diff options
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/fingerprints.txt | 3 | ||||
| -rw-r--r-- | doc/man3/OSSL_LIB_CTX.pod | 19 | ||||
| -rw-r--r-- | doc/man3/PEM_read_bio_PrivateKey.pod | 4 | ||||
| -rw-r--r-- | doc/man3/SSL_CONF_cmd.pod | 26 | ||||
| -rw-r--r-- | doc/man3/SSL_CTX_flush_sessions.pod | 19 | ||||
| -rw-r--r-- | doc/man3/SSL_CTX_set_ct_validation_callback.pod | 2 | ||||
| -rw-r--r-- | doc/man3/SSL_CTX_set_verify.pod | 3 | ||||
| -rw-r--r-- | doc/man3/SSL_CTX_use_certificate.pod | 3 | ||||
| -rw-r--r-- | doc/man3/SSL_SESSION_get_time.pod | 28 | ||||
| -rw-r--r-- | doc/man3/d2i_X509.pod | 4 |
10 files changed, 76 insertions, 35 deletions
diff --git a/doc/fingerprints.txt b/doc/fingerprints.txt index 9613cbac98..bdcad14723 100644 --- a/doc/fingerprints.txt +++ b/doc/fingerprints.txt @@ -12,9 +12,6 @@ in the file named openssl-1.0.1h.tar.gz.asc. The following is the list of fingerprints for the keys that are currently in use to sign OpenSSL distributions: -OpenSSL OMC: -EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5 - OpenSSL: BA54 73A2 B058 7B07 FB27 CF2D 2160 94DF D0CB 81EF diff --git a/doc/man3/OSSL_LIB_CTX.pod b/doc/man3/OSSL_LIB_CTX.pod index ad058041d8..a464475a14 100644 --- a/doc/man3/OSSL_LIB_CTX.pod +++ b/doc/man3/OSSL_LIB_CTX.pod @@ -2,8 +2,9 @@ =head1 NAME -OSSL_LIB_CTX, OSSL_LIB_CTX_new, OSSL_LIB_CTX_new_from_dispatch, -OSSL_LIB_CTX_new_child, OSSL_LIB_CTX_free, OSSL_LIB_CTX_load_config, +OSSL_LIB_CTX, OSSL_LIB_CTX_get_data, OSSL_LIB_CTX_new, +OSSL_LIB_CTX_new_from_dispatch, OSSL_LIB_CTX_new_child, +OSSL_LIB_CTX_free, OSSL_LIB_CTX_load_config, OSSL_LIB_CTX_get0_global_default, OSSL_LIB_CTX_set0_default - OpenSSL library context @@ -22,6 +23,7 @@ OSSL_LIB_CTX_get0_global_default, OSSL_LIB_CTX_set0_default void OSSL_LIB_CTX_free(OSSL_LIB_CTX *ctx); OSSL_LIB_CTX *OSSL_LIB_CTX_get0_global_default(void); OSSL_LIB_CTX *OSSL_LIB_CTX_set0_default(OSSL_LIB_CTX *ctx); + void *OSSL_LIB_CTX_get_data(OSSL_LIB_CTX *ctx, int index); =head1 DESCRIPTION @@ -111,6 +113,14 @@ in the mean time. This means that the calling thread must not free the library context that was the default at the start of the async job before that job has finished. +OSSL_LIB_CTX_get_data() returns a memory address whose interpretation depends +on the index. The index argument refers to a context member which is +to be retrieved. The values for index are all private to OpenSSL currently +and so applications should not typically call this function. +If ctx is NULL then the function operates on the default library context. +OSSL_LIB_CTX_get_data() returns a memory address whose interpretation +depends on the index. + =head1 RETURN VALUES OSSL_LIB_CTX_new(), OSSL_LIB_CTX_get0_global_default() and @@ -121,10 +131,15 @@ OSSL_LIB_CTX_free() doesn't return any value. OSSL_LIB_CTX_load_config() returns 1 on success, 0 on error. +OSSL_LIB_CTX_get_data() returns a memory address whose interpretation +depends on the index. + =head1 HISTORY All of the functions described on this page were added in OpenSSL 3.0. +OSSL_LIB_CTX_get_data() was introduced in OpenSSL 3.4. + =head1 COPYRIGHT Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man3/PEM_read_bio_PrivateKey.pod b/doc/man3/PEM_read_bio_PrivateKey.pod index 6e521b268f..290a5eef51 100644 --- a/doc/man3/PEM_read_bio_PrivateKey.pod +++ b/doc/man3/PEM_read_bio_PrivateKey.pod @@ -332,7 +332,9 @@ NULL but I<*x> is NULL then the structure returned will be written to I<*x>. If neither I<x> nor I<*x> is NULL then an attempt is made to reuse the structure at I<*x> (but see BUGS and EXAMPLES sections). Irrespective of the value of I<x> a pointer to the structure is always -returned (or NULL if an error occurred). +returned (or NULL if an error occurred). The caller retains ownership of the +returned object and needs to free it when it is no longer needed, e.g. +using X509_free() for X509 objects or EVP_PKEY_free() for EVP_PKEY objects. The PEM functions which write private keys take an I<enc> parameter which specifies the encryption algorithm to use, encryption is done diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index 5dc468dc2e..d9596b8231 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -118,15 +118,18 @@ algorithms to support. The B<algs> argument should be a colon separated list of signature algorithms in order of decreasing preference of the form B<algorithm+hash> -or B<signature_scheme>. B<algorithm> is one of B<RSA>, B<DSA> or B<ECDSA> and +or B<signature_scheme>. For the default providers shipped with OpenSSL, +B<algorithm> is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm OID short name such as B<SHA1>, B<SHA224>, -B<SHA256>, B<SHA384> of B<SHA512>. Note: algorithm and hash names are case +B<SHA256>, B<SHA384> or B<SHA512>. Note: algorithm and hash names are case sensitive. B<signature_scheme> is one of the signature schemes defined in TLSv1.3, specified using the IETF name, e.g., B<ecdsa_secp256r1_sha256>, -B<ed25519>, or B<rsa_pss_pss_sha256>. +B<ed25519>, or B<rsa_pss_pss_sha256>. Additional providers may make available +further algorithms via the TLS_SIGALG capability. +See L<provider-base(7)/CAPABILITIES>. -If this option is not set then all signature algorithms supported by the -OpenSSL library are permissible. +If this option is not set then all signature algorithms supported by all +activated providers are permissible. Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by using B<RSA> as the B<algorithm> or by using one of the B<rsa_pkcs1_*> @@ -369,16 +372,19 @@ servers it is used to determine which signature algorithms to support. The B<value> argument should be a colon separated list of signature algorithms in order of decreasing preference of the form B<algorithm+hash> or -B<signature_scheme>. B<algorithm> -is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm -OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>. +B<signature_scheme>. For the default providers shipped with OpenSSL, +B<algorithm> is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported +algorithm OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> +or B<SHA512>. Note: algorithm and hash names are case sensitive. B<signature_scheme> is one of the signature schemes defined in TLSv1.3, specified using the IETF name, e.g., B<ecdsa_secp256r1_sha256>, B<ed25519>, or B<rsa_pss_pss_sha256>. +Additional providers may make available further algorithms via the TLS_SIGALG +capability. See L<provider-base(7)/CAPABILITIES>. -If this option is not set then all signature algorithms supported by the -OpenSSL library are permissible. +If this option is not set then all signature algorithms supported by all +activated providers are permissible. Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by using B<RSA> as the B<algorithm> or by using one of the B<rsa_pkcs1_*> diff --git a/doc/man3/SSL_CTX_flush_sessions.pod b/doc/man3/SSL_CTX_flush_sessions.pod index 2ab7c88382..9558e4389c 100644 --- a/doc/man3/SSL_CTX_flush_sessions.pod +++ b/doc/man3/SSL_CTX_flush_sessions.pod @@ -2,19 +2,28 @@ =head1 NAME -SSL_CTX_flush_sessions - remove expired sessions +SSL_CTX_flush_sessions_ex, SSL_CTX_flush_sessions - remove expired sessions =head1 SYNOPSIS #include <openssl/ssl.h> + void SSL_CTX_flush_sessions_ex(SSL_CTX *ctx, time_t tm); + +The following functions have been deprecated since OpenSSL 3.4, and can be +hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value, +see L<openssl_user_macros(7)>: + void SSL_CTX_flush_sessions(SSL_CTX *ctx, long tm); =head1 DESCRIPTION -SSL_CTX_flush_sessions() causes a run through the session cache of +SSL_CTX_flush_sessions_ex() causes a run through the session cache of B<ctx> to remove sessions expired at time B<tm>. +SSL_CTX_flush_sessions() is an older variant of the function that is not +Y2038 safe due to usage of long datatype instead of time_t. + =head1 NOTES If enabled, the internal session cache will collect all sessions established @@ -23,20 +32,20 @@ As sessions will not be reused ones they are expired, they should be removed from the cache to save resources. This can either be done automatically whenever 255 new sessions were established (see L<SSL_CTX_set_session_cache_mode(3)>) -or manually by calling SSL_CTX_flush_sessions(). +or manually by calling SSL_CTX_flush_sessions_ex(). The parameter B<tm> specifies the time which should be used for the expiration test, in most cases the actual time given by time(0) will be used. -SSL_CTX_flush_sessions() will only check sessions stored in the internal +SSL_CTX_flush_sessions_ex() will only check sessions stored in the internal cache. When a session is found and removed, the remove_session_cb is however called to synchronize with the external cache (see L<SSL_CTX_sess_set_get_cb(3)>). =head1 RETURN VALUES -SSL_CTX_flush_sessions() does not return a value. +SSL_CTX_flush_sessions_ex() does not return a value. =head1 SEE ALSO diff --git a/doc/man3/SSL_CTX_set_ct_validation_callback.pod b/doc/man3/SSL_CTX_set_ct_validation_callback.pod index 962f5ebd79..37f0564484 100644 --- a/doc/man3/SSL_CTX_set_ct_validation_callback.pod +++ b/doc/man3/SSL_CTX_set_ct_validation_callback.pod @@ -101,7 +101,7 @@ otherwise. When SCT processing is enabled, OCSP stapling will be enabled. This is because one possible source of SCTs is the OCSP response from a server. -The time returned by SSL_SESSION_get_time() will be used to evaluate whether any +The time returned by SSL_SESSION_get_time_ex() will be used to evaluate whether any presented SCTs have timestamps that are in the future (and therefore invalid). =head1 RESTRICTIONS diff --git a/doc/man3/SSL_CTX_set_verify.pod b/doc/man3/SSL_CTX_set_verify.pod index ac6a42c191..fd93499b1c 100644 --- a/doc/man3/SSL_CTX_set_verify.pod +++ b/doc/man3/SSL_CTX_set_verify.pod @@ -144,6 +144,9 @@ B<Client mode:> ignored (see BUGS) If the B<mode> is SSL_VERIFY_NONE none of the other flags may be set. +If verification flags are not modified explicitly by C<SSL_CTX_set_verify()> +or C<SSL_set_verify()>, the default value will be SSL_VERIFY_NONE. + The actual verification procedure is performed either using the built-in verification procedure or using another application provided verification function set with diff --git a/doc/man3/SSL_CTX_use_certificate.pod b/doc/man3/SSL_CTX_use_certificate.pod index 0d9ba74042..ed9659f1f8 100644 --- a/doc/man3/SSL_CTX_use_certificate.pod +++ b/doc/man3/SSL_CTX_use_certificate.pod @@ -68,7 +68,7 @@ SSL_use_certificate() loads B<x> into B<ssl>. The rest of the certificates needed to form the complete certificate chain can be specified using the L<SSL_CTX_add_extra_chain_cert(3)> -function. +function. On success the reference counter of the B<x> is incremented. SSL_CTX_use_certificate_ASN1() loads the ASN1 encoded certificate from the memory location B<d> (with length B<len>) into B<ctx>, @@ -97,6 +97,7 @@ to the certificate an error is returned. To change a [certificate/private-key] pair, the new certificate needs to be set first with SSL_use_certificate() or SSL_CTX_use_certificate() before setting the private key with SSL_CTX_use_PrivateKey() or SSL_use_PrivateKey(). +On success the reference counter of the B<pkey>/B<rsa> is incremented. SSL_CTX_use_cert_and_key() and SSL_use_cert_and_key() assign the X.509 certificate B<x>, private key B<key>, and certificate B<chain> onto the diff --git a/doc/man3/SSL_SESSION_get_time.pod b/doc/man3/SSL_SESSION_get_time.pod index 5c9adc1ee5..38ef35cd34 100644 --- a/doc/man3/SSL_SESSION_get_time.pod +++ b/doc/man3/SSL_SESSION_get_time.pod @@ -11,26 +11,31 @@ SSL_get_time, SSL_set_time, SSL_get_timeout, SSL_set_timeout #include <openssl/ssl.h> - long SSL_SESSION_get_time(const SSL_SESSION *s); - long SSL_SESSION_set_time(SSL_SESSION *s, long tm); long SSL_SESSION_get_timeout(const SSL_SESSION *s); long SSL_SESSION_set_timeout(SSL_SESSION *s, long tm); - long SSL_get_time(const SSL_SESSION *s); - long SSL_set_time(SSL_SESSION *s, long tm); long SSL_get_timeout(const SSL_SESSION *s); long SSL_set_timeout(SSL_SESSION *s, long tm); time_t SSL_SESSION_get_time_ex(const SSL_SESSION *s); time_t SSL_SESSION_set_time_ex(SSL_SESSION *s, time_t tm); +The following functions have been deprecated since OpenSSL 3.4, and can be +hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value, +see L<openssl_user_macros(7)>: + + long SSL_SESSION_get_time(const SSL_SESSION *s); + long SSL_SESSION_set_time(SSL_SESSION *s, long tm); + long SSL_get_time(const SSL_SESSION *s); + long SSL_set_time(SSL_SESSION *s, long tm); + =head1 DESCRIPTION -SSL_SESSION_get_time() returns the time at which the session B<s> was +SSL_SESSION_get_time_ex() returns the time at which the session B<s> was established. The time is given in seconds since the Epoch and therefore compatible to the time delivered by the time() call. -SSL_SESSION_set_time() replaces the creation time of the session B<s> with +SSL_SESSION_set_time_ex() replaces the creation time of the session B<s> with the chosen value B<tm>. SSL_SESSION_get_timeout() returns the timeout value set for session B<s> @@ -39,9 +44,10 @@ in seconds. SSL_SESSION_set_timeout() sets the timeout value for session B<s> in seconds to B<tm>. -SSL_SESSION_get_time_ex() and SSL_SESSION_set_time_ex() extended functions use -the time_t datatype instead of long to fix the Y2038 problem on systems with -64 bit time_t type. +SSL_SESSION_get_time() and SSL_SESSION_set_time() functions use +the long datatype instead of time_t and are therefore deprecated due to not +being Y2038-safe on 32 bit systems. Note that such systems still need +to be configured to use 64 bit time_t to be able to avoid overflow in system time. The SSL_get_time(), SSL_set_time(), SSL_get_timeout(), and SSL_set_timeout() functions are synonyms for the SSL_SESSION_*() counterparts. @@ -57,10 +63,10 @@ of the session. =head1 RETURN VALUES -SSL_SESSION_get_time() and SSL_SESSION_get_timeout() return the currently +SSL_SESSION_get_time_ex() and SSL_SESSION_get_timeout() return the currently valid values. -SSL_SESSION_set_time() and SSL_SESSION_set_timeout() return 1 on success. +SSL_SESSION_set_time_ex() and SSL_SESSION_set_timeout() return 1 on success. If any of the function is passed the NULL pointer for the session B<s>, 0 is returned. diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod index 06f764ef8b..1c0b5bf625 100644 --- a/doc/man3/d2i_X509.pod +++ b/doc/man3/d2i_X509.pod @@ -395,7 +395,9 @@ B<d2i_I<TYPE>>() attempts to decode I<len> bytes at I<*ppin>. If successful a pointer to the B<I<TYPE>> structure is returned and I<*ppin> is incremented to the byte following the parsed data. If I<a> is not NULL then a pointer to the returned structure is also written to I<*a>. If an error occurred -then NULL is returned. +then NULL is returned. The caller retains ownership of the +returned object and needs to free it when it is no longer needed, e.g. +using X509_free() for X509 objects or DSA_SIG_free() for DSA_SIG objects. On a successful return, if I<*a> is not NULL then it is assumed that I<*a> contains a valid B<I<TYPE>> structure and an attempt is made to reuse it. |