Diffstat (limited to 'doc')
-rw-r--r--doc/build.info24
-rw-r--r--doc/man1/openssl-cms.pod.in5
-rw-r--r--doc/man1/openssl-enc.pod.in11
-rw-r--r--doc/man1/openssl-passphrase-options.pod24
-rw-r--r--doc/man1/openssl-req.pod.in6
-rw-r--r--doc/man1/openssl-s_client.pod.in6
-rw-r--r--doc/man1/openssl-s_server.pod.in5
-rw-r--r--doc/man1/openssl-smime.pod.in5
-rw-r--r--doc/man1/openssl-version.pod.in23
-rw-r--r--doc/man3/BIO_f_base64.pod24
-rw-r--r--doc/man3/BN_set_bit.pod7
-rw-r--r--doc/man3/CMAC_CTX.pod114
-rw-r--r--doc/man3/CMS_add0_cert.pod5
-rw-r--r--doc/man3/CMS_verify.pod2
-rw-r--r--doc/man3/CRYPTO_THREAD_run_once.pod36
-rw-r--r--doc/man3/EVP_DigestInit.pod8
-rw-r--r--doc/man3/EVP_EncryptInit.pod10
-rw-r--r--doc/man3/EVP_RAND.pod8
-rw-r--r--doc/man3/MD5.pod13
-rw-r--r--doc/man3/OPENSSL_malloc.pod38
-rw-r--r--doc/man3/OSSL_INDICATOR_set_callback.pod81
-rw-r--r--doc/man3/PKCS7_verify.pod2
-rw-r--r--doc/man3/RAND_set_DRBG_type.pod2
-rw-r--r--doc/man3/SSL_CONF_cmd.pod24
-rw-r--r--doc/man3/SSL_CTX_set_cipher_list.pod2
-rw-r--r--doc/man3/SSL_CTX_set_record_padding_callback.pod10
-rw-r--r--doc/man3/TS_VERIFY_CTX.pod154
-rw-r--r--doc/man3/TS_VERIFY_CTX_set_certs.pod61
-rw-r--r--doc/man3/X509V3_get_d2i.pod1
-rw-r--r--doc/man3/X509_REQ_get_extensions.pod16
-rw-r--r--doc/man3/X509_dup.pod9
-rw-r--r--doc/man3/X509v3_get_ext_by_NID.pod26
-rw-r--r--doc/man3/d2i_X509.pod6
-rw-r--r--doc/man7/EVP_ASYM_CIPHER-RSA.pod4
-rw-r--r--doc/man7/EVP_KDF-TLS1_PRF.pod16
-rw-r--r--doc/man7/EVP_KEM-RSA.pod7
-rw-r--r--doc/man7/EVP_KEYEXCH-DH.pod23
-rw-r--r--doc/man7/EVP_KEYEXCH-ECDH.pod14
-rw-r--r--doc/man7/EVP_PKEY-DH.pod60
-rw-r--r--doc/man7/EVP_RAND-TEST-RAND.pod2
-rw-r--r--doc/man7/EVP_SIGNATURE-DSA.pod9
-rw-r--r--doc/man7/EVP_SIGNATURE-ECDSA.pod6
-rw-r--r--doc/man7/EVP_SIGNATURE-RSA.pod11
-rw-r--r--doc/man7/provider-asym_cipher.pod19
-rw-r--r--doc/man7/provider-kem.pod31
-rw-r--r--doc/man7/provider-keyexch.pod28
-rw-r--r--doc/man7/provider-rand.pod24
-rw-r--r--doc/man7/provider-signature.pod30
48 files changed, 853 insertions, 199 deletions
diff --git a/doc/build.info b/doc/build.info
index 3a8adb1c66..5c24273b63 100644
--- a/doc/build.info
+++ b/doc/build.info
@@ -783,6 +783,10 @@ DEPEND[html/man3/BUF_MEM_new.html]=man3/BUF_MEM_new.pod
GENERATE[html/man3/BUF_MEM_new.html]=man3/BUF_MEM_new.pod
DEPEND[man/man3/BUF_MEM_new.3]=man3/BUF_MEM_new.pod
GENERATE[man/man3/BUF_MEM_new.3]=man3/BUF_MEM_new.pod
+DEPEND[html/man3/CMAC_CTX.html]=man3/CMAC_CTX.pod
+GENERATE[html/man3/CMAC_CTX.html]=man3/CMAC_CTX.pod
+DEPEND[man/man3/CMAC_CTX.3]=man3/CMAC_CTX.pod
+GENERATE[man/man3/CMAC_CTX.3]=man3/CMAC_CTX.pod
DEPEND[html/man3/CMS_EncryptedData_decrypt.html]=man3/CMS_EncryptedData_decrypt.pod
GENERATE[html/man3/CMS_EncryptedData_decrypt.html]=man3/CMS_EncryptedData_decrypt.pod
DEPEND[man/man3/CMS_EncryptedData_decrypt.3]=man3/CMS_EncryptedData_decrypt.pod
@@ -1743,6 +1747,10 @@ DEPEND[html/man3/OSSL_IETF_ATTR_SYNTAX_print.html]=man3/OSSL_IETF_ATTR_SYNTAX_pr
GENERATE[html/man3/OSSL_IETF_ATTR_SYNTAX_print.html]=man3/OSSL_IETF_ATTR_SYNTAX_print.pod
DEPEND[man/man3/OSSL_IETF_ATTR_SYNTAX_print.3]=man3/OSSL_IETF_ATTR_SYNTAX_print.pod
GENERATE[man/man3/OSSL_IETF_ATTR_SYNTAX_print.3]=man3/OSSL_IETF_ATTR_SYNTAX_print.pod
+DEPEND[html/man3/OSSL_INDICATOR_set_callback.html]=man3/OSSL_INDICATOR_set_callback.pod
+GENERATE[html/man3/OSSL_INDICATOR_set_callback.html]=man3/OSSL_INDICATOR_set_callback.pod
+DEPEND[man/man3/OSSL_INDICATOR_set_callback.3]=man3/OSSL_INDICATOR_set_callback.pod
+GENERATE[man/man3/OSSL_INDICATOR_set_callback.3]=man3/OSSL_INDICATOR_set_callback.pod
DEPEND[html/man3/OSSL_ITEM.html]=man3/OSSL_ITEM.pod
GENERATE[html/man3/OSSL_ITEM.html]=man3/OSSL_ITEM.pod
DEPEND[man/man3/OSSL_ITEM.3]=man3/OSSL_ITEM.pod
@@ -2803,10 +2811,10 @@ DEPEND[html/man3/TS_RESP_CTX_new.html]=man3/TS_RESP_CTX_new.pod
GENERATE[html/man3/TS_RESP_CTX_new.html]=man3/TS_RESP_CTX_new.pod
DEPEND[man/man3/TS_RESP_CTX_new.3]=man3/TS_RESP_CTX_new.pod
GENERATE[man/man3/TS_RESP_CTX_new.3]=man3/TS_RESP_CTX_new.pod
-DEPEND[html/man3/TS_VERIFY_CTX_set_certs.html]=man3/TS_VERIFY_CTX_set_certs.pod
-GENERATE[html/man3/TS_VERIFY_CTX_set_certs.html]=man3/TS_VERIFY_CTX_set_certs.pod
-DEPEND[man/man3/TS_VERIFY_CTX_set_certs.3]=man3/TS_VERIFY_CTX_set_certs.pod
-GENERATE[man/man3/TS_VERIFY_CTX_set_certs.3]=man3/TS_VERIFY_CTX_set_certs.pod
+DEPEND[html/man3/TS_VERIFY_CTX.html]=man3/TS_VERIFY_CTX.pod
+GENERATE[html/man3/TS_VERIFY_CTX.html]=man3/TS_VERIFY_CTX.pod
+DEPEND[man/man3/TS_VERIFY_CTX.3]=man3/TS_VERIFY_CTX.pod
+GENERATE[man/man3/TS_VERIFY_CTX.3]=man3/TS_VERIFY_CTX.pod
DEPEND[html/man3/UI_STRING.html]=man3/UI_STRING.pod
GENERATE[html/man3/UI_STRING.html]=man3/UI_STRING.pod
DEPEND[man/man3/UI_STRING.3]=man3/UI_STRING.pod
@@ -3179,6 +3187,7 @@ html/man3/BN_set_bit.html \
html/man3/BN_swap.html \
html/man3/BN_zero.html \
html/man3/BUF_MEM_new.html \
+html/man3/CMAC_CTX.html \
html/man3/CMS_EncryptedData_decrypt.html \
html/man3/CMS_EncryptedData_encrypt.html \
html/man3/CMS_EnvelopedData_create.html \
@@ -3419,6 +3428,7 @@ html/man3/OSSL_HTTP_parse_url.html \
html/man3/OSSL_HTTP_transfer.html \
html/man3/OSSL_IETF_ATTR_SYNTAX.html \
html/man3/OSSL_IETF_ATTR_SYNTAX_print.html \
+html/man3/OSSL_INDICATOR_set_callback.html \
html/man3/OSSL_ITEM.html \
html/man3/OSSL_LIB_CTX.html \
html/man3/OSSL_LIB_CTX_set_conf_diagnostics.html \
@@ -3684,7 +3694,7 @@ html/man3/SSL_stream_reset.html \
html/man3/SSL_want.html \
html/man3/SSL_write.html \
html/man3/TS_RESP_CTX_new.html \
-html/man3/TS_VERIFY_CTX_set_certs.html \
+html/man3/TS_VERIFY_CTX.html \
html/man3/UI_STRING.html \
html/man3/UI_UTIL_read_pw.html \
html/man3/UI_create_method.html \
@@ -3837,6 +3847,7 @@ man/man3/BN_set_bit.3 \
man/man3/BN_swap.3 \
man/man3/BN_zero.3 \
man/man3/BUF_MEM_new.3 \
+man/man3/CMAC_CTX.3 \
man/man3/CMS_EncryptedData_decrypt.3 \
man/man3/CMS_EncryptedData_encrypt.3 \
man/man3/CMS_EnvelopedData_create.3 \
@@ -4077,6 +4088,7 @@ man/man3/OSSL_HTTP_parse_url.3 \
man/man3/OSSL_HTTP_transfer.3 \
man/man3/OSSL_IETF_ATTR_SYNTAX.3 \
man/man3/OSSL_IETF_ATTR_SYNTAX_print.3 \
+man/man3/OSSL_INDICATOR_set_callback.3 \
man/man3/OSSL_ITEM.3 \
man/man3/OSSL_LIB_CTX.3 \
man/man3/OSSL_LIB_CTX_set_conf_diagnostics.3 \
@@ -4342,7 +4354,7 @@ man/man3/SSL_stream_reset.3 \
man/man3/SSL_want.3 \
man/man3/SSL_write.3 \
man/man3/TS_RESP_CTX_new.3 \
-man/man3/TS_VERIFY_CTX_set_certs.3 \
+man/man3/TS_VERIFY_CTX.3 \
man/man3/UI_STRING.3 \
man/man3/UI_UTIL_read_pw.3 \
man/man3/UI_create_method.3 \
diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in
index 78be2e6c09..43a9a14979 100644
--- a/doc/man1/openssl-cms.pod.in
+++ b/doc/man1/openssl-cms.pod.in
@@ -453,8 +453,9 @@ used multiple times if more than one signer is required.
=item B<-certfile> I<file>
Allows additional certificates to be specified. When signing these will
-be included with the message. When verifying these will be searched for
-the signers certificates.
+be included with the message. When verifying, these will be searched for
+signer certificates and will be used for chain building.
+
The input can be in PEM, DER, or PKCS#12 format.
=item B<-cades>
diff --git a/doc/man1/openssl-enc.pod.in b/doc/man1/openssl-enc.pod.in
index 14066a3185..0f514672ec 100644
--- a/doc/man1/openssl-enc.pod.in
+++ b/doc/man1/openssl-enc.pod.in
@@ -98,13 +98,19 @@ Base64 process the data. This means that if encryption is taking place
the data is base64 encoded after encryption. If decryption is set then
the input data is base64 decoded before being decrypted.
+When the B<-A> option not given,
+on encoding a newline is inserted after each 64 characters, and
+on decoding a newline is expected among the first 1024 bytes of input.
+
=item B<-base64>
Same as B<-a>
=item B<-A>
-If the B<-a> option is set then base64 process the data on one line.
+If the B<-a> option is set then base64 encoding produces output without any
+newline character, and base64 decoding does not require any newlines.
+Therefore it can be helpful to use the B<-A> option when decoding unknown input.
=item B<-k> I<password>
@@ -463,6 +469,9 @@ or
=head1 BUGS
The B<-A> option when used with large files doesn't work properly.
+On the other hand, when base64 decoding without the B<-A> option,
+if the first 1024 bytes of input do not include a newline character
+the first two lines of input are ignored.
The B<openssl enc> command only supports a fixed number of algorithms with
certain parameters. So if, for example, you want to use RC2 with a
diff --git a/doc/man1/openssl-passphrase-options.pod b/doc/man1/openssl-passphrase-options.pod
index abc43fb41e..2260dce8a6 100644
--- a/doc/man1/openssl-passphrase-options.pod
+++ b/doc/man1/openssl-passphrase-options.pod
@@ -46,26 +46,32 @@ the environment of other processes is visible on certain platforms
=item B<file:>I<pathname>
-The first line of I<pathname> is the password. If the same I<pathname>
-argument is supplied to B<-passin> and B<-passout> arguments then the first
-line will be used for the input password and the next line for the output
-password. I<pathname> need not refer to a regular file: it could for example
-refer to a device or named pipe.
+Reads the password from the specified file I<pathname>, which can be a regular
+file, device, or named pipe. Only the first line, up to the newline character,
+is read from the stream.
+
+If the same I<pathname> argument is supplied to both B<-passin> and B<-passout>
+arguments, the first line will be used for the input password, and the next
+line will be used for the output password.
=item B<fd:>I<number>
-Read the password from the file descriptor I<number>. This can be used to
-send the data via a pipe for example.
+Reads the password from the file descriptor I<number>. This can be useful for
+sending data via a pipe, for example. The same line handling as described for
+B<file:> applies to passwords read from file descriptors.
+
+B<fd:> is not supported on Windows.
=item B<stdin>
-Read the password from standard input.
+Reads the password from standard input. The same line handling as described for
+B<file:> applies to passwords read from standard input.
=back
=head1 COPYRIGHT
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index 808801348f..0eacfc51a4 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -392,7 +392,11 @@ Add a specific extension to the certificate (if B<-x509> is in use)
or certificate request. The argument must have the form of
a C<key=value> pair as it would appear in a config file.
+If an extension is added using this option that has the same OID as one
+defined in the extension section of the config file, it overrides that one.
+
This option can be given multiple times.
+Doing so, the same key most not be given more than once.
=item B<-precert>
@@ -552,7 +556,7 @@ BMPStrings and UTF8Strings.
This specifies the configuration file section containing a list of
extensions to add to the certificate request. It can be overridden
-by the B<-reqexts> command line switch. See the
+by the B<-reqexts> (or B<-extensions>) command line switch. See the
L<x509v3_config(5)> manual page for details of the
extension section format.
diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in
index 51473a65c2..2aa8c8d134 100644
--- a/doc/man1/openssl-s_client.pod.in
+++ b/doc/man1/openssl-s_client.pod.in
@@ -656,7 +656,11 @@ For example strings, see L<SSL_CTX_set1_sigalgs(3)>
=item B<-curves> I<curvelist>
Specifies the list of supported curves to be sent by the client. The curve is
-ultimately selected by the server. For a list of all curves, use:
+ultimately selected by the server.
+
+The list of all supported groups includes named EC parameters as well as X25519
+and X448 or FFDHE groups, and may also include groups implemented in 3rd-party
+providers. For a list of named EC parameters, use:
$ openssl ecparam -list_curves
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in
index 3049426f82..80f8c32992 100644
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@@ -671,7 +671,10 @@ Signature algorithms to support for client certificate authentication
=item B<-named_curve> I<val>
Specifies the elliptic curve to use. NOTE: this is single curve, not a list.
-For a list of all possible curves, use:
+
+The list of all supported groups includes named EC parameters as well as X25519
+and X448 or FFDHE groups, and may also include groups implemented in 3rd-party
+providers. For a list of named EC parameters, use:
$ openssl ecparam -list_curves
diff --git a/doc/man1/openssl-smime.pod.in b/doc/man1/openssl-smime.pod.in
index 4d8d6f52cb..3652764153 100644
--- a/doc/man1/openssl-smime.pod.in
+++ b/doc/man1/openssl-smime.pod.in
@@ -234,8 +234,9 @@ option is present B<CRLF> is used instead.
=item B<-certfile> I<file>
Allows additional certificates to be specified. When signing these will
-be included with the message. When verifying these will be searched for
-the signers certificates.
+be included with the message. When verifying, these will be searched for
+signer certificates and will be used for chain building.
+
The input can be in PEM, DER, or PKCS#12 format.
=item B<-signer> I<file>
diff --git a/doc/man1/openssl-version.pod.in b/doc/man1/openssl-version.pod.in
index b2f0910724..dcfd60b9c3 100644
--- a/doc/man1/openssl-version.pod.in
+++ b/doc/man1/openssl-version.pod.in
@@ -20,6 +20,7 @@ B<openssl version>
[B<-m>]
[B<-r>]
[B<-c>]
+[B<-w>]
=head1 DESCRIPTION
@@ -77,8 +78,30 @@ The random number generator source settings.
The OpenSSL CPU settings info.
+=item B<-w>
+
+The OpenSSL B<OSSL_WINCTX> build time variable, if set.
+Used for computing Windows registry key names. This option is unavailable on
+non-Windows platforms.
+
=back
+=head1 HISTORY
+
+In OpenSSL versions prior to 3.4, OpenSSL had a limitation regarding the
+B<OPENSSLDIR>, B<MODULESDIR> and B<ENGINESDIR> build time macros. These macros
+were defined at build time, and represented filesystem paths. This is common
+practice on unix like systems, as there was an expectation that a given build
+would be installed to a pre-determined location. On Windows however, there is
+no such expectation, as libraries can be installed to arbitrary locations.
+B<OSSL_WINCTX> was introduced as a new build time variable to define a set of
+registry keys identified by the name openssl-<version>-<ctx>, in which the
+<version> value is derived from the version string in the openssl source, and
+the <ctx> extension is derived from the B<OSSL_WINCTX> variable. The values of
+B<OPENSSLDIR>, B<ENGINESDIR> and B<MODULESDIR> can be set to various paths
+underneath this key to break the requirement to predict the installation path at
+build time.
+
=head1 NOTES
The output of C<openssl version -a> would typically be used when sending
diff --git a/doc/man3/BIO_f_base64.pod b/doc/man3/BIO_f_base64.pod
index c865f0a17a..7d10df933c 100644
--- a/doc/man3/BIO_f_base64.pod
+++ b/doc/man3/BIO_f_base64.pod
@@ -21,25 +21,23 @@ any data read through it.
Base64 BIOs do not support BIO_gets() or BIO_puts().
-For writing, output is by default divided to lines of length 64
-characters and there is always a newline at the end of output.
+For writing, by default output is divided to lines of length 64
+characters and there is a newline at the end of output.
+This behavior can be changed with B<BIO_FLAGS_BASE64_NO_NL> flag.
-For reading, first line should be at most 1024
-characters long. If it is longer then it is ignored completely.
-Other input lines can be of any length. There must be a newline
-at the end of input.
-
-This behavior can be changed with BIO_FLAGS_BASE64_NO_NL flag.
+For reading, first line should be at most 1024 bytes long including newline
+unless the flag B<BIO_FLAGS_BASE64_NO_NL> is set.
+Further input lines can be of any length (i.e., newlines may appear anywhere
+in the input) and a newline at the end of input is not needed.
BIO_flush() on a base64 BIO that is being written through is
used to signal that no more data is to be encoded: this is used
to flush the final block through the BIO.
-The flag BIO_FLAGS_BASE64_NO_NL can be set with BIO_set_flags().
+The flag B<BIO_FLAGS_BASE64_NO_NL> can be set with BIO_set_flags().
For writing, it causes all data to be written on one line without
newline at the end.
-For reading, it expects the data to be all on one line (with or
-without a trailing newline).
+For reading, it removes all expectations on newlines in the input data.
=head1 NOTES
@@ -85,6 +83,10 @@ data to standard output:
=head1 BUGS
+On decoding, if the flag B<BIO_FLAGS_BASE64_NO_NL> is not set and
+the first 1024 bytes of input do not include a newline character
+the first two lines of input are ignored.
+
The ambiguity of EOF in base64 encoded data can cause additional
data following the base64 encoded block to be misinterpreted.
diff --git a/doc/man3/BN_set_bit.pod b/doc/man3/BN_set_bit.pod
index 349ef9e056..e4d66791e8 100644
--- a/doc/man3/BN_set_bit.pod
+++ b/doc/man3/BN_set_bit.pod
@@ -33,8 +33,11 @@ error occurs if B<a> is shorter than B<n> bits.
BN_is_bit_set() tests if bit B<n> in B<a> is set.
BN_mask_bits() truncates B<a> to an B<n> bit number
-(C<a&=~((~0)E<lt>E<lt>n)>). An error occurs if B<a> already is
-shorter than B<n> bits.
+(C<a&=~((~0)E<lt>E<lt>n)>). An error occurs if B<n> is negative. An error is
+also returned if the internal representation of B<a> is already shorter than
+B<n> bits. The internal representation depends on the platform's word size, and
+this error can be safely ignored. Use L<BN_num_bits(3)> to determine the exact
+number of bits if needed.
BN_lshift() shifts B<a> left by B<n> bits and places the result in
B<r> (C<r=a*2^n>). Note that B<n> must be nonnegative. BN_lshift1() shifts
diff --git a/doc/man3/CMAC_CTX.pod b/doc/man3/CMAC_CTX.pod
new file mode 100644
index 0000000000..fae4fd1516
--- /dev/null
+++ b/doc/man3/CMAC_CTX.pod
@@ -0,0 +1,114 @@
+=pod
+
+=head1 NAME
+
+CMAC_CTX, CMAC_CTX_new, CMAC_CTX_cleanup, CMAC_CTX_free,
+CMAC_CTX_get0_cipher_ctx, CMAC_CTX_copy, CMAC_Init, CMAC_Update, CMAC_Final,
+CMAC_resume
+- create cipher-based message authentication codes
+
+=head1 SYNOPSIS
+
+ #include <openssl/cmac.h>
+
+The following functions have been deprecated since OpenSSL 3.0, and can be
+disabled entirely by defining B<OPENSSL_API_COMPAT> with a suitable version
+value, see L<openssl_user_macros(7)>.
+
+ typedef struct CMAC_CTX_st CMAC_CTX;
+
+ CMAC_CTX *CMAC_CTX_new(void);
+ void CMAC_CTX_cleanup(CMAC_CTX *ctx);
+ void CMAC_CTX_free(CMAC_CTX *ctx);
+ EVP_CIPHER_CTX *CMAC_CTX_get0_cipher_ctx(CMAC_CTX *ctx);
+ int CMAC_CTX_copy(CMAC_CTX *out, const CMAC_CTX *in);
+ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen,
+ const EVP_CIPHER *cipher, ENGINE *impl);
+ int CMAC_Update(CMAC_CTX *ctx, const void *data, size_t dlen);
+ int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen);
+ int CMAC_resume(CMAC_CTX *ctx);
+
+=head1 DESCRIPTION
+
+The low-level MAC functions documented on this page are deprecated.
+Applications should use the new L<EVP_MAC(3)> interface.
+Specifically, utilize the following functions for MAC operations:
+
+=over 4
+
+=item L<EVP_MAC_CTX_new(3)> to create a new MAC context.
+
+=item L<EVP_MAC_CTX_free(3)> to free the MAC context.
+
+=item L<EVP_MAC_init(3)> to initialize the MAC context.
+
+=item L<EVP_MAC_update(3)> to update the MAC with data.
+
+=item L<EVP_MAC_final(3)> to finalize the MAC and retrieve the output.
+
+=back
+
+Alternatively, for a single-step MAC computation, use the L<EVP_Q_mac(3)>
+function.
+
+The B<CMAC_CTX> type is a structure used for the provision of CMAC
+(Cipher-based Message Authentication Code) operations.
+
+CMAC_CTX_new() creates a new B<CMAC_CTX> structure and returns a pointer to it.
+
+CMAC_CTX_cleanup() resets the B<CMAC_CTX> structure, clearing any internal data
+but not freeing the structure itself.
+
+CMAC_CTX_free() frees the B<CMAC_CTX> structure and any associated resources.
+If the argument is NULL, no action is taken.
+
+CMAC_CTX_get0_cipher_ctx() returns a pointer to the internal B<EVP_CIPHER_CTX>
+structure within the B<CMAC_CTX>.
+
+CMAC_CTX_copy() copies the state from one B<CMAC_CTX> structure to another.
+
+CMAC_Init() initializes the B<CMAC_CTX> structure for a new CMAC calculation
+with the specified key, key length, and cipher type.
+Optionally, an B<ENGINE> can be provided.
+
+CMAC_Update() processes data to be included in the CMAC calculation.
+This function can be called multiple times to update the context with
+additional data.
+
+CMAC_Final() finalizes the CMAC calculation and retrieves the resulting
+MAC value. The output is stored in the provided buffer, and the length is
+stored in the variable pointed to by I<poutlen>. To determine the required
+buffer size, call with I<out> set to NULL, which stores only the length in
+I<poutlen>. Allocate a buffer of this size and call CMAC_Final() again with
+the allocated buffer to retrieve the MAC.
+
+CMAC_resume() resumes a previously finalized CMAC calculation, allowing
+additional data to be processed and a new MAC to be generated.
+
+=head1 RETURN VALUES
+
+CMAC_CTX_new() returns a pointer to a new B<CMAC_CTX> structure or NULL if
+an error occurs.
+
+CMAC_CTX_get0_cipher_ctx() returns a pointer to the internal
+B<EVP_CIPHER_CTX> structure, or NULL if an error occurs.
+
+CMAC_CTX_copy(), CMAC_Init(), CMAC_Update(), CMAC_Final() and CMAC_resume()
+return 1 for success or 0 if an error occurs.
+
+=head1 HISTORY
+
+All functions described here were deprecated in OpenSSL 3.0. For replacements,
+see L<EVP_MAC_CTX_new(3)>, L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>,
+L<EVP_MAC_update(3)>, and L<EVP_MAC_final(3)>.
+
+=head1 COPYRIGHT
+
+Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/CMS_add0_cert.pod b/doc/man3/CMS_add0_cert.pod
index c876238fe4..8f61813f6f 100644
--- a/doc/man3/CMS_add0_cert.pod
+++ b/doc/man3/CMS_add0_cert.pod
@@ -57,8 +57,9 @@ For enveloped data they are added to B<OriginatorInfo>.
CMS_add0_cert(), CMS_add1_cert() and CMS_add0_crl() and CMS_add1_crl() return
1 for success and 0 for failure.
-CMS_get1_certs() and CMS_get1_crls() return the STACK of certificates or CRLs
-or NULL if there are none or an error occurs. The only error which will occur
+CMS_get1_certs() and CMS_get1_crls() return the STACK of certificates or CRLs,
+which is empty if there are none. They return NULL on error.
+Besides out-of-memory, the only error which will occur
in practice is if the I<cms> type is invalid.
=head1 SEE ALSO
diff --git a/doc/man3/CMS_verify.pod b/doc/man3/CMS_verify.pod
index bd46a1262c..3f3488b2f6 100644
--- a/doc/man3/CMS_verify.pod
+++ b/doc/man3/CMS_verify.pod
@@ -26,6 +26,8 @@ B<CMS SignedData> structure contained in a structure of type B<CMS_ContentInfo>.
I<cms> points to the B<CMS_ContentInfo> structure to verify.
The optional I<certs> parameter refers to a set of certificates
in which to search for signing certificates.
+It is also used
+as a source of untrusted intermediate CA certificates for chain building.
I<cms> may contain extra untrusted CA certificates that may be used for
chain building as well as CRLs that may be used for certificate validation.
I<store> may be NULL or point to
diff --git a/doc/man3/CRYPTO_THREAD_run_once.pod b/doc/man3/CRYPTO_THREAD_run_once.pod
index 2b0d0675ab..b8894f1db5 100644
--- a/doc/man3/CRYPTO_THREAD_run_once.pod
+++ b/doc/man3/CRYPTO_THREAD_run_once.pod
@@ -5,8 +5,8 @@
CRYPTO_THREAD_run_once,
CRYPTO_THREAD_lock_new, CRYPTO_THREAD_read_lock, CRYPTO_THREAD_write_lock,
CRYPTO_THREAD_unlock, CRYPTO_THREAD_lock_free,
-CRYPTO_atomic_add, CRYPTO_atomic_or, CRYPTO_atomic_load, CRYPTO_atomic_store,
-CRYPTO_atomic_load_int,
+CRYPTO_atomic_add, CRYPTO_atomic_add64, CRYPTO_atomic_and, CRYPTO_atomic_or,
+CRYPTO_atomic_load, CRYPTO_atomic_store, CRYPTO_atomic_load_int,
OSSL_set_max_threads, OSSL_get_max_threads,
OSSL_get_thread_support_flags, OSSL_THREAD_SUPPORT_FLAG_THREAD_POOL,
OSSL_THREAD_SUPPORT_FLAG_DEFAULT_SPAWN - OpenSSL thread support
@@ -25,6 +25,10 @@ OSSL_THREAD_SUPPORT_FLAG_DEFAULT_SPAWN - OpenSSL thread support
void CRYPTO_THREAD_lock_free(CRYPTO_RWLOCK *lock);
int CRYPTO_atomic_add(int *val, int amount, int *ret, CRYPTO_RWLOCK *lock);
+ int CRYPTO_atomic_add64(uint64_t *val, uint64_t op, uint64_t *ret,
+ CRYPTO_RWLOCK *lock);
+ int CRYPTO_atomic_and(uint64_t *val, uint64_t op, uint64_t *ret,
+ CRYPTO_RWLOCK *lock);
int CRYPTO_atomic_or(uint64_t *val, uint64_t op, uint64_t *ret,
CRYPTO_RWLOCK *lock);
int CRYPTO_atomic_load(uint64_t *val, uint64_t *ret, CRYPTO_RWLOCK *lock);
@@ -95,6 +99,25 @@ supported and I<lock> is NULL, then the function will fail.
=item *
+CRYPTO_atomic_add64() atomically adds I<op> to I<*val> and returns the
+result of the operation in I<*ret>. I<lock> will be locked, unless atomic
+operations are supported on the specific platform. Because of this, if a
+variable is modified by CRYPTO_atomic_add64() then CRYPTO_atomic_add64() must
+be the only way that the variable is modified. If atomic operations are not
+supported and I<lock> is NULL, then the function will fail.
+
+=item *
+
+CRYPTO_atomic_and()