_f_null.3,v 1.6 2016/12/06 14:45:08 schwarze Exp $ +.\" $OpenBSD: BIO_f_null.3,v 1.7 2018/03/20 19:33:16 schwarze Exp $ .\" OpenSSL e117a890 Sep 14 12:14:41 2000 +0000 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 6 2016 $ +.Dd $Mdocdate: March 20 2018 $ .Dt BIO_F_NULL 3 .Os .Sh NAME @@ -74,3 +74,7 @@ behaves just as though the BIO was not there. returns the null filter BIO method. .Sh SEE ALSO .Xr BIO_new 3 +.Sh HISTORY +.Fn BIO_f_null +appeared in SSLeay 0.8.1b or earlier and has been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/BIO_find_type.3 b/lib/libcrypto/man/BIO_find_type.3 index ba1abc6ba4..4026d45dd3 100644 --- a/lib/libcrypto/man/BIO_find_type.3 +++ b/lib/libcrypto/man/BIO_find_type.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BIO_find_type.3,v 1.6 2016/12/06 14:45:08 schwarze Exp $ +.\" $OpenBSD: BIO_find_type.3,v 1.8 2018/03/22 17:11:04 schwarze Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 6 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt BIO_FIND_TYPE 3 .Os .Sh NAME @@ -155,6 +155,16 @@ do { .Ed .Sh SEE ALSO .Xr BIO_new 3 +.Sh HISTORY +.Fn BIO_find_type +and +.Fn BIO_method_type +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . +.Pp +.Fn BIO_next +first appeared in OpenSSL 0.9.6 and has been available since +.Ox 2.9 . .Sh BUGS .Fn BIO_find_type in OpenSSL 0.9.5a and earlier could not be safely passed a 
diff --git a/lib/libcrypto/man/ASN1_OBJECT_new.3 b/lib/libcrypto/man/BIO_get_data.3
similarity index 58%
copy from lib/libcrypto/man/ASN1_OBJECT_new.3
copy to lib/libcrypto/man/BIO_get_data.3
index e7c3540b3a..70944255e4 100644
--- a/lib/libcrypto/man/ASN1_OBJECT_new.3
+++ b/lib/libcrypto/man/BIO_get_data.3
@@ -1,10 +1,10 @@
-.\" $OpenBSD: ASN1_OBJECT_new.3,v 1.8 2017/01/04 05:14:51 schwarze Exp $
-.\" OpenSSL 99d63d4 Mar 19 12:28:58 2016 -0400
+.\" $OpenBSD: BIO_get_data.3,v 1.3 2018/03/23 23:18:17 schwarze Exp $
+.\" selective merge up to: OpenSSL e90fc053 Jul 15 09:39:45 2017 -0400
 .\"
 .\" This file is a derived work.
 .\" The changes are covered by the following Copyright and license:
 .\"
-.\" Copyright (c) 2017 Ingo Schwarze
+.\" Copyright (c) 2018 Ingo Schwarze
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -18,8 +18,8 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" The original file was written by Dr. Stephen Henson.
-.\" Copyright (c) 2002, 2006 The OpenSSL Project. All rights reserved.
+.\" The original file was written by Matt Caswell .
+.\" Copyright (c) 2016 The OpenSSL Project. All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -65,76 +65,112 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 4 2017 $
-.Dt ASN1_OBJECT_NEW 3
+.Dd $Mdocdate: March 23 2018 $
+.Dt BIO_GET_DATA 3
 .Os
 .Sh NAME
-.Nm ASN1_OBJECT_new ,
-.Nm ASN1_OBJECT_free
-.Nd ASN.1 object identifiers
+.Nm BIO_set_data ,
+.Nm BIO_get_data ,
+.Nm BIO_set_init ,
+.Nm BIO_set_shutdown ,
+.Nm BIO_get_shutdown
+.Nd manage BIO state information
 .Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft ASN1_OBJECT *
-.Fo ASN1_OBJECT_new
-.Fa void
+.In openssl/bio.h
+.Ft void
+.Fo BIO_set_data
+.Fa "BIO *a"
+.Fa "void *ptr"
+.Fc
+.Ft void *
+.Fo BIO_get_data
+.Fa "BIO *a"
+.Fc
+.Ft void
+.Fo BIO_set_init
+.Fa "BIO *a"
+.Fa "int init"
 .Fc
 .Ft void
-.Fo ASN1_OBJECT_free
-.Fa "ASN1_OBJECT *a"
+.Fo BIO_set_shutdown
+.Fa "BIO *a"
+.Fa "int shutdown"
+.Fc
+.Ft int
+.Fo BIO_get_shutdown
+.Fa "BIO *a"
 .Fc
 .Sh DESCRIPTION
-.Fn ASN1_OBJECT_new
-allocates and initializes an empty
-.Vt ASN1_OBJECT
-object, representing an ASN.1 OBJECT IDENTIFIER.
-It can hold a short name, a long name, a numeric identifier (NID),
-and a sequence of integers identifying a node in the International
-Object Identifier tree as specified in ITU-T recommendation X.660.
-The new object is marked as dynamically allocated.
-.Pp
-Application programs normally use utility functions like
-.Xr OBJ_nid2obj 3
-rather than using
-.Fn ASN1_OBJECT_new
-directly.
+These functions are mainly useful when implementing a custom BIO.
 .Pp
-.Fn ASN1_OBJECT_free
-has the following effects:
-.Pp
-All data contained in
-.Fa a
-that is marked as dynamically allocated is freed,
-and the respective fields of
-.Fa a
-become empty.
-Contained data not marked as dynamically allocated remains intact.
+The
+.Fn BIO_set_data
+function associates the custom data pointed to by
+.Fa ptr
+with the
+.Fa "BIO a" .
+This data can subsequently be retrieved via a call to
+.Fn BIO_get_data .
+This can be used by custom BIOs for storing implementation specific
+information.
 .Pp
-If the object
-.Fa a
-itself is marked as dynamically allocated, it is freed.
-Otherwise, the pointer
+The
+.Fn BIO_set_init
+function sets the
+.Fa init
+flag in
 .Fa a
-remains valid.
+to the specified value.
+A non-zero value indicates that initialisation is complete,
+whilst zero indicates that it is not.
+Often initialisation will complete
+during initial construction of the BIO.
+For some BIOs however, initialisation may not be complete until
+additional steps have been taken, for example through calling custom
+ctrls.
 .Pp
-If
-.Fa a
-is a
-.Dv NULL
-pointer or if neither the object itself nor any of its content
-is marked as dynamically allocated, no action occurs.
+The
+.Fn BIO_set_shutdown
+and
+.Fn BIO_get_shutdown
+functions are low-level interfaces to forcefully set and get the
+.Fa shutdown
+flag of
+.Fa a ,
+circumventing type-dependent sanity checks,
+exclusively intended for implementing a new BIO type.
+The
+.Fa shutdown
+argument must be either
+.Dv BIO_CLOSE
+or
+.Dv BIO_NOCLOSE .
+When merely using a
+.Vt BIO
+object, call
+.Xr BIO_set_close 3
+and
+.Xr BIO_get_close 3
+instead.
 .Sh RETURN VALUES
-If the allocation fails,
-.Fn ASN1_OBJECT_new
-returns
+.Fn BIO_get_data
+returns a pointer to the implementation specific custom data associated
+with
+.Fa a ,
+or
 .Dv NULL
-and sets an error code that can be obtained by
-.Xr ERR_get_error 3 .
-Otherwise it returns a pointer to the new object.
+if none is set.
+.Pp
+.Fn BIO_get_shutdown
+returns the value previously set with
+.Fn BIO_set_shutdown
+or with
+.Xr BIO_set_close 3 .
 .Sh SEE ALSO
-.Xr d2i_ASN1_OBJECT 3 ,
-.Xr OBJ_nid2obj 3
+.Xr BIO_meth_new 3 ,
+.Xr BIO_new 3 ,
+.Xr BIO_set_close 3
 .Sh HISTORY
-.Fn ASN1_OBJECT_new
-and
-.Fn ASN1_OBJECT_free
-are available in all versions of SSLeay and OpenSSL.
+These functions first appeared in OpenSSL 1.1.0
+and have been available since
+.Ox 6.3 .
diff --git a/lib/libcrypto/man/BIO_get_ex_new_index.3 b/lib/libcrypto/man/BIO_get_ex_new_index.3
index b4b9fa082e..ad7c5a308c 100644
--- a/lib/libcrypto/man/BIO_get_ex_new_index.3
+++ b/lib/libcrypto/man/BIO_get_ex_new_index.3
@@ -1,5 +1,6 @@
-.\" $OpenBSD: BIO_get_ex_new_index.3,v 1.3 2017/01/06 20:35:23 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
+.\" $OpenBSD: BIO_get_ex_new_index.3,v 1.8 2018/03/23 00:09:11 schwarze Exp $
+.\" full merge up to: OpenSSL a970b14f Jul 31 18:58:40 2017 -0400
+.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
 .\" This file was written by Rich Salz .
 .\" Copyright (c) 2015, 2016 The OpenSSL Project. All rights reserved.
@@ -48,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 6 2017 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt BIO_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -119,6 +120,48 @@ is a function that calls
 with an offset into the opaque exdata part of the
 .Vt TYPE
 object.
+.Sh RETURN VALUES
+.Fn TYPE_get_new_ex_index
+returns a new index on success or \-1 on error.
+.Pp
+.Fn TYPE_set_ex_data
+returns 1 on success or 0 on error.
+.Pp
+.Fn TYPE_get_ex_data
+returns the application data or
+.Dv NULL
+if an error occurred.
 .Sh SEE ALSO
 .Xr CRYPTO_get_ex_new_index 3 ,
 .Xr RSA_get_ex_new_index 3
+.Sh HISTORY
+.Fn BIO_get_ex_new_index ,
+.Fn BIO_set_ex_data ,
+and
+.Fn BIO_get_ex_data
+first appeared in SSLeay 0.9.0 and have been available since
+.Ox 2.4 .
+.Pp
+.Fn X509_get_ex_new_index ,
+.Fn X509_set_ex_data ,
+and
+.Fn X509_get_ex_data
+first appeared in OpenSSL 0.9.5 and have been available since
+.Ox 2.7 .
+.Pp
+.Fn UI_get_ex_new_index ,
+.Fn UI_set_ex_data ,
+and
+.Fn UI_get_ex_data
+first appeared in OpenSSL 0.9.7 and have been available since
+.Ox 3.2 .
+.Pp
+.Fn ECDH_get_ex_new_index ,
+.Fn ECDH_set_ex_data ,
+.Fn ECDH_get_ex_data ,
+.Fn ECDSA_get_ex_new_index ,
+.Fn ECDSA_set_ex_data ,
+and
+.Fn ECDSA_get_ex_data
+first appeared in OpenSSL 0.9.8 and have been available since
+.Ox 4.5 .
diff --git a/lib/libcrypto/man/BIO_meth_new.3 b/lib/libcrypto/man/BIO_meth_new.3
new file mode 100644
index 0000000000..75d5ff23db
--- /dev/null
+++ b/lib/libcrypto/man/BIO_meth_new.3
@@ -0,0 +1,367 @@
+.\" $OpenBSD: BIO_meth_new.3,v 1.4 2018/03/23 23:18:17 schwarze Exp $
+.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
+.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
+.\"
+.\" This file is a derived work.
+.\" The changes are covered by the following Copyright and license:
+.\"
+.\" Copyright (c) 2018 Ingo Schwarze
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The original file was written by Matt Caswell
+.\" Copyright (c) 2016 The OpenSSL Project. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in
+.\" the documentation and/or other materials provided with the
+.\" distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\" software must display the following acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\" endorse or promote products derived from this software without
+.\" prior written permission. For written permission, please contact
+.\" openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\" nor may "OpenSSL" appear in their names without prior written
+.\" permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\" acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: March 23 2018 $
+.Dt BIO_METH_NEW 3
+.Os
+.Sh NAME
+.Nm BIO_get_new_index ,
+.Nm BIO_meth_new ,
+.Nm BIO_meth_free ,
+.Nm BIO_meth_get_write ,
+.Nm BIO_meth_set_write ,
+.Nm BIO_meth_get_read ,
+.Nm BIO_meth_set_read ,
+.Nm BIO_meth_get_puts ,
+.Nm BIO_meth_set_puts ,
+.Nm BIO_meth_get_gets ,
+.Nm BIO_meth_set_gets ,
+.Nm BIO_meth_get_ctrl ,
+.Nm BIO_meth_set_ctrl ,
+.Nm BIO_meth_get_create ,
+.Nm BIO_meth_set_create ,
+.Nm BIO_meth_get_destroy ,
+.Nm BIO_meth_set_destroy ,
+.Nm BIO_meth_get_callback_ctrl ,
+.Nm BIO_meth_set_callback_ctrl
+.Nd manipulate BIO_METHOD structures
+.Sh SYNOPSIS
+.In openssl/bio.h
+.Ft int
+.Fn BIO_get_new_index void
+.Ft BIO_METHOD *
+.Fo BIO_meth_new
+.Fa "int type"
+.Fa "const char *name"
+.Fc
+.Ft void
+.Fo BIO_meth_free
+.Fa "BIO_METHOD *biom"
+.Fc
+.Ft int
+.Fn "(*BIO_meth_get_write(BIO_METHOD *biom))" "BIO *" "const char *" int
+.Ft int
+.Fo BIO_meth_set_write
+.Fa "BIO_METHOD *biom"
+.Fa "int (*write)(BIO *, const char *, int)"
+.Fc
+.Ft int
+.Fn "(*BIO_meth_get_read(BIO_METHOD *biom))" "BIO *" "char *" int
+.Ft int
+.Fo BIO_meth_set_read
+.Fa "BIO_METHOD *biom"
+.Fa "int (*read)(BIO *, char *, int)"
+.Fc
+.Ft int
+.Fn "(*BIO_meth_get_puts(BIO_METHOD *biom))" "BIO *" "const char *"
+.Ft int
+.Fo BIO_meth_set_puts
+.Fa "BIO_METHOD *biom"
+.Fa "int (*puts)(BIO *, const char *)"
+.Fc
+.Ft int
+.Fn "(*BIO_meth_get_gets(BIO_METHOD *biom))" "BIO *" "char *" int
+.Ft int
+.Fo BIO_meth_set_gets
+.Fa "BIO_METHOD *biom"
+.Fa "int (*gets)(BIO *, char *, int)"
+.Fc
+.Ft long
+.Fn "(*BIO_meth_get_ctrl(BIO_METHOD *biom))" "BIO *" int long "void *"
+.Ft int
+.Fo BIO_meth_set_ctrl
+.Fa "BIO_METHOD *biom"
+.Fa "long (*ctrl)(BIO *, int, long, void *)"
+.Fc
+.Ft int
+.Fn "(*BIO_meth_get_create(BIO_METHOD *biom))" "BIO *"
+.Ft int
+.Fo BIO_meth_set_create
+.Fa "BIO_METHOD *biom"
+.Fa "int (*create)(BIO *)"
+.Fc
+.Ft int
+.Fn "(*BIO_meth_get_destroy(BIO_METHOD *biom))" "BIO *"
+.Ft int
+.Fo BIO_meth_set_destroy
+.Fa "BIO_METHOD *biom"
+.Fa "int (*destroy)(BIO *)"
+.Fc
+.Ft long
+.Fo "(*BIO_meth_get_callback_ctrl(BIO_METHOD *biom))"
+.Fa "BIO *"
+.Fa int
+.Fa "BIO_info_cb *"
+.Fc
+.Ft int
+.Fo BIO_meth_set_callback_ctrl
+.Fa "BIO_METHOD *biom"
+.Fa "long (*callback_ctrl)(BIO *, int, BIO_info_cb *)"
+.Fc
+.Sh DESCRIPTION
+The
+.Vt BIO_METHOD
+structure stores function pointers implementing a
+.Vt BIO
+type.
+See
+.Xr BIO_new 3
+for more information about
+.Vt BIO
+objects.
+.Pp
+.Fn BIO_meth_new
+creates a new
+.Vt BIO_METHOD
+structure.
+It requires a unique integer
+.Fa type ;
+use
+.Fn BIO_get_new_index
+to get the value for
+.Fa type .
+Currently, the user can only create up to 127 different BIO types, and
+.Fa type
+is limited to the range 129\(en255.
+The
+.Fa name
+pointer is stored in the structure and will not be freed by
+.Fn BIO_meth_free .
+.Pp
+The standard BIO types are listed in
+.In openssl/bio.h .
+Some examples include
+.Dv BIO_TYPE_BUFFER
+and
+.Dv BIO_TYPE_CIPHER .
+The
+.Fa type
+of filter BIOs should have the
+.Dv BIO_TYPE_FILTER
+bit set.
+Source/sink BIOs should have the
+.Dv BIO_TYPE_SOURCE_SINK
+bit set.
+File descriptor based BIOs (e.g. socket, fd, connect, accept etc.\&)
+should additionally have the
+.Dv BIO_TYPE_DESCRIPTOR
+bit set.
+See
+.Xr BIO_find_type 3
+for more information.
+.Pp
+.Fn BIO_meth_free
+is an alias for
+.Xr free 3 .
+.Pp
+.Fn BIO_meth_get_write ,
+.Fn BIO_meth_set_write ,
+.Fn BIO_meth_get_read ,
+and
+.Fn BIO_meth_set_read
+get and set the functions
+.Fa write
+and
+.Fa read
+used for writing and reading arbitrary length data to and from the
+.Vt BIO .
+These functions are called from
+.Xr BIO_write 3
+and
+.Xr BIO_read 3 ,
+respectively.
+The parameters and return values of
+.Fa write
+and
+.Fa read
+have the same meaning as for
+.Xr BIO_write 3
+and
+.Xr BIO_read 3 .
+.Pp
+.Fn BIO_meth_get_puts
+and
+.Fn BIO_meth_set_puts
+get and set the function
+.Fa puts
+used for writing a NUL-terminated string to the
+.Vt BIO .
+This function is called from
+.Xr BIO_puts 3 .
+The parameters and the return value of
+.Fa puts
+have the same meaning as for
+.Xr BIO_puts 3 .
+.Pp
+.Fn BIO_meth_get_gets
+and
+.Fn BIO_meth_set_gets
+get and set the function
+.Fa gets
+used for reading a line of data from the
+.Vt BIO .
+This function is called from
+.Xr BIO_gets 3 .
+The parameters and the return value of
+.Fa gets
+have the same meaning as for
+.Xr BIO_gets 3 .
+.Pp
+.Fn BIO_meth_get_ctrl
+and
+.Fn BIO_meth_set_ctrl
+get and set the function
+.Fa ctrl
+used for processing control messages in the
+.Vt BIO .
+This function is called from
+.Xr BIO_ctrl 3 .
+The parameters and return value of
+.Fa ctrl
+have the same meaning as for
+.Xr BIO_ctrl 3 .
+.Pp
+.Fn BIO_meth_get_create
+and
+.Fn BIO_meth_set_create
+get and set a function
+.Fa create
+used while initializing a new instance of the
+.Vt BIO .
+This function is called from
+.Xr BIO_new 3 .
+The
+.Xr BIO_new 3
+function allocates the memory for the new
+.Vt BIO ,
+and a pointer to this newly allocated structure is passed
+as the parameter to
+.Fa create .
+.Pp
+.Fn BIO_meth_get_destroy
+and
+.Fn BIO_meth_set_destroy
+get and set a function
+.Fa destroy
+used while destroying an instance of a
+.Vt BIO .
+This function is called from
+.Xr BIO_free 3 .
+A pointer to the
+.Vt BIO
+to be destroyed is passed as the parameter.
+The
+.Fa destroy
+function is intended to perform clean-up specific to the
+.Vt BIO
+.Fa type .
+The memory for the
+.Vt BIO
+itself must not be freed by this function.
+.Pp
+.Fn BIO_meth_get_callback_ctrl
+and
+.Fn BIO_meth_set_callback_ctrl
+get and set the function
+.Fa callback_ctrl
+used for processing callback control messages in the
+.Vt BIO .
+This function is called from
+.Xr BIO_callback_ctrl 3 .
+The parameters and return value of
+.Fa callback_ctrl
+have the same meaning as for
+.Xr BIO_callback_ctrl 3 .
+.Sh RETURN VALUES
+.Fn BIO_get_new_index
+returns the new BIO type value or \-1 if an error occurs.
+.Pp
+.Fn BIO_meth_new
+returns the new
+.Vt BIO_METHOD
+structure or
+.Dv NULL
+if an error occurs.
+.Pp
+The
+.Fn BIO_meth_set_*
+functions return 1 on success or 0 on error.
+Currently, they cannot fail.
+.Pp
+The
+.Fn BIO_meth_get_*
+functions return function pointers.
+.Sh SEE ALSO
+.Xr BIO_ctrl 3 ,
+.Xr BIO_find_type 3 ,
+.Xr BIO_new 3 ,
+.Xr BIO_read 3
+.Sh HISTORY
+These functions first appeared in OpenSSL 1.1.0
+and have been available since
+.Ox 6.3 .
diff --git a/lib/libcrypto/man/BIO_new.3 b/lib/libcrypto/man/BIO_new.3
index 356986d76d..36acc3d9fe 100644
--- a/lib/libcrypto/man/BIO_new.3
+++ b/lib/libcrypto/man/BIO_new.3
@@ -1,6 +1,9 @@
-.\" $OpenBSD: BIO_new.3,v 1.8 2017/03/25 17:15:59 schwarze Exp $
-.\" OpenSSL doc/man3/BIO_new.pod ca3a82c3 Mar 25 11:31:18 2015 -0400
-.\" OpenSSL doc/man7/bio.pod a9c85cea Nov 11 09:33:55 2016 +0100
+.\" $OpenBSD: BIO_new.3,v 1.14 2018/03/23 23:18:17 schwarze Exp $
+.\" full merge up to:
+.\" OpenSSL man3/BIO_new.pod fb46be03 Feb 26 11:51:31 2016 +0000
+.\" OpenSSL man7/bio.pod 631c37be Dec 12 16:56:50 2017 +0100
+.\" partial merge up to:
+.\" OpenSSL man3/BIO_new.pod e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson .
 .\" Copyright (c) 2000, 2015, 2016 The OpenSSL Project. All rights reserved.
@@ -49,11 +52,12 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 25 2017 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt BIO_NEW 3
 .Os
 .Sh NAME
 .Nm BIO_new ,
+.Nm BIO_up_ref ,
 .Nm BIO_set ,
 .Nm BIO_free ,
 .Nm BIO_vfree ,
@@ -66,6 +70,10 @@
 .Fa "BIO_METHOD *type"
 .Fc
 .Ft int
+.Fo BIO_up_ref
+.Fa "BIO *a"
+.Fc
+.Ft int
 .Fo BIO_set
 .Fa "BIO *a"
 .Fa "BIO_METHOD *type"
@@ -95,7 +103,8 @@ The function constructs a new .Vt BIO using the method -.Fa type . +.Fa type +and sets its reference count to 1. There are two groups of BIO types, source/sink BIOs and filter BIOs. .Pp Source/sink BIOs provide input or consume output. @@ -106,8 +115,8 @@ or to the application, forming a chain of BIOs. The data may be left unmodified (for example by a message digest BIO) or translated (for example by an encryption BIO). The effect of a filter BIO may change according to the I/O operation -it is performing: for example an encryption BIO will encrypt data -if it is written to and decrypt data if it is read from. +it is performing: for example an encryption BIO encrypts data +if it is written to and decrypts data if it is read from. .Pp Some BIOs (such as memory BIOs) can be used immediately after calling .Fn BIO_new . @@ -124,13 +133,33 @@ the methods for source/sink BIOs are called and those for filter BIOs .Fn BIO_f_* . .Pp +.Fn BIO_up_ref +increments the reference count of +.Fa a +by 1. +.Pp .Fn BIO_set -sets the method of an already existing BIO. +is a deprecated function to initialize an unused +.Vt BIO +structure located in static memory or on the stack, +to set its method to +.Fa type , +and to set its reference count to 1. +It must not be called on +.Vt BIO +objects created with +.Fn BIO_new , +nor on objects that were already used. .Pp .Fn BIO_free and .Fn BIO_vfree -destruct a single BIO, which may also have some effect on the +decrement the reference count of +.Fa a +by 1, and if the refenece count reaches 0, they destruct the single +.Vt BIO +.Fa a , +which may also have some effect on the underlying I/O structure, for example it may close the file being referred to under certain circumstances. If 
@@ -140,11 +169,26 @@ is a pointer, no action occurs. If .Fn BIO_free -is called on a BIO chain, it will only destruct one BIO, +is called on a BIO chain, it destructs at most one BIO, resulting in a memory leak. .Pp .Fn BIO_free_all -destructs an entire BIO chain. +calls +.Fn BIO_free +on +.Fa a +and on all following +.Vt BIO +objects in the chain. +As soon as the reference count of a +.Vt BIO +is still non-zero after calling +.Fn BIO_free +on it, the function +.Fn BIO_free_all +returns right away and refrains from freeing the remaining +.Vt BIO +objects in the chain. It does not halt if an error occurs destructing an individual BIO in the chain. If @@ -174,7 +218,8 @@ object or .Dv NULL on failure. .Pp -.Fn BIO_set +.Fn BIO_up_ref , +.Fn BIO_set , and .Fn BIO_free return 1 for success or 0 for failure. @@ -192,6 +237,7 @@ Create a memory BIO: .Xr BIO_f_ssl 3 , .Xr BIO_find_type 3 , .Xr BIO_get_ex_new_index 3 , +.Xr BIO_meth_new 3 , .Xr BIO_printf 3 , .Xr BIO_push 3 , .Xr BIO_read 3 , @@ -205,3 +251,22 @@ Create a memory BIO: .Xr BIO_s_socket 3 , .Xr BIO_set_callback 3 , .Xr BIO_should_retry 3 +.Sh HISTORY +.Fn BIO_new +and +.Fn BIO_free +first appeared in SSLeay 0.6.0. +.Fn BIO_set +and +.Fn BIO_free_all +appeared in SSLeay 0.8.1b or earlier. +All these functions have been available since +.Ox 2.4 . +.Pp +.Fn BIO_vfree +first appeared in OpenSSL 0.9.6 and has been available since +.Ox 2.9 . +.Pp +.Fn BIO_up_ref +first appeared in OpenSSL 1.1.0 and has been available since +.Ox 6.3 . diff --git a/lib/libcrypto/man/BIO_printf.3 b/lib/libcrypto/man/BIO_printf.3 index ebc1cc726e..838b771be7 100644 --- a/lib/libcrypto/man/BIO_printf.3 +++ b/lib/libcrypto/man/BIO_printf.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BIO_printf.3,v 1.1 2017/03/25 17:15:59 schwarze Exp $ +.\" $OpenBSD: BIO_printf.3,v 1.3 2018/03/22 17:11:04 schwarze Exp $ .\" OpenSSL 2ca2e917 Mon Mar 20 16:25:22 2017 -0400 .\" .\" Copyright (c) 2017 Ingo Schwarze 
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 25 2017 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt BIO_PRINTF 3
 .Os
 .Sh NAME
@@ -84,3 +84,14 @@ also return -1 if
 is too small to hold the complete output.
 .Sh SEE ALSO
 .Xr BIO_new 3
+.Sh HISTORY
+.Fn BIO_printf
+first appeared in SSLeay 0.6.5 and has been available since
+.Ox 2.4 .
+.Pp
+.Fn BIO_vprintf ,
+.Fn BIO_snprintf ,
+and
+.Fn BIO_vsnprintf
+first appeared in OpenSSL 0.9.6 and have been available since
+.Ox 2.9 .
diff --git a/lib/libcrypto/man/BIO_push.3 b/lib/libcrypto/man/BIO_push.3
index 5b9e94123f..d107e0d35f 100644
--- a/lib/libcrypto/man/BIO_push.3
+++ b/lib/libcrypto/man/BIO_push.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_push.3,v 1.5 2016/12/06 12:54:19 schwarze Exp $
+.\" $OpenBSD: BIO_push.3,v 1.6 2018/03/20 19:33:16 schwarze Exp $
 .\" OpenSSL doc/man3/BIO_push.pod 76ed5a42 Jun 29 13:38:55 2014 +0100
 .\" OpenSSL doc/man7/bio.pod a9c85cea Nov 11 09:33:55 2016 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2016 $
+.Dd $Mdocdate: March 20 2018 $
 .Dt BIO_PUSH 3
 .Os
 .Sh NAME
@@ -176,3 +176,9 @@ as before.
 .Xr BIO_find_type 3 ,
 .Xr BIO_new 3 ,
 .Xr BIO_read 3
+.Sh HISTORY
+.Fn BIO_push
+and
+.Fn BIO_pop
+appeared in SSLeay 0.8.1b or earlier and have been available since
+.Ox 2.4 .
diff --git a/lib/libcrypto/man/BIO_read.3 b/lib/libcrypto/man/BIO_read.3
index 2da3728237..8551a96667 100644
--- a/lib/libcrypto/man/BIO_read.3
+++ b/lib/libcrypto/man/BIO_read.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_read.3,v 1.5 2016/12/06 14:45:08 schwarze Exp $
+.\" $OpenBSD: BIO_read.3,v 1.7 2018/03/20 19:33:16 schwarze Exp $
 .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson .
@@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 6 2016 $ +.Dd $Mdocdate: March 20 2018 $ .Dt BIO_READ 3 .Os .Sh NAME @@ -165,5 +165,14 @@ In particular when the source/sink is non-blocking or of a certain type it may merely be an indication that no data is currently available and that the application should retry the operation later. .Sh SEE ALSO +.Xr BIO_meth_new 3 , .Xr BIO_new 3 , .Xr BIO_should_retry 3 +.Sh HISTORY +.Fn BIO_read , +.Fn BIO_gets , +.Fn BIO_write , +and +.Fn BIO_puts +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/BIO_s_accept.3 b/lib/libcrypto/man/BIO_s_accept.3 index e3193f6fd4..a37db94564 100644 --- a/lib/libcrypto/man/BIO_s_accept.3 +++ b/lib/libcrypto/man/BIO_s_accept.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BIO_s_accept.3,v 1.5 2016/12/06 14:45:08 schwarze Exp $ +.\" $OpenBSD: BIO_s_accept.3,v 1.8 2018/03/21 09:03:49 schwarze Exp $ .\" OpenSSL c03726ca Thu Aug 27 12:28:08 2015 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 6 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt BIO_S_ACCEPT 3 .Os .Sh NAME @@ -354,3 +354,22 @@ BIO_free(cbio2); .Ed .Sh SEE ALSO .Xr BIO_new 3 +.Sh HISTORY +.Fn BIO_s_accept , +.Fn BIO_set_accept_port , +.Fn BIO_new_accept , +.Fn BIO_set_nbio_accept , +.Fn BIO_set_accept_bios , +and +.Fn BIO_do_accept +appeared in SSLeay 0.8.1b or earlier. +.Fn BIO_get_accept_port +first appeared in SSLeay 0.9.0. +All these functions have been available since +.Ox 2.4 . +.Pp +.Fn BIO_set_bind_mode +and +.Fn BIO_get_bind_mode +first appeared in SSLeay 0.9.1 and have been available since +.Ox 2.6 . diff --git a/lib/libcrypto/man/BIO_s_bio.3 b/lib/libcrypto/man/BIO_s_bio.3 index 065a8bae08..f808939701 100644 
--- a/lib/libcrypto/man/BIO_s_bio.3
+++ b/lib/libcrypto/man/BIO_s_bio.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_s_bio.3,v 1.9 2017/01/06 02:29:18 schwarze Exp $
+.\" $OpenBSD: BIO_s_bio.3,v 1.12 2018/03/22 17:11:04 schwarze Exp $
 .\" OpenSSL c03726ca Aug 27 12:28:08 2015 -0400
 .\"
 .\" This file was written by
@@ -53,7 +53,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 6 2017 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt BIO_S_BIO 3
 .Os
 .Sh NAME
@@ -360,6 +360,28 @@ SSL operations can successfully be continued.
 .Xr BIO_should_retry 3 ,
 .Xr ssl 3 ,
 .Xr SSL_set_bio 3
+.Sh HISTORY
+.Fn BIO_s_bio ,
+.Fn BIO_make_bio_pair ,
+.Fn BIO_destroy_bio_pair ,
+.Fn BIO_set_write_buf_size ,
+.Fn BIO_get_write_buf_size ,
+.Fn BIO_new_bio_pair ,
+.Fn BIO_get_write_guarantee ,
+.Fn BIO_ctrl_get_write_guarantee ,
+.Fn BIO_get_read_request ,
+and
+.Fn BIO_ctrl_reset_read_request
+first appeared in OpenSSL 0.9.4 and have been available since
+.Ox 2.6 .
+.Pp
+.Fn BIO_ctrl_reset_read_request
+first appeared in OpenSSL 0.9.5 and has been available since
+.Ox 2.7 .
+.Pp
+.Fn BIO_shutdown_wr
+first appeared in OpenSSL 0.9.6 and has been available since
+.Ox 2.9 .
 .Sh CAVEATS
 As the data is buffered, SSL operations may return with an
 .Dv ERROR_SSL_WANT_READ
diff --git a/lib/libcrypto/man/BIO_s_connect.3 b/lib/libcrypto/man/BIO_s_connect.3
index bde10e4b20..66cfff0daa 100644
--- a/lib/libcrypto/man/BIO_s_connect.3
+++ b/lib/libcrypto/man/BIO_s_connect.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_s_connect.3,v 1.6 2016/12/20 23:14:37 beck Exp $
+.\" $OpenBSD: BIO_s_connect.3,v 1.8 2018/03/21 06:09:37 schwarze Exp $
 .\" OpenSSL 186bb907 Apr 13 11:05:13 2015 -0700
 .\"
 .\" This file was written by Dr. Stephen Henson .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 20 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt BIO_S_CONNECT 3
 .Os
 .Sh NAME
@@ -369,3 +369,22 @@ BIO_free(out);
 .Ed
 .Sh SEE ALSO
 .Xr BIO_new 3
+.Sh HISTORY
+.Fn BIO_s_connect ,
+.Fn BIO_new_connect ,
+.Fn BIO_set_nbio ,
+and
+.Fn BIO_do_connect
+appeared in SSLeay 0.8.1b or earlier.
+.Fn BIO_set_conn_hostname ,
+.Fn BIO_set_conn_port ,
+.Fn BIO_set_conn_ip ,
+.Fn BIO_set_conn_int_port ,
+.Fn BIO_get_conn_hostname ,
+.Fn BIO_get_conn_port ,
+.Fn BIO_get_conn_ip ,
+and
+.Fn BIO_get_conn_int_port
+first appeared in SSLeay 0.9.0.
+All these functions have been available since
+.Ox 2.4 .
diff --git a/lib/libcrypto/man/BIO_s_fd.3 b/lib/libcrypto/man/BIO_s_fd.3
index 20b460ba96..9bc492d79d 100644
--- a/lib/libcrypto/man/BIO_s_fd.3
+++ b/lib/libcrypto/man/BIO_s_fd.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_s_fd.3,v 1.6 2016/12/06 14:45:08 schwarze Exp $
+.\" $OpenBSD: BIO_s_fd.3,v 1.7 2018/03/20 19:33:16 schwarze Exp $
 .\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2016 $
+.Dd $Mdocdate: March 20 2018 $
 .Dt BIO_S_FD 3
 .Os
 .Sh NAME
@@ -194,3 +194,7 @@ BIO_free(out);
 .Xr BIO_read 3 ,
 .Xr BIO_s_socket 3 ,
 .Xr BIO_seek 3
+.Sh HISTORY
+These functions appeared in SSLeay 0.8.1b or earlier
+and have been available since
+.Ox 2.4 .
diff --git a/lib/libcrypto/man/BIO_s_file.3 b/lib/libcrypto/man/BIO_s_file.3
index 323763d838..ba4b714e9e 100644
--- a/lib/libcrypto/man/BIO_s_file.3
+++ b/lib/libcrypto/man/BIO_s_file.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_s_file.3,v 1.5 2016/12/06 14:45:08 schwarze Exp $
+.\" $OpenBSD: BIO_s_file.3,v 1.8 2018/03/21 09:03:49 schwarze Exp $
 .\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt BIO_S_FILE 3
 .Os
 .Sh NAME
@@ -285,6 +285,25 @@ BIO_free(out);
 .Xr BIO_new 3 ,
 .Xr BIO_read 3 ,
 .Xr BIO_seek 3
+.Sh HISTORY
+.Fn BIO_s_file
+and
+.Fn BIO_set_fp
+first appeared in SSLeay 0.6.0.
+.Fn BIO_new_file ,
+.Fn BIO_new_fp ,
+.Fn BIO_get_fp ,
+.Fn BIO_read_filename ,
+.Fn BIO_write_filename ,
+and
+.Fn BIO_append_filename
+appeared in SSLeay 0.8.1b or earlier.
+All these functions have been available since
+.Ox 2.4 .
+.Pp
+.Fn BIO_rw_filename
+first appeared in SSLeay 0.9.1 and has been available since
+.Ox 2.6 .
 .Sh BUGS
 .Xr BIO_reset 3
 and
diff --git a/lib/libcrypto/man/BIO_s_mem.3 b/lib/libcrypto/man/BIO_s_mem.3
index bdbedc0f28..857dc85519 100644
--- a/lib/libcrypto/man/BIO_s_mem.3
+++ b/lib/libcrypto/man/BIO_s_mem.3
@@ -1,5 +1,6 @@
-.\" $OpenBSD: BIO_s_mem.3,v 1.5 2016/12/06 14:45:08 schwarze Exp $
-.\" OpenSSL 8711efb4 Mon Apr 20 11:33:12 2009 +0000
+.\" $OpenBSD: BIO_s_mem.3,v 1.9 2018/03/22 16:06:33 schwarze Exp $
+.\" full merge up to: OpenSSL 8711efb4 Mon Apr 20 11:33:12 2009 +0000
+.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
 .\" This file was written by Dr. Stephen Henson .
 .\" Copyright (c) 2000 The OpenSSL Project. All rights reserved.
@@ -48,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2016 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt BIO_S_MEM 3
 .Os
 .Sh NAME
@@ -206,6 +207,23 @@ the operation can be very slow. The use of a read only memory BIO avoids this problem. If the BIO must be read/write then adding a buffering BIO to the chain will speed up the process. +.Sh RETURN VALUES +.Fn BIO_s_mem +returns a pointer to a static object. +.Pp +.Fn BIO_set_mem_eof_return , +.Fn BIO_get_mem_data , +.Fn BIO_set_mem_buf , +and +.Fn BIO_get_mem_ptr +return 1 on success or a value less than or equal to 0 if an error occurred. +.Pp +.Fn BIO_new_mem_buf +returns a newly allocated +.Vt BIO +object on success or +.Dv NULL +on error. .Sh EXAMPLES Create a memory BIO and write some data to it: .Bd -literal -offset indent @@ -232,6 +250,23 @@ BIO_free(mem); .Ed .Sh SEE ALSO .Xr BIO_new 3 +.Sh HISTORY +.Fn BIO_s_mem , +.Fn BIO_set_mem_buf , +and +.Fn BIO_get_mem_ptr +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . +.Pp +.Fn BIO_set_mem_eof_return +and +.Fn BIO_get_mem_data +first appeared in SSLeay 0.9.1 and have been available since +.Ox 2.6 . +.Pp +.Fn BIO_new_mem_buf +first appeared in OpenSSL 0.9.5 and has been available since +.Ox 2.7 . .Sh BUGS There should be an option to set the maximum size of a memory BIO. .Pp diff --git a/lib/libcrypto/man/BIO_s_null.3 b/lib/libcrypto/man/BIO_s_null.3 index 7e68b594dc..dcdcd8c4ab 100644 --- a/lib/libcrypto/man/BIO_s_null.3 +++ b/lib/libcrypto/man/BIO_s_null.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BIO_s_null.3,v 1.5 2016/12/06 14:45:08 schwarze Exp $ +.\" $OpenBSD: BIO_s_null.3,v 1.6 2018/03/20 19:33:16 schwarze Exp $ .\" OpenSSL e117a890 Sep 14 12:14:41 2000 +0000 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 6 2016 $ +.Dd $Mdocdate: March 20 2018 $ .Dt BIO_S_NULL 3 .Os .Sh NAME 
@@ -82,3 +82,7 @@ this can be achieved by adding a null sink BIO to the end of the chain. returns the null sink BIO method. .Sh SEE ALSO .Xr BIO_new 3 +.Sh HISTORY +.Fn BIO_s_null +appeared in SSLeay 0.8.1b or earlier and has been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/BIO_s_socket.3 b/lib/libcrypto/man/BIO_s_socket.3 index 1fc7ce3dbc..3adc280a5e 100644 --- a/lib/libcrypto/man/BIO_s_socket.3 +++ b/lib/libcrypto/man/BIO_s_socket.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BIO_s_socket.3,v 1.6 2016/12/06 14:45:08 schwarze Exp $ +.\" $OpenBSD: BIO_s_socket.3,v 1.7 2018/03/20 19:33:16 schwarze Exp $ .\" OpenSSL bbdc9c98 Oct 19 22:02:21 2000 +0000 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 6 2016 $ +.Dd $Mdocdate: March 20 2018 $ .Dt BIO_S_SOCKET 3 .Os .Sh NAME @@ -107,3 +107,9 @@ if an error occurred. .Sh SEE ALSO .Xr BIO_get_fd 3 , .Xr BIO_new 3 +.Sh HISTORY +.Fn BIO_s_socket +and +.Fn BIO_new_socket +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/BIO_set_callback.3 b/lib/libcrypto/man/BIO_set_callback.3 index 4209c0818e..ed21ae3ad9 100644 --- a/lib/libcrypto/man/BIO_set_callback.3 +++ b/lib/libcrypto/man/BIO_set_callback.3 
@@ -1,8 +1,26 @@
-.\" $OpenBSD: BIO_set_callback.3,v 1.5 2016/12/06 14:45:08 schwarze Exp $
-.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
+.\" $OpenBSD: BIO_set_callback.3,v 1.7 2018/03/20 19:33:16 schwarze Exp $
+.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
+.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
-.\" This file was written by Dr. Stephen Henson .
-.\" Copyright (c) 2000, 2016 The OpenSSL Project. All rights reserved.
+.\" This file is a derived work.
+.\" The changes are covered by the following Copyright and license:
+.\"
+.\" Copyright (c) 2018 Ingo Schwarze
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The original file was written by Dr. Stephen Henson .
+.\" Copyright (c) 2000, 2016, 2017 The OpenSSL Project. All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -48,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2016 $
+.Dd $Mdocdate: March 20 2018 $
 .Dt BIO_SET_CALLBACK 3
 .Os
 .Sh NAME
@@ -141,20 +159,37 @@ depends on the value of
 .Fa oper
 (i.e. the operation being performed).
 .Pp
+When
+.Fa oper
+does not include
+.Dv BIO_CB_RETURN ,
+i.e. when the callback is invoked before an operation,
+the value passed into the callback via
+.Fa ret
+is always 1.
+In this case, if the callback returns a negative value, the library
+aborts the requested operation and instead returns the negative
+return value from the callback to the application.
+If the callback returns a non-negative value, that return value is
+ignored by the library, and the operation is performed normally.
+.Pp
+When
+.Fa oper
+includes
+.Dv BIO_CB_RETURN ,
+i.e. when the callback is invoked after an operation,
+the value passed into the callback via
 .Fa ret
-is the return value that would be returned to the application
+is the return value that the operation would return to the application
 if no callback were present.
-The actual value returned is the return value of the callback itself.
-In the case of callbacks called before the actual BIO operation,
-1 is placed in
-.Fa ret .
-If the return value is not positive, it will be immediately returned to
-the application and the BIO operation will not be performed.
+When a callback is present, the operation only passes this value
+to the callback and instead of it returns the return value of the
+callback to the application.
 .Pp
 The callback should normally simply return
 .Fa ret
-when it has finished processing, unless it specifically wishes
-to modify the value returned to the application.
+when it has finished processing, unless it specifically wishes to
+abort the operation or to modify the value returned to the application.
 .Ss Callback operations
 .Bl -tag -width Ds
 .It Fn BIO_free b
@@ -186,6 +221,33 @@ is called before the call and
 .Fn callback b BIO_CB_CTRL|BIO_CB_RETURN parg oper larg ret
 after.
 .El
+.Sh RETURN VALUES
+.Fn BIO_get_callback
+returns a pointer to the function
+.Fa cb
+previously installed with
+.Fn BIO_set_callback ,
+or
+.Dv NULL
+if no callback was installed.
+.Pp
+.Fn BIO_get_callback_arg
+returns a pointer to the
+.Fa arg
+previously set with
+.Fn BIO_set_callback_arg ,
+or
+.Dv NULL
+if no such argument was set.
+.Pp
+.Fn BIO_debug_callback
+returns
+.Fa ret
+if the bit
+.Dv BIO_CB_RETURN
+is set in
+.Fa cmd ,
+or 1 otherwise.
 .Sh EXAMPLES
 The
 .Fn BIO_debug_callback
@@ -194,3 +256,7 @@ Its source is in the file
 .Pa crypto/bio/bio_cb.c .
 .Sh SEE ALSO
 .Xr BIO_new 3
+.Sh HISTORY
+These functions appeared in SSLeay 0.8.1b or earlier
+and have been available since
+.Ox 2.4 .
diff --git a/lib/libcrypto/man/BIO_should_retry.3 b/lib/libcrypto/man/BIO_should_retry.3
index 601bb997a7..f37bfe2c67 100644
--- a/lib/libcrypto/man/BIO_should_retry.3
+++ b/lib/libcrypto/man/BIO_should_retry.3
@@ -1,5 +1,6 @@
-.\" $OpenBSD: BIO_should_retry.3,v 1.5 2016/12/06 14:45:08 schwarze Exp $
-.\" OpenSSL 60e24554 Apr 6 14:45:18 2010 +0000
+.\" $OpenBSD: BIO_should_retry.3,v 1.7 2018/03/20 19:33:16 schwarze Exp $
+.\" full merge up to: OpenSSL 60e24554 Apr 6 14:45:18 2010 +0000
+.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
 .\" This file was written by Dr. Stephen Henson .
 .\" Copyright (c) 2000, 2010, 2016 The OpenSSL Project. All rights reserved.
@@ -48,11 +49,10 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2016 $
+.Dd $Mdocdate: March 20 2018 $
 .Dt BIO_SHOULD_RETRY 3
 .Os
 .Sh NAME
-.Nm BIO_should_retry ,
 .Nm BIO_should_read ,
 .Nm BIO_should_write ,
 .Nm BIO_should_io_special ,
@@ -214,6 +214,10 @@ and use a timeout on the .Sh SEE ALSO .Xr BIO_new 3 , .Xr BIO_read 3 +.Sh HISTORY +These functions appeared in SSLeay 0.8.1b or earlier +and have been available since +.Ox 2.4 . .Sh BUGS The OpenSSL ASN.1 functions cannot gracefully deal with non-blocking I/O: they cannot retry after a partial read or write. diff --git a/lib/libcrypto/man/BN_BLINDING_new.3 b/lib/libcrypto/man/BN_BLINDING_new.3 index 00b55f54ea..04c5cfa351 100644 --- a/lib/libcrypto/man/BN_BLINDING_new.3 +++ b/lib/libcrypto/man/BN_BLINDING_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BN_BLINDING_new.3,v 1.6 2016/12/10 21:13:25 schwarze Exp $ +.\" $OpenBSD: BN_BLINDING_new.3,v 1.10 2018/03/23 23:18:17 schwarze Exp $ .\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400 .\" .\" This file was written by Nils Larsch . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 10 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt BN_BLINDING_NEW 3 .Os .Sh NAME @@ -304,20 +304,28 @@ on error. .Sh SEE ALSO .Xr BN_new 3 .Sh HISTORY -.Fn BN_BLINDING_thread_id -was first introduced in OpenSSL 1.0.0, and it deprecates -.Fn BN_BLINDING_set_thread_id +.Fn BN_BLINDING_new , +.Fn BN_BLINDING_free , +.Fn BN_BLINDING_update , +.Fn BN_BLINDING_convert , and -.Fn BN_BLINDING_get_thread_id . +.Fn BN_BLINDING_invert +first appeared in SSLeay 0.9.0 and have been available since +.Ox 2.4 . .Pp .Fn BN_BLINDING_convert_ex , .Fn BN_BLINDIND_invert_ex , .Fn BN_BLINDING_get_thread_id , .Fn BN_BLINDING_set_thread_id , +.Fn BN_BLINDING_get_flags , .Fn BN_BLINDING_set_flags , -.Fn BN_BLINDING_get_flags and .Fn BN_BLINDING_create_param -were first introduced in OpenSSL 0.9.8. +first appeared in OpenSSL 0.9.8 and have been available since +.Ox 4.5 . +.Pp +.Fn BN_BLINDING_thread_id +first appeared in OpenSSL 1.0.0 and has been available since +.Ox 4.9 . .Sh AUTHORS .An Nils Larsch Aq Mt nils@openssl.org 
diff --git a/lib/libcrypto/man/BN_CTX_new.3 b/lib/libcrypto/man/BN_CTX_new.3
index c450848697..2d721329a2 100644
--- a/lib/libcrypto/man/BN_CTX_new.3
+++ b/lib/libcrypto/man/BN_CTX_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_CTX_new.3,v 1.5 2016/12/10 21:13:25 schwarze Exp $
+.\" $OpenBSD: BN_CTX_new.3,v 1.7 2018/03/21 09:03:49 schwarze Exp $
 .\" OpenSSL aafbe1cc Jun 12 23:42:08 2013 +0100
 .\"
 .\" This file was written by Ulf Moeller .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 10 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt BN_CTX_NEW 3
 .Os
 .Sh NAME
@@ -136,6 +136,9 @@ and sets an error code that can be obtained by
 .Fn BN_CTX_new
 and
 .Fn BN_CTX_free
-are available in all versions of SSLeay and OpenSSL.
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
+.Pp
 .Fn BN_CTX_init
-was added in SSLeay 0.9.1b.
+first appeared in SSLeay 0.9.1 and has been available since
+.Ox 2.6 .
diff --git a/lib/libcrypto/man/BN_CTX_start.3 b/lib/libcrypto/man/BN_CTX_start.3
index 2b48d892e5..f4f10b8b0c 100644
--- a/lib/libcrypto/man/BN_CTX_start.3
+++ b/lib/libcrypto/man/BN_CTX_start.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_CTX_start.3,v 1.6 2016/12/10 21:13:25 schwarze Exp $
+.\" $OpenBSD: BN_CTX_start.3,v 1.7 2018/03/22 16:06:33 schwarze Exp $
 .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 10 2016 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt BN_CTX_START 3
 .Os
 .Sh NAME
@@ -128,4 +128,5 @@ In case of an error, an error code is set which can be obtained by
 .Fn BN_CTX_get ,
 and
 .Fn BN_CTX_end
-were added in OpenSSL 0.9.5.
+first appeared in OpenSSL 0.9.5 and have been available since
+.Ox 2.7 .
diff --git a/lib/libcrypto/man/BN_add.3 b/lib/libcrypto/man/BN_add.3
index a275dbfe95..3fb9c8ab78 100644
--- a/lib/libcrypto/man/BN_add.3
+++ b/lib/libcrypto/man/BN_add.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_add.3,v 1.7 2017/01/30 01:29:31 schwarze Exp $
+.\" $OpenBSD: BN_add.3,v 1.11 2018/03/22 21:08:22 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 30 2017 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt BN_ADD 3
 .Os
 .Sh NAME
@@ -389,6 +389,7 @@ The error codes can be obtained by
 .Sh HISTORY
 .Fn BN_add ,
 .Fn BN_sub ,
+.Fn BN_mul ,
 .Fn BN_sqr ,
 .Fn BN_div ,
 .Fn BN_mod ,
@@ -396,17 +397,23 @@ The error codes can be obtained by
 .Fn BN_mod_exp ,
 and
 .Fn BN_gcd
-are available in all versions of SSLeay and OpenSSL.
+appeared before SSLeay 0.8.
+.Fn BN_exp
+first appeared in SSLeay 0.9.0.
+All these functions have been available since
+.Ox 2.4 .
+.Pp
 The
 .Fa ctx
 argument to
 .Fn BN_mul
-was added in SSLeay 0.9.1b.
-.Fn BN_exp
-appeared in SSLeay 0.9.0.
+was added in SSLeay 0.9.1 and
+.Ox 2.6 .
+.Pp
 .Fn BN_nnmod ,
 .Fn BN_mod_add ,
 .Fn BN_mod_sub ,
 and
 .Fn BN_mod_sqr
-were added in OpenSSL 0.9.7.
+first appeared in OpenSSL 0.9.7 and have been available since
+.Ox 3.2 .
diff --git a/lib/libcrypto/man/BN_add_word.3 b/lib/libcrypto/man/BN_add_word.3
index e0a4b30170..9bbc8104b4 100644
--- a/lib/libcrypto/man/BN_add_word.3
+++ b/lib/libcrypto/man/BN_add_word.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_add_word.3,v 1.5 2016/12/10 21:13:25 schwarze Exp $
+.\" $OpenBSD: BN_add_word.3,v 1.7 2018/03/21 06:26:31 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 10 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt BN_ADD_WORD 3
 .Os
 .Sh NAME
@@ -158,13 +158,15 @@ if an error occurred.
 .Fn BN_add_word
 and
 .Fn BN_mod_word
-are available in all versions of SSLeay and OpenSSL.
+appeared before SSLeay 0.8.
 .Fn BN_div_word
-was added in SSLeay 0.8, and
+first appeared in SSLeay 0.8.
 .Fn BN_sub_word
 and
 .Fn BN_mul_word
-in SSLeay 0.9.0.
+first appeared in SSLeay 0.9.0.
+All these functions have been available since
+.Ox 2.4 .
 .Pp
 Before 0.9.8a, the return value for
 .Fn BN_div_word
diff --git a/lib/libcrypto/man/BN_bn2bin.3 b/lib/libcrypto/man/BN_bn2bin.3
index 2ff597a557..a12a33e301 100644
--- a/lib/libcrypto/man/BN_bn2bin.3
+++ b/lib/libcrypto/man/BN_bn2bin.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_bn2bin.3,v 1.6 2017/01/25 16:12:45 schwarze Exp $
+.\" $OpenBSD: BN_bn2bin.3,v 1.10 2018/03/23 23:18:17 schwarze Exp $
 .\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Ulf Moeller .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 25 2017 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt BN_BN2BIN 3
 .Os
 .Sh NAME
@@ -301,11 +301,10 @@ The error codes can be obtained by
 .Sh HISTORY
 .Fn BN_bn2bin ,
 .Fn BN_bin2bn ,
-.Fn BN_print_fp ,
+.Fn BN_print ,
 and
-.Fn BN_print
-are available in all versions of SSLeay and OpenSSL.
-.Pp
+.Fn BN_print_fp
+appeared before SSLeay 0.8.
 .Fn BN_bn2hex ,
 .Fn BN_bn2dec ,
 .Fn BN_hex2bn ,
@@ -313,4 +312,10 @@ are available in all versions of SSLeay and OpenSSL.
 .Fn BN_bn2mpi ,
 and
 .Fn BN_mpi2bn
-were added in SSLeay 0.9.0.
+first appeared in SSLeay 0.9.0.
+All these functions have been available since
+.Ox 2.4 .
+.Pp
+.Fn BN_asc2bin
+first appeared in OpenSSL 1.0.0 and has been available since
+.Ox 4.9 .
diff --git a/lib/libcrypto/man/BN_cmp.3 b/lib/libcrypto/man/BN_cmp.3
index bd79c905d7..6be8fd4854 100644
--- a/lib/libcrypto/man/BN_cmp.3
+++ b/lib/libcrypto/man/BN_cmp.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_cmp.3,v 1.4 2016/12/10 21:13:25 schwarze Exp $
+.\" $OpenBSD: BN_cmp.3,v 1.5 2018/03/20 20:26:23 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 10 2016 $
+.Dd $Mdocdate: March 20 2018 $
 .Dt BN_CMP 3
 .Os
 .Sh NAME
@@ -141,9 +141,11 @@ return 1 if the condition is true, 0 otherwise.
 .Fn BN_cmp ,
 .Fn BN_ucmp ,
 .Fn BN_is_zero ,
-.Fn BN_is_one
+.Fn BN_is_one ,
 and
 .Fn BN_is_word
-are available in all versions of SSLeay and OpenSSL.
+appeared before SSLeay 0.8.
 .Fn BN_is_odd
-was added in SSLeay 0.8.
+first appeared in SSLeay 0.8.
+All these functions have been available since
+.Ox 2.4 .
diff --git a/lib/libcrypto/man/BN_copy.3 b/lib/libcrypto/man/BN_copy.3
index 398cf1f8ec..addbaca5a3 100644
--- a/lib/libcrypto/man/BN_copy.3
+++ b/lib/libcrypto/man/BN_copy.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_copy.3,v 1.6 2017/01/30 01:29:31 schwarze Exp $
+.\" $OpenBSD: BN_copy.3,v 1.8 2018/03/22 22:07:12 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 30 2017 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt BN_COPY 3
 .Os
 .Sh NAME
@@ -156,4 +156,9 @@ The error codes can be obtained by
 .Fn BN_copy
 and
 .Fn BN_dup
-are available in all versions of SSLeay and OpenSSL.
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
+.Pp
+.Fn BN_with_flags
+first appeared in OpenSSL 0.9.7h and has been available since
+.Ox 4.0 .
diff --git a/lib/libcrypto/man/BN_generate_prime.3 b/lib/libcrypto/man/BN_generate_prime.3 index 5d4f931a04..9dc922cd8a 100644 --- a/lib/libcrypto/man/BN_generate_prime.3 +++ b/lib/libcrypto/man/BN_generate_prime.3 @@ -1,5 +1,5 @@ -.\" $OpenBSD: BN_generate_prime.3,v 1.6 2017/01/07 05:06:22 schwarze Exp $ -.\" OpenSSL 2afb29b4 Aug 14 16:47:13 2014 -0400 +.\" $OpenBSD: BN_generate_prime.3,v 1.13 2018/03/23 23:18:17 schwarze Exp $ +.\" full merge up to: OpenSSL b3696a55 Sep 2 09:35:50 2017 -0400 .\" .\" This file was written by Ulf Moeller .\" Bodo Moeller , and Matt Caswell . @@ -50,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 7 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt BN_GENERATE_PRIME 3 .Os .Sh NAME @@ -58,8 +58,11 @@ .Nm BN_is_prime_ex , .Nm BN_is_prime_fasttest_ex , .Nm BN_GENCB_call , +.Nm BN_GENCB_new , +.Nm BN_GENCB_free , .Nm BN_GENCB_set_old , .Nm BN_GENCB_set , +.Nm BN_GENCB_get_arg , .Nm BN_generate_prime , .Nm BN_is_prime , .Nm BN_is_prime_fasttest @@ -96,6 +99,12 @@ .Fa "int a" .Fa "int b" .Fc +.Ft BN_GENCB * +.Fn BN_GENCB_new void +.Ft void +.Fo BN_GENCB_free +.Fa "BN_GENCB *cb" +.Fc .Ft void .Fo BN_GENCB_set_old .Fa "BN_GENCB *gencb" @@ -108,6 +117,10 @@ .Fa "int (*callback)(int, int, BN_GENCB *)" .Fa "void *cb_arg" .Fc +.Ft void * +.Fo BN_GENCB_get_arg +.Fa "BN_GENCB *cb" +.Fc .Pp Deprecated: .Pp @@ -260,9 +273,16 @@ structures that are supported: "new" style and "old" style. New programs should prefer the "new" style, whilst the "old" style is provided for backwards compatibility purposes. .Pp +A +.Vt BN_GENCB +structure should be created through a call to +.Fn BN_GENCB_new +and freed through a call to +.Fn BN_GENCB_free . +.Pp For "new" style callbacks a .Vt BN_GENCB -structure should be initialised with a call to the macro +structure should be initialised with a call to .Fn BN_GENCB_set , where .Fa gencb 
@@ -276,7 +296,7 @@ and is a .Vt void * . "Old" style callbacks are the same except they are initialised with a -call to the macro +call to .Fn BN_GENCB_set_old and .Fa callback @@ -291,6 +311,15 @@ for new style callbacks or .Fn callback a b cb_arg for old style. .Pp +It is possible to obtain the argument associated with a +.Vt BN_GENCB +structure (set via a call to +.Fn BN_GENCB_set +or +.Fn BN_GENCB_set_old ) +using +.Fn BN_GENCB_get_arg . +.Pp .Fn BN_generate_prime (deprecated) works in the same way as .Fn BN_generate_prime_ex @@ -326,6 +355,18 @@ returns the prime number on success, .Dv NULL otherwise. .Pp +.Fn BN_GENCB_new +returns a pointer to a +.Vt BN_GENCB +structure on success, or +.Dv NULL +otherwise. +.Pp +.Fn BN_GENCB_get_arg +returns the argument previously associated with a +.Vt BN_GENCB +structure. +.Pp Callback functions should return 1 on success or 0 on error. .Pp The error codes can be obtained by @@ -335,17 +376,39 @@ The error codes can be obtained by .Xr ERR_get_error 3 , .Xr RAND_bytes 3 .Sh HISTORY -The -.Fa cb_arg -arguments to .Fn BN_generate_prime -and to +and .Fn BN_is_prime -were added in SSLeay 0.9.0. +appeared before SSLeay 0.8 and had their +.Fa cb_arg +argument added in SSLeay 0.9.0. +These two functions have been available since +.Ox 2.4 . +.Pp The .Fa ret argument to .Fn BN_generate_prime -was added in SSLeay 0.9.1. +was added in SSLeay 0.9.1 and +.Ox 2.6 . +.Pp .Fn BN_is_prime_fasttest -was added in OpenSSL 0.9.5. +first appeared in OpenSSL 0.9.5 and has been available since +.Ox 2.7 . +.Pp +.Fn BN_generate_prime_ex , +.Fn BN_is_prime_ex , +.Fn BN_is_prime_fasttest_ex , +.Fn BN_GENCB_call , +.Fn BN_GENCB_set_old , +and +.Fn BN_GENCB_set +first appeared in OpenSSL 0.9.8 and have been available since +.Ox 4.5 . +.Pp +.Fn BN_GENCB_new , +.Fn BN_GENCB_free , +and +.Fn BN_GENCB_get_arg +first appeared in OpenSSL 1.1.0 and have been available since +.Ox 6.3 . 
diff --git a/lib/libcrypto/man/BN_get0_nist_prime_521.3 b/lib/libcrypto/man/BN_get0_nist_prime_521.3 index 74edc77a8f..eb95c42210 100644 --- a/lib/libcrypto/man/BN_get0_nist_prime_521.3 +++ b/lib/libcrypto/man/BN_get0_nist_prime_521.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BN_get0_nist_prime_521.3,v 1.4 2016/12/11 10:00:30 jmc Exp $ +.\" $OpenBSD: BN_get0_nist_prime_521.3,v 1.5 2018/03/23 00:09:11 schwarze Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Rich Salz . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 11 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt BN_GET0_NIST_PRIME_521 3 .Os .Sh NAME @@ -83,3 +83,7 @@ functions return a for the specific NIST prime curve (e.g. P-256). .Sh SEE ALSO .Xr BN_new 3 +.Sh HISTORY +These functions first appeared in OpenSSL 0.9.8 +and have been available since +.Ox 4.5 . diff --git a/lib/libcrypto/man/BN_mod_inverse.3 b/lib/libcrypto/man/BN_mod_inverse.3 index f407fa71e8..6fb371cf24 100644 --- a/lib/libcrypto/man/BN_mod_inverse.3 +++ b/lib/libcrypto/man/BN_mod_inverse.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BN_mod_inverse.3,v 1.6 2017/01/30 01:29:31 schwarze Exp $ +.\" $OpenBSD: BN_mod_inverse.3,v 1.8 2018/03/21 09:03:49 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Ulf Moeller . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 30 2017 $ +.Dd $Mdocdate: March 21 2018 $ .Dt BN_MOD_INVERSE 3 .Os .Sh NAME @@ -106,4 +106,10 @@ The error codes can be obtained by .Xr BN_set_flags 3 .Sh HISTORY .Fn BN_mod_inverse -is available in all versions of SSLeay and OpenSSL. +appeared before SSLeay 0.8 and has been available since +.Ox 2.4 . +.Pp +The +.Fa r +argument was added in SSLeay 0.9.1 and +.Ox 2.6 . 
diff --git a/lib/libcrypto/man/BN_mod_mul_montgomery.3 b/lib/libcrypto/man/BN_mod_mul_montgomery.3
index 60791d4bf2..4f898fef16 100644
--- a/lib/libcrypto/man/BN_mod_mul_montgomery.3
+++ b/lib/libcrypto/man/BN_mod_mul_montgomery.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_mod_mul_montgomery.3,v 1.7 2017/01/30 07:51:27 jmc Exp $
+.\" $OpenBSD: BN_mod_mul_montgomery.3,v 1.10 2018/03/23 23:18:17 schwarze Exp $
 .\" OpenSSL 6859cf74 Sep 25 13:33:28 2002 +0000
 .\"
 .\" This file was written by Ulf Moeller .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 30 2017 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt BN_MOD_MUL_MONTGOMERY 3
 .Os
 .Sh NAME
@@ -222,15 +222,17 @@ The error codes can be obtained by
 .Fn BN_MONT_CTX_free ,
 .Fn BN_MONT_CTX_set ,
 .Fn BN_mod_mul_montgomery ,
-.Fn BN_from_montgomery
+.Fn BN_from_montgomery ,
 and
 .Fn BN_to_montgomery
-are available in all versions of SSLeay and OpenSSL.
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
 .Pp
 .Fn BN_MONT_CTX_init
 and
 .Fn BN_MONT_CTX_copy
-were added in SSLeay 0.9.1b.
+first appeared in SSLeay 0.9.1 and have been available since
+.Ox 2.6 .
 .Sh CAVEATS
 .Fn BN_MONT_CTX_init
 must not be called on a context that was used previously, or
diff --git a/lib/libcrypto/man/BN_mod_mul_reciprocal.3 b/lib/libcrypto/man/BN_mod_mul_reciprocal.3
index f2e2ac2987..ef030e4c6f 100644
--- a/lib/libcrypto/man/BN_mod_mul_reciprocal.3
+++ b/lib/libcrypto/man/BN_mod_mul_reciprocal.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_mod_mul_reciprocal.3,v 1.7 2017/01/30 07:51:27 jmc Exp $
+.\" $OpenBSD: BN_mod_mul_reciprocal.3,v 1.9 2018/03/21 09:03:49 schwarze Exp $
 .\" OpenSSL 6859cf74 Sep 25 13:33:28 2002 +0000
 .\"
 .\" This file was written by Ulf Moeller .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 30 2017 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt BN_MOD_MUL_RECIPROCAL 3
 .Os
 .Sh NAME
@@ -190,6 +190,10 @@ The error codes can be obtained by
 .Xr BN_CTX_new 3 ,
 .Xr BN_new 3
 .Sh HISTORY
+.Fn BN_mod_mul_reciprocal
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
+.Pp
 .Vt BN_RECP_CTX
 was added in SSLeay 0.9.0.
 Before that, a function
@@ -197,6 +201,15 @@ Before that, a function
 was used instead, and the
 .Fn BN_mod_mul_reciprocal
 arguments were different.
+.Pp
+.Fn BN_RECP_CTX_new ,
+.Fn BN_RECP_CTX_init ,
+.Fn BN_RECP_CTX_free ,
+.Fn BN_RECP_CTX_set ,
+and
+.Fn BN_div_recp
+first appeared in SSLeay 0.9.1 and have been available since
+.Ox 2.6 .
 .Sh CAVEATS
 .Fn BN_RECP_CTX_init
 must not be called on a context that was used previously, or
diff --git a/lib/libcrypto/man/BN_new.3 b/lib/libcrypto/man/BN_new.3
index 8122e32f79..4dd131a573 100644
--- a/lib/libcrypto/man/BN_new.3
+++ b/lib/libcrypto/man/BN_new.3
@@ -1,6 +1,7 @@
-.\" $OpenBSD: BN_new.3,v 1.9 2017/01/30 07:51:27 jmc Exp $
-.\" OpenSSL doc/man3/BN_new.pod 2457c19d Mar 6 08:43:36 2004 +0000
-.\" OpenSSL doc/man7/bn.pod 05ea606a May 20 20:52:46 2016 -0400
+.\" $OpenBSD: BN_new.3,v 1.12 2018/03/21 09:03:49 schwarze Exp $
+.\" full merge up to: OpenSSL man3/BN_new 2457c19d Mar 6 08:43:36 2004 +0000
+.\" selective merge up to: man3/BN_new 681acb31 Sep 29 13:10:34 2017 +0200
+.\" full merge up to: OpenSSL man7/bn 05ea606a May 20 20:52:46 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller .
 .\" Copyright (c) 2000, 2004 The OpenSSL Project. All rights reserved.
@@ -49,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 30 2017 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt BN_NEW 3
 .Os
 .Sh NAME
@@ -101,7 +102,7 @@ or accessed directly.
 .Fn BN_new
 allocates and initializes a
 .Vt BIGNUM
-structure.
+structure, in particular setting the value to zero.
 .Pp
 .Fn BN_init
 initializes an existing uninitialized
@@ -165,9 +166,12 @@ and sets an error code that can be obtained by
 .Fn BN_free ,
 and
 .Fn BN_clear_free
-are available in all versions of SSLeay and OpenSSL.
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
+.Pp
 .Fn BN_init
-was added in SSLeay 0.9.1b.
+first appeared in SSLeay 0.9.1 and has been available since
+.Ox 2.6 .
 .Sh CAVEATS
 .Fn BN_init
 must not be called on a
diff --git a/lib/libcrypto/man/BN_num_bytes.3 b/lib/libcrypto/man/BN_num_bytes.3
index 96538950cb..a95f47f9d9 100644
--- a/lib/libcrypto/man/BN_num_bytes.3
+++ b/lib/libcrypto/man/BN_num_bytes.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_num_bytes.3,v 1.5 2016/12/10 21:13:25 schwarze Exp $
+.\" $OpenBSD: BN_num_bytes.3,v 1.6 2018/03/20 20:26:23 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 10 2016 $
+.Dd $Mdocdate: March 20 2018 $
 .Dt BN_NUM_BYTES 3
 .Os
 .Sh NAME
@@ -120,8 +120,5 @@ The size.
 .Xr DSA_size 3 ,
 .Xr RSA_size 3
 .Sh HISTORY
-.Fn BN_num_bytes ,
-.Fn BN_num_bits ,
-and
-.Fn BN_num_bits_word
-are available in all versions of SSLeay and OpenSSL.
+These functions appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
diff --git a/lib/libcrypto/man/BN_rand.3 b/lib/libcrypto/man/BN_rand.3
index b2cb315436..5e8ac5966c 100644
--- a/lib/libcrypto/man/BN_rand.3
+++ b/lib/libcrypto/man/BN_rand.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_rand.3,v 1.6 2016/12/10 21:13:25 schwarze Exp $
+.\" $OpenBSD: BN_rand.3,v 1.10 2018/03/22 17:38:08 schwarze Exp $
 .\" OpenSSL 05ea606a May 20 20:52:46 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller .
@@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 10 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt BN_RAND 3 .Os .Sh NAME @@ -139,13 +139,20 @@ The error codes can be obtained by .Xr RAND_bytes 3 .Sh HISTORY .Fn BN_rand -is available in all versions of SSLeay and OpenSSL. +appeared before SSLeay 0.8 and has been available since +.Ox 2.4 . +.Pp .Fn BN_pseudo_rand -was added in OpenSSL 0.9.5. +first appeared in OpenSSL 0.9.5 and has been available since +.Ox 2.7 . +.Pp The .Fa top == -1 case and the function .Fn BN_rand_range -were added in OpenSSL 0.9.6a. +first appeared in OpenSSL 0.9.6a and have been available since +.Ox 3.0 . +.Pp .Fn BN_pseudo_rand_range -was added in OpenSSL 0.9.6c. +first appeared in OpenSSL 0.9.6c and have been available since +.Ox 3.2 . diff --git a/lib/libcrypto/man/BN_set_bit.3 b/lib/libcrypto/man/BN_set_bit.3 index 077ca69ce0..edaa41d245 100644 --- a/lib/libcrypto/man/BN_set_bit.3 +++ b/lib/libcrypto/man/BN_set_bit.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BN_set_bit.3,v 1.5 2016/12/10 21:13:25 schwarze Exp $ +.\" $OpenBSD: BN_set_bit.3,v 1.6 2018/03/20 20:26:23 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Ulf Moeller . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 10 2016 $ +.Dd $Mdocdate: March 20 2018 $ .Dt BN_SET_BIT 3 .Os .Sh NAME @@ -212,4 +212,5 @@ The error codes can be obtained by .Fn BN_rshift , and .Fn BN_rshift1 -are available in all versions of SSLeay and OpenSSL. +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/BN_set_flags.3 b/lib/libcrypto/man/BN_set_flags.3 index 27649fd074..a998037534 100644 --- a/lib/libcrypto/man/BN_set_flags.3 +++ b/lib/libcrypto/man/BN_set_flags.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: BN_set_flags.3,v 1.1 2017/01/30 01:29:31 schwarze Exp $ +.\" $OpenBSD: BN_set_flags.3,v 1.2 2018/03/21 09:03:49 schwarze Exp $ .\" .\" Copyright (c) 2017 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: January 30 2017 $ +.Dd $Mdocdate: March 21 2018 $ .Dt BN_SET_FLAGS 3 .Os .Sh NAME @@ -138,6 +138,12 @@ returns zero or more of the above constants, OR'ed together. .Xr BN_mod_inverse 3 , .Xr BN_new 3 , .Xr BN_with_flags 3 +.Sh HISTORY +.Fn BN_set_flags +and +.Fn BN_get_flags +first appeared in SSLeay 0.9.1 and have been available since +.Ox 2.6 . .Sh CAVEATS No public interface exists to clear a flag once it is set. So think twice before using diff --git a/lib/libcrypto/man/BN_set_negative.3 b/lib/libcrypto/man/BN_set_negative.3 index 29cb2d95cf..69927c1bb1 100644 --- a/lib/libcrypto/man/BN_set_negative.3 +++ b/lib/libcrypto/man/BN_set_negative.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BN_set_negative.3,v 1.3 2016/12/10 21:13:25 schwarze Exp $ +.\" $OpenBSD: BN_set_negative.3,v 1.4 2018/03/23 00:09:11 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 10 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt BN_SET_NEGATIVE 3 .Os .Sh NAME @@ -55,3 +55,9 @@ is negative or 0 otherwise. .Xr BN_new 3 , .Xr BN_set_bit 3 , .Xr BN_zero 3 +.Sh HISTORY +.Fn BN_set_negative +and +.Fn BN_is_negative +first appeared in OpenSSL 0.9.8 and have been available since +.Ox 4.5 . diff --git a/lib/libcrypto/man/BN_swap.3 b/lib/libcrypto/man/BN_swap.3 index 087ca490da..db9082d7ef 100644 --- a/lib/libcrypto/man/BN_swap.3 +++ b/lib/libcrypto/man/BN_swap.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: BN_swap.3,v 1.4 2016/12/10 21:13:25 schwarze Exp $ +.\" $OpenBSD: BN_swap.3,v 1.5 2018/03/22 21:08:22 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Bodo Moeller . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 10 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt BN_SWAP 3 .Os .Sh NAME @@ -70,4 +70,6 @@ and .Sh SEE ALSO .Xr BN_new 3 .Sh HISTORY -BN_swap was added in OpenSSL 0.9.7. +.Fn BN_swap +first appeared in OpenSSL 0.9.7 and has been available since +.Ox 3.2 . diff --git a/lib/libcrypto/man/BN_zero.3 b/lib/libcrypto/man/BN_zero.3 index 49d08717e4..388c35fbc6 100644 --- a/lib/libcrypto/man/BN_zero.3 +++ b/lib/libcrypto/man/BN_zero.3 @@ -1,8 +1,10 @@ -.\" $OpenBSD: BN_zero.3,v 1.6 2016/12/10 21:13:25 schwarze Exp $ -.\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400 +.\" $OpenBSD: BN_zero.3,v 1.8 2018/03/20 20:26:23 schwarze Exp $ +.\" full merge up to: OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400 +.\" selective merge up to: OpenSSL b713c4ff Jan 22 14:41:09 2018 -0500 .\" .\" This file was written by Ulf Moeller . -.\" Copyright (c) 2000, 2001, 2002 The OpenSSL Project. All rights reserved. +.\" Copyright (c) 2000, 2001, 2002, 2018 The OpenSSL Project. +.\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -48,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 10 2016 $ +.Dd $Mdocdate: March 20 2018 $ .Dt BN_ZERO 3 .Os .Sh NAME 
@@ -75,13 +77,17 @@
 .Ft int
 .Fo BN_set_word
 .Fa "BIGNUM *a"
-.Fa "unsigned long w"
+.Fa "BN_ULONG w"
 .Fc
-.Ft unsigned long
+.Ft BN_ULONG
 .Fo BN_get_word
 .Fa "BIGNUM *a"
 .Fc
 .Sh DESCRIPTION
+.Vt BN_ULONG
+is a macro that expands to an unsigned integral type optimized
+for the most efficient implementation on the local platform.
+.Pp
 .Fn BN_zero ,
 .Fn BN_one ,
 and
@@ -100,21 +106,15 @@ are macros.
 returns a
 .Vt BIGNUM
 constant of value 1.
-This constant is useful for use in comparisons and assignment.
-.Pp
-.Fn BN_get_word
-returns
-.Fa a
-if it can be represented as an
-.Vt unsigned long .
+This constant is useful for comparisons and assignments.
 .Sh RETURN VALUES
 .Fn BN_get_word
 returns the value
 .Fa a ,
-or 0xffffffffL if
+or a number with all bits set if
 .Fa a
-cannot be represented as an
-.Vt unsigned long .
+cannot be represented as a
+.Vt BN_ULONG .
 .Pp
 .Fn BN_zero ,
 .Fn BN_one ,
@@ -133,11 +133,13 @@ returns the constant.
 .Fn BN_one ,
 and
 .Fn BN_set_word
-are available in all versions of SSLeay and OpenSSL.
+appeared before SSLeay 0.8.
 .Fn BN_value_one
 and
 .Fn BN_get_word
-were added in SSLeay 0.8.
+first appeared in SSLeay 0.8.
+All these functions have been available since
+.Ox 2.4 .
 .Pp
 .Fn BN_value_one
 was changed to return a true
@@ -146,8 +148,13 @@ in OpenSSL 0.9.7.
 .Sh BUGS
 Someone might change the constant.
 .Pp
-If a
+If the value of a
 .Vt BIGNUM
-is equal to 0xffffffffL; it can be represented as an
-.Vt unsigned long
-but this value is also returned on error.
+is equal to a
+.Vt BN_ULONG
+with all bits set, the return value of
+.Fn BN_get_word
+collides with return value used to indicate errors.
+.Pp
+.Vt BN_ULONG
+should probably be a typedef rather than a macro.
diff --git a/lib/libcrypto/man/BUF_MEM_new.3 b/lib/libcrypto/man/BUF_MEM_new.3
index 70d2fe09a0..d51e3d3c92 100644
--- a/lib/libcrypto/man/BUF_MEM_new.3
+++ b/lib/libcrypto/man/BUF_MEM_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BUF_MEM_new.3,v 1.11 2017/05/08 04:16:05 jsing Exp $
+.\" $OpenBSD: BUF_MEM_new.3,v 1.14 2018/03/23 04:34:23 schwarze Exp $
 .\" OpenSSL doc/crypto/buffer.pod 18edda0f Sep 20 03:28:54 2000 +0000
 .\" not merged: 74924dcb, 58e3457a, 21b0fa91, 7644a9ae
 .\" OpenSSL doc/crypto/BUF_MEM_new.pod 53934822 Jun 9 16:39:19 2016 -0400
@@ -52,7 +52,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 8 2017 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt BUF_MEM_NEW 3
 .Os
 .Sh NAME
@@ -187,9 +187,19 @@ return zero on error or the new size (i.e.\&
 .Xr BIO_new 3
 .Sh HISTORY
 .Fn BUF_MEM_new ,
-.Fn BUF_MEM_free
+.Fn BUF_MEM_free ,
 and
 .Fn BUF_MEM_grow
-are available in all versions of SSLeay and OpenSSL.
+appeared before SSLeay 0.8.
 .Fn BUF_strdup
-was added in SSLeay 0.8.
+first appeared in SSLeay 0.8.
+All these functions have been available since
+.Ox 2.4 .
+.Pp
+.Fn BUF_MEM_grow_clean
+first appeared in OpenSSL 0.9.7 and has been available since
+.Ox 3.2 .
+.Pp
+.Fn BUF_reverse
+first appeared in OpenSSL 1.0.0 and has been available since
+.Ox 4.9 .
diff --git a/lib/libcrypto/man/CONF_modules_free.3 b/lib/libcrypto/man/CONF_modules_free.3
index 465cc05527..be5f64d1e1 100644
--- a/lib/libcrypto/man/CONF_modules_free.3
+++ b/lib/libcrypto/man/CONF_modules_free.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CONF_modules_free.3,v 1.4 2016/11/20 19:45:17 schwarze Exp $
+.\" $OpenBSD: CONF_modules_free.3,v 1.5 2018/03/22 21:08:22 schwarze Exp $
 .\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 20 2016 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt CONF_MODULES_FREE 3
 .Os
 .Sh NAME
@@ -96,7 +96,8 @@ is 1, all modules, including builtin modules, will be unloaded.
 .Xr OPENSSL_config 3
 .Sh HISTORY
 .Fn CONF_modules_free ,
-.Fn CONF_modules_unload ,
+.Fn CONF_modules_finish ,
 and
-.Fn CONF_modules_finish
-first appeared in OpenSSL 0.9.7.
+.Fn CONF_modules_unload
+first appeared in OpenSSL 0.9.7 and have been available since
+.Ox 3.2 .
diff --git a/lib/libcrypto/man/CONF_modules_load_file.3 b/lib/libcrypto/man/CONF_modules_load_file.3
index 620787b4f1..900108fad4 100644
--- a/lib/libcrypto/man/CONF_modules_load_file.3
+++ b/lib/libcrypto/man/CONF_modules_load_file.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CONF_modules_load_file.3,v 1.5 2016/12/11 18:06:09 schwarze Exp $
+.\" $OpenBSD: CONF_modules_load_file.3,v 1.7 2018/03/22 21:08:22 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 11 2016 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt CONF_MODULES_LOAD_FILE 3
 .Os
 .Sh NAME
@@ -219,9 +219,11 @@ if (fp == NULL) {
 .Sh SEE ALSO
 .Xr CONF_modules_free 3 ,
 .Xr ERR 3 ,
-.Xr OPENSSL_config 3
+.Xr OPENSSL_config 3 ,
+.Xr OPENSSL_init_crypto 3
 .Sh HISTORY
 .Fn CONF_modules_load_file
 and
 .Fn CONF_modules_load
-first appeared in OpenSSL 0.9.7.
+first appeared in OpenSSL 0.9.7 and have been available since
+.Ox 3.2 .
diff --git a/lib/libcrypto/man/CRYPTO_get_mem_functions.3 b/lib/libcrypto/man/CRYPTO_get_mem_functions.3
index 04c0ffadc2..ba6bcc6404 100644
--- a/lib/libcrypto/man/CRYPTO_get_mem_functions.3
+++ b/lib/libcrypto/man/CRYPTO_get_mem_functions.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CRYPTO_get_mem_functions.3,v 1.3 2017/08/20 19:45:19 schwarze Exp $
+.\" $OpenBSD: CRYPTO_get_mem_functions.3,v 1.4 2018/03/20 21:27:32 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 20 2017 $
+.Dd $Mdocdate: March 20 2018 $
 .Dt CRYPTO_GET_MEM_FUNCTIONS 3
 .Os
 .Sh NAME
@@ -90,3 +90,7 @@ always returns 0.
 .Fn CRYPTO_mem_ctrl
 always returns
 .Dv CRYPTO_MEM_CHECK_OFF .
+.Sh HISTORY
+These functions appeared in SSLeay 0.8.1b or earlier
+and have been available since
+.Ox 2.4 .
diff --git a/lib/libcrypto/man/CRYPTO_set_ex_data.3 b/lib/libcrypto/man/CRYPTO_set_ex_data.3
index 0e96e22e4b..9de936d20a 100644
--- a/lib/libcrypto/man/CRYPTO_set_ex_data.3
+++ b/lib/libcrypto/man/CRYPTO_set_ex_data.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CRYPTO_set_ex_data.3,v 1.7 2017/01/06 20:35:23 schwarze Exp $
+.\" $OpenBSD: CRYPTO_set_ex_data.3,v 1.9 2018/03/22 16:06:33 schwarze Exp $
 .\" OpenSSL CRYPTO_get_ex_new_index.pod 35cb565a Nov 19 15:49:30 2015 -0500
 .\"
 .\" This file was written by Dr. Stephen Henson .
@@ -98,7 +98,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 6 2017 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt CRYPTO_SET_EX_DATA 3
 .Os
 .Sh NAME
@@ -391,7 +391,18 @@ On failure an error code can be obtained from
 .Xr RSA_get_ex_new_index 3 ,
 .Xr X509_STORE_CTX_get_ex_new_index 3
 .Sh HISTORY
-.Fn CRYPTO_set_ex_data
+.Fn CRYPTO_get_ex_new_index ,
+.Fn CRYPTO_set_ex_data ,
+.Fn CRYPTO_get_ex_data ,
+.Fn CRYPTO_free_ex_data ,
 and
-.Fn CRYPTO_get_ex_data
-have been available since SSLeay 0.9.0.
+.Fn CRYPTO_new_ex_data
+first appeared in SSLeay 0.9.0 and have been available since
+.Ox 2.4 .
+.Pp
+.Fn CRYPTO_EX_new ,
+.Fn CRYPTO_EX_free ,
+and
+.Fn CRYPTO_EX_dup
+first appeared in OpenSSL 0.9.5 and have been available since
+.Ox 2.7 .
diff --git a/lib/libcrypto/man/CRYPTO_set_locking_callback.3 b/lib/libcrypto/man/CRYPTO_set_locking_callback.3
index 70518c7453..364648c5ec 100644
--- a/lib/libcrypto/man/CRYPTO_set_locking_callback.3
+++ b/lib/libcrypto/man/CRYPTO_set_locking_callback.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CRYPTO_set_locking_callback.3,v 1.5 2016/11/23 16:28:23 schwarze Exp $
+.\" $OpenBSD: CRYPTO_set_locking_callback.3,v 1.9 2018/03/23 04:34:23 schwarze Exp $
 .\" OpenSSL doc/crypto/threads.pod fb552ac6 Sep 30 23:43:01 2009 +0000
 .\"
 .\" This file was written by Ulf Moeller ,
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 23 2016 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt CRYPTO_SET_LOCKING_CALLBACK 3
 .Os
 .Sh NAME
@@ -364,17 +364,38 @@ shows examples of the callback functions on Solaris, Irix and Win32.
 .Sh SEE ALSO
 .Xr crypto 3
 .Sh HISTORY
-.Fn CRYPTO_set_locking_callback
-is available in all versions of SSLeay and OpenSSL.
+.Fn CRYPTO_set_locking_callback ,
+.Fn CRYPTO_lock ,
+.Fn CRYPTO_w_lock ,
+.Fn CRYPTO_w_unlock ,
+.Fn CRYPTO_r_lock ,
+.Fn CRYPTO_r_unlock ,
+and
+.Fn CRYPTO_add
+appeared in SSLeay 0.8.1b or earlier and have been available since
+.Ox 2.4 .
+.Pp
 .Fn CRYPTO_num_locks
-was added in OpenSSL 0.9.4.
-All functions dealing with dynamic locks were added in OpenSSL 0.9.5b-dev.
-.Vt CRYPTO_THREADID
-and associated functions were introduced in OpenSSL 1.0.0 to replace
-(actually, deprecate) the previous
-.Fn CRYPTO_set_id_callback ,
-.Fn CRYPTO_get_id_callback ,
+first appeared in OpenSSL 0.9.4 and have been available since
+.Ox 2.6 .
+.Pp
+.Fn CRYPTO_set_dynlock_create_callback ,
+.Fn CRYPTO_set_dynlock_lock_callback ,
+.Fn CRYPTO_set_dynlock_destroy_callback ,
+.Fn CRYPTO_get_new_dynlockid ,
+and
+.Fn CRYPTO_destroy_dynlockid
+first appeared in OpenSSL 0.9.6 and have been available since
+.Ox 2.9 .
+.Pp
+.Fn CRYPTO_THREADID_set_numeric ,
+.Fn CRYPTO_THREADID_set_pointer ,
+.Fn CRYPTO_THREADID_set_callback ,
+.Fn CRYPTO_THREADID_get_callback ,
+.Fn CRYPTO_THREADID_current ,
+.Fn CRYPTO_THREADID_cmp ,
+.Fn CRYPTO_THREADID_cpy ,
 and
-.Fn CRYPTO_thread_id
-functions which assumed thread IDs to always be represented by
-.Vt unsigned long .
+.Fn CRYPTO_THREADID_hash
+first appeared in OpenSSL 1.0.0 and have been available since
+.Ox 4.9 .
diff --git a/lib/libcrypto/man/DES_set_key.3 b/lib/libcrypto/man/DES_set_key.3
index 0a9e7381bc..d0f0fd3f62 100644
--- a/lib/libcrypto/man/DES_set_key.3
+++ b/lib/libcrypto/man/DES_set_key.3
@@ -1,12 +1,13 @@
-.\" $OpenBSD: DES_set_key.3,v 1.7 2017/02/09 03:43:05 dtucker Exp $
-.\" OpenSSL c7497f34 Aug 14 10:50:26 2014 -0400
+.\" $OpenBSD: DES_set_key.3,v 1.11 2018/03/22 21:08:22 schwarze Exp $
+.\" full merge up to:
+.\" OpenSSL man3/DES_random_key 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
 .\" --------------------------------------------------------------------------
 .\" Major patches to this file were contributed by
 .\" Ulf Moeller , Ben Laurie ,
 .\" and Richard Levitte .
 .\" --------------------------------------------------------------------------
-.\" Copyright (c) 2000, 2001 The OpenSSL Project. All rights reserved.
+.\" Copyright (c) 2000, 2001, 2017 The OpenSSL Project. All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -114,7 +115,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: February 9 2017 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt DES_SET_KEY 3
 .Os
 .Sh NAME
@@ -456,9 +457,6 @@ sets the parity of the passed
 .Fa key
 to odd.
 .Pp
-.Fn DES_is_weak_key
-returns 1 if the passed key is a weak key or 0 if it is ok.
-.Pp
 The following routines mostly operate on an input and output stream of
 .Vt DES_cblock Ns s .
 .Pp
@@ -666,12 +664,16 @@ The following are DES-based transformations: is a fast version of the Unix .Xr crypt 3 function. +The +.Fa salt +must be two ASCII characters. +This version is different from the normal crypt in that the third +parameter is the buffer that the return value is written into. +It needs to be at least 14 bytes long. +The fourteenth byte is set to NUL. This version takes only a small amount of space relative to other fast crypt implementations. -This is different to the normal crypt in that the third parameter is the -buffer that the return value is written into. -It needs to be at least 14 bytes long. -This function is thread safe, unlike the normal crypt. +It is thread safe, unlike the normal crypt. .Pp .Fn DES_crypt is a faster replacement for the normal system @@ -746,6 +748,31 @@ If set to If set to .Dv DES_CBC_MODE DES_cbc_encrypt is used. +.Sh RETURN VALUES +.Fn DES_set_key , +.Fn DES_key_sched , +and +.Fn DES_set_key_checked +return 0 on success or a negative value on error. +.Pp +.Fn DES_is_weak_key +returns 1 if the passed key is a weak key or 0 if it is ok. +.Pp +.Fn DES_cbc_cksum +and +.Fn DES_quad_cksum +return a 4-byte integer representing the last 4 bytes of the checksum +of the input. +.Pp +.Fn DES_fcrypt +returns a pointer to the caller-provided buffer +.Fa ret , +and +.Fn DES_crypt +returns a pointer to a static buffer. +Both are allowed to return +.Dv NULL +to indicate failure, but currently, they cannot fail. .Sh SEE ALSO .Xr crypt 3 , .Xr RAND_bytes 3 
@@ -759,26 +786,58 @@ ANSI X3.106 The DES library was initially written to be source code compatible with the MIT Kerberos library. .Sh HISTORY -In OpenSSL 0.9.7, all des_ functions were renamed to DES_ to avoid -clashes with older versions of libdes. +Versions of +.Fn DES_random_key , +.Fn DES_set_key , +.Fn DES_key_sched , +.Fn DES_set_odd_parity , +.Fn DES_is_weak_key , +.Fn DES_ecb_encrypt , +.Fn DES_ecb2_encrypt , +.Fn DES_ecb3_encrypt , +.Fn DES_ncbc_encrypt , +.Fn DES_cfb_encrypt , +.Fn DES_ofb_encrypt , +.Fn DES_pcbc_encrypt , +.Fn DES_cfb64_encrypt , +.Fn DES_ofb64_encrypt , +.Fn DES_xcbc_encrypt , +.Fn DES_ede2_cbc_encrypt , +.Fn DES_ede2_cfb64_encrypt , +.Fn DES_ede2_ofb64_encrypt , +.Fn DES_ede3_cbc_encrypt , +.Fn DES_ede3_cfb64_encrypt , +.Fn DES_ede3_ofb64_encrypt , +.Fn DES_cbc_cksum , +.Fn DES_quad_cksum , +.Fn DES_string_to_key , +.Fn DES_string_to_2keys , +.Fn DES_fcrypt , +.Fn DES_crypt , +.Fn DES_enc_read , +and +.Fn DES_enc_write +with lower case names starting with +.Sy des_ +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . .Pp +Versions of .Fn DES_set_key_checked and .Fn DES_set_key_unchecked -were added in OpenSSL 0.9.5. -.Pp -.Fn des_generate_random_block , -.Fn des_init_random_number_generator , -.Fn des_new_random_key , -.Fn des_set_random_generator_seed , -.Fn des_set_sequence_number , -and -.Fn des_rand_data 3 -are used in newer versions of Kerberos but are not implemented here. -.Pp -.Fn DES_random_key -generated cryptographically weak random data in SSLeay and in OpenSSL -prior version 0.9.5, as well as in the original MIT library. +with lower case names starting with +.Sy des_ +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . +.Pp +In OpenSSL 0.9.7 and +.Ox 3.2 , +all +.Sy des_ +functions were renamed to +.Sy DES_ +to avoid clashes with older versions of libdes. .Sh AUTHORS .An Eric Young Aq Mt eay@cryptsoft.com .Sh CAVEATS 
diff --git a/lib/libcrypto/man/DH_generate_key.3 b/lib/libcrypto/man/DH_generate_key.3
index 870cfdeff9..74d3ec7052 100644
--- a/lib/libcrypto/man/DH_generate_key.3
+++ b/lib/libcrypto/man/DH_generate_key.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: DH_generate_key.3,v 1.6 2016/12/10 22:22:59 schwarze Exp $
+.\" $OpenBSD: DH_generate_key.3,v 1.8 2018/03/20 22:22:10 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 10 2016 $
+.Dd $Mdocdate: March 20 2018 $
 .Dt DH_GENERATE_KEY 3
 .Os
 .Sh NAME
@@ -110,6 +110,7 @@ returns the size of the shared secret on success, or -1 on error.
 The error codes can be obtained by
 .Xr ERR_get_error 3 .
 .Sh SEE ALSO
+.Xr DH_get0_key 3 ,
 .Xr DH_new 3 ,
 .Xr DH_size 3 ,
 .Xr ERR_get_error 3 ,
@@ -118,4 +119,5 @@ The error codes can be obtained by
 .Fn DH_generate_key
 and
 .Fn DH_compute_key
-are available in all versions of SSLeay and OpenSSL.
+appeared in SSLeay 0.8.1b or earlier and have been available since
+.Ox 2.4 .
diff --git a/lib/libcrypto/man/DH_generate_parameters.3 b/lib/libcrypto/man/DH_generate_parameters.3
index a13699d072..477f65d01c 100644
--- a/lib/libcrypto/man/DH_generate_parameters.3
+++ b/lib/libcrypto/man/DH_generate_parameters.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: DH_generate_parameters.3,v 1.7 2017/06/10 13:10:52 schwarze Exp $
+.\" $OpenBSD: DH_generate_parameters.3,v 1.10 2018/03/23 23:18:17 schwarze Exp $
 .\" OpenSSL 05ea606a May 20 20:52:46 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2017 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt DH_GENERATE_PARAMETERS 3
 .Os
 .Sh NAME
@@ -146,12 +146,17 @@ if the parameter generation fails.
 The error codes can be obtained by
 .Xr ERR_get_error 3 .
 .Sh SEE ALSO
+.Xr DH_get0_pqg 3 ,
 .Xr DH_new 3 ,
 .Xr ERR_get_error 3 ,
 .Xr RAND_bytes 3
 .Sh HISTORY
 .Fn DH_check
-is available in all versions of SSLeay and OpenSSL.
+and
+.Fn DH_generate_parameters
+appeared in SSLeay 0.8.1b or earlier and have been available since
+.Ox 2.4 .
+.Pp
 The
 .Fa cb_arg
 argument to
@@ -162,6 +167,10 @@ In versions before OpenSSL 0.9.5,
 .Dv DH_CHECK_P_NOT_STRONG_PRIME
 is used instead of
 .Dv DH_CHECK_P_NOT_SAFE_PRIME .
+.Pp
+.Fn DH_generate_parameters_ex
+first appeared in OpenSSL 0.9.8 and has been available since
+.Ox 4.5 .
 .Sh CAVEATS
 .Fn DH_generate_parameters_ex
 and
diff --git a/lib/libcrypto/man/DH_get0_pqg.3 b/lib/libcrypto/man/DH_get0_pqg.3
new file mode 100644
index 0000000000..cff96243b2
--- /dev/null
+++ b/lib/libcrypto/man/DH_get0_pqg.3
@@ -0,0 +1,258 @@
+.\" $OpenBSD: DH_get0_pqg.3,v 1.4 2018/03/23 23:18:17 schwarze Exp $
+.\" selective merge up to: OpenSSL 7966101e Sep 18 11:58:24 2017 -0400
+.\"
+.\" This file was written by Matt Caswell .
+.\" Copyright (c) 2016 The OpenSSL Project. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in
+.\" the documentation and/or other materials provided with the
+.\" distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\" software must display the following acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\" endorse or promote products derived from this software without
+.\" prior written permission. For written permission, please contact
+.\" openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\" nor may "OpenSSL" appear in their names without prior written
+.\" permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\" acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: March 23 2018 $
+.Dt DH_GET0_PQG 3
+.Os
+.Sh NAME
+.Nm DH_get0_pqg ,
+.Nm DH_set0_pqg ,
+.Nm DH_get0_key ,
+.Nm DH_set0_key ,
+.Nm DH_clear_flags ,
+.Nm DH_test_flags ,
+.Nm DH_set_flags ,
+.Nm DH_get0_engine ,
+.Nm DH_set_length
+.Nd get data from and set data in a DH object
+.Sh SYNOPSIS
+.In openssl/dh.h
+.Ft void
+.Fo DH_get0_pqg
+.Fa "const DH *dh"
+.Fa "const BIGNUM **p"
+.Fa "const BIGNUM **q"
+.Fa "const BIGNUM **g"
+.Fc
+.Ft int
+.Fo DH_set0_pqg
+.Fa "DH *dh"
+.Fa "BIGNUM *p"
+.Fa "BIGNUM *q"
+.Fa "BIGNUM *g"
+.Fc
+.Ft void
+.Fo DH_get0_key
+.Fa "const DH *dh"
+.Fa "const BIGNUM **pub_key"
+.Fa "const BIGNUM **priv_key"
+.Fc
+.Ft int
+.Fo DH_set0_key
+.Fa "DH *dh"
+.Fa "BIGNUM *pub_key"
+.Fa "BIGNUM *priv_key"
+.Fc
+.Ft void
+.Fo DH_clear_flags
+.Fa "DH *dh"
+.Fa "int flags"
+.Fc
+.Ft int
+.Fo DH_test_flags
+.Fa "const DH *dh"
+.Fa "int flags"
+.Fc
+.Ft void
+.Fo DH_set_flags
+.Fa "DH *dh"
+.Fa "int flags"
+.Fc
+.Ft ENGINE *
+.Fo DH_get0_engine
+.Fa "DH *d"
+.Fc
+.Ft int
+.Fo DH_set_length
+.Fa "DH *dh"
+.Fa "long length"
+.Fc
+.Sh DESCRIPTION
+A
+.Vt DH
+object contains the parameters
+.Fa p ,
+.Fa g ,
+and optionally
+.Fa q .
+It also contains a public key
+.Fa pub_key
+and an optional private key
+.Fa priv_key .
+.Pp
+The
+.Fa p ,
+.Fa q ,
+and
+.Fa g
+parameters can be obtained by calling
+.Fn DH_get0_pqg .
+If the parameters have not yet been set, then
+.Pf * Fa p ,
+.Pf * Fa q ,
+and
+.Pf * Fa g
+are set to
+.Dv NULL .
+Otherwise, they are set to pointers to the internal representations
+of the values that should not be freed by the application.
+.Pp
+The
+.Fa p ,
+.Fa q ,
+and
+.Fa g
+values can be set by calling
+.Fn DH_set0_pqg .
+Calling this function transfers the memory management of the values to
+.Fa dh ,
+and therefore they should not be freed by the caller.
+The
+.Fa q
+argument may be
+.Dv NULL .
+.Pp
+The
+.Fn DH_get0_key
+function stores pointers to the internal representations
+of the public key in
+.Pf * Fa pub_key
+and to the private key in
+.Pf * Fa priv_key .
+Either may be
+.Dv NULL
+if it has not yet been set.
+If the private key has been set, then the public key must be.
+.Pp
+The public and private key values can be set using
+.Fn DH_set0_key .
+Either parameter may be
+.Dv NULL ,
+which means the corresponding
+.Vt DH
+field is left untouched.
+This function transfers the memory management of the key values to
+.Fa dh ,
+and therefore they should not be freed by the caller.
+.Pp
+Values retrieved with
+.Fn DH_get0_pqg
+and
+.Fn DH_get0_key
+are owned by the
+.Vt DH
+object and may therefore not be passed to
+.Fn DH_set0_pqg
+or
+.Fn DH_set0_key .
+If needed, duplicate the received values using
+.Xr BN_dup 3
+and pass the duplicates.
+.Pp
+.Fn DH_clear_flags
+clears the specified
+.Fa flags
+in
+.Fa dh .
+.Fn DH_test_flags
+tests the
+.Fa flags
+in
+.Fa dh .
+.Fn DH_set_flags
+sets the
+.Fa flags
+in
+.Fa dh ;
+any flags already set remain set.
+For all three functions, multiple flags can be passed in one call,
+OR'ed together bitwise.
+.Pp
+.Fn DH_set_length
+sets the optional length attribute of
+.Fa dh ,
+indicating the length of the secret exponent (private key) in bits.
+If the length attribute is non-zero, it is used, otherwise it is ignored.
+.Sh RETURN VALUES
+.Fn DH_set0_pqg ,
+.Fn DH_set0_key ,
+and
+.Fn DH_set_length
+return 1 on success or 0 on failure.
+.Pp
+.Fn DH_test_flags
+return those of the given
+.Fa flags
+currently set in
+.Fa dh
+or 0 if none of the given
+.Fa flags
+are set.
+.Pp
+.Fn DH_get0_engine
+returns a pointer to the
+.Vt ENGINE
+used by the
+.Vt DH
+object
+.Fa dh ,
+or
+.Dv NULL
+if no engine was set for this object.
+.Sh SEE ALSO
+.Xr DH_generate_key 3 ,
+.Xr DH_generate_parameters 3 ,
+.Xr DH_new 3 ,
+.Xr DH_size 3 ,
+.Xr DHparams_print 3
+.Sh HISTORY
+These functions first appeared in OpenSSL 1.1.0
+and have been available since
+.Ox 6.3 .
diff --git a/lib/libcrypto/man/DH_get_ex_new_index.3 b/lib/libcrypto/man/DH_get_ex_new_index.3
index 7f3f0e7765..81a0aff8ec 100644
--- a/lib/libcrypto/man/DH_get_ex_new_index.3
+++ b/lib/libcrypto/man/DH_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: DH_get_ex_new_index.3,v 1.4 2016/12/10 22:22:59 schwarze Exp $
+.\" $OpenBSD: DH_get_ex_new_index.3,v 1.5 2018/03/23 23:18:17 schwarze Exp $
 .\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Ulf Moeller .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 10 2016 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt DH_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -94,4 +94,6 @@ and
 .Fn DH_set_ex_data ,
 and
 .Fn DH_get_ex_data
-are available since OpenSSL 0.9.5.
+first appeared in OpenSSL 0.9.5
+and have been available since
+.Ox 2.7 .
diff --git a/lib/libcrypto/man/DH_new.3 b/lib/libcrypto/man/DH_new.3
index 28f1888c01..19ee49c1a8 100644
--- a/lib/libcrypto/man/DH_new.3
+++ b/lib/libcrypto/man/DH_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: DH_new.3,v 1.4 2016/12/10 22:30:54 schwarze Exp $
+.\" $OpenBSD: DH_new.3,v 1.6 2018/03/20 22:22:10 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 10 2016 $
+.Dd $Mdocdate: March 20 2018 $
 .Dt DH_NEW 3
 .Os
 .Sh NAME
@@ -94,14 +94,17 @@ Otherwise it returns a pointer to the newly allocated structure.
 .Xr d2i_DHparams 3 ,
 .Xr DH_generate_key 3 ,
 .Xr DH_generate_parameters 3 ,
+.Xr DH_get0_pqg 3 ,
 .Xr DH_get_ex_new_index 3 ,
 .Xr DH_set_method 3 ,
 .Xr DH_size 3 ,
 .Xr DHparams_print 3 ,
 .Xr DSA_dup_DH 3 ,
-.Xr ERR_get_error 3
+.Xr ERR_get_error 3 ,
+.Xr EVP_PKEY_set1_DH 3
 .Sh HISTORY
 .Fn DH_new
 and
 .Fn DH_free
-are available in all versions of SSLeay and OpenSSL.
+appeared in SSLeay 0.8.1b or earlier and have been available since
+.Ox 2.4 .
diff --git a/lib/libcrypto/man/DH_set_method.3 b/lib/libcrypto/man/DH_set_method.3
index 31d9b54ca7..77d1616445 100644
--- a/lib/libcrypto/man/DH_set_method.3
+++ b/lib/libcrypto/man/DH_set_method.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: DH_set_method.3,v 1.5 2016/12/10 22:22:59 schwarze Exp $
+.\" $OpenBSD: DH_set_method.3,v 1.6 2018/03/22 16:06:33 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 10 2016 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt DH_SET_METHOD 3
 .Os
 .Sh NAME
@@ -227,7 +227,8 @@ Otherwise it returns a pointer to the newly allocated structure.
 .Fn DH_new_method
 and
 .Fn DH_OpenSSL
-were added in OpenSSL 0.9.4.
+first appeared in OpenSSL 0.9.5 and have been available since
+.Ox 2.7 .
 .Sh CAVEATS
 As of version 0.9.7,
 .Vt DH_METHOD
diff --git a/lib/libcrypto/man/DH_size.3 b/lib/libcrypto/man/DH_size.3
index ea59035734..24ca50f8a5 100644
--- a/lib/libcrypto/man/DH_size.3
+++ b/lib/libcrypto/man/DH_size.3
@@ -1,8 +1,9 @@ -.\" $OpenBSD: DH_size.3,v 1.4 2016/12/10 22:22:59 schwarze Exp $ -.\" OpenSSL 4d524e10 Feb 24 11:55:57 2000 +0000 +.\" $OpenBSD: DH_size.3,v 1.8 2018/03/23 23:18:17 schwarze Exp $ +.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" -.\" This file was written by Ulf Moeller . -.\" Copyright (c) 2000 The OpenSSL Project. All rights reserved. +.\" This file was written by Ulf Moeller +.\" and Kurt Roeckx . +.\" Copyright (c) 2000, 2015 The OpenSSL Project. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -48,35 +49,48 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 10 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt DH_SIZE 3 .Os .Sh NAME -.Nm DH_size +.Nm DH_size , +.Nm DH_bits .Nd get Diffie-Hellman prime size .Sh SYNOPSIS .In openssl/dh.h .Ft int .Fo DH_size -.Fa "DH *dh" +.Fa "const DH *dh" +.Fc +.Ft int +.Fo DH_bits +.Fa "const DH *dh" .Fc .Sh DESCRIPTION -This function returns the Diffie-Hellman size in bytes. +.Fn DH_size +returns the Diffie-Hellman prime size in bytes. It can be used to determine how much memory must be allocated for the shared secret computed by .Xr DH_compute_key 3 . .Pp +.Fn DH_bits +returns the number of significant bits in the key. +.Pp .Fa dh and .Fa dh->p must not be .Dv NULL . -.Sh RETURN VALUES -The size in bytes. .Sh SEE ALSO .Xr BN_num_bytes 3 , .Xr DH_generate_key 3 , +.Xr DH_get0_key 3 , .Xr DH_new 3 .Sh HISTORY .Fn DH_size -is available in all versions of SSLeay and OpenSSL. +appeared in SSLeay 0.8.1b or earlier and has been available since +.Ox 2.4 . +.Pp +.Fn DH_bits +first appeared in OpenSSL 1.1.0 and has been available since +.Ox 6.3 . diff --git a/lib/libcrypto/man/DIST_POINT_new.3 b/lib/libcrypto/man/DIST_POINT_new.3 index bbd4855e11..f97b6d5b55 100644 
--- a/lib/libcrypto/man/DIST_POINT_new.3
+++ b/lib/libcrypto/man/DIST_POINT_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: DIST_POINT_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $
+.\" $OpenBSD: DIST_POINT_new.3,v 1.4 2018/03/23 04:34:23 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 25 2016 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt DIST_POINT_NEW 3
 .Os
 .Sh NAME
@@ -135,3 +135,19 @@ section 4.2.1.13: CRL Distribution Points
 .It
 section 5.2.5: Issuing Distribution Point
 .El
+.Sh HISTORY
+.Fn DIST_POINT_new ,
+.Fn DIST_POINT_free ,
+.Fn CRL_DIST_POINTS_new ,
+.Fn CRL_DIST_POINTS_free ,
+.Fn DIST_POINT_NAME_new ,
+and
+.Fn DIST_POINT_NAME_free
+first appeared in OpenSSL 0.9.3 and have been available since
+.Ox 2.6 .
+.Pp
+.Fn ISSUING_DIST_POINT_new
+and
+.Fn ISSUING_DIST_POINT_free
+first appeared in OpenSSL 1.0.0 and have been available since
+.Ox 4.9 .
diff --git a/lib/libcrypto/man/DSA_SIG_new.3 b/lib/libcrypto/man/DSA_SIG_new.3
index 4b114f4a11..33f2586bc4 100644
--- a/lib/libcrypto/man/DSA_SIG_new.3
+++ b/lib/libcrypto/man/DSA_SIG_new.3
@@ -1,8 +1,10 @@
-.\" $OpenBSD: DSA_SIG_new.3,v 1.4 2016/12/10 22:47:49 schwarze Exp $
-.\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
+.\" $OpenBSD: DSA_SIG_new.3,v 1.7 2018/03/23 23:18:17 schwarze Exp $
+.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
-.\" This file was written by Ulf Moeller .
-.\" Copyright (c) 2000 The OpenSSL Project. All rights reserved.
+.\" This file was written by Ulf Moeller ,
+.\" Dr. Stephen Henson , and
+.\" TJ Saunders .
+.\" Copyright (c) 2000, 2016 The OpenSSL Project. All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -48,24 +50,38 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 10 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt DSA_SIG_NEW 3 .Os .Sh NAME .Nm DSA_SIG_new , -.Nm DSA_SIG_free -.Nd allocate and free DSA signature objects +.Nm DSA_SIG_free , +.Nm DSA_SIG_get0 , +.Nm DSA_SIG_set0 +.Nd manipulate DSA signature objects .Sh SYNOPSIS .In openssl/dsa.h .Ft DSA_SIG * .Fn DSA_SIG_new void .Ft void .Fo DSA_SIG_free -.Fa "DSA_SIG *a" +.Fa "DSA_SIG *sig" +.Fc +.Ft void +.Fo DSA_SIG_get0 +.Fa "const DSA_SIG *sig" +.Fa "const BIGNUM **r" +.Fa "const BIGNUM **s" +.Fc +.Ft int +.Fo DSA_SIG_set0 +.Fa "DSA_SIG *sig" +.Fa "BIGNUM *r" +.Fa "BIGNUM *s" .Fc .Sh DESCRIPTION .Fn DSA_SIG_new -allocates and initializes a +allocates an empty .Vt DSA_SIG structure. .Pp @@ -75,10 +91,28 @@ frees the structure and its components. The values are erased before the memory is returned to the system. If -.Fa a +.Fa sig is a .Dv NULL pointer, no action occurs. +.Pp +.Fn DSA_SIG_get0 +retrieves internal pointers to the +.Fa r +and +.Fa s +values contained in +.Fa sig . +.Pp +The +.Fa r +and +.Fa s +values can be set by calling +.Fn DSA_SIG_set0 . +Calling this function transfers the memory management of the values to +.Fa sig , +and therefore they should not be freed by the caller. .Sh RETURN VALUES If the allocation fails, .Fn DSA_SIG_new @@ -87,6 +121,9 @@ returns and sets an error code that can be obtained by .Xr ERR_get_error 3 . Otherwise it returns a pointer to the newly allocated structure. +.Pp +.Fn DSA_SIG_set0 +returns 1 on success or 0 on failure. .Sh SEE ALSO .Xr DSA_do_sign 3 , .Xr DSA_new 3 , 
@@ -95,4 +132,11 @@ Otherwise it returns a pointer to the newly allocated structure. .Fn DSA_SIG_new and .Fn DSA_SIG_free -were added in OpenSSL 0.9.3. +first appeared in OpenSSL 0.9.3 and have been available since +.Ox 2.6 . +.Pp +.Fn DSA_SIG_get0 +and +.Fn DSA_SIG_set0 +first appeared in OpenSSL 1.1.0 and have been available since +.Ox 6.3 . diff --git a/lib/libcrypto/man/DSA_do_sign.3 b/lib/libcrypto/man/DSA_do_sign.3 index c229c2b629..454cb44478 100644 --- a/lib/libcrypto/man/DSA_do_sign.3 +++ b/lib/libcrypto/man/DSA_do_sign.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: DSA_do_sign.3,v 1.5 2016/12/10 22:47:49 schwarze Exp $ +.\" $OpenBSD: DSA_do_sign.3,v 1.8 2018/03/21 17:57:48 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Ulf Moeller . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 10 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt DSA_DO_SIGN 3 .Os .Sh NAME @@ -106,6 +106,8 @@ and -1 on error. The error codes can be obtained by .Xr ERR_get_error 3 . .Sh SEE ALSO +.Xr DSA_get0_key 3 , +.Xr DSA_meth_set_sign 3 , .Xr DSA_new 3 , .Xr DSA_SIG_new 3 , .Xr DSA_sign 3 , @@ -115,4 +117,5 @@ The error codes can be obtained by .Fn DSA_do_sign and .Fn DSA_do_verify -were added in OpenSSL 0.9.3. +first appeared in OpenSSL 0.9.3 and have been available since +.Ox 2.6 . diff --git a/lib/libcrypto/man/DSA_dup_DH.3 b/lib/libcrypto/man/DSA_dup_DH.3 index a1a67640c5..a7b4f3ec6d 100644 --- a/lib/libcrypto/man/DSA_dup_DH.3 +++ b/lib/libcrypto/man/DSA_dup_DH.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: DSA_dup_DH.3,v 1.5 2016/12/10 22:47:49 schwarze Exp $ +.\" $OpenBSD: DSA_dup_DH.3,v 1.7 2018/03/21 21:18:08 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Ulf Moeller . 
@@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 10 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt DSA_DUP_DH 3 .Os .Sh NAME @@ -82,10 +82,12 @@ The error codes can be obtained by .Xr ERR_get_error 3 . .Sh SEE ALSO .Xr DH_new 3 , +.Xr DSA_get0_pqg 3 , .Xr DSA_new 3 , .Xr ERR_get_error 3 .Sh HISTORY .Fn DSA_dup_DH -was added in OpenSSL 0.9.4. +first appeared in OpenSSL 0.9.4 and has been available since +.Ox 2.6 . .Sh CAVEATS Be careful to avoid small subgroup attacks when using this. diff --git a/lib/libcrypto/man/DSA_generate_key.3 b/lib/libcrypto/man/DSA_generate_key.3 index f9a1681cff..b830385625 100644 --- a/lib/libcrypto/man/DSA_generate_key.3 +++ b/lib/libcrypto/man/DSA_generate_key.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: DSA_generate_key.3,v 1.5 2016/12/10 22:47:49 schwarze Exp $ +.\" $OpenBSD: DSA_generate_key.3,v 1.7 2018/03/20 22:37:32 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Ulf Moeller . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 10 2016 $ +.Dd $Mdocdate: March 20 2018 $ .Dt DSA_GENERATE_KEY 3 .Os .Sh NAME @@ -76,9 +76,11 @@ The error codes can be obtained by .Xr ERR_get_error 3 . .Sh SEE ALSO .Xr DSA_generate_parameters 3 , +.Xr DSA_get0_key 3 , .Xr DSA_new 3 , .Xr ERR_get_error 3 , .Xr RAND_bytes 3 .Sh HISTORY .Fn DSA_generate_key -is available since SSLeay 0.8. +first appeared in SSLeay 0.8 and has been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/DSA_generate_parameters.3 b/lib/libcrypto/man/DSA_generate_parameters.3 index e6e6d90dce..3d124462ca 100644 --- a/lib/libcrypto/man/DSA_generate_parameters.3 +++ b/lib/libcrypto/man/DSA_generate_parameters.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: DSA_generate_parameters.3,v 1.5 2016/12/10 22:47:49 schwarze Exp $ +.\" $OpenBSD: DSA_generate_parameters.3,v 1.9 2018/03/23 00:09:11 schwarze Exp $ .\" OpenSSL 9b86974e Aug 7 22:14:47 2015 -0400 .\" .\" This file was written by Ulf Moeller , @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 10 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt DSA_GENERATE_PARAMETERS 3 .Os .Sh NAME @@ -198,15 +198,18 @@ The error codes can be obtained by .Xr ERR_get_error 3 . .Sh SEE ALSO .Xr BN_generate_prime 3 , +.Xr DSA_get0_pqg 3 , .Xr DSA_new 3 , .Xr ERR_get_error 3 , .Xr RAND_bytes 3 .Sh HISTORY .Fn DSA_generate_parameters -appeared in SSLeay 0.8. -The +first appeared in SSLeay 0.8 and had its .Fa cb_arg -argument was added in SSLeay 0.9.0. +argument added in SSLeay 0.9.0. +It has been available since +.Ox 2.4 . +.Pp In versions up to OpenSSL 0.9.4, .Fn callback 1 ...\& was called in the inner loop of the Miller-Rabin test whenever it @@ -217,5 +220,9 @@ did not reveal how many witnesses had been tested); since OpenSSL 0.9.5, is called as in .Xr BN_is_prime 3 , i.e. once for each witness. +.Pp +.Fn DSA_generate_parameters_ex +first appeared in OpenSSL 0.9.8 and has been available since +.Ox 4.5 . .Sh BUGS Seed lengths > 20 are not supported. diff --git a/lib/libcrypto/man/DSA_get0_pqg.3 b/lib/libcrypto/man/DSA_get0_pqg.3 new file mode 100644 index 0000000000..56d57066be --- /dev/null +++ b/lib/libcrypto/man/DSA_get0_pqg.3 
@@ -0,0 +1,252 @@
+.\" $OpenBSD: DSA_get0_pqg.3,v 1.4 2018/03/23 23:18:17 schwarze Exp $
+.\" full merge up to: OpenSSL e90fc053 Jul 15 09:39:45 2017 -0400
+.\"
+.\" This file was written by Matt Caswell .
+.\" Copyright (c) 2016 The OpenSSL Project. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in
+.\" the documentation and/or other materials provided with the
+.\" distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\" software must display the following acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\" endorse or promote products derived from this software without
+.\" prior written permission. For written permission, please contact
+.\" openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\" nor may "OpenSSL" appear in their names without prior written
+.\" permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\" acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: March 23 2018 $
+.Dt DSA_GET0_PQG 3
+.Os
+.Sh NAME
+.Nm DSA_get0_pqg ,
+.Nm DSA_set0_pqg ,
+.Nm DSA_get0_key ,
+.Nm DSA_set0_key ,
+.Nm DSA_clear_flags ,
+.Nm DSA_test_flags ,
+.Nm DSA_set_flags ,
+.Nm DSA_get0_engine
+.Nd get data from and set data in a DSA object
+.Sh SYNOPSIS
+.In openssl/dsa.h
+.Ft void
+.Fo DSA_get0_pqg
+.Fa "const DSA *d"
+.Fa "const BIGNUM **p"
+.Fa "const BIGNUM **q"
+.Fa "const BIGNUM **g"
+.Fc
+.Ft int
+.Fo DSA_set0_pqg
+.Fa "DSA *d"
+.Fa "BIGNUM *p"
+.Fa "BIGNUM *q"
+.Fa "BIGNUM *g"
+.Fc
+.Ft void
+.Fo DSA_get0_key
+.Fa "const DSA *d"
+.Fa "const BIGNUM **pub_key"
+.Fa "const BIGNUM **priv_key"
+.Fc
+.Ft int
+.Fo DSA_set0_key
+.Fa "DSA *d"
+.Fa "BIGNUM *pub_key"
+.Fa "BIGNUM *priv_key"
+.Fc
+.Ft void
+.Fo DSA_clear_flags
+.Fa "DSA *d"
+.Fa "int flags"
+.Fc
+.Ft int
+.Fo DSA_test_flags
+.Fa "const DSA *d"
+.Fa "int flags"
+.Fc
+.Ft void
+.Fo DSA_set_flags
+.Fa "DSA *d"
+.Fa "int flags"
+.Fc
+.Ft ENGINE *
+.Fo DSA_get0_engine
+.Fa "DSA *d"
+.Fc
+.Sh DESCRIPTION
+A
+.Vt DSA
+object contains the parameters
+.Fa p ,
+.Fa q ,
+and
+.Fa g .
+It also contains a public key
+.Fa pub_key
+and an optional private key
+.Fa priv_key .
+.Pp
+The
+.Fa p ,
+.Fa q ,
+and
+.Fa g
+parameters can be obtained by calling
+.Fn DSA_get0_pqg .
+If the parameters have not yet been set, then
+.Pf * Fa p ,
+.Pf * Fa q ,
+and
+.Pf * Fa g
+are set to
+.Dv NULL .
+Otherwise, they are set to pointers to the internal representations
+of the values that should not be freed by the application.
+.Pp
+The
+.Fa p ,
+.Fa q ,
+and
+.Fa g
+values can be set by calling
+.Fn DSA_set0_pqg .
+Calling this function transfers the memory management of the values to
+.Fa d ,
+and therefore they should not be freed by the caller.
+.Pp
+The
+.Fn DSA_get0_key
+function stores pointers to the internal representations
+of the public key in
+.Pf * Fa pub_key
+and to the private key in
+.Pf * Fa priv_key .
+Either may be
+.Dv NULL
+if it has not yet been set.
+If the private key has been set, then the public key must be.
+.Pp
+The public and private key values can be set using
+.Fn DSA_set0_key .
+The public key must be
+.Pf non- Dv NULL
+the first time this function is called on a given
+.Vt DSA
+object.
+The private key may be
+.Dv NULL .
+On subsequent calls, either may be
+.Dv NULL ,
+which means the corresponding
+.Vt DSA
+field is left untouched.
+.Fn DSA_set0_key
+transfers the memory management of the key values to
+.Fa d ,
+and therefore they should not be freed by the caller.
+.Pp
+Values retrieved with
+.Fn DSA_get0_pqg
+and
+.Fn DSA_get0_key
+are owned by the
+.Vt DSA
+object and may therefore not be passed to
+.Fn DSA_set0_pqg
+or
+.Fn DSA_set0_key .
+If needed, duplicate the received values using
+.Xr BN_dup 3
+and pass the duplicates.
+.Pp
+.Fn DSA_clear_flags
+clears the specified
+.Fa flags
+in
+.Fa d .
+.Fn DSA_test_flags
+tests the
+.Fa flags
+in
+.Fa d .
+.Fn DSA_set_flags
+sets the
+.Fa flags
+in
+.Fa d ;
+any flags already set remain set.
+For all three functions, multiple flags can be passed in one call,
+OR'ed together bitwise.
+.Sh RETURN VALUES
+.Fn DSA_set0_pqg
+and
+.Fn DSA_set0_key
+return 1 on success or 0 on failure.
+.Pp
+.Fn DSA_test_flags
+returns those of the given
+.Fa flags
+currently set in
+.Fa d
+or 0 if none of the given
+.Fa flags
+are set.
+.Pp +.Fn DSA_get0_engine +returns a pointer to the +.Vt ENGINE +used by the +.Vt DSA +object +Fa d , +or +.Dv NULL +if no engine was set for this object. +.Sh SEE ALSO +.Xr DSA_do_sign 3 , +.Xr DSA_dup_DH 3 , +.Xr DSA_generate_key 3 , +.Xr DSA_generate_parameters 3 , +.Xr DSA_new 3 , +.Xr DSA_print 3 , +.Xr DSA_sign 3 , +.Xr DSA_size 3 +.Sh HISTORY +These functions first appeared in OpenSSL 1.1.0 +and have been available since +.Ox 6.3 . diff --git a/lib/libcrypto/man/DSA_get_ex_new_index.3 b/lib/libcrypto/man/DSA_get_ex_new_index.3 index 70235184ce..8fe055f337 100644 --- a/lib/libcrypto/man/DSA_get_ex_new_index.3 +++ b/lib/libcrypto/man/DSA_get_ex_new_index.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: DSA_get_ex_new_index.3,v 1.4 2016/12/10 22:47:49 schwarze Exp $ +.\" $OpenBSD: DSA_get_ex_new_index.3,v 1.5 2018/03/22 16:06:33 schwarze Exp $ .\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400 .\" .\" This file was written by Ulf Moeller . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 10 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt DSA_GET_EX_NEW_INDEX 3 .Os .Sh NAME @@ -94,4 +94,5 @@ and .Fn DSA_set_ex_data , and .Fn DSA_get_ex_data -are available since OpenSSL 0.9.5. +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . diff --git a/lib/libcrypto/man/X509_REVOKED_new.3 b/lib/libcrypto/man/DSA_meth_new.3 similarity index 57% copy from lib/libcrypto/man/X509_REVOKED_new.3 copy to lib/libcrypto/man/DSA_meth_new.3 index f06075fcc2..41f4382422 100644 --- a/lib/libcrypto/man/X509_REVOKED_new.3 +++ b/lib/libcrypto/man/DSA_meth_new.3 
@@ -1,10 +1,10 @@ -.\" $OpenBSD: X509_REVOKED_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $ -.\" OpenSSL X509_CRL_get0_by_serial.pod 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: DSA_meth_new.3,v 1.1 2018/03/18 13:06:36 schwarze Exp $ +.\" selective merge up to: OpenSSL a970b14f Jul 31 18:58:40 2017 -0400 .\" .\" This file is a derived work. .\" The changes are covered by the following Copyright and license: .\" -.\" Copyright (c) 2016 Ingo Schwarze +.\" Copyright (c) 2018 Ingo Schwarze .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -18,8 +18,8 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.\" The original file was written by Dr. Stephen Henson . -.\" Copyright (c) 2015 The OpenSSL Project. All rights reserved. +.\" The original file was written by Matt Caswell . +.\" Copyright (c) 2016 The OpenSSL Project. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions 
@@ -65,83 +65,119 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 25 2016 $ -.Dt X509_REVOKED_NEW 3 +.Dd $Mdocdate: March 18 2018 $ +.Dt DSA_METH_NEW 3 .Os .Sh NAME -.Nm X509_REVOKED_new , -.Nm X509_REVOKED_free , -.Nm X509_REVOKED_set_serialNumber , -.Nm X509_REVOKED_set_revocationDate -.Nd create and change an X.509 CRL revoked entry +.Nm DSA_meth_new , +.Nm DSA_meth_free , +.Nm DSA_meth_dup , +.Nm DSA_meth_set_sign , +.Nm DSA_meth_set_finish +.Nd build up DSA methods .Sh SYNOPSIS -.In openssl/x509.h -.Ft X509_REVOKED * -.Fn X509_REVOKED_new void +.In openssl/dsa.h +.Ft DSA_METHOD * +.Fo DSA_meth_new +.Fa "const char *name" +.Fa "int flags" +.Fc .Ft void -.Fn X509_REVOKED_free "X509_REVOKED *r" +.Fo DSA_meth_free +.Fa "DSA_METHOD *meth" +.Fc +.Ft DSA_METHOD * +.Fo DSA_meth_dup +.Fa "const DSA_METHOD *meth" +.Fc .Ft int -.Fo X509_REVOKED_set_serialNumber -.Fa "X509_REVOKED *r" -.Fa "ASN1_INTEGER *serial" +.Fo DSA_meth_set_sign +.Fa "DSA_METHOD *meth" +.Fa "DSA_SIG *(*sign)(const unsigned char *, int, DSA *)" .Fc .Ft int -.Fo X509_REVOKED_set_revocationDate -.Fa "X509_REVOKED *r" -.Fa "ASN1_TIME *tm" +.Fo DSA_meth_set_finish +.Fa "DSA_METHOD *meth" +.Fa "int (*finish)(DSA *)" .Fc .Sh DESCRIPTION -.Fn X509_REVOKED_new -allocates and initializes an empty -.Vt X509_REVOKED -object, representing one of the elements of -the revokedCertificates field of the ASN.1 -.Vt TBSCertList -structure defined in RFC 5280 section 5.1. -It is used by -.Vt X509_CRL -objects and can hold information about one revoked certificate -including issuer names, serial number, revocation date, and revocation -reason. +The +.Vt DSA_METHOD +structure holds function pinters for custom DSA implementations. .Pp -.Fn X509_REVOKED_free -frees -.Fa r . +.Fn DSA_meth_new +creates a new +.Vt DSA_METHOD +structure. +A copy of the NUL-terminated +.Fa name +is stored in the new +.Vt DSA_METHOD +object. 
+Any new +.Vt DSA +object constructed from this +.Vt DSA_METHOD +will have the given +.Fa flags +set by default. .Pp -.Fn X509_REVOKED_set_serialNumber -sets the serial number of -.Fa r -to -.Fa serial . -The supplied -.Fa serial -pointer is not used internally so it should be freed up after use. +.Fn DSA_meth_dup +creates a deep copy of +.Fa meth . +This might be useful for creating a new +.Vt DSA_METHOD +based on an existing one, but with some differences. .Pp -.Fn X509_REVOKED_set_revocationDate -sets the revocation date of -.Fa r -to -.Fa tm . -The supplied -.Fa tm -pointer is not used internally so it should be freed up after use. -.Sh RETURN VALUES -.Fn X509_REVOKED_new -returns the new -.Vt X509_REVOKED -object or -.Dv NULL -if an error occurs. +.Fn DSA_meth_free +destroys +.Fa meth +and frees any memory associated with it. .Pp -.Fn X509_REVOKED_set_serialNumber +.Fn DSA_meth_set_sign +sets the function used for creating a DSA signature. +This function will be called from +.Xr DSA_do_sign 3 +and indirectly from +.Xr DSA_sign 3 . +The parameters of +.Fa sign +have the same meaning as for +.Xr DSA_do_sign 3 . +.Pp +.Fn DSA_meth_set_finish +sets an optional function for destroying a +.Vt DSA +object. +Unless +.Fa finish +is +.Dv NULL , +it will be called from +.Xr DSA_free 3 . +It takes the same argument +and is intended to do DSA implementation specific cleanup. +The memory used by the +.Vt DSA +object itself should not be freed by the +.Fa finish +function. +.Sh RETURN VALUES +.Fn DSA_meth_new and -.Fn X509_REVOKED_set_revocationDate -return 1 for success or 0 for failure. +.Fn DSA_meth_dup +return the newly allocated DSA_METHOD object or NULL on failure. +.Pp +All +.Fn DSA_meth_set_* +functions return 1 on success or 0 on failure. 
.Sh SEE ALSO -.Xr d2i_X509_CRL 3 , -.Xr ERR_get_error 3 , -.Xr PEM_read_X509_CRL 3 , -.Xr X509_CRL_get0_by_serial 3 -.Sh STANDARDS -RFC 5280: Internet X.509 Public Key Infrastructure Certificate and -Certificate Revocation List (CRL) Profile, section 5.1: CRL Fields +.Xr DSA_do_sign 3 , +.Xr DSA_new 3 , +.Xr DSA_set_method 3 , +.Xr DSA_SIG_new 3 , +.Xr DSA_sign 3 +.Sh HISTORY +These functions first appeared in OpenSSL 1.1.0 +and have been available since +.Ox 6.3 . diff --git a/lib/libcrypto/man/DSA_new.3 b/lib/libcrypto/man/DSA_new.3 index c7339ceff1..c763be54b8 100644 --- a/lib/libcrypto/man/DSA_new.3 +++ b/lib/libcrypto/man/DSA_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: DSA_new.3,v 1.5 2016/12/11 09:57:57 jmc Exp $ +.\" $OpenBSD: DSA_new.3,v 1.8 2018/03/20 22:37:32 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Ulf Moeller . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 11 2016 $ +.Dd $Mdocdate: March 20 2018 $ .Dt DSA_NEW 3 .Os .Sh NAME @@ -99,7 +99,9 @@ Otherwise it returns a pointer to the newly allocated structure. .Xr DSA_dup_DH 3 , .Xr DSA_generate_key 3 , .Xr DSA_generate_parameters 3 , +.Xr DSA_get0_pqg 3 , .Xr DSA_get_ex_new_index 3 , +.Xr DSA_meth_new 3 , .Xr DSA_print 3 , .Xr DSA_set_method 3 , .Xr DSA_SIG_new 3 , @@ -107,6 +109,7 @@ Otherwise it returns a pointer to the newly allocated structure. .Xr DSA_size 3 , .Xr engine 3 , .Xr ERR_get_error 3 , +.Xr EVP_PKEY_set1_DSA 3 , .Xr RSA_new 3 .Sh STANDARDS US Federal Information Processing Standard FIPS 186 (Digital Signature @@ -115,4 +118,5 @@ Standard, DSS), ANSI X9.30 .Fn DSA_new and .Fn DSA_free -are available in all versions of SSLeay and OpenSSL. +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/DSA_set_method.3 b/lib/libcrypto/man/DSA_set_method.3 index 344ec7c9b0..f54c392097 100644 
--- a/lib/libcrypto/man/DSA_set_method.3 +++ b/lib/libcrypto/man/DSA_set_method.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: DSA_set_method.3,v 1.6 2016/12/10 22:47:49 schwarze Exp $ +.\" $OpenBSD: DSA_set_method.3,v 1.8 2018/03/22 16:06:33 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Ulf Moeller . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 10 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt DSA_SET_METHOD 3 .Os .Sh NAME @@ -223,6 +223,7 @@ and sets an error code that can be obtained by if the allocation fails. Otherwise it returns a pointer to the newly allocated structure. .Sh SEE ALSO +.Xr DSA_meth_new 3 , .Xr DSA_new 3 .Sh HISTORY .Fn DSA_set_default_method , @@ -231,7 +232,8 @@ Otherwise it returns a pointer to the newly allocated structure. .Fn DSA_new_method , and .Fn DSA_OpenSSL -were added in OpenSSL 0.9.4. +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . .Sh CAVEATS As of version 0.9.7, DSA_METHOD implementations are grouped together with other algorithmic APIs (e.g. RSA_METHOD, EVP_CIPHER) in diff --git a/lib/libcrypto/man/DSA_sign.3 b/lib/libcrypto/man/DSA_sign.3 index 8c85127681..2a7e1fb490 100644 --- a/lib/libcrypto/man/DSA_sign.3 +++ b/lib/libcrypto/man/DSA_sign.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: DSA_sign.3,v 1.5 2016/12/10 22:47:49 schwarze Exp $ +.\" $OpenBSD: DSA_sign.3,v 1.7 2018/03/20 22:37:32 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Ulf Moeller . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 10 2016 $ +.Dd $Mdocdate: March 20 2018 $ .Dt DSA_SIGN 3 .Os .Sh NAME 
@@ -157,6 +157,7 @@ The error codes can be obtained by .Xr ERR_get_error 3 . .Sh SEE ALSO .Xr DSA_do_sign 3 , +.Xr DSA_get0_key 3 , .Xr DSA_new 3 , .Xr ERR_get_error 3 , .Xr RAND_bytes 3 @@ -167,6 +168,8 @@ Standard, DSS), ANSI X9.30 .Fn DSA_sign and .Fn DSA_verify -are available in all versions of SSLeay. +appeared before SSLeay 0.8. .Fn DSA_sign_setup -was added in SSLeay 0.8. +first appeared in SSLeay 0.8. +All these functions have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/DSA_size.3 b/lib/libcrypto/man/DSA_size.3 index 373b142c79..74f7d979b6 100644 --- a/lib/libcrypto/man/DSA_size.3 +++ b/lib/libcrypto/man/DSA_size.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: DSA_size.3,v 1.4 2016/12/10 22:47:49 schwarze Exp $ +.\" $OpenBSD: DSA_size.3,v 1.6 2018/03/20 22:37:32 schwarze Exp $ .\" OpenSSL 05ea606a May 20 20:52:46 2016 -0400 .\" .\" This file was written by Ulf Moeller . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 10 2016 $ +.Dd $Mdocdate: March 20 2018 $ .Dt DSA_SIZE 3 .Os .Sh NAME @@ -72,8 +72,10 @@ must not be .Sh RETURN VALUES The size in bytes. .Sh SEE ALSO +.Xr DSA_get0_pqg 3 , .Xr DSA_new 3 , .Xr DSA_sign 3 .Sh HISTORY .Fn DSA_size -is available in all versions of SSLeay and OpenSSL. +appeared before SSLeay 0.8 and has been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/ECDSA_SIG_new.3 b/lib/libcrypto/man/ECDSA_SIG_new.3 index da3d3fe0d1..7a6fa4fa78 100644 --- a/lib/libcrypto/man/ECDSA_SIG_new.3 +++ b/lib/libcrypto/man/ECDSA_SIG_new.3 
@@ -1,8 +1,8 @@ -.\" $OpenBSD: ECDSA_SIG_new.3,v 1.8 2017/01/06 20:35:23 schwarze Exp $ -.\" OpenSSL e6390aca Jul 21 10:06:03 2015 -0400 +.\" $OpenBSD: ECDSA_SIG_new.3,v 1.11 2018/03/23 23:18:17 schwarze Exp $ +.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100 .\" .\" This file was written by Nils Larsch . -.\" Copyright (c) 2004, 2005, 2012, 2013 The OpenSSL Project. +.\" Copyright (c) 2004, 2005, 2013, 2016 The OpenSSL Project. .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -49,12 +49,14 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 6 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt ECDSA_SIG_NEW 3 .Os .Sh NAME .Nm ECDSA_SIG_new , .Nm ECDSA_SIG_free , +.Nm ECDSA_SIG_get0 , +.Nm ECDSA_SIG_set0 , .Nm i2d_ECDSA_SIG , .Nm d2i_ECDSA_SIG , .Nm ECDSA_size , @@ -80,6 +82,18 @@ .Fo ECDSA_SIG_free .Fa "ECDSA_SIG *sig" .Fc +.Ft void +.Fo ECDSA_SIG_get0 +.Fa "const ECDSA_SIG *sig" +.Fa "const BIGNUM **r" +.Fa "const BIGNUM **s" +.Fc +.Ft int +.Fo ECDSA_SIG_set0 +.Fa "ECDSA_SIG *sig" +.Fa "BIGNUM *r" +.Fa "BIGNUM *s" +.Fc .Ft int .Fo i2d_ECDSA_SIG .Fa "const ECDSA_SIG *sig" @@ -210,6 +224,26 @@ frees the structure .Fa sig . .Pp +.Fn ECDSA_SIG_get0 +retrieves internal pointers the +.Fa r +and +.Fa s +values contained in +.Fa sig . +.Pp +.Fn ECDSA_SIG_set0 +sets the +.Fa r +and +.Fa s +values in +.Fa sig . +Calling this function transfers the memory management of the values to +.Fa sig . +Therefore, the values that have been passed in +should not be freed by the caller. +.Pp .Fn i2d_ECDSA_SIG creates the DER encoding of the ECDSA signature .Fa sig @@ -345,6 +379,7 @@ using the public key .Fn ECDSA_size returns the maximum length signature or 0 on error. .Pp +.Fn ECDSA_SIG_set0 , .Fn ECDSA_sign , .Fn ECDSA_sign_ex , and 
@@ -448,7 +483,31 @@ if (ret == -1) { ANSI X9.62, US Federal Information Processing Standard FIPS 186-2 (Digital Signature Standard, DSS) .Sh HISTORY -The ECDSA implementation was first introduced in OpenSSL 0.9.8. +.Fn ECDSA_SIG_new , +.Fn ECDSA_SIG_free , +.Fn i2d_ECDSA_SIG , +.Fn d2i_ECDSA_SIG , +.Fn ECDSA_size , +.Fn ECDSA_sign_setup , +.Fn ECDSA_sign , +.Fn ECDSA_sign_ex , +.Fn ECDSA_verify , +.Fn ECDSA_do_sign , +.Fn ECDSA_do_sign_ex , +.Fn ECDSA_do_verify , +.Fn ECDSA_OpenSSL , +.Fn ECDSA_get_default_method , +.Fn ECDSA_set_default_method , +and +.Fn ECDSA_set_method +first appeared in OpenSSL 0.9.8 and have been available since +.Ox 4.5 . +.Pp +.Fn ECDSA_SIG_get0 +and +.Fn ECDSA_SIG_set0 +first appeared in OpenSSL 1.1.0 and have been available since +.Ox 6.3 . .Sh AUTHORS .An Nils Larsch for the OpenSSL project. diff --git a/lib/libcrypto/man/EC_GFp_simple_method.3 b/lib/libcrypto/man/EC_GFp_simple_method.3 index 7f08e707f5..ad5268fa92 100644 --- a/lib/libcrypto/man/EC_GFp_simple_method.3 +++ b/lib/libcrypto/man/EC_GFp_simple_method.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EC_GFp_simple_method.3,v 1.6 2016/12/11 14:22:43 schwarze Exp $ +.\" $OpenBSD: EC_GFp_simple_method.3,v 1.9 2018/03/23 05:48:56 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Matt Caswell . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 11 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt EC_GFP_SIMPLE_METHOD 3 .Os .Sh NAME 
@@ -159,3 +159,23 @@ structure supports. .Xr EC_KEY_new 3 , .Xr EC_POINT_add 3 , .Xr EC_POINT_new 3 +.Sh HISTORY +.Fn EC_GFp_simple_method +and +.Fn EC_GFp_mont_method +first appeared in OpenSSL 0.9.7 and have been available since +.Ox 3.2 . +.Pp +.Fn EC_GFp_nist_method , +.Fn EC_GF2m_simple_method , +and +.Fn EC_METHOD_get_field_type +first appeared in OpenSSL 0.9.8 and have been available since +.Ox 4.5 . +.Pp +.Fn EC_GFp_nistp224_method , +.Fn EC_GFp_nistp256_method , +and +.Fn EC_GFp_nistp521_method +first appeared in OpenSSL 1.0.1 and have been available since +.Ox 5.3 . diff --git a/lib/libcrypto/man/EC_GROUP_copy.3 b/lib/libcrypto/man/EC_GROUP_copy.3 index d857a21929..bdbd72c2cc 100644 --- a/lib/libcrypto/man/EC_GROUP_copy.3 +++ b/lib/libcrypto/man/EC_GROUP_copy.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EC_GROUP_copy.3,v 1.7 2016/12/11 14:22:43 schwarze Exp $ +.\" $OpenBSD: EC_GROUP_copy.3,v 1.10 2018/03/23 23:18:17 schwarze Exp $ .\" OpenSSL aafbe1cc Jun 12 23:42:08 2013 +0100 .\" .\" This file was written by Matt Caswell . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 11 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt EC_GROUP_COPY 3 .Os .Sh NAME 
@@ -485,3 +485,34 @@ Alternatively in the event of an error a 0 is returned. .Xr EC_KEY_new 3 , .Xr EC_POINT_add 3 , .Xr EC_POINT_new 3 +.Sh HISTORY +.Fn EC_GROUP_copy , +.Fn EC_GROUP_method_of , +.Fn EC_GROUP_set_generator , +.Fn EC_GROUP_get0_generator , +.Fn EC_GROUP_get_order , +and +.Fn EC_GROUP_get_cofactor +first appeared in OpenSSL 0.9.7 and have been available since +.Ox 3.2 . +.Pp +.Fn EC_GROUP_dup , +.Fn EC_GROUP_set_curve_name , +.Fn EC_GROUP_get_curve_name , +.Fn EC_GROUP_set_asn1_flag , +.Fn EC_GROUP_get_asn1_flag , +.Fn EC_GROUP_set_point_conversion_form , +.Fn EC_GROUP_get_point_conversion_form , +.Fn EC_GROUP_get0_seed , +.Fn EC_GROUP_get_seed_len , +.Fn EC_GROUP_set_seed , +.Fn EC_GROUP_get_degree , +.Fn EC_GROUP_check , +.Fn EC_GROUP_check_discriminant , +.Fn EC_GROUP_cmp , +.Fn EC_GROUP_get_basis_type , +.Fn EC_GROUP_get_trinomial_basis , +and +.Fn EC_GROUP_get_pentanomial_basis +first appeared in OpenSSL 0.9.8 and has been available since +.Ox 4.5 . diff --git a/lib/libcrypto/man/EC_GROUP_new.3 b/lib/libcrypto/man/EC_GROUP_new.3 index f1227da759..beba8ce72a 100644 --- a/lib/libcrypto/man/EC_GROUP_new.3 +++ b/lib/libcrypto/man/EC_GROUP_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EC_GROUP_new.3,v 1.6 2016/12/11 14:22:43 schwarze Exp $ +.\" $OpenBSD: EC_GROUP_new.3,v 1.8 2018/03/23 00:09:11 schwarze Exp $ .\" OpenSSL 9b86974e Mon Aug 17 15:21:33 2015 -0400 .\" .\" This file was written by Matt Caswell . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 11 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt EC_GROUP_NEW 3 .Os .Sh NAME 
@@ -306,3 +306,22 @@ return 1 on success or 0 on error. .Xr EC_POINT_add 3 , .Xr EC_POINT_new 3 , .Xr ECDSA_SIG_new 3 +.Sh HISTORY +.Fn EC_GROUP_new , +.Fn EC_GROUP_free , +.Fn EC_GROUP_clear_free , +.Fn EC_GROUP_new_curve_GFp , +.Fn EC_GROUP_set_curve_GFp , +and +.Fn EC_GROUP_get_curve_GFp +first appeared in OpenSSL 0.9.7 and have been available since +.Ox 3.2 . +.Pp +.Fn EC_GROUP_new_curve_GF2m , +.Fn EC_GROUP_new_by_curve_name , +.Fn EC_GROUP_set_curve_GF2m , +.Fn EC_GROUP_get_curve_GF2m , +and +.Fn EC_get_builtin_curves +first appeared in OpenSSL 0.9.8 and have been available since +.Ox 4.5 . diff --git a/lib/libcrypto/man/EC_KEY_new.3 b/lib/libcrypto/man/EC_KEY_new.3 index 742be773ee..c77233b4ee 100644 --- a/lib/libcrypto/man/EC_KEY_new.3 +++ b/lib/libcrypto/man/EC_KEY_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EC_KEY_new.3,v 1.8 2016/12/11 14:22:43 schwarze Exp $ +.\" $OpenBSD: EC_KEY_new.3,v 1.13 2018/03/23 23:18:17 schwarze Exp $ .\" OpenSSL d900a015 Oct 8 14:40:42 2015 +0200 .\" .\" This file was written by Matt Caswell . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 11 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt EC_KEY_NEW 3 .Os .Sh NAME 
@@ -524,4 +524,41 @@ returns the point_conversion_form for the .Xr EC_GROUP_new 3 , .Xr EC_POINT_add 3 , .Xr EC_POINT_new 3 , -.Xr ECDSA_SIG_new 3 +.Xr ECDSA_SIG_new 3 , +.Xr EVP_PKEY_set1_EC_KEY 3 +.Sh HISTORY +.Fn EC_KEY_new , +.Fn EC_KEY_new_by_curve_name , +.Fn EC_KEY_free , +.Fn EC_KEY_copy , +.Fn EC_KEY_dup , +.Fn EC_KEY_up_ref , +.Fn EC_KEY_get0_group , +.Fn EC_KEY_set_group , +.Fn EC_KEY_get0_private_key , +.Fn EC_KEY_set_private_key , +.Fn EC_KEY_get0_public_key , +.Fn EC_KEY_set_public_key , +.Fn EC_KEY_get_enc_flags , +.Fn EC_KEY_set_enc_flags , +.Fn EC_KEY_get_conv_form , +.Fn EC_KEY_set_conv_form , +.Fn EC_KEY_get_key_method_data , +.Fn EC_KEY_insert_key_method_data , +.Fn EC_KEY_set_asn1_flag , +.Fn EC_KEY_precompute_mult , +.Fn EC_KEY_generate_key , +.Fn EC_KEY_check_key , +.Fn EC_KEY_print , +and +.Fn EC_KEY_print_fp +first appeared in OpenSSL 0.9.8 and have been available since +.Ox 4.5 . +.Pp +.Fn EC_KEY_get_flags , +.Fn EC_KEY_set_flags , +.Fn EC_KEY_clear_flags , +and +.Fn EC_KEY_set_public_key_affine_coordinates +first appeared in OpenSSL 1.0.1 and have been available since +.Ox 5.3 . diff --git a/lib/libcrypto/man/EC_POINT_add.3 b/lib/libcrypto/man/EC_POINT_add.3 index dd3d58056a..c58f4016a9 100644 --- a/lib/libcrypto/man/EC_POINT_add.3 +++ b/lib/libcrypto/man/EC_POINT_add.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EC_POINT_add.3,v 1.6 2016/12/11 14:22:43 schwarze Exp $ +.\" $OpenBSD: EC_POINT_add.3,v 1.8 2018/03/23 00:09:11 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Matt Caswell . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 11 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt EC_POINT_ADD 3 .Os .Sh NAME 
@@ -271,3 +271,22 @@ returns 1 if a precomputation has been done or 0 if not.
 .Xr EC_GROUP_new 3 ,
 .Xr EC_KEY_new 3 ,
 .Xr EC_POINT_new 3
+.Sh HISTORY
+.Fn EC_POINT_add ,
+.Fn EC_POINT_dbl ,
+.Fn EC_POINT_invert ,
+.Fn EC_POINT_is_at_infinity ,
+.Fn EC_POINT_is_on_curve ,
+.Fn EC_POINT_cmp ,
+.Fn EC_POINT_make_affine ,
+.Fn EC_POINTs_make_affine ,
+.Fn EC_POINTs_mul ,
+.Fn EC_POINT_mul ,
+and
+.Fn EC_GROUP_precompute_mult
+first appeared in OpenSSL 0.9.7 and have been available since
+.Ox 3.2 .
+.Pp
+.Fn EC_GROUP_have_precompute_mult
+first appeared in OpenSSL 0.9.8 and has been available since
+.Ox 4.5 .
diff --git a/lib/libcrypto/man/EC_POINT_new.3 b/lib/libcrypto/man/EC_POINT_new.3
index 1e09208ffa..77023403b9 100644
--- a/lib/libcrypto/man/EC_POINT_new.3
+++ b/lib/libcrypto/man/EC_POINT_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EC_POINT_new.3,v 1.6 2016/12/11 14:22:43 schwarze Exp $
+.\" $OpenBSD: EC_POINT_new.3,v 1.8 2018/03/23 00:09:11 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Matt Caswell .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 11 2016 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt EC_POINT_NEW 3
 .Os
 .Sh NAME
@@ -470,3 +470,32 @@ on error.
 .Xr EC_GROUP_new 3 ,
 .Xr EC_KEY_new 3 ,
 .Xr EC_POINT_add 3
+.Sh HISTORY
+.Fn EC_POINT_new ,
+.Fn EC_POINT_free ,
+.Fn EC_POINT_clear_free ,
+.Fn EC_POINT_copy ,
+.Fn EC_POINT_method_of ,
+.Fn EC_POINT_set_to_infinity ,
+.Fn EC_POINT_set_affine_coordinates_GFp ,
+.Fn EC_POINT_get_affine_coordinates_GFp ,
+.Fn EC_POINT_set_Jprojective_coordinates_GFp ,
+.Fn EC_POINT_get_Jprojective_coordinates_GFp ,
+.Fn EC_POINT_set_compressed_coordinates_GFp ,
+.Fn EC_POINT_point2oct ,
+and
+.Fn EC_POINT_oct2point
+first appeared in OpenSSL 0.9.7 and have been available since
+.Ox 3.2 .
+.Pp
+.Fn EC_POINT_dup ,
+.Fn EC_POINT_set_affine_coordinates_GF2m ,
+.Fn EC_POINT_get_affine_coordinates_GF2m ,
+.Fn EC_POINT_set_compressed_coordinates_GF2m ,
+.Fn EC_POINT_point2bn ,
+.Fn EC_POINT_bn2point ,
+.Fn EC_POINT_point2hex ,
+and
+.Fn EC_POINT_hex2point
+first appeared in OpenSSL 0.9.8 and have been available since
+.Ox 4.5 .
diff --git a/lib/libcrypto/man/ERR_GET_LIB.3 b/lib/libcrypto/man/ERR_GET_LIB.3
index 03f56c09f6..b43f731ba8 100644
--- a/lib/libcrypto/man/ERR_GET_LIB.3
+++ b/lib/libcrypto/man/ERR_GET_LIB.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ERR_GET_LIB.3,v 1.5 2016/12/16 08:53:30 schwarze Exp $
+.\" $OpenBSD: ERR_GET_LIB.3,v 1.6 2018/03/20 22:56:38 schwarze Exp $
 .\" OpenSSL doc/man3/ERR_GET_LIB.pod 3dfda1a6 Dec 12 11:14:40 2016 -0500
 .\"
 .\" This file was written by Ulf Moeller .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 16 2016 $
+.Dd $Mdocdate: March 20 2018 $
 .Dt ERR_GET_LIB 3
 .Os
 .Sh NAME
@@ -119,6 +119,8 @@ returns non-zero if the error is fatal or 0 otherwise.
 .Sh HISTORY
 .Fn ERR_GET_LIB ,
 .Fn ERR_GET_FUNC ,
+.Fn ERR_GET_REASON ,
 and
-.Fn ERR_GET_REASON
-are available in all versions of SSLeay and OpenSSL.
+.Fn ERR_FATAL_ERROR
+appeared in SSLeay 0.8.1b or earlier and have been available since
+.Ox 2.4 .
diff --git a/lib/libcrypto/man/ERR_clear_error.3 b/lib/libcrypto/man/ERR_clear_error.3
index 7ad4a4ed5e..89d4f320a4 100644
--- a/lib/libcrypto/man/ERR_clear_error.3
+++ b/lib/libcrypto/man/ERR_clear_error.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ERR_clear_error.3,v 1.3 2016/11/23 17:58:42 schwarze Exp $
+.\" $OpenBSD: ERR_clear_error.3,v 1.4 2018/03/20 22:56:38 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 23 2016 $
+.Dd $Mdocdate: March 20 2018 $
 .Dt ERR_CLEAR_ERROR 3
 .Os
 .Sh NAME
@@ -66,4 +66,5 @@ empties the current thread's error queue.
 .Xr ERR_get_error 3
 .Sh HISTORY
 .Fn ERR_clear_error
-is available in all versions of SSLeay and OpenSSL.
+appeared in SSLeay 0.8.1b or earlier and has been available since
+.Ox 2.4 .
diff --git a/lib/libcrypto/man/ERR_error_string.3 b/lib/libcrypto/man/ERR_error_string.3
index 48f323025e..1587be1bbd 100644
--- a/lib/libcrypto/man/ERR_error_string.3
+++ b/lib/libcrypto/man/ERR_error_string.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ERR_error_string.3,v 1.4 2016/11/23 17:55:31 schwarze Exp $
+.\" $OpenBSD: ERR_error_string.3,v 1.6 2018/03/23 23:18:17 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 23 2016 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt ERR_ERROR_STRING 3
 .Os
 .Sh NAME
@@ -163,7 +163,14 @@ if none is registered for the error code.
 .Xr ERR_print_errors 3 ,
 .Xr SSL_load_error_strings 3
 .Sh HISTORY
-.Fn ERR_error_string
-is available in all versions of SSLeay and OpenSSL.
+.Fn ERR_error_string ,
+.Fn ERR_lib_error_string ,
+.Fn ERR_func_error_string ,
+and
+.Fn ERR_reason_error_string
+appeared in SSLeay 0.8.1b or earlier and have been available since
+.Ox 2.4 .
+.Pp
 .Fn ERR_error_string_n
-was added in OpenSSL 0.9.6.
+first appeared in OpenSSL 0.9.6 and has been available since
+.Ox 2.9 .
diff --git a/lib/libcrypto/man/ERR_get_error.3 b/lib/libcrypto/man/ERR_get_error.3
index 361d7ab746..a8ab16b713 100644
--- a/lib/libcrypto/man/ERR_get_error.3
+++ b/lib/libcrypto/man/ERR_get_error.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ERR_get_error.3,v 1.4 2016/11/23 17:59:29 schwarze Exp $
+.\" $OpenBSD: ERR_get_error.3,v 1.7 2018/03/22 21:08:22 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 23 2016 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt ERR_GET_ERROR 3
 .Os
 .Sh NAME
@@ -173,13 +173,17 @@ The error code, or 0 if there is no error in the queue.
 .Fn ERR_get_error_line ,
 and
 .Fn ERR_peek_error_line
-are available in all versions of SSLeay and OpenSSL.
+appeared in SSLeay 0.8.1b or earlier.
 .Fn ERR_get_error_line_data
 and
 .Fn ERR_peek_error_line_data
-were added in SSLeay 0.9.0.
+first appeared in SSLeay 0.9.0.
+All these functions have been available since
+.Ox 2.4 .
+.Pp
 .Fn ERR_peek_last_error ,
 .Fn ERR_peek_last_error_line ,
 and
 .Fn ERR_peek_last_error_line_data
-were added in OpenSSL 0.9.7.
+first appeared in OpenSSL 0.9.7 and have been available since
+.Ox 3.2 .
diff --git a/lib/libcrypto/man/ERR_load_crypto_strings.3 b/lib/libcrypto/man/ERR_load_crypto_strings.3
index 812258f60a..2f1af112c3 100644
--- a/lib/libcrypto/man/ERR_load_crypto_strings.3 +++ b/lib/libcrypto/man/ERR_load_crypto_strings.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ERR_load_crypto_strings.3,v 1.5 2017/01/26 04:37:08 schwarze Exp $ +.\" $OpenBSD: ERR_load_crypto_strings.3,v 1.6 2018/03/20 20:26:23 schwarze Exp $ .\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400 .\" .\" This file is a derived work. @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 26 2017 $ +.Dd $Mdocdate: March 20 2018 $ .Dt ERR_LOAD_CRYPTO_STRINGS 3 .Os .Sh NAME @@ -120,10 +120,12 @@ frees all previously loaded error strings. .Xr ERR_error_string 3 .Sh HISTORY .Fn ERR_load_crypto_strings , -.Fn SSL_load_error_strings , +.Fn ERR_free_strings , +.Fn ERR_load_BN_strings , and -.Fn ERR_free_strings -are available in all versions of SSLeay and OpenSSL. +.Fn SSL_load_error_strings +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . .Sh BUGS Even though the error strings are already compiled into the object code of the library as static strings, these functions store them diff --git a/lib/libcrypto/man/ERR_load_strings.3 b/lib/libcrypto/man/ERR_load_strings.3 index 74fd989bf3..a4470be735 100644 --- a/lib/libcrypto/man/ERR_load_strings.3 +++ b/lib/libcrypto/man/ERR_load_strings.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ERR_load_strings.3,v 1.4 2016/11/23 17:59:29 schwarze Exp $ +.\" $OpenBSD: ERR_load_strings.3,v 1.6 2018/03/21 06:44:51 schwarze Exp $ .\" OpenSSL 05ea606a May 20 20:52:46 2016 -0400 .\" .\" This file was written by Ulf Moeller . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 23 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt ERR_LOAD_STRINGS 3 .Os .Sh NAME 
@@ -107,9 +107,11 @@ returns a new library number.
 .Sh SEE ALSO
 .Xr ERR 3
 .Sh HISTORY
-.Fn ERR_load_error_strings
+.Fn ERR_load_strings
 and
 .Fn ERR_PACK
-are available in all versions of SSLeay and OpenSSL.
+appeared in SSLeay 0.8.1b or earlier.
 .Fn ERR_get_next_error_library
-was added in SSLeay 0.9.0.
+first appeared in SSLeay 0.9.0.
+These functions have been available since
+.Ox 2.4 .
diff --git a/lib/libcrypto/man/ERR_print_errors.3 b/lib/libcrypto/man/ERR_print_errors.3
index aedc65d616..cf65d2384b 100644
--- a/lib/libcrypto/man/ERR_print_errors.3
+++ b/lib/libcrypto/man/ERR_print_errors.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ERR_print_errors.3,v 1.4 2016/11/23 17:56:36 schwarze Exp $
+.\" $OpenBSD: ERR_print_errors.3,v 1.6 2018/03/22 21:08:22 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller ,
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 23 2016 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt ERR_PRINT_ERRORS 3
 .Os
 .Sh NAME
@@ -118,4 +118,9 @@ return no values.
 .Fn ERR_print_errors
 and
 .Fn ERR_print_errors_fp
-are available in all versions of SSLeay and OpenSSL.
+appeared in SSLeay 0.8.1b or earlier and have been available since
+.Ox 2.4 .
+.Pp
+.Fn ERR_print_errors_cb
+first appeared in OpenSSL 0.9.7 and has been available since
+.Ox 3.2 .
diff --git a/lib/libcrypto/man/ERR_put_error.3 b/lib/libcrypto/man/ERR_put_error.3
index 3011e16df4..3651503144 100644
--- a/lib/libcrypto/man/ERR_put_error.3
+++ b/lib/libcrypto/man/ERR_put_error.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ERR_put_error.3,v 1.5 2017/02/20 23:21:19 beck Exp $
+.\" $OpenBSD: ERR_put_error.3,v 1.8 2018/03/23 05:48:56 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller .
@@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: February 20 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt ERR_PUT_ERROR 3 .Os .Sh NAME @@ -147,6 +147,12 @@ macro. .Xr ERR_load_strings 3 .Sh HISTORY .Fn ERR_put_error -is available in all versions of SSLeay and OpenSSL. +appeared in SSLeay 0.8.1b or earlier. .Fn ERR_add_error_data -was added in SSLeay 0.9.0. +first appeared in SSLeay 0.9.0. +These functions have been available since +.Ox 2.4 . +.Pp +.Fn ERR_add_error_vdata +first appeared in OpenSSL 1.0.1 and has been available since +.Ox 5.3 . diff --git a/lib/libcrypto/man/ERR_remove_state.3 b/lib/libcrypto/man/ERR_remove_state.3 index 7fd63aa07b..c667bd5eea 100644 --- a/lib/libcrypto/man/ERR_remove_state.3 +++ b/lib/libcrypto/man/ERR_remove_state.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ERR_remove_state.3,v 1.3 2016/11/23 17:59:29 schwarze Exp $ +.\" $OpenBSD: ERR_remove_state.3,v 1.5 2018/03/23 04:34:23 schwarze Exp $ .\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400 .\" .\" This file was written by Ulf Moeller and @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 23 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt ERR_REMOVE_STATE 3 .Os .Sh NAME @@ -101,8 +101,12 @@ return no value. .Xr ERR 3 .Sh HISTORY .Fn ERR_remove_state -is available in all versions of SSLeay and OpenSSL. -It was deprecated in OpenSSL 1.0.0 when +appeared in SSLeay 0.8.1b or earlier and has been available since +.Ox 2.4 . +.Pp +It was deprecated in OpenSSL 1.0.0 and +.Ox 4.9 +when .Fn ERR_remove_thread_state was introduced and thread IDs were introduced to identify threads instead of diff --git a/lib/libcrypto/man/ERR_set_mark.3 b/lib/libcrypto/man/ERR_set_mark.3 index bc8e115fd1..2f3486d8c0 100644 --- a/lib/libcrypto/man/ERR_set_mark.3 +++ b/lib/libcrypto/man/ERR_set_mark.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ERR_set_mark.3,v 1.3 2016/11/23 17:59:29 schwarze Exp $ +.\" $OpenBSD: ERR_set_mark.3,v 1.4 2018/03/23 00:09:11 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Richard Levitte . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 23 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt ERR_SET_MARK 3 .Os .Sh NAME @@ -82,4 +82,5 @@ the stack became empty, otherwise 1. .Fn ERR_set_mark and .Fn ERR_pop_to_mark -were added in OpenSSL 0.9.8. +first appeared in OpenSSL 0.9.8 and have been available since +.Ox 4.5 . diff --git a/lib/libcrypto/man/ESS_SIGNING_CERT_new.3 b/lib/libcrypto/man/ESS_SIGNING_CERT_new.3 index ae23b46c15..6b5199dce1 100644 --- a/lib/libcrypto/man/ESS_SIGNING_CERT_new.3 +++ b/lib/libcrypto/man/ESS_SIGNING_CERT_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ESS_SIGNING_CERT_new.3,v 1.3 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: ESS_SIGNING_CERT_new.3,v 1.4 2018/03/23 04:34:23 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt ESS_SIGNING_CERT_NEW 3 .Os .Sh NAME @@ -109,3 +109,7 @@ Signing Certificate Attribute Definition Version 1 according to RFC 2634, not the Signing Certificate Attribute Definition Version 2 according to RFC 5035. +.Sh HISTORY +These functions first appeared in OpenSSL 1.0.0 +and have been available since +.Ox 4.9 . diff --git a/lib/libcrypto/man/EVP_BytesToKey.3 b/lib/libcrypto/man/EVP_BytesToKey.3 index b7656481db..9aafc84f4b 100644 --- a/lib/libcrypto/man/EVP_BytesToKey.3 +++ b/lib/libcrypto/man/EVP_BytesToKey.3 
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_BytesToKey.3,v 1.5 2016/11/24 00:20:36 schwarze Exp $
+.\" $OpenBSD: EVP_BytesToKey.3,v 1.6 2018/03/20 23:56:07 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson .
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 24 2016 $
+.Dd $Mdocdate: March 20 2018 $
 .Dt EVP_BYTESTOKEY 3
 .Os
 .Sh NAME
@@ -138,3 +138,7 @@ returns the size of the derived key in bytes or 0 on error.
 .Xr EVP_EncryptInit 3 ,
 .Xr PKCS5_PBKDF2_HMAC 3 ,
 .Xr RAND_bytes 3
+.Sh HISTORY
+.Fn EVP_BytesToKey
+appeared in SSLeay 0.8.1b or earlier and has been available since
+.Ox 2.4 .
diff --git a/lib/libcrypto/man/EVP_DigestInit.3 b/lib/libcrypto/man/EVP_DigestInit.3
index c327164bc0..98a06183d3 100644
--- a/lib/libcrypto/man/EVP_DigestInit.3
+++ b/lib/libcrypto/man/EVP_DigestInit.3
@@ -1,8 +1,9 @@
-.\" $OpenBSD: EVP_DigestInit.3,v 1.6 2017/03/25 17:54:04 schwarze Exp $
-.\" OpenSSL d2a56999 Sep 24 13:37:16 2016 +0200
-.\" OpenSSL 7f572e95 Dec 2 13:57:04 2015 +0000
+.\" $OpenBSD: EVP_DigestInit.3,v 1.14 2018/03/23 23:18:17 schwarze Exp $
+.\" full merge up to: OpenSSL 7f572e95 Dec 2 13:57:04 2015 +0000
+.\" selective merge up to: OpenSSL a95d7574 Jul 2 12:16:38 2017 -0400
 .\"
-.\" This file was written by Dr. Stephen Henson .
+.\" This file was written by Dr. Stephen Henson
+.\" and Richard Levitte .
 .\" Copyright (c) 2000-2004, 2009, 2012-2016 The OpenSSL Project.
 .\" All rights reserved.
 .\"
@@ -50,18 +51,21 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 25 2017 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt EVP_DIGESTINIT 3
 .Os
 .Sh NAME
+.Nm EVP_MD_CTX_new ,
+.Nm EVP_MD_CTX_reset ,
+.Nm EVP_MD_CTX_free ,
 .Nm EVP_MD_CTX_init ,
 .Nm EVP_MD_CTX_create ,
+.Nm EVP_MD_CTX_cleanup ,
+.Nm EVP_MD_CTX_destroy ,
 .Nm EVP_MD_CTX_ctrl ,
 .Nm EVP_DigestInit_ex ,
 .Nm EVP_DigestUpdate ,
 .Nm EVP_DigestFinal_ex ,
-.Nm EVP_MD_CTX_cleanup ,
-.Nm EVP_MD_CTX_destroy ,
 .Nm EVP_MD_CTX_copy_ex ,
 .Nm EVP_DigestInit ,
 .Nm EVP_DigestFinal ,
@@ -76,7 +80,6 @@
 .Nm EVP_MD_CTX_block_size ,
 .Nm EVP_MD_CTX_type ,
 .Nm EVP_md_null ,
-.Nm EVP_md2 ,
 .Nm EVP_md5 ,
 .Nm EVP_md5_sha1 ,
 .Nm EVP_sha1 ,
@@ -93,13 +96,31 @@
 .Nd EVP digest routines
 .Sh SYNOPSIS
 .In openssl/evp.h
+.Ft EVP_MD_CTX *
+.Fn EVP_MD_CTX_new void
+.Ft int
+.Fo EVP_MD_CTX_reset
+.Fa "EVP_MD_CTX *ctx"
+.Fc
+.Ft void
+.Fo EVP_MD_CTX_free
+.Fa "EVP_MD_CTX *ctx"
+.Fc
 .Ft void
 .Fo EVP_MD_CTX_init
 .Fa "EVP_MD_CTX *ctx"
 .Fc
 .Ft EVP_MD_CTX *
 .Fn EVP_MD_CTX_create void
+.Ft int
+.Fo EVP_MD_CTX_cleanup
+.Fa "EVP_MD_CTX *ctx"
+.Fc
 .Ft void
+.Fo EVP_MD_CTX_destroy
+.Fa "EVP_MD_CTX *ctx"
+.Fc
+.Ft int
 .Fo EVP_MD_CTX_ctrl
 .Fa "EVP_MD_CTX *ctx"
 .Fa "int cmd"
@@ -125,14 +146,6 @@
 .Fa "unsigned int *s"
 .Fc
 .Ft int
-.Fo EVP_MD_CTX_cleanup
-.Fa "EVP_MD_CTX *ctx"
-.Fc
-.Ft void
-.Fo EVP_MD_CTX_destroy
-.Fa "EVP_MD_CTX *ctx"
-.Fc
-.Ft int
 .Fo EVP_MD_CTX_copy_ex
 .Fa "EVP_MD_CTX *out"
 .Fa "const EVP_MD_CTX *in"
@@ -189,8 +202,6 @@
 .Ft const EVP_MD *
 .Fn EVP_md_null void
 .Ft const EVP_MD *
-.Fn EVP_md2 void
-.Ft const EVP_MD *
 .Fn EVP_md5 void
 .Ft const EVP_MD *
 .Fn EVP_md5_sha1 void
@@ -223,29 +234,57 @@ .Fa "const ASN1_OBJECT *o" .Fc .Sh DESCRIPTION -The EVP digest routines are a high level interface to message digests. +The EVP digest routines are a high level interface to message digests +and should be used instead of the cipher-specific functions. +.Pp +.Fn EVP_MD_CTX_new +allocates a new, empty digest context. +.Pp +.Fn EVP_MD_CTX_reset +cleans up +.Fa ctx +and resets it to the state it had after +.Fn EVP_MD_CTX_new , +such that it can be reused. +It is also suitable for digest contexts on the stack that were +used and are no longer needed. +.Pp +.Fn EVP_MD_CTX_free +cleans up +.Fa ctx +and frees the space allocated to it. .Pp .Fn EVP_MD_CTX_init -initializes the digest context -.Fa ctx . +is a deprecated function to clear a digest context on the stack +before use. +Do not use it on a digest context returned from +.Fn EVP_MD_CTX_new +or one one that was already used. .Pp -.Fn EVP_MD_CTX_create -allocates, initializes, and returns a digest context. +.Fn EVP_MD_CTX_create , +.Fn EVP_MD_CTX_cleanup , +and +.Fn EVP_MD_CTX_destroy +are deprecated aliases for +.Fn EVP_MD_CTX_new , +.Fn EVP_MD_CTX_reset , +and +.Fn EVP_MD_CTX_free , +respectively. .Pp .Fn EVP_MD_CTX_ctrl performs digest-specific control actions on the context .Fa ctx . .Pp .Fn EVP_DigestInit_ex -sets up digest context +sets up the digest context .Fa ctx to use a digest .Fa type from .Vt ENGINE .Fa impl . -.Fa ctx -must be initialized before calling this function. +The .Fa type will typically be supplied by a function such as .Fn EVP_sha1 . @@ -256,6 +295,11 @@ is then the default implementation of digest .Fa type is used. +If +.Fa ctx +points to an unused object on the stack, it must be initialized with +.Fn EVP_MD_CTX_init +before calling this function. .Pp .Fn EVP_DigestUpdate hashes 
@@ -291,18 +335,6 @@ can be made, but .Fn EVP_DigestInit_ex can be called to initialize a new digest operation. .Pp -.Fn EVP_MD_CTX_cleanup -cleans up the digest context -.Fa ctx . -It should be called after a digest context is no longer needed. -.Pp -.Fn EVP_MD_CTX_destroy -cleans up the digest context -.Fa ctx -and frees up the space allocated to it. -It should be called only on a context created using -.Fn EVP_MD_CTX_create . -.Pp .Fn EVP_MD_CTX_copy_ex can be used to copy the message digest state from .Fa in @@ -310,30 +342,36 @@ to .Fa out . This is useful if large amounts of data are to be hashed which only differ in the last few bytes. +If .Fa out -must be initialized before calling this function. +points to an unused object on the stack, it must be initialized with +.Fn EVP_MD_CTX_init +before calling this function. .Pp .Fn EVP_DigestInit -behaves in the same way as +is a deprecated function behaving like .Fn EVP_DigestInit_ex -except the passed context -.Fa ctx -does not have to be initialized, and it always uses the default digest -implementation. +except that it always uses the default digest implementation +and that it requires +.Fn EVP_MD_CTX_reset +before it can be used on a context that was already used. .Pp .Fn EVP_DigestFinal -is similar to +is a deprecated function behaving like .Fn EVP_DigestFinal_ex -except the digest context +except that the digest context .Fa ctx -is automatically cleaned up. +is automatically cleaned up after use by calling +.Fn EVP_MD_CTX_reset +internally. .Pp .Fn EVP_MD_CTX_copy -is similar to +is a deprecated function behaving like .Fn EVP_MD_CTX_copy_ex -except the destination -.Fa out -does not have to be initialized. +except that it requires +.Fn EVP_MD_CTX_reset +before a context that was already used can be passed as +.Fa out . .Pp .Fn EVP_MD_size and 
@@ -366,12 +404,6 @@ returns .Dv NID_sha1 . This function is normally used when setting ASN.1 OIDs. .Pp -.Fn EVP_MD_CTX_md -returns the -.Vt EVP_MD -structure corresponding to the passed -.Vt EVP_MD_CTX . -.Pp .Fn EVP_MD_pkey_type returns the NID of the public key signing algorithm associated with this digest. @@ -382,7 +414,6 @@ is associated with RSA so this will return Since digests and signature algorithms are no longer linked this function is only retained for compatibility reasons. .Pp -.Fn EVP_md2 , .Fn EVP_md5 , .Fn EVP_sha1 , .Fn EVP_sha224 , @@ -393,7 +424,7 @@ and .Fn EVP_ripemd160 return .Vt EVP_MD -structures for the MD2, MD5, SHA1, SHA224, SHA256, SHA384, SHA512 and +structures for the MD5, SHA1, SHA224, SHA256, SHA384, SHA512 and RIPEMD160 digest algorithms respectively. .Pp .Fn EVP_md5_sha1 
@@ -465,40 +496,37 @@ because they can efficiently reuse a digest context instead of initializing and cleaning it up on each call and allow non-default implementations of digests to be specified. .Pp -In OpenSSL 0.9.7 and later if digest contexts are not cleaned up after -use memory leaks will occur. -.Pp -Stack allocation of +If digest contexts are not cleaned up after use, memory leaks will occur. +.Sh RETURN VALUES +.Fn EVP_MD_CTX_new +and +.Fn EVP_MD_CTX_create +return the new .Vt EVP_MD_CTX -structures is common, for example: -.Bd -literal -offset indent -EVP_MD_CTX mctx; -EVP_MD_CTX_init(&mctx); -.Ed +object or +.Dv NULL +for failure. +.Pp +.Fn EVP_MD_CTX_reset +and +.Fn EVP_MD_CTX_cleanup +always return 1. .Pp -This will cause binary compatibility issues if the size of -.Vt EVP_MD_CTX -structure changes (this will only happen with a major release of OpenSSL). -Applications wishing to avoid this should use -.Fn EVP_MD_CTX_create -instead: -.Bd -literal -offset indent -EVP_MD_CTX *mctx; -mctx = EVP_MD_CTX_create(); -.Ed -.Sh RETURN VALUES .Fn EVP_MD_CTX_ctrl , .Fn EVP_DigestInit_ex , .Fn EVP_DigestUpdate , .Fn EVP_DigestFinal_ex , +.Fn EVP_MD_CTX_copy_ex , +.Fn EVP_DigestInit , +.Fn EVP_DigestFinal , and -.Fn EVP_MD_CTX_copy_ex +.Fn EVP_MD_CTX_copy return 1 for success or 0 for failure. .Pp .Fn EVP_MD_type , .Fn EVP_MD_pkey_type , and -.Fn EVP_MD_type +.Fn EVP_MD_CTX_type return the NID of the corresponding OBJECT IDENTIFIER or .Dv NID_undef if none exists. @@ -510,8 +538,19 @@ and .Fn EVP_MD_CTX_block_size return the digest or block size in bytes. .Pp +.Fn EVP_MD_CTX_md +returns the +.Vt EVP_MD +object used by +.Fa ctx , +or +.Dv NULL +if +.Fa ctx +is +.Dv NULL . +.Pp .Fn EVP_md_null , -.Fn EVP_md2 , .Fn EVP_md5 , .Fn EVP_md5_sha1 , .Fn EVP_sha1 , 
@@ -562,17 +601,19 @@ main(int argc, char *argv[]) exit(1); } - mdctx = EVP_MD_CTX_create(); + mdctx = EVP_MD_CTX_new(); EVP_DigestInit_ex(mdctx, md, NULL); EVP_DigestUpdate(mdctx, mess1, strlen(mess1)); EVP_DigestUpdate(mdctx, mess2, strlen(mess2)); EVP_DigestFinal_ex(mdctx, md_value, &md_len); - EVP_MD_CTX_destroy(mdctx); + EVP_MD_CTX_free(mdctx); printf("Digest is: "); for(i = 0; i < md_len; i++) printf("%02x", md_value[i]); printf("\en"); + + return 0; } .Ed .Sh SEE ALSO 
@@ -580,31 +621,72 @@ main(int argc, char *argv[])
 .Sh HISTORY
 .Fn EVP_DigestInit ,
 .Fn EVP_DigestUpdate ,
+.Fn EVP_DigestFinal ,
+.Dv EVP_MAX_MD_SIZE ,
+.Fn EVP_MD_type ,
+.Fn EVP_MD_pkey_type ,
+.Fn EVP_MD_size ,
+.Fn EVP_MD_CTX_size ,
+.Fn EVP_MD_CTX_type ,
+.Fn EVP_md_null ,
+.Fn EVP_md5 ,
+.Fn EVP_sha1 ,
+.Fn EVP_dss ,
+.Fn EVP_dss1 ,
+.Fn EVP_get_digestbyname ,
+.Fn EVP_get_digestbynid ,
 and
-.Fn EVP_DigestFinal
-are available in all versions of SSLeay and OpenSSL.
+.Fn EVP_get_digestbyobj
+appeared in SSLeay 0.8.1b or earlier.
+.Fn EVP_MD_block_size ,
+.Fn EVP_MD_CTX_size ,
+.Fn EVP_MD_CTX_block_size ,
+.Fn EVP_rc4_40 ,
+.Fn EVP_rc2_40_cbc ,
+and
+.Fn EVP_ripemd160
+first appeared in SSLeay 0.9.0.
+All these functions have been available since
+.Ox 2.4 .
+.Pp
+.Fn EVP_MD_CTX_copy
+first appeared in OpenSSL 0.9.2b and has been available since
+.Ox 2.6 .
+.Pp
+.Fn EVP_MD_CTX_md
+first appeared in OpenSSL 0.9.5 and has been available since
+.Ox 2.7 .
 .Pp
 .Fn EVP_MD_CTX_init ,
 .Fn EVP_MD_CTX_create ,
-.Fn EVP_MD_CTX_copy_ex ,
 .Fn EVP_MD_CTX_cleanup ,
 .Fn EVP_MD_CTX_destroy ,
 .Fn EVP_DigestInit_ex ,
+.Fn EVP_DigestFinal_ex ,
 and
-.Fn EVP_DigestFinal_ex
-were added in OpenSSL 0.9.7.
+.Fn EVP_MD_CTX_copy_ex
+first appeared in OpenSSL 0.9.7 and have been available since
+.Ox 3.2 .
 .Pp
-.Fn EVP_md_null ,
-.Fn EVP_md2 ,
-.Fn EVP_md5 ,
-.Fn EVP_sha1 ,
-.Fn EVP_dss ,
-.Fn EVP_dss1 ,
+.Fn EVP_sha224 ,
+.Fn EVP_sha256 ,
+.Fn EVP_sha384 ,
 and
-.Fn EVP_ripemd160
-were changed to return truly const
-.Vt EVP_MD
-pointers in OpenSSL 0.9.7.
+.Fn EVP_sha512
+first appeared in OpenSSL 0.8.7h and have been available since
+.Ox 4.0 .
+.Pp
+.Fn EVP_MD_CTX_ctrl
+first appeared in OpenSSL 1.1.0 and has been available since
+.Ox 5.7 .
+.Pp
+.Fn EVP_MD_CTX_new ,
+.Fn EVP_MD_CTX_reset ,
+.Fn EVP_MD_CTX_free ,
+and
+.Fn EVP_md5_sha1
+first appeared in OpenSSL 1.1.0 and have been available since
+.Ox 6.3 .
.Pp The link between digests and signing algorithms was fixed in OpenSSL 1.0 and later, so now @@ -612,6 +694,3 @@ and later, so now can be used with RSA and DSA; there is no need to use .Fn EVP_dss1 any more. -.Pp -OpenSSL 1.0 and later does not include the MD2 digest algorithm in the -default configuration due to its security weaknesses. diff --git a/lib/libcrypto/man/EVP_DigestSignInit.3 b/lib/libcrypto/man/EVP_DigestSignInit.3 index 26a56cad2b..bd750bf5a7 100644 --- a/lib/libcrypto/man/EVP_DigestSignInit.3 +++ b/lib/libcrypto/man/EVP_DigestSignInit.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_DigestSignInit.3,v 1.3 2016/11/26 17:38:55 schwarze Exp $ +.\" $OpenBSD: EVP_DigestSignInit.3,v 1.5 2018/03/23 04:34:23 schwarze Exp $ .\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 26 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt EVP_DIGESTSIGNINIT 3 .Os .Sh NAME @@ -194,10 +194,12 @@ The error codes can be obtained from .Xr ERR 3 , .Xr evp 3 , .Xr EVP_DigestInit 3 , -.Xr EVP_DigestVerifyInit 3 +.Xr EVP_DigestVerifyInit 3 , +.Xr EVP_PKEY_meth_set_signctx 3 .Sh HISTORY .Fn EVP_DigestSignInit , .Fn EVP_DigestSignUpdate , and .Fn EVP_DigestSignFinal -were first added to OpenSSL 1.0.0. +first appeared in OpenSSL 1.0.0 and have been available since +.Ox 4.9 . diff --git a/lib/libcrypto/man/EVP_DigestVerifyInit.3 b/lib/libcrypto/man/EVP_DigestVerifyInit.3 index e92b21fd4e..91a8ca8f33 100644 --- a/lib/libcrypto/man/EVP_DigestVerifyInit.3 +++ b/lib/libcrypto/man/EVP_DigestVerifyInit.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_DigestVerifyInit.3,v 1.3 2016/11/26 17:40:58 schwarze Exp $ +.\" $OpenBSD: EVP_DigestVerifyInit.3,v 1.5 2018/03/23 04:34:23 schwarze Exp $ .\" OpenSSL fb552ac6 Sep 30 23:43:01 2009 +0000 .\" .\" This file was written by Dr. Stephen Henson . 
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 26 2016 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt EVP_DIGESTVERIFYINIT 3
 .Os
 .Sh NAME
@@ -175,10 +175,12 @@ The error codes can be obtained from
 .Xr ERR 3 ,
 .Xr evp 3 ,
 .Xr EVP_DigestInit 3 ,
-.Xr EVP_DigestSignInit 3
+.Xr EVP_DigestSignInit 3 ,
+.Xr EVP_PKEY_meth_set_verifyctx 3
 .Sh HISTORY
 .Fn EVP_DigestVerifyInit ,
 .Fn EVP_DigestVerifyUpdate ,
 and
 .Fn EVP_DigestVerifyFinal
-were first added to OpenSSL 1.0.0.
+first appeared in OpenSSL 1.0.0 and have been available since
+.Ox 4.9 .
diff --git a/lib/libcrypto/man/EVP_EncodeInit.3 b/lib/libcrypto/man/EVP_EncodeInit.3
index 66bdcc1c1f..8ab5485adb 100644
--- a/lib/libcrypto/man/EVP_EncodeInit.3
+++ b/lib/libcrypto/man/EVP_EncodeInit.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_EncodeInit.3,v 1.2 2016/11/26 19:16:58 jmc Exp $
+.\" $OpenBSD: EVP_EncodeInit.3,v 1.3 2018/03/20 23:56:07 schwarze Exp $
 .\" OpenSSL f430ba31 Jun 19 19:39:01 2016 +0200
 .\"
 .\" This file was written by Matt Caswell .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 26 2016 $
+.Dd $Mdocdate: March 20 2018 $
 .Dt EVP_ENCODEINIT 3
 .Os
 .Sh NAME
@@ -293,3 +293,7 @@ returns -1 on error or 1 on success.
 returns the length of the data decoded or -1 on error.
 .Sh SEE ALSO
 .Xr evp 3
+.Sh HISTORY
+These functions appeared in SSLeay 0.8.1b or earlier
+and have been available since
+.Ox 2.4 .
diff --git a/lib/libcrypto/man/EVP_EncryptInit.3 b/lib/libcrypto/man/EVP_EncryptInit.3
index 478e80839e..775b9c4214 100644
--- a/lib/libcrypto/man/EVP_EncryptInit.3
+++ b/lib/libcrypto/man/EVP_EncryptInit.3
@@ -1,8 +1,9 @@
-.\" $OpenBSD: EVP_EncryptInit.3,v 1.6 2017/08/20 18:41:39 schwarze Exp $
-.\" OpenSSL EVP_EncryptInit.pod 519a5d1e Jun 27 17:38:25 2017 -0700
-.\" OpenSSL EVP_EncryptInit.pod 5211e094 Nov 11 14:39:11 2014 -0800
+.\" $OpenBSD: EVP_EncryptInit.3,v 1.19 2018/03/23 23:18:17 schwarze Exp $
+.\" full merge up to: OpenSSL 5211e094 Nov 11 14:39:11 2014 -0800
+.\" selective merge up to: OpenSSL 5c5eb286 Dec 5 00:36:43 2017 +0100
 .\"
-.\" This file was written by Dr. Stephen Henson .
+.\" This file was written by Dr. Stephen Henson
+.\" and Richard Levitte .
 .\" Copyright (c) 2000-2002, 2005, 2012-2016 The OpenSSL Project.
 .\" All rights reserved.
 .\"
@@ -50,11 +51,13 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 20 2017 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt EVP_ENCRYPTINIT 3
 .Os
 .Sh NAME
 .Nm EVP_CIPHER_CTX_new ,
+.Nm EVP_CIPHER_CTX_reset ,
+.Nm EVP_CIPHER_CTX_cleanup ,
 .Nm EVP_CIPHER_CTX_init ,
 .Nm EVP_CIPHER_CTX_free ,
 .Nm EVP_EncryptInit_ex ,
@@ -75,7 +78,7 @@
 .Nm EVP_CIPHER_CTX_set_padding ,
 .Nm EVP_CIPHER_CTX_set_key_length ,
 .Nm EVP_CIPHER_CTX_ctrl ,
-.Nm EVP_CIPHER_CTX_cleanup ,
+.Nm EVP_CIPHER_CTX_rand_key ,
 .Nm EVP_get_cipherbyname ,
 .Nm EVP_get_cipherbynid ,
 .Nm EVP_get_cipherbyobj ,
@@ -153,16 +156,20 @@
 .Nm EVP_aes_256_ccm ,
 .Nm EVP_aes_128_cbc_hmac_sha1 ,
 .Nm EVP_aes_256_cbc_hmac_sha1 ,
-.Nm EVP_rc5_32_12_16_cbc ,
-.Nm EVP_rc5_32_12_16_cfb ,
-.Nm EVP_rc5_32_12_16_ecb ,
-.Nm EVP_rc5_32_12_16_ofb ,
 .Nm EVP_chacha20
 .Nd EVP cipher routines
 .Sh SYNOPSIS
 .In openssl/evp.h
 .Ft EVP_CIPHER_CTX *
 .Fn EVP_CIPHER_CTX_new void
+.Ft int
+.Fo EVP_CIPHER_CTX_reset
+.Fa "EVP_CIPHER_CTX *ctx"
+.Fc
+.Ft int
+.Fo EVP_CIPHER_CTX_cleanup
+.Fa "EVP_CIPHER_CTX *ctx"
+.Fc
 .Ft void
 .Fo EVP_CIPHER_CTX_init
 .Fa "EVP_CIPHER_CTX *ctx"
@@ -184,7 +191,7 @@ .Fa "EVP_CIPHER_CTX *ctx" .Fa "unsigned char *out" .Fa "int *outl" -.Fa "unsigned char *in" +.Fa "const unsigned char *in" .Fa "int inl" .Fc .Ft int @@ -206,7 +213,7 @@ .Fa "EVP_CIPHER_CTX *ctx" .Fa "unsigned char *out" .Fa "int *outl" -.Fa "unsigned char *in" +.Fa "const unsigned char *in" .Fa "int inl" .Fc .Ft int @@ -296,8 +303,9 @@ .Fa "void *ptr" .Fc .Ft int -.Fo EVP_CIPHER_CTX_cleanup +.Fo EVP_CIPHER_CTX_rand_key .Fa "EVP_CIPHER_CTX *ctx" +.Fa "unsigned char *key" .Fc .Ft const EVP_CIPHER * .Fo EVP_get_cipherbyname @@ -395,15 +403,35 @@ The EVP cipher routines are a high level interface to certain symmetric ciphers. .Pp .Fn EVP_CIPHER_CTX_new -creates a cipher context. +creates a new, empty cipher context. +.Pp +.Fn EVP_CIPHER_CTX_reset +clears all information from +.Fa ctx +and frees all allocated memory associated with it, except the +.Fa ctx +object itself, such that it can be reused for another series of calls to +.Fn EVP_CipherInit , +.Fn EVP_CipherUpdate , +and +.Fn EVP_CipherFinal . +It is also suitable for cipher contexts on the stack that were used +and are no longer needed. +.Fn EVP_CIPHER_CTX_cleanup +is a deprecated alias for +.Fn EVP_CIPHER_CTX_reset . .Pp .Fn EVP_CIPHER_CTX_init -initializes the cipher context -.Fa ctx . +is a deprecated function to clear a cipher context on the stack +before use. +Do not use it on a cipher context returned from +.Fn EVP_CIPHER_CTX_new +or one one that was already used. .Pp .Fn EVP_CIPHER_CTX_free -clears all information from a cipher context and frees up any -allocated memory associate with it, including +clears all information from +.Fa ctx +and frees all allocated memory associated with it, including .Fa ctx itself. This function should be called after all operations using a cipher 
@@ -422,8 +450,11 @@ for encryption with cipher from .Vt ENGINE .Fa impl . +If .Fa ctx -must be initialized before calling this function. +points to an unused object on the stack, it must be initialized with +.Fn EVP_MD_CTX_init +before calling this function. .Fa type is normally supplied by a function such as .Fn EVP_aes_256_cbc . @@ -518,25 +549,19 @@ the value unchanged (the actual value of .Fa enc being supplied in a previous call). .Pp -.Fn EVP_CIPHER_CTX_cleanup -clears all information from a cipher context and free up any allocated -memory associated with it. -It should be called after all operations using a cipher are complete so -sensitive information does not remain in memory. -.Pp .Fn EVP_EncryptInit , .Fn EVP_DecryptInit , and .Fn EVP_CipherInit -behave in a similar way to +are deprecated functions behaving like .Fn EVP_EncryptInit_ex , .Fn EVP_DecryptInit_ex , and .Fn EVP_CipherInit_ex -except the -.Fa ctx -parameter does not need to be initialized and they always use the -default cipher implementation. +except that they always use the default cipher implementation +and that they require +.Fn EVP_CIPHER_CTX_reset +before they can be used on a context that was already used. .Pp .Fn EVP_EncryptFinal , .Fn EVP_DecryptFinal , @@ -550,7 +575,9 @@ and In previous releases of OpenSSL, they also used to clean up the .Fa ctx , but this is no longer done and -.Fn EVP_CIPHER_CTX_cleanup +.Fn EVP_CIPHER_CTX_reset +or +.Fn EVP_CIPHER_CTX_free must be called to free any context resources. .Pp .Fn EVP_get_cipherbyname , @@ -661,8 +688,10 @@ return the block cipher mode: .Dv EVP_CIPH_ECB_MODE , .Dv EVP_CIPH_CBC_MODE , .Dv EVP_CIPH_CFB_MODE , +.Dv EVP_CIPH_OFB_MODE , +.Dv EVP_CIPH_CTR_MODE , or -.Dv EVP_CIPH_OFB_MODE . +.Dv EVP_CIPH_XTS_MODE . If the cipher is a stream cipher then .Dv EVP_CIPH_STREAM_CIPHER is returned. 
@@ -704,8 +733,19 @@ the RC2 effective key length is not supported). .Pp .Fn EVP_CIPHER_CTX_ctrl allows various cipher specific parameters to be determined and set. -Currently only the RC2 effective key length and the number of rounds of -RC5 can be set. +Currently only the RC2 effective key length can be set. +.Pp +.Fn EVP_CIPHER_CTX_rand_key +generates a random key of the appropriate length based on the cipher +context. +The +.Vt EVP_CIPHER +can provide its own random key generation routine to support keys +of a specific form. +The +.Fa key +argument must point to a buffer at least as big as the value returned by +.Fn EVP_CIPHER_CTX_key_length . .Pp Where possible the EVP interface to symmetric ciphers should be used in preference to the low level interfaces. @@ -762,28 +802,30 @@ for success or .Dv NULL for failure. .Pp +.Fn EVP_CIPHER_CTX_reset , +.Fn EVP_CIPHER_CTX_cleanup , .Fn EVP_EncryptInit_ex , .Fn EVP_EncryptUpdate , +.Fn EVP_EncryptFinal_ex , +.Fn EVP_DecryptInit_ex , +.Fn EVP_DecryptUpdate , +.Fn EVP_DecryptFinal_ex , +.Fn EVP_CipherInit_ex , +.Fn EVP_CipherUpdate , +.Fn EVP_CipherFinal_ex , +.Fn EVP_EncryptInit , +.Fn EVP_EncryptFinal , +.Fn EVP_DecryptInit , +.Fn EVP_DecryptFinal , +.Fn EVP_CipherInit , +.Fn EVP_CipherFinal , +.Fn EVP_CIPHER_CTX_set_key_length , and -.Fn EVP_EncryptFinal_ex -return 1 for success and 0 for failure. -.Pp -.Fn EVP_DecryptInit_ex -and -.Fn EVP_DecryptUpdate -return 1 for success and 0 for failure. -.Fn EVP_DecryptFinal_ex -returns 0 if the decrypt failed or 1 for success. -.Pp -.Fn EVP_CipherInit_ex -and -.Fn EVP_CipherUpdate -return 1 for success and 0 for failure. -.Fn EVP_CipherFinal_ex -returns 0 for a decryption failure or 1 for success. +.Fn EVP_CIPHER_CTX_rand_key +return 1 for success or 0 for failure. .Pp -.Fn EVP_CIPHER_CTX_cleanup -returns 1 for success and 0 for failure. +.Fn EVP_CIPHER_CTX_set_padding +always returns 1. .Pp .Fn EVP_get_cipherbyname , .Fn EVP_get_cipherbynid , 
@@ -810,9 +852,6 @@ and .Fn EVP_CIPHER_CTX_key_length return the key length. .Pp -.Fn EVP_CIPHER_CTX_set_padding -always returns 1. -.Pp .Fn EVP_CIPHER_iv_length and .Fn EVP_CIPHER_CTX_iv_length @@ -941,16 +980,6 @@ This is a variable key length cipher. CAST encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key length cipher. .It Xo -.Fn EVP_rc5_32_12_16_cbc , -.Fn EVP_rc5_32_12_16_ecb , -.Fn EVP_rc5_32_12_16_cfb , -.Fn EVP_rc5_32_12_16_ofb -.Xc -RC5 encryption algorithm in CBC, ECB, CFB and OFB modes respectively. -This is a variable key length cipher with an additional "number of -rounds" parameter. -By default the key length is set to 128 bits and 12 rounds. -.It Xo .Fn EVP_aes_128_gcm , .Fn EVP_aes_192_gcm , .Fn EVP_aes_256_gcm @@ -1080,10 +1109,11 @@ do_crypt(char *outfile) const char intext[] = "Some Crypto Text"; EVP_CIPHER_CTX *ctx; FILE *out; - EVP_CIPHER_CTX_init(&ctx); - EVP_EncryptInit_ex(&ctx, EVP_bf_cbc(), NULL, key, iv); - if (!EVP_EncryptUpdate(&ctx, outbuf, &outlen, intext, + ctx = EVP_CIPHER_CTX_new(); + EVP_EncryptInit_ex(ctx, EVP_bf_cbc(), NULL, key, iv); + + if (!EVP_EncryptUpdate(ctx, outbuf, &outlen, intext, strlen(intext))) { /* Error */ EVP_CIPHER_CTX_free(ctx); @@ -1093,13 +1123,13 @@ do_crypt(char *outfile) * Buffer passed to EVP_EncryptFinal() must be after data just * encrypted to avoid overwriting it. */ - if (!EVP_EncryptFinal_ex(&ctx, outbuf + outlen, &tmplen)) { + if (!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen)) { /* Error */ EVP_CIPHER_CTX_free(ctx); return 0; } outlen += tmplen; - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); /* * Need binary mode for fopen because encrypted data is * binary data. Also cannot use strlen() on it because 
@@ -1125,56 +1155,133 @@ openssl bf -in cipher.bin -K 000102030405060708090A0B0C0D0E0F \e -iv 0102030405060708 -d .Ed .Pp -General encryption, decryption function example using FILE I/O and RC2 -with an 80-bit key: +General encryption, decryption function example using FILE I/O and AES128 +with an 128-bit key: .Bd -literal int do_crypt(FILE *in, FILE *out, int do_encrypt) { /* Allow enough space in output buffer for additional block */ - inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH]; + unsigned char inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH]; int inlen, outlen; + EVP_CIPHER_CTX *ctx; + /* * Bogus key and IV: we'd normally set these from * another source. */ - unsigned char key[] = "0123456789"; - unsigned char iv[] = "12345678"; + unsigned char key[] = "0123456789abcdeF"; + unsigned char iv[] = "1234567887654321"; - /* Don't set key or IV because we will modify the parameters */ - EVP_CIPHER_CTX_init(&ctx); - EVP_CipherInit_ex(&ctx, EVP_rc2(), NULL, NULL, NULL, do_encrypt); - EVP_CIPHER_CTX_set_key_length(&ctx, 10); - /* We finished modifying parameters so now we can set key and IV */ - EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, do_encrypt); + ctx = EVP_CIPHER_CTX_new(); + EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, NULL, NULL, + do_encrypt); + EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, do_encrypt); - for(;;) { + for (;;) { inlen = fread(inbuf, 1, 1024, in); if (inlen <= 0) break; - if (!EVP_CipherUpdate(&ctx, outbuf, &outlen, inbuf, + if (!EVP_CipherUpdate(ctx, outbuf, &outlen, inbuf, inlen)) { /* Error */ - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); return 0; } fwrite(outbuf, 1, outlen, out); } - if (!EVP_CipherFinal_ex(&ctx, outbuf, &outlen)) { + if (!EVP_CipherFinal_ex(ctx, outbuf, &outlen)) { /* Error */ - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); return 0; } fwrite(outbuf, 1, outlen, out); - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); return 1; } .Ed .Sh SEE ALSO .Xr evp 3 .Sh HISTORY +.Fn 
EVP_CIPHER_CTX_cleanup , +.Fn EVP_EncryptInit , +.Fn EVP_EncryptUpdate , +.Fn EVP_EncryptFinal , +.Fn EVP_DecryptInit , +.Fn EVP_DecryptUpdate , +.Fn EVP_DecryptFinal , +.Fn EVP_CipherInit , +.Fn EVP_CipherUpdate , +.Fn EVP_CipherFinal , +.Fn EVP_get_cipherbyname , +.Fn EVP_get_cipherbynid , +.Fn EVP_get_cipherbyobj , +.Fn EVP_CIPHER_nid , +.Fn EVP_CIPHER_block_size , +.Fn EVP_CIPHER_key_length , +.Fn EVP_CIPHER_iv_length , +.Fn EVP_CIPHER_CTX_cipher , +.Fn EVP_CIPHER_CTX_nid , +.Fn EVP_CIPHER_CTX_block_size , +.Fn EVP_CIPHER_CTX_key_length , +.Fn EVP_CIPHER_CTX_iv_length , +.Fn EVP_CIPHER_CTX_get_app_data , +.Fn EVP_CIPHER_CTX_set_app_data , +.Fn EVP_enc_null , +.Fn EVP_des_cbc , +.Fn EVP_des_ecb , +.Fn EVP_des_cfb , +.Fn EVP_des_ofb , +.Fn EVP_des_ede_cbc , +.Fn EVP_des_ede , +.Fn EVP_des_ede_ofb , +.Fn EVP_des_ede_cfb , +.Fn EVP_des_ede3_cbc , +.Fn EVP_des_ede3 , +.Fn EVP_des_ede3_ofb , +.Fn EVP_des_ede3_cfb , +.Fn EVP_desx_cbc , +.Fn EVP_rc4 , +.Fn EVP_idea_cbc , +.Fn EVP_idea_ecb , +.Fn EVP_idea_cfb , +.Fn EVP_idea_ofb , +.Fn EVP_rc2_cbc , +.Fn EVP_rc2_ecb , +.Fn EVP_rc2_cfb , +.Fn EVP_rc2_ofb , +.Fn EVP_bf_cbc , +.Fn EVP_bf_ecb , +.Fn EVP_bf_cfb , +and +.Fn EVP_bf_ofb +appeared in SSLeay 0.8.1b or earlier. .Fn EVP_CIPHER_CTX_init , +.Fn EVP_CIPHER_param_to_asn1 , +and +.Fn EVP_CIPHER_asn1_to_param +first appeared in SSLeay 0.9.0. +All these functions have been available since +.Ox 2.4 . +.Pp +.Fn EVP_rc2_64_cbc +first appeared in SSL_eay 0.9.1. +.Fn EVP_CIPHER_CTX_type +first appeared in OpenSSL 0.9.3. +These functions and have been available since +.Ox 2.6 . +.Pp +.Fn EVP_CIPHER_CTX_set_key_length , +.Fn EVP_CIPHER_CTX_ctrl , +.Fn EVP_CIPHER_flags , +.Fn EVP_CIPHER_mode , +.Fn EVP_CIPHER_CTX_flags , +and +.Fn EVP_CIPHER_CTX_mode +first appeared in OpenSSL 0.9.6 and have been available since +.Ox 2.9 . +.Pp .Fn EVP_EncryptInit_ex , .Fn EVP_EncryptFinal_ex , .Fn EVP_DecryptInit_ex , 
@@ -1183,12 +1290,35 @@ do_crypt(FILE *in, FILE *out, int do_encrypt) .Fn EVP_CipherFinal_ex , and .Fn EVP_CIPHER_CTX_set_padding -appeared in OpenSSL 0.9.7. -.Sh BUGS -For RC5 the number of rounds can currently only be set to 8, 12 or 16. -This is a limitation of the current RC5 code rather than the EVP -interface. +first appeared in OpenSSL 0.9.7 and have been available since +.Ox 3.2 . +.Pp +.Fn EVP_CIPHER_CTX_rand_key +first appeared in OpenSSL 0.9.8. +.Fn EVP_CIPHER_CTX_new +and +.Fn EVP_CIPHER_CTX_free +first appeared in OpenSSL 0.9.8b. +These functions have been available since +.Ox 4.5 . .Pp +.Fn EVP_rc4_hmac_md5 , +.Fn EVP_aes_128_gcm , +.Fn EVP_aes_192_gcm , +.Fn EVP_aes_256_gcm , +.Fn EVP_aes_128_ccm , +.Fn EVP_aes_192_ccm , +.Fn EVP_aes_256_ccm , +.Fn EVP_aes_128_cbc_hmac_sha1 , +and +.Fn EVP_aes_256_cbc_hmac_sha1 +first appeared in OpenSSL 1.0.1 and have been available since +.Ox 5.3 . +.Pp +.Fn EVP_CIPHER_CTX_reset +first appeared in OpenSSL 1.1.0 and has been available since +.Ox 6.3 . +.Sh BUGS .Dv EVP_MAX_KEY_LENGTH and .Dv EVP_MAX_IV_LENGTH diff --git a/lib/libcrypto/man/EVP_OpenInit.3 b/lib/libcrypto/man/EVP_OpenInit.3 index f442bd5c47..99dc7f28da 100644 --- a/lib/libcrypto/man/EVP_OpenInit.3 +++ b/lib/libcrypto/man/EVP_OpenInit.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_OpenInit.3,v 1.5 2016/11/26 20:55:26 schwarze Exp $ +.\" $OpenBSD: EVP_OpenInit.3,v 1.6 2018/03/20 23:56:07 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 26 2016 $ +.Dd $Mdocdate: March 20 2018 $ .Dt EVP_OPENINIT 3 .Os .Sh NAME 
@@ -146,3 +146,10 @@ returns 0 if the decrypt failed or 1 for success. .Xr EVP_EncryptInit 3 , .Xr EVP_SealInit 3 , .Xr RAND_bytes 3 +.Sh HISTORY +.Fn EVP_OpenInit , +.Fn EVP_OpenUpdate , +and +.Fn EVP_OpenFinal +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3 b/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3 index b65ea0d5d3..8462da6d46 100644 --- a/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3 +++ b/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_PKEY_CTX_ctrl.3,v 1.8 2017/08/28 17:41:59 jsing Exp $ +.\" $OpenBSD: EVP_PKEY_CTX_ctrl.3,v 1.11 2018/03/23 23:18:17 schwarze Exp $ .\" OpenSSL EVP_PKEY_CTX_ctrl.pod 1722496f Jun 8 15:18:38 2017 -0400 .\" OpenSSL EVP_PKEY_CTX_ctrl.pod e03af178 Dec 11 17:05:57 2014 -0500 .\" @@ -50,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 28 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt EVP_PKEY_CTX_CTRL 3 .Os .Sh NAME @@ -284,8 +284,11 @@ supported by the public key algorithm. .Xr EVP_PKEY_encrypt 3 , .Xr EVP_PKEY_get_default_digest_nid 3 , .Xr EVP_PKEY_keygen 3 , +.Xr EVP_PKEY_meth_set_ctrl 3 , .Xr EVP_PKEY_sign 3 , .Xr EVP_PKEY_verify 3 , .Xr EVP_PKEY_verify_recover 3 .Sh HISTORY -These functions were first added to OpenSSL 1.0.0. +These functions first appeared in OpenSSL 1.0.0 +and have been available since +.Ox 4.9 . diff --git a/lib/libcrypto/man/EVP_PKEY_CTX_new.3 b/lib/libcrypto/man/EVP_PKEY_CTX_new.3 index 72c0e36d5e..1cb7242027 100644 --- a/lib/libcrypto/man/EVP_PKEY_CTX_new.3 +++ b/lib/libcrypto/man/EVP_PKEY_CTX_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_PKEY_CTX_new.3,v 1.5 2017/04/10 17:45:06 schwarze Exp $ +.\" $OpenBSD: EVP_PKEY_CTX_new.3,v 1.7 2018/03/23 04:34:23 schwarze Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . 
@@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 10 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt EVP_PKEY_CTX_NEW 3 .Os .Sh NAME @@ -123,10 +123,13 @@ structure or .Dv NULL if an error occurred. .Sh SEE ALSO +.Xr EVP_PKEY_meth_set_init 3 , .Xr EVP_PKEY_new 3 , .Xr X25519 3 .Sh HISTORY -These functions were first added to OpenSSL 1.0.0. +These functions first appeared in OpenSSL 1.0.0 +and have been available since +.Ox 4.9 . .Sh CAVEATS The .Vt EVP_PKEY_CTX diff --git a/lib/libcrypto/man/EVP_PKEY_asn1_get_count.3 b/lib/libcrypto/man/EVP_PKEY_asn1_get_count.3 new file mode 100644 index 0000000000..5e3901e601 --- /dev/null +++ b/lib/libcrypto/man/EVP_PKEY_asn1_get_count.3 
@@ -0,0 +1,163 @@
+.\" $OpenBSD: EVP_PKEY_asn1_get_count.3,v 1.2 2018/03/23 04:34:23 schwarze Exp $
+.\" full merge up to: OpenSSL 751148e2 Oct 27 00:11:11 2017 +0200
+.\"
+.\" This file was written by Richard Levitte .
+.\" Copyright (c) 2017 The OpenSSL Project. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in
+.\" the documentation and/or other materials provided with the
+.\" distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\" software must display the following acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\" endorse or promote products derived from this software without
+.\" prior written permission. For written permission, please contact
+.\" openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\" nor may "OpenSSL" appear in their names without prior written
+.\" permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\" acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: March 23 2018 $
+.Dt EVP_PKEY_ASN1_GET_COUNT 3
+.Os
+.Sh NAME
+.Nm EVP_PKEY_asn1_get_count ,
+.Nm EVP_PKEY_asn1_get0 ,
+.Nm EVP_PKEY_asn1_find ,
+.Nm EVP_PKEY_asn1_find_str ,
+.Nm EVP_PKEY_asn1_get0_info
+.Nd enumerate public key ASN.1 methods
+.Sh SYNOPSIS
+.In openssl/evp.h
+.Ft int
+.Fn EVP_PKEY_asn1_get_count void
+.Ft const EVP_PKEY_ASN1_METHOD *
+.Fo EVP_PKEY_asn1_get0
+.Fa "int idx"
+.Fc
+.Ft const EVP_PKEY_ASN1_METHOD *
+.Fo EVP_PKEY_asn1_find
+.Fa "ENGINE **pe"
+.Fa "int type"
+.Fc
+.Ft const EVP_PKEY_ASN1_METHOD *
+.Fo EVP_PKEY_asn1_find_str
+.Fa "ENGINE **pe"
+.Fa "const char *str"
+.Fa "int len"
+.Fc
+.Ft int
+.Fo EVP_PKEY_asn1_get0_info
+.Fa "int *ppkey_id"
+.Fa "int *pkey_base_id"
+.Fa "int *ppkey_flags"
+.Fa "const char **pinfo"
+.Fa "const char **ppem_str"
+.Fa "const EVP_PKEY_ASN1_METHOD *ameth"
+.Fc
+.Sh DESCRIPTION
+.Fn EVP_PKEY_asn1_get_count
+returns a count of the number of public key ASN.1 methods available.
+It includes standard methods and any methods added by the application.
+.Pp
+.Fn EVP_PKEY_asn1_get0
+returns the public key ASN.1 method
+.Fa idx .
+The value of
+.Fa idx
+must be in the range from zero to
+.Fn EVP_PKEY_asn1_get_count
+\- 1.
+.Pp
+.Fn EVP_PKEY_asn1_find
+looks up the method with NID
+.Fa type .
+If
+.Fa pe
+is not
+.Dv NULL ,
+it first looks for an engine implementing a method for the NID
+.Fa type .
+If one is found,
+.Pf * Fa pe
+is set to that engine and the method from that engine is returned instead.
+.Pp
+.Fn EVP_PKEY_asn1_find_str
+looks up the method with PEM type string
+.Fa str .
+Just like
+.Fn EVP_PKEY_asn1_find ,
+if
+.Fa pe
+is not
+.Dv NULL ,
+methods from engines are preferred.
+.Pp
+.Fn EVP_PKEY_asn1_get0_info
+retrieves the public key ID, the base public key ID (both NIDs), any flags,
+the method description and the PEM type string associated with the public
+key ASN.1 method
+.Sy *ameth .
+.Pp
+.Fn EVP_PKEY_asn1_get_count ,
+.Fn EVP_PKEY_asn1_get0 ,
+.Fn EVP_PKEY_asn1_find
+and
+.Fn EVP_PKEY_asn1_find_str
+are not thread safe, but as long as all
+.Vt EVP_PKEY_ASN1_METHOD
+objects are added before the application gets threaded, using them is
+safe.
+See
+.Xr EVP_PKEY_asn1_add0 3 .
+.Sh RETURN VALUES
+.Fn EVP_PKEY_asn1_get_count
+returns the number of available public key methods.
+.Pp
+.Fn EVP_PKEY_asn1_get0
+returns a public key method or
+.Dv NULL
+if
+.Fa idx
+is out of range.
+.Pp
+.Fn EVP_PKEY_asn1_get0_info
+returns 1 on success or 0 on failure.
+.Sh SEE ALSO
+.Xr EVP_PKEY_asn1_add0 3 ,
+.Xr EVP_PKEY_asn1_new 3
+.Sh HISTORY
+These functions first appeared in OpenSSL 1.0.0
+and have been available since
+.Ox 4.9 .
diff --git a/lib/libcrypto/man/EVP_PKEY_asn1_new.3 b/lib/libcrypto/man/EVP_PKEY_asn1_new.3
new file mode 100644
index 0000000000..a0839bd16a
--- /dev/null
+++ b/lib/libcrypto/man/EVP_PKEY_asn1_new.3
@@ -0,0 +1,459 @@
+.\" $OpenBSD: EVP_PKEY_asn1_new.3,v 1.2 2018/03/23 04:34:23 schwarze Exp $
+.\" selective merge up to:
+.\" OpenSSL man3/EVP_PKEY_ASN1_METHOD b0004708 Nov 1 00:45:24 2017 +0800
+.\"
+.\" This file was written by Richard Levitte
+.\" Copyright (c) 2017 The OpenSSL Project. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in
+.\" the documentation and/or other materials provided with the
+.\" distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\" software must display the following acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\" endorse or promote products derived from this software without
+.\" prior written permission. For written permission, please contact
+.\" openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\" nor may "OpenSSL" appear in their names without prior written
+.\" permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\" acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: March 23 2018 $
+.Dt EVP_PKEY_ASN1_METHOD 3
+.Os
+.Sh NAME
+.Nm EVP_PKEY_asn1_new ,
+.Nm EVP_PKEY_asn1_copy ,
+.Nm EVP_PKEY_asn1_free ,
+.Nm EVP_PKEY_asn1_add0 ,
+.Nm EVP_PKEY_asn1_add_alias ,
+.Nm EVP_PKEY_asn1_set_public ,
+.Nm EVP_PKEY_asn1_set_private ,
+.Nm EVP_PKEY_asn1_set_param ,
+.Nm EVP_PKEY_asn1_set_free ,
+.Nm EVP_PKEY_asn1_set_ctrl
+.Nd manipulating and registering an EVP_PKEY_ASN1_METHOD structure
+.Sh SYNOPSIS
+.In openssl/evp.h
+.Ft EVP_PKEY_ASN1_METHOD *
+.Fo EVP_PKEY_asn1_new
+.Fa "int id"
+.Fa "int flags"
+.Fa "const char *pem_str"
+.Fa "const char *info"
+.Fc
+.Ft void
+.Fo EVP_PKEY_asn1_copy
+.Fa "EVP_PKEY_ASN1_METHOD *dst"
+.Fa "const EVP_PKEY_ASN1_METHOD *src"
+.Fc
+.Ft void
+.Fo EVP_PKEY_asn1_free
+.Fa "EVP_PKEY_ASN1_METHOD *ameth"
+.Fc
+.Ft int
+.Fo EVP_PKEY_asn1_add0
+.Fa "const EVP_PKEY_ASN1_METHOD *ameth"
+.Fc
+.Ft int
+.Fo EVP_PKEY_asn1_add_alias
+.Fa "int to"
+.Fa "int from"
+.Fc
+.Ft void
+.Fo EVP_PKEY_asn1_set_public
+.Fa "EVP_PKEY_ASN1_METHOD *ameth"
+.Fa "int (*pub_decode)(EVP_PKEY *pk, X509_PUBKEY *pub)"
+.Fa "int (*pub_encode)(X509_PUBKEY *pub, const EVP_PKEY *pk)"
+.Fa "int (*pub_cmp)(const EVP_PKEY *a, const EVP_PKEY *b)"
+.Fa "int (*pub_print)(BIO *out, const EVP_PKEY *pkey, int indent,\
+ ASN1_PCTX *pctx)"
+.Fa "int (*pkey_size)(const EVP_PKEY *pk)"
+.Fa "int (*pkey_bits)(const EVP_PKEY *pk)"
+.Fc
+.Ft void
+.Fo EVP_PKEY_asn1_set_private
+.Fa "EVP_PKEY_ASN1_METHOD *ameth"
+.Fa "int (*priv_decode)(EVP_PKEY *pk, const PKCS8_PRIV_KEY_INFO *p8inf)"
+.Fa "int (*priv_encode)(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pk)"
+.Fa "int (*priv_print)(BIO *out, const EVP_PKEY *pkey, int indent,\
+ ASN1_PCTX *pctx)"
+.Fc
+.Ft void
+.Fo EVP_PKEY_asn1_set_param
+.Fa "EVP_PKEY_ASN1_METHOD *ameth"
+.Fa "int (*param_decode)(EVP_PKEY *pkey, const unsigned char **pder,\
+ int derlen)"
+.Fa "int (*param_encode)(const EVP_PKEY *pkey, unsigned char **pder)"
+.Fa "int (*param_missing)(const EVP_PKEY *pk)"
+.Fa "int (*param_copy)(EVP_PKEY *to, const EVP_PKEY *from)"
+.Fa "int (*param_cmp)(const EVP_PKEY *a, const EVP_PKEY *b)"
+.Fa "int (*param_print)(BIO *out, const EVP_PKEY *pkey, int indent,\
+ ASN1_PCTX *pctx)"
+.Fc
+.Ft void
+.Fo EVP_PKEY_asn1_set_free
+.Fa "EVP_PKEY_ASN1_METHOD *ameth"
+.Fa "void (*pkey_free)(EVP_PKEY *pkey)"
+.Fc
+.Ft void
+.Fo EVP_PKEY_asn1_set_ctrl
+.Fa "EVP_PKEY_ASN1_METHOD *ameth"
+.Fa "int (*pkey_ctrl)(EVP_PKEY *pkey, int op, long arg1, void *arg2)"
+.Fc
+.Sh DESCRIPTION
+.Vt EVP_PKEY_ASN1_METHOD
+is a structure which holds a set of ASN.1 conversion, printing and
+information methods for a specific public key algorithm.
+.Pp
+There are two places where the
+.Vt EVP_PKEY_ASN1_METHOD
+objects are stored: one is a built-in array representing the standard
+methods for different algorithms, and the other one is a stack of
+user-defined application-specific methods, which can be manipulated by
+using
+.Fn EVP_PKEY_asn1_add0 .
+.Ss Methods
+The methods are the underlying implementations of a particular public
+key algorithm present by the
+.Vt EVP_PKEY
+object.
+.Bd -unfilled
+.Ft int Fo (*pub_decode)
+.Fa "EVP_PKEY *pk"
+.Fa "X509_PUBKEY *pub"
+.Fc
+.Ft int Fo (*pub_encode)
+.Fa "X509_PUBKEY *pub"
+.Fa "const EVP_PKEY *pk"
+.Fc
+.Ft int Fo (*pub_cmp)
+.Fa "const EVP_PKEY *a"
+.Fa "const EVP_PKEY *b"
+.Fc
+.Ft int Fo (*pub_print)
+.Fa "BIO *out"
+.Fa "const EVP_PKEY *pkey"
+.Fa "int indent"
+.Fa "ASN1_PCTX *pctx"
+.Fc
+.Ed
+.Pp
+The
+.Fn pub_decode
+and
+.Fn pub_encode
+methods are called to decode and encode
+.Vt X509_PUBKEY
+ASN.1 parameters to and from
+.Fa pk .
+They must return 0 on error and 1 on success.
+They are called by
+.Xr X509_PUBKEY_get 3
+and
+.Xr X509_PUBKEY_set 3 .
+.Pp
+The
+.Fn pub_cmp
+method is called when two public keys are compared.
+It must return 1 when the keys are equal and 0 otherwise.
+It is called by
+.Xr EVP_PKEY_cmp 3 .
+.Pp
+The
+.Fn pub_print
+method is called to print a public key in humanly readable text to
+.Fa out ,
+indented
+.Fa indent
+spaces.
+It must return 0 on error and 1 on success.
+It is called by
+.Xr EVP_PKEY_print_public 3 .
+.Bd -unfilled
+.Ft int Fo (*priv_decode)
+.Fa "EVP_PKEY *pk"
+.Fa "const PKCS8_PRIV_KEY_INFO *p8inf"
+.Fc
+.Ft int Fo (*priv_encode)
+.Fa "PKCS8_PRIV_KEY_INFO *p8"
+.Fa "const EVP_PKEY *pk"
+.Fc
+.Ft int Fo (*priv_print)
+.Fa "BIO *out"
+.Fa "const EVP_PKEY *pkey"
+.Fa "int indent"
+.Fa "ASN1_PCTX *pctx"
+.Fc
+.Ed
+.Pp
+The
+.Fn priv_decode
+and
+.Fn priv_encode
+methods are called to decode and encode
+.Vt PKCS8_PRIV_KEY_INFO
+form private key to and from
+.Fa pk .
+They must return 0 on error, 1 on success.
+They are called by
+.Fn EVP_PKCS82PKEY
+and
+.Fn EVP_PKEY2PKCS8 .
+.Pp
+The
+.Fn priv_print
+method is called to print a private key in humanly readable text to
+.Fa out ,
+indented
+.Fa indent
+spaces.
+It must return 0 on error and 1 on success.
+It is called by
+.Xr EVP_PKEY_print_private 3 .
+.Bd -unfilled
+.Ft int Fn (*pkey_size) "const EVP_PKEY *pk"
+.Ft int Fn (*pkey_bits) "const EVP_PKEY *pk";
+.Ed
+.Pp
+The
+.Fn pkey_size
+method returns the key size in bytes.
+It is called by
+.Xr EVP_PKEY_size 3 .
+.Pp
+The
+.Fn pkey_bits
+method returns the key size in bits.
+It's called by
+.Fn EVP_PKEY_bits .
+.Bd -unfilled
+.Ft int Fo (*param_decode)
+.Fa "EVP_PKEY *pkey"
+.Fa "const unsigned char **pder"
+.Fa "int derlen"
+.Fc
+.Ft int Fo (*param_encode)
+.Fa "const EVP_PKEY *pkey"
+.Fa "unsigned char **pder"
+.Fc
+.Ft int Fo (*param_missing)
+.Fa "const EVP_PKEY *pk"
+.Fc
+.Ft int Fo (*param_copy)
+.Fa "EVP_PKEY *to"
+.Fa "const EVP_PKEY *from"
+.Fc
+.Ft int Fo (*param_cmp)
+.Fa "const EVP_PKEY *a"
+.Fa "const EVP_PKEY *b"
+.Fc
+.Ft int Fo (*param_print)
+.Fa "BIO *out"
+.Fa "const EVP_PKEY *pkey"
+.Fa "int indent"
+.Fa "ASN1_PCTX *pctx"
+.Fc
+.Ed
+.Pp
+The
+.Fn param_decode
+and
+.Fn param_encode
+methods are called to decode and encode DER formatted parameters to and from
+.Fa pk .
+They must return 0 on error and 1 on success.
+They are called by
+.Fn PEM_read_bio_Parameters .
+.Pp
+The
+.Fn param_missing
+method returns 0 if a key parameter is missing or otherwise 1.
+It is called by
+.Xr EVP_PKEY_missing_parameters 3 .
+.Pp
+The
+.Fn param_copy
+method copies key parameters from
+.Fa from
+to
+.Fa to .
+It must return 0 on error and 1 on success.
+It is called by
+.Xr EVP_PKEY_copy_parameters 3 .
+.Pp
+The
+.Fn param_cmp
+method compares the parameters of the keys
+.Fa a
+and
+.Fa b .
+It must return 1 when the keys are equal, 0 when not equal, and a
+negative number on error.
+It is called by
+.Xr EVP_PKEY_cmp_parameters 3 .
+.Pp
+The
+.Fn param_print
+method prints the private key parameters in humanly readable text to
+.Fa out ,
+indented
+.Fa indent
+spaces.
+It must return 0 on error and 1 on success.
+It is called by
+.Xr EVP_PKEY_print_params 3 .
+.Bd -unfilled
+.Ft void Fn (*pkey_free) "EVP_PKEY *pkey"
+.Ed
+.Pp
+The
+.Fn pkey_free
+method helps freeing the internals of
+.Fa pkey .
+It is called by
+.Xr EVP_PKEY_free 3 ,
+.Fn EVP_PKEY_set_type ,
+.Fn EVP_PKEY_set_type_str ,
+and
+.Fn EVP_PKEY_assign .
+.Bd -unfilled
+.Ft int Fo (*pkey_ctrl)
+.Fa "EVP_PKEY *pkey"
+.Fa "int op"
+.Fa "long arg1"
+.Fa "void *arg2"
+.Fc
+.Ed
+.Pp
+The
+.Fn pkey_ctrl
+method adds extra algorithm specific control.
+It is called by
+.Xr EVP_PKEY_get_default_digest_nid 3 ,
+.Fn PKCS7_SIGNER_INFO_set ,
+.Fn PKCS7_RECIP_INFO_set ,
+and other functions.
+.Ss Functions
+.Fn EVP_PKEY_asn1_new
+creates and returns a new
+.Vt EVP_PKEY_ASN1_METHOD
+object, and associates the given
+.Fa id ,
+.Fa flags ,
+.Fa pem_str
+and
+.Fa info .
+.Fa id
+is a NID,
+.Fa pem_str
+is the PEM type string,
+.Fa info
+is a descriptive string.
+If
+.Dv ASN1_PKEY_SIGPARAM_NULL
+is set in
+.Fa flags ,
+the signature algorithm parameters are given the type
+.Dv V_ASN1_NULL
+by default, otherwise they will be given the type
+.Dv V_ASN1_UNDEF
+(i.e. the parameter is omitted).
+See
+.Xr X509_ALGOR_set0 3
+for more information.
+.Pp
+.Fn EVP_PKEY_asn1_copy
+copies an
+.Vt EVP_PKEY_ASN1_METHOD
+object from
+.Fa src
+to
+.Fa dst .
+This function is not thread safe, it is recommended to only use this when
+initializing the application.
+.Pp
+.Fn EVP_PKEY_asn1_free
+frees an existing
+.Vt EVP_PKEY_ASN1_METHOD
+pointed by
+.Fa ameth .
+.Pp
+.Fn EVP_PKEY_asn1_add0
+adds
+.Fa ameth
+to the user defined stack of methods unless another
+.Vt EVP_PKEY_ASN1_METHOD
+with the same NID is already there.
+This function is not thread safe, it is recommended to only use this when
+initializing the application.
+.Pp
+.Fn EVP_PKEY_asn1_add_alias
+creates an alias with the NID
+.Fa to
+for the
+.Vt EVP_PKEY_ASN1_METHOD
+with NID
+.Fa from
+unless another
+.Vt EVP_PKEY_ASN1_METHOD
+with the same NID is already added.
+This function is not thread safe, it's recommended to only use this when
+initializing the application.
+.Pp +.Fn EVP_PKEY_asn1_set_public , +.Fn EVP_PKEY_asn1_set_private , +.Fn EVP_PKEY_asn1_set_param , +.Fn EVP_PKEY_asn1_set_free , +and +.Fn EVP_PKEY_asn1_set_ctrl +set the diverse methods of the given +.Vt EVP_PKEY_ASN1_METHOD +object. +.Sh RETURN VALUES +.Fn EVP_PKEY_asn1_new +returns a pointer to an +.Vt EVP_PKEY_ASN1_METHOD +object or +.Dv NULL +on error. +.Pp +.Fn EVP_PKEY_asn1_add0 +and +.Fn EVP_PKEY_asn1_add_alias +return 0 on error or 1 on success. +.Sh HISTORY +These functions first appeared in OpenSSL 1.0.0 +and have been available since +.Ox 4.9 . diff --git a/lib/libcrypto/man/EVP_PKEY_cmp.3 b/lib/libcrypto/man/EVP_PKEY_cmp.3 index c583cecf64..28484c9022 100644 --- a/lib/libcrypto/man/EVP_PKEY_cmp.3 +++ b/lib/libcrypto/man/EVP_PKEY_cmp.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_PKEY_cmp.3,v 1.4 2016/11/27 15:22:39 schwarze Exp $ +.\" $OpenBSD: EVP_PKEY_cmp.3,v 1.8 2018/03/23 00:09:11 schwarze Exp $ .\" OpenSSL 05ea606a May 20 20:52:46 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 27 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt EVP_PKEY_CMP 3 .Os .Sh NAME @@ -141,5 +141,19 @@ and return 1 if the keys match, 0 if they don't match, -1 if the key types are different and -2 if the operation is not supported. .Sh SEE ALSO +.Xr EVP_PKEY_asn1_set_public 3 , .Xr EVP_PKEY_CTX_new 3 , .Xr EVP_PKEY_keygen 3 +.Sh HISTORY +.Fn EVP_PKEY_missing_parameters +and +.Fn EVP_PKEY_copy_parameters +appeared in SSLeay 0.8.1b or earlier. +.Fn EVP_PKEY_cmp_parameters +first appeared in SSLeay 0.9.0. +These functions have been available since +.Ox 2.4 . +.Pp +.Fn EVP_PKEY_cmp +first appeared in OpenSSL 0.9.8 and has been available since +.Ox 4.5 . diff --git a/lib/libcrypto/man/EVP_PKEY_decrypt.3 b/lib/libcrypto/man/EVP_PKEY_decrypt.3 index 485fafb538..cdae726c42 100644 --- a/lib/libcrypto/man/EVP_PKEY_decrypt.3 
+++ b/lib/libcrypto/man/EVP_PKEY_decrypt.3 @@ -1,8 +1,9 @@ -.\" $OpenBSD: EVP_PKEY_decrypt.3,v 1.4 2016/11/27 15:27:19 schwarze Exp $ -.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: EVP_PKEY_decrypt.3,v 1.7 2018/03/23 04:34:23 schwarze Exp $ +.\" full merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100 .\" .\" This file was written by Dr. Stephen Henson . -.\" Copyright (c) 2006, 2009, 2013 The OpenSSL Project. All rights reserved. +.\" Copyright (c) 2006, 2009, 2013, 2018 The OpenSSL Project. +.\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -48,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 27 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt EVP_PKEY_DECRYPT 3 .Os .Sh NAME @@ -129,13 +130,16 @@ Decrypt data using OAEP (for RSA keys): #include EVP_PKEY_CTX *ctx; +ENGINE *eng; unsigned char *out, *in; size_t outlen, inlen; EVP_PKEY *key; -/* NB: assumes key in, inlen are already set up - * and that key is an RSA private key + +/* + * Assumes that key, eng, in, and inlen are already set up + * and that key is an RSA private key. */ -ctx = EVP_PKEY_CTX_new(key); +ctx = EVP_PKEY_CTX_new(key, eng); if (!ctx) /* Error occurred */ if (EVP_PKEY_decrypt_init(ctx) <= 0) @@ -161,8 +165,13 @@ if (EVP_PKEY_decrypt(ctx, out, &outlen, in, inlen) <= 0) .Xr EVP_PKEY_CTX_new 3 , .Xr EVP_PKEY_derive 3 , .Xr EVP_PKEY_encrypt 3 , +.Xr EVP_PKEY_meth_set_decrypt 3 , .Xr EVP_PKEY_sign 3 , .Xr EVP_PKEY_verify 3 , .Xr EVP_PKEY_verify_recover 3 .Sh HISTORY -These functions were first added to OpenSSL 1.0.0. +.Fn EVP_PKEY_decrypt_init +and +.Fn EVP_PKEY_decrypt +first appeared in OpenSSL 1.0.0 and have been available since +.Ox 4.9 . 
diff --git a/lib/libcrypto/man/EVP_PKEY_derive.3 b/lib/libcrypto/man/EVP_PKEY_derive.3 index b8c4c4d610..574b6b9b9d 100644 --- a/lib/libcrypto/man/EVP_PKEY_derive.3 +++ b/lib/libcrypto/man/EVP_PKEY_derive.3 @@ -1,8 +1,9 @@ -.\" $OpenBSD: EVP_PKEY_derive.3,v 1.5 2017/04/10 17:45:06 schwarze Exp $ -.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: EVP_PKEY_derive.3,v 1.8 2018/03/23 04:34:23 schwarze Exp $ +.\" full merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100 .\" .\" This file was written by Dr. Stephen Henson . -.\" Copyright (c) 2006, 2009, 2013 The OpenSSL Project. All rights reserved. +.\" Copyright (c) 2006, 2009, 2013, 2018 The OpenSSL Project. +.\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -48,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 10 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt EVP_PKEY_DERIVE 3 .Os .Sh NAME @@ -132,12 +133,13 @@ Derive shared secret (for example DH or EC keys): #include EVP_PKEY_CTX *ctx; +ENGINE *eng; unsigned char *skey; size_t skeylen; EVP_PKEY *pkey, *peerkey; -/* NB: assumes pkey, peerkey have been already set up */ -ctx = EVP_PKEY_CTX_new(pkey); +/* Assumes that pkey, eng, and peerkey have already been set up. */ +ctx = EVP_PKEY_CTX_new(pkey, eng); if (!ctx) /* Error occurred */ if (EVP_PKEY_derive_init(ctx) <= 0) 
@@ -163,9 +165,15 @@ if (EVP_PKEY_derive(ctx, skey, &skeylen) <= 0) .Xr EVP_PKEY_CTX_new 3 , .Xr EVP_PKEY_decrypt 3 , .Xr EVP_PKEY_encrypt 3 , +.Xr EVP_PKEY_meth_set_derive 3 , .Xr EVP_PKEY_sign 3 , .Xr EVP_PKEY_verify 3 , .Xr EVP_PKEY_verify_recover 3 , .Xr X25519 3 .Sh HISTORY -These functions were first added to OpenSSL 1.0.0. +.Fn EVP_PKEY_derive_init , +.Fn EVP_PKEY_derive_set_peer , +and +.Fn EVP_PKEY_derive +first appeared in OpenSSL 1.0.0 and have been available since +.Ox 4.9 . diff --git a/lib/libcrypto/man/EVP_PKEY_encrypt.3 b/lib/libcrypto/man/EVP_PKEY_encrypt.3 index 7309c3478b..a627c2abb6 100644 --- a/lib/libcrypto/man/EVP_PKEY_encrypt.3 +++ b/lib/libcrypto/man/EVP_PKEY_encrypt.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_PKEY_encrypt.3,v 1.4 2016/11/27 15:23:29 schwarze Exp $ +.\" $OpenBSD: EVP_PKEY_encrypt.3,v 1.6 2018/03/23 04:34:23 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Dr. Stephen Henson . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 27 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt EVP_PKEY_ENCRYPT 3 .Os .Sh NAME @@ -172,8 +172,13 @@ if (EVP_PKEY_encrypt(ctx, out, &outlen, in, inlen) <= 0) .Xr EVP_PKEY_CTX_new 3 , .Xr EVP_PKEY_decrypt 3 , .Xr EVP_PKEY_derive 3 , +.Xr EVP_PKEY_meth_set_encrypt 3 , .Xr EVP_PKEY_sign 3 , .Xr EVP_PKEY_verify 3 , .Xr EVP_PKEY_verify_recover 3 .Sh HISTORY -These functions were first added to OpenSSL 1.0.0. +.Fn EVP_PKEY_encrypt_init +and +.Fn EVP_PKEY_encrypt +first appeared in OpenSSL 1.0.0 and have been available since +.Ox 4.9 . diff --git a/lib/libcrypto/man/EVP_PKEY_get_default_digest_nid.3 b/lib/libcrypto/man/EVP_PKEY_get_default_digest_nid.3 index 906cdb7002..9b0c30108e 100644 --- a/lib/libcrypto/man/EVP_PKEY_get_default_digest_nid.3 +++ b/lib/libcrypto/man/EVP_PKEY_get_default_digest_nid.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_PKEY_get_default_digest_nid.3,v 1.2 2016/11/27 15:27:19 schwarze Exp $ +.\" $OpenBSD: EVP_PKEY_get_default_digest_nid.3,v 1.4 2018/03/23 04:34:23 schwarze Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 27 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt EVP_PKEY_GET_DEFAULT_DIGEST_NID 3 .Os .Sh NAME @@ -81,10 +81,13 @@ It returns 0 or a negative value for failure. In particular, a return value of -2 indicates the operation is not supported by the public key algorithm. .Sh SEE ALSO +.Xr EVP_PKEY_asn1_set_ctrl 3 , .Xr EVP_PKEY_CTX_ctrl 3 , .Xr EVP_PKEY_CTX_new 3 , .Xr EVP_PKEY_sign 3 , .Xr EVP_PKEY_verify 3 , .Xr EVP_PKEY_verify_recover 3 .Sh HISTORY -This function was first added to OpenSSL 1.0.0. +.Fn EVP_PKEY_get_default_digest_nid +first appeared in OpenSSL 1.0.0 and has been available since +.Ox 4.9 . diff --git a/lib/libcrypto/man/EVP_PKEY_keygen.3 b/lib/libcrypto/man/EVP_PKEY_keygen.3 index a05e19f80e..6173a1c438 100644 --- a/lib/libcrypto/man/EVP_PKEY_keygen.3 +++ b/lib/libcrypto/man/EVP_PKEY_keygen.3 
@@ -1,8 +1,10 @@ -.\" $OpenBSD: EVP_PKEY_keygen.3,v 1.6 2017/08/01 14:57:03 schwarze Exp $ -.\" OpenSSL 99d63d466 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: EVP_PKEY_keygen.3,v 1.9 2018/03/23 04:34:23 schwarze Exp $ +.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100 +.\" selective merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100 .\" .\" This file was written by Dr. Stephen Henson . -.\" Copyright (c) 2006, 2009, 2013, 2015, 2016 The OpenSSL Project. All rights reserved. +.\" Copyright (c) 2006, 2009, 2013, 2015, 2016, 2018 The OpenSSL Project. +.\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -48,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 1 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt EVP_PKEY_KEYGEN 3 .Os .Sh NAME @@ -215,6 +217,7 @@ Generate a 2048-bit RSA key: EVP_PKEY_CTX *ctx; EVP_PKEY *pkey = NULL; + ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL); if (!ctx) /* Error occurred */ @@ -234,9 +237,11 @@ Generate a key from a set of parameters: #include EVP_PKEY_CTX *ctx; +ENGINE *eng; EVP_PKEY *pkey = NULL, *param; -/* Assumed param is set up already */ -ctx = EVP_PKEY_CTX_new(param); + +/* Assumes that param and eng are already set up. */ +ctx = EVP_PKEY_CTX_new(param, eng); if (!ctx) /* Error occurred */ if (EVP_PKEY_keygen_init(ctx) <= 0) @@ -279,9 +284,12 @@ genpkey_cb(EVP_PKEY_CTX *ctx) .Xr EVP_PKEY_decrypt 3 , .Xr EVP_PKEY_derive 3 , .Xr EVP_PKEY_encrypt 3 , +.Xr EVP_PKEY_meth_set_keygen 3 , .Xr EVP_PKEY_sign 3 , .Xr EVP_PKEY_verify 3 , .Xr EVP_PKEY_verify_recover 3 , .Xr X25519 3 .Sh HISTORY -These functions were first added to OpenSSL 1.0.0. +These functions first appeared in OpenSSL 1.0.0 +and have been available since +.Ox 4.9 . 
diff --git a/lib/libcrypto/man/EVP_PKEY_meth_get0_info.3 b/lib/libcrypto/man/EVP_PKEY_meth_get0_info.3 index a5d8ad92b3..eef35fad5c 100644 --- a/lib/libcrypto/man/EVP_PKEY_meth_get0_info.3 +++ b/lib/libcrypto/man/EVP_PKEY_meth_get0_info.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_PKEY_meth_get0_info.3,v 1.1 2017/08/20 19:21:20 schwarze Exp $ +.\" $OpenBSD: EVP_PKEY_meth_get0_info.3,v 1.2 2018/03/23 05:48:56 schwarze Exp $ .\" OpenSSL EVP_PKEY_meth_get_count.pod 6a2da303 Aug 9 11:25:19 2017 -0400 .\" OpenSSL EVP_PKEY_meth_get_count.pod 48ed9c23 Jul 25 17:48:26 2017 +0100 .\" @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 20 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt EVP_PKEY_METH_GET0_INFO 3 .Os .Sh NAME @@ -71,3 +71,7 @@ public key method .Pf * Fa meth . .Sh SEE ALSO .Xr EVP_PKEY_new 3 +.Sh HISTORY +.Fn EVP_PKEY_meth_get0_info +first appeared in OpenSSL 1.0.1 and has been available since +.Ox 5.3 . diff --git a/lib/libcrypto/man/EVP_PKEY_meth_new.3 b/lib/libcrypto/man/EVP_PKEY_meth_new.3 new file mode 100644 index 0000000000..a3c5884488 --- /dev/null +++ b/lib/libcrypto/man/EVP_PKEY_meth_new.3 
@@ -0,0 +1,551 @@ +.\" $OpenBSD: EVP_PKEY_meth_new.3,v 1.3 2018/03/23 05:48:56 schwarze Exp $ +.\" selective merge up to: OpenSSL 43f985fd Aug 21 11:47:17 2017 -0400 +.\" +.\" This file was written by Paul Yang +.\" Copyright (c) 2017 The OpenSSL Project. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: March 23 2018 $ +.Dt EVP_PKEY_METH_NEW 3 +.Os +.Sh NAME +.Nm EVP_PKEY_meth_new , +.Nm EVP_PKEY_meth_free , +.Nm EVP_PKEY_meth_copy , +.Nm EVP_PKEY_meth_find , +.Nm EVP_PKEY_meth_add0 , +.Nm EVP_PKEY_meth_set_init , +.Nm EVP_PKEY_meth_set_copy , +.Nm EVP_PKEY_meth_set_cleanup , +.Nm EVP_PKEY_meth_set_paramgen , +.Nm EVP_PKEY_meth_set_keygen , +.Nm EVP_PKEY_meth_set_sign , +.Nm EVP_PKEY_meth_set_verify , +.Nm EVP_PKEY_meth_set_verify_recover , +.Nm EVP_PKEY_meth_set_signctx , +.Nm EVP_PKEY_meth_set_verifyctx , +.Nm EVP_PKEY_meth_set_encrypt , +.Nm EVP_PKEY_meth_set_decrypt , +.Nm EVP_PKEY_meth_set_derive , +.Nm EVP_PKEY_meth_set_ctrl +.Nd manipulate an EVP_PKEY_METHOD structure +.Sh SYNOPSIS +.In openssl/evp.h +.Ft EVP_PKEY_METHOD * +.Fo EVP_PKEY_meth_new +.Fa "int id" +.Fa "int flags" +.Fc +.Ft void +.Fo EVP_PKEY_meth_free +.Fa "EVP_PKEY_METHOD *pmeth" +.Fc +.Ft void +.Fo EVP_PKEY_meth_copy +.Fa "EVP_PKEY_METHOD *dst" +.Fa "const EVP_PKEY_METHOD *src" +.Fc +.Ft const EVP_PKEY_METHOD * +.Fo EVP_PKEY_meth_find +.Fa "int type" +.Fc +.Ft int +.Fo EVP_PKEY_meth_add0 +.Fa "const EVP_PKEY_METHOD *pmeth" +.Fc +.Ft void +.Fo EVP_PKEY_meth_set_init +.Fa "EVP_PKEY_METHOD *pmeth" +.Fa "int (*init)(EVP_PKEY_CTX *ctx)" +.Fc +.Ft void +.Fo EVP_PKEY_meth_set_copy +.Fa "EVP_PKEY_METHOD *pmeth" +.Fa "int (*copy)(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)" +.Fc +.Ft void +.Fo EVP_PKEY_meth_set_cleanup +.Fa 
"EVP_PKEY_METHOD *pmeth" +.Fa "void (*cleanup)(EVP_PKEY_CTX *ctx)" +.Fc +.Ft void +.Fo EVP_PKEY_meth_set_paramgen +.Fa "EVP_PKEY_METHOD *pmeth" +.Fa "int (*paramgen_init)(EVP_PKEY_CTX *ctx)" +.Fa "int (*paramgen)(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)" +.Fc +.Ft void +.Fo EVP_PKEY_meth_set_keygen +.Fa "EVP_PKEY_METHOD *pmeth" +.Fa "int (*keygen_init)(EVP_PKEY_CTX *ctx)" +.Fa "int (*keygen)(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)" +.Fc +.Ft void +.Fo EVP_PKEY_meth_set_sign +.Fa "EVP_PKEY_METHOD *pmeth" +.Fa "int (*sign_init)(EVP_PKEY_CTX *ctx)" +.Fa "int (*sign)(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,\ + const unsigned char *tbs, size_t tbslen)" +.Fc +.Ft void +.Fo EVP_PKEY_meth_set_verify +.Fa "EVP_PKEY_METHOD *pmeth" +.Fa "int (*verify_init)(EVP_PKEY_CTX *ctx)" +.Fa "int (*verify)(EVP_PKEY_CTX *ctx, const unsigned char *sig,\ + size_t siglen, const unsigned char *tbs, size_t tbslen)" +.Fc +.Ft void +.Fo EVP_PKEY_meth_set_verify_recover +.Fa "EVP_PKEY_METHOD *pmeth" +.Fa "int (*verify_recover_init)(EVP_PKEY_CTX *ctx)" +.Fa "int (*verify_recover)(EVP_PKEY_CTX *ctx, unsigned char *sig,\ + size_t *siglen, const unsigned char *tbs, size_t tbslen)" +.Fc +.Ft void +.Fo EVP_PKEY_meth_set_signctx +.Fa "EVP_PKEY_METHOD *pmeth" +.Fa "int (*signctx_init)(EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx)" +.Fa "int (*signctx)(EVP_PKEY_CTX *ctx, unsigned char *sig,\ + size_t *siglen, EVP_MD_CTX *mctx)" +.Fc +.Ft void +.Fo EVP_PKEY_meth_set_verifyctx +.Fa "EVP_PKEY_METHOD *pmeth" +.Fa "int (*verifyctx_init)(EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx)" +.Fa "int (*verifyctx)(EVP_PKEY_CTX *ctx, const unsigned char *sig,\ + int siglen, EVP_MD_CTX *mctx)" +.Fc +.Ft void +.Fo EVP_PKEY_meth_set_encrypt +.Fa "EVP_PKEY_METHOD *pmeth" +.Fa "int (*encrypt_init)(EVP_PKEY_CTX *ctx)" +.Fa "int (*encryptfn)(EVP_PKEY_CTX *ctx, unsigned char *out,\ + size_t *outlen, const unsigned char *in, size_t inlen)" +.Fc +.Ft void +.Fo EVP_PKEY_meth_set_decrypt +.Fa "EVP_PKEY_METHOD *pmeth" +.Fa "int 
(*decrypt_init)(EVP_PKEY_CTX *ctx)" +.Fa "int (*decrypt)(EVP_PKEY_CTX *ctx, unsigned char *out,\ + size_t *outlen, const unsigned char *in, size_t inlen)" +.Fc +.Ft void +.Fo EVP_PKEY_meth_set_derive +.Fa "EVP_PKEY_METHOD *pmeth" +.Fa "int (*derive_init)(EVP_PKEY_CTX *ctx)" +.Fa "int (*derive)(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)" +.Fc +.Ft void +.Fo EVP_PKEY_meth_set_ctrl +.Fa "EVP_PKEY_METHOD *pmeth" +.Fa "int (*ctrl)(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)" +.Fa "int (*ctrl_str)(EVP_PKEY_CTX *ctx, const char *type, const char *value)" +.Fc +.Sh DESCRIPTION +The +.Vt EVP_PKEY_METHOD +structure holds a set of methods +for a specific public key cryptographic algorithm. +Those methods perform tasks such as generating keys, signing, verifying, +encrypting, decrypting, and so on. +.Pp +There are two places where the +.Vt EVP_PKEY_METHOD +objects are stored: one is a built-in static array representing the +standard methods for different algorithms, and the other one is a stack +of user-defined application-specific methods, which can be manipulated +with +.Fn EVP_PKEY_meth_add0 . +.Pp +The +.Vt EVP_PKEY_METHOD +objects are usually referenced by +.Vt EVP_PKEY_CTX +objects. +.Ss Methods +The methods implement the particular public key algorithm represented by the +.Vt EVP_PKEY_CTX +object. +.Bd -unfilled +.Ft int Fn (*init) "EVP_PKEY_CTX *ctx" +.Ft int Fn (*copy) "EVP_PKEY_CTX *dst" "EVP_PKEY_CTX *src" +.Ft void Fn (*cleanup) "EVP_PKEY_CTX *ctx" +.Ed +.Pp +The +.Fn init +method is called by +.Xr EVP_PKEY_CTX_new 3 +and +.Xr EVP_PKEY_CTX_new_id 3 +to initialize the algorithm-specific data when a new +.Vt EVP_PKEY_CTX +is created. +The +.Fn cleanup +method is called by +.Xr EVP_PKEY_CTX_free 3 +when an +.Vt EVP_PKEY_CTX +is freed. +The +.Fn copy +method is called by +.Xr EVP_PKEY_CTX_dup 3 +when an +.Vt EVP_PKEY_CTX +is duplicated. 
+.Bd -unfilled
+.Ft int Fn (*paramgen_init) "EVP_PKEY_CTX *ctx"
+.Ft int Fn (*paramgen) "EVP_PKEY_CTX *ctx" "EVP_PKEY *pkey"
+.Ed
+.Pp
+The
+.Fn paramgen_init
+and
+.Fn paramgen
+methods deal with key parameter generation.
+They are called by
+.Xr EVP_PKEY_paramgen_init 3
+and
+.Xr EVP_PKEY_paramgen 3
+to handle the parameter generation process.
+.Bd -unfilled
+.Ft int Fn (*keygen_init) "EVP_PKEY_CTX *ctx"
+.Ft int Fn (*keygen) "EVP_PKEY_CTX *ctx" "EVP_PKEY *pkey"
+.Ed
+.Pp
+The
+.Fn keygen_init
+and
+.Fn keygen
+methods are used to generate a key for the specified algorithm.
+They are called by
+.Xr EVP_PKEY_keygen_init 3
+and
+.Xr EVP_PKEY_keygen 3 .
+.Bd -unfilled
+.Ft int Fn (*sign_init) "EVP_PKEY_CTX *ctx"
+.Ft int Fo (*sign)
+.Fa "EVP_PKEY_CTX *ctx"
+.Fa "unsigned char *sig"
+.Fa "size_t *siglen"
+.Fa "const unsigned char *tbs"
+.Fa "size_t tbslen"
+.Fc
+.Ed
+.Pp
+The
+.Fn sign_init
+and
+.Fn sign
+methods are used to generate the signature of a piece of data using a
+private key.
+They are called by
+.Xr EVP_PKEY_sign_init 3
+and
+.Xr EVP_PKEY_sign 3 .
+.Bd -unfilled
+.Ft int Fn (*verify_init) "EVP_PKEY_CTX *ctx"
+.Ft int Fo (*verify)
+.Fa "EVP_PKEY_CTX *ctx"
+.Fa "const unsigned char *sig"
+.Fa "size_t siglen"
+.Fa "const unsigned char *tbs"
+.Fa "size_t tbslen"
+.Fc
+.Ed
+.Pp
+The
+.Fn verify_init
+and
+.Fn verify
+methods are used to verify whether a signature is valid.
+They are called by
+.Xr EVP_PKEY_verify_init 3
+and
+.Xr EVP_PKEY_verify 3 .
+.Bd -unfilled
+.Ft int Fn (*verify_recover_init) "EVP_PKEY_CTX *ctx"
+.Ft int Fo (*verify_recover)
+.Fa "EVP_PKEY_CTX *ctx"
+.Fa "unsigned char *rout"
+.Fa "size_t *routlen"
+.Fa "const unsigned char *sig"
+.Fa "size_t siglen"
+.Fc
+.Ed
+.Pp
+The
+.Fn verify_recover_init
+and
+.Fn verify_recover
+methods are used to verify a signature and then recover the digest from
+the signature (for instance, a signature that was generated by the RSA
+signing algorithm).
+They are called by
+.Xr EVP_PKEY_verify_recover_init 3
+and
+.Xr EVP_PKEY_verify_recover 3 .
+.Bd -unfilled
+.Ft int Fn (*signctx_init) "EVP_PKEY_CTX *ctx" "EVP_MD_CTX *mctx"
+.Ft int Fo (*signctx)
+.Fa "EVP_PKEY_CTX *ctx"
+.Fa "unsigned char *sig"
+.Fa "size_t *siglen"
+.Fa "EVP_MD_CTX *mctx"
+.Fc
+.Ed
+.Pp
+The
+.Fn signctx_init
+and
+.Fn signctx
+methods are used to sign a digest represented by an
+.Vt EVP_MD_CTX
+object.
+They are called by the
+.Xr EVP_DigestSignInit 3
+functions.
+.Bd -unfilled
+.Ft int Fn (*verifyctx_init) "EVP_PKEY_CTX *ctx" "EVP_MD_CTX *mctx"
+.Ft int Fo (*verifyctx)
+.Fa "EVP_PKEY_CTX *ctx"
+.Fa "const unsigned char *sig"
+.Fa "int siglen"
+.Fa "EVP_MD_CTX *mctx"
+.Fc
+.Ed
+.Pp
+The
+.Fn verifyctx_init
+and
+.Fn verifyctx
+methods are used to verify a signature against the data in an
+.Vt EVP_MD_CTX
+object.
+They are called by the
+.Xr EVP_DigestVerifyInit 3
+functions.
+.Bd -unfilled
+.Ft int Fn (*encrypt_init) "EVP_PKEY_CTX *ctx"
+.Ft int Fo (*encrypt)
+.Fa "EVP_PKEY_CTX *ctx"
+.Fa "unsigned char *out"
+.Fa "size_t *outlen"
+.Fa "const unsigned char *in"
+.Fa "size_t inlen"
+.Fc
+.Ed
+.Pp
+The
+.Fn encrypt_init
+and
+.Fn encrypt
+methods are used to encrypt a piece of data.
+They are called by
+.Xr EVP_PKEY_encrypt_init 3
+and
+.Xr EVP_PKEY_encrypt 3 .
+.Bd -unfilled
+.Ft int Fn (*decrypt_init) "EVP_PKEY_CTX *ctx"
+.Ft int Fo (*decrypt)
+.Fa "EVP_PKEY_CTX *ctx"
+.Fa "unsigned char *out"
+.Fa "size_t *outlen"
+.Fa "const unsigned char *in"
+.Fa "size_t inlen"
+.Fc
+.Ed
+.Pp
+The
+.Fn decrypt_init
+and
+.Fn decrypt
+methods are used to decrypt a piece of data.
+They are called by
+.Xr EVP_PKEY_decrypt_init 3
+and
+.Xr EVP_PKEY_decrypt 3 .
+.Bd -unfilled
+.Ft int Fn (*derive_init) "EVP_PKEY_CTX *ctx"
+.Ft int Fo (*derive)
+.Fa "EVP_PKEY_CTX *ctx"
+.Fa "unsigned char *key"
+.Fa "size_t *keylen"
+.Fc
+.Ed
+.Pp
+The
+.Fn derive_init
+and
+.Fn derive
+methods are used to derive the shared secret from a public key algorithm
+(for instance, the DH algorithm).
+They are called by
+.Xr EVP_PKEY_derive_init 3
+and
+.Xr EVP_PKEY_derive 3 .
+.Bd -unfilled
+.Ft int Fo (*ctrl)
+.Fa "EVP_PKEY_CTX *ctx"
+.Fa "int type"
+.Fa "int p1"
+.Fa "void *p2"
+.Fc
+.Ft int Fo (*ctrl_str)
+.Fa "EVP_PKEY_CTX *ctx"
+.Fa "const char *type"
+.Fa "const char *value"
+.Fc
+.Ed
+.Pp
+The
+.Fn ctrl
+and
+.Fn ctrl_str
+methods are used to adjust algorithm-specific settings.
+See
+.Xr EVP_PKEY_CTX_ctrl 3
+for details.
+.Ss Functions
+.Fn EVP_PKEY_meth_new
+creates a new
+.Vt EVP_PKEY_METHOD
+object with the given
+.Fa id
+and
+.Fa flags .
+The following flags are supported:
+.Bl -tag -width Ds
+.It Dv EVP_PKEY_FLAG_AUTOARGLEN
+Automatically calculate the maximum size of the output buffer
+in corresponding EVP methods by the EVP framework.
+Thus the implementations of these methods don't need to care about
+handling the case of returning output buffer size by themselves.
+For details on the output buffer size, refer to
+.Xr EVP_PKEY_sign 3 .
+.It Dv EVP_PKEY_FLAG_SIGCTX_CUSTOM
+Indicate that the
+.Fn signctx
+method of an
+.Vt EVP_PKEY_METHOD
+is always called by the EVP framework while doing a digest signing
+operation by calling
+.Xr EVP_DigestSignFinal 3 .
+.El
+.Pp
+.Fn EVP_PKEY_meth_free
+frees
+.Fa pmeth .
+.Pp
+.Fn EVP_PKEY_meth_copy
+copies
+.Fa src
+to
+.Fa dst .
+.Pp
+.Fn EVP_PKEY_meth_find
+finds an
+.Vt EVP_PKEY_METHOD
+object with the given
+.Fa id .
+This function first searches through the user-defined method objects and
+then through the built-in objects.
+.Pp
+.Fn EVP_PKEY_meth_add0
+adds
+.Fa pmeth
+to the stack of user defined methods.
+.Pp +The +.Fn EVP_PKEY_meth_set_* +functions set the corresponding fields of +.Fa pmeth +to the arguments passed. +.Sh RETURN VALUES +.Fn EVP_PKEY_meth_new +returns a pointer to a new +.Vt EVP_PKEY_METHOD +object or +.Dv NULL +on error. +.Pp +.Fn EVP_PKEY_meth_find +returns a pointer to the found +.Vt EVP_PKEY_METHOD +object or +.Dv NULL +if no matching object is found. +.Pp +.Fn EVP_PKEY_meth_add0 +returns 1 if the method is added successfully or 0 if an error occurred. +.Sh HISTORY +.Fn EVP_PKEY_meth_new , +.Fn EVP_PKEY_meth_free , +.Fn EVP_PKEY_meth_find , +.Fn EVP_PKEY_meth_add0 , +.Fn EVP_PKEY_meth_set_init , +.Fn EVP_PKEY_meth_set_copy , +.Fn EVP_PKEY_meth_set_cleanup , +.Fn EVP_PKEY_meth_set_paramgen , +.Fn EVP_PKEY_meth_set_keygen , +.Fn EVP_PKEY_meth_set_sign , +.Fn EVP_PKEY_meth_set_verify , +.Fn EVP_PKEY_meth_set_verify_recover , +.Fn EVP_PKEY_meth_set_signctx , +.Fn EVP_PKEY_meth_set_verifyctx , +.Fn EVP_PKEY_meth_set_encrypt , +.Fn EVP_PKEY_meth_set_decrypt , +.Fn EVP_PKEY_meth_set_derive , +and +.Fn EVP_PKEY_meth_set_ctrl +first appeared in OpenSSL 1.0.0 and have been available since +.Ox 4.9 . +.Pp +.Fn EVP_PKEY_meth_copy +first appeared in OpenSSL 1.0.1 and has been available since +.Ox 5.3 . diff --git a/lib/libcrypto/man/EVP_PKEY_new.3 b/lib/libcrypto/man/EVP_PKEY_new.3 index 636df7dffc..ed286ecb31 100644 --- a/lib/libcrypto/man/EVP_PKEY_new.3 +++ b/lib/libcrypto/man/EVP_PKEY_new.3 @@ -1,5 +1,5 @@ -.\" $OpenBSD: EVP_PKEY_new.3,v 1.3 2016/11/27 15:24:27 schwarze Exp $ -.\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400 +.\" $OpenBSD: EVP_PKEY_new.3,v 1.7 2018/03/23 23:18:17 schwarze Exp $ +.\" full merge up to: OpenSSL 99d63d42 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . .\" Copyright (c) 2002 The OpenSSL Project. All rights reserved. 
@@ -48,17 +48,22 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 27 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt EVP_PKEY_NEW 3 .Os .Sh NAME .Nm EVP_PKEY_new , +.Nm EVP_PKEY_up_ref , .Nm EVP_PKEY_free .Nd private key allocation functions .Sh SYNOPSIS .In openssl/evp.h .Ft EVP_PKEY * .Fn EVP_PKEY_new void +.Ft int +.Fo EVP_PKEY_up_ref +.Fa "EVP_PKEY *key" +.Fc .Ft void .Fo EVP_PKEY_free .Fa "EVP_PKEY *key" @@ -74,12 +79,19 @@ The function allocates an empty .Vt EVP_PKEY structure. +The reference count is set to 1. To add a private key to it, use the functions described in .Xr EVP_PKEY_set1_RSA 3 . .Pp +.Fn EVP_PKEY_up_ref +increments the reference count of +.Fa key +by 1. +.Pp .Fn EVP_PKEY_free -frees up the private key -.Fa key . +decrements the reference count of +.Fa key +by 1, and if the reference count reaches zero, frees it up. If .Fa key is a @@ -92,10 +104,19 @@ returns either the newly allocated structure or .Dv NULL if an error occurred. +.Pp +.Fn EVP_PKEY_up_ref +returns 1 for success or 0 for failure. .Sh SEE ALSO +.Xr EVP_PKEY_asn1_set_free 3 , .Xr EVP_PKEY_set1_RSA 3 .Sh HISTORY .Fn EVP_PKEY_new and .Fn EVP_PKEY_free -exist in all versions of OpenSSL. +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . +.Pp +.Fn EVP_PKEY_up_ref +first appeared in OpenSSL 1.1.0 and has been available since +.Ox 6.3 . diff --git a/lib/libcrypto/man/EVP_PKEY_print_private.3 b/lib/libcrypto/man/EVP_PKEY_print_private.3 index a5e4879f34..48e0c55e5e 100644 --- a/lib/libcrypto/man/EVP_PKEY_print_private.3 +++ b/lib/libcrypto/man/EVP_PKEY_print_private.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_PKEY_print_private.3,v 1.4 2016/11/27 15:27:19 schwarze Exp $ +.\" $OpenBSD: EVP_PKEY_print_private.3,v 1.6 2018/03/23 04:34:23 schwarze Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . 
@@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 27 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt EVP_PKEY_PRINT_PRIVATE 3 .Os .Sh NAME @@ -120,7 +120,10 @@ failure. In particular, a return value of -2 indicates the operation is not supported by the public key algorithm. .Sh SEE ALSO +.Xr EVP_PKEY_asn1_set_public 3 , .Xr EVP_PKEY_CTX_new 3 , .Xr EVP_PKEY_keygen 3 .Sh HISTORY -These functions were first added to OpenSSL 1.0.0. +These functions first appeared in OpenSSL 1.0.0 +and have been available since +.Ox 4.9 . diff --git a/lib/libcrypto/man/EVP_PKEY_set1_RSA.3 b/lib/libcrypto/man/EVP_PKEY_set1_RSA.3 index 851184ae3c..6682ea5154 100644 --- a/lib/libcrypto/man/EVP_PKEY_set1_RSA.3 +++ b/lib/libcrypto/man/EVP_PKEY_set1_RSA.3 @@ -1,8 +1,9 @@ -.\" $OpenBSD: EVP_PKEY_set1_RSA.3,v 1.5 2016/12/11 12:21:48 schwarze Exp $ -.\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400 +.\" $OpenBSD: EVP_PKEY_set1_RSA.3,v 1.12 2018/03/23 23:18:17 schwarze Exp $ +.\" full merge up to: OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400 +.\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . -.\" Copyright (c) 2002, 2014, 2016 The OpenSSL Project. All rights reserved. +.\" Copyright (c) 2002, 2015, 2016 The OpenSSL Project. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -48,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 11 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt EVP_PKEY_SET1_RSA 3 .Os .Sh NAME 
@@ -60,6 +61,10 @@ .Nm EVP_PKEY_get1_DSA , .Nm EVP_PKEY_get1_DH , .Nm EVP_PKEY_get1_EC_KEY , +.Nm EVP_PKEY_get0_RSA , +.Nm EVP_PKEY_get0_DSA , +.Nm EVP_PKEY_get0_DH , +.Nm EVP_PKEY_get0_EC_KEY , .Nm EVP_PKEY_assign_RSA , .Nm EVP_PKEY_assign_DSA , .Nm EVP_PKEY_assign_DH , @@ -106,6 +111,22 @@ .Fo EVP_PKEY_get1_EC_KEY .Fa "EVP_PKEY *pkey" .Fc +.Ft RSA * +.Fo EVP_PKEY_get0_RSA +.Fa "EVP_PKEY *pkey" +.Fc +.Ft DSA * +.Fo EVP_PKEY_get0_DSA +.Fa "EVP_PKEY *pkey" +.Fc +.Ft DH * +.Fo EVP_PKEY_get0_DH +.Fa "EVP_PKEY *pkey" +.Fc +.Ft EC_KEY * +.Fo EVP_PKEY_get0_EC_KEY +.Fa "EVP_PKEY *pkey" +.Fc .Ft int .Fo EVP_PKEY_assign_RSA .Fa "EVP_PKEY *pkey" @@ -155,11 +176,19 @@ to and .Fn EVP_PKEY_get1_EC_KEY return the key referenced in -.Fa pkey -or +.Fa pkey , +incrementing its reference count by 1, or .Dv NULL if the key is not of the correct type. .Pp +.Fn EVP_PKEY_get0_RSA , +.Fn EVP_PKEY_get0_DSA , +.Fn EVP_PKEY_get0_DH , +and +.Fn EVP_PKEY_get0_EC_KEY +are identical except that they do not increment the reference count. +Consequently, the returned key must not be freed by the caller. +.Pp .Fn EVP_PKEY_assign_RSA , .Fn EVP_PKEY_assign_DSA , .Fn EVP_PKEY_assign_DH , @@ -235,8 +264,12 @@ return 1 for success or 0 for failure. .Fn EVP_PKEY_get1_RSA , .Fn EVP_PKEY_get1_DSA , .Fn EVP_PKEY_get1_DH , +.Fn EVP_PKEY_get1_EC_KEY , +.Fn EVP_PKEY_get0_RSA , +.Fn EVP_PKEY_get0_DSA , +.Fn EVP_PKEY_get0_DH , and -.Fn EVP_PKEY_get1_EC_KEY +.Fn EVP_PKEY_get0_EC_KEY return the referenced key or .Dv NULL if an error occurred. 
@@ -258,5 +291,47 @@ return a key type or .Dv EVP_PKEY_NONE ) on error. .Sh SEE ALSO +.Xr DH_new 3 , +.Xr DSA_new 3 , +.Xr EC_KEY_new 3 , .Xr EVP_PKEY_new 3 , .Xr RSA_new 3 +.Sh HISTORY +.Fn EVP_PKEY_assign_RSA , +.Fn EVP_PKEY_assign_DSA , +.Fn EVP_PKEY_assign_DH , +and +.Fn EVP_PKEY_type +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . +.Pp +.Fn EVP_PKEY_set1_RSA , +.Fn EVP_PKEY_set1_DSA , +.Fn EVP_PKEY_set1_DH , +.Fn EVP_PKEY_get1_RSA , +.Fn EVP_PKEY_get1_DSA , +and +.Fn EVP_PKEY_get1_DH +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . +.Pp +.Fn EVP_PKEY_set1_EC_KEY , +.Fn EVP_PKEY_get1_EC_KEY , +and +.Fn EVP_PKEY_assign_EC_KEY +first appeared in OpenSSL 0.9.8 and have been available since +.Ox 4.5 . +.Pp +.Fn EVP_PKEY_id +and +.Fn EVP_PKEY_base_id +first appeared in OpenSSL 1.0.0 and have been available since +.Ox 4.9 . +.Pp +.Fn EVP_PKEY_get0_RSA , +.Fn EVP_PKEY_get0_DSA , +.Fn EVP_PKEY_get0_DH , +and +.Fn EVP_PKEY_get0_EC_KEY +first appeared in OpenSSL 1.1.0 and have been available since +.Ox 6.3 . diff --git a/lib/libcrypto/man/EVP_PKEY_sign.3 b/lib/libcrypto/man/EVP_PKEY_sign.3 index d7812186f3..efbea950c9 100644 --- a/lib/libcrypto/man/EVP_PKEY_sign.3 +++ b/lib/libcrypto/man/EVP_PKEY_sign.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_PKEY_sign.3,v 1.5 2017/01/06 02:43:14 schwarze Exp $ +.\" $OpenBSD: EVP_PKEY_sign.3,v 1.7 2018/03/23 04:34:23 schwarze Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 6 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt EVP_PKEY_SIGN 3 .Os .Sh NAME 
@@ -180,7 +180,12 @@ if (EVP_PKEY_sign(ctx, sig, &siglen, md, mdlen) <= 0) .Xr EVP_PKEY_decrypt 3 , .Xr EVP_PKEY_derive 3 , .Xr EVP_PKEY_encrypt 3 , +.Xr EVP_PKEY_meth_set_sign 3 , .Xr EVP_PKEY_verify 3 , .Xr EVP_PKEY_verify_recover 3 .Sh HISTORY -These functions were first added to OpenSSL 1.0.0. +.Fn EVP_PKEY_sign_init +and +.Fn EVP_PKEY_sign +first appeared in OpenSSL 1.0.0 and have been available since +.Ox 4.9 . diff --git a/lib/libcrypto/man/EVP_PKEY_verify.3 b/lib/libcrypto/man/EVP_PKEY_verify.3 index b1739b2faa..c4d983320a 100644 --- a/lib/libcrypto/man/EVP_PKEY_verify.3 +++ b/lib/libcrypto/man/EVP_PKEY_verify.3 @@ -1,8 +1,8 @@ -.\" $OpenBSD: EVP_PKEY_verify.3,v 1.4 2016/11/27 15:27:19 schwarze Exp $ -.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: EVP_PKEY_verify.3,v 1.7 2018/03/23 04:34:23 schwarze Exp $ +.\" full merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100 .\" .\" This file was written by Dr. Stephen Henson . -.\" Copyright (c) 2006, 2009, 2010, 2013 The OpenSSL Project. +.\" Copyright (c) 2006, 2009, 2010, 2013, 2018 The OpenSSL Project. .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 27 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt EVP_PKEY_VERIFY 3 .Os .Sh NAME @@ -129,10 +129,12 @@ EVP_PKEY_CTX *ctx; unsigned char *md, *sig; size_t mdlen, siglen; EVP_PKEY *verify_key; -/* NB: assumes verify_key, sig, siglen md and mdlen are already set up - * and that verify_key is an RSA public key + +/* + * Assumes that verify_key, sig, siglen, md, and mdlen are already set up + * and that verify_key is an RSA public key. */ -ctx = EVP_PKEY_CTX_new(verify_key); +ctx = EVP_PKEY_CTX_new(verify_key, NULL); if (!ctx) /* Error occurred */ if (EVP_PKEY_verify_init(ctx) <= 0) 
@@ -145,8 +147,9 @@ if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) /* Perform operation */ ret = EVP_PKEY_verify(ctx, sig, siglen, md, mdlen); -/* ret == 1 indicates success, 0 verify failure and < 0 for some - * other error. +/* + * ret == 1 indicates success, 0 verify failure, + * and < 0 some other error. */ .Ed .Sh SEE ALSO @@ -154,7 +157,12 @@ ret = EVP_PKEY_verify(ctx, sig, siglen, md, mdlen); .Xr EVP_PKEY_decrypt 3 , .Xr EVP_PKEY_derive 3 , .Xr EVP_PKEY_encrypt 3 , +.Xr EVP_PKEY_meth_set_verify 3 , .Xr EVP_PKEY_sign 3 , .Xr EVP_PKEY_verify_recover 3 .Sh HISTORY -These functions were first added to OpenSSL 1.0.0. +.Fn EVP_PKEY_verify_init +and +.Fn EVP_PKEY_verify +first appeared in OpenSSL 1.0.0 and have been available since +.Ox 4.9 . diff --git a/lib/libcrypto/man/EVP_PKEY_verify_recover.3 b/lib/libcrypto/man/EVP_PKEY_verify_recover.3 index ae3eb0ef14..3a55faccd2 100644 --- a/lib/libcrypto/man/EVP_PKEY_verify_recover.3 +++ b/lib/libcrypto/man/EVP_PKEY_verify_recover.3 @@ -1,8 +1,8 @@ -.\" $OpenBSD: EVP_PKEY_verify_recover.3,v 1.6 2017/01/06 02:43:14 schwarze Exp $ -.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: EVP_PKEY_verify_recover.3,v 1.9 2018/03/23 04:34:23 schwarze Exp $ +.\" full merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100 .\" .\" This file was written by Dr. Stephen Henson . -.\" Copyright (c) 2006, 2009, 2010, 2013 The OpenSSL Project. +.\" Copyright (c) 2006, 2009, 2010, 2013, 2018 The OpenSSL Project. .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 6 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt EVP_PKEY_VERIFY_RECOVER 3 .Os .Sh NAME 
@@ -144,10 +144,12 @@ EVP_PKEY_CTX *ctx; unsigned char *rout, *sig; size_t routlen, siglen; EVP_PKEY *verify_key; -/* NB: assumes verify_key, sig and siglen are already set up - * and that verify_key is an RSA public key + +/* + * Assumes that verify_key, sig, and siglen are already set up + * and that verify_key is an RSA public key. */ -ctx = EVP_PKEY_CTX_new(verify_key); +ctx = EVP_PKEY_CTX_new(verify_key, NULL); if (!ctx) /* Error occurred */ if (EVP_PKEY_verify_recover_init(ctx) <= 0) @@ -176,7 +178,12 @@ if (EVP_PKEY_verify_recover(ctx, rout, &routlen, sig, siglen) <= 0) .Xr EVP_PKEY_decrypt 3 , .Xr EVP_PKEY_derive 3 , .Xr EVP_PKEY_encrypt 3 , +.Xr EVP_PKEY_meth_set_verify_recover 3 , .Xr EVP_PKEY_sign 3 , .Xr EVP_PKEY_verify 3 .Sh HISTORY -These functions were first added to OpenSSL 1.0.0. +.Fn EVP_PKEY_verify_recover_init +and +.Fn EVP_PKEY_verify_recover +first appeared in OpenSSL 1.0.0 and have been available since +.Ox 4.9 . diff --git a/lib/libcrypto/man/EVP_SealInit.3 b/lib/libcrypto/man/EVP_SealInit.3 index bbd1add74a..d8d2b5719a 100644 --- a/lib/libcrypto/man/EVP_SealInit.3 +++ b/lib/libcrypto/man/EVP_SealInit.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_SealInit.3,v 1.5 2016/11/26 20:55:26 schwarze Exp $ +.\" $OpenBSD: EVP_SealInit.3,v 1.6 2018/03/20 23:56:07 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Dr. Stephen Henson . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 26 2016 $ +.Dd $Mdocdate: March 20 2018 $ .Dt EVP_SEALINIT 3 .Os .Sh NAME @@ -178,5 +178,12 @@ return 1 for success and 0 for failure. .Xr EVP_OpenInit 3 , .Xr RAND_bytes 3 .Sh HISTORY +.Fn EVP_SealInit , +.Fn EVP_SealUpdate , +and +.Fn EVP_SealFinal +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . +.Pp .Fn EVP_SealFinal did not return a value before OpenSSL 0.9.7. 
diff --git a/lib/libcrypto/man/EVP_SignInit.3 b/lib/libcrypto/man/EVP_SignInit.3 index 1751ca594e..1c75e332aa 100644 --- a/lib/libcrypto/man/EVP_SignInit.3 +++ b/lib/libcrypto/man/EVP_SignInit.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_SignInit.3,v 1.4 2016/11/26 20:55:26 schwarze Exp $ +.\" $OpenBSD: EVP_SignInit.3,v 1.7 2018/03/22 21:08:22 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Dr. Stephen Henson . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 26 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt EVP_SIGNINIT 3 .Os .Sh NAME @@ -188,16 +188,20 @@ The error codes can be obtained by .Xr ERR 3 , .Xr evp 3 , .Xr EVP_DigestInit 3 , +.Xr EVP_PKEY_asn1_set_public 3 , .Xr EVP_VerifyInit 3 .Sh HISTORY .Fn EVP_SignInit , .Fn EVP_SignUpdate , +.Fn EVP_SignFinal , and -.Fn EVP_SignFinal -are available in all versions of SSLeay and OpenSSL. +.Fn EVP_PKEY_size +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . .Pp .Fn EVP_SignInit_ex -was added in OpenSSL 0.9.7. +first appeared in OpenSSL 0.9.7 and has been available since +.Ox 3.2 . .Sh BUGS Older versions of this documentation wrongly stated that calls to .Fn EVP_SignUpdate diff --git a/lib/libcrypto/man/EVP_VerifyInit.3 b/lib/libcrypto/man/EVP_VerifyInit.3 index 2f8a7a1b53..701054479d 100644 --- a/lib/libcrypto/man/EVP_VerifyInit.3 +++ b/lib/libcrypto/man/EVP_VerifyInit.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_VerifyInit.3,v 1.4 2016/11/26 20:55:26 schwarze Exp $ +.\" $OpenBSD: EVP_VerifyInit.3,v 1.6 2018/03/22 21:08:22 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Dr. Stephen Henson . 
@@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 26 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt EVP_VERIFYINIT 3 .Os .Sh NAME @@ -173,10 +173,12 @@ The error codes can be obtained by .Fn EVP_VerifyUpdate , and .Fn EVP_VerifyFinal -are available in all versions of SSLeay and OpenSSL. +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . .Pp .Fn EVP_VerifyInit_ex -was added in OpenSSL 0.9.7. +first appeared in OpenSSL 0.9.7 and has been available since +.Ox 3.2 . .Sh BUGS Older versions of this documentation wrongly stated that calls to .Fn EVP_VerifyUpdate diff --git a/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3 b/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3 index 8910fb58f8..d06c76c5dd 100644 --- a/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3 +++ b/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EXTENDED_KEY_USAGE_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: EXTENDED_KEY_USAGE_new.3,v 1.3 2018/03/22 21:08:22 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt EXTENDED_KEY_USAGE_NEW 3 .Os .Sh NAME @@ -73,3 +73,9 @@ section 4.2.1.3: Key Usage .It section 4.2.1.12: Extended Key Usage .El +.Sh HISTORY +.Fn EXTENDED_KEY_USAGE_new +and +.Fn EXTENDED_KEY_USAGE_free +first appeared in OpenSSL 0.9.7 and have been available since +.Ox 3.2 . diff --git a/lib/libcrypto/man/GENERAL_NAME_new.3 b/lib/libcrypto/man/GENERAL_NAME_new.3 index a5537323ae..671b5440f9 100644 --- a/lib/libcrypto/man/GENERAL_NAME_new.3 +++ b/lib/libcrypto/man/GENERAL_NAME_new.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: GENERAL_NAME_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: GENERAL_NAME_new.3,v 1.5 2018/03/22 21:08:22 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt GENERAL_NAME_NEW 3 .Os .Sh NAME @@ -142,3 +142,23 @@ if an error occurs. RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, section 4.2: Certificate Extensions +.Sh HISTORY +.Fn GENERAL_NAME_new , +.Fn GENERAL_NAME_free , +.Fn GENERAL_NAMES_new , +and +.Fn GENERAL_NAMES_free +first appeared in OpenSSL 0.9.2b and have been available since +.Ox 2.6 . +.Pp +.Fn OTHERNAME_new +and +.Fn OTHERNAME_free +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . +.Pp +.Fn EDIPARTYNAME_new +and +.Fn EDIPARTYNAME_free +first appeared in OpenSSL 0.9.7 and have been available since +.Ox 3.2 . diff --git a/lib/libcrypto/man/HMAC.3 b/lib/libcrypto/man/HMAC.3 index 595d5ed5ce..1f855dc17d 100644 --- a/lib/libcrypto/man/HMAC.3 +++ b/lib/libcrypto/man/HMAC.3 
@@ -1,9 +1,12 @@
-.\" $OpenBSD: HMAC.3,v 1.7 2017/08/01 14:57:03 schwarze Exp $
-.\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
+.\" $OpenBSD: HMAC.3,v 1.13 2018/03/23 23:18:17 schwarze Exp $
+.\" full merge up to: OpenSSL crypto/hmac a528d4f0 Oct 27 13:40:11 2015 -0400
+.\" selective merge up to: OpenSSL man3/HMAC b3696a55 Sep 2 09:35:50 2017 -0400
 .\"
-.\" This file was written by Ulf Moeller .
-.\" Copyright (c) 2000-2002, 2006, 2008, 2009, 2013, 2016 The OpenSSL Project.
-.\" All rights reserved.
+.\" This file was written by Ulf Moeller ,
+.\" Richard Levitte , and
+.\" Matt Caswell .
+.\" Copyright (c) 2000-2002, 2006, 2008, 2009, 2013, 2015, 2016
+.\" The OpenSSL Project. All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -49,20 +52,24 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 1 2017 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt HMAC 3
 .Os
 .Sh NAME
 .Nm HMAC ,
+.Nm HMAC_CTX_new ,
+.Nm HMAC_CTX_reset ,
+.Nm HMAC_CTX_free ,
 .Nm HMAC_CTX_init ,
-.Nm HMAC_Init ,
+.Nm HMAC_CTX_cleanup ,
+.Nm HMAC_cleanup ,
 .Nm HMAC_Init_ex ,
+.Nm HMAC_Init ,
 .Nm HMAC_Update ,
 .Nm HMAC_Final ,
-.Nm HMAC_CTX_cleanup ,
-.Nm HMAC_cleanup ,
 .Nm HMAC_CTX_copy ,
 .Nm HMAC_CTX_set_flags ,
+.Nm HMAC_CTX_get_md ,
 .Nm HMAC_size
 .Nd HMAC message authentication code
 .Sh SYNOPSIS
@@ -77,24 +84,42 @@
 .Fa "unsigned char *md"
 .Fa "unsigned int *md_len"
 .Fc
+.Ft HMAC_CTX *
+.Fn HMAC_CTX_new void
+.Ft int
+.Fo HMAC_CTX_reset
+.Fa "HMAC_CTX *ctx"
+.Fc
+.Ft void
+.Fo HMAC_CTX_free
+.Fa "HMAC_CTX *ctx"
+.Fc
 .Ft void
 .Fo HMAC_CTX_init
 .Fa "HMAC_CTX *ctx"
 .Fc
+.Ft void
+.Fo HMAC_CTX_cleanup
+.Fa "HMAC_CTX *ctx"
+.Fc
+.Ft void
+.Fo HMAC_cleanup
+.Fa "HMAC_CTX *ctx"
+.Fc
 .Ft int
-.Fo HMAC_Init
+.Fo HMAC_Init_ex
 .Fa "HMAC_CTX *ctx"
 .Fa "const void *key"
 .Fa "int key_len"
 .Fa "const EVP_MD *md"
+.Fa "ENGINE *impl"
 .Fc
 .Ft int
-.Fo HMAC_Init_ex
+.Fo HMAC_Init
 .Fa "HMAC_CTX *ctx"
 .Fa "const void *key"
 .Fa "int key_len"
 .Fa "const EVP_MD *md"
-.Fa "ENGINE *impl"
 .Fc
 .Ft int
 .Fo HMAC_Update
@@ -108,14 +133,6 @@
 .Fa "unsigned char *md"
 .Fa "unsigned int *len"
 .Fc
-.Ft void
-.Fo HMAC_CTX_cleanup
-.Fa "HMAC_CTX *ctx"
-.Fc
-.Ft void
-.Fo HMAC_cleanup
-.Fa "HMAC_CTX *ctx"
-.Fc
 .Ft int
 .Fo HMAC_CTX_copy
 .Fa "HMAC_CTX *dctx"
@@ -126,6 +143,10 @@
 .Fa "HMAC_CTX *ctx"
 .Fa "unsigned long flags"
 .Fc
+.Ft const EVP_MD *
+.Fo HMAC_CTX_get_md
+.Fa "const HMAC_CTX *ctx"
+.Fc
 .Ft size_t
 .Fo HMAC_size
 .Fa "const HMAC_CTX *e"
@@ -158,7 +179,7 @@ If
 .Fa md
 is
 .Dv NULL ,
-the digest is placed in a static array.
+the digest is placed in a static array, which is not thread safe.
 The size of the output is placed in
 .Fa md_len ,
 unless it is
@@ -170,19 +191,48 @@ can be
 .Xr EVP_ripemd160 3 ,
 etc.
 .Pp
+.Fn HMAC_CTX_new
+allocates and initializes a new
+.Vt HMAC_CTX
+object.
+.Pp
+.Fn HMAC_CTX_reset
+zeroes and re-initializes
+.Fa ctx
+and associated resources, making it suitable for new computations
+as if it was deleted with
+.Fn HMAC_CTX_free
+and newly created with
+.Fn HMAC_CTX_new .
+.Pp
+.Fn HMAC_CTX_free
+erases the key and other data from
+.Fa ctx ,
+releases any associated resources, and finally frees
+.Fa ctx
+itself.
+.Pp
 .Fn HMAC_CTX_init
-initialises a
+is a deprecated function to initialize an empty
 .Vt HMAC_CTX
-before first use.
-It must be called.
+object, similar to
+.Fn CTX_new
+but without the allocation.
+Calling it is required for static objects and objects on the stack
+before using them.
 .Pp
 .Fn HMAC_CTX_cleanup
-erases the key and other data from the
-.Vt HMAC_CTX
-and releases any associated resources.
-It must be called when an
-.Vt HMAC_CTX
-is no longer required.
+is a deprecated function to erase the key and other data from
+.Fa ctx
+and release any associated resources, similar to
+.Fn HMAC_CTX_free
+but without freeing
+.Fa ctx
+itself.
+Calling it is required for static objects and objects on the stack
+that were initialized with
+.Fn HMAC_CTX_init
+and are no longer needed.
 .Pp
 .Fn HMAC_cleanup
 is an alias for
@@ -193,39 +243,66 @@ It is deprecated and implemented as a macro. The following functions may be used if the message is not completely stored in memory: .Pp -.Fn HMAC_Init -initializes a -.Vt HMAC_CTX -structure to use the hash function -.Fa evp_md -and the key -.Fa key -which is -.Fa key_len -bytes long. -It is deprecated and only included for backward compatibility with -OpenSSL 0.9.6b. -.Pp .Fn HMAC_Init_ex -initializes or reuses a -.Vt HMAC_CTX -structure to use the function +sets up or reuses +.Fa ctx +to use the hash function .Fa evp_md -and key +and the key .Fa key . Either can be .Dv NULL , -in which case the existing one will be reused. +in which case the existing one is reused. +The +.Fa ctx +must have been created with +.Fn HMAC_CTX_new +or initialized with .Fn HMAC_CTX_init -must have been called before the first use of an -.Vt HMAC_CTX -in this function. -.Sy N.B. -.Fn HMAC_Init -had this undocumented behaviour in previous versions of OpenSSL - -failure to switch to +before the first use in this function. +If .Fn HMAC_Init_ex -in programs that expect it will cause them to stop working. +is called with a +.Dv NULL +.Fa key +but +.Fa evp_md +is neither +.Dv NULL +nor the same as the previous digest used by +.Fa ctx , +then an error is returned because reuse of an existing key with a +different digest is not supported. +.Pp +.Fn HMAC_Init +is a deprecated wrapper around +.Fn HMAC_Init_ex . +If called with both +.Fa key +and +.Fa md , +it calls +.Fn HMAC_CTX_init +first, which only makes sense for an empty, uninitialized +.Fa ctx , +but not for one already initialized with +.Fn HMAC_CTX_new +or +.Fn HMAC_CTX_init . +If +.Fa key +or +.Fa md +is +.Dv NULL , +it does not call +.Fn HMAC_CTX_init ; +so in this case, +.Fa ctx +already needs to be initialized with +.Fn HMAC_CTX_new +or +.Fn HMAC_CTX_init . .Pp .Fn HMAC_Update can be called repeatedly with chunks of the message to be authenticated 
@@ -260,6 +337,14 @@ returns a pointer to the message authentication code or .Dv NULL if an error occurred. .Pp +.Fn HMAC_CTX_new +returns a pointer to the new +.Vt HMAC_CTX +object or +.Dv NULL +if an error occurred. +.Pp +.Fn HMAC_CTX_reset , .Fn HMAC_Init_ex , .Fn HMAC_Update , .Fn HMAC_Final , @@ -267,6 +352,15 @@ and .Fn HMAC_CTX_copy return 1 for success or 0 if an error occurred. .Pp +.Fn HMAC_CTX_get_md +returns the message digest that was previously set for +.Fa ctx +with +.Fn HMAC_Init_ex , +or +.Dv NULL +if none was set. +.Pp .Fn HMAC_size returns the length in bytes of the underlying hash function output or 0 on error. @@ -276,21 +370,34 @@ or 0 on error. RFC 2104 .Sh HISTORY .Fn HMAC , +.Fn HMAC_cleanup , .Fn HMAC_Init , .Fn HMAC_Update , .Fn HMAC_Final , and -.Fn HMAC_cleanup -are available since SSLeay 0.9.0. +.Fn HMAC_size +first appeared in SSLeay 0.9.0 and have been available since +.Ox 2.4 . .Pp .Fn HMAC_CTX_init , -.Fn HMAC_Init_ex , +.Fn HMAC_CTX_cleanup , and -.Fn HMAC_CTX_cleanup -are available since OpenSSL 0.9.7. +.Fn HMAC_Init_ex +first appeared in OpenSSL 0.9.7 and have been available since +.Ox 3.2 . .Pp -.Fn HMAC_Init_ex , -.Fn HMAC_Update , +.Fn HMAC_CTX_set_flags +first appeared in OpenSSL 0.9.7f and have been available since +.Ox 3.8 . +.Pp +.Fn HMAC_CTX_copy +first appeared in OpenSSL 1.0.0 and has been available since +.Ox 4.9 . +.Pp +.Fn HMAC_CTX_new , +.Fn HMAC_CTX_reset , +.Fn HMAC_CTX_free , and -.Fn HMAC_Final -did not return values in versions of OpenSSL before 1.0.0. +.Fn HMAC_CTX_get_md +first appeared in OpenSSL 1.1.0 and have been available since +.Ox 6.3 . diff --git a/lib/libcrypto/man/MD5.3 b/lib/libcrypto/man/MD5.3 index 1f5fe37ef9..d216c84803 100644 --- a/lib/libcrypto/man/MD5.3 +++ b/lib/libcrypto/man/MD5.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: MD5.3,v 1.4 2016/11/27 16:20:15 schwarze Exp $ +.\" $OpenBSD: MD5.3,v 1.7 2018/03/22 17:11:04 schwarze Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Ulf Moeller and @@ -49,46 +49,20 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 27 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt MD5 3 .Os .Sh NAME -.Nm MD2 , .Nm MD4 , .Nm MD5 , -.Nm MD2_Init , -.Nm MD2_Update , -.Nm MD2_Final , .Nm MD4_Init , .Nm MD4_Update , .Nm MD4_Final , .Nm MD5_Init , .Nm MD5_Update , .Nm MD5_Final -.Nd MD2, MD4, and MD5 hash functions +.Nd MD4 and MD5 hash functions .Sh SYNOPSIS -.In openssl/md2.h -.Ft unsigned char * -.Fo MD2 -.Fa "const unsigned char *d" -.Fa "unsigned long n" -.Fa "unsigned char *md" -.Fc -.Ft int -.Fo MD2_Init -.Fa "MD2_CTX *c" -.Fc -.Ft int -.Fo MD2_Update -.Fa "MD2_CTX *c" -.Fa "const unsigned char *data" -.Fa "unsigned long len" -.Fc -.Ft int -.Fo MD2_Final -.Fa "unsigned char *md" -.Fa "MD2_CTX *c" -.Fc .In openssl/md4.h .Ft unsigned char * .Fo MD4 @@ -134,23 +108,20 @@ .Fa "MD5_CTX *c" .Fc .Sh DESCRIPTION -MD2, MD4, and MD5 are cryptographic hash functions with a 128-bit +MD4 and MD5 are cryptographic hash functions with a 128-bit output. .Pp -.Fn MD2 , -.Fn MD4 , +.Fn MD4 and .Fn MD5 -compute the MD2, MD4, and MD5 message digest of the +compute the MD4 and MD5 message digest of the .Fa n bytes at .Fa d and place it in .Fa md , which must have space for -.Dv MD2_DIGEST_LENGTH No == -.Dv MD4_DIGEST_LENGTH No == -.Dv MD5_DIGEST_LENGTH No == 16 +.Dv MD4_DIGEST_LENGTH No == Dv MD5_DIGEST_LENGTH No == 16 bytes of output. If .Fa md 
@@ -161,49 +132,40 @@ the digest is placed in a static array. The following functions may be used if the message is not completely stored in memory: .Pp -.Fn MD2_Init +.Fn MD5_Init initializes a -.Vt MD2_CTX +.Vt MD5_CTX structure. .Pp -.Fn MD2_Update +.Fn MD5_Update can be called repeatedly with chunks of the message to be hashed .Pq Fa len No bytes at Fa data . .Pp -.Fn MD2_Final +.Fn MD5_Final places the message digest in .Fa md , which must have space for -.Dv MD2_DIGEST_LENGTH No == 16 +.Dv MD5_DIGEST_LENGTH No == 16 bytes of output, and erases the -.Vt MD2_CTX . +.Vt MD5_CTX . .Pp .Fn MD4_Init , .Fn MD4_Update , -.Fn MD4_Final , -.Fn MD5_Init , -.Fn MD5_Update , and -.Fn MD5_Final +.Fn MD4_Final are analogous using an .Vt MD4_CTX -and -.Vt MD5_CTX structure. .Pp Applications should use the higher level functions .Xr EVP_DigestInit 3 etc. instead of calling these hash functions directly. .Sh RETURN VALUES -.Fn MD2 , -.Fn MD4 , +.Fn MD4 and .Fn MD5 return pointers to the hash value. .Pp -.Fn MD2_Init , -.Fn MD2_Update , -.Fn MD2_Final , .Fn MD4_Init , .Fn MD4_Update , .Fn MD4_Final , @@ -215,21 +177,20 @@ return 1 for success or 0 otherwise. .Sh SEE ALSO .Xr EVP_DigestInit 3 .Sh STANDARDS -RFC 1319, RFC 1320, RFC 1321 +RFC 1320, RFC 1321 .Sh HISTORY -.Fn MD2 , -.Fn MD2_Init , -.Fn MD2_Update , -.Fn MD2_Final , .Fn MD5 , .Fn MD5_Init , .Fn MD5_Update , and .Fn MD5_Final -are available in all versions of SSLeay and OpenSSL. +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . .Pp .Fn MD4 , .Fn MD4_Init , +.Fn MD4_Update , and -.Fn MD4_Update -are available in OpenSSL 0.9.6 and above. +.Fn MD4_Final +first appeared in OpenSSL 0.9.6 and have been available since +.Ox 2.9 . diff --git a/lib/libcrypto/man/Makefile b/lib/libcrypto/man/Makefile index 0e1adf13f9..1dd11c8469 100644 --- a/lib/libcrypto/man/Makefile +++ b/lib/libcrypto/man/Makefile 
@@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.124 2017/08/20 23:18:53 schwarze Exp $ +# $OpenBSD: Makefile,v 1.138 2018/03/18 13:06:36 schwarze Exp $ .include @@ -25,7 +25,9 @@ MAN= \ BIO_f_md.3 \ BIO_f_null.3 \ BIO_find_type.3 \ + BIO_get_data.3 \ BIO_get_ex_new_index.3 \ + BIO_meth_new.3 \ BIO_new.3 \ BIO_printf.3 \ BIO_push.3 \ @@ -71,6 +73,7 @@ MAN= \ DH_generate_key.3 \ DH_generate_parameters.3 \ DH_get_ex_new_index.3 \ + DH_get0_pqg.3 \ DH_new.3 \ DH_set_method.3 \ DH_size.3 \ @@ -81,6 +84,8 @@ MAN= \ DSA_generate_key.3 \ DSA_generate_parameters.3 \ DSA_get_ex_new_index.3 \ + DSA_get0_pqg.3 \ + DSA_meth_new.3 \ DSA_new.3 \ DSA_set_method.3 \ DSA_sign.3 \ @@ -113,6 +118,8 @@ MAN= \ EVP_EncodeInit.3 \ EVP_EncryptInit.3 \ EVP_OpenInit.3 \ + EVP_PKEY_asn1_new.3 \ + EVP_PKEY_asn1_get_count.3 \ EVP_PKEY_CTX_ctrl.3 \ EVP_PKEY_CTX_new.3 \ EVP_PKEY_cmp.3 \ @@ -122,6 +129,7 @@ MAN= \ EVP_PKEY_get_default_digest_nid.3 \ EVP_PKEY_keygen.3 \ EVP_PKEY_meth_get0_info.3 \ + EVP_PKEY_meth_new.3 \ EVP_PKEY_new.3 \ EVP_PKEY_print_private.3 \ EVP_PKEY_set1_RSA.3 \ @@ -148,8 +156,10 @@ MAN= \ OPENSSL_VERSION_NUMBER.3 \ OPENSSL_cleanse.3 \ OPENSSL_config.3 \ + OPENSSL_init_crypto.3 \ OPENSSL_load_builtin_modules.3 \ OPENSSL_malloc.3 \ + OPENSSL_sk_new.3 \ OpenSSL_add_all_algorithms.3 \ PEM_bytes_read_bio.3 \ PEM_read.3 \ @@ -182,6 +192,8 @@ MAN= \ RSA_check_key.3 \ RSA_generate_key.3 \ RSA_get_ex_new_index.3 \ + RSA_get0_key.3 \ + RSA_meth_new.3 \ RSA_new.3 \ RSA_padding_add_PKCS1_type_1.3 \ RSA_print.3 \ @@ -194,6 +206,7 @@ MAN= \ SHA1.3 \ SMIME_read_PKCS7.3 \ SMIME_write_PKCS7.3 \ + STACK_OF.3 \ SXNET_new.3 \ TS_REQ_new.3 \ UI_UTIL_read_pw.3 \ @@ -214,6 +227,7 @@ MAN= \ X509_NAME_get_index_by_NID.3 \ X509_NAME_new.3 \ X509_NAME_print_ex.3 \ + X509_OBJECT_get0_X509.3 \ X509_PUBKEY_new.3 \ X509_REQ_new.3 \ X509_REVOKED_new.3 \ 
@@ -223,6 +237,7 @@ MAN= \ X509_STORE_CTX_new.3 \ X509_STORE_CTX_set_verify_cb.3 \ X509_STORE_load_locations.3 \ + X509_STORE_new.3 \ X509_STORE_set_verify_cb_func.3 \ X509_STORE_set1_param.3 \ X509_VERIFY_PARAM_set_flags.3 \ @@ -236,6 +251,8 @@ MAN= \ X509_get_serialNumber.3 \ X509_get_subject_name.3 \ X509_get_version.3 \ + X509_get0_notBefore.3 \ + X509_get0_signature.3 \ X509_new.3 \ X509_sign.3 \ X509_verify_cert.3 \ diff --git a/lib/libcrypto/man/NAME_CONSTRAINTS_new.3 b/lib/libcrypto/man/NAME_CONSTRAINTS_new.3 index 5ef737cb4e..db64e14ce4 100644 --- a/lib/libcrypto/man/NAME_CONSTRAINTS_new.3 +++ b/lib/libcrypto/man/NAME_CONSTRAINTS_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: NAME_CONSTRAINTS_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: NAME_CONSTRAINTS_new.3,v 1.3 2018/03/23 00:09:11 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt NAME_CONSTRAINTS_NEW 3 .Os .Sh NAME @@ -87,3 +87,11 @@ if an error occurs. RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, section 4.2.1.10: Name Constraints +.Sh HISTORY +.Fn NAME_CONSTRAINTS_new , +.Fn NAME_CONSTRAINTS_free , +.Fn GENERAL_SUBTREE_new , +and +.Fn GENERAL_SUBTREE_free +first appeared in OpenSSL 0.9.8 and have been available since +.Ox 4.5 . diff --git a/lib/libcrypto/man/OBJ_nid2obj.3 b/lib/libcrypto/man/OBJ_nid2obj.3 index 5fa3e6fa7a..68ad643549 100644 --- a/lib/libcrypto/man/OBJ_nid2obj.3 +++ b/lib/libcrypto/man/OBJ_nid2obj.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: OBJ_nid2obj.3,v 1.5 2017/01/04 05:14:51 schwarze Exp $ +.\" $OpenBSD: OBJ_nid2obj.3,v 1.10 2018/03/21 21:18:08 schwarze Exp $ .\" OpenSSL c264592d May 14 11:28:00 2006 +0000 .\" .\" This file is a derived work. 
@@ -66,7 +66,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 4 2017 $ +.Dd $Mdocdate: March 21 2018 $ .Dt OBJ_NID2OBJ 3 .Os .Sh NAME @@ -369,6 +369,32 @@ obj = OBJ_txt2obj("1.2.3.4", 1); .Ed .Sh SEE ALSO .Xr ERR_get_error 3 +.Sh HISTORY +.Fn OBJ_nid2obj , +.Fn OBJ_nid2ln , +.Fn OBJ_nid2sn , +.Fn OBJ_obj2nid , +.Fn OBJ_ln2nid , +.Fn OBJ_sn2nid , +.Fn OBJ_txt2nid , +.Fn OBJ_cmp , +.Fn OBJ_dup , +and +.Fn OBJ_cleanup +appeared in SSLeay 0.8.1b or earlier. +.Fn OBJ_create +and +.Fn i2t_ASN1_OBJECT +first appeared in SSLeay 0.9.0. +All these functions have been available since +.Ox 2.4 . +.Pp +.Fn OBJ_txt2obj +first appeared in OpenSSL 0.9.2b. +.Fn OBJ_obj2txt +first appeared in OpenSSL 0.9.4. +Both functions have been available since +.Ox 2.6 . .Sh BUGS .Fn OBJ_obj2txt is awkward and messy to use: it doesn't follow the convention of other diff --git a/lib/libcrypto/man/OCSP_CRLID_new.3 b/lib/libcrypto/man/OCSP_CRLID_new.3 index 450b57c93e..0eebec5f92 100644 --- a/lib/libcrypto/man/OCSP_CRLID_new.3 +++ b/lib/libcrypto/man/OCSP_CRLID_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: OCSP_CRLID_new.3,v 1.3 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: OCSP_CRLID_new.3,v 1.4 2018/03/22 21:08:22 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt OCSP_CRLID_NEW 3 .Os .Sh NAME @@ -97,6 +97,13 @@ if an error occurred. .Sh STANDARDS RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol, section 4.4.2: CRL References +.Sh HISTORY +.Fn OCSP_CRLID_new , +.Fn OCSP_CRLID_free , +and +.Fn OCSP_crlID_new +first appeared in OpenSSL 0.9.7 and has been available since +.Ox 3.2 . .Sh CAVEATS The function names .Fn OCSP_CRLID_new 
diff --git a/lib/libcrypto/man/OCSP_REQUEST_new.3 b/lib/libcrypto/man/OCSP_REQUEST_new.3 index 664a750665..8f3f56b6c4 100644 --- a/lib/libcrypto/man/OCSP_REQUEST_new.3 +++ b/lib/libcrypto/man/OCSP_REQUEST_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: OCSP_REQUEST_new.3,v 1.7 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: OCSP_REQUEST_new.3,v 1.8 2018/03/22 21:08:22 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file is a derived work. @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt OCSP_REQUEST_NEW 3 .Os .Sh NAME @@ -317,3 +317,7 @@ OCSP_REQUEST_free(req); .Sh STANDARDS RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol, section 4.1: Request Syntax +.Sh HISTORY +These functions first appeared in OpenSSL 0.9.7 +and have been available since +.Ox 3.2 . diff --git a/lib/libcrypto/man/OCSP_SERVICELOC_new.3 b/lib/libcrypto/man/OCSP_SERVICELOC_new.3 index 5f42c781fd..6900493f0e 100644 --- a/lib/libcrypto/man/OCSP_SERVICELOC_new.3 +++ b/lib/libcrypto/man/OCSP_SERVICELOC_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: OCSP_SERVICELOC_new.3,v 1.5 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: OCSP_SERVICELOC_new.3,v 1.6 2018/03/22 21:08:22 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt OCSP_SERVICELOC_NEW 3 .Os .Sh NAME 
@@ -99,3 +99,10 @@ if an error occurred. .Sh STANDARDS RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol, section 4.4.6: Service Locator +.Sh HISTORY +.Fn OCSP_SERVICELOC_new , +.Fn OCSP_SERVICELOC_free , +and +.Fn OCSP_url_svcloc_new +first appeared in OpenSSL 0.9.7 and have been available since +.Ox 3.2 . diff --git a/lib/libcrypto/man/OCSP_cert_to_id.3 b/lib/libcrypto/man/OCSP_cert_to_id.3 index 77559ba469..0ccb4412df 100644 --- a/lib/libcrypto/man/OCSP_cert_to_id.3 +++ b/lib/libcrypto/man/OCSP_cert_to_id.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: OCSP_cert_to_id.3,v 1.6 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: OCSP_cert_to_id.3,v 1.7 2018/03/22 21:08:22 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file is a derived work. @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt OCSP_CERT_TO_ID 3 .Os .Sh NAME @@ -224,3 +224,7 @@ returns 1 for success or 0 for failure. .Sh STANDARDS RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol, section 4: Details of the Protocol +.Sh HISTORY +These functions first appeared in OpenSSL 0.9.7 +and have been available since +.Ox 3.2 . diff --git a/lib/libcrypto/man/OCSP_request_add1_nonce.3 b/lib/libcrypto/man/OCSP_request_add1_nonce.3 index 9b7f999c53..036c937c61 100644 --- a/lib/libcrypto/man/OCSP_request_add1_nonce.3 +++ b/lib/libcrypto/man/OCSP_request_add1_nonce.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: OCSP_request_add1_nonce.3,v 1.3 2016/12/06 14:54:55 schwarze Exp $ +.\" $OpenBSD: OCSP_request_add1_nonce.3,v 1.4 2018/03/22 21:08:22 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Dr. Stephen Henson . 
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2016 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt OCSP_REQUEST_ADD1_NONCE 3
 .Os
 .Sh NAME
@@ -157,3 +157,7 @@ only: this will happen if the responder doesn't support nonces.
 .Xr OCSP_resp_find_status 3 ,
 .Xr OCSP_response_status 3 ,
 .Xr OCSP_sendreq_new 3
+.Sh HISTORY
+These functions first appeared in OpenSSL 0.9.7
+and have been available since
+.Ox 3.2 .
diff --git a/lib/libcrypto/man/OCSP_resp_find_status.3 b/lib/libcrypto/man/OCSP_resp_find_status.3
index d06540d716..1c4da4e99e 100644
--- a/lib/libcrypto/man/OCSP_resp_find_status.3
+++ b/lib/libcrypto/man/OCSP_resp_find_status.3
@@ -1,10 +1,10 @@
-.\" $OpenBSD: OCSP_resp_find_status.3,v 1.5 2016/12/25 22:15:10 schwarze Exp $
-.\" OpenSSL c952780c Jun 21 07:03:34 2016 -0400
+.\" $OpenBSD: OCSP_resp_find_status.3,v 1.8 2018/03/23 23:18:17 schwarze Exp $
+.\" full merge up to: OpenSSL c952780c Jun 21 07:03:34 2016 -0400
 .\"
 .\" This file is a derived work.
 .\" The changes are covered by the following Copyright and license:
 .\"
-.\" Copyright (c) 2016 Ingo Schwarze
+.\" Copyright (c) 2016, 2018 Ingo Schwarze
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 25 2016 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt OCSP_RESP_FIND_STATUS 3
 .Os
 .Sh NAME
@@ -79,6 +79,7 @@
 .Nm OCSP_resp_count ,
 .Nm OCSP_resp_get0 ,
 .Nm OCSP_resp_find ,
+.Nm OCSP_SINGLERESP_get0_id ,
 .Nm OCSP_single_get0_status ,
 .Nm OCSP_check_validity
 .Nd OCSP response utility functions
@@ -121,6 +122,10 @@ .Fa "OCSP_CERTID *id" .Fa "int last" .Fc +.Ft const OCSP_CERTID * +.Fo OCSP_SINGLERESP_get0_id +.Fa "const OCSP_SINGLERESP *single" +.Fc .Ft int .Fo OCSP_single_get0_status .Fa "OCSP_SINGLERESP *single" @@ -362,6 +367,11 @@ in .Fa id was not found. .Pp +.Fn OCSP_SINGLERESP_get0_id +returns an internal pointer to the certificate ID object used by +.Fa single ; +the returned pointer should not be freed by the caller. +.Pp .Fn OCSP_single_get0_status returns the status of .Fa single @@ -376,3 +386,23 @@ or -1 if an error occurred. .Sh STANDARDS RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol, section 4.2: Response Syntax +.Sh HISTORY +.Fn OCSP_SINGLERESP_new , +.Fn OCSP_SINGLERESP_free , +.Fn OCSP_CERTSTATUS_new , +.Fn OCSP_CERTSTATUS_free , +.Fn OCSP_REVOKEDINFO_new , +.Fn OCSP_REVOKEDINFO_free , +.Fn OCSP_resp_find_status , +.Fn OCSP_resp_count , +.Fn OCSP_resp_get0 , +.Fn OCSP_resp_find , +.Fn OCSP_single_get0_status , +and +.Fn OCSP_check_validity +first appeared in OpenSSL 0.9.7 and have been available since +.Ox 3.2 . +.Pp +.Fn OCSP_SINGLERESP_get0_id +first appeared in OpenSSL 1.1.0 and has been available since +.Ox 6.3 . diff --git a/lib/libcrypto/man/OCSP_response_status.3 b/lib/libcrypto/man/OCSP_response_status.3 index 1ffa8a728e..d720500f61 100644 --- a/lib/libcrypto/man/OCSP_response_status.3 +++ b/lib/libcrypto/man/OCSP_response_status.3 @@ -1,5 +1,6 @@ -.\" $OpenBSD: OCSP_response_status.3,v 1.4 2016/12/25 22:15:10 schwarze Exp $ -.\" OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400 +.\" $OpenBSD: OCSP_response_status.3,v 1.6 2018/03/22 21:08:22 schwarze Exp $ +.\" full merge up to: OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400 +.\" selective merge up to: OpenSSL e23ac625 Jan 24 12:27:19 2018 -0500 .\" .\" This file is a derived work. .\" The changes are covered by the following Copyright and license: 
@@ -19,7 +20,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .\" The original file was written by Dr. Stephen Henson .
-.\" Copyright (c) 2014, 2016 The OpenSSL Project. All rights reserved.
+.\" Copyright (c) 2014, 2016, 2018 The OpenSSL Project. All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -65,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 25 2016 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt OCSP_RESPONSE_STATUS 3
 .Os
 .Sh NAME
@@ -81,7 +82,8 @@
 .Nm OCSP_RESPID_free ,
 .Nm OCSP_response_create ,
 .Nm OCSP_response_status ,
-.Nm OCSP_response_get1_basic
+.Nm OCSP_response_get1_basic ,
+.Nm OCSP_basic_sign
 .Nd OCSP response functions
 .Sh SYNOPSIS
 .In openssl/ocsp.h
@@ -118,6 +120,15 @@
 .Fo OCSP_response_get1_basic
 .Fa "OCSP_RESPONSE *resp"
 .Fc
+.Ft int
+.Fo OCSP_basic_sign
+.Fa "OCSP_BASICRESP *bs"
+.Fa "X509 *signer"
+.Fa "EVP_PKEY *key"
+.Fa "const EVP_MD *dgst"
+.Fa "STACK_OF(X509) *certs"
+.Fa "unsigned long flags"
+.Fc
 .Sh DESCRIPTION
 .Fn OCSP_RESPONSE_new
 allocates and initializes an empty
@@ -206,6 +217,29 @@ object contained in
 .Fa resp .
 It is only called if the status of a response is
 .Dv OCSP_RESPONSE_STATUS_SUCCESSFUL .
+.Pp
+.Fn OCSP_basic_sign
+signs the OCSP response
+.Fa bs
+using the certificate
+.Fa signer ,
+the private key
+.Fa key ,
+the digest
+.Fa dgst ,
+and the additional certificates
+.Fa certs .
+If the
+.Fa flags
+option
+.Dv OCSP_NOCERTS
+is set, then no certificates will be included in the request.
+If the
+.Fa flags
+option
+.Dv OCSP_RESPID_KEY
+is set, then the responder is identified by key ID
+rather than by name.
 .Sh RETURN VALUES
 .Fn OCSP_RESPONSE_new
 and
@@ -240,6 +274,9 @@ if an error occurred. .Pp .Fn OCSP_response_status returns a status value. +.Pp +.Fn OCSP_basic_sign +return 1 on success or 0 on failure. .Sh SEE ALSO .Xr OCSP_cert_to_id 3 , .Xr OCSP_request_add1_nonce 3 , @@ -249,3 +286,7 @@ returns a status value. .Sh STANDARDS RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol, section 4.2: Response Syntax +.Sh HISTORY +These functions first appeared in OpenSSL 0.9.7 +and have been available since +.Ox 3.2 . diff --git a/lib/libcrypto/man/OCSP_sendreq_new.3 b/lib/libcrypto/man/OCSP_sendreq_new.3 index 5900ac046b..42cb4159df 100644 --- a/lib/libcrypto/man/OCSP_sendreq_new.3 +++ b/lib/libcrypto/man/OCSP_sendreq_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: OCSP_sendreq_new.3,v 1.4 2017/07/06 15:42:04 schwarze Exp $ +.\" $OpenBSD: OCSP_sendreq_new.3,v 1.7 2018/03/23 04:34:23 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 6 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt OCSP_SENDREQ_NEW 3 .Os .Sh NAME @@ -228,6 +228,23 @@ Add a Host header for .Xr OCSP_REQUEST_new 3 , .Xr OCSP_resp_find_status 3 , .Xr OCSP_response_status 3 +.Sh HISTORY +.Fn OCSP_sendreq_bio +first appeared in OpenSSL 0.9.7 and has been available since +.Ox 3.2 . +.Pp +.Fn OCSP_sendreq_new , +.Fn OCSP_sendreq_nbio , +and +.Fn OCSP_REQ_CTX_free +first appeared in OpenSSL 0.9.8h and have been available since +.Ox 4.5 . +.Pp +.Fn OCSP_REQ_CTX_add1_header +and +.Fn OCSP_REQ_CTX_set1_req +first appeared in OpenSSL 1.0.0 and have been available since +.Ox 4.9 . .Sh CAVEATS These functions only perform a minimal HTTP query to a responder. If an application wishes to support more advanced features, it 
diff --git a/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3 b/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3
index 7c792f745a..46f8083ab3 100644
--- a/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3
+++ b/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3
@@ -1,9 +1,28 @@
-.\" $OpenBSD: OPENSSL_VERSION_NUMBER.3,v 1.3 2016/11/28 14:51:03 schwarze Exp $
-.\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
+.\" $OpenBSD: OPENSSL_VERSION_NUMBER.3,v 1.9 2018/03/23 23:18:17 schwarze Exp $
+.\" full merge up to: OpenSSL 1f13ad31 Dec 25 17:50:39 2017 +0800
 .\"
-.\" This file was written by Ulf Moeller and
-.\" Richard Levitte .
-.\" Copyright (c) 2000, 2002, 2014 The OpenSSL Project. All rights reserved.
+.\" This file is a derived work.
+.\" The changes are covered by the following Copyright and license:
+.\"
+.\" Copyright (c) 2017, 2018 Ingo Schwarze
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The original file was written by Ulf Moeller ,
+.\" Richard Levitte , and
+.\" Bodo Moeller .
+.\" Copyright (c) 2000, 2002, 2015, 2016, 2017 The OpenSSL Project.
+.\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -49,18 +68,30 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 28 2016 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt OPENSSL_VERSION_NUMBER 3
 .Os
 .Sh NAME
 .Nm OPENSSL_VERSION_NUMBER ,
+.Nm LIBRESSL_VERSION_NUMBER ,
+.Nm LIBRESSL_VERSION_TEXT ,
+.Nm OpenSSL_version_num ,
+.Nm OpenSSL_version ,
 .Nm SSLeay ,
 .Nm SSLeay_version
 .Nd get OpenSSL version number
 .Sh SYNOPSIS
 .In openssl/opensslv.h
-.Fd #define OPENSSL_VERSION_NUMBER 0xnnnnnnnnnL
+.Fd #define OPENSSL_VERSION_NUMBER 0x020000000L
+.Fd #define LIBRESSL_VERSION_NUMBER 0x02nnnn00fL
+.Fd #define LIBRESSL_VERSION_TEXT \(dqLibreSSL 2.n.n\(dq
 .In openssl/crypto.h
+.Ft unsigned long
+.Fn OpenSSL_version_num void
+.Ft const char *
+.Fo OpenSSL_version
+.Fa "int t"
+.Fc
 .Ft long
 .Fn SSLeay void
 .Ft const char *
@@ -69,22 +100,35 @@ .Fc .Sh DESCRIPTION .Dv OPENSSL_VERSION_NUMBER -is a numeric release version identifier. +and +.Dv LIBRESSL_VERSION_NUMBER +are numeric release version identifiers. The first two digits contain the major release number, the third and fourth digits the minor release number, -the fifth and sixth digits the fix release number, -the seventh and eight digits the patch release number. -The final digit is 0 for development, 1 to e for betas 1 to 14, or f +and the fifth and sixth digits the fix release number. +For OpenSSL, the seventh and eight digits contain the patch release number +and the final digit is 0 for development, 1 to e for betas 1 to 14, or f for release. +For LibreSSL, +.Dv OPENSSL_VERSION_NUMBER +is always 0x020000000, +and +.Dv LIBRESSL_VERSION_NUMBER +always ends with 00f. .Pp For example: .Bd -literal -offset indent +OPENSSL_VERSION_NUMBER: 0x000906000 == 0.9.6 dev 0x000906023 == 0.9.6b beta 3 0x00090605f == 0.9.6e release +0x020000000 == 2.0.0 for any version of LibreSSL + +LIBRESSL_VERSION_NUMBER: +0x02070000f == LibreSSL 2.7.0 .Ed .Pp -Versions prior to 0.9.3 had identifiers < 0x0930. +OpenSSL versions prior to 0.9.3 had identifiers < 0x0930. For versions between 0.9.3 and 0.9.5, the seventh digit was 1 for release and 0 otherwise, and the eighth and ninth digits were the patch release number. 
@@ -95,53 +139,138 @@ For example: 0x000905000 == 0.9.5 dev .Ed .Pp -Version 0.9.5a had an interim interpretation that is like the current +OpenSSL version 0.9.5a had an interim interpretation that is like the current one, except the patch level got the highest bit set, to keep continuity. The number was therefore 0x0090581f. .Pp -For backward compatibility, SSLEAY_VERSION_NUMBER is also defined. -.Pp -.Fn SSLeay -returns this number. -The return value can be compared to the macro to make sure that the -correct version of the library has been loaded, especially when using -DLLs on Windows systems. +.Fn OpenSSL_version_num +returns +.Dv OPENSSL_VERSION_NUMBER . .Pp -.Fn SSLeay_version +.Fn OpenSSL_version returns different strings depending on .Fa t : .Bl -tag -width Ds -.It Dv SSLEAY_VERSION -The text variant of the version number and the release date. -For example, "OpenSSL 0.9.5a 1 Apr 2000". -.It Dv SSLEAY_CFLAGS +.It Dv OPENSSL_VERSION +The text variant of the version number. +For OpenSSL, it is followed by the release date, for example +.Qq OpenSSL 0.9.5a 1 Apr 2000 . +For LibreSSL, +.Dv LIBRESSL_VERSION_TEXT +is returned. +.It Dv OPENSSL_CFLAGS The compiler flags set for the compilation process in the form -"compiler: ..." if available or "compiler: information not available" +.Qq compiler: ... +if available or +.Qq compiler: information not available +otherwise. +LibreSSL never provides compiler information. +.It Dv OPENSSL_BUILT_ON +The date of the build process in the form +.Qq built on: ... +if available or +.Qq built on: date not available otherwise. -.It Dv SSLEAY_BUILT_ON -The date of the build process in the form "built on: ..." if available -or "built on: date not available" otherwise. -.It Dv SSLEAY_PLATFORM -The "Configure" target of the library build in the form "platform: ..." -if available or "platform: information not available" otherwise. 
-.It Dv SSLEAY_DIR
-The "OPENSSLDIR" setting of the library build in the form "OPENSSLDIR:
-"..."" if available or "OPENSSLDIR: N/A" otherwise.
+LibreSSL never provides information on the build date.
+.It Dv OPENSSL_PLATFORM
+The Configure target of the library build in the form
+.Qq platform: ...
+if available or
+.Qq platform: information not available
+otherwise.
+LibreSSL never provides platform information.
+.It Dv OPENSSL_DIR
+The
+.Dv OPENSSLDIR
+setting of the library build in the form
+.Qq OPENSSLDIR: Qq ...
+if available or
+.Qq OPENSSLDIR: N/A
+otherwise.
+For LibreSSL, the default is
+.Qq OPENSSLDIR: Qq /etc/ssl .
+.It Dv OPENSSL_ENGINES_DIR
+The
+.Dv ENGINESDIR
+setting of the library build in the form
+.Qq ENGINESDIR: Qq ...
+if available or
+.Qq ENGINESDIR: N/A
+otherwise.
+LibreSSL never provides or uses an
+.Dv ENGINESDIR .
 .El
 .Pp
 For an unknown
 .Fa t ,
-the text "not available" is returned.
+the text
+.Qq not available
+is returned.
+.Pp
+For backward compatibility,
+.Dv SSLEAY_VERSION_NUMBER
+is an alias for
+.Dv OPENSSL_VERSION_NUMBER
+and
+.Fn SSLeay
+for
+.Dv OpenSSL_version_num .
+The legacy function
+.Fn SSLeay_version
+is similar to
+.Fn OpenSSL_version
+except that it takes arguments
+.Dv SSLEAY_VERSION ,
+.Dv SSLEAY_CFLAGS ,
+.Dv SSLEAY_BUILT_ON ,
+.Dv SSLEAY_PLATFORM ,
+and
+.Dv SSLEAY_DIR
+which expand to
+.Em other
+numerical values than the corresponding
+.Dv OPENSSL_*
+macros.
 .Sh RETURN VALUES
-The version number.
+.Fn OpenSSL_version_num
+and
+.Fn SSLeay
+return a constant version number.
+.Pp
+.Fn OpenSSL_version
+and
+.Fn SSLeay_version
+return pointers to static strings.
 .Sh SEE ALSO
 .Xr crypto 3
 .Sh HISTORY
-.Fn SSLeay
+.Fn SSLeay ,
+.Fn SSLeay_version ,
 and
 .Dv SSLEAY_VERSION_NUMBER
-are available in all versions of SSLeay and OpenSSL.
+appeared in SSLeay 0.8.1b or earlier and have been available since
+.Ox 2.4 .
+.Pp
 .Dv OPENSSL_VERSION_NUMBER
-is available in all versions of OpenSSL.
+first appeared in the first OpenSSL release, OpenSSL 0.9.1c,
+and has been available since
+.Ox 2.6 .
+.Pp
 .Dv SSLEAY_DIR
 was added in OpenSSL 0.9.7.
+.Pp
+.Dv LIBRESSL_VERSION_NUMBER
+first appeared in LibreSSL 2.0.0 and
+.Ox 5.6
+and got its final format in LibreSSL 2.3.2 and
+.Ox 5.9 .
+.Dv LIBRESSL_VERSION_TEXT
+first appeared in LibreSSL 2.2.2 and
+.Ox 5.8 .
+.Pp
+.Fn OpenSSL_version_num
+and
+.Fn OpenSSL_version
+first appeared in OpenSSL 1.1.0
+and have been available since LibreSSL 2.7.1 and
+.Ox 6.3 .
diff --git a/lib/libcrypto/man/OPENSSL_cleanse.3 b/lib/libcrypto/man/OPENSSL_cleanse.3
index ec84e83b3e..87da3fb96d 100644
--- a/lib/libcrypto/man/OPENSSL_cleanse.3
+++ b/lib/libcrypto/man/OPENSSL_cleanse.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OPENSSL_cleanse.3,v 1.2 2016/11/29 21:29:19 jmc Exp $
+.\" $OpenBSD: OPENSSL_cleanse.3,v 1.3 2018/03/22 18:05:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 29 2016 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt OPENSSL_CLEANSE 3
 .Os
 .Sh NAME
@@ -34,3 +34,7 @@ It is provided purely for compatibility with legacy application code.
 .Fn OPENSSL_cleanse
 has the same semantics as, and is a wrapper around,
 .Xr explicit_bzero 3 .
+.Sh HISTORY
+.Fn OPENSSL_cleanse
+first appeared in OpenSSL 0.9.6h and has been available since
+.Ox 3.4 .
diff --git a/lib/libcrypto/man/ASN1_OBJECT_new.3 b/lib/libcrypto/man/OPENSSL_config.3
similarity index 63%
copy from lib/libcrypto/man/ASN1_OBJECT_new.3
copy to lib/libcrypto/man/OPENSSL_config.3
index e7c3540b3a..3114e6c086 100644
--- a/lib/libcrypto/man/ASN1_OBJECT_new.3
+++ b/lib/libcrypto/man/OPENSSL_config.3
@@ -1,10 +1,10 @@
-.\" $OpenBSD: ASN1_OBJECT_new.3,v 1.8 2017/01/04 05:14:51 schwarze Exp $
-.\" OpenSSL 99d63d4 Mar 19 12:28:58 2016 -0400
+.\" $OpenBSD: OPENSSL_config.3,v 1.10 2018/03/22 21:08:22 schwarze Exp $
+.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
 .\" The changes are covered by the following Copyright and license:
 .\"
-.\" Copyright (c) 2017 Ingo Schwarze
+.\" Copyright (c) 2018 Ingo Schwarze
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -18,8 +18,8 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" The original file was written by Dr. Stephen Henson.
-.\" Copyright (c) 2002, 2006 The OpenSSL Project. All rights reserved.
+.\" The original file was written by Dr. Stephen Henson .
+.\" Copyright (c) 2004 The OpenSSL Project. All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -65,76 +65,77 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 4 2017 $
-.Dt ASN1_OBJECT_NEW 3
+.Dd $Mdocdate: March 22 2018 $
+.Dt OPENSSL_CONFIG 3
 .Os
 .Sh NAME
-.Nm ASN1_OBJECT_new ,
-.Nm ASN1_OBJECT_free
-.Nd ASN.1 object identifiers
+.Nm OPENSSL_config ,
+.Nm OPENSSL_no_config
+.Nd simple crypto and ssl library configuration
 .Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft ASN1_OBJECT *
-.Fo ASN1_OBJECT_new
-.Fa void
-.Fc
+.In openssl/conf.h
 .Ft void
-.Fo ASN1_OBJECT_free
-.Fa "ASN1_OBJECT *a"
+.Fo OPENSSL_config
+.Fa "const char *appname"
 .Fc
+.Ft void
+.Fn OPENSSL_no_config void
 .Sh DESCRIPTION
-.Fn ASN1_OBJECT_new
-allocates and initializes an empty
-.Vt ASN1_OBJECT
-object, representing an ASN.1 OBJECT IDENTIFIER.
-It can hold a short name, a long name, a numeric identifier (NID),
-and a sequence of integers identifying a node in the International
-Object Identifier tree as specified in ITU-T recommendation X.660.
-The new object is marked as dynamically allocated.
-.Pp
-Application programs normally use utility functions like
-.Xr OBJ_nid2obj 3
-rather than using
-.Fn ASN1_OBJECT_new
-directly.
+.Fn OPENSSL_config
+initializes the crypto library with
+.Xr OPENSSL_init_crypto 3
+and then calls
+.Xr OPENSSL_load_builtin_modules 3 ,
+.Xr ENGINE_load_builtin_engines 3 ,
+and
+.Xr CONF_modules_load_file 3
+with the standard configuration file and the given
+.Fa appname .
+If
+.Fa appname
+is
+.Dv NULL ,
+then the default name
+.Sy openssl_conf
+is used.
+Any errors are ignored.
+Further calls to
+.Fn OPENSSL_config
+have no effect.
 .Pp
-.Fn ASN1_OBJECT_free
-has the following effects:
+.Fn OPENSSL_no_config
+has no effect except that later calls to
+.Fn OPENSSL_config
+will be ignored.
 .Pp
-All data contained in
-.Fa a
-that is marked as dynamically allocated is freed,
-and the respective fields of
-.Fa a
-become empty.
-Contained data not marked as dynamically allocated remains intact.
+Calling these functions is optional.
+All required initialization of the crypto libraries happens
+automatically when needed.
 .Pp
-If the object
-.Fa a
-itself is marked as dynamically allocated, it is freed.
-Otherwise, the pointer
-.Fa a
-remains valid.
+If an application is compiled with the preprocessor symbol
+.Dv OPENSSL_LOAD_CONF
+#define'd,
+.Xr OpenSSL_add_all_algorithms 3
+automatically calls
+.Fn OPENSSL_config .
 .Pp
-If
-.Fa a
-is a
-.Dv NULL
-pointer or if neither the object itself nor any of its content
-is marked as dynamically allocated, no action occurs.
-.Sh RETURN VALUES
-If the allocation fails,
-.Fn ASN1_OBJECT_new
-returns
-.Dv NULL
-and sets an error code that can be obtained by
-.Xr ERR_get_error 3 .
-Otherwise it returns a pointer to the new object.
+Applications should free up configuration at application closedown by
+calling
+.Xr CONF_modules_free 3 .
+.Sh FILES
+.Bl -tag -width /etc/ssl/openssl.cnf -compact
+.It Pa /etc/ssl/openssl.cnf
+standard configuration file
+.El
 .Sh SEE ALSO
-.Xr d2i_ASN1_OBJECT 3 ,
-.Xr OBJ_nid2obj 3
+.Xr CONF_modules_free 3 ,
+.Xr CONF_modules_load_file 3 ,
+.Xr OPENSSL_init_crypto 3 ,
+.Xr OPENSSL_load_builtin_modules 3 ,
+.Xr openssl.cnf 5
 .Sh HISTORY
-.Fn ASN1_OBJECT_new
+.Fn OPENSSL_config
 and
-.Fn ASN1_OBJECT_free
-are available in all versions of SSLeay and OpenSSL.
+.Fn OPENSSL_no_config
+first appeared in OpenSSL 0.9.7 and have been available since
+.Ox 3.2 .
diff --git a/lib/libcrypto/man/OPENSSL_init_crypto.3 b/lib/libcrypto/man/OPENSSL_init_crypto.3
new file mode 100644
index 0000000000..3a532550ae
--- /dev/null
+++ b/lib/libcrypto/man/OPENSSL_init_crypto.3
@@ -0,0 +1,87 @@
+.\" $OpenBSD: OPENSSL_init_crypto.3,v 1.3 2018/03/23 23:18:17 schwarze Exp $
+.\" Copyright (c) 2018 Ingo Schwarze
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: March 23 2018 $
+.Dt OPENSSL_INIT_CRYPTO 3
+.Os
+.Sh NAME
+.Nm OPENSSL_init_crypto
+.Nd initialise the crypto library
+.Sh SYNOPSIS
+.In openssl/crypto.h
+.Ft int
+.Fo OPENSSL_init_crypto
+.Fa "uint64_t options"
+.Fa "const void *dummy"
+.Fc
+.Sh DESCRIPTION
+If
+.Fn OPENSSL_init_crypto
+is called before any other crypto or ssl functions, the crypto
+library is initialised by allocating various internal resources.
+.Pp
+The following
+.Fa options
+are supported:
+.Bl -tag -width Ds
+.It Dv OPENSSL_INIT_LOAD_CONFIG
+At the end of the initialization, call
+.Xr OPENSSL_config 3
+with a
+.Dv NULL
+argument, loading the default configuration file.
+.It Dv OPENSSL_INIT_NO_LOAD_CONFIG
+Ignore any later calls to
+.Xr OPENSSL_config 3 .
+.El
+.Pp
+The other
+.Fa options
+flags defined by OpenSSL are all ignored by LibreSSL.
+The
+.Fa dummy
+argument has no effect.
+.Pp
+Calling this function is almost never useful because it is internally
+called with an
+.Fa options
+argument of 0 by those functions in the crypto and ssl libraries
+that require it.
+It is safest to assume that any function may do so.
+.Pp
+If this function is called more than once, none of the calls except
+the first one have any effect.
+.Sh RETURN VALUES
+.Fn OPENSSL_init_crypto
+is intended to return 1 on success or 0 on error.
+.Sh SEE ALSO
+.Xr CONF_modules_load_file 3 ,
+.Xr OPENSSL_config 3 ,
+.Xr OPENSSL_init_ssl 3 ,
+.Xr OPENSSL_load_builtin_modules 3 ,
+.Xr openssl.cnf 5
+.Sh HISTORY
+.Fn OPENSSL_init_crypto
+first appeared in OpenSSL 1.1.0 and has been available since
+.Ox 6.3 .
+.Sh BUGS
+.Fn OPENSSL_init_crypto
+silently ignores almost all kinds of errors.
+In particular, if memory allocation fails, initialisation is likely
+to remain incomplete, the library may be in an inconsistent internal
+state, but the return value will usually indicate success anyway.
+There is no way for the application program to find out whether
+library initialisation is actually complete, nor to get back to a
+consistent state if it isn't.
diff --git a/lib/libcrypto/man/OPENSSL_load_builtin_modules.3 b/lib/libcrypto/man/OPENSSL_load_builtin_modules.3
index d853bce099..fd9e656bce 100644
--- a/lib/libcrypto/man/OPENSSL_load_builtin_modules.3
+++ b/lib/libcrypto/man/OPENSSL_load_builtin_modules.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OPENSSL_load_builtin_modules.3,v 1.4 2016/11/28 15:08:58 schwarze Exp $
+.\" $OpenBSD: OPENSSL_load_builtin_modules.3,v 1.5 2018/03/22 21:08:22 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 28 2016 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt OPENSSL_LOAD_BUILTIN_MODULES 3
 .Os
 .Sh NAME
@@ -98,4 +98,6 @@ new modules are added.
 .Sh SEE ALSO
 .Xr OPENSSL_config 3
 .Sh HISTORY
-These functions first appeared in OpenSSL 0.9.7.
+These functions first appeared in OpenSSL 0.9.7
+and have been available since
+.Ox 3.2 .
diff --git a/lib/libcrypto/man/OPENSSL_malloc.3 b/lib/libcrypto/man/OPENSSL_malloc.3 index 5b841f1aac..ae5e9c904f 100644 --- a/lib/libcrypto/man/OPENSSL_malloc.3 +++ b/lib/libcrypto/man/OPENSSL_malloc.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: OPENSSL_malloc.3,v 1.4 2016/11/29 21:29:19 jmc Exp $ +.\" $OpenBSD: OPENSSL_malloc.3,v 1.7 2018/03/23 02:20:16 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: November 29 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt OPENSSL_MALLOC 3 .Os .Sh NAME @@ -86,3 +86,23 @@ functions. .Sh RETURN VALUES These functions return the same type and value as the corresponding standard functions. +.Sh HISTORY +.Fn CRYPTO_malloc , +.Fn CRYPTO_realloc , +and +.Fn CRYPTO_free +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . +.Pp +.Fn OPENSSL_malloc , +.Fn OPENSSL_realloc , +and +.Fn OPENSSL_free +first appeared in OpenSSL 0.9.6 and have been available since +.Ox 2.9 . +.Pp +.Fn CRYPTO_strdup +and +.Fn OPENSSL_strdup +first appeared in OpenSSL 0.9.8j and have been available since +.Ox 4.5 . diff --git a/lib/libcrypto/man/OPENSSL_sk_new.3 b/lib/libcrypto/man/OPENSSL_sk_new.3 new file mode 100644 index 0000000000..e625f3398e --- /dev/null +++ b/lib/libcrypto/man/OPENSSL_sk_new.3 
@@ -0,0 +1,604 @@ +.\" $OpenBSD: OPENSSL_sk_new.3,v 1.7 2018/03/23 00:09:11 schwarze Exp $ +.\" +.\" Copyright (c) 2018 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: March 23 2018 $ +.Dt OPENSSL_SK_NEW 3 +.Os +.Sh NAME +.Nm sk_new_null , +.Nm sk_new , +.Nm sk_set_cmp_func , +.Nm sk_dup , +.Nm sk_free , +.Nm sk_pop_free , +.Nm sk_num , +.Nm sk_value , +.Nm sk_find , +.Nm sk_find_ex , +.Nm sk_sort , +.Nm sk_is_sorted , +.Nm sk_push , +.Nm sk_unshift , +.Nm sk_insert , +.Nm sk_set , +.Nm sk_pop , +.Nm sk_shift , +.Nm sk_delete , +.Nm sk_delete_ptr , +.Nm sk_zero +.Nd variable-sized arrays of void pointers, called OpenSSL stacks +.Sh SYNOPSIS +.In openssl/stack.h +.Ft _STACK * +.Fn sk_new_null void +.Ft _STACK * +.Fo sk_new +.Fa "int (*compfunc)(const void *, const void *)" +.Fc +.Ft old_function_pointer +.Fo sk_set_cmp_func +.Fa "_STACK *stack" +.Fa "int (*compfunc)(const void *, const void *)" +.Fc +.Ft _STACK * +.Fo sk_dup +.Fa "_STACK *stack" +.Fc +.Ft void +.Fo sk_free +.Fa "_STACK *stack" +.Fc +.Ft void +.Fo sk_pop_free +.Fa "_STACK *stack" +.Fa "void (*freefunc)(void *)" +.Fc +.Ft int +.Fo sk_num +.Fa "const _STACK *stack" +.Fc +.Ft void * +.Fo sk_value +.Fa "const _STACK *stack" +.Fa "int index" +.Fc +.Ft int +.Fo sk_find +.Fa 
"_STACK *stack" +.Fa "void *wanted" +.Fc +.Ft int +.Fo sk_find_ex +.Fa "_STACK *stack" +.Fa "void *wanted" +.Fc +.Ft void +.Fo sk_sort +.Fa "_STACK *stack" +.Fc +.Ft int +.Fo sk_is_sorted +.Fa "const _STACK *stack" +.Fc +.Ft int +.Fo sk_push +.Fa "_STACK *stack" +.Fa "void *new_item" +.Fc +.Ft int +.Fo sk_unshift +.Fa "_STACK *stack" +.Fa "void *new_item" +.Fc +.Ft int +.Fo sk_insert +.Fa "_STACK *stack" +.Fa "void *new_item" +.Fa "int index" +.Fc +.Ft void * +.Fo sk_set +.Fa "_STACK *stack" +.Fa "int index" +.Fa "void *new_item" +.Fc +.Ft void * +.Fo sk_pop +.Fa "_STACK *stack" +.Fc +.Ft void * +.Fo sk_shift +.Fa "_STACK *stack" +.Fc +.Ft void * +.Fo sk_delete +.Fa "_STACK *stack" +.Fa "int index" +.Fc +.Ft void * +.Fo sk_delete_ptr +.Fa "_STACK *stack" +.Fa "void *wanted" +.Fc +.Ft void +.Fo sk_zero +.Fa "_STACK *stack" +.Fc +.Sh DESCRIPTION +OpenSSL introduced an idiosyncratic concept of variable sized arrays +of pointers and somewhat misleadingly called such an array a +.Dq stack . +Intrinsically, and as documented in this manual page, OpenSSL stacks +are not type safe but only handle +.Vt void * +function arguments and return values. +.Pp +OpenSSL also provides a fragile, unusually complicated system of +macro-generates wrappers that offers superficial type safety at the +expense of extensive obfuscation, implemented using large amounts +of autogenerated code involving exceedingly ugly, nested +.Xr cpp 1 +macros; see the +.Xr STACK_OF 3 +manual page for details. +.Pp +The fundamental data type is the +.Vt _STACK +structure. +It stores a variable number of void pointers +and remembers the number of pointers currently stored. +It can optionally hold a pointer to a comparison function. +As long as no comparison function is installed, the order of pointers +is meaningful; as soon as a comparison function is installed, it +becomes ill-defined. +.Pp +.Fn sk_new_null +allocates and initializes a new, empty stack. 
+.Fn sk_new +is identical except that it also installs +.Fa compfunc +as the comparison function for the new stack object. +.Fn sk_set_cmp_func +installs +.Fa compfunc +for the existing +.Fa stack . +The +.Fa compfunc +is allowed to be +.Dv NULL , +but the +.Fa stack +is not. +.Pp +.Fn sk_dup +creates a shallow copy of the given +.Fa stack , +which must not be a +.Dv NULL +pointer. +It neither copies the objects pointed to from the stack nor +increases their reference counts, but merely copies the pointers. +Extreme care must be taken in order to avoid freeing the memory twice, +for example by calling +.Fn sk_free +on one copy and only calling +.Fn sk_pop_free +on the other. +.Pp +.Fn sk_free +frees the given +.Fa stack . +It does not free any of the pointers stored on the stack. +Unless these pointers are merely copies of pointers owned by +other objects, they must be freed before calling +.Fn sk_free , +in order to avoid leaking memory. +If +.Fa stack +is a +.Dv NULL +pointer, no action occurs. +.Pp +.Fn sk_pop_free +is severely misnamed. +It does not at all do what one would expect from a function called +.Dq pop . +Instead, it does the same as +.Fn sk_free , +except that it also calls the function +.Fa freefunc +on each of the pointers contained in the +.Fa stack . +If the calls to +.Fa freefunc +are intended to free the memory in use by the objects on the stack, +ensure that no other pointers to the same objects remain elsewhere. +.Pp +.Fn sk_find +searches the +.Fa stack +for the +.Fa wanted +pointer. +If the +.Fa stack +contains more than one copy of the +.Fa wanted +pointer, only the first match is found. +If a comparison function is installed for the stack, the stack is +first sorted with +.Fn sk_sort , +and instead of comparing pointers, two pointers are considered to match +if the comparison function returns 0. 
+.Pp +.Fn sk_find_ex +is identical to +.Fn sk_find +except that if the +.Fa stack +is not empty but no match is found, +the index of some pointer considered closest to +.Fa wanted +is returned. +.Pp +.Fn sk_sort +sorts the +.Fa stack +using +.Xr qsort 3 +and the installed comparison function. +If +.Fa stack +is a +.Dv NULL +pointer or already considered sorted, no action occurs. +This function can only be called if a comparison function is installed. +.Pp +.Fn sk_is_sorted +reports whether the +.Fa stack +is considered sorted. +Calling +.Fn sk_new_null +or +.Fn sk_new , +successfuly calling +.Fn sk_push , +.Fn sk_unshift , +or +.Fn sk_insert , +or changing the comparison function sets the state to unsorted. +If a comparison function is installed, calling +.Fn sk_sort , +.Fn sk_find , +or +.Fn sk_find_ex +sets the state to sorted. +.Pp +.Fn sk_push +pushes +.Fa new_item +onto the end of the +.Fa stack , +increasing the number of pointers by 1. +If +.Fa stack +is a +.Dv NULL +pointer, no action occurs. +.Pp +.Fn sk_unshift +inserts +.Fa new_item +at the beginning of the +.Fa stack , +such that it gets the index 0. +The number of pointers increases by 1. +If +.Fa stack +is a +.Dv NULL +pointer, no action occurs. +.Pp +.Fn sk_insert +inserts the +.Fa new_item +into the +.Fa stack +such that it gets the given +.Fa index . +If +.Fa index +is less than 0 or greater than or equal to +.Fn sk_num stack , +the effect is the same as for +.Fn sk_push . +If +.Fa stack +is a +.Dv NULL +pointer, no action occurs. +.Pp +.Fn sk_set +replaces the pointer with the given +.Fa index +on the +.Fa stack +with the +.Fa new_item . +The old pointer is not freed, +which may leak memory if no copy of it exists elsewhere. +If +.Fa stack +is a +.Dv NULL +pointer or if +.Fa index +is less than 0 or greater than or equal to +.Fn sk_num stack , +no action occurs. 
+.Pp +.Fn sk_pop +and +.Fn sk_shift +remove the pointer with the highest or lowest index from the +.Fa stack , +respectively, reducing the number of pointers by 1. +If +.Fa stack +is a +.Dv NULL +pointer or if it is empty, no action occurs. +.Pp +.Fn sk_delete +removes the pointer with the given +.Fa index +from the +.Fa stack , +reducing the number of pointers by 1. +If +.Fa stack +is a +.Dv NULL +pointer or the +.Fa index +is less than 0 or greater than or equal to +.Fn sk_num stack , +no action occurs. +.Pp +.Fn sk_delete_ptr +removes the +.Fa wanted +pointer from the +.Fa stack , +reducing the number of pointers by 1 if it is found. +It never uses a comparison function +but only compares pointers themselves. +The +.Fa stack +pointer must not be +.Dv NULL . +.Pp +.Fn sk_zero +removes all pointers from the +.Fa stack . +It does not free any of the pointers. +Unless these pointers are merely copies of pointers owned by other +objects, they must be freed before calling +.Fn sk_zero , +in order to avoid leaking memory. +If +.Fa stack +is a +.Dv NULL +pointer, no action occurs. +.Sh RETURN VALUES +.Fn sk_new_null , +.Fn sk_new , +and +.Fn sk_dup +return a pointer to the newly allocated stack object or +.Dv NULL +if insufficient memory is available. +.Pp +.Fn sk_set_cmp_func +returns a pointer to the comparison function +that was previously installed for the +.Fa stack +or +.Dv NULL +if none was installed. +.Pp +.Fn sk_num +returns the number of pointers currently stored on the +.Fa stack , +or \-1 if +.Fa stack +is a +.Dv NULL +pointer. +.Pp +.Fn sk_value +returns the pointer with the given +.Fa index +from the +.Fa stack , +or +.Dv NULL +if +.Fa stack +is a +.Dv NULL +pointer or if the +.Fa index +is less than 0 or greater than or equal to +.Fn sk_num stack . +.Pp +.Fn sk_find +returns the lowest index considered to match or \-1 if +.Fa stack +is a +.Dv NULL +pointer or if no match is found. 
+.Pp +.Fn sk_find_ex +returns some index or \-1 if +.Fa stack +is a +.Dv NULL +pointer or empty. +.Pp +.Fn sk_is_sorted +returns 1 if the +.Fa stack +is considered sorted or if it is a +.Dv NULL +pointer, or 0 otherwise. +.Pp +.Fn sk_push , +.Fn sk_unshift , +and +.Fn sk_insert +return the new number of pointers on the +.Fa stack +or 0 if +.Fa stack +is a +.Dv NULL +pointer or if memory allocation fails. +.Pp +.Fn sk_set +returns +.Fa new_item +or +.Dv NULL +if +.Fa stack +is a +.Dv NULL +pointer or if the +.Fa index +is less than 0 or greater than or equal to +.Fn sk_num stack . +.Pp +.Fn sk_pop +and +.Fn sk_shift +return the deleted pointer or +.Dv NULL +if +.Fa stack +is a +.Dv NULL +pointer or if it is empty. +.Pp +.Fn sk_delete +returns the deleted pointer or +.Dv NULL +if +.Fa stack +is a +.Dv NULL +pointer or if the +.Fa index +is less than 0 or greater than or equal to +.Fn sk_num stack . +.Pp +.Fn sk_delete_ptr +returns +.Fa wanted +or +.Dv NULL +if it is not found. +.Sh HISTORY +.Fn sk_new_null , +.Fn sk_new , +.Fn sk_set_cmp_func , +.Fn sk_dup , +.Fn sk_free , +.Fn sk_pop_free , +.Fn sk_num , +.Fn sk_value , +.Fn sk_find , +.Fn sk_push , +.Fn sk_unshift , +.Fn sk_insert , +.Fn sk_pop , +.Fn sk_shift , +.Fn sk_delete , +.Fn sk_delete_ptr , +and +.Fn sk_zero +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . +.Pp +.Fn sk_set +first appeared in OpenSSL 0.9.3. +.Fn sk_sort +first appeared in OpenSSL 0.9.4. +Both functions have been available since +.Ox 2.6 . +.Pp +.Fn sk_new_null +first appeared in OpenSSL 0.9.6 and has been available since +.Ox 2.9 . +.Pp +.Fn sk_is_sorted +first appeared in OpenSSL 0.9.7e and has been available since +.Ox 3.8 . +.Pp +.Fn sk_find_ex +first appeared in OpenSSL 0.9.8 and has been available since +.Ox 4.5 . +.Sh BUGS +.Fn sk_set +does not set the state of the +.Fa stack +to unsorted. +This can cause wrong results from subsequent +.Fn sk_find +and +.Fn sk_find_ex . 
+.Pp +Even if a comparison function is installed, empty stacks and +stacks containing a single pointer are sometimes considered +sorted and sometimes considered unsorted. +.Pp +If a comparison function is installed, the concept of +.Dq first match +in +.Fn sk_find +and +.Fn sk_find_ex +is ill-defined because +.Xr qsort 3 +is not a stable sorting function. +It is probably best to only assume that they return an arbitrary match. +.Pp +The concept of +.Dq closest +for +.Fn sk_find_ex +is even less clearly defined. +The match may sometimes be smaller and sometimes larger than +.Fa wanted , +even if both smaller and larger pointers exist in the +.Fa stack . +Besides, it is again ill-defined +which of several pointers that compare equal is selected. +It is probably best to not assume anything about the selection +for cases where there is no match. diff --git a/lib/libcrypto/man/OpenSSL_add_all_algorithms.3 b/lib/libcrypto/man/OpenSSL_add_all_algorithms.3 index 270298cb85..6cc4a2770c 100644 --- a/lib/libcrypto/man/OpenSSL_add_all_algorithms.3 +++ b/lib/libcrypto/man/OpenSSL_add_all_algorithms.3 @@ -1,5 +1,5 @@ -.\" $OpenBSD: OpenSSL_add_all_algorithms.3,v 1.4 2016/11/28 16:40:27 schwarze Exp $ -.\" OpenSSL f672aee4 Feb 9 11:52:40 2016 -0500 +.\" $OpenBSD: OpenSSL_add_all_algorithms.3,v 1.6 2018/03/22 16:06:33 schwarze Exp $ +.\" full merge up to: OpenSSL b3696a55 Sep 2 09:35:50 2017 -0400 .\" .\" This file was written by Dr. Stephen Henson . .\" Copyright (c) 2000, 2003, 2013 The OpenSSL Project. All rights reserved. @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 28 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt OPENSSL_ADD_ALL_ALGORITHMS 3 .Os .Sh NAME 
@@ -68,6 +68,11 @@ .Ft void .Fn EVP_cleanup void .Sh DESCRIPTION +These functions are deprecated. +It is never useful for any application program +to call any of them explicitly. +The library automatically calls them internally whenever needed. +.Pp OpenSSL keeps an internal table of digest algorithms and ciphers. It uses this table to look up ciphers via functions such as .Xr EVP_get_cipherbyname 3 . 
@@ -82,38 +87,33 @@ adds all digest algorithms to the table. adds all encryption algorithms to the table including password based encryption algorithms. .Pp -.Fn EVP_cleanup -removes all ciphers and digests from the table. +If any of the above functions is called more than once, +only the first call has an effect. .Pp -A typical application will call -.Fn OpenSSL_add_all_algorithms -initially and .Fn EVP_cleanup -before exiting. -.Pp -An application does not need to add algorithms to use them explicitly, -for example by -.Xr EVP_sha1 3 . -It just needs to add them if it (or any of the functions it calls) needs -to look up algorithms. -.Pp -The cipher and digest lookup functions are used in many parts of the -library. -If the table is not initialized, several functions will misbehave and -complain they cannot find algorithms. -This includes the PEM, PKCS#12, SSL and S/MIME libraries. -This is a common query in the OpenSSL mailing lists. -.Pp -Calling -.Fn OpenSSL_add_all_algorithms -links in all algorithms: as a result a statically linked executable can -be quite large. -If this is important, it is possible to just add the required ciphers and -digests. +removes all ciphers and digests from the table. .Sh SEE ALSO .Xr evp 3 , .Xr EVP_DigestInit 3 , -.Xr EVP_EncryptInit 3 +.Xr EVP_EncryptInit 3 , +.Xr OPENSSL_config 3 , +.Xr OPENSSL_init_crypto 3 +.Sh HISTORY +.Fn EVP_cleanup +and precursor functions +.Fn SSLeay_add_all_algorithms , +.Fn SSLeay_add_all_ciphers , +and +.Fn SSLeay_add_all_digests +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . +.Pp +.Fn OpenSSL_add_all_algorithms , +.Fn OpenSSL_add_all_ciphers , +and +.Fn OpenSSL_add_all_digests +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . .Sh BUGS Although the functions do not return error codes, it is possible for them to fail. diff --git a/lib/libcrypto/man/PEM_bytes_read_bio.3 b/lib/libcrypto/man/PEM_bytes_read_bio.3 index d706a8ad8e..b3cb143cf6 100644 
--- a/lib/libcrypto/man/PEM_bytes_read_bio.3
+++ b/lib/libcrypto/man/PEM_bytes_read_bio.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PEM_bytes_read_bio.3,v 1.1 2017/08/20 20:15:13 schwarze Exp $
+.\" $OpenBSD: PEM_bytes_read_bio.3,v 1.2 2018/03/22 21:08:22 schwarze Exp $
 .\" OpenSSL PEM_bytes_read_bio.pod 7671342e Feb 29 15:47:12 2016 -0600
 .\"
 .\" This file was written by Benjamin Kaduk .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 20 2017 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt PEM_BYTES_READ_BIO 3
 .Os
 .Sh NAME
@@ -110,3 +110,7 @@ returns 1 for success or 0 for failure.
 .Sh SEE ALSO
 .Xr PEM_read 3 ,
 .Xr PEM_read_bio_PrivateKey 3
+.Sh HISTORY
+.Fn PEM_bytes_read_bio
+first appeared in OpenSSL 0.9.7 and has been available since
+.Ox 3.2 .
diff --git a/lib/libcrypto/man/PEM_read.3 b/lib/libcrypto/man/PEM_read.3
index 6fe41bd7f1..f234bc6588 100644
--- a/lib/libcrypto/man/PEM_read.3
+++ b/lib/libcrypto/man/PEM_read.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PEM_read.3,v 1.3 2017/08/20 20:15:13 schwarze Exp $
+.\" $OpenBSD: PEM_read.3,v 1.4 2018/03/21 00:37:32 schwarze Exp $
 .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Viktor Dukhovni
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 20 2017 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt PEM_READ 3
 .Os
 .Sh NAME
@@ -282,3 +282,7 @@ is likely meaningless if these functions fail.
 .Xr ERR_peek_last_error 3 ,
 .Xr PEM_bytes_read_bio 3 ,
 .Xr PEM_read_bio_PrivateKey 3
+.Sh HISTORY
+These functions appeared in SSLeay 0.8.1b or earlier
+and have been available since
+.Ox 2.4 .
diff --git a/lib/libcrypto/man/PEM_read_bio_PrivateKey.3 b/lib/libcrypto/man/PEM_read_bio_PrivateKey.3
index ec8f81c47f..0dc167929c 100644
--- a/lib/libcrypto/man/PEM_read_bio_PrivateKey.3
+++ b/lib/libcrypto/man/PEM_read_bio_PrivateKey.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PEM_read_bio_PrivateKey.3,v 1.8 2017/08/20 20:15:13 schwarze Exp $
+.\" $OpenBSD: PEM_read_bio_PrivateKey.3,v 1.12 2018/03/23 00:09:11 schwarze Exp $
 .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson .
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 20 2017 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt PEM_READ_BIO_PRIVATEKEY 3
 .Os
 .Sh NAME
@@ -1216,6 +1216,108 @@ pass_cb(char *buf, int size, int rwflag, void *u)
 .Xr BIO_new 3 ,
 .Xr PEM_bytes_read_bio 3 ,
 .Xr PEM_read 3
+.Sh HISTORY
+.Fn PEM_read_bio_PrivateKey ,
+.Fn PEM_read_PrivateKey ,
+.Fn PEM_write_bio_PrivateKey ,
+.Fn PEM_write_PrivateKey ,
+.Fn PEM_read_bio_RSAPrivateKey ,
+.Fn PEM_read_RSAPrivateKey ,
+.Fn PEM_write_bio_RSAPrivateKey ,
+.Fn PEM_write_RSAPrivateKey ,
+.Fn PEM_read_bio_RSAPublicKey ,
+.Fn PEM_read_RSAPublicKey ,
+.Fn PEM_write_bio_RSAPublicKey ,
+.Fn PEM_write_RSAPublicKey ,
+.Fn PEM_read_bio_DSAPrivateKey ,
+.Fn PEM_read_DSAPrivateKey ,
+.Fn PEM_write_bio_DSAPrivateKey ,
+.Fn PEM_write_DSAPrivateKey ,
+.Fn PEM_read_bio_DSAparams ,
+.Fn PEM_read_DSAparams ,
+.Fn PEM_write_bio_DSAparams ,
+.Fn PEM_write_DSAparams ,
+.Fn PEM_read_bio_DHparams ,
+.Fn PEM_read_DHparams ,
+.Fn PEM_write_bio_DHparams ,
+.Fn PEM_write_DHparams ,
+.Fn PEM_read_bio_X509 ,
+.Fn PEM_read_X509 ,
+.Fn PEM_write_bio_X509 ,
+.Fn PEM_write_X509 ,
+.Fn PEM_read_bio_X509_REQ ,
+.Fn PEM_read_X509_REQ ,
+.Fn PEM_write_bio_X509_REQ ,
+.Fn PEM_write_X509_REQ ,
+.Fn PEM_read_bio_X509_CRL ,
+.Fn PEM_read_X509_CRL ,
+.Fn PEM_write_bio_X509_CRL ,
+.Fn PEM_write_X509_CRL ,
+.Fn PEM_read_bio_PKCS7 ,
+.Fn PEM_read_PKCS7 ,
+.Fn PEM_write_bio_PKCS7 ,
+and
+.Fn PEM_write_PKCS7
+appeared in SSLeay 0.8.1b or earlier and have been available since
+.Ox 2.4 .
+.Pp
+.Fn PEM_write_bio_PKCS8PrivateKey ,
+.Fn PEM_write_PKCS8PrivateKey ,
+.Fn PEM_read_bio_PKCS8 ,
+.Fn PEM_read_PKCS8 ,
+.Fn PEM_write_bio_PKCS8 ,
+.Fn PEM_write_PKCS8 ,
+.Fn PEM_read_bio_PKCS8_PRIV_KEY_INFO ,
+.Fn PEM_read_PKCS8_PRIV_KEY_INFO ,
+.Fn PEM_write_bio_PKCS8_PRIV_KEY_INFO ,
+.Fn PEM_write_PKCS8_PRIV_KEY_INFO ,
+.Fn PEM_read_bio_NETSCAPE_CERT_SEQUENCE ,
+.Fn PEM_read_NETSCAPE_CERT_SEQUENCE ,
+.Fn PEM_write_bio_NETSCAPE_CERT_SEQUENCE ,
+and
+.Fn PEM_write_NETSCAPE_CERT_SEQUENCE ,
+first appeared in OpenSSL 0.9.4 and have been available since
+.Ox 2.6 .
+.Pp +.Fn PEM_write_bio_PKCS8PrivateKey_nid , +.Fn PEM_write_PKCS8PrivateKey_nid , +.Fn PEM_read_bio_PUBKEY , +.Fn PEM_read_PUBKEY , +.Fn PEM_write_bio_PUBKEY , +.Fn PEM_write_PUBKEY , +.Fn PEM_read_bio_RSA_PUBKEY , +.Fn PEM_read_RSA_PUBKEY , +.Fn PEM_write_bio_RSA_PUBKEY , +.Fn PEM_write_RSA_PUBKEY , +.Fn PEM_read_bio_DSA_PUBKEY , +.Fn PEM_read_DSA_PUBKEY , +.Fn PEM_write_bio_DSA_PUBKEY , +.Fn PEM_write_DSA_PUBKEY , +.Fn PEM_write_bio_X509_REQ_NEW , +.Fn PEM_write_X509_REQ_NEW , +.Fn PEM_read_bio_X509_AUX , +.Fn PEM_read_X509_AUX , +.Fn PEM_write_bio_X509_AUX , +and +.Fn PEM_write_X509_AUX +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . +.Pp +.Fn PEM_read_bio_ECPKParameters , +.Fn PEM_read_ECPKParameters , +.Fn PEM_write_bio_ECPKParameters , +.Fn PEM_write_ECPKParameters , +.Fn PEM_read_bio_ECPrivateKey , +.Fn PEM_read_ECPrivateKey , +.Fn PEM_write_bio_ECPrivateKey , +.Fn PEM_write_ECPrivateKey , +.Fn PEM_read_bio_EC_PUBKEY , +.Fn PEM_read_EC_PUBKEY , +.Fn PEM_write_bio_EC_PUBKEY , +and +.Fn PEM_write_EC_PUBKEY +first appeared in OpenSSL 0.9.8 and have been available since +.Ox 4.5 . .Sh CAVEATS A frequent cause of problems is attempting to use the PEM routines like this: diff --git a/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3 b/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3 index e90ed5522b..30bab9f0f7 100644 --- a/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3 +++ b/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: PEM_write_bio_PKCS7_stream.3,v 1.7 2016/12/14 21:22:06 jmc Exp $ +.\" $OpenBSD: PEM_write_bio_PKCS7_stream.3,v 1.8 2018/03/23 04:34:23 schwarze Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 14 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt PEM_WRITE_BIO_PKCS7_STREAM 3 .Os .Sh NAME 
@@ -85,4 +85,5 @@ returns 1 for success or 0 for failure. .Xr SMIME_write_PKCS7 3 .Sh HISTORY .Fn PEM_write_bio_PKCS7_stream -was added to OpenSSL 1.0.0. +first appeared in OpenSSL 1.0.0 and has been available since +.Ox 4.9 . diff --git a/lib/libcrypto/man/PKCS12_SAFEBAG_new.3 b/lib/libcrypto/man/PKCS12_SAFEBAG_new.3 index 603c27bed1..d174babddb 100644 --- a/lib/libcrypto/man/PKCS12_SAFEBAG_new.3 +++ b/lib/libcrypto/man/PKCS12_SAFEBAG_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: PKCS12_SAFEBAG_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: PKCS12_SAFEBAG_new.3,v 1.3 2018/03/21 17:57:48 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt PKCS12_SAFEBAG_NEW 3 .Os .Sh NAME @@ -93,3 +93,11 @@ if an error occurs. .Sh STANDARDS RFC 7292: PKCS #12: Personal Information Exchange Syntax, section 4.2: The SafeBag Type +.Sh HISTORY +.Fn PKCS12_SAFEBAG_new , +.Fn PKCS12_SAFEBAG_free , +.Fn PKCS12_BAGS_new , +and +.Fn PKCS12_BAGS_free +first appeared in OpenSSL 0.9.3 and have been available since +.Ox 2.6 . diff --git a/lib/libcrypto/man/PKCS12_create.3 b/lib/libcrypto/man/PKCS12_create.3 index 162ff7cf68..1241655ad5 100644 --- a/lib/libcrypto/man/PKCS12_create.3 +++ b/lib/libcrypto/man/PKCS12_create.3 @@ -1,5 +1,6 @@ -.\" $OpenBSD: PKCS12_create.3,v 1.4 2016/11/28 22:41:38 schwarze Exp $ -.\" OpenSSL 05ea606a May 20 20:52:46 2016 -0400 +.\" $OpenBSD: PKCS12_create.3,v 1.6 2018/03/21 17:57:48 schwarze Exp $ +.\" full merge up to: OpenSSL 05ea606a May 20 20:52:46 2016 -0400 +.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800 .\" .\" This file was written by Dr. Stephen Henson . .\" Copyright (c) 2002, 2015 The OpenSSL Project. All rights reserved. 
@@ -48,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 28 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt PKCS12_CREATE 3 .Os .Sh NAME @@ -154,10 +155,19 @@ then this will be used for the corresponding or .Sy localKeyID in the PKCS12 structure. +.Sh RETURN VALUES +.Fn PKCS12_create +returns a valid +.Vt PKCS12 +structure or +.Dv NULL +if an error occurred. .Sh SEE ALSO .Xr d2i_PKCS12 3 .Sh HISTORY -PKCS12_create was added in OpenSSL 0.9.3. +.Fn PKCS12_create +first appeared in OpenSSL 0.9.3 and has been available since +.Ox 2.6 . .Pp Before OpenSSL 0.9.8, neither .Fa pkey diff --git a/lib/libcrypto/man/PKCS12_new.3 b/lib/libcrypto/man/PKCS12_new.3 index 0f54048724..29080b672f 100644 --- a/lib/libcrypto/man/PKCS12_new.3 +++ b/lib/libcrypto/man/PKCS12_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: PKCS12_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: PKCS12_new.3,v 1.3 2018/03/21 17:57:48 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt PKCS12_NEW 3 .Os .Sh NAME @@ -88,3 +88,11 @@ if an error occurs. .Xr X509_SIG_new 3 .Sh STANDARDS RFC 7292: PKCS #12: Personal Information Exchange Syntax +.Sh HISTORY +.Fn PKCS12_new , +.Fn PKCS12_free , +.Fn PKCS12_MAC_DATA_new , +and +.Fn PKCS12_MAC_DATA_free +first appeared in OpenSSL 0.9.3 and have been available since +.Ox 2.6 . diff --git a/lib/libcrypto/man/PKCS12_newpass.3 b/lib/libcrypto/man/PKCS12_newpass.3 index b651a575ba..48e4060c91 100644 --- a/lib/libcrypto/man/PKCS12_newpass.3 +++ b/lib/libcrypto/man/PKCS12_newpass.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: PKCS12_newpass.3,v 1.1 2016/11/28 23:02:16 schwarze Exp $ +.\" $OpenBSD: PKCS12_newpass.3,v 1.2 2018/03/22 16:06:33 schwarze Exp $ .\" OpenSSL c95a8b4e May 5 14:26:26 2016 +0100 .\" .\" This file was written by Jeffrey Walton . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 28 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt PKCS12_NEWPASS 3 .Os .Sh NAME @@ -149,6 +149,10 @@ int main(int argc, char **argv) .Sh SEE ALSO .Xr ERR_get_error 3 , .Xr PKCS12_create 3 +.Sh HISTORY +.Fn PKCS12_newpass +first appeared in OpenSSL 0.9.5 and has been available since +.Ox 2.7 . .Sh BUGS The password format is a NUL terminated ASCII string which is converted to Unicode form internally. diff --git a/lib/libcrypto/man/PKCS12_parse.3 b/lib/libcrypto/man/PKCS12_parse.3 index 1caa1a7f23..51e78d9430 100644 --- a/lib/libcrypto/man/PKCS12_parse.3 +++ b/lib/libcrypto/man/PKCS12_parse.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: PKCS12_parse.3,v 1.4 2016/11/28 22:41:38 schwarze Exp $ +.\" $OpenBSD: PKCS12_parse.3,v 1.5 2018/03/21 17:57:48 schwarze Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 28 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt PKCS12_PARSE 3 .Os .Sh NAME @@ -121,7 +121,9 @@ The error can be obtained from .Sh SEE ALSO .Xr d2i_PKCS12 3 .Sh HISTORY -PKCS12_parse was added in OpenSSL 0.9.3. +.Fn PKCS12_parse +first appeared in OpenSSL 0.9.3 and has been available since +.Ox 2.6 . .Sh BUGS Only a single private key and corresponding certificate is returned by this function. diff --git a/lib/libcrypto/man/PKCS5_PBKDF2_HMAC.3 b/lib/libcrypto/man/PKCS5_PBKDF2_HMAC.3 index 5b79d7b2f2..b6dc639682 100644 --- a/lib/libcrypto/man/PKCS5_PBKDF2_HMAC.3 
+++ b/lib/libcrypto/man/PKCS5_PBKDF2_HMAC.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS5_PBKDF2_HMAC.3,v 1.4 2016/11/28 23:27:55 schwarze Exp $
+.\" $OpenBSD: PKCS5_PBKDF2_HMAC.3,v 1.6 2018/03/23 04:34:23 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Jeffrey Walton .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 28 2016 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt PKCS5_PBKDF2_HMAC 3
 .Os
 .Sh NAME
@@ -154,3 +154,11 @@ return 1 on success or 0 on error.
 .Xr evp 3 ,
 .Xr EVP_BytesToKey 3 ,
 .Xr RAND_bytes 3
+.Sh HISTORY
+.Fn PKCS5_PBKDF2_HMAC_SHA1
+first appeared in OpenSSL 0.9.4 and has been available since
+.Ox 2.6 .
+.Pp
+.Fn PKCS5_PBKDF2_HMAC
+first appeared in OpenSSL 1.0.0 and has been available since
+.Ox 4.9 .
diff --git a/lib/libcrypto/man/PKCS7_decrypt.3 b/lib/libcrypto/man/PKCS7_decrypt.3
index 234d76357a..1a3ba7c67d 100644
--- a/lib/libcrypto/man/PKCS7_decrypt.3
+++ b/lib/libcrypto/man/PKCS7_decrypt.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_decrypt.3,v 1.6 2016/12/13 15:00:22 schwarze Exp $
+.\" $OpenBSD: PKCS7_decrypt.3,v 1.7 2018/03/22 16:06:33 schwarze Exp $
 .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 13 2016 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt PKCS7_DECRYPT 3
 .Os
 .Sh NAME
@@ -107,7 +107,8 @@ The error can be obtained from
 .Xr PKCS7_new 3
 .Sh HISTORY
 .Fn PKCS7_decrypt
-was added to OpenSSL 0.9.5.
+first appeared in OpenSSL 0.9.5 and has been available since
+.Ox 2.7 .
 .Sh BUGS
 .Fn PKCS7_decrypt
 must be passed the correct recipient key and certificate.
diff --git a/lib/libcrypto/man/PKCS7_encrypt.3 b/lib/libcrypto/man/PKCS7_encrypt.3
index 8934191af6..a8717d3104 100644
--- a/lib/libcrypto/man/PKCS7_encrypt.3 +++ b/lib/libcrypto/man/PKCS7_encrypt.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: PKCS7_encrypt.3,v 1.6 2017/01/12 16:13:51 jmc Exp $ +.\" $OpenBSD: PKCS7_encrypt.3,v 1.8 2018/03/23 23:18:17 schwarze Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 12 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt PKCS7_ENCRYPT 3 .Os .Sh NAME @@ -158,8 +158,10 @@ The error can be obtained from .Xr PKCS7_decrypt 3 , .Xr PKCS7_new 3 .Sh HISTORY -.Xr PKCS7_decrypt 3 -was added to OpenSSL 0.9.5. +.Fn PKCS7_encrypt +first appeared in OpenSSL 0.9.5 and has been available since +.Ox 2.7 . +.Pp The .Dv PKCS7_STREAM flag was first supported in OpenSSL 1.0.0. diff --git a/lib/libcrypto/man/PKCS7_new.3 b/lib/libcrypto/man/PKCS7_new.3 index 7f8cffd881..7094b08345 100644 --- a/lib/libcrypto/man/PKCS7_new.3 +++ b/lib/libcrypto/man/PKCS7_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: PKCS7_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: PKCS7_new.3,v 1.3 2018/03/21 00:54:31 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt PKCS7_NEW 3 .Os .Sh NAME @@ -253,3 +253,7 @@ frees .Xr SMIME_write_PKCS7 3 .Sh STANDARDS RFC 2315: PKCS #7: Cryptographic Message Syntax Version 1.5 +.Sh HISTORY +These functions appeared in SSLeay 0.8.1b or earlier +and have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/PKCS7_sign.3 b/lib/libcrypto/man/PKCS7_sign.3 index fc836d5d33..aea1a265c2 100644 --- a/lib/libcrypto/man/PKCS7_sign.3 +++ b/lib/libcrypto/man/PKCS7_sign.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: PKCS7_sign.3,v 1.7 2017/01/12 16:13:51 jmc Exp $ +.\" $OpenBSD: PKCS7_sign.3,v 1.8 2018/03/22 16:06:33 schwarze Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 12 2017 $ +.Dd $Mdocdate: March 22 2018 $ .Dt PKCS7_SIGN 3 .Os .Sh NAME @@ -232,7 +232,8 @@ The error can be obtained from .Xr PKCS7_verify 3 .Sh HISTORY .Fn PKCS7_sign -was added to OpenSSL 0.9.5. +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . .Pp The .Dv PKCS7_PARTIAL diff --git a/lib/libcrypto/man/PKCS7_sign_add_signer.3 b/lib/libcrypto/man/PKCS7_sign_add_signer.3 index d486321043..72c82c8ae1 100644 --- a/lib/libcrypto/man/PKCS7_sign_add_signer.3 +++ b/lib/libcrypto/man/PKCS7_sign_add_signer.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: PKCS7_sign_add_signer.3,v 1.7 2017/01/06 18:21:55 schwarze Exp $ +.\" $OpenBSD: PKCS7_sign_add_signer.3,v 1.8 2018/03/23 04:34:23 schwarze Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 6 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt PKCS7_SIGN_ADD_SIGNER 3 .Os .Sh NAME @@ -176,4 +176,5 @@ if an error occurs. .Xr PKCS7_sign 3 .Sh HISTORY .Fn PKCS7_sign_add_signer -was added to OpenSSL 1.0.0. +first appeared in OpenSSL 1.0.0 and has been available since +.Ox 4.9 . diff --git a/lib/libcrypto/man/PKCS7_verify.3 b/lib/libcrypto/man/PKCS7_verify.3 index f046a0b84b..e800c90c54 100644 --- a/lib/libcrypto/man/PKCS7_verify.3 +++ b/lib/libcrypto/man/PKCS7_verify.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: PKCS7_verify.3,v 1.5 2016/12/13 15:00:22 schwarze Exp $ +.\" $OpenBSD: PKCS7_verify.3,v 1.7 2018/03/22 16:06:33 schwarze Exp $ .\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 13 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt PKCS7_VERIFY 3 .Os .Sh NAME @@ -226,10 +226,14 @@ The error can be obtained from .Sh SEE ALSO .Xr ERR_get_error 3 , .Xr PKCS7_new 3 , -.Xr PKCS7_sign 3 +.Xr PKCS7_sign 3 , +.Xr X509_STORE_new 3 .Sh HISTORY .Fn PKCS7_verify -was added to OpenSSL 0.9.5 . +and +.Fn PKCS7_get0_signers +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . .Sh BUGS The trusted certificate store is not searched for the signer's certificate. diff --git a/lib/libcrypto/man/PKCS8_PRIV_KEY_INFO_new.3 b/lib/libcrypto/man/PKCS8_PRIV_KEY_INFO_new.3 index 8c6dba3514..030799271a 100644 --- a/lib/libcrypto/man/PKCS8_PRIV_KEY_INFO_new.3 +++ b/lib/libcrypto/man/PKCS8_PRIV_KEY_INFO_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: PKCS8_PRIV_KEY_INFO_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: PKCS8_PRIV_KEY_INFO_new.3,v 1.3 2018/03/21 17:57:48 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt PKCS8_PRIV_KEY_INFO_NEW 3 .Os .Sh NAME @@ -54,3 +54,9 @@ if an error occurs. .Xr X509_ATTRIBUTE_new 3 .Sh STANDARDS RFC 5208: PKCS#8: Private-Key Information Syntax Specification +.Sh HISTORY +.Fn PKCS8_PRIV_KEY_INFO_new +and +.Fn PKCS8_PRIV_KEY_INFO_free +first appeared in OpenSSL 0.9.3 and have been available since +.Ox 2.6 . 
diff --git a/lib/libcrypto/man/PKEY_USAGE_PERIOD_new.3 b/lib/libcrypto/man/PKEY_USAGE_PERIOD_new.3 index 888859b1e6..2c32bdae55 100644 --- a/lib/libcrypto/man/PKEY_USAGE_PERIOD_new.3 +++ b/lib/libcrypto/man/PKEY_USAGE_PERIOD_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: PKEY_USAGE_PERIOD_new.3,v 1.3 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: PKEY_USAGE_PERIOD_new.3,v 1.4 2018/03/21 16:09:51 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt PKEY_USAGE_PERIOD_NEW 3 .Os .Sh NAME @@ -65,3 +65,9 @@ in RFC 3280, which specified the certificate extension but deprecated its use, was removed. Use of this ISO standard extension is neither deprecated nor recommended for use in the Internet PKI." +.Sh HISTORY +.Fn PKEY_USAGE_PERIOD_new +and +.Fn PKEY_USAGE_PERIOD_free +first appeared in OpenSSL 0.9.2b and have been available since +.Ox 2.6 . diff --git a/lib/libcrypto/man/POLICYINFO_new.3 b/lib/libcrypto/man/POLICYINFO_new.3 index e746759a93..7dab0a5621 100644 --- a/lib/libcrypto/man/POLICYINFO_new.3 +++ b/lib/libcrypto/man/POLICYINFO_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: POLICYINFO_new.3,v 1.3 2016/12/28 20:29:15 schwarze Exp $ +.\" $OpenBSD: POLICYINFO_new.3,v 1.5 2018/03/23 00:09:11 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 28 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt POLICYINFO_NEW 3 .Os .Sh NAME 
@@ -189,6 +189,28 @@ section 4.2.1.5: Policy Mappings .It section 4.2.1.11: Policy Constraints .El +.Sh HISTORY +.Fn POLICYINFO_new , +.Fn POLICYINFO_free , +.Fn CERTIFICATEPOLICIES_new , +.Fn CERTIFICATEPOLICIES_free , +.Fn POLICYQUALINFO_new , +.Fn POLICYQUALINFO_free , +.Fn USERNOTICE_new , +.Fn USERNOTICE_free , +.Fn NOTICEREF_new , +and +.Fn NOTICEREF_free +first appeared in OpenSSL 0.9.3 and have been available since +.Ox 2.6 . +.Pp +.Fn POLICY_MAPPING_new , +.Fn POLICY_MAPPING_free , +.Fn POLICY_CONSTRAINTS_new , +and +.Fn POLICY_CONSTRAINTS_free +first appeared in OpenSSL 0.9.8 and have been available since +.Ox 4.5 . .Sh BUGS This is a lot of nested data structures, but most of them are designed to have almost no effect. diff --git a/lib/libcrypto/man/PROXY_POLICY_new.3 b/lib/libcrypto/man/PROXY_POLICY_new.3 index 387ee3fb7f..c35537164a 100644 --- a/lib/libcrypto/man/PROXY_POLICY_new.3 +++ b/lib/libcrypto/man/PROXY_POLICY_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: PROXY_POLICY_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: PROXY_POLICY_new.3,v 1.3 2018/03/22 22:07:12 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt PROXY_POLICY_NEW 3 .Os .Sh NAME @@ -89,3 +89,7 @@ if an error occurs. .Sh STANDARDS RFC 3820: Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile +.Sh HISTORY +These functions first appeared in OpenSSL 0.9.7g +and have been available since +.Ox 3.8 . diff --git a/lib/libcrypto/man/RAND_add.3 b/lib/libcrypto/man/RAND_add.3 index 10ab096508..7fd955dde6 100644 --- a/lib/libcrypto/man/RAND_add.3 +++ b/lib/libcrypto/man/RAND_add.3 
@@ -1,4 +1,5 @@ -.\" $OpenBSD: RAND_add.3,v 1.5 2016/12/15 06:52:02 jmc Exp $ +.\" $OpenBSD: RAND_add.3,v 1.9 2018/03/23 23:18:17 schwarze Exp $ +.\" content checked up to: OpenSSL c16de9d8 Aug 31 23:16:22 2017 +0200 .\" .\" Copyright (c) 2014 Miod Vallat .\" @@ -14,12 +15,13 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 15 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt RAND_ADD 3 .Os .Sh NAME .Nm RAND_add , .Nm RAND_cleanup , +.Nm RAND_poll , .Nm RAND_seed , .Nm RAND_status .Nd manipulate the PRNG state @@ -33,6 +35,8 @@ .Fc .Ft void .Fn RAND_cleanup void +.Ft int +.Fn RAND_poll void .Ft void .Fo RAND_seed .Fa "const void *buf" @@ -47,5 +51,23 @@ generator to be controlled by external sources. They are kept for ABI compatibility but are no longer functional, and should not be used in new programs. .Sh RETURN VALUES +.Fn RAND_poll +and +.Fn RAND_status +always return 1. +.Sh HISTORY +.Fn RAND_cleanup +and +.Fn RAND_seed +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . +.Pp +.Fn RAND_add +and .Fn RAND_status -always returns 1. +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . +.Pp +.Fn RAND_poll +first appeared in OpenSSL 0.9.6 and has been available since +.Ox 2.9 . diff --git a/lib/libcrypto/man/RAND_bytes.3 b/lib/libcrypto/man/RAND_bytes.3 index 7884736927..29dcc0aaa2 100644 --- a/lib/libcrypto/man/RAND_bytes.3 +++ b/lib/libcrypto/man/RAND_bytes.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: RAND_bytes.3,v 1.3 2016/11/29 00:26:23 schwarze Exp $ +.\" $OpenBSD: RAND_bytes.3,v 1.5 2018/03/22 16:06:33 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Ulf Moeller . 
@@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 29 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt RAND_BYTES 3 .Os .Sh NAME @@ -98,8 +98,11 @@ returns 1. returns 1. .Sh HISTORY .Fn RAND_bytes -is available in all versions of SSLeay and OpenSSL. -It has a return -value since OpenSSL 0.9.5. +appeared in SSLeay 0.8.1b or earlier and has been available since +.Ox 2.4 . +It has a return value since OpenSSL 0.9.5 and +.Ox 2.7 . +.Pp .Fn RAND_pseudo_bytes -was added in OpenSSL 0.9.5. +first appeared in OpenSSL 0.9.5 and has been available since +.Ox 2.7 . diff --git a/lib/libcrypto/man/RAND_load_file.3 b/lib/libcrypto/man/RAND_load_file.3 index 96724730f0..2378b79a21 100644 --- a/lib/libcrypto/man/RAND_load_file.3 +++ b/lib/libcrypto/man/RAND_load_file.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: RAND_load_file.3,v 1.4 2016/11/29 00:45:36 schwarze Exp $ +.\" $OpenBSD: RAND_load_file.3,v 1.5 2018/03/21 01:02:06 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Ulf Moeller . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 29 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt RAND_LOAD_FILE 3 .Os .Sh NAME @@ -115,4 +115,5 @@ on error. .Fn RAND_write_file , and .Fn RAND_file_name -are available in all versions of SSLeay and OpenSSL. +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/RAND_set_rand_method.3 b/lib/libcrypto/man/RAND_set_rand_method.3 index 6f99335166..d94d794daf 100644 --- a/lib/libcrypto/man/RAND_set_rand_method.3 +++ b/lib/libcrypto/man/RAND_set_rand_method.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: RAND_set_rand_method.3,v 1.3 2016/11/29 00:07:45 schwarze Exp $ +.\" $OpenBSD: RAND_set_rand_method.3,v 1.4 2018/03/21 09:03:49 schwarze Exp $ .\" .\" Copyright (c) 2014 Miod Vallat .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: November 29 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt RAND_SET_RAND_METHOD 3 .Os .Sh NAME @@ -51,4 +51,5 @@ always return .Fn RAND_get_rand_method , and .Fn RAND_SSLeay -are available in all versions of OpenSSL. +first appeared in SSLeay 0.9.1 and have been available since +.Ox 2.6 . diff --git a/lib/libcrypto/man/RC4.3 b/lib/libcrypto/man/RC4.3 index 5bd1043530..4c73a02110 100644 --- a/lib/libcrypto/man/RC4.3 +++ b/lib/libcrypto/man/RC4.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: RC4.3,v 1.4 2016/11/29 14:51:09 schwarze Exp $ +.\" $OpenBSD: RC4.3,v 1.5 2018/03/21 01:05:25 schwarze Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Ulf Moeller . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 29 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt RC4 3 .Os .Sh NAME @@ -124,6 +124,7 @@ do not return values. .Fn RC4_set_key and .Fn RC4 -are available in all versions of SSLeay and OpenSSL. +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . .Sh BUGS This cipher is broken and should no longer be used. diff --git a/lib/libcrypto/man/RIPEMD160.3 b/lib/libcrypto/man/RIPEMD160.3 index 51787b0cfa..46c84e5941 100644 --- a/lib/libcrypto/man/RIPEMD160.3 +++ b/lib/libcrypto/man/RIPEMD160.3 
@@ -1,5 +1,5 @@ -.\" $OpenBSD: RIPEMD160.3,v 1.4 2016/11/29 14:51:09 schwarze Exp $ -.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: RIPEMD160.3,v 1.6 2018/03/21 07:16:31 schwarze Exp $ +.\" full merge up to: OpenSSL bbda8ce9 Oct 31 15:43:01 2017 +0800 .\" .\" This file was written by Ulf Moeller . .\" Copyright (c) 2000, 2006, 2014 The OpenSSL Project. All rights reserved. @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 29 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt RIPEMD160 3 .Os .Sh NAME @@ -136,11 +136,16 @@ return 1 for success or 0 otherwise. .Xr EVP_DigestInit 3 , .Xr HMAC 3 .Sh STANDARDS -ISO/IEC 10118-3 (draft) (??) +.Bd -unfilled +ISO/IEC 10118-3:2004/Cor 1:2011 +Hash-functions \(em Part 3: Dedicated hash-functions +Clause 7: RIPEMD-160 +.Ed .Sh HISTORY .Fn RIPEMD160 , .Fn RIPEMD160_Init , .Fn RIPEMD160_Update , and .Fn RIPEMD160_Final -are available since SSLeay 0.9.0. +first appeared in SSLeay 0.9.0 and have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/RSA_PSS_PARAMS_new.3 b/lib/libcrypto/man/RSA_PSS_PARAMS_new.3 index 25a1c25ed3..c0a88dd2a0 100644 --- a/lib/libcrypto/man/RSA_PSS_PARAMS_new.3 +++ b/lib/libcrypto/man/RSA_PSS_PARAMS_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: RSA_PSS_PARAMS_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: RSA_PSS_PARAMS_new.3,v 1.3 2018/03/23 05:48:56 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt RSA_PSS_PARAMS_NEW 3 .Os .Sh NAME 
@@ -51,3 +51,9 @@ if an error occurs. .Xr X509_sign 3 .Sh STANDARDS RFC 8017: PKCS#1: RSA Cryptography Specifications Version 2.2 +.Sh HISTORY +.Fn RSA_PSS_PARAMS_new +and +.Fn RSA_PSS_PARAMS_free +first appeared in OpenSSL 1.0.1 and have been available since +.Ox 5.3 . diff --git a/lib/libcrypto/man/RSA_blinding_on.3 b/lib/libcrypto/man/RSA_blinding_on.3 index 456b09a751..75b5cace06 100644 --- a/lib/libcrypto/man/RSA_blinding_on.3 +++ b/lib/libcrypto/man/RSA_blinding_on.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: RSA_blinding_on.3,v 1.4 2016/12/11 12:21:48 schwarze Exp $ +.\" $OpenBSD: RSA_blinding_on.3,v 1.5 2018/03/21 07:25:59 schwarze Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Ulf Moeller . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 11 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt RSA_BLINDING_ON 3 .Os .Sh NAME @@ -93,4 +93,5 @@ returns 1 on success, and 0 if an error occurred. .Fn RSA_blinding_on and .Fn RSA_blinding_off -appeared in SSLeay 0.9.0. +first appeared in SSLeay 0.9.0 and have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/RSA_check_key.3 b/lib/libcrypto/man/RSA_check_key.3 index cfce0bbbf8..8426b6f3cc 100644 --- a/lib/libcrypto/man/RSA_check_key.3 +++ b/lib/libcrypto/man/RSA_check_key.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: RSA_check_key.3,v 1.4 2016/12/11 12:21:48 schwarze Exp $ +.\" $OpenBSD: RSA_check_key.3,v 1.6 2018/03/21 21:18:08 schwarze Exp $ .\" OpenSSL 6859cf74 Sep 25 13:33:28 2002 +0000 .\" .\" This file was written by Ulf Moeller and @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 11 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt RSA_CHECK_KEY 3 .Os .Sh NAME 
@@ -126,10 +126,12 @@ obtained using .Sh SEE ALSO .Xr BN_is_prime_ex 3 , .Xr ERR_get_error 3 , +.Xr RSA_get0_key 3 , .Xr RSA_new 3 .Sh HISTORY .Fn RSA_check_key -appeared in OpenSSL 0.9.4. +first appeared in OpenSSL 0.9.4 and has been available since +.Ox 2.6 . .Sh BUGS A method of verifying the RSA key using opaque RSA API functions might need to be considered. diff --git a/lib/libcrypto/man/RSA_generate_key.3 b/lib/libcrypto/man/RSA_generate_key.3 index 838b10e2a9..3461b86512 100644 --- a/lib/libcrypto/man/RSA_generate_key.3 +++ b/lib/libcrypto/man/RSA_generate_key.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: RSA_generate_key.3,v 1.6 2017/03/25 18:08:48 schwarze Exp $ +.\" $OpenBSD: RSA_generate_key.3,v 1.10 2018/03/23 00:09:11 schwarze Exp $ .\" OpenSSL RSA_generate_key.pod bb6c5e7f Feb 5 10:29:22 2017 -0500 .\" .\" This file was written by Ulf Moeller . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 25 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt RSA_GENERATE_KEY 3 .Os .Sh NAME @@ -143,11 +143,19 @@ The error codes can be obtained by .Sh SEE ALSO .Xr BN_generate_prime 3 , .Xr ERR_get_error 3 , +.Xr RSA_get0_key 3 , .Xr RSA_new 3 .Sh HISTORY -The +.Fn RSA_generate_key +appeared before SSLeay 0.8 and had its .Fa cb_arg -argument was added in SSLeay 0.9.0. +argument added in SSLeay 0.9.0. +It has been available since +.Ox 2.4 . +.Pp +.Fn RSA_generate_key_ex +first appeared in OpenSSL 0.9.8 and has been available since +.Ox 4.5 . .Sh BUGS .Fn BN_GENCB_call cb 2 x is used with two different meanings. diff --git a/lib/libcrypto/man/RSA_get0_key.3 b/lib/libcrypto/man/RSA_get0_key.3 new file mode 100644 index 0000000000..3e6f75a906 --- /dev/null +++ b/lib/libcrypto/man/RSA_get0_key.3 
@@ -0,0 +1,290 @@
+.\" $OpenBSD: RSA_get0_key.3,v 1.4 2018/03/23 23:18:17 schwarze Exp $
+.\" selective merge up to: OpenSSL 665d899f Aug 2 02:19:43 2017 +0800
+.\"
+.\" This file was written by Richard Levitte
+.\" Copyright (c) 2016 The OpenSSL Project. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in
+.\" the documentation and/or other materials provided with the
+.\" distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\" software must display the following acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\" endorse or promote products derived from this software without
+.\" prior written permission. For written permission, please contact
+.\" openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\" nor may "OpenSSL" appear in their names without prior written
+.\" permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\" acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: March 23 2018 $
+.Dt RSA_GET0_KEY 3
+.Os
+.Sh NAME
+.Nm RSA_get0_key ,
+.Nm RSA_set0_key ,
+.Nm RSA_get0_factors ,
+.Nm RSA_set0_factors ,
+.Nm RSA_get0_crt_params ,
+.Nm RSA_set0_crt_params ,
+.Nm RSA_clear_flags ,
+.Nm RSA_test_flags ,
+.Nm RSA_set_flags
+.Nd get and set data in an RSA object
+.Sh SYNOPSIS
+.In openssl/rsa.h
+.Ft void
+.Fo RSA_get0_key
+.Fa "const RSA *r"
+.Fa "const BIGNUM **n"
+.Fa "const BIGNUM **e"
+.Fa "const BIGNUM **d"
+.Fc
+.Ft int
+.Fo RSA_set0_key
+.Fa "RSA *r"
+.Fa "BIGNUM *n"
+.Fa "BIGNUM *e"
+.Fa "BIGNUM *d"
+.Fc
+.Ft void
+.Fo RSA_get0_factors
+.Fa "const RSA *r"
+.Fa "const BIGNUM **p"
+.Fa "const BIGNUM **q"
+.Fc
+.Ft int
+.Fo RSA_set0_factors
+.Fa "RSA *r"
+.Fa "BIGNUM *p"
+.Fa "BIGNUM *q"
+.Fc
+.Ft void
+.Fo RSA_get0_crt_params
+.Fa "const RSA *r"
+.Fa "const BIGNUM **dmp1"
+.Fa "const BIGNUM **dmq1"
+.Fa "const BIGNUM **iqmp"
+.Fc
+.Ft int
+.Fo RSA_set0_crt_params
+.Fa "RSA *r"
+.Fa "BIGNUM *dmp1"
+.Fa "BIGNUM *dmq1"
+.Fa "BIGNUM *iqmp"
+.Fc
+.Ft void
+.Fo RSA_clear_flags
+.Fa "RSA *r"
+.Fa "int flags"
+.Fc
+.Ft int
+.Fo RSA_test_flags
+.Fa "const RSA *r"
+.Fa "int flags"
+.Fc
+.Ft void
+.Fo RSA_set_flags
+.Fa "RSA *r"
+.Fa "int flags"
+.Fc
+.Sh DESCRIPTION
+An
+.Vt RSA
+object contains the components for the public and private key.
+.Fa n
+is the modulus common to both public and private key,
+.Fa e
+is the public exponent and
+.Fa d
+is the private exponent.
+.Fa p ,
+.Fa q ,
+.Fa dmp1 ,
+.Fa dmq1 ,
+and
+.Fa iqmp
+are the factors for the second representation of a private key
+(see PKCS#1 section 3 Key Types), where
+.Fa p
+and
+.Fa q
+are the first and second factor of
+.Fa n .
+.Fa dmp1 ,
+.Fa dmq1 ,
+and
+.Fa iqmp
+are the exponents and coefficient for CRT calculations.
+.Pp
+The
+.Fa n ,
+.Fa e ,
+and
+.Fa d
+parameters can be obtained by calling
+.Fn RSA_get0_key .
+If they have not been set yet, then
+.Pf * Fa n ,
+.Pf * Fa e ,
+and
+.Pf * Fa d
+are set to
+.Dv NULL .
+Otherwise, they are set to pointers to the internal representations
+of the values that should not be freed by the caller.
+.Pp
+The
+.Fa n ,
+.Fa e ,
+and
+.Fa d
+parameter values can be set by calling
+.Fn RSA_set0_key .
+The values
+.Fa n
+and
+.Fa e
+must be
+.Pf non- Dv NULL
+the first time this function is called on a given
+.Vt RSA
+object.
+The value
+.Fa d
+may be
+.Dv NULL .
+On subsequent calls, any of these values may be
+.Dv NULL ,
+which means that the corresponding field is left untouched.
+Calling this function transfers the memory management of the values to
+the RSA object.
+Therefore, the values that have been passed in
+should not be freed by the caller.
+.Pp
+In a similar fashion, the
+.Fa p
+and
+.Fa q
+parameters can be obtained and set with
+.Fn RSA_get0_factors
+and
+.Fn RSA_set0_factors ,
+and the
+.Fa dmp1 ,
+.Fa dmq1 ,
+and
+.Fa iqmp
+parameters can be obtained and set with
+.Fn RSA_get0_crt_params
+and
+.Fn RSA_set0_crt_params .
+.Pp
+For
+.Fn RSA_get0_key ,
+.Fn RSA_get0_factors ,
+and
+.Fn RSA_get0_crt_params ,
+.Dv NULL
+value
+.Vt BIGNUM **
+output arguments are permitted.
+The functions
+ignore
+.Dv NULL
+arguments but return values for other,
+.Pf non- Dv NULL ,
+arguments.
+.Pp
+Values retrieved with
+.Fn RSA_get0_key ,
+.Fn RSA_get0_factors ,
+and
+.Fn RSA_get0_crt_params
+are owned by the
+.Vt RSA
+object used in the call and may therefore
+.Em not
+be passed to
+.Fn RSA_set0_key ,
+.Fn RSA_set0_factors ,
+or
+.Fn RSA_set0_crt_params .
+If needed, duplicate the received value using
+.Xr BN_dup 3
+and pass the duplicate.
+.Pp
+.Fn RSA_clear_flags
+clears the specified
+.Fa flags
+in
+.Fa r .
+.Fn RSA_test_flags
+tests the
+.Fa flags
+in
+.Fa r .
+.Fn RSA_set_flags
+sets the
+.Fa flags
+in
+.Fa r ;
+any flags already set remain set.
+For all three functions, multiple flags can be passed in one call,
+OR'ed together bitwise.
+.Sh RETURN VALUES
+.Fn RSA_set0_key ,
+.Fn RSA_set0_factors ,
+and
+.Fn RSA_set0_crt_params
+return 1 on success or 0 on failure.
+.Pp
+.Fn RSA_test_flags
+returns those of the given
+.Fa flags
+currently set in
+.Fa r
+or 0 if none of the given
+.Fa flags
+are set.
+.Sh SEE ALSO
+.Xr RSA_check_key 3 ,
+.Xr RSA_generate_key 3 ,
+.Xr RSA_new 3 ,
+.Xr RSA_print 3 ,
+.Xr RSA_size 3
+.Sh HISTORY
+These functions first appeared in OpenSSL 1.1.0
+and have been available since
+.Ox 6.3 .
diff --git a/lib/libcrypto/man/RSA_get_ex_new_index.3 b/lib/libcrypto/man/RSA_get_ex_new_index.3
index a5331e6ab1..cf3d3f6fd7 100644
--- a/lib/libcrypto/man/RSA_get_ex_new_index.3
+++ b/lib/libcrypto/man/RSA_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RSA_get_ex_new_index.3,v 1.7 2017/08/01 14:57:03 schwarze Exp $
+.\" $OpenBSD: RSA_get_ex_new_index.3,v 1.10 2018/03/23 23:18:17 schwarze Exp $
 .\" OpenSSL 35cb565a Nov 19 15:49:30 2015 -0500
 .\"
 .\" This file was written by Ulf Moeller and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 1 2017 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt RSA_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -81,6 +81,7 @@ .Fa "RSA *r" .Fa "int idx" .Fc +.In openssl/crypto.h .Ft typedef int .Fo CRYPTO_EX_new .Fa "void *parent" @@ -265,13 +266,15 @@ On failure an error code can be obtained from .Xr DH_set_ex_data 3 , .Xr DSA_set_ex_data 3 , .Xr RSA_new 3 , -.Xr X509_STORE_CTX_set_ex_data 3 +.Xr SSL_CTX_set_ex_data 3 , +.Xr SSL_SESSION_set_ex_data 3 , +.Xr SSL_set_ex_data 3 , +.Xr X509_STORE_CTX_set_ex_data 3 , +.Xr X509_STORE_set_ex_data 3 .Sh HISTORY -.Fn RSA_get_ex_new_index , -.Fn RSA_set_ex_data , -and -.Fn RSA_get_ex_data -are available since SSLeay 0.9.0. +These functions first appeared in SSLeay 0.9.0 +and have been available since +.Ox 2.4 . .Sh BUGS .Fa dup_func is currently never called. diff --git a/lib/libcrypto/man/X509_REVOKED_new.3 b/lib/libcrypto/man/RSA_meth_new.3 similarity index 55% copy from lib/libcrypto/man/X509_REVOKED_new.3 copy to lib/libcrypto/man/RSA_meth_new.3 index f06075fcc2..ae3ca88adb 100644 --- a/lib/libcrypto/man/X509_REVOKED_new.3 +++ b/lib/libcrypto/man/RSA_meth_new.3 @@ -1,10 +1,10 @@ -.\" $OpenBSD: X509_REVOKED_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $ -.\" OpenSSL X509_CRL_get0_by_serial.pod 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: RSA_meth_new.3,v 1.1 2018/03/18 13:06:36 schwarze Exp $ +.\" selective merge up to: OpenSSL a970b14f Jul 31 18:58:40 2017 -0400 .\" .\" This file is a derived work. .\" The changes are covered by the following Copyright and license: .\" -.\" Copyright (c) 2016 Ingo Schwarze +.\" Copyright (c) 2018 Ingo Schwarze .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above 
@@ -18,8 +18,8 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" The original file was written by Dr. Stephen Henson .
-.\" Copyright (c) 2015 The OpenSSL Project. All rights reserved.
+.\" The original file was written by Richard Levitte .
+.\" Copyright (c) 2016 The OpenSSL Project. All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -65,83 +65,129 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 25 2016 $
-.Dt X509_REVOKED_NEW 3
+.Dd $Mdocdate: March 18 2018 $
+.Dt RSA_METH_NEW 3
 .Os
 .Sh NAME
-.Nm X509_REVOKED_new ,
-.Nm X509_REVOKED_free ,
-.Nm X509_REVOKED_set_serialNumber ,
-.Nm X509_REVOKED_set_revocationDate
-.Nd create and change an X.509 CRL revoked entry
+.Nm RSA_meth_new ,
+.Nm RSA_meth_free ,
+.Nm RSA_meth_dup ,
+.Nm RSA_meth_set_finish ,
+.Nm RSA_meth_set_priv_enc ,
+.Nm RSA_meth_set_priv_dec
+.Nd build up RSA methods
 .Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_REVOKED *
-.Fn X509_REVOKED_new void
+.In openssl/rsa.h
+.Ft RSA_METHOD *
+.Fo RSA_meth_new
+.Fa "const char *name"
+.Fa "int flags"
+.Fc
 .Ft void
-.Fn X509_REVOKED_free "X509_REVOKED *r"
+.Fo RSA_meth_free
+.Fa "RSA_METHOD *meth"
+.Fc
+.Ft RSA_METHOD *
+.Fo RSA_meth_dup
+.Fa "const RSA_METHOD *meth"
+.Fc
 .Ft int
-.Fo X509_REVOKED_set_serialNumber
-.Fa "X509_REVOKED *r"
-.Fa "ASN1_INTEGER *serial"
+.Fo RSA_meth_set_finish
+.Fa "RSA_METHOD *meth"
+.Fa "int (*finish)(RSA *rsa)"
 .Fc
 .Ft int
-.Fo X509_REVOKED_set_revocationDate
-.Fa "X509_REVOKED *r"
-.Fa "ASN1_TIME *tm"
+.Fo RSA_meth_set_priv_enc
+.Fa "RSA_METHOD *meth"
+.Fa "int (*priv_enc)(int flen, const unsigned char *from,\
+ unsigned char *to, RSA *rsa, int padding)"
+.Fc
+.Ft int
+.Fo RSA_meth_set_priv_dec
+.Fa "RSA_METHOD *meth"
+.Fa "int (*priv_dec)(int flen, const unsigned char *from,\
+ unsigned char *to, RSA *rsa, int padding)"
 .Fc
 .Sh DESCRIPTION
-.Fn X509_REVOKED_new
-allocates and initializes an empty
-.Vt X509_REVOKED
-object, representing one of the elements of
-the revokedCertificates field of the ASN.1
-.Vt TBSCertList
-structure defined in RFC 5280 section 5.1.
-It is used by
-.Vt X509_CRL
-objects and can hold information about one revoked certificate
-including issuer names, serial number, revocation date, and revocation
-reason.
+The +.Vt RSA_METHOD +structure holds function pointers for custom RSA implementations. +.Pp +.Fn RSA_meth_new +creates a new +.Vt RSA_METHOD +structure. +A copy of the NUL-terminated +.Fa name +is stored in the new +.Vt RSA_METHOD +object. +Any new +.Vt RSA +object constructed from this +.Vt RSA_METHOD +will have the given +.Fa flags +set by default. .Pp -.Fn X509_REVOKED_free -frees -.Fa r . +.Fn RSA_meth_dup +creates a deep copy of +.Fa meth . +This might be useful for creating a new +.Vt RSA_METHOD +based on an existing one, but with some differences. .Pp -.Fn X509_REVOKED_set_serialNumber -sets the serial number of -.Fa r -to -.Fa serial . -The supplied -.Fa serial -pointer is not used internally so it should be freed up after use. +.Fn RSA_meth_free +destroys +.Fa meth +and frees any memory associated with it. .Pp -.Fn X509_REVOKED_set_revocationDate -sets the revocation date of -.Fa r -to -.Fa tm . -The supplied -.Fa tm -pointer is not used internally so it should be freed up after use. +.Fn RSA_meth_set_finish +sets an optional function for destroying an +.Vt RSA +object. +Unless +.Fa finish +is +.Dv NULL , +it will be called from +.Xr RSA_free 3 . +It takes the same argument +and is intended to do RSA implementation specific cleanup. +The memory used by the +.Vt RSA +object itself should not be freed by the +.Fa finish +function. +.Pp +.Fn RSA_meth_set_priv_enc +and +.Fn RSA_meth_set_priv_dec +set the functions used for private key encryption and decryption. +These functions will be called from +.Xr RSA_private_decrypt 3 +and +.Xr RSA_private_encrypt 3 +and take the same parameters as those. .Sh RETURN VALUES -.Fn X509_REVOKED_new -returns the new -.Vt X509_REVOKED +.Fn RSA_meth_new +and +.Fn RSA_meth_dup +return the newly allocated +.Vt RSA_METHOD object or .Dv NULL -if an error occurs. +on failure. .Pp -.Fn X509_REVOKED_set_serialNumber -and -.Fn X509_REVOKED_set_revocationDate -return 1 for success or 0 for failure. 
+All +.Fn RSA_meth_set_* +functions return 1 on success or 0 on failure. .Sh SEE ALSO -.Xr d2i_X509_CRL 3 , -.Xr ERR_get_error 3 , -.Xr PEM_read_X509_CRL 3 , -.Xr X509_CRL_get0_by_serial 3 -.Sh STANDARDS -RFC 5280: Internet X.509 Public Key Infrastructure Certificate and -Certificate Revocation List (CRL) Profile, section 5.1: CRL Fields +.Xr RSA_new 3 , +.Xr RSA_private_decrypt 3 , +.Xr RSA_private_encrypt 3 , +.Xr RSA_set_method 3 +.Sh HISTORY +These functions first appeared in OpenSSL 1.1.0 +and have been available since +.Ox 6.3 . diff --git a/lib/libcrypto/man/RSA_new.3 b/lib/libcrypto/man/RSA_new.3 index 9e43f03f1d..58ddf5a773 100644 --- a/lib/libcrypto/man/RSA_new.3 +++ b/lib/libcrypto/man/RSA_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: RSA_new.3,v 1.4 2016/12/11 12:52:28 schwarze Exp $ +.\" $OpenBSD: RSA_new.3,v 1.7 2018/03/21 01:27:25 schwarze Exp $ .\" OpenSSL doc/man3/RSA_new.pod 99d63d46 Oct 26 13:56:48 2016 -0400 .\" OpenSSL doc/crypto/rsa.pod 35d2e327 Jun 3 16:19:49 2016 -0400 .\" @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 11 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt RSA_NEW 3 .Os .Sh NAME @@ -160,7 +160,9 @@ Otherwise it returns a pointer to the newly allocated structure. .Xr RSA_blinding_on 3 , .Xr RSA_check_key 3 , .Xr RSA_generate_key 3 , +.Xr RSA_get0_key 3 , .Xr RSA_get_ex_new_index 3 , +.Xr RSA_meth_new 3 , .Xr RSA_padding_add_PKCS1_type_1 3 , .Xr RSA_print 3 , .Xr RSA_private_encrypt 3 , @@ -177,4 +179,5 @@ RSA was covered by a US patent which expired in September 2000. .Fn RSA_new and .Fn RSA_free -are available in all versions of SSLeay and OpenSSL. +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 b/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 index 2d67440355..e7c3a2a624 100644 --- a/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 
+++ b/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: RSA_padding_add_PKCS1_type_1.3,v 1.6 2017/08/28 17:41:59 jsing Exp $ +.\" $OpenBSD: RSA_padding_add_PKCS1_type_1.3,v 1.8 2018/03/21 16:09:51 schwarze Exp $ .\" OpenSSL 1e3f62a3 Jul 17 16:47:13 2017 +0200 .\" .\" This file was written by Ulf Moeller . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 28 2017 $ +.Dd $Mdocdate: March 21 2018 $ .Dt RSA_PADDING_ADD_PKCS1_TYPE_1 3 .Os .Sh NAME @@ -219,12 +219,14 @@ Error codes can be obtained by calling .Fn RSA_padding_add_none , and .Fn RSA_padding_check_none -appeared in SSLeay 0.9.0. +first appeared in SSLeay 0.9.0 and have been available since +.Ox 2.4 . .Pp .Fn RSA_padding_add_PKCS1_OAEP and .Fn RSA_padding_check_PKCS1_OAEP -were added in OpenSSL 0.9.2b. +first appeared in OpenSSL 0.9.2b and have been available since +.Ox 2.6 . .Sh BUGS The .Fn RSA_padding_check_PKCS1_type_2 diff --git a/lib/libcrypto/man/RSA_print.3 b/lib/libcrypto/man/RSA_print.3 index de53af64dc..4368242e6b 100644 --- a/lib/libcrypto/man/RSA_print.3 +++ b/lib/libcrypto/man/RSA_print.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: RSA_print.3,v 1.5 2016/12/11 12:21:48 schwarze Exp $ +.\" $OpenBSD: RSA_print.3,v 1.7 2018/03/20 22:22:10 schwarze Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Ulf Moeller . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 11 2016 $ +.Dd $Mdocdate: March 20 2018 $ .Dt RSA_PRINT 3 .Os .Sh NAME @@ -123,6 +123,9 @@ spaces. These functions return 1 on success or 0 on error. .Sh SEE ALSO .Xr BN_bn2bin 3 , +.Xr DH_get0_pqg 3 , +.Xr DSA_get0_pqg 3 , +.Xr RSA_get0_key 3 , .Xr RSA_new 3 .Sh HISTORY .Fn RSA_print , 
@@ -132,8 +135,10 @@ These functions return 1 on success or 0 on error.
 .Fn DHparams_print ,
 and
 .Fn DHparams_print_fp
-are available in all versions of SSLeay and OpenSSL.
+appeared before SSLeay 0.8.
 .Fn DSAparams_print
 and
 .Fn DSAparams_print_fp
-were added in SSLeay 0.8.
+first appeared in SSLeay 0.8.
+All these functions have been available since
+.Ox 2.4 .
diff --git a/lib/libcrypto/man/RSA_private_encrypt.3 b/lib/libcrypto/man/RSA_private_encrypt.3
index 385c11694e..34c0535ddc 100644
--- a/lib/libcrypto/man/RSA_private_encrypt.3
+++ b/lib/libcrypto/man/RSA_private_encrypt.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RSA_private_encrypt.3,v 1.6 2017/03/25 18:14:17 schwarze Exp $
+.\" $OpenBSD: RSA_private_encrypt.3,v 1.8 2018/03/21 01:27:25 schwarze Exp $
 .\" OpenSSL RSA_private_encrypt.pod b41f6b64 Mar 10 15:49:04 2017 +0000
 .\"
 .\" This file was written by Ulf Moeller .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 25 2017 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt RSA_PRIVATE_ENCRYPT 3
 .Os
 .Sh NAME
@@ -136,10 +136,17 @@ On error, -1 is returned; the error codes can be obtained by
 .Xr ERR_get_error 3 .
 .Sh SEE ALSO
 .Xr ERR_get_error 3 ,
+.Xr RSA_meth_set_priv_enc 3 ,
 .Xr RSA_new 3 ,
 .Xr RSA_sign 3 ,
 .Xr RSA_verify 3
 .Sh HISTORY
+.Fn RSA_private_encrypt
+and
+.Fn RSA_public_decrypt
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
+.Pp
 The
 .Fa padding
 argument was added in SSLeay 0.8.
diff --git a/lib/libcrypto/man/RSA_public_encrypt.3 b/lib/libcrypto/man/RSA_public_encrypt.3
index be90fb12d8..de62d816b2 100644
--- a/lib/libcrypto/man/RSA_public_encrypt.3
+++ b/lib/libcrypto/man/RSA_public_encrypt.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RSA_public_encrypt.3,v 1.8 2017/08/28 17:41:59 jsing Exp $
+.\" $OpenBSD: RSA_public_encrypt.3,v 1.10 2018/03/21 01:27:25 schwarze Exp $
 .\" OpenSSL RSA_public_encrypt.pod 1e3f62a3 Jul 17 16:47:13 2017 +0200
 .\"
 .\" This file was written by Ulf Moeller .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 28 2017 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt RSA_PUBLIC_ENCRYPT 3
 .Os
 .Sh NAME
@@ -143,11 +143,18 @@ On error, -1 is returned; the error codes can be obtained by
 .Xr ERR_get_error 3 .
 .Sh SEE ALSO
 .Xr ERR_get_error 3 ,
+.Xr RSA_meth_set_priv_dec 3 ,
 .Xr RSA_new 3 ,
 .Xr RSA_size 3
 .Sh STANDARDS
 SSL, PKCS #1 v2.0
 .Sh HISTORY
+.Fn RSA_public_encrypt
+and
+.Fn RSA_private_decrypt
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
+.Pp
 The
 .Fa padding
 argument was added in SSLeay 0.8.
diff --git a/lib/libcrypto/man/RSA_set_method.3 b/lib/libcrypto/man/RSA_set_method.3
index f9ec19f97b..e54e7b5d7e 100644
--- a/lib/libcrypto/man/RSA_set_method.3
+++ b/lib/libcrypto/man/RSA_set_method.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RSA_set_method.3,v 1.5 2016/12/11 12:21:48 schwarze Exp $
+.\" $OpenBSD: RSA_set_method.3,v 1.10 2018/03/22 16:06:33 schwarze Exp $
 .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 11 2016 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt RSA_SET_METHOD 3
 .Os
 .Sh NAME
@@ -61,9 +61,7 @@
 .Nm RSA_PKCS1_SSLeay ,
 .Nm RSA_null_method ,
 .Nm RSA_flags ,
-.Nm RSA_new_method ,
-.Nm RSA_get_default_openssl_method ,
-.Nm RSA_set_default_openssl_method
+.Nm RSA_new_method
 .Nd select RSA method
 .Sh SYNOPSIS
 .In openssl/rsa.h
@@ -300,12 +298,20 @@ and sets an error code that can be obtained by if the allocation fails. Otherwise it returns a pointer to the newly allocated structure. .Sh SEE ALSO +.Xr RSA_meth_new 3 , .Xr RSA_new 3 .Sh HISTORY +.Fn RSA_PKCS1_SSLeay +appeared before SSLeay 0.8. .Fn RSA_new_method and .Fn RSA_set_default_method -appeared in SSLeay 0.8. +first appeared in SSLeay 0.8. +.Fn RSA_flags +first appeared in SSLeay 0.9.0. +These functions have been available since +.Ox 2.4 . +.Pp .Fn RSA_get_default_method , .Fn RSA_set_method , and @@ -316,34 +322,12 @@ and .Fa rsa_verify components of .Vt RSA_METHOD -were added in OpenSSL 0.9.4. +first appeared in OpenSSL 0.9.4 and have been available since +.Ox 2.6 . .Pp -.Fn RSA_set_default_openssl_method -and -.Fn RSA_get_default_openssl_method -replaced -.Fn RSA_set_default_method -and -.Fn RSA_get_default_method -respectively, and -.Fn RSA_set_method -and -.Fn RSA_new_method -were altered to use -.Vt ENGINE Ns s -rather than -.Vt RSA_METHOD Ns s -during development of the -.Xr engine 3 -version of OpenSSL 0.9.6. -For 0.9.7, the handling of defaults in the -.Xr engine 3 -API was restructured so that this change was reversed, and behaviour -of the other functions resembled more closely the previous behaviour. -The behaviour of defaults in the -.Xr engine 3 -API now transparently overrides the behaviour of defaults in the -RSA API without requiring changing these function prototypes. +.Fn RSA_null_method +first appeared in OpenSSL 0.9.5 and has been available since +.Ox 2.7 . .Sh CAVEATS As of version 0.9.7, .Vt RSA_METHOD diff --git a/lib/libcrypto/man/RSA_sign.3 b/lib/libcrypto/man/RSA_sign.3 index c523f2750a..5c874cb39a 100644 --- a/lib/libcrypto/man/RSA_sign.3 +++ b/lib/libcrypto/man/RSA_sign.3 
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RSA_sign.3,v 1.4 2016/12/11 12:21:48 schwarze Exp $
+.\" $OpenBSD: RSA_sign.3,v 1.5 2018/03/21 01:27:25 schwarze Exp $
 .\" OpenSSL aa90ca11 Aug 20 15:48:56 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller .
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 11 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt RSA_SIGN 3
 .Os
 .Sh NAME
@@ -142,4 +142,5 @@ SSL, PKCS #1 v2.0
 .Fn RSA_sign
 and
 .Fn RSA_verify
-are available in all versions of SSLeay and OpenSSL.
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
diff --git a/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3 b/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3
index 22dfe96c8b..b9cff10994 100644
--- a/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3
+++ b/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RSA_sign_ASN1_OCTET_STRING.3,v 1.4 2016/12/11 12:21:48 schwarze Exp $
+.\" $OpenBSD: RSA_sign_ASN1_OCTET_STRING.3,v 1.5 2018/03/21 01:27:25 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 11 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt RSA_SIGN_ASN1_OCTET_STRING 3
 .Os
 .Sh NAME
@@ -126,6 +126,7 @@ The error codes can be obtained by
 .Fn RSA_sign_ASN1_OCTET_STRING
 and
 .Fn RSA_verify_ASN1_OCTET_STRING
-were added in SSLeay 0.8.
+first appeared in SSLeay 0.8 and have been available since
+.Ox 2.4 .
 .Sh BUGS
 These functions serve no recognizable purpose.
diff --git a/lib/libcrypto/man/RSA_size.3 b/lib/libcrypto/man/RSA_size.3
index fdd105158c..f99979bb76 100644
--- a/lib/libcrypto/man/RSA_size.3
+++ b/lib/libcrypto/man/RSA_size.3
@@ -1,7 +1,8 @@
-.\" $OpenBSD: RSA_size.3,v 1.4 2016/12/11 12:21:48 schwarze Exp $
-.\" OpenSSL 5bf73873 Aug 5 16:27:01 2002 +0000
+.\" $OpenBSD: RSA_size.3,v 1.8 2018/03/23 23:18:17 schwarze Exp $
+.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
-.\" This file was written by Ulf Moeller .
+.\" This file was written by Ulf Moeller and
+.\" Kurt Roeckx .
 .\" Copyright (c) 2000, 2002, 2015 The OpenSSL Project. All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -48,22 +49,31 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 11 2016 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt RSA_SIZE 3
 .Os
 .Sh NAME
-.Nm RSA_size
-.Nd get RSA modulus size
+.Nm RSA_size ,
+.Nm RSA_bits
+.Nd get the RSA modulus size
 .Sh SYNOPSIS
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_size
 .Fa "const RSA *rsa"
 .Fc
+.Ft int
+.Fo RSA_bits
+.Fa "const RSA *rsa"
+.Fc
 .Sh DESCRIPTION
-This function returns the RSA modulus size in bytes.
-It can be used to determine how much memory must be allocated for an RSA
-encrypted value.
+.Fn RSA_size
+returns the RSA modulus size in bytes.
+It can be used to determine how much memory must be allocated for
+an RSA encrypted value.
+.Pp
+.Fn RSA_bits
+returns the number of significant bits.
 .Pp
 .Fa rsa
 and
@@ -71,9 +81,16 @@ and
 must not be
 .Dv NULL .
 .Sh RETURN VALUES
-The size in bytes.
+The size.
 .Sh SEE ALSO
+.Xr BN_num_bits 3 ,
+.Xr RSA_get0_key 3 ,
 .Xr RSA_new 3
 .Sh HISTORY
 .Fn RSA_size
-is available in all versions of SSLeay and OpenSSL.
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
+.Pp
+.Fn RSA_bits
+first appeared in OpenSSL 1.1.0 and has been available since
+.Ox 6.3 .
diff --git a/lib/libcrypto/man/SHA1.3 b/lib/libcrypto/man/SHA1.3
index 48676aa89f..74fc3380e7 100644
--- a/lib/libcrypto/man/SHA1.3
+++ b/lib/libcrypto/man/SHA1.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SHA1.3,v 1.4 2016/12/02 19:28:41 jmc Exp $
+.\" $OpenBSD: SHA1.3,v 1.6 2018/03/23 00:09:11 schwarze Exp $
 .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 2 2016 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt SHA1 3
 .Os
 .Sh NAME
@@ -268,4 +268,9 @@ PUB 180-1 (Secure Hash Standard), ANSI X9.30
 .Fn SHA1_Update ,
 and
 .Fn SHA1_Final
-are available in all versions of SSLeay and OpenSSL.
+appeared in SSLeay 0.8.1b or earlier and have been available since
+.Ox 2.4 .
+.Pp
+The other functions first appeared in OpenSSL 0.9.8
+and have been available since
+.Ox 4.5 .
diff --git a/lib/libcrypto/man/SMIME_read_PKCS7.3 b/lib/libcrypto/man/SMIME_read_PKCS7.3
index a7cfc8733e..417d97bef3 100644
--- a/lib/libcrypto/man/SMIME_read_PKCS7.3
+++ b/lib/libcrypto/man/SMIME_read_PKCS7.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SMIME_read_PKCS7.3,v 1.5 2017/01/06 02:37:05 schwarze Exp $
+.\" $OpenBSD: SMIME_read_PKCS7.3,v 1.6 2018/03/22 16:06:33 schwarze Exp $
 .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 6 2017 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt SMIME_READ_PKCS7 3
 .Os
 .Sh NAME
@@ -129,7 +129,8 @@ The error can be obtained from
 .Xr SMIME_write_PKCS7 3
 .Sh HISTORY
 .Fn SMIME_read_PKCS7
-was added to OpenSSL 0.9.5.
+first appeared in OpenSSL 0.9.5 and has been available since
+.Ox 2.7 .
 .Sh BUGS
 The MIME parser used by
 .Fn SMIME_read_PKCS7
diff --git a/lib/libcrypto/man/SMIME_write_PKCS7.3 b/lib/libcrypto/man/SMIME_write_PKCS7.3
index a6cff4e76e..a0a15763a1 100644
--- a/lib/libcrypto/man/SMIME_write_PKCS7.3
+++ b/lib/libcrypto/man/SMIME_write_PKCS7.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SMIME_write_PKCS7.3,v 1.4 2016/12/13 15:00:22 schwarze Exp $
+.\" $OpenBSD: SMIME_write_PKCS7.3,v 1.5 2018/03/22 16:06:33 schwarze Exp $
 .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson .
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 13 2016 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt SMIME_WRITE_PKCS7 3
 .Os
 .Sh NAME
@@ -137,7 +137,8 @@ returns 1 for success or 0 for failure.
 .Xr SMIME_read_PKCS7 3
 .Sh HISTORY
 .Fn SMIME_write_PKCS7
-was added to OpenSSL 0.9.5.
+first appeared in OpenSSL 0.9.5 and has been available since
+.Ox 2.7 .
 .Sh BUGS
 .Fn SMIME_write_PKCS7
 always base64 encodes PKCS#7 structures.
diff --git a/lib/libcrypto/man/STACK_OF.3 b/lib/libcrypto/man/STACK_OF.3
new file mode 100644
index 0000000000..4cea8248ed
--- /dev/null
+++ b/lib/libcrypto/man/STACK_OF.3
@@ -0,0 +1,188 @@
+.\" $OpenBSD: STACK_OF.3,v 1.2 2018/03/21 17:57:48 schwarze Exp $
+.\"
+.\" Copyright (c) 2018 Ingo Schwarze
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: March 21 2018 $
+.Dt STACK_OF 3
+.Os
+.Sh NAME
+.Nm STACK_OF
+.Nd variable-sized arrays of pointers, called OpenSSL stacks
+.Sh SYNOPSIS
+.In openssl/safestack.h
+.Fn STACK_OF type
+.Sh DESCRIPTION
+The
+.In openssl/safestack.h
+header provides a fragile, unusually complicated system of
+macro-generated wrappers around the functions described in the
+.Xr OPENSSL_sk_new 3
+manual page.
+It is intended to implement superficially type-safe variable-sized
+arrays of pointers, somewhat misleadingly called
+.Dq stacks
+by OpenSSL.
+Due to the excessive number of API functions, it is impossible to
+properly document this system.
+In particular, calling
+.Xr man 1
+for any of the functions operating on stacks cannot yield any result.
+.Pp
+Unfortunately, application programs can hardly avoid using the concept
+because several important OpenSSL APIs rely on it; see the
+.Sx SEE ALSO
+section for examples.
+Even though both pages are more complicated than any manual page
+ought to be, using the concept safely requires a complete understanding
+of all the details in both this manual page and in
+.Xr OPENSSL_sk_new 3 .
+.Pp
+The
+.Fn STACK_OF
+macro takes a
+.Fa type
+name as its argument, typically the name of a type
+that has been defined as an alias for a specific
+.Vt struct
+type using a
+.Sy typedef
+declaration.
+It expands to an incomplete
+.Vt struct
+type which is intended to represent a
+.Dq stack
+of objects of the given
+.Fa type .
+That type does not actually exist, so it is not possible to define,
+for example, an automatic variable
+.Ql STACK_OF(X509) my_certificates ;
+it is only possible to define pointers to stacks, for example
+.Ql STACK_OF(X509) *my_certificates .
+The only way such pointers can ever be used is by wrapper functions
+casting them to the type
+.Vt _STACK *
+described in
+.Xr OPENSSL_sk_new 3 .
+.Pp
+For a considerable number of types, OpenSSL provides one wrapper
+function for each function described in
+.Xr OPENSSL_sk_new 3 .
+The names of these wrapper functions are usually constructed by
+inserting the name of the type and an underscore after the
+.Sq sk_
+prefix of the function name.
+Usually, where the real functions take
+.Vt void *
+arguments, the wrappers take pointers to the
+.Fa type
+in questions, and where the real functions take
+.Vt _STACK *
+arguments, the wrappers take pointers to
+.Fn STACK_OF type .
+The same applies to return values.
+Various exceptions to all this exist, but the above applies to
+all the types listed below.
+.Pp
+Using the above may make sense for the following types because
+public API functions exist that take stacks of these types as
+arguments or return them:
+.Vt ACCESS_DESCRIPTION ,
+.Vt ASN1_INTEGER ,
+.Vt ASN1_OBJECT ,
+.Vt ASN1_TYPE ,
+.Vt ASN1_UTF8STRING ,
+.Vt CONF_VALUE ,
+.Vt DIST_POINT ,
+.Vt GENERAL_NAME ,
+.Vt GENERAL_SUBTREE ,
+.Vt PKCS12_SAFEBAG ,
+.Vt PKCS7 ,
+.Vt PKCS7_RECIP_INFO ,
+.Vt PKCS7_SIGNER_INFO ,
+.Vt POLICY_MAPPING ,
+.Vt POLICYINFO ,
+.Vt POLICYQUALINFO ,
+.Vt X509 ,
+.Vt X509_ALGOR ,
+.Vt X509_ATTRIBUTE ,
+.Vt X509_CRL ,
+.Vt X509_EXTENSION ,
+.Vt X509_INFO ,
+.Vt X509_OBJECT ,
+.Vt X509_POLICY_NODE ,
+.Vt X509_PURPOSE ,
+.Vt X509_REVOKED .
+.Pp
+Even though the OpenSSL headers declare wrapper functions for many
+more types and even though the OpenSSL documentation says that users
+can declare their own stack types, using
+.Fn STACK_OF
+with any type not listed here is strongly discouraged.
+For other types, there may be subtle, undocumented differences
+in syntax and semantics, and attempting to declare custom stack
+types is very error prone; using plain C arrays of pointers to
+the desired type is much simpler and less dangerous.
+.Sh EXAMPLES
+The following program creates a certificate object, puts two
+pointers to it on a stack, and uses
+.Xr X509_free 3
+to clean up properly:
+.Bd -literal
+#include
+#include
+#include
+
+int
+main(void)
+{
+ STACK_OF(X509) *stack;
+ X509 *x;
+
+ if ((stack = sk_X509_new_null()) == NULL)
+ err(1, NULL);
+ if ((x = X509_new()) == NULL)
+ err(1, NULL);
+ if (sk_X509_push(stack, x) == 0)
+ err(1, NULL);
+ if (X509_up_ref(x) == 0)
+ errx(1, "X509_up_ref failed");
+ if (sk_X509_push(stack, x) == 0)
+ err(1, NULL);
+ printf("%d pointers: %p, %p\en", sk_X509_num(stack),
+ sk_X509_value(stack, 0), sk_X509_value(stack, 1));
+ sk_X509_pop_free(stack, X509_free);
+
+ return 0;
+}
+.Ed
+.Pp
+The output looks similar to:
+.Pp
+.Dl 2 pointers: 0x4693ff24c00, 0x4693ff24c00
+.Sh SEE ALSO
+.Xr OCSP_request_sign 3 ,
+.Xr PKCS12_parse 3 ,
+.Xr PKCS7_encrypt 3 ,
+.Xr SSL_CTX_set_client_CA_list 3 ,
+.Xr SSL_get_ciphers 3 ,
+.Xr SSL_get_peer_cert_chain 3 ,
+.Xr SSL_load_client_CA_file 3 ,
+.Xr X509_CRL_get_REVOKED 3 ,
+.Xr X509_STORE_CTX_get0_chain 3
+.Sh HISTORY
+The
+.Fn STACK_OF
+macro first appeared in OpenSSL 0.9.3 and has been available since
+.Ox 2.6 .
diff --git a/lib/libcrypto/man/SXNET_new.3 b/lib/libcrypto/man/SXNET_new.3
index cf6f692748..9a723be203 100644
--- a/lib/libcrypto/man/SXNET_new.3
+++ b/lib/libcrypto/man/SXNET_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SXNET_new.3,v 1.2 2016/12/28 20:36:33 schwarze Exp $
+.\" $OpenBSD: SXNET_new.3,v 1.3 2018/03/21 17:57:48 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 28 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SXNET_NEW 3
 .Os
 .Sh NAME
@@ -117,6 +117,10 @@ if an error occurs. .%C South Africa .%D 1998 .Re +.Sh HISTORY +These functions first appeared in OpenSSL 0.9.3 +and have been available since +.Ox 2.6 . .Sh BUGS This manual page does not explain what the extension actually does because no authoritative information was found online so far. diff --git a/lib/libcrypto/man/TS_REQ_new.3 b/lib/libcrypto/man/TS_REQ_new.3 index 35da948436..0bd1c4ede6 100644 --- a/lib/libcrypto/man/TS_REQ_new.3 +++ b/lib/libcrypto/man/TS_REQ_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: TS_REQ_new.3,v 1.4 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: TS_REQ_new.3,v 1.5 2018/03/23 04:34:23 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt TS_REQ_NEW 3 .Os .Sh NAME @@ -175,3 +175,7 @@ Version 2 according to RFC 5035, but the current implementation only supports the Signing Certificate Attribute Definition Version 1 according to RFC 2634, and hence only supports RFC 3161, but not RFC 5816 functionality. +.Sh HISTORY +These functions first appeared in OpenSSL 1.0.0 +and have been available since +.Ox 4.9 . diff --git a/lib/libcrypto/man/UI_UTIL_read_pw.3 b/lib/libcrypto/man/UI_UTIL_read_pw.3 index b2d69c455e..aa3cefe8dd 100644 --- a/lib/libcrypto/man/UI_UTIL_read_pw.3 +++ b/lib/libcrypto/man/UI_UTIL_read_pw.3 
@@ -1,5 +1,6 @@ -.\" $OpenBSD: UI_UTIL_read_pw.3,v 1.1 2017/03/26 00:06:10 schwarze Exp $ -.\" OpenSSL UI_UTIL_read_pw.pod 23103a52 Jan 12 15:17:42 2017 +0100 +.\" $OpenBSD: UI_UTIL_read_pw.3,v 1.3 2018/03/22 21:08:22 schwarze Exp $ +.\" full merge up to: OpenSSL 23103a52 Jan 12 15:17:42 2017 +0100 +.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800 .\" .\" This file was written by Richard Levitte . .\" Copyright (c) 2017 The OpenSSL Project. All rights reserved. @@ -48,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 26 2017 $ +.Dd $Mdocdate: March 22 2018 $ .Dt UI_UTIL_READ_PW 3 .Os .Sh NAME @@ -91,5 +92,16 @@ does the same as but takes an external buffer .Fa buff for the verification passphrase. +.Sh RETURN VALUES +.Fn UI_UTIL_read_pw_string +and +.Fn UI_UTIL_read_pw +return 0 on success or a negative value on error. .Sh SEE ALSO .Xr UI_new 3 +.Sh HISTORY +.Fn UI_UTIL_read_pw +and +.Fn UI_UTIL_read_pw_string +first appeared in OpenSSL 0.9.7 and have been available since +.Ox 3.2 . diff --git a/lib/libcrypto/man/UI_create_method.3 b/lib/libcrypto/man/UI_create_method.3 index 2ce3a99829..c0cb87396e 100644 --- a/lib/libcrypto/man/UI_create_method.3 +++ b/lib/libcrypto/man/UI_create_method.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: UI_create_method.3,v 1.2 2017/03/26 12:31:27 jmc Exp $ +.\" $OpenBSD: UI_create_method.3,v 1.4 2018/03/23 04:34:23 schwarze Exp $ .\" OpenSSL UI_create_method.pod 8e3d46e5 Mar 11 10:51:04 2017 +0100 .\" .\" This file was written by Richard Levitte . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 26 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt UI_CREATE_METHOD 3 .Os .Sh NAME 
@@ -260,3 +260,25 @@ or otherwise .Sh SEE ALSO .Xr UI_get_string_type 3 , .Xr UI_new 3 +.Sh HISTORY +.Fn UI_create_method , +.Fn UI_destroy_method , +.Fn UI_method_set_opener , +.Fn UI_method_set_writer , +.Fn UI_method_set_flusher , +.Fn UI_method_set_reader , +.Fn UI_method_set_closer , +.Fn UI_method_get_opener , +.Fn UI_method_get_writer , +.Fn UI_method_get_flusher , +.Fn UI_method_get_reader , +and +.Fn UI_method_get_closer +first appeared in OpenSSL 0.9.7 and have been available since +.Ox 3.2 . +.Pp +.Fn UI_method_set_prompt_constructor +and +.Fn UI_method_get_prompt_constructor +first appeared in OpenSSL 1.0.0 and have been available since +.Ox 4.9 . diff --git a/lib/libcrypto/man/UI_get_string_type.3 b/lib/libcrypto/man/UI_get_string_type.3 index 05bc8227d6..bc0449a90e 100644 --- a/lib/libcrypto/man/UI_get_string_type.3 +++ b/lib/libcrypto/man/UI_get_string_type.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: UI_get_string_type.3,v 1.3 2017/08/20 22:24:30 schwarze Exp $ +.\" $OpenBSD: UI_get_string_type.3,v 1.4 2018/03/22 21:08:22 schwarze Exp $ .\" OpenSSL UI_STRING.pod e9c9971b Jul 1 18:28:50 2017 +0200 .\" .\" This file was written by Richard Levitte @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 20 2017 $ +.Dd $Mdocdate: March 22 2018 $ .Dt UI_GET_STRING_TYPE 3 .Os .Sh NAME @@ -275,3 +275,7 @@ or or -1 on error. .Sh SEE ALSO .Xr UI_new 3 +.Sh HISTORY +These functions first appeared in OpenSSL 0.9.7 +and have been available since +.Ox 3.2 . diff --git a/lib/libcrypto/man/UI_new.3 b/lib/libcrypto/man/UI_new.3 index 2b0ce5b557..86a2581c99 100644 --- a/lib/libcrypto/man/UI_new.3 +++ b/lib/libcrypto/man/UI_new.3 
@@ -1,6 +1,6 @@ -.\" $OpenBSD: UI_new.3,v 1.6 2017/03/26 00:06:10 schwarze Exp $ -.\" OpenSSL UI_new.pod 5469600e Mar 11 00:51:53 2017 +0100 -.\" OpenSSL UI_new.pod 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: UI_new.3,v 1.8 2018/03/22 21:08:22 schwarze Exp $ +.\" full merge up to: OpenSSL 78b19e90 Jan 11 00:12:01 2017 +0100 +.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800 .\" .\" This file was written by Richard Levitte . .\" Copyright (c) 2001, 2016, 2017 The OpenSSL Project. All rights reserved. @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 26 2017 $ +.Dd $Mdocdate: March 22 2018 $ .Dt UI_NEW 3 .Os .Sh NAME @@ -292,8 +292,8 @@ When done with this UI, it should be freed using .Fn UI_free . .Pp .Fn UI_OpenSSL -returns the built-in UI method (note: not the default one, since -the default can be changed. +returns the built-in UI method (note: not necessarily the default one, +since the default can be changed. See further on). This method is the most machine/OS dependent part of OpenSSL and normally generates the most problems when porting. @@ -381,7 +381,7 @@ whatever string and may include encodings that will be processed by the other method functions. .Pp .Fn UI_add_user_data -adds a piece of memory for the method to use at any time. +adds a user data pointer for the method to use at any time. The builtin UI method doesn't care about this info. Note that several calls to this function doesn't add data - the previous blob is replaced with the one given as argument. @@ -418,6 +418,8 @@ can be used again or not. .Pp .Fn UI_set_default_method changes the default UI method to the one given. +This function is not thread-safe and should not be called at the +same time as other OpenSSL functions. .Pp .Fn UI_get_default_method returns a pointer to the current default UI method. 
@@ -429,13 +431,84 @@ returns the UI method associated with a given
 .Fn UI_set_method
 changes the UI method associated with a given
 .Fa ui .
+.Sh RETURN VALUES
+.Fn UI_new
+and
+.Fn UI_new_method
+return a valid
+.Vt UI
+structure or
+.Dv NULL
+if an error occurred.
+.Pp
+.Fn UI_add_input_string ,
+.Fn UI_dup_input_string ,
+.Fn UI_add_verify_string ,
+.Fn UI_dup_verify_string ,
+.Fn UI_add_input_boolean ,
+.Fn UI_dup_input_boolean ,
+.Fn UI_add_info_string ,
+.Fn UI_dup_info_string ,
+.Fn UI_add_error_string ,
+and
+.Fn UI_dup_error_string
+return a positive number on success or a number
+less than or equal to zero otherwise.
+.Pp
+.Fn UI_construct_prompt
+and
+.Fn UI_get0_result
+return a string or
+.Dv NULL
+if an error occurred.
+.Pp
+.Fn UI_add_user_data
+and
+.Fn UI_get0_user_data
+return a pointer to the user data that was contained in
+.Fa ui
+before the call.
+In particular,
+.Dv NULL
+is a valid return value.
+.Pp
+.Fn UI_process
+returns 0 on success or a negative value on error.
+.Pp
+.Fn UI_ctrl
+returns a mask on success or \-1 on error.
+.Pp
+.Fn UI_get_default_method
+and
+.Fn UI_OpenSSL
+always return a pointer to a valid
+.Vt UI_METHOD
+structure.
+.Pp
+.Fn UI_get_method
+and
+.Fn UI_set_method
+return a pointer to the
+.Vt UI_METHOD
+structure that is installed in
+.Fa ui
+after the call.
+The OpenSSL documentation says that they can fail and return
+.Dv NULL ,
+but currently, this can only happen when and after
+.Fn UI_set_method
+is called with an explicit
+.Dv NULL
+argument.
 .Sh SEE ALSO
 .Xr des_read_pw 3 ,
 .Xr UI_create_method 3 ,
 .Xr UI_get_string_type 3 ,
 .Xr UI_UTIL_read_pw 3
 .Sh HISTORY
-The UI section was first introduced in OpenSSL 0.9.7.
+These functions first appeared in OpenSSL 0.9.7
+and have been available since
+.Ox 3.2 .
 .Sh AUTHORS
 .An Richard Levitte Aq Mt richard@levitte.org
 for the OpenSSL project.
diff --git a/lib/libcrypto/man/X509V3_get_d2i.3 b/lib/libcrypto/man/X509V3_get_d2i.3
index 9ba4572a6b..91883669d8 100644
--- a/lib/libcrypto/man/X509V3_get_d2i.3 +++ b/lib/libcrypto/man/X509V3_get_d2i.3 @@ -1,8 +1,9 @@ -.\" $OpenBSD: X509V3_get_d2i.3,v 1.6 2017/07/05 11:43:09 schwarze Exp $ -.\" OpenSSL 047dd81e Jul 4 23:03:17 2014 +0100 +.\" $OpenBSD: X509V3_get_d2i.3,v 1.14 2018/03/23 23:18:17 schwarze Exp $ +.\" full merge up to: OpenSSL ff7fbfd5 Nov 2 11:52:01 2015 +0000 +.\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . -.\" Copyright (c) 2014, 2016 The OpenSSL Project. All rights reserved. +.\" Copyright (c) 2014, 2015, 2016 The OpenSSL Project. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -48,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 5 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt X509V3_GET_D2I 3 .Os .Sh NAME @@ -61,7 +62,10 @@ .Nm X509_CRL_get_ext_d2i , .Nm X509_CRL_add1_ext_i2d , .Nm X509_REVOKED_get_ext_d2i , -.Nm X509_REVOKED_add1_ext_i2d +.Nm X509_REVOKED_add1_ext_i2d , +.Nm X509_get0_extensions , +.Nm X509_CRL_get0_extensions , +.Nm X509_REVOKED_get0_extensions .Nd X509 extension decode and encode functions .Sh SYNOPSIS .In openssl/x509v3.h @@ -135,6 +139,18 @@ .Fa "int crit" .Fa "unsigned long flags" .Fc +.Ft const STACK_OF(X509_EXTENSION) * +.Fo X509_get0_extensions +.Fa "const X509 *x" +.Fc +.Ft const STACK_OF(X509_EXTENSION) * +.Fo X509_CRL_get0_extensions +.Fa "const X509_CRL *crl" +.Fc +.Ft const STACK_OF(X509_EXTENSION) * +.Fo X509_REVOKED_get0_extensions +.Fa "const X509_REVOKED *r" +.Fc .Sh DESCRIPTION .Fn X509V3_get_d2i looks for an extension with OID @@ -204,7 +220,7 @@ operate on the extensions of certificate and are otherwise identical to .Fn X509V3_get_d2i and -.Fn X509V3_add1_i2d 3 . +.Fn X509V3_add1_i2d . .Pp .Fn X509_CRL_get_ext_d2i and 
@@ -214,7 +230,7 @@ operate on the extensions of CRL and are otherwise identical to .Fn X509V3_get_d2i and -.Fn X509V3_add1_i2d 3 . +.Fn X509V3_add1_i2d . .Pp .Fn X509_REVOKED_get_ext_d2i and @@ -226,7 +242,14 @@ structure (i.e. for CRL entry extensions), and are otherwise identical to .Fn X509V3_get_d2i and -.Fn X509V3_add1_i2d 3 . +.Fn X509V3_add1_i2d . +.Pp +.Fn X509_get0_extensions , +.Fn X509_CRL_get0_extensions , +and +.Fn X509_REVOKED_get0_extensions +return a stack of all the extensions of a certificate, a CRL, +or a CRL entry, respectively. .Pp In almost all cases an extension can occur at most once and multiple occurrences is an error. @@ -363,6 +386,14 @@ if an error occurs. returns 1 if the operation is successful, 0 if it fails due to a non-fatal error (extension not found, already exists, cannot be encoded), or -1 due to a fatal error such as a memory allocation failure. +.Pp +.Fn X509_get0_extensions , +.Fn X509_CRL_get0_extensions , +and +.Fn X509_REVOKED_get0_extensions +return a stack of extensions, or +.Dv NULL +if no extensions are present. .Sh SEE ALSO .Xr d2i_X509 3 , .Xr d2i_X509_EXTENSION 3 , 
@@ -372,4 +403,35 @@ or -1 due to a fatal error such as a memory allocation failure.
 .Xr X509_get_pubkey 3 ,
 .Xr X509_get_subject_name 3 ,
 .Xr X509_get_version 3 ,
-.Xr X509_new 3
+.Xr X509_new 3 ,
+.Xr X509_REVOKED_new 3
+.Sh HISTORY
+.Fn X509V3_EXT_d2i
+first appeared in OpenSSL 0.9.2b.
+.Fn X509V3_EXT_i2d
+first appeared in OpenSSL 0.9.3.
+Both functions have been available since
+.Ox 2.6 .
+.Pp
+.Fn X509V3_get_d2i ,
+.Fn X509_get_ext_d2i ,
+.Fn X509_CRL_get_ext_d2i ,
+and
+.Fn X509_REVOKED_get_ext_d2i
+first appeared in OpenSSL 0.9.5 and have been available since
+.Ox 2.7 .
+.Pp
+.Fn X509V3_add1_i2d ,
+.Fn X509_add1_ext_i2d ,
+.Fn X509_CRL_add1_ext_i2d ,
+and
+.Fn X509_REVOKED_add1_ext_i2d
+first appeared in OpenSSL 0.9.7 and have been available since
+.Ox 3.2 .
+.Pp
+.Fn X509_get0_extensions ,
+.Fn X509_CRL_get0_extensions ,
+and
+.Fn X509_REVOKED_get0_extensions
+first appeared in OpenSSL 1.1.0 and have been available since
+.Ox 6.3 .
diff --git a/lib/libcrypto/man/X509_ALGOR_dup.3 b/lib/libcrypto/man/X509_ALGOR_dup.3
index b1a28e11ba..c85dbd1d32 100644
--- a/lib/libcrypto/man/X509_ALGOR_dup.3
+++ b/lib/libcrypto/man/X509_ALGOR_dup.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_ALGOR_dup.3,v 1.5 2016/12/25 22:15:10 schwarze Exp $
+.\" $OpenBSD: X509_ALGOR_dup.3,v 1.11 2018/03/23 05:48:56 schwarze Exp $
 .\" OpenSSL 4692340e Jun 7 15:49:08 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 25 2016 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt X509_ALGOR_DUP 3
 .Os
 .Sh NAME
@@ -207,7 +207,32 @@ have identical encodings or non-zero otherwise. .Sh SEE ALSO .Xr ASN1_TYPE_set 3 , .Xr d2i_X509_ALGOR 3 , +.Xr X509_get0_signature 3 , .Xr X509_PUBKEY_get0_param 3 .Sh STANDARDS RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile +.Sh HISTORY +.Fn X509_ALGOR_new +and +.Fn X509_ALGOR_free +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn X509_ALGOR_dup +first appeared in SSLeay 0.9.1 and has been avialable since +.Ox 2.6 . +.Pp +.Fn X509_ALGOR_set0 +and +.Fn X509_ALGOR_get0 +first appeared in OpenSSL 0.9.8h and have been available since +.Ox 4.5 . +.Pp +.Fn X509_ALGOR_cmp +first appeared in OpenSSL 0.9.8zd and 1.0.0p and has been available since +.Ox 4.9 . +.Pp +.Fn X509_ALGOR_set_md +first appeared in OpenSSL 1.0.1 and has been available since +.Ox 5.3 . diff --git a/lib/libcrypto/man/X509_ATTRIBUTE_new.3 b/lib/libcrypto/man/X509_ATTRIBUTE_new.3 index 776c4b17ce..a6ce900a55 100644 --- a/lib/libcrypto/man/X509_ATTRIBUTE_new.3 +++ b/lib/libcrypto/man/X509_ATTRIBUTE_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_ATTRIBUTE_new.3,v 1.4 2016/12/28 20:29:15 schwarze Exp $ +.\" $OpenBSD: X509_ATTRIBUTE_new.3,v 1.5 2018/03/21 03:16:08 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 28 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt X509_ATTRIBUTE_NEW 3 .Os .Sh NAME @@ -88,6 +88,12 @@ Private-Key Information Syntax Specification RFC 7292: PKCS #12: Personal Information Exchange Syntax, section 4.2: The SafeBag Type .El +.Sh HISTORY +.Fn X509_ATTRIBUTE_new +and +.Fn X509_ATTRIBUTE_free +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . .Sh BUGS A data type designed to hold arbitrary data is an oxymoron. .Pp 
diff --git a/lib/libcrypto/man/X509_CINF_new.3 b/lib/libcrypto/man/X509_CINF_new.3 index 7ac86b6d36..eb18d66ffc 100644 --- a/lib/libcrypto/man/X509_CINF_new.3 +++ b/lib/libcrypto/man/X509_CINF_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_CINF_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: X509_CINF_new.3,v 1.4 2018/03/22 16:06:33 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt X509_CINF_NEW 3 .Os .Sh NAME @@ -97,3 +97,17 @@ if an error occurs. .Sh STANDARDS RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile +.Sh HISTORY +.Fn X509_CINF_new , +.Fn X509_CINF_free , +.Fn X509_VAL_new , +and +.Fn X509_VAL_free +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn X509_CERT_AUX_new +and +.Fn X509_CERT_AUX_free +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . diff --git a/lib/libcrypto/man/X509_CRL_get0_by_serial.3 b/lib/libcrypto/man/X509_CRL_get0_by_serial.3 index b5d8c8d9d5..d1580e1d5b 100644 --- a/lib/libcrypto/man/X509_CRL_get0_by_serial.3 +++ b/lib/libcrypto/man/X509_CRL_get0_by_serial.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_CRL_get0_by_serial.3,v 1.5 2017/03/25 18:35:33 schwarze Exp $ +.\" $OpenBSD: X509_CRL_get0_by_serial.3,v 1.8 2018/03/23 04:34:23 schwarze Exp $ .\" OpenSSL X509_CRL_get0_by_serial.pod cdd6c8c5 Mar 20 12:29:37 2017 +0100 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 25 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt X509_CRL_GET0_BY_SERIAL 3 .Os .Sh NAME 
@@ -157,3 +157,19 @@ returns a STACK of revoked entries. .Xr X509_CRL_get_version 3 , .Xr X509_REVOKED_new 3 , .Xr X509V3_get_d2i 3 +.Sh HISTORY +.Fn X509_CRL_get_REVOKED +first appeared in OpenSSL 0.9.2b and has been available since +.Ox 2.6 . +.Pp +.Fn X509_CRL_add0_revoked +and +.Fn X509_CRL_sort +first appeared in OpenSSL 0.9.7 and have been available since +.Ox 3.2 . +.Pp +.Fn X509_CRL_get0_by_serial +and +.Fn X509_CRL_get0_by_cert +first appeared in OpenSSL 1.0.0 and have been available since +.Ox 4.9 . diff --git a/lib/libcrypto/man/X509_CRL_new.3 b/lib/libcrypto/man/X509_CRL_new.3 index 2f35b100cb..2f824bff91 100644 --- a/lib/libcrypto/man/X509_CRL_new.3 +++ b/lib/libcrypto/man/X509_CRL_new.3 @@ -1,6 +1,6 @@ -.\" $OpenBSD: X509_CRL_new.3,v 1.3 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: X509_CRL_new.3,v 1.6 2018/03/23 23:18:17 schwarze Exp $ .\" -.\" Copyright (c) 2016 Ingo Schwarze +.\" Copyright (c) 2016, 2018 Ingo Schwarze .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -14,11 +14,13 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt X509_CRL_NEW 3 .Os .Sh NAME .Nm X509_CRL_new , +.Nm X509_CRL_dup , +.Nm X509_CRL_up_ref , .Nm X509_CRL_free , .Nm X509_CRL_INFO_new , .Nm X509_CRL_INFO_free @@ -27,6 +29,10 @@ .In openssl/x509.h .Ft X509_CRL * .Fn X509_CRL_new void +.Ft X509_CRL * +.Fn X509_CRL_dup "X509_CRL *crl" +.Ft int +.Fn X509_CRL_up_ref "X509_CRL *crl" .Ft void .Fn X509_CRL_free "X509_CRL *crl" .Ft X509_CRL_INFO * 
@@ -44,8 +50,22 @@ It can hold a pointer to an .Vt X509_CRL_INFO object discussed below together with a cryptographic signature and information about the signature algorithm used. +The reference count is set to 1. +.Pp +.Fn X509_CRL_dup +creates a deep copy of +.Fa crl . +.Pp +.Fn X509_CRL_up_ref +increments the reference count of +.Fa crl +by 1. +.Pp .Fn X509_CRL_free -frees +decrements the reference count of +.Fa crl +by 1. +If the reference count reaches 0, it frees .Fa crl . .Pp .Fn X509_CRL_INFO_new @@ -63,7 +83,8 @@ list is due, and optional extensions. frees .Fa crl_info . .Sh RETURN VALUES -.Fn X509_CRL_new +.Fn X509_CRL_new , +.Fn X509_CRL_dup , and .Fn X509_CRL_INFO_new return the new @@ -73,6 +94,9 @@ or object, respectively, or .Dv NULL if an error occurs. +.Pp +.Fn X509_CRL_up_ref +returns 1 on success or 0 on error. .Sh SEE ALSO .Xr ACCESS_DESCRIPTION_new 3 , .Xr AUTHORITY_KEYID_new 3 , @@ -94,3 +118,16 @@ if an error occurs. RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, section 5: CRL and CRL Extensions Profile +.Sh HISTORY +.Fn X509_CRL_new , +.Fn X509_CRL_dup , +.Fn X509_CRL_free , +.Fn X509_CRL_INFO_new , +and +.Fn X509_CRL_INFO_free +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn X509_CRL_up_ref +first appeared in OpenSSL 1.1.0 and has been available since +.Ox 6.3 . diff --git a/lib/libcrypto/man/X509_EXTENSION_set_object.3 b/lib/libcrypto/man/X509_EXTENSION_set_object.3 index f0df3392b8..ff59a6424d 100644 --- a/lib/libcrypto/man/X509_EXTENSION_set_object.3 +++ b/lib/libcrypto/man/X509_EXTENSION_set_object.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_EXTENSION_set_object.3,v 1.6 2016/12/28 13:45:30 schwarze Exp $ +.\" $OpenBSD: X509_EXTENSION_set_object.3,v 1.7 2018/03/21 03:16:08 schwarze Exp $ .\" OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400 .\" .\" This file is a derived work. 
@@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 28 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt X509_EXTENSION_SET_OBJECT 3 .Os .Sh NAME @@ -286,3 +286,6 @@ pointer. .Sh STANDARDS RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile +.Sh HISTORY +These functions appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/X509_LOOKUP_hash_dir.3 b/lib/libcrypto/man/X509_LOOKUP_hash_dir.3 index cfa8f0dc78..61924eb5d8 100644 --- a/lib/libcrypto/man/X509_LOOKUP_hash_dir.3 +++ b/lib/libcrypto/man/X509_LOOKUP_hash_dir.3 @@ -1,9 +1,9 @@ -.\" $OpenBSD: X509_LOOKUP_hash_dir.3,v 1.3 2017/01/06 22:46:06 schwarze Exp $ -.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: X509_LOOKUP_hash_dir.3,v 1.7 2018/03/22 16:06:33 schwarze Exp $ +.\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800 .\" .\" This file was written by Victor B. Wagner .\" and Claus Assmann. -.\" Copyright (c) 2015, 2016 The OpenSSL Project. All rights reserved. +.\" Copyright (c) 2015, 2016, 2017 The OpenSSL Project. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 6 2017 $ +.Dd $Mdocdate: March 22 2018 $ .Dt X509_LOOKUP_HASH_DIR 3 .Os .Sh NAME @@ -141,9 +141,6 @@ filename causes these functions to load the default certificate store file (see .Xr X509_STORE_set_default_paths 3 ) . .Pp -These functions return the number of objects loaded from file or 0 -in case of error. -.Pp Both methods support adding several certificate locations into one .Sy X509_STORE . .Pp 
@@ -211,8 +208,37 @@ sequence number greater than that of the already cached CRL. Note that the hash algorithm used for subject name hashing changed in OpenSSL 1.0.0, and all certificate stores have to be rehashed when moving from OpenSSL 0.9.8 to 1.0.0. +.Sh RETURN VALUES +.Fn X509_LOOKUP_hash_dir +and +.Fn X509_LOOKUP_file +always return a pointer to a static +.Vt X509_LOOKUP_METHOD +structure. +.Pp +.Fn X509_load_cert_file , +.Fn X509_load_crl_file , +and +.Fn X509_load_cert_crl_file +return the number of objects loaded from the +.Fa file +or 0 on error. .Sh SEE ALSO .Xr d2i_X509_bio 3 , .Xr PEM_read_PrivateKey 3 , .Xr SSL_CTX_load_verify_locations 3 , .Xr X509_STORE_load_locations 3 +.Sh HISTORY +.Fn X509_LOOKUP_hash_dir , +.Fn X509_LOOKUP_file , +and +.Fn X509_load_cert_file +appeared before SSLeay 0.8. +.Fn X509_load_crl_file +first appeared in SSLeay 0.9.0. +These functions have been available since +.Ox 2.4 . +.Pp +.Fn X509_load_cert_crl_file +first appeared in OpenSSL 0.9.5 and has been available since +.Ox 2.7 . diff --git a/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 b/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 index e11a4b7708..49ce32ec11 100644 --- a/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 +++ b/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 @@ -1,5 +1,6 @@ -.\" $OpenBSD: X509_NAME_ENTRY_get_object.3,v 1.6 2016/12/25 22:15:10 schwarze Exp $ -.\" OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400 +.\" $OpenBSD: X509_NAME_ENTRY_get_object.3,v 1.9 2018/03/22 16:06:33 schwarze Exp $ +.\" full merge up to: OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400 +.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800 .\" .\" This file is a derived work. .\" The changes are covered by the following Copyright and license: 
@@ -19,7 +20,8 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" .\" The original file was written by Dr. Stephen Henson . -.\" Copyright (c) 2002, 2005, 2006 The OpenSSL Project. All rights reserved. +.\" Copyright (c) 2002, 2005, 2006, 2017 The OpenSSL Project. +.\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -65,7 +67,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt X509_NAME_ENTRY_GET_OBJECT 3 .Os .Sh NAME @@ -220,6 +222,36 @@ but in the case of .Fn X509_NAME_ENTRY_set_data the field type must be set first so the relevant field information can be looked up internally. +.Sh RETURN VALUES +.Fn X509_NAME_ENTRY_new , +.Fn X509_NAME_ENTRY_create_by_txt , +.Fn X509_NAME_ENTRY_create_by_NID , +and +.Fn X509_NAME_ENTRY_create_by_OBJ +return a valid +.Vt X509_NAME_ENTRY +structure on success or +.Dv NULL +if an error occurred. +.Pp +.Fn X509_NAME_ENTRY_get_object +returns a valid +.Vt ASN1_OBJECT +structure if it is set or +.Dv NULL +if an error occurred. +.Pp +.Fn X509_NAME_ENTRY_get_data +returns a valid +.Vt ASN1_STRING +structure if it is set or +.Dv NULL +if an error occurred. +.Pp +.Fn X509_NAME_ENTRY_set_object +and +.Fn X509_NAME_ENTRY_set_data +return 1 on success or 0 on error. .Sh SEE ALSO .Xr ERR_get_error 3 , .Xr OBJ_nid2obj 3 , 
@@ -233,3 +265,19 @@ Certificate Revocation List (CRL) Profile ITU-T Recommendation X.501, also known as ISO/IEC 9594-2: Information Technology Open Systems Interconnection The Directory: Models, section 9.3: Relative distinguished name +.Sh HISTORY +.Fn X509_NAME_ENTRY_new , +.Fn X509_NAME_ENTRY_free , +.Fn X509_NAME_ENTRY_get_object , +.Fn X509_NAME_ENTRY_get_data , +.Fn X509_NAME_ENTRY_set_object , +.Fn X509_NAME_ENTRY_set_data , +.Fn X509_NAME_ENTRY_create_by_NID , +and +.Fn X509_NAME_ENTRY_create_by_OBJ +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn X509_NAME_ENTRY_create_by_txt +first appeared in OpenSSL 0.9.5 and has been available since +.Ox 2.7 . diff --git a/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 b/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 index a2a9314c07..c70c7b73d5 100644 --- a/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 +++ b/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_NAME_add_entry_by_txt.3,v 1.7 2017/01/06 03:00:56 schwarze Exp $ +.\" $OpenBSD: X509_NAME_add_entry_by_txt.3,v 1.9 2018/03/22 16:06:33 schwarze Exp $ .\" OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 6 2017 $ +.Dd $Mdocdate: March 22 2018 $ .Dt X509_NAME_ADD_ENTRY_BY_TXT 3 .Os .Sh NAME @@ -255,6 +255,19 @@ if (!X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, .Xr ERR_get_error 3 , .Xr X509_NAME_get_index_by_NID 3 , .Xr X509_NAME_new 3 +.Sh HISTORY +.Fn X509_NAME_add_entry +and +.Fn X509_NAME_delete_entry +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn X509_NAME_add_entry_by_txt , +.Fn X509_NAME_add_entry_by_OBJ , +and +.Fn X509_NAME_add_entry_by_NID +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . .Sh BUGS .Fa type can still be set to 
diff --git a/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 b/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 index b6571ccc1d..f80e08bf69 100644 --- a/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 +++ b/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_NAME_get_index_by_NID.3,v 1.6 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: X509_NAME_get_index_by_NID.3,v 1.7 2018/03/21 03:16:08 schwarze Exp $ .\" OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt X509_NAME_GET_INDEX_BY_NID 3 .Os .Sh NAME @@ -227,6 +227,9 @@ for (;;) { .Xr d2i_X509_NAME 3 , .Xr ERR_get_error 3 , .Xr X509_NAME_new 3 +.Sh HISTORY +These functions appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . .Sh CAVEATS .Fn X509_NAME_get_text_by_NID and diff --git a/lib/libcrypto/man/X509_NAME_new.3 b/lib/libcrypto/man/X509_NAME_new.3 index c4efab7784..27ab03dfab 100644 --- a/lib/libcrypto/man/X509_NAME_new.3 +++ b/lib/libcrypto/man/X509_NAME_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_NAME_new.3,v 1.3 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: X509_NAME_new.3,v 1.4 2018/03/21 03:16:08 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt X509_NAME_NEW 3 .Os .Sh NAME 
@@ -86,3 +86,9 @@ Certificate Revocation List (CRL) Profile ITU-T Recommendation X.501, also known as ISO/IEC 9594-2: Information Technology \(en Open Systems Interconnection \(en The Directory: Models, section 9: Names +.Sh HISTORY +.Fn X509_NAME_new +and +.Fn X509_NAME_free +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/X509_NAME_print_ex.3 b/lib/libcrypto/man/X509_NAME_print_ex.3 index 1342a200ad..6b91ff5d66 100644 --- a/lib/libcrypto/man/X509_NAME_print_ex.3 +++ b/lib/libcrypto/man/X509_NAME_print_ex.3 @@ -1,8 +1,9 @@ -.\" $OpenBSD: X509_NAME_print_ex.3,v 1.6 2016/12/25 22:15:10 schwarze Exp $ -.\" OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400 +.\" $OpenBSD: X509_NAME_print_ex.3,v 1.9 2018/03/22 17:11:04 schwarze Exp $ +.\" full merge up to: OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400 +.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800 .\" .\" This file was written by Dr. Stephen Henson . -.\" Copyright (c) 2002, 2004, 2007, 2016 The OpenSSL Project. +.\" Copyright (c) 2002, 2004, 2007, 2016, 2017 The OpenSSL Project. .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -49,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt X509_NAME_PRINT_EX 3 .Os .Sh NAME 
@@ -248,8 +249,38 @@ uses a format identical to in fact it calls .Fn X509_NAME_print internally. +.Sh RETURN VALUES +.Fn X509_NAME_print_ex +and +.Fn X509_NAME_print_ex_fp +return 1 on success or 0 on error if +.Dv XN_FLAG_COMPAT +is set in +.Fa flags . +Otherwise, they return the number of printed bytes including the +indentation or \-1 on error. +.Pp +.Fn X509_NAME_oneline +returns a valid string on success or +.Dv NULL +on error. +.Pp +.Fn X509_NAME_print +returns 1 on success or 0 on error. .Sh SEE ALSO .Xr ASN1_STRING_print_ex 3 , .Xr d2i_X509_NAME 3 , .Xr X509_NAME_get_index_by_NID 3 , .Xr X509_NAME_new 3 +.Sh HISTORY +.Fn X509_NAME_oneline +and +.Fn X509_NAME_print +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn X509_NAME_print_ex +and +.Fn X509_NAME_print_ex_fp +first appeared in OpenSSL 0.9.6 and have been available since +.Ox 2.9 . diff --git a/lib/libcrypto/man/X509_OBJECT_get0_X509.3 b/lib/libcrypto/man/X509_OBJECT_get0_X509.3 new file mode 100644 index 0000000000..0119b91e1e --- /dev/null +++ b/lib/libcrypto/man/X509_OBJECT_get0_X509.3 
@@ -0,0 +1,236 @@
+.\" $OpenBSD: X509_OBJECT_get0_X509.3,v 1.5 2018/03/23 23:18:17 schwarze Exp $
+.\" Copyright (c) 2018 Ingo Schwarze
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: March 23 2018 $
+.Dt X509_OBJECT_GET0_X509 3
+.Os
+.Sh NAME
+.Nm X509_OBJECT_up_ref_count ,
+.Nm X509_OBJECT_free_contents ,
+.Nm X509_OBJECT_get0_X509 ,
+.Nm X509_OBJECT_get0_X509_CRL ,
+.Nm X509_OBJECT_idx_by_subject ,
+.Nm X509_OBJECT_retrieve_by_subject ,
+.Nm X509_OBJECT_retrieve_match
+.Nd certificate, CRL, private key, and string wrapper for certificate stores
+.Sh SYNOPSIS
+.In openssl/x509_vfy.h
+.Ft void
+.Fo X509_OBJECT_up_ref_count
+.Fa "X509_OBJECT *obj"
+.Fc
+.Ft void
+.Fo X509_OBJECT_free_contents
+.Fa "X509_OBJECT *obj"
+.Fc
+.Ft X509 *
+.Fo X509_OBJECT_get0_X509
+.Fa "const X509_OBJECT *obj"
+.Fc
+.Ft X509_CRL *
+.Fo X509_OBJECT_get0_X509_CRL
+.Fa "X509_OBJECT *obj"
+.Fc
+.Ft int
+.Fo X509_OBJECT_idx_by_subject
+.Fa "STACK_OF(X509_OBJECT) *stack"
+.Fa "int type"
+.Fa "X509_NAME *name"
+.Fc
+.Ft X509_OBJECT *
+.Fo X509_OBJECT_retrieve_by_subject
+.Fa "STACK_OF(X509_OBJECT) *stack"
+.Fa "int type"
+.Fa "X509_NAME *name"
+.Fc
+.Ft X509_OBJECT *
+.Fo X509_OBJECT_retrieve_match
+.Fa "STACK_OF(X509_OBJECT) *stack"
+.Fa "X509_OBJECT *obj"
+.Fc
+.Sh DESCRIPTION
+The
+.Vt X509_OBJECT
+structure is a shallow wrapper around one
+.Vt X509
+certificate object, one
+.Vt X509_CRL
+certificate revocation list object, one
+.Vt EVP_PKEY
+private key object, or one
+.Vt char *
+string.
+It also remembers which type of object it contains at any given time.
+.Pp
+Each
+.Vt X509_STORE
+object uses one stack of
+.Vt X509_OBJECT
+structures as its main storage area.
+.Pp
+If
+.Fa obj
+contains an
+.Vt X509
+certificate or an
+.Vt X509_CRL
+certificate revocation list,
+.Fn X509_OBJECT_up_ref_count
+increments the reference count of that inner object by 1.
+Otherwise, no action occurs.
+.Pp
+If
+.Fa obj
+contains an
+.Vt X509
+certificate,
+.Fn X509_OBJECT_free_contents
+calls
+.Xr X509_free 3
+on that inner object.
+If
+.Fa obj
+contains an
+.Vt X509_CRL
+certificate revocation list, it calls
+.Xr X509_CRL_free 3
+on that inner list.
+Otherwise, no action occurs.
+.Fn X509_OBJECT_free_contents
+does not free
+.Fa obj
+itself.
+.Pp
+If
+.Fa type
+is
+.Dv X509_LU_X509 ,
+.Fn X509_OBJECT_idx_by_subject
+and
+.Fn X509_OBJECT_retrieve_by_subject
+search the given
+.Fa stack
+for a certificate with the subject
+.Fa name .
+If
+.Fa type
+is
+.Dv X509_LU_CRL ,
+they search for a certificate revocation list with the issuer
+.Fa name
+instead.
+.Pp
+If
+.Fa obj
+contains a certificate,
+.Fn X509_OBJECT_retrieve_match
+searches the given
+.Fa stack
+for a certificate with a matching subject name;
+if it contains a certificate revocation list, it searches for a
+certificate revocation list with a matching issuer name instead;
+otherwise, it searches for an
+.Vt X509_OBJECT
+with a matching type.
+.Sh RETURN VALUES
+.Fn X509_OBJECT_get0_X509
+returns an internal pointer to the certificate contained in
+.Fa obj
+or
+.Dv NULL
+if
+.Fa obj
+is
+.Dv NULL
+or contains no certificate.
+.Pp
+.Fn X509_OBJECT_get0_X509_CRL
+returns an internal pointer to the certificate revocation list contained in
+.Fa obj
+or
+.Dv NULL
+if
+.Fa obj
+is
+.Dv NULL
+or contains no certificate revocation list.
+.Pp
+.Fn X509_OBJECT_idx_by_subject
+returns the zero-based index of the first matching certificate
+or revocation list in the
+.Fa stack
+or \-1 if
+.Fa type
+is neither
+.Dv X509_LU_X509
+nor
+.Dv X509_LU_CRL
+or if no match is found.
+.Pp
+.Fn X509_OBJECT_retrieve_by_subject
+returns the first matching certificate or revocation list in the
+.Fa stack
+or
+.Dv NULL
+if
+.Fa type
+is neither
+.Dv X509_LU_X509
+nor
+.Dv X509_LU_CRL
+or if no match is found.
+.Pp
+.Fn X509_OBJECT_retrieve_match
+returns the first mathching
+.Vt X509_OBJECT
+or
+.Dv NULL
+if
+.Fa stack
+or
+.Fa obj
+is
+.Dv NULL
+or no match is found.
+.Sh SEE ALSO
+.Xr X509_STORE_get0_objects 3 ,
+.Xr X509_STORE_load_locations 3 ,
+.Xr X509_STORE_new 3
+.\" The type X509_OBJECT is also used
+.\" by the following undocumented public functions:
+.\" X509_STORE_get_by_subject
+.\" X509_LOOKUP_by_subject
+.\" X509_LOOKUP_by_issuer_serial
+.\" X509_LOOKUP_by_fingerprint
+.\" X509_LOOKUP_by_alias
+.Sh HISTORY
+.Fn X509_OBJECT_up_ref_count
+and
+.Fn X509_OBJECT_free_contents
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
+.Pp
+.Fn X509_OBJECT_idx_by_subject ,
+.Fn X509_OBJECT_retrieve_by_subject ,
+and
+.Fn X509_OBJECT_retrieve_match
+first appeared in OpenSSL 0.9.6 and have been available since
+.Ox 2.9 .
+.Pp
+.Fn X509_OBJECT_get0_X509
+and
+.Fn X509_OBJECT_get0_X509_CRL
+first appeared in OpenSSL 1.1.0 and have been available since
+.Ox 6.3 .
diff --git a/lib/libcrypto/man/X509_PUBKEY_new.3 b/lib/libcrypto/man/X509_PUBKEY_new.3
index 7ed3e68b2e..077f6f7d0e 100644
--- a/lib/libcrypto/man/X509_PUBKEY_new.3
+++ b/lib/libcrypto/man/X509_PUBKEY_new.3
@@ -1,5 +1,5 @@ -.\" $OpenBSD: X509_PUBKEY_new.3,v 1.5 2016/12/28 14:06:06 schwarze Exp $ -.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: X509_PUBKEY_new.3,v 1.12 2018/03/23 23:18:17 schwarze Exp $ +.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . .\" Copyright (c) 2016 The OpenSSL Project. All rights reserved. @@ -48,13 +48,14 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 28 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt X509_PUBKEY_NEW 3 .Os .Sh NAME .Nm X509_PUBKEY_new , .Nm X509_PUBKEY_free , .Nm X509_PUBKEY_set , +.Nm X509_PUBKEY_get0 , .Nm X509_PUBKEY_get , .Nm d2i_PUBKEY , .Nm i2d_PUBKEY , @@ -79,6 +80,10 @@ .Fa "EVP_PKEY *pkey" .Fc .Ft EVP_PKEY * +.Fo X509_PUBKEY_get0 +.Fa "X509_PUBKEY *key" +.Fc +.Ft EVP_PKEY * .Fo X509_PUBKEY_get .Fa "X509_PUBKEY *key" .Fc @@ -167,10 +172,15 @@ is not .Dv NULL , any existing public key structure will be freed. .Pp -.Fn X509_PUBKEY_get +.Fn X509_PUBKEY_get0 returns the public key contained in .Fa key . -The reference +The returned value is an internal pointer which must not be freed after use. +.Pp +.Fn X509_PUBKEY_get +is similar to +.Fn X509_PUBKEY_get0 +except that the reference count on the returned key is incremented so it must be freed using .Xr EVP_PKEY_free 3 after use. @@ -240,6 +250,7 @@ and sets an error code that can be obtained by .Xr ERR_get_error 3 . Otherwise it returns a pointer to the newly allocated structure. .Pp +.Fn X509_PUBKEY_get0 , .Fn X509_PUBKEY_get , .Fn d2i_PUBKEY , .Fn d2i_PUBKEY_bio , 
@@ -265,8 +276,41 @@ return 1 for success and 0 if an error occurred. .Sh SEE ALSO .Xr d2i_X509 3 , .Xr ERR_get_error 3 , +.Xr EVP_PKEY_asn1_set_public 3 , .Xr X509_ALGOR_new 3 , .Xr X509_get_pubkey 3 .Sh STANDARDS RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile +.Sh HISTORY +.Fn X509_PUBKEY_new , +.Fn X509_PUBKEY_free , +.Fn X509_PUBKEY_set , +and +.Fn X509_PUBKEY_get +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn d2i_PUBKEY +and +.Fn i2d_PUBKEY +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . +.Pp +.Fn d2i_PUBKEY_bio , +.Fn d2i_PUBKEY_fp , +.Fn i2d_PUBKEY_fp , +and +.Fn i2d_PUBKEY_bio +first appeared in OpenSSL 0.9.6 and have been available since +.Ox 2.9 . +.Pp +.Fn X509_PUBKEY_set0_param +and +.Fn X509_PUBKEY_get0_param +first appeared in OpenSSL 1.0.0 and have been available since +.Ox 4.9 . +.Pp +.Fn X509_PUBKEY_get0 +first appeared in OpenSSL 1.1.0 and has been available since +.Ox 6.3 . diff --git a/lib/libcrypto/man/X509_REQ_new.3 b/lib/libcrypto/man/X509_REQ_new.3 index 76da125898..baa31a6c8c 100644 --- a/lib/libcrypto/man/X509_REQ_new.3 +++ b/lib/libcrypto/man/X509_REQ_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_REQ_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: X509_REQ_new.3,v 1.3 2018/03/21 03:16:08 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt X509_REQ_NEW 3 .Os .Sh NAME 
@@ -82,3 +82,11 @@ if an error occurs. .Xr X509_REQ_sign 3 .Sh STANDARDS RFC 2986: PKCS #10: Certification Request Syntax Specification +.Sh HISTORY +.Fn X509_REQ_new , +.Fn X509_REQ_free , +.Fn X509_REQ_INFO_new , +and +.Fn X509_REQ_INFO_free +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/X509_REVOKED_new.3 b/lib/libcrypto/man/X509_REVOKED_new.3 index f06075fcc2..65d3470b40 100644 --- a/lib/libcrypto/man/X509_REVOKED_new.3 +++ b/lib/libcrypto/man/X509_REVOKED_new.3 @@ -1,5 +1,6 @@ -.\" $OpenBSD: X509_REVOKED_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $ -.\" OpenSSL X509_CRL_get0_by_serial.pod 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: X509_REVOKED_new.3,v 1.8 2018/03/23 23:18:17 schwarze Exp $ +.\" full merge up to: +.\" OpenSSL man3/X509_CRL_get0_by_serial cdd6c8c5 Mar 20 12:29:37 2017 +0100 .\" .\" This file is a derived work. .\" The changes are covered by the following Copyright and license: @@ -65,21 +66,36 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt X509_REVOKED_NEW 3 .Os .Sh NAME .Nm X509_REVOKED_new , +.Nm X509_REVOKED_dup , .Nm X509_REVOKED_free , +.Nm X509_REVOKED_get0_serialNumber , +.Nm X509_REVOKED_get0_revocationDate , .Nm X509_REVOKED_set_serialNumber , .Nm X509_REVOKED_set_revocationDate -.Nd create and change an X.509 CRL revoked entry +.Nd create, change, and inspect an X.509 CRL revoked entry .Sh SYNOPSIS .In openssl/x509.h .Ft X509_REVOKED * .Fn X509_REVOKED_new void +.Ft X509_REVOKED * +.Fo X509_REVOKED_dup +.Fa "X509_REVOKED *r" +.Fc .Ft void .Fn X509_REVOKED_free "X509_REVOKED *r" +.Ft const ASN1_INTEGER * +.Fo X509_REVOKED_get0_serialNumber +.Fa "const X509_REVOKED *r" +.Fc +.Ft const ASN1_TIME * +.Fo X509_REVOKED_get0_revocationDate +.Fa "const X509_REVOKED *r" +.Fc .Ft int .Fo X509_REVOKED_set_serialNumber .Fa "X509_REVOKED *r" 
@@ -104,6 +120,10 @@ objects and can hold information about one revoked certificate including issuer names, serial number, revocation date, and revocation reason. .Pp +.Fn X509_REVOKED_dup +creates a deep copy of +.Fa r . +.Pp .Fn X509_REVOKED_free frees .Fa r . @@ -127,12 +147,22 @@ The supplied pointer is not used internally so it should be freed up after use. .Sh RETURN VALUES .Fn X509_REVOKED_new -returns the new +and +.Fn X509_REVOKED_dup +return the new .Vt X509_REVOKED object or .Dv NULL if an error occurs. .Pp +.Fn X509_REVOKED_get0_serialNumber +returns an internal pointer to the serial number of +.Fa r . +.Pp +.Fn X509_REVOKED_get0_revocationDate +returns an internal pointer to the revocation date of +.Fa r . +.Pp .Fn X509_REVOKED_set_serialNumber and .Fn X509_REVOKED_set_revocationDate @@ -141,7 +171,31 @@ return 1 for success or 0 for failure. .Xr d2i_X509_CRL 3 , .Xr ERR_get_error 3 , .Xr PEM_read_X509_CRL 3 , -.Xr X509_CRL_get0_by_serial 3 +.Xr X509_CRL_get0_by_serial 3 , +.Xr X509_EXTENSION_new 3 , +.Xr X509_REVOKED_get_ext 3 , +.Xr X509_REVOKED_get_ext_d2i 3 .Sh STANDARDS RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, section 5.1: CRL Fields +.Sh HISTORY +.Fn X509_REVOKED_new +and +.Fn X509_REVOKED_free +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn X509_REVOKED_set_serialNumber +and +.Fn X509_REVOKED_set_revocationDate +first appeared in OpenSSL 0.9.7 and have been available since +.Ox 3.2 . +.Pp +.Fn X509_REVOKED_dup +first appeared in OpenSSL 1.0.2. +.Fn X509_REVOKED_get0_serialNumber +and +.Fn X509_REVOKED_get0_revocationDate +first appeared in OpenSSL 1.1.0. +These functions have been available since +.Ox 6.3 . diff --git a/lib/libcrypto/man/X509_SIG_new.3 b/lib/libcrypto/man/X509_SIG_new.3 index 6d41ababc6..ee96861519 100644 --- a/lib/libcrypto/man/X509_SIG_new.3 +++ b/lib/libcrypto/man/X509_SIG_new.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_SIG_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $ +.\" $OpenBSD: X509_SIG_new.3,v 1.3 2018/03/21 03:16:08 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt X509_SIG_NEW 3 .Os .Sh NAME @@ -59,3 +59,9 @@ section 9: Signed-data content type .Pp RFC 8017: PKCS #1: RSA Cryptography Specifications, section 9: Encoding Methods for Signatures +.Sh HISTORY +.Fn X509_SIG_new +and +.Fn X509_SIG_free +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/X509_STORE_CTX_get_error.3 b/lib/libcrypto/man/X509_STORE_CTX_get_error.3 index 3a871ef307..6d575139d5 100644 --- a/lib/libcrypto/man/X509_STORE_CTX_get_error.3 +++ b/lib/libcrypto/man/X509_STORE_CTX_get_error.3 @@ -1,5 +1,9 @@ -.\" $OpenBSD: X509_STORE_CTX_get_error.3,v 1.5 2016/12/25 22:15:10 schwarze Exp $ -.\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400 +.\" $OpenBSD: X509_STORE_CTX_get_error.3,v 1.10 2018/03/23 23:18:17 schwarze Exp $ +.\" full merge up to: +.\" OpenSSL crypto/X509_STORE_CTX_get_error f0e0fd51 Apr 14 23:59:26 2016 -0400 +.\" selective merge up to: +.\" OpenSSL man3/X509_STORE_CTX_get_error 2947af32 Nov 19 00:10:05 2016 +0100 +.\" OpenSSL man3/X509_STORE_CTX_new 7643a172 Apr 21 13:35:51 2017 +0200 .\" .\" This file was written by Dr. Stephen Henson . .\" Copyright (c) 2009, 2013, 2015, 2016 The OpenSSL Project. @@ -49,7 +53,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt X509_STORE_CTX_GET_ERROR 3 .Os .Sh NAME 
@@ -57,6 +61,8 @@
 .Nm X509_STORE_CTX_set_error ,
 .Nm X509_STORE_CTX_get_error_depth ,
 .Nm X509_STORE_CTX_get_current_cert ,
+.Nm X509_STORE_CTX_get0_cert ,
+.Nm X509_STORE_CTX_get0_chain ,
 .Nm X509_STORE_CTX_get1_chain ,
 .Nm X509_verify_cert_error_string
 .Nd get or set certificate verification status information
@@ -79,6 +85,14 @@
 .Fo X509_STORE_CTX_get_current_cert
 .Fa "X509_STORE_CTX *ctx"
 .Fc
+.Ft X509 *
+.Fo X509_STORE_CTX_get0_cert
+.Fa "X509_STORE_CTX *ctx"
+.Fc
+.Ft STACK_OF(X509) *
+.Fo X509_STORE_CTX_get0_chain
+.Fa "X509_STORE_CTX *ctx"
+.Fc
 .Ft STACK_OF(X509) *
 .Fo X509_STORE_CTX_get1_chain
 .Fa "X509_STORE_CTX *ctx"
@@ -122,19 +136,19 @@ which caused the error or
 .Dv NULL
 if no certificate is relevant.
 .Pp
-.Fn X509_STORE_CTX_get1_chain
-returns a complete validate chain if a previous call to
+.Fn X509_STORE_CTX_get0_chain
+returns an internal pointer to a complete validate chain
+if a previous call to
 .Xr X509_verify_cert 3
-is successful.
+was successful.
 If the call to
 .Xr X509_verify_cert 3
-is
-.Sy not
-successful, the returned chain may be incomplete or invalid.
-The returned chain persists after the
+was not successful, the returned chain may be incomplete or invalid.
+.Fn X509_STORE_CTX_get1_chain
+returns a deep copy of the same chain which persists even after the
 .Fa ctx
 structure is freed.
-When it is no longer needed, it should be freed up using
+When it is no longer needed, it should be freed using
 .Fn sk_X509_pop_free chain X509_free .
 .Pp
 .Fn X509_verify_cert_error_string
@@ -172,6 +186,17 @@ returns the certificate which caused the error or .Dv NULL if no certificate is relevant to the error. .Pp +.Fn X509_STORE_CTX_get0_cert +retrieves an internal pointer to the certificate being verified by +.Fa ctx . +.Pp +.Fn X509_STORE_CTX_get0_chain +and +.Fn X509_STORE_CTX_get1_chain +return a pointer to a stack of certificates or +.Dv NULL +if an error occurs. +.Pp .Fn X509_verify_cert_error_string returns a human readable error string for verification error .Fa n . @@ -346,4 +371,25 @@ An application specific error. This will never be returned unless explicitly set by an application. .El .Sh SEE ALSO +.Xr X509_STORE_CTX_new 3 , +.Xr X509_up_ref 3 , .Xr X509_verify_cert 3 +.Sh HISTORY +.Fn X509_STORE_CTX_get_error , +.Fn X509_STORE_CTX_set_error , +.Fn X509_STORE_CTX_get_error_depth , +.Fn X509_STORE_CTX_get_current_cert , +and +.Fn X509_verify_cert_error_string +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn X509_STORE_CTX_get1_chain +first appeared in OpenSSL 0.9.5 and has been available since +.Ox 2.7 . +.Pp +.Fn X509_STORE_CTX_get0_cert +and +.Fn X509_STORE_CTX_get0_chain +first appeared in OpenSSL 1.1.0 and have been available since +.Ox 6.3 . diff --git a/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3 b/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3 index a900b8e7fa..658bc97097 100644 --- a/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3 +++ b/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_STORE_CTX_get_ex_new_index.3,v 1.3 2016/12/10 20:13:59 schwarze Exp $ +.\" $OpenBSD: X509_STORE_CTX_get_ex_new_index.3,v 1.4 2018/03/21 07:41:44 schwarze Exp $ .\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400 .\" .\" This file was written by Dr. Stephen Henson . 
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 10 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt X509_STORE_CTX_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -101,4 +101,5 @@ structure.
 .Fn X509_STORE_CTX_set_ex_data ,
 and
 .Fn X509_STORE_CTX_get_ex_data
-are available since OpenSSL 0.9.5.
+first appeared in SSLeay 0.9.0 and have been available since
+.Ox 2.4 .
diff --git a/lib/libcrypto/man/X509_STORE_CTX_new.3 b/lib/libcrypto/man/X509_STORE_CTX_new.3
index 50e50fd5ad..501e2b0e78 100644
--- a/lib/libcrypto/man/X509_STORE_CTX_new.3
+++ b/lib/libcrypto/man/X509_STORE_CTX_new.3
@@ -1,8 +1,10 @@
-.\" $OpenBSD: X509_STORE_CTX_new.3,v 1.5 2017/01/07 03:01:44 schwarze Exp $
-.\" OpenSSL 186bb907 Apr 13 11:05:13 2015 -0700
+.\" $OpenBSD: X509_STORE_CTX_new.3,v 1.17 2018/03/23 23:18:17 schwarze Exp $
+.\" full merge up to: OpenSSL 186bb907 Apr 13 11:05:13 2015 -0700
+.\" selective merge up to: OpenSSL 7643a172 Apr 21 13:35:51 2017 +0200
 .\"
-.\" This file was written by Dr. Stephen Henson .
-.\" Copyright (c) 2009, 2015 The OpenSSL Project. All rights reserved.
+.\" This file was written by Dr. Stephen Henson
+.\" and Rich Salz .
+.\" Copyright (c) 2009, 2015, 2016 The OpenSSL Project. All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -48,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 7 2017 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt X509_STORE_CTX_NEW 3
 .Os
 .Sh NAME
@@ -56,12 +58,17 @@ .Nm X509_STORE_CTX_cleanup , .Nm X509_STORE_CTX_free , .Nm X509_STORE_CTX_init , +.Nm X509_STORE_CTX_get0_store , +.Nm X509_STORE_CTX_set0_trusted_stack , .Nm X509_STORE_CTX_trusted_stack , .Nm X509_STORE_CTX_set_cert , +.\" X509_STORE_CTX_get0_chain moved to X509_STORE_CTX_get_error(3) .Nm X509_STORE_CTX_set_chain , .Nm X509_STORE_CTX_set0_crls , .Nm X509_STORE_CTX_get0_param , .Nm X509_STORE_CTX_set0_param , +.Nm X509_STORE_CTX_get0_untrusted , +.Nm X509_STORE_CTX_set0_untrusted , .Nm X509_STORE_CTX_set_default .Nd X509_STORE_CTX initialisation .Sh SYNOPSIS @@ -83,6 +90,15 @@ .Fa "X509 *x509" .Fa "STACK_OF(X509) *chain" .Fc +.Ft X509_STORE * +.Fo X509_STORE_CTX_get0_store +.Fa "X509_STORE_CTX *ctx" +.Fc +.Ft void +.Fo X509_STORE_CTX_set0_trusted_stack +.Fa "X509_STORE_CTX *ctx" +.Fa "STACK_OF(X509) *sk" +.Fc .Ft void .Fo X509_STORE_CTX_trusted_stack .Fa "X509_STORE_CTX *ctx" @@ -117,6 +133,15 @@ .Fa "X509_STORE_CTX *ctx" .Fa "const char *name" .Fc +.Ft STACK_OF(X509)* +.Fo X509_STORE_CTX_get0_untrusted +.Fa "X509_STORE_CTX *ctx" +.Fc +.Ft void +.Fo X509_STORE_CTX_set0_untrusted +.Fa "X509_STORE_CTX *ctx" +.Fa "STACK_OF(X509) *sk" +.Fc .Sh DESCRIPTION These functions initialise an .Vt X509_STORE_CTX @@ -166,7 +191,13 @@ and parameters can be .Dv NULL . .Pp -.Fn X509_STORE_CTX_trusted_stack +.Fn X509_STORE_CTX_get0_store +returns an internal pointer to the trusted certificate +.Fa store +that was set with +.Fn X509_STORE_CTX_init . +.Pp +.Fn X509_STORE_CTX_set0_trusted_stack sets the set of trusted certificates of .Fa ctx to @@ -174,6 +205,9 @@ to This is an alternative way of specifying trusted certificates instead of using an .Vt X509_STORE . +.Fn X509_STORE_CTX_trusted_stack +is a deprecated alias for +.Fn X509_STORE_CTX_set0_trusted_stack . .Pp .Fn X509_STORE_CTX_set_cert sets the certificate to be verified in 
@@ -213,10 +247,22 @@ should not be used.
 looks up and sets the default verification method to
 .Fa name .
 This uses the function
-.Fn X509_VERIFY_PARAM_lookup
+.Xr X509_VERIFY_PARAM_lookup 3
 to find an appropriate set of parameters from
 .Fa name .
 .Pp
+.Fn X509_STORE_CTX_get0_untrusted
+retrieves an internal pointer
+to the stack of untrusted certificates associated with
+.Fa ctx .
+.Pp
+.Fn X509_STORE_CTX_set0_untrusted
+sets the internal pointer
+to the stack of untrusted certificates associated with
+.Fa ctx
+to
+.Fa sk .
+.Pp
 The certificates and CRLs in a store are used internally and should
 .Sy not
 be freed up until after the associated
@@ -250,6 +296,13 @@ if an error occurred.
 .Fn X509_STORE_CTX_init
 returns 1 for success or 0 if an error occurred.
 .Pp
+.Fn X509_STORE_CTX_get0_store
+returns a pointer to the trusted certificate store or
+.Dv NULL
+if
+.Fa ctx
+was not initialised.
+.Pp
 .Fn X509_STORE_CTX_get0_param
 returns a pointer to an
 .Vt X509_VERIFY_PARAM
@@ -257,24 +310,53 @@ structure or
 .Dv NULL
 if an error occurred.
 .Pp
-.Fn X509_STORE_CTX_cleanup ,
-.Fn X509_STORE_CTX_free ,
-.Fn X509_STORE_CTX_trusted_stack ,
-.Fn X509_STORE_CTX_set_cert ,
-.Fn X509_STORE_CTX_set_chain ,
-.Fn X509_STORE_CTX_set0_crls ,
-and
-.Fn X509_STORE_CTX_set0_param
-do not return values.
-.Pp
 .Fn X509_STORE_CTX_set_default
 returns 1 for success or 0 if an error occurred.
+.Pp
+.Fn X509_STORE_CTX_get0_untrusted
+returns an internal pointer.
 .Sh SEE ALSO
+.Xr X509_STORE_CTX_get_error 3 ,
+.Xr X509_STORE_new 3 ,
+.Xr X509_STORE_set1_param 3 ,
 .Xr X509_verify_cert 3 ,
 .Xr X509_VERIFY_PARAM_set_flags 3
 .Sh HISTORY
-.Fn X509_STORE_CTX_set0_crls
-was first added to OpenSSL 1.0.0.
+.Fn X509_STORE_CTX_cleanup ,
+.Fn X509_STORE_CTX_init ,
+.Fn X509_STORE_CTX_set_cert ,
+and
+.Fn X509_STORE_CTX_set_chain
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
+.Pp
+.Fn X509_STORE_CTX_new
+and
+.Fn X509_STORE_CTX_free
+first appeared in OpenSSL 0.9.5 and have been available since
+.Ox 2.7 .
+.Pp
+.Fn X509_STORE_CTX_trusted_stack
+first appeared in OpenSSL 0.9.6 and has been available since
+.Ox 2.9 .
+.Pp
+.Fn X509_STORE_CTX_set0_crls ,
+.Fn X509_STORE_CTX_get0_param ,
+.Fn X509_STORE_CTX_set0_param ,
+and
+.Fn X509_STORE_CTX_set_default
+first appeared in OpenSSL 0.9.8 and have been available since
+.Ox 4.5 .
+.Pp
+.Fn X509_STORE_CTX_get0_store
+first appeared in OpenSSL 1.0.2.
+.Fn X509_STORE_CTX_set0_trusted_stack ,
+.Fn X509_STORE_CTX_get0_untrusted ,
+and
+.Fn X509_STORE_CTX_set0_untrusted
+first appeared in OpenSSL 1.1.0.
+These functions have been available since
+.Ox 6.3 .
 .Sh BUGS
 The certificates and CRLs in a context are used internally and should
 .Sy not
diff --git a/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3 b/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
index e6cdb32434..0af222fbea 100644
--- a/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
+++ b/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_set_verify_cb.3,v 1.3 2016/12/05 13:39:33 schwarze Exp $
+.\" $OpenBSD: X509_STORE_CTX_set_verify_cb.3,v 1.4 2018/03/22 17:38:08 schwarze Exp $
 .\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 5 2016 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt X509_STORE_CTX_SET_VERIFY_CB 3
 .Os
 .Sh NAME
@@ -224,7 +224,8 @@ verify_callback(int ok, X509_STORE_CTX *ctx)
 .Xr X509_STORE_set_verify_cb_func 3
 .Sh HISTORY
 .Fn X509_STORE_CTX_set_verify_cb
-is available in all versions of SSLeay and OpenSSL.
+first appeared in OpenSSL 0.9.6c and has been available since
+.Ox 3.2 .
 .Sh CAVEATS
 In general a verification callback should
 .Sy NOT
diff --git a/lib/libcrypto/man/X509_STORE_load_locations.3 b/lib/libcrypto/man/X509_STORE_load_locations.3
index 8f1f41feac..9b42ce8f4d 100644
--- a/lib/libcrypto/man/X509_STORE_load_locations.3
+++ b/lib/libcrypto/man/X509_STORE_load_locations.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_load_locations.3,v 1.2 2017/01/07 08:46:13 jmc Exp $
+.\" $OpenBSD: X509_STORE_load_locations.3,v 1.4 2018/03/21 03:28:40 schwarze Exp $
 .\"
 .\" Copyright (c) 2017 Ingo Schwarze
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 7 2017 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt X509_STORE_LOAD_LOCATIONS 3
 .Os
 .Sh NAME
@@ -105,8 +105,15 @@ default directory for .Sh SEE ALSO .Xr SSL_CTX_load_verify_locations 3 , .Xr X509_LOOKUP_hash_dir 3 , +.Xr X509_STORE_new 3 , .Xr X509_STORE_set1_param 3 , .Xr X509_STORE_set_verify_cb 3 +.Sh HISTORY +.Fn X509_STORE_load_locations +and +.Fn X509_STORE_set_default_paths +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . .Sh BUGS By the time that adding a directory is found to have failed, the file and some other directories may already have been successfully loaded, diff --git a/lib/libcrypto/man/ASN1_OBJECT_new.3 b/lib/libcrypto/man/X509_STORE_new.3 similarity index 64% copy from lib/libcrypto/man/ASN1_OBJECT_new.3 copy to lib/libcrypto/man/X509_STORE_new.3 index e7c3540b3a..d450ec1f95 100644 --- a/lib/libcrypto/man/ASN1_OBJECT_new.3 +++ b/lib/libcrypto/man/X509_STORE_new.3 @@ -1,10 +1,11 @@ -.\" $OpenBSD: ASN1_OBJECT_new.3,v 1.8 2017/01/04 05:14:51 schwarze Exp $ -.\" OpenSSL 99d63d4 Mar 19 12:28:58 2016 -0400 +.\" $OpenBSD: X509_STORE_new.3,v 1.3 2018/03/23 23:18:17 schwarze Exp $ +.\" full merge up to: OpenSSL 05ea606a May 20 20:52:46 2016 -0400 +.\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file is a derived work. .\" The changes are covered by the following Copyright and license: .\" -.\" Copyright (c) 2017 Ingo Schwarze +.\" Copyright (c) 2018 Ingo Schwarze .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above 
@@ -18,8 +19,9 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" The original file was written by Dr. Stephen Henson.
-.\" Copyright (c) 2002, 2006 The OpenSSL Project. All rights reserved.
+.\" The original file was written by
+.\" Alessandro Ghedini .
+.\" Copyright (c) 2016 The OpenSSL Project. All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -65,76 +67,74 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 4 2017 $
-.Dt ASN1_OBJECT_NEW 3
+.Dd $Mdocdate: March 23 2018 $
+.Dt X509_STORE_NEW 3
 .Os
 .Sh NAME
-.Nm ASN1_OBJECT_new ,
-.Nm ASN1_OBJECT_free
-.Nd ASN.1 object identifiers
+.Nm X509_STORE_new ,
+.Nm X509_STORE_up_ref ,
+.Nm X509_STORE_free
+.Nd allocate and free X.509 certificate stores
 .Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft ASN1_OBJECT *
-.Fo ASN1_OBJECT_new
-.Fa void
+.In openssl/x509_vfy.h
+.Ft X509_STORE *
+.Fn X509_STORE_new void
+.Ft int
+.Fo X509_STORE_up_ref
+.Fa "X509_STORE *store"
 .Fc
 .Ft void
-.Fo ASN1_OBJECT_free
-.Fa "ASN1_OBJECT *a"
+.Fo X509_STORE_free
+.Fa "X509_STORE *store"
 .Fc
 .Sh DESCRIPTION
-.Fn ASN1_OBJECT_new
-allocates and initializes an empty
-.Vt ASN1_OBJECT
-object, representing an ASN.1 OBJECT IDENTIFIER.
-It can hold a short name, a long name, a numeric identifier (NID),
-and a sequence of integers identifying a node in the International
-Object Identifier tree as specified in ITU-T recommendation X.660.
-The new object is marked as dynamically allocated.
+.Fn X509_STORE_new
+allocates and initializes an empty X.509 certificate store
+and sets its reference count to 1.
 .Pp
-Application programs normally use utility functions like
-.Xr OBJ_nid2obj 3
-rather than using
-.Fn ASN1_OBJECT_new
-directly.
-.Pp
-.Fn ASN1_OBJECT_free
-has the following effects:
-.Pp
-All data contained in
-.Fa a
-that is marked as dynamically allocated is freed,
-and the respective fields of
-.Fa a
-become empty.
-Contained data not marked as dynamically allocated remains intact.
-.Pp
-If the object
-.Fa a
-itself is marked as dynamically allocated, it is freed.
-Otherwise, the pointer
-.Fa a
-remains valid.
+.Fn X509_STORE_up_ref
+increments the reference count of
+.Fa store
+by 1.
 .Pp
+.Fn X509_STORE_free
+decrements the reference count of
+.Fa store
+by 1.
+If the reference count reaches 0,
+all resources used by the store, including all certificates
+contained in it, are released and
+.Fa store
+itself is freed.
 If
-.Fa a
+.Fa store
 is a
 .Dv NULL
-pointer or if neither the object itself nor any of its content
-is marked as dynamically allocated, no action occurs.
+pointer, no action occurs.
 .Sh RETURN VALUES
-If the allocation fails,
-.Fn ASN1_OBJECT_new
-returns
+.Fn X509_STORE_new
+returns a newly created
+.Vt X509_STORE
+object or
 .Dv NULL
-and sets an error code that can be obtained by
-.Xr ERR_get_error 3 .
-Otherwise it returns a pointer to the new object.
+if an error occurs.
+.Pp
+.Fn X509_STORE_up_ref
+returns 1 for success and 0 for failure.
 .Sh SEE ALSO
-.Xr d2i_ASN1_OBJECT 3 ,
-.Xr OBJ_nid2obj 3
+.Xr PKCS7_verify 3 ,
+.Xr SSL_CTX_set_cert_store 3 ,
+.Xr X509_STORE_CTX_new 3 ,
+.Xr X509_STORE_load_locations 3 ,
+.Xr X509_STORE_set1_param 3 ,
+.Xr X509_STORE_set_verify_cb 3
 .Sh HISTORY
-.Fn ASN1_OBJECT_new
+.Fn X509_STORE_new
 and
-.Fn ASN1_OBJECT_free
-are available in all versions of SSLeay and OpenSSL.
+.Fn X509_STORE_free
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
+.Pp
+.Fn X509_STORE_up_ref
+first appeared in OpenSSL 1.1.0 and has been available since
+.Ox 6.3 .
diff --git a/lib/libcrypto/man/X509_STORE_set1_param.3 b/lib/libcrypto/man/X509_STORE_set1_param.3
dissimilarity index 91%
index 000058515e..d444eaf4f7 100644
--- a/lib/libcrypto/man/X509_STORE_set1_param.3
+++ b/lib/libcrypto/man/X509_STORE_set1_param.3
@@ -1,72 +1,217 @@
-.\" $OpenBSD: X509_STORE_set1_param.3,v 1.3 2017/01/06 22:46:06 schwarze Exp $
-.\" OpenSSL 99d63d46
-.\"
-.\" This file was written by Christian Heimes .
-.\" Copyright (c) 2016 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: January 6 2017 $
-.Dt X509_STORE_SET1_PARAM 3
-.Os
-.Sh NAME
-.Nm X509_STORE_set1_param
-.Nd set X509_STORE verification parameters
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft int
-.Fo X509_STORE_set1_param
-.Fa "X509_STORE *ctx"
-.Fa "X509_VERIFY_PARAM *pm"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_STORE_set1_param
-sets the verification parameters to
-.Fa pm
-for
-.Fa ctx .
-.Sh RETURN VALUES
-.Fn X509_STORE_set1_param
-returns 1 for success and 0 for failure.
+.\" $OpenBSD: X509_STORE_set1_param.3,v 1.12 2018/03/23 23:18:17 schwarze Exp $
+.\" content checked up to:
+.\" OpenSSL man3/X509_STORE_get0_param e90fc053 Jul 15 09:39:45 2017 -0400
+.\"
+.\" Copyright (c) 2018 Ingo Schwarze
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: March 23 2018 $
+.Dt X509_STORE_SET1_PARAM 3
+.Os
+.Sh NAME
+.Nm X509_STORE_set1_param ,
+.Nm X509_STORE_set_flags ,
+.Nm X509_STORE_set_purpose ,
+.Nm X509_STORE_set_trust ,
+.Nm X509_STORE_set_depth ,
+.Nm X509_STORE_add_cert ,
+.Nm X509_STORE_add_crl ,
+.Nm X509_STORE_get0_objects ,
+.Nm X509_STORE_get_ex_new_index ,
+.Nm X509_STORE_set_ex_data ,
+.Nm X509_STORE_get_ex_data
+.Nd get and set X509_STORE data
+.Sh SYNOPSIS
+.In openssl/x509_vfy.h
+.Ft int
+.Fo X509_STORE_set1_param
+.Fa "X509_STORE *store"
+.Fa "X509_VERIFY_PARAM *pm"
+.Fc
+.Ft int
+.Fo X509_STORE_set_flags
+.Fa "X509_STORE *store"
+.Fa "unsigned long flags"
+.Fc
+.Ft int
+.Fo X509_STORE_set_purpose
+.Fa "X509_STORE *store"
+.Fa "int purpose"
+.Fc
+.Ft int
+.Fo X509_STORE_set_trust
+.Fa "X509_STORE *store"
+.Fa "int trust"
+.Fc
+.Ft int
+.Fo X509_STORE_set_depth
+.Fa "X509_STORE *store"
+.Fa "int depth"
+.Fc
+.Ft int
+.Fo X509_STORE_add_cert
+.Fa "X509_STORE *store"
+.Fa "X509 *x"
+.Fc
+.Ft int
+.Fo X509_STORE_add_crl
+.Fa "X509_STORE *store"
+.Fa "X509_CRL *crl"
+.Fc
+.Ft STACK_OF(X509_OBJECT) *
+.Fo X509_STORE_get0_objects
+.Fa "X509_STORE *store"
+.Fc
+.Ft int
+.Fo X509_STORE_get_ex_new_index
+.Fa "long argl"
+.Fa "void *argp"
+.Fa "CRYPTO_EX_new *new_func"
+.Fa "CRYPTO_EX_dup *dup_func"
+.Fa "CRYPTO_EX_free *free_func"
+.Fc
+.Ft int
+.Fo X509_STORE_set_ex_data
+.Fa "X509_STORE *store"
+.Fa "int idx"
+.Fa "void *arg"
+.Fc
+.Ft void *
+.Fo X509_STORE_get_ex_data
+.Fa "X509_STORE *store"
+.Fa "int idx"
+.Fc
+.Sh DESCRIPTION
+.Fn X509_STORE_set1_param
+copies the verification parameters from
+.Fa pm
+into the verification parameter object contained in the
+.Fa store .
+.Pp
+.Fn X509_VERIFY_PARAM_set_flags ,
+.Fn X509_STORE_set_purpose ,
+.Fn X509_STORE_set_trust ,
+and
+.Fn X509_STORE_set_depth
+call
+.Fn X509_VERIFY_PARAM_set_flags ,
+.Fn X509_VERIFY_PARAM_set_purpose ,
+.Fn X509_VERIFY_PARAM_set_trust ,
+and
+.Fn X509_VERIFY_PARAM_set_depth
+on the verification parameter object contained in the
+.Fa store .
+.Pp
+.Fn X509_STORE_add_cert
+and
+.Fn X509_STORE_add_crl
+add the certificate
+.Fa x
+or the certificate revocation list
+.Fa crl
+to the
+.Fa store ,
+increasing its reference count by 1 in case of success.
+.Pp
+.Fn X509_STORE_get_ex_new_index ,
+.Fn X509_STORE_set_ex_data ,
+and
+.Fn X509_STORE_get_ex_data
+handle application specific data in
+.Vt X509_STORE
+objects.
+Their usage is identical to that of
+.Xr RSA_get_ex_new_index 3 ,
+.Xr RSA_set_ex_data 3 ,
+and
+.Xr RSA_get_ex_data 3 .
+.Sh RETURN VALUES
+.Fn X509_STORE_set1_param ,
+.Fn X509_STORE_set_purpose ,
+.Fn X509_STORE_set_trust ,
+and
+.Fn X509_STORE_set_ex_data
+return 1 for success or 0 for failure.
+.Pp
+.Fn X509_STORE_set_flags
+and
+.Fn X509_STORE_set_depth
+always return 1, indicating success.
+.Pp
+.Fn X509_STORE_add_cert
+and
+.Fn X509_STORE_add_crl
+return 1 for success or 0 for failure.
+For example, they fail if
+.Fa x
+or
+.Fa crl
+is a
+.Dv NULL
+pointer, if a certificate with the same subject name as
+.Fa x
+or a revocation list with the same issuer name as
+.Fa crl
+are already contained in the
+.Fa store ,
+or if memory allocation fails.
+.Pp
+.Fn X509_STORE_get0_objects
+returns an internal pointer to the stack of certificates, revocation lists,
+and private keys contained in the
+.Fa store .
+The returned pointer must not be freed by the calling application.
+.Pp
+.Fn X509_STORE_get_ex_new_index
+returns a new index or \-1 on failure.
+.Pp
+.Fn X509_STORE_get_ex_data
+returns the application data or
+.Dv NULL
+on failure.
+.Sh SEE ALSO
+.Xr SSL_set1_param 3 ,
+.Xr X509_OBJECT_get0_X509 3 ,
+.Xr X509_STORE_CTX_set0_param 3 ,
+.Xr X509_STORE_load_locations 3 ,
+.Xr X509_STORE_new 3 ,
+.Xr X509_VERIFY_PARAM_set_flags 3
+.Sh HISTORY
+.Fn X509_STORE_add_cert
+appeared before SSLeay 0.8.
+.Fn X509_STORE_add_crl
+first appeared in SSLeay 0.9.0.
+These functions have been available since
+.Ox 2.4 .
+.Pp
+.Fn X509_STORE_set_flags ,
+.Fn X509_STORE_set_purpose ,
+and
+.Fn X509_STORE_set_trust
+first appeared in OpenSSL 0.9.7 and have been available since
+.Ox 3.2 .
+.Pp
+.Fn X509_STORE_set1_param
+and
+.Fn X509_STORE_set_depth
+first appeared in OpenSSL 0.9.8 and have been available since
+.Ox 4.5 .
+.Pp
+.Fn X509_STORE_get0_objects ,
+.Fn X509_STORE_get_ex_new_index ,
+.Fn X509_STORE_set_ex_data ,
+and
+.Fn X509_STORE_get_ex_data
+first appeared in OpenSSL 1.1.0 and have been available since
+.Ox 6.3 .
diff --git a/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3 b/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
index 3baccfba77..03ec907fb3 100644
--- a/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
+++ b/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_set_verify_cb_func.3,v 1.4 2016/12/10 20:34:57 schwarze Exp $
+.\" $OpenBSD: X509_STORE_set_verify_cb_func.3,v 1.7 2018/03/23 23:18:17 schwarze Exp $
 .\" OpenSSL 05ea606a May 20 20:52:46 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 10 2016 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt X509_STORE_SET_VERIFY_CB_FUNC 3
 .Os
 .Sh NAME
@@ -92,13 +92,16 @@ and .Fn X509_STORE_set_verify_cb_func do not return a value. .Sh SEE ALSO -.Xr X509_STORE_CTX_set_verify_cb 3 +.Xr X509_STORE_CTX_set_verify_cb 3 , +.Xr X509_STORE_new 3 .Sh HISTORY .Fn X509_STORE_set_verify_cb_func -is available in all versions of SSLeay and OpenSSL. +appeared before SSLeay 0.8 and has been available since +.Ox 2.4 . .Pp .Fn X509_STORE_set_verify_cb -was added to OpenSSL 1.0.0. +first appeared in OpenSSL 1.0.0 and has been available since +.Ox 4.9 . .Sh BUGS The macro version of this function was the only one available before OpenSSL 1.0.0. diff --git a/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 index bb9b0e127b..4f3261c975 100644 --- a/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 +++ b/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 
@@ -1,8 +1,28 @@
-.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.5 2017/01/06 21:30:27 schwarze Exp $
-.\" OpenSSL 2b4ffc65 Dec 23 19:28:30 2013 +0100
+.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.12 2018/03/23 14:26:40 schwarze Exp $
+.\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
+.\" selective merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100
 .\"
-.\" This file was written by Dr. Stephen Henson .
-.\" Copyright (c) 2009, 2013 The OpenSSL Project. All rights reserved.
+.\" This file is a derived work.
+.\" The changes are covered by the following Copyright and license:
+.\"
+.\" Copyright (c) 2018 Ingo Schwarze
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The original file was written by Dr. Stephen Henson
+.\" and Viktor Dukhovni .
+.\" Copyright (c) 2009, 2013, 2014, 2015, 2016, 2017 The OpenSSL Project.
+.\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -48,10 +68,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 6 2017 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt X509_VERIFY_PARAM_SET_FLAGS 3
 .Os
 .Sh NAME
+.Nm X509_VERIFY_PARAM_new ,
+.Nm X509_VERIFY_PARAM_free ,
+.Nm X509_VERIFY_PARAM_get0_name ,
+.Nm X509_VERIFY_PARAM_set1_name ,
 .Nm X509_VERIFY_PARAM_set_flags ,
 .Nm X509_VERIFY_PARAM_clear_flags ,
 .Nm X509_VERIFY_PARAM_get_flags ,
@@ -61,10 +85,39 @@
 .Nm X509_VERIFY_PARAM_add0_policy ,
 .Nm X509_VERIFY_PARAM_set1_policies ,
 .Nm X509_VERIFY_PARAM_set_depth ,
-.Nm X509_VERIFY_PARAM_get_depth
+.Nm X509_VERIFY_PARAM_get_depth ,
+.Nm X509_VERIFY_PARAM_set1_host ,
+.Nm X509_VERIFY_PARAM_add1_host ,
+.Nm X509_VERIFY_PARAM_set_hostflags ,
+.Nm X509_VERIFY_PARAM_get0_peername ,
+.Nm X509_VERIFY_PARAM_set1_email ,
+.Nm X509_VERIFY_PARAM_set1_ip ,
+.Nm X509_VERIFY_PARAM_set1_ip_asc ,
+.Nm X509_VERIFY_PARAM_add0_table ,
+.Nm X509_VERIFY_PARAM_lookup ,
+.Nm X509_VERIFY_PARAM_get_count ,
+.Nm X509_VERIFY_PARAM_get0 ,
+.Nm X509_VERIFY_PARAM_table_cleanup
 .Nd X509 verification parameters
 .Sh SYNOPSIS
 .In openssl/x509_vfy.h
+.Ft X509_VERIFY_PARAM *
+.Fo X509_VERIFY_PARAM_new
+.Fa void
+.Fc
+.Ft void
+.Fo X509_VERIFY_PARAM_free
+.Fa "X509_VERIFY_PARAM *param"
+.Fc
+.Ft const char *
+.Fo X509_VERIFY_PARAM_get0_name
+.Fa "const X509_VERIFY_PARAM *param"
+.Fc
+.Ft int
+.Fo X509_VERIFY_PARAM_set1_name
+.Fa "X509_VERIFY_PARAM *param"
+.Fa "const char *name"
+.Fc
 .Ft int
 .Fo X509_VERIFY_PARAM_set_flags
 .Fa "X509_VERIFY_PARAM *param"
@@ -113,14 +166,112 @@
 .Fo X509_VERIFY_PARAM_get_depth
 .Fa "const X509_VERIFY_PARAM *param"
 .Fc
+.Ft int
+.Fo X509_VERIFY_PARAM_set1_host
+.Fa "X509_VERIFY_PARAM *param"
+.Fa "const char *name"
+.Fa "size_t namelen"
+.Fc
+.Ft int
+.Fo X509_VERIFY_PARAM_add1_host
+.Fa "X509_VERIFY_PARAM *param"
+.Fa "const char *name"
+.Fa "size_t namelen"
+.Fc
+.Ft void
+.Fo X509_VERIFY_PARAM_set_hostflags
+.Fa "X509_VERIFY_PARAM *param"
+.Fa "unsigned int flags"
+.Fc
+.Ft char *
+.Fo X509_VERIFY_PARAM_get0_peername
+.Fa "X509_VERIFY_PARAM *param"
+.Fc
+.Ft int
+.Fo X509_VERIFY_PARAM_set1_email
+.Fa "X509_VERIFY_PARAM *param"
+.Fa "const char *email"
+.Fa "size_t emaillen"
+.Fc
+.Ft int
+.Fo X509_VERIFY_PARAM_set1_ip
+.Fa "X509_VERIFY_PARAM *param"
+.Fa "const unsigned char *ip"
+.Fa "size_t iplen"
+.Fc
+.Ft int
+.Fo X509_VERIFY_PARAM_set1_ip_asc
+.Fa "X509_VERIFY_PARAM *param"
+.Fa "const char *ipasc"
+.Fc
+.Ft int
+.Fo X509_VERIFY_PARAM_add0_table
+.Fa "X509_VERIFY_PARAM *param"
+.Fc
+.Ft const X509_VERIFY_PARAM *
+.Fo X509_VERIFY_PARAM_lookup
+.Fa "const char *name"
+.Fc
+.Ft int
+.Fo X509_VERIFY_PARAM_get_count
+.Fa void
+.Fc
+.Ft const X509_VERIFY_PARAM *
+.Fo X509_VERIFY_PARAM_get0
+.Fa "int id"
+.Fc
+.Ft void
+.Fo X509_VERIFY_PARAM_table_cleanup
+.Fa void
+.Fc
 .Sh DESCRIPTION
-These functions manipulate the
+These functions manipulate an
 .Vt X509_VERIFY_PARAM
-structure associated with a certificate verification operation.
+object associated with a certificate verification operation.
+.Pp
+.Fn X509_VERIFY_PARAM_new
+allocates and initializes an empty
+.Vt X509_VERIFY_PARAM
+object.
+.Pp
+.Fn X509_VERIFY_PARAM_free
+clears all data contained in
+.Fa param
+and releases all memory used by it.
+If
+.Fa param
+is a
+.Dv NULL
+pointer, no action occurs.
+.Pp
+.Fn X509_VERIFY_PARAM_get0_name
+returns the name of the given
+.Fa param
+object, usually describing its purpose, for example
+.Qq default ,
+.Qq pkcs7 ,
+.Qq smime_sign ,
+.Qq ssl_client ,
+or
+.Qq ssl_server .
+For user-defined objects, the returned pointer may be
+.Dv NULL
+even if the object is otherwise valid.
+.Pp
+.Fn X509_VERIFY_PARAM_set1_name
+sets the name of
+.Fa param
+to a copy of
+.Fa name ,
+or to
+.Dv NULL
+if
+.Fa name
+is
+.Dv NULL .
 .Pp
-The
 .Fn X509_VERIFY_PARAM_set_flags
-function sets the flags in
+sets the flags in
 .Fa param
 by OR'ing it with
 .Fa flags .
@@ -182,26 +333,186 @@ sets the maximum verification depth to .Fa depth . That is the maximum number of untrusted CA certificates that can appear in a chain. +.Pp +.Fn X509_VERIFY_PARAM_set1_host +sets the expected DNS hostname to +.Fa name +clearing any previously specified host name or names. +If +.Fa name +is +.Dv NULL +or empty, the list of hostnames is cleared, and name checks are not +performed on the peer certificate. +If +.Fa name +is NUL-terminated, +.Fa namelen +may be zero, otherwise +.Fa namelen +must be set to the length of +.Fa name . +When a hostname is specified, certificate verification automatically +invokes +.Xr X509_check_host 3 +with flags equal to the +.Fa flags +argument given to +.Fn X509_VERIFY_PARAM_set_hostflags +(default zero). +.Pp +.Fn X509_VERIFY_PARAM_add1_host +adds +.Fa name +as an additional reference identifier that can match the peer's +certificate. +Any previous names set via +.Fn X509_VERIFY_PARAM_set1_host +and +.Fn X509_VERIFY_PARAM_add1_host +are retained. +No change is made if +.Fa name +is +.Dv NULL +or empty. +When multiple names are configured, the peer is considered verified when +any name matches. +.Pp +.Fn X509_VERIFY_PARAM_get0_peername +returns the DNS hostname or subject CommonName from the peer certificate +that matched one of the reference identifiers. +When wildcard matching is not disabled, or when a reference identifier +specifies a parent domain (starts with ".") rather than a hostname, the +peer name may be a wildcard name or a sub-domain of the reference +identifier respectively. +.Pp +.Fn X509_VERIFY_PARAM_set1_email +sets the expected RFC822 email address to +.Fa email . +If +.Fa email +is NUL-terminated, +.Fa emaillen +may be zero, otherwise +.Fa emaillen +must be set to the length of +.Fa email . +When an email address is specified, certificate verification +automatically invokes +.Xr X509_check_email 3 . +.Pp +.Fn X509_VERIFY_PARAM_set1_ip +sets the expected IP address to +.Fa ip . 
+The +.Fa ip +argument is in binary format, in network byte-order, and +.Fa iplen +must be set to 4 for IPv4 and 16 for IPv6. +When an IP address is specified, +certificate verification automatically invokes +.Xr X509_check_ip 3 . +.Pp +.Fn X509_VERIFY_PARAM_set1_ip_asc +sets the expected IP address to +.Fa ipasc . +The +.Fa ipasc +argument is a NUL-terminal ASCII string: +dotted decimal quad for IPv4 and colon-separated hexadecimal for IPv6. +The condensed "::" notation is supported for IPv6 addresses. +.Pp +.Fn X509_VERIFY_PARAM_add0_table +adds +.Fa param +to a static list of +.Vt X509_VERIFY_PARAM +objects maintained by the library. +This function is extremely dangerous because contrary to the name +of the function, if the list already contains an object that happens +to have the same name, that old object is not only silently removed +from the list, but also silently freed, which may silently invalidate +various pointers existing elsewhere in the program. +.Pp +.Fn X509_VERIFY_PARAM_lookup +searches this list for an object of the given +.Fa name . +If no match is found, the predefined objects built-in to the library +are also inspected. +.Pp +.Fn X509_VERIFY_PARAM_get_count +returns the sum of the number of objects on this list and the number +of predefined objects built-in to the library. +Note that this is not necessarily the total number of +.Vt X509_VERIFY_PARAM +objects existing in the program because there may be additional such +objects that were never added to the list. +.Pp +.Fn X509_VERIFY_PARAM_get0 +accesses predefined and user-defined objects using +.Fa id +as an index, useful for looping over objects without knowing their names. +An argument less than the number of predefined objects selects +one of the predefined objects; a higher argument selects an object +from the list. +.Pp +.Fn X509_VERIFY_PARAM_table_cleanup +deletes all objects from this list. 
+It is extremely dangerous because it also invalidates all data that +was contained in all objects that were on the list and because it +frees all these objects, which may invalidate various pointers +existing elsewhere in the program. .Sh RETURN VALUES +.Fn X509_VERIFY_PARAM_new +returns a pointer to the new object, or +.Dv NULL +on allocation failure. +.Pp +.Fn X509_VERIFY_PARAM_set1_name , .Fn X509_VERIFY_PARAM_set_flags , .Fn X509_VERIFY_PARAM_clear_flags , .Fn X509_VERIFY_PARAM_set_purpose , .Fn X509_VERIFY_PARAM_set_trust , .Fn X509_VERIFY_PARAM_add0_policy , +.Fn X509_VERIFY_PARAM_set1_policies , +.Fn X509_VERIFY_PARAM_set1_host , +.Fn X509_VERIFY_PARAM_add1_host , +.Fn X509_VERIFY_PARAM_set1_email , +.Fn X509_VERIFY_PARAM_set1_ip , +.Fn X509_VERIFY_PARAM_set1_ip_asc , and -.Fn X509_VERIFY_PARAM_set1_policies +.Fn X509_VERIFY_PARAM_add0_table return 1 for success or 0 for failure. .Pp .Fn X509_VERIFY_PARAM_get_flags returns the current verification flags. .Pp -.Fn X509_VERIFY_PARAM_set_time -and -.Fn X509_VERIFY_PARAM_set_depth -do not return values. -.Pp .Fn X509_VERIFY_PARAM_get_depth returns the current verification depth. +.Pp +.Fn X509_VERIFY_PARAM_get0_name +and +.Fn X509_VERIFY_PARAM_get0_peername +return pointers to strings that are only valid +during the lifetime of the given +.Fa param +object and that must not be freed by the application program. +.Pp +.Fn X509_VERIFY_PARAM_lookup +and +.Fn X509_VERIFY_PARAM_get0 +return a pointer to an existing built-in or user-defined object, or +.Dv NULL +if no object with the given +.Fa name +is found, or if +.Fa id +is at least +.Fn X509_VERIFY_PARAM_get_count . +.Pp +.Fn X509_VERIFY_PARAM_get_count +returns a number of objects. .Sh VERIFICATION FLAGS The verification flags consists of zero or more of the following flags OR'ed together. 
@@ -288,6 +599,46 @@ If this flag is set then additional status codes will be sent to the verification callback and it .Sy must be prepared to handle such cases without assuming they are hard errors. +.Pp +When +.Dv X509_V_FLAG_TRUSTED_FIRST +is set, construction of the certificate chain in +.Xr X509_verify_cert 3 +will search the trust store for issuer certificates before searching the +provided untrusted certificates. +Local issuer certificates are often more likely to satisfy local +security requirements and lead to a locally trusted root. +This is especially important when some certificates in the trust store +have explicit trust settings; see the trust settings options of the +.Cm x509 +command in +.Xr openssl 1 . +.Pp +The +.Dv X509_V_FLAG_NO_ALT_CHAINS +flag suppresses checking for alternative chains. +By default, unless +.Dv X509_V_FLAG_TRUSTED_FIRST +is set, when building a certificate chain, if the first certificate +chain found is not trusted, then OpenSSL will attempt to replace +untrusted certificates supplied by the peer with certificates from the +trust store to see if an alternative chain can be found that is trusted. +.Pp +The +.Dv X509_V_FLAG_PARTIAL_CHAIN +flag causes intermediate certificates in the trust store to be treated +as trust-anchors, in the same way as the self-signed root CA +certificates. +This makes it possible to trust certificates issued by an intermediate +CA without having to trust its ancestor root CA. +.Pp +The +.Dv X509_V_FLAG_NO_CHECK_TIME +flag suppresses checking the validity period of certificates and CRLs +against the current time. +If +.Fn X509_VERIFY_PARAM_set_time +is used to specify a verification time, the check is not suppressed. .Sh EXAMPLES Enable CRL checking when performing certificate verification during SSL connections associated with an 
@@ -296,13 +647,55 @@ structure .Fa ctx : .Bd -literal -offset indent X509_VERIFY_PARAM *param; + param = X509_VERIFY_PARAM_new(); X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); SSL_CTX_set1_param(ctx, param); X509_VERIFY_PARAM_free(param); .Ed .Sh SEE ALSO +.Xr SSL_set1_param 3 , +.Xr X509_check_host 3 , +.Xr X509_STORE_CTX_set0_param 3 , +.Xr X509_STORE_set1_param 3 , .Xr X509_verify_cert 3 +.Sh HISTORY +.Fn X509_VERIFY_PARAM_new , +.Fn X509_VERIFY_PARAM_free , +.Fn X509_VERIFY_PARAM_set1_name , +.Fn X509_VERIFY_PARAM_set_flags , +.Fn X509_VERIFY_PARAM_set_purpose , +.Fn X509_VERIFY_PARAM_set_trust , +.Fn X509_VERIFY_PARAM_set_time , +.Fn X509_VERIFY_PARAM_add0_policy , +.Fn X509_VERIFY_PARAM_set1_policies , +.Fn X509_VERIFY_PARAM_set_depth , +.Fn X509_VERIFY_PARAM_get_depth , +.Fn X509_VERIFY_PARAM_add0_table , +.Fn X509_VERIFY_PARAM_lookup , +and +.Fn X509_VERIFY_PARAM_table_cleanup +first appeared in OpenSSL 0.9.8. +.Fn X509_VERIFY_PARAM_clear_flags +and +.Fn X509_VERIFY_PARAM_get_flags +first appeared in OpenSSL 0.9.8a. +All these functions have been available since +.Ox 4.5 . +.Pp +.Fn X509_VERIFY_PARAM_get0_name +.Fn X509_VERIFY_PARAM_set1_host , +.Fn X509_VERIFY_PARAM_add1_host , +.Fn X509_VERIFY_PARAM_set_hostflags , +.Fn X509_VERIFY_PARAM_get0_peername , +.Fn X509_VERIFY_PARAM_set1_email , +.Fn X509_VERIFY_PARAM_set1_ip , +.Fn X509_VERIFY_PARAM_set1_ip_asc , +.Fn X509_VERIFY_PARAM_get_count , +and +.Fn X509_VERIFY_PARAM_get0 +first appeared in OpenSSL 1.0.2 and have been available since +.Ox 6.3 . .Sh BUGS Delta CRL checking is currently primitive. Only a single delta can be used and (partly due to limitations of diff --git a/lib/libcrypto/man/X509_check_ca.3 b/lib/libcrypto/man/X509_check_ca.3 index ee894ac445..0e7b7662b7 100644 --- a/lib/libcrypto/man/X509_check_ca.3 +++ b/lib/libcrypto/man/X509_check_ca.3 
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_check_ca.3,v 1.3 2017/01/06 19:19:54 schwarze Exp $
+.\" $OpenBSD: X509_check_ca.3,v 1.4 2018/03/22 22:07:12 schwarze Exp $
 .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Victor B. Wagner .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 6 2017 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt X509_CHECK_CA 3
 .Os
 .Sh NAME
@@ -90,3 +90,7 @@ that it is a CA certificate
 .Sh SEE ALSO
 .Xr X509_check_issued 3 ,
 .Xr X509_verify_cert 3
+.Sh HISTORY
+.Fn X509_check_ca
+first appeared in OpenSSL 0.9.7f and has been available since
+.Ox 3.8 .
diff --git a/lib/libcrypto/man/X509_check_host.3 b/lib/libcrypto/man/X509_check_host.3
index 5990670acb..f811f21884 100644
--- a/lib/libcrypto/man/X509_check_host.3
+++ b/lib/libcrypto/man/X509_check_host.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_check_host.3,v 1.2 2016/12/05 16:38:24 jmc Exp $
+.\" $OpenBSD: X509_check_host.3,v 1.3 2018/03/23 14:26:40 schwarze Exp $
 .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Florian Weimer and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 5 2016 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt X509_CHECK_HOST 3
 .Os
 .Sh NAME
@@ -233,4 +233,6 @@ returns -2 if the provided
 .Fa name
 contains embedded NUL bytes.
 .Sh HISTORY
-These functions were added in OpenSSL 1.0.2.
+These functions first appeared in OpenSSL 1.0.2
+and have been available since
+.Ox 6.1 .
diff --git a/lib/libcrypto/man/X509_check_issued.3 b/lib/libcrypto/man/X509_check_issued.3
index a6696123ac..393f3949b5 100644
--- a/lib/libcrypto/man/X509_check_issued.3
+++ b/lib/libcrypto/man/X509_check_issued.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_check_issued.3,v 1.2 2016/12/05 16:38:24 jmc Exp $
+.\" $OpenBSD: X509_check_issued.3,v 1.3 2018/03/22 17:11:04 schwarze Exp $
 .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Victor B. Wagner .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 5 2016 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt X509_CHECK_ISSUED 3
 .Os
 .Sh NAME
@@ -102,3 +102,7 @@ constant to indicate an error.
 .Sh SEE ALSO
 .Xr X509_check_ca 3 ,
 .Xr X509_verify_cert 3
+.Sh HISTORY
+.Fn X509_check_issued
+first appeared in OpenSSL 0.9.6 and has been available since
+.Ox 2.9 .
diff --git a/lib/libcrypto/man/X509_check_private_key.3 b/lib/libcrypto/man/X509_check_private_key.3
index 76192fece4..1a48478194 100644
--- a/lib/libcrypto/man/X509_check_private_key.3
+++ b/lib/libcrypto/man/X509_check_private_key.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_check_private_key.3,v 1.1 2017/08/20 23:18:53 schwarze Exp $
+.\" $OpenBSD: X509_check_private_key.3,v 1.3 2018/03/23 00:09:11 schwarze Exp $
 .\" OpenSSL X509_check_private_key.pod 09ddb878 Jun 5 03:56:07 2017 +0800
 .\"
 .\" Copyright (c) 2017 Ingo Schwarze
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 20 2017 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt X509_CHECK_PRIVATE_KEY 3
 .Os
 .Sh NAME
@@ -61,3 +61,11 @@ On error or mismatch, a reason code can be obtained using
 .Xr ERR_get_error 3 .
 .Sh SEE ALSO
 .Xr SSL_check_private_key 3
+.Sh HISTORY
+.Fn X509_check_private_key
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
+.Pp
+.Fn X509_REQ_check_private_key
+first appeared in OpenSSL 0.9.8 and has been available since
+.Ox 4.5 .
diff --git a/lib/libcrypto/man/X509_cmp_time.3 b/lib/libcrypto/man/X509_cmp_time.3
index 53ed122824..5a8922efd1 100644
--- a/lib/libcrypto/man/X509_cmp_time.3
+++ b/lib/libcrypto/man/X509_cmp_time.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_cmp_time.3,v 1.4 2017/04/10 17:14:44 schwarze Exp $
+.\" $OpenBSD: X509_cmp_time.3,v 1.7 2018/03/23 04:34:23 schwarze Exp $
 .\" OpenSSL X509_cmp_time.pod 24053693 Mar 28 14:27:37 2017 +0200
 .\"
 .\" This file was written by Emilia Kasper
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 10 2017 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt X509_CMP_TIME 3
 .Os
 .Sh NAME
@@ -137,3 +137,17 @@ on error.
 .Sh SEE ALSO
 .Xr ASN1_time_parse 3 ,
 .Xr time 3
+.Sh HISTORY
+.Fn X509_cmp_current_time
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
+.Pp
+.Fn X509_cmp_time
+and
+.Fn X509_time_adj
+first appeared in OpenSSL 0.9.6 and have been available since
+.Ox 2.9 .
+.Pp
+.Fn X509_time_adj_ex
+first appeared in OpenSSL 1.0.0 and has been available since
+.Ox 4.9 .
diff --git a/lib/libcrypto/man/X509_digest.3 b/lib/libcrypto/man/X509_digest.3
index eae69ea770..24a5e6239d 100644
--- a/lib/libcrypto/man/X509_digest.3
+++ b/lib/libcrypto/man/X509_digest.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_digest.3,v 1.1 2017/03/25 22:21:21 schwarze Exp $
+.\" $OpenBSD: X509_digest.3,v 1.5 2018/03/22 21:08:22 schwarze Exp $
 .\" OpenSSL X509_digest.pod 3ba4dac6 Mar 23 13:04:52 2017 -0400
 .\"
 .\" This file was written by Rich Salz
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 25 2017 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt X509_DIGEST 3
 .Os
 .Sh NAME
@@ -131,3 +131,20 @@ points to a place where the digest size will be stored.
 These functions return 1 for success or 0 for failure.
 .Sh SEE ALSO
 .Xr EVP_get_digestbyname 3
+.Sh HISTORY
+.Fn X509_digest ,
+.Fn X509_NAME_digest ,
+and
+.Fn PKCS7_ISSUER_AND_SERIAL_digest
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
+.Pp
+.Fn X509_CRL_digest
+and
+.Fn X509_REQ_digest
+first appeared in OpenSSL 0.9.6 and have been available since
+.Ox 2.9 .
+.Pp
+.Fn X509_pubkey_digest
+first appeared in OpenSSL 0.9.7 and has been available since
+.Ox 3.2 .
diff --git a/lib/libcrypto/man/X509_get0_notBefore.3 b/lib/libcrypto/man/X509_get0_notBefore.3
new file mode 100644
index 0000000000..334f70e599
--- /dev/null
+++ b/lib/libcrypto/man/X509_get0_notBefore.3
@@ -0,0 +1,158 @@
+.\" $OpenBSD: X509_get0_notBefore.3,v 1.4 2018/03/23 23:18:17 schwarze Exp $
+.\" content checked up to: OpenSSL 27b138e9 May 19 00:16:38 2017 +0000
+.\"
+.\" Copyright (c) 2018 Ingo Schwarze
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: March 23 2018 $
+.Dt X509_GET0_NOTBEFORE 3
+.Os
+.Sh NAME
+.Nm X509_get0_notBefore ,
+.Nm X509_get0_notAfter ,
+.Nm X509_getm_notBefore ,
+.Nm X509_getm_notAfter ,
+.Nm X509_CRL_get0_lastUpdate ,
+.Nm X509_CRL_get0_nextUpdate ,
+.Nm X509_set1_notBefore ,
+.Nm X509_set1_notAfter ,
+.Nm X509_CRL_set1_lastUpdate ,
+.Nm X509_CRL_set1_nextUpdate
+.Nd get and set certificate and CRL validity dates
+.Sh SYNOPSIS
+.In openssl/x509.h
+.Ft const ASN1_TIME *
+.Fo X509_get0_notBefore
+.Fa "const X509 *x"
+.Fc
+.Ft const ASN1_TIME *
+.Fo X509_get0_notAfter
+.Fa "const X509 *x"
+.Fc
+.Ft ASN1_TIME *
+.Fo X509_getm_notBefore
+.Fa "const X509 *x"
+.Fc
+.Ft ASN1_TIME *
+.Fo X509_getm_notAfter
+.Fa "const X509 *x"
+.Fc
+.Ft ASN1_TIME *
+.Fo X509_CRL_get0_lastUpdate
+.Fa "const X509_CRL *crl"
+.Fc
+.Ft ASN1_TIME *
+.Fo X509_CRL_get0_nextUpdate
+.Fa "const X509_CRL *crl"
+.Fc
+.Ft int
+.Fo X509_set1_notBefore
+.Fa "X509 *x"
+.Fa "const ASN1_TIME *tm"
+.Fc
+.Ft int
+.Fo X509_set1_notAfter
+.Fa "X509 *x"
+.Fa "const ASN1_TIME *tm"
+.Fc
+.Ft int
+.Fo X509_CRL_set1_lastUpdate
+.Fa "X509_CRL *crl"
+.Fa "const ASN1_TIME *tm"
+.Fc
+.Ft int
+.Fo X509_CRL_set1_nextUpdate
+.Fa "X509_CRL *crl"
+.Fa "const ASN1_TIME *tm"
+.Fc
+.Sh DESCRIPTION
+.Fn X509_getm_notBefore
+and
+.Fn X509_getm_notAfter
+return pointers to the
+.Fa notBefore
+and
+.Fa notAfter
+fields of the validity period of the certificate
+.Fa x ,
+respectively.
+.Pp
+.Fn X509_get0_notBefore
+and
+.Fn X509_get0_notAfter
+are identical except for the const qualifier on the return type.
+.Pp
+.Fn X509_CRL_get0_lastUpdate
+and
+.Fn X509_CRL_get0_nextUpdate
+return pointers to the
+.Fa lastUpdate
+and
+.Fa nextUpdate
+fields of
+.Fa crl .
+.Pp
+.Fn X509_set1_notBefore ,
+.Fn X509_set1_notAfter ,
+.Fn X509_CRL_set1_lastUpdate ,
+and
+.Fn X509_CRL_set1_nextUpdate
+set the
+.Fa notBefore ,
+.Fa notAfter ,
+.Fa lastUpdate ,
+or
+.Fa nextUpdate
+field of
+.Fa x
+or
+.Fa crl ,
+respectively, to a deep copy of
+.Fa tm
+and free the
+.Vt ASN1_TIME
+value that they replace.
+.Sh RETURN VALUES
+.Fn X509_get0_notBefore ,
+.Fn X509_get0_notAfter ,
+.Fn X509_getm_notBefore ,
+.Fn X509_getm_notAfter ,
+.Fn X509_CRL_get0_lastUpdate ,
+and
+.Fn X509_CRL_get0_nextUpdate
+return internal pointers which must not be freed by the application, or
+.Dv NULL
+if the requested fields are not available.
+.Pp
+.Fn X509_set1_notBefore ,
+.Fn X509_set1_notAfter ,
+.Fn X509_CRL_set1_lastUpdate ,
+and
+.Fn X509_CRL_set1_nextUpdate
+return 1 on success or 0 on failure.
+.Sh SEE ALSO
+.Xr ASN1_TIME_set 3 ,
+.Xr ASN1_TIME_set_tm 3 ,
+.Xr X509_cmp_time 3 ,
+.Xr X509_CRL_get0_by_serial 3 ,
+.Xr X509_CRL_new 3 ,
+.Xr X509_get_subject_name 3 ,
+.Xr X509_new 3 ,
+.Xr X509_sign 3 ,
+.Xr X509_VAL_new 3 ,
+.Xr X509_verify_cert 3
+.Sh HISTORY
+These functions first appeared in OpenSSL 1.1.0
+and have been available since
+.Ox 6.3 .
diff --git a/lib/libcrypto/man/X509_get_subject_name.3 b/lib/libcrypto/man/X509_get0_signature.3
similarity index 53%
copy from lib/libcrypto/man/X509_get_subject_name.3
copy to lib/libcrypto/man/X509_get0_signature.3
index 0fb2624fe3..a0982f2193 100644
--- a/lib/libcrypto/man/X509_get_subject_name.3
+++ b/lib/libcrypto/man/X509_get0_signature.3
@@ -1,5 +1,6 @@
-.\" $OpenBSD: X509_get_subject_name.3,v 1.2 2016/12/14 16:20:28 schwarze Exp $
-.\" OpenSSL 0ad69cd6 Jun 14 23:02:16 2016 +0200
+.\" $OpenBSD: X509_get0_signature.3,v 1.5 2018/03/23 23:18:17 schwarze Exp $
+.\" selective merge up to:
+.\" OpenSSL man3/X509_get0_signature 2f7a2520 Apr 25 17:28:08 2017 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson .
 .\" Copyright (c) 2015 The OpenSSL Project. All rights reserved.
@@ -48,123 +49,114 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 14 2016 $
-.Dt X509_GET_SUBJECT_NAME 3
+.Dd $Mdocdate: March 23 2018 $
+.Dt X509_GET0_SIGNATURE 3
 .Os
 .Sh NAME
-.Nm X509_get_subject_name ,
-.Nm X509_set_subject_name ,
-.Nm X509_get_issuer_name ,
-.Nm X509_set_issuer_name ,
-.Nm X509_REQ_get_subject_name ,
-.Nm X509_REQ_set_subject_name ,
-.Nm X509_CRL_get_issuer ,
-.Nm X509_CRL_set_issuer_name
-.Nd get and set issuer or subject names
+.Nm X509_get0_signature ,
+.Nm X509_REQ_get0_signature ,
+.Nm X509_CRL_get0_signature ,
+.Nm X509_get0_tbs_sigalg ,
+.Nm X509_get_signature_nid ,
+.Nm X509_REQ_get_signature_nid ,
+.Nm X509_CRL_get_signature_nid
+.Nd signature information
 .Sh SYNOPSIS
 .In openssl/x509.h
-.Ft X509_NAME *
-.Fo X509_get_subject_name
-.Fa "X509 *x"
+.Ft void
+.Fo X509_get0_signature
+.Fa "const ASN1_BIT_STRING **psig"
+.Fa "const X509_ALGOR **palg"
+.Fa "const X509 *x"
 .Fc
-.Ft int
-.Fo X509_set_subject_name
-.Fa "X509 *x"
-.Fa "X509_NAME *name"
+.Ft void
+.Fo X509_REQ_get0_signature
+.Fa "const X509_REQ *req"
+.Fa "const ASN1_BIT_STRING **psig"
+.Fa "const X509_ALGOR **palg"
 .Fc
-.Ft X509_NAME *
-.Fo X509_get_issuer_name
-.Fa "X509 *x"
+.Ft void
+.Fo X509_CRL_get0_signature
+.Fa "const X509_CRL *crl"
+.Fa "const ASN1_BIT_STRING **psig"
+.Fa "const X509_ALGOR **palg"
+.Fc
+.Ft const X509_ALGOR *
+.Fo X509_get0_tbs_sigalg
+.Fa "const X509 *x"
 .Fc
 .Ft int
-.Fo X509_set_issuer_name
-.Fa "X509 *x"
-.Fa "X509_NAME *name"
+.Fo X509_get_signature_nid
+.Fa "const X509 *x"
 .Fc
-.Ft X509_NAME *
-.Fo X509_REQ_get_subject_name
+.Ft int
+.Fo X509_REQ_get_signature_nid
 .Fa "const X509_REQ *req"
 .Fc
 .Ft int
-.Fo X509_REQ_set_subject_name
-.Fa "X509_REQ *req"
-.Fa "X509_NAME *name"
-.Fc
-.Ft X509_NAME *
-.Fo X509_CRL_get_issuer
+.Fo X509_CRL_get_signature_nid
 .Fa "const X509_CRL *crl"
 .Fc
-.Ft int
-.Fo X509_CRL_set_issuer_name
-.Fa "X509_CRL *x"
-.Fa "X509_NAME *name"
-.Fc
 .Sh DESCRIPTION
-.Fn X509_get_subject_name
-returns the subject name of certificate
-.Fa x .
-The returned value is an internal pointer which must not be freed.
-.Pp
-.Fn X509_set_subject_name
-sets the issuer name of certificate
-.Fa x
-to
-.Fa name .
-The
-.Fa name
-parameter is copied internally and should be freed up when it is no
-longer needed.
-.Pp
-.Fn X509_get_issuer_name
-and
-.Fn X509_set_issuer_name
-are identical to
-.Fn X509_get_subject_name
+.Fn X509_get0_signature ,
+.Fn X509_REQ_get0_signature ,
 and
-.Fn X509_set_subject_name
-except that they get and set the issuer name of
+.Fn X509_CRL_get0_signature
+set
+.Pf * Fa psig
+to the signature and
+.Pf * Fa palg
+to the signature algorithm of
+.Fa x ,
+.Fa req ,
+or
+.Fa crl ,
+respectively.
+.Fn X509_get0_tbs_sigalg
+returns the signature algorithm in the signed portion of
 .Fa x .
+The values returned are internal pointers
+that must not be freed by the caller.
 .Pp
-Similarly
-.Fn X509_REQ_get_subject_name ,
-.Fn X509_REQ_set_subject_name ,
-.Fn X509_CRL_get_issuer ,
+.Fn X509_get_signature_nid ,
+.Fn X509_REQ_get_signature_nid ,
 and
-.Fn X509_CRL_set_issuer_name
-get or set the subject or issuer names of certificate requests
-of CRLs, respectively.
+.Fn X509_CRL_get_signature_nid
+return the NID corresponding to the signature algorithm of
+.Fa x ,
+.Fa req ,
+or
+.Fa crl ,
+respectively.
 .Pp
-.Fn X509_REQ_get_subject_name
-and
-.Fn X509_CRL_get_issuer
-are implemented as macros.
-.Sh RETURN VALUES
-.Fn X509_get_subject_name ,
-.Fn X509_get_issuer_name ,
-.Fn X509_REQ_get_subject_name ,
-and
-.Fn X509_CRL_get_issuer
-return a pointer to an
-.Vt X509_NAME
-object.
-.Pp
-.Fn X509_set_subject_name ,
-.Fn X509_set_issuer_name ,
-.Fn X509_REQ_set_subject_name ,
-and
-.Fn X509_CRL_set_issuer_name
-return 1 for success or 0 for failure.
+These functions provide lower level access to the signature
+for cases where an application wishes to analyse or generate a
+signature in a form where
+.Xr X509_sign 3
+is not appropriate, for example in a non-standard or unsupported format.
 .Sh SEE ALSO
-.Xr d2i_X509_NAME 3 ,
-.Xr ERR_get_error 3 ,
+.Xr OBJ_obj2nid 3 ,
+.Xr X509_ALGOR_new 3 ,
 .Xr X509_CRL_get0_by_serial 3 ,
+.Xr X509_CRL_new 3 ,
 .Xr X509_get_pubkey 3 ,
-.Xr X509_NAME_add_entry_by_txt 3 ,
-.Xr X509_NAME_ENTRY_get_object 3 ,
-.Xr X509_NAME_get_index_by_NID 3 ,
-.Xr X509_NAME_new 3 ,
-.Xr X509_NAME_print_ex 3 ,
+.Xr X509_get_subject_name 3 ,
+.Xr X509_get_version 3 ,
 .Xr X509_new 3 ,
+.Xr X509_REQ_new 3 ,
 .Xr X509_sign 3 ,
-.Xr X509_verify_cert 3 ,
-.Xr X509V3_get_d2i 3
+.Xr X509_verify_cert 3
+.Sh HISTORY
+.Fn X509_get0_signature
+and
+.Fn X509_get_signature_nid
+first appeared in OpenSSL 1.0.2.
+.Fn X509_REQ_get0_signature ,
+.Fn X509_CRL_get0_signature ,
+.Fn X509_get0_tbs_sigalg ,
+.Fn X509_REQ_get_signature_nid ,
+and
+.Fn X509_CRL_get_signature_nid
+first appeared in OpenSSL 1.1.0.
+All these functions have been available since
+.Ox 6.3 .
diff --git a/lib/libcrypto/man/X509_get_pubkey.3 b/lib/libcrypto/man/X509_get_pubkey.3
index 8948f5cfda..e84ff0b18a 100644
--- a/lib/libcrypto/man/X509_get_pubkey.3
+++ b/lib/libcrypto/man/X509_get_pubkey.3
@@ -1,5 +1,5 @@
-.\" $OpenBSD: X509_get_pubkey.3,v 1.1 2016/12/05 18:24:08 schwarze Exp $
-.\" OpenSSL e7fabc5e Sep 7 13:41:20 2015 +0100
+.\" $OpenBSD: X509_get_pubkey.3,v 1.4 2018/03/23 23:18:17 schwarze Exp $
+.\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson .
 .\" Copyright (c) 2015 The OpenSSL Project. All rights reserved.
@@ -48,11 +48,12 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 5 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt X509_GET_PUBKEY 3 .Os .Sh NAME .Nm X509_get_pubkey , +.Nm X509_get0_pubkey , .Nm X509_set_pubkey , .Nm X509_get_X509_PUBKEY , .Nm X509_REQ_get_pubkey , @@ -64,6 +65,10 @@ .Fo X509_get_pubkey .Fa "X509 *x" .Fc +.Ft EVP_PKEY * +.Fo X509_get0_pubkey +.Fa "const X509 *x" +.Fc .Ft int .Fo X509_set_pubkey .Fa "X509 *x" @@ -90,6 +95,11 @@ If successful it returns the public key as an .Vt EVP_PKEY pointer with its reference count incremented: this means the returned key must be freed up after use. +.Fn X509_get0_pubkey +is similar except that it does not increment the reference count +of the returned +.Vt EVP_PKEY , +so it must not be freed up after use. .Pp .Fn X509_get_X509_PUBKEY returns an internal pointer to the @@ -122,6 +132,7 @@ Subsequent calls return the cached structure with its reference count incremented to improve performance. .Sh RETURN VALUES .Fn X509_get_pubkey , +.Fn X509_get0_pubkey , .Fn X509_get_X509_PUBKEY , and .Fn X509_REQ_get_pubkey @@ -145,3 +156,16 @@ return 1 for success or 0 for failure. .Xr X509_sign 3 , .Xr X509_verify_cert 3 , .Xr X509V3_get_d2i 3 +.Sh HISTORY +.Fn X509_get_pubkey , +.Fn X509_set_pubkey , +.Fn X509_get_X509_PUBKEY , +.Fn X509_REQ_get_pubkey , +and +.Fn X509_REQ_set_pubkey +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn X509_get0_pubkey +first appeared in OpenSSL 1.1.0 and has been available since +.Ox 6.3 . diff --git a/lib/libcrypto/man/X509_get_serialNumber.3 b/lib/libcrypto/man/X509_get_serialNumber.3 index 9f2b14ec10..fcc01a1389 100644 --- a/lib/libcrypto/man/X509_get_serialNumber.3 +++ b/lib/libcrypto/man/X509_get_serialNumber.3 
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get_serialNumber.3,v 1.1 2016/12/05 18:24:08 schwarze Exp $
+.\" $OpenBSD: X509_get_serialNumber.3,v 1.2 2018/03/21 03:16:08 schwarze Exp $
 .\" OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 5 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt X509_GET_SERIALNUMBER 3
 .Os
 .Sh NAME
@@ -109,4 +109,5 @@ returns 1 for success and 0 for failure.
 .Fn X509_get_serialNumber
 and
 .Fn X509_set_serialNumber
-are available in all versions of OpenSSL.
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
diff --git a/lib/libcrypto/man/X509_get_subject_name.3 b/lib/libcrypto/man/X509_get_subject_name.3
index 0fb2624fe3..89012ba370 100644
--- a/lib/libcrypto/man/X509_get_subject_name.3
+++ b/lib/libcrypto/man/X509_get_subject_name.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get_subject_name.3,v 1.2 2016/12/14 16:20:28 schwarze Exp $
+.\" $OpenBSD: X509_get_subject_name.3,v 1.5 2018/03/22 21:08:22 schwarze Exp $
 .\" OpenSSL 0ad69cd6 Jun 14 23:02:16 2016 +0200
 .\"
 .\" This file was written by Dr. Stephen Henson .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 14 2016 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt X509_GET_SUBJECT_NAME 3
 .Os
 .Sh NAME
@@ -168,3 +168,21 @@ return 1 for success or 0 for failure. .Xr X509_sign 3 , .Xr X509_verify_cert 3 , .Xr X509V3_get_d2i 3 +.Sh HISTORY +.Fn X509_get_subject_name , +.Fn X509_set_subject_name , +.Fn X509_get_issuer_name , +.Fn X509_set_issuer_name , +.Fn X509_REQ_get_subject_name , +and +.Fn X509_REQ_set_subject_name +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn X509_CRL_get_issuer +first appeared in OpenSSL 0.9.2b and has been available since +.Ox 2.6 . +.Pp +.Fn X509_CRL_set_issuer_name +first appeared in OpenSSL 0.9.7 and has been available since +.Ox 3.2 . diff --git a/lib/libcrypto/man/X509_get_version.3 b/lib/libcrypto/man/X509_get_version.3 index 6e35f3df31..0e238a9eb1 100644 --- a/lib/libcrypto/man/X509_get_version.3 +++ b/lib/libcrypto/man/X509_get_version.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_get_version.3,v 1.1 2016/12/05 18:24:08 schwarze Exp $ +.\" $OpenBSD: X509_get_version.3,v 1.4 2018/03/22 21:08:22 schwarze Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 5 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt X509_GET_VERSION 3 .Os .Sh NAME @@ -147,3 +147,19 @@ return 1 for success or 0 for failure. .Xr X509_sign 3 , .Xr X509_verify_cert 3 , .Xr X509V3_get_d2i 3 +.Sh HISTORY +.Fn X509_get_version , +.Fn X509_set_version , +.Fn X509_REQ_get_version , +and +.Fn X509_REQ_set_version +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn X509_CRL_get_version +first appeared in OpenSSL 0.9.2b and has been available since +.Ox 2.6 . +.Pp +.Fn X509_CRL_set_version +first appeared in OpenSSL 0.9.7 and has been available since +.Ox 3.2 . diff --git a/lib/libcrypto/man/X509_new.3 b/lib/libcrypto/man/X509_new.3 index dbf82bc974..4bfc430549 100644 --- a/lib/libcrypto/man/X509_new.3 
+++ b/lib/libcrypto/man/X509_new.3 @@ -1,8 +1,9 @@ -.\" $OpenBSD: X509_new.3,v 1.10 2016/12/25 22:15:10 schwarze Exp $ -.\" OpenSSL 3a59ad98 Dec 11 00:36:06 2015 +0000 +.\" $OpenBSD: X509_new.3,v 1.14 2018/03/23 23:18:17 schwarze Exp $ +.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . -.\" Copyright (c) 2002, 2006, 2015 The OpenSSL Project. All rights reserved. +.\" Copyright (c) 2002, 2006, 2015, 2016 The OpenSSL Project. +.\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -48,13 +49,14 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt X509_NEW 3 .Os .Sh NAME .Nm X509_new , .Nm X509_free , -.Nm X509_up_ref +.Nm X509_up_ref , +.Nm X509_chain_up_ref .Nd X.509 certificate object .Sh SYNOPSIS .In openssl/x509.h @@ -68,6 +70,10 @@ .Fo X509_up_ref .Fa "X509 *a" .Fc +.Ft STACK_OF(X509) * +.Fo X509_chain_up_ref +.Fa "STACK_OF(X509) *chain" +.Fc .Sh DESCRIPTION .Fn X509_new allocates and initializes an empty @@ -93,12 +99,24 @@ pointer, no action occurs. .Pp .Fn X509_up_ref increments the reference count of -.Fa a . +.Fa a +by 1. This function is useful if a certificate structure is being used by several different operations each of which will free it up after use: this avoids the need to duplicate the entire certificate structure. .Pp +.Fn X509_chain_up_ref +performs a shallow copy of the given +.Fa chain +using +.Fn sk_X509_dup +and increments the reference count of each contained certificate +by 1. +Its purpose is similar to +.Fn X509_up_ref : +The returned chain persists after the original is freed. +.Pp The object .Vt X509_INFO , which can hold a certificate, the corresponding private key, 
@@ -114,6 +132,13 @@ Otherwise it returns a pointer to the newly allocated structure. .Pp .Fn X509_up_ref returns 1 for success or 0 for failure. +.Pp +.Fn X509_chain_up_ref +returns the copy of the +.Fa chain +or +.Dv NULL +if an error occurs. .Sh SEE ALSO .Xr AUTHORITY_KEYID_new 3 , .Xr BASIC_CONSTRAINTS_new 3 , @@ -133,7 +158,16 @@ Certificate Revocation List (CRL) Profile .Fn X509_new and .Fn X509_free -are available in all versions of SSLeay and OpenSSL. +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn X509_up_ref +first appeared in OpenSSL 1.1.0 and has been available since +.Ox 6.1 . +.Pp +.Fn X509_chain_up_ref +first appeared in OpenSSL 1.0.2 and has been available since +.Ox 6.3 . .Sh BUGS The X.509 public key infrastructure and its data types contain too many design bugs to list them. diff --git a/lib/libcrypto/man/X509_sign.3 b/lib/libcrypto/man/X509_sign.3 index 2680f0b095..5341da6dc9 100644 --- a/lib/libcrypto/man/X509_sign.3 +++ b/lib/libcrypto/man/X509_sign.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_sign.3,v 1.1 2016/12/05 18:24:08 schwarze Exp $ +.\" $OpenBSD: X509_sign.3,v 1.4 2018/03/23 23:18:17 schwarze Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 5 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt X509_SIGN 3 .Os .Sh NAME 
@@ -190,13 +190,18 @@ some other error occurred, then -1 is returned. .Xr X509V3_get_d2i 3 .Sh HISTORY .Fn X509_sign , +.Fn X509_verify , .Fn X509_REQ_sign , +.Fn X509_REQ_verify , +.Fn X509_CRL_sign , and -.Fn X509_CRL_sign -are available in all versions of OpenSSL. +.Fn X509_CRL_verify +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . .Pp .Fn X509_sign_ctx , .Fn X509_REQ_sign_ctx , and .Fn X509_CRL_sign_ctx -were first added to OpenSSL 1.0.1. +first appeared in OpenSSL 1.0.1 and have been available since +.Ox 5.3 . diff --git a/lib/libcrypto/man/X509_verify_cert.3 b/lib/libcrypto/man/X509_verify_cert.3 index a930910e03..fda351809b 100644 --- a/lib/libcrypto/man/X509_verify_cert.3 +++ b/lib/libcrypto/man/X509_verify_cert.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_verify_cert.3,v 1.5 2017/01/03 06:29:04 beck Exp $ +.\" $OpenBSD: X509_verify_cert.3,v 1.6 2018/03/21 03:16:08 schwarze Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 3 2017 $ +.Dd $Mdocdate: March 21 2018 $ .Dt X509_VERIFY_CERT 3 .Os .Sh NAME @@ -83,7 +83,8 @@ using .Xr X509_STORE_CTX_get_error 3 .Sh HISTORY .Fn X509_verify_cert -is available in all versions of SSLeay and OpenSSL. +appeared before SSLeay 0.8 and has been available since +.Ox 2.4 . .Sh BUGS This function uses the header .In openssl/x509.h diff --git a/lib/libcrypto/man/X509v3_get_ext_by_NID.3 b/lib/libcrypto/man/X509v3_get_ext_by_NID.3 index b5e1981797..93517a5d28 100644 --- a/lib/libcrypto/man/X509v3_get_ext_by_NID.3 +++ b/lib/libcrypto/man/X509v3_get_ext_by_NID.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: X509v3_get_ext_by_NID.3,v 1.4 2017/07/05 11:43:09 schwarze Exp $ +.\" $OpenBSD: X509v3_get_ext_by_NID.3,v 1.6 2018/03/21 03:16:08 schwarze Exp $ .\" OpenSSL c952780c Jun 21 07:03:34 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 5 2017 $ +.Dd $Mdocdate: March 21 2018 $ .Dt X509V3_GET_EXT_BY_NID 3 .Os .Sh NAME @@ -385,4 +385,8 @@ returns a stack of extensions or on error. .Sh SEE ALSO .Xr X509_EXTENSION_new 3 , +.Xr X509_REVOKED_new 3 , .Xr X509V3_get_d2i 3 +.Sh HISTORY +These functions appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/crypto.3 b/lib/libcrypto/man/crypto.3 index 2bba237ad6..cbc8f1169c 100644 --- a/lib/libcrypto/man/crypto.3 +++ b/lib/libcrypto/man/crypto.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: crypto.3,v 1.16 2017/01/07 08:46:13 jmc Exp $ +.\" $OpenBSD: crypto.3,v 1.18 2018/02/27 20:43:41 schwarze Exp $ .\" OpenSSL a9c85cea Nov 11 09:33:55 2016 +0100 .\" .\" This file was written by Ulf Moeller and @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 7 2017 $ +.Dd $Mdocdate: February 27 2018 $ .Dt CRYPTO 3 .Os .Sh NAME @@ -63,8 +63,8 @@ implementations of TLS and S/MIME, and they have also been used to implement SSH, OpenPGP, and other cryptographic standards. .Pp .Sy Symmetric ciphers -including AES, Blowfish, CAST, Chacha20, IDEA, DES, RC2, RC4, and -RC5 are provided by the generic interface +including AES, Blowfish, CAST, Chacha20, IDEA, DES, RC2, and RC4 +are provided by the generic interface .Xr EVP_EncryptInit 3 . Low-level stand-alone interfaces include .Xr BF_set_key 3 , 
@@ -89,7 +89,6 @@ and .Sy Authentication codes and hash functions offered include .Xr HMAC 3 , -.Xr MD2 3 , .Xr MD4 3 , .Xr MD5 3 , .Xr RIPEMD160 3 , diff --git a/lib/libcrypto/man/d2i_ASN1_NULL.3 b/lib/libcrypto/man/d2i_ASN1_NULL.3 index 8efcee69f3..498f191a95 100644 --- a/lib/libcrypto/man/d2i_ASN1_NULL.3 +++ b/lib/libcrypto/man/d2i_ASN1_NULL.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_ASN1_NULL.3,v 1.1 2016/12/29 17:42:54 schwarze Exp $ +.\" $OpenBSD: d2i_ASN1_NULL.3,v 1.2 2018/03/22 16:06:33 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 29 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt D2I_ASN1_NULL 3 .Os .Sh NAME @@ -82,3 +82,9 @@ Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER), section 8.8: Encoding of null value +.Sh HISTORY +.Fn d2i_ASN1_NULL +and +.Fn i2d_ASN1_NULL +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . diff --git a/lib/libcrypto/man/d2i_ASN1_OBJECT.3 b/lib/libcrypto/man/d2i_ASN1_OBJECT.3 index 33cc93c0d9..687f97efef 100644 --- a/lib/libcrypto/man/d2i_ASN1_OBJECT.3 +++ b/lib/libcrypto/man/d2i_ASN1_OBJECT.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_ASN1_OBJECT.3,v 1.6 2017/01/05 08:24:38 jmc Exp $ +.\" $OpenBSD: d2i_ASN1_OBJECT.3,v 1.7 2018/03/20 18:35:13 schwarze Exp $ .\" OpenSSL 05ea606a May 20 20:52:46 2016 -0400 .\" .\" Copyright (c) 2017 Ingo Schwarze @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: January 5 2017 $ +.Dd $Mdocdate: March 20 2018 $ .Dt D2I_ASN1_OBJECT 3 .Os .Sh NAME 
@@ -74,6 +74,12 @@ or a value <= 0 if an error occurs. .Xr ASN1_item_d2i 3 , .Xr ASN1_OBJECT_new 3 , .Xr OBJ_nid2obj 3 +.Sh HISTORY +.Fn d2i_ASN1_OBJECT +and +.Fn i2d_ASN1_OBJECT +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . .Sh CAVEATS .Fn d2i_ASN1_OBJECT never sets the long and short names of the object, not even if the diff --git a/lib/libcrypto/man/d2i_ASN1_OCTET_STRING.3 b/lib/libcrypto/man/d2i_ASN1_OCTET_STRING.3 index 86ab27b342..451d5cdd77 100644 --- a/lib/libcrypto/man/d2i_ASN1_OCTET_STRING.3 +++ b/lib/libcrypto/man/d2i_ASN1_OCTET_STRING.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_ASN1_OCTET_STRING.3,v 1.5 2017/08/01 14:57:03 schwarze Exp $ +.\" $OpenBSD: d2i_ASN1_OCTET_STRING.3,v 1.11 2018/03/23 23:18:17 schwarze Exp $ .\" .\" Copyright (c) 2017 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: August 1 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt D2I_ASN1_OCTET_STRING 3 .Os .Sh NAME 
@@ -384,3 +384,59 @@ Specification of basic notation .Pp RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile +.Sh HISTORY +.Fn d2i_ASN1_OCTET_STRING , +.Fn i2d_ASN1_OCTET_STRING , +.Fn d2i_ASN1_BIT_STRING , +.Fn i2d_ASN1_BIT_STRING , +.Fn d2i_ASN1_INTEGER , +.Fn i2d_ASN1_INTEGER , +.Fn d2i_ASN1_IA5STRING , +.Fn i2d_ASN1_IA5STRING , +.Fn d2i_ASN1_T61STRING , +.Fn d2i_ASN1_PRINTABLESTRING , +.Fn d2i_ASN1_PRINTABLE , +.Fn i2d_ASN1_PRINTABLE , +.Fn d2i_ASN1_UTCTIME , +and +.Fn i2d_ASN1_UTCTIME +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . +.Pp +.Fn d2i_ASN1_BMPSTRING +and +.Fn i2d_ASN1_BMPSTRING +first appeared in SSLeay 0.9.1. +.Fn d2i_ASN1_ENUMERATED , +.Fn i2d_ASN1_ENUMERATED , +.Fn d2i_ASN1_GENERALIZEDTIME , +.Fn i2d_ASN1_GENERALIZEDTIME , +.Fn d2i_ASN1_TIME , +and +.Fn i2d_ASN1_TIME +first appeared in OpenSSL 0.9.2b. +.Fn d2i_ASN1_UINTEGER , +.Fn d2i_ASN1_UTF8STRING , +.Fn i2d_ASN1_UTF8STRING , +.Fn d2i_ASN1_VISIBLESTRING , +.Fn i2d_ASN1_VISIBLESTRING , +.Fn d2i_DIRECTORYSTRING , +.Fn i2d_DIRECTORYSTRING , +.Fn d2i_DISPLAYTEXT +and +.Fn i2d_DISPLAYTEXT +first appeared in OpenSSL 0.9.3. +These functions have been available since +.Ox 2.6 . +.Pp +.Fn i2d_ASN1_PRINTABLESTRING +first appeared in OpenSSL 0.9.5 and has been available since +.Ox 2.7 . +.Pp +.Fn d2i_ASN1_UNIVERSALSTRING , +.Fn i2d_ASN1_UNIVERSALSTRING , +.Fn d2i_ASN1_GENERALSTRING , +and +.Fn i2d_ASN1_GENERALSTRING +first appeared in OpenSSL 0.9.7 and have been available since +.Ox 3.2 . diff --git a/lib/libcrypto/man/d2i_ASN1_SEQUENCE_ANY.3 b/lib/libcrypto/man/d2i_ASN1_SEQUENCE_ANY.3 index f3ab6d98b5..0c4b6d728c 100644 --- a/lib/libcrypto/man/d2i_ASN1_SEQUENCE_ANY.3 +++ b/lib/libcrypto/man/d2i_ASN1_SEQUENCE_ANY.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_ASN1_SEQUENCE_ANY.3,v 1.1 2017/01/04 21:14:26 schwarze Exp $ +.\" $OpenBSD: d2i_ASN1_SEQUENCE_ANY.3,v 1.2 2018/03/23 04:34:23 schwarze Exp $ .\" .\" Copyright (c) 2017 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: January 4 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt D2I_ASN1_SEQUENCE_ANY 3 .Os .Sh NAME @@ -83,3 +83,11 @@ occurs. .Sh SEE ALSO .Xr ASN1_item_d2i 3 , .Xr ASN1_TYPE_new 3 +.Sh HISTORY +.Fn d2i_ASN1_SEQUENCE_ANY , +.Fn i2d_ASN1_SEQUENCE_ANY , +.Fn d2i_ASN1_SET_ANY , +and +.Fn i2d_ASN1_SET_ANY +first appeared in OpenSSL 1.0.0 and have been available since +.Ox 4.9 . diff --git a/lib/libcrypto/man/d2i_AUTHORITY_KEYID.3 b/lib/libcrypto/man/d2i_AUTHORITY_KEYID.3 index 2f46454d8b..413f41e179 100644 --- a/lib/libcrypto/man/d2i_AUTHORITY_KEYID.3 +++ b/lib/libcrypto/man/d2i_AUTHORITY_KEYID.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_AUTHORITY_KEYID.3,v 1.1 2016/12/28 20:36:33 schwarze Exp $ +.\" $OpenBSD: d2i_AUTHORITY_KEYID.3,v 1.2 2018/03/21 16:09:51 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 28 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt D2I_AUTHORITY_KEYID 3 .Os .Sh NAME @@ -67,3 +67,9 @@ section 4.2.1.1: Certificate Extensions: Authority Key Identifier .It section 5.2.1: CRL Extensions: Authority Key Identifier .El +.Sh HISTORY +.Fn d2i_AUTHORITY_KEYID +and +.Fn i2d_AUTHORITY_KEYID +first appeared in OpenSSL 0.9.2b and have been available since +.Ox 2.6 . diff --git a/lib/libcrypto/man/d2i_BASIC_CONSTRAINTS.3 b/lib/libcrypto/man/d2i_BASIC_CONSTRAINTS.3 index 968541627f..2964a1f90e 100644 --- a/lib/libcrypto/man/d2i_BASIC_CONSTRAINTS.3 
+++ b/lib/libcrypto/man/d2i_BASIC_CONSTRAINTS.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_BASIC_CONSTRAINTS.3,v 1.1 2016/12/28 20:36:33 schwarze Exp $ +.\" $OpenBSD: d2i_BASIC_CONSTRAINTS.3,v 1.3 2018/03/22 21:08:22 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 28 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt D2I_BASIC_CONSTRAINTS 3 .Os .Sh NAME @@ -92,3 +92,15 @@ if an error occurs. .Sh STANDARDS RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile +.Sh HISTORY +.Fn d2i_BASIC_CONSTRAINTS +and +.Fn i2d_BASIC_CONSTRAINTS +first appeared in OpenSSL 0.9.2b and have been available since +.Ox 2.6 . +.Pp +.Fn d2i_EXTENDED_KEY_USAGE +and +.Fn i2d_EXTENDED_KEY_USAGE +first appeared in OpenSSL 0.9.7 and have been available since +.Ox 3.2 . diff --git a/lib/libcrypto/man/d2i_DHparams.3 b/lib/libcrypto/man/d2i_DHparams.3 index b345af68ab..0a216dc507 100644 --- a/lib/libcrypto/man/d2i_DHparams.3 +++ b/lib/libcrypto/man/d2i_DHparams.3 @@ -1,9 +1,10 @@ -.\" $OpenBSD: d2i_DHparams.3,v 1.5 2016/12/10 22:22:59 schwarze Exp $ -.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: d2i_DHparams.3,v 1.7 2018/03/20 22:22:10 schwarze Exp $ +.\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800 .\" .\" This file was written by Ulf Moeller and .\" Dr. Stephen Henson . -.\" Copyright (c) 2000, 2002, 2015 The OpenSSL Project. All rights reserved. +.\" Copyright (c) 2000, 2002, 2015, 2017 The OpenSSL Project. +.\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions 
@@ -49,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 10 2016 $ +.Dd $Mdocdate: March 20 2018 $ .Dt D2I_DHPARAMS 3 .Os .Sh NAME @@ -76,6 +77,23 @@ They otherwise behave in a way similar to .Xr d2i_X509 3 and .Xr i2d_X509 3 . +.Sh RETURN VALUES +.Fn d2i_DHparams +returns a +.Vt DH +object or +.Dv NULL +if an error occurs. +.Pp +.Fn i2d_DHparams +returns the number of bytes successfully encoded or a value <= 0 +if an error occurs. .Sh SEE ALSO .Xr d2i_X509 3 , .Xr DH_new 3 +.Sh HISTORY +.Fn d2i_DHparams +and +.Fn i2d_DHparams +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/d2i_DIST_POINT.3 b/lib/libcrypto/man/d2i_DIST_POINT.3 index 8862d33635..34bdb26fb4 100644 --- a/lib/libcrypto/man/d2i_DIST_POINT.3 +++ b/lib/libcrypto/man/d2i_DIST_POINT.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_DIST_POINT.3,v 1.1 2016/12/28 20:36:33 schwarze Exp $ +.\" $OpenBSD: d2i_DIST_POINT.3,v 1.4 2018/03/23 04:34:23 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 28 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt D2I_DIST_POINT 3 .Os .Sh NAME 
@@ -175,3 +175,27 @@ if an error occurs. .Sh STANDARDS RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile +.Sh HISTORY +.Fn d2i_DIST_POINT , +.Fn i2d_DIST_POINT , +.Fn d2i_CRL_DIST_POINTS , +.Fn i2d_CRL_DIST_POINTS , +.Fn d2i_DIST_POINT_NAME , +and +.Fn i2d_DIST_POINT_NAME +first appeared in OpenSSL 0.9.3 and have been available since +.Ox 2.6 . +.Pp +.Fn d2i_ACCESS_DESCRIPTION , +.Fn i2d_ACCESS_DESCRIPTION , +.Fn d2i_AUTHORITY_INFO_ACCESS , +and +.Fn i2d_AUTHORITY_INFO_ACCESS +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . +.Pp +.Fn d2i_ISSUING_DIST_POINT +and +.Fn i2d_ISSUING_DIST_POINT +first appeared in OpenSSL 1.0.0 and have been available since +.Ox 4.9 . diff --git a/lib/libcrypto/man/d2i_DSAPublicKey.3 b/lib/libcrypto/man/d2i_DSAPublicKey.3 index 660159b376..103954c924 100644 --- a/lib/libcrypto/man/d2i_DSAPublicKey.3 +++ b/lib/libcrypto/man/d2i_DSAPublicKey.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_DSAPublicKey.3,v 1.8 2016/12/25 14:38:55 schwarze Exp $ +.\" $OpenBSD: d2i_DSAPublicKey.3,v 1.12 2018/03/22 16:06:33 schwarze Exp $ .\" OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt D2I_DSAPUBLICKEY 3 .Os .Sh NAME 
@@ -334,3 +334,34 @@ section 2.2.2: DSA Signature Algorithm .It section 2.3.2: DSA Signature Keys .El +.Sh HISTORY +.Fn d2i_DSAPublicKey , +.Fn i2d_DSAPublicKey , +.Fn d2i_DSAPrivateKey , +.Fn i2d_DSAPrivateKey , +.Fn d2i_DSAPrivateKey_bio , +.Fn d2i_DSAPrivateKey_fp , +.Fn i2d_DSAPrivateKey_bio , +.Fn i2d_DSAPrivateKey_fp , +.Fn d2i_DSAparams , +.Fn i2d_DSAparams , +and +.Fn DSAparams_dup +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn d2i_DSA_SIG +and +.Fn i2d_DSA_SIG +first appeared in OpenSSL 0.9.3 and have been available since +.Ox 2.6 . +.Pp +.Fn d2i_DSA_PUBKEY , +.Fn i2d_DSA_PUBKEY , +.Fn d2i_DSA_PUBKEY_bio , +.Fn d2i_DSA_PUBKEY_fp , +.Fn i2d_DSA_PUBKEY_bio , +and +.Fn i2d_DSA_PUBKEY_fp +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . diff --git a/lib/libcrypto/man/d2i_ECPKParameters.3 b/lib/libcrypto/man/d2i_ECPKParameters.3 index 6557d75d58..3637786b6b 100644 --- a/lib/libcrypto/man/d2i_ECPKParameters.3 +++ b/lib/libcrypto/man/d2i_ECPKParameters.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_ECPKParameters.3,v 1.10 2017/08/01 14:57:03 schwarze Exp $ +.\" $OpenBSD: d2i_ECPKParameters.3,v 1.11 2018/03/23 00:09:11 schwarze Exp $ .\" OpenSSL 05ea606a May 20 20:52:46 2016 -0400 .\" .\" This file is a derived work. @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 1 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt D2I_ECPKPARAMETERS 3 .Os .Sh NAME 
@@ -434,3 +434,34 @@ Private-Key Information Syntax Specification RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, section 4.1: Basic Certificate Fields +.Sh HISTORY +.Fn d2i_ECPKParameters , +.Fn i2d_ECPKParameters , +.Fn d2i_ECPKParameters_bio , +.Fn i2d_ECPKParameters_bio , +.Fn d2i_ECPKParameters_fP , +.Fn i2d_ECPKParameters_fp , +.Fn d2i_ECParameters , +.Fn i2d_ECParameters , +.Fn ECParameters_dup , +.Fn d2i_ECPrivateKey , +.Fn i2d_ECPrivateKey , +.Fn d2i_ECPrivateKey_bio , +.Fn i2d_ECPrivateKey_bio , +.Fn d2i_ECPrivateKey_fp , +.Fn i2d_ECPrivateKey_fp , +.Fn o2i_ECPublicKey , +.Fn i2o_ECPublicKey , +.Fn ECPKParameters_print , +.Fn ECPKParameters_print_fp , +.Fn ECParameters_print , +.Fn ECParameters_print_fp , +.Fn d2i_EC_PUBKEY , +.Fn i2d_EC_PUBKEY , +.Fn d2i_EC_PUBKEY_bio , +.Fn i2d_EC_PUBKEY_bio , +.Fn d2i_EC_PUBKEY_fp , +and +.Fn i2d_EC_PUBKEY_fp +first appeared in OpenSSL 0.9.8 and have been available since +.Ox 4.5 . diff --git a/lib/libcrypto/man/d2i_ESS_SIGNING_CERT.3 b/lib/libcrypto/man/d2i_ESS_SIGNING_CERT.3 index 31c3cc8e2b..c1d61d3b5e 100644 --- a/lib/libcrypto/man/d2i_ESS_SIGNING_CERT.3 +++ b/lib/libcrypto/man/d2i_ESS_SIGNING_CERT.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_ESS_SIGNING_CERT.3,v 1.1 2016/12/27 20:56:18 schwarze Exp $ +.\" $OpenBSD: d2i_ESS_SIGNING_CERT.3,v 1.2 2018/03/23 04:34:23 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 27 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt D2I_ESS_SIGNING_CERT 3 .Os .Sh NAME @@ -112,3 +112,7 @@ if an error occurs. .Sh STANDARDS RFC 2634: Enhanced Security Services for S/MIME, section 5: Signing Certificate Attribute +.Sh HISTORY +These functions first appeared in OpenSSL 1.0.0 +and have been available since +.Ox 4.9 . 
diff --git a/lib/libcrypto/man/d2i_GENERAL_NAME.3 b/lib/libcrypto/man/d2i_GENERAL_NAME.3 index 0340d1e51c..bfdcc6c67c 100644 --- a/lib/libcrypto/man/d2i_GENERAL_NAME.3 +++ b/lib/libcrypto/man/d2i_GENERAL_NAME.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_GENERAL_NAME.3,v 1.1 2016/12/28 20:36:33 schwarze Exp $ +.\" $OpenBSD: d2i_GENERAL_NAME.3,v 1.4 2018/03/22 21:08:22 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 28 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt D2I_GENERAL_NAME 3 .Os .Sh NAME @@ -138,3 +138,23 @@ if an error occurs. RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, section 4.2: Certificate Extensions +.Sh HISTORY +.Fn d2i_GENERAL_NAME , +.Fn i2d_GENERAL_NAME , +.Fn d2i_GENERAL_NAMES , +and +.Fn i2d_GENERAL_NAMES +first appeared in OpenSSL 0.9.2b and have been available since +.Ox 2.6 . +.Pp +.Fn d2i_OTHERNAME +and +.Fn i2d_OTHERNAME +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . +.Pp +.Fn d2i_EDIPARTYNAME +and +.Fn i2d_EDIPARTYNAME +first appeared in OpenSSL 0.9.7 and have been available since +.Ox 3.2 . diff --git a/lib/libcrypto/man/d2i_OCSP_REQUEST.3 b/lib/libcrypto/man/d2i_OCSP_REQUEST.3 index 3f6320a155..cc07bd7d61 100644 --- a/lib/libcrypto/man/d2i_OCSP_REQUEST.3 +++ b/lib/libcrypto/man/d2i_OCSP_REQUEST.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_OCSP_REQUEST.3,v 1.1 2016/12/27 22:06:55 schwarze Exp $ +.\" $OpenBSD: d2i_OCSP_REQUEST.3,v 1.2 2018/03/22 21:08:22 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" 
@@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 27 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt D2I_OCSP_REQUEST 3 .Os .Sh NAME @@ -175,3 +175,7 @@ if an error occurs. .Sh STANDARDS RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol, section 4.1: Request Syntax +.Sh HISTORY +These functions first appeared in OpenSSL 0.9.7 +and have been available since +.Ox 3.2 . diff --git a/lib/libcrypto/man/d2i_OCSP_RESPONSE.3 b/lib/libcrypto/man/d2i_OCSP_RESPONSE.3 index bdc54913d1..72db8ab063 100644 --- a/lib/libcrypto/man/d2i_OCSP_RESPONSE.3 +++ b/lib/libcrypto/man/d2i_OCSP_RESPONSE.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_OCSP_RESPONSE.3,v 1.1 2016/12/27 22:06:55 schwarze Exp $ +.\" $OpenBSD: d2i_OCSP_RESPONSE.3,v 1.2 2018/03/22 21:08:22 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 27 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt D2I_OCSP_RESPONSE 3 .Os .Sh NAME @@ -241,3 +241,7 @@ if an error occurs. .Sh STANDARDS RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol, section 4.2: Response Syntax +.Sh HISTORY +These functions first appeared in OpenSSL 0.9.7 +and have been available since +.Ox 3.2 . diff --git a/lib/libcrypto/man/d2i_PKCS12.3 b/lib/libcrypto/man/d2i_PKCS12.3 index 5b1513002b..55272d1f36 100644 --- a/lib/libcrypto/man/d2i_PKCS12.3 +++ b/lib/libcrypto/man/d2i_PKCS12.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_PKCS12.3,v 1.1 2016/12/26 18:04:45 schwarze Exp $ +.\" $OpenBSD: d2i_PKCS12.3,v 1.2 2018/03/21 17:57:48 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" 
@@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 26 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt D2I_PKCS12 3 .Os .Sh NAME @@ -184,3 +184,19 @@ return 1 for success or 0 if an error occurs. .Xr PKCS12_SAFEBAG_new 3 .Sh STANDARDS RFC 7292: PKCS #12: Personal Information Exchange Syntax +.Sh HISTORY +.Fn d2i_PKCS12 , +.Fn i2d_PKCS12 , +.Fn d2i_PKCS12_bio , +.Fn i2d_PKCS12_bio , +.Fn d2i_PKCS12_fp , +.Fn i2d_PKCS12_fp , +.Fn d2i_PKCS12_MAC_DATA , +.Fn i2d_PKCS12_MAC_DATA , +.Fn d2i_PKCS12_SAFEBAG , +.Fn i2d_PKCS12_SAFEBAG , +.Fn d2i_PKCS12_BAGS , +and +.Fn i2d_PKCS12_BAGS +first appeared in OpenSSL 0.9.3 and have been available since +.Ox 2.6 . diff --git a/lib/libcrypto/man/d2i_PKCS7.3 b/lib/libcrypto/man/d2i_PKCS7.3 index f728ba0b2e..cb00bf2a0c 100644 --- a/lib/libcrypto/man/d2i_PKCS7.3 +++ b/lib/libcrypto/man/d2i_PKCS7.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_PKCS7.3,v 1.4 2016/12/27 13:10:26 schwarze Exp $ +.\" $OpenBSD: d2i_PKCS7.3,v 1.5 2018/03/21 00:54:31 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 27 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt D2I_PKCS7 3 .Os .Sh NAME 
@@ -324,3 +324,31 @@ return 1 for success or 0 if an error occurs. .Xr SMIME_write_PKCS7 3 .Sh STANDARDS RFC 2315: PKCS #7: Cryptographic Message Syntax Version 1.5 +.Sh HISTORY +.Fn d2i_PKCS7 , +.Fn i2d_PKCS7 , +.Fn d2i_PKCS7_bio , +.Fn i2d_PKCS7_bio , +.Fn d2i_PKCS7_fp , +.Fn i2d_PKCS7_fp , +.Fn d2i_PKCS7_DIGEST , +.Fn i2d_PKCS7_DIGEST , +.Fn d2i_PKCS7_ENCRYPT , +.Fn i2d_PKCS7_ENCRYPT , +.Fn d2i_PKCS7_ENC_CONTENT , +.Fn i2d_PKCS7_ENC_CONTENT , +.Fn d2i_PKCS7_ENVELOPE , +.Fn i2d_PKCS7_ENVELOPE , +.Fn d2i_PKCS7_ISSUER_AND_SERIAL , +.Fn i2d_PKCS7_ISSUER_AND_SERIAL , +.Fn d2i_PKCS7_RECIP_INFO , +.Fn i2d_PKCS7_RECIP_INFO , +.Fn d2i_PKCS7_SIGNED , +.Fn i2d_PKCS7_SIGNED , +.Fn d2i_PKCS7_SIGNER_INFO , +.Fn i2d_PKCS7_SIGNER_INFO , +.Fn d2i_PKCS7_SIGN_ENVELOPE , +and +.Fn i2d_PKCS7_SIGN_ENVELOPE +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/d2i_PKCS8PrivateKey_bio.3 b/lib/libcrypto/man/d2i_PKCS8PrivateKey_bio.3 index 1fe8503824..9ac275e2a6 100644 --- a/lib/libcrypto/man/d2i_PKCS8PrivateKey_bio.3 +++ b/lib/libcrypto/man/d2i_PKCS8PrivateKey_bio.3 @@ -1,8 +1,8 @@ -.\" $OpenBSD: d2i_PKCS8PrivateKey_bio.3,v 1.8 2017/01/07 17:27:15 schwarze Exp $ -.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: d2i_PKCS8PrivateKey_bio.3,v 1.10 2018/03/22 16:06:33 schwarze Exp $ +.\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800 .\" .\" This file was written by Dr. Stephen Henson . -.\" Copyright (c) 2002, 2016 The OpenSSL Project. All rights reserved. +.\" Copyright (c) 2002, 2016, 2017 The OpenSSL Project. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions 
@@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 7 2017 $ +.Dd $Mdocdate: March 22 2018 $ .Dt D2I_PKCS8PRIVATEKEY_BIO 3 .Os .Sh NAME @@ -144,10 +144,30 @@ by converting the buffers to memory BIOs; see .Xr BIO_s_mem 3 for details. +.Sh RETURN VALUES +.Fn d2i_PKCS8PrivateKey_bio +and +.Fn d2i_PKCS8PrivateKey_fp +return a +.Vt EVP_PKEY +object or +.Dv NULL +if an error occurs. +.Pp +.Fn i2d_PKCS8PrivateKey_bio , +.Fn i2d_PKCS8PrivateKey_fp , +.Fn i2d_PKCS8PrivateKey_nid_bio , +and +.Fn i2d_PKCS8PrivateKey_nid_fp +return 1 on success or 0 on error. .Sh SEE ALSO .Xr d2i_X509_SIG 3 , .Xr PEM_write_PKCS8PrivateKey 3 , .Xr PKCS8_PRIV_KEY_INFO_new 3 +.Sh HISTORY +These functions first appeared in OpenSSL 0.9.5 +and have been available since +.Ox 2.7 . .Sh CAVEATS Do not confuse these functions with .Xr i2d_PKCS8PrivateKeyInfo_bio 3 diff --git a/lib/libcrypto/man/d2i_PKCS8_PRIV_KEY_INFO.3 b/lib/libcrypto/man/d2i_PKCS8_PRIV_KEY_INFO.3 index 2ee7d807df..1ac0f2c308 100644 --- a/lib/libcrypto/man/d2i_PKCS8_PRIV_KEY_INFO.3 +++ b/lib/libcrypto/man/d2i_PKCS8_PRIV_KEY_INFO.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_PKCS8_PRIV_KEY_INFO.3,v 1.1 2016/12/28 00:55:05 schwarze Exp $ +.\" $OpenBSD: d2i_PKCS8_PRIV_KEY_INFO.3,v 1.3 2018/03/21 21:18:08 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 28 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt D2I_PKCS8_PRIV_KEY_INFO 3 .Os .Sh NAME 
@@ -112,3 +112,16 @@ return 1 for success or 0 if an error occurs. .Xr PKCS8_PRIV_KEY_INFO_new 3 .Sh STANDARDS RFC 5208: PKCS#8: Private-Key Information Syntax Specification +.Sh HISTORY +.Fn d2i_PKCS8_PRIV_KEY_INFO +and +.Fn i2d_PKCS8_PRIV_KEY_INFO +first appeared in OpenSSL 0.9.3. +.Fn d2i_PKCS8_PRIV_KEY_INFO_bio , +.Fn i2d_PKCS8_PRIV_KEY_INFO_bio , +.Fn d2i_PKCS8_PRIV_KEY_INFO_fp , +and +.Fn i2d_PKCS8_PRIV_KEY_INFO_fp +first appeared in OpenSSL 0.9.4. +All these functions have been available since +.Ox 2.6 . diff --git a/lib/libcrypto/man/d2i_PKEY_USAGE_PERIOD.3 b/lib/libcrypto/man/d2i_PKEY_USAGE_PERIOD.3 index 547b77970d..df8639264c 100644 --- a/lib/libcrypto/man/d2i_PKEY_USAGE_PERIOD.3 +++ b/lib/libcrypto/man/d2i_PKEY_USAGE_PERIOD.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_PKEY_USAGE_PERIOD.3,v 1.1 2016/12/28 20:36:33 schwarze Exp $ +.\" $OpenBSD: d2i_PKEY_USAGE_PERIOD.3,v 1.2 2018/03/21 16:09:51 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 28 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt D2I_PKEY_USAGE_PERIOD 3 .Os .Sh NAME @@ -66,3 +66,9 @@ section 4.2.1.4: Private Key Usage Period RFC 3280 was obsoleted by RFC 5280; see .Xr PKEY_USAGE_PERIOD_new 3 for details. +.Sh HISTORY +.Fn d2i_PKEY_USAGE_PERIOD +and +.Fn i2d_PKEY_USAGE_PERIOD +first appeared in OpenSSL 0.9.2b and have been available since +.Ox 2.6 . diff --git a/lib/libcrypto/man/d2i_POLICYINFO.3 b/lib/libcrypto/man/d2i_POLICYINFO.3 index 6a93059bc2..bae78b17c7 100644 --- a/lib/libcrypto/man/d2i_POLICYINFO.3 +++ b/lib/libcrypto/man/d2i_POLICYINFO.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_POLICYINFO.3,v 1.1 2016/12/28 20:36:33 schwarze Exp $ +.\" $OpenBSD: d2i_POLICYINFO.3,v 1.2 2018/03/21 17:57:48 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" 
@@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 28 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt D2I_POLICYINFO 3 .Os .Sh NAME @@ -159,3 +159,7 @@ if an error occurs. RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, section 4.2.1.4: Certificate Policies +.Sh HISTORY +These functions first appeared in OpenSSL 0.9.3 +and have been available since +.Ox 2.6 . diff --git a/lib/libcrypto/man/d2i_PROXY_POLICY.3 b/lib/libcrypto/man/d2i_PROXY_POLICY.3 index 0c447b1034..794c6edcec 100644 --- a/lib/libcrypto/man/d2i_PROXY_POLICY.3 +++ b/lib/libcrypto/man/d2i_PROXY_POLICY.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_PROXY_POLICY.3,v 1.1 2016/12/28 20:36:33 schwarze Exp $ +.\" $OpenBSD: d2i_PROXY_POLICY.3,v 1.2 2018/03/22 22:07:12 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 28 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt D2I_PROXY_POLICY 3 .Os .Sh NAME @@ -91,3 +91,7 @@ if an error occurs. .Sh STANDARDS RFC 3820: Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile +.Sh HISTORY +These functions first appeared in OpenSSL 0.9.7g +and have been available since +.Ox 3.8 . diff --git a/lib/libcrypto/man/d2i_PrivateKey.3 b/lib/libcrypto/man/d2i_PrivateKey.3 index caf7479289..7a2824bc57 100644 --- a/lib/libcrypto/man/d2i_PrivateKey.3 +++ b/lib/libcrypto/man/d2i_PrivateKey.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_PrivateKey.3,v 1.5 2016/12/28 01:38:16 schwarze Exp $ +.\" $OpenBSD: d2i_PrivateKey.3,v 1.7 2018/03/22 16:06:33 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file is a derived work. 
@@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 28 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt D2I_PRIVATEKEY 3 .Os .Sh NAME @@ -265,3 +265,22 @@ For all functions, the error code can be obtained by calling .Sh STANDARDS RFC 5208: Public-Key Cryptography Standards (PKCS) #8: Private-Key Information Syntax Specification +.Sh HISTORY +.Fn d2i_PrivateKey , +.Fn i2d_PrivateKey , +.Fn d2i_PublicKey , +and +.Fn i2d_PublicKey +appeared in SSLeay 0.8.1b or earlier and have been available since +.Ox 2.4 . +.Pp +.Fn d2i_AutoPrivateKey , +.Fn d2i_PrivateKey_bio , +.Fn i2d_PrivateKey_bio , +.Fn d2i_PrivateKey_fp , +.Fn i2d_PrivateKey_fp , +.Fn i2d_PKCS8PrivateKeyInfo_bio , +and +.Fn i2d_PKCS8PrivateKeyInfo_fp +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . diff --git a/lib/libcrypto/man/d2i_RSAPublicKey.3 b/lib/libcrypto/man/d2i_RSAPublicKey.3 index c5264a610b..a98fd44018 100644 --- a/lib/libcrypto/man/d2i_RSAPublicKey.3 +++ b/lib/libcrypto/man/d2i_RSAPublicKey.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_RSAPublicKey.3,v 1.9 2016/12/26 17:19:23 schwarze Exp $ +.\" $OpenBSD: d2i_RSAPublicKey.3,v 1.12 2018/03/23 05:48:56 schwarze Exp $ .\" OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400 .\" .\" This file is a derived work. @@ -67,7 +67,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 26 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt D2I_RSAPUBLICKEY 3 .Os .Sh NAME 
@@ -348,3 +348,37 @@ RFC 8017: PKCS #1: RSA Cryptography Specifications RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, section 4.1: Basic Certificate Fields +.Sh HISTORY +.Fn d2i_RSAPublicKey , +.Fn i2d_RSAPublicKey , +.Fn d2i_RSAPrivateKey , +.Fn i2d_RSAPrivateKey , +.Fn d2i_Netscape_RSA , +.Fn i2d_Netscape_RSA , +.Fn d2i_RSAPublicKey_bio , +.Fn d2i_RSAPublicKey_fp , +.Fn i2d_RSAPublicKey_bio , +.Fn i2d_RSAPublicKey_fp , +.Fn d2i_RSAPrivateKey_bio , +.Fn d2i_RSAPrivateKey_fp , +.Fn i2d_RSAPrivateKey_bio , +and +.Fn i2d_RSAPrivateKey_fp +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn d2i_RSA_PUBKEY , +.Fn i2d_RSA_PUBKEY , +.Fn d2i_RSA_PUBKEY_bio , +.Fn d2i_RSA_PUBKEY_fp , +.Fn i2d_RSA_PUBKEY_bio , +and +.Fn i2d_RSA_PUBKEY_fp +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . +.Pp +.Fn d2i_RSA_PSS_PARAMS +and +.Fn i2d_RSA_PSS_PARAMS +first appeared in OpenSSL 1.0.1 and have been available since +.Ox 5.3 . diff --git a/lib/libcrypto/man/d2i_TS_REQ.3 b/lib/libcrypto/man/d2i_TS_REQ.3 index 7841843c5f..9f7c860fa1 100644 --- a/lib/libcrypto/man/d2i_TS_REQ.3 +++ b/lib/libcrypto/man/d2i_TS_REQ.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_TS_REQ.3,v 1.1 2016/12/27 20:56:18 schwarze Exp $ +.\" $OpenBSD: d2i_TS_REQ.3,v 1.2 2018/03/23 04:34:23 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 27 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt D2I_TS_REQ 3 .Os .Sh NAME @@ -327,3 +327,7 @@ return 1 for success or 0 if an error occurs. .Xr TS_REQ_new 3 .Sh STANDARDS RFC 3161: Internet X.509 Public Key Infrastructure Time-Stamp Protocol +.Sh HISTORY +These functions first appeared in OpenSSL 1.0.0 +and have been available since +.Ox 4.9 . 
diff --git a/lib/libcrypto/man/d2i_X509.3 b/lib/libcrypto/man/d2i_X509.3 index 1ade0a42a8..9c80fcdb75 100644 --- a/lib/libcrypto/man/d2i_X509.3 +++ b/lib/libcrypto/man/d2i_X509.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_X509.3,v 1.6 2016/12/28 03:56:35 schwarze Exp $ +.\" $OpenBSD: d2i_X509.3,v 1.8 2018/03/22 16:06:33 schwarze Exp $ .\" OpenSSL 94480b57 Sep 12 23:34:41 2009 +0000 .\" .\" This file is a derived work. @@ -66,7 +66,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 28 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt D2I_X509 3 .Os .Sh NAME @@ -275,6 +275,19 @@ Certificate Revocation List (CRL) Profile .Fn d2i_X509_bio , .Fn d2i_X509_fp , .Fn i2d_X509_bio , +.Fn i2d_X509_fp , +.Fn d2i_X509_CINF , +.Fn i2d_X509_CINF , +.Fn d2i_X509_VAL , and -.Fn i2d_X509_fp -are available in all versions of SSLeay and OpenSSL. +.Fn i2d_X509_VAL +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn d2i_X509_AUX , +.Fn i2d_X509_AUX , +.Fn d2i_X509_CERT_AUX , +and +.Fn i2d_X509_CERT_AUX +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . diff --git a/lib/libcrypto/man/d2i_X509_ALGOR.3 b/lib/libcrypto/man/d2i_X509_ALGOR.3 index dcae72adf4..0d5ad2c459 100644 --- a/lib/libcrypto/man/d2i_X509_ALGOR.3 +++ b/lib/libcrypto/man/d2i_X509_ALGOR.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_X509_ALGOR.3,v 1.7 2016/12/28 14:17:47 schwarze Exp $ +.\" $OpenBSD: d2i_X509_ALGOR.3,v 1.8 2018/03/21 03:16:08 schwarze Exp $ .\" OpenSSL 186bb907 Apr 13 11:05:13 2015 -0700 .\" .\" Copyright (c) 2016 Ingo Schwarze @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 28 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt D2I_X509_ALGOR 3 .Os .Sh NAME 
@@ -50,3 +50,9 @@ For details about the semantics, examples, caveats, and bugs, see .Sh STANDARDS RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile +.Sh HISTORY +.Fn d2i_X509_ALGOR +and +.Fn i2d_X509_ALGOR +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/d2i_X509_ATTRIBUTE.3 b/lib/libcrypto/man/d2i_X509_ATTRIBUTE.3 index c8a17571e2..5d913928a2 100644 --- a/lib/libcrypto/man/d2i_X509_ATTRIBUTE.3 +++ b/lib/libcrypto/man/d2i_X509_ATTRIBUTE.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_X509_ATTRIBUTE.3,v 1.1 2016/12/28 13:45:30 schwarze Exp $ +.\" $OpenBSD: d2i_X509_ATTRIBUTE.3,v 1.2 2018/03/21 03:16:08 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 28 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt D2I_X509_ATTRIBUTE 3 .Os .Sh NAME @@ -68,3 +68,9 @@ if an error occurs. ITU-T Recommendation X.501, also known as ISO/IEC 9594-2: Information Technology Open Systems Interconnection The Directory: Models, section 8.2: Overall structure +.Sh HISTORY +.Fn d2i_X509_ATTRIBUTE +and +.Fn i2d_X509_ATTRIBUTE +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/d2i_X509_CRL.3 b/lib/libcrypto/man/d2i_X509_CRL.3 index 398af4cda4..aa023848f7 100644 --- a/lib/libcrypto/man/d2i_X509_CRL.3 +++ b/lib/libcrypto/man/d2i_X509_CRL.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_X509_CRL.3,v 1.5 2016/12/28 14:59:39 schwarze Exp $ +.\" $OpenBSD: d2i_X509_CRL.3,v 1.6 2018/03/21 03:16:08 schwarze Exp $ .\" OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400 .\" .\" Copyright (c) 2016 Ingo Schwarze 
@@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 28 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt D2I_X509_CRL 3 .Os .Sh NAME @@ -129,3 +129,17 @@ structure. RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, section 5: CRL and CRL Extensions Profile +.Sh HISTORY +.Fn d2i_X509_CRL , +.Fn i2d_X509_CRL , +.Fn d2i_X509_CRL_bio , +.Fn d2i_X509_CRL_fp , +.Fn i2d_X509_CRL_bio , +.Fn i2d_X509_CRL_fp , +.Fn d2i_X509_CRL_INFO , +.Fn i2d_X509_CRL_INFO , +.Fn d2i_X509_REVOKED , +and +.Fn i2d_X509_REVOKED +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/d2i_X509_EXTENSION.3 b/lib/libcrypto/man/d2i_X509_EXTENSION.3 index 8b31e2c667..046ef29e78 100644 --- a/lib/libcrypto/man/d2i_X509_EXTENSION.3 +++ b/lib/libcrypto/man/d2i_X509_EXTENSION.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_X509_EXTENSION.3,v 1.1 2016/12/28 13:45:30 schwarze Exp $ +.\" $OpenBSD: d2i_X509_EXTENSION.3,v 1.3 2018/03/23 01:05:50 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 28 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt D2I_X509_EXTENSION 3 .Os .Sh NAME @@ -90,3 +90,15 @@ if an error occurs. .Sh STANDARDS RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile +.Sh HISTORY +.Fn d2i_X509_EXTENSION +and +.Fn i2d_X509_EXTENSION +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn d2i_X509_EXTENSIONS +and +.Fn i2d_X509_EXTENSIONS +first appeared in OpenSSL 0.9.8h and have been available since +.Ox 4.5 . 
diff --git a/lib/libcrypto/man/d2i_X509_NAME.3 b/lib/libcrypto/man/d2i_X509_NAME.3 index 3dd337c430..063a72edeb 100644 --- a/lib/libcrypto/man/d2i_X509_NAME.3 +++ b/lib/libcrypto/man/d2i_X509_NAME.3 @@ -1,7 +1,9 @@ -.\" $OpenBSD: d2i_X509_NAME.3,v 1.10 2017/01/07 08:46:13 jmc Exp $ -.\" OpenSSL d900a015 Oct 8 14:40:42 2015 +0200 +.\" $OpenBSD: d2i_X509_NAME.3,v 1.13 2018/03/23 23:18:17 schwarze Exp $ +.\" checked up to: +.\" OpenSSL crypto/d2i_X509_NAME 4692340e Jun 7 15:49:08 2016 -0400 and +.\" OpenSSL man3/X509_NAME_get0_der 99d63d46 Oct 26 13:56:48 2016 -0400 .\" -.\" Copyright (c) 2016, 2017 Ingo Schwarze +.\" Copyright (c) 2016, 2017, 2018 Ingo Schwarze .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -15,12 +17,13 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: January 7 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt D2I_X509_NAME 3 .Os .Sh NAME .Nm d2i_X509_NAME , .Nm i2d_X509_NAME , +.Nm X509_NAME_get0_der , .Nm X509_NAME_dup , .Nm X509_NAME_hash , .Nm d2i_X509_NAME_ENTRY , @@ -28,7 +31,7 @@ .Nm X509_NAME_ENTRY_dup .\" In the following line, "X.501" and "Name" are not typos. .\" The "Name" type is defined in X.501, not in X.509. -.\" The type in called "Name" with capital "N", not "name". +.\" The type is called "Name" with capital "N", not "name". .Nd decode and encode X.501 Name objects .Sh SYNOPSIS .In openssl/x509.h @@ -43,6 +46,12 @@ .Fa "X509_NAME *val_in" .Fa "unsigned char **der_out" .Fc +.Ft int +.Fo X509_NAME_get0_der +.Fa "X509_NAME *val_in" +.Fa "const unsigned char **der_out" +.Fa "size_t *out_len" +.Fc .Ft X509_NAME * .Fo X509_NAME_dup .Fa "X509_NAME *val_in" 
@@ -80,6 +89,17 @@ decode and encode an ASN.1 .Vt Name structure defined in RFC 5280 section 4.1.2.4. .Pp +.Fn X509_NAME_get0_der +is a variant of +.Fn i2d_X509_NAME +that does not copy the encoded output but instead returns a pointer +to the internally cached DER-encoded version of the name. +Also, it does not return the length of the output in bytes, +but instead stores it in +.Fa out_len . +If the cached encoded form happens to be out of date, both functions +update it before copying it or returning a pointer to it. +.Pp .Fn X509_NAME_dup copies .Fa val_in @@ -121,6 +141,9 @@ object or .Dv NULL if an error occurs. .Pp +.Fn X509_NAME_get0_der +returns 1 on success or 0 if an error occurs. +.Pp .Fn X509_NAME_hash returns the hash value or 0 if an error occurs. .Pp @@ -151,3 +174,18 @@ ITU-T Recommendation X.690, also known as ISO/IEC 8825-1: Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER). +.Sh HISTORY +.Fn d2i_X509_NAME , +.Fn i2d_X509_NAME , +.Fn X509_NAME_dup , +.Fn X509_NAME_hash , +.Fn d2i_X509_NAME_ENTRY , +.Fn i2d_X509_NAME_ENTRY , +and +.Fn X509_NAME_ENTRY_dup +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn X509_NAME_get0_der +first appeared in OpenSSL 1.1.0 and has been available since +.Ox 6.3 . diff --git a/lib/libcrypto/man/d2i_X509_REQ.3 b/lib/libcrypto/man/d2i_X509_REQ.3 index e3e537fb51..3030ac6664 100644 --- a/lib/libcrypto/man/d2i_X509_REQ.3 +++ b/lib/libcrypto/man/d2i_X509_REQ.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_X509_REQ.3,v 1.5 2016/12/28 15:18:05 schwarze Exp $ +.\" $OpenBSD: d2i_X509_REQ.3,v 1.6 2018/03/21 03:16:08 schwarze Exp $ .\" OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400 .\" .\" Copyright (c) 2016 Ingo Schwarze 
@@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 28 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt D2I_X509_REQ 3 .Os .Sh NAME @@ -134,3 +134,15 @@ return 1 for success or 0 if an error occurs. .Xr X509_REQ_new 3 .Sh STANDARDS RFC 2986: PKCS #10: Certification Request Syntax Specification +.Sh HISTORY +.Fn d2i_X509_REQ , +.Fn i2d_X509_REQ , +.Fn d2i_X509_REQ_bio , +.Fn d2i_X509_REQ_fp , +.Fn i2d_X509_REQ_bio , +.Fn i2d_X509_REQ_fp , +.Fn d2i_X509_REQ_INFO , +and +.Fn i2d_X509_REQ_INFO +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . diff --git a/lib/libcrypto/man/d2i_X509_SIG.3 b/lib/libcrypto/man/d2i_X509_SIG.3 index bf050ce23d..2f512d3174 100644 --- a/lib/libcrypto/man/d2i_X509_SIG.3 +++ b/lib/libcrypto/man/d2i_X509_SIG.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_X509_SIG.3,v 1.6 2016/12/28 02:48:59 schwarze Exp $ +.\" $OpenBSD: d2i_X509_SIG.3,v 1.8 2018/03/21 21:18:08 schwarze Exp $ .\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400 .\" .\" Copyright (c) 2016 Ingo Schwarze @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 28 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt D2I_X509_SIG 3 .Os .Sh NAME @@ -123,6 +123,20 @@ section 9: Signed-data content type .Pp RFC 8017: PKCS #1: RSA Cryptography Specifications, section 9: Encoding Methods for Signatures +.Sh HISTORY +.Fn d2i_X509_SIG +and +.Fn i2d_X509_SIG +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn d2i_PKCS8_bio , +.Fn i2d_PKCS8_bio , +.Fn d2i_PKCS8_fp , +and +.Fn i2d_PKCS8_fp +first appeared in OpenSSL 0.9.4 and have been available since +.Ox 2.6 . .Sh BUGS .Fn d2i_PKCS8_bio , .Fn i2d_PKCS8_bio , 
diff --git a/lib/libcrypto/man/des_read_pw.3 b/lib/libcrypto/man/des_read_pw.3 index e772d0a65a..a7060d6efa 100644 --- a/lib/libcrypto/man/des_read_pw.3 +++ b/lib/libcrypto/man/des_read_pw.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: des_read_pw.3,v 1.6 2017/01/06 17:17:29 schwarze Exp $ +.\" $OpenBSD: des_read_pw.3,v 1.7 2018/03/20 22:06:59 schwarze Exp $ .\" OpenSSL doc/crypto/ui_compat.pod May 14 11:28:00 2006 +0000 .\" OpenSSL doc/crypto/des.pod 2a9aca32 Oct 25 08:44:10 2001 +0000 .\" @@ -50,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 6 2017 $ +.Dd $Mdocdate: March 20 2018 $ .Dt DES_READ_PW 3 .Os .Sh NAME @@ -130,6 +130,10 @@ is functionally similar to .Fn des_read_pw_string . .Sh SEE ALSO .Xr UI_new 3 +.Sh HISTORY +These functions appeared in SSLeay 0.8.1b or earlier +and have been available since +.Ox 2.4 . .Sh AUTHORS .An Richard Levitte Aq Mt richard@levitte.org for the OpenSSL project. diff --git a/lib/libcrypto/man/engine.3 b/lib/libcrypto/man/engine.3 index a8ef6a8951..d0b83d7745 100644 --- a/lib/libcrypto/man/engine.3 +++ b/lib/libcrypto/man/engine.3 @@ -1,8 +1,10 @@ -.\" $OpenBSD: engine.3,v 1.10 2017/01/06 20:35:23 schwarze Exp $ -.\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400 +.\" $OpenBSD: engine.3,v 1.13 2018/03/22 21:08:22 schwarze Exp $ +.\" full merge up to: OpenSSL crypto/engine e6390aca Jul 21 10:06:03 2015 -0400 +.\" selective merge up to: man3/ENGINE_add 1f13ad31 Dec 25 17:50:39 2017 +0800 .\" -.\" This file was written by Geoff Thorpe . -.\" Copyright (c) 2002, 2004, 2007, 2015 The OpenSSL Project. +.\" This file was written by Geoff Thorpe +.\" with contributions from Paul Yang . +.\" Copyright (c) 2002, 2004, 2007, 2015, 2017 The OpenSSL Project. .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without 
@@ -49,20 +51,122 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 6 2017 $ +.Dd $Mdocdate: March 22 2018 $ .Dt ENGINE 3 .Os .Sh NAME -.Nm ENGINE_add , -.Nm ENGINE_by_id , -.Nm ENGINE_finish , .Nm ENGINE_get_first , .Nm ENGINE_get_last , .Nm ENGINE_get_next , .Nm ENGINE_get_prev , +.Nm ENGINE_add , +.Nm ENGINE_remove , +.Nm ENGINE_by_id , .Nm ENGINE_init , +.Nm ENGINE_finish , +.Nm ENGINE_load_openssl , +.Nm ENGINE_load_dynamic , +.Nm ENGINE_load_cryptodev , .Nm ENGINE_load_builtin_engines , -.Nm ENGINE_remove +.Nm ENGINE_cleanup , +.Nm ENGINE_get_default_RSA , +.Nm ENGINE_get_default_DSA , +.Nm ENGINE_get_default_ECDH , +.Nm ENGINE_get_default_ECDSA , +.Nm ENGINE_get_default_DH , +.Nm ENGINE_get_default_RAND , +.Nm ENGINE_get_cipher_engine , +.Nm ENGINE_get_digest_engine , +.Nm ENGINE_set_default_RSA , +.Nm ENGINE_set_default_DSA , +.Nm ENGINE_set_default_ECDH , +.Nm ENGINE_set_default_ECDSA , +.Nm ENGINE_set_default_DH , +.Nm ENGINE_set_default_RAND , +.Nm ENGINE_set_default_ciphers , +.Nm ENGINE_set_default_digests , +.Nm ENGINE_set_default_string , +.Nm ENGINE_set_default , +.Nm ENGINE_get_table_flags , +.Nm ENGINE_set_table_flags , +.Nm ENGINE_register_RSA , +.Nm ENGINE_unregister_RSA , +.Nm ENGINE_register_all_RSA , +.Nm ENGINE_register_DSA , +.Nm ENGINE_unregister_DSA , +.Nm ENGINE_register_all_DSA , +.Nm ENGINE_register_ECDH , +.Nm ENGINE_unregister_ECDH , +.Nm ENGINE_register_all_ECDH , +.Nm ENGINE_register_ECDSA , +.Nm ENGINE_unregister_ECDSA , +.Nm ENGINE_register_all_ECDSA , +.Nm ENGINE_register_DH , +.Nm ENGINE_unregister_DH , +.Nm ENGINE_register_all_DH , +.Nm ENGINE_register_RAND , +.Nm ENGINE_unregister_RAND , +.Nm ENGINE_register_all_RAND , +.Nm ENGINE_register_STORE , +.Nm ENGINE_unregister_STORE , +.Nm ENGINE_register_all_STORE , +.Nm ENGINE_register_ciphers , +.Nm ENGINE_unregister_ciphers , +.Nm ENGINE_register_all_ciphers , +.Nm ENGINE_register_digests 
, +.Nm ENGINE_unregister_digests , +.Nm ENGINE_register_all_digests , +.Nm ENGINE_register_complete , +.Nm ENGINE_register_all_complete , +.Nm ENGINE_ctrl , +.Nm ENGINE_cmd_is_executable , +.Nm ENGINE_ctrl_cmd , +.Nm ENGINE_ctrl_cmd_string , +.Nm ENGINE_new , +.Nm ENGINE_free , +.Nm ENGINE_up_ref , +.Nm ENGINE_set_id , +.Nm ENGINE_set_name , +.Nm ENGINE_set_RSA , +.Nm ENGINE_set_DSA , +.Nm ENGINE_set_ECDH , +.Nm ENGINE_set_ECDSA , +.Nm ENGINE_set_DH , +.Nm ENGINE_set_RAND , +.Nm ENGINE_set_STORE , +.Nm ENGINE_set_destroy_function , +.Nm ENGINE_set_init_function , +.Nm ENGINE_set_finish_function , +.Nm ENGINE_set_ctrl_function , +.Nm ENGINE_set_load_privkey_function , +.Nm ENGINE_set_load_pubkey_function , +.Nm ENGINE_set_ciphers , +.Nm ENGINE_set_digests , +.Nm ENGINE_set_flags , +.Nm ENGINE_set_cmd_defns , +.Nm ENGINE_get_id , +.Nm ENGINE_get_name , +.Nm ENGINE_get_RSA , +.Nm ENGINE_get_DSA , +.Nm ENGINE_get_ECDH , +.Nm ENGINE_get_ECDSA , +.Nm ENGINE_get_DH , +.Nm ENGINE_get_RAND , +.Nm ENGINE_get_STORE , +.Nm ENGINE_get_destroy_function , +.Nm ENGINE_get_init_function , +.Nm ENGINE_get_finish_function , +.Nm ENGINE_get_ctrl_function , +.Nm ENGINE_get_load_privkey_function , +.Nm ENGINE_get_load_pubkey_function , +.Nm ENGINE_get_ciphers , +.Nm ENGINE_get_digests , +.Nm ENGINE_get_cipher , +.Nm ENGINE_get_digest , +.Nm ENGINE_get_flags , +.Nm ENGINE_get_cmd_defns , +.Nm ENGINE_load_private_key , +.Nm ENGINE_load_public_key .Nd ENGINE cryptographic module support .Sh SYNOPSIS .In openssl/engine.h 
@@ -1197,9 +1301,124 @@ to see if they implement "FOO_GET_VENDOR_LOGO_GIF" - and .Vt ENGINE could therefore decide whether or not to support this "foo"-specific extension). +.Sh RETURN VALUES +.Fn ENGINE_get_first , +.Fn ENGINE_get_last , +.Fn ENGINE_get_next , +.Fn ENGINE_get_prev , +.Fn ENGINE_by_id , +.Fn ENGINE_get_cipher_engine , +.Fn ENGINE_get_digest_engine , +.Fn ENGINE_new , +and all +.Fn ENGINE_get_default_* +functions return a valid +.Vt ENGINE +structure or +.Dv NULL +if an error occurred. +.Pp +.Fn ENGINE_add , +.Fn ENGINE_remove , +.Fn ENGINE_init , +.Fn ENGINE_finish , +.Fn ENGINE_ctrl_cmd , +.Fn ENGINE_ctrl_cmd_string , +.Fn ENGINE_free , +.Fn ENGINE_up_ref , +and all +.Fn ENGINE_set_* +and +.Fn ENGINE_register_* +functions return 1 on success or 0 on error. +.Pp +.Fn ENGINE_get_table_flags +returns an unsigned integer value representing the global table +flags which are used to control the registration behaviour of +.Vt ENGINE +implementations. +.Pp +For +.Fn ENGINE_ctrl , +positive return values indicate success and negative return values +indicate failure. +The meaning of a zero return value depends on the particular +.Fa cmd +and may indicate both success and failure, which is pathetic. +.Pp +.Fn ENGINE_cmd_is_executable +returns 1 if +.Fa cmd +is executable or 0 otherwise. +.Pp +.Fn ENGINE_get_id +and +.Fn ENGINE_get_name +return a pointer to an internal string representing the identifier +and the name of +.Fa e , +respectively. +.Pp +.Fn ENGINE_get_RSA , +.Fn ENGINE_get_DSA , +.Fn ENGINE_get_DH , +.Fn ENGINE_get_RAND , +and +.Fn ENGINE_get_STORE +return a method structure for the respective algorithm. +.Pp +.Fn ENGINE_get_destroy_function , +.Fn ENGINE_get_init_function , +.Fn ENGINE_get_finish_function , +.Fn ENGINE_get_ctrl_function , +.Fn ENGINE_get_load_privkey_function , +.Fn ENGINE_get_load_pubkey_function , +.Fn ENGINE_get_ciphers , +and +.Fn ENGINE_get_digests +return a function pointer to the respective callback. 
+.Pp +.Fn ENGINE_get_cipher +returns a valid +.Vt EVP_CIPHER +structure on success or +.Dv NULL +if an error occurred. +.Pp +.Fn ENGINE_get_digest +returns a valid +.Vt EVP_MD +structure on success or +.Dv NULL +if an error occurred. +.Pp +.Fn ENGINE_get_flags +returns an integer representing the flags +which are used to control various behaviours of an +.Vt ENGINE . +.Pp +.Fn ENGINE_get_cmd_defns +returns an +.Vt ENGINE_CMD_DEFN +structure or +.Dv NULL +if none is set. +.Pp +.Fn ENGINE_load_private_key +and +.Fn ENGINE_load_public_key +return a valid +.Vt EVP_PKEY +structure on success or +.Dv NULL +if an error occurred. .Sh SEE ALSO .Xr DH_new 3 , .Xr DSA_new 3 , .Xr ENGINE_add_conf_module 3 , .Xr ENGINE_set_ex_data 3 , .Xr RSA_new 3 +.Sh HISTORY +The engine API first appeared in OpenSSL 0.9.7 +and has been available since +.Ox 3.2 . diff --git a/lib/libcrypto/man/get_rfc3526_prime_8192.3 b/lib/libcrypto/man/get_rfc3526_prime_8192.3 index e9bbd915ab..b26e28be9a 100644 --- a/lib/libcrypto/man/get_rfc3526_prime_8192.3 +++ b/lib/libcrypto/man/get_rfc3526_prime_8192.3 @@ -1,4 +1,5 @@ -.\" $OpenBSD: get_rfc3526_prime_8192.3,v 1.1 2017/01/31 05:40:26 schwarze Exp $ +.\" $OpenBSD: get_rfc3526_prime_8192.3,v 1.4 2018/03/23 23:18:17 schwarze Exp $ +.\" checked up to: OpenSSL DH_get_1024_160 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" Copyright (c) 2017 Ingo Schwarze .\" @@ -14,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: January 31 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt GET_RFC3526_PRIME_8192 3 .Os .Sh NAME 
@@ -25,7 +26,14 @@ .Nm get_rfc3526_prime_3072 , .Nm get_rfc3526_prime_4096 , .Nm get_rfc3526_prime_6144 , -.Nm get_rfc3526_prime_8192 +.Nm get_rfc3526_prime_8192 , +.Nm BN_get_rfc2409_prime_768 , +.Nm BN_get_rfc2409_prime_1024 , +.Nm BN_get_rfc3526_prime_2048 , +.Nm BN_get_rfc3526_prime_3072 , +.Nm BN_get_rfc3526_prime_4096 , +.Nm BN_get_rfc3526_prime_6144 , +.Nm BN_get_rfc3526_prime_8192 .Nd standard moduli for Diffie-Hellmann key exchange .Sh SYNOPSIS .In openssl/bn.h @@ -45,10 +53,29 @@ .Fn get_rfc3526_prime_6144 "BIGNUM *bn" .Ft BIGNUM * .Fn get_rfc3526_prime_8192 "BIGNUM *bn" +.Ft BIGNUM * +.Fn BN_get_rfc2409_prime_768 "BIGNUM *bn" +.Ft BIGNUM * +.Fn BN_get_rfc2409_prime_1024 "BIGNUM *bn" +.Ft BIGNUM * +.Fn BN_get_rfc3526_prime_1536 "BIGNUM *bn" +.Ft BIGNUM * +.Fn BN_get_rfc3526_prime_2048 "BIGNUM *bn" +.Ft BIGNUM * +.Fn BN_get_rfc3526_prime_3072 "BIGNUM *bn" +.Ft BIGNUM * +.Fn BN_get_rfc3526_prime_4096 "BIGNUM *bn" +.Ft BIGNUM * +.Fn BN_get_rfc3526_prime_6144 "BIGNUM *bn" +.Ft BIGNUM * +.Fn BN_get_rfc3526_prime_8192 "BIGNUM *bn" .Sh DESCRIPTION Each of these functions returns one specific constant Sophie Germain prime number .Fa p . +The names with the prefix +.Sq BN_ +are aliases for the names without that prefix. .Pp If .Fa bn @@ -124,6 +151,23 @@ information about these numbers. .Pp RFC 3526, "More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)", defines the other six numbers. +.Sh HISTORY +.Fn get_rfc2409_prime_768 , +.Fn get_rfc2409_prime_1024 , +.Fn get_rfc3526_prime_1536 , +.Fn get_rfc3526_prime_2048 , +.Fn get_rfc3526_prime_3072 , +.Fn get_rfc3526_prime_4096 , +.Fn get_rfc3526_prime_6144 , +and +.Fn get_rfc3526_prime_8192 +first appeared in OpenSSL 0.9.8a and have been available since +.Ox 4.5 . +.Pp +The +.Sy BN_ +aliases first appeared in OpenSSL 1.1.0 and have been available since +.Ox 6.3 . .Sh CAVEATS As all the memory needed for storing the numbers is dynamically allocated, the 
diff --git a/lib/libcrypto/man/i2d_PKCS7_bio_stream.3 b/lib/libcrypto/man/i2d_PKCS7_bio_stream.3 index 97adbde176..463d861bec 100644 --- a/lib/libcrypto/man/i2d_PKCS7_bio_stream.3 +++ b/lib/libcrypto/man/i2d_PKCS7_bio_stream.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: i2d_PKCS7_bio_stream.3,v 1.6 2016/12/13 15:00:22 schwarze Exp $ +.\" $OpenBSD: i2d_PKCS7_bio_stream.3,v 1.7 2018/03/23 04:34:23 schwarze Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 13 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt I2D_PKCS7_BIO_STREAM 3 .Os .Sh NAME @@ -86,7 +86,8 @@ returns 1 for success or 0 for failure. .Xr SMIME_write_PKCS7 3 .Sh HISTORY .Fn i2d_PKCS7_bio_stream -was added to OpenSSL 1.0.0. +first appeared in OpenSSL 1.0.0 and has been available since +.Ox 4.9 . .Sh BUGS The prefix "i2d" is arguably wrong because the function outputs BER format. diff --git a/lib/libcrypto/man/openssl.cnf.5 b/lib/libcrypto/man/openssl.cnf.5 index de21a5d973..d95ccdcfbf 100644 --- a/lib/libcrypto/man/openssl.cnf.5 +++ b/lib/libcrypto/man/openssl.cnf.5 @@ -1,8 +1,9 @@ -.\" $OpenBSD: openssl.cnf.5,v 1.3 2017/07/06 15:42:04 schwarze Exp $ -.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: openssl.cnf.5,v 1.4 2018/02/16 18:21:57 schwarze Exp $ +.\" full merge up to: OpenSSL man5/config b53338cb Feb 28 12:30:28 2017 +0100 +.\" selective merge up to: OpenSSL a8c5ed81 Jul 18 13:57:25 2017 -0400 .\" .\" This file was written by Dr. Stephen Henson . -.\" Copyright (c) 1999, 2000, 2004, 2013, 2015, 2016 The OpenSSL Project. +.\" Copyright (c) 1999, 2000, 2004, 2013, 2015, 2016, 2017 The OpenSSL Project. .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without 
@@ -49,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 6 2017 $ +.Dd $Mdocdate: February 16 2018 $ .Dt OPENSSL.CNF 5 .Os .Sh NAME @@ -169,6 +170,8 @@ which is used by the utility. Other applications may use an alternative name such as .Sy myapplication_conf . +All library configuration lines appear in the default section +at the start of the configuration file. .Pp The configuration section should consist of a set of name value pairs which contain specific module configuration information. @@ -182,6 +185,7 @@ configuration section containing configuration module specific information. For example: .Bd -literal -offset indent +# The following line must be in the default section. openssl_conf = openssl_init [openssl_init] diff --git a/lib/libcrypto/man/x509v3.cnf.5 b/lib/libcrypto/man/x509v3.cnf.5 index 19608697e3..fcdf06301a 100644 --- a/lib/libcrypto/man/x509v3.cnf.5 +++ b/lib/libcrypto/man/x509v3.cnf.5 @@ -1,5 +1,7 @@ -.\" $OpenBSD: x509v3.cnf.5,v 1.3 2016/12/25 22:15:10 schwarze Exp $ -.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: x509v3.cnf.5,v 1.4 2018/02/16 18:48:55 schwarze Exp $ +.\" full merge up to: +.\" OpenSSL man5/x509v3_config a41815f0 Mar 17 18:43:53 2017 -0700 +.\" selective merge up to: OpenSSL 36cf10cf Oct 4 02:11:08 2017 -0400 .\" .\" This file was written by Dr. Stephen Henson . .\" Copyright (c) 2004, 2006, 2013, 2014, 2015, 2016 The OpenSSL Project. @@ -49,7 +51,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 25 2016 $ +.Dd $Mdocdate: February 16 2018 $ .Dt X509V3.CNF 5 .Os .Sh NAME 
@@ -318,7 +320,7 @@ option that will copy all the subject alternative name values from the issuer certificate (if possible). Example: .Pp -.Dl issuserAltName = issuer:copy +.Dl issuerAltName = issuer:copy .Ss Authority info access The authority information access extension gives details about how to access certain information relating to the CA. diff --git a/lib/libcrypto/modes/asm/ghash-armv4.pl b/lib/libcrypto/modes/asm/ghash-armv4.pl index 4f8372d897..2d57806b46 100644 --- a/lib/libcrypto/modes/asm/ghash-armv4.pl +++ b/lib/libcrypto/modes/asm/ghash-armv4.pl @@ -319,7 +319,7 @@ sub Dhi() { shift=~m|q([1]?[0-9])|?"d".($1*2+1):""; } sub Q() { shift=~m|d([1-3]?[02468])|?"q".($1/2):""; } $code.=<<___; -#if __ARM_ARCH__>=7 +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) .fpu neon .global gcm_gmult_neon diff --git a/lib/libcrypto/modes/gcm128.c b/lib/libcrypto/modes/gcm128.c index 69b1dd4f49..74362e6adc 100644 --- a/lib/libcrypto/modes/gcm128.c +++ b/lib/libcrypto/modes/gcm128.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gcm128.c,v 1.20 2017/09/03 13:07:34 inoguchi Exp $ */ +/* $OpenBSD: gcm128.c,v 1.22 2018/01/24 23:03:37 kettenis Exp $ */ /* ==================================================================== * Copyright (c) 2010 The OpenSSL Project. All rights reserved. * @@ -661,7 +661,7 @@ void gcm_ghash_4bit_x86(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len # endif # elif defined(__arm__) || defined(__arm) # include "arm_arch.h" -# if __ARM_ARCH__>=7 +# if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) # define GHASH_ASM_ARM # define GCM_FUNCREF_4BIT void gcm_gmult_neon(u64 Xi[2],const u128 Htable[16]); 
@@ -1515,13 +1515,15 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx,const unsigned char *tag, alen = BSWAP8(alen); clen = BSWAP8(clen); #else - u8 *p = ctx->len.c; + { + u8 *p = ctx->len.c; - ctx->len.u[0] = alen; - ctx->len.u[1] = clen; + ctx->len.u[0] = alen; + ctx->len.u[1] = clen; - alen = (u64)GETU32(p) <<32|GETU32(p+4); - clen = (u64)GETU32(p+8)<<32|GETU32(p+12); + alen = (u64)GETU32(p) <<32|GETU32(p+4); + clen = (u64)GETU32(p+8)<<32|GETU32(p+12); + } #endif #endif diff --git a/lib/libcrypto/objects/obj_mac.num b/lib/libcrypto/objects/obj_mac.num index 3214090a3a..8efb233308 100644 --- a/lib/libcrypto/objects/obj_mac.num +++ b/lib/libcrypto/objects/obj_mac.num @@ -956,3 +956,12 @@ Ed448ph 955 jurisdictionLocalityName 956 jurisdictionStateOrProvinceName 957 jurisdictionCountryName 958 +kx_rsa 959 +kx_ecdhe 960 +kx_dhe 961 +kx_gost 962 +auth_rsa 963 +auth_ecdsa 964 +auth_gost01 965 +auth_null 966 +chacha20_poly1305 967 diff --git a/lib/libcrypto/objects/objects.txt b/lib/libcrypto/objects/objects.txt index 6efabf7dee..24a6fd345b 100644 --- a/lib/libcrypto/objects/objects.txt +++ b/lib/libcrypto/objects/objects.txt @@ -1320,6 +1320,8 @@ brainpool 1 14 : brainpoolP512t1 !Cname chacha20 : ChaCha : chacha + : ChaCha20-Poly1305 : chacha20-poly1305 + : gost89-ecb : gost89-cbc @@ -1343,3 +1345,15 @@ tc26 1 3 3 : id-tc26-signwithdigest-gost3410-2012-512 : GOST R 34.11-2012 with 1 3 101 113 : Ed448 1 3 101 114 : Ed25519ph 1 3 101 115 : Ed448ph + +# TLS cipher suite key exchange + : KxRSA : kx-rsa + : KxECDHE : kx-ecdhe + : KxDHE : kx-dhe + : KxGOST : kx-gost + +# TLS cipher suite authentication + : AuthRSA : auth-rsa + : AuthECDSA : auth-ecdsa + : AuthGOST01 : auth-gost01 + : AuthNULL : auth-null diff --git a/lib/libcrypto/ocsp/ocsp.h b/lib/libcrypto/ocsp/ocsp.h index e3fa6f5a3d..b2c4367f83 100644 --- a/lib/libcrypto/ocsp/ocsp.h +++ b/lib/libcrypto/ocsp/ocsp.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp.h,v 1.11 2016/12/30 16:19:04 jsing Exp $ */ +/* $OpenBSD: ocsp.h,v 1.12 2018/03/17 14:44:34 jsing Exp $ */ /* Written by Tom Titchener for the OpenSSL * project. */ @@ -511,6 +511,7 @@ int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit, unsigned long flags); int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc); +const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *x); OCSP_SINGLERESP *OCSP_SINGLERESP_new(void); void OCSP_SINGLERESP_free(OCSP_SINGLERESP *a); diff --git a/lib/libcrypto/ocsp/ocsp_cl.c b/lib/libcrypto/ocsp/ocsp_cl.c index 04ea6866a5..c2cd9da09a 100644 --- a/lib/libcrypto/ocsp/ocsp_cl.c +++ b/lib/libcrypto/ocsp/ocsp_cl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp_cl.c,v 1.14 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ocsp_cl.c,v 1.15 2018/03/17 14:44:34 jsing Exp $ */ /* Written by Tom Titchener for the OpenSSL * project. */ @@ -390,3 +390,9 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, return 1; } + +const OCSP_CERTID * +OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single) +{ + return single->certId; +} diff --git a/lib/libcrypto/opensslv.h b/lib/libcrypto/opensslv.h index c8dd39d574..c882e09a32 100644 --- a/lib/libcrypto/opensslv.h +++ b/lib/libcrypto/opensslv.h @@ -1,10 +1,11 @@ -/* $OpenBSD: opensslv.h,v 1.43.4.1 2017/12/11 10:50:37 bcook Exp $ */ +/* $OpenBSD: opensslv.h,v 1.46.2.2 2018/06/13 14:54:17 bcook Exp $ */ #ifndef HEADER_OPENSSLV_H #define HEADER_OPENSSLV_H /* These will change with each release of LibreSSL-portable */ -#define LIBRESSL_VERSION_NUMBER 0x2060400fL -#define LIBRESSL_VERSION_TEXT "LibreSSL 2.6.4" +#define LIBRESSL_VERSION_NUMBER 0x2070400fL +/* ^ Patch starts here */ +#define LIBRESSL_VERSION_TEXT "LibreSSL 2.7.4" /* These will never change */ #define OPENSSL_VERSION_NUMBER 0x20000000L diff --git a/lib/libcrypto/perlasm/x86_64-xlate.pl b/lib/libcrypto/perlasm/x86_64-xlate.pl index 9f1e3ac99a..b10a27b58e 100755 
--- a/lib/libcrypto/perlasm/x86_64-xlate.pl +++ b/lib/libcrypto/perlasm/x86_64-xlate.pl @@ -149,7 +149,7 @@ my %globals; $epilogue = "movq 8(%rsp),%rdi\n\t" . "movq 16(%rsp),%rsi\n\t"; } - $epilogue . ".byte 0xf3,0xc3"; + $epilogue . "retq"; } elsif ($self->{op} eq "call" && !$elf && $current_segment eq ".init") { ".p2align\t3\n\t.quad"; } else { diff --git a/lib/libcrypto/rsa/rsa.h b/lib/libcrypto/rsa/rsa.h index 7476a1164a..23929aafb9 100644 --- a/lib/libcrypto/rsa/rsa.h +++ b/lib/libcrypto/rsa/rsa.h @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa.h,v 1.31 2017/08/30 16:07:35 jsing Exp $ */ +/* $OpenBSD: rsa.h,v 1.38 2018/03/17 15:12:56 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -256,6 +256,7 @@ struct rsa_st { RSA *RSA_new(void); RSA *RSA_new_method(ENGINE *engine); +int RSA_bits(const RSA *rsa); int RSA_size(const RSA *rsa); /* Deprecated version */ @@ -395,6 +396,18 @@ int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, int RSA_set_ex_data(RSA *r, int idx, void *arg); void *RSA_get_ex_data(const RSA *r, int idx); +void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, + const BIGNUM **d); +int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); +void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, + const BIGNUM **iqmp); +int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp); +void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q); +int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q); +void RSA_clear_flags(RSA *r, int flags); +int RSA_test_flags(const RSA *r, int flags); +void RSA_set_flags(RSA *r, int flags); + RSA *RSAPublicKey_dup(RSA *rsa); RSA *RSAPrivateKey_dup(RSA *rsa); 
@@ -417,6 +430,15 @@ RSA *RSAPrivateKey_dup(RSA *rsa); */ #define RSA_FLAG_CHECKED 0x0800 +RSA_METHOD *RSA_meth_new(const char *name, int flags); +void RSA_meth_free(RSA_METHOD *meth); +RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth); +int RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen, + const unsigned char *from, unsigned char *to, RSA *rsa, int padding)); +int RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen, + const unsigned char *from, unsigned char *to, RSA *rsa, int padding)); +int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa)); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. diff --git a/lib/libcrypto/rsa/rsa_crpt.c b/lib/libcrypto/rsa/rsa_crpt.c index f0c925602f..a646ded4a7 100644 --- a/lib/libcrypto/rsa/rsa_crpt.c +++ b/lib/libcrypto/rsa/rsa_crpt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_crpt.c,v 1.18 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: rsa_crpt.c,v 1.19 2018/02/18 12:52:13 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -73,6 +73,12 @@ #endif int +RSA_bits(const RSA *r) +{ + return BN_num_bits(r->n); +} + +int RSA_size(const RSA *r) { return BN_num_bytes(r->n); diff --git a/lib/libcrypto/rsa/rsa_lib.c b/lib/libcrypto/rsa/rsa_lib.c index 31ea418427..544846f825 100644 --- a/lib/libcrypto/rsa/rsa_lib.c +++ b/lib/libcrypto/rsa/rsa_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_lib.c,v 1.31 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: rsa_lib.c,v 1.36 2018/02/20 17:42:32 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -256,3 +256,117 @@ RSA_get_ex_data(const RSA *r, int idx) { return CRYPTO_get_ex_data(&r->ex_data, idx); } + +void +RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) +{ + if (n != NULL) + *n = r->n; + if (e != NULL) + *e = r->e; + if (d != NULL) + *d = r->d; +} + +int +RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) +{ + if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) + return 0; + + if (n != NULL) { + BN_free(r->n); + r->n = n; + } + if (e != NULL) { + BN_free(r->e); + r->e = e; + } + if (d != NULL) { + BN_free(r->d); + r->d = d; + } + + return 1; +} + +void +RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, + const BIGNUM **iqmp) +{ + if (dmp1 != NULL) + *dmp1 = r->dmp1; + if (dmq1 != NULL) + *dmq1 = r->dmq1; + if (iqmp != NULL) + *iqmp = r->iqmp; +} + +int +RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) +{ + if ((r->dmp1 == NULL && dmp1 == NULL) || + (r->dmq1 == NULL && dmq1 == NULL) || + (r->iqmp == NULL && iqmp == NULL)) + return 0; + + if (dmp1 != NULL) { + BN_free(r->dmp1); + r->dmp1 = dmp1; + } + if (dmq1 != NULL) { + BN_free(r->dmq1); + r->dmq1 = dmq1; + } + if (iqmp != NULL) { + BN_free(r->iqmp); + r->iqmp = iqmp; + } + + return 1; +} + +void +RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) +{ + if (p != NULL) + *p = r->p; + if (q != NULL) + *q = r->q; +} + +int +RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) +{ + if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) + return 0; + + if (p != NULL) { + BN_free(r->p); + r->p = p; + } + if (q != NULL) { + BN_free(r->q); + r->q = q; + } + + return 1; +} + +void +RSA_clear_flags(RSA *r, int flags) +{ + r->flags &= ~flags; +} + +int +RSA_test_flags(const RSA *r, int flags) +{ + return r->flags & flags; +} + +void +RSA_set_flags(RSA *r, int flags) +{ + r->flags |= flags; +} 
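Review bot: The new `RSA_set0_key`, `RSA_set0_crt_params` and `RSA_set0_factors` in rsa_lib.c take ownership of the BIGNUMs they are given, but nothing in the hunk says so, which invites double frees in callers. I would add a comment above each setter such as `/* On success r owns the passed BIGNUMs and the caller must not free them; on failure (return 0) nothing is consumed. */`; the failure half is visible in the code, since the NULL check returns before any `BN_free`. Each setter also frees the old member before storing the new one, so passing a pointer that `r` already holds (for example one obtained through `RSA_get0_key`) would leave `r` pointing at freed memory. A guard of the form `if (n != NULL && n != r->n) {` on each branch, or a sentence in the same comment, would cover that case.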
diff --git a/lib/libcrypto/rsa/rsa_meth.c b/lib/libcrypto/rsa/rsa_meth.c
new file mode 100644
index 0000000000..0e52799a38
--- /dev/null
+++ b/lib/libcrypto/rsa/rsa_meth.c
@@ -0,0 +1,86 @@
+/* $OpenBSD: rsa_meth.c,v 1.1 2018/03/17 15:12:56 tb Exp $ */
+/*
+ * Copyright (c) 2018 Theo Buehler
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include
+#include
+
+#include
+#include
+
+RSA_METHOD *
+RSA_meth_new(const char *name, int flags)
+{
+ RSA_METHOD *meth;
+
+ if ((meth = calloc(1, sizeof(*meth))) == NULL)
+ return NULL;
+ if ((meth->name = strdup(name)) == NULL) {
+ free(meth);
+ return NULL;
+ }
+ meth->flags = flags;
+
+ return meth;
+}
+
+void
+RSA_meth_free(RSA_METHOD *meth)
+{
+ if (meth != NULL) {
+ free((char *)meth->name);
+ free(meth);
+ }
+}
+
+RSA_METHOD *
+RSA_meth_dup(const RSA_METHOD *meth)
+{
+ RSA_METHOD *copy;
+
+ if ((copy = calloc(1, sizeof(*copy))) == NULL)
+ return NULL;
+ memcpy(copy, meth, sizeof(*copy));
+ if ((copy->name = strdup(meth->name)) == NULL) {
+ free(copy);
+ return NULL;
+ }
+
+ return copy;
+}
+
+int
+RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen,
+ const unsigned char *from, unsigned char *to, RSA *rsa, int padding))
+{
+ meth->rsa_priv_enc = priv_enc;
+ return 1;
+}
+
+int
+RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen,
+ const unsigned char *from, unsigned char *to, RSA *rsa, int padding))
+{
+ meth->rsa_priv_dec = priv_dec;
+ return 1;
+}
+
+int
+RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa)) +{ + meth->finish = finish; + return 1; +} diff --git a/lib/libcrypto/sha/asm/sha1-armv4-large.pl b/lib/libcrypto/sha/asm/sha1-armv4-large.pl index 33da3e0e3c..8f0cdaf83c 100644 --- a/lib/libcrypto/sha/asm/sha1-armv4-large.pl +++ b/lib/libcrypto/sha/asm/sha1-armv4-large.pl @@ -95,7 +95,7 @@ ___ sub BODY_00_15 { my ($a,$b,$c,$d,$e)=@_; $code.=<<___; -#if __ARM_ARCH__<7 +#if __ARM_ARCH__<7 || defined(__STRICT_ALIGNMENT) ldrb $t1,[$inp,#2] ldrb $t0,[$inp,#3] ldrb $t2,[$inp,#1] diff --git a/lib/libcrypto/sha/asm/sha256-armv4.pl b/lib/libcrypto/sha/asm/sha256-armv4.pl index 9c84e8d93c..292520731c 100644 --- a/lib/libcrypto/sha/asm/sha256-armv4.pl +++ b/lib/libcrypto/sha/asm/sha256-armv4.pl @@ -51,7 +51,7 @@ sub BODY_00_15 { my ($i,$a,$b,$c,$d,$e,$f,$g,$h) = @_; $code.=<<___ if ($i<16); -#if __ARM_ARCH__>=7 +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) ldr $T1,[$inp],#4 #else ldrb $T1,[$inp,#3] @ $i @@ -70,7 +70,7 @@ $code.=<<___; eor $t1,$f,$g #if $i>=16 add $T1,$T1,$t3 @ from BODY_16_xx -#elif __ARM_ARCH__>=7 && defined(__ARMEL__) +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) rev $T1,$T1 #endif #if $i==15 diff --git a/lib/libcrypto/sha/asm/sha512-armv4.pl b/lib/libcrypto/sha/asm/sha512-armv4.pl index 7faf37b147..a247a00c2b 100644 --- a/lib/libcrypto/sha/asm/sha512-armv4.pl +++ b/lib/libcrypto/sha/asm/sha512-armv4.pl @@ -229,7 +229,7 @@ WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817) sha512_block_data_order: sub r3,pc,#8 @ sha512_block_data_order add $len,$inp,$len,lsl#7 @ len to point at the end of inp -#if __ARM_ARCH__>=7 +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) ldr r12,.LOPENSSL_armcap ldr r12,[r3,r12] @ OPENSSL_armcap_P tst r12,#1 @@ -270,7 +270,7 @@ sha512_block_data_order: str $Thi,[sp,#$Foff+4] .L00_15: -#if __ARM_ARCH__<7 +#if __ARM_ARCH__<7 || defined(__STRICT_ALIGNMENT) ldrb $Tlo,[$inp,#7] ldrb $t0, [$inp,#6] ldrb $t1, [$inp,#5] 
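Review bot: In the new rsa_meth.c, `RSA_meth_new` passes `name` straight to `strdup`, and `RSA_meth_dup` does the same with `meth->name` after a `memcpy` from `meth`, so a NULL argument or a method with a NULL name is undefined behaviour rather than a NULL return. A one-line guard in each, `if (name == NULL) return NULL;` and `if (meth == NULL || meth->name == NULL) return NULL;`, would make those cases fail the same way as the allocation-failure path. `RSA_meth_free` also frees `meth->name` unconditionally, so it is only safe for methods whose name is heap-allocated. I would document that above it, for example `/* meth must come from RSA_meth_new() or RSA_meth_dup() */`.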
@@ -533,7 +533,7 @@ ___ } $code.=<<___; -#if __ARM_ARCH__>=7 +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) .fpu neon .align 4 diff --git a/lib/libcrypto/shlib_version b/lib/libcrypto/shlib_version index 704efc3027..c5b8a2505c 100644 --- a/lib/libcrypto/shlib_version +++ b/lib/libcrypto/shlib_version @@ -1,3 +1,3 @@ # Don't forget to give libssl and libtls the same type of bump! -major=42 -minor=0 +major=43 +minor=1 diff --git a/lib/libcrypto/x509/x509.h b/lib/libcrypto/x509/x509.h index 056b6d118c..5ccaf41114 100644 --- a/lib/libcrypto/x509/x509.h +++ b/lib/libcrypto/x509/x509.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.h,v 1.26 2016/12/27 16:05:57 jsing Exp $ */ +/* $OpenBSD: x509.h,v 1.44 2018/03/17 15:28:27 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -606,6 +606,20 @@ extern "C" { #define X509_CRL_get_issuer(x) ((x)->crl->issuer) #define X509_CRL_get_REVOKED(x) ((x)->crl->revoked) +int X509_CRL_up_ref(X509_CRL *x); +int X509_CRL_get_signature_nid(const X509_CRL *crl); + +const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl); +const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl); +const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl); +void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig, + const X509_ALGOR **palg); + +int X509_REQ_get_signature_nid(const X509_REQ *req); + +void X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig, + const X509_ALGOR **palg); + void X509_CRL_set_default_method(const X509_CRL_METHOD *meth); X509_CRL_METHOD *X509_CRL_METHOD_new( int (*crl_init)(X509_CRL *crl), 
@@ -750,6 +764,7 @@ void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md); int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b); X509_NAME *X509_NAME_dup(X509_NAME *xn); +int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder, size_t *pderlen); X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne); int X509_cmp_time(const ASN1_TIME *s, time_t *t); @@ -791,6 +806,7 @@ extern const ASN1_ITEM X509_PUBKEY_it; int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey); EVP_PKEY * X509_PUBKEY_get(X509_PUBKEY *key); +EVP_PKEY * X509_PUBKEY_get0(X509_PUBKEY *key); int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain); int i2d_PUBKEY(EVP_PKEY *a,unsigned char **pp); @@ -887,6 +903,9 @@ int X509_set_ex_data(X509 *r, int idx, void *arg); void *X509_get_ex_data(X509 *r, int idx); int i2d_X509_AUX(X509 *a,unsigned char **pp); X509 * d2i_X509_AUX(X509 **a,const unsigned char **pp,long length); +void X509_get0_signature(const ASN1_BIT_STRING **psig, + const X509_ALGOR **palg, const X509 *x); +int X509_get_signature_nid(const X509 *x); int X509_alias_set1(X509 *x, unsigned char *name, int len); int X509_keyid_set1(X509 *x, unsigned char *id, int len); @@ -901,14 +920,17 @@ void X509_reject_clear(X509 *x); X509_REVOKED *X509_REVOKED_new(void); void X509_REVOKED_free(X509_REVOKED *a); +X509_REVOKED *X509_REVOKED_dup(X509_REVOKED *a); X509_REVOKED *d2i_X509_REVOKED(X509_REVOKED **a, const unsigned char **in, long len); int i2d_X509_REVOKED(X509_REVOKED *a, unsigned char **out); extern const ASN1_ITEM X509_REVOKED_it; + X509_CRL_INFO *X509_CRL_INFO_new(void); void X509_CRL_INFO_free(X509_CRL_INFO *a); X509_CRL_INFO *d2i_X509_CRL_INFO(X509_CRL_INFO **a, const unsigned char **in, long len); int i2d_X509_CRL_INFO(X509_CRL_INFO *a, unsigned char **out); extern const ASN1_ITEM X509_CRL_INFO_it; + X509_CRL *X509_CRL_new(void); void X509_CRL_free(X509_CRL *a); X509_CRL *d2i_X509_CRL(X509_CRL **a, const unsigned char **in, long len); 
@@ -958,7 +980,9 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it, ASN1_BIT_STRING *signature, void *asn, EVP_MD_CTX *ctx); #endif -int X509_set_version(X509 *x,long version); +const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x); +const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x); +int X509_set_version(X509 *x, long version); int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial); ASN1_INTEGER * X509_get_serialNumber(X509 *x); int X509_set_issuer_name(X509 *x, X509_NAME *name); @@ -966,10 +990,17 @@ X509_NAME * X509_get_issuer_name(X509 *a); int X509_set_subject_name(X509 *x, X509_NAME *name); X509_NAME * X509_get_subject_name(X509 *a); int X509_set_notBefore(X509 *x, const ASN1_TIME *tm); +int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm); int X509_set_notAfter(X509 *x, const ASN1_TIME *tm); +int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm); +const ASN1_TIME *X509_get0_notBefore(const X509 *x); +ASN1_TIME *X509_getm_notBefore(const X509 *x); +const ASN1_TIME *X509_get0_notAfter(const X509 *x); +ASN1_TIME *X509_getm_notAfter(const X509 *x); int X509_set_pubkey(X509 *x, EVP_PKEY *pkey); EVP_PKEY * X509_get_pubkey(X509 *x); -ASN1_BIT_STRING * X509_get0_pubkey_bitstr(const X509 *x); +EVP_PKEY * X509_get0_pubkey(X509 *x); +ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x); int X509_certificate_type(X509 *x,EVP_PKEY *pubkey /* optional */); int X509_REQ_set_version(X509_REQ *x,long version); 
@@ -1004,11 +1035,16 @@ int X509_REQ_add1_attr_by_txt(X509_REQ *req, int X509_CRL_set_version(X509_CRL *x, long version); int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name); int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm); +int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm); int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm); +int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm); int X509_CRL_sort(X509_CRL *crl); -int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial); +const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(const X509_REVOKED *x); +const ASN1_TIME *X509_REVOKED_get0_revocationDate(const X509_REVOKED *x); +const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(const X509_REVOKED *x); int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm); +int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial); int X509_REQ_check_private_key(X509_REQ *x509,EVP_PKEY *pkey); @@ -1087,6 +1123,7 @@ int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, const unsigned char *bytes, int len); ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne); ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne); +int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne); int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x); int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, @@ -1275,6 +1312,7 @@ char *X509_TRUST_get0_name(X509_TRUST *xp); int X509_TRUST_get_trust(X509_TRUST *xp); int X509_up_ref(X509 *x); +STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain); /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes diff --git a/lib/libcrypto/x509/x509_cmp.c b/lib/libcrypto/x509/x509_cmp.c index 72fbef1544..ab0dbcba39 100644 --- a/lib/libcrypto/x509/x509_cmp.c +++ b/lib/libcrypto/x509/x509_cmp.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: x509_cmp.c,v 1.27 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_cmp.c,v 1.30 2018/03/17 14:57:23 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -321,11 +321,19 @@ X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name) EVP_PKEY * X509_get_pubkey(X509 *x) { - if ((x == NULL) || (x->cert_info == NULL)) + if (x == NULL || x->cert_info == NULL) return (NULL); return (X509_PUBKEY_get(x->cert_info->key)); } +EVP_PKEY * +X509_get0_pubkey(X509 *x) +{ + if (x == NULL || x->cert_info == NULL) + return (NULL); + return (X509_PUBKEY_get0(x->cert_info->key)); +} + ASN1_BIT_STRING * X509_get0_pubkey_bitstr(const X509 *x) { @@ -364,3 +372,21 @@ X509_check_private_key(X509 *x, EVP_PKEY *k) return 1; return 0; } + +/* + * Not strictly speaking an "up_ref" as a STACK doesn't have a reference + * count but it has the same effect by duping the STACK and upping the ref of + * each X509 structure. + */ +STACK_OF(X509) * +X509_chain_up_ref(STACK_OF(X509) *chain) +{ + STACK_OF(X509) *ret; + size_t i; + + ret = sk_X509_dup(chain); + for (i = 0; i < sk_X509_num(ret); i++) + X509_up_ref(sk_X509_value(ret, i)); + + return ret; +} diff --git a/lib/libcrypto/x509/x509_lu.c b/lib/libcrypto/x509/x509_lu.c index 6cde29fefc..742eb4d2bf 100644 --- a/lib/libcrypto/x509/x509_lu.c +++ b/lib/libcrypto/x509/x509_lu.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_lu.c,v 1.23 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_lu.c,v 1.28 2018/03/17 15:43:32 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -268,6 +268,13 @@ X509_STORE_free(X509_STORE *vfy) free(vfy); } +int +X509_STORE_up_ref(X509_STORE *x) +{ + int refs = CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_STORE); + return (refs > 1) ? 1 : 0; +} + X509_LOOKUP * X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m) { 
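Review bot: `X509_chain_up_ref` in x509_cmp.c never checks the result of `sk_X509_dup(chain)`. The loop index is a `size_t`, and `sk_X509_num()` reports a NULL stack as -1, so after a failed duplication the bound converts to a very large unsigned value and the loop calls `X509_up_ref` on a NULL element instead of the function returning NULL. I would write `if ((ret = sk_X509_dup(chain)) == NULL) return NULL;` and declare the index as `int i;` to match the return type of `sk_X509_num`. The return value of `X509_up_ref` is also ignored in the loop, which deserves a short comment if that is intentional.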
@@ -451,6 +458,12 @@ X509_OBJECT_up_ref_count(X509_OBJECT *a) } } +int +X509_OBJECT_get_type(const X509_OBJECT *a) +{ + return a->type; +} + void X509_OBJECT_free_contents(X509_OBJECT *a) { @@ -526,6 +539,22 @@ X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type, return sk_X509_OBJECT_value(h, idx); } +X509 * +X509_OBJECT_get0_X509(const X509_OBJECT *xo) +{ + if (xo != NULL && xo->type == X509_LU_X509) + return xo->data.x509; + return NULL; +} + +X509_CRL * +X509_OBJECT_get0_X509_CRL(X509_OBJECT *xo) +{ + if (xo != NULL && xo->type == X509_LU_CRL) + return xo->data.crl; + return NULL; +} + STACK_OF(X509) * X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) { @@ -649,7 +678,6 @@ X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x) return NULL; } - /* Try to get issuer certificate from store. Due to limitations * of the API this can only retrieve a single certificate matching * a given subject name. However it will fill the cache with all @@ -726,6 +754,24 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) return ret; } +STACK_OF(X509_OBJECT) * +X509_STORE_get0_objects(X509_STORE *xs) +{ + return xs->objs; +} + +void * +X509_STORE_get_ex_data(X509_STORE *xs, int idx) +{ + return CRYPTO_get_ex_data(&xs->ex_data, idx); +} + +int +X509_STORE_set_ex_data(X509_STORE *xs, int idx, void *data) +{ + return CRYPTO_set_ex_data(&xs->ex_data, idx, data); +} + int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags) { @@ -757,6 +803,12 @@ X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param) return X509_VERIFY_PARAM_set1(ctx->param, param); } +X509_VERIFY_PARAM * +X509_STORE_get0_param(X509_STORE *ctx) +{ + return ctx->param; +} + void X509_STORE_set_verify_cb(X509_STORE *ctx, int (*verify_cb)(int, X509_STORE_CTX *)) diff --git a/lib/libcrypto/x509/x509_set.c b/lib/libcrypto/x509/x509_set.c index aeaf161024..becdaf6ce5 100644 --- a/lib/libcrypto/x509/x509_set.c +++ b/lib/libcrypto/x509/x509_set.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: x509_set.c,v 1.12 2015/09/30 17:49:59 jsing Exp $ */ +/* $OpenBSD: x509_set.c,v 1.16 2018/02/22 17:09:28 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -63,6 +63,18 @@ #include #include +const STACK_OF(X509_EXTENSION) * +X509_get0_extensions(const X509 *x) +{ + return x->cert_info->extensions; +} + +const X509_ALGOR * +X509_get0_tbs_sigalg(const X509 *x) +{ + return x->cert_info->signature; +} + int X509_set_version(X509 *x, long version) { @@ -104,17 +116,31 @@ X509_set_issuer_name(X509 *x, X509_NAME *name) int X509_set_subject_name(X509 *x, X509_NAME *name) { - if ((x == NULL) || (x->cert_info == NULL)) + if (x == NULL || x->cert_info == NULL) return (0); return (X509_NAME_set(&x->cert_info->subject, name)); } +const ASN1_TIME * +X509_get0_notBefore(const X509 *x) +{ + return X509_getm_notBefore(x); +} + +ASN1_TIME * +X509_getm_notBefore(const X509 *x) +{ + if (x == NULL || x->cert_info == NULL || x->cert_info->validity == NULL) + return (NULL); + return x->cert_info->validity->notBefore; +} + int X509_set_notBefore(X509 *x, const ASN1_TIME *tm) { ASN1_TIME *in; - if ((x == NULL) || (x->cert_info->validity == NULL)) + if (x == NULL || x->cert_info->validity == NULL) return (0); in = x->cert_info->validity->notBefore; if (in != tm) { 
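Review bot: `X509_get0_extensions` and `X509_get0_tbs_sigalg` dereference `x->cert_info` with no NULL check, while `X509_getm_notBefore`, added further down in the same file, checks `x`, `x->cert_info` and `x->cert_info->validity` before returning. `X509_set_notBefore` still tests `x->cert_info->validity` without first testing `x->cert_info`, even though this commit rewrites that condition, and the next hunk leaves `X509_set_notAfter` the same way. Either give the two getters the guard `if (x == NULL || x->cert_info == NULL) return NULL;` and add `x->cert_info == NULL` to the setters' conditions, or state the non-NULL precondition in a comment so the difference is visibly deliberate. The body of `X509_set_notBefore` continues outside the hunk.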
@@ -128,11 +154,31 @@ X509_set_notBefore(X509 *x, const ASN1_TIME *tm) } int +X509_set1_notBefore(X509 *x, const ASN1_TIME *tm) +{ + return X509_set_notBefore(x, tm); +} + +const ASN1_TIME * +X509_get0_notAfter(const X509 *x) +{ + return X509_getm_notAfter(x); +} + +ASN1_TIME * +X509_getm_notAfter(const X509 *x) +{ + if (x == NULL || x->cert_info == NULL || x->cert_info->validity == NULL) + return (NULL); + return x->cert_info->validity->notAfter; +} + +int X509_set_notAfter(X509 *x, const ASN1_TIME *tm) { ASN1_TIME *in; - if ((x == NULL) || (x->cert_info->validity == NULL)) + if (x == NULL || x->cert_info->validity == NULL) return (0); in = x->cert_info->validity->notAfter; if (in != tm) { @@ -146,6 +192,12 @@ X509_set_notAfter(X509 *x, const ASN1_TIME *tm) } int +X509_set1_notAfter(X509 *x, const ASN1_TIME *tm) +{ + return X509_set_notAfter(x, tm); +} + +int X509_set_pubkey(X509 *x, EVP_PKEY *pkey) { if ((x == NULL) || (x->cert_info == NULL)) diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c index 8efff680c1..c8ccae5029 100644 --- a/lib/libcrypto/x509/x509_vfy.c +++ b/lib/libcrypto/x509/x509_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.66 2017/08/27 01:39:26 beck Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.68 2018/02/22 17:11:30 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2023,12 +2023,20 @@ X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) return ctx->current_cert; } -STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) +STACK_OF(X509) * +X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) { return ctx->chain; } -STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) +STACK_OF(X509) * +X509_STORE_CTX_get0_chain(X509_STORE_CTX *xs) +{ + return xs->chain; +} + +STACK_OF(X509) * +X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) { int i; X509 *x; 
@@ -2061,6 +2069,12 @@ X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) return ctx->parent; } +X509_STORE * +X509_STORE_CTX_get0_store(X509_STORE_CTX *xs) +{ + return xs->ctx; +} + void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) { @@ -2302,6 +2316,12 @@ X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) } void +X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) +{ + X509_STORE_CTX_trusted_stack(ctx, sk); +} + +void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) { if (ctx->cleanup) @@ -2349,6 +2369,24 @@ X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, ctx->verify_cb = verify_cb; } +X509 * +X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx) +{ + return ctx->cert; +} + +STACK_OF(X509) * +X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx) +{ + return ctx->untrusted; +} + +void +X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) +{ + ctx->untrusted = sk; +} + X509_POLICY_TREE * X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) { diff --git a/lib/libcrypto/x509/x509_vfy.h b/lib/libcrypto/x509/x509_vfy.h index b58d49d2e1..9e0730b014 100644 --- a/lib/libcrypto/x509/x509_vfy.h +++ b/lib/libcrypto/x509/x509_vfy.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.h,v 1.18 2016/12/21 15:15:45 jsing Exp $ */ +/* $OpenBSD: x509_vfy.h,v 1.27 2018/03/20 15:26:22 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
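Review bot: `X509_STORE_CTX_set0_untrusted` overwrites `ctx->untrusted` with the caller's stack, and the hunk shows no release of the previous value and no point at which the context would free `sk`, so the lifetime contract is left for the reader to guess. If the context only borrows the stack, as the plain assignment suggests, I would say so above the function: `/* ctx does not take ownership of sk; the caller keeps it alive for the lifetime of ctx and frees it afterwards */`. The same applies in reverse to `X509_STORE_CTX_get0_cert`, `X509_STORE_CTX_get0_untrusted` and `X509_STORE_CTX_get0_chain`, which return internal pointers that the caller must not free. A single comment covering the get0 accessors would help avoid use-after-free and double-free mistakes in code ported to these new names.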
@@ -425,16 +425,29 @@ int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,int type,X509_NAME *name); X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x); void X509_OBJECT_up_ref_count(X509_OBJECT *a); +int X509_OBJECT_get_type(const X509_OBJECT *a); void X509_OBJECT_free_contents(X509_OBJECT *a); -X509_STORE *X509_STORE_new(void ); -void X509_STORE_free(X509_STORE *v); +X509 *X509_OBJECT_get0_X509(const X509_OBJECT *xo); +X509_CRL *X509_OBJECT_get0_X509_CRL(X509_OBJECT *xo); +X509_STORE *X509_STORE_new(void); +void X509_STORE_free(X509_STORE *v); +int X509_STORE_up_ref(X509_STORE *x); STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *st, X509_NAME *nm); STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *st, X509_NAME *nm); +STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *xs); +void *X509_STORE_get_ex_data(X509_STORE *xs, int idx); +int X509_STORE_set_ex_data(X509_STORE *xs, int idx, void *data); + +#define X509_STORE_get_ex_new_index(l, p, newf, dupf, freef) \ + CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE, (l), (p), \ + (newf), (dupf), (freef)) + int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags); int X509_STORE_set_purpose(X509_STORE *ctx, int purpose); int X509_STORE_set_trust(X509_STORE *ctx, int trust); int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *pm); +X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx); void X509_STORE_set_verify_cb(X509_STORE *ctx, int (*verify_cb)(int, X509_STORE_CTX *)); 
@@ -446,7 +459,13 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); void X509_STORE_CTX_free(X509_STORE_CTX *ctx); int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, STACK_OF(X509) *chain); +X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx); +STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *xs); +X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *xs); +STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx); +void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); +void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx); X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m); @@ -512,7 +531,7 @@ void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t); void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, int (*verify_cb)(int, X509_STORE_CTX *)); - + X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx); int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx); 
@@ -542,6 +561,21 @@ int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, STACK_OF(ASN1_OBJECT) *policies); int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param); +int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, const char *name, + size_t namelen); +int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, const char *name, + size_t namelen); +void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, + unsigned int flags); +char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param); +int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, const char *email, + size_t emaillen); +int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, const unsigned char *ip, + size_t iplen); +int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc); +const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param); +const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id); +int X509_VERIFY_PARAM_get_count(void); int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param); const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name); diff --git a/lib/libcrypto/x509/x509_vpm.c b/lib/libcrypto/x509/x509_vpm.c index 3482227477..0897137697 100644 --- a/lib/libcrypto/x509/x509_vpm.c +++ b/lib/libcrypto/x509/x509_vpm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vpm.c,v 1.15 2016/12/21 15:15:45 jsing Exp $ */ +/* $OpenBSD: x509_vpm.c,v 1.17 2018/03/22 15:54:46 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ @@ -101,11 +101,11 @@ sk_deep_copy(void *sk_void, void *copy_func_void, void *free_func_void) void *(*copy_func)(void *) = copy_func_void; void (*free_func)(void *) = free_func_void; _STACK *ret = sk_dup(sk); + size_t i; if (ret == NULL) return NULL; - size_t i; for (i = 0; i < ret->num; i++) { if (ret->data[i] == NULL) continue; 
@@ -130,6 +130,8 @@ int_x509_param_set_hosts(X509_VERIFY_PARAM_ID *id, int mode, { char *copy; + if (name != NULL && namelen == 0) + namelen = strlen(name); /* * Refuse names with embedded NUL bytes. * XXX: Do we need to push an error onto the error stack? diff --git a/lib/libcrypto/x509/x509cset.c b/lib/libcrypto/x509/x509cset.c index afc1f0f2b3..182dd8a954 100644 --- a/lib/libcrypto/x509/x509cset.c +++ b/lib/libcrypto/x509/x509cset.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509cset.c,v 1.11 2015/09/30 17:49:59 jsing Exp $ */ +/* $OpenBSD: x509cset.c,v 1.14 2018/02/22 17:01:44 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -64,6 +64,13 @@ #include int +X509_CRL_up_ref(X509_CRL *x) +{ + int refs = CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL); + return (refs > 1) ? 1 : 0; +} + +int X509_CRL_set_version(X509_CRL *x, long version) { if (x == NULL) @@ -102,6 +109,12 @@ X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm) } int +X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm) +{ + return X509_CRL_set_lastUpdate(x, tm); +} + +int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm) { ASN1_TIME *in; @@ -120,6 +133,12 @@ X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm) } int +X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm) +{ + return X509_CRL_set_nextUpdate(x, tm); +} + +int X509_CRL_sort(X509_CRL *c) { int i; @@ -136,6 +155,24 @@ X509_CRL_sort(X509_CRL *c) return 1; } +const STACK_OF(X509_EXTENSION) * +X509_REVOKED_get0_extensions(const X509_REVOKED *x) +{ + return x->extensions; +} + +const ASN1_TIME * +X509_REVOKED_get0_revocationDate(const X509_REVOKED *x) +{ + return x->revocationDate; +} + +const ASN1_INTEGER * +X509_REVOKED_get0_serialNumber(const X509_REVOKED *x) +{ + return x->serialNumber; +} + int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm) { 
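Review bot: The new `namelen == 0` branch in int_x509_param_set_hosts turns a zero length into `strlen(name)`, so a caller that passes a zero length together with a buffer that is not NUL-terminated now causes a read past that buffer, and the convention is not documented where it is applied. A comment above the check would make the contract explicit, for example `/* namelen == 0 means name is a NUL-terminated C string. */`. The same convention is added to X509_check_host and X509_check_email in v3_utl.c later in this patch; there the `else if` keeps the embedded-NUL rejection for explicit lengths only, so a length that counts the terminator still returns -2, which deserves the same one-line comment. The body of int_x509_param_set_hosts continues outside the hunk.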
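Review bot: X509_CRL_up_ref has no comment on what its return value means, and `(refs > 1) ? 1 : 0` is easy to misread. A one-line comment such as `/* Returns 1 if the reference was taken, 0 if the count was not above 1 after the increment. */` would tell callers to check the result before keeping the pointer. Unlike X509_CRL_set_version directly below it, which tests `x == NULL`, this function dereferences `x` unconditionally; that precondition belongs in the same comment.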
diff --git a/lib/libcrypto/x509/x509name.c b/lib/libcrypto/x509/x509name.c index ef242ce0a5..2ca1a76b64 100644 --- a/lib/libcrypto/x509/x509name.c +++ b/lib/libcrypto/x509/x509name.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509name.c,v 1.14 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509name.c,v 1.15 2018/03/17 15:28:27 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -405,3 +405,9 @@ X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne) return (NULL); return (ne->value); } + +int +X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne) +{ + return (ne->set); +} diff --git a/lib/libcrypto/x509v3/v3_utl.c b/lib/libcrypto/x509v3/v3_utl.c index 04c789922b..67ecc81a44 100644 --- a/lib/libcrypto/x509v3/v3_utl.c +++ b/lib/libcrypto/x509v3/v3_utl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_utl.c,v 1.26 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: v3_utl.c,v 1.27 2018/03/20 16:16:59 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -1015,7 +1015,9 @@ int X509_check_host(X509 *x, const char *chk, size_t chklen, { if (chk == NULL) return -2; - if (memchr(chk, '\0', chklen)) + if (chklen == 0) + chklen = strlen(chk); + else if (memchr(chk, '\0', chklen)) return -2; return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername); } @@ -1025,7 +1027,9 @@ int X509_check_email(X509 *x, const char *chk, size_t chklen, { if (chk == NULL) return -2; - if (memchr(chk, '\0', chklen)) + if (chklen == 0) + chklen = strlen(chk); + else if (memchr(chk, '\0', chklen)) return -2; return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL); } diff --git a/lib/libssl/Makefile b/lib/libssl/Makefile index 140e74fb9c..9c486722ce 100644 --- a/lib/libssl/Makefile +++ b/lib/libssl/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.38 2017/08/13 19:42:33 doug Exp $ +# $OpenBSD: Makefile,v 1.39 2018/03/17 16:20:01 beck Exp $ .include .ifndef NOMAN 
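Review bot: X509_NAME_ENTRY_set dereferences `ne` unconditionally, while the accessor shown as context just above it, X509_NAME_ENTRY_get_data, has a `return (NULL);` before `return (ne->value);`, which suggests it guards against a NULL entry (the guard itself is outside the hunk). Since an `int` return has no obvious error value here, the simplest fix is to document the precondition, e.g. `/* ne must not be NULL; returns ne->set. */`. If the neighbouring accessors do tolerate NULL, it would be worth deciding on one behaviour for the whole group.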
@@ -33,7 +33,7 @@ SRCS= \ ssl_ciph.c ssl_stat.c ssl_rsa.c \ ssl_asn1.c ssl_txt.c ssl_algs.c \ bio_ssl.c ssl_err.c \ - ssl_packet.c ssl_tlsext.c ssl_versions.c pqueue.c + ssl_packet.c ssl_tlsext.c ssl_versions.c pqueue.c ssl_init.c SRCS+= s3_cbc.c SRCS+= bs_ber.c bs_cbb.c bs_cbs.c diff --git a/lib/libssl/Symbols.list b/lib/libssl/Symbols.list index e147ff873d..c66024e21d 100644 --- a/lib/libssl/Symbols.list +++ b/lib/libssl/Symbols.list @@ -39,13 +39,18 @@ ERR_load_SSL_strings /* general API */ SSL_CIPHER_description +SSL_CIPHER_get_auth_nid SSL_CIPHER_get_bits SSL_CIPHER_get_by_id SSL_CIPHER_get_by_value +SSL_CIPHER_get_cipher_nid +SSL_CIPHER_get_digest_nid SSL_CIPHER_get_id +SSL_CIPHER_get_kx_nid SSL_CIPHER_get_name SSL_CIPHER_get_value SSL_CIPHER_get_version +SSL_CIPHER_is_aead SSL_COMP_add_compression_method SSL_COMP_get_compression_methods SSL_COMP_get_name @@ -56,12 +61,19 @@ SSL_CTX_check_private_key SSL_CTX_ctrl SSL_CTX_flush_sessions SSL_CTX_free +SSL_CTX_get0_certificate +SSL_CTX_get0_param SSL_CTX_get_cert_store +SSL_CTX_get_ciphers SSL_CTX_get_client_CA_list SSL_CTX_get_client_cert_cb +SSL_CTX_get_default_passwd_cb +SSL_CTX_get_default_passwd_cb_userdata SSL_CTX_get_ex_data SSL_CTX_get_ex_new_index SSL_CTX_get_info_callback +SSL_CTX_get_max_proto_version +SSL_CTX_get_min_proto_version SSL_CTX_get_quiet_shutdown SSL_CTX_get_timeout SSL_CTX_get_verify_callback @@ -97,8 +109,8 @@ SSL_CTX_set_default_verify_paths SSL_CTX_set_ex_data SSL_CTX_set_generate_session_id SSL_CTX_set_info_callback -SSL_CTX_set_min_proto_version SSL_CTX_set_max_proto_version +SSL_CTX_set_min_proto_version SSL_CTX_set_msg_callback SSL_CTX_set_next_proto_select_cb SSL_CTX_set_next_protos_advertised_cb @@ -114,6 +126,7 @@ SSL_CTX_set_tmp_rsa_callback SSL_CTX_set_trust SSL_CTX_set_verify SSL_CTX_set_verify_depth +SSL_CTX_up_ref SSL_CTX_use_PrivateKey SSL_CTX_use_PrivateKey_ASN1 SSL_CTX_use_PrivateKey_file 
@@ -126,20 +139,27 @@ SSL_CTX_use_certificate_chain_file SSL_CTX_use_certificate_chain_mem SSL_CTX_use_certificate_file SSL_SESSION_free +SSL_SESSION_get0_id_context SSL_SESSION_get0_peer SSL_SESSION_get_compress_id SSL_SESSION_get_ex_data SSL_SESSION_get_ex_new_index SSL_SESSION_get_id +SSL_SESSION_get_master_key +SSL_SESSION_get_protocol_version +SSL_SESSION_get_ticket_lifetime_hint SSL_SESSION_get_time SSL_SESSION_get_timeout +SSL_SESSION_has_ticket SSL_SESSION_new SSL_SESSION_print SSL_SESSION_print_fp +SSL_SESSION_set1_id SSL_SESSION_set1_id_context SSL_SESSION_set_ex_data SSL_SESSION_set_time SSL_SESSION_set_timeout +SSL_SESSION_up_ref SSL_accept SSL_add_client_CA SSL_add_dir_cert_subjects_to_stack @@ -162,12 +182,14 @@ SSL_export_keying_material SSL_free SSL_get0_alpn_selected SSL_get0_next_proto_negotiated +SSL_get0_param SSL_get1_session SSL_get_SSL_CTX SSL_get_certificate SSL_get_cipher_list SSL_get_ciphers SSL_get_client_CA_list +SSL_get_client_random SSL_get_current_cipher SSL_get_current_compression SSL_get_current_expansion @@ -179,6 +201,8 @@ SSL_get_ex_new_index SSL_get_fd SSL_get_finished SSL_get_info_callback +SSL_get_max_proto_version +SSL_get_min_proto_version SSL_get_peer_cert_chain SSL_get_peer_certificate SSL_get_peer_finished @@ -188,6 +212,7 @@ SSL_get_rbio SSL_get_read_ahead SSL_get_rfd SSL_get_selected_srtp_profile +SSL_get_server_random SSL_get_servername SSL_get_servername_type SSL_get_session @@ -203,6 +228,7 @@ SSL_get_version SSL_get_wbio SSL_get_wfd SSL_has_matching_session_id +SSL_is_server SSL_library_init SSL_load_client_CA_file SSL_load_error_strings @@ -231,8 +257,8 @@ SSL_set_ex_data SSL_set_fd SSL_set_generate_session_id SSL_set_info_callback -SSL_set_min_proto_version SSL_set_max_proto_version +SSL_set_min_proto_version SSL_set_msg_callback SSL_set_purpose SSL_set_quiet_shutdown 
@@ -259,6 +285,7 @@ SSL_shutdown SSL_state SSL_state_string SSL_state_string_long +SSL_up_ref SSL_use_PrivateKey SSL_use_PrivateKey_ASN1 SSL_use_PrivateKey_file @@ -272,3 +299,6 @@ SSL_version SSL_version_str SSL_want SSL_write + +/* OpenSSL compatible init */ +OPENSSL_init_ssl diff --git a/lib/libssl/bs_cbb.c b/lib/libssl/bs_cbb.c index 1c02eaf0be..bf7de3fd33 100644 --- a/lib/libssl/bs_cbb.c +++ b/lib/libssl/bs_cbb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bs_cbb.c,v 1.17.4.1 2017/12/09 13:43:25 jsing Exp $ */ +/* $OpenBSD: bs_cbb.c,v 1.18 2017/11/28 16:34:20 jsing Exp $ */ /* * Copyright (c) 2014, Google Inc. * diff --git a/lib/libssl/bytestring.h b/lib/libssl/bytestring.h index 42d3d5d6d1..2e89a5791a 100644 --- a/lib/libssl/bytestring.h +++ b/lib/libssl/bytestring.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bytestring.h,v 1.15.6.1 2017/12/09 13:43:25 jsing Exp $ */ +/* $OpenBSD: bytestring.h,v 1.16 2017/11/28 16:34:20 jsing Exp $ */ /* * Copyright (c) 2014, Google Inc. * diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c index 6b86cfc03e..42f8cbd537 100644 --- a/lib/libssl/d1_both.c +++ b/lib/libssl/d1_both.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_both.c,v 1.51 2017/05/07 04:22:24 beck Exp $ */ +/* $OpenBSD: d1_both.c,v 1.52 2017/10/08 16:24:02 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -162,9 +162,6 @@ static unsigned int dtls1_guess_mtu(unsigned int curr_mtu); static void dtls1_fix_message_header(SSL *s, unsigned long frag_off, unsigned long frag_len); static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p); -static void dtls1_set_message_header_int(SSL *s, unsigned char mt, - unsigned long len, unsigned short seq_num, unsigned long frag_off, - unsigned long frag_len); static long dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok); 
@@ -895,40 +892,6 @@ f_err: return (-1); } -/* - * for these 2 messages, we need to - * ssl->enc_read_ctx re-init - * ssl->s3->internal->read_sequence zero - * ssl->s3->internal->read_mac_secret re-init - * ssl->session->read_sym_enc assign - * ssl->session->read_hash assign - */ -int -dtls1_send_change_cipher_spec(SSL *s, int a, int b) -{ - unsigned char *p; - - if (S3I(s)->hs.state == a) { - p = (unsigned char *)s->internal->init_buf->data; - *p++=SSL3_MT_CCS; - D1I(s)->handshake_write_seq = D1I(s)->next_handshake_write_seq; - s->internal->init_num = DTLS1_CCS_HEADER_LENGTH; - - s->internal->init_off = 0; - - dtls1_set_message_header_int(s, SSL3_MT_CCS, 0, - D1I(s)->handshake_write_seq, 0, 0); - - /* buffer the message to handle re-xmits */ - dtls1_buffer_message(s, 1); - - S3I(s)->hs.state = b; - } - - /* SSL3_ST_CW_CHANGE_B */ - return (dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC)); -} - int dtls1_read_failed(SSL *s, int code) { @@ -1182,7 +1145,7 @@ dtls1_set_message_header(SSL *s, unsigned char mt, unsigned long len, } /* don't actually do the writing, wait till the MTU has been retrieved */ -static void +void dtls1_set_message_header_int(SSL *s, unsigned char mt, unsigned long len, unsigned short seq_num, unsigned long frag_off, unsigned long frag_len) { diff --git a/bin/openssl/apps_posix.c b/lib/libssl/d1_clnt.c similarity index 63% copy from bin/openssl/apps_posix.c copy to lib/libssl/d1_clnt.c index 67cd465088..f3a7e5ff22 100644 --- a/bin/openssl/apps_posix.c +++ b/lib/libssl/d1_clnt.c 
@@ -1,3 +1,61 @@ +/* $OpenBSD: d1_clnt.c,v 1.79 2017/10/10 15:13:26 jsing Exp $ */ +/* + * DTLS implementation written by Nagendra Modadugu + * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. + */ +/* ==================================================================== + * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. 
Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -54,111 +112,122 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ -/* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. 
Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* - * Functions that need to be overridden by non-POSIX operating systems. 
- */ +#include +#include -#include +#include "ssl_locl.h" -#include +#include +#include +#include +#include +#include +#include -#include "apps.h" +#include "bytestring.h" -double -app_tminterval(int stop, int usertime) -{ - double ret = 0; - struct tms rus; - clock_t now = times(&rus); - static clock_t tmstart; - - if (usertime) - now = rus.tms_utime; - - if (stop == TM_START) - tmstart = now; - else { - long int tck = sysconf(_SC_CLK_TCK); - ret = (now - tmstart) / (double) tck; - } +static const SSL_METHOD_INTERNAL DTLSv1_client_method_internal_data = { + .version = DTLS1_VERSION, + .min_version = DTLS1_VERSION, + .max_version = DTLS1_VERSION, + .ssl_new = dtls1_new, + .ssl_clear = dtls1_clear, + .ssl_free = dtls1_free, + .ssl_accept = ssl_undefined_function, + .ssl_connect = ssl3_connect, + .ssl_read = ssl3_read, + .ssl_peek = ssl3_peek, + .ssl_write = ssl3_write, + .ssl_shutdown = dtls1_shutdown, + .ssl_pending = ssl3_pending, + .get_ssl_method = dtls1_get_client_method, + .get_timeout = dtls1_default_timeout, + .ssl_version = ssl_undefined_void_function, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_get_message = dtls1_get_message, + .ssl_read_bytes = dtls1_read_bytes, + .ssl_write_bytes = dtls1_write_app_data_bytes, + .ssl3_enc = &DTLSv1_enc_data, +}; - return (ret); +static const SSL_METHOD DTLSv1_client_method_data = { + .ssl_dispatch_alert = dtls1_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = dtls1_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + .internal = &DTLSv1_client_method_internal_data, +}; + +const SSL_METHOD * +DTLSv1_client_method(void) +{ + return &DTLSv1_client_method_data; } -int -setup_ui(void) +const SSL_METHOD * +dtls1_get_client_method(int ver) { - ui_method = UI_create_method("OpenSSL application user interface"); - UI_method_set_opener(ui_method, ui_open); - UI_method_set_reader(ui_method, ui_read); - 
UI_method_set_writer(ui_method, ui_write); - UI_method_set_closer(ui_method, ui_close); - return 0; + if (ver == DTLS1_VERSION) + return (DTLSv1_client_method()); + return (NULL); } -void -destroy_ui(void) +int +dtls1_get_hello_verify(SSL *s) { - if (ui_method) { - UI_destroy_method(ui_method); - ui_method = NULL; + long n; + int al, ok = 0; + size_t cookie_len; + uint16_t ssl_version; + CBS hello_verify_request, cookie; + + n = s->method->internal->ssl_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, + DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->internal->max_cert_list, &ok); + + if (!ok) + return ((int)n); + + if (S3I(s)->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) { + D1I(s)->send_cookie = 0; + S3I(s)->tmp.reuse_message = 1; + return (1); } + + if (n < 0) + goto truncated; + + CBS_init(&hello_verify_request, s->internal->init_msg, n); + + if (!CBS_get_u16(&hello_verify_request, &ssl_version)) + goto truncated; + + if (ssl_version != s->version) { + SSLerror(s, SSL_R_WRONG_SSL_VERSION); + s->version = (s->version & 0xff00) | (ssl_version & 0xff); + al = SSL_AD_PROTOCOL_VERSION; + goto f_err; + } + + if (!CBS_get_u8_length_prefixed(&hello_verify_request, &cookie)) + goto truncated; + + if (!CBS_write_bytes(&cookie, D1I(s)->cookie, + sizeof(D1I(s)->cookie), &cookie_len)) { + D1I(s)->cookie_len = 0; + al = SSL_AD_ILLEGAL_PARAMETER; + goto f_err; + } + D1I(s)->cookie_len = cookie_len; + D1I(s)->send_cookie = 1; + + return 1; + +truncated: + al = SSL_AD_DECODE_ERROR; +f_err: + ssl3_send_alert(s, SSL3_AL_FATAL, al); + return -1; } diff --git a/lib/libssl/d1_meth.c b/lib/libssl/d1_meth.c index fcd8906c45..9ecca0027c 100644 --- a/lib/libssl/d1_meth.c +++ b/lib/libssl/d1_meth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_meth.c,v 1.13 2017/01/23 13:36:13 jsing Exp $ */ +/* $OpenBSD: d1_meth.c,v 1.15 2017/10/12 15:52:50 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 
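Review bot: dtls1_get_hello_verify stops parsing once the cookie has been read, so any bytes that follow the cookie in a HelloVerifyRequest are accepted silently. Directly after the `CBS_get_u8_length_prefixed(&hello_verify_request, &cookie)` check, add `if (CBS_len(&hello_verify_request) != 0) goto truncated;` so a message with trailing data is rejected with a decode_error alert like the other malformed cases. The copy into `D1I(s)->cookie` is already bounded by `sizeof(D1I(s)->cookie)` through `CBS_write_bytes`, so this is about strict parsing of peer input rather than memory safety.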
@@ -72,8 +72,8 @@ static const SSL_METHOD_INTERNAL DTLSv1_method_internal_data = { .ssl_new = dtls1_new, .ssl_clear = dtls1_clear, .ssl_free = dtls1_free, - .ssl_accept = dtls1_accept, - .ssl_connect = dtls1_connect, + .ssl_accept = ssl3_accept, + .ssl_connect = ssl3_connect, .ssl_read = ssl3_read, .ssl_peek = ssl3_peek, .ssl_write = ssl3_write, diff --git a/bin/openssl/apps_posix.c b/lib/libssl/d1_srvr.c similarity index 65% copy from bin/openssl/apps_posix.c copy to lib/libssl/d1_srvr.c index 67cd465088..57b8ea0e24 100644 --- a/bin/openssl/apps_posix.c +++ b/lib/libssl/d1_srvr.c 
@@ -1,3 +1,61 @@ +/* $OpenBSD: d1_srvr.c,v 1.91 2017/10/12 15:52:50 jsing Exp $ */ +/* + * DTLS implementation written by Nagendra Modadugu + * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. + */ +/* ==================================================================== + * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. 
Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -54,111 +112,102 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ -/* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. 
Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -/* - * Functions that need to be overridden by non-POSIX operating systems. 
- */ -#include +#include -#include +#include "ssl_locl.h" -#include "apps.h" - -double -app_tminterval(int stop, int usertime) -{ - double ret = 0; - struct tms rus; - clock_t now = times(&rus); - static clock_t tmstart; +#include +#include +#include +#include +#include +#include +#include - if (usertime) - now = rus.tms_utime; +static const SSL_METHOD_INTERNAL DTLSv1_server_method_internal_data = { + .version = DTLS1_VERSION, + .min_version = DTLS1_VERSION, + .max_version = DTLS1_VERSION, + .ssl_new = dtls1_new, + .ssl_clear = dtls1_clear, + .ssl_free = dtls1_free, + .ssl_accept = ssl3_accept, + .ssl_connect = ssl_undefined_function, + .ssl_read = ssl3_read, + .ssl_peek = ssl3_peek, + .ssl_write = ssl3_write, + .ssl_shutdown = dtls1_shutdown, + .ssl_pending = ssl3_pending, + .get_ssl_method = dtls1_get_server_method, + .get_timeout = dtls1_default_timeout, + .ssl_version = ssl_undefined_void_function, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_get_message = dtls1_get_message, + .ssl_read_bytes = dtls1_read_bytes, + .ssl_write_bytes = dtls1_write_app_data_bytes, + .ssl3_enc = &DTLSv1_enc_data, +}; - if (stop == TM_START) - tmstart = now; - else { - long int tck = sysconf(_SC_CLK_TCK); - ret = (now - tmstart) / (double) tck; - } +static const SSL_METHOD DTLSv1_server_method_data = { + .ssl_dispatch_alert = dtls1_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = dtls1_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + .internal = &DTLSv1_server_method_internal_data, +}; - return (ret); +const SSL_METHOD * +DTLSv1_server_method(void) +{ + return &DTLSv1_server_method_data; } -int -setup_ui(void) +const SSL_METHOD * +dtls1_get_server_method(int ver) { - ui_method = UI_create_method("OpenSSL application user interface"); - UI_method_set_opener(ui_method, ui_open); - UI_method_set_reader(ui_method, ui_read); - UI_method_set_writer(ui_method, 
ui_write); - UI_method_set_closer(ui_method, ui_close); - return 0; + if (ver == DTLS1_VERSION) + return (DTLSv1_server_method()); + return (NULL); } -void -destroy_ui(void) +int +dtls1_send_hello_verify_request(SSL *s) { - if (ui_method) { - UI_destroy_method(ui_method); - ui_method = NULL; + CBB cbb, verify, cookie; + + memset(&cbb, 0, sizeof(cbb)); + + if (S3I(s)->hs.state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) { + if (s->ctx->internal->app_gen_cookie_cb == NULL || + s->ctx->internal->app_gen_cookie_cb(s, D1I(s)->cookie, + &(D1I(s)->cookie_len)) == 0) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + return 0; + } + + if (!ssl3_handshake_msg_start_cbb(s, &cbb, &verify, + DTLS1_MT_HELLO_VERIFY_REQUEST)) + goto err; + if (!CBB_add_u16(&verify, s->version)) + goto err; + if (!CBB_add_u8_length_prefixed(&verify, &cookie)) + goto err; + if (!CBB_add_bytes(&cookie, D1I(s)->cookie, D1I(s)->cookie_len)) + goto err; + if (!ssl3_handshake_msg_finish_cbb(s, &cbb)) + goto err; + + S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B; } + + /* S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */ + return (ssl3_handshake_write(s)); + + err: + CBB_cleanup(&cbb); + + return (-1); } diff --git a/lib/libssl/man/BIO_f_ssl.3 b/lib/libssl/man/BIO_f_ssl.3 index 5404b9c70f..6826441e81 100644 --- a/lib/libssl/man/BIO_f_ssl.3 +++ b/lib/libssl/man/BIO_f_ssl.3 @@ -1,6 +1,6 @@ -.\" $OpenBSD: BIO_f_ssl.3,v 1.5 2017/08/20 17:35:18 schwarze Exp $ -.\" OpenSSL BIO_f_ssl.pod e90fc053 Jul 15 09:39:45 2017 -0400 -.\" OpenSSL BIO_f_ssl.pod f672aee4 Feb 9 11:52:40 2016 -0500 +.\" $OpenBSD: BIO_f_ssl.3,v 1.8 2018/03/21 08:06:34 schwarze Exp $ +.\" full merge up to: OpenSSL f672aee4 Feb 9 11:52:40 2016 -0500 +.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800 .\" .\" This file was written by Dr. Stephen Henson . .\" Copyright (c) 2000, 2003, 2009, 2014-2016 The OpenSSL Project. 
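Review bot: In dtls1_send_hello_verify_request the length that `app_gen_cookie_cb` writes into `D1I(s)->cookie_len` is used unchecked in `CBB_add_bytes(&cookie, D1I(s)->cookie, D1I(s)->cookie_len)`, so an application callback that reports more than the cookie buffer holds makes the library read past `D1I(s)->cookie`. Right after the callback succeeds, a guard such as `if (D1I(s)->cookie_len > sizeof(D1I(s)->cookie)) { SSLerror(s, ERR_R_INTERNAL_ERROR); return 0; }` would fail closed. This assumes `cookie` is a fixed-size array, as the `sizeof(D1I(s)->cookie)` use in d1_clnt.c in this patch suggests. The guard cannot undo an overflow the callback itself has already caused, so the maximum cookie size the callback may write should also be stated in a comment at the call site.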
@@ -50,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 20 2017 $ +.Dd $Mdocdate: March 21 2018 $ .Dt BIO_F_SSL 3 .Os .Sh NAME @@ -353,8 +353,37 @@ and .Fn BIO_do_handshake are implemented as macros. .Sh RETURN VALUES -.\" XXX -This section is incomplete. +.Fn BIO_f_ssl +returns a pointer to a static +.Vt BIO_METHOD +structure. +.Pp +.Fn BIO_set_ssl , +.Fn BIO_get_ssl , +.Fn BIO_set_ssl_mode , +.Fn BIO_set_ssl_renegotiate_bytes , +.Fn BIO_set_ssl_renegotiate_timeout , +and +.Fn BIO_get_num_renegotiates +return 1 on success or a value less than or equal to 0 +if an error occurred. +.Pp +.Fn BIO_new_ssl , +.Fn BIO_new_ssl_connect , +and +.Fn BIO_new_buffer_ssl_connect +returns a pointer to a newly allocated +.Vt BIO +chain or +.Dv NULL +if an error occurred. +.Pp +.Fn BIO_ssl_copy_session_id +returns 1 on success or 0 on error. +.Pp +.Fn BIO_do_handshake +returns 1 if the connection was established successfully +or a value less than or equal to 0 otherwise. .Sh EXAMPLES This SSL/TLS client example attempts to retrieve a page from an SSL/TLS web server. @@ -537,6 +566,26 @@ BIO_flush(sbio); BIO_free_all(sbio); .Ed .Sh HISTORY +.Fn BIO_f_ssl , +.Fn BIO_set_ssl , +.Fn BIO_get_ssl , +.Fn BIO_set_ssl_mode , +.Fn BIO_new_ssl , +.Fn BIO_ssl_copy_session_id , +.Fn BIO_ssl_shutdown , +and +.Fn BIO_do_handshake +appeared before SSLeay 0.8. +.Fn BIO_set_ssl_renegotiate_bytes , +.Fn BIO_get_num_renegotiates , +.Fn BIO_set_ssl_renegotiate_timeout , +.Fn BIO_new_ssl_connect , +and +.Fn BIO_new_buffer_ssl_connect +first appeared in SSLeay 0.9.0. +All these functions have been available since +.Ox 2.4 . +.Pp In OpenSSL versions before 1.0.0 the .Xr BIO_pop 3 call was handled incorrectly: diff --git a/lib/libssl/man/DTLSv1_listen.3 b/lib/libssl/man/DTLSv1_listen.3 index 457ac1add8..26a874a347 100644 --- a/lib/libssl/man/DTLSv1_listen.3 +++ b/lib/libssl/man/DTLSv1_listen.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: DTLSv1_listen.3,v 1.2 2016/12/06 12:24:33 schwarze Exp $ +.\" $OpenBSD: DTLSv1_listen.3,v 1.3 2018/03/23 02:21:08 schwarze Exp $ .\" OpenSSL 7795475f Dec 18 13:18:31 2015 -0500 .\" .\" This file was written by Matt Caswell . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 6 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt DTLSV1_LISTEN 3 .Os .Sh NAME @@ -183,4 +183,5 @@ non-fatal), whilst return codes >0 indicate success. .Xr SSL_get_error 3 .Sh HISTORY .Fn DTLSv1_listen -was added in OpenSSL 0.9.8. +first appeared in OpenSSL 0.9.8m and have been available since +.Ox 4.9 . diff --git a/lib/libssl/man/Makefile b/lib/libssl/man/Makefile index d66b75b6f1..a26a96bd96 100644 --- a/lib/libssl/man/Makefile +++ b/lib/libssl/man/Makefile @@ -1,9 +1,10 @@ -# $OpenBSD: Makefile,v 1.59 2017/08/21 10:10:25 schwarze Exp $ +# $OpenBSD: Makefile,v 1.65 2018/03/17 18:52:42 schwarze Exp $ .include MAN = BIO_f_ssl.3 \ DTLSv1_listen.3 \ + OPENSSL_init_ssl.3 \ PEM_read_SSL_SESSION.3 \ SSL_CIPHER_get_name.3 \ SSL_COMP_add_compression_method.3 \ @@ -14,6 +15,7 @@ MAN = BIO_f_ssl.3 \ SSL_CTX_free.3 \ SSL_CTX_get_ex_new_index.3 \ SSL_CTX_get_verify_mode.3 \ + SSL_CTX_get0_certificate.3 \ SSL_CTX_load_verify_locations.3 \ SSL_CTX_new.3 \ SSL_CTX_sess_number.3 \ @@ -43,6 +45,7 @@ MAN = BIO_f_ssl.3 \ SSL_CTX_set_tlsext_servername_callback.3 \ SSL_CTX_set_tlsext_status_cb.3 \ SSL_CTX_set_tlsext_ticket_key_cb.3 \ + SSL_CTX_set_tlsext_use_srtp.3 \ SSL_CTX_set_tmp_dh_callback.3 \ SSL_CTX_set_tmp_rsa_callback.3 \ SSL_CTX_set_verify.3 \ @@ -52,8 +55,10 @@ MAN = BIO_f_ssl.3 \ SSL_SESSION_get_compress_id.3 \ SSL_SESSION_get_ex_new_index.3 \ SSL_SESSION_get_id.3 \ + SSL_SESSION_get_protocol_version.3 \ SSL_SESSION_get_time.3 \ SSL_SESSION_get0_peer.3 \ + SSL_SESSION_has_ticket.3 \ SSL_SESSION_new.3 \ SSL_SESSION_print.3 \ SSL_SESSION_set1_id_context.3 \ 
@@ -71,6 +76,7 @@ MAN = BIO_f_ssl.3 \ SSL_get_certificate.3 \ SSL_get_ciphers.3 \ SSL_get_client_CA_list.3 \ + SSL_get_client_random.3 \ SSL_get_current_cipher.3 \ SSL_get_default_timeout.3 \ SSL_get_error.3 \ diff --git a/lib/libssl/man/OPENSSL_init_ssl.3 b/lib/libssl/man/OPENSSL_init_ssl.3 new file mode 100644 index 0000000000..7530dbe4a3 --- /dev/null +++ b/lib/libssl/man/OPENSSL_init_ssl.3 
@@ -0,0 +1,61 @@
+.\" $OpenBSD: OPENSSL_init_ssl.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $
+.\" Copyright (c) 2018 Ingo Schwarze
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: March 24 2018 $
+.Dt OPENSSL_INIT_SSL 3
+.Os
+.Sh NAME
+.Nm OPENSSL_init_ssl
+.Nd initialise the crypto and ssl libraries
+.Sh SYNOPSIS
+.In openssl/ssl.h
+.Ft int
+.Fo OPENSSL_init_ssl
+.Fa "uint64_t options"
+.Fa "const void *dummy"
+.Fc
+.Sh DESCRIPTION
+.Fn OPENSSL_init_ssl
+calls
+.Xr OPENSSL_init_crypto 3
+and also allocates various resources used internally by the ssl library.
+.Pp
+Calling it is never useful because it is automatically called
+internally when needed.
+.Pp
+The
+.Fa options
+argument is passed on to
+.Xr OPENSSL_init_crypto 3
+and the
+.Fa dummy
+argument is ignored.
+.Pp
+If this function is called more than once,
+none of the calls except the first one have any effect.
+.Sh RETURN VALUES
+.Fn OPENSSL_init_ssl
+is intended to return 1 on success or 0 on error.
+.Sh SEE ALSO
+.Xr CONF_modules_load_file 3 ,
+.Xr OPENSSL_init_crypto 3
+.Sh HISTORY
+.Fn OPENSSL_init_ssl
+first appeared in OpenSSL 1.1.0 and has been available since
+.Ox 6.3 .
+.Sh BUGS
+.Fn OPENSSL_init_ssl
+silently ignores even more configuration failures than
+.Xr OPENSSL_init_crypto 3 .
diff --git a/lib/libssl/man/PEM_read_SSL_SESSION.3 b/lib/libssl/man/PEM_read_SSL_SESSION.3 index 23b811db0b..1412672caa 100644 --- a/lib/libssl/man/PEM_read_SSL_SESSION.3 +++ b/lib/libssl/man/PEM_read_SSL_SESSION.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: PEM_read_SSL_SESSION.3,v 1.1 2016/11/28 21:05:21 schwarze Exp $ +.\" $OpenBSD: PEM_read_SSL_SESSION.3,v 1.2 2018/03/21 05:07:04 schwarze Exp $ .\" OpenSSL doc/man3/PEM_read_CMS.pod b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Rich Salz . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 28 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt PEM_READ_SSL_SESSION 3 .Os .Sh NAME @@ -133,3 +133,11 @@ and return the number of bytes written or 0 on error. .Sh SEE ALSO .Xr PEM_read 3 +.Sh HISTORY +.Fn PEM_read_SSL_SESSION , +.Fn PEM_read_bio_SSL_SESSION , +.Fn PEM_write_SSL_SESSION , +and +.Fn PEM_write_bio_SSL_SESSION +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . diff --git a/lib/libssl/man/SSL_CIPHER_get_name.3 b/lib/libssl/man/SSL_CIPHER_get_name.3 index b85fdffe8d..d69590922c 100644 --- a/lib/libssl/man/SSL_CIPHER_get_name.3 +++ b/lib/libssl/man/SSL_CIPHER_get_name.3 
@@ -1,9 +1,12 @@ -.\" $OpenBSD: SSL_CIPHER_get_name.3,v 1.3 2017/07/05 11:43:09 schwarze Exp $ -.\" OpenSSL 45f55f6a Nov 30 15:35:22 2014 +0100 +.\" $OpenBSD: SSL_CIPHER_get_name.3,v 1.8 2018/03/24 00:55:37 schwarze Exp $ +.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 +.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800 .\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2000, 2001, 2005, 2009, 2013, 2014 The OpenSSL Project. -.\" All rights reserved. +.\" This file was written by Lutz Jaenicke , +.\" Dr. Stephen Henson , Todd Short , +.\" and Paul Yang . +.\" Copyright (c) 2000, 2005, 2009, 2013, 2014, 2015, 2016, 2017 +.\" The OpenSSL Project. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -49,13 +52,19 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 5 2017 $ +.Dd $Mdocdate: March 24 2018 $ .Dt SSL_CIPHER_GET_NAME 3 .Os .Sh NAME .Nm SSL_CIPHER_get_name , .Nm SSL_CIPHER_get_bits , .Nm SSL_CIPHER_get_version , +.Nm SSL_CIPHER_get_cipher_nid , +.Nm SSL_CIPHER_get_digest_nid , +.Nm SSL_CIPHER_get_kx_nid , +.Nm SSL_CIPHER_get_auth_nid , +.Nm SSL_CIPHER_is_aead , +.Nm SSL_CIPHER_get_id , .Nm SSL_CIPHER_description .Nd get SSL_CIPHER properties .Sh SYNOPSIS 
@@ -66,18 +75,24 @@ .Fn SSL_CIPHER_get_bits "const SSL_CIPHER *cipher" "int *alg_bits" .Ft char * .Fn SSL_CIPHER_get_version "const SSL_CIPHER *cipher" +.Ft int +.Fn SSL_CIPHER_get_cipher_nid "const SSL_CIPHER *cipher" +.Ft int +.Fn SSL_CIPHER_get_digest_nid "const SSL_CIPHER *cipher" +.Ft int +.Fn SSL_CIPHER_get_kx_nid "const SSL_CIPHER *cipher" +.Ft int +.Fn SSL_CIPHER_get_auth_nid "const SSL_CIPHER *cipher" +.Ft int +.Fn SSL_CIPHER_is_aead "const SSL_CIPHER *cipher" +.Ft unsigned long +.Fn SSL_CIPHER_get_id "const SSL_CIPHER *cipher" .Ft char * .Fn SSL_CIPHER_description "const SSL_CIPHER *cipher" "char *buf" "int size" .Sh DESCRIPTION .Fn SSL_CIPHER_get_name returns a pointer to the name of .Fa cipher . -If the -.Fa cipher -is -.Dv NULL , -it returns -.Qq (NONE) . .Pp .Fn SSL_CIPHER_get_bits returns the number of secret bits used for @@ -86,13 +101,7 @@ If .Fa alg_bits is not .Dv NULL , -it contains the number of bits processed by the -chosen algorithm. -If -.Fa cipher -is -.Dv NULL , -0 is returned. +the number of bits processed by the chosen algorithm is stored into it. .Pp .Fn SSL_CIPHER_get_version returns a string which indicates the SSL/TLS protocol version that first 
@@ -104,19 +113,75 @@ In some cases it should possibly return but the function does not; use .Fn SSL_CIPHER_description instead. -If +.Pp +.Fn SSL_CIPHER_get_cipher_nid +returns the cipher NID corresponding to the +.Fa cipher . +If there is no cipher (e.g. for cipher suites with no encryption), then +.Dv NID_undef +is returned. +.Pp +.Fn SSL_CIPHER_get_digest_nid +returns the digest NID corresponding to the MAC used by the .Fa cipher -is -.Dv NULL , -.Qq (NONE) +during record encryption/decryption. +If there is no digest (e.g. for AEAD cipher suites), then +.Dv NID_undef is returned. .Pp +.Fn SSL_CIPHER_get_kx_nid +returns the key exchange NID corresponding to the method used by the +.Fa cipher . +If there is no key exchange, then +.Dv NID_undef +is returned. +Examples of possible return values include +.Dv NID_kx_rsa , +.Dv NID_kx_dhe , +and +.Dv NID_kx_ecdhe . +.Pp +.Fn SSL_CIPHER_get_auth_nid +returns the authentication NID corresponding to the method used by the +.Fa cipher . +If there is no authentication, +.Dv NID_undef +is returned. +Examples of possible return values include +.Dv NID_auth_rsa +and +.Dv NID_auth_ecdsa . +.Pp +.Fn SSL_CIPHER_is_aead +returns 1 if the +.Fa cipher +is AEAD (e.g. GCM or ChaCha20/Poly1305), or 0 if it is not AEAD. +.Pp +.Fn SSL_CIPHER_get_id +returns the ID of the given +.Fa cipher , +which must not be +.Dv NULL . +The ID here is an OpenSSL-specific concept, which stores a prefix +of 0x0300 in the higher two bytes and the IANA-specified chipher +suite ID in the lower two bytes. +For instance, TLS_RSA_WITH_NULL_MD5 has IANA ID "0x00, 0x01", so +.Fn SSL_CIPHER_get_id +returns 0x03000001. +.Pp .Fn SSL_CIPHER_description -returns a textual description of the cipher used into the buffer -.Fa buf -of length -.Fa len -provided. +copies a textual description of +.Fa cipher +into the buffer +.Fa buf , +which must be at least +.Fa size +bytes long. +The +.Fa cipher +argument must not be a +.Dv NULL +pointer. If .Fa buf is 
@@ -128,13 +193,16 @@ that buffer should be freed using the function. If .Fa len -is too small, or if -.Fa buf -is -.Dv NULL -and the allocation fails, a pointer to the string +is too small to hold the description, a pointer to the static string .Qq Buffer too small is returned. +If memory allocation fails, which can happen even if a +.Fa buf +of sufficient size is provided, a pointer to the static string +.Qq OPENSSL_malloc Error +is returned and the content of +.Fa buf +remains unchanged. .Pp The string returned by .Fn SSL_CIPHER_description @@ -196,6 +264,48 @@ Message digest: .Sy STREEBOG256 , .Sy STREEBOG512 . .El +.Sh RETURN VALUES +.Fn SSL_CIPHER_get_name +returns an internal pointer to a NUL-terminated string. +.Fn SSL_CIPHER_get_version +returns a pointer to a static NUL-terminated string. +If +.Fa cipher +is a +.Dv NULL +pointer, both functions return a pointer to the static string +.Qq Pq NONE . +.Pp +.Fn SSL_CIPHER_get_bits +returns a positive integer representing the number of secret bits +or 0 if +.Fa cipher +is a +.Dv NULL +pointer. +.Pp +.Fn SSL_CIPHER_get_cipher_nid , +.Fn SSL_CIPHER_get_digest_nid , +.Fn SSL_CIPHER_get_kx_nid , +and +.Fn SSL_CIPHER_get_auth_nid +return an NID constant or +.Dv NID_undef +if an error occurred. +.Pp +.Fn SSL_CIPHER_is_aead +returns 1 if the +.Fa cipher +is AEAD or 0 otherwise. +.Pp +.Fn SSL_CIPHER_get_id +returns a 32-bit unsigned integer. +.Pp +.Fn SSL_CIPHER_description +returns +.Fa buf +or a newly allocated string on success or a pointer to a static +string on error. .Sh EXAMPLES An example for the output of .Fn SSL_CIPHER_description : 
@@ -211,15 +321,28 @@ A complete list can be retrieved by invoking the following command: .Xr ssl 3 , .Xr SSL_get_ciphers 3 , .Xr SSL_get_current_cipher 3 -.Sh BUGS -If +.Sh HISTORY +.Fn SSL_CIPHER_get_name , +.Fn SSL_CIPHER_get_bits , +.Fn SSL_CIPHER_get_version , +and .Fn SSL_CIPHER_description -is called with -.Fa cipher -being -.Dv NULL , -the library crashes. +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn SSL_CIPHER_get_id +first appeared in OpenSSL 1.0.1 and has been available since +.Ox 5.3 . .Pp +.Fn SSL_CIPHER_get_cipher_nid , +.Fn SSL_CIPHER_get_digest_nid , +.Fn SSL_CIPHER_get_kx_nid , +.Fn SSL_CIPHER_get_auth_nid , +and +.Fn SSL_CIPHER_is_aead +first appeared in OpenSSL 1.1.0 and have been available since +.Ox 6.3 . +.Sh BUGS If .Fn SSL_CIPHER_description cannot handle a built-in cipher, diff --git a/lib/libssl/man/SSL_COMP_add_compression_method.3 b/lib/libssl/man/SSL_COMP_add_compression_method.3 index dc47f4e1e9..e5421852d2 100644 --- a/lib/libssl/man/SSL_COMP_add_compression_method.3 +++ b/lib/libssl/man/SSL_COMP_add_compression_method.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_COMP_add_compression_method.3,v 1.2 2016/11/29 19:52:17 schwarze Exp $ +.\" $OpenBSD: SSL_COMP_add_compression_method.3,v 1.4 2018/03/23 00:10:28 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: November 29 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt SSL_COMP_ADD_COMPRESSION_METHOD 3 .Os .Sh NAME @@ -46,3 +46,11 @@ always returns 1. .Fn SSL_COMP_get_compression_methods always returns .Dv NULL . +.Sh HISTORY +.Fn SSL_COMP_add_compression_method +first appeared in OpenSSL 0.9.2b and has been available since +.Ox 2.6 . +.Pp +.Fn SSL_COMP_get_compression_methods +first appeared in OpenSSL 0.9.8 and has been available since +.Ox 4.5 . 
diff --git a/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 b/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
index b81382f3f6..1feee4265c 100644
--- a/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
+++ b/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.3 2017/04/10 14:00:51 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.5 2018/03/23 05:50:30 schwarze Exp $
 .\" OpenSSL f0d6ee6be Feb 15 07:41:42 2002 +0000
 .\"
 .\" This file was written by Lutz Jaenicke and
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 10 2017 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt SSL_CTX_ADD_EXTRA_CHAIN_CERT 3
 .Os
 .Sh NAME
@@ -103,6 +103,14 @@ Check out the error stack to find out the reason for failure.
 .Xr SSL_CTX_load_verify_locations 3 ,
 .Xr SSL_CTX_set_client_cert_cb 3 ,
 .Xr SSL_CTX_use_certificate 3
+.Sh HISTORY
+.Fn SSL_CTX_add_extra_chain_cert
+first appeared in SSLeay 0.9.1 and has been available since
+.Ox 2.6 .
+.Pp
+.Fn SSL_CTX_clear_extra_chain_certs
+first appeared in OpenSSL 1.0.1 and has been available since
+.Ox 5.3 .
 .Sh CAVEATS
 Only one set of extra chain certificates can be specified per
 .Vt SSL_CTX
diff --git a/lib/libssl/man/SSL_CTX_add_session.3 b/lib/libssl/man/SSL_CTX_add_session.3
index b99639a815..285c7fbbba 100644
--- a/lib/libssl/man/SSL_CTX_add_session.3
+++ b/lib/libssl/man/SSL_CTX_add_session.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_add_session.3,v 1.3 2017/08/21 07:35:30 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_add_session.3,v 1.4 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL SSL_CTX_add_session.pod 1722496f Jun 8 15:18:38 2017 -0400
 .\"
 .\" This file was written by Lutz Jaenicke and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 21 2017 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CTX_ADD_SESSION 3
 .Os
 .Sh NAME
@@ -124,3 +124,9 @@ The operation succeeded.
 .Xr ssl 3 ,
 .Xr SSL_CTX_set_session_cache_mode 3 ,
 .Xr SSL_SESSION_free 3
+.Sh HISTORY
+.Fn SSL_CTX_add_session
+and
+.Fn SSL_CTX_remove_session
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_CTX_ctrl.3 b/lib/libssl/man/SSL_CTX_ctrl.3
index 901a830920..f5a28a4223 100644
--- a/lib/libssl/man/SSL_CTX_ctrl.3
+++ b/lib/libssl/man/SSL_CTX_ctrl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_ctrl.3,v 1.4 2017/04/10 15:54:46 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_ctrl.3,v 1.6 2018/03/22 16:07:53 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 10 2017 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt SSL_CTX_CTRL 3
 .Os
 .Sh NAME
@@ -108,3 +108,15 @@ parameter.
 .Xr SSL_num_renegotiations 3 ,
 .Xr SSL_session_reused 3 ,
 .Xr SSL_set_max_send_fragment 3
+.Sh HISTORY
+.Fn SSL_CTX_ctrl
+and
+.Fn SSL_ctrl
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
+.Pp
+.Fn SSL_CTX_callback_ctrl
+and
+.Fn SSL_callback_ctrl
+first appeared in OpenSSL 0.9.5 and have been available since
+.Ox 2.7 .
diff --git a/lib/libssl/man/SSL_CTX_flush_sessions.3 b/lib/libssl/man/SSL_CTX_flush_sessions.3
index 8926731aac..b017b9d563 100644
--- a/lib/libssl/man/SSL_CTX_flush_sessions.3
+++ b/lib/libssl/man/SSL_CTX_flush_sessions.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_flush_sessions.3,v 1.3 2017/08/21 07:45:09 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_flush_sessions.3,v 1.4 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL SSL_CTX_flush_sessions.pod 1722496f Jun 8 15:18:38 2017 -0400
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 21 2017 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CTX_FLUSH_SESSIONS 3
 .Os
 .Sh NAME
@@ -94,3 +94,7 @@ is however called to synchronize with the external cache (see
 .Xr SSL_CTX_sess_set_get_cb 3 ,
 .Xr SSL_CTX_set_session_cache_mode 3 ,
 .Xr SSL_CTX_set_timeout 3
+.Sh HISTORY
+.Fn SSL_CTX_flush_sessions
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_CTX_free.3 b/lib/libssl/man/SSL_CTX_free.3
index c823a13a84..dec89699e0 100644
--- a/lib/libssl/man/SSL_CTX_free.3
+++ b/lib/libssl/man/SSL_CTX_free.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_free.3,v 1.2 2016/11/30 13:20:45 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_free.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 30 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CTX_FREE 3
 .Os
 .Sh NAME
@@ -95,3 +95,7 @@ prior to calling
 .Xr ssl 3 ,
 .Xr SSL_CTX_new 3 ,
 .Xr SSL_CTX_sess_set_get_cb 3
+.Sh HISTORY
+.Fn SSL_CTX_free
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_dup.3 b/lib/libssl/man/SSL_CTX_get0_certificate.3
similarity index 50%
copy from lib/libssl/man/SSL_dup.3
copy to lib/libssl/man/SSL_CTX_get0_certificate.3
index 47ec2e3976..d63ad572b1 100644
--- a/lib/libssl/man/SSL_dup.3
+++ b/lib/libssl/man/SSL_CTX_get0_certificate.3
@@ -1,6 +1,6 @@
-.\" $OpenBSD: SSL_dup.3,v 1.1 2016/12/07 17:09:07 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_get0_certificate.3,v 1.2 2018/03/23 14:28:16 schwarze Exp $
 .\"
-.\" Copyright (c) 2016 Ingo Schwarze
+.\" Copyright (c) 2018 Ingo Schwarze
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,46 +14,37 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 7 2016 $
-.Dt SSL_DUP 3
+.Dd $Mdocdate: March 23 2018 $
+.Dt SSL_CTX_GET0_CERTIFICATE 3
 .Os
 .Sh NAME
-.Nm SSL_dup
-.Nd deep copy of an SSL object
+.Nm SSL_CTX_get0_certificate
+.Nd get the active certificate from an SSL context
 .Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft SSL *
-.Fo SSL_dup
-.Fa "SSL *ssl"
+.Ft X509 *
+.Fo SSL_CTX_get0_certificate
+.Fa "const SSL_CTX *ctx"
 .Fc
 .Sh DESCRIPTION
-.Fn SSL_dup
-constructs a new
-.Vt SSL
-object in the same context as
-.Fa ssl
-and copies much of the contained data from
-.Fa ssl
-to the new
-.Vt SSL
-object, but many fields, for example tlsext data, are not copied.
-.Pp
-As an exception from deep copying, if a session is already established,
-the new object shares
-.Fa ssl->cert
-with the original object.
-.Sh RETURN VALUES
-.Fn SSL_dup
-returns the new
-.Vt SSL
-object or
+The
+.Fn SSL_CTX_get0_certificate
+function returns an internal pointer
+to the ASN.1 certificate currently active in
+.Fa ctx
+or
 .Dv NULL
-on failure.
+if none was installed with
+.Xr SSL_CTX_use_certificate 3
+or similar functions.
+.Pp
+The returned pointer must not be freed by the caller.
 .Sh SEE ALSO
-.Xr SSL_clear 3 ,
-.Xr SSL_copy_session_id 3 ,
-.Xr SSL_free 3 ,
-.Xr SSL_new 3
+.Xr SSL_CTX_new 3 ,
+.Xr SSL_CTX_use_certificate 3 ,
+.Xr X509_get_pubkey 3 ,
+.Xr X509_get_subject_name 3 ,
+.Xr X509_new 3
 .Sh HISTORY
-.Fn SSL_dup
-is available in all versions of OpenSSL.
+.Fn SSL_CTX_get0_certificate
+first appeared in OpenSSL 1.0.2 and have been available since
+.Ox 6.3 .
diff --git a/lib/libssl/man/SSL_CTX_get_ex_new_index.3 b/lib/libssl/man/SSL_CTX_get_ex_new_index.3
index cd2c0dc8ec..3dbaf2e981 100644
--- a/lib/libssl/man/SSL_CTX_get_ex_new_index.3
+++ b/lib/libssl/man/SSL_CTX_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_get_ex_new_index.3,v 1.2 2016/12/06 22:41:16 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_get_ex_new_index.3,v 1.3 2018/03/21 08:06:34 schwarze Exp $
 .\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CTX_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -115,3 +115,10 @@ functionality is described in
 .Xr CRYPTO_set_ex_data 3 ,
 .Xr RSA_get_ex_new_index 3 ,
 .Xr ssl 3
+.Sh HISTORY
+.Fn SSL_CTX_get_ex_new_index ,
+.Fn SSL_CTX_set_ex_data ,
+and
+.Fn SSL_CTX_get_ex_data
+first appeared in SSLeay 0.9.0 and have been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_CTX_get_verify_mode.3 b/lib/libssl/man/SSL_CTX_get_verify_mode.3
index 0810b107ca..bcfed50648 100644
--- a/lib/libssl/man/SSL_CTX_get_verify_mode.3
+++ b/lib/libssl/man/SSL_CTX_get_verify_mode.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_get_verify_mode.3,v 1.2 2016/11/30 13:46:26 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_get_verify_mode.3,v 1.4 2018/03/21 17:58:58 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 30 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CTX_GET_VERIFY_MODE 3
 .Os
 .Sh NAME
@@ -115,3 +115,17 @@ pointer is returned and the default callback will be used. .Sh SEE ALSO .Xr ssl 3 , .Xr SSL_CTX_set_verify 3 +.Sh HISTORY +.Fn SSL_CTX_get_verify_mode , +.Fn SSL_get_verify_mode , +.Fn SSL_get_verify_callback , +and +.Fn SSL_CTX_get_verify_callback +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn SSL_CTX_get_verify_depth +and +.Fn SSL_get_verify_depth +first appeared in OpenSSL 0.9.3 and have been available since +.Ox 2.6 . diff --git a/lib/libssl/man/SSL_CTX_load_verify_locations.3 b/lib/libssl/man/SSL_CTX_load_verify_locations.3 index 5433a8d420..ab0374ecfc 100644 --- a/lib/libssl/man/SSL_CTX_load_verify_locations.3 +++ b/lib/libssl/man/SSL_CTX_load_verify_locations.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_CTX_load_verify_locations.3,v 1.2 2016/11/30 14:16:38 schwarze Exp $ +.\" $OpenBSD: SSL_CTX_load_verify_locations.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $ .\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400 .\" .\" This file was written by Lutz Jaenicke . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 30 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_CTX_LOAD_VERIFY_LOCATIONS 3 .Os .Sh NAME @@ -221,6 +221,12 @@ $ for c in *.pem; do .Xr SSL_CTX_set_client_CA_list 3 , .Xr SSL_CTX_use_certificate 3 , .Xr SSL_get_client_CA_list 3 +.Sh HISTORY +.Fn SSL_CTX_load_verify_locations +and +.Fn SSL_CTX_set_default_verify_paths +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . .Sh CAVEATS If several CA certificates matching the name, key identifier, and serial number condition are available, only the first one will be examined. diff --git a/lib/libssl/man/SSL_CTX_new.3 b/lib/libssl/man/SSL_CTX_new.3 index 0c846ceade..78b64f0631 100644 --- a/lib/libssl/man/SSL_CTX_new.3 +++ b/lib/libssl/man/SSL_CTX_new.3 
@@ -1,5 +1,6 @@ -.\" $OpenBSD: SSL_CTX_new.3,v 1.3 2017/08/19 23:45:10 schwarze Exp $ -.\" OpenSSL 21cd6e00 Aug 17 15:21:33 2015 -0400 +.\" $OpenBSD: SSL_CTX_new.3,v 1.9 2018/03/24 00:55:37 schwarze Exp $ +.\" full merge up to: OpenSSL 21cd6e00 Oct 21 14:40:15 2015 +0100 +.\" selective merge up to: OpenSSL eb43101f Dec 9 18:07:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . .\" Copyright (c) 2000, 2005, 2012, 2013, 2015, 2016 The OpenSSL Project. @@ -49,11 +50,12 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 19 2017 $ +.Dd $Mdocdate: March 24 2018 $ .Dt SSL_CTX_NEW 3 .Os .Sh NAME .Nm SSL_CTX_new , +.Nm SSL_CTX_up_ref , .Nm TLS_method , .Nm TLS_server_method , .Nm TLS_client_method , @@ -77,6 +79,8 @@ .In openssl/ssl.h .Ft SSL_CTX * .Fn SSL_CTX_new "const SSL_METHOD *method" +.Ft int +.Fn SSL_CTX_up_ref "SSL_CTX *ctx" .Ft const SSL_METHOD * .Fn TLS_method void .Ft const SSL_METHOD * @@ -122,6 +126,23 @@ It initializes the list of ciphers, the session cache setting, the callbacks, the keys and certificates, and the options to its default values. .Pp +An +.Vt SSL_CTX +object is reference counted. +Creating a new +.Vt SSL_CTX +object sets its reference count to 1. +Calling +.Fn SSL_CTX_up_ref +on it increments the reference count by 1. +Calling +.Xr SSL_CTX_free 3 +on it decrements the reference count by 1. +When the reference count drops to zero, +any memory or resources allocated to the +.Vt SSL_CTX +object are freed. +.Pp The .Vt SSL_CTX object uses 
@@ -202,18 +223,14 @@ In clients, when a protocol version is disabled without disabling all previous protocol versions, the effect is to also disable all subsequent protocol versions. .Sh RETURN VALUES -The following return values can occur: -.Bl -tag -width Ds -.It Dv NULL -The creation of a new -.Vt SSL_CTX -object failed. -Check the error stack to find out the reason. -.It Pointer to an SSL_CTX object -The return value points to an allocated -.Vt SSL_CTX -object. -.El +.Fn SSL_CTX_new +returns a pointer to the newly allocated object or +.Dv NULL +on failure. +Check the error stack to find out the reason for failure. +.Pp +.Fn SSL_CTX_up_ref +returns 1 for success or 0 for failure. .Sh SEE ALSO .Xr ssl 3 , .Xr SSL_accept 3 , @@ -221,3 +238,45 @@ object. .Xr SSL_CTX_set_min_proto_version 3 , .Xr SSL_CTX_set_options 3 , .Xr SSL_set_connect_state 3 +.Sh HISTORY +.Fn SSL_CTX_new , +.Fn SSLv23_method , +.Fn SSLv23_server_method , +and +.Fn SSLv23_client_method +appeared before SSLeay 0.8. +.Fn TLSv1_method , +.Fn TLSv1_server_method , +and +.Fn TLSv1_client_method +first appeared in SSLeay 0.9.0. +All these functions have been available since +.Ox 2.4 . +.Pp +.Fn DTLSv1_method , +.Fn DTLSv1_server_method , +and +.Fn DTLSv1_client_method +first appeared in OpenSSL 0.9.8 and have been available since +.Ox 4.5 . +.Pp +.Fn TLSv1_1_method , +.Fn TLSv1_1_server_method , +.Fn TLSv1_1_client_method , +.Fn TLSv1_2_method , +.Fn TLSv1_2_server_method , +and +.Fn TLSv1_2_client_method +first appeared in OpenSSL 1.0.1 and have been available since +.Ox 5.3 . +.Pp +.Fn TLS_method , +.Fn TLS_server_method , +and +.Fn TLS_client_method +first appeared in OpenSSL 1.1.0 and have been available since +.Ox 5.8 . +.Pp +.Fn SSL_CTX_up_ref +first appeared in OpenSSL 1.1.0 and has been available since +.Ox 6.3 . diff --git a/lib/libssl/man/SSL_CTX_sess_number.3 b/lib/libssl/man/SSL_CTX_sess_number.3 index c40cdbc67e..d4b5f8fa2c 100644 --- a/lib/libssl/man/SSL_CTX_sess_number.3 
+++ b/lib/libssl/man/SSL_CTX_sess_number.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_sess_number.3,v 1.4 2017/04/10 14:00:51 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_sess_number.3,v 1.7 2018/03/24 00:55:37 schwarze Exp $
 .\" OpenSSL SSL_CTX_sess_number.pod 7bd27895 Mar 29 11:45:29 2017 +1000
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 10 2017 $
+.Dd $Mdocdate: March 24 2018 $
 .Dt SSL_CTX_SESS_NUMBER 3
 .Os
 .Sh NAME
@@ -145,3 +145,22 @@ cache size was exceeded.
 .Xr SSL_CTX_sess_set_cache_size 3 ,
 .Xr SSL_CTX_set_session_cache_mode 3 ,
 .Xr SSL_set_session 3
+.Sh HISTORY
+.Fn SSL_CTX_sess_number ,
+.Fn SSL_CTX_sess_connect ,
+.Fn SSL_CTX_sess_connect_good ,
+.Fn SSL_CTX_sess_accept ,
+.Fn SSL_CTX_sess_accept_good ,
+.Fn SSL_CTX_sess_hits ,
+.Fn SSL_CTX_sess_cb_hits ,
+.Fn SSL_CTX_sess_misses ,
+and
+.Fn SSL_CTX_sess_timeouts
+appeared before SSLeay 0.8.
+.Fn SSL_CTX_sess_connect_renegotiate ,
+.Fn SSL_CTX_sess_accept_renegotiate ,
+and
+.Fn SSL_CTX_sess_cache_full
+first appeared in SSLeay 0.9.0.
+All these functions have been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 b/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
index 0533a5472a..0b9e69a674 100644
--- a/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
+++ b/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_sess_set_cache_size.3,v 1.3 2017/04/10 14:00:51 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_sess_set_cache_size.3,v 1.4 2018/03/21 08:06:34 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 10 2017 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CTX_SESS_SET_CACHE_SIZE 3
 .Os
 .Sh NAME
@@ -100,3 +100,9 @@ returns the currently valid size.
 .Xr SSL_CTX_flush_sessions 3 ,
 .Xr SSL_CTX_sess_number 3 ,
 .Xr SSL_CTX_set_session_cache_mode 3
+.Sh HISTORY
+.Fn SSL_CTX_sess_set_cache_size
+and
+.Fn SSL_CTX_sess_get_cache_size
+first appeared in SSLeay 0.9.0 and have been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 b/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
index 5448c97ed8..e54b49bbcd 100644
--- a/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
+++ b/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_sess_set_get_cb.3,v 1.2 2016/11/30 16:25:29 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_sess_set_get_cb.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 30 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CTX_SESS_SET_GET_CB 3
 .Os
 .Sh NAME
@@ -205,3 +205,6 @@ not be explicitly freed with
 .Xr SSL_CTX_free 3 ,
 .Xr SSL_CTX_set_session_cache_mode 3 ,
 .Xr SSL_SESSION_free 3
+.Sh HISTORY
+These functions appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_CTX_sessions.3 b/lib/libssl/man/SSL_CTX_sessions.3
index 835808ef7c..3d5db2e68a 100644
--- a/lib/libssl/man/SSL_CTX_sessions.3
+++ b/lib/libssl/man/SSL_CTX_sessions.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_sessions.3,v 1.2 2016/11/30 16:25:29 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_sessions.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 30 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CTX_SESSIONS 3
 .Os
 .Sh NAME
@@ -80,3 +80,7 @@ family of functions.
 .Xr ssl 3 ,
 .Xr SSL_CTX_add_session 3 ,
 .Xr SSL_CTX_set_session_cache_mode 3
+.Sh HISTORY
+.Fn SSL_CTX_sessions
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 b/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
index 2c0905123b..540fd011f5 100644
--- a/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
+++ b/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.5 2017/08/28 17:36:58 jsing Exp $
+.\" $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.7 2018/03/23 14:28:16 schwarze Exp $
 .\" OpenSSL 87b81496 Apr 19 12:38:27 2017 -0400
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 28 2017 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt SSL_CTX_SET_ALPN_SELECT_CB 3
 .Os
 .Sh NAME
@@ -259,3 +259,15 @@ ALPN protocol not selected.
 .Xr ssl 3 ,
 .Xr SSL_CTX_set_tlsext_servername_arg 3 ,
 .Xr SSL_CTX_set_tlsext_servername_callback 3
+.Sh HISTORY
+.Fn SSL_select_next_proto
+first appeared in OpenSSL 1.0.1 and has been available since
+.Ox 5.3 .
+.Pp
+.Fn SSL_CTX_set_alpn_protos ,
+.Fn SSL_set_alpn_protos ,
+.Fn SSL_CTX_set_alpn_select_cb ,
+and
+.Fn SSL_get0_alpn_selected
+first appeared in OpenSSL 1.0.2 and have been available since
+.Ox 5.7 .
diff --git a/lib/libssl/man/SSL_CTX_set_cert_store.3 b/lib/libssl/man/SSL_CTX_set_cert_store.3
index 4fd6fa7714..28a4df1d79 100644
--- a/lib/libssl/man/SSL_CTX_set_cert_store.3
+++ b/lib/libssl/man/SSL_CTX_set_cert_store.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_cert_store.3,v 1.4 2017/04/10 16:11:50 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_cert_store.3,v 1.6 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 10 2017 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CTX_SET_CERT_STORE 3
 .Os
 .Sh NAME
@@ -120,4 +120,11 @@ returns the current setting.
 .Sh SEE ALSO
 .Xr ssl 3 ,
 .Xr SSL_CTX_load_verify_locations 3 ,
-.Xr SSL_CTX_set_verify 3
+.Xr SSL_CTX_set_verify 3 ,
+.Xr X509_STORE_new 3
+.Sh HISTORY
+.Fn SSL_CTX_set_cert_store
+and
+.Fn SSL_CTX_get_cert_store
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 b/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
index f782807a1d..1f2188a6f2 100644
--- a/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
+++ b/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_cert_verify_callback.3,v 1.2 2016/11/30 17:23:53 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_cert_verify_callback.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 30 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CTX_SET_CERT_VERIFY_CALLBACK 3
 .Os
 .Sh NAME
@@ -127,6 +127,10 @@ function set using
 .Xr SSL_CTX_set_verify 3 ,
 .Xr SSL_get_verify_result 3
 .Sh HISTORY
+.Fn SSL_CTX_set_cert_verify_callback
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
+.Pp
 Previous to OpenSSL 0.9.7, the
 .Fa arg
 argument to
diff --git a/lib/libssl/man/SSL_CTX_set_cipher_list.3 b/lib/libssl/man/SSL_CTX_set_cipher_list.3
index 0f24cc1c60..75895ae2a8 100644
--- a/lib/libssl/man/SSL_CTX_set_cipher_list.3
+++ b/lib/libssl/man/SSL_CTX_set_cipher_list.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.4 2017/08/19 23:47:33 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.5 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 19 2017 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CTX_SET_CIPHER_LIST 3
 .Os
 .Sh NAME
@@ -122,3 +122,9 @@ return 1 if any cipher could be selected and 0 on complete failure.
 .Xr SSL_CTX_set_tmp_dh_callback 3 ,
 .Xr SSL_CTX_use_certificate 3 ,
 .Xr SSL_get_ciphers 3
+.Sh HISTORY
+.Fn SSL_CTX_set_cipher_list
+and
+.Fn SSL_set_cipher_list
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_CTX_set_client_CA_list.3 b/lib/libssl/man/SSL_CTX_set_client_CA_list.3
index 73924b0809..7f40e15b0d 100644
--- a/lib/libssl/man/SSL_CTX_set_client_CA_list.3
+++ b/lib/libssl/man/SSL_CTX_set_client_CA_list.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_client_CA_list.3,v 1.3 2016/12/14 16:20:28 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_client_CA_list.3,v 1.4 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 14 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CTX_SET_CLIENT_CA_LIST 3
 .Os
 .Sh NAME
@@ -178,3 +178,11 @@ SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
 .Xr SSL_get_client_CA_list 3 ,
 .Xr SSL_load_client_CA_file 3 ,
 .Xr X509_NAME_new 3
+.Sh HISTORY
+.Fn SSL_CTX_set_client_CA_list ,
+.Fn SSL_set_client_CA_list ,
+.Fn SSL_CTX_add_client_CA ,
+and
+.Fn SSL_add_client_CA
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 b/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
index 28002c1e5c..f1f76af8c9 100644
--- a/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
+++ b/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_client_cert_cb.3,v 1.2 2016/11/30 17:26:09 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_client_cert_cb.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 30 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CTX_SET_CLIENT_CERT_CB 3
 .Os
 .Sh NAME
@@ -146,6 +146,12 @@ certificate.
 .Xr SSL_CTX_use_certificate 3 ,
 .Xr SSL_free 3 ,
 .Xr SSL_get_client_CA_list 3
+.Sh HISTORY
+.Fn SSL_CTX_set_client_cert_cb
+and
+.Fn SSL_CTX_get_client_cert_cb
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
 .Sh BUGS
 The
 .Fa client_cert_cb()
diff --git a/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 b/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
index 0bc35106f2..ff0773adb0 100644
--- a/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
+++ b/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_default_passwd_cb.3,v 1.3 2017/08/01 14:57:03 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_default_passwd_cb.3,v 1.5 2018/03/21 21:20:26 schwarze Exp $
 .\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 1 2017 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CTX_SET_DEFAULT_PASSWD_CB 3
 .Os
 .Sh NAME
@@ -133,3 +133,11 @@ int pem_passwd_cb(char *buf, int size, int rwflag, void *password)
 .Sh SEE ALSO
 .Xr ssl 3 ,
 .Xr SSL_CTX_use_certificate 3
+.Sh HISTORY
+.Fn SSL_CTX_set_default_passwd_cb
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
+.Pp
+.Fn SSL_CTX_set_default_passwd_cb_userdata
+first appeared in OpenSSL 0.9.4 and has been available since
+.Ox 2.6 .
diff --git a/lib/libssl/man/SSL_CTX_set_generate_session_id.3 b/lib/libssl/man/SSL_CTX_set_generate_session_id.3
index be487ec841..d85383d776 100644
--- a/lib/libssl/man/SSL_CTX_set_generate_session_id.3
+++ b/lib/libssl/man/SSL_CTX_set_generate_session_id.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_generate_session_id.3,v 1.4 2017/08/01 14:57:03 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_generate_session_id.3,v 1.5 2018/03/22 21:09:18 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 1 2017 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt SSL_CTX_SET_GENERATE_SESSION_ID 3
 .Os
 .Sh NAME
@@ -217,4 +217,5 @@ generate_session_id(const SSL *ssl, unsigned char *id,
 .Fn SSL_set_generate_session_id
 and
 .Fn SSL_has_matching_session_id
-were introduced in OpenSSL 0.9.7.
+first appeared in OpenSSL 0.9.7 and have been available since
+.Ox 3.2 .
diff --git a/lib/libssl/man/SSL_CTX_set_info_callback.3 b/lib/libssl/man/SSL_CTX_set_info_callback.3
index 2c38586078..1bb248135f 100644
--- a/lib/libssl/man/SSL_CTX_set_info_callback.3
+++ b/lib/libssl/man/SSL_CTX_set_info_callback.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_info_callback.3,v 1.2 2016/11/30 18:29:14 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_info_callback.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 30 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CTX_SET_INFO_CALLBACK 3
 .Os
 .Sh NAME
@@ -227,3 +227,6 @@ apps_ssl_info_callback(SSL *s, int where, int ret)
 .Xr ssl 3 ,
 .Xr SSL_alert_type_string 3 ,
 .Xr SSL_state_string 3
+.Sh HISTORY
+These functions appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_CTX_set_max_cert_list.3 b/lib/libssl/man/SSL_CTX_set_max_cert_list.3
index 51805c6bdc..7714e1d10e 100644
--- a/lib/libssl/man/SSL_CTX_set_max_cert_list.3
+++ b/lib/libssl/man/SSL_CTX_set_max_cert_list.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_max_cert_list.3,v 1.3 2017/04/10 14:00:51 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_max_cert_list.3,v 1.4 2018/03/22 21:09:18 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 10 2017 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt SSL_CTX_SET_MAX_CERT_LIST 3
 .Os
 .Sh NAME
@@ -148,5 +148,6 @@ return the currently set value.
 .Xr SSL_CTX_set_verify 3 ,
 .Xr SSL_new 3
 .Sh HISTORY
-.Fn SSL*_set/get_max_cert_list
-were introduced in OpenSSL 0.9.7.
+These functions first appeared in OpenSSL 0.9.7
+and have been available since
+.Ox 3.2 .
diff --git a/lib/libssl/man/SSL_CTX_set_min_proto_version.3 b/lib/libssl/man/SSL_CTX_set_min_proto_version.3
index ff057cadac..b1b313ffaf 100644
--- a/lib/libssl/man/SSL_CTX_set_min_proto_version.3
+++ b/lib/libssl/man/SSL_CTX_set_min_proto_version.3
@@ -1,8 +1,9 @@
-.\" $OpenBSD: SSL_CTX_set_min_proto_version.3,v 1.1 2017/08/19 23:45:10 schwarze Exp $
-.\" OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
+.\" $OpenBSD: SSL_CTX_set_min_proto_version.3,v 1.3 2018/03/24 00:55:37 schwarze Exp $
+.\" full merge up to: OpenSSL 3edabd3c Sep 14 09:28:39 2017 +0200
 .\"
-.\" This file was written by Kurt Roeckx .
-.\" Copyright (c) 2015 The OpenSSL Project. All rights reserved.
+.\" This file was written by Kurt Roeckx and
+.\" Christian Heimes .
+.\" Copyright (c) 2015, 2017 The OpenSSL Project. All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -48,15 +49,19 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 19 2017 $
+.Dd $Mdocdate: March 24 2018 $
 .Dt SSL_CTX_SET_MIN_PROTO_VERSION 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_set_min_proto_version ,
 .Nm SSL_CTX_set_max_proto_version ,
+.Nm SSL_CTX_get_min_proto_version ,
+.Nm SSL_CTX_get_max_proto_version ,
 .Nm SSL_set_min_proto_version ,
-.Nm SSL_set_max_proto_version
-.Nd set minimum and maximum supported protocol version
+.Nm SSL_set_max_proto_version ,
+.Nm SSL_get_min_proto_version ,
+.Nm SSL_get_max_proto_version
+.Nd get and set minimum and maximum supported protocol version
 .Sh SYNOPSIS
 .In openssl/ssl.h
 .Ft int
@@ -70,6 +75,14 @@
 .Fa "uint16_t version"
 .Fc
 .Ft int
+.Fo SSL_CTX_get_min_proto_version
+.Fa "SSL_CTX *ctx"
+.Fc
+.Ft int
+.Fo SSL_CTX_get_max_proto_version
+.Fa "SSL_CTX *ctx"
+.Fc
+.Ft int
 .Fo SSL_set_min_proto_version
 .Fa "SSL *ssl"
 .Fa "uint16_t version"
@@ -79,8 +92,16 @@
 .Fa "SSL *ssl"
 .Fa "uint16_t version"
 .Fc
+.Ft int
+.Fo SSL_get_min_proto_version
+.Fa "SSL *ssl"
+.Fc
+.Ft int
+.Fo SSL_get_max_proto_version
+.Fa "SSL *ssl"
+.Fc
 .Sh DESCRIPTION
-These functions set the minimum and maximum supported protocol
+These functions get or set the minimum and maximum supported protocol
 versions for
 .Fa ctx
 or
@@ -102,13 +123,32 @@ and
 for TLS and
 .Sy DTLS1_VERSION
 for DTLS.
+.Pp
+In other implementations, these functions may be implemented as macros.
 .Sh RETURN VALUES
-These functions return 1 on success or 0 on failure.
+The setter functions return 1 on success or 0 on failure.
+.Pp
+The getter functions return the configured version or 0 if
+.Fa ctx
+or
+.Fa ssl
+has been configured to automatically use the lowest or highest
+version supported by the library.
 .Sh SEE ALSO
 .Xr ssl 3 ,
 .Xr SSL_CTX_new 3 ,
 .Xr SSL_CTX_set_options 3
 .Sh HISTORY
-These functions first appeared in OpenSSL 1.1.0
-and have been available since
+The setter functions first appeared in BoringSSL in December 2014,
+with shorter names without the
+.Sy proto_
+part.
+Two years later, OpenSSL included them in their 1.1.0 release,
+gratuitiously changing the names; Google shrugged and adopted
+the longer names one month later.
+They have been available since
 .Ox 6.2 .
+.Pp
+The getter functions first appeared in OpenSSL 1.1.0g
+and have been available since
+.Ox 6.3 .
diff --git a/lib/libssl/man/SSL_CTX_set_mode.3 b/lib/libssl/man/SSL_CTX_set_mode.3
index 25a1117538..2d9e57f2da 100644
--- a/lib/libssl/man/SSL_CTX_set_mode.3
+++ b/lib/libssl/man/SSL_CTX_set_mode.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_mode.3,v 1.3 2017/04/10 14:00:51 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_mode.3,v 1.4 2018/03/21 21:20:26 schwarze Exp $
 .\" OpenSSL 8671b898 Jun 3 02:48:34 2008 +0000
 .\"
 .\" This file was written by Lutz Jaenicke and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 10 2017 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CTX_SET_MODE 3
 .Os
 .Sh NAME
@@ -165,5 +165,13 @@ return the current bitmask.
 .Xr SSL_read 3 ,
 .Xr SSL_write 3
 .Sh HISTORY
+.Fn SSL_CTX_set_mode ,
+.Fn SSL_set_mode ,
+.Fn SSL_CTX_get_mode ,
+and
+.Fn SSL_get_mode
+first appeared in OpenSSL 0.9.4 and have been available since
+.Ox 2.6 .
+.Pp
 .Dv SSL_MODE_AUTO_RETRY
 was added in OpenSSL 0.9.6.
diff --git a/lib/libssl/man/SSL_CTX_set_msg_callback.3 b/lib/libssl/man/SSL_CTX_set_msg_callback.3
index 65d81fe464..a8af1a3454 100644
--- a/lib/libssl/man/SSL_CTX_set_msg_callback.3
+++ b/lib/libssl/man/SSL_CTX_set_msg_callback.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_msg_callback.3,v 1.3 2017/08/21 09:07:08 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_msg_callback.3,v 1.4 2018/03/22 21:09:18 schwarze Exp $
 .\" OpenSSL SSL_CTX_set_msg_callback.pod e9b77246 Jan 20 19:58:49 2017 +0100
 .\" OpenSSL SSL_CTX_set_msg_callback.pod b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 21 2017 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt SSL_CTX_SET_MSG_CALLBACK 3
 .Os
 .Sh NAME
@@ -178,4 +178,5 @@ will be
 .Fn SSL_set_msg_callback
 and
 .Fn SSL_set_msg_callback_arg
-were added in OpenSSL 0.9.7.
+first appeared in OpenSSL 0.9.7 and have been available since
+.Ox 3.2 .
diff --git a/lib/libssl/man/SSL_CTX_set_options.3 b/lib/libssl/man/SSL_CTX_set_options.3
index 98c1a6d365..090a767874 100644
--- a/lib/libssl/man/SSL_CTX_set_options.3
+++ b/lib/libssl/man/SSL_CTX_set_options.3
@@ -1,5 +1,6 @@ -.\" $OpenBSD: SSL_CTX_set_options.3,v 1.4 2017/08/19 23:45:10 schwarze Exp $ -.\" OpenSSL 361a1191 Dec 6 17:56:41 2015 +0100 +.\" $OpenBSD: SSL_CTX_set_options.3,v 1.11 2018/03/24 00:55:37 schwarze Exp $ +.\" full merge up to: OpenSSL 7946ab33 Dec 6 17:56:41 2015 +0100 +.\" selective merge up to: OpenSSL edb79c3a Mar 29 10:07:14 2017 +1000 .\" .\" This file was written by Lutz Jaenicke , .\" Bodo Moeller , and @@ -51,7 +52,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 19 2017 $ +.Dd $Mdocdate: March 24 2018 $ .Dt SSL_CTX_SET_OPTIONS 3 .Os .Sh NAME @@ -154,12 +155,9 @@ Disables a countermeasure against a TLS 1.0 protocol vulnerability affecting CBC ciphers, which cannot be handled by some broken SSL implementations. This option has no effect for connections using other ciphers. -.It Dv SSL_OP_TLSEXT_PADDING -Adds a padding extension to ensure the ClientHello size is never between 256 -and 511 bytes in length. -This is needed as a workaround for some implementations. .It Dv SSL_OP_ALL -All of the above bug workarounds. +This is currently an alias for +.Dv SSL_OP_LEGACY_SERVER_CONNECT . .El .Pp It is usually safe to use 
@@ -171,22 +169,34 @@ The following .Em modifying options are available: .Bl -tag -width Ds -.It Dv SSL_OP_TLS_ROLLBACK_BUG -Disable version rollback attack detection. -.Pp -During the client key exchange, the client must send the same information -about acceptable SSL/TLS protocol levels as during the first hello. -Some clients violate this rule by adapting to the server's answer. -(Example: the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, -the server only understands up to SSLv3. -In this case the client must still use the same SSLv3.1=TLSv1 announcement. -Some clients step down to SSLv3 with respect to the server's answer and violate -the version rollback protection.) .It Dv SSL_OP_CIPHER_SERVER_PREFERENCE When choosing a cipher, use the server's preferences instead of the client preferences. When not set, the server will always follow the client's preferences. When set, the server will choose following its own preferences. +.It Dv SSL_OP_COOKIE_EXCHANGE +Turn on Cookie Exchange as described in RFC4347 Section 4.2.1. +Only affects DTLS connections. +.It Dv SSL_OP_LEGACY_SERVER_CONNECT +Allow legacy insecure renegotiation between OpenSSL and unpatched servers +.Em only : +this option is currently set by default. +See the +.Sx SECURE RENEGOTIATION +section for more details. +.It Dv SSL_OP_NO_QUERY_MTU +Do not query the MTU. +Only affects DTLS connections. +.It Dv SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION +When performing renegotiation as a server, always start a new session (i.e., +session resumption requests are only accepted in the initial handshake). +This option is not needed for clients. +.It Dv SSL_OP_NO_TICKET +Normally clients and servers will, where possible, transparently make use of +RFC4507bis tickets for stateless session resumption. +.Pp +If this option is set this functionality is disabled and tickets will not be +used by clients or servers. .It Dv SSL_OP_NO_TLSv1 Do not use the TLSv1.0 protocol. Deprecated; use 
@@ -199,23 +209,17 @@ Do not use the TLSv1.2 protocol.
 Deprecated; use
 .Xr SSL_CTX_set_max_proto_version 3
 instead.
-.It Dv SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
-When performing renegotiation as a server, always start a new session (i.e.,
-session resumption requests are only accepted in the initial handshake).
-This option is not needed for clients.
-.It Dv SSL_OP_NO_TICKET
-Normally clients and servers will, where possible, transparently make use of
-RFC4507bis tickets for stateless session resumption.
+.It Dv SSL_OP_TLS_ROLLBACK_BUG
+Disable version rollback attack detection.
 .Pp
-If this option is set this functionality is disabled and tickets will not be
-used by clients or servers.
-.It Dv SSL_OP_LEGACY_SERVER_CONNECT
-Allow legacy insecure renegotiation between OpenSSL and unpatched servers
-.Em only :
-this option is currently set by default.
-See the
-.Sx SECURE RENEGOTIATION
-section for more details.
+During the client key exchange, the client must send the same information
+about acceptable SSL/TLS protocol levels as during the first hello.
+Some clients violate this rule by adapting to the server's answer.
+(Example: the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1,
+the server only understands up to SSLv3.
+In this case the client must still use the same SSLv3.1=TLSv1 announcement.
+Some clients step down to SSLv3 with respect to the server's answer and violate
+the version rollback protection.)
 .El
 .Pp
 The following options used to be supported at some point in the past
@@ -228,16 +232,19 @@ and no longer have any effect: .Dv SSL_OP_NETSCAPE_CHALLENGE_BUG , .Dv SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG , .Dv SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG , +.Dv SSL_OP_NO_COMPRESSION , .Dv SSL_OP_NO_SSLv2 , .Dv SSL_OP_NO_SSLv3 , .Dv SSL_OP_PKCS1_CHECK_1 , .Dv SSL_OP_PKCS1_CHECK_2 , .Dv SSL_OP_SAFARI_ECDHE_ECDSA_BUG , .Dv SSL_OP_SINGLE_DH_USE , +.Dv SSL_OP_SINGLE_ECDH_USE , .Dv SSL_OP_SSLEAY_080_CLIENT_DH_BUG , .Dv SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG , .Dv SSL_OP_TLS_BLOCK_PADDING_BUG , -.Dv SSL_OP_TLS_D5_BUG . +.Dv SSL_OP_TLS_D5_BUG , +.Dv SSL_OP_TLSEXT_PADDING . .Sh SECURE RENEGOTIATION OpenSSL 0.9.8m and later always attempts to use secure renegotiation as described in RFC5746. @@ -268,9 +275,8 @@ alert is sent. This is because the server code may be unaware of the unpatched nature of the client. .Pp -.Em N.B.: -a bug in OpenSSL clients earlier than 0.9.8m (all of which are unpatched) will -result in the connection hanging if it receives a +Note that a bug in OpenSSL clients earlier than 0.9.8m (all of which +are unpatched) will result in the connection hanging if it receives a .Em no_renegotiation alert. OpenSSL versions 0.9.8m and later will regard a @@ -344,7 +350,21 @@ returns 1 is the peer supports secure renegotiation and 0 if it does not. .Xr SSL_CTX_set_min_proto_version 3 , .Xr SSL_new 3 .Sh HISTORY -.Fn SSL_CTX_clear_options +.Fn SSL_CTX_set_options and -.Fn SSL_clear_options -were first added in OpenSSL 0.9.8m. +.Fn SSL_set_options +first appeared in SSLeay 0.9.0 and have been available since +.Ox 2.4 . +.Pp +.Fn SSL_CTX_get_options +and +.Fn SSL_get_options +first appeared in OpenSSL 0.9.2b and have been available since +.Ox 2.6 . +.Pp +.Fn SSL_CTX_clear_options , +.Fn SSL_clear_options , +and +.Fn SSL_get_secure_renegotiation_support +first appeared in OpenSSL 0.9.8m and have been available since +.Ox 4.9 . 
diff --git a/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 b/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
index 9939c7d4cc..6856d364ce 100644
--- a/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
+++ b/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_quiet_shutdown.3,v 1.2 2016/12/01 16:46:59 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_quiet_shutdown.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 1 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CTX_SET_QUIET_SHUTDOWN 3
 .Os
 .Sh NAME
@@ -160,3 +160,6 @@ return the current setting.
 .Xr SSL_new 3 ,
 .Xr SSL_set_shutdown 3 ,
 .Xr SSL_shutdown 3
+.Sh HISTORY
+These functions appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_CTX_set_read_ahead.3 b/lib/libssl/man/SSL_CTX_set_read_ahead.3
index 4b6f6d7f21..8948d47e49 100644
--- a/lib/libssl/man/SSL_CTX_set_read_ahead.3
+++ b/lib/libssl/man/SSL_CTX_set_read_ahead.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_read_ahead.3,v 1.1 2016/12/01 16:48:36 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_read_ahead.3,v 1.3 2018/03/21 16:12:41 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Matt Caswell .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 1 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CTX_SET_READ_AHEAD 3
 .Os
 .Sh NAME
@@ -125,6 +125,19 @@ except that the return values are undefined for DTLS.
 .Sh SEE ALSO
 .Xr ssl 3 ,
 .Xr SSL_pending 3
+.Sh HISTORY
+.Fn SSL_set_read_ahead
+and
+.Fn SSL_get_read_ahead
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
+.Pp
+.Fn SSL_CTX_set_read_ahead ,
+.Fn SSL_CTX_get_read_ahead ,
+and
+.Fn SSL_CTX_get_default_read_ahead
+first appeared in OpenSSL 0.9.2b and have been available since
+.Ox 2.6 .
 .Sh CAVEATS
 Switching read ahead on can impact the behaviour of the
 .Xr SSL_pending 3
diff --git a/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 b/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
index 4a69b84cad..9e8e8500e8 100644
--- a/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
+++ b/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_session_cache_mode.3,v 1.4 2017/04/10 14:00:51 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_session_cache_mode.3,v 1.5 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL 67adf0a7 Dec 25 19:58:38 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 10 2017 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CTX_SET_SESSION_CACHE_MODE 3
 .Os
 .Sh NAME
@@ -185,6 +185,12 @@ returns the currently set cache mode.
 .Xr SSL_session_reused 3 ,
 .Xr SSL_set_session 3
 .Sh HISTORY
+.Fn SSL_CTX_set_session_cache_mode
+and
+.Fn SSL_CTX_get_session_cache_mode
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
+.Pp
 .Dv SSL_SESS_CACHE_NO_INTERNAL_STORE
 and
 .Dv SSL_SESS_CACHE_NO_INTERNAL
diff --git a/lib/libssl/man/SSL_CTX_set_session_id_context.3 b/lib/libssl/man/SSL_CTX_set_session_id_context.3
index 99fa4ae8e3..bbc0102ad8 100644
--- a/lib/libssl/man/SSL_CTX_set_session_id_context.3
+++ b/lib/libssl/man/SSL_CTX_set_session_id_context.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_session_id_context.3,v 1.3 2017/04/10 15:37:55 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_session_id_context.3,v 1.5 2018/03/21 17:58:58 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 10 2017 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CTX_SET_SESSION_ID_CONTEXT 3
 .Os
 .Sh NAME
@@ -151,3 +151,10 @@ The operation succeeded.
 .Sh SEE ALSO
 .Xr ssl 3 ,
 .Xr SSL_SESSION_set1_id_context 3
+.Sh HISTORY
+.Fn SSL_set_session_id_context
+first appeared in OpenSSL 0.9.2b.
+.Fn SSL_CTX_set_session_id_context
+first appeared in OpenSSL 0.9.3.
+Both functions have been available since
+.Ox 2.6 .
diff --git a/lib/libssl/man/SSL_CTX_set_ssl_version.3 b/lib/libssl/man/SSL_CTX_set_ssl_version.3
index 381343f7f1..6633ccd177 100644
--- a/lib/libssl/man/SSL_CTX_set_ssl_version.3
+++ b/lib/libssl/man/SSL_CTX_set_ssl_version.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_ssl_version.3,v 1.2 2016/12/01 19:50:12 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_ssl_version.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 1 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CTX_SET_SSL_VERSION 3
 .Os
 .Sh NAME
@@ -126,3 +126,10 @@ The operation succeeded.
 .Xr SSL_CTX_new 3 ,
 .Xr SSL_new 3 ,
 .Xr SSL_set_connect_state 3
+.Sh HISTORY
+.Fn SSL_CTX_set_ssl_version ,
+.Fn SSL_set_ssl_method ,
+and
+.Fn SSL_get_ssl_method
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_CTX_set_timeout.3 b/lib/libssl/man/SSL_CTX_set_timeout.3
index 683c400742..3ccd3ebbd9 100644
--- a/lib/libssl/man/SSL_CTX_set_timeout.3
+++ b/lib/libssl/man/SSL_CTX_set_timeout.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_timeout.3,v 1.2 2016/12/01 19:50:12 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_timeout.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 1 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CTX_SET_TIMEOUT 3
 .Os
 .Sh NAME
@@ -110,3 +110,9 @@ returns the currently set timeout value.
 .Xr SSL_CTX_set_session_cache_mode 3 ,
 .Xr SSL_get_default_timeout 3 ,
 .Xr SSL_SESSION_get_time 3
+.Sh HISTORY
+.Fn SSL_CTX_set_timeout
+and
+.Fn SSL_CTX_get_timeout
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3 b/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
index 790954266c..71449bd080 100644
--- a/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
+++ b/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_tlsext_servername_callback.3,v 1.2 2017/08/21 09:41:15 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_tlsext_servername_callback.3,v 1.3 2018/03/23 01:06:56 schwarze Exp $
 .\" OpenSSL 190b9a03 Jun 28 15:46:13 2017 +0800
 .\" OpenSSL 8c55c461 Mar 29 08:34:37 2017 +1000
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 21 2017 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3
 .Os
 .Sh NAME
@@ -146,3 +146,7 @@ returns 1 on success or 0 in case of an error.
 .Sh SEE ALSO
 .Xr SSL_CTX_callback_ctrl 3 ,
 .Xr SSL_CTX_set_alpn_select_cb 3
+.Sh HISTORY
+These functions first appeared in OpenSSL 0.9.8f
+and have been available since
+.Ox 4.5 .
diff --git a/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3 b/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
index b195e16809..b57c28b5a9 100644
--- a/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
+++ b/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
@@ -1,8 +1,9 @@
-.\" $OpenBSD: SSL_CTX_set_tlsext_status_cb.3,v 1.2 2017/04/10 14:00:51 schwarze Exp $
-.\" OpenSSL 43c34894 Nov 30 16:04:51 2015 +0000
+.\" $OpenBSD: SSL_CTX_set_tlsext_status_cb.3,v 1.6 2018/03/24 00:11:37 schwarze Exp $
+.\" full merge up to: OpenSSL 43c34894 Nov 30 16:04:51 2015 +0000
+.\" selective merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Matt Caswell .
-.\" Copyright (c) 2015 The OpenSSL Project. All rights reserved.
+.\" Copyright (c) 2015, 2016 The OpenSSL Project. All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -48,12 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 10 2017 $
+.Dd $Mdocdate: March 24 2018 $
 .Dt SSL_CTX_SET_TLSEXT_STATUS_CB 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_set_tlsext_status_cb ,
+.Nm SSL_CTX_get_tlsext_status_cb ,
 .Nm SSL_CTX_set_tlsext_status_arg ,
+.Nm SSL_CTX_get_tlsext_status_arg ,
 .Nm SSL_set_tlsext_status_type ,
 .Nm SSL_get_tlsext_status_ocsp_resp ,
 .Nm SSL_set_tlsext_status_ocsp_resp
@@ -66,11 +69,21 @@
 .Fa "int (*callback)(SSL *, void *)"
 .Fc
 .Ft long
+.Fo SSL_CTX_get_tlsext_status_cb
+.Fa "SSL_CTX *ctx"
+.Fa "int (*callback)(SSL *, void *)"
+.Fc
+.Ft long
 .Fo SSL_CTX_set_tlsext_status_arg
 .Fa "SSL_CTX *ctx"
 .Fa "void *arg"
 .Fc
 .Ft long
+.Fo SSL_CTX_get_tlsext_status_arg
+.Fa "SSL_CTX *ctx"
+.Fa "void **arg"
+.Fc
+.Ft long
 .Fo SSL_set_tlsext_status_type
 .Fa "SSL *s"
 .Fa "int type"
@@ -112,6 +125,13 @@ Note that the callback will not be called in the event of a handshake where session resumption occurs (because there are no Certificates exchanged in such a handshake). .Pp +The callback previously set via +.Fn SSL_CTX_set_tlsext_status_cb +can be retrieved by calling +.Fn SSL_CTX_get_tlsext_status_cb , +and the argument by calling +.Fn SSL_CTX_get_tlsext_status_arg . +.Pp The response returned by the server can be obtained via a call to .Fn SSL_get_tlsext_status_ocsp_resp . The value @@ -155,14 +175,31 @@ The callback when used on the server side should return with either (meaning that a fatal error has occurred). .Pp .Fn SSL_CTX_set_tlsext_status_cb , +.Fn SSL_CTX_get_tlsext_status_cb , .Fn SSL_CTX_set_tlsext_status_arg , +.Fn SSL_CTX_get_tlsext_status_arg , .Fn SSL_set_tlsext_status_type , and .Fn SSL_set_tlsext_status_ocsp_resp -return 0 on error or 1 on success. +always return 1, indicating success. .Pp .Fn SSL_get_tlsext_status_ocsp_resp -returns the length of the OCSP response data or -1 if there is no OCSP -response data. +returns the length of the OCSP response data +or \-1 if there is no OCSP response data. .Sh SEE ALSO .Xr SSL_CTX_callback_ctrl 3 +.Sh HISTORY +.Fn SSL_CTX_set_tlsext_status_cb , +.Fn SSL_CTX_set_tlsext_status_arg , +.Fn SSL_set_tlsext_status_type , +.Fn SSL_get_tlsext_status_ocsp_resp , +and +.Fn SSL_set_tlsext_status_ocsp_resp +first appeared in OpenSSL 0.9.8h and have been available since +.Ox 4.5 . +.Pp +.Fn SSL_CTX_get_tlsext_status_cb +and +.Fn SSL_CTX_get_tlsext_status_arg +first appeared in OpenSSL 1.1.0 and have been available since +.Ox 6.3 . diff --git a/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 b/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 index 04f4c6872f..80aeaeb44a 100644 --- a/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 +++ b/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_CTX_set_tlsext_ticket_key_cb.3,v 1.3 2017/04/10 14:00:51 schwarze Exp $ +.\" $OpenBSD: SSL_CTX_set_tlsext_ticket_key_cb.3,v 1.4 2018/03/23 01:06:56 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Rich Salz @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 10 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt SSL_CTX_SET_TLSEXT_TICKET_KEY_CB 3 .Os .Sh NAME @@ -293,3 +293,7 @@ static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], .Xr SSL_CTX_set_session_id_context 3 , .Xr SSL_session_reused 3 , .Xr SSL_set_session 3 +.Sh HISTORY +.Fn SSL_CTX_set_tlsext_ticket_key_cb +first appeared in OpenSSL 0.9.8h and has been available since +.Ox 4.5 . diff --git a/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3 b/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3 new file mode 100644 index 0000000000..a901b2515e --- /dev/null +++ b/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3 
@@ -0,0 +1,192 @@
+.\" $OpenBSD: SSL_CTX_set_tlsext_use_srtp.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $
+.\" full merge up to: OpenSSL 3733ce61 Aug 21 08:44:14 2017 +0100
+.\"
+.\" This file was written by Matt Caswell .
+.\" Copyright (c) 2017 The OpenSSL Project. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in
+.\" the documentation and/or other materials provided with the
+.\" distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\" software must display the following acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\" endorse or promote products derived from this software without
+.\" prior written permission. For written permission, please contact
+.\" openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\" nor may "OpenSSL" appear in their names without prior written
+.\" permission of the OpenSSL Project.
+.\"
+.\" 6.
Redistributions of any form whatsoever must retain the following
+.\" acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: March 24 2018 $
+.Dt SSL_CTX_SET_TLSEXT_USE_SRTP 3
+.Os
+.Sh NAME
+.Nm SSL_CTX_set_tlsext_use_srtp ,
+.Nm SSL_set_tlsext_use_srtp ,
+.Nm SSL_get_srtp_profiles ,
+.Nm SSL_get_selected_srtp_profile
+.Nd Configure and query SRTP support
+.Sh SYNOPSIS
+.In openssl/srtp.h
+.Ft int
+.Fo SSL_CTX_set_tlsext_use_srtp
+.Fa "SSL_CTX *ctx"
+.Fa "const char *profiles"
+.Fc
+.Ft int
+.Fo SSL_set_tlsext_use_srtp
+.Fa "SSL *ssl"
+.Fa "const char *profiles"
+.Fc
+.Ft STACK_OF(SRTP_PROTECTION_PROFILE) *
+.Fo SSL_get_srtp_profiles
+.Fa "SSL *ssl"
+.Fc
+.Ft SRTP_PROTECTION_PROFILE *
+.Fo SSL_get_selected_srtp_profile
+.Fa "SSL *ssl"
+.Fc
+.Sh DESCRIPTION
+SRTP is the Secure Real-Time Transport Protocol.
+OpenSSL implements support for the "use_srtp" DTLS extension
+defined in RFC5764.
+This provides a mechanism for establishing SRTP keying material,
+algorithms and parameters using DTLS.
+This capability may be used as part of an implementation that
+conforms to RFC5763.
+OpenSSL does not implement SRTP itself or RFC5763.
+Note that OpenSSL does not support the use of SRTP Master Key
+Identifiers (MKIs).
+Also note that this extension is only supported in DTLS.
+Any SRTP configuration is ignored if a TLS connection is attempted.
+.Pp
+An OpenSSL client wishing to send the "use_srtp" extension should call
+.Fn SSL_CTX_set_tlsext_use_srtp
+to set its use for all
+.Vt SSL
+objects subsequently created from
+.Fa ctx .
+Alternatively a client may call
+.Fn SSL_set_tlsext_use_srtp
+to set its use for an individual
+.Vt SSL
+object.
+The
+.Fa profiles
+parameter should point to a NUL-terminated, colon delimited list of
+SRTP protection profile names.
+.Pp
+The currently supported protection profile names are:
+.Bl -tag -width Ds
+.It Dv SRTP_AES128_CM_SHA1_80
+This corresponds to SRTP_AES128_CM_HMAC_SHA1_80 defined in RFC5764.
+.It Dv SRTP_AES128_CM_SHA1_32
+This corresponds to SRTP_AES128_CM_HMAC_SHA1_32 defined in RFC5764.
+.El
+.Pp
+Supplying an unrecognised protection profile name results in an error.
+.Pp
+An OpenSSL server wishing to support the "use_srtp" extension should
+also call
+.Fn SSL_CTX_set_tlsext_use_srtp
+or
+.Fn SSL_set_tlsext_use_srtp
+to indicate the protection profiles that it is willing to negotiate.
+.Pp
+The currently configured list of protection profiles for either a client
+or a server can be obtained by calling
+.Fn SSL_get_srtp_profiles .
+This returns a stack of
+.Vt SRTP_PROTECTION_PROFILE
+objects.
+The memory pointed to in the return value of this function should not be
+freed by the caller.
+.Pp
+After a handshake has been completed, the negotiated SRTP protection
+profile (if any) can be obtained (on the client or the server) by
+calling
+.Fn SSL_get_selected_srtp_profile .
+This function returns
+.Dv NULL
+if no SRTP protection profile was negotiated.
+The memory returned from this function should not be freed by the +caller. +.Pp +If an SRTP protection profile has been sucessfully negotiated, +then the SRTP keying material (on both the client and server) +should be obtained by calling +.Xr SSL_export_keying_material 3 +with a +.Fa label +of +.Qq EXTRACTOR-dtls_srtp , +a +.Fa context +of +.Dv NULL , +and a +.Fa use_context +argument of 0. +The total length of keying material obtained should be equal to two +times the sum of the master key length and the salt length as defined +for the protection profile in use. +This provides the client write master key, the server write master key, +the client write master salt and the server write master salt in that +order. +.Sh RETURN VALUES +Contrary to OpenSSL conventions, +.Fn SSL_CTX_set_tlsext_use_srtp +and +.Fn SSL_set_tlsext_use_srtp +return 0 on success or 1 on error. +.Pp +.Fn SSL_get_srtp_profiles +returns a stack of +.Vt SRTP_PROTECTION_PROFILE +objects on success or +.Dv NULL +on error or if no protection profiles have been configured. +.Pp +.Fn SSL_get_selected_srtp_profile +returns a pointer to an +.Vt SRTP_PROTECTION_PROFILE +object if one has been negotiated or +.Dv NULL +otherwise. +.Sh SEE ALSO +.Xr SSL_export_keying_material 3 +.Sh HISTORY +These functions first appeared in OpenSSL 1.0.1 +and have been available since +.Ox 5.3 . diff --git a/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 b/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 index 3cfb060a9e..2456dd500d 100644 --- a/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 +++ b/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_CTX_set_tmp_dh_callback.3,v 1.4 2017/08/12 12:31:30 schwarze Exp $ +.\" $OpenBSD: SSL_CTX_set_tmp_dh_callback.3,v 1.6 2018/03/21 16:12:41 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . 
@@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 12 2017 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_CTX_SET_TMP_DH_CALLBACK 3 .Os .Sh NAME @@ -221,3 +221,15 @@ if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) { .Xr SSL_CTX_set_cipher_list 3 , .Xr SSL_CTX_set_options 3 , .Xr SSL_set_tmp_ecdh 3 +.Sh HISTORY +.Fn SSL_CTX_set_tmp_dh_callback +and +.Fn SSL_CTX_set_tmp_dh +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn SSL_set_tmp_dh_callback +and +.Fn SSL_set_tmp_dh +first appeared in OpenSSL 0.9.2b and have been available since +.Ox 2.6 . diff --git a/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 b/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 index 8a3c5fa413..ab32d41d97 100644 --- a/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 +++ b/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_CTX_set_tmp_rsa_callback.3,v 1.4 2017/08/12 12:21:55 schwarze Exp $ +.\" $OpenBSD: SSL_CTX_set_tmp_rsa_callback.3,v 1.7 2018/03/24 00:55:37 schwarze Exp $ .\" OpenSSL 0b30fc90 Dec 19 15:23:05 2013 -0500 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 12 2017 $ +.Dd $Mdocdate: March 24 2018 $ .Dt SSL_CTX_SET_TMP_RSA_CALLBACK 3 .Os .Sh NAME @@ -57,7 +57,7 @@ .Nm SSL_CTX_need_tmp_RSA , .Nm SSL_set_tmp_rsa_callback , .Nm SSL_set_tmp_rsa , -.Nm SSL_need_tmp_rsa +.Nm SSL_need_tmp_RSA .Nd handle RSA keys for ephemeral key exchange .Sh SYNOPSIS .In openssl/ssl.h @@ -78,7 +78,7 @@ .Ft long .Fn SSL_set_tmp_rsa "SSL *ssl" "RSA *rsa" .Ft long -.Fn SSL_need_tmp_rsa "SSL *ssl" +.Fn SSL_need_tmp_RSA "SSL *ssl" .Sh DESCRIPTION Since they mattered only for deliberately insecure RSA authentication mandated by historical U.S. export restrictions, these functions 
@@ -98,3 +98,17 @@ These functions always return 0, indicating failure. .Xr SSL_CTX_set_tmp_dh_callback 3 , .Xr SSL_new 3 , .Xr SSL_set_tmp_ecdh 3 +.Sh HISTORY +.Fn SSL_CTX_set_tmp_rsa_callback , +.Fn SSL_CTX_set_tmp_rsa , +and +.Fn SSL_CTX_need_tmp_RSA +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn SSL_set_tmp_rsa_callback +.Fn SSL_set_tmp_rsa , +and +.Fn SSL_need_tmp_RSA +first appeared in OpenSSL 0.9.2b and have been available since +.Ox 2.6 . diff --git a/lib/libssl/man/SSL_CTX_set_verify.3 b/lib/libssl/man/SSL_CTX_set_verify.3 index 911c26edf2..4c3b5dd749 100644 --- a/lib/libssl/man/SSL_CTX_set_verify.3 +++ b/lib/libssl/man/SSL_CTX_set_verify.3 @@ -1,5 +1,6 @@ -.\" $OpenBSD: SSL_CTX_set_verify.3,v 1.3 2016/12/16 15:39:08 jmc Exp $ -.\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400 +.\" $OpenBSD: SSL_CTX_set_verify.3,v 1.6 2018/03/21 17:58:58 schwarze Exp $ +.\" full merge up to: OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400 +.\" selective merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . .\" Copyright (c) 2000, 2001, 2002, 2003, 2014 The OpenSSL Project. @@ -49,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 16 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_CTX_SET_VERIFY 3 .Os .Sh NAME @@ -116,6 +117,11 @@ is used, that was valid at the time .Fa ssl was created with .Xr SSL_new 3 . +Within the callback function, +.Xr SSL_get_ex_data_X509_STORE_CTX_idx 3 +can be called to get the data index of the current +.Vt SSL +object that is doing the verification. .Pp .Fn SSL_CTX_set_verify_depth sets the maximum 
@@ -438,6 +444,18 @@ if (peer = SSL_get_peer_certificate(ssl)) { .Xr SSL_get_peer_certificate 3 , .Xr SSL_get_verify_result 3 , .Xr SSL_new 3 +.Sh HISTORY +.Fn SSL_CTX_set_verify +and +.Fn SSL_set_verify +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn SSL_CTX_set_verify_depth +and +.Fn SSL_set_verify_depth +first appeared in OpenSSL 0.9.3 and have been available since +.Ox 2.6 . .Sh BUGS In client mode, it is not checked whether the .Dv SSL_VERIFY_PEER diff --git a/lib/libssl/man/SSL_CTX_use_certificate.3 b/lib/libssl/man/SSL_CTX_use_certificate.3 index bc7d03cc19..f51b5d960f 100644 --- a/lib/libssl/man/SSL_CTX_use_certificate.3 +++ b/lib/libssl/man/SSL_CTX_use_certificate.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.5 2017/08/20 23:18:53 schwarze Exp $ +.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.7 2018/03/24 00:55:37 schwarze Exp $ .\" OpenSSL e248596b Apr 8 22:49:57 2005 +0000 .\" .\" This file was written by Lutz Jaenicke . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 20 2017 $ +.Dd $Mdocdate: March 24 2018 $ .Dt SSL_CTX_USE_CERTIFICATE 3 .Os .Sh NAME 
@@ -392,6 +392,34 @@ Otherwise check out the error stack to find out the reason. .Xr SSL_new 3 , .Xr X509_check_private_key 3 .Sh HISTORY +.Fn SSL_CTX_use_certificate , +.Fn SSL_CTX_use_certificate_ASN1 , +.Fn SSL_CTX_use_certificate_file , +.Fn SSL_use_certificate , +.Fn SSL_use_certificate_ASN1 , +.Fn SSL_use_certificate_file , +.Fn SSL_CTX_use_PrivateKey , +.Fn SSL_CTX_use_PrivateKey_ASN1 , +.Fn SSL_CTX_use_PrivateKey_file , +.Fn SSL_CTX_use_RSAPrivateKey , +.Fn SSL_CTX_use_RSAPrivateKey_ASN1 , +.Fn SSL_CTX_use_RSAPrivateKey_file , +.Fn SSL_use_PrivateKey_file , +.Fn SSL_use_PrivateKey_ASN1 , +.Fn SSL_use_PrivateKey , +.Fn SSL_use_RSAPrivateKey , +.Fn SSL_use_RSAPrivateKey_ASN1 , +.Fn SSL_use_RSAPrivateKey_file , +.Fn SSL_CTX_check_private_key , +and +.Fn SSL_check_private_key +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn SSL_CTX_use_certificate_chain_file +first appeared in OpenSSL 0.9.4 and has been available since +.Ox 2.6 . +.Pp Support for DER encoded private keys .Pq Dv SSL_FILETYPE_ASN1 in @@ -399,3 +427,7 @@ in and .Fn SSL_use_PrivateKey_file was added in 0.9.8. +.Pp +.Fn SSL_CTX_use_certificate_chain_mem +first appeared in +.Ox 5.7 . diff --git a/lib/libssl/man/SSL_SESSION_free.3 b/lib/libssl/man/SSL_SESSION_free.3 index 1a37af2775..1a4b8af456 100644 --- a/lib/libssl/man/SSL_SESSION_free.3 +++ b/lib/libssl/man/SSL_SESSION_free.3 
@@ -1,8 +1,10 @@ -.\" $OpenBSD: SSL_SESSION_free.3,v 1.2 2016/12/06 18:53:55 schwarze Exp $ -.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 +.\" $OpenBSD: SSL_SESSION_free.3,v 1.5 2018/03/24 00:55:37 schwarze Exp $ +.\" full merge up to: OpenSSL b31db505 Mar 24 16:01:50 2017 +0000 .\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2000, 2001, 2009 The OpenSSL Project. All rights reserved. +.\" This file was written by Lutz Jaenicke +.\" and Matt Caswell . +.\" Copyright (c) 2000, 2001, 2009, 2017 The OpenSSL Project. +.\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -48,25 +50,31 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 6 2016 $ +.Dd $Mdocdate: March 24 2018 $ .Dt SSL_SESSION_FREE 3 .Os .Sh NAME +.Nm SSL_SESSION_up_ref , .Nm SSL_SESSION_free -.Nd free an allocated SSL_SESSION structure +.Nd SSL_SESSION reference counting .Sh SYNOPSIS .In openssl/ssl.h +.Ft int +.Fn SSL_SESSION_up_ref "SSL_SESSION *session" .Ft void .Fn SSL_SESSION_free "SSL_SESSION *session" .Sh DESCRIPTION -.Fn SSL_SESSION_free -decrements the reference count of +.Fn SSL_SESSION_up_ref +increments the reference count of the given .Fa session -and removes the -.Vt SSL_SESSION -structure pointed to by +by 1. +.Pp +.Fn SSL_SESSION_free +decrements the reference count of the given .Fa session -and frees up the allocated memory, if the reference count has reached 0. +by 1. +If the reference count reaches 0, it frees the memory used by the +.Fa session . If .Fa session is a 
@@ -120,9 +128,20 @@ It must not be called on other .Vt SSL_SESSION objects, as this would cause incorrect reference counts and therefore program failures. +.Sh RETURN VALUES +.Fn SSL_SESSION_up_ref +returns 1 on success or 0 on error. .Sh SEE ALSO .Xr d2i_SSL_SESSION 3 , .Xr SSL_CTX_flush_sessions 3 , .Xr SSL_CTX_set_session_cache_mode 3 , .Xr SSL_get_session 3 , .Xr SSL_SESSION_new 3 +.Sh HISTORY +.Fn SSL_SESSION_free +appeared before SSLeay 0.8 and has been available since +.Ox 2.4 . +.Pp +.Fn SSL_SESSION_up_ref +first appeared in OpenSSL 1.1.0 and has been available since +.Ox 6.3 . diff --git a/lib/libssl/man/SSL_SESSION_get0_peer.3 b/lib/libssl/man/SSL_SESSION_get0_peer.3 index 2c5e6ce7e8..6b1ef6680e 100644 --- a/lib/libssl/man/SSL_SESSION_get0_peer.3 +++ b/lib/libssl/man/SSL_SESSION_get0_peer.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_SESSION_get0_peer.3,v 1.1 2017/04/10 15:37:55 schwarze Exp $ +.\" $OpenBSD: SSL_SESSION_get0_peer.3,v 1.2 2018/03/23 05:50:30 schwarze Exp $ .\" OpenSSL SSL_SESSION_get0_peer.pod b31db505 Mar 24 16:01:50 2017 +0000 .\" .\" This file was written by Matt Caswell @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 10 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt SSL_SESSION_GET0_PEER 3 .Os .Sh NAME @@ -74,3 +74,7 @@ has also been called. .Xr ssl 3 , .Xr SSL_get_session 3 , .Xr SSL_SESSION_new 3 +.Sh HISTORY +.Fn SSL_SESSION_get0_peer +first appeared in OpenSSL 1.0.1 and has been available since +.Ox 5.3 . diff --git a/lib/libssl/man/SSL_SESSION_get_compress_id.3 b/lib/libssl/man/SSL_SESSION_get_compress_id.3 index 0287f371a8..aedc216a15 100644 --- a/lib/libssl/man/SSL_SESSION_get_compress_id.3 +++ b/lib/libssl/man/SSL_SESSION_get_compress_id.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_SESSION_get_compress_id.3,v 1.1 2017/04/10 15:37:55 schwarze Exp $ +.\" $OpenBSD: SSL_SESSION_get_compress_id.3,v 1.3 2018/03/23 05:50:30 schwarze Exp $ .\" OpenSSL SSL_SESSION_get_compress_id.pod b31db505 Mar 24 16:01:50 2017 .\" .\" This file was written by Matt Caswell @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 10 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt SSL_SESSION_GET_COMPRESS_ID 3 .Os .Sh NAME @@ -69,4 +69,10 @@ which has an id of 1. .Sh SEE ALSO .Xr ssl 3 , .Xr SSL_get_session 3 , +.Xr SSL_SESSION_get_id 3 , +.Xr SSL_SESSION_get_protocol_version 3 , .Xr SSL_SESSION_new 3 +.Sh HISTORY +.Fn SSL_SESSION_get_compress_id +first appeared in OpenSSL 1.0.1 and has been available since +.Ox 5.3 . diff --git a/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 b/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 index 51cfc50568..9fd6949b6a 100644 --- a/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 +++ b/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_SESSION_get_ex_new_index.3,v 1.2 2016/12/06 22:41:16 schwarze Exp $ +.\" $OpenBSD: SSL_SESSION_get_ex_new_index.3,v 1.3 2018/03/21 08:06:34 schwarze Exp $ .\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 6 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_SESSION_GET_EX_NEW_INDEX 3 .Os .Sh NAME @@ -125,3 +125,10 @@ and can therefore not be restored. .Xr CRYPTO_set_ex_data 3 , .Xr RSA_get_ex_new_index 3 , .Xr ssl 3 +.Sh HISTORY +.Fn SSL_SESSION_get_ex_new_index , +.Fn SSL_SESSION_set_ex_data , +and +.Fn SSL_SESSION_get_ex_data +first appeared in SSLeay 0.9.0 and have been available since +.Ox 2.4 . 
diff --git a/lib/libssl/man/SSL_SESSION_get_id.3 b/lib/libssl/man/SSL_SESSION_get_id.3 index 05b1fe53d9..6d0de1e52e 100644 --- a/lib/libssl/man/SSL_SESSION_get_id.3 +++ b/lib/libssl/man/SSL_SESSION_get_id.3 @@ -1,8 +1,10 @@ -.\" $OpenBSD: SSL_SESSION_get_id.3,v 1.1 2017/04/10 15:37:55 schwarze Exp $ -.\" OpenSSL SSL_SESSION_set1_id.pod b31db505 Mar 24 16:01:50 2017 +0000 +.\" $OpenBSD: SSL_SESSION_get_id.3,v 1.6 2018/03/24 00:55:37 schwarze Exp $ +.\" full merge up to: +.\" OpenSSL SSL_SESSION_set1_id 17b60280 Dec 21 09:08:25 2017 +0100 .\" -.\" This file was written by Matt Caswell -.\" Copyright (c) 2017 The OpenSSL Project. All rights reserved. +.\" This file was written by Remi Gacogne +.\" and Matt Caswell . +.\" Copyright (c) 2016, 2017 The OpenSSL Project. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -48,12 +50,13 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 10 2017 $ +.Dd $Mdocdate: March 24 2018 $ .Dt SSL_SESSION_GET_ID 3 .Os .Sh NAME -.Nm SSL_SESSION_get_id -.Nd get the SSL session ID +.Nm SSL_SESSION_get_id , +.Nm SSL_SESSION_set1_id +.Nd get and set the SSL session ID .Sh SYNOPSIS .In openssl/ssl.h .Ft const unsigned char * 
@@ -61,16 +64,49 @@ .Fa "const SSL_SESSION *s" .Fa "unsigned int *len" .Fc +.Ft int +.Fo SSL_SESSION_set1_id +.Fa "SSL_SESSION *s" +.Fa "const unsigned char *sid" +.Fa "unsigned int sid_len" +.Fc .Sh DESCRIPTION .Fn SSL_SESSION_get_id -returns a pointer to the internal session id value for the session +returns a pointer to the internal session ID value for the session .Fa s . -The length of the id in bytes is stored in +The length of the ID in bytes is stored in .Pf * Fa len . The length may be 0. The caller should not free the returned pointer directly. +.Pp +.Fn SSL_SESSION_set1_id +sets the session ID for +.Fa s +to a copy of the +.Fa sid +of length +.Fa sid_len . +.Sh RETURN VALUES +.Fn SSL_SESSION_get_id +returns a pointer to the session ID value. +.Pp +.Fn SSL_SESSION_set1_id +returns 1 for success and 0 for failure, +for example if the supplied session ID length exceeds +.Dv SSL_MAX_SSL_SESSION_ID_LENGTH . .Sh SEE ALSO .Xr ssl 3 , .Xr SSL_copy_session_id 3 , .Xr SSL_get_session 3 , +.Xr SSL_SESSION_get_compress_id 3 , +.Xr SSL_SESSION_get_protocol_version 3 , +.Xr SSL_SESSION_has_ticket 3 , .Xr SSL_SESSION_new 3 +.Sh HISTORY +.Fn SSL_SESSION_get_id +first appeared in OpenSSL 0.9.8 and has been available since +.Ox 4.5 . +.Pp +.Fn SSL_SESSION_set1_id +first appeared in OpenSSL 1.1.0 and has been available since +.Ox 6.3 . diff --git a/lib/libssl/man/SSL_SESSION_get_id.3 b/lib/libssl/man/SSL_SESSION_get_protocol_version.3 similarity index 72% copy from lib/libssl/man/SSL_SESSION_get_id.3 copy to lib/libssl/man/SSL_SESSION_get_protocol_version.3 index 05b1fe53d9..f14c0490e9 100644 --- a/lib/libssl/man/SSL_SESSION_get_id.3 +++ b/lib/libssl/man/SSL_SESSION_get_protocol_version.3 
@@ -1,8 +1,8 @@ -.\" $OpenBSD: SSL_SESSION_get_id.3,v 1.1 2017/04/10 15:37:55 schwarze Exp $ -.\" OpenSSL SSL_SESSION_set1_id.pod b31db505 Mar 24 16:01:50 2017 +0000 +.\" $OpenBSD: SSL_SESSION_get_protocol_version.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $ +.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" -.\" This file was written by Matt Caswell -.\" Copyright (c) 2017 The OpenSSL Project. All rights reserved. +.\" This file was written by TJ Saunders +.\" Copyright (c) 2016 The OpenSSL Project. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions 
@@ -48,29 +48,37 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 10 2017 $ -.Dt SSL_SESSION_GET_ID 3 +.Dd $Mdocdate: March 24 2018 $ +.Dt SSL_SESSION_GET_PROTOCOL_VERSION 3 .Os .Sh NAME -.Nm SSL_SESSION_get_id -.Nd get the SSL session ID +.Nm SSL_SESSION_get_protocol_version +.Nd get the session protocol version .Sh SYNOPSIS .In openssl/ssl.h -.Ft const unsigned char * -.Fo SSL_SESSION_get_id +.Ft int +.Fo SSL_SESSION_get_protocol_version .Fa "const SSL_SESSION *s" -.Fa "unsigned int *len" .Fc .Sh DESCRIPTION -.Fn SSL_SESSION_get_id -returns a pointer to the internal session id value for the session +.Fn SSL_SESSION_get_protocol_version +returns the protocol version number used by the session .Fa s . -The length of the id in bytes is stored in -.Pf * Fa len . -The length may be 0. -The caller should not free the returned pointer directly. +.Sh RETURN VALUES +.Fn SSL_SESSION_get_protocol_version +returns a constant like +.Dv TLS1_VERSION +or +.Dv TLS1_2_VERSION . .Sh SEE ALSO .Xr ssl 3 , -.Xr SSL_copy_session_id 3 , .Xr SSL_get_session 3 , +.Xr SSL_SESSION_get0_peer 3 , +.Xr SSL_SESSION_get_compress_id 3 , +.Xr SSL_SESSION_get_id 3 , +.Xr SSL_SESSION_get_time 3 , .Xr SSL_SESSION_new 3 +.Sh HISTORY +.Fn SSL_SESSION_get_protocol_version +first appeared in OpenSSL 1.1.0 and has been available since +.Ox 6.3 . diff --git a/lib/libssl/man/SSL_SESSION_get_time.3 b/lib/libssl/man/SSL_SESSION_get_time.3 index 387a45f5e1..c15ba3dfbb 100644 --- a/lib/libssl/man/SSL_SESSION_get_time.3 +++ b/lib/libssl/man/SSL_SESSION_get_time.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_SESSION_get_time.3,v 1.3 2017/04/10 15:37:55 schwarze Exp $ +.\" $OpenBSD: SSL_SESSION_get_time.3,v 1.6 2018/03/21 08:06:34 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . 
@@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 10 2017 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_SESSION_GET_TIME 3 .Os .Sh NAME @@ -145,4 +145,20 @@ pointer for the session .Xr SSL_CTX_set_timeout 3 , .Xr SSL_get_default_timeout 3 , .Xr SSL_get_session 3 , +.Xr SSL_SESSION_has_ticket 3 , .Xr SSL_SESSION_new 3 +.Sh HISTORY +.Fn SSL_get_time , +.Fn SSL_set_time , +.Fn SSL_get_timeout , +and +.Fn SSL_set_timeout +appeared before SSLeay 0.8. +.Fn SSL_SESSION_get_time , +.Fn SSL_SESSION_set_time , +.Fn SSL_SESSION_get_timeout , +and +.Fn SSL_SESSION_set_timeout +first appeared in SSLeay 0.9.0. +All these functions have been available since +.Ox 2.4 . diff --git a/lib/libssl/man/SSL_set1_param.3 b/lib/libssl/man/SSL_SESSION_has_ticket.3 similarity index 70% copy from lib/libssl/man/SSL_set1_param.3 copy to lib/libssl/man/SSL_SESSION_has_ticket.3 index ae67d4796e..322b49feef 100644 --- a/lib/libssl/man/SSL_set1_param.3 +++ b/lib/libssl/man/SSL_SESSION_has_ticket.3 @@ -1,7 +1,8 @@ -.\" $OpenBSD: SSL_set1_param.3,v 1.1 2016/11/30 13:39:38 schwarze Exp $ -.\" OpenSSL SSL_CTX_get0_param.pod 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: SSL_SESSION_has_ticket.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $ +.\" full merge up to: OpenSSL f2baac27 Feb 8 15:43:16 2015 +0000 +.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800 .\" -.\" This file was written by Dr. Stephen Henson . +.\" This file was written by Matt Caswell . .\" Copyright (c) 2015 The OpenSSL Project. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without 
@@ -48,41 +49,37 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 30 2016 $ -.Dt SSL_SET1_PARAM 3 +.Dd $Mdocdate: March 24 2018 $ +.Dt SSL_SESSION_HAS_TICKET 3 .Os .Sh NAME -.Nm SSL_CTX_set1_param , -.Nm SSL_set1_param -.Nd set verification parameters +.Nm SSL_SESSION_has_ticket , +.Nm SSL_SESSION_get_ticket_lifetime_hint +.Nd get details about the ticket associated with a session .Sh SYNOPSIS .In openssl/ssl.h .Ft int -.Fo SSL_CTX_set1_param -.Fa "SSL_CTX *ctx" -.Fa "X509_VERIFY_PARAM *vpm" +.Fo SSL_SESSION_has_ticket +.Fa "const SSL_SESSION *s" .Fc -.Ft int -.Fo SSL_set1_param -.Fa "SSL *ssl" -.Fa "X509_VERIFY_PARAM *vpm" +.Ft unsigned long +.Fo SSL_SESSION_get_ticket_lifetime_hint +.Fa "const SSL_SESSION *s" .Fc .Sh DESCRIPTION -.Fn SSL_CTX_set1_param -and -.Fn SSL_set1_param -set the verification parameters to -.Fa vpm -for -.Fa ctx -or -.Fa ssl . -.Sh RETURN VALUES -.Fn SSL_CTX_set1_param -and -.Fn SSL_set1_param -return 1 for success or 0 for failure. +.Fn SSL_SESSION_has_ticket +returns 1 if there is a Session Ticket associated with +.Fa s +or 0 otherwise. +.Pp +.Fn SSL_SESSION_get_ticket_lifetime_hint +returns the lifetime hint in seconds associated with the session ticket. .Sh SEE ALSO -.Xr X509_VERIFY_PARAM_set_flags 3 +.Xr ssl 3 , +.Xr SSL_SESSION_get_id 3 , +.Xr SSL_SESSION_get_time 3 , +.Xr SSL_SESSION_new 3 .Sh HISTORY -These functions were first added to OpenSSL 1.0.2. +These functions first appeared in OpenSSL 1.1.0 +and have been available since +.Ox 6.3 . diff --git a/lib/libssl/man/SSL_SESSION_new.3 b/lib/libssl/man/SSL_SESSION_new.3 index 54d22b8ed5..98e22d4896 100644 --- a/lib/libssl/man/SSL_SESSION_new.3 +++ b/lib/libssl/man/SSL_SESSION_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_SESSION_new.3,v 1.2 2017/04/10 15:37:55 schwarze Exp $ +.\" $OpenBSD: SSL_SESSION_new.3,v 1.5 2018/03/21 05:07:04 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" 
@@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: April 10 2017 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_SESSION_NEW 3 .Os .Sh NAME @@ -63,7 +63,14 @@ returns .Xr SSL_SESSION_get_compress_id 3 , .Xr SSL_SESSION_get_ex_new_index 3 , .Xr SSL_SESSION_get_id 3 , +.Xr SSL_SESSION_get_master_key 3 , +.Xr SSL_SESSION_get_protocol_version 3 , .Xr SSL_SESSION_get_time 3 , +.Xr SSL_SESSION_has_ticket 3 , .Xr SSL_SESSION_print 3 , .Xr SSL_SESSION_set1_id_context 3 , .Xr SSL_set_session 3 +.Sh HISTORY +.Fn SSL_SESSION_new +appeared before SSLeay 0.8 and has been available since +.Ox 2.4 . diff --git a/lib/libssl/man/SSL_SESSION_print.3 b/lib/libssl/man/SSL_SESSION_print.3 index 015cd02aa7..d842437434 100644 --- a/lib/libssl/man/SSL_SESSION_print.3 +++ b/lib/libssl/man/SSL_SESSION_print.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_SESSION_print.3,v 1.1 2016/12/06 23:45:34 schwarze Exp $ +.\" $OpenBSD: SSL_SESSION_print.3,v 1.2 2018/03/21 05:07:04 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 6 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_SESSION_PRINT 3 .Os .Sh NAME @@ -64,3 +64,9 @@ In some cases, the reason for failure can be determined with .Xr SSL_SESSION_get_ex_new_index 3 , .Xr SSL_SESSION_get_time 3 , .Xr SSL_SESSION_new 3 +.Sh HISTORY +.Fn SSL_SESSION_print +and +.Fn SSL_SESSION_print_fp +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . diff --git a/lib/libssl/man/SSL_SESSION_set1_id_context.3 b/lib/libssl/man/SSL_SESSION_set1_id_context.3 index f7fa13ebcf..dd7595baca 100644 --- a/lib/libssl/man/SSL_SESSION_set1_id_context.3 +++ b/lib/libssl/man/SSL_SESSION_set1_id_context.3 
@@ -1,5 +1,6 @@
-.\" $OpenBSD: SSL_SESSION_set1_id_context.3,v 1.1 2017/04/10 15:37:55 schwarze Exp $
-.\" OpenSSL SSL_SESSION_get0_id_context.pod b31db505 Mar 24 16:01:50 2017
+.\" $OpenBSD: SSL_SESSION_set1_id_context.3,v 1.4 2018/03/24 00:55:37 schwarze Exp $
+.\" full merge up to:
+.\" OpenSSL SSL_SESSION_get0_id_context b31db505 Mar 24 16:01:50 2017
 .\"
 .\" This file was written by Matt Caswell
 .\" Copyright (c) 2017 The OpenSSL Project. All rights reserved.
@@ -48,14 +49,20 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 10 2017 $
+.Dd $Mdocdate: March 24 2018 $
 .Dt SSL_SESSION_SET1_ID_CONTEXT 3
 .Os
 .Sh NAME
+.Nm SSL_SESSION_get0_id_context ,
 .Nm SSL_SESSION_set1_id_context
-.Nd set the SSL ID context associated with a session
+.Nd get and set the SSL ID context associated with a session
 .Sh SYNOPSIS
 .In openssl/ssl.h
+.Ft const unsigned char *
+.Fo SSL_SESSION_get0_id_context
+.Fa "const SSL_SESSION *s"
+.Fa "unsigned int *len"
+.Fc
 .Ft int
 .Fo SSL_SESSION_set1_id_context
 .Fa "SSL_SESSION *s"
@@ -63,6 +70,16 @@
 .Fa "unsigned int sid_ctx_len"
 .Fc
 .Sh DESCRIPTION
+.Fn SSL_SESSION_get0_id_context
+returns the ID context associated with
+.Fa s .
+The length of the ID context in bytes is written to
+.Pf * Fa len
+if
+.Fa len
+is not
+.Dv NULL .
+.Pp
 .Fn SSL_SESSION_set1_id_context
 takes a copy of the provided ID context given in
 .Fa sid_ctx
@@ -74,6 +91,11 @@ which must not exceed
 .Dv SSL_MAX_SID_CTX_LENGTH
 bytes.
 .Sh RETURN VALUES
+.Fn SSL_SESSION_get0_id_context
+returns an internal pointer to an object maintained within
+.Fa s
+that should not be freed by the caller.
+.Pp
 .Fn SSL_SESSION_set1_id_context
 returns 1 on success or 0 on error.
 .Sh SEE ALSO
@@ -81,3 +103,11 @@ returns 1 on success or 0 on error.
 .Xr SSL_CTX_set_session_id_context 3 ,
 .Xr SSL_get_session 3 ,
 .Xr SSL_SESSION_new 3
+.Sh HISTORY
+.Fn SSL_SESSION_set1_id_context
+first appeared in OpenSSL 1.0.1 and has been available since
+.Ox 5.3 .
+.Pp
+.Fn SSL_SESSION_get0_id_context
+first appeared in OpenSSL 1.1.0 and has been available since
+.Ox 6.3 .
diff --git a/lib/libssl/man/SSL_accept.3 b/lib/libssl/man/SSL_accept.3
index 98b76458b9..3a550369e2 100644
--- a/lib/libssl/man/SSL_accept.3
+++ b/lib/libssl/man/SSL_accept.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_accept.3,v 1.3 2016/12/06 12:24:33 schwarze Exp $
+.\" $OpenBSD: SSL_accept.3,v 1.4 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_ACCEPT 3
 .Os
 .Sh NAME
@@ -149,3 +149,7 @@ to find out the reason.
 .Xr SSL_get_error 3 ,
 .Xr SSL_set_connect_state 3 ,
 .Xr SSL_shutdown 3
+.Sh HISTORY
+.Fn SSL_accept
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_alert_type_string.3 b/lib/libssl/man/SSL_alert_type_string.3
index 0af6bbcb9c..4db6b67170 100644
--- a/lib/libssl/man/SSL_alert_type_string.3
+++ b/lib/libssl/man/SSL_alert_type_string.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_alert_type_string.3,v 1.3 2017/08/11 22:12:40 schwarze Exp $
+.\" $OpenBSD: SSL_alert_type_string.3,v 1.4 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 11 2017 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_ALERT_TYPE_STRING 3
 .Os
 .Sh NAME
@@ -238,3 +238,6 @@ does not contain a correct alert message.
 .Sh SEE ALSO
 .Xr ssl 3 ,
 .Xr SSL_CTX_set_info_callback 3
+.Sh HISTORY
+These functions appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_clear.3 b/lib/libssl/man/SSL_clear.3
index 38194154f0..43faa404ba 100644
--- a/lib/libssl/man/SSL_clear.3
+++ b/lib/libssl/man/SSL_clear.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_clear.3,v 1.2 2016/12/01 22:45:28 schwarze Exp $
+.\" $OpenBSD: SSL_clear.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 1 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CLEAR 3
 .Os
 .Sh NAME
@@ -119,6 +119,10 @@ operation was successful.
 .Xr SSL_new 3 ,
 .Xr SSL_set_shutdown 3 ,
 .Xr SSL_shutdown 3
+.Sh HISTORY
+.Fn SSL_clear
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
 .Sh CAVEATS
 .Fn SSL_clear
 resets the
diff --git a/lib/libssl/man/SSL_connect.3 b/lib/libssl/man/SSL_connect.3
index 7fe167dd86..4529afba13 100644
--- a/lib/libssl/man/SSL_connect.3
+++ b/lib/libssl/man/SSL_connect.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_connect.3,v 1.4 2016/12/16 15:39:08 jmc Exp $
+.\" $OpenBSD: SSL_connect.3,v 1.5 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 16 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_CONNECT 3
 .Os
 .Sh NAME
@@ -148,3 +148,7 @@ to find out the reason.
 .Xr SSL_get_error 3 ,
 .Xr SSL_set_connect_state 3 ,
 .Xr SSL_shutdown 3
+.Sh HISTORY
+.Fn SSL_connect
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_copy_session_id.3 b/lib/libssl/man/SSL_copy_session_id.3
index 52a5aea314..d6e25a586a 100644
--- a/lib/libssl/man/SSL_copy_session_id.3
+++ b/lib/libssl/man/SSL_copy_session_id.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_copy_session_id.3,v 1.2 2017/04/10 15:37:55 schwarze Exp $
+.\" $OpenBSD: SSL_copy_session_id.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 10 2017 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_COPY_SESSION_ID 3
 .Os
 .Sh NAME
@@ -65,7 +65,8 @@ and by
 .Xr SSL_set_session_id_context 3
 .Sh HISTORY
 .Fn SSL_copy_session_id
-is available in all versions of OpenSSL.
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
 .Sh BUGS
 Failures of
 .Xr SSL_set_session 3 ,
diff --git a/lib/libssl/man/SSL_do_handshake.3 b/lib/libssl/man/SSL_do_handshake.3
index df22059564..88d4677fc8 100644
--- a/lib/libssl/man/SSL_do_handshake.3
+++ b/lib/libssl/man/SSL_do_handshake.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_do_handshake.3,v 1.4 2016/12/16 15:39:08 jmc Exp $
+.\" $OpenBSD: SSL_do_handshake.3,v 1.5 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Martin Sjoegren .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 16 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_DO_HANDSHAKE 3
 .Os
 .Sh NAME
@@ -146,3 +146,7 @@ to find out the reason.
 .Xr SSL_connect 3 ,
 .Xr SSL_get_error 3 ,
 .Xr SSL_set_connect_state 3
+.Sh HISTORY
+.Fn SSL_do_handshake
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_dup.3 b/lib/libssl/man/SSL_dup.3
index 47ec2e3976..448979360f 100644
--- a/lib/libssl/man/SSL_dup.3
+++ b/lib/libssl/man/SSL_dup.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_dup.3,v 1.1 2016/12/07 17:09:07 schwarze Exp $
+.\" $OpenBSD: SSL_dup.3,v 1.2 2018/03/21 05:07:04 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 7 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_DUP 3
 .Os
 .Sh NAME
@@ -56,4 +56,5 @@ on failure.
 .Xr SSL_new 3
 .Sh HISTORY
 .Fn SSL_dup
-is available in all versions of OpenSSL.
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_dup_CA_list.3 b/lib/libssl/man/SSL_dup_CA_list.3
index d6f1add686..92787a32f4 100644
--- a/lib/libssl/man/SSL_dup_CA_list.3
+++ b/lib/libssl/man/SSL_dup_CA_list.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_dup_CA_list.3,v 1.2 2016/12/14 16:20:28 schwarze Exp $
+.\" $OpenBSD: SSL_dup_CA_list.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 14 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_DUP_CA_LIST 3
 .Os
 .Sh NAME
@@ -49,4 +49,5 @@ on failure.
 .Xr X509_NAME_new 3
 .Sh HISTORY
 .Fn SSL_dup_CA_list
-is available in all versions of OpenSSL.
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_export_keying_material.3 b/lib/libssl/man/SSL_export_keying_material.3
index 613446a275..fe1ed748d5 100644
--- a/lib/libssl/man/SSL_export_keying_material.3
+++ b/lib/libssl/man/SSL_export_keying_material.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_export_keying_material.3,v 1.1 2017/08/21 10:10:25 schwarze Exp $
+.\" $OpenBSD: SSL_export_keying_material.3,v 1.2 2018/03/23 05:50:30 schwarze Exp $
 .\" OpenSSL a599574b Jun 28 17:18:27 2017 +0100
 .\" OpenSSL 23cec1f4 Jun 21 13:55:02 2017 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 21 2017 $
+.Dd $Mdocdate: March 23 2018 $
 .Dt SSL_EXPORT_KEYING_MATERIAL 3
 .Os
 .Sh NAME
@@ -125,3 +125,7 @@ standard to be used without registration.
 .Sh RETURN VALUES
 .Fn SSL_export_keying_material
 returns 1 on success or 0 or -1 on failure.
+.Sh HISTORY
+.Fn SSL_export_keying_material
+first appeared in OpenSSL 1.0.1 and has been available since
+.Ox 5.3 .
diff --git a/lib/libssl/man/SSL_free.3 b/lib/libssl/man/SSL_free.3
index 96e0acb63f..a39078e474 100644
--- a/lib/libssl/man/SSL_free.3
+++ b/lib/libssl/man/SSL_free.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_free.3,v 1.2 2016/12/01 22:46:21 schwarze Exp $
+.\" $OpenBSD: SSL_free.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 1 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_FREE 3
 .Os
 .Sh NAME
@@ -112,3 +112,7 @@ does not provide diagnostic information.
 .Xr SSL_new 3 ,
 .Xr SSL_set_shutdown 3 ,
 .Xr SSL_shutdown 3
+.Sh HISTORY
+.Fn SSL_free
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_get_SSL_CTX.3 b/lib/libssl/man/SSL_get_SSL_CTX.3
index 7f68128fe7..9af9698329 100644
--- a/lib/libssl/man/SSL_get_SSL_CTX.3
+++ b/lib/libssl/man/SSL_get_SSL_CTX.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_SSL_CTX.3,v 1.2 2016/12/03 08:54:21 schwarze Exp $
+.\" $OpenBSD: SSL_get_SSL_CTX.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 3 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_GET_SSL_CTX 3
 .Os
 .Sh NAME
@@ -73,3 +73,7 @@ object is returned.
 .Sh SEE ALSO
 .Xr ssl 3 ,
 .Xr SSL_new 3
+.Sh HISTORY
+.Fn SSL_get_SSL_CTX
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_get_certificate.3 b/lib/libssl/man/SSL_get_certificate.3
index 35650c75b1..4576a2dbcb 100644
--- a/lib/libssl/man/SSL_get_certificate.3
+++ b/lib/libssl/man/SSL_get_certificate.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_certificate.3,v 1.1 2016/12/10 13:54:32 schwarze Exp $
+.\" $OpenBSD: SSL_get_certificate.3,v 1.2 2018/03/21 05:07:04 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 10 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_GET_CERTIFICATE 3
 .Os
 .Sh NAME
@@ -58,4 +58,5 @@ if none is active.
 .Fn SSL_get_certificate
 and
 .Fn SSL_get_privatekey
-are available in all versions of OpenSSL.
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_get_ciphers.3 b/lib/libssl/man/SSL_get_ciphers.3
index 4c3bbc45ce..a9e955be18 100644
--- a/lib/libssl/man/SSL_get_ciphers.3
+++ b/lib/libssl/man/SSL_get_ciphers.3
@@ -1,8 +1,11 @@
-.\" $OpenBSD: SSL_get_ciphers.3,v 1.2 2016/12/03 09:00:46 schwarze Exp $
-.\" OpenSSL c3e64028 Mar 30 11:50:14 2005 +0000
+.\" $OpenBSD: SSL_get_ciphers.3,v 1.5 2018/03/24 00:55:37 schwarze Exp $
+.\" full merge up to: OpenSSL c3e64028 Mar 30 11:50:14 2005 +0000
+.\" selective merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2000, 2005, 2015 The OpenSSL Project. All rights reserved.
+.\" This file was written by Lutz Jaenicke ,
+.\" Nick Mathewson , and Kazuki Yamaguchi .
+.\" Copyright (c) 2000, 2005, 2015, 2016 The OpenSSL Project.
+.\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -48,17 +51,20 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 3 2016 $
+.Dd $Mdocdate: March 24 2018 $
 .Dt SSL_GET_CIPHERS 3
 .Os
 .Sh NAME
 .Nm SSL_get_ciphers ,
+.Nm SSL_CTX_get_ciphers ,
 .Nm SSL_get_cipher_list
 .Nd get list of available SSL_CIPHERs
 .Sh SYNOPSIS
 .In openssl/ssl.h
 .Ft STACK_OF(SSL_CIPHER) *
 .Fn SSL_get_ciphers "const SSL *ssl"
+.Ft STACK_OF(SSL_CIPHER) *
+.Fn SSL_CTX_get_ciphers "const SSL_CTX *ctx"
 .Ft const char *
 .Fn SSL_get_cipher_list "const SSL *ssl" "int priority"
 .Sh DESCRIPTION
@@ -76,15 +82,27 @@ or no ciphers are available,
 .Dv NULL
 is returned.
 .Pp
+.Fn SSL_CTX_get_ciphers
+returns the stack of available
+.Vt SSL_CIPHER Ns s
+for
+.Fa ctx .
+.Pp
 .Fn SSL_get_ciphers
-returns a pointer to an internal cipher stack, which will be freed
+and
+.Fn SSL_CTX_get_ciphers
+return pointers to internal cipher stacks, which will be freed
 later on when the
 .Vt SSL
+or
+.Vt SSL_CTX
 object is freed.
 Therefore, the calling code must not free the return value itself.
 .Pp
 The details of the ciphers obtained by
 .Fn SSL_get_ciphers
+and
+.Fn SSL_CTX_get_ciphers
 can be obtained using the
 .Xr SSL_CIPHER_get_name 3
 family of functions.
@@ -117,3 +135,13 @@ is returned.
 .Xr ssl 3 ,
 .Xr SSL_CIPHER_get_name 3 ,
 .Xr SSL_CTX_set_cipher_list 3
+.Sh HISTORY
+.Fn SSL_get_ciphers
+and
+.Fn SSL_get_cipher_list
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
+.Pp
+.Fn SSL_CTX_get_ciphers
+first appeared in OpenSSL 1.1.0 and has been available since
+.Ox 6.3 .
diff --git a/lib/libssl/man/SSL_get_client_CA_list.3 b/lib/libssl/man/SSL_get_client_CA_list.3
index 66d6cf5976..6ed419aad9 100644
--- a/lib/libssl/man/SSL_get_client_CA_list.3
+++ b/lib/libssl/man/SSL_get_client_CA_list.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_client_CA_list.3,v 1.3 2016/12/14 16:20:28 schwarze Exp $
+.\" $OpenBSD: SSL_get_client_CA_list.3,v 1.4 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 14 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_GET_CLIENT_CA_LIST 3
 .Os
 .Sh NAME
@@ -88,3 +88,9 @@ returns the list of client CAs sent from the server, if any.
 .Xr SSL_CTX_set_client_CA_list 3 ,
 .Xr SSL_CTX_set_client_cert_cb 3 ,
 .Xr X509_NAME_new 3
+.Sh HISTORY
+.Fn SSL_get_client_CA_list
+and
+.Fn SSL_CTX_get_client_CA_list
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_get_client_random.3 b/lib/libssl/man/SSL_get_client_random.3
new file mode 100644
index 0000000000..eda74db355
--- /dev/null
+++ b/lib/libssl/man/SSL_get_client_random.3
@@ -0,0 +1,150 @@
+.\" $OpenBSD: SSL_get_client_random.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $
+.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
+.\"
+.\" This file was written by Nick Mathewson
+.\" Copyright (c) 2015 The OpenSSL Project. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in
+.\" the documentation and/or other materials provided with the
+.\" distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\" software must display the following acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\" endorse or promote products derived from this software without
+.\" prior written permission. For written permission, please contact
+.\" openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\" nor may "OpenSSL" appear in their names without prior written
+.\" permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\" acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: March 24 2018 $
+.Dt SSL_GET_CLIENT_RANDOM 3
+.Os
+.Sh NAME
+.Nm SSL_get_client_random ,
+.Nm SSL_get_server_random ,
+.Nm SSL_SESSION_get_master_key
+.Nd get internal TLS handshake random values and master key
+.Sh SYNOPSIS
+.In openssl/ssl.h
+.Ft size_t
+.Fo SSL_get_client_random
+.Fa "const SSL *ssl"
+.Fa "unsigned char *out"
+.Fa "size_t outlen"
+.Fc
+.Ft size_t
+.Fo SSL_get_server_random
+.Fa "const SSL *ssl"
+.Fa "unsigned char *out"
+.Fa "size_t outlen"
+.Fc
+.Ft size_t
+.Fo SSL_SESSION_get_master_key
+.Fa "const SSL_SESSION *session"
+.Fa "unsigned char *out"
+.Fa "size_t outlen"
+.Fc
+.Sh DESCRIPTION
+.Fn SSL_get_client_random
+extracts the random value that was sent from the client to the server
+during the initial TLS handshake.
+It copies at most
+.Fa outlen
+bytes of this value into the buffer
+.Fa out .
+If
+.Fa outlen
+is zero, nothing is copied.
+.Pp
+.Fn SSL_get_server_random
+behaves the same, but extracts the random value that was sent
+from the server to the client during the initial TLS handshake.
+.Pp
+.Fn SSL_SESSION_get_master_key
+behaves the same, but extracts the master secret used to guarantee the
+security of the TLS session.
+The security of the TLS session depends on keeping the master key
+secret: do not expose it, or any information about it, to anybody.
+To calculate another secret value that depends on the master secret,
+use
+.Xr SSL_export_keying_material 3
+instead.
+.Pp
+All these functions expose internal values from the TLS handshake,
+for use in low-level protocols.
+Avoid using them unless implementing a feature
+that requires access to the internal protocol details.
+.Pp
+Despite the names of
+.Fn SSL_get_client_random
+and
+.Fn SSL_get_server_random ,
+they are not random number generators.
+Instead, they return the mostly-random values that were already
+generated and used in the TLS protocol.
+.Pp
+In current versions of the TLS protocols,
+the length of client_random and server_random is always
+.Dv SSL3_RANDOM_SIZE
+bytes.
+Support for other
+.Fa outlen
+arguments is provided for the unlikely event that a future
+version or variant of TLS uses some other length.
+.Pp
+Finally, though the client_random and server_random values are called
+.Dq random ,
+many TLS implementations generate four bytes of those values
+based on their view of the current time.
+.Sh RETURN VALUES
+If
+.Fa outlen
+is greater than 0, these functions return the number of bytes
+actually copied, which is less than or equal to
+.Fa outlen .
+If
+.Fa outlen
+is 0, these functions return the maximum number of bytes they would
+copy \(em that is, the length of the underlying field.
+.Sh SEE ALSO
+.Xr ssl 3 ,
+.Xr SSL_export_keying_material 3 ,
+.Xr SSL_SESSION_get_id 3 ,
+.Xr SSL_SESSION_get_time 3 ,
+.Xr SSL_SESSION_new 3
+.Sh HISTORY
+These functions first appeared in OpenSSL 1.1.0
+and have been available since
+.Ox 6.3 .
diff --git a/lib/libssl/man/SSL_get_current_cipher.3 b/lib/libssl/man/SSL_get_current_cipher.3
index e61ea2280c..8ff6a7bd0b 100644
--- a/lib/libssl/man/SSL_get_current_cipher.3
+++ b/lib/libssl/man/SSL_get_current_cipher.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_current_cipher.3,v 1.2 2016/12/03 09:07:56 schwarze Exp $
+.\" $OpenBSD: SSL_get_current_cipher.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 3 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_GET_CURRENT_CIPHER 3
 .Os
 .Sh NAME
@@ -107,3 +107,6 @@ if no session has been established.
 .Sh SEE ALSO
 .Xr ssl 3 ,
 .Xr SSL_CIPHER_get_name 3
+.Sh HISTORY
+These functions appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_get_default_timeout.3 b/lib/libssl/man/SSL_get_default_timeout.3
index f9ce7f3368..b8e53dc9b4 100644
--- a/lib/libssl/man/SSL_get_default_timeout.3
+++ b/lib/libssl/man/SSL_get_default_timeout.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_default_timeout.3,v 1.2 2016/12/03 09:10:29 schwarze Exp $
+.\" $OpenBSD: SSL_get_default_timeout.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 3 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_GET_DEFAULT_TIMEOUT 3
 .Os
 .Sh NAME
@@ -79,3 +79,7 @@ protocols (SSLv2, SSLv3, and TLSv1).
 .Xr SSL_CTX_flush_sessions 3 ,
 .Xr SSL_CTX_set_session_cache_mode 3 ,
 .Xr SSL_SESSION_get_time 3
+.Sh HISTORY
+.Fn SSL_get_default_timeout
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_get_error.3 b/lib/libssl/man/SSL_get_error.3
index 4996744041..3afa3ce61f 100644
--- a/lib/libssl/man/SSL_get_error.3
+++ b/lib/libssl/man/SSL_get_error.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_error.3,v 1.2 2016/12/03 08:54:21 schwarze Exp $
+.\" $OpenBSD: SSL_get_error.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Bodo Moeller .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 3 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_GET_ERROR 3
 .Os
 .Sh NAME
@@ -213,4 +213,5 @@ The OpenSSL error queue contains more information on the error.
 .Xr ssl 3
 .Sh HISTORY
 .Fn SSL_get_error
-was added in SSLeay 0.8.
+first appeared in SSLeay 0.8 and have been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 b/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
index fce584421e..632ee01caa 100644
--- a/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
+++ b/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_ex_data_X509_STORE_CTX_idx.3,v 1.2 2016/12/06 22:41:16 schwarze Exp $
+.\" $OpenBSD: SSL_get_ex_data_X509_STORE_CTX_idx.3,v 1.3 2018/03/21 09:05:04 schwarze Exp $
 .\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_GET_EX_DATA_X509_STORE_CTX_IDX 3
 .Os
 .Sh NAME
@@ -110,3 +110,7 @@ Please check the example in
 .Xr CRYPTO_set_ex_data 3 ,
 .Xr ssl 3 ,
 .Xr SSL_CTX_set_verify 3
+.Sh HISTORY
+.Fn SSL_get_ex_data_X509_STORE_CTX_idx
+first appeared in SSLeay 0.9.1 and has been available since
+.Ox 2.6 .
diff --git a/lib/libssl/man/SSL_get_ex_new_index.3 b/lib/libssl/man/SSL_get_ex_new_index.3
index 070baa5a06..c4af30a208 100644
--- a/lib/libssl/man/SSL_get_ex_new_index.3
+++ b/lib/libssl/man/SSL_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_ex_new_index.3,v 1.2 2016/12/06 22:41:16 schwarze Exp $
+.\" $OpenBSD: SSL_get_ex_new_index.3,v 1.3 2018/03/21 08:06:34 schwarze Exp $
 .\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -121,3 +121,10 @@ in
 .Xr RSA_get_ex_new_index 3 ,
 .Xr ssl 3 ,
 .Xr SSL_CTX_set_verify 3
+.Sh HISTORY
+.Fn SSL_get_ex_new_index ,
+.Fn SSL_set_ex_data ,
+and
+.Fn SSL_get_ex_data
+first appeared in SSLeay 0.9.0 and have been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_get_fd.3 b/lib/libssl/man/SSL_get_fd.3
index c5596c281b..9aa5150dbc 100644
--- a/lib/libssl/man/SSL_get_fd.3
+++ b/lib/libssl/man/SSL_get_fd.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_fd.3,v 1.3 2016/12/06 12:24:33 schwarze Exp $
+.\" $OpenBSD: SSL_get_fd.3,v 1.5 2018/03/22 17:38:41 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2016 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt SSL_GET_FD 3
 .Os
 .Sh NAME
@@ -91,3 +91,13 @@ The file descriptor linked to
 .Xr BIO_new 3 ,
 .Xr ssl 3 ,
 .Xr SSL_set_fd 3
+.Sh HISTORY
+.Fn SSL_get_fd
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
+.Pp
+.Fn SSL_get_rfd
+and
+.Fn SSL_get_wfd
+first appeared in OpenSSL 0.9.6c and have been available since
+.Ox 3.2 .
diff --git a/lib/libssl/man/SSL_get_peer_cert_chain.3 b/lib/libssl/man/SSL_get_peer_cert_chain.3
index b438f45d24..b63859dfe2 100644
--- a/lib/libssl/man/SSL_get_peer_cert_chain.3
+++ b/lib/libssl/man/SSL_get_peer_cert_chain.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_peer_cert_chain.3,v 1.3 2017/03/28 18:21:55 schwarze Exp $
+.\" $OpenBSD: SSL_get_peer_cert_chain.3,v 1.4 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL SSL_get_peer_cert_chain.pod 1f164c6f Jan 18 01:40:36 2017 +0100
 .\" OpenSSL SSL_get_peer_cert_chain.pod 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 28 2017 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_GET_PEER_CERT_CHAIN 3
 .Os
 .Sh NAME
@@ -101,3 +101,7 @@ The return value points to the certificate chain presented by the peer.
 .Sh SEE ALSO
 .Xr ssl 3 ,
 .Xr SSL_get_peer_certificate 3
+.Sh HISTORY
+.Fn SSL_get_peer_cert_chain
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_get_peer_certificate.3 b/lib/libssl/man/SSL_get_peer_certificate.3
index 8a6e32ecd2..49d992363b 100644
--- a/lib/libssl/man/SSL_get_peer_certificate.3
+++ b/lib/libssl/man/SSL_get_peer_certificate.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_peer_certificate.3,v 1.2 2016/12/03 08:54:21 schwarze Exp $
+.\" $OpenBSD: SSL_get_peer_certificate.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 3 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_GET_PEER_CERTIFICATE 3
 .Os
 .Sh NAME
@@ -98,3 +98,7 @@ The return value points to the certificate presented by the peer.
 .Xr ssl 3 ,
 .Xr SSL_CTX_set_verify 3 ,
 .Xr SSL_get_verify_result 3
+.Sh HISTORY
+.Fn SSL_get_peer_certificate
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_get_rbio.3 b/lib/libssl/man/SSL_get_rbio.3
index 9c8cd97210..540c13990c 100644
--- a/lib/libssl/man/SSL_get_rbio.3
+++ b/lib/libssl/man/SSL_get_rbio.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_rbio.3,v 1.3 2016/12/06 12:24:33 schwarze Exp $
+.\" $OpenBSD: SSL_get_rbio.3,v 1.4 2018/03/21 05:07:04 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2016 $
+.Dd $Mdocdate: March 21 2018 $
 .Dt SSL_GET_RBIO 3
 .Os
 .Sh NAME
@@ -90,3 +90,9 @@ linked to
 .Xr BIO_new 3 ,
 .Xr ssl 3 ,
 .Xr SSL_set_bio 3
+.Sh HISTORY
+.Fn SSL_get_rbio
+and
+.Fn SSL_get_wbio
+appeared before SSLeay 0.8 and have been available since
+.Ox 2.4 .
diff --git a/lib/libssl/man/SSL_get_server_tmp_key.3 b/lib/libssl/man/SSL_get_server_tmp_key.3
index 66e362f6e9..6bd102e863 100644
--- a/lib/libssl/man/SSL_get_server_tmp_key.3
+++ b/lib/libssl/man/SSL_get_server_tmp_key.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_server_tmp_key.3,v 1.1 2017/04/10 15:54:46 schwarze Exp $
+.\" $OpenBSD: SSL_get_server_tmp_key.3,v 1.3 2018/03/24 00:55:37 schwarze Exp $
 .\" OpenSSL SSL_get_server_tmp_key.pod 508fafd8 Apr 3 15:41:21 2017 +0100
 .\"
 .\" This file was written by Matt Caswell
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 10 2017 $
+.Dd $Mdocdate: March 24 2018 $
 .Dt SSL_GET_SERVER_TMP_KEY 3
 .Os
 .Sh NAME
@@ -82,3 +82,7 @@ returns 1 on success or 0 on failure.
 .Sh SEE ALSO
 .Xr EVP_PKEY_free 3 ,
 .Xr SSL_ctrl 3
+.Sh HISTORY
+.Fn SSL_get_server_tmp_key
+first appeared in OpenSSL 1.0.2 and has been available since
+.Ox 6.1 .
diff --git a/lib/libssl/man/SSL_get_session.3 b/lib/libssl/man/SSL_get_session.3
index 8a1efa674d..96d597a734 100644
--- a/lib/libssl/man/SSL_get_session.3
+++ b/lib/libssl/man/SSL_get_session.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_session.3,v 1.3 2017/04/10 15:37:55 schwarze Exp $
+.\" $OpenBSD: SSL_get_session.3,v 1.6 2018/03/22 16:07:53 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 10 2017 $
+.Dd $Mdocdate: March 22 2018 $
 .Dt SSL_GET_SESSION 3
 .Os
 .Sh NAME
@@ -146,6 +146,18 @@ session.
 .Xr SSL_SESSION_get0_peer 3 ,
 .Xr SSL_SESSION_get_compress_id 3 ,
 .Xr SSL_SESSION_get_id 3 ,
+.Xr SSL_SESSION_get_protocol_version 3 ,
 .Xr SSL_SESSION_get_time 3 ,
 .Xr SSL_SESSION_new 3 ,
-.Xr SSL_SESSION_print 3
+.Xr SSL_SESSION_print 3 ,
+.Xr SSL_set_session 3
+.Sh HISTORY
+.Fn SSL_get_session
+appeared before SSLeay 0.8 and has been available since
+.Ox 2.4 .
+.Pp
+.Fn SSL_get0_session
+and
+.Fn SSL_get1_session
+first appeared in OpenSSL 0.9.5 and have been available since
+.Ox 2.7 .
diff --git a/lib/libssl/man/SSL_get_shared_ciphers.3 b/lib/libssl/man/SSL_get_shared_ciphers.3
index 915ad68215..86ec0be660 100644
--- a/lib/libssl/man/SSL_get_shared_ciphers.3
+++ b/lib/libssl/man/SSL_get_shared_ciphers.3
@@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_get_shared_ciphers.3,v 1.1 2016/12/10 14:56:56 schwarze Exp $ +.\" $OpenBSD: SSL_get_shared_ciphers.3,v 1.2 2018/03/21 05:07:04 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 10 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_GET_SHARED_CIPHERS 3 .Os .Sh NAME @@ -55,7 +55,8 @@ Otherwise, it returns .Fa buf . .Sh HISTORY .Fn SSL_get_shared_ciphers -is available in all versions of OpenSSL. +appeared before SSLeay 0.8 and has been available since +.Ox 2.4 . .Sh BUGS If the list is too long to fit into .Fa len diff --git a/lib/libssl/man/SSL_get_state.3 b/lib/libssl/man/SSL_get_state.3 index d835b52291..1d586df7de 100644 --- a/lib/libssl/man/SSL_get_state.3 +++ b/lib/libssl/man/SSL_get_state.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_get_state.3,v 1.1 2016/12/10 13:54:32 schwarze Exp $ +.\" $OpenBSD: SSL_get_state.3,v 1.3 2018/03/21 08:06:34 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 10 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_GET_STATE 3 .Os .Sh NAME @@ -143,4 +143,15 @@ All these functions may be implemented as macros. .Xr SSL_renegotiate 3 , .Xr SSL_set_connect_state 3 .Sh HISTORY -These functions are available in all versions of OpenSSL. +.Fn SSL_state , +.Fn SSL_in_accept_init , +.Fn SSL_in_before , +.Fn SSL_in_connect_init , +.Fn SSL_in_init , +and +.Fn SSL_is_init_finished +appeared before SSLeay 0.8. +.Fn SSL_get_state +first appeared in SSLeay 0.9.0. +These functions have been available since +.Ox 2.4 . 
diff --git a/lib/libssl/man/SSL_get_verify_result.3 b/lib/libssl/man/SSL_get_verify_result.3 index 78bf636a48..dac7faac2a 100644 --- a/lib/libssl/man/SSL_get_verify_result.3 +++ b/lib/libssl/man/SSL_get_verify_result.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_get_verify_result.3,v 1.2 2016/12/03 08:54:21 schwarze Exp $ +.\" $OpenBSD: SSL_get_verify_result.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 3 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_GET_VERIFY_RESULT 3 .Os .Sh NAME @@ -86,6 +86,10 @@ Documented in .Xr ssl 3 , .Xr SSL_get_peer_certificate 3 , .Xr SSL_set_verify_result 3 +.Sh HISTORY +.Fn SSL_get_verify_result +appeared before SSLeay 0.8 and has been available since +.Ox 2.4 . .Sh BUGS If no peer certificate was presented, the returned result code is .Dv X509_V_OK . diff --git a/lib/libssl/man/SSL_get_version.3 b/lib/libssl/man/SSL_get_version.3 index fe18fbf648..f903e44fcf 100644 --- a/lib/libssl/man/SSL_get_version.3 +++ b/lib/libssl/man/SSL_get_version.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_get_version.3,v 1.3 2016/12/10 13:12:08 schwarze Exp $ +.\" $OpenBSD: SSL_get_version.3,v 1.4 2018/03/21 05:07:04 schwarze Exp $ .\" OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 10 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_GET_VERSION 3 .Os .Sh NAME @@ -88,4 +88,5 @@ This indicates that no version has been set (no connection established). .Fn SSL_get_version and .Fn SSL_version -are available in all versions of OpenSSL. +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . 
diff --git a/lib/libssl/man/SSL_library_init.3 b/lib/libssl/man/SSL_library_init.3 index 397c19ac84..a45e91e043 100644 --- a/lib/libssl/man/SSL_library_init.3 +++ b/lib/libssl/man/SSL_library_init.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_library_init.3,v 1.2 2016/12/04 12:13:43 schwarze Exp $ +.\" $OpenBSD: SSL_library_init.3,v 1.5 2018/03/22 16:07:53 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 4 2016 $ +.Dd $Mdocdate: March 22 2018 $ .Dt SSL_LIBRARY_INIT 3 .Os .Sh NAME @@ -96,3 +96,15 @@ SSL_library_init(); /* initialize library */ .Xr RAND_add 3 , .Xr ssl 3 , .Xr SSL_load_error_strings 3 +.Sh HISTORY +.Fn SSLeay_add_ssl_algorithms +appeared before SSLeay 0.8 and has been available since +.Ox 2.4 . +.Pp +.Fn SSL_library_init +first appeared in OpenSSL 0.9.2b and has been available since +.Ox 2.6 . +.Pp +.Fn OpenSSL_add_ssl_algorithms +first appeared in OpenSSL 0.9.5 and has been available since +.Ox 2.7 . diff --git a/lib/libssl/man/SSL_load_client_CA_file.3 b/lib/libssl/man/SSL_load_client_CA_file.3 index ed4a21ef6f..b8cf94f9d9 100644 --- a/lib/libssl/man/SSL_load_client_CA_file.3 +++ b/lib/libssl/man/SSL_load_client_CA_file.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_load_client_CA_file.3,v 1.5 2016/12/16 15:39:08 jmc Exp $ +.\" $OpenBSD: SSL_load_client_CA_file.3,v 1.7 2018/03/21 16:12:41 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file is a derived work. @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 16 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_LOAD_CLIENT_CA_FILE 3 .Os .Sh NAME 
@@ -145,10 +145,15 @@ else .Xr X509_get_subject_name 3 , .Xr X509_NAME_new 3 .Sh HISTORY +.Fn SSL_load_client_CA_file +appeared before SSLeay 0.8 and has been available since +.Ox 2.4 . +.Pp .Fn SSL_add_file_cert_subjects_to_stack and .Fn SSL_add_dir_cert_subjects_to_stack -first appeared in OpenSSL 0.9.2b. +first appeared in OpenSSL 0.9.2b and have been available since +.Ox 2.6 . .Sh AUTHORS .Fn SSL_add_file_cert_subjects_to_stack and diff --git a/lib/libssl/man/SSL_new.3 b/lib/libssl/man/SSL_new.3 index cfe8b3368e..b0d55eca71 100644 --- a/lib/libssl/man/SSL_new.3 +++ b/lib/libssl/man/SSL_new.3 @@ -1,8 +1,9 @@ -.\" $OpenBSD: SSL_new.3,v 1.2 2016/12/04 12:22:48 schwarze Exp $ -.\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400 +.\" $OpenBSD: SSL_new.3,v 1.5 2018/03/24 00:55:37 schwarze Exp $ +.\" full merge up to: OpenSSL 1c7ae3dd Mar 29 19:17:55 2017 +1000 .\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2000, 2001 The OpenSSL Project. All rights reserved. +.\" This file was written by Richard Levitte +.\" and Matt Caswell . +.\" Copyright (c) 2000, 2016 The OpenSSL Project. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -48,16 +49,19 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 4 2016 $ +.Dd $Mdocdate: March 24 2018 $ .Dt SSL_NEW 3 .Os .Sh NAME -.Nm SSL_new +.Nm SSL_new , +.Nm SSL_up_ref .Nd create a new SSL structure for a connection .Sh SYNOPSIS .In openssl/ssl.h .Ft SSL * .Fn SSL_new "SSL_CTX *ctx" +.Ft int +.Fn SSL_up_ref "SSL *ssl" .Sh DESCRIPTION .Fn SSL_new creates a new 
@@ -67,6 +71,12 @@ The new structure inherits the settings of the underlying context .Fa ctx : connection method, options, verification settings, timeout settings. +The reference count of the new structure is set to 1. +.Pp +.Fn SSL_up_ref +increments the reference count of +.Fa ssl +by 1. .Sh RETURN VALUES The following return values can occur: .Bl -tag -width Ds @@ -80,9 +90,20 @@ The return value points to an allocated .Vt SSL structure. .El +.Pp +.Fn SSL_up_ref +returns 1 for success or 0 for failure. .Sh SEE ALSO .Xr ssl 3 , .Xr SSL_clear 3 , .Xr SSL_CTX_set_options 3 , .Xr SSL_free 3 , .Xr SSL_get_SSL_CTX 3 +.Sh HISTORY +.Fn SSL_new +appeared before SSLeay 0.8 and has been available since +.Ox 2.4 . +.Pp +.Fn SSL_up_ref +first appeared in OpenSSL 1.1.0 and has been available since +.Ox 6.3 . diff --git a/lib/libssl/man/SSL_num_renegotiations.3 b/lib/libssl/man/SSL_num_renegotiations.3 index 7b380d93de..7a864187f6 100644 --- a/lib/libssl/man/SSL_num_renegotiations.3 +++ b/lib/libssl/man/SSL_num_renegotiations.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_num_renegotiations.3,v 1.3 2017/07/05 11:43:09 schwarze Exp $ +.\" $OpenBSD: SSL_num_renegotiations.3,v 1.4 2018/03/21 08:06:34 schwarze Exp $ .\" .\" Copyright (c) 2016 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: July 5 2017 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_NUM_RENEGOTIATIONS 3 .Os .Sh NAME @@ -69,4 +69,6 @@ All these functions return a number of renegotiations. .Xr SSL_renegotiate 3 , .Xr SSL_write 3 .Sh HISTORY -These functions are available in all versions of OpenSSL. +These functions first appeared in SSLeay 0.9.0 +and have been available since +.Ox 2.4 . diff --git a/lib/libssl/man/SSL_pending.3 b/lib/libssl/man/SSL_pending.3 index 1f8493b87c..57e6237878 100644 --- a/lib/libssl/man/SSL_pending.3 +++ b/lib/libssl/man/SSL_pending.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_pending.3,v 1.2 2016/12/04 12:26:05 schwarze Exp $ +.\" $OpenBSD: SSL_pending.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $ .\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400 .\" .\" This file was written by Lutz Jaenicke , @@ -50,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 4 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_PENDING 3 .Os .Sh NAME @@ -99,6 +99,10 @@ bytes that are pending and are available for immediate read. .Xr ssl 3 , .Xr SSL_CTX_set_read_ahead 3 , .Xr SSL_read 3 +.Sh HISTORY +.Fn SSL_pending +appeared before SSLeay 0.8 and has been available since +.Ox 2.4 . .Sh BUGS Up to OpenSSL 0.9.6, .Fn SSL_pending diff --git a/lib/libssl/man/SSL_read.3 b/lib/libssl/man/SSL_read.3 index 14e4853842..cdb12746b0 100644 --- a/lib/libssl/man/SSL_read.3 +++ b/lib/libssl/man/SSL_read.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_read.3,v 1.4 2016/12/07 18:47:23 schwarze Exp $ +.\" $OpenBSD: SSL_read.3,v 1.5 2018/03/21 05:07:04 schwarze Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Lutz Jaenicke and @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 7 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_READ 3 .Os .Sh NAME @@ -223,3 +223,9 @@ with the return value to find out the reason. .Xr SSL_set_shutdown 3 , .Xr SSL_shutdown 3 , .Xr SSL_write 3 +.Sh HISTORY +.Fn SSL_read +and +.Fn SSL_peek +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . diff --git a/lib/libssl/man/SSL_renegotiate.3 b/lib/libssl/man/SSL_renegotiate.3 index b28bd6e992..2c90b3ef04 100644 --- a/lib/libssl/man/SSL_renegotiate.3 +++ b/lib/libssl/man/SSL_renegotiate.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_renegotiate.3,v 1.4 2017/03/29 00:24:42 jmc Exp $ +.\" $OpenBSD: SSL_renegotiate.3,v 1.7 2018/03/23 05:50:30 schwarze Exp $ .\" OpenSSL SSL_key_update.pod 4fbfe86a Feb 16 17:04:40 2017 +0000 .\" .\" This file is a derived work. @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 29 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt SSL_RENEGOTIATE 3 .Os .Sh NAME @@ -153,4 +153,13 @@ scheduled but not yet acted on, or 0 otherwise. .Xr SSL_write 3 .Sh HISTORY .Fn SSL_renegotiate -is available in all versions of OpenSSL. +appeared before SSLeay 0.8 and has been available since +.Ox 2.4 . +.Pp +.Fn SSL_renegotiate_pending +first appeared in OpenSSL 0.9.7 and has been available since +.Ox 3.2 . +.Pp +.Fn SSL_renegotiate_abbreviated +first appeared in OpenSSL 1.0.1 and has been available since +.Ox 5.3 . diff --git a/lib/libssl/man/SSL_rstate_string.3 b/lib/libssl/man/SSL_rstate_string.3 index 3a31503008..ebc97616f5 100644 --- a/lib/libssl/man/SSL_rstate_string.3 +++ b/lib/libssl/man/SSL_rstate_string.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_rstate_string.3,v 1.2 2016/12/04 12:20:54 schwarze Exp $ +.\" $OpenBSD: SSL_rstate_string.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 4 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_RSTATE_STRING 3 .Os .Sh NAME @@ -100,3 +100,9 @@ This should never happen. .El .Sh SEE ALSO .Xr ssl 3 +.Sh HISTORY +.Fn SSL_rstate_string +and +.Fn SSL_rstate_string_long +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . diff --git a/lib/libssl/man/SSL_session_reused.3 b/lib/libssl/man/SSL_session_reused.3 index 56c892605d..d46b32a084 100644 
--- a/lib/libssl/man/SSL_session_reused.3 +++ b/lib/libssl/man/SSL_session_reused.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_session_reused.3,v 1.3 2017/04/10 14:00:51 schwarze Exp $ +.\" $OpenBSD: SSL_session_reused.3,v 1.4 2018/03/21 05:07:04 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 10 2017 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_SESSION_REUSED 3 .Os .Sh NAME @@ -77,3 +77,7 @@ A session was reused. .Xr SSL_ctrl 3 , .Xr SSL_CTX_set_session_cache_mode 3 , .Xr SSL_set_session 3 +.Sh HISTORY +.Fn SSL_session_reused +appeared before SSLeay 0.8 and has been available since +.Ox 2.4 . diff --git a/lib/libssl/man/SSL_set1_param.3 b/lib/libssl/man/SSL_set1_param.3 index ae67d4796e..5697ac6424 100644 --- a/lib/libssl/man/SSL_set1_param.3 +++ b/lib/libssl/man/SSL_set1_param.3 @@ -1,5 +1,6 @@ -.\" $OpenBSD: SSL_set1_param.3,v 1.1 2016/11/30 13:39:38 schwarze Exp $ -.\" OpenSSL SSL_CTX_get0_param.pod 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: SSL_set1_param.3,v 1.4 2018/03/23 14:28:16 schwarze Exp $ +.\" full merge up to: +.\" OpenSSL man3/SSL_CTX_get0_param 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Dr. Stephen Henson . .\" Copyright (c) 2015 The OpenSSL Project. All rights reserved. 
@@ -48,15 +49,25 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 30 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt SSL_SET1_PARAM 3 .Os .Sh NAME +.Nm SSL_CTX_get0_param , +.Nm SSL_get0_param , .Nm SSL_CTX_set1_param , .Nm SSL_set1_param -.Nd set verification parameters +.Nd get and set verification parameters .Sh SYNOPSIS .In openssl/ssl.h +.Ft X509_VERIFY_PARAM * +.Fo SSL_CTX_get0_param +.Fa "SSL_CTX *ctx" +.Fc +.Ft X509_VERIFY_PARAM * +.Fo SSL_get0_param +.Fa "SSL *ssl" +.Fc .Ft int .Fo SSL_CTX_set1_param .Fa "SSL_CTX *ctx" @@ -68,6 +79,18 @@ .Fa "X509_VERIFY_PARAM *vpm" .Fc .Sh DESCRIPTION +.Fn SSL_CTX_get0_param +and +.Fn SSL_get0_param +retrieve an internal pointer to the verification parameters for +.Fa ctx +or +.Fa ssl , +respectively. +The returned pointer must not be freed by the calling application, +but the application can modify the parameters pointed to +to suit its needs: for example to add a hostname check. +.Pp .Fn SSL_CTX_set1_param and .Fn SSL_set1_param @@ -78,11 +101,36 @@ for or .Fa ssl . .Sh RETURN VALUES +.Fn SSL_CTX_get0_param +and +.Fn SSL_get0_param +return a pointer to an +.Vt X509_VERIFY_PARAM +structure. +.Pp .Fn SSL_CTX_set1_param and .Fn SSL_set1_param return 1 for success or 0 for failure. +.Sh EXAMPLES +Check that the hostname matches +.Pa www.foo.com +in the peer certificate: +.Bd -literal -offset indent +X509_VERIFY_PARAM *vpm = SSL_get0_param(ssl); +X509_VERIFY_PARAM_set1_host(vpm, "www.foo.com", 0); +.Ed .Sh SEE ALSO .Xr X509_VERIFY_PARAM_set_flags 3 .Sh HISTORY -These functions were first added to OpenSSL 1.0.2. +.Fn SSL_CTX_set1_param +and +.Fn SSL_set1_param +first appeared in OpenSSL 1.0.0 and have been available since +.Ox 4.9 . +.Pp +.Fn SSL_CTX_get0_param +and +.Fn SSL_get0_param +first appeared in OpenSSL 1.0.2 and have been available since +.Ox 6.3 . 
diff --git a/lib/libssl/man/SSL_set_bio.3 b/lib/libssl/man/SSL_set_bio.3 index 391dfecce7..6b035ac82b 100644 --- a/lib/libssl/man/SSL_set_bio.3 +++ b/lib/libssl/man/SSL_set_bio.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_set_bio.3,v 1.3 2016/12/06 12:24:33 schwarze Exp $ +.\" $OpenBSD: SSL_set_bio.3,v 1.4 2018/03/21 05:07:04 schwarze Exp $ .\" OpenSSL acb5b343 Sep 16 16:00:38 2000 +0000 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 6 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_SET_BIO 3 .Os .Sh NAME @@ -96,3 +96,7 @@ cannot fail. .Xr SSL_connect 3 , .Xr SSL_get_rbio 3 , .Xr SSL_shutdown 3 +.Sh HISTORY +.Fn SSL_set_bio +appeared before SSLeay 0.8 and has been available since +.Ox 2.4 . diff --git a/lib/libssl/man/SSL_set_connect_state.3 b/lib/libssl/man/SSL_set_connect_state.3 index 67e2545cef..7e3a39985b 100644 --- a/lib/libssl/man/SSL_set_connect_state.3 +++ b/lib/libssl/man/SSL_set_connect_state.3 @@ -1,8 +1,10 @@ -.\" $OpenBSD: SSL_set_connect_state.3,v 1.2 2016/12/04 12:20:54 schwarze Exp $ -.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 +.\" $OpenBSD: SSL_set_connect_state.3,v 1.5 2018/03/23 14:28:16 schwarze Exp $ +.\" full merge up to OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" selective merge up to: OpenSSL dbd007d7 Jul 28 13:31:27 2017 +0800 .\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2001, 2002 The OpenSSL Project. All rights reserved. +.\" This file was written by Lutz Jaenicke +.\" and Paul Yang . +.\" Copyright (c) 2001, 2017 The OpenSSL Project. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions 
@@ -48,12 +50,13 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 4 2016 $ +.Dd $Mdocdate: March 23 2018 $ .Dt SSL_SET_CONNECT_STATE 3 .Os .Sh NAME .Nm SSL_set_connect_state , -.Nm SSL_set_accept_state +.Nm SSL_set_accept_state , +.Nm SSL_is_server .Nd prepare SSL object to work in client or server mode .Sh SYNOPSIS .In openssl/ssl.h @@ -61,6 +64,8 @@ .Fn SSL_set_connect_state "SSL *ssl" .Ft void .Fn SSL_set_accept_state "SSL *ssl" +.Ft int +.Fn SSL_is_server "const SSL *ssl" .Sh DESCRIPTION .Fn SSL_set_connect_state sets @@ -72,6 +77,11 @@ sets .Fa ssl to work in server mode. .Pp +.Fn SSL_is_server +checks whether +.Fa ssl +is set to server mode. +.Pp When the .Vt SSL_CTX object was created with @@ -101,11 +111,26 @@ the handshake routines must be explicitly set in advance using either .Fn SSL_set_connect_state or .Fn SSL_set_accept_state . -.Sh RETURN VALUES +.Pp +If +.Fn SSL_is_server +is called before .Fn SSL_set_connect_state -and +or .Fn SSL_set_accept_state -do not return diagnostic information. +was called either automatically or explicitly, +the result depends on what method was used when the +.Fa SSL_CTX +was created. +If a generic method or a dedicated server method was passed to +.Xr SSL_CTX_new 3 , +.Fn SSL_is_server +returns 1; otherwise, it returns 0. +.Sh RETURN VALUES +.Fn SSL_is_server +returns 1 if +.Fa ssl +is set to server mode or 0 if it is set to client mode. .Sh SEE ALSO .Xr ssl 3 , .Xr SSL_accept 3 , @@ -116,3 +141,13 @@ do not return diagnostic information. .Xr SSL_new 3 , .Xr SSL_read 3 , .Xr SSL_write 3 +.Sh HISTORY +.Fn SSL_set_connect_state +and +.Fn SSL_set_accept_state +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . +.Pp +.Fn SSL_is_server +first appeared in OpenSSL 1.0.2 and has been available since +.Ox 6.3 . diff --git a/lib/libssl/man/SSL_set_fd.3 b/lib/libssl/man/SSL_set_fd.3 index e319c3b97e..5f2b4be3c7 100644 
--- a/lib/libssl/man/SSL_set_fd.3 +++ b/lib/libssl/man/SSL_set_fd.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_set_fd.3,v 1.3 2016/12/06 12:24:33 schwarze Exp $ +.\" $OpenBSD: SSL_set_fd.3,v 1.4 2018/03/21 05:07:04 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 6 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_SET_FD 3 .Os .Sh NAME @@ -118,3 +118,6 @@ The operation succeeded. .Xr SSL_get_fd 3 , .Xr SSL_set_bio 3 , .Xr SSL_shutdown 3 +.Sh HISTORY +These functions appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . diff --git a/lib/libssl/man/SSL_set_max_send_fragment.3 b/lib/libssl/man/SSL_set_max_send_fragment.3 index 1aa5589cf8..5a62840511 100644 --- a/lib/libssl/man/SSL_set_max_send_fragment.3 +++ b/lib/libssl/man/SSL_set_max_send_fragment.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_set_max_send_fragment.3,v 1.3 2017/04/10 14:00:51 schwarze Exp $ +.\" $OpenBSD: SSL_set_max_send_fragment.3,v 1.4 2018/03/23 04:35:09 schwarze Exp $ .\" OpenSSL doc/man3/SSL_CTX_set_split_send_fragment.pod .\" OpenSSL 6782e5fd Oct 21 16:16:20 2016 +0100 .\" @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 10 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt SSL_SET_MAX_SEND_FRAGMENT 3 .Os .Sh NAME @@ -88,3 +88,9 @@ These functions return 1 on success or 0 on failure. .Xr SSL_ctrl 3 , .Xr SSL_CTX_set_read_ahead 3 , .Xr SSL_pending 3 +.Sh HISTORY +.Fn SSL_CTX_set_max_send_fragment +and +.Fn SSL_set_max_send_fragment +first appeared in OpenSSL 1.0.0 and have been available since +.Ox 4.9 . diff --git a/lib/libssl/man/SSL_set_session.3 b/lib/libssl/man/SSL_set_session.3 index 9ebd446ba2..80efd4f12b 100644 --- a/lib/libssl/man/SSL_set_session.3 
+++ b/lib/libssl/man/SSL_set_session.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_set_session.3,v 1.2 2016/12/04 12:20:54 schwarze Exp $ +.\" $OpenBSD: SSL_set_session.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $ .\" OpenSSL 05ea606a May 20 20:52:46 2016 -0400 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 4 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_SET_SESSION 3 .Os .Sh NAME @@ -113,3 +113,7 @@ The operation succeeded. .Xr SSL_get_session 3 , .Xr SSL_SESSION_free 3 , .Xr SSL_session_reused 3 +.Sh HISTORY +.Fn SSL_set_session +appeared before SSLeay 0.8 and has been available since +.Ox 2.4 . diff --git a/lib/libssl/man/SSL_set_shutdown.3 b/lib/libssl/man/SSL_set_shutdown.3 index 1c9fadca77..87f7a92d09 100644 --- a/lib/libssl/man/SSL_set_shutdown.3 +++ b/lib/libssl/man/SSL_set_shutdown.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_set_shutdown.3,v 1.2 2016/12/04 12:20:54 schwarze Exp $ +.\" $OpenBSD: SSL_set_shutdown.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 4 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_SET_SHUTDOWN 3 .Os .Sh NAME @@ -133,3 +133,9 @@ returns the current setting. .Xr SSL_CTX_set_quiet_shutdown 3 , .Xr SSL_free 3 , .Xr SSL_shutdown 3 +.Sh HISTORY +.Fn SSL_set_shutdown +and +.Fn SSL_get_shutdown +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . diff --git a/lib/libssl/man/SSL_set_tmp_ecdh.3 b/lib/libssl/man/SSL_set_tmp_ecdh.3 index 634bbf3c62..e906bfdd0c 100644 --- a/lib/libssl/man/SSL_set_tmp_ecdh.3 +++ b/lib/libssl/man/SSL_set_tmp_ecdh.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_set_tmp_ecdh.3,v 1.3 2017/08/19 23:47:33 schwarze Exp $ +.\" $OpenBSD: SSL_set_tmp_ecdh.3,v 1.5 2018/03/23 14:28:16 schwarze Exp $ .\" .\" Copyright (c) 2017 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: August 19 2017 $ +.Dd $Mdocdate: March 23 2018 $ .Dt SSL_SET_TMP_ECDH 3 .Os .Sh NAME @@ -103,3 +103,17 @@ always return 1. .Xr SSL_CTX_set_options 3 , .Xr SSL_CTX_set_tmp_dh_callback 3 , .Xr SSL_new 3 +.Sh HISTORY +.Fn SSL_set_tmp_ecdh , +.Fn SSL_CTX_set_tmp_ecdh , +.Fn SSL_set_tmp_ecdh_callback , +and +.Fn SSL_CTX_set_tmp_ecdh_callback +first appeared in OpenSSL 0.9.8 and have been available since +.Ox 4.5 . +.Pp +.Fn SSL_CTX_set_ecdh_auto +and +.Fn SSL_set_ecdh_auto +first appeared in OpenSSL 1.0.2 and have been available since +.Ox 5.7 . diff --git a/lib/libssl/man/SSL_set_verify_result.3 b/lib/libssl/man/SSL_set_verify_result.3 index 48565d495a..2b30b892cd 100644 --- a/lib/libssl/man/SSL_set_verify_result.3 +++ b/lib/libssl/man/SSL_set_verify_result.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_set_verify_result.3,v 1.2 2016/12/04 12:20:54 schwarze Exp $ +.\" $OpenBSD: SSL_set_verify_result.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 4 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_SET_VERIFY_RESULT 3 .Os .Sh NAME @@ -87,3 +87,7 @@ does not provide a return value. .Xr ssl 3 , .Xr SSL_get_peer_certificate 3 , .Xr SSL_get_verify_result 3 +.Sh HISTORY +.Fn SSL_set_verify_result +appeared before SSLeay 0.8 and has been available since +.Ox 2.4 . 
diff --git a/lib/libssl/man/SSL_shutdown.3 b/lib/libssl/man/SSL_shutdown.3 index 1174507637..c5432679b3 100644 --- a/lib/libssl/man/SSL_shutdown.3 +++ b/lib/libssl/man/SSL_shutdown.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_shutdown.3,v 1.3 2016/12/06 12:24:33 schwarze Exp $ +.\" $OpenBSD: SSL_shutdown.3,v 1.4 2018/03/21 05:07:04 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 6 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_SHUTDOWN 3 .Os .Sh NAME @@ -247,3 +247,7 @@ to find out the reason. .Xr SSL_free 3 , .Xr SSL_get_error 3 , .Xr SSL_set_shutdown 3 +.Sh HISTORY +.Fn SSL_shutdown +appeared before SSLeay 0.8 and has been available since +.Ox 2.4 . diff --git a/lib/libssl/man/SSL_state_string.3 b/lib/libssl/man/SSL_state_string.3 index 69a698c506..7e9d40a847 100644 --- a/lib/libssl/man/SSL_state_string.3 +++ b/lib/libssl/man/SSL_state_string.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_state_string.3,v 1.2 2016/12/04 12:20:54 schwarze Exp $ +.\" $OpenBSD: SSL_state_string.3,v 1.3 2018/03/21 05:07:04 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 4 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_STATE_STRING 3 .Os .Sh NAME @@ -102,3 +102,9 @@ Detailed description of possible states to be included later. .Sh SEE ALSO .Xr ssl 3 , .Xr SSL_CTX_set_info_callback 3 +.Sh HISTORY +.Fn SSL_state_string +and +.Fn SSL_state_string_long +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . diff --git a/lib/libssl/man/SSL_want.3 b/lib/libssl/man/SSL_want.3 index 4736d62ca0..f2ef1986b6 100644 --- a/lib/libssl/man/SSL_want.3 
+++ b/lib/libssl/man/SSL_want.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_want.3,v 1.3 2016/12/16 15:39:08 jmc Exp $ +.\" $OpenBSD: SSL_want.3,v 1.4 2018/03/21 05:07:04 schwarze Exp $ .\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 16 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_WANT 3 .Os .Sh NAME @@ -148,3 +148,6 @@ return 1 when the corresponding condition is true or 0 otherwise. .Xr err 3 , .Xr ssl 3 , .Xr SSL_get_error 3 +.Sh HISTORY +These functions appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . diff --git a/lib/libssl/man/SSL_write.3 b/lib/libssl/man/SSL_write.3 index 0580b6f2b9..80c3997433 100644 --- a/lib/libssl/man/SSL_write.3 +++ b/lib/libssl/man/SSL_write.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_write.3,v 1.3 2016/12/06 12:24:33 schwarze Exp $ +.\" $OpenBSD: SSL_write.3,v 1.4 2018/03/21 05:07:04 schwarze Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 6 2016 $ +.Dd $Mdocdate: March 21 2018 $ .Dt SSL_WRITE 3 .Os .Sh NAME @@ -218,3 +218,7 @@ with the return value to find out the reason. .Xr SSL_get_error 3 , .Xr SSL_read 3 , .Xr SSL_set_connect_state 3 +.Sh HISTORY +.Fn SSL_write +appeared before SSLeay 0.8 and has been available since +.Ox 2.4 . diff --git a/lib/libssl/man/d2i_SSL_SESSION.3 b/lib/libssl/man/d2i_SSL_SESSION.3 index 57f140ab4c..82f7b66f40 100644 --- a/lib/libssl/man/d2i_SSL_SESSION.3 +++ b/lib/libssl/man/d2i_SSL_SESSION.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: d2i_SSL_SESSION.3,v 1.3 2017/04/10 16:11:50 schwarze Exp $ +.\" $OpenBSD: d2i_SSL_SESSION.3,v 1.4 2018/03/21 05:07:04 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 10 2017 $ +.Dd $Mdocdate: March 21 2018 $ .Dt D2I_SSL_SESSION 3 .Os .Sh NAME @@ -175,3 +175,9 @@ When the session is not valid, 0 is returned and no operation is performed. .Xr ssl 3 , .Xr SSL_CTX_sess_set_get_cb 3 , .Xr SSL_SESSION_free 3 +.Sh HISTORY +.Fn d2i_SSL_SESSION +and +.Fn i2d_SSL_SESSION +appeared before SSLeay 0.8 and have been available since +.Ox 2.4 . diff --git a/lib/libssl/man/ssl.3 b/lib/libssl/man/ssl.3 index 9f3f121b32..23f2f21b54 100644 --- a/lib/libssl/man/ssl.3 +++ b/lib/libssl/man/ssl.3 @@ -1,5 +1,6 @@ -.\" $OpenBSD: ssl.3,v 1.11 2017/08/21 10:10:25 schwarze Exp $ -.\" OpenSSL e330f55d Nov 11 00:51:04 2016 +0100 +.\" $OpenBSD: ssl.3,v 1.14 2018/03/17 18:19:49 schwarze Exp $ +.\" full merge up to: OpenSSL e330f55d Nov 11 00:51:04 2016 +0100 +.\" selective merge up to: OpenSSL cbade361 Dec 12 13:14:45 2017 +0100 .\" .\" This file was written by Ralf S. Engelschall , .\" Ben Laurie , and Ulf Moeller . @@ -50,7 +51,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 21 2017 $ +.Dd $Mdocdate: March 17 2018 $ .Dt SSL 3 .Os .Sh NAME @@ -129,7 +130,7 @@ client and server certificates, keys, etc. That's the main SSL/TLS structure which is created by a server or client per established connection. This actually is the core structure in the SSL API. -Under run-time the application usually deals with this structure which has +At run-time the application usually deals with this structure which has links to mostly all other structures. .El .Sh HEADER FILES 
@@ -245,8 +246,10 @@ Accessors: .Xr SSL_SESSION_get_compress_id 3 , .Xr SSL_SESSION_get_ex_new_index 3 , .Xr SSL_SESSION_get_id 3 , +.Xr SSL_SESSION_get_protocol_version 3 , .Xr SSL_SESSION_get_time 3 , .Xr SSL_SESSION_get0_peer 3 , +.Xr SSL_SESSION_has_ticket 3 , .Xr SSL_SESSION_set1_id_context 3 .Pp Encoding and decoding: @@ -288,6 +291,7 @@ Accessors: .Xr SSL_export_keying_material 3 , .Xr SSL_get_SSL_CTX 3 , .Xr SSL_get_certificate 3 , +.Xr SSL_get_client_random 3 , .Xr SSL_get_default_timeout 3 , .Xr SSL_get_error 3 , .Xr SSL_get_ex_data_X509_STORE_CTX_idx 3 , diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index a05116cb8f..52e0c52410 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.161 2017/09/25 18:04:08 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.165 2018/03/15 12:27:00 jca Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1553,10 +1553,16 @@ ssl3_handshake_msg_finish_cbb(SSL *s, CBB *handshake) int ssl3_handshake_write(SSL *s) { + return ssl3_record_write(s, SSL3_RT_HANDSHAKE); +} + +int +ssl3_record_write(SSL *s, int type) +{ if (SSL_IS_DTLS(s)) - return dtls1_do_write(s, SSL3_RT_HANDSHAKE); + return dtls1_do_write(s, type); - return ssl3_do_write(s, SSL3_RT_HANDSHAKE); + return ssl3_do_write(s, type); } int @@ -1978,6 +1984,12 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_SERVER_TMP_KEY: return ssl_ctrl_get_server_tmp_key(s, parg); + case SSL_CTRL_GET_MIN_PROTO_VERSION: + return SSL_get_min_proto_version(s); + + case SSL_CTRL_GET_MAX_PROTO_VERSION: + return SSL_get_max_proto_version(s); + case SSL_CTRL_SET_MIN_PROTO_VERSION: if (larg < 0 || larg > UINT16_MAX) return 0; 
@@ -2128,6 +2140,13 @@ _SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) } static int +_SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg) +{ + *arg = ctx->internal->tlsext_status_arg; + return 1; +} + +static int _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg) { ctx->internal->tlsext_status_arg = arg; @@ -2209,6 +2228,9 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SET_TLSEXT_TICKET_KEYS: return _SSL_CTX_set_tlsext_ticket_keys(ctx, parg, larg); + case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG: + return _SSL_CTX_get_tlsext_status_arg(ctx, parg); + case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: return _SSL_CTX_set_tlsext_status_arg(ctx, parg); @@ -2227,6 +2249,12 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SET_GROUPS_LIST: return SSL_CTX_set1_groups_list(ctx, parg); + case SSL_CTRL_GET_MIN_PROTO_VERSION: + return SSL_CTX_get_min_proto_version(ctx); + + case SSL_CTRL_GET_MAX_PROTO_VERSION: + return SSL_CTX_get_max_proto_version(ctx); + case SSL_CTRL_SET_MIN_PROTO_VERSION: if (larg < 0 || larg > UINT16_MAX) return 0; @@ -2273,6 +2301,10 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) (int (*)(SSL *, int *, void *))fp; return 1; + case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB: + *(int (**)(SSL *, void *))fp = ctx->internal->tlsext_status_cb; + return 1; + case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: ctx->internal->tlsext_status_cb = (int (*)(SSL *, void *))fp; return 1; @@ -2292,12 +2324,12 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) const SSL_CIPHER * ssl3_get_cipher_by_char(const unsigned char *p) { - CBS cipher; uint16_t cipher_value; + CBS cbs; /* We have to assume it is at least 2 bytes due to existing API. */ - CBS_init(&cipher, p, 2); - if (!CBS_get_u16(&cipher, &cipher_value)) + CBS_init(&cbs, p, 2); + if (!CBS_get_u16(&cbs, &cipher_value)) return NULL; return ssl3_get_cipher_by_value(cipher_value); 
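Review bot: `_SSL_CTX_get_tlsext_status_arg` stores through `arg` without checking it, and the `SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG` case in the `ssl3_ctx_ctrl` hunk passes the caller's `parg` to it unchanged, so a NULL `parg` from an `SSL_CTX_ctrl` caller is dereferenced. Adding `if (arg == NULL) return 0;` before the store turns that into an ordinary failure return. The `SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB` case in the `ssl3_ctx_callback_ctrl` hunk has the same gap. It also writes through `fp` after casting a function pointer to a pointer-to-function-pointer, so a comment stating that callers must pass the address of a callback variable would make that contract explicit.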
@@ -2306,12 +2338,29 @@ ssl3_get_cipher_by_char(const unsigned char *p) int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) { - if (p != NULL) { - if ((c->id & ~SSL3_CK_VALUE_MASK) != SSL3_CK_ID) - return (0); - s2n(ssl3_cipher_get_value(c), p); - } + CBB cbb; + + if (p == NULL) + return (2); + + if ((c->id & ~SSL3_CK_VALUE_MASK) != SSL3_CK_ID) + return (0); + + memset(&cbb, 0, sizeof(cbb)); + + /* We have to assume it is at least 2 bytes due to existing API. */ + if (!CBB_init_fixed(&cbb, p, 2)) + goto err; + if (!CBB_add_u16(&cbb, ssl3_cipher_get_value(c))) + goto err; + if (!CBB_finish(&cbb, NULL, NULL)) + goto err; + return (2); + + err: + CBB_cleanup(&cbb); + return (0); } SSL_CIPHER * diff --git a/lib/libssl/shlib_version b/lib/libssl/shlib_version index 4017133d58..d31fc35547 100644 --- a/lib/libssl/shlib_version +++ b/lib/libssl/shlib_version @@ -1,3 +1,3 @@ # Don't forget to give libtls the same type of bump! -major=44 +major=45 minor=1 diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h index d431b175ad..78a6787d43 100644 --- a/lib/libssl/ssl.h +++ b/lib/libssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.134 2017/08/30 16:24:21 jsing Exp $ */ +/* $OpenBSD: ssl.h,v 1.154 2018/03/20 15:28:12 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1080,7 +1080,9 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x); #define SSL_CTRL_SET_TLSEXT_DEBUG_ARG 57 #define SSL_CTRL_GET_TLSEXT_TICKET_KEYS 58 #define SSL_CTRL_SET_TLSEXT_TICKET_KEYS 59 +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128 #define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB 63 +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129 #define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG 64 #define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE 65 #define SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS 66 
@@ -1123,6 +1125,8 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x); #define SSL_CTRL_SET_MIN_PROTO_VERSION 123 #define SSL_CTRL_SET_MAX_PROTO_VERSION 124 +#define SSL_CTRL_GET_MIN_PROTO_VERSION 130 +#define SSL_CTRL_GET_MAX_PROTO_VERSION 131 #define DTLSv1_get_timeout(ssl, arg) \ SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) @@ -1172,9 +1176,13 @@ int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups); int SSL_set1_groups(SSL *ssl, const int *groups, size_t groups_len); int SSL_set1_groups_list(SSL *ssl, const char *groups); +int SSL_CTX_get_min_proto_version(SSL_CTX *ctx); +int SSL_CTX_get_max_proto_version(SSL_CTX *ctx); int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version); int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version); +int SSL_get_min_proto_version(SSL *ssl); +int SSL_get_max_proto_version(SSL *ssl); int SSL_set_min_proto_version(SSL *ssl, uint16_t version); int SSL_set_max_proto_version(SSL *ssl, uint16_t version); 
@@ -1198,6 +1206,25 @@ int SSL_set_max_proto_version(SSL *ssl, uint16_t version); #define SSL_get_server_tmp_key(s, pk) \ SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk) +#ifndef LIBRESSL_INTERNAL +/* + * Also provide those functions as macros for compatibility with + * existing users. + */ +#define SSL_CTX_set1_groups SSL_CTX_set1_groups +#define SSL_CTX_set1_groups_list SSL_CTX_set1_groups_list +#define SSL_set1_groups SSL_set1_groups +#define SSL_set1_groups_list SSL_set1_groups_list +#define SSL_CTX_get_min_proto_version SSL_CTX_get_min_proto_version +#define SSL_CTX_get_max_proto_version SSL_CTX_get_max_proto_version +#define SSL_CTX_set_min_proto_version SSL_CTX_set_min_proto_version +#define SSL_CTX_set_max_proto_version SSL_CTX_set_max_proto_version +#define SSL_get_min_proto_version SSL_get_min_proto_version +#define SSL_get_max_proto_version SSL_get_max_proto_version +#define SSL_set_min_proto_version SSL_set_min_proto_version +#define SSL_set_max_proto_version SSL_set_max_proto_version +#endif + BIO_METHOD *BIO_f_ssl(void); BIO *BIO_new_ssl(SSL_CTX *ctx, int client); BIO *BIO_new_ssl_connect(SSL_CTX *ctx); @@ -1205,13 +1232,16 @@ BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx); int BIO_ssl_copy_session_id(BIO *to, BIO *from); void BIO_ssl_shutdown(BIO *ssl_bio); +STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx); int SSL_CTX_set_cipher_list(SSL_CTX *, const char *str); SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth); void SSL_CTX_free(SSL_CTX *); +int SSL_CTX_up_ref(SSL_CTX *ctx); long SSL_CTX_set_timeout(SSL_CTX *ctx, long t); long SSL_CTX_get_timeout(const SSL_CTX *ctx); X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *); void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *); +X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx); int SSL_want(const SSL *s); int SSL_clear(SSL *s); 
@@ -1225,6 +1255,11 @@ char * SSL_CIPHER_get_version(const SSL_CIPHER *c); const char * SSL_CIPHER_get_name(const SSL_CIPHER *c); unsigned long SSL_CIPHER_get_id(const SSL_CIPHER *c); uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *c); +int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c); +int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c); +int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c); +int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c); +int SSL_CIPHER_is_aead(const SSL_CIPHER *c); int SSL_get_fd(const SSL *s); int SSL_get_rfd(const SSL *s); 
@@ -1273,22 +1308,32 @@ const char *SSL_state_string(const SSL *s); const char *SSL_rstate_string(const SSL *s); const char *SSL_state_string_long(const SSL *s); const char *SSL_rstate_string_long(const SSL *s); +size_t SSL_SESSION_get_master_key(const SSL_SESSION *ss, + unsigned char *out, size_t max_out); +int SSL_SESSION_get_protocol_version(const SSL_SESSION *s); long SSL_SESSION_get_time(const SSL_SESSION *s); long SSL_SESSION_set_time(SSL_SESSION *s, long t); long SSL_SESSION_get_timeout(const SSL_SESSION *s); long SSL_SESSION_set_timeout(SSL_SESSION *s, long t); void SSL_copy_session_id(SSL *to, const SSL *from); X509 *SSL_SESSION_get0_peer(SSL_SESSION *s); +int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid, + unsigned int sid_len); int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx, unsigned int sid_ctx_len); SSL_SESSION *SSL_SESSION_new(void); -const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, +void SSL_SESSION_free(SSL_SESSION *ses); +int SSL_SESSION_up_ref(SSL_SESSION *ss); +const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *ss, + unsigned int *len); +const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *ss, unsigned int *len); -unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s); +unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s); +int SSL_SESSION_has_ticket(const SSL_SESSION *s); +unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *ss); int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *ses); int SSL_SESSION_print(BIO *fp, const SSL_SESSION *ses); -void SSL_SESSION_free(SSL_SESSION *ses); int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp); int SSL_set_session(SSL *to, SSL_SESSION *session); int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c); 
@@ -1320,7 +1365,9 @@ int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, const unsigned char *d, lo int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x); int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d); +pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx); void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb); +void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx); void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u); int SSL_CTX_check_private_key(const SSL_CTX *ctx); @@ -1328,7 +1375,6 @@ int SSL_check_private_key(const SSL *ctx); int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, unsigned int sid_ctx_len); -SSL *SSL_new(SSL_CTX *ctx); int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx, unsigned int sid_ctx_len); int SSL_CTX_set_purpose(SSL_CTX *s, int purpose); @@ -1336,13 +1382,17 @@ int SSL_set_purpose(SSL *s, int purpose); int SSL_CTX_set_trust(SSL_CTX *s, int trust); int SSL_set_trust(SSL *s, int trust); +X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx); int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm); +X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl); int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm); - +SSL *SSL_new(SSL_CTX *ctx); void SSL_free(SSL *ssl); +int SSL_up_ref(SSL *ssl); int SSL_accept(SSL *ssl); int SSL_connect(SSL *ssl); +int SSL_is_server(const SSL *s); int SSL_read(SSL *ssl, void *buf, int num); int SSL_peek(SSL *ssl, void *buf, int num); int SSL_write(SSL *ssl, const void *buf, int num); 
@@ -1505,6 +1555,9 @@ void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx, void SSL_set_tmp_ecdh_callback(SSL *ssl, EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength)); +size_t SSL_get_client_random(const SSL *s, unsigned char *out, size_t max_out); +size_t SSL_get_server_random(const SSL *s, unsigned char *out, size_t max_out); + const void *SSL_get_current_compression(SSL *s); const void *SSL_get_current_expansion(SSL *s); @@ -1988,6 +2041,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273 #define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 303 #define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 231 +#define SSL_R_SSL_SESSION_ID_TOO_LONG 408 #define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049 #define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050 #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021 @@ -2061,6 +2115,19 @@ void ERR_load_SSL_strings(void); #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269 #define SSL_R_PEER_BEHAVING_BADLY 666 +/* + * OpenSSL compatible OPENSSL_INIT options + */ + +/* + * These are provided for compatibiliy, but have no effect + * on how LibreSSL is initialized. + */ +#define OPENSSL_INIT_LOAD_SSL_STRINGS _OPENSSL_INIT_FLAG_NOOP +#define OPENSSL_INIT_SSL_DEFAULT _OPENSSL_INIT_FLAG_NOOP + +int OPENSSL_init_ssl(uint64_t opts, const void *settings); + #ifdef __cplusplus } #endif diff --git a/lib/libssl/ssl_asn1.c b/lib/libssl/ssl_asn1.c index 95d369306e..0ca442faa0 100644 --- a/lib/libssl/ssl_asn1.c +++ b/lib/libssl/ssl_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_asn1.c,v 1.55 2017/05/06 16:18:36 jsing Exp $ */ +/* $OpenBSD: ssl_asn1.c,v 1.56 2018/03/20 16:10:57 jsing Exp $ */ /* * Copyright (c) 2016 Joel Sing * @@ -204,7 +204,7 @@ i2d_SSL_SESSION(SSL_SESSION *s, unsigned char **pp) rv = (int)data_len; err: - CBB_cleanup(&session); + CBB_cleanup(&cbb); freezero(data, data_len); free(peer_cert_bytes); diff --git a/lib/libssl/ssl_both.c b/lib/libssl/ssl_both.c index 17f93f551b..03f95977f7 100644 --- a/lib/libssl/ssl_both.c 
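Review bot: The comment introducing the `OPENSSL_INIT_*` defines in ssl.h misspells the word as "compatibiliy"; it is the only explanation of why these flags exist and should read `These are provided for compatibility, but have no effect`. The `OPENSSL_init_ssl` prototype below it also gives no hint of its return convention. The ssl_init.c hunk in this diff returns 1 on success and 0 when `pthread_once` fails, so `/* Returns 1 on success, 0 on failure. */` above the declaration would document it.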
+++ b/lib/libssl/ssl_both.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_both.c,v 1.10 2017/08/12 02:55:22 jsing Exp $ */ +/* $OpenBSD: ssl_both.c,v 1.11 2017/10/08 16:24:02 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -311,19 +311,44 @@ f_err: int ssl3_send_change_cipher_spec(SSL *s, int a, int b) { - unsigned char *p; + size_t outlen; + CBB cbb; + + memset(&cbb, 0, sizeof(cbb)); if (S3I(s)->hs.state == a) { - p = (unsigned char *)s->internal->init_buf->data; - *p = SSL3_MT_CCS; - s->internal->init_num = 1; + if (!CBB_init_fixed(&cbb, s->internal->init_buf->data, + s->internal->init_buf->length)) + goto err; + if (!CBB_add_u8(&cbb, SSL3_MT_CCS)) + goto err; + if (!CBB_finish(&cbb, NULL, &outlen)) + goto err; + + if (outlen > INT_MAX) + goto err; + + s->internal->init_num = (int)outlen; s->internal->init_off = 0; + if (SSL_IS_DTLS(s)) { + D1I(s)->handshake_write_seq = + D1I(s)->next_handshake_write_seq; + dtls1_set_message_header_int(s, SSL3_MT_CCS, 0, + D1I(s)->handshake_write_seq, 0, 0); + dtls1_buffer_message(s, 1); + } + S3I(s)->hs.state = b; } /* SSL3_ST_CW_CHANGE_B */ - return (ssl3_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC)); + return ssl3_record_write(s, SSL3_RT_CHANGE_CIPHER_SPEC); + + err: + CBB_cleanup(&cbb); + + return -1; } static int diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c index f30ffeaf2c..271d77f38b 100644 --- a/lib/libssl/ssl_ciph.c +++ b/lib/libssl/ssl_ciph.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciph.c,v 1.97 2017/08/28 16:37:04 jsing Exp $ */ +/* $OpenBSD: ssl_ciph.c,v 1.98 2018/03/17 14:40:45 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
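Review bot: In the DTLS branch of `ssl3_send_change_cipher_spec` the result of `dtls1_buffer_message(s, 1)` is discarded, while every CBB call just above it is checked and routed to `err`. `dtls1_buffer_message` is not shown in this diff; if it reports failure through its return value, a failed buffering would leave the ChangeCipherSpec out of the retransmission queue while the function still advances `hs.state` to `b`. Assuming it returns 0 on failure, `if (!dtls1_buffer_message(s, 1)) goto err;` keeps the error handling uniform.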
@@ -1720,6 +1720,104 @@ SSL_CIPHER_get_value(const SSL_CIPHER *c) return ssl3_cipher_get_value(c); } +int +SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c) +{ + switch (c->algorithm_enc) { + case SSL_eNULL: + return NID_undef; + case SSL_3DES: + return NID_des_ede3_cbc; + case SSL_AES128: + return NID_aes_128_cbc; + case SSL_AES128GCM: + return NID_aes_128_gcm; + case SSL_AES256: + return NID_aes_256_cbc; + case SSL_AES256GCM: + return NID_aes_256_gcm; + case SSL_CAMELLIA128: + return NID_camellia_128_cbc; + case SSL_CAMELLIA256: + return NID_camellia_256_cbc; + case SSL_CHACHA20POLY1305: + return NID_chacha20_poly1305; + case SSL_DES: + return NID_des_cbc; + case SSL_RC4: + return NID_rc4; + case SSL_eGOST2814789CNT: + return NID_gost89_cnt; + default: + return NID_undef; + } +} + +int +SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c) +{ + switch (c->algorithm_mac) { + case SSL_AEAD: + return NID_undef; + case SSL_GOST89MAC: + return NID_id_Gost28147_89_MAC; + case SSL_GOST94: + return NID_id_GostR3411_94; + case SSL_MD5: + return NID_md5; + case SSL_SHA1: + return NID_sha1; + case SSL_SHA256: + return NID_sha256; + case SSL_SHA384: + return NID_sha384; + case SSL_STREEBOG256: + return NID_id_tc26_gost3411_2012_256; + default: + return NID_undef; + } +} + +int +SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c) +{ + switch (c->algorithm_mkey) { + case SSL_kDHE: + return NID_kx_dhe; + case SSL_kECDHE: + return NID_kx_ecdhe; + case SSL_kGOST: + return NID_kx_gost; + case SSL_kRSA: + return NID_kx_rsa; + default: + return NID_undef; + } +} + +int +SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c) +{ + switch (c->algorithm_auth) { + case SSL_aNULL: + return NID_auth_null; + case SSL_aECDSA: + return NID_auth_ecdsa; + case SSL_aGOST01: + return NID_auth_gost01; + case SSL_aRSA: + return NID_auth_rsa; + default: + return NID_undef; + } +} + +int +SSL_CIPHER_is_aead(const SSL_CIPHER *c) +{ + return (c->algorithm_mac & SSL_AEAD) == SSL_AEAD; +} + void * 
SSL_COMP_get_compression_methods(void) { diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c index 2370ce06f7..10dbe83cd5 100644 --- a/lib/libssl/ssl_clnt.c +++ b/lib/libssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.17 2017/08/12 21:47:59 jsing Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.23 2018/02/08 11:30:30 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -170,15 +170,16 @@ #endif #include "bytestring.h" +#include "ssl_tlsext.h" static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b); int ssl3_connect(SSL *s) { - void (*cb)(const SSL *ssl, int type, int val) = NULL; - int ret = -1; - int new_state, state, skip = 0; + void (*cb)(const SSL *ssl, int type, int val) = NULL; + int ret = -1; + int new_state, state, skip = 0; ERR_clear_error(); errno = 0; @@ -210,10 +211,18 @@ ssl3_connect(SSL *s) if (cb != NULL) cb(s, SSL_CB_HANDSHAKE_START, 1); - if ((s->version & 0xff00 ) != 0x0300) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - ret = -1; - goto end; + if (SSL_IS_DTLS(s)) { + if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + ret = -1; + goto end; + } + } else { + if ((s->version & 0xff00) != 0x0300) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + ret = -1; + goto end; + } } /* s->version=SSL3_VERSION; */ 
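Review bot: `SSL_CIPHER_get_cipher_nid` and `SSL_CIPHER_get_digest_nid` return `NID_undef` both for the deliberate cases (`SSL_eNULL`, `SSL_AEAD`) and from `default`, so a caller cannot tell "none by design" from "value this table does not map". None of the five new accessors in ssl_ciph.c carries a comment. A short header on each stating that `NID_undef` covers both cases, and on `SSL_CIPHER_is_aead` that it yields 1 or 0, would keep callers from treating `NID_undef` as an error. All five dereference `c` unconditionally, which belongs in the same comment.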
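Review bot: The version check near the top of `ssl3_connect` now repeats the same three-line error block in both arms of the `SSL_IS_DTLS(s)` test, differing only in the expected major byte. Selecting the expected value first leaves a single error path: `int expected = SSL_IS_DTLS(s) ? (DTLS1_VERSION & 0xff00) : 0x0300;` followed by `if ((s->version & 0xff00) != expected) {`. The body of `ssl3_connect` continues outside this hunk.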
@@ -234,24 +243,50 @@ ssl3_connect(SSL *s) /* don't push the buffering BIO quite yet */ - if (!tls1_init_finished_mac(s)) { - ret = -1; - goto end; + if (!SSL_IS_DTLS(s)) { + if (!tls1_init_finished_mac(s)) { + ret = -1; + goto end; + } } S3I(s)->hs.state = SSL3_ST_CW_CLNT_HELLO_A; s->ctx->internal->stats.sess_connect++; s->internal->init_num = 0; + + if (SSL_IS_DTLS(s)) { + /* mark client_random uninitialized */ + memset(s->s3->client_random, 0, + sizeof(s->s3->client_random)); + D1I(s)->send_cookie = 0; + s->internal->hit = 0; + } break; case SSL3_ST_CW_CLNT_HELLO_A: case SSL3_ST_CW_CLNT_HELLO_B: - s->internal->shutdown = 0; - ret = ssl3_client_hello(s); + + if (SSL_IS_DTLS(s)) { + /* every DTLS ClientHello resets Finished MAC */ + if (!tls1_init_finished_mac(s)) { + ret = -1; + goto end; + } + + dtls1_start_timer(s); + } + + ret = ssl3_send_client_hello(s); if (ret <= 0) goto end; - S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A; + + if (SSL_IS_DTLS(s) && D1I(s)->send_cookie) { + S3I(s)->hs.state = SSL3_ST_CW_FLUSH; + S3I(s)->hs.next_state = SSL3_ST_CR_SRVR_HELLO_A; + } else + S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A; + s->internal->init_num = 0; /* turn on buffering for the next lot of output */ 
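Review bot: The comment `/* mark client_random uninitialized */` on the added DTLS `memset` describes an all-zero sentinel, but nothing visible in this diff reads the buffer that way. The `ssl3_send_client_hello` hunk further down decides whether to call `arc4random_buf` from `D1I(s)->send_cookie == 0`, not from the contents of `client_random`. If the zero fill is only a reset, a comment such as `/* clear client_random; a fresh value is generated unless a cookie is being resent */` matches what the code does. If some other reader does test for zeros, the comment should name it.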
@@ -268,11 +303,29 @@ ssl3_connect(SSL *s) if (s->internal->hit) { S3I(s)->hs.state = SSL3_ST_CR_FINISHED_A; - if (s->internal->tlsext_ticket_expected) { - /* receive renewed session ticket */ - S3I(s)->hs.state = SSL3_ST_CR_SESSION_TICKET_A; + if (!SSL_IS_DTLS(s)) { + if (s->internal->tlsext_ticket_expected) { + /* receive renewed session ticket */ + S3I(s)->hs.state = SSL3_ST_CR_SESSION_TICKET_A; + } } - } else + } else if (SSL_IS_DTLS(s)) { + S3I(s)->hs.state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A; + } else { + S3I(s)->hs.state = SSL3_ST_CR_CERT_A; + } + s->internal->init_num = 0; + break; + + case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: + case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: + ret = dtls1_get_hello_verify(s); + if (ret <= 0) + goto end; + dtls1_stop_timer(s); + if (D1I(s)->send_cookie) /* start again, with a cookie */ + S3I(s)->hs.state = SSL3_ST_CW_CLNT_HELLO_A; + else S3I(s)->hs.state = SSL3_ST_CR_CERT_A; s->internal->init_num = 0; break; @@ -340,6 +393,8 @@ ssl3_connect(SSL *s) ret = ssl3_get_server_done(s); if (ret <= 0) goto end; + if (SSL_IS_DTLS(s)) + dtls1_stop_timer(s); if (S3I(s)->tmp.cert_req) S3I(s)->hs.state = SSL3_ST_CW_CERT_A; else @@ -352,6 +407,8 @@ ssl3_connect(SSL *s) case SSL3_ST_CW_CERT_B: case SSL3_ST_CW_CERT_C: case SSL3_ST_CW_CERT_D: + if (SSL_IS_DTLS(s)) + dtls1_start_timer(s); ret = ssl3_send_client_certificate(s); if (ret <= 0) goto end; @@ -361,6 +418,8 @@ ssl3_connect(SSL *s) case SSL3_ST_CW_KEY_EXCH_A: case SSL3_ST_CW_KEY_EXCH_B: + if (SSL_IS_DTLS(s)) + dtls1_start_timer(s); ret = ssl3_send_client_key_exchange(s); if (ret <= 0) goto end; 
@@ -386,9 +445,11 @@ ssl3_connect(SSL *s) S3I(s)->hs.state = SSL3_ST_CW_CHANGE_A; S3I(s)->change_cipher_spec = 0; } - if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { - S3I(s)->hs.state = SSL3_ST_CW_CHANGE_A; - S3I(s)->change_cipher_spec = 0; + if (!SSL_IS_DTLS(s)) { + if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { + S3I(s)->hs.state = SSL3_ST_CW_CHANGE_A; + S3I(s)->change_cipher_spec = 0; + } } s->internal->init_num = 0; @@ -396,6 +457,8 @@ ssl3_connect(SSL *s) case SSL3_ST_CW_CERT_VRFY_A: case SSL3_ST_CW_CERT_VRFY_B: + if (SSL_IS_DTLS(s)) + dtls1_start_timer(s); ret = ssl3_send_client_verify(s); if (ret <= 0) goto end; @@ -406,6 +469,8 @@ ssl3_connect(SSL *s) case SSL3_ST_CW_CHANGE_A: case SSL3_ST_CW_CHANGE_B: + if (SSL_IS_DTLS(s) && !s->internal->hit) + dtls1_start_timer(s); ret = ssl3_send_change_cipher_spec(s, SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B); if (ret <= 0) @@ -426,17 +491,22 @@ ssl3_connect(SSL *s) goto end; } + if (SSL_IS_DTLS(s)) + dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); + break; case SSL3_ST_CW_FINISHED_A: case SSL3_ST_CW_FINISHED_B: + if (SSL_IS_DTLS(s) && !s->internal->hit) + dtls1_start_timer(s); ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A, - SSL3_ST_CW_FINISHED_B, - TLS_MD_CLIENT_FINISH_CONST, + SSL3_ST_CW_FINISHED_B, TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE); if (ret <= 0) goto end; - s->s3->flags |= SSL3_FLAGS_CCS_OK; + if (!SSL_IS_DTLS(s)) + s->s3->flags |= SSL3_FLAGS_CCS_OK; S3I(s)->hs.state = SSL3_ST_CW_FLUSH; /* clear flags */ @@ -446,7 +516,7 @@ ssl3_connect(SSL *s) if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) { S3I(s)->hs.state = SSL_ST_OK; - s->s3->flags|=SSL3_FLAGS_POP_BUFFER; + s->s3->flags |= SSL3_FLAGS_POP_BUFFER; S3I(s)->delay_buf_pop_ret = 0; } } else { @@ -455,8 +525,8 @@ ssl3_connect(SSL *s) S3I(s)->hs.next_state = SSL3_ST_CR_SESSION_TICKET_A; else - - S3I(s)->hs.next_state = SSL3_ST_CR_FINISHED_A; + S3I(s)->hs.next_state = + SSL3_ST_CR_FINISHED_A; } s->internal->init_num = 0; break; 
@@ -481,11 +551,16 @@ ssl3_connect(SSL *s) case SSL3_ST_CR_FINISHED_A: case SSL3_ST_CR_FINISHED_B: - s->s3->flags |= SSL3_FLAGS_CCS_OK; + if (SSL_IS_DTLS(s)) + D1I(s)->change_cipher_spec_ok = 1; + else + s->s3->flags |= SSL3_FLAGS_CCS_OK; ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A, SSL3_ST_CR_FINISHED_B); if (ret <= 0) goto end; + if (SSL_IS_DTLS(s)) + dtls1_stop_timer(s); if (s->internal->hit) S3I(s)->hs.state = SSL3_ST_CW_CHANGE_A; @@ -497,6 +572,13 @@ ssl3_connect(SSL *s) case SSL3_ST_CW_FLUSH: s->internal->rwstate = SSL_WRITING; if (BIO_flush(s->wbio) <= 0) { + if (SSL_IS_DTLS(s)) { + /* If the write error was fatal, stop trying */ + if (!BIO_should_retry(s->wbio)) { + s->internal->rwstate = SSL_NOTHING; + S3I(s)->hs.state = S3I(s)->hs.next_state; + } + } ret = -1; goto end; } @@ -508,8 +590,10 @@ ssl3_connect(SSL *s) /* clean a few things up */ tls1_cleanup_key_block(s); - BUF_MEM_free(s->internal->init_buf); - s->internal->init_buf = NULL; + if (!SSL_IS_DTLS(s)) { + BUF_MEM_free(s->internal->init_buf); + s->internal->init_buf = NULL; + } /* * If we are not 'joining' the last two packets, @@ -535,6 +619,12 @@ ssl3_connect(SSL *s) if (cb != NULL) cb(s, SSL_CB_HANDSHAKE_DONE, 1); + if (SSL_IS_DTLS(s)) { + /* done with handshaking */ + D1I(s)->handshake_read_seq = 0; + D1I(s)->next_handshake_write_seq = 0; + } + goto end; /* break; */ @@ -571,14 +661,14 @@ end: } int -ssl3_client_hello(SSL *s) +ssl3_send_client_hello(SSL *s) { - unsigned char *bufend, *p, *d; - uint16_t max_version; - size_t outlen; - int i; + CBB cbb, client_hello, session_id, cookie, cipher_suites; + CBB compression_methods; + uint16_t max_version; + size_t sl; - bufend = (unsigned char *)s->internal->init_buf->data + SSL3_RT_MAX_PLAIN_LENGTH; + memset(&cbb, 0, sizeof(cbb)); if (S3I(s)->hs.state == SSL3_ST_CW_CLNT_HELLO_A) { SSL_SESSION *sess = s->session; 
@@ -589,10 +679,10 @@ ssl3_client_hello(SSL *s) } s->client_version = s->version = max_version; - if ((sess == NULL) || - (sess->ssl_version != s->version) || + if (sess == NULL || + sess->ssl_version != s->version || (!sess->session_id_length && !sess->tlsext_tick) || - (sess->internal->not_resumable)) { + sess->internal->not_resumable) { if (!ssl_get_new_session(s, 0)) goto err; } @@ -606,7 +696,9 @@ ssl3_client_hello(SSL *s) if (!SSL_IS_DTLS(s) || D1I(s)->send_cookie == 0) arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); - d = p = ssl3_handshake_msg_start(s, SSL3_MT_CLIENT_HELLO); + if (!ssl3_handshake_msg_start_cbb(s, &cbb, &client_hello, + SSL3_MT_CLIENT_HELLO)) + goto err; /* * Version indicates the negotiated version: for example from @@ -638,27 +730,27 @@ ssl3_client_hello(SSL *s) * client_version in client hello and not resetting it to * the negotiated version. */ - - *(p++) = s->client_version >> 8; - *(p++) = s->client_version & 0xff; + if (!CBB_add_u16(&client_hello, s->client_version)) + goto err; /* Random stuff */ - memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE); - p += SSL3_RANDOM_SIZE; + if (!CBB_add_bytes(&client_hello, s->s3->client_random, + sizeof(s->s3->client_random))) + goto err; /* Session ID */ - if (s->internal->new_session) - i = 0; - else - i = s->session->session_id_length; - *(p++) = i; - if (i != 0) { - if (i > (int)sizeof(s->session->session_id)) { + if (!CBB_add_u8_length_prefixed(&client_hello, &session_id)) + goto err; + if (!s->internal->new_session && + s->session->session_id_length > 0) { + sl = s->session->session_id_length; + if (sl > sizeof(s->session->session_id)) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } - memcpy(p, s->session->session_id, i); - p += i; + if (!CBB_add_bytes(&session_id, + s->session->session_id, sl)) + goto err; } /* DTLS Cookie. */ 
@@ -667,33 +759,37 @@ ssl3_client_hello(SSL *s) SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } - *(p++) = D1I(s)->cookie_len; - memcpy(p, D1I(s)->cookie, D1I(s)->cookie_len); - p += D1I(s)->cookie_len; + if (!CBB_add_u8_length_prefixed(&client_hello, &cookie)) + goto err; + if (!CBB_add_bytes(&cookie, D1I(s)->cookie, + D1I(s)->cookie_len)) + goto err; } /* Ciphers supported */ - if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &p[2], - bufend - &p[2], &outlen)) - goto err; - if (outlen == 0) { + if (!CBB_add_u16_length_prefixed(&client_hello, &cipher_suites)) + return 0; + if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), + &cipher_suites)) { SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE); goto err; } - s2n(outlen, p); - p += outlen; - /* add in (no) COMPRESSION */ - *(p++) = 1; - *(p++) = 0; /* Add the NULL method */ + /* Add in compression methods (null) */ + if (!CBB_add_u8_length_prefixed(&client_hello, + &compression_methods)) + goto err; + if (!CBB_add_u8(&compression_methods, 0)) + goto err; - /* TLS extensions*/ - if ((p = ssl_add_clienthello_tlsext(s, p, bufend)) == NULL) { + /* TLS extensions */ + if (!tlsext_clienthello_build(s, &client_hello)) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } - ssl3_handshake_msg_finish(s, p - d); + if (!ssl3_handshake_msg_finish_cbb(s, &cbb)) + goto err; S3I(s)->hs.state = SSL3_ST_CW_CLNT_HELLO_B; } @@ -702,6 +798,8 @@ ssl3_client_hello(SSL *s) return (ssl3_handshake_write(s)); err: + CBB_cleanup(&cbb); + return (-1); } @@ -715,7 +813,6 @@ ssl3_get_server_hello(SSL *s) STACK_OF(SSL_CIPHER) *sk; const SSL_CIPHER *cipher; const SSL_METHOD *method; - unsigned char *p; unsigned long alg_k; size_t outlen; int i, al, ok; 
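Review bot: The failure path for `CBB_add_u16_length_prefixed(&client_hello, &cipher_suites)` uses `return 0;` where every other CBB call in `ssl3_send_client_hello` uses `goto err;`. That early return skips the `CBB_cleanup(&cbb)` which the following hunk adds under `err:`, and it returns 0 instead of the function's usual -1. The line should read `goto err;`. The function starts and ends outside this hunk.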
@@ -913,22 +1010,31 @@ ssl3_get_server_hello(SSL *s) goto f_err; } - /* TLS extensions. */ - p = (unsigned char *)CBS_data(&cbs); - if (!ssl_parse_serverhello_tlsext(s, &p, CBS_len(&cbs), &al)) { - /* 'al' set by ssl_parse_serverhello_tlsext */ + if (!tlsext_serverhello_parse(s, &cbs, &al)) { SSLerror(s, SSL_R_PARSE_TLSEXT); goto f_err; } + + /* + * Determine if we need to see RI. Strictly speaking if we want to + * avoid an attack we should *always* see RI even on initial server + * hello because the client doesn't see any renegotiation during an + * attack. However this would mean we could not connect to any server + * which doesn't support RI so for the immediate future tolerate RI + * absence on initial connect only. + */ + if (!S3I(s)->renegotiate_seen && + !(s->internal->options & SSL_OP_LEGACY_SERVER_CONNECT)) { + al = SSL_AD_HANDSHAKE_FAILURE; + SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + goto f_err; + } + if (ssl_check_serverhello_tlsext(s) <= 0) { SSLerror(s, SSL_R_SERVERHELLO_TLSEXT); goto err; } - /* See if any data remains... */ - if (p - CBS_data(&cbs) != CBS_len(&cbs)) - goto truncated; - return (1); truncated: diff --git a/lib/libssl/ssl_err.c b/lib/libssl/ssl_err.c index db3c1a0d2d..250a9eef6b 100644 --- a/lib/libssl/ssl_err.c +++ b/lib/libssl/ssl_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_err.c,v 1.35 2017/08/28 17:36:58 jsing Exp $ */ +/* $OpenBSD: ssl_err.c,v 1.36 2018/03/20 15:28:12 tb Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * 
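Review bot: The removed lines rejected a ServerHello with bytes left over after the extensions (`goto truncated`), and the new code has no equivalent check after `tlsext_serverhello_parse(s, &cbs, &al)`. That function is not part of this hunk, so it may already consume and validate all of `cbs`; if it does not, trailing data is now silently accepted. Unless the parser guarantees it, add `if (CBS_len(&cbs) != 0) goto truncated;` after the extension handling. The removed comment also recorded that the old parser set `al`; it is worth confirming the new one sets it on every failure path, since the `f_err` path presumably sends it.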
@@ -390,6 +390,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= { {ERR_REASON(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG), "ssl session id context too long"}, {ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH), "ssl session id has bad length"}, {ERR_REASON(SSL_R_SSL_SESSION_ID_IS_DIFFERENT), "ssl session id is different"}, + {ERR_REASON(SSL_R_SSL_SESSION_ID_TOO_LONG), "ssl session id is too long"}, {ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED), "tlsv1 alert access denied"}, {ERR_REASON(SSL_R_TLSV1_ALERT_DECODE_ERROR), "tlsv1 alert decode error"}, {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED), "tlsv1 alert decryption failed"}, diff --git a/lib/libssl/ssl_init.c b/lib/libssl/ssl_init.c new file mode 100644 index 0000000000..0ef80956ed --- /dev/null +++ b/lib/libssl/ssl_init.c 
@@ -0,0 +1,50 @@ +/* + * Copyright (c) 2018 Bob Beck + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* OpenSSL style init */ + +#include +#include + +#include + +#include "ssl_locl.h" + +static pthread_t ssl_init_thread; + +static void +OPENSSL_init_ssl_internal(void) +{ + ssl_init_thread = pthread_self(); + SSL_load_error_strings(); + SSL_library_init(); +} + +int +OPENSSL_init_ssl(uint64_t opts, const void *settings) +{ + static pthread_once_t once = PTHREAD_ONCE_INIT; + + if (pthread_equal(pthread_self(), ssl_init_thread)) + return 1; /* don't recurse */ + + OPENSSL_init_crypto(opts, settings); + + if (pthread_once(&once, OPENSSL_init_ssl_internal) != 0) + return 0; + + return 1; +} diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index 471fd7009e..573e63c934 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.170 2017/08/30 16:24:21 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.182 2018/03/17 16:20:01 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
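Review bot: `OPENSSL_init_ssl` discards the result of `OPENSSL_init_crypto(opts, settings)` and then returns 1, so a failed libcrypto initialisation is reported to the caller as success; `if (!OPENSSL_init_crypto(opts, settings)) return 0;` propagates it. The recursion guard also reads `ssl_init_thread` with no synchronisation while another thread may be writing it inside `OPENSSL_init_ssl_internal`. Before any initialisation it compares against a zero-filled `pthread_t`, which POSIX does not define as a valid thread ID. A comment on `ssl_init_thread` explaining why that is tolerated, or a guard that does not depend on an unsynchronised read, would address it.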
@@ -469,12 +469,24 @@ SSL_set_trust(SSL *s, int trust) return (X509_VERIFY_PARAM_set_trust(s->param, trust)); } +X509_VERIFY_PARAM * +SSL_CTX_get0_param(SSL_CTX *ctx) +{ + return (ctx->param); +} + int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm) { return (X509_VERIFY_PARAM_set1(ctx->param, vpm)); } +X509_VERIFY_PARAM * +SSL_get0_param(SSL *ssl) +{ + return (ssl->param); +} + int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm) { @@ -556,6 +568,13 @@ SSL_free(SSL *s) free(s); } +int +SSL_up_ref(SSL *s) +{ + int refs = CRYPTO_add(&s->references, 1, CRYPTO_LOCK_SSL); + return (refs > 1) ? 1 : 0; +} + void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio) { @@ -746,7 +765,8 @@ SSL_CTX_get_verify_depth(const SSL_CTX *ctx) return (X509_VERIFY_PARAM_get_depth(ctx->param)); } -int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *) +int +(*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *) { return (ctx->internal->default_verify_callback); } @@ -920,6 +940,12 @@ SSL_connect(SSL *s) return (s->method->internal->ssl_connect(s)); } +int +SSL_is_server(const SSL *s) +{ + return s->server; +} + long SSL_get_default_timeout(const SSL *s) { @@ -1301,6 +1327,12 @@ SSL_get_cipher_list(const SSL *s, int n) return (c->name); } +STACK_OF(SSL_CIPHER) * +SSL_CTX_get_ciphers(const SSL_CTX *ctx) +{ + return ctx->cipher_list; +} + /* Specify the ciphers to be used by default by the SSL_CTX. */ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) 
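Review bot: SSL_CTX_get0_param() and SSL_get0_param() return the object's own `param` pointer with no comment on ownership or lifetime. Anything a caller changes through that pointer alters certificate verification for the whole context or connection. I would add a short header comment to each, for example `/* Returns the internal X509_VERIFY_PARAM; not a copy, must not be freed, valid only while ctx is alive. */`. The same applies to SSL_CTX_get_ciphers() in the later hunk on this line, which returns `ctx->cipher_list` directly.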
@@ -1380,81 +1412,60 @@ SSL_get_shared_ciphers(const SSL *s, char *buf, int len) } int -ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, unsigned char *p, - size_t maxlen, size_t *outlen) +ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb) { SSL_CIPHER *cipher; - int ciphers = 0; - CBB cbb; + int num_ciphers = 0; int i; - *outlen = 0; - - if (sk == NULL) - return (0); - - if (!CBB_init_fixed(&cbb, p, maxlen)) - goto err; + if (ciphers == NULL) + return 0; - for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { - cipher = sk_SSL_CIPHER_value(sk, i); + for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { + if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL) + return 0; /* Skip TLS v1.2 only ciphersuites if lower than v1.2 */ if ((cipher->algorithm_ssl & SSL_TLSV1_2) && (TLS1_get_client_version(s) < TLS1_2_VERSION)) continue; - if (!CBB_add_u16(&cbb, ssl3_cipher_get_value(cipher))) - goto err; + if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher))) + return 0; - ciphers++; + num_ciphers++; } /* Add SCSV if there are other ciphers and we're not renegotiating. 
*/ - if (ciphers > 0 && !s->internal->renegotiate) { - if (!CBB_add_u16(&cbb, SSL3_CK_SCSV & SSL3_CK_VALUE_MASK)) - goto err; + if (num_ciphers > 0 && !s->internal->renegotiate) { + if (!CBB_add_u16(cbb, SSL3_CK_SCSV & SSL3_CK_VALUE_MASK)) + return 0; } - if (!CBB_finish(&cbb, NULL, outlen)) - goto err; + if (!CBB_flush(cbb)) + return 0; return 1; - - err: - CBB_cleanup(&cbb); - - return 0; } STACK_OF(SSL_CIPHER) * -ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num) +ssl_bytes_to_cipher_list(SSL *s, CBS *cbs) { - CBS cbs; - const SSL_CIPHER *c; - STACK_OF(SSL_CIPHER) *sk = NULL; - unsigned long cipher_id; - uint16_t cipher_value, max_version; + STACK_OF(SSL_CIPHER) *ciphers = NULL; + const SSL_CIPHER *cipher; + uint16_t cipher_value, max_version; + unsigned long cipher_id; - if (s->s3) + if (s->s3 != NULL) S3I(s)->send_connection_binding = 0; - /* - * RFC 5246 section 7.4.1.2 defines the interval as [2,2^16-2]. - */ - if (num < 2 || num > 0x10000 - 2) { - SSLerror(s, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); - return (NULL); - } - - if ((sk = sk_SSL_CIPHER_new_null()) == NULL) { + if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL) { SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } - CBS_init(&cbs, p, num); - while (CBS_len(&cbs) > 0) { - if (!CBS_get_u16(&cbs, &cipher_value)) { + while (CBS_len(cbs) > 0) { + if (!CBS_get_u16(cbs, &cipher_value)) { SSLerror(s, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); goto err; } @@ -1495,18 +1506,18 @@ ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num) continue; } - if ((c = ssl3_get_cipher_by_value(cipher_value)) != NULL) { - if (!sk_SSL_CIPHER_push(sk, c)) { + if ((cipher = ssl3_get_cipher_by_value(cipher_value)) != NULL) { + if (!sk_SSL_CIPHER_push(ciphers, cipher)) { SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } } } - return (sk); + return (ciphers); err: - sk_SSL_CIPHER_free(sk); + sk_SSL_CIPHER_free(ciphers); return (NULL); } 
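Review bot: ssl_bytes_to_cipher_list() now reads directly from the caller's `CBS *cbs` until `CBS_len(cbs)` is 0, so the caller's view of the cipher-suite bytes is empty on return, and nothing in the new signature or body documents that. The ssl3_get_client_hello() hunk in ssl_srvr.c then tests `s->internal->hit && CBS_len(&cipher_suites) > 0` after the call, which the commit's own XXX comment marks as always false, so the "If it is a hit, check that the cipher is in the list" block for resumed sessions appears to be unreachable. Keying that test on the parsed list, e.g. `if (s->internal->hit && sk_SSL_CIPHER_num(ciphers) > 0) {`, would restore the check, assuming the block only walks `ciphers`. A header comment here such as `/* Consumes cbs; on success the caller's CBS is empty. */` would document the side effect. The middle of this function lies between the two hunks and is not shown.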
@@ -1780,6 +1791,11 @@ SSL_CTX_new(const SSL_METHOD *meth) { SSL_CTX *ret; + if (!OPENSSL_init_ssl(0, NULL)) { + SSLerrorx(SSL_R_LIBRARY_BUG); + return (NULL); + } + if (meth == NULL) { SSLerrorx(SSL_R_NULL_SSL_METHOD_PASSED); return (NULL); @@ -1973,12 +1989,31 @@ SSL_CTX_free(SSL_CTX *ctx) free(ctx); } +int +SSL_CTX_up_ref(SSL_CTX *ctx) +{ + int refs = CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); + return ((refs > 1) ? 1 : 0); +} + +pem_password_cb * +SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx) +{ + return (ctx->default_passwd_callback); +} + void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) { ctx->default_passwd_callback = cb; } +void * +SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx) +{ + return ctx->default_passwd_callback_userdata; +} + void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u) { @@ -2647,6 +2682,38 @@ SSL_get_current_expansion(SSL *s) return (NULL); } +size_t +SSL_get_client_random(const SSL *s, unsigned char *out, size_t max_out) +{ + size_t len = sizeof(s->s3->client_random); + + if (out == NULL) + return len; + + if (len > max_out) + len = max_out; + + memcpy(out, s->s3->client_random, len); + + return len; +} + +size_t +SSL_get_server_random(const SSL *s, unsigned char *out, size_t max_out) +{ + size_t len = sizeof(s->s3->server_random); + + if (out == NULL) + return len; + + if (len > max_out) + len = max_out; + + memcpy(out, s->s3->server_random, len); + + return len; +} + int ssl_init_wbio_buffer(SSL *s, int push) { @@ -2879,6 +2946,15 @@ SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store) ctx->cert_store = store; } +X509 * +SSL_CTX_get0_certificate(const SSL_CTX *ctx) +{ + if (ctx->internal->cert == NULL) + return NULL; + + return ctx->internal->cert->key->x509; +} + int SSL_want(const SSL *s) { 
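Review bot: SSL_get_client_random() and SSL_get_server_random() pass `s->s3->client_random` and `s->s3->server_random` to memcpy() without checking `s->s3`, while ssl_bytes_to_cipher_list() in this same file tests `s->s3 != NULL` before touching it. If an SSL object can reach a caller without `s3` allocated, a guard before the copy such as `if (s->s3 == NULL) return 0;` would avoid the dereference; if it cannot, a one-line comment stating that invariant is enough. Both functions would also benefit from a header comment noting that a NULL `out` returns the full length and that a smaller `max_out` yields a truncated copy.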
@@ -2965,6 +3041,12 @@ SSL_cache_hit(SSL *s) } int +SSL_CTX_get_min_proto_version(SSL_CTX *ctx) +{ + return ctx->internal->min_version; +} + +int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) { return ssl_version_set_min(ctx->method, version, @@ -2972,6 +3054,12 @@ SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) } int +SSL_CTX_get_max_proto_version(SSL_CTX *ctx) +{ + return ctx->internal->max_version; +} + +int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) { return ssl_version_set_max(ctx->method, version, @@ -2979,11 +3067,22 @@ SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) } int +SSL_get_min_proto_version(SSL *ssl) +{ + return ssl->internal->min_version; +} + +int SSL_set_min_proto_version(SSL *ssl, uint16_t version) { return ssl_version_set_min(ssl->method, version, ssl->internal->max_version, &ssl->internal->min_version); } +int +SSL_get_max_proto_version(SSL *ssl) +{ + return ssl->internal->max_version; +} int SSL_set_max_proto_version(SSL *ssl, uint16_t version) diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index 17a4a0d4f6..d2a99afaa4 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.193 2017/08/28 16:37:04 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.202 2018/01/27 15:30:05 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -164,6 +164,9 @@ __BEGIN_HIDDEN_DECLS +#define CTASSERT(x) extern char _ctassert[(x) ? 1 : -1 ] \ + __attribute__((__unused__)) + #define l2n(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \ *((c)++)=(unsigned char)(((l)>>16)&0xff), \ *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ 
@@ -1064,10 +1067,8 @@ int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b); SSL_CIPHER *OBJ_bsearch_ssl_cipher_id(SSL_CIPHER *key, SSL_CIPHER const *base, int num); int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap, const SSL_CIPHER * const *bp); -STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, - int num); -int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, - unsigned char *p, size_t maxlen, size_t *outlen); +int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb); +STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, CBS *cbs); STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth, STACK_OF(SSL_CIPHER) **pref, STACK_OF(SSL_CIPHER) **sorted, const char *rule_str); @@ -1147,15 +1148,11 @@ int ssl3_handshake_msg_start_cbb(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type); int ssl3_handshake_msg_finish_cbb(SSL *s, CBB *handshake); int ssl3_handshake_write(SSL *s); +int ssl3_record_write(SSL *s, int type); void tls1_record_sequence_increment(unsigned char *seq); int ssl3_do_change_cipher_spec(SSL *ssl); -int ssl23_read(SSL *s, void *buf, int len); -int ssl23_peek(SSL *s, void *buf, int len); -int ssl23_write(SSL *s, const void *buf, int len); -long ssl23_default_timeout(void); - long tls1_default_timeout(void); int dtls1_do_write(SSL *s, int type); int ssl3_packet_read(SSL *s, int plen); 
@@ -1166,12 +1163,13 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len); void dtls1_set_message_header(SSL *s, unsigned char mt, unsigned long len, unsigned long frag_off, unsigned long frag_len); +void dtls1_set_message_header_int(SSL *s, unsigned char mt, + unsigned long len, unsigned short seq_num, unsigned long frag_off, + unsigned long frag_len); int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf, int len); int dtls1_write_bytes(SSL *s, int type, const void *buf, int len); -int dtls1_send_change_cipher_spec(SSL *s, int a, int b); -unsigned long dtls1_output_cert_chain(SSL *s, X509 *x); int dtls1_read_failed(SSL *s, int code); int dtls1_buffer_message(SSL *s, int ccs); int dtls1_retransmit_message(SSL *s, unsigned short seq, @@ -1197,7 +1195,8 @@ void dtls1_double_timeout(SSL *s); unsigned int dtls1_min_mtu(void); /* some client-only functions */ -int ssl3_client_hello(SSL *s); +int dtls1_get_hello_verify(SSL *s); +int ssl3_send_client_hello(SSL *s); int ssl3_get_server_hello(SSL *s); int ssl3_get_certificate_request(SSL *s); int ssl3_get_new_session_ticket(SSL *s); @@ -1213,6 +1212,7 @@ int ssl3_check_cert_and_algorithm(SSL *s); int ssl3_check_finished(SSL *s); /* some server-only functions */ +int dtls1_send_hello_verify_request(SSL *s); int ssl3_get_client_hello(SSL *s); int ssl3_send_server_hello(SSL *s); int ssl3_send_hello_request(SSL *s); @@ -1223,18 +1223,11 @@ int ssl3_get_client_certificate(SSL *s); int ssl3_get_client_key_exchange(SSL *s); int ssl3_get_cert_verify(SSL *s); -int ssl23_accept(SSL *s); -int ssl23_connect(SSL *s); -int ssl23_read_bytes(SSL *s, int n); -int ssl23_write_bytes(SSL *s); - int tls1_new(SSL *s); void tls1_free(SSL *s); void tls1_clear(SSL *s); int dtls1_new(SSL *s); -int dtls1_accept(SSL *s); -int dtls1_connect(SSL *s); void dtls1_free(SSL *s); void dtls1_clear(SSL *s); long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg); 
@@ -1285,14 +1278,6 @@ uint16_t tls1_ec_nid2curve_id(const int nid); int tls1_check_curve(SSL *s, const uint16_t curve_id); int tls1_get_shared_curve(SSL *s); -unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, - unsigned char *limit); - -unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, - unsigned char *limit); - -int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, - unsigned char *d, int n, int *al); int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, size_t n, int *al); int ssl_check_clienthello_tlsext_early(SSL *s); diff --git a/lib/libssl/ssl_sess.c b/lib/libssl/ssl_sess.c index 59d7d9ec24..b3ee7ef430 100644 --- a/lib/libssl/ssl_sess.c +++ b/lib/libssl/ssl_sess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sess.c,v 1.71 2017/04/10 17:27:33 jsing Exp $ */ +/* $OpenBSD: ssl_sess.c,v 1.79 2018/03/20 15:28:12 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -199,6 +199,11 @@ SSL_SESSION_new(void) { SSL_SESSION *ss; + if (!OPENSSL_init_ssl(0, NULL)) { + SSLerrorx(SSL_R_LIBRARY_BUG); + return(NULL); + } + if ((ss = calloc(1, sizeof(*ss))) == NULL) { SSLerrorx(ERR_R_MALLOC_FAILURE); return (NULL); 
@@ -228,19 +233,39 @@ SSL_SESSION_new(void) } const unsigned char * -SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) +SSL_SESSION_get_id(const SSL_SESSION *ss, unsigned int *len) { - if (len) - *len = s->session_id_length; - return s->session_id; + if (len != NULL) + *len = ss->session_id_length; + return ss->session_id; +} + +const unsigned char * +SSL_SESSION_get0_id_context(const SSL_SESSION *ss, unsigned int *len) +{ + if (len != NULL) + *len = (unsigned int)ss->sid_ctx_length; + return ss->sid_ctx; } unsigned int -SSL_SESSION_get_compress_id(const SSL_SESSION *s) +SSL_SESSION_get_compress_id(const SSL_SESSION *ss) { return 0; } +unsigned long +SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s) +{ + return s->tlsext_tick_lifetime_hint; +} + +int +SSL_SESSION_has_ticket(const SSL_SESSION *s) +{ + return (s->tlsext_ticklen > 0) ? 1 : 0; +} + /* * SSLv3/TLSv1 has 32 bytes (256 bits) of session ID space. As such, filling * the ID with random gunk repeatedly until we have no conflict is going to @@ -710,6 +735,13 @@ SSL_SESSION_free(SSL_SESSION *ss) } int +SSL_SESSION_up_ref(SSL_SESSION *ss) +{ + int refs = CRYPTO_add(&ss->references, 1, CRYPTO_LOCK_SSL_SESSION); + return (refs > 1) ? 1 : 0; +} + +int SSL_set_session(SSL *s, SSL_SESSION *session) { int ret = 0; @@ -753,6 +785,23 @@ SSL_set_session(SSL *s, SSL_SESSION *session) return (ret); } +size_t +SSL_SESSION_get_master_key(const SSL_SESSION *ss, unsigned char *out, + size_t max_out) +{ + size_t len = ss->master_key_length; + + if (out == NULL) + return len; + + if (len > max_out) + len = max_out; + + memcpy(out, ss->master_key, len); + + return len; +} + long SSL_SESSION_set_timeout(SSL_SESSION *s, long t) { @@ -789,6 +838,12 @@ SSL_SESSION_set_time(SSL_SESSION *s, long t) return (t); } +int +SSL_SESSION_get_protocol_version(const SSL_SESSION *s) +{ + return s->ssl_version; +} + X509 * SSL_SESSION_get0_peer(SSL_SESSION *s) { 
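Review bot: SSL_SESSION_get_master_key() hands the session's master secret to the caller and has no comment describing its contract. I would add a header comment stating that a NULL `out` returns the stored length, that a `max_out` smaller than that length produces a truncated copy with no error, and that the caller owns the copy and should clear it after use. The copy length is taken from `ss->master_key_length` and clamped only to `max_out`. If `master_key` is a fixed-size array, which this hunk does not show, also clamping with `if (len > sizeof(ss->master_key)) len = sizeof(ss->master_key);` would keep an inconsistent length field from reading past it.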
@@ -796,6 +851,19 @@ SSL_SESSION_get0_peer(SSL_SESSION *s) } int +SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid, + unsigned int sid_len) +{ + if (sid_len > SSL_MAX_SSL_SESSION_ID_LENGTH) { + SSLerrorx(SSL_R_SSL_SESSION_ID_TOO_LONG); + return 0; + } + s->session_id_length = sid_len; + memmove(s->session_id, sid, sid_len); + return 1; +} + +int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx, unsigned int sid_ctx_len) { diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c index c43d63d991..f1a0c9ae03 100644 --- a/lib/libssl/ssl_srvr.c +++ b/lib/libssl/ssl_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_srvr.c,v 1.22 2017/08/12 21:47:59 jsing Exp $ */ +/* $OpenBSD: ssl_srvr.c,v 1.28 2018/01/28 09:21:34 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -166,14 +166,16 @@ #include #include "bytestring.h" +#include "ssl_tlsext.h" int ssl3_accept(SSL *s) { - unsigned long alg_k; void (*cb)(const SSL *ssl, int type, int val) = NULL; + unsigned long alg_k; int ret = -1; int new_state, state, skip = 0; + int listen = 0; ERR_clear_error(); errno = 0; @@ -183,11 +185,17 @@ ssl3_accept(SSL *s) else if (s->ctx->internal->info_callback != NULL) cb = s->ctx->internal->info_callback; + if (SSL_IS_DTLS(s)) + listen = D1I(s)->listen; + /* init things to blank */ s->internal->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); + if (SSL_IS_DTLS(s)) + D1I(s)->listen = listen; + if (s->cert == NULL) { SSLerror(s, SSL_R_NO_CERTIFICATE_SET); ret = -1; 
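Review bot: SSL_SESSION_set1_id() bounds `sid_len` with SSL_MAX_SSL_SESSION_ID_LENGTH, but the memmove() destination is `s->session_id`, and ssl3_send_server_hello() elsewhere in this commit checks the same field against `sizeof(s->session->session_id)`. Writing the guard as `if (sid_len > sizeof(s->session_id)) {` would tie the check to the buffer it protects should the constant and the array size ever differ. `sid` is also handed to memmove() unchecked, so a NULL `sid` is dereferenced whenever `sid_len` is non-zero; either reject it or state in a comment that `sid` must be non-NULL.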
@@ -206,15 +214,22 @@ ssl3_accept(SSL *s) case SSL_ST_ACCEPT: case SSL_ST_BEFORE|SSL_ST_ACCEPT: case SSL_ST_OK|SSL_ST_ACCEPT: - s->server = 1; if (cb != NULL) cb(s, SSL_CB_HANDSHAKE_START, 1); - if ((s->version >> 8) != 3) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - ret = -1; - goto end; + if (SSL_IS_DTLS(s)) { + if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + ret = -1; + goto end; + } + } else { + if ((s->version >> 8) != 3) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + ret = -1; + goto end; + } } s->internal->type = SSL_ST_ACCEPT; @@ -239,7 +254,6 @@ ssl3_accept(SSL *s) ret = -1; goto end; } - if (!tls1_init_finished_mac(s)) { ret = -1; goto end; @@ -247,7 +261,7 @@ ssl3_accept(SSL *s) S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A; s->ctx->internal->stats.sess_accept++; - } else if (!S3I(s)->send_connection_binding) { + } else if (!SSL_IS_DTLS(s) && !S3I(s)->send_connection_binding) { /* * Server attempting to renegotiate with * client that doesn't support secure @@ -261,7 +275,7 @@ ssl3_accept(SSL *s) } else { /* * S3I(s)->hs.state == SSL_ST_RENEGOTIATE, - * we will just send a HelloRequest + * we will just send a HelloRequest. */ s->ctx->internal->stats.sess_accept_renegotiate++; S3I(s)->hs.state = SSL3_ST_SW_HELLO_REQ_A; @@ -270,12 +284,18 @@ ssl3_accept(SSL *s) case SSL3_ST_SW_HELLO_REQ_A: case SSL3_ST_SW_HELLO_REQ_B: - s->internal->shutdown = 0; + if (SSL_IS_DTLS(s)) { + dtls1_clear_record_buffer(s); + dtls1_start_timer(s); + } ret = ssl3_send_hello_request(s); if (ret <= 0) goto end; - S3I(s)->hs.next_state = SSL3_ST_SW_HELLO_REQ_C; + if (SSL_IS_DTLS(s)) + S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A; + else + S3I(s)->hs.next_state = SSL3_ST_SW_HELLO_REQ_C; S3I(s)->hs.state = SSL3_ST_SW_FLUSH; s->internal->init_num = 0; 
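Review bot: The added `!SSL_IS_DTLS(s) &&` in `else if (!SSL_IS_DTLS(s) && !S3I(s)->send_connection_binding)` exempts DTLS from the branch whose comment reads "Server attempting to renegotiate with client that doesn't support secure renegotiation". A DTLS connection in that situation now falls through to the HelloRequest path, and the hunk gives no reason for the exemption. If it is intentional, please say so at the condition, for example `/* DTLS: connection binding is not checked here because REASON_PLACEHOLDER. */`. If it is only carried over from the merged DTLS accept code, it deserves a second look, since this is the server-side guard against legacy renegotiation. The rest of ssl3_accept() is outside this hunk.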
@@ -292,21 +312,78 @@ ssl3_accept(SSL *s) case SSL3_ST_SR_CLNT_HELLO_A: case SSL3_ST_SR_CLNT_HELLO_B: case SSL3_ST_SR_CLNT_HELLO_C: - s->internal->shutdown = 0; - if (s->internal->rwstate != SSL_X509_LOOKUP) { + if (SSL_IS_DTLS(s)) { ret = ssl3_get_client_hello(s); if (ret <= 0) goto end; + dtls1_stop_timer(s); + + if (ret == 1 && + (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) + S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A; + else + S3I(s)->hs.state = SSL3_ST_SW_SRVR_HELLO_A; + + s->internal->init_num = 0; + + /* + * Reflect ClientHello sequence to remain + * stateless while listening. + */ + if (listen) { + memcpy(S3I(s)->write_sequence, + S3I(s)->read_sequence, + sizeof(S3I(s)->write_sequence)); + } + + /* If we're just listening, stop here */ + if (listen && S3I(s)->hs.state == SSL3_ST_SW_SRVR_HELLO_A) { + ret = 2; + D1I(s)->listen = 0; + /* + * Set expected sequence numbers to + * continue the handshake. + */ + D1I(s)->handshake_read_seq = 2; + D1I(s)->handshake_write_seq = 1; + D1I(s)->next_handshake_write_seq = 1; + goto end; + } + } else { + if (s->internal->rwstate != SSL_X509_LOOKUP) { + ret = ssl3_get_client_hello(s); + if (ret <= 0) + goto end; + } + + s->internal->renegotiate = 2; + S3I(s)->hs.state = SSL3_ST_SW_SRVR_HELLO_A; + s->internal->init_num = 0; } + break; - s->internal->renegotiate = 2; - S3I(s)->hs.state = SSL3_ST_SW_SRVR_HELLO_A; - s->internal->init_num = 0; + case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A: + case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B: + ret = dtls1_send_hello_verify_request(s); + if (ret <= 0) + goto end; + S3I(s)->hs.state = SSL3_ST_SW_FLUSH; + S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A; + + /* HelloVerifyRequest resets Finished MAC. */ + if (!tls1_init_finished_mac(s)) { + ret = -1; + goto end; + } break; case SSL3_ST_SW_SRVR_HELLO_A: case SSL3_ST_SW_SRVR_HELLO_B: + if (SSL_IS_DTLS(s)) { + s->internal->renegotiate = 2; + dtls1_start_timer(s); + } ret = ssl3_send_server_hello(s); if (ret <= 0) goto end; 
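Review bot: In the DTLS branch of the SSL3_ST_SR_CLNT_HELLO states, the HelloVerifyRequest round trip is taken only when `SSL_OP_COOKIE_EXCHANGE` is set. Otherwise the state moves straight to SSL3_ST_SW_SRVR_HELLO_A and the server flight is sent to a source address that has not been verified. That dependency should be stated at the `if (ret == 1 && ...)` test, for example `/* Without SSL_OP_COOKIE_EXCHANGE the peer address is not verified before the server flight is sent. */`, so that deployments using the listen path know the option provides the return-routability check. The literal `ret = 2` and the handshake sequence values 2, 1 and 1 in the listen block would also be easier to review as named constants or with a reference to where those values come from. ssl3_accept() begins and ends outside this hunk.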
@@ -315,9 +392,9 @@ ssl3_accept(SSL *s) S3I(s)->hs.state = SSL3_ST_SW_SESSION_TICKET_A; else S3I(s)->hs.state = SSL3_ST_SW_CHANGE_A; - } - else + } else { S3I(s)->hs.state = SSL3_ST_SW_CERT_A; + } s->internal->init_num = 0; break; @@ -326,6 +403,8 @@ ssl3_accept(SSL *s) /* Check if it is anon DH or anon ECDH. */ if (!(S3I(s)->hs.new_cipher->algorithm_auth & SSL_aNULL)) { + if (SSL_IS_DTLS(s)) + dtls1_start_timer(s); ret = ssl3_send_server_certificate(s); if (ret <= 0) goto end; @@ -353,6 +432,8 @@ ssl3_accept(SSL *s) * public key for key exchange. */ if (alg_k & (SSL_kDHE|SSL_kECDHE)) { + if (SSL_IS_DTLS(s)) + dtls1_start_timer(s); ret = ssl3_send_server_key_exchange(s); if (ret <= 0) goto end; @@ -388,11 +469,11 @@ ssl3_accept(SSL *s) ((S3I(s)->hs.new_cipher->algorithm_auth & SSL_aNULL) && !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) { - /* No cert request */ + /* No cert request. */ skip = 1; S3I(s)->tmp.cert_request = 0; S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A; - if (S3I(s)->handshake_buffer) { + if (!SSL_IS_DTLS(s) && S3I(s)->handshake_buffer) { if (!tls1_digest_cached_records(s)) { ret = -1; goto end; @@ -400,6 +481,8 @@ ssl3_accept(SSL *s) } } else { S3I(s)->tmp.cert_request = 1; + if (SSL_IS_DTLS(s)) + dtls1_start_timer(s); ret = ssl3_send_certificate_request(s); if (ret <= 0) goto end; @@ -410,6 +493,8 @@ ssl3_accept(SSL *s) case SSL3_ST_SW_SRVR_DONE_A: case SSL3_ST_SW_SRVR_DONE_B: + if (SSL_IS_DTLS(s)) + dtls1_start_timer(s); ret = ssl3_send_server_done(s); if (ret <= 0) goto end; @@ -419,7 +504,6 @@ ssl3_accept(SSL *s) break; case SSL3_ST_SW_FLUSH: - /* * This code originally checked to see if * any data was pending using BIO_CTRL_INFO 
@@ -430,14 +514,19 @@ ssl3_accept(SSL *s) * still exist. So instead we just flush * unconditionally. */ - s->internal->rwstate = SSL_WRITING; if (BIO_flush(s->wbio) <= 0) { + if (SSL_IS_DTLS(s)) { + /* If the write error was fatal, stop trying. */ + if (!BIO_should_retry(s->wbio)) { + s->internal->rwstate = SSL_NOTHING; + S3I(s)->hs.state = S3I(s)->hs.next_state; + } + } ret = -1; goto end; } s->internal->rwstate = SSL_NOTHING; - S3I(s)->hs.state = S3I(s)->hs.next_state; break; @@ -457,6 +546,12 @@ ssl3_accept(SSL *s) ret = ssl3_get_client_key_exchange(s); if (ret <= 0) goto end; + + if (SSL_IS_DTLS(s)) { + S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A; + s->internal->init_num = 0; + } + alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; if (ret == 2) { /* @@ -507,7 +602,7 @@ ssl3_accept(SSL *s) S3I(s)->tmp.cert_verify_md, sizeof(S3I(s)->tmp.cert_verify_md), NULL)) { - ret = -1; + ret = -1; goto end; } } @@ -515,24 +610,31 @@ ssl3_accept(SSL *s) case SSL3_ST_SR_CERT_VRFY_A: case SSL3_ST_SR_CERT_VRFY_B: - s->s3->flags |= SSL3_FLAGS_CCS_OK; + if (SSL_IS_DTLS(s)) + D1I(s)->change_cipher_spec_ok = 1; + else + s->s3->flags |= SSL3_FLAGS_CCS_OK; /* we should decide if we expected this one */ ret = ssl3_get_cert_verify(s); if (ret <= 0) goto end; - S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A; s->internal->init_num = 0; break; case SSL3_ST_SR_FINISHED_A: case SSL3_ST_SR_FINISHED_B: - s->s3->flags |= SSL3_FLAGS_CCS_OK; + if (SSL_IS_DTLS(s)) + D1I(s)->change_cipher_spec_ok = 1; + else + s->s3->flags |= SSL3_FLAGS_CCS_OK; ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A, SSL3_ST_SR_FINISHED_B); if (ret <= 0) goto end; + if (SSL_IS_DTLS(s)) + dtls1_stop_timer(s); if (s->internal->hit) S3I(s)->hs.state = SSL_ST_OK; else if (s->internal->tlsext_ticket_expected) @@ -560,10 +662,8 @@ ssl3_accept(SSL *s) s->internal->init_num = 0; break; - case SSL3_ST_SW_CHANGE_A: case SSL3_ST_SW_CHANGE_B: - s->session->cipher = S3I(s)->hs.new_cipher; if (!tls1_setup_key_block(s)) { ret = -1; 
@@ -572,26 +672,27 @@ ssl3_accept(SSL *s) ret = ssl3_send_change_cipher_spec(s, SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B); - if (ret <= 0) goto end; S3I(s)->hs.state = SSL3_ST_SW_FINISHED_A; s->internal->init_num = 0; - if (!tls1_change_cipher_state( - s, SSL3_CHANGE_CIPHER_SERVER_WRITE)) { + if (!tls1_change_cipher_state(s, + SSL3_CHANGE_CIPHER_SERVER_WRITE)) { ret = -1; goto end; } + if (SSL_IS_DTLS(s)) + dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); break; case SSL3_ST_SW_FINISHED_A: case SSL3_ST_SW_FINISHED_B: ret = ssl3_send_finished(s, - SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B, - TLS_MD_SERVER_FINISH_CONST, - TLS_MD_SERVER_FINISH_CONST_SIZE); + SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B, + TLS_MD_SERVER_FINISH_CONST, + TLS_MD_SERVER_FINISH_CONST_SIZE); if (ret <= 0) goto end; S3I(s)->hs.state = SSL3_ST_SW_FLUSH; @@ -606,15 +707,17 @@ ssl3_accept(SSL *s) /* clean a few things up */ tls1_cleanup_key_block(s); - BUF_MEM_free(s->internal->init_buf); - s->internal->init_buf = NULL; + if (!SSL_IS_DTLS(s)) { + BUF_MEM_free(s->internal->init_buf); + s->internal->init_buf = NULL; + } /* remove buffering on output */ ssl_free_wbio_buffer(s); s->internal->init_num = 0; - /* skipped if we just sent a HelloRequest */ + /* Skipped if we just sent a HelloRequest. */ if (s->internal->renegotiate == 2) { s->internal->renegotiate = 0; s->internal->new_session = 0; @@ -630,6 +733,14 @@ ssl3_accept(SSL *s) } ret = 1; + + if (SSL_IS_DTLS(s)) { + /* Done handshaking, next message is client hello. */ + D1I(s)->handshake_read_seq = 0; + /* Next message is server hello. */ + D1I(s)->handshake_write_seq = 0; + D1I(s)->next_handshake_write_seq = 0; + } goto end; /* break; */ @@ -658,10 +769,10 @@ ssl3_accept(SSL *s) } end: /* BIO_flush(s->wbio); */ - s->internal->in_handshake--; if (cb != NULL) cb(s, SSL_CB_ACCEPT_EXIT, ret); + return (ret); } 
@@ -702,7 +813,6 @@ ssl3_get_client_hello(SSL *s) int i, j, ok, al, ret = -1, cookie_valid = 0; long n; unsigned long id; - unsigned char *p, *d; SSL_CIPHER *c; STACK_OF(SSL_CIPHER) *ciphers = NULL; unsigned long alg_k; @@ -732,8 +842,7 @@ ssl3_get_client_hello(SSL *s) if (n < 0) goto err; - d = p = (unsigned char *)s->internal->init_msg; - end = d + n; + end = (unsigned char *)s->internal->init_msg + n; CBS_init(&cbs, s->internal->init_msg, n); @@ -883,11 +992,12 @@ ssl3_get_client_hello(SSL *s) if (CBS_len(&cipher_suites) > 0) { if ((ciphers = ssl_bytes_to_cipher_list(s, - CBS_data(&cipher_suites), CBS_len(&cipher_suites))) == NULL) + &cipher_suites)) == NULL) goto err; } /* If it is a hit, check that the cipher is in the list */ + /* XXX - CBS_len(&cipher_suites) will always be zero here... */ if (s->internal->hit && CBS_len(&cipher_suites) > 0) { j = 0; id = s->session->cipher->id; @@ -926,14 +1036,17 @@ ssl3_get_client_hello(SSL *s) goto f_err; } - p = (unsigned char *)CBS_data(&cbs); - - /* TLS extensions*/ - if (!ssl_parse_clienthello_tlsext(s, &p, d, n, &al)) { - /* 'al' set by ssl_parse_clienthello_tlsext */ + if (!tlsext_clienthello_parse(s, &cbs, &al)) { SSLerror(s, SSL_R_PARSE_TLSEXT); goto f_err; } + + if (!S3I(s)->renegotiate_seen && s->internal->renegotiate) { + al = SSL_AD_HANDSHAKE_FAILURE; + SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + goto f_err; + } + if (ssl_check_clienthello_tlsext_early(s) <= 0) { SSLerror(s, SSL_R_CLIENTHELLO_TLSEXT); goto err; 
@@ -1056,25 +1169,19 @@ err: int ssl3_send_server_hello(SSL *s) { - unsigned char *bufend; - unsigned char *p, *d; - CBB cbb, session_id; - size_t outlen; - int sl; + CBB cbb, server_hello, session_id; + size_t sl; memset(&cbb, 0, sizeof(cbb)); - bufend = (unsigned char *)s->internal->init_buf->data + SSL3_RT_MAX_PLAIN_LENGTH; - if (S3I(s)->hs.state == SSL3_ST_SW_SRVR_HELLO_A) { - d = p = ssl3_handshake_msg_start(s, SSL3_MT_SERVER_HELLO); - - if (!CBB_init_fixed(&cbb, p, bufend - p)) + if (!ssl3_handshake_msg_start_cbb(s, &cbb, &server_hello, + SSL3_MT_SERVER_HELLO)) goto err; - if (!CBB_add_u16(&cbb, s->version)) + if (!CBB_add_u16(&server_hello, s->version)) goto err; - if (!CBB_add_bytes(&cbb, s->s3->server_random, + if (!CBB_add_bytes(&server_hello, s->s3->server_random, sizeof(s->s3->server_random))) goto err; @@ -1101,35 +1208,32 @@ ssl3_send_server_hello(SSL *s) s->session->session_id_length = 0; sl = s->session->session_id_length; - if (sl > (int)sizeof(s->session->session_id)) { + if (sl > sizeof(s->session->session_id)) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } - - if (!CBB_add_u8_length_prefixed(&cbb, &session_id)) + if (!CBB_add_u8_length_prefixed(&server_hello, &session_id)) goto err; if (!CBB_add_bytes(&session_id, s->session->session_id, sl)) goto err; /* Cipher suite. */ - if (!CBB_add_u16(&cbb, + if (!CBB_add_u16(&server_hello, ssl3_cipher_get_value(S3I(s)->hs.new_cipher))) goto err; - /* Compression method. */ - if (!CBB_add_u8(&cbb, 0)) - goto err; - - if (!CBB_finish(&cbb, NULL, &outlen)) + /* Compression method (null). */ + if (!CBB_add_u8(&server_hello, 0)) goto err; - if ((p = ssl_add_serverhello_tlsext(s, p + outlen, - bufend)) == NULL) { + /* TLS extensions */ + if (!tlsext_serverhello_build(s, &server_hello)) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } - ssl3_handshake_msg_finish(s, p - d); + if (!ssl3_handshake_msg_finish_cbb(s, &cbb)) + goto err; } /* SSL3_ST_SW_SRVR_HELLO_B */ 
diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c index 2abfa723d8..3735b719db 100644 --- a/lib/libssl/ssl_tlsext.c +++ b/lib/libssl/ssl_tlsext.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_tlsext.c,v 1.17.4.1 2017/12/09 13:43:25 jsing Exp $ */ +/* $OpenBSD: ssl_tlsext.c,v 1.21 2018/02/08 11:30:30 jsing Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing * Copyright (c) 2017 Doug Hogan @@ -271,11 +271,12 @@ tlsext_ec_serverhello_parse(SSL *s, CBS *cbs, int *alert) /* * Servers should not send this extension per the RFC. * - * However, F5 sends it by mistake (case ID 492780) so we need to skip - * over it. This bug is from at least 2014 but as of 2017, there - * are still large sites with this bug in production. + * However, certain F5 BIG-IP systems incorrectly send it. This bug is + * from at least 2014 but as of 2017, there are still large sites with + * this unpatched in production. As a result, we need to currently skip + * over the extension and ignore its content: * - * https://devcentral.f5.com/questions/disable-supported-elliptic-curves-extension-from-server + * https://support.f5.com/csp/article/K37345003 */ if (!CBS_skip(cbs, CBS_len(cbs))) { *alert = TLS1_AD_INTERNAL_ERROR; 
@@ -1291,8 +1292,52 @@ static struct tls_extension tls_extensions[] = { #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) -int -tlsext_clienthello_build(SSL *s, CBB *cbb) +/* Ensure that extensions fit in a uint32_t bitmask. */ +CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); + +static struct tls_extension * +tls_extension_find(uint16_t type, size_t *tls_extensions_idx) +{ + size_t i; + + for (i = 0; i < N_TLS_EXTENSIONS; i++) { + if (tls_extensions[i].type == type) { + *tls_extensions_idx = i; + return &tls_extensions[i]; + } + } + + return NULL; +} + +static int +tls_extension_needs(struct tls_extension *tlsext, int is_serverhello, SSL *s) +{ + if (is_serverhello) + return tlsext->serverhello_needs(s); + return tlsext->clienthello_needs(s); +} + +static int +tls_extension_build(struct tls_extension *tlsext, int is_serverhello, SSL *s, + CBB *cbb) +{ + if (is_serverhello) + return tlsext->serverhello_build(s, cbb); + return tlsext->clienthello_build(s, cbb); +} + +static int +tls_extension_parse(struct tls_extension *tlsext, int is_serverhello, SSL *s, + CBS *cbs, int *alert) +{ + if (is_serverhello) + return tlsext->serverhello_parse(s, cbs, alert); + return tlsext->clienthello_parse(s, cbs, alert); +} + +static int +tlsext_build(SSL *s, CBB *cbb, int is_serverhello) { CBB extensions, extension_data; struct tls_extension *tlsext; @@ -1305,14 +1350,16 @@ tlsext_clienthello_build(SSL *s, CBB *cbb) for (i = 0; i < N_TLS_EXTENSIONS; i++) { tlsext = &tls_extensions[i]; - if (!tlsext->clienthello_needs(s)) + if (!tls_extension_needs(tlsext, is_serverhello, s)) continue; if (!CBB_add_u16(&extensions, tlsext->type)) return 0; if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) return 0; - if (!tls_extensions[i].clienthello_build(s, &extension_data)) + + if (!tls_extension_build(tlsext, is_serverhello, s, + &extension_data)) return 0; extensions_present = 1; 
@@ -1327,88 +1374,101 @@ tlsext_clienthello_build(SSL *s, CBB *cbb) return 1; } -int -tlsext_clienthello_parse_one(SSL *s, CBS *cbs, uint16_t type, int *alert) +static int +tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_serverhello) { + CBS extensions, extension_data; struct tls_extension *tlsext; - size_t i; - - for (i = 0; i < N_TLS_EXTENSIONS; i++) { - tlsext = &tls_extensions[i]; - - if (tlsext->type != type) - continue; - if (!tlsext->clienthello_parse(s, cbs, alert)) - return 0; - if (CBS_len(cbs) != 0) { - *alert = SSL_AD_DECODE_ERROR; - return 0; - } + uint32_t extensions_seen = 0; + uint16_t type; + size_t idx; + /* An empty extensions block is valid. */ + if (CBS_len(cbs) == 0) return 1; - } - - /* Not found. */ - return 2; -} -int -tlsext_serverhello_build(SSL *s, CBB *cbb) -{ - CBB extensions, extension_data; - struct tls_extension *tlsext; - int extensions_present = 0; - size_t i; + *alert = SSL_AD_DECODE_ERROR; - if (!CBB_add_u16_length_prefixed(cbb, &extensions)) + if (!CBS_get_u16_length_prefixed(cbs, &extensions)) return 0; - for (i = 0; i < N_TLS_EXTENSIONS; i++) { - tlsext = &tls_extensions[i]; + while (CBS_len(&extensions) > 0) { + if (!CBS_get_u16(&extensions, &type)) + return 0; + if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) + return 0; + + if (s->internal->tlsext_debug_cb != NULL) + s->internal->tlsext_debug_cb(s, is_serverhello, type, + (unsigned char *)CBS_data(&extension_data), + CBS_len(&extension_data), + s->internal->tlsext_debug_arg); - if (!tlsext->serverhello_needs(s)) + /* Unknown extensions are ignored. */ + if ((tlsext = tls_extension_find(type, &idx)) == NULL) continue; - if (!CBB_add_u16(&extensions, tlsext->type)) + /* Check for duplicate known extensions. 
*/ + if ((extensions_seen & (1 << idx)) != 0) return 0; - if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) - return 0; - if (!tlsext->serverhello_build(s, &extension_data)) + extensions_seen |= (1 << idx); + + if (!tls_extension_parse(tlsext, is_serverhello, s, + &extension_data, alert)) return 0; - extensions_present = 1; + if (CBS_len(&extension_data) != 0) + return 0; } - if (!extensions_present) - CBB_discard_child(cbb); + return 1; +} - if (!CBB_flush(cbb)) - return 0; +static void +tlsext_clienthello_reset_state(SSL *s) +{ + s->internal->servername_done = 0; + s->tlsext_status_type = -1; + S3I(s)->renegotiate_seen = 0; + free(S3I(s)->alpn_selected); + S3I(s)->alpn_selected = NULL; + s->internal->srtp_profile = NULL; +} - return 1; +int +tlsext_clienthello_build(SSL *s, CBB *cbb) +{ + return tlsext_build(s, cbb, 0); } int -tlsext_serverhello_parse_one(SSL *s, CBS *cbs, uint16_t type, int *alert) +tlsext_clienthello_parse(SSL *s, CBS *cbs, int *alert) { - struct tls_extension *tlsext; - size_t i; + /* XXX - this possibly should be done by the caller... */ + tlsext_clienthello_reset_state(s); - for (i = 0; i < N_TLS_EXTENSIONS; i++) { - tlsext = &tls_extensions[i]; + return tlsext_parse(s, cbs, alert, 0); +} - if (tlsext->type != type) - continue; - if (!tlsext->serverhello_parse(s, cbs, alert)) - return 0; - if (CBS_len(cbs) != 0) { - *alert = SSL_AD_DECODE_ERROR; - return 0; - } +static void +tlsext_serverhello_reset_state(SSL *s) +{ + S3I(s)->renegotiate_seen = 0; + free(S3I(s)->alpn_selected); + S3I(s)->alpn_selected = NULL; +} - return 1; - } +int +tlsext_serverhello_build(SSL *s, CBB *cbb) +{ + return tlsext_build(s, cbb, 1); +} + +int +tlsext_serverhello_parse(SSL *s, CBS *cbs, int *alert) +{ + /* XXX - this possibly should be done by the caller... */ + tlsext_serverhello_reset_state(s); - /* Not found. */ - return 2; + return tlsext_parse(s, cbs, alert, 1); } 
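Review bot: In the added tlsext_parse(), the duplicate check builds its mask with `1 << idx`, where `1` is a signed int while extensions_seen is a uint32_t and the CTASSERT in the earlier hunk allows up to 32 table entries; index 31 would shift into the sign bit, which is undefined behaviour. An unsigned constant keeps the mask well-defined for the full range the assertion permits: `if ((extensions_seen & (1U << idx)) != 0)` and `extensions_seen |= (1U << idx);`. The table is presumably much shorter than 32 entries today, so this is hardening rather than a live bug. Separately, a short comment above tlsext_parse() should say that it returns 0 on a duplicate known extension or on trailing data, and that the renegotiation-info presence check from the removed t1_lib.c parsers is not performed here; where that check now lives is not visible in this part of the diff.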
diff --git a/lib/libssl/ssl_tlsext.h b/lib/libssl/ssl_tlsext.h index 7c6250a7f7..4248932fb2 100644 --- a/lib/libssl/ssl_tlsext.h +++ b/lib/libssl/ssl_tlsext.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_tlsext.h,v 1.10 2017/08/27 02:58:04 doug Exp $ */ +/* $OpenBSD: ssl_tlsext.h,v 1.12 2018/02/08 11:30:30 jsing Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing * Copyright (c) 2017 Doug Hogan @@ -82,9 +82,7 @@ int tlsext_srtp_serverhello_parse(SSL *s, CBS *cbs, int *alert); #endif int tlsext_clienthello_build(SSL *s, CBB *cbb); -int tlsext_clienthello_parse_one(SSL *s, CBS *cbs, uint16_t tlsext_type, - int *alert); +int tlsext_clienthello_parse(SSL *s, CBS *cbs, int *alert); int tlsext_serverhello_build(SSL *s, CBB *cbb); -int tlsext_serverhello_parse_one(SSL *s, CBS *cbs, uint16_t tlsext_type, - int *alert); +int tlsext_serverhello_parse(SSL *s, CBS *cbs, int *alert); diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c index 0d03b45a97..d92fd70f5b 100644 --- a/lib/libssl/t1_lib.c +++ b/lib/libssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.137 2017/08/30 16:44:37 jsing Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.141 2018/02/08 11:30:30 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -661,194 +661,6 @@ tls12_get_req_sig_algs(SSL *s, unsigned char **sigalgs, size_t *sigalgs_len) *sigalgs_len = sizeof(tls12_sigalgs); } -unsigned char * -ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) -{ - size_t len; - CBB cbb; - - if (p >= limit) - return NULL; - - if (!CBB_init_fixed(&cbb, p, limit - p)) - return NULL; - if (!tlsext_clienthello_build(s, &cbb)) { - CBB_cleanup(&cbb); - return NULL; - } - if (!CBB_finish(&cbb, NULL, &len)) { - CBB_cleanup(&cbb); - return NULL; - } - - return (p + len); -} - -unsigned char * -ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) -{ - size_t len; - CBB cbb; - - if (p >= limit) - return NULL; - - if (!CBB_init_fixed(&cbb, p, limit - p)) - return NULL; - if (!tlsext_serverhello_build(s, &cbb)) { - CBB_cleanup(&cbb); - return NULL; - } - if (!CBB_finish(&cbb, NULL, &len)) { - CBB_cleanup(&cbb); - return NULL; - } - - return (p + len); -} - -int -ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, - int n, int *al) -{ - unsigned short type; - unsigned short size; - unsigned short len; - unsigned char *data = *p; - unsigned char *end = d + n; - CBS cbs; - - s->internal->servername_done = 0; - s->tlsext_status_type = -1; - S3I(s)->renegotiate_seen = 0; - free(S3I(s)->alpn_selected); - S3I(s)->alpn_selected = NULL; - s->internal->srtp_profile = NULL; - - if (data == end) - goto ri_check; - - if (end - data < 2) - goto err; - n2s(data, len); - - if (end - data != len) - goto err; - - while (end - data >= 4) { - n2s(data, type); - n2s(data, size); - - if (end - data < size) - goto err; - - if (s->internal->tlsext_debug_cb) - s->internal->tlsext_debug_cb(s, 0, type, data, size, - s->internal->tlsext_debug_arg); - - CBS_init(&cbs, data, size); - if (!tlsext_clienthello_parse_one(s, &cbs, type, al)) - return 0; - - data += size; - } - - /* Spurious data on the end */ - if (data != end) - goto err; - - *p = data; - -ri_check: - - /* Need RI if 
renegotiating */ - - if (!S3I(s)->renegotiate_seen && s->internal->renegotiate) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); - return 0; - } - - return 1; - -err: - *al = SSL_AD_DECODE_ERROR; - return 0; -} - -int -ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al) -{ - unsigned short type; - unsigned short size; - unsigned short len; - unsigned char *data = *p; - unsigned char *end = *p + n; - CBS cbs; - - S3I(s)->renegotiate_seen = 0; - free(S3I(s)->alpn_selected); - S3I(s)->alpn_selected = NULL; - - if (data == end) - goto ri_check; - - if (end - data < 2) - goto err; - n2s(data, len); - - if (end - data != len) - goto err; - - while (end - data >= 4) { - n2s(data, type); - n2s(data, size); - - if (end - data < size) - goto err; - - if (s->internal->tlsext_debug_cb) - s->internal->tlsext_debug_cb(s, 1, type, data, size, - s->internal->tlsext_debug_arg); - - CBS_init(&cbs, data, size); - if (!tlsext_serverhello_parse_one(s, &cbs, type, al)) - return 0; - - data += size; - - } - - if (data != end) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - - *p = data; - -ri_check: - - /* Determine if we need to see RI. Strictly speaking if we want to - * avoid an attack we should *always* see RI even on initial server - * hello because the client doesn't see any renegotiation during an - * attack. However this would mean we could not connect to any server - * which doesn't support RI so for the immediate future tolerate RI - * absence on initial connect only. - */ - if (!S3I(s)->renegotiate_seen && - !(s->internal->options & SSL_OP_LEGACY_SERVER_CONNECT)) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); - return 0; - } - - return 1; - -err: - *al = SSL_AD_DECODE_ERROR; - return 0; -} - int ssl_check_clienthello_tlsext_early(SSL *s) { diff --git a/lib/libssl/tls1.h b/lib/libssl/tls1.h index 8e369c7bd1..0474bb73ae 100644 --- a/lib/libssl/tls1.h 
+++ b/lib/libssl/tls1.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls1.h,v 1.31 2017/08/28 17:36:58 jsing Exp $ */ +/* $OpenBSD: tls1.h,v 1.32 2018/02/17 15:08:21 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -354,11 +354,15 @@ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG,0, (void *)arg) #define SSL_CTX_set_tlsext_ticket_keys(ctx, keys, keylen) \ SSL_CTX_ctrl((ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,(keylen),(keys)) +#define SSL_CTX_get_tlsext_status_cb(ssl, cb) \ +SSL_CTX_callback_ctrl(ssl,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,(void (*)(void))cb) #define SSL_CTX_set_tlsext_status_cb(ssl, cb) \ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB,(void (*)(void))cb) +#define SSL_CTX_get_tlsext_status_arg(ssl, arg) \ +SSL_CTX_ctrl(ssl,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG,0,(void *)arg) #define SSL_CTX_set_tlsext_status_arg(ssl, arg) \ -SSL_CTX_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG,0, (void *)arg) +SSL_CTX_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG,0,(void *)arg) #define SSL_CTX_set_tlsext_ticket_key_cb(ssl, cb) \ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb) diff --git a/lib/libtls/Makefile b/lib/libtls/Makefile index 76efebb91d..ca090080e3 100644 --- a/lib/libtls/Makefile +++ b/lib/libtls/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.32 2017/08/13 19:42:33 doug Exp $ +# $OpenBSD: Makefile,v 1.33 2018/02/08 05:56:49 jsing Exp $ .include .ifndef NOMAN @@ -32,6 +32,7 @@ SRCS= tls.c \ tls_client.c \ tls_config.c \ tls_conninfo.c \ + tls_keypair.c \ tls_peer.c \ tls_server.c \ tls_util.c \ diff --git a/lib/libtls/Symbols.list b/lib/libtls/Symbols.list index 1e7538cfd4..923924fc40 100644 --- a/lib/libtls/Symbols.list +++ b/lib/libtls/Symbols.list 
@@ -42,6 +42,7 @@ tls_config_set_ocsp_staple_file tls_config_set_protocols tls_config_set_session_id tls_config_set_session_lifetime +tls_config_set_session_fd tls_config_set_verify_depth tls_config_skip_private_key_check tls_config_verify @@ -51,6 +52,7 @@ tls_configure tls_conn_alpn_selected tls_conn_cipher tls_conn_servername +tls_conn_session_resumed tls_conn_version tls_connect tls_connect_cbs diff --git a/lib/libtls/man/tls_config_set_session_id.3 b/lib/libtls/man/tls_config_set_session_id.3 index 7106de46df..d969e01e33 100644 --- a/lib/libtls/man/tls_config_set_session_id.3 +++ b/lib/libtls/man/tls_config_set_session_id.3 @@ -1,6 +1,7 @@ -.\" $OpenBSD: tls_config_set_session_id.3,v 1.3 2017/01/28 00:59:36 schwarze Exp $ +.\" $OpenBSD: tls_config_set_session_id.3,v 1.5 2018/02/10 06:07:43 jsing Exp $ .\" .\" Copyright (c) 2017 Claudio Jeker +.\" Copyright (c) 2018 Joel Sing .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -14,10 +15,11 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: January 28 2017 $ +.Dd $Mdocdate: February 10 2018 $ .Dt TLS_CONFIG_SET_SESSION_ID 3 .Os .Sh NAME +.Nm tls_config_set_session_fd , .Nm tls_config_set_session_id , .Nm tls_config_set_session_lifetime , .Nm tls_config_add_ticket_key @@ -25,6 +27,11 @@ .Sh SYNOPSIS .In tls.h .Ft int +.Fo tls_config_set_session_fd +.Fa "struct tls_config *config" +.Fa "int session_fd" +.Fc +.Ft int .Fo tls_config_set_session_id .Fa "struct tls_config *config" .Fa "const unsigned char *session_id" 
@@ -43,18 +50,32 @@ .Fa "size_t keylen" .Fc .Sh DESCRIPTION +.Fn tls_config_set_session_fd +sets a file descriptor to be used to manage data for TLS sessions (client only). +The given file descriptor must be a regular file and be owned by the current +user, with permissions being restricted to only allow the owner to read and +write the file (0600). +If the file has a non-zero length, the client will attempt to read session +data from this file and resume the previous TLS session with the server. +Upon a successful handshake the file will be updated with current session +data, if available. +The caller is responsible for closing this file descriptor, after all TLS +contexts that have been configured to use it have been freed via +.Fn tls_free . +.Pp .Fn tls_config_set_session_id sets the session identifier that will be used by the TLS server when -sessions are enabled. +sessions are enabled (server only). By default a random value is used. .Pp .Fn tls_config_set_session_lifetime -sets the lifetime to be used for TLS sessions. +sets the lifetime to be used for TLS sessions (server only). Session support is disabled if a lifetime of zero is specified, which is the default. .Pp .Fn tls_config_add_ticket_key -adds a key used for the encryption and authentication of TLS tickets. +adds a key used for the encryption and authentication of TLS tickets +(server only). By default keys are generated and rotated automatically based on their lifetime. This function should only be used to synchronise ticket encryption key across multiple processes. @@ -69,7 +90,16 @@ These functions return 0 on success or -1 on error. .Xr tls_load_file 3 , .Xr tls_server 3 .Sh HISTORY -These functions appeared in +.Fn tls_config_set_session_id , +.Fn tls_config_set_session_lifetime +and +.Fn tls_config_add_ticket_key +appeared in .Ox 6.1 . +.Pp +.Fn tls_config_set_session_fd +appeared in +.Ox 6.3 . .Sh AUTHORS .An Claudio Jeker Aq Mt claudio@openbsd.org +.An Joel Sing Aq Mt jsing@openbsd.org 
diff --git a/lib/libtls/man/tls_conn_version.3 b/lib/libtls/man/tls_conn_version.3 index 8ac2c9b6b3..d9ee4ac4b6 100644 --- a/lib/libtls/man/tls_conn_version.3 +++ b/lib/libtls/man/tls_conn_version.3 @@ -1,7 +1,7 @@ -.\" $OpenBSD: tls_conn_version.3,v 1.4 2017/01/28 00:59:36 schwarze Exp $ +.\" $OpenBSD: tls_conn_version.3,v 1.7 2018/02/10 04:43:16 jsing Exp $ .\" .\" Copyright (c) 2015 Bob Beck -.\" Copyright (c) 2016 Joel Sing +.\" Copyright (c) 2016, 2018 Joel Sing .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: January 28 2017 $ +.Dd $Mdocdate: February 10 2018 $ .Dt TLS_CONN_VERSION 3 .Os .Sh NAME @@ -23,8 +23,10 @@ .Nm tls_conn_cipher , .Nm tls_conn_alpn_selected , .Nm tls_conn_servername , +.Nm tls_conn_session_resumed , .Nm tls_peer_cert_provided , .Nm tls_peer_cert_contains_name , +.Nm tls_peer_cert_chain_pem , .Nm tls_peer_cert_issuer , .Nm tls_peer_cert_subject , .Nm tls_peer_cert_hash , @@ -42,12 +44,19 @@ .Ft const char * .Fn tls_conn_servername "struct tls *ctx" .Ft int +.Fn tls_conn_session_resumed "struct tls *ctx" +.Ft int .Fn tls_peer_cert_provided "struct tls *ctx" .Ft int .Fo tls_peer_cert_contains_name .Fa "struct tls *ctx" .Fa "const char *name" .Fc +.Ft const uint8_t * +.Fo tls_peer_cert_chain_pem +.Fa struct tls *ctx +.Fa size_t *size +.Fc .Ft const char * .Fn tls_peer_cert_issuer "struct tls *ctx" .Ft const char * 
@@ -84,6 +93,12 @@ returns a string corresponding to the servername that the client connected to .Ar ctx requested by sending a TLS Server Name Indication extension (server only). .Pp +.Fn tls_conn_session_resumed +indicates whether a TLS session has been resumed during the handshake with +the server connected to +.Ar ctx +(client only). +.Pp .Fn tls_peer_cert_provided checks if the peer of .Ar ctx @@ -96,6 +111,11 @@ has provided a certificate that contains a SAN or CN that matches .Ar name . .Pp +.Fn tls_peer_cert_chain_pem +returns a pointer to memory containing a PEM-encoded certificate chain for the +peer certificate from +.Ar ctx . +.Pp .Fn tls_peer_cert_subject returns a string corresponding to the subject of the peer certificate from @@ -135,6 +155,10 @@ POINTER TO .Xr tls_ocsp_process_response 3 .Sh RETURN VALUES The +.Fn tls_conn_session_resumed +function returns 1 if a TLS session was resumed or 0 if it was not. +.Pp +The .Fn tls_peer_cert_provided and .Fn tls_peer_cert_contains_name @@ -172,6 +196,10 @@ and .Fn tls_conn_alpn_selected appeared in .Ox 6.1 . +.Pp +.Fn tls_conn_session_resumed +appeared in +.Ox 6.3 . .Sh AUTHORS .An Bob Beck Aq Mt beck@openbsd.org .An Joel Sing Aq Mt jsing@openbsd.org diff --git a/lib/libtls/man/tls_init.3 b/lib/libtls/man/tls_init.3 index c83c0375ab..f5f63fa326 100644 --- a/lib/libtls/man/tls_init.3 +++ b/lib/libtls/man/tls_init.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: tls_init.3,v 1.7 2017/05/06 21:18:48 jsing Exp $ +.\" $OpenBSD: tls_init.3,v 1.11 2018/03/19 16:34:47 jsing Exp $ .\" .\" Copyright (c) 2014 Ted Unangst .\" Copyright (c) 2016 Joel Sing @@ -16,7 +16,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: May 6 2017 $ +.Dd $Mdocdate: March 19 2018 $ .Dt TLS_INIT 3 .Os .Sh NAME 
@@ -45,8 +45,9 @@ Both clients and servers are supported. The .Fn tls_init function initializes global data structures. -It should be called once before any other functions. -It may be called more than once, but not concurrently. +It may be called once before any other functions, however this is no +longer necessary since it will be handled internally on demand. +It may be called more than once, and may be called concurrently. .Pp Before a connection is created, a configuration must be created. The diff --git a/lib/libtls/man/tls_load_file.3 b/lib/libtls/man/tls_load_file.3 index 957e65503e..d487009756 100644 --- a/lib/libtls/man/tls_load_file.3 +++ b/lib/libtls/man/tls_load_file.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: tls_load_file.3,v 1.8 2017/08/01 08:41:36 jmc Exp $ +.\" $OpenBSD: tls_load_file.3,v 1.9 2017/10/08 06:56:36 jmc Exp $ .\" .\" Copyright (c) 2014 Ted Unangst .\" Copyright (c) 2015 Reyk Floeter @@ -17,7 +17,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: August 1 2017 $ +.Dd $Mdocdate: October 8 2017 $ .Dt TLS_LOAD_FILE 3 .Os .Sh NAME @@ -255,11 +255,11 @@ sets the files from which the public certificate, and private key will be read. directly sets the public certificate, and private key from memory. .Pp .Fn tls_config_set_keypair_ocsp_file -sets the files from which the public certificate, private key, and DER encoded +sets the files from which the public certificate, private key, and DER-encoded OCSP staple will be read. .Pp .Fn tls_config_set_keypair_ocsp_mem -directly sets the public certificate, private key, and DER encoded OCSP staple +directly sets the public certificate, private key, and DER-encoded OCSP staple from memory. .Pp .Fn tls_config_add_keypair_file 
@@ -271,12 +271,12 @@ adds an additional public certificate, and private key from memory, used as an alternative certificate for Server Name Indication (server only). .Pp .Fn tls_config_add_keypair_ocsp_file -adds an additional public certificate, private key, and DER encoded OCSP staple +adds an additional public certificate, private key, and DER-encoded OCSP staple from the specified files, used as an alternative certificate for Server Name Indication (server only). .Pp .Fn tls_config_add_keypair_ocsp_mem -adds an additional public certificate, private key, and DER encoded OCSP staple +adds an additional public certificate, private key, and DER-encoded OCSP staple from memory, used as an alternative certificate for Server Name Indication (server only). .Pp diff --git a/lib/libtls/shlib_version b/lib/libtls/shlib_version index 796ed4662c..730231c38d 100644 --- a/lib/libtls/shlib_version +++ b/lib/libtls/shlib_version @@ -1,2 +1,2 @@ -major=16 +major=17 minor=1 diff --git a/lib/libtls/tls.c b/lib/libtls/tls.c index f07c4c6deb..467db164d5 100644 --- a/lib/libtls/tls.c +++ b/lib/libtls/tls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.c,v 1.71 2017/09/20 17:05:17 jsing Exp $ */ +/* $OpenBSD: tls.c,v 1.79 2018/03/19 16:34:47 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -19,6 +19,7 @@ #include #include +#include #include #include 
@@ -35,28 +36,34 @@ static struct tls_config *tls_config_default; -int -tls_init(void) -{ - static int tls_initialised = 0; - - if (tls_initialised) - return (0); +static int tls_init_rv = -1; +static void +tls_do_init(void) +{ SSL_load_error_strings(); SSL_library_init(); if (BIO_sock_init() != 1) - return (-1); + return; - if ((tls_config_default = tls_config_new()) == NULL) - return (-1); + if ((tls_config_default = tls_config_new_internal()) == NULL) + return; tls_config_default->refcount++; - tls_initialised = 1; + tls_init_rv = 0; +} - return (0); +int +tls_init(void) +{ + static pthread_once_t once = PTHREAD_ONCE_INIT; + + if (pthread_once(&once, tls_do_init) != 0) + return -1; + + return tls_init_rv; } const char * @@ -269,7 +276,9 @@ tls_cert_hash(X509 *cert, char **hash) char d[EVP_MAX_MD_SIZE], *dhex = NULL; int dlen, rv = -1; + free(*hash); *hash = NULL; + if (X509_digest(cert, EVP_sha256(), d, &dlen) != 1) goto err; @@ -288,23 +297,15 @@ tls_cert_hash(X509 *cert, char **hash) return (rv); } -static int -tls_keypair_pubkey_hash(struct tls_keypair *keypair, char **hash) +int +tls_cert_pubkey_hash(X509 *cert, char **hash) { - BIO *membio = NULL; - X509 *cert = NULL; char d[EVP_MAX_MD_SIZE], *dhex = NULL; int dlen, rv = -1; + free(*hash); *hash = NULL; - if ((membio = BIO_new_mem_buf(keypair->cert_mem, - keypair->cert_len)) == NULL) - goto err; - if ((cert = PEM_read_bio_X509_AUX(membio, NULL, tls_password_cb, - NULL)) == NULL) - goto err; - if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1) goto err; @@ -320,13 +321,10 @@ tls_keypair_pubkey_hash(struct tls_keypair *keypair, char **hash) err: free(dhex); - X509_free(cert); - BIO_free(membio); return (rv); } - int tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, struct tls_keypair *keypair, int required) 
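Review bot: With pthread_once() in the new tls_init(), a failure inside tls_do_init() becomes permanent for the process: if BIO_sock_init() or tls_config_new_internal() fails once, tls_init_rv stays -1 and the initialiser is never run again, whereas the removed code retried on the next call because tls_initialised was only set on success. If that is intended, it deserves a comment on tls_init_rv, for example `/* Set once by tls_do_init(); a failed initialisation is not retried. */`. Callers that now reach tls_init() implicitly (tls_client() and tls_config_new() elsewhere in this diff) inherit the same behaviour.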
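Review bot: The added `free(*hash);` in tls_cert_hash() changes the contract for callers: *hash must now be NULL or a pointer previously obtained from the allocator, and passing the address of an uninitialised pointer would free garbage. The same line is added to tls_cert_pubkey_hash() in the following hunk. A comment above both functions stating this, e.g. `/* *hash must be NULL or heap-allocated; it is freed and replaced. */`, would make the requirement visible; the callers are outside these hunks, so whether all of them initialise the pointer cannot be checked here. Both function bodies extend beyond the hunks shown.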
@@ -350,8 +348,6 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, tls_set_errorx(ctx, "failed to load certificate"); goto err; } - if (tls_keypair_pubkey_hash(keypair, &keypair->pubkey_hash) == -1) - goto err; } if (keypair->key_mem != NULL) { diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h index cc8627f2af..9f5379e65e 100644 --- a/lib/libtls/tls.h +++ b/lib/libtls/tls.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.h,v 1.51 2017/08/10 18:18:30 jsing Exp $ */ +/* $OpenBSD: tls.h,v 1.53 2018/02/10 04:58:08 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -27,7 +27,7 @@ extern "C" { #include #include -#define TLS_API 20170126 +#define TLS_API 20180210 #define TLS_PROTOCOL_TLSv1_0 (1 << 1) #define TLS_PROTOCOL_TLSv1_1 (1 << 2) @@ -128,6 +128,7 @@ int tls_config_set_ocsp_staple_mem(struct tls_config *_config, int tls_config_set_ocsp_staple_file(struct tls_config *_config, const char *_staple_file); int tls_config_set_protocols(struct tls_config *_config, uint32_t _protocols); +int tls_config_set_session_fd(struct tls_config *_config, int _session_fd); int tls_config_set_verify_depth(struct tls_config *_config, int _verify_depth); void tls_config_prefer_ciphers_client(struct tls_config *_config); @@ -188,6 +189,7 @@ const uint8_t *tls_peer_cert_chain_pem(struct tls *_ctx, size_t *_len); const char *tls_conn_alpn_selected(struct tls *_ctx); const char *tls_conn_cipher(struct tls *_ctx); const char *tls_conn_servername(struct tls *_ctx); +int tls_conn_session_resumed(struct tls *_ctx); const char *tls_conn_version(struct tls *_ctx); uint8_t *tls_load_file(const char *_file, size_t *_len, char *_password); diff --git a/lib/libtls/tls_client.c b/lib/libtls/tls_client.c index c79f462a3a..04e44020ef 100644 --- a/lib/libtls/tls_client.c +++ b/lib/libtls/tls_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_client.c,v 1.43 2017/08/10 18:18:30 jsing Exp $ */ +/* $OpenBSD: tls_client.c,v 1.45 2018/03/19 16:34:47 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * 
@@ -17,10 +17,12 @@ #include #include +#include #include #include +#include #include #include #include @@ -36,6 +38,9 @@ tls_client(void) { struct tls *ctx; + if (tls_init() == -1) + return (NULL); + if ((ctx = tls_new()) == NULL) return (NULL); 
@@ -159,6 +164,118 @@ tls_connect_servername(struct tls *ctx, const char *host, const char *port, } static int +tls_client_read_session(struct tls *ctx) +{ + int sfd = ctx->config->session_fd; + uint8_t *session = NULL; + size_t session_len = 0; + SSL_SESSION *ss = NULL; + BIO *bio = NULL; + struct stat sb; + ssize_t n; + int rv = -1; + + if (fstat(sfd, &sb) == -1) { + tls_set_error(ctx, "failed to stat session file"); + goto err; + } + if (sb.st_size < 0 || sb.st_size > INT_MAX) { + tls_set_errorx(ctx, "invalid session file size"); + goto err; + } + session_len = (size_t)sb.st_size; + + /* A zero size file means that we do not yet have a valid session. */ + if (session_len == 0) + goto done; + + if ((session = malloc(session_len)) == NULL) + goto err; + + n = pread(sfd, session, session_len, 0); + if (n < 0 || (size_t)n != session_len) { + tls_set_error(ctx, "failed to read session file"); + goto err; + } + if ((bio = BIO_new_mem_buf(session, session_len)) == NULL) + goto err; + if ((ss = PEM_read_bio_SSL_SESSION(bio, NULL, tls_password_cb, + NULL)) == NULL) { + tls_set_errorx(ctx, "failed to parse session"); + goto err; + } + + if (SSL_set_session(ctx->ssl_conn, ss) != 1) { + tls_set_errorx(ctx, "failed to set session"); + goto err; + } + + done: + rv = 0; + + err: + freezero(session, session_len); + SSL_SESSION_free(ss); + BIO_free(bio); + + return rv; +} + +static int +tls_client_write_session(struct tls *ctx) +{ + int sfd = ctx->config->session_fd; + SSL_SESSION *ss = NULL; + BIO *bio = NULL; + long data_len; + char *data; + off_t offset; + size_t len; + ssize_t n; + int rv = -1; + + if ((ss = SSL_get1_session(ctx->ssl_conn)) == NULL) { + if (ftruncate(sfd, 0) == -1) { + tls_set_error(ctx, "failed to truncate session file"); + goto err; + } + goto done; + } + + if ((bio = BIO_new(BIO_s_mem())) == NULL) + goto err; + if (PEM_write_bio_SSL_SESSION(bio, ss) == 0) + goto err; + if ((data_len = BIO_get_mem_data(bio, &data)) <= 0) + goto err; + + len = 
(size_t)data_len; + offset = 0; + + if (ftruncate(sfd, len) == -1) { + tls_set_error(ctx, "failed to truncate session file"); + goto err; + } + while (len > 0) { + if ((n = pwrite(sfd, data + offset, len, offset)) == -1) { + tls_set_error(ctx, "failed to write session file"); + goto err; + } + offset += n; + len -= n; + } + + done: + rv = 0; + + err: + SSL_SESSION_free(ss); + BIO_free_all(bio); + + return (rv); +} + +static int tls_connect_common(struct tls *ctx, const char *servername) { union tls_addr addrbuf; @@ -221,6 +338,12 @@ tls_connect_common(struct tls *ctx, const char *servername) goto err; } + if (ctx->config->session_fd != -1) { + SSL_clear_options(ctx->ssl_conn, SSL_OP_NO_TICKET); + if (tls_client_read_session(ctx) == -1) + goto err; + } + if (SSL_set_tlsext_status_type(ctx->ssl_conn, TLSEXT_STATUSTYPE_ocsp) != 1) { tls_set_errorx(ctx, "ssl OCSP extension setup failure"); goto err; @@ -336,6 +459,12 @@ tls_handshake_client(struct tls *ctx) } ctx->state |= TLS_HANDSHAKE_COMPLETE; + + if (ctx->config->session_fd != -1) { + if (tls_client_write_session(ctx) == -1) + goto err; + } + rv = 0; err: diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c index e7a746d30b..6094c74265 100644 --- a/lib/libtls/tls_config.c +++ b/lib/libtls/tls_config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_config.c,v 1.44.4.1 2017/12/09 16:49:17 jsing Exp $ */ +/* $OpenBSD: tls_config.c,v 1.51.2.1 2018/04/18 16:29:11 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * 
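Review bot: In tls_client_write_session(), a failure part-way through the pwrite() loop leaves the file at its new length with incomplete PEM data, and tls_client_read_session() treats a non-empty file that fails to parse as a hard error, so one interrupted write can make every later connection using that descriptor fail until the file is emptied. Truncating on the error path avoids that: add `(void)ftruncate(sfd, 0);` before the `goto err` that follows "failed to write session file". The BIO_new(), PEM_write_bio_SSL_SESSION() and BIO_get_mem_data() failure paths also jump to err without setting an error message, so the caller gets -1 with no explanation. The ownership and 0600 checks described in the man page are not in these two functions; presumably they are enforced where session_fd is set, which is outside this part of the diff.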
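Review bot: In tls_handshake_client(), the new call to tls_client_write_session() runs after `ctx->state |= TLS_HANDSHAKE_COMPLETE` and jumps to err on failure, so a problem writing the session cache file is reported to the caller as a failed handshake even though the TLS handshake itself succeeded and the state flag says so. If that is deliberate, a comment such as `/* A session file write failure is fatal even though the handshake completed. */` would document it; otherwise the result of the write could be ignored so that session caching stays best-effort. The function starts and ends outside the hunk, so the value returned on the err path is assumed to be -1.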
@@ -24,127 +24,8 @@ #include #include -#include "tls_internal.h" - -static int -set_string(const char **dest, const char *src) -{ - free((char *)*dest); - *dest = NULL; - if (src != NULL) - if ((*dest = strdup(src)) == NULL) - return -1; - return 0; -} - -static void * -memdup(const void *in, size_t len) -{ - void *out; - - if ((out = malloc(len)) == NULL) - return NULL; - memcpy(out, in, len); - return out; -} - -static int -set_mem(char **dest, size_t *destlen, const void *src, size_t srclen) -{ - free(*dest); - *dest = NULL; - *destlen = 0; - if (src != NULL) - if ((*dest = memdup(src, srclen)) == NULL) - return -1; - *destlen = srclen; - return 0; -} - -static struct tls_keypair * -tls_keypair_new(void) -{ - return calloc(1, sizeof(struct tls_keypair)); -} - -static void -tls_keypair_clear_key(struct tls_keypair *keypair) -{ - freezero(keypair->key_mem, keypair->key_len); - keypair->key_mem = NULL; - keypair->key_len = 0; -} - -static int -tls_keypair_set_cert_file(struct tls_keypair *keypair, struct tls_error *error, - const char *cert_file) -{ - return tls_config_load_file(error, "certificate", cert_file, - &keypair->cert_mem, &keypair->cert_len); -} - -static int -tls_keypair_set_cert_mem(struct tls_keypair *keypair, const uint8_t *cert, - size_t len) -{ - return set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len); -} - -static int -tls_keypair_set_key_file(struct tls_keypair *keypair, struct tls_error *error, - const char *key_file) -{ - tls_keypair_clear_key(keypair); - return tls_config_load_file(error, "key", key_file, - &keypair->key_mem, &keypair->key_len); -} - -static int -tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key, - size_t len) -{ - tls_keypair_clear_key(keypair); - return set_mem(&keypair->key_mem, &keypair->key_len, key, len); -} - -static int -tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair, - struct tls_error *error, const char *ocsp_file) -{ - return tls_config_load_file(error, "ocsp", 
ocsp_file, - &keypair->ocsp_staple, &keypair->ocsp_staple_len); -} - -static int -tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair, - const uint8_t *staple, size_t len) -{ - return set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len, staple, - len); -} - -static void -tls_keypair_clear(struct tls_keypair *keypair) -{ - tls_keypair_set_cert_mem(keypair, NULL, 0); - tls_keypair_set_key_mem(keypair, NULL, 0); -} - -static void -tls_keypair_free(struct tls_keypair *keypair) -{ - if (keypair == NULL) - return; - - tls_keypair_clear(keypair); - free(keypair->cert_mem); - free(keypair->key_mem); - free(keypair->ocsp_staple); - free(keypair->pubkey_hash); - - free(keypair); -} +#include "tls_internal.h" int tls_config_load_file(struct tls_error *error, const char *filetype, @@ -161,31 +42,31 @@ tls_config_load_file(struct tls_error *error, const char *filetype, if ((fd = open(filename, O_RDONLY)) == -1) { tls_error_set(error, "failed to open %s file '%s'", filetype, filename); - goto fail; + goto err; } if (fstat(fd, &st) != 0) { tls_error_set(error, "failed to stat %s file '%s'", filetype, filename); - goto fail; + goto err; } if (st.st_size < 0) - goto fail; + goto err; *len = (size_t)st.st_size; if ((*buf = malloc(*len)) == NULL) { tls_error_set(error, "failed to allocate buffer for " "%s file", filetype); - goto fail; + goto err; } n = read(fd, *buf, *len); if (n < 0 || (size_t)n != *len) { tls_error_set(error, "failed to read %s file '%s'", filetype, filename); - goto fail; + goto err; } close(fd); return 0; - fail: + err: if (fd != -1) close(fd); freezero(*buf, *len); @@ -196,7 +77,7 @@ tls_config_load_file(struct tls_error *error, const char *filetype, } struct tls_config * -tls_config_new(void) +tls_config_new_internal(void) { struct tls_config *config; unsigned char sid[TLS_MAX_SESSION_ID_LENGTH]; @@ -208,6 +89,7 @@ tls_config_new(void) goto err; config->refcount = 1; + config->session_fd = -1; /* * Default configuration. 
@@ -246,6 +128,15 @@ tls_config_new(void) return (NULL); } +struct tls_config * +tls_config_new(void) +{ + if (tls_init() == -1) + return (NULL); + + return tls_config_new_internal(); +} + void tls_config_free(struct tls_config *config) { @@ -298,10 +189,7 @@ tls_config_clear_keys(struct tls_config *config) struct tls_keypair *kp; for (kp = config->keypair; kp != NULL; kp = kp->next) - tls_keypair_clear(kp); - - tls_config_set_ca_mem(config, NULL, 0); - tls_config_set_crl_mem(config, NULL, 0); + tls_keypair_clear_key(kp); } int @@ -469,12 +357,13 @@ tls_config_add_keypair_mem_internal(struct tls_config *config, const uint8_t *ce if ((keypair = tls_keypair_new()) == NULL) return (-1); - if (tls_keypair_set_cert_mem(keypair, cert, cert_len) != 0) + if (tls_keypair_set_cert_mem(keypair, &config->error, cert, cert_len) != 0) goto err; - if (tls_keypair_set_key_mem(keypair, key, key_len) != 0) + if (tls_keypair_set_key_mem(keypair, &config->error, key, key_len) != 0) goto err; if (staple != NULL && - tls_keypair_set_ocsp_staple_mem(keypair, staple, staple_len) != 0) + tls_keypair_set_ocsp_staple_mem(keypair, &config->error, staple, + staple_len) != 0) goto err; tls_config_keypair_add(config, keypair); @@ -529,13 +418,13 @@ tls_config_set_ca_file(struct tls_config *config, const char *ca_file) int tls_config_set_ca_path(struct tls_config *config, const char *ca_path) { - return set_string(&config->ca_path, ca_path); + return tls_set_string(&config->ca_path, ca_path); } int tls_config_set_ca_mem(struct tls_config *config, const uint8_t *ca, size_t len) { - return set_mem(&config->ca_mem, &config->ca_len, ca, len); + return tls_set_mem(&config->ca_mem, &config->ca_len, ca, len); } int @@ -549,7 +438,8 @@ int tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert, size_t len) { - return tls_keypair_set_cert_mem(config->keypair, cert, len); + return tls_keypair_set_cert_mem(config->keypair, &config->error, + cert, len); } int 
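Review bot: tls_config_clear_keys() now scrubs only the private key of each keypair through tls_keypair_clear_key(); the certificate, CA and CRL buffers that the removed lines used to drop stay loaded afterwards. That narrowing is invisible at the call site, so I would put a comment above the loop, for example `/* Scrubs private key material only; certificates, CA and CRL data remain loaded. */`. Callers that relied on the old behaviour to release CA or CRL memory now have to call `tls_config_set_ca_mem(config, NULL, 0)` and `tls_config_set_crl_mem(config, NULL, 0)` themselves. The function's opening lines are outside the hunk.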
@@ -571,17 +461,17 @@ tls_config_set_ciphers(struct tls_config *config, const char *ciphers) if ((ssl_ctx = SSL_CTX_new(SSLv23_method())) == NULL) { tls_config_set_errorx(config, "out of memory"); - goto fail; + goto err; } if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) != 1) { tls_config_set_errorx(config, "no ciphers for '%s'", ciphers); - goto fail; + goto err; } SSL_CTX_free(ssl_ctx); - return set_string(&config->ciphers, ciphers); + return tls_set_string(&config->ciphers, ciphers); - fail: + err: SSL_CTX_free(ssl_ctx); return -1; } @@ -597,7 +487,7 @@ int tls_config_set_crl_mem(struct tls_config *config, const uint8_t *crl, size_t len) { - return set_mem(&config->crl_mem, &config->crl_len, crl, len); + return tls_set_mem(&config->crl_mem, &config->crl_len, crl, len); } int @@ -624,17 +514,16 @@ tls_config_set_dheparams(struct tls_config *config, const char *params) int tls_config_set_ecdhecurve(struct tls_config *config, const char *curve) { - if (strchr(curve, ',') != NULL || strchr(curve, ':') != NULL) { + if (curve == NULL || + strcasecmp(curve, "none") == 0 || + strcasecmp(curve, "auto") == 0) { + curve = TLS_ECDHE_CURVES; + } else if (strchr(curve, ',') != NULL || strchr(curve, ':') != NULL) { tls_config_set_errorx(config, "invalid ecdhe curve '%s'", curve); return (-1); } - if (curve == NULL || - strcasecmp(curve, "none") == 0 || - strcasecmp(curve, "auto") == 0) - curve = TLS_ECDHE_CURVES; - return tls_config_set_ecdhecurves(config, curve); } @@ -710,7 +599,8 @@ int tls_config_set_key_mem(struct tls_config *config, const uint8_t *key, size_t len) { - return tls_keypair_set_key_mem(config->keypair, key, len); + return tls_keypair_set_key_mem(config->keypair, &config->error, + key, len); } static int 
@@ -789,6 +679,44 @@ tls_config_set_protocols(struct tls_config *config, uint32_t protocols) } int +tls_config_set_session_fd(struct tls_config *config, int session_fd) +{ + struct stat sb; + mode_t mugo; + + if (session_fd == -1) { + config->session_fd = session_fd; + return (0); + } + + if (fstat(session_fd, &sb) == -1) { + tls_config_set_error(config, "failed to stat session file"); + return (-1); + } + if (!S_ISREG(sb.st_mode)) { + tls_config_set_errorx(config, + "session file is not a regular file"); + return (-1); + } + + if (sb.st_uid != getuid()) { + tls_config_set_errorx(config, "session file has incorrect " + "owner (uid %i != %i)", sb.st_uid, getuid()); + return (-1); + } + mugo = sb.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO); + if (mugo != (S_IRUSR|S_IWUSR)) { + tls_config_set_errorx(config, "session file has incorrect " + "permissions (%o != 600)", mugo); + return (-1); + } + + config->session_fd = session_fd; + + return (0); +} + +int tls_config_set_verify_depth(struct tls_config *config, int verify_depth) { config->verify_depth = verify_depth; @@ -869,7 +797,8 @@ int tls_config_set_ocsp_staple_mem(struct tls_config *config, const uint8_t *staple, size_t len) { - return tls_keypair_set_ocsp_staple_mem(config->keypair, staple, len); + return tls_keypair_set_ocsp_staple_mem(config->keypair, &config->error, + staple, len); } int diff --git a/lib/libtls/tls_conninfo.c b/lib/libtls/tls_conninfo.c index e3820988e8..8e479ed84c 100644 --- a/lib/libtls/tls_conninfo.c +++ b/lib/libtls/tls_conninfo.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_conninfo.c,v 1.16 2017/08/27 01:39:26 beck Exp $ */ +/* $OpenBSD: tls_conninfo.c,v 1.20 2018/02/10 04:48:44 jsing Exp $ */ /* * Copyright (c) 2015 Joel Sing * Copyright (c) 2015 Bob Beck @@ -185,8 +185,6 @@ tls_conninfo_cert_pem(struct tls *ctx) BIO *membio = NULL; BUF_MEM *bptr = NULL; - if (ctx->conninfo == NULL) - goto err; if (ctx->ssl_peer_cert == NULL) return 0; if ((membio = BIO_new(BIO_s_mem()))== NULL) 
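Review bot: In tls_config_set_session_fd() the two tls_config_set_errorx() calls pass `sb.st_uid`, `getuid()` and `mugo` to `%i` and `%o` without casts; uid_t and mode_t are not guaranteed to be int-sized or signed, so the arguments should be cast, e.g. `"owner (uid %u != %u)", (unsigned int)sb.st_uid, (unsigned int)getuid()` and `(unsigned int)mugo`. The owner test compares against the real uid; if this library can be loaded by a set-uid program the effective uid may be the intended reference, and a comment should say which one is meant. The checks describe the descriptor only at the time of the call, so the function comment should also state that the caller keeps ownership of session_fd and that later mode or owner changes are not re-checked (nothing in this hunk does so).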
@@ -221,6 +219,14 @@ tls_conninfo_cert_pem(struct tls *ctx) return rv; } +static int +tls_conninfo_session(struct tls *ctx) +{ + ctx->conninfo->session_resumed = SSL_session_reused(ctx->ssl_conn); + + return 0; +} + int tls_conninfo_populate(struct tls *ctx) { @@ -238,8 +244,7 @@ tls_conninfo_populate(struct tls *ctx) if ((tmp = SSL_get_cipher(ctx->ssl_conn)) == NULL) goto err; - ctx->conninfo->cipher = strdup(tmp); - if (ctx->conninfo->cipher == NULL) + if ((ctx->conninfo->cipher = strdup(tmp)) == NULL) goto err; if (ctx->servername != NULL) { @@ -250,8 +255,7 @@ tls_conninfo_populate(struct tls *ctx) if ((tmp = SSL_get_version(ctx->ssl_conn)) == NULL) goto err; - ctx->conninfo->version = strdup(tmp); - if (ctx->conninfo->version == NULL) + if ((ctx->conninfo->version = strdup(tmp)) == NULL) goto err; if (tls_get_peer_cert_info(ctx) == -1) @@ -260,6 +264,9 @@ tls_conninfo_populate(struct tls *ctx) if (tls_conninfo_cert_pem(ctx) == -1) goto err; + if (tls_conninfo_session(ctx) == -1) + goto err; + return (0); err: @@ -276,24 +283,15 @@ tls_conninfo_free(struct tls_conninfo *conninfo) return; free(conninfo->alpn); - conninfo->alpn = NULL; free(conninfo->cipher); - conninfo->cipher = NULL; free(conninfo->servername); - conninfo->servername = NULL; free(conninfo->version); - conninfo->version = NULL; free(conninfo->hash); - conninfo->hash = NULL; free(conninfo->issuer); - conninfo->issuer = NULL; free(conninfo->subject); - conninfo->subject = NULL; free(conninfo->peer_cert); - conninfo->peer_cert = NULL; - conninfo->peer_cert_len = 0; free(conninfo); } @@ -322,6 +320,14 @@ tls_conn_servername(struct tls *ctx) return (ctx->conninfo->servername); } +int +tls_conn_session_resumed(struct tls *ctx) +{ + if (ctx->conninfo == NULL) + return (0); + return (ctx->conninfo->session_resumed); +} + const char * tls_conn_version(struct tls *ctx) { @@ -329,4 +335,3 @@ tls_conn_version(struct tls *ctx) return (NULL); return (ctx->conninfo->version); } - 
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h index f378ea5466..1746a1aabc 100644 --- a/lib/libtls/tls_internal.h +++ b/lib/libtls/tls_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_internal.h,v 1.65 2017/09/20 17:05:17 jsing Exp $ */ +/* $OpenBSD: tls_internal.h,v 1.71.2.1 2018/04/18 16:29:11 jsing Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas * Copyright (c) 2014 Joel Sing @@ -95,6 +95,7 @@ struct tls_config { int ocsp_require_stapling; uint32_t protocols; unsigned char session_id[TLS_MAX_SESSION_ID_LENGTH]; + int session_fd; int session_lifetime; struct tls_ticket_key ticket_keys[TLS_NUM_TICKETS]; uint32_t ticket_keyrev; @@ -111,6 +112,7 @@ struct tls_conninfo { char *alpn; char *cipher; char *servername; + int session_resumed; char *version; char *hash; 
@@ -192,9 +194,34 @@ struct tls { void *cb_arg; }; +int tls_set_mem(char **_dest, size_t *_destlen, const void *_src, + size_t _srclen); +int tls_set_string(const char **_dest, const char *_src); + +struct tls_keypair *tls_keypair_new(void); +void tls_keypair_clear_key(struct tls_keypair *_keypair); +void tls_keypair_clear(struct tls_keypair *_keypair); +void tls_keypair_free(struct tls_keypair *_keypair); +int tls_keypair_set_cert_file(struct tls_keypair *_keypair, + struct tls_error *_error, const char *_cert_file); +int tls_keypair_set_cert_mem(struct tls_keypair *_keypair, + struct tls_error *_error, const uint8_t *_cert, size_t _len); +int tls_keypair_set_key_file(struct tls_keypair *_keypair, + struct tls_error *_error, const char *_key_file); +int tls_keypair_set_key_mem(struct tls_keypair *_keypair, + struct tls_error *_error, const uint8_t *_key, size_t _len); +int tls_keypair_set_ocsp_staple_file(struct tls_keypair *_keypair, + struct tls_error *_error, const char *_ocsp_file); +int tls_keypair_set_ocsp_staple_mem(struct tls_keypair *_keypair, + struct tls_error *_error, const uint8_t *_staple, size_t _len); +int tls_keypair_load_cert(struct tls_keypair *_keypair, + struct tls_error *_error, X509 **_cert); + struct tls_sni_ctx *tls_sni_ctx_new(void); void tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx); +struct tls_config *tls_config_new_internal(void); + struct tls *tls_new(void); struct tls *tls_server_conn(struct tls *ctx); @@ -254,6 +281,7 @@ struct tls_ocsp *tls_ocsp_setup_from_peer(struct tls *ctx); int tls_hex_string(const unsigned char *_in, size_t _inlen, char **_out, size_t *_outlen); int tls_cert_hash(X509 *_cert, char **_hash); +int tls_cert_pubkey_hash(X509 *_cert, char **_hash); int tls_password_cb(char *_buf, int _size, int _rwflag, void *_u); diff --git a/lib/libtls/tls_keypair.c b/lib/libtls/tls_keypair.c new file mode 100644 index 0000000000..64048cf6a2 --- /dev/null +++ b/lib/libtls/tls_keypair.c 
@@ -0,0 +1,178 @@
+/* $OpenBSD: tls_keypair.c,v 1.5.2.1 2018/04/18 16:29:11 jsing Exp $ */
+/*
+ * Copyright (c) 2014 Joel Sing
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include
+#include
+#include
+
+#include
+
+#include "tls_internal.h"
+
+struct tls_keypair *
+tls_keypair_new(void)
+{
+ return calloc(1, sizeof(struct tls_keypair));
+}
+
+void
+tls_keypair_clear_key(struct tls_keypair *keypair)
+{
+ freezero(keypair->key_mem, keypair->key_len);
+ keypair->key_mem = NULL;
+ keypair->key_len = 0;
+}
+
+static int
+tls_keypair_pubkey_hash(struct tls_keypair *keypair, struct tls_error *error)
+{
+ X509 *cert = NULL;
+ int rv = -1;
+
+ free(keypair->pubkey_hash);
+ keypair->pubkey_hash = NULL;
+
+ if (keypair->cert_mem == NULL) {
+ rv = 0;
+ goto done;
+ }
+
+ if (tls_keypair_load_cert(keypair, error, &cert) == -1)
+ goto err;
+ if (tls_cert_pubkey_hash(cert, &keypair->pubkey_hash) == -1)
+ goto err;
+
+ rv = 0;
+
+ err:
+ X509_free(cert);
+ done:
+ return (rv);
+}
+
+int
+tls_keypair_set_cert_file(struct tls_keypair *keypair, struct tls_error *error,
+ const char *cert_file)
+{
+ if (tls_config_load_file(error, "certificate", cert_file,
+ &keypair->cert_mem, &keypair->cert_len) == -1)
+ return -1;
+ return tls_keypair_pubkey_hash(keypair, error);
+}
+
+int
+tls_keypair_set_cert_mem(struct tls_keypair *keypair, struct tls_error *error,
+ const uint8_t *cert, size_t len)
+{
+ if (tls_set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len) == -1)
+ return -1;
+ return tls_keypair_pubkey_hash(keypair, error);
+}
+
+int
+tls_keypair_set_key_file(struct tls_keypair *keypair, struct tls_error *error,
+ const char *key_file)
+{
+ tls_keypair_clear_key(keypair);
+ return tls_config_load_file(error, "key", key_file,
+ &keypair->key_mem, &keypair->key_len);
+}
+
+int
+tls_keypair_set_key_mem(struct tls_keypair *keypair, struct tls_error *error,
+ const uint8_t *key, size_t len)
+{
+ tls_keypair_clear_key(keypair);
+ return tls_set_mem(&keypair->key_mem, &keypair->key_len, key, len);
+}
+
+int
+tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair,
+ struct tls_error *error, const char *ocsp_file)
+{
+ return tls_config_load_file(error, "ocsp", ocsp_file,
+ &keypair->ocsp_staple, &keypair->ocsp_staple_len);
+}
+
+int
+tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
+ struct tls_error *error, const uint8_t *staple, size_t len)
+{
+ return tls_set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len,
+ staple, len);
+}
+
+void
+tls_keypair_clear(struct tls_keypair *keypair)
+{
+ struct tls_error error;
+
+ tls_keypair_set_cert_mem(keypair, &error, NULL, 0);
+ tls_keypair_set_key_mem(keypair, &error, NULL, 0);
+ tls_keypair_set_ocsp_staple_mem(keypair, &error, NULL, 0);
+
+ free(keypair->pubkey_hash);
+ keypair->pubkey_hash = NULL;
+}
+
+void
+tls_keypair_free(struct tls_keypair *keypair)
+{
+ if (keypair == NULL)
+ return;
+
+ tls_keypair_clear(keypair);
+
+ free(keypair);
+}
+
+int
+tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error,
+ X509 **cert)
+{
+ char *errstr = "unknown";
+ BIO *cert_bio = NULL;
+ int ssl_err;
+ int rv = -1;
+
+ X509_free(*cert);
+ *cert = NULL;
+
+ if (keypair->cert_mem == NULL) {
+ tls_error_set(error, "keypair has no certificate");
+ goto err;
+ }
+ if 
((cert_bio = BIO_new_mem_buf(keypair->cert_mem, + keypair->cert_len)) == NULL) { + tls_error_set(error, "failed to create certificate bio"); + goto err; + } + if ((*cert = PEM_read_bio_X509(cert_bio, NULL, tls_password_cb, + NULL)) == NULL) { + if ((ssl_err = ERR_peek_error()) != 0) + errstr = ERR_error_string(ssl_err, NULL); + tls_error_set(error, "failed to load certificate: %s", errstr); + goto err; + } + + rv = 0; + + err: + BIO_free(cert_bio); + + return (rv); +} diff --git a/lib/libtls/tls_ocsp.c b/lib/libtls/tls_ocsp.c index a8835edc8f..17afb8e818 100644 --- a/lib/libtls/tls_ocsp.c +++ b/lib/libtls/tls_ocsp.c @@ -47,11 +47,9 @@ tls_ocsp_free(struct tls_ocsp *ocsp) return; X509_free(ocsp->main_cert); - ocsp->main_cert = NULL; free(ocsp->ocsp_result); - ocsp->ocsp_result = NULL; free(ocsp->ocsp_url); - ocsp->ocsp_url = NULL; + free(ocsp); } @@ -101,23 +99,24 @@ tls_ocsp_fill_info(struct tls *ctx, int response_status, int cert_status, tls_ocsp_asn1_parse_time(ctx, revtime, &info->revocation_time) != 0) { tls_set_error(ctx, "unable to parse revocation time in OCSP reply"); - goto error; + goto err; } if (thisupd != NULL && tls_ocsp_asn1_parse_time(ctx, thisupd, &info->this_update) != 0) { tls_set_error(ctx, "unable to parse this update time in OCSP reply"); - goto error; + goto err; } if (nextupd != NULL && tls_ocsp_asn1_parse_time(ctx, nextupd, &info->next_update) != 0) { tls_set_error(ctx, "unable to parse next update time in OCSP reply"); - goto error; + goto err; } ctx->ocsp->ocsp_result = info; return 0; - error: + + err: free(info); return -1; } 
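Review bot: tls_keypair_clear() in the new tls_keypair.c hands the address of an uninitialised `struct tls_error error;` to the three setters. With a NULL certificate tls_keypair_pubkey_hash() returns before touching it, so nothing reads it today, but any later path that reaches tls_error_set() on this object would presumably work on indeterminate fields; `struct tls_error error = {0};` removes that dependency. Separately, tls_keypair_load_cert() stores the `unsigned long` result of ERR_peek_error() in `int ssl_err`, which can truncate the code before ERR_error_string() formats it; declaring it as `unsigned long ssl_err;` avoids that.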
@@ -162,32 +161,32 @@ tls_ocsp_setup_from_peer(struct tls *ctx) STACK_OF(OPENSSL_STRING) *ocsp_urls = NULL; if ((ocsp = tls_ocsp_new()) == NULL) - goto failed; + goto err; /* steal state from ctx struct */ ocsp->main_cert = SSL_get_peer_certificate(ctx->ssl_conn); ocsp->extra_certs = SSL_get_peer_cert_chain(ctx->ssl_conn); if (ocsp->main_cert == NULL) { tls_set_errorx(ctx, "no peer certificate for OCSP"); - goto failed; + goto err; } ocsp_urls = X509_get1_ocsp(ocsp->main_cert); if (ocsp_urls == NULL) { tls_set_errorx(ctx, "no OCSP URLs in peer certificate"); - goto failed; + goto err; } ocsp->ocsp_url = strdup(sk_OPENSSL_STRING_value(ocsp_urls, 0)); if (ocsp->ocsp_url == NULL) { tls_set_errorx(ctx, "out of memory"); - goto failed; + goto err; } X509_email_free(ocsp_urls); return ocsp; - failed: + err: tls_ocsp_free(ocsp); X509_email_free(ocsp_urls); return NULL; @@ -206,7 +205,7 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp) if ((br = OCSP_response_get1_basic(resp)) == NULL) { tls_set_errorx(ctx, "cannot load ocsp reply"); - goto error; + goto err; } /* @@ -219,7 +218,7 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp) if (OCSP_basic_verify(br, ctx->ocsp->extra_certs, SSL_CTX_get_cert_store(ctx->ssl_ctx), flags) != 1) { tls_set_error(ctx, "ocsp verify failed"); - goto error; + goto err; } /* signature OK, look inside */ 
@@ -227,43 +226,43 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp) if (response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) { tls_set_errorx(ctx, "ocsp verify failed: response - %s", OCSP_response_status_str(response_status)); - goto error; + goto err; } cid = tls_ocsp_get_certid(ctx->ocsp->main_cert, ctx->ocsp->extra_certs, ctx->ssl_ctx); if (cid == NULL) { tls_set_errorx(ctx, "ocsp verify failed: no issuer cert"); - goto error; + goto err; } if (OCSP_resp_find_status(br, cid, &cert_status, &crl_reason, &revtime, &thisupd, &nextupd) != 1) { tls_set_errorx(ctx, "ocsp verify failed: no result for cert"); - goto error; + goto err; } if (OCSP_check_validity(thisupd, nextupd, JITTER_SEC, MAXAGE_SEC) != 1) { tls_set_errorx(ctx, "ocsp verify failed: ocsp response not current"); - goto error; + goto err; } if (tls_ocsp_fill_info(ctx, response_status, cert_status, crl_reason, revtime, thisupd, nextupd) != 0) - goto error; + goto err; /* finally can look at status */ if (cert_status != V_OCSP_CERTSTATUS_GOOD && cert_status != V_OCSP_CERTSTATUS_UNKNOWN) { tls_set_errorx(ctx, "ocsp verify failed: revoked cert - %s", OCSP_crl_reason_str(crl_reason)); - goto error; + goto err; } ret = 0; - error: + err: sk_X509_free(combined); OCSP_CERTID_free(cid); OCSP_BASICRESP_free(br); diff --git a/lib/libtls/tls_server.c b/lib/libtls/tls_server.c index e1011769f6..44bef6bb11 100644 --- a/lib/libtls/tls_server.c +++ b/lib/libtls/tls_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_server.c,v 1.42 2017/09/20 17:05:17 jsing Exp $ */ +/* $OpenBSD: tls_server.c,v 1.44 2018/03/19 16:34:47 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -31,6 +31,9 @@ tls_server(void) { struct tls *ctx; + if (tls_init() == -1) + return (NULL); + if ((ctx = tls_new()) == NULL) return (NULL); 
@@ -204,43 +207,6 @@ tls_server_ticket_cb(SSL *ssl, unsigned char *keyname, unsigned char *iv, } static int -tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error, - X509 **cert) -{ - char *errstr = "unknown"; - BIO *cert_bio = NULL; - int ssl_err; - int rv = -1; - - X509_free(*cert); - *cert = NULL; - - if (keypair->cert_mem == NULL) { - tls_error_set(error, "keypair has no certificate"); - goto err; - } - if ((cert_bio = BIO_new_mem_buf(keypair->cert_mem, - keypair->cert_len)) == NULL) { - tls_error_set(error, "failed to create certificate bio"); - goto err; - } - if ((*cert = PEM_read_bio_X509(cert_bio, NULL, tls_password_cb, - NULL)) == NULL) { - if ((ssl_err = ERR_peek_error()) != 0) - errstr = ERR_error_string(ssl_err, NULL); - tls_error_set(error, "failed to load certificate: %s", errstr); - goto err; - } - - rv = 0; - - err: - BIO_free(cert_bio); - - return (rv); -} - -static int tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx, struct tls_keypair *keypair) { diff --git a/lib/libtls/tls_util.c b/lib/libtls/tls_util.c index aaa3eef49f..b964f65121 100644 --- a/lib/libtls/tls_util.c +++ b/lib/libtls/tls_util.c @@ -1,6 +1,7 @@ -/* $OpenBSD: tls_util.c,v 1.9 2017/06/22 18:03:57 jsing Exp $ */ +/* $OpenBSD: tls_util.c,v 1.12 2018/02/08 07:55:29 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing + * Copyright (c) 2014 Ted Unangst * Copyright (c) 2015 Reyk Floeter * * Permission to use, copy, modify, and distribute this software for any 
@@ -25,6 +26,41 @@ #include "tls.h" #include "tls_internal.h" +static void * +memdup(const void *in, size_t len) +{ + void *out; + + if ((out = malloc(len)) == NULL) + return NULL; + memcpy(out, in, len); + return out; +} + +int +tls_set_mem(char **dest, size_t *destlen, const void *src, size_t srclen) +{ + free(*dest); + *dest = NULL; + *destlen = 0; + if (src != NULL) + if ((*dest = memdup(src, srclen)) == NULL) + return -1; + *destlen = srclen; + return 0; +} + +int +tls_set_string(const char **dest, const char *src) +{ + free((char *)*dest); + *dest = NULL; + if (src != NULL) + if ((*dest = strdup(src)) == NULL) + return -1; + return 0; +} + /* * Extract the host and port from a colon separated value. For a literal IPv6 * address the address must be contained with square braces. If a host and @@ -43,7 +79,7 @@ tls_host_port(const char *hostport, char **host, char **port) *port = NULL; if ((s = strdup(hostport)) == NULL) - goto fail; + goto err; h = p = s; @@ -66,14 +102,14 @@ tls_host_port(const char *hostport, char **host, char **port) *p++ = '\0'; if (asprintf(host, "%s", h) == -1) - goto fail; + goto err; if (asprintf(port, "%s", p) == -1) - goto fail; + goto err; rv = 0; goto done; - fail: + err: free(*host); *host = NULL; free(*port); 
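Review bot: tls_set_mem() assigns `*destlen = srclen` even when `src` is NULL, so a call with a NULL source and a non-zero length leaves a NULL buffer paired with a non-zero length for later users of the pair. Returning early keeps the two consistent: add `if (src == NULL) return 0;` after `*destlen = 0;` and make the copy unconditional, `if ((*dest = memdup(src, srclen)) == NULL) return -1;`. memdup() also treats a NULL return from `malloc(len)` as failure, which for a zero length is implementation-defined and can turn an empty input into an error; a short comment on the accepted lengths would settle that.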
@@ -126,38 +162,38 @@ tls_load_file(const char *name, size_t *len, char *password) /* Just load the file into memory without decryption */ if (password == NULL) { if (fstat(fd, &st) != 0) - goto fail; + goto err; if (st.st_size < 0) - goto fail; + goto err; size = (size_t)st.st_size; if ((buf = malloc(size)) == NULL) - goto fail; + goto err; n = read(fd, buf, size); if (n < 0 || (size_t)n != size) - goto fail; + goto err; close(fd); goto done; } /* Or read the (possibly) encrypted key from file */ if ((fp = fdopen(fd, "r")) == NULL) - goto fail; + goto err; fd = -1; key = PEM_read_PrivateKey(fp, NULL, tls_password_cb, password); fclose(fp); if (key == NULL) - goto fail; + goto err; /* Write unencrypted key to memory buffer */ if ((bio = BIO_new(BIO_s_mem())) == NULL) - goto fail; + goto err; if (!PEM_write_bio_PrivateKey(bio, key, NULL, NULL, 0, NULL, NULL)) - goto fail; + goto err; if ((size = BIO_get_mem_data(bio, &data)) <= 0) - goto fail; + goto err; if ((buf = malloc(size)) == NULL) - goto fail; + goto err; memcpy(buf, data, size); BIO_free_all(bio); @@ -167,7 +203,7 @@ tls_load_file(const char *name, size_t *len, char *password) *len = size; return (buf); - fail: + err: if (fd != -1) close(fd); freezero(buf, size); diff --git a/lib/libtls/tls_verify.c b/lib/libtls/tls_verify.c index 3bd1057d0c..acbe163ffd 100644 --- a/lib/libtls/tls_verify.c +++ b/lib/libtls/tls_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_verify.c,v 1.19 2017/04/10 17:11:13 jsing Exp $ */ +/* $OpenBSD: tls_verify.c,v 1.20 2018/02/05 00:52:24 jsing Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas * 
@@ -215,16 +215,16 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name, subject_name = X509_get_subject_name(cert); if (subject_name == NULL) - goto out; + goto done; common_name_len = X509_NAME_get_text_by_NID(subject_name, NID_commonName, NULL, 0); if (common_name_len < 0) - goto out; + goto done; common_name = calloc(common_name_len + 1, 1); if (common_name == NULL) - goto out; + goto done; X509_NAME_get_text_by_NID(subject_name, NID_commonName, common_name, common_name_len + 1); @@ -236,7 +236,7 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name, "NUL byte in Common Name field, " "probably a malicious certificate", name); rv = -1; - goto out; + goto done; } /* @@ -247,13 +247,13 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name, inet_pton(AF_INET6, name, &addrbuf) == 1) { if (strcmp(common_name, name) == 0) *cn_match = 1; - goto out; + goto done; } if (tls_match_name(common_name, name) == 0) *cn_match = 1; - out: + done: free(common_name); return rv; } diff --git a/usr/src/pkg/manifests/library-libressl.mf b/usr/src/pkg/manifests/library-libressl.mf index 838bec4447..6da6dcf4eb 100644 --- a/usr/src/pkg/manifests/library-libressl.mf +++ b/usr/src/pkg/manifests/library-libressl.mf @@ -1,4 +1,4 @@ -# Copyright 2017 Lauri Tirkkonen +# Copyright 2017-2018 Lauri Tirkkonen # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above @@ -13,7 +13,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. # set name=pkg.fmri \ - value=pkg:/library/libressl@2.6.4,$(PKGVERS_BUILTON)$(PKGVERS_BRANCH) + value=pkg:/library/libressl@2.7.4,$(PKGVERS_BUILTON)$(PKGVERS_BRANCH) set name=pkg.description \ value="LibreSSL - TLS/crypto stack forked from OpenSSL" set name=pkg.summary value="LibreSSL - TLS/crypto stack forked from OpenSSL" 
@@ -107,12 +107,12 @@ file path=usr/include/openssl/x509.h file path=usr/include/openssl/x509_vfy.h file path=usr/include/openssl/x509v3.h file path=usr/include/tls.h -file path=usr/lib/amd64/libcrypto.so.42.0 mode=0555 -file path=usr/lib/amd64/libssl.so.44.1 mode=0555 -file path=usr/lib/amd64/libtls.so.16.1 mode=0555 -file path=usr/lib/libcrypto.so.42.0 mode=0555 -file path=usr/lib/libssl.so.44.1 mode=0555 -file path=usr/lib/libtls.so.16.1 mode=0555 +file path=usr/lib/amd64/libcrypto.so.43.1 mode=0555 +file path=usr/lib/amd64/libssl.so.45.1 mode=0555 +file path=usr/lib/amd64/libtls.so.17.1 mode=0555 +file path=usr/lib/libcrypto.so.43.1 mode=0555 +file path=usr/lib/libssl.so.45.1 mode=0555 +file path=usr/lib/libtls.so.17.1 mode=0555 file path=usr/lib/pkgconfig/libcrypto.pc mode=0444 file path=usr/lib/pkgconfig/libssl.pc mode=0444 file path=usr/lib/pkgconfig/openssl.pc mode=0444 @@ -141,7 +141,9 @@ file path=usr/share/man/man3/BIO_f_md.3 file path=usr/share/man/man3/BIO_f_null.3 file path=usr/share/man/man3/BIO_f_ssl.3 file path=usr/share/man/man3/BIO_find_type.3 +file path=usr/share/man/man3/BIO_get_data.3 file path=usr/share/man/man3/BIO_get_ex_new_index.3 +file path=usr/share/man/man3/BIO_meth_new.3 file path=usr/share/man/man3/BIO_new.3 file path=usr/share/man/man3/BIO_printf.3 file path=usr/share/man/man3/BIO_push.3 @@ -187,6 +189,7 @@ file path=usr/share/man/man3/DES_set_key.3 file path=usr/share/man/man3/DH_generate_key.3 file path=usr/share/man/man3/DH_generate_parameters.3 file path=usr/share/man/man3/DH_get_ex_new_index.3 +file path=usr/share/man/man3/DH_get0_pqg.3 file path=usr/share/man/man3/DH_new.3 file path=usr/share/man/man3/DH_set_method.3 file path=usr/share/man/man3/DH_size.3 
@@ -197,6 +200,8 @@ file path=usr/share/man/man3/DSA_dup_DH.3 file path=usr/share/man/man3/DSA_generate_key.3 file path=usr/share/man/man3/DSA_generate_parameters.3 file path=usr/share/man/man3/DSA_get_ex_new_index.3 +file path=usr/share/man/man3/DSA_get0_pqg.3 +file path=usr/share/man/man3/DSA_meth_new.3 file path=usr/share/man/man3/DSA_new.3 file path=usr/share/man/man3/DSA_set_method.3 file path=usr/share/man/man3/DSA_sign.3 @@ -232,6 +237,8 @@ file path=usr/share/man/man3/EVP_EncryptInit.3 file path=usr/share/man/man3/EVP_OpenInit.3 file path=usr/share/man/man3/EVP_PKEY_CTX_ctrl.3 file path=usr/share/man/man3/EVP_PKEY_CTX_new.3 +file path=usr/share/man/man3/EVP_PKEY_asn1_get_count.3 +file path=usr/share/man/man3/EVP_PKEY_asn1_new.3 file path=usr/share/man/man3/EVP_PKEY_cmp.3 file path=usr/share/man/man3/EVP_PKEY_decrypt.3 file path=usr/share/man/man3/EVP_PKEY_derive.3 @@ -239,6 +246,7 @@ file path=usr/share/man/man3/EVP_PKEY_encrypt.3 file path=usr/share/man/man3/EVP_PKEY_get_default_digest_nid.3 file path=usr/share/man/man3/EVP_PKEY_keygen.3 file path=usr/share/man/man3/EVP_PKEY_meth_get0_info.3 +file path=usr/share/man/man3/EVP_PKEY_meth_new.3 file path=usr/share/man/man3/EVP_PKEY_new.3 file path=usr/share/man/man3/EVP_PKEY_print_private.3 file path=usr/share/man/man3/EVP_PKEY_set1_RSA.3 @@ -265,8 +273,11 @@ file path=usr/share/man/man3/OCSP_sendreq_new.3 file path=usr/share/man/man3/OPENSSL_VERSION_NUMBER.3 file path=usr/share/man/man3/OPENSSL_cleanse.3 file path=usr/share/man/man3/OPENSSL_config.3 +file path=usr/share/man/man3/OPENSSL_init_crypto.3 +file path=usr/share/man/man3/OPENSSL_init_ssl.3 file path=usr/share/man/man3/OPENSSL_load_builtin_modules.3 file path=usr/share/man/man3/OPENSSL_malloc.3 +file path=usr/share/man/man3/OPENSSL_sk_new.3 file path=usr/share/man/man3/OpenSSL_add_all_algorithms.3 file path=usr/share/man/man3/PEM_bytes_read_bio.3 file path=usr/share/man/man3/PEM_read.3 
@@ -300,6 +311,8 @@ file path=usr/share/man/man3/RSA_blinding_on.3 file path=usr/share/man/man3/RSA_check_key.3 file path=usr/share/man/man3/RSA_generate_key.3 file path=usr/share/man/man3/RSA_get_ex_new_index.3 +file path=usr/share/man/man3/RSA_get0_key.3 +file path=usr/share/man/man3/RSA_meth_new.3 file path=usr/share/man/man3/RSA_new.3 file path=usr/share/man/man3/RSA_padding_add_PKCS1_type_1.3 file path=usr/share/man/man3/RSA_print.3 @@ -321,6 +334,7 @@ file path=usr/share/man/man3/SSL_CTX_flush_sessions.3 file path=usr/share/man/man3/SSL_CTX_free.3 file path=usr/share/man/man3/SSL_CTX_get_ex_new_index.3 file path=usr/share/man/man3/SSL_CTX_get_verify_mode.3 +file path=usr/share/man/man3/SSL_CTX_get0_certificate.3 file path=usr/share/man/man3/SSL_CTX_load_verify_locations.3 file path=usr/share/man/man3/SSL_CTX_new.3 file path=usr/share/man/man3/SSL_CTX_sess_number.3 @@ -351,6 +365,7 @@ file path=usr/share/man/man3/SSL_CTX_set_timeout.3 file path=usr/share/man/man3/SSL_CTX_set_tlsext_servername_callback.3 file path=usr/share/man/man3/SSL_CTX_set_tlsext_status_cb.3 file path=usr/share/man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3 +file path=usr/share/man/man3/SSL_CTX_set_tlsext_use_srtp.3 file path=usr/share/man/man3/SSL_CTX_set_tmp_dh_callback.3 file path=usr/share/man/man3/SSL_CTX_set_tmp_rsa_callback.3 file path=usr/share/man/man3/SSL_CTX_set_verify.3 @@ -360,7 +375,9 @@ file path=usr/share/man/man3/SSL_SESSION_get0_peer.3 file path=usr/share/man/man3/SSL_SESSION_get_compress_id.3 file path=usr/share/man/man3/SSL_SESSION_get_ex_new_index.3 file path=usr/share/man/man3/SSL_SESSION_get_id.3 +file path=usr/share/man/man3/SSL_SESSION_get_protocol_version.3 file path=usr/share/man/man3/SSL_SESSION_get_time.3 +file path=usr/share/man/man3/SSL_SESSION_has_ticket.3 file path=usr/share/man/man3/SSL_SESSION_new.3 file path=usr/share/man/man3/SSL_SESSION_print.3 file path=usr/share/man/man3/SSL_SESSION_set1_id_context.3 
@@ -378,6 +395,7 @@ file path=usr/share/man/man3/SSL_get_SSL_CTX.3 file path=usr/share/man/man3/SSL_get_certificate.3 file path=usr/share/man/man3/SSL_get_ciphers.3 file path=usr/share/man/man3/SSL_get_client_CA_list.3 +file path=usr/share/man/man3/SSL_get_client_random.3 file path=usr/share/man/man3/SSL_get_current_cipher.3 file path=usr/share/man/man3/SSL_get_default_timeout.3 file path=usr/share/man/man3/SSL_get_error.3 @@ -415,6 +433,7 @@ file path=usr/share/man/man3/SSL_shutdown.3 file path=usr/share/man/man3/SSL_state_string.3 file path=usr/share/man/man3/SSL_want.3 file path=usr/share/man/man3/SSL_write.3 +file path=usr/share/man/man3/STACK_OF.3 file path=usr/share/man/man3/SXNET_new.3 file path=usr/share/man/man3/TS_REQ_new.3 file path=usr/share/man/man3/UI_UTIL_read_pw.3 @@ -435,6 +454,7 @@ file path=usr/share/man/man3/X509_NAME_add_entry_by_txt.3 file path=usr/share/man/man3/X509_NAME_get_index_by_NID.3 file path=usr/share/man/man3/X509_NAME_new.3 file path=usr/share/man/man3/X509_NAME_print_ex.3 +file path=usr/share/man/man3/X509_OBJECT_get0_X509.3 file path=usr/share/man/man3/X509_PUBKEY_new.3 file path=usr/share/man/man3/X509_REQ_new.3 file path=usr/share/man/man3/X509_REVOKED_new.3 @@ -444,6 +464,7 @@ file path=usr/share/man/man3/X509_STORE_CTX_get_ex_new_index.3 file path=usr/share/man/man3/X509_STORE_CTX_new.3 file path=usr/share/man/man3/X509_STORE_CTX_set_verify_cb.3 file path=usr/share/man/man3/X509_STORE_load_locations.3 +file path=usr/share/man/man3/X509_STORE_new.3 file path=usr/share/man/man3/X509_STORE_set1_param.3 file path=usr/share/man/man3/X509_STORE_set_verify_cb_func.3 file path=usr/share/man/man3/X509_VERIFY_PARAM_set_flags.3 
@@ -457,6 +478,8 @@ file path=usr/share/man/man3/X509_get_pubkey.3
 file path=usr/share/man/man3/X509_get_serialNumber.3
 file path=usr/share/man/man3/X509_get_subject_name.3
 file path=usr/share/man/man3/X509_get_version.3
+file path=usr/share/man/man3/X509_get0_notBefore.3
+file path=usr/share/man/man3/X509_get0_signature.3
 file path=usr/share/man/man3/X509_new.3
 file path=usr/share/man/man3/X509_sign.3
 file path=usr/share/man/man3/X509_verify_cert.3
@@ -517,15 +540,15 @@ file path=usr/share/man/man3/tls_ocsp_process_response.3
 file path=usr/share/man/man3/tls_read.3
 file path=usr/share/man/man5/openssl.cnf.5
 file path=usr/share/man/man5/x509v3.cnf.5
-link path=usr/lib/amd64/libcrypto.so target=libcrypto.so.42.0
-link path=usr/lib/amd64/libcrypto.so.42 target=libcrypto.so.42.0
-link path=usr/lib/amd64/libssl.so target=libssl.so.44.1
-link path=usr/lib/amd64/libssl.so.44 target=libssl.so.44.1
-link path=usr/lib/amd64/libtls.so target=libtls.so.16.1
-link path=usr/lib/amd64/libtls.so.16 target=libtls.so.16.1
-link path=usr/lib/libcrypto.so target=libcrypto.so.42.0
-link path=usr/lib/libcrypto.so.42 target=libcrypto.so.42.0
-link path=usr/lib/libssl.so target=libssl.so.44.1
-link path=usr/lib/libssl.so.44 target=libssl.so.44.1
-link path=usr/lib/libtls.so target=libtls.so.16.1
-link path=usr/lib/libtls.so.16 target=libtls.so.16.1
+link path=usr/lib/amd64/libcrypto.so target=libcrypto.so.43.1
+link path=usr/lib/amd64/libcrypto.so.43 target=libcrypto.so.43.1
+link path=usr/lib/amd64/libssl.so target=libssl.so.45.1
+link path=usr/lib/amd64/libssl.so.45 target=libssl.so.45.1
+link path=usr/lib/amd64/libtls.so target=libtls.so.17.1
+link path=usr/lib/amd64/libtls.so.17 target=libtls.so.17.1
+link path=usr/lib/libcrypto.so target=libcrypto.so.43.1
+link path=usr/lib/libcrypto.so.43 target=libcrypto.so.43.1
+link path=usr/lib/libssl.so target=libssl.so.45.1
+link path=usr/lib/libssl.so.45 target=libssl.so.45.1
+link path=usr/lib/libtls.so target=libtls.so.17.1
+link path=usr/lib/libtls.so.17 target=libtls.so.17.1
-- 
2.11.4.GIT